summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/verify/tests.sh
blob: fb8cc40a2bc5d3b553a621038f811e19abb8dd06 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
failed() {
  cat verify.out.$n | sed 's/^/D:/'
  echo_i "failed"
  status=1
}

n=0
status=0

for file in zones/*.good; do
  n=$(expr $n + 1)
  zone=$(expr "$file" : 'zones/\(.*\).good')
  echo_i "checking supposedly good zone: $zone ($n)"
  ret=0
  case $zone in
    zsk-only.*) only=-z ;;
    ksk-only.*) only=-z ;;
    *) only= ;;
  esac
  $VERIFY ${only} -o $zone $file >verify.out.$n 2>&1 || ret=1
  [ $ret = 0 ] || failed
done

for file in zones/*.bad; do
  n=$(expr $n + 1)
  zone=$(expr "$file" : 'zones/\(.*\).bad')
  echo_i "checking supposedly bad zone: $zone ($n)"
  ret=0
  dumpit=0
  case $zone in
    zsk-only.*) only=-z ;;
    ksk-only.*) only=-z ;;
    *) only= ;;
  esac
  expect1= expect2=
  case $zone in
    *.dnskeyonly)
      expect1="DNSKEY is not signed"
      ;;
    *.expired)
      expect1="signature has expired"
      expect2="No self-signed .*DNSKEY found"
      ;;
    *.ksk-expired)
      expect1="signature has expired"
      expect2="No self-signed .*DNSKEY found"
      ;;
    *.out-of-zone-nsec | *.below-bottom-of-zone-nsec | *.below-dname-nsec)
      expect1="unexpected NSEC RRset at"
      ;;
    *.nsec.broken-chain)
      expect1="Bad NSEC record for.*, next name mismatch"
      ;;
    *.bad-bitmap)
      expect1="bit map mismatch"
      ;;
    *.missing-empty)
      expect1="Missing NSEC3 record for"
      ;;
    unsigned)
      expect1="Zone contains no DNSSEC keys"
      ;;
    *.extra-nsec3)
      expect1="Expected and found NSEC3 chains not equal"
      ;;
    *)
      dumpit=1
      ;;
  esac
  $VERIFY ${only} -o $zone $file >verify.out.$n 2>&1 && ret=1
  grep "${expect1:-.}" verify.out.$n >/dev/null || ret=1
  grep "${expect2:-.}" verify.out.$n >/dev/null || ret=1
  [ $ret = 0 ] || failed
  [ $dumpit = 1 ] && cat verify.out.$n
done

n=$(expr $n + 1)
echo_i "checking error message when -o is not used and a SOA record not at top of zone is found ($n)"
ret=0
# When -o is not used, origin is set to zone file name, which should cause an error in this case
$VERIFY zones/ksk+zsk.nsec.good >verify.out.$n 2>&1 && ret=1
grep "not at top of zone" verify.out.$n >/dev/null || ret=1
grep "use -o to specify a different zone origin" verify.out.$n >/dev/null || ret=1
[ $ret = 0 ] || failed

n=$(expr $n + 1)
echo_i "checking error message when an invalid -o is specified and a SOA record not at top of zone is found ($n)"
ret=0
$VERIFY -o invalid.origin zones/ksk+zsk.nsec.good >verify.out.$n 2>&1 && ret=1
grep "not at top of zone" verify.out.$n >/dev/null || ret=1
grep "use -o to specify a different zone origin" verify.out.$n >/dev/null && ret=1
[ $ret = 0 ] || failed

echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1