knot-dns/tests/knot/test_semantic_check.in

#!/bin/sh

KZONECHECK="@top_builddir@/src/kzonecheck"
DATA="@top_srcdir@/tests/knot/semantic_check_data"

. "@top_srcdir@/tests/tap/libtap.sh"

TMPDIR=$(test_tmpdir)
LOG="$TMPDIR/log"

# Params: zonefile fatal_error expected_erros_count semcheck_err_msg
expect_error()
{
	if [ ! -r "$DATA/$1" ]; then
		skip_block 4 "missing zone file for test"
		return
	fi

	"$KZONECHECK" -o example.com "$DATA/$1" > "$LOG"
	ok "$1 - check program return" test $? -eq 1

	fatal=$(grep -E "^Serious semantic error detected" $LOG | wc -l)
	ok "$1 - check fatal" test $fatal -eq $2

	errors=$(grep -E "^\[.+\] $4" $LOG | wc -l)
	ok "$1 - check errors" test $errors -eq $3
	if [ $errors != $3 ]; then
		diag "expected errors $3 but found $errors"
	fi
}

#param zonefile
test_correct()
{
	$KZONECHECK -o example.com "$DATA/$1" > /dev/null
	ok "$1 - correct zone, without error" test $? -eq 0
}

#param zonefile
test_correct_no_dnssec()
{
	$KZONECHECK -o example.com -d off "$DATA/$1" > /dev/null
	ok "$1 - correct zone, without error" test $? -eq 0
}

if [ ! -x $KZONECHECK ]; then
	skip_all "kzonecheck is missing or is not executable"
fi

# error messages exported from knot/src/zone/semantic-check.c
CDNSKEY_NONE="missing CDNSKEY"
CDNSKEY_NO_CDS="CDNSKEY without corresponding CDS"
CDNSKEY_DELETE="invalid CDNSKEY/CDS for DNSSEC delete algorithm"
CDS_NONE="missing CDS"
CDS_NOT_MATCH="CDS not match CDNSKEY"
CNAME_EXTRA_RECORDS="more records exist at CNAME"
CNAME_MULTIPLE="multiple CNAME records"
DNAME_CHILDREN="child record exists under DNAME"
DNAME_MULTIPLE="multiple DNAME records"
DNAME_EXTRA_NS="NS record exists at DNAME"
DNSKEY_PROTO="invalid protocol in DNSKEY"
DS_ALG="invalid algorithm in DS"
NSEC3PARAM_FLAGS="invalid flags in NSEC3PARAM"
NSEC3_ALG="incorrect algorithm in NSEC3"
NSEC3_INSECURE_DELEGATION_OPT="insecure delegation outside NSEC3 opt-out"
NSEC3_ITERS="incorrect number of iterations in NSEC3"
NSEC3_NONE="missing NSEC3"
NSEC3_RDATA_BITMAP="incorrect type bitmap in NSEC3"
NSEC3_RDATA_CHAIN="incoherent NSEC3 chain"
NSEC_NONE="missing NSEC"
NSEC_RDATA_BITMAP="incorrect type bitmap in NSEC"
NSEC_RDATA_CHAIN="incoherent NSEC chain"
NSEC_RDATA_MULTIPLE="multiple NSEC records"
NS_APEX="missing NS at the zone apex"
NS_GLUE="missing glue record"
RRSIG_EXPIRED="expired RRSIG"
RRSIG_NO_RRSIG="missing RRSIG"
RRSIG_RDATA_DNSKEY_OWNER="wrong signer's name in RRSIG"
RRSIG_RDATA_TTL="wrong original TTL in RRSIG"
RRSIG_SIGNED="signed RRSIG"
RRSIG_UNVERIFIABLE="unverifiable signature"

plan_lazy

expect_error "cname_extra_01.zone"   1 1 "$CNAME_EXTRA_RECORDS"
expect_error "cname_extra_02.signed" 1 1 "$CNAME_EXTRA_RECORDS"
expect_error "cname_multiple.zone"   1 1 "$CNAME_MULTIPLE"
expect_error "dname_children.zone"   1 1 "$DNAME_CHILDREN"
expect_error "dname_multiple.zone"   1 1 "$DNAME_MULTIPLE"
expect_error "dname_extra_ns.zone"   1 1 "$DNAME_EXTRA_NS"

