Adding upstream version 1:9.18.19.upstream/1%9.18.19upstream

Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>

317 files changed, 8507 insertions, 0 deletions

diff --git a/bin/tests/system/checkconf/altdb.conf b/bin/tests/system/checkconf/altdb.conf
new file mode 100644
index 0000000..1d8aded
--- /dev/null
+++ b/bin/tests/system/checkconf/altdb.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view override_bind chaos {
+	zone "version.bind" chaos {
+		type primary;
+		database "_builtin version";
+	};
+};
diff --git a/bin/tests/system/checkconf/altdlz.conf b/bin/tests/system/checkconf/altdlz.conf
new file mode 100644
index 0000000..db8eecc
--- /dev/null
+++ b/bin/tests/system/checkconf/altdlz.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dlz external {
+	database "dlopen driver.so";
+	search no;
+};
+
+zone "example.com" {
+	type primary;
+	dlz external;
+};
+
+zone "." {
+	type redirect;
+	dlz external;
+};
diff --git a/bin/tests/system/checkconf/ancient.conf b/bin/tests/system/checkconf/ancient.conf
new file mode 100644
index 0000000..98189cc
--- /dev/null
+++ b/bin/tests/system/checkconf/ancient.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Ancient options are fatal.
+ */
+options {
+	fake-iquery yes;
+};
diff --git a/bin/tests/system/checkconf/bad-acl.conf b/bin/tests/system/checkconf/bad-acl.conf
new file mode 100644
index 0000000..5095059
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-acl.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl a {
+	{ "none"; };
+	{ !19.0.0.0/7; };
+};
+
+options {
+	allow-query { a; };
+};
diff --git a/bin/tests/system/checkconf/bad-also-notify.conf b/bin/tests/system/checkconf/bad-also-notify.conf
new file mode 100644
index 0000000..2ab8896
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-also-notify.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * Missing primary in also-notify clause.
+ */
+
+zone dummy {
+	type primary;
+	file "xxxx";
+	also-notify { xxxx; };
+};
diff --git a/bin/tests/system/checkconf/bad-catz-zone-dup.conf b/bin/tests/system/checkconf/bad-catz-zone-dup.conf
new file mode 100644
index 0000000..08fae42
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-catz-zone-dup.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	catalog-zones { zone example.com; zone example.com; };
+};
+
+zone example.com {
+	type primary;
+	file "example.com";
+};
diff --git a/bin/tests/system/checkconf/bad-catz-zone-primary-dup.conf b/bin/tests/system/checkconf/bad-catz-zone-primary-dup.conf
new file mode 100644
index 0000000..55a2d78
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-catz-zone-primary-dup.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	catalog-zones {
+		zone "catalog.example"
+			default-masters { 10.53.0.1; }
+			default-primaries { 10.53.0.1 port 5304; }
+			in-memory yes;
+	};
+};
+
+zone "catalog.example" {
+    type secondary;
+    file "catalog.example.db";
+    primaries { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-catz-zone.conf b/bin/tests/system/checkconf/bad-catz-zone.conf
new file mode 100644
index 0000000..6f0677a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-catz-zone.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	catalog-zones {
+		zone "nonexistent";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-checknames-primary-dup-2.conf b/bin/tests/system/checkconf/bad-checknames-primary-dup-2.conf
new file mode 100644
index 0000000..24e6ef9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-checknames-primary-dup-2.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	check-names primary warn;
+	check-names primary fail;
+};
diff --git a/bin/tests/system/checkconf/bad-checknames-primary-dup.conf b/bin/tests/system/checkconf/bad-checknames-primary-dup.conf
new file mode 100644
index 0000000..e746e84
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-checknames-primary-dup.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	check-names master warn;
+	check-names primary fail;
+};
diff --git a/bin/tests/system/checkconf/bad-checknames-secondary-dup.conf b/bin/tests/system/checkconf/bad-checknames-secondary-dup.conf
new file mode 100644
index 0000000..ea83d7e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-checknames-secondary-dup.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	check-names slave ignore;
+	check-names secondary warn;
+};
diff --git a/bin/tests/system/checkconf/bad-dnskey-validity.conf b/bin/tests/system/checkconf/bad-dnskey-validity.conf
new file mode 100644
index 0000000..8c28ac5
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dnskey-validity.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnskey-sig-validity 5000;	/* maximum value 10 years, this is 14 */
+};
diff --git a/bin/tests/system/checkconf/bad-dnssec.conf b/bin/tests/system/checkconf/bad-dnssec.conf
new file mode 100644
index 0000000..3dbd0f3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dnssec.conf
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone not-inline {
+	type secondary;
+	primaries { 127.0.0.1; };
+	inline-signing no;
+	dnssec-dnskey-kskonly yes;
+	update-check-ksk yes;
+	dnssec-loadkeys-interval 10;
+
+};
+
+zone inline {
+	type secondary;
+	primaries { 127.0.0.1; };
+	inline-signing yes;
+	dnssec-dnskey-kskonly yes;
+	update-check-ksk yes;
+	dnssec-loadkeys-interval 10;
+};
diff --git a/bin/tests/system/checkconf/bad-doh-1.conf b/bin/tests/system/checkconf/bad-doh-1.conf
new file mode 100644
index 0000000..a10a236
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-doh-1.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	key-file "key.pem";
+	cert-file "cert.pem";
+};
+
+http local-http-server {
+	endpoints { "/dns-query"; };
+};
+
+# undefined 'tls' specification
+options {
+	listen-on port 8080 http local-http-server tls unknown { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-doh-2.conf b/bin/tests/system/checkconf/bad-doh-2.conf
new file mode 100644
index 0000000..c797eee
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-doh-2.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	key-file "key.pem";
+	cert-file "cert.pem";
+};
+
+# undefined 'http' specification
+options {
+	listen-on port 8080 http unknown tls local-tls { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-doh-3.conf b/bin/tests/system/checkconf/bad-doh-3.conf
new file mode 100644
index 0000000..7447a01
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-doh-3.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+http local-http-server {
+	endpoints { "/dns-query"; };
+};
+
+# no 'tls' specification
+options {
+	listen-on port 8080 http unknown { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-doh-badpath-1.conf b/bin/tests/system/checkconf/bad-doh-badpath-1.conf
new file mode 100644
index 0000000..9a0f449
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-doh-badpath-1.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# bad HTTP location
+http local-http-server {
+	endpoints { "dns-query"; };
+};
+
+options {
+	listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-doh-badpath-2.conf b/bin/tests/system/checkconf/bad-doh-badpath-2.conf
new file mode 100644
index 0000000..e8013ee
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-doh-badpath-2.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# bad HTTP location
+http local-http-server {
+	endpoints { "//"; };
+};
+
+options {
+	listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-doh-badpath-3.conf b/bin/tests/system/checkconf/bad-doh-badpath-3.conf
new file mode 100644
index 0000000..fc5464c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-doh-badpath-3.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# bad HTTP location
+http local-http-server {
+	endpoints { "/dns-query?dns="; };
+};
+
+options {
+	listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-doh-default.conf b/bin/tests/system/checkconf/bad-doh-default.conf
new file mode 100644
index 0000000..dce7fe6
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-doh-default.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# 'default' is a built-in configuration intended to be used in
+# 'listen-on' statements
+http default {
+	endpoints { "/dns-query"; };
+	listener-clients 100;
+	streams-per-connection 100;
+};
diff --git a/bin/tests/system/checkconf/bad-doh-duplicates.conf b/bin/tests/system/checkconf/bad-doh-duplicates.conf
new file mode 100644
index 0000000..a598d07
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-doh-duplicates.conf
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	key-file "key.pem";
+	cert-file "cert.pem";
+};
+
+http local-http-server {
+	endpoints { "/dns-query"; };
+	listener-clients 100;
+	streams-per-connection 100;
+};
+
+# duplicated HTTP configuration
+http local-http-server {
+	endpoints { "/dns-query"; };
+	listener-clients 100;
+	streams-per-connection 100;
+};
+
+options {
+	listen-on { 10.53.0.1; };
+	http-port 80;
+	https-port 443;
+	http-listener-clients 100;
+	http-streams-per-connection 100;
+	listen-on port 443 tls local-tls http local-http-server { 10.53.0.1; };
+	listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-1.conf b/bin/tests/system/checkconf/bad-dot-1.conf
new file mode 100644
index 0000000..436a269
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-1.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# undefined 'tls' specification
+options {
+	listen-on port 853 tls local-tls { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-port.conf b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-port.conf
new file mode 100644
index 0000000..7d807fd
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-port.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+	type primary;
+	file "example1.db";
+	allow-transfer port 99999 { any; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-1.conf b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-1.conf
new file mode 100644
index 0000000..cba5557
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-1.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+	type primary;
+	file "example1.db";
+	allow-transfer port 44344 transport blah { any; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-2.conf b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-2.conf
new file mode 100644
index 0000000..e772592
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-2.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+	type primary;
+	file "example1.db";
+	allow-transfer port 44344 transport udp { any; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-3.conf b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-3.conf
new file mode 100644
index 0000000..22956d2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-3.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+	type primary;
+	file "example1.db";
+	allow-transfer port 44344 transport http { any; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-4.conf b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-4.conf
new file mode 100644
index 0000000..dfc7794
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-allow-transfer-bad-proto-4.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+	type primary;
+	file "example1.db";
+	allow-transfer port 44344 transport http-plain { any; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-badciphers.conf b/bin/tests/system/checkconf/bad-dot-badciphers.conf
new file mode 100644
index 0000000..42a9f64
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-badciphers.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	key-file "key.pem";
+	cert-file "cert.pem";
+	ciphers "$bad:ciphers";
+};
+
+options {
+	listen-on port 853 tls local-tls { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-badprotocol.conf b/bin/tests/system/checkconf/bad-dot-badprotocol.conf
new file mode 100644
index 0000000..f1cc15a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-badprotocol.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	key-file "key.pem";
+	cert-file "cert.pem";
+	protocols { unknown; TLSv1.2; }; # bad TLS protocol version name
+};
+
+options {
+	listen-on port 853 tls local-tls { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-duplicatetls.conf b/bin/tests/system/checkconf/bad-dot-duplicatetls.conf
new file mode 100644
index 0000000..508290f
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-duplicatetls.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	key-file "key.pem";
+	cert-file "cert.pem";
+};
+
+tls local-tls {
+	key-file "key.pem";
+	cert-file "cert.pem";
+};
+
+options {
+	listen-on port 853 tls local-tls { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-ephemeral.conf b/bin/tests/system/checkconf/bad-dot-ephemeral.conf
new file mode 100644
index 0000000..c9581f2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-ephemeral.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# ephemeral is reserved for internal use
+tls ephemeral {
+	key-file "key.pem";
+	cert-file "cert.pem";
+};
+
+options {
+	listen-on port 853 tls ephemeral { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-nocert.conf b/bin/tests/system/checkconf/bad-dot-nocert.conf
new file mode 100644
index 0000000..db02e9f
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-nocert.conf
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	key-file "key.pem";
+};
+
+http local-http-server {
+	endpoints { "/dns-query"; };
+	listener-clients 100;
+	streams-per-connection 100;
+};
+
+options {
+	listen-on { 10.53.0.1; };
+	http-port 80;
+	https-port 443;
+	http-listener-clients 100;
+	http-streams-per-connection 100;
+	listen-on port 443 tls local-tls http local-http-server { 10.53.0.1; };
+	listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-nokey.conf b/bin/tests/system/checkconf/bad-dot-nokey.conf
new file mode 100644
index 0000000..1d5c3c5
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-nokey.conf
@@ -0,0 +1,32 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	cert-file "cert.pem";
+};
+
+http local-http-server {
+	endpoints { "/dns-query"; };
+	listener-clients 100;
+	streams-per-connection 100;
+};
+
+options {
+	listen-on { 10.53.0.1; };
+	http-port 80;
+	https-port 443;
+	http-listener-clients 100;
+	http-streams-per-connection 100;
+	listen-on port 443 tls local-tls http local-http-server { 10.53.0.1; };
+	listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-none.conf b/bin/tests/system/checkconf/bad-dot-none.conf
new file mode 100644
index 0000000..fa26ab1
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-none.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# none is reserved for internal use
+tls none {
+	key-file "key.pem";
+	cert-file "cert.pem";
+};
+
+options {
+	listen-on port 853 tls none { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-dot-primaries.conf b/bin/tests/system/checkconf/bad-dot-primaries.conf
new file mode 100644
index 0000000..8958cbe
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-dot-primaries.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example" {
+	type secondary;
+	primaries { 10.53.0.1 tls undefined; };
+	file "example.db";
+	allow-transfer { any; };
+};
diff --git a/bin/tests/system/checkconf/bad-duplicate-key.conf b/bin/tests/system/checkconf/bad-duplicate-key.conf
new file mode 100644
index 0000000..17f2237
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-duplicate-key.conf
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-validation yes;
+};
+
+trust-anchors {
+	example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+		kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+		fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+		WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+		NQyrszHhWUU=";
+};
+
+trust-anchors {
+	example. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+		2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+		E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+		Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+		6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-duplicate-primaries-1.conf b/bin/tests/system/checkconf/bad-duplicate-primaries-1.conf
new file mode 100644
index 0000000..3bbabde
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-duplicate-primaries-1.conf
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+primaries duplicate { 1.2.3.4; };
+primaries duplicate { 4.3.2.1; };
diff --git a/bin/tests/system/checkconf/bad-duplicate-primaries-2.conf b/bin/tests/system/checkconf/bad-duplicate-primaries-2.conf
new file mode 100644
index 0000000..1d1c6f0
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-duplicate-primaries-2.conf
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+masters duplicate { 1.2.3.4; };
+primaries duplicate { 4.3.2.1; };
diff --git a/bin/tests/system/checkconf/bad-duplicate-root-key.conf b/bin/tests/system/checkconf/bad-duplicate-root-key.conf
new file mode 100644
index 0000000..1cbc7d4
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-duplicate-root-key.conf
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-validation yes;
+};
+
+trust-anchors {
+	. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+		kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+		fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+		WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+		NQyrszHhWUU=";
+};
+
+trusted-keys {
+	. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+		2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+		E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+		Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+		6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-duration.conf b/bin/tests/system/checkconf/bad-duration.conf
new file mode 100644
index 0000000..1fbecc7
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-duration.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "test" {
+	dnskey-ttl xPT1H;
+};
diff --git a/bin/tests/system/checkconf/bad-glue-cache-bogus.conf b/bin/tests/system/checkconf/bad-glue-cache-bogus.conf
new file mode 100644
index 0000000..c264b26
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-glue-cache-bogus.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	glue-cache bogusvalue;
+};
diff --git a/bin/tests/system/checkconf/bad-hint.conf b/bin/tests/system/checkconf/bad-hint.conf
new file mode 100644
index 0000000..7214a00
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-hint.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type hint;
+	masterfile-format raw;
+	file "hint";
+};
diff --git a/bin/tests/system/checkconf/bad-in-view-dup.conf b/bin/tests/system/checkconf/bad-in-view-dup.conf
new file mode 100644
index 0000000..1d8bd17
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-in-view-dup.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view a {
+	zone x { type primary; file "x"; };
+};
+
+view b {
+	zone x { type primary; file "x"; };
+	zone x { in-view a; };
+};
diff --git a/bin/tests/system/checkconf/bad-inline-options.conf b/bin/tests/system/checkconf/bad-inline-options.conf
new file mode 100644
index 0000000..f7c62dd
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-inline-options.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * inline-signing not allowed at options level.
+ */
+options {
+	inline-signing yes;
+};
+
+zone "." {
+	type primary;
+	file "root.db";
+};
diff --git a/bin/tests/system/checkconf/bad-inline-secondary.conf b/bin/tests/system/checkconf/bad-inline-secondary.conf
new file mode 100644
index 0000000..3646216
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-inline-secondary.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+ /*
+  * An inline-signing secondary should be forced to have a file option
+  */
+
+  zone "." {
+	  type secondary;
+	  inline-signing yes;
+	  primaries { 10.53.0.1; };
+  };
diff --git a/bin/tests/system/checkconf/bad-inline-view.conf b/bin/tests/system/checkconf/bad-inline-view.conf
new file mode 100644
index 0000000..e46bd0b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-inline-view.conf
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * inline-signing not allowed at view level.
+ */
+view "a" {
+	inline-signing yes;
+
+	zone "." {
+		type primary;
+		file "root.db.signed";
+	};
+};
+
+view "b" {
+	zone "." {
+		type primary;
+		file "root.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-interface-interval.conf b/bin/tests/system/checkconf/bad-interface-interval.conf
new file mode 100644
index 0000000..ba8341a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-interface-interval.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	interface-interval 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf b/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf
new file mode 100644
index 0000000..d7604eb
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-ipv4-prefix-dotted1.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl myacl {
+	127.1; /* Incomplete dotted IPv4 address / prefix */
+};
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf b/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
new file mode 100644
index 0000000..cb53741
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl myacl {
+	127.1/8; /* No-zero bits */
+};
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix2.conf b/bin/tests/system/checkconf/bad-ipv4-prefix2.conf
new file mode 100644
index 0000000..98e724a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-ipv4-prefix2.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl myacl {
+	127; /* Non-dotted quad IPv4 address (0.0.0.127) / prefix without length. */
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-define-default.conf b/bin/tests/system/checkconf/bad-kasp-define-default.conf
new file mode 100644
index 0000000..73c90ef
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-define-default.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// 'default' is a built-in policy, redefinition not allowed.
+dnssec-policy "default" {
+	signatures-refresh P5D;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "default";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-define-insecure.conf b/bin/tests/system/checkconf/bad-kasp-define-insecure.conf
new file mode 100644
index 0000000..b2d22d3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-define-insecure.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// 'insecure' is a built-in policy, redefinition not allowed.
+dnssec-policy "insecure" {
+	signatures-refresh P5D;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "insecure";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-define-none.conf b/bin/tests/system/checkconf/bad-kasp-define-none.conf
new file mode 100644
index 0000000..cea9988
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-define-none.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// 'none' is a built-in policy, redefinition not allowed.
+dnssec-policy "none" {
+	signatures-refresh P5D;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "none";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-duplicate.conf b/bin/tests/system/checkconf/bad-kasp-duplicate.conf
new file mode 100644
index 0000000..7f3ade6
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-duplicate.conf
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy a { };
+dnssec-policy a { };
diff --git a/bin/tests/system/checkconf/bad-kasp-key1.conf b/bin/tests/system/checkconf/bad-kasp-key1.conf
new file mode 100644
index 0000000..0bf80de
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-key1.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badalg" {
+	keys {
+		csk lifetime unlimited algorithm ceasarscipher;
+	};
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "badalg";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-key2.conf b/bin/tests/system/checkconf/bad-kasp-key2.conf
new file mode 100644
index 0000000..8e97e2a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-key2.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badalg" {
+	keys {
+		csk lifetime unlimited algorithm 8 4097;
+	};
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "badalg";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-key3.conf b/bin/tests/system/checkconf/bad-kasp-key3.conf
new file mode 100644
index 0000000..85e4e48
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-key3.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badalg" {
+	keys {
+		csk lifetime unlimited algorithm rsasha512 1023;
+	};
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "badalg";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-key4.conf b/bin/tests/system/checkconf/bad-kasp-key4.conf
new file mode 100644
index 0000000..ca142a3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-key4.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badalg" {
+	keys {
+		csk lifetime unlimited algorithm 5 511;
+	};
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "badalg";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir1.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir1.conf.in
new file mode 100644
index 0000000..b0deaea
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir1.conf.in
@@ -0,0 +1,50 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The same zone in different views is using different DNSSEC policies, so it
+ * may not have the same key-directory.
