From: Matthijs Mekking <matthijs@isc.org>
Date: Fri, 31 Jul 2020 09:13:53 +0000 (+0200)
Subject: Test 'rndc dnssec -checkds' on multiple zones
X-Git-Tag: v9.17.5~63^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a43bb41909285cb13eba858306fef84bbb326002;p=thirdparty%2Fbind9.git

Test 'rndc dnssec -checkds' on multiple zones

Make sure the 'checkds' command correctly sets the right key timing
metadata and also make sure that it rejects setting the key timing
metadata if there are multiple keys with the KSK role and no key
identifier is provided.
---

diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in
index 8a7f3ebd487..ef1fc22fa74 100644
--- a/bin/tests/system/kasp/ns3/named.conf.in
+++ b/bin/tests/system/kasp/ns3/named.conf.in
@@ -45,6 +45,27 @@ zone "default.kasp" {
 	dnssec-policy "default";
 };
 
+/* checkds: Zone with one KSK. */
+zone "checkds-ksk.kasp" {
+	type primary;
+	file "checkds-ksk.kasp.db";
+	dnssec-policy "checkds-ksk";
+};
+
+/* checkds: Zone with two KSKs. */
+zone "checkds-doubleksk.kasp" {
+	type primary;
+	file "checkds-doubleksk.kasp.db";
+	dnssec-policy "checkds-doubleksk";
+};
+
+/* checkds: Zone with one CSK. */
+zone "checkds-csk.kasp" {
+	type primary;
+	file "checkds-csk.kasp.db";
+	dnssec-policy "checkds-csk";
+};
+
 /* Key lifetime unlimited. */
 zone "unlimited.kasp" {
 	type primary;
diff --git a/bin/tests/system/kasp/ns3/policies/kasp.conf b/bin/tests/system/kasp/ns3/policies/kasp.conf
index e0ce931d901..81c764c7f20 100644
--- a/bin/tests/system/kasp/ns3/policies/kasp.conf
+++ b/bin/tests/system/kasp/ns3/policies/kasp.conf
@@ -76,3 +76,30 @@ dnssec-policy "ecdsa384" {
 		zsk key-directory lifetime P1Y  algorithm 14 384;
 	};
 };
+
+dnssec-policy "checkds-ksk" {
+	dnskey-ttl 303;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm 13;
+		zsk key-directory lifetime unlimited algorithm 13;
+	};
+};
+
+dnssec-policy "checkds-doubleksk" {
+	dnskey-ttl 303;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm 13;
+		ksk key-directory lifetime unlimited algorithm 13;
+		zsk key-directory lifetime unlimited algorithm 13;
+	};
+};
+
+dnssec-policy "checkds-csk" {
+	dnskey-ttl 303;
+
+	keys {
+		csk key-directory lifetime unlimited algorithm 13;
+	};
+};
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index f75cd6e53ad..c6e62e8b257 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -53,7 +53,7 @@ U="UNRETENTIVE"
 for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \
 	  rumoured rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 \
 	  dynamic dynamic-inline-signing inline-signing \
-	  inherit unlimited
+	  checkds-ksk checkds-doubleksk checkds-csk inherit unlimited
 do
 	setup "${zn}.kasp"
 	cp template.db.in "$zonefile"
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 34915ff221c..d83017b6bab 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -960,35 +960,6 @@ check_dnssecstatus() {
 	status=$((status+ret))
 }
 
-_loadkeys_on() {
-	_server=$1
-	_dir=$2
-	_zone=$3
-
-	nextpart $_dir/named.run > /dev/null
-	rndccmd $_server loadkeys $_zone in $_view > rndc.dnssec.loadkeys.out.$_zone.$n
-	wait_for_log 20 "zone ${_zone}/IN (signed): next key event" $_dir/named.run || return 1
-}
-
-# Tell named that the DS for the key in given zone has been seen in the
-# parent (this does not actually has to be true, we just issue the command
-# to make named believe it can continue with the rollover).
-rndc_checkds() {
-	_server=$1
-	_dir=$2
-	_keyid=$3
-	_when=$4
-	_what=$5
-	_zone=$6
-	_view=$7
-
-	echo_i "calling checkds $_what key ${_keyid} zone ${_zone} ($n)"
-
-	rndccmd $_server dnssec -checkds -key $_keyid -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed"
-	_loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
-}
-
-
 # Check if RRset of type $1 in file $2 is signed with the right keys.
 # The right keys are the ones that expect a signature and matches the role $3.
 check_signatures() {
@@ -1201,6 +1172,42 @@ check_subdomain() {
 	status=$((status+ret))
 }
 
+#
+# rndc dnssec -checkds
+#
+_loadkeys_on() {
+	_server=$1
+	_dir=$2
+	_zone=$3
+
+	nextpart $_dir/named.run > /dev/null
+	rndccmd $_server loadkeys $_zone in $_view > rndc.dnssec.loadkeys.out.$_zone.$n
+	wait_for_log 20 "zone ${_zone}/IN (signed): next key event" $_dir/named.run || return 1
+}
+
+# Tell named that the DS for the key in given zone has been seen in the
+# parent (this does not actually has to be true, we just issue the command
+# to make named believe it can continue with the rollover).
+rndc_checkds() {
+	_server=$1
+	_dir=$2
+	_keyid=$3
+	_when=$4
+	_what=$5
+	_zone=$6
+	_view=$7
+
+	echo_i "calling checkds $_what key ${_keyid} zone ${_zone} ($n)"
+
+	if [ "${_keyid}" = "-" ]; then
+		rndccmd $_server dnssec -checkds -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed"
+	else
+		rndccmd $_server dnssec -checkds -key $_keyid -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed"
+	fi
+
+	_loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
+}
+
 #
 # Zone: default.kasp.
 #