xref: /freebsd/contrib/unbound/smallapp/unbound-checkconf.c (revision a25896ca1270e25b657ceaa8d47d5699515f5c25)
1 /*
2  * checkconf/unbound-checkconf.c - config file checker for unbound.conf file.
3  *
4  * Copyright (c) 2007, NLnet Labs. All rights reserved.
5  *
6  * This software is open source.
7  *
8  * Redistribution and use in source and binary forms, with or without
9  * modification, are permitted provided that the following conditions
10  * are met:
11  *
12  * Redistributions of source code must retain the above copyright notice,
13  * this list of conditions and the following disclaimer.
14  *
15  * Redistributions in binary form must reproduce the above copyright notice,
16  * this list of conditions and the following disclaimer in the documentation
17  * and/or other materials provided with the distribution.
18  *
19  * Neither the name of the NLNET LABS nor the names of its contributors may
20  * be used to endorse or promote products derived from this software without
21  * specific prior written permission.
22  *
23  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24  * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25  * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
26  * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27  * HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29  * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30  * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31  * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32  * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33  * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34  */
35 
36 /**
37  * \file
38  *
39  * The config checker checks for syntax and other errors in the unbound.conf
40  * file, and can be used to check for errors before the server is started
41  * or sigHUPped.
42  * Exit status 1 means an error.
43  */
44 
45 #include "config.h"
46 #include <ctype.h>
47 #include "util/log.h"
48 #include "util/config_file.h"
49 #include "util/module.h"
50 #include "util/net_help.h"
51 #include "util/regional.h"
52 #include "iterator/iterator.h"
53 #include "iterator/iter_fwd.h"
54 #include "iterator/iter_hints.h"
55 #include "validator/validator.h"
56 #include "services/localzone.h"
57 #include "services/view.h"
58 #include "services/authzone.h"
59 #include "respip/respip.h"
60 #include "sldns/sbuffer.h"
61 #ifdef HAVE_GETOPT_H
62 #include <getopt.h>
63 #endif
64 #ifdef HAVE_PWD_H
65 #include <pwd.h>
66 #endif
67 #ifdef HAVE_SYS_STAT_H
68 #include <sys/stat.h>
69 #endif
70 #ifdef HAVE_GLOB_H
71 #include <glob.h>
72 #endif
73 #ifdef WITH_PYTHONMODULE
74 #include "pythonmod/pythonmod.h"
75 #endif
76 #ifdef CLIENT_SUBNET
77 #include "edns-subnet/subnet-whitelist.h"
78 #endif
79 
80 /** Give checkconf usage, and exit (1). */
81 static void
82 usage(void)
83 {
84 	printf("Usage:	local-unbound-checkconf [file]\n");
85 	printf("	Checks unbound configuration file for errors.\n");
86 	printf("file	if omitted %s is used.\n", CONFIGFILE);
87 	printf("-o option	print value of option to stdout.\n");
88 	printf("-f 		output full pathname with chroot applied, eg. with -o pidfile.\n");
89 	printf("-h		show this usage help.\n");
90 	printf("Version %s\n", PACKAGE_VERSION);
91 	printf("BSD licensed, see LICENSE in source package for details.\n");
92 	printf("Report bugs to %s\n", PACKAGE_BUGREPORT);
93 	exit(1);
94 }
95 
96 /**
97  * Print given option to stdout
98  * @param cfg: config
99  * @param opt: option name without trailing :.
100  *	This is different from config_set_option.
101  * @param final: if final pathname with chroot applied has to be printed.
