diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 23:51:28 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 23:51:28 +0000 |
commit | 754c7de1e91eeb28c6d3766900ead0c3e44fdb85 (patch) | |
tree | 51433c0e38731dc9ecd342555a56f876980b1834 /bin/tests/system/checkconf/tests.sh | |
parent | Adding debian version 1:9.16.44-1~deb11u1. (diff) | |
download | bind9-754c7de1e91eeb28c6d3766900ead0c3e44fdb85.tar.xz bind9-754c7de1e91eeb28c6d3766900ead0c3e44fdb85.zip |
Merging upstream version 1:9.16.48.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system/checkconf/tests.sh')
-rw-r--r-- | bin/tests/system/checkconf/tests.sh | 856 |
1 files changed, 490 insertions, 366 deletions
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index c978efe..c8f883e 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh @@ -19,623 +19,747 @@ n=0 mkdir keys -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf handles a known good config ($n)" ret=0 -$CHECKCONF good.conf > checkconf.out$n 2>&1 || ret=1 +$CHECKCONF good.conf >checkconf.out$n 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf prints a known good config ($n)" ret=0 -awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in +awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf >good.conf.in [ -s good.conf.in ] || ret=1 -$CHECKCONF -p good.conf.in > checkconf.out$n || ret=1 -grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1 +$CHECKCONF -p good.conf.in >checkconf.out$n || ret=1 +grep -v '^good.conf.in:' <checkconf.out$n >good.conf.out 2>&1 || ret=1 cmp good.conf.in good.conf.out || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -x removes secrets ($n)" ret=0 # ensure there is a secret and that it is not the check string. -grep 'secret "' good.conf.in > /dev/null || ret=1 -grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1 -$CHECKCONF -p -x good.conf.in > checkconf.out$n || ret=1 -grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1 -grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1 +grep 'secret "' good.conf.in >/dev/null || ret=1 +grep 'secret "????????????????"' good.conf.in >/dev/null 2>&1 && ret=1 +$CHECKCONF -p -x good.conf.in >checkconf.out$n || ret=1 +grep -v '^good.conf.in:' <checkconf.out$n >good.conf.out 2>&1 || ret=1 +grep 'secret "????????????????"' good.conf.out >/dev/null 2>&1 || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` - -for bad in bad-*.conf -do - n=`expr $n + 1` - echo_i "checking that named-checkconf detects error in $bad ($n)" - ret=0 - $CHECKCONF $bad > checkconf.out$n 2>&1 - if [ $? -ne 1 ]; then ret=1; fi - grep "^$bad:[0-9]*: " < checkconf.out$n > /dev/null || ret=1 - case $bad in +status=$(expr $status + $ret) + +for bad in bad-*.conf; do + n=$(expr $n + 1) + echo_i "checking that named-checkconf detects error in $bad ($n)" + ret=0 + $CHECKCONF $bad >checkconf.out$n 2>&1 + if [ $? -ne 1 ]; then ret=1; fi + grep "^$bad:[0-9]*: " <checkconf.out$n >/dev/null || ret=1 + case $bad in bad-update-policy[123].conf) - pat="identity and name fields are not the same" - grep "$pat" < checkconf.out$n > /dev/null || ret=1 - ;; - bad-update-policy[4589].conf|bad-update-policy1[01].conf) - pat="name field not set to placeholder value" - grep "$pat" < checkconf.out$n > /dev/null || ret=1 - ;; - bad-update-policy[67].conf|bad-update-policy1[2345].conf) - pat="missing name field type '.*' found" - grep "$pat" < checkconf.out$n > /dev/null || ret=1 - ;; - esac - if [ $ret -ne 0 ]; then echo_i "failed"; fi - status=`expr $status + $ret` + pat="identity and name fields are not the same" + grep "$pat" <checkconf.out$n >/dev/null || ret=1 + ;; + bad-update-policy[4589].conf | bad-update-policy1[01].conf) + pat="name field not set to placeholder value" + grep "$pat" <checkconf.out$n >/dev/null || ret=1 + ;; + bad-update-policy[67].conf | bad-update-policy1[2345].conf) + pat="missing name field type '.