upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-21 14:17:27 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/bin/tests/system/checkconf/tests.sh

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

740 lines
23 KiB
Bash
Raw Normal View History

Add shell interpreter line where missing The checkbashisms script reports errors like this one: script util/check-line-length.sh does not appear to have a #! interpreter line; you may get strange results
2022-08-02 09:01:01 -04:00
#!/bin/sh
update copyrights
2014-01-10 15:07:56 -05:00
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
reverse bad copyright update
2012-06-28 21:39:47 -04:00
#
1890. [func] Add a system test for named-checkconf. [RT #14931]
2005-06-23 02:52:23 -04:00
# SPDX-License-Identifier: MPL-2.0
Update the copyright information in all files in the repository This commit converts the license handling to adhere to the REUSE specification. It specifically: 1. Adds used licnses to LICENSES/ directory 2. Add "isc" template for adding the copyright boilerplate 3. Changes all source files to include copyright and SPDX license header, this includes all the C sources, documentation, zone files, configuration files. There are notes in the doc/dev/copyrights file on how to add correct headers to the new files. 4. Handle the rest that can't be modified via .reuse/dep5 file. The binary (or otherwise unmodifiable) files could have license places next to them in <foo>.license file, but this would lead to cluttered repository and most of the files handled in the .reuse/dep5 file are system test files.
2021-06-03 02:37:05 -04:00
#
1890. [func] Add a system test for named-checkconf. [RT #14931]
2005-06-23 02:52:23 -04:00
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
Update license headers to not include years in copyright in all applicable files
2018-02-23 03:53:12 -05:00
#
1890. [func] Add a system test for named-checkconf. [RT #14931]
2005-06-23 02:52:23 -04:00
# See the COPYRIGHT file distributed with this work for additional
parallelize most system tests
2018-02-20 18:43:27 -05:00
# information regarding copyright ownership.
1890. [func] Add a system test for named-checkconf. [RT #14931]
2005-06-23 02:52:23 -04:00
Run system tests with set -e Ensure all shell system tests are executed with the errexit option set. This prevents unchecked return codes from commands in the test from interfering with the tests, since any failures need to be handled explicitly.
2023-06-07 09:35:57 -04:00
set -e
Drop $SYSTEMTESTTOP from bin/tests/system/ The $SYSTEMTESTTOP shell variable if often set to .. in various shell scripts inside bin/tests/system/, but most of the time it is only used one line later, while sourcing conf.sh. This hardly improves code readability. $SYSTEMTESTTOP is also used for the purpose of referencing scripts/files living in bin/tests/system/, but given that the variable is always set to a short, relative path, we can drop it and replace all of its occurrences with the relative path without adversely affecting code readability.
2020-07-21 06:12:59 -04:00
. ../conf.sh
1890. [func] Add a system test for named-checkconf. [RT #14931]
2005-06-23 02:52:23 -04:00
status=0
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=0
1890. [func] Add a system test for named-checkconf. [RT #14931]
2005-06-23 02:52:23 -04:00
Clean up keys directory in checkconf test The keys directory should be cleaned up in clean.sh. Doing that in the test itself isn't reliable which may lead to failing mkdir which causes the test to fail with set -e.
2023-07-24 12:35:13 -04:00
mkdir -p keys
Add checkconf tests for [#2463] Add two tests to make sure named-checkconf catches key-directory issues where a zone in multiple views uses the same directory but has different dnssec-policies. One test sets the key-directory specifically, the other inherits the default key-directory (NULL, aka the working directory). Also update the good.conf test to allow zones in different views with the same key-directory if they use the same dnssec-policy. Also allow zones in different views with different key-directories if they use different dnssec-policies. Also allow zones in different views with the same key-directories if only one view uses a dnssec-policy (the other is set to "none"). Also allow zones in different views with the same key-directories if no views uses a dnssec-policy (zone in both views has the dnssec-policy set to "none").
2021-05-04 10:30:17 -04:00
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking that named-checkconf handles a known good config ($n)"
1890. [func] Add a system test for named-checkconf. [RT #14931]
2005-06-23 02:52:23 -04:00
ret=0
capture named-checkconf output
2019-06-05 22:50:47 -04:00
$CHECKCONF good.conf >checkconf.out$n 2>&1 || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
1890. [func] Add a system test for named-checkconf. [RT #14931]
2005-06-23 02:52:23 -04:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking that named-checkconf prints a known good config ($n)"
2909. [bug] named-checkzone -p could die if "update-policy local;" was specified in named.conf. [RT #21416]
2010-06-01 21:07:47 -04:00
ret=0
Upgrade uses of hmac-md5 to DEFAULT_HMAC where the test is not hmac-md5 specific
2022-07-05 05:38:31 -04:00
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good.conf >good.conf.raw
[ -s good.conf.raw ] || ret=1
$CHECKCONF -p good.conf.raw >checkconf.out$n || ret=1
grep -v '^good.conf.raw:' <checkconf.out$n >good.conf.out 2>&1 || ret=1
cmp good.conf.raw good.conf.out || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
2909. [bug] named-checkzone -p could die if "update-policy local;" was specified in named.conf. [RT #21416]
2010-06-01 21:07:47 -04:00
status=$((status + ret))
3111. [bug] Improved consistency checks for dnssec-enable and dnssec-validation, added test cases to the checkconf system test. [RT #24398]
2011-05-07 01:55:17 -04:00
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking that named-checkconf -x removes secrets ($n)"
3701. [func] named-checkconf can now suppress the printing of shared secrets by specifying '-x'. [RT #34465]
2014-01-10 00:56:36 -05:00
ret=0
# ensure there is a secret and that it is not the check string.
Upgrade uses of hmac-md5 to DEFAULT_HMAC where the test is not hmac-md5 specific
2022-07-05 05:38:31 -04:00
grep 'secret "' good.conf.raw >/dev/null || ret=1
grep 'secret "????????????????"' good.conf.raw >/dev/null 2>&1 && ret=1
$CHECKCONF -p -x good.conf.raw >checkconf.out$n || ret=1
grep -v '^good.conf.raw:' <checkconf.out$n >good.conf.out 2>&1 || ret=1
3701. [func] named-checkconf can now suppress the printing of shared secrets by specifying '-x'. [RT #34465]
2014-01-10 00:56:36 -05:00
grep 'secret "????????????????"' good.conf.out >/dev/null 2>&1 || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
3701. [func] named-checkconf can now suppress the printing of shared secrets by specifying '-x'. [RT #34465]
2014-01-10 00:56:36 -05:00
status=$((status + ret))
Fix a regression in radix tree implementation introduced by ECS code (#38983)
2015-05-05 03:39:07 -04:00
for bad in bad-*.conf; do
4885. [security] update-policy rules that otherwise ignore the name field now require that it be set to "." to ensure that any type list present is properly interpreted. [RT #47126]
2018-02-06 21:34:02 -05:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking that named-checkconf detects error in $bad ($n)"
4885. [security] update-policy rules that otherwise ignore the name field now require that it be set to "." to ensure that any type list present is properly interpreted. [RT #47126]
2018-02-06 21:34:02 -05:00
ret=0
Make $? compatible with set -e in system tests Ensure handling of return code from previous command doesn't cause the script to halt if that code is non-zero when running with `set -e`.
2023-06-09 04:57:34 -04:00
{
$CHECKCONF $bad >checkconf.out$n 2>&1
rc=$?
