]> git.ipfire.org Git - thirdparty/bind9.git/commitdiff
projects / thirdparty / bind9.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: eec0aaa)
Test dnssec-signzone with private key file missing
authorMatthijs Mekking <matthijs@isc.org>
Tue, 14 Jan 2025 13:10:20 +0000 (14:10 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 23 Jan 2025 09:43:07 +0000 (09:43 +0000)
Add a test case for the scenario below.

There is a case when signing a zone with dnssec-signzone where the
private key file is moved outside the key directory (for offline
ksk purposes), and then the zone is resigned. The signature of the
DNSKEY needs refreshing, but is not expired.

Rather than removing the signature without having a valid replacement,
leave the signature in the zone (despite it needs to be refreshed).

bin/tests/system/dnssec/tests.sh patch | blob | blame | history
bin/tests/system/dnssec/tests_sh_dnssec.py patch | blob | blame | history

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index d94c2670740cd78ff0945df17ff8bd46feaf622d..1c3876e0fba1c6b4cb37c2d1958544e184e93e59 100644 (file)
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1358,6 +1358,33 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+echo_ic "two DNSKEYs, DNSKEY RRset only by KSK ($n)"
+ret=0
+(
+cd signer/general || exit 1
+rm -f signed.zone
+$SIGNER -s now-1mo -e now+2d -P -x -f signed.zone -O full -o example.com. test1.zone >signer.out.$n
+test -f signed.zone
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "two DNSKEYs, DNSKEY RRset only by KSK, private key missing ($n)"
+ret=0
+(
+  cd signer/general || exit 1
+  cp signed.zone signed.expect
+  grep "example\.com\..*3600.*IN.*RRSIG.*DNSKEY.*10.*2.*3600.*28633.*example\.com\." signed.expect >dnskey.expect || exit 1
+  mv Kexample.com.+010+28633.private Kexample.com.+010+28633.offline
+  $SIGNER -P -x -f signed.zone -O full -o example.com. signed.zone >signer.out.$n
+  mv Kexample.com.+010+28633.offline Kexample.com.+010+28633.private
+  grep "$(cat dnskey.expect)" signed.zone >/dev/null || exit 1
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 echo_ic "one non-KSK DNSKEY ($n)"
 ret=0
 (
diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
index b0e9a5587122a3250e9162654d4697bf3435c13b..91817bd0b7b509a28ff7b8f0b06bd768c2829503 100644 (file)
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@@ -146,7 +146,9 @@ pytestmark = pytest.mark.extra_artifacts(
         "signer/example.db.changed",
         "signer/example2.db",
         "signer/example3.db",
+        "signer/general/dnskey.expect",
         "signer/general/dsset-*",
+        "signer/general/signed.expect",
         "signer/general/signed.zone",
         "signer/general/signer.out.*",
         "signer/nsec3param.out",
Mirror of https://gitlab.isc.org/isc-projects/bind9.git