+ */
+
+
+key "keyforview1" {
+	algorithm @DEFAULT_HMAC@;
+	secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+	algorithm @DEFAULT_HMAC@;
+	secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+	match-clients { key "keyforview1"; };
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "default";
+		key-directory ".";
+		file "example1.db";
+	};
+};
+
+view "example2" {
+	match-clients { key "keyforview2"; };
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "insecure";
+		key-directory ".";
+		file "example2.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir2.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir2.conf.in
new file mode 100644
index 0000000..699c193
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir2.conf.in
@@ -0,0 +1,48 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * No key-directory is set, so the default is used.
+ * Should fail because the same zone in different views is using different
+ * DNSSEC policies.
+ */
+
+key "keyforview1" {
+	algorithm @DEFAULT_HMAC@;
+	secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+	algorithm @DEFAULT_HMAC@;
+	secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+	match-clients { key "keyforview1"; };
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "default";
+		file "example1.db";
+	};
+};
+
+view "example2" {
+	match-clients { key "keyforview2"; };
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "insecure";
+		file "example2.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir3.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir3.conf.in
new file mode 100644
index 0000000..0dbd7e2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir3.conf.in
@@ -0,0 +1,55 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The zone in view "example1" inherits the key directory value from "options",
+ * but in view "example2" sets the key directory to the same value. This should
+ * be detected as an error because the zone is using different DNSSEC policies
+ * and should thus use different key directories.
+ */
+
+key "keyforview1" {
+	algorithm @DEFAULT_HMAC@;
+	secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+	algorithm @DEFAULT_HMAC@;
+	secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+options {
+	key-directory "keys";
+};
+
+view "example1" {
+	match-clients { key "keyforview1"; };
+
+	zone "example.net" {
+		type primary;
+		/* key-directory inherited from options. */
+		dnssec-policy "default";
+		file "example1.db";
+	};
+};
+
+view "example2" {
+	match-clients { key "keyforview2"; };
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "insecure";
+		key-directory "keys";
+		file "example2.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir4.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir4.conf.in
new file mode 100644
index 0000000..af4a8f9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir4.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The zone inherits the key-directory from the "view" level. Both views use the
+ * same key-directory, but the zone uses a different DNSSEC policy per view.
+ * This is a configuration error.
+ */
+
+key "keyforview1" {
+	algorithm @DEFAULT_HMAC@;
+	secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+	algorithm @DEFAULT_HMAC@;
+	secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+	match-clients { key "keyforview1"; };
+
+	key-directory "keys";
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "default";
+		file "example1.db";
+	};
+};
+
+view "example2" {
+	match-clients { key "keyforview2"; };
+
+	key-directory "keys";
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "insecure";
+		file "example2.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir5.conf.in b/bin/tests/system/checkconf/bad-kasp-keydir5.conf.in
new file mode 100644
index 0000000..1cca608
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-keydir5.conf.in
@@ -0,0 +1,52 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * In one view, the zone inherits the key-directory from the "view" level, while
+ * in the other it is set explicitly at the "zone" level. In both cases, the
+ * same key-directory is used, but the zone uses a different DNSSEC policy per
+ * view. This is a configuration error.
+ */
+
+key "keyforview1" {
+	algorithm @DEFAULT_HMAC@;
+	secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+	algorithm @DEFAULT_HMAC@;
+	secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+	match-clients { key "keyforview1"; };
+
+	key-directory "keys";
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "default";
+		file "example1.db";
+	};
+};
+
+view "example2" {
+	match-clients { key "keyforview2"; };
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "insecure";
+		key-directory "keys";
+		file "example2.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-nsec3-alg.conf b/bin/tests/system/checkconf/bad-kasp-nsec3-alg.conf
new file mode 100644
index 0000000..ff25ece
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-nsec3-alg.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "badnsec3alg" {
+	keys {
+		csk lifetime unlimited algorithm rsasha1;
+	};
+	nsec3param iterations 0 optout 0 salt-length 0;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "badnsec3alg";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf
new file mode 100644
index 0000000..12a26d3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited-view.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+view "test" {
+	dnssec-policy "notdefined";
+
+	zone "example.net" {
+		type primary;
+		file "example.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf
new file mode 100644
index 0000000..48514ac
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp-policy-undefined-inherited.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+	dnssec-policy "notdefined";
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+};
diff --git a/bin/tests/system/checkconf/bad-kasp10.conf b/bin/tests/system/checkconf/bad-kasp10.conf
new file mode 100644
index 0000000..8253fae
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp10.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with dnssec-policy 'none', one zone with dnssec-policy 'insecure',
+// both using the same zone file.
+
+zone "example1.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "none";
+};
+
+zone "example2.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "insecure";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp11.conf b/bin/tests/system/checkconf/bad-kasp11.conf
new file mode 100644
index 0000000..68177c2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp11.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with a dnssec-policy, the other with allow-update,
+// with the same zone file.
+
+zone "example1.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "default";
+};
+
+zone "example2.net" {
+	type primary;
+	file "example.db";
+	allow-update { any; };
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp12.conf b/bin/tests/system/checkconf/bad-kasp12.conf
new file mode 100644
index 0000000..0ae8c1e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp12.conf
@@ -0,0 +1,30 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with a dnssec-policy, the other with update-policy,
+// with the same zone file.
+
+zone "example1.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "default";
+};
+
+zone "example2.net" {
+	type primary;
+	file "example.db";
+	update-policy {
+		grant * self * TXT;
+	};
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp13.conf b/bin/tests/system/checkconf/bad-kasp13.conf
new file mode 100644
index 0000000..c74a5d7
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp13.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone transitioning to insecure, the other with allow-update,
+// with the same zone file.
+
+zone "example1.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "insecure";
+};
+
+zone "example2.net" {
+	type primary;
+	file "example.db";
+	allow-update { any; };
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp2.conf b/bin/tests/system/checkconf/bad-kasp2.conf
new file mode 100644
index 0000000..2e88964
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp2.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "good-kasp.conf";
+
+// Bad zone configuration because this has dnssec-policy and other DNSSEC sign
+// configuration options (auto-dnssec).
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "test";
+	auto-dnssec maintain;
+	allow-update { any; };
+};
diff --git a/bin/tests/system/checkconf/bad-kasp3.conf b/bin/tests/system/checkconf/bad-kasp3.conf
new file mode 100644
index 0000000..8c6d7b4
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp3.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "good-kasp.conf";
+
+// Bad zone configuration because this has dnssec-policy with no matching
+// dnssec-policy configuration (good-kasp.conf has "test", zone refers to
+// "nosuchpolicy".
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "nosuchpolicy";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp4.conf b/bin/tests/system/checkconf/bad-kasp4.conf
new file mode 100644
index 0000000..d35d12f
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp4.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// Bad kasp configuration because this has an invalid duration for
+// signatures-refresh.
+dnssec-policy "badduration" {
+	signatures-refresh PT20Sabcd;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "badduration";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp6.conf b/bin/tests/system/checkconf/bad-kasp6.conf
new file mode 100644
index 0000000..3304038
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp6.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// Two zones with dnssec-policy with the same zone file.
+
+zone "example1.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "default";
+};
+
+zone "example2.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "default";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp7.conf b/bin/tests/system/checkconf/bad-kasp7.conf
new file mode 100644
index 0000000..c5dfbe8
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp7.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// Two zones with dnssec-policy 'insecure' (transitioning to insecure)
+// with the same zone file.
+
+zone "example1.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "insecure";
+};
+
+zone "example2.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "insecure";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp8.conf b/bin/tests/system/checkconf/bad-kasp8.conf
new file mode 100644
index 0000000..1712fd0
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp8.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with dnssec-policy, the other zone has 'dnssec-policy none',
+// both with the same zone file.
+
+zone "example1.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "default";
+};
+
+zone "example2.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "none";
+};
+
diff --git a/bin/tests/system/checkconf/bad-kasp9.conf b/bin/tests/system/checkconf/bad-kasp9.conf
new file mode 100644
index 0000000..3bb5448
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-kasp9.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// One zone with dnssec-policy, the other zone has 'dnssec-policy insecure'
+// (transitioning to inseure), both with the same zone file.
+
+zone "example1.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "default";
+};
+
+zone "example2.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "insecure";
+};
+
diff --git a/bin/tests/system/checkconf/bad-keep-response-order.conf b/bin/tests/system/checkconf/bad-keep-response-order.conf
new file mode 100644
index 0000000..a3685d7
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-keep-response-order.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	keep-response-order {
+		does_not_exist;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-ksk-without-zsk.conf b/bin/tests/system/checkconf/bad-ksk-without-zsk.conf
new file mode 100644
index 0000000..66e1b7f
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-ksk-without-zsk.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy ksk-without-zsk {
+	keys {
+		ksk lifetime 30d algorithm 13;
+	};
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	dnssec-policy ksk-without-zsk;
+};
diff --git a/bin/tests/system/checkconf/bad-lifetime.conf b/bin/tests/system/checkconf/bad-lifetime.conf
new file mode 100644
index 0000000..f268076
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-lifetime.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	nta-lifetime 8d;
+};
diff --git a/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf b/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf
new file mode 100644
index 0000000..5655a16
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-lmdb-mapsize-bogus.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	lmdb-mapsize bogusvalue;
+};
diff --git a/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf b/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf
new file mode 100644
index 0000000..006ca7d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-lmdb-mapsize-toolarge.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	lmdb-mapsize 2048G;
+};
diff --git a/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf b/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf
new file mode 100644
index 0000000..5dd1720
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-lmdb-mapsize-toosmall.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	lmdb-mapsize 1;
+};
diff --git a/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf b/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf
new file mode 100644
index 0000000..f1e7b88
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-lmdb-mapsize-unlimited.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	lmdb-mapsize unlimited;
+};
diff --git a/bin/tests/system/checkconf/bad-master-request-ixfr.conf b/bin/tests/system/checkconf/bad-master-request-ixfr.conf
new file mode 100644
index 0000000..770afb3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-master-request-ixfr.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * request-ixfr clause is not allowed in zone of type primary.
+ */
+
+zone dummy {
+	type primary;
+	request-ixfr no;
+	file "xxxx";
+};
diff --git a/bin/tests/system/checkconf/bad-masterfile-format-map.conf b/bin/tests/system/checkconf/bad-masterfile-format-map.conf
new file mode 100644
index 0000000..634ca14
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-masterfile-format-map.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { ::1; };
+	masterfile-format map;
+};
diff --git a/bin/tests/system/checkconf/bad-maxcachettl.conf b/bin/tests/system/checkconf/bad-maxcachettl.conf
new file mode 100644
index 0000000..47f0643
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxcachettl.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	max-cache-ttl 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-1.conf b/bin/tests/system/checkconf/bad-maxncachettl-1.conf
new file mode 100644
index 0000000..ad852c3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxncachettl-1.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	max-ncache-ttl 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-2.conf b/bin/tests/system/checkconf/bad-maxncachettl-2.conf
new file mode 100644
index 0000000..ada5c83
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxncachettl-2.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view two {
+	max-ncache-ttl 604801;
+};
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-3.conf b/bin/tests/system/checkconf/bad-maxncachettl-3.conf
new file mode 100644
index 0000000..771a0f3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxncachettl-3.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view three {
+	max-ncache-ttl 4000000000;
+};
+view four {
+	max-ncache-ttl -1;
+};
diff --git a/bin/tests/system/checkconf/bad-maxncachettl-4.conf b/bin/tests/system/checkconf/bad-maxncachettl-4.conf
new file mode 100644
index 0000000..d9cd939
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxncachettl-4.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view four {
+	max-ncache-ttl -1;
+};
diff --git a/bin/tests/system/checkconf/bad-maxratio1.conf b/bin/tests/system/checkconf/bad-maxratio1.conf
new file mode 100644
index 0000000..ade4de1
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxratio1.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+	type primary;
+	masterfile-format raw;
+	file "example.db";
+	max-ixfr-ratio 0.9;
+};
diff --git a/bin/tests/system/checkconf/bad-maxratio2.conf b/bin/tests/system/checkconf/bad-maxratio2.conf
new file mode 100644
index 0000000..adb63f3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-maxratio2.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+	type primary;
+	masterfile-format raw;
+	file "example.db";
+	max-ixfr-ratio 0%;
+};
diff --git a/bin/tests/system/checkconf/bad-mincachettl.conf b/bin/tests/system/checkconf/bad-mincachettl.conf
new file mode 100644
index 0000000..cd02c66
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mincachettl.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	min-cache-ttl 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-minncachettl.conf b/bin/tests/system/checkconf/bad-minncachettl.conf
new file mode 100644
index 0000000..1148bcc
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-minncachettl.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	min-ncache-ttl 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf b/bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf
new file mode 100644
index 0000000..1f4c8fe
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mirror-allow-recursion-none.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	recursion yes;
+	allow-recursion { none; };
+};
+
+zone "." {
+	type mirror;
+	primaries { 127.0.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf b/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf
new file mode 100644
index 0000000..27ad850
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mirror-explicit-notify-yes.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type mirror;
+	notify yes;
+};
diff --git a/bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf b/bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf
new file mode 100644
index 0000000..c9c8b03
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mirror-non-root-zone-without-masters.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "foo." {
+	type mirror;
+};
diff --git a/bin/tests/system/checkconf/bad-mirror-recursion-no.conf b/bin/tests/system/checkconf/bad-mirror-recursion-no.conf
new file mode 100644
index 0000000..f5536ac
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mirror-recursion-no.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	recursion no;
+};
+
+zone "." {
+	type mirror;
+};
diff --git a/bin/tests/system/checkconf/bad-mirror-zonename.conf b/bin/tests/system/checkconf/bad-mirror-zonename.conf
new file mode 100644
index 0000000..6fc11c1
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-mirror-zonename.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "\0example" {
+        type mirror;
+        file "example.db";
+};
diff --git a/bin/tests/system/checkconf/bad-noddns.conf b/bin/tests/system/checkconf/bad-noddns.conf
new file mode 100644
index 0000000..f7859d1
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-noddns.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+	type primary;
+	file "example.db";
+	auto-dnssec maintain;
+	allow-update { none; };
+};
diff --git a/bin/tests/system/checkconf/bad-notify-source-v6.conf b/bin/tests/system/checkconf/bad-notify-source-v6.conf
new file mode 100644
index 0000000..ef53c96
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-notify-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	notify-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-notify-source.conf b/bin/tests/system/checkconf/bad-notify-source.conf
new file mode 100644
index 0000000..b950784
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-notify-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	notify-source 10.53.0.1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-options-also-notify.conf b/bin/tests/system/checkconf/bad-options-also-notify.conf
new file mode 100644
index 0000000..889a88f
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-options-also-notify.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	also-notify { missing; };
+};
+
+zone "example.net" {
+	type secondary;
+	primaries { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-options.conf b/bin/tests/system/checkconf/bad-parental-agents-def-options.conf
new file mode 100644
index 0000000..2091155
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-options.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	parental-agents { 192.168.1.2; };
+};
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-view.conf b/bin/tests/system/checkconf/bad-parental-agents-def-view.conf
new file mode 100644
index 0000000..47c062a
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-view.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "test" {
+	parental-agents { 192.168.1.2; };
+	zone "example.net" {
+		type primary;
+		file "example.net.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf b/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf
new file mode 100644
index 0000000..aa65a4d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-view2.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "test" {
+	parental-agents "net" {
+		192.168.1.2;
+	 };
+	zone "example.net" {
+		type primary;
+		file "example.net.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-def-zone.conf b/bin/tests/system/checkconf/bad-parental-agents-def-zone.conf
new file mode 100644
index 0000000..e2a8389
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-def-zone.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents "net" { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-dup.conf b/bin/tests/system/checkconf/bad-parental-agents-dup.conf
new file mode 100644
index 0000000..cb5ac44
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-dup.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents { 192.168.1.1; };
+	parental-agents { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf b/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf
new file mode 100644
index 0000000..7ca88f7
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-dupdef.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+parental-agents "net" {
+	192.168.1.1;
+};
+
+parental-agents "net" {
+	192.168.1.2;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents { "net"; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-empty.conf b/bin/tests/system/checkconf/bad-parental-agents-empty.conf
new file mode 100644
index 0000000..f61de06
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-empty.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+parental-agents "net" { };
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents { "net"; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-empty2.conf b/bin/tests/system/checkconf/bad-parental-agents-empty2.conf
new file mode 100644
index 0000000..93b8f7b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-empty2.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents { };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-mirror.conf b/bin/tests/system/checkconf/bad-parental-agents-mirror.conf
new file mode 100644
index 0000000..62926e2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-mirror.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type mirror;
+	file "root.mirror";
+	parental-agents { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-agents-notfound.conf b/bin/tests/system/checkconf/bad-parental-agents-notfound.conf
new file mode 100644
index 0000000..98075c4
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-agents-notfound.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+parental-agents "com" {
+	192.168.1.2;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.net.db";
+	parental-agents { "net"; };
+};
diff --git a/bin/tests/system/checkconf/bad-parental-source-v6.conf b/bin/tests/system/checkconf/bad-parental-source-v6.conf
new file mode 100644
index 0000000..1b053d0
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	parental-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-parental-source.conf b/bin/tests/system/checkconf/bad-parental-source.conf
new file mode 100644
index 0000000..9587b3e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-parental-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	parental-source 10.53.0.1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-port.conf b/bin/tests/system/checkconf/bad-port.conf
new file mode 100644
index 0000000..9650c8f
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-port.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 99999;
+};
diff --git a/bin/tests/system/checkconf/bad-primaries-dup.conf b/bin/tests/system/checkconf/bad-primaries-dup.conf
new file mode 100644
index 0000000..ed761c9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-primaries-dup.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.net" {
+	type secondary;
+	primaries { 192.168.1.1; };
+	masters { 192.168.1.2; };
+};
diff --git a/bin/tests/system/checkconf/bad-primaries-key.conf b/bin/tests/system/checkconf/bad-primaries-key.conf
new file mode 100644
index 0000000..f592293
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-primaries-key.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+        type secondary;
+        primaries { 1.2.3.4 key a..b; };
+};
diff --git a/bin/tests/system/checkconf/bad-primaries-notfound.conf b/bin/tests/system/checkconf/bad-primaries-notfound.conf
new file mode 100644
index 0000000..4640098
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-primaries-notfound.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+primaries "net" {
+	 192.168.1.2;
+};
+
+zone "example.net" {
+	type secondary;
+	primaries { "foo"; };
+};
diff --git a/bin/tests/system/checkconf/bad-primaries-tls.conf b/bin/tests/system/checkconf/bad-primaries-tls.conf
new file mode 100644
index 0000000..7858d1d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-primaries-tls.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+        type secondary;
+        primaries { 1.2.3.4 tls a..b; };
+};
diff --git a/bin/tests/system/checkconf/bad-printtime.conf b/bin/tests/system/checkconf/bad-printtime.conf
new file mode 100644
index 0000000..80a53cb
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-printtime.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+logging {
+	channel one {
+		file "one.out";
+		print-time bogus;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-acl.conf b/bin/tests/system/checkconf/bad-rate-limit-acl.conf
new file mode 100644
index 0000000..06543fb
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-acl.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		responses-per-second 10;
+		exempt-clients { localhost; localnets; unknownacl; };
+		log-only yes;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf
new file mode 100644
index 0000000..aae353e
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-all-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		all-per-second 1001; // greater than DNS_RRL_MAX_RATE
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf
new file mode 100644
index 0000000..b2c6097
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-errors-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		errors-per-second 1001; // greater than DNS_RRL_MAX_RATE
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf b/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf
new file mode 100644
index 0000000..b728575
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-ipv4-prefix-length.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		ipv4-prefix-length 33;	// greater than bits in address
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf b/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf
new file mode 100644
index 0000000..6b5fda5
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-ipv6-prefix-length.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		ipv6-prefix-length 65; // max 64
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf b/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf
new file mode 100644
index 0000000..95309db
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-max-table-size.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		max-table-size 30;	// less than min-table-size default of 500
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf
new file mode 100644
index 0000000..ecfb5f8
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-nodata-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		nodata-per-second 1001; // greater than DNS_RRL_MAX_RATE
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf
new file mode 100644
index 0000000..77c5749
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-nxdomains-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		nxdomains-per-second 1001; // greater than DNS_RRL_MAX_RATE
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf b/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf
new file mode 100644
index 0000000..0dc4532
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-qps-scale.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		qps-scale 0; // must be greater than zero
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf
new file mode 100644
index 0000000..0ea4836
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-referrals-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		referrals-per-second 1001; // greater than DNS_RRL_MAX_RATE
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf b/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf
new file mode 100644
index 0000000..8187244
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-responses-per-second.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		responses-per-second 1001; // greater than DNS_RRL_MAX_RATE
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-slip.conf b/bin/tests/system/checkconf/bad-rate-limit-slip.conf
new file mode 100644
index 0000000..15d270c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-slip.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		slip 11; // greater than default of 10
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rate-limit-window.conf b/bin/tests/system/checkconf/bad-rate-limit-window.conf
new file mode 100644
index 0000000..7ded786
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rate-limit-window.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rate-limit {
+		window 3601; // greater than default of 3600
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-root-mixed-key.conf b/bin/tests/system/checkconf/bad-root-mixed-key.conf
new file mode 100644
index 0000000..7035066
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-root-mixed-key.conf
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	# This key (19036) is to be phased out starting in 2017. It will
+	# remain in the root zone for some time after its successor key
+	# has been added. It will remain this file until it is removed from
+	# the root zone.