} || true
if [ $rc -ne 1 ]; then ret=1; fi
capture named-checkconf output
2019-06-05 22:50:47 -04:00
grep "^$bad:[0-9]*: " <checkconf.out$n >/dev/null || ret=1
4885. [security] update-policy rules that otherwise ignore the name field now require that it be set to "." to ensure that any type list present is properly interpreted. [RT #47126]
2018-02-06 21:34:02 -05:00
case $bad in
bad-update-policy[123].conf)
pat="identity and name fields are not the same"
capture named-checkconf output
2019-06-05 22:50:47 -04:00
grep "$pat" <checkconf.out$n >/dev/null || ret=1
4885. [security] update-policy rules that otherwise ignore the name field now require that it be set to "." to ensure that any type list present is properly interpreted. [RT #47126]
2018-02-06 21:34:02 -05:00
;;
add more missing name in update rule checks
2018-09-09 19:52:36 -04:00
bad-update-policy[4589].conf | bad-update-policy1[01].conf)
4885. [security] update-policy rules that otherwise ignore the name field now require that it be set to "." to ensure that any type list present is properly interpreted. [RT #47126]
2018-02-06 21:34:02 -05:00
pat="name field not set to placeholder value"
capture named-checkconf output
2019-06-05 22:50:47 -04:00
grep "$pat" <checkconf.out$n >/dev/null || ret=1
4885. [security] update-policy rules that otherwise ignore the name field now require that it be set to "." to ensure that any type list present is properly interpreted. [RT #47126]
2018-02-06 21:34:02 -05:00
;;
Add tests for {krb5,ms}-subdomain-self-rhs update policy rules check that updates are accepted and rejected as expected under the following scenarios: * check krb5-subdomain-self-rhs match PTR * check krb5-subdomain-self-rhs no-match PTR * check krb5-subdomain-self-rhs match SRV * check krb5-subdomain-self-rhs no listed types match (SRV & TXT) * check krb5-subdomain-self-rhs no-match RDATA (SRV) * check krb5-subdomain-self-rhs no-match TYPE (TXT) * check krb5-subdomain-self-rhs delete PTR (matching PTR) * check krb5-subdomain-self-rhs delete PTR (matching PTR with non-matching PTR) * check krb5-subdomain-self-rhs delete ANY (matching PTR) * check krb5-subdomain-self-rhs delete ANY (matching PTR with non-matching PTR) * check krb5-subdomain-self-rhs delete SRV (matching SRV) * check krb5-subdomain-self-rhs delete SRV (matching SRV with non-matching SRV) * check krb5-subdomain-self-rhs delete ANY (matching SRV) * check krb5-subdomain-self-rhs delete ANY (matching SRV with non-matching SRV) * check ms-subdomain-self-rhs match (PTR) * check ms-subdomain-self-rhs no-match (PTR) * check ms-subdomain-self-rhs match (SRV) * check ms-subdomain-self-rhs no-match (SRV) * check ms-subdomain-self-rhs delete SRV (matching SRV) * check ms-subdomain-self-rhs delete SRV (matching SRV with non-matching SRV) * check ms-subdomain-self-rhs delete PTR (matching PTR) * check ms-subdomain-self-rhs delete PTR (matching PTR with non-matching PTR) * check ms-subdomain-self-rhs delete ANY (matching PTR) * check ms-subdomain-self-rhs delete ANY (matching PTR with non-matching PTR) * check ms-subdomain-self-rhs delete ANY (matching SRV) * check ms-subdomain-self-rhs delete ANY (matching SRV with non-matching SRV)
2018-09-12 22:39:06 -04:00
bad-update-policy[67].conf | bad-update-policy1[2345789].conf | bad-update-policy20.conf)
check that name field is not a valid type
2018-09-06 05:36:17 -04:00
pat="missing name field type '.*' found"
capture named-checkconf output
2019-06-05 22:50:47 -04:00
grep "$pat" <checkconf.out$n >/dev/null || ret=1
check that name field is not a valid type
2018-09-06 05:36:17 -04:00
;;
4885. [security] update-policy rules that otherwise ignore the name field now require that it be set to "." to ensure that any type list present is properly interpreted. [RT #47126]
2018-02-06 21:34:02 -05:00
esac
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
4885. [security] update-policy rules that otherwise ignore the name field now require that it be set to "." to ensure that any type list present is properly interpreted. [RT #47126]
2018-02-06 21:34:02 -05:00
status=$((status + ret))
3385. [bug] named-checkconf didn't detect missing master lists in also-notify clauses. [RT #30810]
2012-10-01 23:06:02 -04:00
done
1890. [func] Add a system test for named-checkconf. [RT #14931]
2005-06-23 02:52:23 -04:00
Fix a regression in radix tree implementation introduced by ECS code (#38983)
2015-05-05 03:39:07 -04:00
for good in good-*.conf; do
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking that named-checkconf detects no error in $good ($n)"
Fix a regression in radix tree implementation introduced by ECS code (#38983)
2015-05-05 03:39:07 -04:00
ret=0
Make the DNS over HTTPS support optional This commit adds two new autoconf options `--enable-doh` (enabled by default) and `--with-libnghttp2` (mandatory when DoH is enabled). When DoH support is disabled the library is not linked-in and support for http(s) protocol is disabled in the netmgr, named and dig.
2021-04-21 07:52:15 -04:00
if ! $FEATURETEST --with-libnghttp2; then
case $good in
Skip good-dot-*.conf when libnghttp2 is not available
2021-08-24 00:06:48 -04:00
good-doh-*.conf) continue ;;
good-dot-*.conf) continue ;;
Add checkonf tests for the PROXYv2 related options This commit adds necessary PROXYv2 configuration options checks.
2023-11-14 13:33:30 -05:00
good-proxy-*doh*.conf) continue ;;
bad-proxy-*doh*.conf) continue ;;
Make the DNS over HTTPS support optional This commit adds two new autoconf options `--enable-doh` (enabled by default) and `--with-libnghttp2` (mandatory when DoH is enabled). When DoH support is disabled the library is not linked-in and support for http(s) protocol is disabled in the netmgr, named and dig.
2021-04-21 07:52:15 -04:00
esac
Remove no longer needed OpenSSL shims and checks Since the minimal OpenSSL version is now OpenSSL 1.1.1, remove all kind of OpenSSL shims and checks for functions that are now always present in the OpenSSL libraries. Co-authored-by: Ondřej Surý <ondrej@isc.org> Co-authored-by: Aydın Mercan <aydin@isc.org>
2024-07-01 05:05:18 -04:00
else
Add TLS 'cipher-suites' checkconf test This commit adds a set of valid and invalid configuration files samples that use the new 'cipher-suites' option of the 'tls' statement.
2023-12-12 11:37:30 -05:00
case $good in
good-tls-cipher-suites-*.conf) continue ;;
esac
Make the DNS over HTTPS support optional This commit adds two new autoconf options `--enable-doh` (enabled by default) and `--with-libnghttp2` (mandatory when DoH is enabled). When DoH support is disabled the library is not linked-in and support for http(s) protocol is disabled in the netmgr, named and dig.
2021-04-21 07:52:15 -04:00
fi
Make $? compatible with set -e in system tests Ensure handling of return code from previous command doesn't cause the script to halt if that code is non-zero when running with `set -e`.
2023-06-09 04:57:34 -04:00
{
$CHECKCONF $good >checkconf.out$n 2>&1
rc=$?
} || true
if [ $rc -ne 0 ]; then
echo_i "failed"
ret=1
fi
Fix a regression in radix tree implementation introduced by ECS code (#38983)
2015-05-05 03:39:07 -04:00
status=$((status + ret))
done
Special case tests for lmdb When compiling BIND 9 without lmdb, this is promoted from 'not operational' to 'not configured', resulting in a failure (and no longer a warning) if ldmb-related configuration options are set. Special case certain system tests to avoid test failures on systems that do not have lmdb.
2020-12-09 08:14:43 -05:00
for lmdb in lmdb-*.conf; do
n=$((n + 1))
ret=0
Reformat shell scripts with shfmt All changes in this commit were automated using the command: shfmt -w -i 2 -ci -bn . $(find . -name "*.sh.in") By default, only *.sh and files without extension are checked, so *.sh.in files have to be added additionally. (See mvdan/sh#944)
2023-10-24 08:43:14 -04:00
Make $? compatible with set -e in system tests Ensure handling of return code from previous command doesn't cause the script to halt if that code is non-zero when running with `set -e`.
2023-06-09 04:57:34 -04:00
if $FEATURETEST --with-lmdb; then
Special case tests for lmdb When compiling BIND 9 without lmdb, this is promoted from 'not operational' to 'not configured', resulting in a failure (and no longer a warning) if ldmb-related configuration options are set. Special case certain system tests to avoid test failures on systems that do not have lmdb.
2020-12-09 08:14:43 -05:00
echo_i "checking that named-checkconf detects no error in $lmdb ($n)"
Make $? compatible with set -e in system tests Ensure handling of return code from previous command doesn't cause the script to halt if that code is non-zero when running with `set -e`.
2023-06-09 04:57:34 -04:00
{
$CHECKCONF $lmdb >checkconf.out$n 2>&1
rc=$?
} || true
if [ $rc -ne 0 ]; then
echo_i "failed"
ret=1
fi
Special case tests for lmdb When compiling BIND 9 without lmdb, this is promoted from 'not operational' to 'not configured', resulting in a failure (and no longer a warning) if ldmb-related configuration options are set. Special case certain system tests to avoid test failures on systems that do not have lmdb.
2020-12-09 08:14:43 -05:00
else
echo_i "checking that named-checkconf detects error in $lmdb ($n)"
Make $? compatible with set -e in system tests Ensure handling of return code from previous command doesn't cause the script to halt if that code is non-zero when running with `set -e`.
2023-06-09 04:57:34 -04:00
{
$CHECKCONF $lmdb >checkconf.out$n 2>&1
rc=$?
} || true
if [ $rc -eq 0 ]; then
echo_i "failed"
ret=1
Special case tests for lmdb When compiling BIND 9 without lmdb, this is promoted from 'not operational' to 'not configured', resulting in a failure (and no longer a warning) if ldmb-related configuration options are set. Special case certain system tests to avoid test failures on systems that do not have lmdb.
2020-12-09 08:14:43 -05:00
fi
Reformat shell scripts with shfmt All changes in this commit were automated using the command: shfmt -w -i 2 -ci -bn . $(find . -name "*.sh.in") By default, only *.sh and files without extension are checked, so *.sh.in files have to be added additionally. (See mvdan/sh#944)
2023-10-24 08:43:14 -04:00
fi
Special case tests for lmdb When compiling BIND 9 without lmdb, this is promoted from 'not operational' to 'not configured', resulting in a failure (and no longer a warning) if ldmb-related configuration options are set. Special case certain system tests to avoid test failures on systems that do not have lmdb.
2020-12-09 08:14:43 -05:00
status=$((status + ret))
done
Ancient named.conf options are now a fatal configuration error - options that were flagged as obsolete or not implemented in 9.0.0 are now flagged as "ancient", and are a fatal error - the ARM has been updated to remove these, along with other obsolete descriptions of BIND 8 behavior - the log message for obsolete options explicitly recommends removal
2019-01-21 02:50:17 -05:00
n=$((n + 1))
echo_i "checking that ancient options report a fatal error ($n)"
ret=0
$CHECKCONF ancient.conf >ancient.out 2>&1 && ret=1
grep "no longer exists" ancient.out >/dev/null || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
Ancient named.conf options are now a fatal configuration error - options that were flagged as obsolete or not implemented in 9.0.0 are now flagged as "ancient", and are a fatal error - the ARM has been updated to remove these, along with other obsolete descriptions of BIND 8 behavior - the log message for obsolete options explicitly recommends removal
2019-01-21 02:50:17 -05:00
status=$((status + ret))
Remove "port" from source address options Remove the use of "port" when configuring query-source(-v6), transfer-source(-v6), notify-source(-v6), parental-source(-v6), etc. Remove the use of source ports for parental-agents. Also remove the deprecated options use-{v4,v6}-udp-ports and avoid-{v4,v6}udp-ports.
