Ensure no DNSSEC records are in the raw journal

Add checks to the multisigner test to make sure no DNSSEC related
records (NSEC, NSEC3, NSEC3PARAM, RRSIG) end up in the raw journal.

diff --git a/bin/tests/system/multisigner/clean.sh b/bin/tests/system/multisigner/clean.sh
index fb75cfe407710ae75f9d9fc2d7917f3eefb2e11f..0dd6eb6d48818a760a01741aa0d9191a650ba285 100644 (file)
--- a/bin/tests/system/multisigner/clean.sh
+++ b/bin/tests/system/multisigner/clean.sh
@@ -25,6 +25,7 @@ rm -f verify.out.*
 
 rm -f ns*/*.jbk
 rm -f ns*/*.jnl
+rm -f ns*/*.journal.out.test*
 rm -f ns*/*.signed
 rm -f ns*/*.signed.jnl
 rm -f ns*/*.zsk

diff --git a/bin/tests/system/multisigner/tests.sh b/bin/tests/system/multisigner/tests.sh
index 6c1ac20b8fa596ec0db390633e4728b3729ebb0d..d6e56f9c8c8e8015cf28d68fd273615dd0f2cb14 100644 (file)
--- a/bin/tests/system/multisigner/tests.sh
+++ b/bin/tests/system/multisigner/tests.sh
@@ -20,7 +20,6 @@ dig_with_opts() {
        $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p $PORT "$@"
 }
 
-
 start_time="$(TZ=UTC date +%s)"
 status=0
 n=0
@@ -82,7 +81,6 @@ check_keytimes
 check_apex
 dnssec_verify
 
-
 #
 # Update DNSKEY RRset.
 #
@@ -98,6 +96,14 @@ zsks_are_published() {
        test "$lines" -eq 1 || return 1
 }
 
+# Check if a certain RRtype is present in the journal file.
+rrset_exists() (
+       rrtype=$1
+       file=$2
+       lines=$(awk -v rt="${rrtype}" '$5 == rt {print}' ${file} | wc -l)
+       test "$lines" -gt 0
+)
+
 n=$((n+1))
 echo_i "update zone ${ZONE} at ns3 with ZSK from provider ns4"
 ret=0
@@ -132,7 +138,17 @@ test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 # Verify again.
 dnssec_verify
-
+# No DNSSEC in raw journal.
+n=$((n+1))
+echo_i "check zone ${ZONE} raw journal has no DNSSEC ($n)"
+ret=0
+$JOURNALPRINT "${DIR}/${ZONE}.db.jnl" > "${DIR}/${ZONE}.journal.out.test$n"
+rrset_exists "NSEC" "${DIR}/${ZONE}.journal.out.test$n" && ret=1
+rrset_exists "NSEC3" "${DIR}/${ZONE}.journal.out.test$n" && ret=1
+rrset_exists "NSEC3PARAM" "${DIR}/${ZONE}.journal.out.test$n" && ret=1
+rrset_exists "RRSIG" "${DIR}/${ZONE}.journal.out.test$n" && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 
 #
 # Update CDNSKEY RRset.
@@ -173,7 +189,6 @@ retry_quiet 10 records_published CDNSKEY 2 || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-
 n=$((n+1))
 echo_i "update zone ${ZONE} at ns4 with CDNSKEY from provider ns3"
 ret=0
@@ -192,6 +207,17 @@ echo_i "check zone ${ZONE} CDNSKEY RRset after update ($n)"
 retry_quiet 10 records_published CDNSKEY 2 || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+# No DNSSEC in raw journal.
+n=$((n+1))
+echo_i "check zone ${ZONE} raw journal has no DNSSEC ($n)"
+ret=0
+$JOURNALPRINT "${DIR}/${ZONE}.db.jnl" > "${DIR}/${ZONE}.journal.out.test$n"
+rrset_exists NSEC "${DIR}/${ZONE}.journal.out.test$n" && ret=1
+rrset_exists NSEC3 "${DIR}/${ZONE}.journal.out.test$n" && ret=1
+rrset_exists NSEC3PARAM "${DIR}/${ZONE}.journal.out.test$n" && ret=1
+rrset_exists RRSIG "${DIR}/${ZONE}.journal.out.test$n" && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 
 
 #
@@ -242,6 +268,17 @@ echo_i "check zone ${ZONE} CDS RRset after update ($n)"
 retry_quiet 10 records_published CDS 2 || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+# No DNSSEC in raw journal.
+n=$((n+1))
+echo_i "check zone ${ZONE} raw journal has no DNSSEC ($n)"
+ret=0
+$JOURNALPRINT "${DIR}/${ZONE}.db.jnl" > "${DIR}/${ZONE}.journal.out.test$n"
+rrset_exists NSEC "${DIR}/${ZONE}.journal.out.test$n" && ret=1
+rrset_exists NSEC3 "${DIR}/${ZONE}.journal.out.test$n" && ret=1
+rrset_exists NSEC3PARAM "${DIR}/${ZONE}.journal.out.test$n" && ret=1
+rrset_exists RRSIG "${DIR}/${ZONE}.journal.out.test$n" && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1