check_apex
dnssec_verify
+set_server "ns4" "10.53.0.4"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_model2
+check_keytimes
+check_apex
+dnssec_verify
+
+
+#
+# Update DNSKEY RRset.
+#
+
# Check that the ZSKs from the other provider are published.
zsks_are_published() {
dig_with_opts "$ZONE" "@${SERVER}" DNSKEY > "dig.out.$DIR.test$n" || return 1
n=$((n+1))
echo_i "update zone ${ZONE} at ns3 with ZSK from provider ns4"
ret=0
+set_server "ns3" "10.53.0.3"
(
-echo zone ${ZONE}
-echo server 10.53.0.3 "$PORT"
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
echo update add $(cat "ns4/${ZONE}.zsk")
echo send
) | $NSUPDATE
# Verify again.
dnssec_verify
-set_server "ns4" "10.53.0.4"
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_model2
-check_keytimes
-check_apex
-dnssec_verify
n=$((n+1))
echo_i "update zone ${ZONE} at ns4 with ZSK from provider ns3"
ret=0
+set_server "ns4" "10.53.0.4"
(
-echo zone ${ZONE}
-echo server 10.53.0.4 "$PORT"
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
echo update add $(cat "ns3/${ZONE}.zsk")
echo send
) | $NSUPDATE
# Verify again.
dnssec_verify
+
+#
+# Update CDNSKEY RRset.
+#
+
+# Check that the CDNSKEY from both providers are published.
+records_published() {
+ _rrtype=$1
+ _expect=$2
+
+ dig_with_opts "$ZONE" "@${SERVER}" "${_rrtype}" > "dig.out.$DIR.test$n" || return 1
+ lines=$(awk -v rt="${_rrtype}" '$4 == rt {print}' dig.out.$DIR.test$n | wc -l)
+ test "$lines" -eq "$_expect" || return 1
+}
+
+# Retrieve CDNSKEY records from the other provider.
+dig_with_opts ${ZONE} @10.53.0.3 CDNSKEY > dig.out.ns3.cdnskey
+awk '$4 == "CDNSKEY" {print}' dig.out.ns3.cdnskey > cdnskey.ns3
+dig_with_opts ${ZONE} @10.53.0.4 CDNSKEY > dig.out.ns4.cdnskey
+awk '$4 == "CDNSKEY" {print}' dig.out.ns4.cdnskey > cdnskey.ns4
+
+n=$((n+1))
+echo_i "update zone ${ZONE} at ns3 with CDNSKEY from provider ns4"
+ret=0
+set_server "ns3" "10.53.0.3"
+# Initially there should be one CDNSKEY.
+retry_quiet 10 records_published CDNSKEY 1 || ret=1
+(
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
+echo update add $(cat "cdnskey.ns4")
+echo send
+) | $NSUPDATE
+# Now there should be two CDNSKEY records (we test that BIND does not
+# skip it during DNSSEC maintenance).
+echo_i "check zone ${ZONE} CDNSKEY RRset after update ($n)"
+retry_quiet 10 records_published CDNSKEY 2 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+
+n=$((n+1))
+echo_i "update zone ${ZONE} at ns4 with CDNSKEY from provider ns3"
+ret=0
+set_server "ns4" "10.53.0.4"
+# Initially there should be one CDNSKEY.
+retry_quiet 10 records_published CDNSKEY 1 || ret=1
+(
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
+echo update add $(cat "cdnskey.ns3")
+echo send
+) | $NSUPDATE
+# Now there should be two CDNSKEY records (we test that BIND does not
+# skip it during DNSSEC maintenance).
+echo_i "check zone ${ZONE} CDNSKEY RRset after update ($n)"
+retry_quiet 10 records_published CDNSKEY 2 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+
+#
+# Update CDS RRset.
+#
+
+# Retrieve CDS records from the other provider.
+dig_with_opts ${ZONE} @10.53.0.3 CDS > dig.out.ns3.cds
+awk '$4 == "CDS" {print}' dig.out.ns3.cds > cds.ns3
+dig_with_opts ${ZONE} @10.53.0.4 CDS > dig.out.ns4.cds
+awk '$4 == "CDS" {print}' dig.out.ns4.cds > cds.ns4
+
+n=$((n+1))
+echo_i "update zone ${ZONE} at ns3 with CDS from provider ns4"
+ret=0
+set_server "ns3" "10.53.0.3"
+# Initially there should be one CDS.
+retry_quiet 10 records_published CDS 1 || ret=1
+(
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
+echo update add $(cat "cds.ns4")
+echo send
+) | $NSUPDATE
+# Now there should be two CDS records (we test that BIND does not
+# skip it during DNSSEC maintenance).
+echo_i "check zone ${ZONE} CDS RRset after update ($n)"
+retry_quiet 10 records_published CDS 2 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+
+n=$((n+1))
+echo_i "update zone ${ZONE} at ns4 with CDS from provider ns3"
+ret=0
+set_server "ns4" "10.53.0.4"
+# Initially there should be one CDS.
+retry_quiet 10 records_published CDS 1 || ret=1
+(
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
+echo update add $(cat "cds.ns3")
+echo send
+) | $NSUPDATE
+# Now there should be two CDS records (we test that BIND does not
+# skip it during DNSSEC maintenance).
+echo_i "check zone ${ZONE} CDS RRset after update ($n)"
+retry_quiet 10 records_published CDS 2 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
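Review bot: The CDNSKEY and CDS records are fetched once (`dig_with_opts ${ZONE} @10.53.0.4 CDNSKEY > dig.out.ns4.cdnskey` and its three sibling lines) before any `retry_quiet 10 records_published ... 1` wait, and neither dig's exit status nor the resulting `cdnskey.ns*` / `cds.ns*` file is checked. If a server has not published the record yet, `$(cat "cdnskey.ns4")` expands to nothing and nsupdate receives a bare `update add`, so the failure only surfaces ten retries later with no hint of the cause; the same unquoted substitution would also fold several records onto one line. I would wait for publication on each server before fetching from it, fail early with `test -s cdnskey.ns4 || ret=1` (likewise for the other three files), and fold the update result in with `) | $NSUPDATE || ret=1`. Separately, `records_published` only counts lines, and the checks before and after the update write the same `dig.out.$DIR.test$n`, so a pass does not show that the second record is the imported one. As far as this hunk shows, it also does not prove that a maintenance run happened before the count was taken; comparing the rdata against the saved file would make the assertion match the "does not skip it during DNSSEC maintenance" comment.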