2024-09-04 11:48:04 -04:00
for ancient_conf in ancient-*.conf; do
ancient_opt="${ancient_conf#ancient-}"
ancient_opt="${ancient_opt%.conf}"
n=$((n + 1))
echo_i "checking that ancient \"${ancient_opt}\" option report a fatal error ($n)"
ret=0
$CHECKCONF ${ancient_conf} >"${ancient_conf}.out" 2>&1 && ret=1
grep "no longer exists" "${ancient_conf}.out" >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
done
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking that named-checkconf -z catches missing hint file ($n)"
[master] check hint files in named-checkconf -z 3676. [bug] "named-checkconf -z" now checks zones of type hint and redirect as well as master. [RT #35046]
2013-11-25 15:26:53 -05:00
ret=0
4031. [bug] named-checkconf -z failed to report a missing file with a hint zone. [RT #38294]
2015-01-08 03:19:12 -05:00
$CHECKCONF -z hint-nofile.conf >hint-nofile.out 2>&1 && ret=1
grep "could not configure root hints from 'nonexistent.db': file not found" hint-nofile.out >/dev/null || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
[master] check hint files in named-checkconf -z 3676. [bug] "named-checkconf -z" now checks zones of type hint and redirect as well as master. [RT #35046]
2013-11-25 15:26:53 -05:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking that named-checkconf catches range errors ($n)"
[master] add DSCP support 3535. [func] Add support for setting Differentiated Services Code Point (DSCP) values in named. Most configuration options which take a "port" option (e.g., listen-on, forwarders, also-notify, masters, notify-source, etc) can now also take a "dscp" option specifying a code point for use with outgoing traffic, if supported by the underlying OS. [RT #27596]
2013-03-22 15:27:54 -04:00
ret=0
capture named-checkconf output
2019-06-05 22:50:47 -04:00
$CHECKCONF range.conf >checkconf.out$n 2>&1 && ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
[master] add DSCP support 3535. [func] Add support for setting Differentiated Services Code Point (DSCP) values in named. Most configuration options which take a "port" option (e.g., listen-on, forwarders, also-notify, masters, notify-source, etc) can now also take a "dscp" option specifying a code point for use with outgoing traffic, if supported by the underlying OS. [RT #27596]
2013-03-22 15:27:54 -04:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking that named-checkconf warns of notify inconsistencies ($n)"
[master] skip unnecesary also-notify data 3713. [bug] Save memory by not storing "also-notify" addresses in zone objects that are configured not to send notify requests. [RT #35195]
2014-01-20 18:53:51 -05:00
ret=0
capture named-checkconf output
2019-06-05 22:50:47 -04:00
$CHECKCONF notify.conf >checkconf.out$n 2>&1
warnings=$(grep "'notify' is disabled" <checkconf.out$n | wc -l)
[master] skip unnecesary also-notify data 3713. [bug] Save memory by not storing "also-notify" addresses in zone objects that are configured not to send notify requests. [RT #35195]
2014-01-20 18:53:51 -05:00
[ $warnings -eq 3 ] || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
[master] skip unnecesary also-notify data 3713. [bug] Save memory by not storing "also-notify" addresses in zone objects that are configured not to send notify requests. [RT #35195]
2014-01-20 18:53:51 -05:00
status=$((status + ret))
named-checkconf -i: ignore deprecate warnings Adds a new option to named-checkconf, -i. If set, named-checkconf will not warn you about deprecated options. This allows people to use named-checkconf in automated deployment precoesses where an operator only cares if their conf is valid, even if it is not optimal. This was added as a request as part of introducing a policy on removing named.conf options.
2019-06-25 03:41:51 -04:00
n=$((n + 1))
echo_i "checking named-checkconf deprecate warnings ($n)"
ret=0
remove the "dialup" and "heartbeat-interval" options mark "dialup" and "heartbeat-interval" options as ancient and remove the documentation and the code implementing them.
2023-07-03 19:22:04 -04:00
$CHECKCONF deprecated.conf >checkconf.out$n.1 2>&1 || ret=1
mark max-zone-ttl deprecated in options and zone The "max-zone-ttl" option should now be configured as part of "dnssec-policy". The option with the same name in "zone" and "options" is hereby flagged as deprecated, and its functionality will be removed in a future release.
2022-07-11 16:38:51 -04:00
grep "option 'max-zone-ttl' is deprecated" <checkconf.out$n.1 >/dev/null || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
named-checkconf -i: ignore deprecate warnings Adds a new option to named-checkconf, -i. If set, named-checkconf will not warn you about deprecated options. This allows people to use named-checkconf in automated deployment precoesses where an operator only cares if their conf is valid, even if it is not optimal. This was added as a request as part of introducing a policy on removing named.conf options.
2019-06-25 03:41:51 -04:00
status=$((status + ret))
# set -i to ignore deprecate warnings
Deprecate fixed value for the rrset-order option Mark the "fixed" value for the "rrset-order" option deprecated, so we can remove it in the future.
2024-03-01 03:34:32 -05:00
$CHECKCONF -i deprecated.conf 2>&1 | grep_v "rrset-order: order 'fixed' was disabled at compilation time" >checkconf.out$n.2
grep '^.+$' <checkconf.out$n.2 >/dev/null && ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
named-checkconf -i: ignore deprecate warnings Adds a new option to named-checkconf, -i. If set, named-checkconf will not warn you about deprecated options. This allows people to use named-checkconf in automated deployment precoesses where an operator only cares if their conf is valid, even if it is not optimal. This was added as a request as part of introducing a policy on removing named.conf options.
2019-06-25 03:41:51 -04:00
status=$((status + ret))
Warn if 'stale-refresh-time' < 30 (default) RFC 8767 recommends that attempts to refresh to be done no more frequently than every 30 seconds. Added check into named-checkconf, which will warn if values below the default are found in configuration. BIND will also log the warning during loading of configuration in the same fashion.
2020-11-05 11:07:47 -05:00
n=$((n + 1))
echo_i "checking named-checkconf servestale warnings ($n)"
ret=0
$CHECKCONF servestale.stale-refresh-time.0.conf >checkconf.out$n.1 2>&1
grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" <checkconf.out$n.1 >/dev/null && ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
Warn if 'stale-refresh-time' < 30 (default) RFC 8767 recommends that attempts to refresh to be done no more frequently than every 30 seconds. Added check into named-checkconf, which will warn if values below the default are found in configuration. BIND will also log the warning during loading of configuration in the same fashion.
2020-11-05 11:07:47 -05:00
status=$((status + ret))
ret=0
$CHECKCONF servestale.stale-refresh-time.29.conf >checkconf.out$n.1 2>&1
grep "'stale-refresh-time' should either be 0 or otherwise 30 seconds or higher" <checkconf.out$n.1 >/dev/null || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
Warn if 'stale-refresh-time' < 30 (default) RFC 8767 recommends that attempts to refresh to be done no more frequently than every 30 seconds. Added check into named-checkconf, which will warn if values below the default are found in configuration. BIND will also log the warning during loading of configuration in the same fashion.
2020-11-05 11:07:47 -05:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "range checking fields that do not allow zero ($n)"
properly range-check fields that do not allow 0 3362. [bug] Setting some option values to 0 in named.conf could trigger an assertion failure on startup. [RT #27730]
2012-08-14 01:39:42 -04:00
ret=0
for field in max-retry-time min-retry-time max-refresh-time min-refresh-time; do
cat >badzero.conf <<EOF
options {
$field 0;
};
EOF
Make $? compatible with set -e in system tests Ensure handling of return code from previous command doesn't cause the script to halt if that code is non-zero when running with `set -e`.
2023-06-09 04:57:34 -04:00
{
$CHECKCONF badzero.conf >checkconf.out$n.1 2>&1
rc=$?
} || true
[ $rc -eq 1 ] || {
echo_i "options $field failed"
ret=1
}
properly range-check fields that do not allow 0 3362. [bug] Setting some option values to 0 in named.conf could trigger an assertion failure on startup. [RT #27730]
2012-08-14 01:39:42 -04:00
cat >badzero.conf <<EOF
view dummy {
$field 0;
};
EOF
Make $? compatible with set -e in system tests Ensure handling of return code from previous command doesn't cause the script to halt if that code is non-zero when running with `set -e`.
2023-06-09 04:57:34 -04:00
{
$CHECKCONF badzero.conf >checkconf.out$n.2 2>&1
rc=$?
} || true
[ $rc -eq 1 ] || {
echo_i "view $field failed"
ret=1
}
properly range-check fields that do not allow 0 3362. [bug] Setting some option values to 0 in named.conf could trigger an assertion failure on startup. [RT #27730]
2012-08-14 01:39:42 -04:00
cat >badzero.conf <<EOF
we didn't catch a zero option at the global level when views are active
2012-08-15 23:53:47 -04:00
options {
$field 0;
};
view dummy {
};
EOF
Make $? compatible with set -e in system tests Ensure handling of return code from previous command doesn't cause the script to halt if that code is non-zero when running with `set -e`.
2023-06-09 04:57:34 -04:00
{
$CHECKCONF badzero.conf >checkconf.out$n.3 2>&1
rc=$?
} || true
[ $rc -eq 1 ] || {
echo_i "options + view $field failed"
ret=1
}
we didn't catch a zero option at the global level when views are active
2012-08-15 23:53:47 -04:00
cat >badzero.conf <<EOF
properly range-check fields that do not allow 0 3362. [bug] Setting some option values to 0 in named.conf could trigger an assertion failure on startup. [RT #27730]
2012-08-14 01:39:42 -04:00
zone dummy {
further tidying of primary/secondary terminology in system tests this changes most visble uses of master/slave terminology in tests.sh and most uses of 'type master' or 'type slave' in named.conf files. files in the checkconf test were not updated in order to confirm that the old syntax still works. rpzrecurse was also left mostly unchanged to avoid interference with DNSRPS.
