path: root/bin/tests/system/verify/tests.sh
#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0.  If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Abort on the first unhandled command failure.  The checks below are
# written as "cmd && ret=1" / "cmd || ret=1" lists; a failing command on
# the left of such a list is exempt from -e, so an expected non-zero exit
# from the tool under test does not end the script.
set -e

# Shared system-test configuration, sourced into this shell.  The path is
# relative, so the script has to be started from its own directory, and
# whatever file sits at ../conf.sh runs with this script's privileges.
# echo_i and $VERIFY are not defined in this file; presumably they come
# from conf.sh -- confirm there.
. ../conf.sh
# Report the check that is currently running as failed.
# Globals:   n (read)         - number of the running check; selects
#                               the capture file verify.out.$n
#            status (written) - set to 1; the end of the script turns a
#                               non-zero status into exit code 1
# Outputs:   the captured output of the check, every line prefixed with
#            "D:", followed by a "failed" line printed through echo_i
failed() {
  # cat stays on the left of the pipe: the pipeline's status is then
  # sed's, so an unreadable capture file does not abort the run under -e.
  cat "verify.out.$n" | sed -e 's/^/D:/'
  echo_i "failed"
  status=1
}

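# n numbers the checks and names each capture file (verify.out.$n).
# status becomes 1 as soon as any check fails and decides the exit code
# at the end of the script.
n=0
status=0

# Positive cases: every zones/*.good file must be accepted by $VERIFY.
for file in zones/*.good; do
  n=$((n + 1))
  # Zone origin = file name without the directory and the ".good" suffix.
  # Parameter expansion replaces expr, whose pattern left the "." before
  # "good" unescaped and whose exit status is 1 for an empty or "0" match,
  # which would end the script under set -e.
  zone=${file#zones/}
  zone=${zone%.good}
  echo_i "checking supposedly good zone: $zone ($n)"
  ret=0
  # Zones named zsk-only.* or ksk-only.* are verified with -z.
  case "$zone" in
    zsk-only.* | ksk-only.*) only=-z ;;
    *) only= ;;
  esac
  # ${only} is left unquoted on purpose: when it is empty it has to
  # disappear from the command line instead of becoming an empty argument.
  # $VERIFY is left unquoted as in the original; it may carry more than
  # one word -- confirm in conf.sh.  Zone, file and capture names are
  # quoted so that an unusual file name cannot be split or globbed.
  $VERIFY ${only} -o "$zone" "$file" >"verify.out.$n" 2>&1 || ret=1
  [ "$ret" = 0 ] || failed
done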

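# Negative cases: every zones/*.bad file must be rejected by $VERIFY, and
# for the known defect classes the output must contain the diagnostic that
# names the defect.
#
# NOTE(review): "rejected" means any non-zero exit status.  Termination of
# the verifier by a signal also yields a non-zero status, so for zones that
# fall into the default arm below (no expected message) an abnormal exit
# with any output would be counted as a pass; their output is dumped so it
# can be inspected by hand.
for file in zones/*.bad; do
  n=$((n + 1))
  # Zone origin = file name without the directory and the ".bad" suffix
  # (parameter expansion instead of expr, whose pattern left the "."
  # before "bad" unescaped).
  zone=${file#zones/}
  zone=${zone%.bad}
  echo_i "checking supposedly bad zone: $zone ($n)"
  ret=0
  dumpit=0
  # Zones named zsk-only.* or ksk-only.* are verified with -z.
  case "$zone" in
    zsk-only.* | ksk-only.*) only=-z ;;
    *) only= ;;
  esac
  # Expected diagnostics, matched by grep as basic regular expressions.
  # An empty value is replaced by "." further down, which matches any
  # non-empty line.
  expect1= expect2=
  case "$zone" in
    *.dnskeyonly)
      expect1="DNSKEY is not signed"
      ;;
    *.expired | *.ksk-expired)
      expect1="signature has expired"
      expect2="No self-signed .*DNSKEY found"
      ;;
    *.out-of-zone-nsec | *.below-bottom-of-zone-nsec | *.below-dname-nsec)
      expect1="unexpected NSEC RRset at"
      ;;
    *.nsec.broken-chain)
      expect1="Bad NSEC record for.*, next name mismatch"
      ;;
    *.bad-bitmap)
      expect1="bit map mismatch"
      ;;
    *.missing-empty)
      expect1="Missing NSEC3 record for"
      ;;
    unsigned)
      expect1="Zone contains no DNSSEC keys"
      ;;
    *.extra-nsec3)
      expect1="Expected and found NSEC3 chains not equal"
      ;;
    *)
      # No specific message is known for this zone: show the output.
      dumpit=1
      ;;
  esac
  # A zero exit status means the bad zone was accepted: that is the failure.
  # ${only} stays unquoted so that an empty value adds no argument.
  $VERIFY ${only} -o "$zone" "$file" >"verify.out.$n" 2>&1 && ret=1
  grep "${expect1:-.}" "verify.out.$n" >/dev/null || ret=1
  grep "${expect2:-.}" "verify.out.$n" >/dev/null || ret=1
  [ "$ret" = 0 ] || failed
  # An if statement keeps the loop body's final status at 0 when nothing
  # is dumped; the original "[ ... ] && cat" left it at 1 in that case.
  if [ "$dumpit" = 1 ]; then
    cat "verify.out.$n"
  fi
done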

n=$((n + 1))
echo_i "checking error message when -o is not used and a SOA record not at top of zone is found ($n)"
ret=0
# Without -o the origin is set to the zone file name, which should cause
# an error here: the run must fail ...
if $VERIFY zones/ksk+zsk.nsec.good >"verify.out.$n" 2>&1; then
  ret=1
fi
# ... report the misplaced SOA record ...
if ! grep "not at top of zone" "verify.out.$n" >/dev/null; then
  ret=1
fi
# ... and point the operator at -o.
if ! grep "use -o to specify a different zone origin" "verify.out.$n" >/dev/null; then
  ret=1
fi
if [ "$ret" != 0 ]; then
  failed
fi

n=$((n + 1))
echo_i "checking error message when an invalid -o is specified and a SOA record not at top of zone is found ($n)"
ret=0
# With an explicit origin that does not fit the zone file the run must
# still fail ...
if $VERIFY -o invalid.origin zones/ksk+zsk.nsec.good >"verify.out.$n" 2>&1; then
  ret=1
fi
# ... and still report the misplaced SOA record ...
if ! grep "not at top of zone" "verify.out.$n" >/dev/null; then
  ret=1
fi
# ... but the "use -o" hint must be absent, since -o was already given.
if grep "use -o to specify a different zone origin" "verify.out.$n" >/dev/null; then
  ret=1
fi
if [ "$ret" != 0 ]; then
  failed
fi

# Print the overall result; any recorded failure becomes exit code 1.
echo_i "exit status: $status"
if [ "$status" -eq 0 ]; then
  :
else
  exit 1
fi