102  */
103 static void
104 print_option(struct config_file* cfg, const char* opt, int final)
105 {
106 	if(strcmp(opt, "pidfile") == 0 && final) {
107 		char *p = fname_after_chroot(cfg->pidfile, cfg, 1);
108 		if(!p) fatal_exit("out of memory");
109 		printf("%s\n", p);
110 		free(p);
111 		return;
112 	}
113 	if(strcmp(opt, "auto-trust-anchor-file") == 0 && final) {
114 		struct config_strlist* s = cfg->auto_trust_anchor_file_list;
115 		for(; s; s=s->next) {
116 			char *p = fname_after_chroot(s->str, cfg, 1);
117 			if(!p) fatal_exit("out of memory");
118 			printf("%s\n", p);
119 			free(p);
120 		}
121 		return;
122 	}
123 	if(!config_get_option(cfg, opt, config_print_func, stdout))
124 		fatal_exit("cannot print option '%s'", opt);
125 }
126 
127 /** check if module works with config */
128 static void
129 check_mod(struct config_file* cfg, struct module_func_block* fb)
130 {
131 	struct module_env env;
132 	memset(&env, 0, sizeof(env));
133 	env.cfg = cfg;
134 	env.scratch = regional_create();
135 	env.scratch_buffer = sldns_buffer_new(BUFSIZ);
136 	if(!env.scratch || !env.scratch_buffer)
137 		fatal_exit("out of memory");
138 	if(!edns_known_options_init(&env))
139 		fatal_exit("out of memory");
140 	if(!(*fb->init)(&env, 0)) {
141 		fatal_exit("bad config for %s module", fb->name);
142 	}
143 	(*fb->deinit)(&env, 0);
144 	sldns_buffer_free(env.scratch_buffer);
145 	regional_destroy(env.scratch);
146 	edns_known_options_delete(&env);
147 }
148 
149 /** check localzones */
150 static void
151 localzonechecks(struct config_file* cfg)
152 {
153 	struct local_zones* zs;
154 	if(!(zs = local_zones_create()))
155 		fatal_exit("out of memory");
156 	if(!local_zones_apply_cfg(zs, cfg))
157 		fatal_exit("failed local-zone, local-data configuration");
158 	local_zones_delete(zs);
159 }
160 
161 /** check view and response-ip configuration */
162 static void
163 view_and_respipchecks(struct config_file* cfg)
164 {
165 	struct views* views = NULL;
166 	struct respip_set* respip = NULL;
167 	int ignored = 0;
168 	if(!(views = views_create()))
169 		fatal_exit("Could not create views: out of memory");
170 	if(!(respip = respip_set_create()))
171 		fatal_exit("Could not create respip set: out of memory");
172 	if(!views_apply_cfg(views, cfg))
173 		fatal_exit("Could not set up views");
174 	if(!respip_global_apply_cfg(respip, cfg))
175 		fatal_exit("Could not setup respip set");
176 	if(!respip_views_apply_cfg(views, cfg, &ignored))
177 		fatal_exit("Could not setup per-view respip sets");
178 	views_delete(views);
179 	respip_set_delete(respip);
180 }
181 
182 /** emit warnings for IP in hosts */
183 static void
184 warn_hosts(const char* typ, struct config_stub* list)
185 {
186 	struct sockaddr_storage a;
187 	socklen_t alen;
188 	struct config_stub* s;
189 	struct config_strlist* h;
190 	for(s=list; s; s=s->next) {
191 		for(h=s->hosts; h; h=h->next) {
192 			if(extstrtoaddr(h->str, &a, &alen)) {
193 				fprintf(stderr, "unbound-checkconf: warning:"
194 				  " %s %s: \"%s\" is an IP%s address, "
195 				  "and when looked up as a host name "
196 				  "during use may not resolve.\n",
197 				  s->name, typ, h->str,
198 				  addr_is_ip6(&a, alen)?"6":"4");
199 			}
200 		}
201 	}
202 }
203 
204 /** check interface strings */
205 static void
206 interfacechecks(struct config_file* cfg)
207 {
208 	int d;
209 	struct sockaddr_storage a;
210 	socklen_t alen;
211 	int i, j;
212 	for(i=0; i<cfg->num_ifs; i++) {
213 		if(!extstrtoaddr(cfg->ifs[i], &a, &alen)) {
214 			fatal_exit("cannot parse interface specified as '%s'",
