improve handling of trailing dots in dnssec-keymgr and dnssec-coverage

- mishandling of trailing dots caused bad behavior with the
  root zone or names like "example.com."
- fixing this exposed an error in dnssec-coverage caused the
  wrong return value if there were KSK errors but no ZSK errors
- incidentally silenced the dnssec-keygen output in the coverage
  system test

(cherry picked from commit 1ccf4e6c169993a20305dfec5a23a55e1d920fe1)

diff --git a/CHANGES b/CHANGES
index 52a143e2e300e4ff533b7b8a6c0fbd9a838ae023..a8504d88d014b71ef8395c30d63749968f8788a3 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5143.  [bug]           dnssec-keymgr and dnssec-coverage failed to find
+                       key files for zone names ending in ".". [GL #560]
+
 5140.  [bug]           Don't immediately mark existing keys as inactive and
                        deleted when running dnssec-keymgr for the first
                        time. [GL #117]

diff --git a/bin/python/isc/coverage.py.in b/bin/python/isc/coverage.py.in
index 4e392a780ef72f994c275dbcc106090e3dfba658..b6ed5d0a6929137668fc939e3c4a41bbb622fba0 100644 (file)
--- a/bin/python/isc/coverage.py.in
+++ b/bin/python/isc/coverage.py.in
@@ -188,6 +188,9 @@ def parse_args():
     if args.filename and len(args.zone) > 1:
         fatal("ERROR: -f can only be used with one zone.")
 
+    # strip trailing dots
+    args.zone = [x[:-1] for x in args.zone if len(x) > 1 and x[-1] == '.']
+
     # convert from time arguments to seconds
     try:
         if args.maxttl:
@@ -251,7 +254,7 @@ def main():
     print("PHASE 1--Loading keys to check for internal timing problems")
 
     try:
-        kd = keydict(path=args.path, zone=args.zone, keyttl=args.keyttl)
+        kd = keydict(path=args.path, zones=args.zone, keyttl=args.keyttl)
     except Exception as e:
         fatal('ERROR: Unable to build key dictionary: ' + str(e))
 

diff --git a/bin/python/isc/eventlist.py.in b/bin/python/isc/eventlist.py.in
index 5c1b31aebb97f5542fa43e41203ed11c4f2cf52e..f11bba3a7a592d5d6fa1c1239594def885abf4b5 100644 (file)
--- a/bin/python/isc/eventlist.py.in
+++ b/bin/python/isc/eventlist.py.in
@@ -73,7 +73,7 @@ class eventlist:
                     kok = self.checkzone(z, "KSK", until, output)
                 if not no_zsk and z in self._Z.keys():
                     found = True
-                    kok = self.checkzone(z, "ZSK", until, output)
+                    zok = self.checkzone(z, "ZSK", until, output)
 
         if not found:
             output("ERROR: No key events found")

diff --git a/bin/python/isc/keydict.py.in b/bin/python/isc/keydict.py.in
index 578a8478885c0525cb06d2a6e4b75126d1170bc1..e4dcb08fc212f91741904fc08070dce59a14ad09 100644 (file)
--- a/bin/python/isc/keydict.py.in
+++ b/bin/python/isc/keydict.py.in
@@ -49,15 +49,18 @@ class keydict:
             self._keydict[key.name][key.alg][key.keyid] = key
 
     def readone(self, path, zone):
-        match='K' + zone + '.+*.private'
+        if not zone.endswith('.'):
+            zone += '.'
+        match='K' + zone + '+*.private'
         files = glob.glob(os.path.join(path, match))
 
         found = False
         for infile in files:
             key = dnskey(infile, path, self._defttl)
-            if key.name != zone: # shouldn't ever happen
+            if key.fullname != zone: # shouldn't ever happen
                 continue
-            self._keydict[key.name][key.alg][key.keyid] = key
+            keyname=key.name if zone != '.' else '.'
+            self._keydict[keyname][key.alg][key.keyid] = key
             found = True
 