expect_error "ns_apex.missing" 0 1 "$NS_APEX"
expect_error "glue_apex_both.missing" 0 2 "$NS_GLUE"
expect_error "glue_apex_one.missing" 0 1 "$NS_GLUE"
expect_error "glue_besides.missing" 0 1 "$NS_GLUE"
expect_error "glue_deleg.missing" 0 1 "$NS_GLUE"
expect_error "glue_in_apex.missing" 0 1 "$NS_GLUE"
expect_error "different_signer_name.signed" 0 1 "$RRSIG_RDATA_DNSKEY_OWNER \(record type NSEC\)"
expect_error "different_signer_name.signed" 0 1 "$RRSIG_UNVERIFIABLE \(record type NSEC\)"
expect_error "no_rrsig.signed" 0 1 "$RRSIG_NO_RRSIG \(record type A\)"
expect_error "no_rrsig.signed" 0 1 "$RRSIG_NO_RRSIG \(record type NSEC\)"
expect_error "no_rrsig_with_delegation.signed" 0 1 "$RRSIG_NO_RRSIG \(record type NSEC\)"
expect_error "nsec_broken_chain_01.signed" 0 1 "$NSEC_RDATA_CHAIN"
expect_error "nsec_broken_chain_02.signed" 0 1 "$NSEC_RDATA_CHAIN"
expect_error "nsec_missing.signed" 0 1 "$NSEC_NONE"
expect_error "nsec_multiple.signed" 0 1 "$NSEC_RDATA_MULTIPLE"
expect_error "nsec_wrong_bitmap_01.signed" 0 1 "$NSEC_RDATA_BITMAP"
expect_error "nsec_wrong_bitmap_02.signed" 0 1 "$NSEC_RDATA_BITMAP"
expect_error "nsec3_missing.signed" 0 1 "$NSEC3_NONE"
expect_error "nsec3_wrong_bitmap_01.signed" 0 1 "$NSEC3_RDATA_BITMAP"
expect_error "nsec3_wrong_bitmap_02.signed" 0 1 "$NSEC3_RDATA_BITMAP"
expect_error "nsec3_ds.signed" 0 1 "$NSEC3_NONE"
expect_error "nsec3_optout.signed" 0 1 "$NSEC3_INSECURE_DELEGATION_OPT"
expect_error "nsec3_chain_01.signed" 0 1 "$NSEC3_RDATA_CHAIN"
expect_error "nsec3_chain_02.signed" 0 2 "$NSEC3_RDATA_CHAIN"
expect_error "nsec3_chain_03.signed" 0 2 "$NSEC3_RDATA_CHAIN"
expect_error "nsec3_param_invalid.signed" 0 1 "$NSEC3_ALG"
expect_error "nsec3_param_invalid.signed" 0 1 "$NSEC3_ITERS"
expect_error "nsec3_param_invalid.signed" 0 1 "$NSEC3PARAM_FLAGS"
expect_error "rrsig_signed.signed" 0 1 "$RRSIG_SIGNED"
expect_error "rrsig_rdata_ttl.signed" 0 1 "$RRSIG_RDATA_TTL \(record type A\)"
expect_error "duplicate.signature" 0 7 "$RRSIG_EXPIRED"
expect_error "missing.signed" 0 1 "$NSEC_NONE"
expect_error "dnskey_param_error.signed" 0 1 "$DNSKEY_PROTO"
expect_error "invalid_ds.signed" 0 2 "$DS_ALG \(keytag 60485\)"
expect_error "cdnskey.invalid" 0 1 "$CDS_NOT_MATCH"
expect_error "cdnskey.invalid.param" 0 1 "$CDS_NOT_MATCH"
expect_error "cdnskey.nocds" 0 1 "$CDS_NONE"
expect_error "cdnskey.nocdnskey" 0 1 "$CDNSKEY_NONE"
expect_error "cdnskey.nodnskey" 0 1 "$CDNSKEY_NOT_MATCH"
expect_error "cdnskey.orphan.cds" 0 1 "$CDS_NOT_MATCH"
expect_error "cdnskey.orphan.cdnskey" 0 1 "$CDNSKEY_NO_CDS"
expect_error "cdnskey.delete.invalid.cds" 0 1 "$CDNSKEY_DELETE"
expect_error "cdnskey.delete.invalid.cdnskey" 0 1 "$CDNSKEY_DELETE"

test_correct "rrsig_ttl.signed"
test_correct "no_error_delegaton_bitmap.signed"
test_correct "no_error_nsec3_delegation.signed"
test_correct "no_error_nsec3_optout.signed"
test_correct "glue_wildcard.valid"
test_correct "glue_no_foreign.valid"
test_correct "glue_in_deleg.valid"
test_correct "cdnskey.cds"
test_correct "cdnskey.delete.both"
test_correct "dname_apex_nsec3.signed"

test_correct_no_dnssec "no_rrsig.signed"
test_correct_no_dnssec "no_rrsig_with_delegation.signed"
test_correct_no_dnssec "nsec_broken_chain_01.signed"
test_correct_no_dnssec "nsec_broken_chain_02.signed"
test_correct_no_dnssec "nsec_missing.signed"
test_correct_no_dnssec "nsec_multiple.signed"
test_correct_no_dnssec "nsec_wrong_bitmap_01.signed"
test_correct_no_dnssec "nsec_wrong_bitmap_02.signed"
test_correct_no_dnssec "nsec3_missing.signed"
test_correct_no_dnssec "nsec3_wrong_bitmap_01.signed"
test_correct_no_dnssec "nsec3_wrong_bitmap_02.signed"
test_correct_no_dnssec "nsec3_ds.signed"
test_correct_no_dnssec "nsec3_optout.signed"
test_correct_no_dnssec "nsec3_chain_01.signed"
test_correct_no_dnssec "nsec3_chain_02.signed"
test_correct_no_dnssec "nsec3_chain_03.signed"
test_correct_no_dnssec "nsec3_param_invalid.signed"
test_correct_no_dnssec "rrsig_signed.signed"
test_correct_no_dnssec "rrsig_rdata_ttl.signed"
test_correct_no_dnssec "duplicate.signature"
test_correct_no_dnssec "missing.signed"
test_correct_no_dnssec "dnskey_param_error.signed"
test_correct_no_dnssec "cdnskey.invalid"
test_correct_no_dnssec "cdnskey.invalid.param"
test_correct_no_dnssec "cdnskey.nocds"
test_correct_no_dnssec "cdnskey.nocdnskey"
test_correct_no_dnssec "cdnskey.nodnskey"
test_correct_no_dnssec "cdnskey.orphan.cds"
test_correct_no_dnssec "cdnskey.orphan.cdnskey"
test_correct_no_dnssec "cdnskey.delete.invalid.cds"
test_correct_no_dnssec "cdnskey.delete.invalid.cdnskey"

rm $LOG