215 				cfg->ifs[i]);
216 		}
217 		for(j=0; j<cfg->num_ifs; j++) {
218 			if(i!=j && strcmp(cfg->ifs[i], cfg->ifs[j])==0)
219 				fatal_exit("interface: %s present twice, "
220 					"cannot bind same ports twice.",
221 					cfg->ifs[i]);
222 		}
223 	}
224 	for(i=0; i<cfg->num_out_ifs; i++) {
225 		if(!ipstrtoaddr(cfg->out_ifs[i], UNBOUND_DNS_PORT, &a, &alen) &&
226 		   !netblockstrtoaddr(cfg->out_ifs[i], UNBOUND_DNS_PORT, &a, &alen, &d)) {
227 			fatal_exit("cannot parse outgoing-interface "
228 				"specified as '%s'", cfg->out_ifs[i]);
229 		}
230 		for(j=0; j<cfg->num_out_ifs; j++) {
231 			if(i!=j && strcmp(cfg->out_ifs[i], cfg->out_ifs[j])==0)
232 				fatal_exit("outgoing-interface: %s present "
233 					"twice, cannot bind same ports twice.",
234 					cfg->out_ifs[i]);
235 		}
236 	}
237 }
238 
239 /** check acl ips */
240 static void
241 aclchecks(struct config_file* cfg)
242 {
243 	int d;
244 	struct sockaddr_storage a;
245 	socklen_t alen;
246 	struct config_str2list* acl;
247 	for(acl=cfg->acls; acl; acl = acl->next) {
248 		if(!netblockstrtoaddr(acl->str, UNBOUND_DNS_PORT, &a, &alen,
249 			&d)) {
250 			fatal_exit("cannot parse access control address %s %s",
251 				acl->str, acl->str2);
252 		}
253 	}
254 }
255 
256 /** check tcp connection limit ips */
257 static void
258 tcpconnlimitchecks(struct config_file* cfg)
259 {
260 	int d;
261 	struct sockaddr_storage a;
262 	socklen_t alen;
263 	struct config_str2list* tcl;
264 	for(tcl=cfg->tcp_connection_limits; tcl; tcl = tcl->next) {
265 		if(!netblockstrtoaddr(tcl->str, UNBOUND_DNS_PORT, &a, &alen,
266 			&d)) {
267 			fatal_exit("cannot parse tcp connection limit address %s %s",
268 				tcl->str, tcl->str2);
269 		}
270 	}
271 }
272 
273 /** true if fname is a file */
274 static int
275 is_file(const char* fname)
276 {
277 	struct stat buf;
278 	if(stat(fname, &buf) < 0) {
279 		if(errno==EACCES) {
280 			printf("warning: no search permission for one of the directories in path: %s\n", fname);
281 			return 1;
282 		}
283 		perror(fname);
284 		return 0;
285 	}
286 	if(S_ISDIR(buf.st_mode)) {
287 		printf("%s is not a file\n", fname);
288 		return 0;
289 	}
290 	return 1;
291 }
292 
293 /** true if fname is a directory */
294 static int
295 is_dir(const char* fname)
296 {
297 	struct stat buf;
298 	if(stat(fname, &buf) < 0) {
299 		if(errno==EACCES) {
300 			printf("warning: no search permission for one of the directories in path: %s\n", fname);
301 			return 1;
302 		}
303 		perror(fname);
304 		return 0;
305 	}
306 	if(!(S_ISDIR(buf.st_mode))) {
307 		printf("%s is not a directory\n", fname);
308 		return 0;
309 	}
310 	return 1;
311 }
312 
313 /** get base dir of a fname */
314 static char*
315 basedir(char* fname)
316 {
317 	char* rev;
318 	if(!fname) fatal_exit("out of memory");
319 	rev = strrchr(fname, '/');
320 	if(!rev) return NULL;
321 	if(fname == rev) return NULL;
322 	rev[0] = 0;
323 	return fname;
324 }
325 
326 /** check chroot for a file string */
327 static void
328 check_chroot_string(const char* desc, char** ss,
329 	const char* chrootdir, struct config_file* cfg)
330 {
331 	char* str = *ss;
332 	if(str && str[0]) {
333 		*ss = fname_after_chroot(str, cfg, 1);
334 		if(!*ss) fatal_exit("out of memory");
335 		if(!is_file(*ss)) {
336 			if(chrootdir && chrootdir[0])
337 				fatal_exit("%s: \"%s\" does not exist in "
338 					"chrootdir %s", desc, str, chrootdir);
339 			else
340 				fatal_exit("%s: \"%s\" does not exist",
341 					desc, str);
342 		}