*' found" + grep "$pat" <checkconf.out$n >/dev/null || ret=1 + ;; + esac + if [ $ret -ne 0 ]; then echo_i "failed"; fi + status=$(expr $status + $ret) done -for good in good-*.conf -do - n=`expr $n + 1` - echo_i "checking that named-checkconf detects no error in $good ($n)" - ret=0 - $CHECKCONF $good > checkconf.out$n 2>&1 - if [ $? -ne 0 ]; then echo_i "failed"; ret=1; fi - status=`expr $status + $ret` +for good in good-*.conf; do + n=$(expr $n + 1) + echo_i "checking that named-checkconf detects no error in $good ($n)" + ret=0 + $CHECKCONF $good >checkconf.out$n 2>&1 + if [ $? -ne 0 ]; then + echo_i "failed" + ret=1 + fi + status=$(expr $status + $ret) done -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that ancient options report a fatal error ($n)" ret=0 -$CHECKCONF ancient.conf > ancient.out 2>&1 && ret=1 -grep "no longer exists" ancient.out > /dev/null || ret=1 +$CHECKCONF ancient.conf >ancient.out 2>&1 && ret=1 +grep "no longer exists" ancient.out >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -z catches missing hint file ($n)" ret=0 -$CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1 && ret=1 -grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out > /dev/null || ret=1 +$CHECKCONF -z hint-nofile.conf >hint-nofile.out 2>&1 && ret=1 +grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf catches range errors ($n)" ret=0 -$CHECKCONF range.conf > checkconf.out$n 2>&1 && ret=1 +$CHECKCONF range.conf >checkconf.out$n 2>&1 && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf warns of notify inconsistencies ($n)" ret=0 -$CHECKCONF notify.conf > checkconf.out$n 2>&1 -warnings=`grep "'notify' is disabled" < checkconf.out$n | wc -l` +$CHECKCONF notify.conf >checkconf.out$n 2>&1 +warnings=$(grep "'notify' is disabled" <checkconf.out$n | wc -l) [ $warnings -eq 3 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking named-checkconf dnssec warnings ($n)" ret=0 # dnssec.1: dnssec-enable is obsolete -$CHECKCONF dnssec.1 > checkconf.out$n.1 2>&1 -grep "'dnssec-enable' is obsolete and should be removed" < checkconf.out$n.1 > /dev/null || ret=1 +$CHECKCONF dnssec.1 >checkconf.out$n.1 2>&1 +grep "'dnssec-enable' is obsolete and should be removed" <checkconf.out$n.1 >/dev/null || ret=1 # dnssec.2: auto-dnssec warning -$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1 -grep 'auto-dnssec may only be ' < checkconf.out$n.2 > /dev/null || ret=1 +$CHECKCONF dnssec.2 >checkconf.out$n.2 2>&1 +grep 'auto-dnssec may only be ' <checkconf.out$n.2 >/dev/null || ret=1 # dnssec.3: should have no warnings (other than deprecation warning) -$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1 -grep "option 'auto-dnssec' is deprecated" < checkconf.out$n.3 > /dev/null || ret=1 -lines=$(wc -l < "checkconf.out$n.3") +$CHECKCONF dnssec.3 >checkconf.out$n.3 2>&1 +grep "option 'auto-dnssec' is deprecated" <checkconf.out$n.3 >/dev/null || ret=1 +lines=$(wc -l <"checkconf.out$n.3") if [ $lines != 1 ]; then ret=1; fi # dnssec.4: should have specific deprecation warning -$CHECKCONF dnssec.4 > checkconf.out$n.4 2>&1 -grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" < checkconf.out$n.4 > /dev/null || ret=1 +$CHECKCONF dnssec.4 >checkconf.out$n.4 2>&1 +grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" <checkconf.out$n.4 >/dev/null || ret=1 if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking named-checkconf deprecate warnings ($n)" ret=0 -$CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1 -grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "option 'dscp' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 -grep "token 'dscp' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1 +$CHECKCONF deprecated.conf >checkconf.out$n.1 2>&1 +grep "option 'managed-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "option 'trusted-keys' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "option 'dscp' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 +grep "token 'dscp' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) # set -i to ignore deprecate warnings -$CHECKCONF -i deprecated.conf > checkconf.out$n.2 2>&1 -grep '.*' < checkconf.out$n.2 > /dev/null && ret=1 +$CHECKCONF -i deprecated.conf >checkconf.out$n.2 2>&1 +grep '.*' <checkconf.out$n.2 >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking named-checkconf servestale warnings ($n)" ret=0 -$CHECKCONF servestale.stale-refresh-time.0.conf > checkconf.out$n.1 2>&1 -grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null && ret=1 +$CHECKCONF servestale.stale-refresh-time.0.conf >checkconf.out$n.1 2>&1 +grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" <checkconf.out$n.1 >/dev/null && ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) ret=0 -$CHECKCONF servestale.stale-refresh-time.29.conf > checkconf.out$n.1 2>&1 -grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null || ret=1 +$CHECKCONF servestale.stale-refresh-time.29.conf >checkconf.out$n.1 2>&1 +grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" <checkconf.out$n.1 >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "range checking fields that do not allow zero ($n)" ret=0 for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do - cat > badzero.conf << EOF + cat >badzero.conf <<EOF options { $field 0; }; EOF - $CHECKCONF badzero.conf > checkconf.out$n.1 2>&1 - [ $? -eq 1 ] || { echo_i "options $field failed" ; ret=1; } - cat > badzero.conf << EOF + $CHECKCONF badzero.conf >checkconf.out$n.1 2>&1 + [ $? -eq 1 ] || { + echo_i "options $field failed" + ret=1 + } + cat >badzero.conf <<EOF view dummy { $field 0; }; EOF - $CHECKCONF badzero.conf > checkconf.out$n.2 2>&1 - [ $? -eq 1 ] || { echo_i "view $field failed" ; ret=1; } - cat > badzero.conf << EOF + $CHECKCONF badzero.conf >checkconf.out$n.2 2>&1 + [ $? -eq 1 ] || { + echo_i "view $field failed" + ret=1 + } + cat >badzero.conf <<EOF options { $field 0; }; view dummy { }; EOF - $CHECKCONF badzero.conf > checkconf.out$n.3 2>&1 - [ $? -eq 1 ] || { echo_i "options + view $field failed" ; ret=1; } - cat > badzero.conf << EOF + $CHECKCONF badzero.conf >checkconf.out$n.3 2>&1 + [ $? -eq 1 ] || { + echo_i "options + view $field failed" + ret=1 + } + cat >badzero.conf <<EOF zone dummy { type secondary; primaries { 0.0.0.0; }; $field 0; }; EOF - $CHECKCONF badzero.conf > checkconf.out$n.4 2>&1 - [ $? -eq 1 ] || { echo_i "zone $field failed" ; ret=1; } + $CHECKCONF badzero.conf >checkconf.out$n.4 2>&1 + [ $? -eq 1 ] || { + echo_i "zone $field failed" + ret=1 + } done if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking options allowed in inline-signing secondaries ($n)" ret=0 -$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1 -l=`grep "dnssec-dnskey-kskonly.*requires inline" < checkconf.out$n.1 | wc -l` +$CHECKCONF bad-dnssec.conf >checkconf.out$n.1 2>&1 +l=$(grep "dnssec-dnskey-kskonly.*requires inline" <checkconf.out$n.1 | wc -l) [ $l -eq 1 ] || ret=1 -$CHECKCONF bad-dnssec.conf > checkconf.out$n.2 2>&1 -l=`grep "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2 | wc -l` +$CHECKCONF bad-dnssec.conf >checkconf.out$n.2 2>&1 +l=$(grep "dnssec-loadkeys-interval.*requires inline" <checkconf.out$n.2 | wc -l) [ $l -eq 1 ] || ret=1 -$CHECKCONF bad-dnssec.conf > checkconf.out$n.3 2>&1 -l=`grep "update-check-ksk.*requires inline" < checkconf.out$n.3 | wc -l` +$CHECKCONF bad-dnssec.conf >checkconf.out$n.3 2>&1 +l=$(grep "update-check-ksk.*requires inline" <checkconf.out$n.3 | wc -l) [ $l -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check file + inline-signing for secondary zones ($n)" -$CHECKCONF inline-no.conf > checkconf.out$n.1 2>&1 -l=`grep "missing 'file' entry" < checkconf.out$n.1 | wc -l` +$CHECKCONF inline-no.conf >checkconf.out$n.1 2>&1 +l=$(grep "missing 'file' entry" <checkconf.out$n.1 | wc -l) [ $l -eq 0 ] || ret=1 -$CHECKCONF inline-good.conf > checkconf.out$n.2 2>&1 -l=`grep "missing 'file' entry" < checkconf.out$n.2 | wc -l` +$CHECKCONF inline-good.conf >checkconf.out$n.2 2>&1 +l=$(grep "missing 'file' entry" <checkconf.out$n.2 | wc -l) [ $l -eq 0 ] || ret=1 -$CHECKCONF inline-bad.conf > checkconf.out$n.3 2>&1 -l=`grep "missing 'file' entry" < checkconf.out$n.3 | wc -l` +$CHECKCONF inline-bad.conf >checkconf.out$n.3 2>&1 +l=$(grep "missing 'file' entry" <checkconf.out$n.3 | wc -l) [ $l -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking named-checkconf DLZ warnings ($n)" ret=0 -$CHECKCONF dlz-bad.conf > checkconf.out$n 2>&1 -grep "'dlz' and 'database'" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF dlz-bad.conf >checkconf.out$n 2>&1 +grep "'dlz' and 'database'" <checkconf.out$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking for missing key directory warning ($n)" ret=0 rm -rf test.keydir -$CHECKCONF warn-keydir.conf > checkconf.out$n.1 2>&1 -l=`grep "'test.keydir' does not exist" < checkconf.out$n.1 | wc -l` +$CHECKCONF warn-keydir.conf >checkconf.out$n.1 2>&1 +l=$(grep "'test.keydir' does not exist" <checkconf.out$n.1 | wc -l) [ $l -eq 1 ] || ret=1 touch test.keydir -$CHECKCONF warn-keydir.conf > checkconf.out$n.2 2>&1 -l=`grep "'test.keydir' is not a directory" < checkconf.out$n.2 | wc -l` +$CHECKCONF warn-keydir.conf >checkconf.out$n.2 2>&1 +l=$(grep "'test.keydir' is not a directory" <checkconf.out$n.2 | wc -l) [ $l -eq 1 ] || ret=1 rm -f test.keydir mkdir test.keydir -$CHECKCONF warn-keydir.conf > checkconf.out$n.3 2>&1 -l=`grep "key-directory" < checkconf.out$n.3 | wc -l` +$CHECKCONF warn-keydir.conf >checkconf.out$n.3 2>&1 +l=$(grep "key-directory" <checkconf.out$n.3 | wc -l) [ $l -eq 0 ] || ret=1 rm -rf test.keydir if [ $ret -ne 0 ]; then echo_i "failed"; fi -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)" ret=0 -$CHECKCONF -z max-ttl.conf > check.out 2>&1 -grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 -grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 -grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` - -n=`expr $n + 1` +$CHECKCONF -z max-ttl.conf >check.out 2>&1 +grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1 +grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1 +grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) + +n=$(expr $n + 1) echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)" ret=0 -$CHECKCONF -z max-ttl-bad.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z max-ttl-bad.conf >checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)" ret=0 -$CHECKCONF -z altdb.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z altdb.conf >checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)" ret=0 -$CHECKCONF -z altdlz.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z altdlz.conf >checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -z fails on view with ANY class ($n)" ret=0 -$CHECKCONF -z view-class-any1.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z view-class-any1.conf >checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)" ret=0 -$CHECKCONF -z view-class-any2.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z view-class-any2.conf >checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -z passes on view with IN class ($n)" ret=0 -$CHECKCONF -z view-class-in1.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z view-class-in1.conf >checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)" ret=0 -$CHECKCONF -z view-class-in2.conf > checkconf.out$n 2>&1 || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z view-class-in2.conf >checkconf.out$n 2>&1 || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that check-names fails as configured ($n)" ret=0 -$CHECKCONF -z check-names-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "near '_underscore': bad name (check-names)" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-names/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-names-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "near '_underscore': bad name (check-names)" <checkconf.out$n >/dev/null || ret=1 +grep "zone check-names/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that check-mx fails as configured ($n)" ret=0 -$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "near '10.0.0.1': MX is an address" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-mx-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "near '10.0.0.1': MX is an address" <checkconf.out$n >/dev/null || ret=1 +grep "zone check-mx/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that check-dup-records fails as configured ($n)" ret=0 -$CHECKCONF -z check-dup-records-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "has semantically identical records" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-dup-records/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-dup-records-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "has semantically identical records" <checkconf.out$n >/dev/null || ret=1 +grep "zone check-dup-records/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that check-mx fails as configured ($n)" ret=0 -$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "failed: MX is an address" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-mx-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "failed: MX is an address" <checkconf.out$n >/dev/null || ret=1 +grep "zone check-mx/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that check-mx-cname fails as configured ($n)" ret=0 -$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "MX.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-mx-cname-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "MX.* is a CNAME (illegal)" <checkconf.out$n >/dev/null || ret=1 +grep "zone check-mx-cname/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that check-srv-cname fails as configured ($n)" ret=0 -$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out$n 2>&1 && ret=1 -grep "SRV.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1 -grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-srv-cname-fail.conf >checkconf.out$n 2>&1 && ret=1 +grep "SRV.