Add kasp test case for root with checkds enabled
authorMatthijs Mekking <matthijs@isc.org>
Thu, 30 Apr 2026 08:17:40 +0000 (10:17 +0200)
committerOndřej Surý <ondrej@isc.org>
Fri, 1 May 2026 06:18:36 +0000 (08:18 +0200)
Add a test case where the root zone has dnssec-policy configured, with
checkds enabled. This is a silly case because the root does not have
any parent NS records, but it should not crash the server.

The same is true for zones that do not have parent NS records, but
eventually they will hit the same code path.

bin/tests/system/kasp/ns1/named.conf.j2 [new file with mode: 0644]
bin/tests/system/kasp/ns1/root.db.j2 [new file with mode: 0644]
bin/tests/system/kasp/ns1/setup.sh [new file with mode: 0644]
bin/tests/system/kasp/setup.sh
bin/tests/system/kasp/tests_kasp.py

diff --git a/bin/tests/system/kasp/ns1/named.conf.j2 b/bin/tests/system/kasp/ns1/named.conf.j2
new file mode 100644 (file)
index 0000000..4280a28
--- /dev/null
@@ -0,0 +1,21 @@
+// NS1
+
+options {
+       query-source address 10.53.0.1;
+       notify-source 10.53.0.1;
+       transfer-source 10.53.0.1;
+       port @PORT@;
+       pid-file "named.pid";
+       listen-on { 10.53.0.1; };
+       listen-on-v6 { none; };
+       recursion no;
+       notify yes;
+        allow-transfer { any; };
+};
+
+zone "." {
+       type primary;
+       file "root.db";
+       dnssec-policy default;
+       checkds yes;
+};
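Review bot: `checkds yes;` on the root zone deserves a comment in the fixture itself, because a reader who has not seen the commit message will not know why DS checking is enabled on a zone that has no parent; e.g. `// The root has no parent NS to query for DS records; checkds must handle that without crashing (see test_root_case in tests_kasp.py).` On a style note, the `allow-transfer { any; };` line is indented with spaces where the rest of the options block uses tabs.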
diff --git a/bin/tests/system/kasp/ns1/root.db.j2 b/bin/tests/system/kasp/ns1/root.db.j2
new file mode 100644 (file)
index 0000000..709558a
--- /dev/null
@@ -0,0 +1,10 @@
+$TTL 300
+.                      IN SOA  . a.root.servers.nil. (
+                               2000042100      ; serial
+                               600             ; refresh
+                               600             ; retry
+                               1200            ; expire
+                               600             ; minimum
+                               )
+.                      NS      a.root-servers.nil.
+a.root-servers.nil.    A       10.53.0.1
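Review bot: The SOA RNAME `a.root.servers.nil.` looks like a slip for `a.root-servers.nil.`, the name the NS and A records below use; the zone still loads since RNAME is an opaque mailbox field, but the mismatch reads as a typo. If the different spelling is intentional it is worth a `; comment`, otherwise the SOA line becomes `.                      IN SOA  . a.root-servers.nil. (`.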
diff --git a/bin/tests/system/kasp/ns1/setup.sh b/bin/tests/system/kasp/ns1/setup.sh
new file mode 100644 (file)
index 0000000..f1b8eaa
--- /dev/null
@@ -0,0 +1,31 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns1/setup.sh"
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+O="OMNIPRESENT"
+
+zone="."
+echo_i "setting up zone: $zone"
+Tpub="now-30d"
+Tact="now-1d"
+keytimes="-P ${Tpub} -A ${Tact}"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 $keytimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $Tpub -r $O $Tpub -d $H $Tact -z $O $Tpub "$CSK" >settime.out.$zone.1 2>&1
+echo "KSK: yes" >>"${CSK}".state
+echo "ZSK: yes" >>"${CSK}".state
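Review bot: With `zone="."`, the redirections `2>keygen.out.$zone.1` and `>settime.out.$zone.1` create files named `keygen.out...1` and `settime.out...1`, which are easy to misread and may not match whatever artifact globs the test module declares (not visible in this hunk). A separate label for file names, e.g. `out="root"` with `2>keygen.out.$out.1` and `>settime.out.$out.1`, keeps `.` as the zone argument to dnssec-keygen while making the artifacts readable. The `-L 3600` passed to `$KEYGEN` also has to stay in step with `ttl = 3600` in `test_root_case`; a comment such as `# DNSKEY TTL must match ttl in tests_kasp.py test_root_case` next to it would tie the two together.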
index 2b8cf6b4d866a1fc6464cbe77c929fc096b084a0..acf6052a89aabd5d20202fc9ecdfb6e3ccc0d168 100644 (file)
@@ -20,6 +20,10 @@ mkdir keys
 mkdir ns3/keys
 
 # Setup zones
+(
+  cd ns1
+  $SHELL setup.sh
+)
 (
   cd ns2
   $SHELL setup.sh
index 0c4f42ffda7b296b5797caaa88d2a2e50eb56ebc..7fc2805031024d314bfb3ab99befd5a059534bc9 100644 (file)
@@ -80,6 +80,7 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns*/signer.out.*",
         "ns*/zones",
         "ns*/policies/*.conf",
+        "ns1/managed-keys.*",
         "ns3/legacy-keys.*",
         "ns3/dynamic-signed-inline-signing.kasp.db.signed.signed",
         "ns4/purgekeys.conf",
@@ -87,6 +88,18 @@ pytestmark = pytest.mark.extra_artifacts(
     ]
 )
 
+default_config = {
+    "dnskey-ttl": timedelta(hours=1),
+    "ds-ttl": timedelta(days=1),
+    "max-zone-ttl": timedelta(days=1),
+    "parent-propagation-delay": timedelta(hours=1),
+    "publish-safety": timedelta(hours=1),
+    "purge-keys": timedelta(days=90),
+    "retire-safety": timedelta(hours=1),
+    "signatures-refresh": timedelta(days=5),
+    "signatures-validity": timedelta(days=14),
+    "zone-propagation-delay": timedelta(minutes=5),
+}
 
 kasp_config = {
     "dnskey-ttl": timedelta(seconds=1234),
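Review bot: `default_config` is added here but nothing else in this commit reads it; `test_root_case` below builds its expectations from `keyprops` and a literal `ttl` instead. If it is intended for a later check, a one-line comment naming what it mirrors would help, e.g. `# Values of the built-in "default" dnssec-policy, for deriving expected key timings.`; if not, it is dead data and should be dropped or used in the new test. The `kasp_config` statement that follows continues beyond this hunk.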
@@ -1764,3 +1777,28 @@ def test_kasp_manual_mode(ns3, default_algorithm):
     isctest.kasp.check_keys(zone, keys, expected)
     check_all(ns3, zone, policy, ksks, zsks, manual_mode=True)
     isctest.kasp.check_dnssec_verify(ns3, zone)
+
+
+def test_root_case(ns1):
+    keydir = ns1.identifier
+
+    # Get test parameters.
+    zone = ""
+    policy = "default"
+    ttl = 3600
+
+    isctest.kasp.wait_keymgr_done(ns1, ".")
+
+    # Test case.
+    isctest.log.info(f"check root zone with policy {policy}")
+
+    # First make sure the zone is signed.
+    isctest.kasp.check_dnssec_verify(ns1, zone)
+
+    # Check key properties. DS is expected to go to rumoured, so checkds kicks in.
+    keyprops = [
+        "csk 0 13 256 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured",
+    ]
+    expected = isctest.kasp.policy_to_properties(ttl=ttl, keys=keyprops)
+    keys = isctest.kasp.keydir_to_keylist(zone, keydir)
+    isctest.kasp.check_keys(zone, keys, expected)
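Review bot: The expected key line `csk 0 13 256 ...` hard-codes algorithm 13 with a 256-bit key, while `ns1/setup.sh` generates the CSK with `$DEFAULT_ALGORITHM`; if that default ever differs from ECDSAP256SHA256 the expectation goes stale without an obvious cause. Consider taking the `default_algorithm` fixture as `test_kasp_manual_mode` above does and deriving those two fields from it. The root zone is also spelled two ways, `zone = ""` for the check helpers but `"."` for `wait_keymgr_done`; if both spellings are required because the helpers normalize names differently, a short comment saying so would save the next reader a lookup. A one-line docstring would carry the purpose from the commit message, e.g. `"""Root zone with dnssec-policy and checkds enabled must not crash named: there is no parent NS to query for the DS."""`.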