RUNTIME_CHECK(setup_logging(mctx, stdout, &logc) == ISC_R_SUCCESS);
+ RUNTIME_CHECK(dst_lib_init(mctx, NULL) == ISC_R_SUCCESS);
+
RUNTIME_CHECK(cfg_parser_create(mctx, logc, &parser) == ISC_R_SUCCESS);
if (nodeprecate) {
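Review bot: The added `dst_lib_init(mctx, NULL)` call carries no comment saying why a configuration checker now initialises the crypto layer. Judging by the FIPS-mode expectation in the accompanying test, algorithm validity now depends on the crypto backend of the host running the check, so the same file can pass on one host and be rejected on another. I would add above the call `/* Initialise dst so dnssec-policy algorithm checks reflect what the crypto backend permits (e.g. FIPS mode). */`. Separately, RUNTIME_CHECK turns an initialisation failure into an abort; if backend setup can fail at run time on a misconfigured host, a printed error and non-zero exit would be easier to diagnose, though dst_lib_init's failure modes are not visible here. The enclosing function starts and ends outside the hunk.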
if (print && exit_status == 0) {
cfg_printx(config, flags, output, NULL);
}
+
cfg_obj_destroy(parser, &config);
cfg_parser_destroy(&parser);
isc_log_destroy(&logc);
+ dst_lib_destroy();
+
isc_mem_destroy(&mctx);
return (exit_status);
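Review bot: Teardown is not the reverse of setup: initialisation runs setup_logging, dst_lib_init, cfg_parser_create, but here `dst_lib_destroy()` is called after `isc_log_destroy(&logc)`. If dst teardown can emit a log message, it would do so with the logging context already destroyed; that cannot be confirmed from this hunk. Moving the call up one step, so the sequence reads `cfg_parser_destroy(&parser);` then `dst_lib_destroy();` then `isc_log_destroy(&logc);`, keeps strict LIFO order and still precedes `isc_mem_destroy(&mctx)`. Any earlier exit path outside the hunk would need the new call as well; the function body begins before the hunk.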
echo_i "checking named-checkconf kasp nsec3 algorithm errors ($n)"
ret=0
$CHECKCONF kasp-bad-nsec3-alg.conf > checkconf.out$n 2>&1 && ret=1
-grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1
+if $FEATURETEST --have-fips-mode; then
+ grep "dnssec-policy: algorithm rsasha1 not supported in FIPS mode" < checkconf.out$n > /dev/null || ret=1
+else
+ grep "dnssec-policy: cannot use nsec3 with algorithm 'RSASHA1'" < checkconf.out$n > /dev/null || ret=1
+fi
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
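Review bot: The new FIPS branch has no comment explaining why the expected message differs, and in that branch the test no longer reaches the NSEC3/algorithm compatibility check it is named for. Presumably RSASHA1 is rejected as unsupported before the NSEC3 check runs; a comment such as `# FIPS mode rejects RSASHA1 outright, so the nsec3 check is never reached` above the `if` would record that. The two messages also spell the algorithm differently (`rsasha1` versus `'RSASHA1'`), which is worth confirming as intended, since the greps pin the exact text.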
echo_i "checking named-checkconf kasp key errors ($n)"
ret=0
$CHECKCONF kasp-bad-keylen.conf > checkconf.out$n 2>&1 && ret=1
-grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1
+grep "dnssec-policy: key with algorithm rsasha256 has invalid key length 511" < checkconf.out$n > /dev/null || ret=1
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
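Review bot: The expected algorithm changes from rsasha1 to rsasha256 without a comment, and the fixture kasp-bad-keylen.conf is not visible in this hunk. Presumably the fixture was switched so the key-length check stays reachable when rsasha1 is rejected in FIPS mode; if so, record it with `# uses rsasha256 so the key-length check is also reached in FIPS mode` above the grep. It is also worth confirming that the rsasha1 key-length path is still covered somewhere for non-FIPS builds.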