From: Matthijs Mekking
Date: Mon, 11 Jul 2022 08:25:47 +0000 (+0200)
Subject: Test setting of inline-signing with dnssec-policy
X-Git-Tag: v9.19.4~42^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=efa8a4e88de7715e69badd10e3ba948a50935d16;p=thirdparty%2Fbind9.git

Test setting of inline-signing with dnssec-policy

When dnssec-policy is used, and the zone is not dynamic, BIND will assume that the zone is inline-signed. Add test cases to verify this.
---
diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh
index f4058f64005..03ff93c4c4a 100644
--- a/bin/tests/system/kasp.sh
+++ b/bin/tests/system/kasp.sh
@@ -864,6 +864,28 @@ check_dnssecstatus() {
 	status=$((status+ret))
 }
 
+# Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if
+# inline-signing is enabled.
+check_inlinesigning() {
+	_server=$1
+	_zone=$2
+	_view=$3
+
+	_rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1
+	grep "inline signing: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1
+}
+
+# Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if
+# the zone is dynamic.
+check_isdynamic() {
+	_server=$1
+	_zone=$2
+	_view=$3
+
+	_rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1
+	grep "dynamic: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1
+}
+
 # Check if RRset of type $1 in file $2 is signed with the right keys.
 # The right keys are the ones that expect a signature and matches the role $3.
 _check_signatures() {
diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh
index 174bed21e4a..637e5e0ce78 100644
--- a/bin/tests/system/kasp/clean.sh
+++ b/bin/tests/system/kasp/clean.sh
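Review bot: `check_inlinesigning` and `check_isdynamic` are identical apart from the grep pattern, and both report an `_rndccmd` failure and "expected line absent" with the same `return 1`, so a caller that negates them with `&& log_error` silently passes when rndc itself fails. I would factor the rndc call and the grep into one helper that takes the pattern, and say in the header comment what the return code means, e.g. `# Returns 0 only if the zonestatus output contains "inline signing: yes"; 1 if rndc fails or the line is absent.` The unquoted `$_server`, `$_zone` and `$_view` on the `_rndccmd` line work for the fixed test inputs but should be quoted as the callers in tests.sh already do. Wording nit in both comments: "check output if" reads better as "check whether".
```shell
# Run rndc zonestatus on server $1 for zone $2 in view $3 and succeed only if
# the output contains the line $4 (e.g. "inline signing: yes"); returns 1 both
# when rndc fails and when the line is absent.
_check_zonestatus() {
	_rndccmd "$1" zonestatus "$2" in "$3" > "rndc.zonestatus.out.$2.$n" || return 1
	grep "$4" "rndc.zonestatus.out.$2.$n" > /dev/null || return 1
}

check_inlinesigning() {
	_check_zonestatus "$1" "$2" "$3" "inline signing: yes"
}

check_isdynamic() {
	_check_zonestatus "$1" "$2" "$3" "dynamic: yes"
}
```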
@@ -29,7 +29,7 @@ rm -f ns*/zones ns*/*.db.infile
 rm -f ns*/*.zsk1 ns*/*.zsk2
 rm -f ns3/legacy-keys.*
 rm -f *.created published.test* retired.test*
-rm -f rndc.dnssec.*.out.*
+rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.*
 rm -f python.out.*
 rm -f *-supported.file
 rm -f created.key-* unused.key-*
diff --git a/bin/tests/system/kasp/ns4/named.conf.in b/bin/tests/system/kasp/ns4/named.conf.in
index c3f19a93962..568587e09bb 100644
--- a/bin/tests/system/kasp/ns4/named.conf.in
+++ b/bin/tests/system/kasp/ns4/named.conf.in
@@ -145,9 +145,12 @@ view "none" {
 
 view "example1" {
 	match-clients { key "keyforview1"; };
+	allow-update { any; };
+
 	zone "example.net" {
 		type primary;
 		file "example1.db";
+		// Dynamic zone, inline-signing disabled, policy inerhited.
 	};
 };
 
@@ -157,6 +160,7 @@ view "example2" {
 	zone "example.net" {
 		type primary;
 		file "example2.db";
+		// Static zone, inline-signing, policy inherited.
 	};
 };
 
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 52007245bbf..9c6cea20c84 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -1880,8 +1880,16 @@ set_keytimes_csk_policy
 check_keytimes
 check_apex
 dnssec_verify
+# check zonestatus
 n=$((n+1))
+echo_i "check $ZONE (view example1) zonestatus ($n)"
+ret=0
+check_isdynamic "$SERVER" "$ZONE" "example1" || log_error "zone not dynamic"
+check_inlinesigning "$SERVER" "$ZONE" "example1" && log_error "inline-signing enabled, expected disabled"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 # check subdomain
+n=$((n+1))
 echo_i "check TXT example.net (view example1) rrset is signed correctly ($n)"
 ret=0
 dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
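Review bot: The new comment on the example1 zone misspells "inherited" as `inerhited`; the matching comment added in the example2 hunk has it right, so the line should read `// Dynamic zone, inline-signing disabled, policy inherited.` It would also help a reader to say in that comment that the added `allow-update { any; };` appears to be what makes this view's zone dynamic for the test, since that is the property the new zonestatus check in tests.sh relies on.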
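Review bot: The negative assertion `check_inlinesigning "$SERVER" "$ZONE" "example1" && log_error "inline-signing enabled, expected disabled"` passes whenever the helper returns non-zero, including when `_rndccmd` itself fails or the output file is empty, so a broken rndc counts as "disabled"; the `check_isdynamic ... && log_error "zone dynamic, but not expected"` lines in the example2 and example3 hunks have the same weakness. Asserting the expected value directly closes the gap, e.g. `grep "inline signing: no" "rndc.zonestatus.out.$ZONE.$n" > /dev/null || log_error "inline-signing enabled, expected disabled"`, reading the file that the preceding `check_isdynamic` call has just written for the same `$n`. Either way the `# check zonestatus` block would then fail loudly when rndc is unreachable instead of reporting success.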
@@ -1897,8 +1905,16 @@ check_keys
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
 check_apex
 dnssec_verify
+# check zonestatus
 n=$((n+1))
+echo_i "check $ZONE (view example2) zonestatus ($n)"
+ret=0
+check_isdynamic "$SERVER" "$ZONE" "example2" && log_error "zone dynamic, but not expected"
+check_inlinesigning "$SERVER" "$ZONE" "example2" || log_error "inline-signing disabled, expected enabled"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 # check subdomain
+n=$((n+1))
 echo_i "check TXT example.net (view example2) rrset is signed correctly ($n)"
 ret=0
 dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
@@ -1914,8 +1930,16 @@ check_keys
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example3"
 check_apex
 dnssec_verify
+# check zonestatus
 n=$((n+1))
+echo_i "check $ZONE (view example3) zonestatus ($n)"
+ret=0
+check_isdynamic "$SERVER" "$ZONE" "example3" && log_error "zone dynamic, but not expected"
+check_inlinesigning "$SERVER" "$ZONE" "example3" || log_error "inline-signing disabled, expected enabled"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 # check subdomain
+n=$((n+1))
 echo_i "check TXT example.net (view example3) rrset is signed correctly ($n)"
 ret=0
 dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"