From: Matthijs Mekking Date: Tue, 14 Jan 2025 13:10:20 +0000 (+0100) Subject: Test dnssec-signzone with private key file missing X-Git-Tag: v9.21.5~35^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0a91321d787968f1fb0409023d6ab233f0a4403e;p=thirdparty%2Fbind9.git Test dnssec-signzone with private key file missing Add a test case for the scenario below. There is a case when signing a zone with dnssec-signzone where the private key file is moved outside the key directory (for offline ksk purposes), and then the zone is resigned. The signature of the DNSKEY needs refreshing, but is not expired. Rather than removing the signature without having a valid replacement, leave the signature in the zone (despite it needs to be refreshed).
---
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index d94c2670740..1c3876e0fba 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -1358,6 +1358,33 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+echo_ic "two DNSKEYs, DNSKEY RRset only by KSK ($n)"
+ret=0
+(
+cd signer/general || exit 1
+rm -f signed.zone
+$SIGNER -s now-1mo -e now+2d -P -x -f signed.zone -O full -o example.com. test1.zone >signer.out.$n
+test -f signed.zone
+) || ret=1
+n=$((n+1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_ic "two DNSKEYs, DNSKEY RRset only by KSK, private key missing ($n)"
+ret=0
+(
+  cd signer/general || exit 1
+  cp signed.zone signed.expect
+  grep "example\.com\..*3600.*IN.*RRSIG.*DNSKEY.*10.*2.*3600.*28633.*example\.com\." signed.expect >dnskey.expect || exit 1
+  mv Kexample.com.+010+28633.private Kexample.com.+010+28633.offline
+  $SIGNER -P -x -f signed.zone -O full -o example.com. signed.zone >signer.out.$n
+  mv Kexample.com.+010+28633.offline Kexample.com.+010+28633.private
+  grep "$(cat dnskey.expect)" signed.zone >/dev/null || exit 1
+) || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 echo_ic "one non-KSK DNSKEY ($n)"
 ret=0
 (
diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
index b0e9a558712..91817bd0b7b 100644
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@@ -146,7 +146,9 @@ pytestmark = pytest.mark.extra_artifacts(
 "signer/example.db.changed",
 "signer/example2.db",
 "signer/example3.db",
+ "signer/general/dnskey.expect",
 "signer/general/dsset-*",
+ "signer/general/signed.expect",
 "signer/general/signed.zone",
 "signer/general/signer.out.*",
 "signer/nsec3param.out",
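Review bot: In the second added test ("private key missing") the exit status of `$SIGNER` is never checked, so if dnssec-signzone errors out with the key moved aside and presumably leaves signed.zone untouched, the final grep still finds the RRSIG copied from signed.expect and the case passes vacuously. Capturing the status before the key file is restored keeps the key in place for the later tests while still failing this one: `$SIGNER -P -x -f signed.zone -O full -o example.com. signed.zone >signer.out.$n; rc=$?`, then after the `mv` back, `test "$rc" -eq 0 || exit 1`. The final check also feeds the captured RRSIG line through `$(cat ...)` as a regex, where every `.` is a wildcard and a multi-line capture would become alternative patterns; `grep -qxF -f dnskey.expect signed.zone || exit 1` matches the exact line instead. Separately, the first added subshell body is unindented while the second is indented by two spaces; one style for both would read better.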