         return found

diff --git a/bin/tests/system/coverage/setup.sh b/bin/tests/system/coverage/setup.sh
index 5184a5edbfe7a9b8c0cc1644290eebe83f4ccf2a..be6e3d8fba80fa9e422b6048789563359a6d7de8 100644 (file)
--- a/bin/tests/system/coverage/setup.sh
+++ b/bin/tests/system/coverage/setup.sh
@@ -22,115 +22,115 @@ ln -s $CHECKZONE named-compilezone
 dir=01-ksk-inactive
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
-ksk2=`$KEYGEN -K $dir -S $ksk1`
+ksk2=`$KEYGEN -q -K $dir -S $ksk1`
 $SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 
 # Test 2: ZSK goes inactive before successor is active
 dir=02-zsk-inactive
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
+zsk2=`$KEYGEN -q -K $dir -S $zsk1`
 $SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 
 # Test 3: KSK is unpublished before its successor is published
 dir=03-ksk-unpublished
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
-ksk2=`$KEYGEN -K $dir -S $ksk1`
+ksk2=`$KEYGEN -q -K $dir -S $ksk1`
 $SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 
 # Test 4: ZSK is unpublished before its successor is published
 dir=04-zsk-unpublished
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
+zsk2=`$KEYGEN -q -K $dir -S $zsk1`
 $SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 
 # Test 5: KSK deleted and successor published before KSK is deactivated
 # and successor activated.
 dir=05-ksk-unpub-active
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
-ksk2=`$KEYGEN -K $dir -S $ksk1`
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+ksk2=`$KEYGEN -q -K $dir -S $ksk1`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 
 # Test 6: ZSK deleted and successor published before ZSK is deactivated
 # and successor activated.
 dir=06-zsk-unpub-active
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+zsk2=`$KEYGEN -q -K $dir -S $zsk1`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 
 # Test 7: KSK rolled with insufficient delay after prepublication.
 dir=07-ksk-ttl
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
-ksk2=`$KEYGEN -K $dir -S $ksk1`
+ksk2=`$KEYGEN -q -K $dir -S $ksk1`
 # allow only 1 day between publication and activation
 $SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 
 # Test 8: ZSK rolled with insufficient delay after prepublication.
 dir=08-zsk-ttl
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
+zsk2=`$KEYGEN -q -K $dir -S $zsk1`
 # allow only 1 day between publication and activation
 $SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 
 # Test 9: KSK goes inactive before successor is active, but checking ZSKs
 dir=09-check-zsk
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 $SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
-ksk2=`$KEYGEN -K $dir -S $ksk1`
+ksk2=`$KEYGEN -q -K $dir -S $ksk1`
 $SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 
 # Test 10: ZSK goes inactive before successor is active, but checking KSKs
 dir=10-check-ksk
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
+zsk2=`$KEYGEN -q -K $dir -S $zsk1`
 $SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 
 # Test 11: ZSK goes inactive before successor is active, but after cutoff
 dir=11-cutoff
 rm -f $dir/K*.key
 rm -f $dir/K*.private
-zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
+zsk1=`$KEYGEN -q -K $dir -a rsasha1 -3 example.com`
 $SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1
-zsk2=`$KEYGEN -K $dir -S $zsk1`
+zsk2=`$KEYGEN -q -K $dir -S $zsk1`
 $SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1
-ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
+ksk1=`$KEYGEN -q -K $dir -a rsasha1 -3fk example.com`
 
 # Test 12: Too early KSK deletion
 dir=12-ksk-deletion
-ksk1=`$KEYGEN -K $dir -f KSK -a 8 -b 2048 -I +40d -D +40d example.com`
-ksk2=`$KEYGEN -K $dir -S $ksk1.key example.com`
+ksk1=`$KEYGEN -q -K $dir -f KSK -a 8 -b 2048 -I +40d -D +40d example.com`
+ksk2=`$KEYGEN -q -K $dir -S $ksk1.key example.com`

diff --git a/bin/tests/system/keymgr/clean.sh b/bin/tests/system/keymgr/clean.sh
index 3b9b1a2ea62a56f209f28d14412d474eb69bf481..04aebe1b953376a24d35beaf4ff3930a3ffe99a4 100644 (file)
--- a/bin/tests/system/keymgr/clean.sh
+++ b/bin/tests/system/keymgr/clean.sh
@@ -9,9 +9,7 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
 
-rm -f */K*.key
-rm -f */K*.private
-rm -f Kexample.com.*.key
-rm -f Kexample.com.*.private
-rm -f coverage.* keymgr.*
+rm -f K*.key */K*.key
+rm -f K*.private */K*.private
+rm -f coverage.* keymgr.* settime.*
 rm -f policy.out

diff --git a/bin/tests/system/keymgr/tests.sh b/bin/tests/system/keymgr/tests.sh
index 89fedd31dff5c455399ffdd0545f2770281321dc..6ef0a3676820bcfe6623d01305232feb57727de2 100644 (file)
--- a/bin/tests/system/keymgr/tests.sh
+++ b/bin/tests/system/keymgr/tests.sh
@@ -104,6 +104,23 @@ for dir in [0-9][0-9]-*; do
         status=`expr $status + $ret`
 done
 
+echo_i "checking domains ending in . ($n)"
+ret=0
+$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.1.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.1.$n | wc -l`
+[ "$nkeys" -eq 2 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.2.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.2.$n | wc -l`
+[ "$nkeys" -eq 0 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.3.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.3.$n | wc -l`
+[ "$nkeys" -eq 2 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.4.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.4.$n | wc -l`
+[ "$nkeys" -eq 0 ] || ret=1
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
 echo_i "checking policy.conf parser ($n)"
 ret=0
 ${PYTHON} testpolicy.py policy.sample > policy.out