2020-06-30 16:10:59 -04:00
type secondary;
primaries { 0.0.0.0; };
properly range-check fields that do not allow 0 3362. [bug] Setting some option values to 0 in named.conf could trigger an assertion failure on startup. [RT #27730]
2012-08-14 01:39:42 -04:00
$field 0;
};
EOF
Make $? compatible with set -e in system tests Ensure handling of return code from previous command doesn't cause the script to halt if that code is non-zero when running with `set -e`.
2023-06-09 04:57:34 -04:00
{
$CHECKCONF badzero.conf >checkconf.out$n.4 2>&1
rc=$?
} || true
[ $rc -eq 1 ] || {
echo_i "zone $field failed"
ret=1
}
properly range-check fields that do not allow 0 3362. [bug] Setting some option values to 0 in named.conf could trigger an assertion failure on startup. [RT #27730]
2012-08-14 01:39:42 -04:00
done
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
properly range-check fields that do not allow 0 3362. [bug] Setting some option values to 0 in named.conf could trigger an assertion failure on startup. [RT #27730]
2012-08-14 01:39:42 -04:00
status=$((status + ret))
add missing test number increment
2017-10-29 17:50:00 -04:00
n=$((n + 1))
further tidying of primary/secondary terminology in system tests this changes most visble uses of master/slave terminology in tests.sh and most uses of 'type master' or 'type slave' in named.conf files. files in the checkconf test were not updated in order to confirm that the old syntax still works. rpzrecurse was also left mostly unchanged to avoid interference with DNSRPS.
2020-06-30 16:10:59 -04:00
echo_i "checking options allowed in inline-signing secondaries ($n)"
[master] allow dnssec options in inline-signing slaves 3408. [bug] Some DNSSEC-related options (update-check-ksk, dnssec-loadkeys-interval, dnssec-dnskey-kskonly) are now legal in slave zones as long as inline-signing is in use. [RT #31078]
2012-10-26 19:14:59 -04:00
ret=0
Handle non-zero return codes in checkconf test
2023-06-22 11:34:44 -04:00
$CHECKCONF bad-dnssec.conf >checkconf.out$n.2 2>&1 && ret=1
capture named-checkconf output
2019-06-05 22:50:47 -04:00
l=$(grep "dnssec-loadkeys-interval.*requires inline" <checkconf.out$n.2 | wc -l)
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
[ $l -eq 1 ] || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
3582. [bug] Silence false positive warning regarding missing file directive for inline slave zones. [RT #33662]
2013-06-03 21:34:03 -04:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
further tidying of primary/secondary terminology in system tests this changes most visble uses of master/slave terminology in tests.sh and most uses of 'type master' or 'type slave' in named.conf files. files in the checkconf test were not updated in order to confirm that the old syntax still works. rpzrecurse was also left mostly unchanged to avoid interference with DNSRPS.
2020-06-30 16:10:59 -04:00
echo_i "check file + inline-signing for secondary zones ($n)"
Handle non-zero return codes in checkconf test
2023-06-22 11:34:44 -04:00
$CHECKCONF inline-no.conf >checkconf.out$n.1 2>&1 && ret=1
capture named-checkconf output
2019-06-05 22:50:47 -04:00
l=$(grep "missing 'file' entry" <checkconf.out$n.1 | wc -l)
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
[ $l -eq 0 ] || ret=1
Handle non-zero return codes in checkconf test
2023-06-22 11:34:44 -04:00
$CHECKCONF inline-good.conf >checkconf.out$n.2 2>&1 || ret=1
capture named-checkconf output
2019-06-05 22:50:47 -04:00
l=$(grep "missing 'file' entry" <checkconf.out$n.2 | wc -l)
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
[ $l -eq 0 ] || ret=1
Handle non-zero return codes in checkconf test
2023-06-22 11:34:44 -04:00
$CHECKCONF inline-bad.conf >checkconf.out$n.3 2>&1 && ret=1
capture named-checkconf output
2019-06-05 22:50:47 -04:00
l=$(grep "missing 'file' entry" <checkconf.out$n.3 | wc -l)
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
[ $l -eq 1 ] || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
3582. [bug] Silence false positive warning regarding missing file directive for inline slave zones. [RT #33662]
2013-06-03 21:34:03 -04:00
status=$((status + ret))
[master] multiple-dlz/dlz-nxdomain 3432. [func] Multiple DLZ databases can now be configured. DLZ databases are searched in the order configured, unless set to "search no", in which case a zone can be configured to be retrieved from a particular DLZ database by using a "dlz <name>" option in the zone statement. DLZ databases can support type "master" and "redirect" zones. [RT #27597]
2012-12-06 15:39:52 -05:00
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking named-checkconf DLZ warnings ($n)"
[master] multiple-dlz/dlz-nxdomain 3432. [func] Multiple DLZ databases can now be configured. DLZ databases are searched in the order configured, unless set to "search no", in which case a zone can be configured to be retrieved from a particular DLZ database by using a "dlz <name>" option in the zone statement. DLZ databases can support type "master" and "redirect" zones. [RT #27597]
2012-12-06 15:39:52 -05:00
ret=0
Handle non-zero return codes in checkconf test
2023-06-22 11:34:44 -04:00
$CHECKCONF dlz-bad.conf >checkconf.out$n 2>&1 && ret=1
capture named-checkconf output
2019-06-05 22:50:47 -04:00
grep "'dlz' and 'database'" <checkconf.out$n >/dev/null || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
[master] allow dnssec options in inline-signing slaves 3408. [bug] Some DNSSEC-related options (update-check-ksk, dnssec-loadkeys-interval, dnssec-dnskey-kskonly) are now legal in slave zones as long as inline-signing is in use. [RT #31078]
2012-10-26 19:14:59 -04:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking for missing key directory warning ($n)"
[master] warn if key-directory doesn't exist 3694. [bug] Warn when a key-directory is configured for a zone, but does not exist or is not a directory. [RT #35109]
2013-12-20 17:57:03 -05:00
ret=0
rm -rf test.keydir
Check if key-store directory exists Similar to key-directory, check if the key-store directory exists and if it is an actual directory. This commit fixes an accidental test bug in checkconf where if the "warn key-dir" test failed, the result was ignored.
2022-02-09 06:19:06 -05:00
rm -rf test.keystoredir
capture named-checkconf output
2019-06-05 22:50:47 -04:00
$CHECKCONF warn-keydir.conf >checkconf.out$n.1 2>&1
l=$(grep "'test.keydir' does not exist" <checkconf.out$n.1 | wc -l)
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
[ $l -eq 1 ] || ret=1
Check if key-store directory exists Similar to key-directory, check if the key-store directory exists and if it is an actual directory. This commit fixes an accidental test bug in checkconf where if the "warn key-dir" test failed, the result was ignored.
2022-02-09 06:19:06 -05:00
l=$(grep "'test.keystoredir' does not exist" <checkconf.out$n.1 | wc -l)
[ $l -eq 1 ] || ret=1
[master] warn if key-directory doesn't exist 3694. [bug] Warn when a key-directory is configured for a zone, but does not exist or is not a directory. [RT #35109]
2013-12-20 17:57:03 -05:00
touch test.keydir
Check if key-store directory exists Similar to key-directory, check if the key-store directory exists and if it is an actual directory. This commit fixes an accidental test bug in checkconf where if the "warn key-dir" test failed, the result was ignored.
2022-02-09 06:19:06 -05:00
touch test.keystoredir
capture named-checkconf output
2019-06-05 22:50:47 -04:00
$CHECKCONF warn-keydir.conf >checkconf.out$n.2 2>&1
l=$(grep "'test.keydir' is not a directory" <checkconf.out$n.2 | wc -l)
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
[ $l -eq 1 ] || ret=1
Check if key-store directory exists Similar to key-directory, check if the key-store directory exists and if it is an actual directory. This commit fixes an accidental test bug in checkconf where if the "warn key-dir" test failed, the result was ignored.
2022-02-09 06:19:06 -05:00
l=$(grep "'test.keystoredir' is not a directory" <checkconf.out$n.2 | wc -l)
[ $l -eq 1 ] || ret=1
[master] warn if key-directory doesn't exist 3694. [bug] Warn when a key-directory is configured for a zone, but does not exist or is not a directory. [RT #35109]
2013-12-20 17:57:03 -05:00
rm -f test.keydir
Check if key-store directory exists Similar to key-directory, check if the key-store directory exists and if it is an actual directory. This commit fixes an accidental test bug in checkconf where if the "warn key-dir" test failed, the result was ignored.
2022-02-09 06:19:06 -05:00
rm -f test.keystoredir
[master] warn if key-directory doesn't exist 3694. [bug] Warn when a key-directory is configured for a zone, but does not exist or is not a directory. [RT #35109]
2013-12-20 17:57:03 -05:00
mkdir test.keydir
Check if key-store directory exists Similar to key-directory, check if the key-store directory exists and if it is an actual directory. This commit fixes an accidental test bug in checkconf where if the "warn key-dir" test failed, the result was ignored.
2022-02-09 06:19:06 -05:00
mkdir test.keystoredir
capture named-checkconf output
2019-06-05 22:50:47 -04:00
$CHECKCONF warn-keydir.conf >checkconf.out$n.3 2>&1
l=$(grep "key-directory" <checkconf.out$n.3 | wc -l)
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
[ $l -eq 0 ] || ret=1
Check if key-store directory exists Similar to key-directory, check if the key-store directory exists and if it is an actual directory. This commit fixes an accidental test bug in checkconf where if the "warn key-dir" test failed, the result was ignored.
