From: Mark Andrews
Date: Thu, 23 Jun 2022 04:22:10 +0000 (+1000)
Subject: Make "checking revoked key with duplicate key ID" work
X-Git-Tag: v9.19.4~36^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=513cb24b5539f5173b31f154fa401b356ed563b4;p=thirdparty%2Fbind9.git
Make "checking revoked key with duplicate key ID" work
There should be 2 keys with the same key id after the numerically lower one is revoked (serial space arithmetic). The DS points at the non-revoked key so validation should still succeed.
---
diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh
index 20d04e3bca1..6b969c31781 100644
--- a/bin/tests/system/autosign/ns1/keygen.sh
+++ b/bin/tests/system/autosign/ns1/keygen.sh
@@ -19,7 +19,7 @@ infile=root.db.in
 (cd ../ns2 && $SHELL keygen.sh )
-cat $infile ../ns2/dsset-example. > $zonefile
+cat $infile ../ns2/dsset-example. ../ns2/dsset-bar. > $zonefile
 zskact=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone)
 zskvanish=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone)
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index b14e1c9cdcd..96a6c4d20af 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -1309,17 +1309,22 @@ n=$((n + 1))
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
-echo_i "checking revoked key with duplicate key ID (failure expected) ($n)"
-lret=0
+echo_i "checking revoked key with duplicate key ID ($n)"
+ret=0
 id=30676
-$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || lret=1
-grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null || lret=1
-$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || lret=1
-grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || lret=1
+rid=30804
+$DIG $DIGOPTS +multi dnskey bar @10.53.0.2 > dig.out.ns2.test$n || ret=1
+grep '; key id = '"$id"'$' dig.out.ns2.test$n > /dev/null && ret=1
+keys=$(grep '; key id = '"$rid"'$' dig.out.ns2.test$n | wc -l)
+test $keys -eq 2 || ret=1
+$DIG $DIGOPTS dnskey bar @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1
 n=$((n + 1))
-if [ $lret != 0 ]; then echo_i "not yet implemented"; fi
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
 echo_i "checking key event timers are always set ($n)"
+ret=0
 # this is a regression test for a bug in which the next key event could
 # be scheduled for the present moment, and then never fire. check for
 # visible evidence of this error in the logs:
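Review bot: The new assertion `test $keys -eq 2` only counts DNSKEY comments carrying tag 30804 in the ns2 answer; nothing in the hunk checks that one of those two keys is actually the revoked one, which is the case the test title names. Consider also asserting on dig.out.ns2.test$n that a DNSKEY with the REVOKE bit set (flags 385 rather than 257) is present, so the check cannot pass on a tag collision alone. `rid=30804` would be easier to maintain with a comment such as `# tag of key $id once revoked: setting the REVOKE flag (0x0080) raises the key tag by 128`. The count can also be written without the pipe as `keys=$(grep -c '; key id = '"$rid"'$' dig.out.ns2.test$n)` followed by `test "$keys" -eq 2 || ret=1`; confirm first that the script does not run under `set -e`, since `grep -c` exits non-zero on a zero count. The surrounding script starts and continues outside this hunk.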