343 		/* put in a new full path for continued checking */
344 		free(str);
345 	}
346 }
347 
348 /** check file list, every file must be inside the chroot location */
349 static void
350 check_chroot_filelist(const char* desc, struct config_strlist* list,
351 	const char* chrootdir, struct config_file* cfg)
352 {
353 	struct config_strlist* p;
354 	for(p=list; p; p=p->next) {
355 		check_chroot_string(desc, &p->str, chrootdir, cfg);
356 	}
357 }
358 
359 /** check file list, with wildcard processing */
360 static void
361 check_chroot_filelist_wild(const char* desc, struct config_strlist* list,
362 	const char* chrootdir, struct config_file* cfg)
363 {
364 	struct config_strlist* p;
365 	for(p=list; p; p=p->next) {
366 #ifdef HAVE_GLOB
367 		if(strchr(p->str, '*') || strchr(p->str, '[') ||
368 			strchr(p->str, '?') || strchr(p->str, '{') ||
369 			strchr(p->str, '~')) {
370 			char* s = p->str;
371 			/* adjust whole pattern for chroot and check later */
372 			p->str = fname_after_chroot(p->str, cfg, 1);
373 			free(s);
374 		} else
375 #endif /* HAVE_GLOB */
376 			check_chroot_string(desc, &p->str, chrootdir, cfg);
377 	}
378 }
379 
380 #ifdef CLIENT_SUBNET
381 /** check ECS configuration */
382 static void
383 ecs_conf_checks(struct config_file* cfg)
384 {
385 	struct ecs_whitelist* whitelist = NULL;
386 	if(!(whitelist = ecs_whitelist_create()))
387 		fatal_exit("Could not create ednssubnet whitelist: out of memory");
388         if(!ecs_whitelist_apply_cfg(whitelist, cfg))
389 		fatal_exit("Could not setup ednssubnet whitelist");
390 	ecs_whitelist_delete(whitelist);
391 }
392 #endif /* CLIENT_SUBNET */
393 
394 /** check that the modules exist, are compiled in */
395 static void
396 check_modules_exist(const char* module_conf)
397 {
398 	const char** names = module_list_avail();
399 	const char* s = module_conf;
400 	while(*s) {
401 		int i = 0;
402 		int is_ok = 0;
403 		while(*s && isspace((unsigned char)*s))
404 			s++;
405 		if(!*s) break;
406 		while(names[i]) {
407 			if(strncmp(names[i], s, strlen(names[i])) == 0) {
408 				is_ok = 1;
409 				break;
410 			}
411 			i++;
412 		}
413 		if(is_ok == 0) {
414 			char n[64];
415 			size_t j;
416 			n[0]=0;
417 			n[sizeof(n)-1]=0;
418 			for(j=0; j<sizeof(n)-1; j++) {
419 				if(!s[j] || isspace((unsigned char)s[j])) {
420 					n[j] = 0;
421 					break;
422 				}
423 				n[j] = s[j];
424 			}
425 			fatal_exit("module_conf lists module '%s' but that "
426 				"module is not available.", n);
427 		}
428 		s += strlen(names[i]);
429 	}
430 }
431 
432 /** check configuration for errors */
433 static void
434 morechecks(struct config_file* cfg, const char* fname)
435 {
436 	warn_hosts("stub-host", cfg->stubs);
437 	warn_hosts("forward-host", cfg->forwards);
438 	interfacechecks(cfg);
439 	aclchecks(cfg);
440 	tcpconnlimitchecks(cfg);
441 
442 	if(cfg->verbosity < 0)
443 		fatal_exit("verbosity value < 0");
444 	if(cfg->num_threads <= 0 || cfg->num_threads > 10000)
445 		fatal_exit("num_threads value weird");
446 	if(!cfg->do_ip4 && !cfg->do_ip6)
447 		fatal_exit("ip4 and ip6 are both disabled, pointless");
448 	if(!cfg->do_ip6 && cfg->prefer_ip6)
449 		fatal_exit("cannot prefer and disable ip6, pointless");
450 	if(!cfg->do_udp && !cfg->do_tcp)
451 		fatal_exit("udp and tcp are both disabled, pointless");
452 	if(cfg->edns_buffer_size > cfg->msg_buffer_size)
453 		fatal_exit("edns-buffer-size larger than msg-buffer-size, "
454 			"answers will not fit in processing buffer");
455 #ifdef UB_ON_WINDOWS
456 	w_config_adjust_directory(cfg);
457 #endif