2022-02-09 06:19:06 -05:00
l=$(grep "key-store directory" <checkconf.out$n.3 | wc -l)
[ $l -eq 0 ] || ret=1
[master] warn if key-directory doesn't exist 3694. [bug] Warn when a key-directory is configured for a zone, but does not exist or is not a directory. [RT #35109]
2013-12-20 17:57:03 -05:00
rm -rf test.keydir
Check if key-store directory exists Similar to key-directory, check if the key-store directory exists and if it is an actual directory. This commit fixes an accidental test bug in checkconf where if the "warn key-dir" test failed, the result was ignored.
2022-02-09 06:19:06 -05:00
rm -rf test.keystoredir
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
Check if key-store directory exists Similar to key-directory, check if the key-store directory exists and if it is an actual directory. This commit fixes an accidental test bug in checkconf where if the "warn key-dir" test failed, the result was ignored.
2022-02-09 06:19:06 -05:00
status=$((status + ret))
[master] max-zone-ttl 3746. [func] New "max-zone-ttl" option enforces maximum TTLs for zones. If loading a zone containing a higher TTL, the load fails. DDNS updates with higher TTLs are accepted but the TTL is truncated. (Note: Currently supported for master zones only; inline-signing slaves will be added.) [RT #38405]
2014-02-19 02:26:50 -05:00
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking that named-checkconf -z catches conflicting ttl with max-ttl ($n)"
[master] max-zone-ttl 3746. [func] New "max-zone-ttl" option enforces maximum TTLs for zones. If loading a zone containing a higher TTL, the load fails. DDNS updates with higher TTLs are accepted but the TTL is truncated. (Note: Currently supported for master zones only; inline-signing slaves will be added.) [RT #38405]
2014-02-19 02:26:50 -05:00
ret=0
Handle non-zero return codes in checkconf test
2023-06-22 11:34:44 -04:00
$CHECKCONF -z max-ttl.conf >check.out 2>&1 && ret=1
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1
[master] max-zone-ttl 3746. [func] New "max-zone-ttl" option enforces maximum TTLs for zones. If loading a zone containing a higher TTL, the load fails. DDNS updates with higher TTLs are accepted but the TTL is truncated. (Note: Currently supported for master zones only; inline-signing slaves will be added.) [RT #38405]
2014-02-19 02:26:50 -05:00
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1
grep 'TTL 900 exceeds configured max-zone-ttl 600' check.out >/dev/null 2>&1 || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
[master] max-zone-ttl 3746. [func] New "max-zone-ttl" option enforces maximum TTLs for zones. If loading a zone containing a higher TTL, the load fails. DDNS updates with higher TTLs are accepted but the TTL is truncated. (Note: Currently supported for master zones only; inline-signing slaves will be added.) [RT #38405]
2014-02-19 02:26:50 -05:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking that named-checkconf -z catches invalid max-ttl ($n)"
[master] max-zone-ttl 3746. [func] New "max-zone-ttl" option enforces maximum TTLs for zones. If loading a zone containing a higher TTL, the load fails. DDNS updates with higher TTLs are accepted but the TTL is truncated. (Note: Currently supported for master zones only; inline-signing slaves will be added.) [RT #38405]
2014-02-19 02:26:50 -05:00
ret=0
capture named-checkconf output
2019-06-05 22:50:47 -04:00
$CHECKCONF -z max-ttl-bad.conf >checkconf.out$n 2>&1 && ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
[master] warn if key-directory doesn't exist 3694. [bug] Warn when a key-directory is configured for a zone, but does not exist or is not a directory. [RT #35109]
2013-12-20 17:57:03 -05:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking that named-checkconf -z skips zone check with alternate databases ($n)"
[master] allow null "file" for DLZ or alternate db zones 3803. [bug] "named-checkconf -z" incorrectly rejected zones using alternate data sources for not having a "file" option. [RT #35685]
2014-04-07 16:29:56 -04:00
ret=0
capture named-checkconf output
2019-06-05 22:50:47 -04:00
$CHECKCONF -z altdb.conf >checkconf.out$n 2>&1 || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
[master] allow null "file" for DLZ or alternate db zones 3803. [bug] "named-checkconf -z" incorrectly rejected zones using alternate data sources for not having a "file" option. [RT #35685]
2014-04-07 16:29:56 -04:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking that named-checkconf -z skips zone check with DLZ ($n)"
[master] allow null "file" for DLZ or alternate db zones 3803. [bug] "named-checkconf -z" incorrectly rejected zones using alternate data sources for not having a "file" option. [RT #35685]
2014-04-07 16:29:56 -04:00
ret=0
capture named-checkconf output
2019-06-05 22:50:47 -04:00
$CHECKCONF -z altdlz.conf >checkconf.out$n 2>&1 || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
[master] allow null "file" for DLZ or alternate db zones 3803. [bug] "named-checkconf -z" incorrectly rejected zones using alternate data sources for not having a "file" option. [RT #35685]
2014-04-07 16:29:56 -04:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking that named-checkconf -z fails on view with ANY class ($n)"
Check that configured view class isn't a meta class (#41572)
2016-02-08 03:26:19 -05:00
ret=0
capture named-checkconf output
2019-06-05 22:50:47 -04:00
$CHECKCONF -z view-class-any1.conf >checkconf.out$n 2>&1 && ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
Check that configured view class isn't a meta class (#41572)
2016-02-08 03:26:19 -05:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking that named-checkconf -z fails on view with CLASS255 class ($n)"
Check that configured view class isn't a meta class (#41572)
2016-02-08 03:26:19 -05:00
ret=0
capture named-checkconf output
2019-06-05 22:50:47 -04:00
$CHECKCONF -z view-class-any2.conf >checkconf.out$n 2>&1 && ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
Check that configured view class isn't a meta class (#41572)
2016-02-08 03:26:19 -05:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking that named-checkconf -z passes on view with IN class ($n)"
Check that configured view class isn't a meta class (#41572)
2016-02-08 03:26:19 -05:00
ret=0
capture named-checkconf output
2019-06-05 22:50:47 -04:00
$CHECKCONF -z view-class-in1.conf >checkconf.out$n 2>&1 || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
Check that configured view class isn't a meta class (#41572)
2016-02-08 03:26:19 -05:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "checking that named-checkconf -z passes on view with CLASS1 class ($n)"
Check that configured view class isn't a meta class (#41572)
2016-02-08 03:26:19 -05:00
ret=0
capture named-checkconf output
2019-06-05 22:50:47 -04:00
$CHECKCONF -z view-class-in2.conf >checkconf.out$n 2>&1 || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
Check that configured view class isn't a meta class (#41572)
2016-02-08 03:26:19 -05:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "check that check-names fails as configured ($n)"
[master] fixes to checkconf test, HIP casecompare 3933. [bug] Corrected the implementation of dns_rdata_casecompare() for the HIP rdata type. [RT #36911] 3932. [test] Improved named-checkconf tests. [RT #36911]
2014-08-28 00:36:13 -04:00
ret=0
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
$CHECKCONF -z check-names-fail.conf >checkconf.out$n 2>&1 && ret=1
capture named-checkconf output
2019-06-05 22:50:47 -04:00
grep "near '_underscore': bad name (check-names)" <checkconf.out$n >/dev/null || ret=1
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
grep "zone check-names/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
[master] fixes to checkconf test, HIP casecompare 3933. [bug] Corrected the implementation of dns_rdata_casecompare() for the HIP rdata type. [RT #36911] 3932. [test] Improved named-checkconf tests. [RT #36911]
2014-08-28 00:36:13 -04:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "check that check-mx fails as configured ($n)"
[master] fixes to checkconf test, HIP casecompare 3933. [bug] Corrected the implementation of dns_rdata_casecompare() for the HIP rdata type. [RT #36911] 3932. [test] Improved named-checkconf tests. [RT #36911]
2014-08-28 00:36:13 -04:00
ret=0
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
$CHECKCONF -z check-mx-fail.conf >checkconf.out$n 2>&1 && ret=1
capture named-checkconf output
2019-06-05 22:50:47 -04:00
grep "near '10.0.0.1': MX is an address" <checkconf.out$n >/dev/null || ret=1
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
grep "zone check-mx/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
[master] fixes to checkconf test, HIP casecompare 3933. [bug] Corrected the implementation of dns_rdata_casecompare() for the HIP rdata type. [RT #36911] 3932. [test] Improved named-checkconf tests. [RT #36911]
2014-08-28 00:36:13 -04:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "check that check-dup-records fails as configured ($n)"
[master] fixes to checkconf test, HIP casecompare 3933. [bug] Corrected the implementation of dns_rdata_casecompare() for the HIP rdata type. [RT #36911] 3932. [test] Improved named-checkconf tests. [RT #36911]
2014-08-28 00:36:13 -04:00
ret=0
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
$CHECKCONF -z check-dup-records-fail.conf >checkconf.out$n 2>&1 && ret=1
capture named-checkconf output
2019-06-05 22:50:47 -04:00
grep "has semantically identical records" <checkconf.out$n >/dev/null || ret=1
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
grep "zone check-dup-records/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
[master] fixes to checkconf test, HIP casecompare 3933. [bug] Corrected the implementation of dns_rdata_casecompare() for the HIP rdata type. [RT #36911] 3932. [test] Improved named-checkconf tests. [RT #36911]
2014-08-28 00:36:13 -04:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "check that check-mx fails as configured ($n)"
[master] fixes to checkconf test, HIP casecompare 3933. [bug] Corrected the implementation of dns_rdata_casecompare() for the HIP rdata type. [RT #36911] 3932. [test] Improved named-checkconf tests. [RT #36911]
2014-08-28 00:36:13 -04:00
ret=0
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
$CHECKCONF -z check-mx-fail.conf >checkconf.out$n 2>&1 && ret=1
capture named-checkconf output
2019-06-05 22:50:47 -04:00
grep "failed: MX is an address" <checkconf.out$n >/dev/null || ret=1
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
grep "zone check-mx/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
[master] fixes to checkconf test, HIP casecompare 3933. [bug] Corrected the implementation of dns_rdata_casecompare() for the HIP rdata type. [RT #36911] 3932. [test] Improved named-checkconf tests. [RT #36911]
2014-08-28 00:36:13 -04:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "check that check-mx-cname fails as configured ($n)"
[master] fixes to checkconf test, HIP casecompare 3933. [bug] Corrected the implementation of dns_rdata_casecompare() for the HIP rdata type. [RT #36911] 3932. [test] Improved named-checkconf tests. [RT #36911]