+	. static-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+		QxA+Uk1ihz0=";
+
+	# This key (20326) was published in the root zone in 2017.
+	# Servers which were already using the old key (19036) should
+	# roll seamlessly to this new one via RFC 5011 rollover. Servers
+	# being set up for the first time can use the contents of this
+	# file as initializing keys; thereafter, the keys in the
+	# managed key database will be trusted and maintained
+	# automatically.
+	. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/bad-rpz-too-many-zones.conf b/bin/tests/system/checkconf/bad-rpz-too-many-zones.conf
new file mode 100644
index 0000000..0eb9ef3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rpz-too-many-zones.conf
@@ -0,0 +1,148 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	response-policy {
+		zone "max1";
+		zone "max2";
+		zone "max3";
+		zone "max4";
+		zone "max5";
+		zone "max6";
+		zone "max7";
+		zone "max8";
+		zone "max9";
+		zone "max10";
+		zone "max11";
+		zone "max12";
+		zone "max13";
+		zone "max14";
+		zone "max15";
+		zone "max16";
+		zone "max17";
+		zone "max18";
+		zone "max19";
+		zone "max20";
+		zone "max21";
+		zone "max22";
+		zone "max23";
+		zone "max24";
+		zone "max25";
+		zone "max26";
+		zone "max27";
+		zone "max28";
+		zone "max29";
+		zone "max30";
+		zone "max31";
+		zone "max32";
+		zone "max33";
+		zone "max34";
+		zone "max35";
+		zone "max36";
+		zone "max37";
+		zone "max38";
+		zone "max39";
+		zone "max40";
+		zone "max41";
+		zone "max42";
+		zone "max43";
+		zone "max44";
+		zone "max45";
+		zone "max46";
+		zone "max47";
+		zone "max48";
+		zone "max49";
+		zone "max50";
+		zone "max51";
+		zone "max52";
+		zone "max53";
+		zone "max54";
+		zone "max55";
+		zone "max56";
+		zone "max57";
+		zone "max58";
+		zone "max59";
+		zone "max60";
+		zone "max61";
+		zone "max62";
+		zone "max63";
+		zone "max64";
+		zone "max65";
+	};
+};
+
+zone "max1" { type primary; file "rpz.db"; };
+zone "max2" { type primary; file "rpz.db"; };
+zone "max3" { type primary; file "rpz.db"; };
+zone "max4" { type primary; file "rpz.db"; };
+zone "max5" { type primary; file "rpz.db"; };
+zone "max6" { type primary; file "rpz.db"; };
+zone "max7" { type primary; file "rpz.db"; };
+zone "max8" { type primary; file "rpz.db"; };
+zone "max9" { type primary; file "rpz.db"; };
+zone "max10" { type primary; file "rpz.db"; };
+zone "max11" { type primary; file "rpz.db"; };
+zone "max12" { type primary; file "rpz.db"; };
+zone "max13" { type primary; file "rpz.db"; };
+zone "max14" { type primary; file "rpz.db"; };
+zone "max15" { type primary; file "rpz.db"; };
+zone "max16" { type primary; file "rpz.db"; };
+zone "max17" { type primary; file "rpz.db"; };
+zone "max18" { type primary; file "rpz.db"; };
+zone "max19" { type primary; file "rpz.db"; };
+zone "max20" { type primary; file "rpz.db"; };
+zone "max21" { type primary; file "rpz.db"; };
+zone "max22" { type primary; file "rpz.db"; };
+zone "max23" { type primary; file "rpz.db"; };
+zone "max24" { type primary; file "rpz.db"; };
+zone "max25" { type primary; file "rpz.db"; };
+zone "max26" { type primary; file "rpz.db"; };
+zone "max27" { type primary; file "rpz.db"; };
+zone "max28" { type primary; file "rpz.db"; };
+zone "max29" { type primary; file "rpz.db"; };
+zone "max30" { type primary; file "rpz.db"; };
+zone "max31" { type primary; file "rpz.db"; };
+zone "max32" { type primary; file "rpz.db"; };
+zone "max33" { type primary; file "rpz.db"; };
+zone "max34" { type primary; file "rpz.db"; };
+zone "max35" { type primary; file "rpz.db"; };
+zone "max36" { type primary; file "rpz.db"; };
+zone "max37" { type primary; file "rpz.db"; };
+zone "max38" { type primary; file "rpz.db"; };
+zone "max39" { type primary; file "rpz.db"; };
+zone "max40" { type primary; file "rpz.db"; };
+zone "max41" { type primary; file "rpz.db"; };
+zone "max42" { type primary; file "rpz.db"; };
+zone "max43" { type primary; file "rpz.db"; };
+zone "max44" { type primary; file "rpz.db"; };
+zone "max45" { type primary; file "rpz.db"; };
+zone "max46" { type primary; file "rpz.db"; };
+zone "max47" { type primary; file "rpz.db"; };
+zone "max48" { type primary; file "rpz.db"; };
+zone "max49" { type primary; file "rpz.db"; };
+zone "max50" { type primary; file "rpz.db"; };
+zone "max51" { type primary; file "rpz.db"; };
+zone "max52" { type primary; file "rpz.db"; };
+zone "max53" { type primary; file "rpz.db"; };
+zone "max54" { type primary; file "rpz.db"; };
+zone "max55" { type primary; file "rpz.db"; };
+zone "max56" { type primary; file "rpz.db"; };
+zone "max57" { type primary; file "rpz.db"; };
+zone "max58" { type primary; file "rpz.db"; };
+zone "max59" { type primary; file "rpz.db"; };
+zone "max60" { type primary; file "rpz.db"; };
+zone "max61" { type primary; file "rpz.db"; };
+zone "max62" { type primary; file "rpz.db"; };
+zone "max63" { type primary; file "rpz.db"; };
+zone "max64" { type primary; file "rpz.db"; };
+zone "max65" { type primary; file "rpz.db"; };
diff --git a/bin/tests/system/checkconf/bad-rpz-ttl.conf b/bin/tests/system/checkconf/bad-rpz-ttl.conf
new file mode 100644
index 0000000..7b3a6ef
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rpz-ttl.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+	type primary;
+	file "example.com.zone";
+};
+
+options {
+	response-policy {
+		zone "example.com." policy given;
+	}
+		max-policy-ttl 1x;
+};
diff --git a/bin/tests/system/checkconf/bad-rpz-update.conf b/bin/tests/system/checkconf/bad-rpz-update.conf
new file mode 100644
index 0000000..a03f179
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rpz-update.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+	type primary;
+	file "example.com.zone";
+};
+
+options {
+	response-policy {
+		zone "example.com."
+			policy given
+			min-update-interval 5x;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-rpz-zone.conf b/bin/tests/system/checkconf/bad-rpz-zone.conf
new file mode 100644
index 0000000..4aadc61
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-rpz-zone.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	response-policy {
+		zone "nonexistent";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-sharedwritable1.conf b/bin/tests/system/checkconf/bad-sharedwritable1.conf
new file mode 100644
index 0000000..3fcb1af
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sharedwritable1.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone a {
+	type primary;
+	file "shared.db";
+};
+zone b {
+	type secondary;
+	file "shared.db";
+	primaries { 1.2.3.4; };
+};
diff --git a/bin/tests/system/checkconf/bad-sharedwritable2.conf b/bin/tests/system/checkconf/bad-sharedwritable2.conf
new file mode 100644
index 0000000..e8c940c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sharedwritable2.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone a {
+	type secondary;
+	file "shared.db";
+	primaries { 1.2.3.4; };
+};
+zone b {
+	type secondary;
+	file "shared.db";
+	primaries { 1.2.3.4; };
+};
diff --git a/bin/tests/system/checkconf/bad-sharedzone1.conf b/bin/tests/system/checkconf/bad-sharedzone1.conf
new file mode 100644
index 0000000..fccffe9
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sharedzone1.conf
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "first" {
+	match-clients {
+		"none";
+	};
+	zone "clone" {
+		type primary;
+		file "xxx";
+	};
+};
+view "second" {
+	match-clients {
+		"any";
+	};
+	zone "clone" {
+		in-view "first";
+		type secondary;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-sharedzone2.conf b/bin/tests/system/checkconf/bad-sharedzone2.conf
new file mode 100644
index 0000000..76032e3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sharedzone2.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "first" {
+	match-clients {
+		"none";
+	};
+	zone "clone" {
+		type primary;
+		file "xxx";
+	};
+};
+view "second" {
+	match-clients {
+		"any";
+	};
+	zone "clone" {
+		in-view "first";
+		forward only;
+		forwarders { 10.0.0.100; };
+		type secondary;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-sharedzone3.conf b/bin/tests/system/checkconf/bad-sharedzone3.conf
new file mode 100644
index 0000000..07e92bd
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sharedzone3.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view first {
+	zone shared.example {
+		in-view second;
+	};
+};
+
+view second {
+	zone shared.example {
+		type primary;
+		file "shared.example.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-sig-validity.conf b/bin/tests/system/checkconf/bad-sig-validity.conf
new file mode 100644
index 0000000..1744eba
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-sig-validity.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+    sig-validity-interval 5000;
+};
diff --git a/bin/tests/system/checkconf/bad-static-initial-1.conf b/bin/tests/system/checkconf/bad-static-initial-1.conf
new file mode 100644
index 0000000..91a5c10
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-static-initial-1.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
+	example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
+};
diff --git a/bin/tests/system/checkconf/bad-static-initial-2.conf b/bin/tests/system/checkconf/bad-static-initial-2.conf
new file mode 100644
index 0000000..3b4754d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-static-initial-2.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
+        example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-static-initial-3.conf b/bin/tests/system/checkconf/bad-static-initial-3.conf
new file mode 100644
index 0000000..c396d9c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-static-initial-3.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
+        example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-static-initial-4.conf b/bin/tests/system/checkconf/bad-static-initial-4.conf
new file mode 100644
index 0000000..2170d52
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-static-initial-4.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+        example. initial-key 257 3 5 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafGtURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJYkYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJfpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaSWG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjINQyrszHhWUU=";
+        example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-stub-masters-dialup.conf b/bin/tests/system/checkconf/bad-stub-masters-dialup.conf
new file mode 100644
index 0000000..a30236c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-stub-masters-dialup.conf
@@ -0,0 +1,36 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+controls { /* empty */ };
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	heartbeat-interval 2;
+	recursion no;
+};
+zone "." {
+	type hint;
+	file "hint";
+};
+zone "example." {
+	type stub;
+	dialup notify;
+	notify no;
+	file "example.bk";
+	// primaries { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/bad-transfer-source-v6.conf b/bin/tests/system/checkconf/bad-transfer-source-v6.conf
new file mode 100644
index 0000000..da182ff
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-transfer-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	transfer-source-v6 fd92:7065:b8e:ffff::1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-transfer-source.conf b/bin/tests/system/checkconf/bad-transfer-source.conf
new file mode 100644
index 0000000..315c410
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-transfer-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	transfer-source 10.53.0.1 port 5300;
+};
diff --git a/bin/tests/system/checkconf/bad-tsig.conf b/bin/tests/system/checkconf/bad-tsig.conf
new file mode 100644
index 0000000..4af25b0
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-tsig.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/* Bad secret */
+key "badtsig" {
+	algorithm hmac-md5;
+	secret "jEdD+BPKg==";
+};
+
diff --git a/bin/tests/system/checkconf/bad-unpaired-keys.conf b/bin/tests/system/checkconf/bad-unpaired-keys.conf
new file mode 100644
index 0000000..63b6dc2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-unpaired-keys.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy unpaired-keys {
+	keys {
+		/* zsk without ksk */
+		zsk lifetime 30d algorithm 13;
+		/* ksk without zsk */
+		ksk lifetime 30d algorithm 7;
+	};
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	dnssec-policy unpaired-keys;
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy1.conf b/bin/tests/system/checkconf/bad-update-policy1.conf
new file mode 100644
index 0000000..fa1330c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy1.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * self TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy10.conf b/bin/tests/system/checkconf/bad-update-policy10.conf
new file mode 100644
index 0000000..39ac656
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy10.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * krb5-selfsub TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy11.conf b/bin/tests/system/checkconf/bad-update-policy11.conf
new file mode 100644
index 0000000..d148b58
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy11.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * ms-selfsub TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy12.conf b/bin/tests/system/checkconf/bad-update-policy12.conf
new file mode 100644
index 0000000..dc79db3
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy12.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * external TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy13.conf b/bin/tests/system/checkconf/bad-update-policy13.conf
new file mode 100644
index 0000000..694c73b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy13.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant a-key-name name TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy14.conf b/bin/tests/system/checkconf/bad-update-policy14.conf
new file mode 100644
index 0000000..af02ef2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy14.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant a-key-name subdomain TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy15.conf b/bin/tests/system/checkconf/bad-update-policy15.conf
new file mode 100644
index 0000000..f8f7d13
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy15.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant a-key-name wildcard TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy16.conf b/bin/tests/system/checkconf/bad-update-policy16.conf
new file mode 100644
index 0000000..747c381
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy16.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * tcp-self . "ptr(10 )";
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy17.conf b/bin/tests/system/checkconf/bad-update-policy17.conf
new file mode 100644
index 0000000..a2955f2
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy17.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant realm krb5-subdomain-self-rhs PTR;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy18.conf b/bin/tests/system/checkconf/bad-update-policy18.conf
new file mode 100644
index 0000000..090f621
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy18.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant realm krb5-subdomain-self-rhs SRV;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy19.conf b/bin/tests/system/checkconf/bad-update-policy19.conf
new file mode 100644
index 0000000..b8c636b
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy19.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant realm ms-subdomain-self-rhs PTR;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy2.conf b/bin/tests/system/checkconf/bad-update-policy2.conf
new file mode 100644
index 0000000..0d5adf6
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy2.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * selfsub TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy20.conf b/bin/tests/system/checkconf/bad-update-policy20.conf
new file mode 100644
index 0000000..9775e2c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy20.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant realm ms-subdomain-self-rhs SRV;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy3.conf b/bin/tests/system/checkconf/bad-update-policy3.conf
new file mode 100644
index 0000000..4583ede
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy3.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * selfwild TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy4.conf b/bin/tests/system/checkconf/bad-update-policy4.conf
new file mode 100644
index 0000000..52a074d
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy4.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * ms-self TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy5.conf b/bin/tests/system/checkconf/bad-update-policy5.conf
new file mode 100644
index 0000000..38a6d4f
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy5.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * krb5-self TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy6.conf b/bin/tests/system/checkconf/bad-update-policy6.conf
new file mode 100644
index 0000000..acca627
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy6.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * ms-subdomain TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy7.conf b/bin/tests/system/checkconf/bad-update-policy7.conf
new file mode 100644
index 0000000..95541d4
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy7.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * krb5-subdomain TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy8.conf b/bin/tests/system/checkconf/bad-update-policy8.conf
new file mode 100644
index 0000000..d0534c4
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy8.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * tcp-self TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-update-policy9.conf b/bin/tests/system/checkconf/bad-update-policy9.conf
new file mode 100644
index 0000000..96d201c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-update-policy9.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * 6to4-self TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-validation-auto-key.conf b/bin/tests/system/checkconf/bad-validation-auto-key.conf
new file mode 100644
index 0000000..bd6f547
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-validation-auto-key.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-validation auto;
+};
+
+trust-anchors {
+	. static-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+		2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+		E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+		Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+		6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/bad-view-also-notify.conf b/bin/tests/system/checkconf/bad-view-also-notify.conf
new file mode 100644
index 0000000..071a621
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-view-also-notify.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view example {
+	also-notify { missing; };
+	zone "example.net" {
+		type secondary;
+		primaries { 192.168.1.1; };
+	};
+};
diff --git a/bin/tests/system/checkconf/bad-zsk-without-ksk.conf b/bin/tests/system/checkconf/bad-zsk-without-ksk.conf
new file mode 100644
index 0000000..31b031c
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-zsk-without-ksk.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy zsk-without-ksk {
+	keys {
+		zsk lifetime 30d algorithm 13;
+	};
+};
+
+zone "example" {
+	type primary;
+	file "example.db";
+	dnssec-policy zsk-without-ksk;
+};
diff --git a/bin/tests/system/checkconf/check-dup-records-fail.conf b/bin/tests/system/checkconf/check-dup-records-fail.conf
new file mode 100644
index 0000000..04880b6
--- /dev/null
+++ b/bin/tests/system/checkconf/check-dup-records-fail.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+  check-integrity yes; // default is yes
+};
+
+zone "check-dup-records" {
+  type primary;
+  file "check-dup-records.db";
+  check-dup-records fail;
+};
+
diff --git a/bin/tests/system/checkconf/check-dup-records.db b/bin/tests/system/checkconf/check-dup-records.db
new file mode 100644
index 0000000..558686c
--- /dev/null
+++ b/bin/tests/system/checkconf/check-dup-records.db
@@ -0,0 +1,33 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600	; 10 minutes
+@		IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			MX	10 mail
+
+mail			A	10.0.0.1
+ns2			A	10.53.0.2
+
+; following records are not de-duplicated
+; and will be matched by check-dup-records
+duplicate		HIP     ( 2 200100107B1A74DF365639CC39F1D578
+                                AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
+                                rvs.example.com. )
+duplicate		HIP     ( 2 200100107B1A74DF365639CC39F1D578
+                                AwEAAbdxyhNuSutc5EMzxTs9LBPCIkOFH8cIvM4p9+LrV4e19WzK00+CI6zBCQTdtWsuxKbWIy87UOoJTwkUs7lBu+Upr1gsNrut79ryra+bSRGQb1slImA8YVJyuIDsj7kwzG7jnERNqnWxZ48AWkskmdHaVDP4BcelrTI3rMXdXF5D
+                                RVS.example.com. )
diff --git a/bin/tests/system/checkconf/check-missing-zone.conf b/bin/tests/system/checkconf/check-missing-zone.conf
new file mode 100644
index 0000000..daf2cf7
--- /dev/null
+++ b/bin/tests/system/checkconf/check-missing-zone.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view missing {
+	zone missing.example {
+		type primary;
+		file "missing.example.db";
+	};
+};
+
+view good {
+	zone shared.example {
+		type primary;
+		file "shared.example.db";
+	};
+};
diff --git a/bin/tests/system/checkconf/check-mixed-keys.conf b/bin/tests/system/checkconf/check-mixed-keys.conf
new file mode 100644
index 0000000..1dd018d
--- /dev/null
+++ b/bin/tests/system/checkconf/check-mixed-keys.conf
@@ -0,0 +1,43 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	# This key (19036) is to be phased out starting in 2017. It will
+	# remain in the root zone for some time after its successor key
+	# has been added. It will remain this file until it is removed from
+	# the root zone.
