Add checkconf tests for [#2463]
authorMatthijs Mekking <matthijs@isc.org>
Tue, 4 May 2021 14:30:17 +0000 (16:30 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Tue, 18 May 2021 13:47:02 +0000 (15:47 +0200)
Add two tests to make sure named-checkconf catches key-directory issues
where a zone in multiple views uses the same directory but has
different dnssec-policies. One test sets the key-directory specifically,
the other inherits the default key-directory (NULL, aka the working
directory).

Also update the good.conf test to allow zones in different views
with the same key-directory if they use the same dnssec-policy.

Also allow zones in different views with different key-directories if
they use different dnssec-policies.

Also allow zones in different views with the same key-directories if
only one view uses a dnssec-policy (the other is set to "none").

Also allow zones in different views with the same key-directories if
no view uses a dnssec-policy (the zone in both views has dnssec-policy
set to "none").

bin/tests/system/checkconf/bad-kasp-keydir1.conf [new file with mode: 0644]
bin/tests/system/checkconf/bad-kasp-keydir2.conf [new file with mode: 0644]
bin/tests/system/checkconf/good.conf
bin/tests/system/checkconf/good.zonelist
bin/tests/system/checkconf/tests.sh

diff --git a/bin/tests/system/checkconf/bad-kasp-keydir1.conf b/bin/tests/system/checkconf/bad-kasp-keydir1.conf
new file mode 100644 (file)
index 0000000..5be13a1
--- /dev/null
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key "keyforview1" {
+       algorithm "hmac-sha1";
+       secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+       algorithm "hmac-sha1";
+       secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+       match-clients { key "keyforview1"; };
+
+       zone "example.net" {
+               type primary;
+               dnssec-policy "default";
+               key-directory ".";
+               file "example1.db";
+       };
+};
+
+view "example2" {
+       match-clients { key "keyforview2"; };
+
+       zone "example.net" {
+               type primary;
+               dnssec-policy "insecure";
+               key-directory ".";
+               file "example2.db";
+       };
+};
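Review bot: Nothing in this commit ties the fixture to the key-directory check it is meant to exercise. The tests.sh hunks on this page add only `mkdir keys` and `rmdir keys`, so this file and bad-kasp-keydir2.conf are presumably run by an existing must-fail loop over `bad-*.conf` that is not shown here. If that loop asserts only a non-zero exit, the test still passes when the config is rejected for an unrelated reason (for example an unrecognised policy name), and a regression in the shared-key-directory check would go unnoticed. Consider matching the named-checkconf output against the key-directory diagnostic for both files, and opening the fixture with a comment such as `/* example.net in two views shares key-directory "." under different dnssec-policies: must be rejected */`.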
diff --git a/bin/tests/system/checkconf/bad-kasp-keydir2.conf b/bin/tests/system/checkconf/bad-kasp-keydir2.conf
new file mode 100644 (file)
index 0000000..67161a8
--- /dev/null
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key "keyforview1" {
+       algorithm "hmac-sha1";
+       secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+       algorithm "hmac-sha1";
+       secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+       match-clients { key "keyforview1"; };
+
+       zone "example.net" {
+               type primary;
+               dnssec-policy "default";
+               file "example1.db";
+       };
+};
+
+view "example2" {
+       match-clients { key "keyforview2"; };
+
+       zone "example.net" {
+               type primary;
+               dnssec-policy "insecure";
+               file "example2.db";
+       };
+};
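Review bot: The only difference from bad-kasp-keydir1.conf is that neither zone sets `key-directory`, which is easy to miss when the two fixtures are read side by side. A comment above the views, e.g. `/* No key-directory set: both zones fall back to the default (working directory) while using different dnssec-policies. */`, would record the intent given in the commit description.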
index e09b9e802b41d0063c311c5279547515150446cc..6b950996ccf6b75f91431d5c7d2f8acb5b391b50 100644 (file)
@@ -192,7 +192,53 @@ view "fourth" {
                file "dnssec-none.db";
                dnssec-policy "none";
        };
+       zone "dnssec-view1" {
+               type master;
+               file "dnssec-view41.db";
+               dnssec-policy "test";
+       };
+       zone "dnssec-view2" {
+               type master;
+               file "dnssec-view42.db";
+       };
+       zone "dnssec-view3" {
+               type master;
+               file "dnssec-view43.db";
+               dnssec-policy "none";
+               key-directory "keys";
+       };
+       zone "dnssec-view4" {
+               type master;
+               file "dnssec-view44.db";
+               dnssec-policy "none";
+       };
        dnssec-policy "default";
+       key-directory ".";
+};
+view "fifth" {
+       zone "dnssec-view1" {
+               type master;
+               file "dnssec-view51.db";
+               dnssec-policy "test";
+       };
+       zone "dnssec-view2" {
+               type master;
+               file "dnssec-view52.db";
+               dnssec-policy "test";
+               key-directory "keys";
+       };
+       zone "dnssec-view3" {
+               type master;
+               file "dnssec-view53.db";
+               dnssec-policy "default";
+               key-directory "keys";
+       };
+       zone "dnssec-view4" {
+               type master;
+               file "dnssec-view54.db";
+               dnssec-policy "none";
+       };
+       key-directory ".";
 };
 view "chaos" chaos {
        zone "hostname.bind" chaos {
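Review bot: The `dnssec-view1` to `dnssec-view4` zone pairs carry no comments saying which permitted case each one covers, and several of them only make sense through view-level inheritance (view "fourth" sets `dnssec-policy "default"` and both views set `key-directory "."`). As read from the hunk, view1 is same policy with the same inherited directory, view2 is different policies with different directories, view3 is a shared `keys` directory with a policy in one view only, and view4 is a shared directory with `none` in both. A one-line comment per zone would keep that mapping from being lost, e.g. `/* same policy "test", same inherited key-directory ".": allowed */` above `dnssec-view1`. View "fourth" starts before this hunk and view "chaos" continues past it, so inherited settings outside the hunk could not be checked.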
index b33d2fc239e0ba8b1bd4b583a595836491c9bf31..08a5665afdf22f9d8fb882979e6a195c88885830 100644 (file)
@@ -13,4 +13,12 @@ dnssec-test IN fourth master
 dnssec-default IN fourth master
 dnssec-inherit IN fourth master
 dnssec-none IN fourth master
+dnssec-view1 IN fourth master
+dnssec-view2 IN fourth master
+dnssec-view3 IN fourth master
+dnssec-view4 IN fourth master
+dnssec-view1 IN fifth master
+dnssec-view2 IN fifth master
+dnssec-view3 IN fifth master
+dnssec-view4 IN fifth master
 hostname.bind chaos chaos master
index e6b2e16e406a1378a3c143c8ad48841020a093ef..23d2c430f97e8c19f8b330f6dba8c1776377fc1d 100644 (file)
@@ -12,6 +12,8 @@
 status=0
 n=0
 
+mkdir keys
+
 n=`expr $n + 1`
 echo_i "checking that named-checkconf handles a known good config ($n)"
 ret=0
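Review bot: `mkdir keys` errors out when the directory is left over from an earlier run, and the matching `rmdir keys` in the final hunk is reached only if the script runs to the end, so an interrupted run leaves exactly that state behind. `mkdir -p keys` would make the setup repeatable. Removing the directory in the test's cleanup script (not shown on this page) as well would cover aborted runs. The script continues outside both hunks, so whether a failed `mkdir` aborts it or is silently ignored cannot be told from here.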
@@ -549,5 +551,7 @@ grep "exceeds 100%" < checkconf.out$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
+rmdir keys
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1