* is a CNAME (illegal)" <checkconf.out$n >/dev/null || ret=1 +grep "zone check-mx-cname/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that named-checkconf -p properly print a port range ($n)" ret=0 -$CHECKCONF -p portrange-good.conf > checkconf.out$n 2>&1 || ret=1 -grep "range 8610 8614;" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -p portrange-good.conf >checkconf.out$n 2>&1 || ret=1 +grep "range 8610 8614;" <checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that named-checkconf -z handles in-view ($n)" ret=0 -$CHECKCONF -z in-view-good.conf > checkconf.out$n 2>&1 || ret=1 -grep "zone shared.example/IN: loaded serial" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z in-view-good.conf >checkconf.out$n 2>&1 || ret=1 +grep "zone shared.example/IN: loaded serial" <checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that named-checkconf -z returns error when a later view is okay ($n)" ret=0 -$CHECKCONF -z check-missing-zone.conf > checkconf.out$n 2>&1 && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-missing-zone.conf >checkconf.out$n 2>&1 && ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that named-checkconf prints max-cache-size <percentage> correctly ($n)" ret=0 -$CHECKCONF -p max-cache-size-good.conf > checkconf.out$n 2>&1 || ret=1 -grep "max-cache-size 60%;" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -p max-cache-size-good.conf >checkconf.out$n 2>&1 || ret=1 +grep "max-cache-size 60%;" <checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that named-checkconf -l prints out the zone list ($n)" ret=0 -$CHECKCONF -l good.conf | -grep -v "is deprecated" | -grep -v "is not implemented" | -grep -v "is not recommended" | -grep -v "no longer exists" | -grep -v "is obsolete" > checkconf.out$n || ret=1 -diff good.zonelist checkconf.out$n > diff.out$n || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` - -n=`expr $n + 1` +$CHECKCONF -l good.conf \ + | grep -v "is deprecated" \ + | grep -v "is not implemented" \ + | grep -v "is not recommended" \ + | grep -v "no longer exists" \ + | grep -v "is obsolete" >checkconf.out$n || ret=1 +diff good.zonelist checkconf.out$n >diff.out$n || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) + +n=$(expr $n + 1) echo_i "check that 'dnssec-lookaside auto;' generates a warning ($n)" ret=0 -$CHECKCONF warn-dlv-auto.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF warn-dlv-auto.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "option 'dnssec-lookaside' is obsolete and should be removed" <checkconf.out$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that 'dnssec-lookaside . trust-anchor dlv.isc.org;' generates a warning ($n)" ret=0 -$CHECKCONF warn-dlv-dlv.isc.org.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF warn-dlv-dlv.isc.org.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "option 'dnssec-lookaside' is obsolete and should be removed" <checkconf.out$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' generates a warning ($n)" ret=0 -$CHECKCONF warn-dlv-dlv.example.com.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "option 'dnssec-lookaside' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF warn-dlv-dlv.example.com.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "option 'dnssec-lookaside' is obsolete and should be removed" <checkconf.out$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)" ret=0 -$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF check-root-ksk-2010.conf >checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] || ret=1 -grep "key without the updated" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` - -n=`expr $n + 1` +grep "key without the updated" <checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) + +n=$(expr $n + 1) echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)" ret=0 -$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF check-root-ksk-both.conf >checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)" ret=0 -$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF check-root-ksk-2017.conf >checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] && ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that a static root key generates a warning ($n)" ret=0 -$CHECKCONF check-root-static-key.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF check-root-static-key.