458 	if(cfg->chrootdir && cfg->chrootdir[0] &&
459 		cfg->chrootdir[strlen(cfg->chrootdir)-1] == '/')
460 		fatal_exit("chootdir %s has trailing slash '/' please remove.",
461 			cfg->chrootdir);
462 	if(cfg->chrootdir && cfg->chrootdir[0] &&
463 		!is_dir(cfg->chrootdir)) {
464 		fatal_exit("bad chroot directory");
465 	}
466 	if(cfg->chrootdir && cfg->chrootdir[0]) {
467 		char buf[10240];
468 		buf[0] = 0;
469 		if(fname[0] != '/') {
470 			if(getcwd(buf, sizeof(buf)) == NULL)
471 				fatal_exit("getcwd: %s", strerror(errno));
472 			(void)strlcat(buf, "/", sizeof(buf));
473 		}
474 		(void)strlcat(buf, fname, sizeof(buf));
475 		if(strncmp(buf, cfg->chrootdir, strlen(cfg->chrootdir)) != 0)
476 			fatal_exit("config file %s is not inside chroot %s",
477 				buf, cfg->chrootdir);
478 	}
479 	if(cfg->directory && cfg->directory[0]) {
480 		char* ad = fname_after_chroot(cfg->directory, cfg, 0);
481 		if(!ad) fatal_exit("out of memory");
482 		if(!is_dir(ad)) fatal_exit("bad chdir directory");
483 		free(ad);
484 	}
485 	if( (cfg->chrootdir && cfg->chrootdir[0]) ||
486 	    (cfg->directory && cfg->directory[0])) {
487 		if(cfg->pidfile && cfg->pidfile[0]) {
488 			char* ad = (cfg->pidfile[0]=='/')?strdup(cfg->pidfile):
489 				fname_after_chroot(cfg->pidfile, cfg, 1);
490 			char* bd = basedir(ad);
491 			if(bd && !is_dir(bd))
492 				fatal_exit("pidfile directory does not exist");
493 			free(ad);
494 		}
495 		if(cfg->logfile && cfg->logfile[0]) {
496 			char* ad = fname_after_chroot(cfg->logfile, cfg, 1);
497 			char* bd = basedir(ad);
498 			if(bd && !is_dir(bd))
499 				fatal_exit("logfile directory does not exist");
500 			free(ad);
501 		}
502 	}
503 
504 	check_chroot_filelist("file with root-hints",
505 		cfg->root_hints, cfg->chrootdir, cfg);
506 	check_chroot_filelist("trust-anchor-file",
507 		cfg->trust_anchor_file_list, cfg->chrootdir, cfg);
508 	check_chroot_filelist("auto-trust-anchor-file",
509 		cfg->auto_trust_anchor_file_list, cfg->chrootdir, cfg);
510 	check_chroot_filelist_wild("trusted-keys-file",
511 		cfg->trusted_keys_file_list, cfg->chrootdir, cfg);
512 	check_chroot_string("dlv-anchor-file", &cfg->dlv_anchor_file,
513 		cfg->chrootdir, cfg);
514 #ifdef USE_IPSECMOD
515 	if(cfg->ipsecmod_enabled && strstr(cfg->module_conf, "ipsecmod")) {
516 		/* only check hook if enabled */
517 		check_chroot_string("ipsecmod-hook", &cfg->ipsecmod_hook,
518 			cfg->chrootdir, cfg);
519 	}
520 #endif
521 	/* remove chroot setting so that modules are not stripping pathnames*/
522 	free(cfg->chrootdir);
523 	cfg->chrootdir = NULL;
524 
525 	/* check that the modules listed in module_conf exist */
526 	check_modules_exist(cfg->module_conf);
527 
528 	/* There should be no reason for 'respip' module not to work with
529 	 * dns64, but it's not explicitly confirmed,  so the combination is
530 	 * excluded below.   It's simply unknown yet for the combination of
531 	 * respip and other modules. */
532 	if(strcmp(cfg->module_conf, "iterator") != 0
533 		&& strcmp(cfg->module_conf, "validator iterator") != 0
534 		&& strcmp(cfg->module_conf, "dns64 validator iterator") != 0
535 		&& strcmp(cfg->module_conf, "dns64 iterator") != 0
536 		&& strcmp(cfg->module_conf, "respip iterator") != 0
537 		&& strcmp(cfg->module_conf, "respip validator iterator") != 0
538 #ifdef WITH_PYTHONMODULE
539 		&& strcmp(cfg->module_conf, "python iterator") != 0
540 		&& strcmp(cfg->module_conf, "python validator iterator") != 0
541 		&& strcmp(cfg->module_conf, "validator python iterator") != 0