+	. static-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+		QxA+Uk1ihz0=";
+};
+
+managed-keys {
+	# This key (20326) was published in the root zone in 2017.
+	# Servers which were already using the old key (19036) should
+	# roll seamlessly to this new one via RFC 5011 rollover. Servers
+	# being set up for the first time can use the contents of this
+	# file as initializing keys; thereafter, the keys in the
+	# managed key database will be trusted and maintained
+	# automatically.
+	. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/check-mx-cname-fail.conf b/bin/tests/system/checkconf/check-mx-cname-fail.conf
new file mode 100644
index 0000000..ac52ec0
--- /dev/null
+++ b/bin/tests/system/checkconf/check-mx-cname-fail.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+  check-integrity yes; // default is yes
+};
+
+zone "check-mx-cname" {
+  type primary;
+  file "check-mx-cname.db";
+  check-mx-cname fail;
+};
diff --git a/bin/tests/system/checkconf/check-mx-cname.db b/bin/tests/system/checkconf/check-mx-cname.db
new file mode 100644
index 0000000..dc30f08
--- /dev/null
+++ b/bin/tests/system/checkconf/check-mx-cname.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600	; 10 minutes
+@		IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			MX	10 mail
+
+; MX points to a CNAME which is detected by check-mx-cname
+mail			CNAME	ns2
+
+ns2			A	10.53.0.2
diff --git a/bin/tests/system/checkconf/check-mx-fail.conf b/bin/tests/system/checkconf/check-mx-fail.conf
new file mode 100644
index 0000000..aa7a666
--- /dev/null
+++ b/bin/tests/system/checkconf/check-mx-fail.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+  check-integrity yes; // default is yes
+};
+
+zone "check-mx" {
+  type primary;
+  file "check-mx.db";
+  check-mx fail;
+};
diff --git a/bin/tests/system/checkconf/check-mx.db b/bin/tests/system/checkconf/check-mx.db
new file mode 100644
index 0000000..dced644
--- /dev/null
+++ b/bin/tests/system/checkconf/check-mx.db
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600	; 10 minutes
+@		IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+; MX appears to be an address and will be detected by check-mx
+			MX	10 10.0.0.1
+
+ns2			A	10.53.0.2
diff --git a/bin/tests/system/checkconf/check-names-fail.conf b/bin/tests/system/checkconf/check-names-fail.conf
new file mode 100644
index 0000000..86be82d
--- /dev/null
+++ b/bin/tests/system/checkconf/check-names-fail.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+  check-integrity yes; // default is yes
+};
+
+zone "check-names" {
+  type primary;
+  file "check-names.db";
+  check-names fail;
+};
diff --git a/bin/tests/system/checkconf/check-names.db b/bin/tests/system/checkconf/check-names.db
new file mode 100644
index 0000000..0274ec9
--- /dev/null
+++ b/bin/tests/system/checkconf/check-names.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600	; 10 minutes
+@		IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			MX	10 mail
+
+mail			A	10.0.0.1
+ns2			A	10.53.0.2
+
+; the RDATA of this record contains a name that may be considered
+; invalid and will be detected by check-names configuration.
+check-names		SRV	1 2 3 _underscore
diff --git a/bin/tests/system/checkconf/check-root-ksk-2010.conf b/bin/tests/system/checkconf/check-root-ksk-2010.conf
new file mode 100644
index 0000000..d422635
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-ksk-2010.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	# This key (19036) is to be phased out starting in 2017. It will
+	# remain in the root zone for some time after its successor key
+	# has been added. It will remain this file until it is removed from
+	# the root zone.
+	. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+		QxA+Uk1ihz0=";
+};
diff --git a/bin/tests/system/checkconf/check-root-ksk-2017.conf b/bin/tests/system/checkconf/check-root-ksk-2017.conf
new file mode 100644
index 0000000..72f6fb4
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-ksk-2017.conf
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	# This key (20326) was published in the root zone in 2017.
+	# Servers which were already using the old key (19036) should
+	# roll seamlessly to this new one via RFC 5011 rollover. Servers
+	# being set up for the first time can use the contents of this
+	# file as initializing keys; thereafter, the keys in the
+	# managed key database will be trusted and maintained
+	# automatically.
+	. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/check-root-ksk-both.conf b/bin/tests/system/checkconf/check-root-ksk-both.conf
new file mode 100644
index 0000000..88c308f
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-ksk-both.conf
@@ -0,0 +1,41 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	# This key (19036) is to be phased out starting in 2017. It will
+	# remain in the root zone for some time after its successor key
+	# has been added. It will remain this file until it is removed from
+	# the root zone.
+	. initial-key 257 3 8 "AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+		QxA+Uk1ihz0=";
+
+	# This key (20326) was published in the root zone in 2017.
+	# Servers which were already using the old key (19036) should
+	# roll seamlessly to this new one via RFC 5011 rollover. Servers
+	# being set up for the first time can use the contents of this
+	# file as initializing keys; thereafter, the keys in the
+	# managed key database will be trusted and maintained
+	# automatically.
+	. initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/check-root-static-ds.conf b/bin/tests/system/checkconf/check-root-static-ds.conf
new file mode 100644
index 0000000..eb37b85
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-static-ds.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+        . static-ds 20326 8 2 "E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D";
+};
diff --git a/bin/tests/system/checkconf/check-root-static-key.conf b/bin/tests/system/checkconf/check-root-static-key.conf
new file mode 100644
index 0000000..7be5304
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-static-key.conf
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	# This key (20326) was published in the root zone in 2017.
+	# Servers which were already using the old key (19036) should
+	# roll seamlessly to this new one via RFC 5011 rollover. Servers
+	# being set up for the first time can use the contents of this
+	# file as initializing keys; thereafter, the keys in the
+	# managed key database will be trusted and maintained
+	# automatically.
+	. static-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/check-root-trusted-key.conf b/bin/tests/system/checkconf/check-root-trusted-key.conf
new file mode 100644
index 0000000..65261a8
--- /dev/null
+++ b/bin/tests/system/checkconf/check-root-trusted-key.conf
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trusted-keys {
+	# This key (20326) was published in the root zone in 2017.
+	# Servers which were already using the old key (19036) should
+	# roll seamlessly to this new one via RFC 5011 rollover. Servers
+	# being set up for the first time can use the contents of this
+	# file as initializing keys; thereafter, the keys in the
+	# managed key database will be trusted and maintained
+	# automatically.
+	. 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		R1AkUTV74bU=";
+};
diff --git a/bin/tests/system/checkconf/check-srv-cname-fail.conf b/bin/tests/system/checkconf/check-srv-cname-fail.conf
new file mode 100644
index 0000000..3897bf8
--- /dev/null
+++ b/bin/tests/system/checkconf/check-srv-cname-fail.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+  check-integrity yes; // default is yes
+};
+
+zone "check-srv-cname" {
+  type primary;
+  file "check-srv-cname.db";
+  check-srv-cname fail;
+};
diff --git a/bin/tests/system/checkconf/check-srv-cname.db b/bin/tests/system/checkconf/check-srv-cname.db
new file mode 100644
index 0000000..0671ab1
--- /dev/null
+++ b/bin/tests/system/checkconf/check-srv-cname.db
@@ -0,0 +1,28 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600	; 10 minutes
+@		IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+			MX	10 mail
+
+mail			A	10.0.0.1
+ns2			A	10.53.0.2
+
+check-srv-cname		SRV	1 2 3 	target
+; SRV points to a CNAME which is detected by check-srv-cname configuration
+target			CNAME	mail
diff --git a/bin/tests/system/checkconf/check-wildcard-no.conf b/bin/tests/system/checkconf/check-wildcard-no.conf
new file mode 100644
index 0000000..beb641a
--- /dev/null
+++ b/bin/tests/system/checkconf/check-wildcard-no.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "check-wildcard" {
+  type primary;
+  file "check-wildcard.db";
+  check-wildcard no;
+};
diff --git a/bin/tests/system/checkconf/check-wildcard.conf b/bin/tests/system/checkconf/check-wildcard.conf
new file mode 100644
index 0000000..263f8b4
--- /dev/null
+++ b/bin/tests/system/checkconf/check-wildcard.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "check-wildcard" {
+  type primary;
+  file "check-wildcard.db";
+  check-wildcard yes;
+};
diff --git a/bin/tests/system/checkconf/check-wildcard.db b/bin/tests/system/checkconf/check-wildcard.db
new file mode 100644
index 0000000..1db5af0
--- /dev/null
+++ b/bin/tests/system/checkconf/check-wildcard.db
@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600	; 10 minutes
+@		IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+; an interior wildcard name
+foo.*			TXT	The owner name contains an interior wildcard
diff --git a/bin/tests/system/checkconf/clean.sh b/bin/tests/system/checkconf/clean.sh
new file mode 100644
index 0000000..8981c45
--- /dev/null
+++ b/bin/tests/system/checkconf/clean.sh
@@ -0,0 +1,26 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f bad-kasp-keydir1.conf
+rm -f bad-kasp-keydir2.conf
+rm -f bad-kasp-keydir3.conf
+rm -f bad-kasp-keydir4.conf
+rm -f bad-kasp-keydir5.conf
+rm -f checkconf.out*
+rm -f diff.out*
+rm -f good-kasp.conf.in
+rm -f good-server-christmas-tree.conf
+rm -f good.conf.in good.conf.out badzero.conf *.out
+rm -rf keys
+rm -f ns*/named.lock
+rm -rf test.keydir
diff --git a/bin/tests/system/checkconf/deprecated.conf b/bin/tests/system/checkconf/deprecated.conf
new file mode 100644
index 0000000..bd6e0c2
--- /dev/null
+++ b/bin/tests/system/checkconf/deprecated.conf
@@ -0,0 +1,66 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+server 1.2.3.4 {
+	query-source 10.10.10.10 port 5353;
+};
+
+options {
+	dnssec-validation yes;
+
+	dialup yes;
+	heartbeat-interval 60;
+
+	dnssec-must-be-secure mustbesecure.example yes;
+
+	use-v4-udp-ports { range 1024 65535; };
+	use-v6-udp-ports { range 1024 65535; };
+	avoid-v4-udp-ports { range 1 1023; };
+	avoid-v6-udp-ports { range 1 1023; };
+
+	tkey-dhkey "server" 12345;
+
+	root-delegation-only exclude { "them"; };
+};
+
+trusted-keys {
+	fake.trusted. 257 3 8
+		"AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjF
+		FVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoX
+		bfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaD
+		X6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpz
+		W5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relS
+		Qageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulq
+		QxA+Uk1ihz0=";
+};
+
+managed-keys {
+	fake.managed. initial-key 257 3 8
+		"AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3
+		+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv
+		ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF
+		0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e
+		oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd
+		RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN
+		R1AkUTV74bU=";
+};
+
+zone "." {
+	type hint;
+	file "shared.example.db";
+	delegation-only yes;
+};
+
+zone com {
+	type delegation-only;
+};
diff --git a/bin/tests/system/checkconf/dlz-bad.conf b/bin/tests/system/checkconf/dlz-bad.conf
new file mode 100644
index 0000000..7332112
--- /dev/null
+++ b/bin/tests/system/checkconf/dlz-bad.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dlz one {
+	database "one";
+};
+
+dlz two {
+	database "two";
+	search no;
+};
+
+zone primary {
+	type primary;
+	database "none";
+	dlz two;
+};
diff --git a/bin/tests/system/checkconf/dnssec.1 b/bin/tests/system/checkconf/dnssec.1
new file mode 100644
index 0000000..a466ac4
--- /dev/null
+++ b/bin/tests/system/checkconf/dnssec.1
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view view1 {
+	match-clients { any; };
+	dnssec-validation yes;
+};
+
+view view2 {
+	match-clients { none; };
+	dnssec-validation auto;
+};
+
+view view3 {
+	match-clients { none; };
+	auto-dnssec maintain;
+};
diff --git a/bin/tests/system/checkconf/dnssec.2 b/bin/tests/system/checkconf/dnssec.2
new file mode 100644
index 0000000..0f6a8af
--- /dev/null
+++ b/bin/tests/system/checkconf/dnssec.2
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view view1 {
+	match-clients { any; };
+};
+
+view view2 {
+	match-clients { none; };
+};
+
+view view3 {
+	match-clients { none; };
+	dnssec-validation auto;
+};
+
+view view4 {
+	match-clients { none; };
+};
+
+view view5 {
+	match-clients { none; };
+	auto-dnssec off;
+};
diff --git a/bin/tests/system/checkconf/dnssec.3 b/bin/tests/system/checkconf/dnssec.3
new file mode 100644
index 0000000..53e5d91
--- /dev/null
+++ b/bin/tests/system/checkconf/dnssec.3
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "test" {
+	type primary;
+	file "test.db";
+	auto-dnssec maintain;
+};
diff --git a/bin/tests/system/checkconf/good-acl.conf b/bin/tests/system/checkconf/good-acl.conf
new file mode 100644
index 0000000..be32923
--- /dev/null
+++ b/bin/tests/system/checkconf/good-acl.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl a {
+	{ "none"; };
+	{ !19.0.0.0/8; };
+};
+
+options {
+	allow-query { a; };
+};
diff --git a/bin/tests/system/checkconf/good-allow-update-forwarding-view.conf b/bin/tests/system/checkconf/good-allow-update-forwarding-view.conf
new file mode 100644
index 0000000..5bc9232
--- /dev/null
+++ b/bin/tests/system/checkconf/good-allow-update-forwarding-view.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	allow-update-forwarding { any; };
+};
diff --git a/bin/tests/system/checkconf/good-allow-update-forwarding.conf b/bin/tests/system/checkconf/good-allow-update-forwarding.conf
new file mode 100644
index 0000000..d7e89be
--- /dev/null
+++ b/bin/tests/system/checkconf/good-allow-update-forwarding.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	allow-update-forwarding { any; };
+};
diff --git a/bin/tests/system/checkconf/good-allow-update-view.conf b/bin/tests/system/checkconf/good-allow-update-view.conf
new file mode 100644
index 0000000..da799a2
--- /dev/null
+++ b/bin/tests/system/checkconf/good-allow-update-view.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	allow-update { any; };
+};
diff --git a/bin/tests/system/checkconf/good-allow-update.conf b/bin/tests/system/checkconf/good-allow-update.conf
new file mode 100644
index 0000000..6b7a67e
--- /dev/null
+++ b/bin/tests/system/checkconf/good-allow-update.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	allow-update { any; };
+};
diff --git a/bin/tests/system/checkconf/good-class.conf b/bin/tests/system/checkconf/good-class.conf
new file mode 100644
index 0000000..2f8c321
--- /dev/null
+++ b/bin/tests/system/checkconf/good-class.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "example" class00 { };
diff --git a/bin/tests/system/checkconf/good-dnskey-validity-3660.conf b/bin/tests/system/checkconf/good-dnskey-validity-3660.conf
new file mode 100644
index 0000000..4e0a7ee
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dnskey-validity-3660.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnskey-sig-validity 3660;	/* maximum value 10 years */
+};
diff --git a/bin/tests/system/checkconf/good-dnskey-validity-zero.conf b/bin/tests/system/checkconf/good-dnskey-validity-zero.conf
new file mode 100644
index 0000000..5da41b8
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dnskey-validity-zero.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnskey-sig-validity 0;	/* 0 is disabled */
+};
diff --git a/bin/tests/system/checkconf/good-doh-1.conf b/bin/tests/system/checkconf/good-doh-1.conf
new file mode 100644
index 0000000..0c642ec
--- /dev/null
+++ b/bin/tests/system/checkconf/good-doh-1.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	key-file "key.pem";
+	cert-file "cert.pem";
+};
+
+http local-http-server {
+	endpoints { "/dns-query"; };
+	listener-clients 100;
+	streams-per-connection 100;
+};
+
+options {
+	listen-on { 10.53.0.1; };
+	http-port 80;
+	https-port 443;
+	http-listener-clients 100;
+	http-streams-per-connection 100;
+	listen-on port 443 tls local-tls http local-http-server { 10.53.0.1; };
+	listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/good-doh-2.conf b/bin/tests/system/checkconf/good-doh-2.conf
new file mode 100644
index 0000000..1bbe9e0
--- /dev/null
+++ b/bin/tests/system/checkconf/good-doh-2.conf
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	key-file "key.pem";
+	cert-file "cert.pem";
+};
+
+http local-http-server {
+	endpoints { "/dns-query"; };
+};
+
+options {
+	listen-on { 10.53.0.1; };
+	http-port 80;
+	https-port 443;
+	listen-on port 443 http local-http-server tls local-tls { 10.53.0.1; };
+	listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/good-doh-3.conf b/bin/tests/system/checkconf/good-doh-3.conf
new file mode 100644
index 0000000..cd410b9
--- /dev/null
+++ b/bin/tests/system/checkconf/good-doh-3.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	listen-on { 10.53.0.1; };
+	http-port 80;
+	https-port 443;
+	listen-on port 8080 tls none http default { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/good-doh-4.conf b/bin/tests/system/checkconf/good-doh-4.conf
new file mode 100644
index 0000000..d191347
--- /dev/null
+++ b/bin/tests/system/checkconf/good-doh-4.conf
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	key-file "key.pem";
+	cert-file "cert.pem";
+};
+
+# Use the default values only - just to make sure that we could
+# override only values which we need and there is no required ones.
