1# Copyright (C) 2005, 2007, 2010-2015  Internet Systems Consortium, Inc. ("ISC")
2#
3# Permission to use, copy, modify, and/or distribute this software for any
4# purpose with or without fee is hereby granted, provided that the above
5# copyright notice and this permission notice appear in all copies.
6#
7# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
8# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
9# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
10# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
11# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
12# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
13# PERFORMANCE OF THIS SOFTWARE.
14
15# Id
16
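# Shared system-test harness; conf.sh provides $CHECKCONF (the named-checkconf
# binary under test) and the other test paths.  $CHECKCONF is left unquoted
# throughout on purpose: conf.sh may define it as a command plus options.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh

# Number of failed sections; printed at the end and used as the exit status.
status=0

echo "I: checking that named-checkconf handles a known good config"
ret=0
# A known-good configuration must be accepted (exit status 0).
$CHECKCONF good.conf > /dev/null 2>&1 || ret=1
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))

echo "I: checking that named-checkconf prints a known good config"
ret=0
# good.conf carries a "cut here" marker; everything after it is the canonical
# form that 'named-checkconf -p' is expected to reproduce byte for byte.
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf > good.conf.in
[ -s good.conf.in ] || ret=1
# Run the printer on its own rather than as the head of a pipeline, so that a
# non-zero exit status from named-checkconf is not masked by grep's status.
$CHECKCONF -p good.conf.in > good.conf.raw || ret=1
# Strip any lines prefixed with the input file name before comparing.
grep -v '^good.conf.in:' good.conf.raw > good.conf.out
cmp good.conf.in good.conf.out || ret=1
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))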
36
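echo "I: checking that named-checkconf -x removes secrets"
ret=0
# Preconditions: the printed config must contain at least one key secret, and
# no secret may already equal the redaction placeholder, otherwise the
# positive check below would pass trivially.
grep 'secret "' good.conf.in > /dev/null || ret=1
grep 'secret "????????????????"' good.conf.in > /dev/null 2>&1 && ret=1
# Print with -x (obscure secrets).  Run it outside the pipeline so that a
# non-zero exit status from named-checkconf is not masked by grep's status.
$CHECKCONF -p -x good.conf.in > good.conf.x.raw || ret=1
grep -v '^good.conf.in:' good.conf.x.raw > good.conf.out
# Positive check: the placeholder must appear in the redacted output.
grep 'secret "????????????????"' good.conf.out > /dev/null 2>&1 || ret=1
# Negative checks: no 'secret' statement may survive with a real value, and
# none of the original secret values may appear anywhere in the output (a
# value leaking through some other statement would otherwise go unnoticed).
grep 'secret "' good.conf.out | grep -v 'secret "????????????????"' > /dev/null 2>&1 && ret=1
for secret in $(sed -n 's/.*secret "\([^"]*\)".*/\1/p' good.conf.in); do
	grep -F -- "$secret" good.conf.out > /dev/null 2>&1 && ret=1
done
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))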
46
# Every bad*.conf must be rejected with exit status exactly 1; any other
# status (including an abnormal termination) is a failure.
for bad in bad*.conf; do
	ret=0
	echo "I: checking that named-checkconf detects error in $bad"
	$CHECKCONF "$bad" > /dev/null 2>&1
	rc=$?
	if [ "$rc" -ne 1 ]; then
		echo "I:failed"
		ret=1
	fi
	status=$((status + ret))
done
55
echo "I: checking that named-checkconf -z catches missing hint file"
ret=0
# With -z the zones are loaded too; a missing root hints file must make the
# check fail and the diagnostic must name the missing file.
if $CHECKCONF -z hint-nofile.conf > hint-nofile.out 2>&1; then
	ret=1
fi
grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out > /dev/null || ret=1
[ "$ret" = 0 ] || echo "I:failed"
status=$((status + ret))

echo "I: checking that named-checkconf catches range errors"
ret=0
# range.conf holds out-of-range option values and must be rejected.
if $CHECKCONF range.conf > /dev/null 2>&1; then
	ret=1
fi
[ "$ret" = 0 ] || echo "I:failed"
status=$((status + ret))

echo "I: checking that named-checkconf warns of notify inconsistencies"
ret=0
# notify.conf is expected to draw exactly three "'notify' is disabled" warnings.
warnings=$($CHECKCONF notify.conf 2>&1 | grep -c "'notify' is disabled")
[ "$warnings" -eq 3 ] || ret=1
[ "$ret" = 0 ] || echo "I:failed"
status=$((status + ret))
75
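echo "I: checking named-checkconf dnssec warnings"
ret=0
# dnssec.1 must draw a warning matching 'validation yes.*enable no'.
$CHECKCONF dnssec.1 2>&1 | grep 'validation yes.*enable no' > /dev/null || ret=1
# dnssec.2 must draw three distinct warnings; capture its output once instead
# of running the checker once per pattern.
$CHECKCONF dnssec.2 > dnssec.2.out 2>&1
grep 'auto-dnssec may only be ' dnssec.2.out > /dev/null || ret=1
grep 'validation auto.*enable no' dnssec.2.out > /dev/null || ret=1
grep 'validation yes.*enable no' dnssec.2.out > /dev/null || ret=1
# dnssec.3 must be clean: any output at all (warning or error) is a failure.
# Matching lines are deliberately echoed so the unexpected text is visible.
$CHECKCONF dnssec.3 2>&1 | grep '.*' && ret=1
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))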
86
echo "I: range checking fields that do not allow zero"
ret=0

# expect_rejected LABEL: named-checkconf must reject badzero.conf (written by
# the caller) with exit status exactly 1; otherwise report LABEL and flag the
# section as failed.
expect_rejected() {
	$CHECKCONF badzero.conf > /dev/null 2>&1
	if [ $? -ne 1 ]; then
		echo "I: $1 failed"
		ret=1
	fi
}

# Each timer is tried at zero in every scope it may appear in: options,
# a view, options alongside an (empty) view, and a slave zone.
for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do
	printf 'options {\n    %s 0;\n};\n' "$field" > badzero.conf
	expect_rejected "options $field"

	printf 'view dummy {\n    %s 0;\n};\n' "$field" > badzero.conf
	expect_rejected "view $field"

	printf 'options {\n    %s 0;\n};\nview dummy {\n};\n' "$field" > badzero.conf
	expect_rejected "options + view $field"

	printf 'zone dummy {\n    type slave;\n    masters { 0.0.0.0; };\n    %s 0;\n};\n' "$field" > badzero.conf
	expect_rejected "zone $field"
done
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))
125
echo "I: checking options allowed in inline-signing slaves"
ret=0
# Each of these options, as used in bad-dnssec.conf, must draw exactly one
# "requires inline" complaint.
for opt in dnssec-dnskey-kskonly dnssec-loadkeys-interval update-check-ksk; do
	n=$($CHECKCONF bad-dnssec.conf 2>&1 | grep -c "$opt.*requires inline")
	[ "$n" -eq 1 ] || ret=1
done
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))
136
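echo "I: check file + inline-signing for slave zones"
# Reset the per-section flag.  Without this the section inherits the previous
# section's result, so a failure there is reported and counted a second time.
ret=0
# inline-no.conf and inline-good.conf must not draw the "missing 'file' entry"
# complaint; inline-bad.conf must draw exactly one.  (The names suggest: no
# inline-signing / inline-signing with a file / inline-signing without one —
# see the .conf files themselves.)
n=$($CHECKCONF inline-no.conf 2>&1 | grep -c "missing 'file' entry")
[ "$n" -eq 0 ] || ret=1
n=$($CHECKCONF inline-good.conf 2>&1 | grep -c "missing 'file' entry")
[ "$n" -eq 0 ] || ret=1
n=$($CHECKCONF inline-bad.conf 2>&1 | grep -c "missing 'file' entry")
[ "$n" -eq 1 ] || ret=1
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))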
146
echo "I: checking named-checkconf DLZ warnings"
ret=0
# dlz-bad.conf must produce a diagnostic mentioning both 'dlz' and 'database'.
$CHECKCONF dlz-bad.conf 2>&1 | grep "'dlz' and 'database'" > /dev/null || ret=1
[ "$ret" = 0 ] || echo "I:failed"
status=$((status + ret))
152
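echo "I: checking for missing key directory warning"
ret=0
# warn-keydir.conf refers to key-directory "test.keydir"; exercise the three
# states it can be in: absent, present but not a directory, a real directory.
rm -rf test.keydir
n=$($CHECKCONF warn-keydir.conf 2>&1 | grep -c "'test.keydir' does not exist")
[ "$n" -eq 1 ] || ret=1
touch test.keydir
n=$($CHECKCONF warn-keydir.conf 2>&1 | grep -c "'test.keydir' is not a directory")
[ "$n" -eq 1 ] || ret=1
rm -f test.keydir
mkdir test.keydir
# With a proper directory in place no key-directory diagnostic may appear.
n=$($CHECKCONF warn-keydir.conf 2>&1 | grep -c "key-directory")
[ "$n" -eq 0 ] || ret=1
rm -rf test.keydir
if [ "$ret" != 0 ]; then echo "I:failed"; fi
# This section's result must be folded into the exit status like every other
# section; it previously was not, so a regression here could never fail the run.
status=$((status + ret))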
167
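echo "I: checking that named-checkconf -z catches conflicting ttl with max-ttl"
ret=0
# Loading max-ttl.conf must report a record TTL above the configured
# max-zone-ttl.  NOTE(review): this grep was previously written three times
# verbatim; if three separate zones or records were meant to be checked, the
# distinct messages are not visible here — confirm against max-ttl.conf.
$CHECKCONF -z max-ttl.conf > check.out 2>&1
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out > /dev/null 2>&1 || ret=1
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))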
176
echo "I: checking that named-checkconf -z catches invalid max-ttl"
ret=0
# max-ttl-bad.conf must be rejected when the zones are loaded.
if $CHECKCONF -z max-ttl-bad.conf > /dev/null 2>&1; then
	ret=1
fi
[ "$ret" = 0 ] || echo "I:failed"
status=$((status + ret))

echo "I: checking that named-checkconf -z skips zone check with alternate databases"
ret=0
# Zones backed by an alternate database are not loaded by -z; the check
# must succeed rather than fail on them.
$CHECKCONF -z altdb.conf > /dev/null 2>&1 || ret=1
[ "$ret" = 0 ] || echo "I:failed"
status=$((status + ret))

echo "I: checking that named-checkconf -z skips zone check with DLZ"
ret=0
# Likewise for DLZ-backed zones.
$CHECKCONF -z altdlz.conf > /dev/null 2>&1 || ret=1
[ "$ret" = 0 ] || echo "I:failed"
status=$((status + ret))
194
# expect_zone_rejected CONF OUT PATTERN ZONE: 'named-checkconf -z CONF' must
# fail, its combined output (saved in OUT) must match PATTERN, and the zone
# named ZONE must not report "loaded serial", i.e. it must not have loaded.
expect_zone_rejected() {
	if $CHECKCONF -z "$1" > "$2" 2>&1; then
		ret=1
	fi
	grep "$3" "$2" > /dev/null || ret=1
	grep "zone $4/IN: loaded serial" "$2" > /dev/null && ret=1
}

echo "I: check that check-names fails as configured"
ret=0
expect_zone_rejected check-names-fail.conf checkconf.out1 "near '_underscore': bad name (check-names)" check-names
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))

echo "I: check that check-mx fails as configured"
ret=0
expect_zone_rejected check-mx-fail.conf checkconf.out2 "near '10.0.0.1': MX is an address" check-mx
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))

echo "I: check that check-dup-records fails as configured"
ret=0
expect_zone_rejected check-dup-records-fail.conf checkconf.out3 "has semantically identical records" check-dup-records
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))

# Second pass over check-mx-fail.conf: this time look for the summary
# "failed: MX is an address" line rather than the per-record message.
echo "I: check that check-mx fails as configured"
ret=0
expect_zone_rejected check-mx-fail.conf checkconf.out4 "failed: MX is an address" check-mx
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))

echo "I: check that check-mx-cname fails as configured"
ret=0
expect_zone_rejected check-mx-cname-fail.conf checkconf.out5 "MX.* is a CNAME (illegal)" check-mx-cname
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))
234
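echo "I: check that check-srv-cname fails as configured"
ret=0
$CHECKCONF -z check-srv-cname-fail.conf > checkconf.out6 2>&1 && ret=1
grep "SRV.* is a CNAME (illegal)" checkconf.out6 > /dev/null || ret=1
# The zone must not have loaded.  This grep previously looked for
# "check-mx-cname/IN", which looks like a copy-paste from the MX test and
# presumably never matches this output, making the assertion vacuous.  It now
# assumes the zone in check-srv-cname-fail.conf is named check-srv-cname, as
# the other check-*-fail.conf sections do — confirm against that file.
grep "zone check-srv-cname/IN: loaded serial" < checkconf.out6 > /dev/null && ret=1
if [ "$ret" != 0 ]; then echo "I:failed"; fi
status=$((status + ret))

# Report the number of failed sections and use it as the exit status.
echo "I:exit status: $status"
exit $status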
245