From: Mark Andrews
Date: Wed, 29 Jan 2020 08:02:01 +0000 (+1100)
Subject: check kskonly key ids
X-Git-Tag: v9.14.11~25^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7f079c4fa37e03de5d01c1908fc1cf378c9d4e8e;p=thirdparty%2Fbind9.git

check kskonly key ids
(cherry picked from commit 379949cce43be56ec3132cd1c1f4c9b24d9d04fb)
---
diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh
index bee3bbfd62f..550b5a7f7f5 100644
--- a/bin/tests/system/dnssec/clean.sh
+++ b/bin/tests/system/dnssec/clean.sh
@@ -24,9 +24,9 @@ rm -f ./canonical?.*
 rm -f ./delv.out*
 rm -f ./delve.out*
 rm -f ./dig.out.*
+rm -f ./dnssectools.out*
 rm -f ./dsfromkey.out.*
 rm -f ./keygen.err
-rm -f ./dnssectools.out*
 rm -f ./named.secroots.test*
 rm -f ./nosign.before
 rm -f ./ns*/*.nta
@@ -37,11 +37,13 @@ rm -f ./ns1/root.db ./ns2/example.db ./ns2/managed.db ./ns2/trusted.db
 rm -f ./ns2/algroll.db
 rm -f ./ns2/badparam.db ./ns2/badparam.db.bad
 rm -f ./ns2/cdnskey-kskonly.secure.db
+rm -f ./ns2/cdnskey-kskonly.secure.id
 rm -f ./ns2/cdnskey-update.secure.db
 rm -f ./ns2/cdnskey-x.secure.db
 rm -f ./ns2/cdnskey.secure.db
 rm -f ./ns2/cds-auto.secure.db ./ns2/cds-auto.secure.db.jnl
 rm -f ./ns2/cds-kskonly.secure.db
+rm -f ./ns2/cds-kskonly.secure.id
 rm -f ./ns2/cds-update.secure.db ./ns2/cds-update.secure.db.jnl
 rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db
 rm -f ./ns2/dlv.db
@@ -50,8 +52,6 @@ rm -f ./ns2/nsec3chain-test.db
 rm -f ./ns2/private.secure.example.db
 rm -f ./ns2/single-nsec3.db
 rm -f ./ns2/updatecheck-kskonly.secure.*
-rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db
-rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp
 rm -f ./ns3/auto-nsec.example.db ./ns3/auto-nsec3.example.db
 rm -f ./ns3/badds.example.db
 rm -f ./ns3/dname-at-apex-nsec3.example.db
@@ -59,10 +59,10 @@ rm -f ./ns3/dnskey-nsec3-unknown.example.db
 rm -f ./ns3/dnskey-nsec3-unknown.example.db.tmp
 rm -f ./ns3/dnskey-unknown.example.db
 rm -f ./ns3/dnskey-unknown.example.db.tmp
-rm -f ./ns3/dnskey-unsupported.example.db
-rm -f ./ns3/dnskey-unsupported.example.db.tmp
 rm -f ./ns3/dnskey-unsupported-2.example.db
 rm -f ./ns3/dnskey-unsupported-2.example.db.tmp
+rm -f ./ns3/dnskey-unsupported.example.db
+rm -f ./ns3/dnskey-unsupported.example.db.tmp
 rm -f ./ns3/dynamic.example.db ./ns3/dynamic.example.db.signed.jnl
 rm -f ./ns3/expired.example.db ./ns3/update-nsec3.example.db
 rm -f ./ns3/expiring.example.db ./ns3/nosign.example.db
@@ -82,6 +82,7 @@ rm -f ./ns3/publish-inactive.example.db
 rm -f ./ns3/revkey.example.db
 rm -f ./ns3/rsasha256.example.db ./ns3/rsasha512.example.db
 rm -f ./ns3/secure.below-cname.example.db
+rm -f ./ns3/secure.example.db ./ns3/*.managed.db ./ns3/*.trusted.db
 rm -f ./ns3/secure.nsec3.example.db
 rm -f ./ns3/secure.optout.example.db
 rm -f ./ns3/siginterval.conf
@@ -91,6 +92,7 @@ rm -f ./ns3/split-smart.example.db
 rm -f ./ns3/ttlpatch.example.db ./ns3/ttlpatch.example.db.signed
 rm -f ./ns3/ttlpatch.example.db.patched
 rm -f ./ns3/unsecure.example.db ./ns3/bogus.example.db ./ns3/keyless.example.db
+rm -f ./ns3/unsupported.managed.db.tmp ./ns3/unsupported.trusted.db.tmp
 rm -f ./ns4/managed-keys.bind*
 rm -f ./ns4/named_dump.db*
 rm -f ./ns6/optout-tld.db
diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh
index 23964b98189..0c588f2e54b 100644
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -263,6 +263,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
 "$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+keyfile_to_key_id "$key1" > cds-kskonly.secure.id
 
 zone=cds-auto.secure
 infile=cds-auto.secure.db.in
@@ -306,6 +307,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
 key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
 cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
 "$SIGNER" -P -g -o "$zone" "$zonefile" > /dev/null 2>&1
+keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id
 
 zone=cdnskey-auto.secure
 infile=cdnskey-auto.secure.db.in
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 9f511fa279b..c645a897811 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3402,6 +3402,7 @@ status=$((status+ret))
 echo_i "check that CDS records are signed only using KSK when added by"
 echo_i " nsupdate when dnssec-dnskey-kskonly is yes ($n)"
 ret=0
+keyid=$(cat ns2/cds-kskonly.secure.id)
 (
 echo zone cds-kskonly.secure
 echo server 10.53.0.2 "$PORT"
@@ -3416,6 +3417,8 @@ echo send
 dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
+lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 2 || ret=1
 n=$((n+1))
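Review bot: The KSK key id is recorded by `keyfile_to_key_id "$key1" > cds-kskonly.secure.id` with no check that the helper (presumably from the shared conf.sh, not visible here) succeeded, so a failure silently leaves an empty or missing .id file and the consumer in tests.sh then fails its RRSIG count with no hint that the cause is here rather than in the signer. A minimal guard plus a comment would make the intent and the failure mode visible, e.g. `# record the KSK key tag so tests.sh can verify CDS RRSIGs are made with it` followed by `keyfile_to_key_id "$key1" > cds-kskonly.secure.id || echo "failed to record key id for $zone" >&2`. The same applies to the cdnskey-kskonly.secure.id line in the next hunk. The zone block these lines belong to starts before the hunk; the key1 line is only the hunk header context.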
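Review bot: `keyid=$(cat ns2/cds-kskonly.secure.id)` tolerates an empty or absent .id file: keyid becomes empty, the new awk comparison later in the test can never match, and ret=1 is set with no message distinguishing "key id not recorded" from "signed by the wrong key". Adding `test -n "$keyid" || ret=1` right after the assignment, ideally with an `echo_i` naming the file, would make the failure self-explaining. The same read appears at hunks 3428 and 3631 below and could take the same guard.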
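Review bot: The new filter `$11 == id` depends on the field layout of dig's one-line RRSIG presentation (field 11 being the key tag), which nothing in the hunk states; a comment such as `# field 11 of an RRSIG line in dig output is the key tag; the single signature must be the KSK's` would make the check readable without consulting dig output by hand. awk compares a `-v` value numerically when it looks numeric, so a zero-padded tag in the .id file would still match as long as keyfile_to_key_id emits a plain number; worth confirming against that helper's definition. The same three-line check is repeated at hunks 3439 and 3643 below and could carry the same comment.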
@@ -3425,6 +3428,7 @@ status=$((status+ret))
 echo_i "check that CDS deletion records are signed only using KSK when added by"
 echo_i " nsupdate when dnssec-dnskey-kskonly is yes ($n)"
 ret=0
+keyid=$(cat ns2/cds-kskonly.secure.id)
 (
 echo zone cds-kskonly.secure
 echo server 10.53.0.2 "$PORT"
@@ -3435,6 +3439,8 @@ echo send
 dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
+lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
 n=$((n+1))
@@ -3625,6 +3631,7 @@ status=$((status+ret))
 echo_i "check that CDNSKEY records are signed only using KSK when added by"
 echo_i " nsupdate when dnssec-dnskey-kskonly is yes ($n)"
 ret=0
+keyid=$(cat ns2/cdnskey-kskonly.secure.id)
 (
 echo zone cdnskey-kskonly.secure
 echo server 10.53.0.2 "$PORT"
@@ -3636,6 +3643,8 @@ echo send
 dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n
 lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
+lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l)
+test "$lines" -eq 1 || ret=1
 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l)
 test "$lines" -eq 1 || ret=1
 n=$((n+1))