542 		&& strcmp(cfg->module_conf, "dns64 python iterator") != 0
543 		&& strcmp(cfg->module_conf, "dns64 python validator iterator") != 0
544 		&& strcmp(cfg->module_conf, "dns64 validator python iterator") != 0
545 		&& strcmp(cfg->module_conf, "python dns64 iterator") != 0
546 		&& strcmp(cfg->module_conf, "python dns64 validator iterator") != 0
547 #endif
548 #ifdef USE_CACHEDB
549 		&& strcmp(cfg->module_conf, "validator cachedb iterator") != 0
550 		&& strcmp(cfg->module_conf, "cachedb iterator") != 0
551 		&& strcmp(cfg->module_conf, "dns64 validator cachedb iterator") != 0
552 		&& strcmp(cfg->module_conf, "dns64 cachedb iterator") != 0
553 #endif
554 #if defined(WITH_PYTHONMODULE) && defined(USE_CACHEDB)
555 		&& strcmp(cfg->module_conf, "python dns64 cachedb iterator") != 0
556 		&& strcmp(cfg->module_conf, "python dns64 validator cachedb iterator") != 0
557 		&& strcmp(cfg->module_conf, "dns64 python cachedb iterator") != 0
558 		&& strcmp(cfg->module_conf, "dns64 python validator cachedb iterator") != 0
559 		&& strcmp(cfg->module_conf, "python cachedb iterator") != 0
560 		&& strcmp(cfg->module_conf, "python validator cachedb iterator") != 0
561 		&& strcmp(cfg->module_conf, "cachedb python iterator") != 0
562 		&& strcmp(cfg->module_conf, "validator cachedb python iterator") != 0
563 		&& strcmp(cfg->module_conf, "validator python cachedb iterator") != 0
564 #endif
565 #ifdef CLIENT_SUBNET
566 		&& strcmp(cfg->module_conf, "subnetcache iterator") != 0
567 		&& strcmp(cfg->module_conf, "subnetcache validator iterator") != 0
568 		&& strcmp(cfg->module_conf, "dns64 subnetcache iterator") != 0
569 		&& strcmp(cfg->module_conf, "dns64 subnetcache validator iterator") != 0
570 #endif
571 #if defined(WITH_PYTHONMODULE) && defined(CLIENT_SUBNET)
572 		&& strcmp(cfg->module_conf, "python subnetcache iterator") != 0
573 		&& strcmp(cfg->module_conf, "subnetcache python iterator") != 0
574 		&& strcmp(cfg->module_conf, "python subnetcache validator iterator") != 0
575 		&& strcmp(cfg->module_conf, "subnetcache python validator iterator") != 0
576 		&& strcmp(cfg->module_conf, "subnetcache validator python iterator") != 0
577 #endif
578 #ifdef USE_IPSECMOD
579 		&& strcmp(cfg->module_conf, "ipsecmod iterator") != 0
580 		&& strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0
581 #endif
582 #if defined(WITH_PYTHONMODULE) && defined(USE_IPSECMOD)
583 		&& strcmp(cfg->module_conf, "python ipsecmod iterator") != 0
584 		&& strcmp(cfg->module_conf, "ipsecmod python iterator") != 0
585 		&& strcmp(cfg->module_conf, "ipsecmod validator iterator") != 0
586 		&& strcmp(cfg->module_conf, "python ipsecmod validator iterator") != 0
587 		&& strcmp(cfg->module_conf, "ipsecmod python validator iterator") != 0
588 		&& strcmp(cfg->module_conf, "ipsecmod validator python iterator") != 0
589 #endif
590 		) {
591 		fatal_exit("module conf '%s' is not known to work",
592 			cfg->module_conf);
593 	}
594 
595 #ifdef HAVE_GETPWNAM
596 	if(cfg->username && cfg->username[0]) {
597 		if(getpwnam(cfg->username) == NULL)
598 			fatal_exit("user '%s' does not exist.", cfg->username);
599 #  ifdef HAVE_ENDPWENT
600 		endpwent();
601 #  endif
602 	}
603 #endif
604 	if(cfg->remote_control_enable && options_remote_is_address(cfg)
605 		&& cfg->control_use_cert) {
606 		check_chroot_string("server-key-file", &cfg->server_key_file,
607 			cfg->chrootdir, cfg);
608 		check_chroot_string("server-cert-file", &cfg->server_cert_file,
609 			cfg->chrootdir, cfg);
610 		if(!is_file(cfg->control_key_file))