2014-08-28 00:36:13 -04:00
ret=0
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
$CHECKCONF -z check-mx-cname-fail.conf >checkconf.out$n 2>&1 && ret=1
capture named-checkconf output
2019-06-05 22:50:47 -04:00
grep "MX.* is a CNAME (illegal)" <checkconf.out$n >/dev/null || ret=1
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
grep "zone check-mx-cname/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
[master] fixes to checkconf test, HIP casecompare 3933. [bug] Corrected the implementation of dns_rdata_casecompare() for the HIP rdata type. [RT #36911] 3932. [test] Improved named-checkconf tests. [RT #36911]
2014-08-28 00:36:13 -04:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "check that check-srv-cname fails as configured ($n)"
[master] fixes to checkconf test, HIP casecompare 3933. [bug] Corrected the implementation of dns_rdata_casecompare() for the HIP rdata type. [RT #36911] 3932. [test] Improved named-checkconf tests. [RT #36911]
2014-08-28 00:36:13 -04:00
ret=0
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
$CHECKCONF -z check-srv-cname-fail.conf >checkconf.out$n 2>&1 && ret=1
capture named-checkconf output
2019-06-05 22:50:47 -04:00
grep "SRV.* is a CNAME (illegal)" <checkconf.out$n >/dev/null || ret=1
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
grep "zone check-mx-cname/IN: loaded serial" <checkconf.out$n >/dev/null && ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
[master] fixes to checkconf test, HIP casecompare 3933. [bug] Corrected the implementation of dns_rdata_casecompare() for the HIP rdata type. [RT #36911] 3932. [test] Improved named-checkconf tests. [RT #36911]
2014-08-28 00:36:13 -04:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "check that named-checkconf -z handles in-view ($n)"
4197. [bug] 'named-checkconf -z' didn't handle 'in-view' clauses. [RT #40603]
2015-09-09 03:56:23 -04:00
ret=0
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
$CHECKCONF -z in-view-good.conf >checkconf.out$n 2>&1 || ret=1
grep "zone shared.example/IN: loaded serial" <checkconf.out$n >/dev/null || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
4197. [bug] 'named-checkconf -z' didn't handle 'in-view' clauses. [RT #40603]
2015-09-09 03:56:23 -04:00
status=$((status + ret))
named-checkconf -z could exit with an incorrect staatus the CHECK() macro resets result, so an error code from an earlier view could be erased if the last view loaded had no errors.
2020-04-30 16:17:37 -04:00
n=$((n + 1))
echo_i "check that named-checkconf -z returns error when a later view is okay ($n)"
ret=0
$CHECKCONF -z check-missing-zone.conf >checkconf.out$n 2>&1 && ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
named-checkconf -z could exit with an incorrect staatus the CHECK() macro resets result, so an error code from an earlier view could be erased if the last view loaded had no errors.
2020-04-30 16:17:37 -04:00
status=$((status + ret))
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "check that named-checkconf prints max-cache-size <percentage> correctly ($n)"
4223. [func] Add support for setting max-cache-size to percentage of available physical memory, set default to 90%. [RT #38442]
2015-09-28 05:08:50 -04:00
ret=0
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
$CHECKCONF -p max-cache-size-good.conf >checkconf.out$n 2>&1 || ret=1
capture named-checkconf output
2019-06-05 22:50:47 -04:00
grep "max-cache-size 60%;" <checkconf.out$n >/dev/null || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
status=$((status + ret))
n=$((n + 1))
initialize sockaddrdscp to prevent spurious output from 'named-checkconf -p'
2020-05-05 15:48:31 -04:00
echo_i "check that named-checkconf -l prints out the zone list ($n)"
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
ret=0
$CHECKCONF -l good.conf \
mark "port" as deprecated for source address options Deprecate the use of "port" when configuring query-source(-v6), transfer-source(-v6), notify-source(-v6), parental-source(-v6), etc. Also deprecate use-{v4,v6}-udp-ports and avoid-{v4,v6}udp-ports.
2023-01-06 20:01:06 -05:00
| grep -v "is deprecated" \
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
| grep -v "is not implemented" \
check port in *-source and *-source-v6 options in named.conf - when transfer-source(-v6), query-source(-v6), notify-source(-v6) or parental-source(-v6) are specified with a port number, issue a warning. - when the port specified is the same as the DNS listener port (i.e., 53, or whatever was specified as "port" in "options"), issue a fatal error. - check that "port" is in range. (previously this was only checked by named, not by named-checkconf.) - added checkconf tests. - incidental fix: removed dead code in check.c:bind9_check_namedconf(). (note: if the DNS port is specified on the command line with "named -p", that is not conveyed to libbind9, so these checks will not take it into account.)
2021-09-13 20:55:34 -04:00
| grep -v "is not recommended" \
Ancient named.conf options are now a fatal configuration error - options that were flagged as obsolete or not implemented in 9.0.0 are now flagged as "ancient", and are a fatal error - the ARM has been updated to remove these, along with other obsolete descriptions of BIND 8 behavior - the log message for obsolete options explicitly recommends removal
2019-01-21 02:50:17 -05:00
| grep -v "no longer exists" \
4506. [func] 'named-checkconf -l' will now list the zones found in named.conf. [RT #43154]
2016-11-02 02:47:51 -04:00
| grep -v "is obsolete" >checkconf.out$n || ret=1
capture named-checkconf output
2019-06-05 22:50:47 -04:00
diff good.zonelist checkconf.out$n >diff.out$n || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
4223. [func] Add support for setting max-cache-size to percentage of available physical memory, set default to 90%. [RT #38442]
2015-09-28 05:08:50 -04:00
status=$((status + ret))
4889. [func] Warn about the use of old root keys without the new root key being present. Warn about dlv.isc.org's key being present. Warn about both managed and trusted root keys being present. [RT #43670]
2018-02-08 20:04:45 -05:00
n=$((n + 1))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "check that the 2010 ICANN ROOT KSK without the 2017 ICANN ROOT KSK generates a warning ($n)"
4889. [func] Warn about the use of old root keys without the new root key being present. Warn about dlv.isc.org's key being present. Warn about both managed and trusted root keys being present. [RT #43670]
2018-02-08 20:04:45 -05:00
ret=0
$CHECKCONF check-root-ksk-2010.conf >checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] || ret=1
capture named-checkconf output
2019-06-05 22:50:47 -04:00
grep "key without the updated" <checkconf.out$n >/dev/null || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
4889. [func] Warn about the use of old root keys without the new root key being present. Warn about dlv.isc.org's key being present. Warn about both managed and trusted root keys being present. [RT #43670]
2018-02-08 20:04:45 -05:00
status=$((status + ret))
reject the use of trusted-keys and managed-keys for the same name
2019-02-07 18:10:41 -05:00
n=$((n + 1))
echo_i "check that the 2010 ICANN ROOT KSK with the 2017 ICANN ROOT KSK does not generate a warning ($n)"
4889. [func] Warn about the use of old root keys without the new root key being present. Warn about dlv.isc.org's key being present. Warn about both managed and trusted root keys being present. [RT #43670]
2018-02-08 20:04:45 -05:00
ret=0
$CHECKCONF check-root-ksk-both.conf >checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
4889. [func] Warn about the use of old root keys without the new root key being present. Warn about dlv.isc.org's key being present. Warn about both managed and trusted root keys being present. [RT #43670]
2018-02-08 20:04:45 -05:00
status=$((status + ret))
Add missing n increments in checkconf test
2019-08-30 06:11:56 -04:00
n=$((n + 1))
deprecate "trusted-keys" - trusted-keys is now flagged as deprecated, but still works - managed-keys can be used to configure permanent trust anchors by using the "static-key" keyword in place of "initial-key" - parser now uses an enum for static-key and initial-key keywords
2018-08-15 19:59:45 -04:00
echo_i "check that the 2017 ICANN ROOT KSK alone does not generate a warning ($n)"
4889. [func] Warn about the use of old root keys without the new root key being present. Warn about dlv.isc.org's key being present. Warn about both managed and trusted root keys being present. [RT #43670]
2018-02-08 20:04:45 -05:00
ret=0
$CHECKCONF check-root-ksk-2017.conf >checkconf.out$n 2>/dev/null || ret=1
[ -s checkconf.out$n ] && ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
4889. [func] Warn about the use of old root keys without the new root key being present. Warn about dlv.isc.org's key being present. Warn about both managed and trusted root keys being present. [RT #43670]
2018-02-08 20:04:45 -05:00
status=$((status + ret))
Add missing n increments in checkconf test
2019-08-30 06:11:56 -04:00
n=$((n + 1))
update key checks in lib/bind9/check.c and fix checkconf test - any use of trusted or static keys for the root zone will now elicit a warning, regardless of what the keys may be - ditto for any use of a key for dlv.isc.org, static or managed
2018-10-03 14:46:06 -04:00
echo_i "check that a static root key generates a warning ($n)"
ret=0
$CHECKCONF check-root-static-key.conf >checkconf.out$n 2>/dev/null || ret=1
read DS trust anchors in named.conf (but they aren't used for anything yet)
2019-09-16 02:14:51 -04:00
grep "static entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
read DS trust anchors in named.conf (but they aren't used for anything yet)
2019-09-16 02:14:51 -04:00
status=$((status + ret))
n=$((n + 1))
echo_i "check that a static root DS trust anchor generates a warning ($n)"
ret=0
$CHECKCONF check-root-static-ds.conf >checkconf.out$n 2>/dev/null || ret=1
grep "static entry for the root zone WILL FAIL" checkconf.out$n >/dev/null || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
update key checks in lib/bind9/check.c and fix checkconf test - any use of trusted or static keys for the root zone will now elicit a warning, regardless of what the keys may be - ditto for any use of a key for dlv.isc.org, static or managed
2018-10-03 14:46:06 -04:00
status=$((status + ret))
Introduce dnssec-policy configuration This commit introduces the initial `dnssec-policy` configuration statement. It has an initial set of options to deal with signature and key maintenance. Add some checks to ensure that dnssec-policy is configured at the right locations, and that policies referenced to in zone statements actually exist. Add some checks that when a user adds the new `dnssec-policy` configuration, it will no longer contain existing DNSSEC configuration options. Specifically: `inline-signing`, `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`, `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`, and `sig-validity-interval`. Test a good kasp configuration, and some bad configurations.
