dnssec-policy "default";
};
+/* checkds: Zone with one KSK. */
+zone "checkds-ksk.kasp" {
+ type primary;
+ file "checkds-ksk.kasp.db";
+ dnssec-policy "checkds-ksk";
+};
+
+/* checkds: Zone with two KSKs. */
+zone "checkds-doubleksk.kasp" {
+ type primary;
+ file "checkds-doubleksk.kasp.db";
+ dnssec-policy "checkds-doubleksk";
+};
+
+/* checkds: Zone with one CSK. */
+zone "checkds-csk.kasp" {
+ type primary;
+ file "checkds-csk.kasp.db";
+ dnssec-policy "checkds-csk";
+};
+
/* Key lifetime unlimited. */
zone "unlimited.kasp" {
type primary;
zsk key-directory lifetime P1Y algorithm 14 384;
};
};
+
+dnssec-policy "checkds-ksk" {
+ dnskey-ttl 303;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm 13;
+ zsk key-directory lifetime unlimited algorithm 13;
+ };
+};
+
+dnssec-policy "checkds-doubleksk" {
+ dnskey-ttl 303;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm 13;
+ ksk key-directory lifetime unlimited algorithm 13;
+ zsk key-directory lifetime unlimited algorithm 13;
+ };
+};
+
+dnssec-policy "checkds-csk" {
+ dnskey-ttl 303;
+
+ keys {
+ csk key-directory lifetime unlimited algorithm 13;
+ };
+};
for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \
rumoured rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 \
dynamic dynamic-inline-signing inline-signing \
- inherit unlimited
+ checkds-ksk checkds-doubleksk checkds-csk inherit unlimited
do
setup "${zn}.kasp"
cp template.db.in "$zonefile"
status=$((status+ret))
}
-_loadkeys_on() {
- _server=$1
- _dir=$2
- _zone=$3
-
- nextpart $_dir/named.run > /dev/null
- rndccmd $_server loadkeys $_zone in $_view > rndc.dnssec.loadkeys.out.$_zone.$n
- wait_for_log 20 "zone ${_zone}/IN (signed): next key event" $_dir/named.run || return 1
-}
-
-# Tell named that the DS for the key in given zone has been seen in the
-# parent (this does not actually has to be true, we just issue the command
-# to make named believe it can continue with the rollover).
-rndc_checkds() {
- _server=$1
- _dir=$2
- _keyid=$3
- _when=$4
- _what=$5
- _zone=$6
- _view=$7
-
- echo_i "calling checkds $_what key ${_keyid} zone ${_zone} ($n)"
-
- rndccmd $_server dnssec -checkds -key $_keyid -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed"
- _loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
-}
-
-
# Check if RRset of type $1 in file $2 is signed with the right keys.
# The right keys are the ones that expect a signature and matches the role $3.
check_signatures() {
status=$((status+ret))
}
+#
+# rndc dnssec -checkds
+#
+_loadkeys_on() {
+ _server=$1
+ _dir=$2
+ _zone=$3
+
+ nextpart $_dir/named.run > /dev/null
+ rndccmd $_server loadkeys $_zone in $_view > rndc.dnssec.loadkeys.out.$_zone.$n
+ wait_for_log 20 "zone ${_zone}/IN (signed): next key event" $_dir/named.run || return 1
+}
+
+# Tell named that the DS for the key in given zone has been seen in the
+# parent (this does not actually has to be true, we just issue the command
+# to make named believe it can continue with the rollover).
+rndc_checkds() {
+ _server=$1
+ _dir=$2
+ _keyid=$3
+ _when=$4
+ _what=$5
+ _zone=$6
+ _view=$7
+
+ echo_i "calling checkds $_what key ${_keyid} zone ${_zone} ($n)"
+
+ if [ "${_keyid}" = "-" ]; then
+ rndccmd $_server dnssec -checkds -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed"
+ else
+ rndccmd $_server dnssec -checkds -key $_keyid -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed"
+ fi
+
+ _loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
+}
+
#
# Zone: default.kasp.
#
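Review bot: `_loadkeys_on` reads `$_view` on its `rndccmd $_server loadkeys $_zone in $_view` line but never receives it — it takes only three positionals (`_server`, `_dir`, `_zone`), so the view comes from whatever `_view=$7` the most recent `rndc_checkds` call left behind in global scope (nothing here is `local`). A caller that reaches `_loadkeys_on` without first going through `rndc_checkds` issues `loadkeys <zone> in ` with an empty view, and the `wait_for_log` then times out for a reason unrelated to the test. Pass it explicitly: add `_view=$4` after `_zone=$3` in `_loadkeys_on`, and call it as `_loadkeys_on $_server $_dir $_zone $_view`. Separately, the `log_error` text in the `"${_keyid}" = "-"` branch still reports `key -`; since that branch means no `-key` was supplied, a message such as `rndc dnssec -checkds (no key, when ${_when} what ${_what}) zone ${_zone} failed` would read correctly in the test log. The unquoted expansions throughout match the file's existing style, so I would not block on them, but `"$_dir/named.run"` and `"$_view"` are the ones most likely to bite if a view name ever contains whitespace.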