Add a test case for no -P sync
authorMatthijs Mekking <matthijs@isc.org>
Tue, 29 Jul 2025 08:15:00 +0000 (10:15 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Tue, 19 Aug 2025 14:07:12 +0000 (14:07 +0000)
This is a follow-up to the test cases that were added a long time ago
to cover migrating to dnssec-policy.

The test covers legacy keys that do not have the SyncPublish timing
metadata set.

bin/tests/system/migrate2kasp/ns3/named.conf.j2
bin/tests/system/migrate2kasp/ns3/setup.sh
bin/tests/system/migrate2kasp/tests_migrate2kasp.py

index 3bf1b5955fb04b213fb2daa3302d5e65c01577e9..a52538b262c5f47859cab2e17435670f5bb86ba5 100644 (file)
@@ -78,6 +78,14 @@ zone "omnipresent.kasp" {
        allow-update { any; };
 };
 
+zone "no-syncpublish.kasp" {
+       type primary;
+       file "no-syncpublish.kasp.db";
+       dnssec-policy "timing-metadata";
+       inline-signing no;
+       allow-update { any; };
+};
+
 zone "migrate-nomatch-algnum.kasp" {
        type primary;
        file "migrate-nomatch-algnum.kasp.db";
index ef2623bd2ba90e7755622bdb6c95c40d0cb34492..0f6cccc8799d3aadf31251644563e1cfc71ce9f3 100644 (file)
@@ -146,3 +146,16 @@ cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
+
+# Key states expected to be omnipresent after migration, except DS because -P sync is missing.
+setup no-syncpublish.kasp
+echo "$zone" >>zones
+Tsig="now-12h" # Zone's maximum TTL + propagation delay
+ksktimes="-P ${Tsig} -A ${Tsig}"
+zsktimes="-P ${Tsig} -A ${Tsig}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
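Review bot: The comment on the first added line states the DS exception but leaves the reader to spot why: `ksktimes` on the added line below it carries only `-P` and `-A`, and nothing in the hunk names the SyncPublish flag that is deliberately left out. I would make the omission explicit where the timings are defined, e.g. `# Legacy KSK without SyncPublish metadata (no "-P sync"), so the DS state cannot be derived as omnipresent after migration.` placed above the `ksktimes=` assignment. The `Tsig` value `now-12h` is presumably mirrored by the `offset` of the matching pytest case in tests_migrate2kasp.py; a one-line comment pointing at that coupling would help anyone changing one without the other.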
index 95b37d7a07895ffdf64e5ceb33e791aa072d2b8e..92642c1f29833647d0b8c848cdc5efa28828f888 100644 (file)
@@ -199,6 +199,21 @@ lifetime = {
             },
             id="omnipresent.kasp",
         ),
+        # Testing key states derived from timing metadata: no SyncPublish.
+        pytest.param(
+            {
+                "zone": "no-syncpublish.kasp",
+                "policy": "timing-metadata",
+                "server": "ns3",
+                "config": timing_config,
+                "offset": -timedelta(hours=12),
+                "key-properties": [
+                    f"ksk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured",
+                    f"zsk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
+                ],
+            },
+            id="no-syncpublish.kasp",
+        ),
         # Test migration to dnssec-policy, existing keys do not match key algorithm.
         pytest.param(
             {
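Review bot: The comment introducing the new `pytest.param` says "no SyncPublish" but does not say what that is expected to change, so the `ds:rumoured` expectation in the ksk key-properties line reads as an unexplained difference from the `omnipresent.kasp` case above it. I would extend the comment to `# Testing key states derived from timing metadata: the legacy KSK has no SyncPublish time, so DS is expected to be rumoured rather than omnipresent.` The `"offset": -timedelta(hours=12)` value appears to correspond to the `now-12h` timing used when the zone's keys are generated in ns3/setup.sh; noting that dependency inline would keep the two in step. The enclosing parametrize list continues outside the hunk.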