2019-09-02 10:24:48 -04:00
n=$((n + 1))
add support for key algorithm mnemonics in dnssec-policy
2020-02-06 15:13:20 -05:00
echo_i "checking named-checkconf kasp errors ($n)"
Introduce dnssec-policy configuration This commit introduces the initial `dnssec-policy` configuration statement. It has an initial set of options to deal with signature and key maintenance. Add some checks to ensure that dnssec-policy is configured at the right locations, and that policies referenced to in zone statements actually exist. Add some checks that when a user adds the new `dnssec-policy` configuration, it will no longer contain existing DNSSEC configuration options. Specifically: `inline-signing`, `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`, `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`, and `sig-validity-interval`. Test a good kasp configuration, and some bad configurations.
2019-09-02 10:24:48 -04:00
ret=0
add support for key algorithm mnemonics in dnssec-policy
2020-02-06 15:13:20 -05:00
$CHECKCONF kasp-and-other-dnssec-options.conf >checkconf.out$n 2>&1 && ret=1
Clarify error message about missing inline-signing & dnssec-policy
2022-10-05 08:44:09 -04:00
grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" <checkconf.out$n >/dev/null || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
Introduce dnssec-policy configuration This commit introduces the initial `dnssec-policy` configuration statement. It has an initial set of options to deal with signature and key maintenance. Add some checks to ensure that dnssec-policy is configured at the right locations, and that policies referenced to in zone statements actually exist. Add some checks that when a user adds the new `dnssec-policy` configuration, it will no longer contain existing DNSSEC configuration options. Specifically: `inline-signing`, `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`, `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`, and `sig-validity-interval`. Test a good kasp configuration, and some bad configurations.
2019-09-02 10:24:48 -04:00
status=$((status + ret))
Check nsec3param configuration values Check 'nsec3param' configuration for the number of iterations. The maximum number of iterations that are allowed are based on the key size (see https://tools.ietf.org/html/rfc5155#section-10.3). Check 'nsec3param' configuration for correct salt. If the string is not "-" or hex-based, this is a bad salt.
2020-10-13 11:48:22 -04:00
n=$((n + 1))
echo_i "checking named-checkconf kasp nsec3 iterations errors ($n)"
ret=0
Replace testcrypto.sh invocations in tests Use the provided environment variables instead.
2024-01-24 09:38:55 -05:00
if [ $RSASHA1_SUPPORTED = 0 ]; then
make cfg_kaspkey_fromconfig FIPS aware - RSASHA1 (5) and NSEC3RSASHA1 (7) are not accepted in FIPS mode - minimum RSA key size is set to 2048 bit adjust kasp and checkconf system tests to ensure non FIPS compliant configurations are not used in FIPS mode
2021-12-22 22:09:36 -05:00
conf=kasp-bad-nsec3-iter-fips.conf
expect=2
else
conf=kasp-bad-nsec3-iter.conf
expect=3
fi
$CHECKCONF $conf >checkconf.out$n 2>&1 && ret=1
Change NSEC3 iterations to 0 in system tests The system tests need to be updated because non-zero iterations are no longer accepted. The autosign system test changes its iterations from 1 to 0 in one test case. This requires the hash to be updated. The checkconf system test needs to change the iterations in the good configuration files to 0, and in the bad ones to 1 (any non-zero value would suffice, but we test the corner case here). Also, the expected failure message is change, so needs to be adjusted. The nsec3 system test also needs iteration configuration adjustments. In addition, the test script no longer needs the ITERATIONS environment variable. In the process of updating the system tests, I noticed an error in the dnssec-policy "nsec3-other", where the salt length in one configuration file is different than in the other (they need to be the same). Furthermore, the 'rndc signing -nsec3param' test case is operated on the zone 'nsec-change.kasp', so is moved so that the tests on the same zone are grouped together.
2023-11-22 06:32:55 -05:00
grep "dnssec-policy: nsec3 iterations value 1 not allowed, must be zero" <checkconf.out$n >/dev/null || ret=1
Check nsec3param configuration values Check 'nsec3param' configuration for the number of iterations. The maximum number of iterations that are allowed are based on the key size (see https://tools.ietf.org/html/rfc5155#section-10.3). Check 'nsec3param' configuration for correct salt. If the string is not "-" or hex-based, this is a bad salt.
2020-10-13 11:48:22 -04:00
lines=$(wc -l <"checkconf.out$n")
make cfg_kaspkey_fromconfig FIPS aware - RSASHA1 (5) and NSEC3RSASHA1 (7) are not accepted in FIPS mode - minimum RSA key size is set to 2048 bit adjust kasp and checkconf system tests to ensure non FIPS compliant configurations are not used in FIPS mode
2021-12-22 22:09:36 -05:00
if [ $lines -ne $expect ]; then ret=1; fi
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
Check nsec3param configuration values Check 'nsec3param' configuration for the number of iterations. The maximum number of iterations that are allowed are based on the key size (see https://tools.ietf.org/html/rfc5155#section-10.3). Check 'nsec3param' configuration for correct salt. If the string is not "-" or hex-based, this is a bad salt.
2020-10-13 11:48:22 -04:00
status=$((status + ret))
Add check for NSEC3 and key algorithms NSEC3 is not backwards compatible with key algorithms that existed before the RFC 5155 specification was published.
2020-10-19 04:19:52 -04:00
n=$((n + 1))
echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
ret=0
$CHECKCONF kasp-bad-nsec3-alg.conf >checkconf.out$n 2>&1 && ret=1
Replace testcrypto.sh invocations in tests Use the provided environment variables instead.
2024-01-24 09:38:55 -05:00
if [ $RSASHA1_SUPPORTED = 0 ]; then
nsec3: use fips configuration if rsasha1 is not supported
2022-08-25 00:14:42 -04:00
grep "dnssec-policy: algorithm rsasha1 not supported" <checkconf.out$n >/dev/null || ret=1
named-checkconf needs to know if named will be running in FIPS mode Call dst_lib_init to set FIPS mode if it was turned on at configure time. Check that named-checkconf report that dnssec policies that wont work in FIPS mode are reported if named would be running in FIPS mode.
2022-07-11 19:09:57 -04:00
else
grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" <checkconf.out$n >/dev/null || ret=1
fi
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
Add check for NSEC3 and key algorithms NSEC3 is not backwards compatible with key algorithms that existed before the RFC 5155 specification was published.
2020-10-19 04:19:52 -04:00
status=$((status + ret))
Check nsec3param configuration values Check 'nsec3param' configuration for the number of iterations. The maximum number of iterations that are allowed are based on the key size (see https://tools.ietf.org/html/rfc5155#section-10.3). Check 'nsec3param' configuration for correct salt. If the string is not "-" or hex-based, this is a bad salt.
2020-10-13 11:48:22 -04:00
n=$((n + 1))
echo_i "checking named-checkconf kasp key errors ($n)"
ret=0
$CHECKCONF kasp-bad-keylen.conf >checkconf.out$n 2>&1 && ret=1
named-checkconf needs to know if named will be running in FIPS mode Call dst_lib_init to set FIPS mode if it was turned on at configure time. Check that named-checkconf report that dnssec policies that wont work in FIPS mode are reported if named would be running in FIPS mode.
2022-07-11 19:09:57 -04:00
grep "dnssec-policy: key with algorithm rsasha256 has invalid key length 511" <checkconf.out$n >/dev/null || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
Check nsec3param configuration values Check 'nsec3param' configuration for the number of iterations. The maximum number of iterations that are allowed are based on the key size (see https://tools.ietf.org/html/rfc5155#section-10.3). Check 'nsec3param' configuration for correct salt. If the string is not "-" or hex-based, this is a bad salt.
2020-10-13 11:48:22 -04:00
status=$((status + ret))
Add offline-ksk option Add a new configuration option to enable Offline KSK key management. Offline KSK cannot work with CSK because it splits how keys with the KSK and ZSK role operate. Therefore, one key cannot have both roles. Add a configuration check to ensure this.
2024-03-22 06:48:53 -04:00
n=$((n + 1))
echo_i "checking named-checkconf kasp offline-ksk with csk errors ($n)"
ret=0
$CHECKCONF kasp-bad-offline-ksk.conf >checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: csk keys are not allowed when offline-ksk is enabled" <checkconf.out$n >/dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
Error if signatures-refresh is too high The signatures-refresh should not near the signatures-validity value, to prevent operational instability. Same is true when checking against signatures-validity-dnskey.
