+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-include "good-kasp.conf";
-
-// Bad zone configuration because this has dnssec-policy and other DNSSEC sign
-// configuration options (auto-dnssec).
-zone "example.net" {
- type primary;
- file "example.db";
- dnssec-policy "test";
- auto-dnssec maintain;
- allow-update { any; };
-};
zone example {
type primary;
file "example.db";
- auto-dnssec maintain;
+ dnssec-policy default;
allow-update { none; };
};
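Review bot: Nothing in the `zone example` stanza records what this fixture is meant to prove now that `auto-dnssec maintain;` has become `dnssec-policy default;`. With `allow-update { none; };` and no `inline-signing`, the zone looks like it exercises the rule behind the message the test script greps for ("'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy ..."), but that is inferred from the visible lines and should be confirmed against the test that loads this file. A one-line comment above the zone, e.g. `// dnssec-policy with updates disabled and no inline-signing`, plus the expected named-checkconf outcome, would stop the fixture from drifting to a different failure reason unnoticed. The same applies to the secondary zone later in the diff that pairs `dnssec-policy default;` with `inline-signing no;`.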
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-view view1 {
- match-clients { any; };
- dnssec-validation yes;
-};
-
-view view2 {
- match-clients { none; };
- dnssec-validation auto;
-};
-
-view view3 {
- match-clients { none; };
- auto-dnssec maintain;
-};
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-view view1 {
- match-clients { any; };
-};
-
-view view2 {
- match-clients { none; };
-};
-
-view view3 {
- match-clients { none; };
- dnssec-validation auto;
-};
-
-view view4 {
- match-clients { none; };
-};
-
-view view5 {
- match-clients { none; };
- auto-dnssec off;
-};
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-zone "test" {
- type primary;
- file "test.db";
- auto-dnssec maintain;
-};
zone "example.net" {
type secondary;
key-directory "/var/lib/bind/example.net";
- auto-dnssec maintain;
+ dnssec-policy default;
inline-signing yes;
primaries { stealthPrimaries; };
notify explicit;
type secondary;
file "/var/cache/bind/example.net.db";
key-directory "/var/lib/bind/example.net";
- auto-dnssec maintain;
+ dnssec-policy default;
inline-signing yes;
primaries { stealthPrimaries; };
notify explicit;
zone "example.net" {
type secondary;
key-directory "/var/lib/bind/example.net";
- auto-dnssec maintain;
+ dnssec-policy default;
inline-signing no;
primaries { stealthPrimaries; };
notify explicit;
type primary;
file "nsec3.db";
dnssec-policy "test";
- auto-dnssec maintain;
dnskey-sig-validity 3600;
dnssec-dnskey-kskonly yes;
dnssec-update-mode maintain;
if [ $ret -ne 0 ]; then echo_i "failed"; fi
status=$((status + ret))
-n=$((n + 1))
-echo_i "checking named-checkconf dnssec warnings ($n)"
-ret=0
-# dnssec.1: auto-dnssec warning
-$CHECKCONF dnssec.1 > checkconf.out$n.1 2>&1 && ret=1
-grep 'auto-dnssec may only be ' < checkconf.out$n.1 > /dev/null || ret=1
-# dnssec.2: should have no warnings (other than deprecation warning)
-$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1 || ret=1
-grep "option 'auto-dnssec' is deprecated" < checkconf.out$n.2 > /dev/null || ret=1
-lines=$(wc -l < "checkconf.out$n.2")
-if [ $lines != 1 ]; then ret=1; fi
-# dnssec.3: should have specific deprecation warning
-$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1 && ret=1
-grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" < checkconf.out$n.3 > /dev/null || ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
n=$((n + 1))
echo_i "checking named-checkconf deprecate warnings ($n)"
ret=0
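Review bot: The removed "dnssec warnings" block was the only visible place that checked how named-checkconf reports `auto-dnssec`, and nothing visible replaces it. Other parts of the test script are outside this hunk, so this may already be covered elsewhere. If it is not, one small negative case would pin the upgrade behaviour: a fixture that still contains `auto-dnssec maintain;`, run as `$CHECKCONF <fixture-with-auto-dnssec>.conf > checkconf.out$n 2>&1 && ret=1` (placeholder file name), followed by a `grep` for whatever diagnostic the parser now emits. The case matters operationally because a configuration that still carries the option should fail loudly at check time rather than load with the zone no longer being signed or re-signed.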
ret=0
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1
grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1
-grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1