#!/bin/sh

# Inputs of the test. The @...@ placeholders are presumably substituted by the
# build system when this .in template is turned into the runnable script.
DATA="@top_srcdir@/tests/knot/semantic_check_data"
KZONECHECK="@top_builddir@/src/kzonecheck"

# TAP helpers used below (ok, diag, skip_block, skip_all, plan_lazy,
# test_tmpdir) are not defined in this file; presumably they come from here.
. "@top_srcdir@/tests/tap/libtap.sh"

# kzonecheck output is captured in a log file under the directory returned by
# test_tmpdir. This assignment also replaces any TMPDIR value inherited from
# the environment for the rest of the script.
TMPDIR=$(test_tmpdir)
LOG="${TMPDIR}/log"

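# Run kzonecheck on a zone file that is expected to fail the semantic checks.
#
# Params: zonefile fatal_error expected_errors_count semcheck_err_msg
#   $1  zone file name, relative to $DATA
#   $2  expected number of "Serious semantic error detected" lines
#   $3  expected number of output lines that report the message in $4
#   $4  expected message; it is embedded in an extended regular expression,
#       so callers escape regex metacharacters themselves
# Globals: KZONECHECK, DATA, LOG (read); fatal, errors (written)
# Emits three TAP results (exit status, fatal count, error count), or skips
# all three when the zone file is not readable.
expect_error()
{
	if [ ! -r "$DATA/$1" ]; then
		# Three checks are reported below, so three are skipped.
		skip_block 3 "missing zone file for test"
		return
	fi

	"$KZONECHECK" -o example.com "$DATA/$1" > "$LOG"
	ok "$1 - check program return" test $? -eq 1

	# An empty message reduces the error pattern to "any bracketed line",
	# so the count check no longer proves that the intended error was hit.
	if [ -z "$4" ]; then
		diag "$1 - empty expected message, error pattern matches any line"
	fi

	# grep -c prints a bare number (no padding, unlike some wc -l
	# implementations); $LOG is quoted so a temp path with spaces works.
	fatal=$(grep -c -E "^Serious semantic error detected" "$LOG")
	ok "$1 - check fatal" test "$fatal" -eq "$2"

	errors=$(grep -c -E "^\[.+\] $4" "$LOG")
	ok "$1 - check errors" test "$errors" -eq "$3"
	if [ "$errors" -ne "$3" ]; then
		diag "expected errors $3 but found $errors"
	fi
}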

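# Check that kzonecheck, run without the -d option, accepts a zone file.
#
# Params: zonefile
#   $1  zone file name, relative to $DATA
# Globals: KZONECHECK, DATA (read)
# Emits one TAP result: pass when kzonecheck exits with status 0.
test_correct()
{
	# Quoted like in expect_error, so a build path with spaces still runs.
	"$KZONECHECK" -o example.com "$DATA/$1" > /dev/null
	ok "$1 - correct zone, without error" test $? -eq 0
}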

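# Check that kzonecheck accepts a zone file when invoked with "-d off"
# (going by the function name, this turns the DNSSEC checks off).
#
# Params: zonefile
#   $1  zone file name, relative to $DATA
# Globals: KZONECHECK, DATA (read)
# Emits one TAP result: pass when kzonecheck exits with status 0.
test_correct_no_dnssec()
{
	# Quoted like in expect_error, so a build path with spaces still runs.
	"$KZONECHECK" -o example.com -d off "$DATA/$1" > /dev/null
	ok "$1 - correct zone, without error" test $? -eq 0
}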

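# Skip the whole test file when the kzonecheck binary is not available.
# The quotes matter: with an empty KZONECHECK the unquoted form collapses to
# `[ ! -x ]`, which is false, so the skip would silently not trigger.
if [ ! -x "$KZONECHECK" ]; then
	skip_all "kzonecheck is missing or is not executable"
fi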

# Error messages as printed by kzonecheck; they mirror the strings in
# knot/src/zone/semantic-check.c and are matched against its output.
# NOTE(review): CDNSKEY_NOT_MATCH is used by the "cdnskey.nodnskey" case
# further down but has no definition in this list, so it expands to an
# empty string there. Add it with the text from semantic-check.c.
CDNSKEY_NONE='missing CDNSKEY'
CDNSKEY_NO_CDS='CDNSKEY without corresponding CDS'
CDNSKEY_DELETE='invalid CDNSKEY/CDS for DNSSEC delete algorithm'
CDS_NONE='missing CDS'
CDS_NOT_MATCH='CDS not match CDNSKEY'
CNAME_EXTRA_RECORDS='more records exist at CNAME'
CNAME_MULTIPLE='multiple CNAME records'
DNAME_CHILDREN='child record exists under DNAME'
DNAME_MULTIPLE='multiple DNAME records'
DNAME_EXTRA_NS='NS record exists at DNAME'
DNSKEY_PROTO='invalid protocol in DNSKEY'
DS_ALG='invalid algorithm in DS'
NSEC3PARAM_FLAGS='invalid flags in NSEC3PARAM'
NSEC3_ALG='incorrect algorithm in NSEC3'
NSEC3_INSECURE_DELEGATION_OPT='insecure delegation outside NSEC3 opt-out'
NSEC3_ITERS='incorrect number of iterations in NSEC3'
NSEC3_NONE='missing NSEC3'
NSEC3_RDATA_BITMAP='incorrect type bitmap in NSEC3'
NSEC3_RDATA_CHAIN='incoherent NSEC3 chain'
NSEC_NONE='missing NSEC'
NSEC_RDATA_BITMAP='incorrect type bitmap in NSEC'
NSEC_RDATA_CHAIN='incoherent NSEC chain'
NSEC_RDATA_MULTIPLE='multiple NSEC records'
NS_APEX='missing NS at the zone apex'
NS_GLUE='missing glue record'
RRSIG_EXPIRED='expired RRSIG'
RRSIG_NO_RRSIG='missing RRSIG'
# Double quotes here because the message itself contains an apostrophe.
RRSIG_RDATA_DNSKEY_OWNER="wrong signer's name in RRSIG"
RRSIG_RDATA_TTL='wrong original TTL in RRSIG'
RRSIG_SIGNED='signed RRSIG'
RRSIG_UNVERIFIABLE='unverifiable signature'

# The number of tests is not declared up front.
plan_lazy

# Negative cases: expect_error <zonefile> <fatal_count> <error_count> <message>.
# The message is used inside an extended regular expression, which is why
# literal parentheses in it are written as \( and \).

# Zones where one "Serious semantic error detected" line is expected.
expect_error "cname_extra_01.zone"   1 1 "$CNAME_EXTRA_RECORDS"
expect_error "cname_extra_02.signed" 1 1 "$CNAME_EXTRA_RECORDS"
expect_error "cname_multiple.zone"   1 1 "$CNAME_MULTIPLE"
expect_error "dname_children.zone"   1 1 "$DNAME_CHILDREN"
expect_error "dname_multiple.zone"   1 1 "$DNAME_MULTIPLE"
expect_error "dname_extra_ns.zone"   1 1 "$DNAME_EXTRA_NS"

# Zones where errors are reported but no fatal line is expected.
expect_error "ns_apex.missing" 0 1 "$NS_APEX"
expect_error "glue_apex_both.missing" 0 2 "$NS_GLUE"
expect_error "glue_apex_one.missing" 0 1 "$NS_GLUE"
expect_error "glue_besides.missing" 0 1 "$NS_GLUE"
expect_error "glue_deleg.missing" 0 1 "$NS_GLUE"
expect_error "glue_in_apex.missing" 0 1 "$NS_GLUE"
# Some zone files are checked more than once, each time for a different message.
expect_error "different_signer_name.signed" 0 1 "$RRSIG_RDATA_DNSKEY_OWNER \(record type NSEC\)"
expect_error "different_signer_name.signed" 0 1 "$RRSIG_UNVERIFIABLE \(record type NSEC\)"
expect_error "no_rrsig.signed" 0 1 "$RRSIG_NO_RRSIG \(record type A\)"
expect_error "no_rrsig.signed" 0 1 "$RRSIG_NO_RRSIG \(record type NSEC\)"
expect_error "no_rrsig_with_delegation.signed" 0 1 "$RRSIG_NO_RRSIG \(record type NSEC\)"
expect_error "nsec_broken_chain_01.signed" 0 1 "$NSEC_RDATA_CHAIN"
expect_error "nsec_broken_chain_02.signed" 0 1 "$NSEC_RDATA_CHAIN"
expect_error "nsec_missing.signed" 0 1 "$NSEC_NONE"
expect_error "nsec_multiple.signed" 0 1 "$NSEC_RDATA_MULTIPLE"
expect_error "nsec_wrong_bitmap_01.signed" 0 1 "$NSEC_RDATA_BITMAP"
expect_error "nsec_wrong_bitmap_02.signed" 0 1 "$NSEC_RDATA_BITMAP"
expect_error "nsec3_missing.signed" 0 1 "$NSEC3_NONE"
expect_error "nsec3_wrong_bitmap_01.signed" 0 1 "$NSEC3_RDATA_BITMAP"
expect_error "nsec3_wrong_bitmap_02.signed" 0 1 "$NSEC3_RDATA_BITMAP"
expect_error "nsec3_ds.signed" 0 1 "$NSEC3_NONE"
expect_error "nsec3_optout.signed" 0 1 "$NSEC3_INSECURE_DELEGATION_OPT"
expect_error "nsec3_chain_01.signed" 0 1 "$NSEC3_RDATA_CHAIN"
expect_error "nsec3_chain_02.signed" 0 2 "$NSEC3_RDATA_CHAIN"
expect_error "nsec3_chain_03.signed" 0 2 "$NSEC3_RDATA_CHAIN"
expect_error "nsec3_param_invalid.signed" 0 1 "$NSEC3_ALG"
expect_error "nsec3_param_invalid.signed" 0 1 "$NSEC3_ITERS"
expect_error "nsec3_param_invalid.signed" 0 1 "$NSEC3PARAM_FLAGS"
expect_error "rrsig_signed.signed" 0 1 "$RRSIG_SIGNED"
expect_error "rrsig_rdata_ttl.signed" 0 1 "$RRSIG_RDATA_TTL \(record type A\)"
expect_error "duplicate.signature" 0 7 "$RRSIG_EXPIRED"
expect_error "missing.signed" 0 1 "$NSEC_NONE"
expect_error "dnskey_param_error.signed" 0 1 "$DNSKEY_PROTO"
expect_error "invalid_ds.signed" 0 2 "$DS_ALG \(keytag 60485\)"
expect_error "cdnskey.invalid" 0 1 "$CDS_NOT_MATCH"
expect_error "cdnskey.invalid.param" 0 1 "$CDS_NOT_MATCH"
expect_error "cdnskey.nocds" 0 1 "$CDS_NONE"
expect_error "cdnskey.nocdnskey" 0 1 "$CDNSKEY_NONE"
# NOTE(review): CDNSKEY_NOT_MATCH is not defined anywhere in this file, so the
# message below is empty and the pattern matches any bracketed error line.
# This case passes on a single error of any kind; define the variable with the
# intended text from semantic-check.c.
expect_error "cdnskey.nodnskey" 0 1 "$CDNSKEY_NOT_MATCH"
expect_error "cdnskey.orphan.cds" 0 1 "$CDS_NOT_MATCH"
expect_error "cdnskey.orphan.cdnskey" 0 1 "$CDNSKEY_NO_CDS"
expect_error "cdnskey.delete.invalid.cds" 0 1 "$CDNSKEY_DELETE"
expect_error "cdnskey.delete.invalid.cdnskey" 0 1 "$CDNSKEY_DELETE"

# Positive cases: each of these zones must pass kzonecheck without any error.
for zone in \
	"rrsig_ttl.signed" \
	"no_error_delegaton_bitmap.signed" \
	"no_error_nsec3_delegation.signed" \
	"no_error_nsec3_optout.signed" \
	"glue_wildcard.valid" \
	"glue_no_foreign.valid" \
	"glue_in_deleg.valid" \
	"cdnskey.cds" \
	"cdnskey.delete.both" \
	"dname_apex_nsec3.signed"
do
	test_correct "$zone"
done

# Zones from the negative cases above, re-run through test_correct_no_dnssec
# (kzonecheck with "-d off"); in that mode each one must be accepted.
for zone in \
	"no_rrsig.signed" \
	"no_rrsig_with_delegation.signed" \
	"nsec_broken_chain_01.signed" \
	"nsec_broken_chain_02.signed" \
	"nsec_missing.signed" \
	"nsec_multiple.signed" \
	"nsec_wrong_bitmap_01.signed" \
	"nsec_wrong_bitmap_02.signed" \
	"nsec3_missing.signed" \
	"nsec3_wrong_bitmap_01.signed" \
	"nsec3_wrong_bitmap_02.signed" \
	"nsec3_ds.signed" \
	"nsec3_optout.signed" \
	"nsec3_chain_01.signed" \
	"nsec3_chain_02.signed" \
	"nsec3_chain_03.signed" \
	"nsec3_param_invalid.signed" \
	"rrsig_signed.signed" \
	"rrsig_rdata_ttl.signed" \
	"duplicate.signature" \
	"missing.signed" \
	"dnskey_param_error.signed" \
	"cdnskey.invalid" \
	"cdnskey.invalid.param" \
	"cdnskey.nocds" \
	"cdnskey.nocdnskey" \
	"cdnskey.nodnskey" \
	"cdnskey.orphan.cds" \
	"cdnskey.orphan.cdnskey" \
	"cdnskey.delete.invalid.cds" \
	"cdnskey.delete.invalid.cdnskey"
do
	test_correct_no_dnssec "$zone"
done

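# Remove the captured kzonecheck output. Quoted so that a temp path containing
# whitespace or glob characters is removed as exactly one file.
rm -- "$LOG"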