Alter mkeys system test

The mkeys system test configured 'auto-dnssec' on the root zone to do
smart signing and simulate root key changes that should be picked up
by the automated trust anchor management of BIND.

This does not require 'auto-dnssec' or 'dnssec-policy', so change the
tests to use manual smart signing with 'dnssec-signzone'.

diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh
index 3f297a22a2f5a01bba721751125c5bfbfd4d7210..045c9b21c51878b74a711847760e9f73bc19df04 100644 (file)
--- a/bin/tests/system/mkeys/clean.sh
+++ b/bin/tests/system/mkeys/clean.sh
@@ -25,6 +25,7 @@ rm -f ns*/named.lock
 rm -f ns1/dsset-sub.tld.
 rm -f ns1/dsset-tld.
 rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
+rm -f ns1/signer.out.*
 rm -f ns1/zone.key
 rm -f ns3/broken.conf
 rm -f ns4/dsset-sub.foo.

diff --git a/bin/tests/system/mkeys/ns1/named1.conf.in b/bin/tests/system/mkeys/ns1/named1.conf.in
index 0b3f068a27bed678ff030dd1b3e65e9b2446a794..4271668ea97e4f7b979950b83e3195ca686e315d 100644 (file)
--- a/bin/tests/system/mkeys/ns1/named1.conf.in
+++ b/bin/tests/system/mkeys/ns1/named1.conf.in
@@ -44,8 +44,6 @@ controls {
 zone "." {
        type primary;
        file "root.db.signed";
-       allow-update { any; };
-       auto-dnssec maintain;
 };
 
 zone "tld" {

diff --git a/bin/tests/system/mkeys/ns1/root.db b/bin/tests/system/mkeys/ns1/root.db
index bc837886721fe9ede40024ec9f6c7df2535fc422..333ee457596b9d9cbcd106c6b3136c3b3a5348d6 100644 (file)
--- a/bin/tests/system/mkeys/ns1/root.db
+++ b/bin/tests/system/mkeys/ns1/root.db
@@ -11,7 +11,7 @@
 
 $TTL 20
 .                      IN SOA  gson.nominum.com. a.root.servers.nil. (
-                               2000042100      ; serial
+                               1               ; serial
                                600             ; refresh
                                600             ; retry
                                1200            ; expire

diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh
index 626e18f77683433b8872a1079562f3f9f3e8dc6c..0a24811afc3185fb2560932f1f80a93df0b8e0cb 100644 (file)
--- a/bin/tests/system/mkeys/ns1/sign.sh
+++ b/bin/tests/system/mkeys/ns1/sign.sh
@@ -37,7 +37,7 @@ zonefile=root.db
 keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
 zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
 
-$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+$SIGNER -Sg -N unixtime -o $zone $zonefile > /dev/null 2>/dev/null
 
 # Configure the resolving server with an initializing key.
 keyfile_to_initial_ds $keyname > managed.conf

diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
index a82cff8a78fd8ec3ca78281259561381b95aeb19..68757fa824450f5a3ff8c5be3f66aaf3c2ef4db8 100644 (file)
--- a/bin/tests/system/mkeys/tests.sh
+++ b/bin/tests/system/mkeys/tests.sh
@@ -41,11 +41,15 @@ mkeys_reload_on() (
        wait_for_log 20 "loaded serial" "ns${nsidx}"/named.run || return 1
 )
 
-mkeys_loadkeys_on() (
-       nsidx=$1
-       nextpart "ns${nsidx}"/named.run > /dev/null
-       rndccmd "10.53.0.${nsidx}" loadkeys . | sed "s/^/ns${nsidx} /" | cat_i
-       wait_for_log 20 "next key event" "ns${nsidx}"/named.run || return 1
+mkeys_resign_rootzone() (
+       n=$1
+       (
+               cd ns1
+               $SIGNER -PSg -N unixtime -o . root.db > signer.out.test$1 2>&1
+       )
+       nextpart ns1/named.run > /dev/null
+       rndccmd "10.53.0.1" reload . | sed "s/^/ns1 /" | cat_i
+       wait_for_log 20 "loaded serial" ns1/named.run || return 1
 )
 
 mkeys_refresh_on() (
@@ -137,7 +141,7 @@ n=$((n+1))
 echo_i "check new trust anchor can be added ($n)"
 ret=0
 standby1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .)
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 mkeys_refresh_on 2 || ret=1
 mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
 # there should be two keys listed now
@@ -178,7 +182,7 @@ ret=0
 mkeys_sync_on 2 || ret=1
 t1=$(grep "trust pending" ns2/managed-keys.bind) || true
 $SETTIME -D now -K ns1 "$standby1" > /dev/null
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 # Less than a second may have passed since the last time ns2 received a
 # ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
 # timestamp to prevent false negatives caused by the acceptance timer getting
@@ -199,7 +203,7 @@ echo_i "restore untrusted standby key, revoke original key ($n)"
 t1=$t2
 $SETTIME -D none -K ns1 "$standby1" > /dev/null
 $SETTIME -R now -K ns1 "$original" > /dev/null
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 # Less than a second may have passed since the last time ns2 received a
 # ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
 # timestamp to prevent false negatives caused by the acceptance timer getting
@@ -269,9 +273,9 @@ ret=0
 echo_i "restore revoked key, ensure same result ($n)"
 t1=$t2
 $SETTIME -R none -D now -K ns1 "$original" > /dev/null
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 $SETTIME -D none -K ns1 "$original" > /dev/null
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 # Less than a second may have passed since the last time ns2 received a
 # ./DNSKEY response from ns1.  Ensure keys are refreshed at a different
 # timestamp to prevent false negatives caused by the acceptance timer getting
@@ -347,7 +351,7 @@ echo_i "revoke original key, add new standby ($n)"
 ret=0
 standby2=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .)
 $SETTIME -R now -K ns1 "$original" > /dev/null
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 mkeys_refresh_on 2 || ret=1
 mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
 # three keys listed
@@ -378,7 +382,7 @@ n=$((n+1))
 echo_i "revoke standby before it is trusted ($n)"
 ret=0
 standby3=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .)
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 mkeys_refresh_on 2 || ret=1
 mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
 # four keys listed
@@ -391,7 +395,7 @@ count=$(grep -c "trust revoked" rndc.out.1.$n) || true
 count=$(grep -c "trust pending" rndc.out.1.$n) || true
 [ "$count" -eq 2 ] || { echo_i "trust pending count ($count) != 2"; ret=1; }
 $SETTIME -R now -K ns1 "$standby3" > /dev/null
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 mkeys_refresh_on 2 || ret=1
 mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1
 # now three keys listed
@@ -404,7 +408,7 @@ count=$(grep -c "trust revoked" rndc.out.2.$n) || true
 count=$(grep -c "trust pending" rndc.out.2.$n) || true
 [ "$count" -eq 1 ] || { echo_i "trust pending count ($count) != 1"; ret=1; }
 $SETTIME -D now -K ns1 "$standby3" > /dev/null
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
@@ -435,7 +439,7 @@ ret=0
 $SETTIME -D now -K ns1 "$original" > /dev/null
 $SETTIME -R now -K ns1 "$standby1" > /dev/null
 $SETTIME -R now -K ns1 "$standby2" > /dev/null
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 mkeys_refresh_on 2 || ret=1
 mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
 # two keys listed