2022-05-06 10:54:49 -04:00
n=$((n + 1))
echo_i "checking named-checkconf kasp signatures refresh errors ($n)"
ret=0
$CHECKCONF kasp-bad-signatures-refresh.conf >checkconf.out$n 2>&1 && ret=1
grep "dnssec-policy: policy 'bad-sigrefresh' signatures-refresh must be at most 90% of the signatures-validity" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: policy 'bad-sigrefresh-dnskey' signatures-refresh must be at most 90% of the signatures-validity-dnskey" <checkconf.out$n >/dev/null || ret=1
lines=$(wc -l <"checkconf.out$n")
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $lines -ne 2 ]; then ret=1; fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
Error if signatures-refresh is too high The signatures-refresh should not near the signatures-validity value, to prevent operational instability. Same is true when checking against signatures-validity-dnskey.
2022-05-06 10:54:49 -04:00
status=$((status + ret))
Error if key lifetime is too short The key lifetime should not be shorter than the time it costs to introduce the successor key, otherwise keys will be created faster than they are removed, resulting in a large key set. The time it takes to replace a key is determined by the publication interval (Ipub) of the successor key and the retire interval of the predecessor key (Iret). For the ZSK, Ipub is the sum of the DNSKEY TTL and zone propagation delay (and publish safety). Iret is the sum of Dsgn, the maximum zone TTL and zone propagation delay (and retire safety). The sign delay is the signature validity period minus the refresh interval: The time to ensure that all existing RRsets have been re-signed with the new key. The ZSK lifetime should be larger than both values. For the KSK, Ipub is the sum of the DNSKEY TTL and zone propagation delay (and publish safety). Iret is the sum of the DS TTL and parent zone propagation delay (and retire safety). The KSK lifetime should be larger than both values.
2022-05-09 07:56:45 -04:00
n=$((n + 1))
echo_i "checking named-checkconf kasp key lifetime errors ($n)"
ret=0
$CHECKCONF kasp-bad-lifetime.conf >checkconf.out$n 2>&1 && ret=1
lines=$(grep "dnssec-policy: key lifetime is shorter than the time it takes to do a rollover" <checkconf.out$n | wc -l) || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $lines -ne 3 ]; then ret=1; fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
Error if key lifetime is too short The key lifetime should not be shorter than the time it costs to introduce the successor key, otherwise keys will be created faster than they are removed, resulting in a large key set. The time it takes to replace a key is determined by the publication interval (Ipub) of the successor key and the retire interval of the predecessor key (Iret). For the ZSK, Ipub is the sum of the DNSKEY TTL and zone propagation delay (and publish safety). Iret is the sum of Dsgn, the maximum zone TTL and zone propagation delay (and retire safety). The sign delay is the signature validity period minus the refresh interval: The time to ensure that all existing RRsets have been re-signed with the new key. The ZSK lifetime should be larger than both values. For the KSK, Ipub is the sum of the DNSKEY TTL and zone propagation delay (and publish safety). Iret is the sum of the DS TTL and parent zone propagation delay (and retire safety). The KSK lifetime should be larger than both values.
2022-05-09 07:56:45 -04:00
status=$((status + ret))
Check nsec3param configuration values Check 'nsec3param' configuration for the number of iterations. The maximum number of iterations that are allowed are based on the key size (see https://tools.ietf.org/html/rfc5155#section-10.3). Check 'nsec3param' configuration for correct salt. If the string is not "-" or hex-based, this is a bad salt.
2020-10-13 11:48:22 -04:00
n=$((n + 1))
echo_i "checking named-checkconf kasp predefined key length ($n)"
Warn if key lengths are out of range/predefined
2020-02-06 11:43:54 -05:00
ret=0
add support for key algorithm mnemonics in dnssec-policy
2020-02-06 15:13:20 -05:00
$CHECKCONF kasp-ignore-keylen.conf >checkconf.out$n 2>&1 || ret=1
grep "dnssec-policy: key algorithm ecdsa256 has predefined length; ignoring length value 2048" <checkconf.out$n >/dev/null || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
Warn if key lengths are out of range/predefined
2020-02-06 11:43:54 -05:00
status=$((status + ret))
Warn if multiple keys have same role If a dnssec-policy has multiple keys configured with the same algorithm and role.
2022-05-06 10:08:39 -04:00
n=$((n + 1))
echo_i "checking named-checkconf kasp warns about weird policies ($n)"
ret=0
$CHECKCONF kasp-warning.conf >checkconf.out$n 2>&1 || ret=1
grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: algorithm 8 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: algorithm 13 has multiple keys with KSK role" <checkconf.out$n >/dev/null || ret=1
grep "dnssec-policy: algorithm 13 has multiple keys with ZSK role" <checkconf.out$n >/dev/null || ret=1
Warn if key lifetime is short Log a warning if the key lifetime is less than 30 days.
2022-05-06 10:21:16 -04:00
grep "dnssec-policy: key lifetime is shorter than 30 days" <checkconf.out$n >/dev/null || ret=1
Warn if multiple keys have same role If a dnssec-policy has multiple keys configured with the same algorithm and role.
2022-05-06 10:08:39 -04:00
lines=$(wc -l <"checkconf.out$n")
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $lines -ne 5 ]; then ret=1; fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
Warn if multiple keys have same role If a dnssec-policy has multiple keys configured with the same algorithm and role.
2022-05-06 10:08:39 -04:00
status=$((status + ret))
Introduce dnssec-policy configuration This commit introduces the initial `dnssec-policy` configuration statement. It has an initial set of options to deal with signature and key maintenance. Add some checks to ensure that dnssec-policy is configured at the right locations, and that policies referenced to in zone statements actually exist. Add some checks that when a user adds the new `dnssec-policy` configuration, it will no longer contain existing DNSSEC configuration options. Specifically: `inline-signing`, `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`, `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`, and `sig-validity-interval`. Test a good kasp configuration, and some bad configurations.
2019-09-02 10:24:48 -04:00
n=$((n + 1))
echo_i "check that a good 'kasp' configuration is accepted ($n)"
ret=0
$CHECKCONF good-kasp.conf >checkconf.out$n 2>/dev/null || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
Introduce dnssec-policy configuration This commit introduces the initial `dnssec-policy` configuration statement. It has an initial set of options to deal with signature and key maintenance. Add some checks to ensure that dnssec-policy is configured at the right locations, and that policies referenced to in zone statements actually exist. Add some checks that when a user adds the new `dnssec-policy` configuration, it will no longer contain existing DNSSEC configuration options. Specifically: `inline-signing`, `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`, `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`, and `sig-validity-interval`. Test a good kasp configuration, and some bad configurations.
2019-09-02 10:24:48 -04:00
status=$((status + ret))
n=$((n + 1))
echo_i "checking that named-checkconf prints a known good kasp config ($n)"
ret=0
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf >good-kasp.conf.in
[ -s good-kasp.conf.in ] || ret=1
$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' >good-kasp.conf.out 2>&1 || ret=1
cmp good-kasp.conf.in good-kasp.conf.out || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then echo_i "failed"; fi
Introduce dnssec-policy configuration This commit introduces the initial `dnssec-policy` configuration statement. It has an initial set of options to deal with signature and key maintenance. Add some checks to ensure that dnssec-policy is configured at the right locations, and that policies referenced to in zone statements actually exist. Add some checks that when a user adds the new `dnssec-policy` configuration, it will no longer contain existing DNSSEC configuration options. Specifically: `inline-signing`, `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`, `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`, and `sig-validity-interval`. Test a good kasp configuration, and some bad configurations.
2019-09-02 10:24:48 -04:00
status=$((status + ret))
add syntax and setter/getter functions to configure max-ixfr-ratio
2020-02-21 13:53:08 -05:00
n=$((n + 1))
echo_i "check that max-ixfr-ratio 100% generates a warning ($n)"
ret=0
$CHECKCONF warn-maxratio1.conf >checkconf.out$n 2>/dev/null || ret=1
grep "exceeds 100%" <checkconf.out$n >/dev/null || ret=1
Replace string comparisons with integer comparisons checkbashisms reports Bash-style ("==") string comparisons inside test/[ command: possible bashism in bin/tests/system/checkconf/tests.sh line 105 (should be 'b = a'): if [ $? == 0 ]; then echo_i "failed"; ret=1; fi possible bashism in bin/tests/system/keyfromlabel/tests.sh line 62 (should be 'b = a'): test $ret == 0 || continue possible bashism in bin/tests/system/keyfromlabel/tests.sh line 79 (should be 'b = a'): test $ret == 0 || continue
2022-08-02 09:07:49 -04:00
if [ $ret -ne 0 ]; then
echo_i "failed"
ret=1
fi
add syntax and setter/getter functions to configure max-ixfr-ratio
2020-02-21 13:53:08 -05:00
status=$((status + ret))
Check 'named-checkconf -z' and check-wildcard Add tests to check the behavior of 'named-checkconf -z' and check-wildcard setting in named.conf.
2022-11-09 06:12:20 -05:00
n=$((n + 1))
echo_i "check that 'check-wildcard no;' succeeds as configured ($n)"
ret=0
$CHECKCONF -z check-wildcard-no.conf >checkconf.out$n 2>&1 || ret=1
grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n >/dev/null && ret=1
if [ $ret != 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
n=$((n + 1))
echo_i "check that 'check-wildcard yes;' warns as configured ($n)"
ret=0
$CHECKCONF -z check-wildcard.conf >checkconf.out$n 2>&1 || ret=1
grep -F "warning: ownername 'foo.*.check-wildcard' contains an non-terminal wildcard" checkconf.out$n >/dev/null || ret=1
if [ $ret != 0 ]; then
echo_i "failed"
ret=1
fi
status=$((status + ret))
parallelize most system tests
2018-02-20 18:43:27 -05:00
echo_i "exit status: $status"
do not overflow exit status. [RT #42643]
2016-06-13 23:48:39 -04:00
[ $status -eq 0 ] || exit 1
Reference in a new issue Copy permalink