+http empty-http-server {
+};
+
+options {
+	listen-on { 10.53.0.1; };
+	http-port 80;
+	https-port 443;
+	http-listener-clients 100;
+	listen-on port 443 tls local-tls http empty-http-server { 10.53.0.1; };
+	listen-on port 8080 tls none http empty-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/good-doh-tlsopts.conf b/bin/tests/system/checkconf/good-doh-tlsopts.conf
new file mode 100644
index 0000000..7ba4bdb
--- /dev/null
+++ b/bin/tests/system/checkconf/good-doh-tlsopts.conf
@@ -0,0 +1,38 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	protocols { TLSv1.2; };
+	key-file "key.pem";
+	cert-file "cert.pem";
+	dhparam-file "dhparam.pem";
+	ciphers "HIGH:!aNULL:!MD5:!RC4";
+	prefer-server-ciphers yes;
+	session-tickets no;
+};
+
+http local-http-server {
+	endpoints { "/dns-query"; };
+	listener-clients 100;
+	streams-per-connection 100;
+};
+
+options {
+	listen-on { 10.53.0.1; };
+	http-port 80;
+	https-port 443;
+	http-listener-clients 100;
+	http-streams-per-connection 100;
+	listen-on port 443 tls local-tls http local-http-server { 10.53.0.1; };
+	listen-on port 8080 tls none http local-http-server { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/good-dot-1.conf b/bin/tests/system/checkconf/good-dot-1.conf
new file mode 100644
index 0000000..d94616a
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dot-1.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	key-file "key.pem";
+	cert-file "cert.pem";
+};
+
+options {
+	listen-on port 853 tls local-tls { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/good-dot-allow-transfer-encrypted.conf b/bin/tests/system/checkconf/good-dot-allow-transfer-encrypted.conf
new file mode 100644
index 0000000..74c7969
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dot-allow-transfer-encrypted.conf
@@ -0,0 +1,49 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example1" {
+	type primary;
+	file "example1.db";
+	allow-transfer port 44344 transport tls { any; };
+};
+
+zone "example2" {
+	type primary;
+	file "example2.db";
+	allow-transfer port 44344 transport tcp { any; };
+};
+
+zone "example3" {
+	type primary;
+	file "example3.db";
+	allow-transfer transport tls { any; };
+};
+
+zone "example4" {
+	type primary;
+	file "example4.db";
+	allow-transfer transport tcp { any; };
+};
+
+
+zone "example5" {
+	type primary;
+	file "example5.db";
+	allow-transfer port 53 { any; };
+};
+
+zone "example6" {
+	type primary;
+	file "example6.db";
+	allow-transfer { any; };
+};
diff --git a/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
new file mode 100644
index 0000000..d541d15
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dot-doh-tls-nokeycert.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# In some cases a "tls" statement may omit key-file and cert-file.
+tls local-tls {
+    protocols {TLSv1.2;};
+    remote-hostname "fqdn.example.com";
+};
diff --git a/bin/tests/system/checkconf/good-dot-primaries-ephemeral.conf b/bin/tests/system/checkconf/good-dot-primaries-ephemeral.conf
new file mode 100644
index 0000000..2b33cf3
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dot-primaries-ephemeral.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example" {
+	type secondary;
+	primaries { 10.53.0.1 tls ephemeral; };
+	file "example.db";
+	allow-transfer { any; };
+};
diff --git a/bin/tests/system/checkconf/good-dot-primaries.conf b/bin/tests/system/checkconf/good-dot-primaries.conf
new file mode 100644
index 0000000..592a94c
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dot-primaries.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	protocols { TLSv1.2; };
+	ciphers "HIGH:!kRSA:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!SHA1:!SHA256:!SHA384";
+	prefer-server-ciphers no;
+};
+
+zone "example" {
+	type secondary;
+	primaries { 10.53.0.1 tls local-tls; };
+	file "example.db";
+	allow-transfer { any; };
+};
diff --git a/bin/tests/system/checkconf/good-dot-tlsopts.conf b/bin/tests/system/checkconf/good-dot-tlsopts.conf
new file mode 100644
index 0000000..fc7e248
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dot-tlsopts.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+tls local-tls {
+	protocols { TLSv1.2; };
+	key-file "key.pem";
+	cert-file "cert.pem";
+	dhparam-file "dhparam.pem";
+	ciphers "HIGH:!aNULL:!MD5:!RC4";
+	prefer-server-ciphers yes;
+	session-tickets no;
+};
+
+options {
+	listen-on port 853 tls local-tls { 10.53.0.1; };
+};
diff --git a/bin/tests/system/checkconf/good-ds-key-1.conf b/bin/tests/system/checkconf/good-ds-key-1.conf
new file mode 100644
index 0000000..de7de84
--- /dev/null
+++ b/bin/tests/system/checkconf/good-ds-key-1.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	example. initial-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
+        example. initial-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/good-ds-key-2.conf b/bin/tests/system/checkconf/good-ds-key-2.conf
new file mode 100644
index 0000000..060fb2f
--- /dev/null
+++ b/bin/tests/system/checkconf/good-ds-key-2.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	example. static-ds 60724 5 1 "D74CF845955A0DFE604AF215E948E67D2EA94FF3";
+        example. static-key 257 3 5 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbody0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQYfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuwE60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/good-dup-managed-key.conf b/bin/tests/system/checkconf/good-dup-managed-key.conf
new file mode 100644
index 0000000..2f91247
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dup-managed-key.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-validation yes;
+};
+
+trust-anchors {
+	example. initial-key 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+		kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+		fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+		WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+		NQyrszHhWUU=";
+	example. initial-key 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+		2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+		E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+		Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+		6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/good-dup-trusted-key.conf b/bin/tests/system/checkconf/good-dup-trusted-key.conf
new file mode 100644
index 0000000..46089c4
--- /dev/null
+++ b/bin/tests/system/checkconf/good-dup-trusted-key.conf
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	dnssec-validation yes;
+};
+
+trusted-keys {
+	example. 257 3 8 "AwEAAawvFp8GlBx8Qt6yaIqXkDe+nMkSk2HkTAG7qlVBo++AQwZ1j3Xl
+		25IN4jsw0VTMbKUbafw9DYsVzztIwx1sNkKRLo6qP9SSkBL8RicQaafG
+		tURtsYI3oqte5qqLve1CUpRD8J06Pg1xkOxsDlz9sQAyiQrOyvMbykJY
+		kYrFYGLzYAgl/JtMyVVYlBl9pqxQuAPKYPOuO1axaad/wLN3+wTy/hcJ
+		fpvJpqzXlDF9bI5RmpoX/7geZ06vpcYJEoT0xkkmPlEl0ZjEDrm/WIaS
+		WG0/CEDpHcOXFz4OEczMVpY+lnuFfKybwF1WHFn2BwVEOS6cMM6ukIjI
+		NQyrszHhWUU=";
+	example. 257 3 8 "AwEAAZtP9+RAA+W33A97e+HnnH8WTXzCWiEICyWj1B6rvZ9hd50ysbod
+		y0NLx7b3vZ1bzMLxLSRAr/n3Wi0TDZ1fvCKZhennfW8Wlc7ulCvHntSQ
+		YfKHUP0YWEo84sQAqIi850N1aiddj6CidwFo9JNW/HQ+8yarfrnGMFhX
+		2STtkE0hNJ/R6JYKmD2EH7k1nyqJd08ibrEt55DuV4BiUjyyERdVbsuw
+		E60jVqAwCKyVBYXb2sI+zv1yPNDBIANd6KTgnq6YWzx5ZodQP3W4K7Z/
+		Bk3EKmVCvrTKZK/ADLAKaL0/6DD07+1jXA4BiNyoZTLTapkudkGad+Rn
+		6zqCkwuMmrU=";
+};
diff --git a/bin/tests/system/checkconf/good-glue-cache.conf b/bin/tests/system/checkconf/good-glue-cache.conf
new file mode 100644
index 0000000..fd5524b
--- /dev/null
+++ b/bin/tests/system/checkconf/good-glue-cache.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	glue-cache yes;
+};
diff --git a/bin/tests/system/checkconf/good-initial-ds.conf b/bin/tests/system/checkconf/good-initial-ds.conf
new file mode 100644
index 0000000..b54a2b3
--- /dev/null
+++ b/bin/tests/system/checkconf/good-initial-ds.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	example. initial-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
+};
diff --git a/bin/tests/system/checkconf/good-interface-interval.conf b/bin/tests/system/checkconf/good-interface-interval.conf
new file mode 100644
index 0000000..60c50b3
--- /dev/null
+++ b/bin/tests/system/checkconf/good-interface-interval.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	interface-interval 1h;
+};
diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf
new file mode 100644
index 0000000..17309e5
--- /dev/null
+++ b/bin/tests/system/checkconf/good-kasp.conf
@@ -0,0 +1,68 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * This is just a random selection of DNSSEC configuration options.
+ */
+
+/* cut here */
+dnssec-policy "test" {
+	dnskey-ttl 3600;
+	keys {
+		ksk key-directory lifetime P1Y algorithm ecdsa256;
+		zsk lifetime P30D algorithm 13;
+		csk key-directory lifetime unlimited algorithm rsasha256 2048;
+	};
+	max-zone-ttl 86400;
+	nsec3param iterations 5 optout no salt-length 8;
+	parent-ds-ttl 7200;
+	parent-propagation-delay PT1H;
+	publish-safety PT3600S;
+	retire-safety PT3600S;
+	signatures-refresh P3D;
+	signatures-validity P2W;
+	signatures-validity-dnskey P14D;
+	zone-propagation-delay PT5M;
+};
+options {
+	dnssec-policy "default";
+};
+zone "example1" {
+	type primary;
+	file "example1.db";
+	inline-signing yes;
+};
+zone "example2" {
+	type primary;
+	file "example2.db";
+	allow-update {
+		"any";
+	};
+	dnssec-policy "test";
+};
+zone "example3" {
+	type primary;
+	file "example3.db";
+	inline-signing yes;
+	dnssec-policy "default";
+};
+zone "dnssec-policy-none-shared-zonefile1" {
+	type primary;
+	file "shared.db";
+	dnssec-policy "none";
+};
+zone "dnssec-policy-none-shared-zonefile2" {
+	type primary;
+	file "shared.db";
+	dnssec-policy "none";
+};
diff --git a/bin/tests/system/checkconf/good-key-directory.conf b/bin/tests/system/checkconf/good-key-directory.conf
new file mode 100644
index 0000000..45befff
--- /dev/null
+++ b/bin/tests/system/checkconf/good-key-directory.conf
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "internet" {
+  keys {
+    ksk   key-directory   lifetime unlimited   algorithm ecdsa256;
+    zsk   key-directory   lifetime P90D        algorithm ecdsa256;
+  };
+
+  nsec3param iterations 15 optout no salt-length 8;
+};
+
+dnssec-policy "intranet" {
+  keys {
+    ksk   key-directory   lifetime unlimited   algorithm ecdsa256;
+    zsk   key-directory   lifetime P30D        algorithm ecdsa256;
+  };
+  nsec3param iterations 15 optout no salt-length 8;
+};
+
+dnssec-policy "localhost" {
+  keys {
+    ksk   key-directory   lifetime unlimited   algorithm ecdsa256;
+    zsk   key-directory   lifetime P30D        algorithm ecdsa256;
+  };
+  nsec3param iterations 15 optout no salt-length 8;
+};
+
+options {
+    key-directory "global/keys";
+};
+
+view "localhost" {
+    match-clients { 127.0.0.1; ::1; };
+    zone "example.com" IN {
+        type primary;
+        file "localhost/example.com.zone";
+        dnssec-policy "localhost";
+        inline-signing yes;
+    };
+};
+
+view "external" {
+    match-clients { 0/0; };
+    key-directory "external/keys";
+    zone "example.com" IN {
+        type primary;
+        file "external/example.com.zone";
+        dnssec-policy "internet";
+        inline-signing yes;
+    };
+};
+
+view "internal" {
+    match-clients { ::/0; };
+    key-directory "internal/keys";
+    zone "example.com" IN {
+        type primary;
+        file "internal/example.com.zone";
+        dnssec-policy "intranet";
+        inline-signing yes;
+    };
+};
diff --git a/bin/tests/system/checkconf/good-masterfile-format-raw.conf b/bin/tests/system/checkconf/good-masterfile-format-raw.conf
new file mode 100644
index 0000000..b6f3cbf
--- /dev/null
+++ b/bin/tests/system/checkconf/good-masterfile-format-raw.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { ::1; };
+	masterfile-format raw;
+};
diff --git a/bin/tests/system/checkconf/good-masterfile-format-text.conf b/bin/tests/system/checkconf/good-masterfile-format-text.conf
new file mode 100644
index 0000000..8138058
--- /dev/null
+++ b/bin/tests/system/checkconf/good-masterfile-format-text.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { ::1; };
+	masterfile-format text;
+};
diff --git a/bin/tests/system/checkconf/good-masters-and-primaries.conf b/bin/tests/system/checkconf/good-masters-and-primaries.conf
new file mode 100644
index 0000000..d84657f
--- /dev/null
+++ b/bin/tests/system/checkconf/good-masters-and-primaries.conf
@@ -0,0 +1,15 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+masters a { 1.2.3.4; };
+primaries b { 1.2.3.4; };
diff --git a/bin/tests/system/checkconf/good-maxcachettl.conf b/bin/tests/system/checkconf/good-maxcachettl.conf
new file mode 100644
index 0000000..58f6901
--- /dev/null
+++ b/bin/tests/system/checkconf/good-maxcachettl.conf
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	max-cache-ttl 0;
+};
+view two {
+	max-cache-ttl 86400;
+};
+view three {
+	max-cache-ttl 4000000000;
+};
+view four {
+	max-cache-ttl 3600s;
+};
+view five {
+	max-cache-ttl 1h;
+};
+view six {
+	max-cache-ttl 1d;
+};
+view seven {
+	max-cache-ttl 1w;
+};
diff --git a/bin/tests/system/checkconf/good-maxncachettl.conf b/bin/tests/system/checkconf/good-maxncachettl.conf
new file mode 100644
index 0000000..80dc753
--- /dev/null
+++ b/bin/tests/system/checkconf/good-maxncachettl.conf
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	max-ncache-ttl 0;
+};
+view two {
+	max-ncache-ttl 86400;
+};
+view three {
+	max-ncache-ttl 604800;
+};
+view four {
+	max-ncache-ttl 3600s;
+};
+view five {
+	max-ncache-ttl 1h;
+};
+view six {
+	max-ncache-ttl 1d;
+};
+view seven {
+	max-ncache-ttl 1w;
+};
diff --git a/bin/tests/system/checkconf/good-maxratio1.conf b/bin/tests/system/checkconf/good-maxratio1.conf
new file mode 100644
index 0000000..4161a24
--- /dev/null
+++ b/bin/tests/system/checkconf/good-maxratio1.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+	type primary;
+	masterfile-format raw;
+	file "example.db";
+	max-ixfr-ratio 50%;
+};
diff --git a/bin/tests/system/checkconf/good-maxratio2.conf b/bin/tests/system/checkconf/good-maxratio2.conf
new file mode 100644
index 0000000..0ef2f3c
--- /dev/null
+++ b/bin/tests/system/checkconf/good-maxratio2.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+	type primary;
+	masterfile-format raw;
+	file "example.db";
+	max-ixfr-ratio unlimited;
+};
diff --git a/bin/tests/system/checkconf/good-mincachettl.conf b/bin/tests/system/checkconf/good-mincachettl.conf
new file mode 100644
index 0000000..b619a73
--- /dev/null
+++ b/bin/tests/system/checkconf/good-mincachettl.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	min-cache-ttl 0;
+};
+view two {
+	min-cache-ttl 30;
+};
+view three {
+	min-cache-ttl 60;
+};
+view four {
+	min-cache-ttl 90s;
+};
+view five {
+	min-cache-ttl 1m;
+};
diff --git a/bin/tests/system/checkconf/good-minncachettl.conf b/bin/tests/system/checkconf/good-minncachettl.conf
new file mode 100644
index 0000000..3e4101b
--- /dev/null
+++ b/bin/tests/system/checkconf/good-minncachettl.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	min-ncache-ttl 0;
+};
+view two {
+	min-ncache-ttl 30;
+};
+view three {
+	min-ncache-ttl 60;
+};
+view four {
+	min-ncache-ttl 90s;
+};
+view five {
+	min-ncache-ttl 1m;
+};
diff --git a/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf b/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf
new file mode 100644
index 0000000..09bbf94
--- /dev/null
+++ b/bin/tests/system/checkconf/good-mirror-inherited-notify-yes.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	notify yes;
+};
+
+zone "." {
+	type mirror;
+};
diff --git a/bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf b/bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf
new file mode 100644
index 0000000..9723b7a
--- /dev/null
+++ b/bin/tests/system/checkconf/good-mirror-root-zone-without-masters.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type mirror;
+};
diff --git a/bin/tests/system/checkconf/good-nested.conf b/bin/tests/system/checkconf/good-nested.conf
new file mode 100644
index 0000000..12a027c
--- /dev/null
+++ b/bin/tests/system/checkconf/good-nested.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl a { 127.0.0.1; ::1; };
+acl b { a; };
+acl c { !b; };
+
+options {
+	allow-query { c; };
+};
diff --git a/bin/tests/system/checkconf/good-notify-source-v6.conf b/bin/tests/system/checkconf/good-notify-source-v6.conf
new file mode 100644
index 0000000..797f966
--- /dev/null
+++ b/bin/tests/system/checkconf/good-notify-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	notify-source-v6 fd92:7065:b8e:ffff::1;
+};
diff --git a/bin/tests/system/checkconf/good-notify-source.conf b/bin/tests/system/checkconf/good-notify-source.conf
new file mode 100644
index 0000000..6b97314
--- /dev/null
+++ b/bin/tests/system/checkconf/good-notify-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	notify-source 10.53.0.1;
+};
diff --git a/bin/tests/system/checkconf/good-options-also-notify.conf b/bin/tests/system/checkconf/good-options-also-notify.conf
new file mode 100644
index 0000000..e10403d
--- /dev/null
+++ b/bin/tests/system/checkconf/good-options-also-notify.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	also-notify { missing; };
+};
+
+zone "example.net" {
+	type secondary;
+	notify no;
+	primaries { 192.168.1.1; };
+};
diff --git a/bin/tests/system/checkconf/good-parental-source-v6.conf b/bin/tests/system/checkconf/good-parental-source-v6.conf
new file mode 100644
index 0000000..fe998f1
--- /dev/null
+++ b/bin/tests/system/checkconf/good-parental-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	parental-source-v6 fd92:7065:b8e:ffff::1;
+};
diff --git a/bin/tests/system/checkconf/good-parental-source.conf b/bin/tests/system/checkconf/good-parental-source.conf
new file mode 100644
index 0000000..e45856a
--- /dev/null
+++ b/bin/tests/system/checkconf/good-parental-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	parental-source 10.53.0.1;
+};
diff --git a/bin/tests/system/checkconf/good-printtime.conf b/bin/tests/system/checkconf/good-printtime.conf
new file mode 100644
index 0000000..06bb7be
--- /dev/null
+++ b/bin/tests/system/checkconf/good-printtime.conf
@@ -0,0 +1,35 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+logging {
+	channel one {
+		file "one.out";
+		print-time no;
+	};
+	channel two {
+		file "two.out";
+		print-time yes;
+	};
+	channel three {
+		file "three.out";
+		print-time local;
+	};
+	channel four {
+		file "four.out";
+		print-time iso8601;
+	};
+	channel five {
+		file "five.out";
+		print-time iso8601-utc;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-response-dot.conf b/bin/tests/system/checkconf/good-response-dot.conf
new file mode 100644
index 0000000..f21daeb
--- /dev/null
+++ b/bin/tests/system/checkconf/good-response-dot.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+	type primary;
+	file "example.com.zone";
+};
+
+options {
+	response-policy {
+		zone "example.com." policy given;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-rpz-ttl.conf b/bin/tests/system/checkconf/good-rpz-ttl.conf
new file mode 100644
index 0000000..26d41bb
--- /dev/null
+++ b/bin/tests/system/checkconf/good-rpz-ttl.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+	type primary;
+	file "example.com.zone";
+};
+
+options {
+	response-policy {
+		zone "example.com." policy given;
+	}
+		max-policy-ttl 1h;
+};
diff --git a/bin/tests/system/checkconf/good-rpz-update.conf b/bin/tests/system/checkconf/good-rpz-update.conf
new file mode 100644
index 0000000..34b3ec5
--- /dev/null
+++ b/bin/tests/system/checkconf/good-rpz-update.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com." {
+	type primary;
+	file "example.com.zone";
+};
+
+options {
+	response-policy {
+		zone "example.com."