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "static entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that a static root DS trust anchor generates a warning ($n)" ret=0 -$CHECKCONF check-root-static-ds.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF check-root-static-ds.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "static entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that a trusted-keys entry for root generates a warning ($n)" ret=0 -$CHECKCONF check-root-trusted-key.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF check-root-trusted-key.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that using trust-anchors and managed-keys generates an error ($n)" ret=0 -$CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1 -grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF check-mixed-keys.conf >checkconf.out$n 2>/dev/null && ret=1 +grep "use of managed-keys is not allowed" checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that 'geoip-use-ecs no' generates a warning ($n)" ret=0 -$CHECKCONF warn-geoip-use-ecs.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF warn-geoip-use-ecs.conf >checkconf.out$n 2>/dev/null || ret=1 [ -s checkconf.out$n ] || ret=1 -grep "'geoip-use-ecs' is obsolete" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` - -n=`expr $n + 1` +grep "'geoip-use-ecs' is obsolete" <checkconf.out$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) + +n=$(expr $n + 1) echo_i "checking named-checkconf kasp errors ($n)" ret=0 -$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1 -grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1 -grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF kasp-and-other-dnssec-options.conf >checkconf.out$n 2>&1 && ret=1 +grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" <checkconf.out$n >/dev/null || ret=1 +grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" <checkconf.out$n >/dev/null || ret=1 +grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" <checkconf.out$n >/dev/null || ret=1 +grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" <checkconf.out$n >/dev/null || ret=1 +grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" <checkconf.out$n >/dev/null || ret=1 +grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" <checkconf.out$n >/dev/null || ret=1 +grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" <checkconf.out$n >/dev/null || ret=1 +grep "update-check-ksk: cannot be configured if dnssec-policy is also set" <checkconf.out$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)" ret=0 -$CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1 -grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1 -lines=$(wc -l < "checkconf.out$n") +$CHECKCONF kasp-bad-nsec3-iter.conf >checkconf.out$n 2>&1 && ret=1 +grep "dnssec-policy: nsec3 iterations value 151 out of range" <checkconf.out$n >/dev/null || ret=1 +lines=$(wc -l <"checkconf.out$n") if [ $lines -ne 3 ]; then ret=1; fi if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)" ret=0 -$CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1 -grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF kasp-bad-nsec3-alg.conf >checkconf.out$n 2>&1 && ret=1 +grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" <checkconf.out$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking named-checkconf kasp key errors ($n)" ret=0 -$CHECKCONF kasp-bad-keylen.conf > checkconf.out$n 2>&1 && ret=1 -grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF kasp-bad-keylen.conf >checkconf.out$n 2>&1 && ret=1 +grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" <checkconf.out$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking named-checkconf kasp predefined key length ($n)" ret=0 -$CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1 || ret=1 -grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1 +$CHECKCONF kasp-ignore-keylen.conf >checkconf.out$n 2>&1 || ret=1 +grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" <checkconf.out$n >/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that a good 'kasp' configuration is accepted ($n)" ret=0 -$CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null || ret=1 +$CHECKCONF good-kasp.conf >checkconf.out$n 2>/dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "checking that named-checkconf prints a known good kasp config ($n)" ret=0 -awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in +awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf >good-kasp.conf.in [ -s good-kasp.conf.in ] || ret=1 -$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' > good-kasp.conf.out 2>&1 || ret=1 +$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' >good-kasp.conf.out 2>&1 || ret=1 cmp good-kasp.conf.in good-kasp.conf.out || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that max-ixfr-ratio 100% generates a warning ($n)" ret=0 -$CHECKCONF warn-maxratio1.