611 			fatal_exit("control-key-file: \"%s\" does not exist",
612 				cfg->control_key_file);
613 		if(!is_file(cfg->control_cert_file))
614 			fatal_exit("control-cert-file: \"%s\" does not exist",
615 				cfg->control_cert_file);
616 	}
617 
618 	localzonechecks(cfg);
619 	view_and_respipchecks(cfg);
620 #ifdef CLIENT_SUBNET
621 	ecs_conf_checks(cfg);
622 #endif
623 }
624 
625 /** check forwards */
626 static void
627 check_fwd(struct config_file* cfg)
628 {
629 	struct iter_forwards* fwd = forwards_create();
630 	if(!fwd || !forwards_apply_cfg(fwd, cfg)) {
631 		fatal_exit("Could not set forward zones");
632 	}
633 	forwards_delete(fwd);
634 }
635 
636 /** check hints */
637 static void
638 check_hints(struct config_file* cfg)
639 {
640 	struct iter_hints* hints = hints_create();
641 	if(!hints || !hints_apply_cfg(hints, cfg)) {
642 		fatal_exit("Could not set root or stub hints");
643 	}
644 	hints_delete(hints);
645 }
646 
647 /** check auth zones */
648 static void
649 check_auth(struct config_file* cfg)
650 {
651 	struct auth_zones* az = auth_zones_create();
652 	if(!az || !auth_zones_apply_cfg(az, cfg, 0)) {
653 		fatal_exit("Could not setup authority zones");
654 	}
655 	auth_zones_delete(az);
656 }
657 
658 /** check config file */
659 static void
660 checkconf(const char* cfgfile, const char* opt, int final)
661 {
662 	char oldwd[4096];
663 	struct config_file* cfg = config_create();
664 	if(!cfg)
665 		fatal_exit("out of memory");
666 	oldwd[0] = 0;
667 	if(!getcwd(oldwd, sizeof(oldwd))) {
668 		log_err("cannot getcwd: %s", strerror(errno));
669 		oldwd[0] = 0;
670 	}
671 	if(!config_read(cfg, cfgfile, NULL)) {
672 		/* config_read prints messages to stderr */
673 		config_delete(cfg);
674 		exit(1);
675 	}
676 	if(oldwd[0] && chdir(oldwd) == -1)
677 		log_err("cannot chdir(%s): %s", oldwd, strerror(errno));
678 	if(opt) {
679 		print_option(cfg, opt, final);
680 		config_delete(cfg);
681 		return;
682 	}
683 	morechecks(cfg, cfgfile);
684 	check_mod(cfg, iter_get_funcblock());
685 	check_mod(cfg, val_get_funcblock());
686 #ifdef WITH_PYTHONMODULE
687 	if(strstr(cfg->module_conf, "python"))
688 		check_mod(cfg, pythonmod_get_funcblock());
689 #endif
690 	check_fwd(cfg);
691 	check_hints(cfg);
692 	check_auth(cfg);
693 	printf("unbound-checkconf: no errors in %s\n", cfgfile);
694 	config_delete(cfg);
695 }
696 
697 /** getopt global, in case header files fail to declare it. */
698 extern int optind;
699 /** getopt global, in case header files fail to declare it. */
700 extern char* optarg;
701 
702 /** Main routine for checkconf */
703 int main(int argc, char* argv[])
704 {
705 	int c;
706 	int final = 0;
707 	const char* f;
708 	const char* opt = NULL;
709 	const char* cfgfile = CONFIGFILE;
710 	log_ident_set("unbound-checkconf");
711 	log_init(NULL, 0, NULL);
712 	checklock_start();
713 #ifdef USE_WINSOCK
714 	/* use registry config file in preference to compiletime location */
715 	if(!(cfgfile=w_lookup_reg_str("Software\\Unbound", "ConfigFile")))
716 		cfgfile = CONFIGFILE;
717 #endif /* USE_WINSOCK */
718 	/* parse the options */
719 	while( (c=getopt(argc, argv, "fho:")) != -1) {
720 		switch(c) {
721 		case 'f':
722 			final = 1;
723 			break;
724 		case 'o':
725 			opt = optarg;
726 			break;
727 		case '?':
728 		case 'h':
729 		default:
730 			usage();
731 		}
732 	}
733 	argc -= optind;
734 	argv += optind;
735 	if(argc != 0 && argc != 1)
736 		usage();
737 	if(argc == 1)
738 		f = argv[0];
739 	else	f = cfgfile;
740 	checkconf(f, opt, final);
741 	checklock_stop();
742 	return 0;
743 }
744