+			policy given
+			min-update-interval 5m;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-rrset-order-none.conf b/bin/tests/system/checkconf/good-rrset-order-none.conf
new file mode 100644
index 0000000..f0818ca
--- /dev/null
+++ b/bin/tests/system/checkconf/good-rrset-order-none.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	rrset-order {
+		order none;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-server-christmas-tree.conf.in b/bin/tests/system/checkconf/good-server-christmas-tree.conf.in
new file mode 100644
index 0000000..a786a11
--- /dev/null
+++ b/bin/tests/system/checkconf/good-server-christmas-tree.conf.in
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key example {
+	algorithm hmac-sha256;
+	secret "aaaaaaaaaaaaaaaaaaaaaaaa";
+};
+
+server 0.0.0.0 {
+	bogus no;
+	edns no;
+	edns-udp-size 512;
+	edns-version 0;
+	keys example;
+	max-udp-size 512;
+	notify-source 0.0.0.0;
+	padding 512;
+	provide-ixfr no;
+	query-source 0.0.0.0;
+	request-expire no;
+	request-ixfr no;
+	request-nsid no;
+	send-cookie no;
+	tcp-keepalive no;
+	tcp-only no;
+	transfer-format one-answer;
+	transfer-source 0.0.0.0;
+	transfers 1;
+};
+
+server :: {
+	bogus no;
+	edns no;
+	edns-udp-size 512;
+	edns-version 0;
+	keys example;
+	max-udp-size 512;
+	notify-source-v6 ::;
+	padding 512;
+	provide-ixfr no;
+	query-source-v6 ::;
+	request-expire no;
+	request-ixfr no;
+	request-nsid no;
+	send-cookie no;
+	tcp-keepalive no;
+	tcp-only no;
+	transfer-format one-answer;
+	transfer-source-v6 ::;
+	transfers 1;
+};
diff --git a/bin/tests/system/checkconf/good-sig-signing-type.conf b/bin/tests/system/checkconf/good-sig-signing-type.conf
new file mode 100644
index 0000000..dda1b73
--- /dev/null
+++ b/bin/tests/system/checkconf/good-sig-signing-type.conf
@@ -0,0 +1,18 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+	type primary;
+	file "example.db";
+	sig-signing-type 65280;
+};
diff --git a/bin/tests/system/checkconf/good-static-ds.conf b/bin/tests/system/checkconf/good-static-ds.conf
new file mode 100644
index 0000000..be7412a
--- /dev/null
+++ b/bin/tests/system/checkconf/good-static-ds.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+trust-anchors {
+	example. static-ds 60724 5 2 "29E79B9064EE1A11DF3BFF19581DDFED7952C22CC204ACE17B6007EB1437E9E6";
+};
diff --git a/bin/tests/system/checkconf/good-transfer-source-v6.conf b/bin/tests/system/checkconf/good-transfer-source-v6.conf
new file mode 100644
index 0000000..0527b85
--- /dev/null
+++ b/bin/tests/system/checkconf/good-transfer-source-v6.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	transfer-source-v6 fd92:7065:b8e:ffff::1;
+};
diff --git a/bin/tests/system/checkconf/good-transfer-source.conf b/bin/tests/system/checkconf/good-transfer-source.conf
new file mode 100644
index 0000000..df23d1c
--- /dev/null
+++ b/bin/tests/system/checkconf/good-transfer-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	transfer-source 10.53.0.1;
+};
diff --git a/bin/tests/system/checkconf/good-update-policy1.conf b/bin/tests/system/checkconf/good-update-policy1.conf
new file mode 100644
index 0000000..b312590
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy1.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * self * TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy10.conf b/bin/tests/system/checkconf/good-update-policy10.conf
new file mode 100644
index 0000000..3605834
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy10.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * krb5-subdomain . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy11.conf b/bin/tests/system/checkconf/good-update-policy11.conf
new file mode 100644
index 0000000..92be340
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy11.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * tcp-self . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy12.conf b/bin/tests/system/checkconf/good-update-policy12.conf
new file mode 100644
index 0000000..b76e583
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy12.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * 6to4-self . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy13.conf b/bin/tests/system/checkconf/good-update-policy13.conf
new file mode 100644
index 0000000..e0030e8
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy13.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * tcp-self . ptr(1);
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy2.conf b/bin/tests/system/checkconf/good-update-policy2.conf
new file mode 100644
index 0000000..9af4d8a
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy2.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * self . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy3.conf b/bin/tests/system/checkconf/good-update-policy3.conf
new file mode 100644
index 0000000..2d4f8ee
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy3.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * selfsub . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy4.conf b/bin/tests/system/checkconf/good-update-policy4.conf
new file mode 100644
index 0000000..480ec5e
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy4.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * selfsub * TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy5.conf b/bin/tests/system/checkconf/good-update-policy5.conf
new file mode 100644
index 0000000..5619188
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy5.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * selfwild * TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy6.conf b/bin/tests/system/checkconf/good-update-policy6.conf
new file mode 100644
index 0000000..7e9d8c0
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy6.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * selfwild . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy7.conf b/bin/tests/system/checkconf/good-update-policy7.conf
new file mode 100644
index 0000000..8b0b821
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy7.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * krb5-self . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy8.conf b/bin/tests/system/checkconf/good-update-policy8.conf
new file mode 100644
index 0000000..b00e8c4
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy8.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * ms-self . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-update-policy9.conf b/bin/tests/system/checkconf/good-update-policy9.conf
new file mode 100644
index 0000000..491e07c
--- /dev/null
+++ b/bin/tests/system/checkconf/good-update-policy9.conf
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "example.com" {
+	type primary;
+	file "example.com.db";
+	update-policy {
+		grant * ms-subdomain . TXT;
+	};
+};
diff --git a/bin/tests/system/checkconf/good-view-also-notify.conf b/bin/tests/system/checkconf/good-view-also-notify.conf
new file mode 100644
index 0000000..54d90ba
--- /dev/null
+++ b/bin/tests/system/checkconf/good-view-also-notify.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view example {
+	also-notify { missing; };
+	zone "example.net" {
+		type secondary;
+		notify no;
+		primaries { 192.168.1.1; };
+	};
+};
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
new file mode 100644
index 0000000..f8d0408
--- /dev/null
+++ b/bin/tests/system/checkconf/good.conf
@@ -0,0 +1,286 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * This is just a random selection of configuration options.
+ */
+
+/* cut here */
+dnssec-policy "test" {
+	dnskey-ttl 3600;
+	keys {
+		ksk key-directory lifetime P1Y algorithm 13 256;
+		zsk key-directory lifetime P30D algorithm 13;
+		csk key-directory lifetime P30D algorithm 8 2048;
+	};
+	max-zone-ttl 86400;
+	nsec3param ;
+	parent-ds-ttl 7200;
+	parent-propagation-delay PT1H;
+	publish-safety PT3600S;
+	purge-keys P90D;
+	retire-safety PT3600S;
+	signatures-refresh P3D;
+	signatures-validity P2W;
+	signatures-validity-dnskey P14D;
+	zone-propagation-delay PT5M;
+};
+options {
+	avoid-v4-udp-ports {
+		100;
+	};
+	avoid-v6-udp-ports {
+		100;
+	};
+	blackhole {
+		10.0.0.0/8;
+	};
+	directory ".";
+	dscp 41;
+	dump-file "named_dumpdb";
+	heartbeat-interval 30;
+	hostname none;
+	interface-interval 30;
+	keep-response-order {
+		10.0.10.0/24;
+	};
+	listen-on port 90 {
+		"any";
+	};
+	listen-on port 100 dscp 33 {
+		127.0.0.1/32;
+	};
+	listen-on-v6 port 53 dscp 57 {
+		"none";
+	};
+	match-mapped-addresses yes;
+	memstatistics-file "named.memstats";
+	pid-file none;
+	port 5300;
+	querylog yes;
+	recursing-file "named.recursing";
+	recursive-clients 3000;
+	serial-query-rate 100;
+	server-id none;
+	update-quota 200;
+	check-names primary warn;
+	check-names secondary ignore;
+	max-cache-size 20000000000000;
+	nta-lifetime 604800;
+	nta-recheck 604800;
+	validate-except {
+		"corp";
+	};
+	dnssec-policy "test";
+	max-ixfr-ratio 90%;
+	transfer-source 0.0.0.0 dscp 63;
+	zone-statistics none;
+};
+parental-agents "parents" {
+	10.10.10.11;
+	10.10.10.12;
+};
+view "first" {
+	match-clients {
+		"none";
+	};
+	zone "example1" {
+		type primary;
+		file "xxx";
+		update-policy local;
+		max-ixfr-ratio 20%;
+		notify-source 10.10.10.10 port 53 dscp 55;
+	};
+	zone "clone" {
+		type primary;
+		file "yyy";
+		inline-signing yes;
+		max-ixfr-ratio unlimited;
+	};
+	dnssec-validation auto;
+	zone-statistics terse;
+};
+view "second" {
+	match-clients {
+		"any";
+	};
+	zone "example1" {
+		type primary;
+		file "zzz";
+		update-policy local;
+		zone-statistics yes;
+	};
+	zone "example2" {
+		type static-stub;
+		forward only;
+		forwarders {
+			10.53.0.4;
+		};
+		zone-statistics no;
+	};
+	zone "example3" {
+		type static-stub;
+		server-addresses {
+			1.2.3.4;
+		};
+	};
+	zone "clone" {
+		in-view "first";
+	};
+	zone "." {
+		type redirect;
+		primaries {
+			1.2.3.4;
+		};
+	};
+	dnssec-validation auto;
+	zone-statistics full;
+};
+view "third" {
+	match-clients {
+		"none";
+	};
+	zone "clone" {
+		in-view "first";
+		forward only;
+		forwarders {
+			10.0.0.100;
+		};
+	};
+	zone "dnssec" {
+		type primary;
+		file "file";
+		allow-update {
+			"any";
+		};
+		dnssec-policy "default";
+	};
+	zone "p" {
+		type primary;
+		file "pfile";
+		inline-signing yes;
+	};
+	zone "s" {
+		type secondary;
+		file "sfile";
+		inline-signing yes;
+		primaries {
+			1.2.3.4;
+		};
+		notify primary-only;
+	};
+};
+view "fourth" {
+	zone "dnssec-test" {
+		type primary;
+		file "dnssec-test.db";
+		inline-signing yes;
+		parental-agents {
+			1.2.3.4;
+			1.2.3.5;
+		};
+		dnssec-policy "test";
+		parental-source 10.10.10.10 port 53 dscp 55;
+	};
+	zone "dnssec-default" {
+		type primary;
+		file "dnssec-default.db";
+		inline-signing yes;
+		parental-agents {
+			"parents";
+		};
+		dnssec-policy "default";
+	};
+	zone "dnssec-inherit" {
+		type primary;
+		file "dnssec-inherit.db";
+		inline-signing yes;
+	};
+	zone "dnssec-none" {
+		type primary;
+		file "dnssec-none.db";
+		dnssec-policy "none";
+	};
+	zone "dnssec-view1" {
+		type primary;
+		file "dnssec-view41.db";
+		inline-signing yes;
+		dnssec-policy "test";
+	};
+	zone "dnssec-view2" {
+		type primary;
+		file "dnssec-view42.db";
+		inline-signing yes;
+	};
+	zone "dnssec-view3" {
+		type primary;
+		file "dnssec-view43.db";
+		dnssec-policy "none";
+		key-directory "keys";
+	};
+	zone "dnssec-view4" {
+		type primary;
+		file "dnssec-view44.db";
+		dnssec-policy "none";
+	};
+	dnssec-policy "default";
+	key-directory ".";
+};
+view "fifth" {
+	zone "dnssec-view1" {
+		type primary;
+		file "dnssec-view51.db";
+		inline-signing yes;
+		dnssec-policy "test";
+	};
+	zone "dnssec-view2" {
+		type primary;
+		file "dnssec-view52.db";
+		inline-signing yes;
+		dnssec-policy "test";
+		key-directory "keys";
+	};
+	zone "dnssec-view3" {
+		type primary;
+		file "dnssec-view53.db";
+		inline-signing yes;
+		dnssec-policy "default";
+		key-directory "keys";
+	};
+	zone "dnssec-view4" {
+		type primary;
+		file "dnssec-view54.db";
+		dnssec-policy "none";
+	};
+	key-directory ".";
+};
+view "chaos" chaos {
+	zone "hostname.bind" chaos {
+		type primary;
+		database "_builtin hostname";
+		inline-signing yes;
+	};
+};
+dyndb "name" "library.so" {
+	this;
+	\};
+	is a {
+		"test" { \{ of; the; };
+	} bracketed;
+	"text \"";
+	system;
+};
+key "mykey" {
+	algorithm "hmac-md5";
+	secret "qwertyuiopasdfgh";
+};
diff --git a/bin/tests/system/checkconf/good.zonelist b/bin/tests/system/checkconf/good.zonelist
new file mode 100644
index 0000000..a5fbfda
--- /dev/null
+++ b/bin/tests/system/checkconf/good.zonelist
@@ -0,0 +1,24 @@
+example1 IN first primary
+clone IN first primary
+example1 IN second primary
+example2 IN second static-stub
+example3 IN second static-stub
+clone IN second in-view first
+. IN second redirect
+clone IN third in-view first
+dnssec IN third primary
+p IN third primary
+s IN third secondary
+dnssec-test IN fourth primary
+dnssec-default IN fourth primary
+dnssec-inherit IN fourth primary
+dnssec-none IN fourth primary
+dnssec-view1 IN fourth primary
+dnssec-view2 IN fourth primary
+dnssec-view3 IN fourth primary
+dnssec-view4 IN fourth primary
+dnssec-view1 IN fifth primary
+dnssec-view2 IN fifth primary
+dnssec-view3 IN fifth primary
+dnssec-view4 IN fifth primary
+hostname.bind chaos chaos primary
diff --git a/bin/tests/system/checkconf/hint-nofile.conf b/bin/tests/system/checkconf/hint-nofile.conf
new file mode 100644
index 0000000..1d1dee2
--- /dev/null
+++ b/bin/tests/system/checkconf/hint-nofile.conf
@@ -0,0 +1,17 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "." {
+	type hint;
+	file "nonexistent.db";
+};
diff --git a/bin/tests/system/checkconf/in-view-good.conf b/bin/tests/system/checkconf/in-view-good.conf
new file mode 100644
index 0000000..e5e860d
--- /dev/null
+++ b/bin/tests/system/checkconf/in-view-good.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view internal {
+	zone shared.example {
+		type primary;
+		file "shared.example.db";
+	};
+};
+
+view external {
+	zone shared.example {
+		in-view internal;
+	};
+};
diff --git a/bin/tests/system/checkconf/inline-bad.conf b/bin/tests/system/checkconf/inline-bad.conf
new file mode 100644
index 0000000..17dcb6b
--- /dev/null
+++ b/bin/tests/system/checkconf/inline-bad.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl "transferees" {};
+primaries "stealthPrimaries" {127.0.0.1;};
+primaries "publicSecondaries" {127.0.0.1;};
+zone "example.net" {
+	type secondary;
+	key-directory "/var/lib/bind/example.net";
+	auto-dnssec maintain;
+	inline-signing yes;
+	primaries { stealthPrimaries; };
+	notify explicit;
+	also-notify { publicSecondaries; };
+	allow-transfer { localhost; transferees; };
+};
+
diff --git a/bin/tests/system/checkconf/inline-good.conf b/bin/tests/system/checkconf/inline-good.conf
new file mode 100644
index 0000000..f588bcd
--- /dev/null
+++ b/bin/tests/system/checkconf/inline-good.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl "transferees" {};
+primaries "stealthPrimaries" {127.0.0.1;};
+primaries "publicSecondaries" {127.0.0.1;};
+zone "example.net" {
+	type secondary;
+	file "/var/cache/bind/example.net.db";
+	key-directory "/var/lib/bind/example.net";
+	auto-dnssec maintain;
+	inline-signing yes;
+	primaries { stealthPrimaries; };
+	notify explicit;
+	also-notify { publicSecondaries; };
+	allow-transfer { localhost; transferees; };
+};
+
diff --git a/bin/tests/system/checkconf/inline-no.conf b/bin/tests/system/checkconf/inline-no.conf
new file mode 100644
index 0000000..f6dbc5a
--- /dev/null
+++ b/bin/tests/system/checkconf/inline-no.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+acl "transferees" {};
+primaries "stealthPrimaries" {127.0.0.1;};
+primaries "publicSecondaries" {127.0.0.1;};
+zone "example.net" {
+	type secondary;
+	key-directory "/var/lib/bind/example.net";
+	auto-dnssec maintain;
+	inline-signing no;
+	primaries { stealthPrimaries; };
+	notify explicit;
+	also-notify { publicSecondaries; };
+	allow-transfer { localhost; transferees; };
+};
+
diff --git a/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf
new file mode 100644
index 0000000..b67a0e1
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "good-kasp.conf";
+
+zone "nsec3.net" {
+	type primary;
+	file "nsec3.db";
+	dnssec-policy "test";
+	auto-dnssec maintain;
+	dnskey-sig-validity 3600;
+	dnssec-dnskey-kskonly yes;
+	dnssec-secure-to-insecure yes;
+	dnssec-update-mode maintain;
+	inline-signing no;
+	sig-validity-interval 3600;
+	update-check-ksk yes;
+};
diff --git a/bin/tests/system/checkconf/kasp-bad-keylen.conf b/bin/tests/system/checkconf/kasp-bad-keylen.conf
new file mode 100644
index 0000000..5ca4c34
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-keylen.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-keylen" {
+	keys {
+		csk lifetime P10Y algorithm rsasha1 511;
+	};
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "bad-keylen";
+};
diff --git a/bin/tests/system/checkconf/kasp-bad-lifetime.conf b/bin/tests/system/checkconf/kasp-bad-lifetime.conf
new file mode 100644
index 0000000..225b386
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-lifetime.conf
@@ -0,0 +1,91 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-lifetime-ksk" {
+	/*
+	 * The KSK lifetime is too short.