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "exceeds 100%" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF warn-maxratio1.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "exceeds 100%" <checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that *-source options with specified port generate warnings ($n)" ret=0 -$CHECKCONF warn-transfer-source.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "not recommended" < checkconf.out$n > /dev/null || ret=1 -$CHECKCONF warn-notify-source.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "not recommended" < checkconf.out$n > /dev/null || ret=1 -$CHECKCONF warn-parental-source.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "not recommended" < checkconf.out$n > /dev/null || ret=1 -if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` - -n=`expr $n + 1` +$CHECKCONF warn-transfer-source.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "not recommended" <checkconf.out$n >/dev/null || ret=1 +$CHECKCONF warn-notify-source.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "not recommended" <checkconf.out$n >/dev/null || ret=1 +$CHECKCONF warn-parental-source.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "not recommended" <checkconf.out$n >/dev/null || ret=1 +if [ $ret -ne 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) + +n=$(expr $n + 1) echo_i "check that using both max-zone-ttl and dnssec-policy generates a warning ($n)" ret=0 -$CHECKCONF warn-kasp-max-zone-ttl.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" < checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF warn-kasp-max-zone-ttl.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" <checkconf.out$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=$((n+1)) +n=$((n + 1)) echo_i "check that masterfile-format map generates deprecation warning ($n)" ret=0 -$CHECKCONF deprecated-masterfile-format-map.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "is deprecated" < checkconf.out$n >/dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=$((status+ret)) +$CHECKCONF deprecated-masterfile-format-map.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "is deprecated" <checkconf.out$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that masterfile-format text and raw don't generate deprecation warning ($n)" ret=0 -$CHECKCONF good-masterfile-format-text.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "is deprecated" < checkconf.out$n >/dev/null && ret=1 -$CHECKCONF good-masterfile-format-raw.conf > checkconf.out$n 2>/dev/null || ret=1 -grep "is deprecated" < checkconf.out$n >/dev/null && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=$((status+ret)) - -n=$((n+1)) +$CHECKCONF good-masterfile-format-text.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "is deprecated" <checkconf.out$n >/dev/null && ret=1 +$CHECKCONF good-masterfile-format-raw.conf >checkconf.out$n 2>/dev/null || ret=1 +grep "is deprecated" <checkconf.out$n >/dev/null && ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$((status + ret)) + +n=$((n + 1)) echo_i "check that 'check-wildcard no;' succeeds as configured ($n)" ret=0 -$CHECKCONF -z check-wildcard-no.conf > checkconf.out$n 2>&1 || ret=1 -grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null && ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-wildcard-no.conf >checkconf.out$n 2>&1 || ret=1 +grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n >/dev/null && ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) -n=`expr $n + 1` +n=$(expr $n + 1) echo_i "check that 'check-wildcard yes;' warns as configured ($n)" ret=0 -$CHECKCONF -z check-wildcard.conf > checkconf.out$n 2>&1 || ret=1 -grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi -status=`expr $status + $ret` +$CHECKCONF -z check-wildcard.conf >checkconf.out$n 2>&1 || ret=1 +grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n >/dev/null || ret=1 +if [ $ret != 0 ]; then + echo_i "failed" + ret=1 +fi +status=$(expr $status + $ret) rmdir keys |