+	 * The ZSK lifetime is good enough but should trigger a warning.
+	 */
+	keys {
+		ksk lifetime PT3H algorithm 13;
+		zsk lifetime P8DT2H1S algorithm 13;
+	};
+
+	dnskey-ttl PT1H;
+	publish-safety PT1H;
+	retire-safety PT1H;
+	zone-propagation-delay PT1H;
+	max-zone-ttl P1D;
+	signatures-validity P10D;
+	signatures-refresh P3D;
+	parent-ds-ttl PT1H;
+	parent-propagation-delay PT5M;
+};
+
+dnssec-policy "bad-lifetime-zsk" {
+	/*
+	 * The ZSK lifetime is too short.
+	 * The KSK lifetime is good enough but should trigger a warning.
+	 */
+	keys {
+		ksk lifetime PT3H1S algorithm 13;
+		zsk lifetime P8DT2H algorithm 13;
+	};
+
+	dnskey-ttl PT1H;
+	publish-safety PT1H;
+	retire-safety PT1H;
+	zone-propagation-delay PT1H;
+	max-zone-ttl P1D;
+	signatures-validity P10D;
+	signatures-refresh P3D;
+	parent-ds-ttl PT1H;
+	parent-propagation-delay PT5M;
+};
+
+dnssec-policy "bad-lifetime-csk" {
+	/*
+	 * The CSK lifetime is too short.
+	 */
+	keys {
+		csk lifetime PT3H algorithm 13;
+	};
+
+	dnskey-ttl PT1H;
+	publish-safety PT1H;
+	retire-safety PT1H;
+	zone-propagation-delay PT1H;
+	max-zone-ttl P1D;
+	signatures-validity P10D;
+	signatures-refresh P3D;
+	parent-ds-ttl PT1H;
+	parent-propagation-delay PT5M;
+};
+
+zone "bad-lifetime-ksk.example.net" {
+	type primary;
+	file "bad-lifetime-ksk.example.db";
+	dnssec-policy "bad-lifetime-ksk";
+};
+
+zone "bad-lifetime-zsk.example.net" {
+	type primary;
+	file "bad-lifetime-zsk.example.db";
+	dnssec-policy "bad-lifetime-zsk";
+};
+
+zone "bad-lifetime-csk.example.net" {
+	type primary;
+	file "bad-lifetime-csk.example.db";
+	dnssec-policy "bad-lifetime-csk";
+};
diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf
new file mode 100644
index 0000000..8691b6c
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-alg.conf
@@ -0,0 +1,26 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-salt" {
+	keys {
+		csk lifetime unlimited algorithm rsasha1;
+	};
+	nsec3param ;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "bad-salt";
+};
+
diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
new file mode 100644
index 0000000..a5a71d3
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf
@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "rsasha1" {
+	keys {
+		csk lifetime P10Y algorithm nsec3rsasha1 1024;
+	};
+	nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha1-bad" {
+	keys {
+		csk lifetime P10Y algorithm nsec3rsasha1 1024;
+	};
+	nsec3param iterations 151;
+};
+
+dnssec-policy "rsasha256" {
+	keys {
+		csk lifetime P10Y algorithm rsasha256 2048;
+	};
+	nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha256-bad" {
+	keys {
+		csk lifetime P10Y algorithm rsasha256 2048;
+	};
+	nsec3param iterations 151;
+};
+
+dnssec-policy "rsasha512" {
+	keys {
+		csk lifetime P10Y algorithm rsasha512 4096;
+	};
+	nsec3param iterations 150;
+};
+
+dnssec-policy "rsasha512-bad" {
+	keys {
+		csk lifetime P10Y algorithm rsasha512 4096;
+	};
+	nsec3param iterations 151;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "default";
+	inline-signing yes;
+};
diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-salt.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-salt.conf
new file mode 100644
index 0000000..708e580
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-nsec3-salt.conf
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-salt" {
+	nsec3param salt "pepper";
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "bad-salt";
+};
+
diff --git a/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf b/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf
new file mode 100644
index 0000000..197ff17
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "bad-sigrefresh" {
+	keys {
+		csk lifetime unlimited algorithm 13;
+	};
+
+	signatures-validity P10D;
+	signatures-validity-dnskey P20D;
+	signatures-refresh P9DT1S;
+};
+
+dnssec-policy "bad-sigrefresh-dnskey" {
+	keys {
+		csk lifetime unlimited algorithm 13;
+	};
+
+	signatures-validity P20D;
+	signatures-validity-dnskey P10D;
+	signatures-refresh P9DT1S;
+};
+
+zone "sigrefresh.example.net" {
+	type primary;
+	file "sigrefresh.example.db";
+	inline-signing yes;
+	dnssec-policy "bad-sigrefresh";
+};
+
+zone "dnskey.example.net" {
+	type primary;
+	file "dnskey.example.db";
+	inline-signing yes;
+	dnssec-policy "bad-sigrefresh-dnskey";
+};
diff --git a/bin/tests/system/checkconf/kasp-ignore-keylen.conf b/bin/tests/system/checkconf/kasp-ignore-keylen.conf
new file mode 100644
index 0000000..c9787d4
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-ignore-keylen.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "warn-length" {
+	keys {
+		// Algorithm 13 has predefined length, warn about length param.
+		csk lifetime unlimited algorithm ecdsa256 2048;
+	};
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	dnssec-policy "warn-length";
+	inline-signing yes;
+};
+
diff --git a/bin/tests/system/checkconf/kasp-warning.conf b/bin/tests/system/checkconf/kasp-warning.conf
new file mode 100644
index 0000000..41b6d6f
--- /dev/null
+++ b/bin/tests/system/checkconf/kasp-warning.conf
@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "warn1" {
+	keys {
+		// This policy has keys in the same algorithm with the same
+		// role, this should trigger a warning.
+		ksk lifetime unlimited algorithm ecdsa256;
+		zsk lifetime unlimited algorithm ecdsa256;
+		zsk lifetime unlimited algorithm ecdsa256;
+		ksk lifetime unlimited algorithm ecdsa256;
+	};
+};
+
+dnssec-policy "warn2" {
+	keys {
+		// This policy has keys in the same algorithm with the same
+		// role, this should trigger a warning.
+		csk lifetime unlimited algorithm rsasha256;
+		ksk lifetime unlimited algorithm rsasha256;
+		zsk lifetime unlimited algorithm rsasha256;
+	};
+};
+
+dnssec-policy "warn3" {
+	keys {
+		// This policy has a key with a very short lifetime.
+		csk lifetime PT2591999S algorithm rsasha256;
+	};
+};
+
+zone "warn1.example.net" {
+	type primary;
+	file "warn1.example.db";
+	inline-signing yes;
+	dnssec-policy "warn1";
+};
+
+zone "warn2.example.net" {
+	type primary;
+	file "warn2.example.db";
+	inline-signing yes;
+	dnssec-policy "warn2";
+};
+
+zone "warn3.example.net" {
+	type primary;
+	file "warn3.example.db";
+	inline-signing yes;
+	dnssec-policy "warn3";
+};
+
diff --git a/bin/tests/system/checkconf/lmdb-mapsize-largest.conf b/bin/tests/system/checkconf/lmdb-mapsize-largest.conf
new file mode 100644
index 0000000..a55b835
--- /dev/null
+++ b/bin/tests/system/checkconf/lmdb-mapsize-largest.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	lmdb-mapsize 1024G;
+};
diff --git a/bin/tests/system/checkconf/lmdb-mapsize-smallest.conf b/bin/tests/system/checkconf/lmdb-mapsize-smallest.conf
new file mode 100644
index 0000000..4478706
--- /dev/null
+++ b/bin/tests/system/checkconf/lmdb-mapsize-smallest.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	lmdb-mapsize 1M;
+};
diff --git a/bin/tests/system/checkconf/max-cache-size-good.conf b/bin/tests/system/checkconf/max-cache-size-good.conf
new file mode 100644
index 0000000..bb12775
--- /dev/null
+++ b/bin/tests/system/checkconf/max-cache-size-good.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	max-cache-size 60%;
+};
diff --git a/bin/tests/system/checkconf/max-ttl.conf b/bin/tests/system/checkconf/max-ttl.conf
new file mode 100644
index 0000000..b91a5fd
--- /dev/null
+++ b/bin/tests/system/checkconf/max-ttl.conf
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	directory ".";
+	max-zone-ttl 600;
+};
+
+zone "maxttl1.example" {
+	type primary;
+	file "maxttl-bad.db";
+};
+
+zone "maxttl2.example" {
+	type primary;
+	file "maxttl-bad.db";
+	max-zone-ttl 300;
+};
+
+zone "maxttl3.example" {
+	type primary;
+	file "maxttl-bad.db";
+	max-zone-ttl 120;
+};
diff --git a/bin/tests/system/checkconf/maxttl-bad.conf b/bin/tests/system/checkconf/maxttl-bad.conf
new file mode 100644
index 0000000..66bbebd
--- /dev/null
+++ b/bin/tests/system/checkconf/maxttl-bad.conf
@@ -0,0 +1,24 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	directory ".";
+	max-zone-ttl 8000w;
+};
+
+zone "maxttl.example" {
+	type primary;
+	file "maxttl-bad.db";
+};
+
+
diff --git a/bin/tests/system/checkconf/maxttl-bad.db b/bin/tests/system/checkconf/maxttl-bad.db
new file mode 100644
index 0000000..978f0ec
--- /dev/null
+++ b/bin/tests/system/checkconf/maxttl-bad.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300	; 5 minutes
+@                       IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+			MX	10 mail
+
+a       600		A	10.0.0.1
+mail	900		A	10.0.0.2
diff --git a/bin/tests/system/checkconf/maxttl.db b/bin/tests/system/checkconf/maxttl.db
new file mode 100644
index 0000000..3ad695e
--- /dev/null
+++ b/bin/tests/system/checkconf/maxttl.db
@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 600	; 10 minutes
+@                       IN SOA	mname1. . (
+				1          ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns2
+ns2			A	10.53.0.2
+			MX	10 mail
+
+a			A	10.0.0.1
+mail			A	10.0.0.2
diff --git a/bin/tests/system/checkconf/notify.conf b/bin/tests/system/checkconf/notify.conf
new file mode 100644
index 0000000..2978118
--- /dev/null
+++ b/bin/tests/system/checkconf/notify.conf
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view one {
+	notify primary-only;
+
+	# also-notify inconsistent with primary-only notify option
+	zone "secondary" {
+		type secondary;
+		primaries { 1.2.3.4; };
+		also-notify { 5.6.7.8; };
+	};
+
+	# OK
+	zone "primary" {
+		type primary;
+		file "filename";
+		also-notify { 5.6.7.8; };
+	};
+};
+
+view two {
+	notify no;
+
+	# also-notify inconsistent with notify option at the view level
+	zone "secondary" {
+		type secondary;
+		primaries { 1.2.3.4; };
+		also-notify { 5.6.7.8; };
+	};
+
+	# OK
+	zone "primary" {
+		type primary;
+		file "filename";
+		notify yes;
+		also-notify { 5.6.7.8; };
+	};
+};
+
+view three {
+	# also-notify inconsistent with notify option at the zone level
+	zone "secondary" {
+		type secondary;
+		primaries { 1.2.3.4; };
+		notify no;
+		also-notify { 5.6.7.8; };
+	};
+
+	# OK
+	zone "primary" {
+		type primary;
+		file "filename";
+		also-notify { 5.6.7.8; };
+	};
+};
+
+view four {
+	also-notify { 5.6.7.8; };
+
+	# OK
+	zone "secondary" {
+		type secondary;
+		primaries { 1.2.3.4; };
+		notify primary-only;
+	};
+
+	# OK
+	zone "primary" {
+		type primary;
+		file "filename";
+		notify no;
+	};
+};
diff --git a/bin/tests/system/checkconf/portrange-good.conf b/bin/tests/system/checkconf/portrange-good.conf
new file mode 100644
index 0000000..c4eb582
--- /dev/null
+++ b/bin/tests/system/checkconf/portrange-good.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	avoid-v4-udp-ports {
+		1935;
+		2605;
+		4321;
+		6514;
+		range 8610 8614;
+	};
+};
diff --git a/bin/tests/system/checkconf/range.conf b/bin/tests/system/checkconf/range.conf
new file mode 100644
index 0000000..c254f5c
--- /dev/null
+++ b/bin/tests/system/checkconf/range.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 999999;
+};
diff --git a/bin/tests/system/checkconf/servestale.stale-refresh-time.0.conf b/bin/tests/system/checkconf/servestale.stale-refresh-time.0.conf
new file mode 100644
index 0000000..3ff6b0d
--- /dev/null
+++ b/bin/tests/system/checkconf/servestale.stale-refresh-time.0.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	stale-refresh-time 0;
+};
diff --git a/bin/tests/system/checkconf/servestale.stale-refresh-time.29.conf b/bin/tests/system/checkconf/servestale.stale-refresh-time.29.conf
new file mode 100644
index 0000000..9e0669c
--- /dev/null
+++ b/bin/tests/system/checkconf/servestale.stale-refresh-time.29.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	stale-refresh-time 29;
+};
diff --git a/bin/tests/system/checkconf/setup.sh b/bin/tests/system/checkconf/setup.sh
new file mode 100644
index 0000000..7d83eb5
--- /dev/null
+++ b/bin/tests/system/checkconf/setup.sh
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../conf.sh
+
+copy_setports bad-kasp-keydir1.conf.in bad-kasp-keydir1.conf
+copy_setports bad-kasp-keydir2.conf.in bad-kasp-keydir2.conf
+copy_setports bad-kasp-keydir3.conf.in bad-kasp-keydir3.conf
+copy_setports bad-kasp-keydir4.conf.in bad-kasp-keydir4.conf
+copy_setports bad-kasp-keydir5.conf.in bad-kasp-keydir5.conf
+cp -f good-server-christmas-tree.conf.in good-server-christmas-tree.conf
diff --git a/bin/tests/system/checkconf/shared.example.db b/bin/tests/system/checkconf/shared.example.db
new file mode 100644
index 0000000..5dcdd1b
--- /dev/null
+++ b/bin/tests/system/checkconf/shared.example.db
@@ -0,0 +1,13 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+@	0	SOA	. . 0 0 0 0 0
+@	0	NS	.
diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
new file mode 100644
index 0000000..8d82f92
--- /dev/null
+++ b/bin/tests/system/checkconf/tests.sh
@@ -0,0 +1,664 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+. ../conf.sh
+
+status=0
+n=0
+
+mkdir -p keys
+
+n=$((n + 1))
+echo_i "checking that named-checkconf handles a known good config ($n)"
+ret=0
+$CHECKCONF good.conf > checkconf.out$n 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that named-checkconf prints a known good config ($n)"
+ret=0
+awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
+[ -s good.conf.in ] || ret=1
+$CHECKCONF -p good.conf.in  > checkconf.out$n || ret=1
+grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
+cmp good.conf.in good.conf.out || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that named-checkconf -x removes secrets ($n)"
+ret=0
+# ensure there is a secret and that it is not the check string.
+grep 'secret "' good.conf.in > /dev/null || ret=1
+grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1
+$CHECKCONF -p -x good.conf.in > checkconf.out$n || ret=1
+grep -v '^good.conf.in:' < checkconf.out$n > good.conf.out 2>&1 || ret=1
+grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+for bad in bad-*.conf
+do
+    n=$((n + 1))
+    echo_i "checking that named-checkconf detects error in $bad ($n)"
+    ret=0
+    { $CHECKCONF $bad > checkconf.out$n 2>&1; rc=$?; } || true
+    if [ $rc -ne 1 ]; then ret=1; fi
+    grep "^$bad:[0-9]*: " < checkconf.out$n > /dev/null || ret=1
+    case $bad in
+    bad-update-policy[123].conf)
+	pat="identity and name fields are not the same"
+	grep "$pat" < checkconf.out$n > /dev/null || ret=1
+	;;
+    bad-update-policy[4589].conf|bad-update-policy1[01].conf)
+	pat="name field not set to placeholder value"
+	grep "$pat" < checkconf.out$n > /dev/null || ret=1
+	;;
+    bad-update-policy[67].conf|bad-update-policy1[2345789].conf|bad-update-policy20.conf)
+	pat="missing name field type '.*' found"
+	grep "$pat" < checkconf.out$n > /dev/null || ret=1
+	;;
+    esac
+    if [ $ret -ne 0 ]; then echo_i "failed"; fi
+    status=$((status + ret))
+done
+
+for good in good-*.conf
+do
+	n=$((n + 1))
+	echo_i "checking that named-checkconf detects no error in $good ($n)"
+	ret=0
+	if ! $FEATURETEST --with-libnghttp2
+	then
+		case $good in
+		good-doh-*.conf) continue;;
+		good-dot-*.conf) continue;;
+		esac
+	fi
+	{ $CHECKCONF $good > checkconf.out$n 2>&1; rc=$?; } || true
+	if [ $rc -ne 0 ]; then echo_i "failed"; ret=1; fi
+	status=$((status + ret))
+done
+
+for lmdb in lmdb-*.conf
+do
+	n=$((n + 1))
+	ret=0
+
+	if $FEATURETEST --with-lmdb; then
+		echo_i "checking that named-checkconf detects no error in $lmdb ($n)"
+		{ $CHECKCONF $lmdb > checkconf.out$n 2>&1; rc=$?; } || true
+		if [ $rc -ne 0 ]; then echo_i "failed"; ret=1; fi
+	else
+		echo_i "checking that named-checkconf detects error in $lmdb ($n)"
+		{ $CHECKCONF $lmdb > checkconf.out$n 2>&1; rc=$?; } || true
+		if [ $rc -eq 0 ]; then echo_i "failed"; ret=1; fi
+	fi
+	status=$((status + ret))
+done
+
+n=$((n + 1))
+echo_i "checking that ancient options report a fatal error ($n)"
+ret=0
+$CHECKCONF ancient.conf > ancient.out 2>&1 && ret=1
+grep "no longer exists" ancient.out > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that named-checkconf -z catches missing hint file ($n)"
+ret=0
+$CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1 && ret=1
+grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that named-checkconf catches range errors ($n)"
+ret=0
+$CHECKCONF range.conf > checkconf.out$n 2>&1 && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that named-checkconf warns of notify inconsistencies ($n)"
+ret=0
+$CHECKCONF notify.conf > checkconf.out$n 2>&1
+warnings=$(grep "'notify' is disabled" < checkconf.out$n | wc -l)
+[ $warnings -eq 3 ] || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking named-checkconf dnssec warnings ($n)"
+ret=0
+# dnssec.1: auto-dnssec warning
+$CHECKCONF dnssec.1 > checkconf.out$n.1 2>&1 && ret=1
+grep 'auto-dnssec may only be ' < checkconf.out$n.1 > /dev/null || ret=1
+# dnssec.2: should have no warnings (other than deprecation warning)
+$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1 || ret=1
+grep "option 'auto-dnssec' is deprecated" < checkconf.out$n.2 > /dev/null || ret=1
+lines=$(wc -l < "checkconf.out$n.2")
+if [ $lines != 1 ]; then ret=1; fi
+# dnssec.3: should have specific deprecation warning
+$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1 && ret=1
+grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" < checkconf.out$n.3 > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking named-checkconf deprecate warnings ($n)"
+ret=0
+$CHECKCONF deprecated.conf > checkconf.out$n.1 2>&1
+grep "option 'managed-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'trusted-keys' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'use-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'use-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'avoid-v4-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'avoid-v6-udp-ports' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'tkey-dhkey' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'root-delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "'type delegation-only' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'dialup' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'heartbeat-interval' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "option 'dnssec-must-be-secure' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+grep "token 'port' is deprecated" < checkconf.out$n.1 > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+# set -i to ignore deprecate warnings
+$CHECKCONF -i deprecated.conf > checkconf.out$n.2 2>&1
+grep '.*' < checkconf.out$n.2 > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking named-checkconf servestale warnings ($n)"
+ret=0
+$CHECKCONF servestale.stale-refresh-time.0.conf > checkconf.out$n.1 2>&1
+grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+ret=0
+$CHECKCONF servestale.stale-refresh-time.29.conf > checkconf.out$n.1 2>&1
+grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" < checkconf.out$n.1 > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "range checking fields that do not allow zero ($n)"
+ret=0
+for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do
+    cat > badzero.conf << EOF
+options {
+    $field 0;
+};
+EOF
+    { $CHECKCONF badzero.conf > checkconf.out$n.1 2>&1; rc=$?; } || true
+    [ $rc -eq 1 ] || { echo_i "options $field failed" ; ret=1; }
+    cat > badzero.conf << EOF
+view dummy {
+    $field 0;
+};
+EOF
+    { $CHECKCONF badzero.conf > checkconf.out$n.2 2>&1; rc=$?; } || true
+    [ $rc -eq 1 ] || { echo_i "view $field failed" ; ret=1; }
+    cat > badzero.conf << EOF
+options {
+    $field 0;
+};
+view dummy {
+};
+EOF
+    { $CHECKCONF badzero.conf > checkconf.out$n.3 2>&1; rc=$?; } || true
+    [ $rc -eq 1 ] || { echo_i "options + view $field failed" ; ret=1; }
+    cat > badzero.conf << EOF
+zone dummy {
+    type secondary;
+    primaries { 0.0.0.0; };
+    $field 0;
+};
+EOF
+    { $CHECKCONF badzero.conf > checkconf.out$n.4 2>&1; rc=$?; } || true
+    [ $rc -eq 1 ] || { echo_i "zone $field failed" ; ret=1; }
+done
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking options allowed in inline-signing secondaries ($n)"
+ret=0
+$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1 && ret=1
+l=$(grep "dnssec-dnskey-kskonly.*requires inline" < checkconf.out$n.1 | wc -l)
+[ $l -eq 1 ] || ret=1
+$CHECKCONF bad-dnssec.conf > checkconf.out$n.2 2>&1 && ret=1
+l=$(grep "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2 | wc -l)
+[ $l -eq 1 ] || ret=1
+$CHECKCONF bad-dnssec.conf > checkconf.out$n.3 2>&1 && ret=1
+l=$(grep "update-check-ksk.*requires inline" < checkconf.out$n.3 | wc -l)
+[ $l -eq 1 ] || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check file + inline-signing for secondary zones ($n)"
+$CHECKCONF inline-no.conf > checkconf.out$n.1 2>&1 && ret=1
+l=$(grep "missing 'file' entry" < checkconf.out$n.1 | wc -l)
+[ $l -eq 0 ] || ret=1
+$CHECKCONF inline-good.conf > checkconf.out$n.2 2>&1 || ret=1
+l=$(grep "missing 'file' entry" < checkconf.out$n.2 | wc -l)
+[ $l -eq 0 ] || ret=1
+$CHECKCONF inline-bad.conf > checkconf.out$n.3 2>&1 && ret=1
+l=$(grep "missing 'file' entry" < checkconf.out$n.3 | wc -l)
+[ $l -eq 1 ] || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking named-checkconf DLZ warnings ($n)"
+ret=0
+$CHECKCONF dlz-bad.conf > checkconf.out$n 2>&1 && ret=1
+grep "'dlz' and 'database'" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking for missing key directory warning ($n)"
+ret=0
+rm -rf test.keydir
+$CHECKCONF warn-keydir.conf > checkconf.out$n.1 2>&1
+l=$(grep "'test.keydir' does not exist" < checkconf.out$n.1 | wc -l)
+[ $l -eq 1 ] || ret=1
+touch test.keydir
+$CHECKCONF warn-keydir.conf > checkconf.out$n.2 2>&1
+l=$(grep "'test.keydir' is not a directory" < checkconf.out$n.2 | wc -l)
+[ $l -eq 1 ] || ret=1
+rm -f test.keydir
+mkdir test.keydir
+$CHECKCONF warn-keydir.conf > checkconf.out$n.3 2>&1
+l=$(grep "key-directory" < checkconf.out$n.3 | wc -l)
+[ $l -eq 0 ] || ret=1
+rm -rf test.keydir
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+
+n=$((n + 1))
+echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)"
+ret=0
+$CHECKCONF -z max-ttl.conf > check.out 2>&1 && ret=1
+grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
+grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
+grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)"
+ret=0
+$CHECKCONF -z max-ttl-bad.conf > checkconf.out$n 2>&1 && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)"
+ret=0
+$CHECKCONF -z altdb.conf > checkconf.out$n 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)"
+ret=0
+$CHECKCONF -z altdlz.conf > checkconf.out$n 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that named-checkconf -z fails on view with ANY class ($n)"
+ret=0
+$CHECKCONF -z view-class-any1.conf > checkconf.out$n 2>&1 && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)"
+ret=0
+$CHECKCONF -z view-class-any2.conf > checkconf.out$n 2>&1 && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that named-checkconf -z passes on view with IN class ($n)"
+ret=0
+$CHECKCONF -z view-class-in1.conf > checkconf.out$n 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)"
+ret=0
+$CHECKCONF -z view-class-in2.conf > checkconf.out$n 2>&1 || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that check-names fails as configured ($n)"
+ret=0
+$CHECKCONF -z check-names-fail.conf > checkconf.out$n 2>&1 && ret=1
+grep "near '_underscore': bad name (check-names)" < checkconf.out$n > /dev/null || ret=1
+grep "zone check-names/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that check-mx fails as configured ($n)"
+ret=0
+$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1
+grep "near '10.0.0.1': MX is an address" < checkconf.out$n > /dev/null || ret=1
+grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that check-dup-records fails as configured ($n)"
+ret=0
+$CHECKCONF -z check-dup-records-fail.conf > checkconf.out$n 2>&1 && ret=1
+grep "has semantically identical records" < checkconf.out$n > /dev/null || ret=1
+grep "zone check-dup-records/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that check-mx fails as configured ($n)"
+ret=0
+$CHECKCONF -z check-mx-fail.conf > checkconf.out$n 2>&1 && ret=1
+grep "failed: MX is an address" < checkconf.out$n > /dev/null || ret=1
+grep "zone check-mx/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that check-mx-cname fails as configured ($n)"
+ret=0
+$CHECKCONF -z check-mx-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
+grep "MX.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1
+grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that check-srv-cname fails as configured ($n)"
+ret=0
+$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out$n 2>&1 && ret=1
+grep "SRV.* is a CNAME (illegal)" < checkconf.out$n > /dev/null || ret=1
+grep "zone check-mx-cname/IN: loaded serial" < checkconf.out$n > /dev/null && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that named-checkconf -p properly print a port range ($n)"
+ret=0
+$CHECKCONF -p portrange-good.conf > checkconf.out$n 2>&1 || ret=1
+grep "range 8610 8614;" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that named-checkconf -z handles in-view ($n)"
+ret=0
+$CHECKCONF -z in-view-good.conf > checkconf.out$n 2>&1 || ret=1
+grep "zone shared.example/IN: loaded serial" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that named-checkconf -z returns error when a later view is okay ($n)"
+ret=0
+$CHECKCONF -z check-missing-zone.conf > checkconf.out$n 2>&1 && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that named-checkconf prints max-cache-size <percentage> correctly ($n)"
+ret=0
+$CHECKCONF -p max-cache-size-good.conf > checkconf.out$n 2>&1 || ret=1
+grep "max-cache-size 60%;" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that named-checkconf -l prints out the zone list ($n)"
+ret=0
+$CHECKCONF -l good.conf |
+grep -v "is deprecated" |
+grep -v "is not implemented" |
+grep -v "is not recommended" |
+grep -v "no longer exists" |
+grep -v "is obsolete" > checkconf.out$n || ret=1
+diff good.zonelist checkconf.out$n > diff.out$n || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)"
+ret=0
+$CHECKCONF check-root-ksk-2010.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] || ret=1
+grep "key without the updated" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)"
+ret=0
+$CHECKCONF check-root-ksk-both.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)"
+ret=0
+$CHECKCONF check-root-ksk-2017.conf > checkconf.out$n 2>/dev/null || ret=1
+[ -s checkconf.out$n ] && ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that a static root key generates a warning ($n)"
+ret=0
+$CHECKCONF check-root-static-key.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that a static root DS trust anchor generates a warning ($n)"
+ret=0
+$CHECKCONF check-root-static-ds.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "static entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that a trusted-keys entry for root generates a warning ($n)"
+ret=0
+$CHECKCONF check-root-trusted-key.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "trusted-keys entry for the root zone WILL FAIL" checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that using trust-anchors and managed-keys generates an error ($n)"
+ret=0
+$CHECKCONF check-mixed-keys.conf > checkconf.out$n 2>/dev/null && ret=1
+grep "use of managed-keys is not allowed" checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking named-checkconf kasp errors ($n)"
+ret=0
+$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
+grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1
+grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-nsec3-iter.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: nsec3 iterations value 151 out of range" < checkconf.out$n > /dev/null || ret=1
+lines=$(wc -l < "checkconf.out$n")
+if [ $lines -ne 3 ]; then ret=1; fi
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking named-checkconf kasp key errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-keylen.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking named-checkconf kasp signatures refresh errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-signatures-refresh.conf > checkconf.out$n 2>&1 && ret=1
+grep "dnssec-policy: policy 'bad-sigrefresh' signatures-refresh must be at most 90% of the signatures-validity" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-policy: policy 'bad-sigrefresh-dnskey' signatures-refresh must be at most 90% of the signatures-validity-dnskey" < checkconf.out$n > /dev/null || ret=1
+lines=$(wc -l < "checkconf.out$n")
+if [ $lines -ne 2 ]; then ret=1; fi
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking named-checkconf kasp key lifetime errors ($n)"
+ret=0
+$CHECKCONF kasp-bad-lifetime.conf > checkconf.out$n 2>&1 && ret=1
+lines=$(grep "dnssec-policy: key lifetime is shorter than the time it takes to do a rollover" < checkconf.out$n | wc -l) || ret=1
+if [ $lines -ne 3 ]; then ret=1; fi
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking named-checkconf kasp predefined key length ($n)"
+ret=0
+$CHECKCONF kasp-ignore-keylen.conf > checkconf.out$n 2>&1 || ret=1
+grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking named-checkconf kasp warns about weird policies ($n)"
+ret=0
+$CHECKCONF kasp-warning.conf > checkconf.out$n 2>&1 || ret=1
+grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-policy: key lifetime is shorter than 30 days" < checkconf.out$n > /dev/null || ret=1
+lines=$(wc -l < "checkconf.out$n")
+if [ $lines -ne 5 ]; then ret=1; fi
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that a good 'kasp' configuration is accepted ($n)"
+ret=0
+$CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "checking that named-checkconf prints a known good kasp config ($n)"
+ret=0
+awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in
+[ -s good-kasp.conf.in ] || ret=1
+$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' > good-kasp.conf.out 2>&1 || ret=1
+cmp good-kasp.conf.in good-kasp.conf.out || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that max-ixfr-ratio 100% generates a warning ($n)"
+ret=0
+$CHECKCONF warn-maxratio1.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "exceeds 100%" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that *-source options with specified port generate warnings ($n)"
+ret=0
+$CHECKCONF warn-transfer-source.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "not recommended" < checkconf.out$n > /dev/null || ret=1
+$CHECKCONF warn-notify-source.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "not recommended" < checkconf.out$n > /dev/null || ret=1
+$CHECKCONF warn-parental-source.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "not recommended" < checkconf.out$n > /dev/null || ret=1
+if [ $ret -ne 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that using both max-zone-ttl and dnssec-policy generates a warning ($n)"
+ret=0
+$CHECKCONF warn-kasp-max-zone-ttl.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "option 'max-zone-ttl' is ignored when used together with 'dnssec-policy'" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check obsolete options generate warnings ($n)"
+ret=0
+$CHECKCONF warn-random-device.conf > checkconf.out$n 2>/dev/null || ret=1
+grep "option 'random-device' is obsolete and should be removed" < checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that 'check-wildcard no;' succeeds as configured ($n)"
+ret=0
+$CHECKCONF -z check-wildcard-no.conf > checkconf.out$n 2>&1 || ret=1
+grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null && ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that 'check-wildcard yes;' warns as configured ($n)"
+ret=0
+$CHECKCONF -z check-wildcard.conf > checkconf.out$n 2>&1 || ret=1
+grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=$((status + ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/checkconf/tests_sh_checkconf.py b/bin/tests/system/checkconf/tests_sh_checkconf.py
new file mode 100644
index 0000000..3a348ba
--- /dev/null
+++ b/bin/tests/system/checkconf/tests_sh_checkconf.py
@@ -0,0 +1,14 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+
+def test_checkconf(run_tests_sh):
+    run_tests_sh()
diff --git a/bin/tests/system/checkconf/view-class-any1.conf b/bin/tests/system/checkconf/view-class-any1.conf
new file mode 100644
index 0000000..8b39456
--- /dev/null
+++ b/bin/tests/system/checkconf/view-class-any1.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "example" any { };
diff --git a/bin/tests/system/checkconf/view-class-any2.conf b/bin/tests/system/checkconf/view-class-any2.conf
new file mode 100644
index 0000000..049ccf6
--- /dev/null
+++ b/bin/tests/system/checkconf/view-class-any2.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "example" class255 { };
diff --git a/bin/tests/system/checkconf/view-class-in1.conf b/bin/tests/system/checkconf/view-class-in1.conf
new file mode 100644
index 0000000..1d203e6
--- /dev/null
+++ b/bin/tests/system/checkconf/view-class-in1.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "example" in { };
diff --git a/bin/tests/system/checkconf/view-class-in2.conf b/bin/tests/system/checkconf/view-class-in2.conf
new file mode 100644
index 0000000..38b356e
--- /dev/null
+++ b/bin/tests/system/checkconf/view-class-in2.conf
@@ -0,0 +1,14 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+view "example" class1 { };
diff --git a/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf b/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
new file mode 100644
index 0000000..0d3139d
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-kasp-max-zone-ttl.conf
@@ -0,0 +1,27 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * The dnssec-policy is not defined. Should also be caught if it is inherited.
+ */
+
+options {
+	dnssec-policy default;
+};
+
+zone "example.net" {
+	type primary;
+	file "example.db";
+	inline-signing yes;
+        max-zone-ttl 600;
+};
diff --git a/bin/tests/system/checkconf/warn-keydir.conf b/bin/tests/system/checkconf/warn-keydir.conf
new file mode 100644
index 0000000..9600071
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-keydir.conf
@@ -0,0 +1,25 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+/*
+ * key-directory defined but doesn't exist.
+ */
+options {
+	directory ".";
+};
+
+zone dummy {
+	type primary;
+	file "xxxx";
+	key-directory "test.keydir";
+};
diff --git a/bin/tests/system/checkconf/warn-maxratio1.conf b/bin/tests/system/checkconf/warn-maxratio1.conf
new file mode 100644
index 0000000..eedf263
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-maxratio1.conf
@@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone example {
+	type primary;
+	masterfile-format raw;
+	file "example.db";
+	max-ixfr-ratio 101%;
+};
diff --git a/bin/tests/system/checkconf/warn-notify-source.conf b/bin/tests/system/checkconf/warn-notify-source.conf
new file mode 100644
index 0000000..4d840cc
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-notify-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	notify-source 10.53.0.1 port 100;
+};
diff --git a/bin/tests/system/checkconf/warn-parental-source.conf b/bin/tests/system/checkconf/warn-parental-source.conf
new file mode 100644
index 0000000..2bbb34b
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-parental-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	parental-source 10.53.0.1 port 100;
+};
diff --git a/bin/tests/system/checkconf/warn-random-device.conf b/bin/tests/system/checkconf/warn-random-device.conf
new file mode 100644
index 0000000..bc1451d
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-random-device.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+        random-device "/dev/urandom";
+};
diff --git a/bin/tests/system/checkconf/warn-transfer-source.conf b/bin/tests/system/checkconf/warn-transfer-source.conf
new file mode 100644
index 0000000..eb31041
--- /dev/null
+++ b/bin/tests/system/checkconf/warn-transfer-source.conf
@@ -0,0 +1,22 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+options {
+	port 5300;
+};
+
+zone example {
+	type secondary;
+	primaries { 1.2.3.4; };
+	transfer-source 10.53.0.1 port 100;
+};