From: Matthijs Mekking Date: Thu, 13 Oct 2022 07:09:12 +0000 (+0200) Subject: Ensure no DNSSEC records are in the raw journal X-Git-Tag: v9.19.14~32^2~6 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=508c60ad90aad316fc1cb3729da588cab0510a45;p=thirdparty%2Fbind9.git Ensure no DNSSEC records are in the raw journal Add checks to the multisigner test to make sure no DNSSEC related records (NSEC, NSEC3, NSEC3PARAM, RRSIG) end up in the raw journal. --- diff --git a/bin/tests/system/multisigner/clean.sh b/bin/tests/system/multisigner/clean.sh index fb75cfe4077..0dd6eb6d488 100644 --- a/bin/tests/system/multisigner/clean.sh +++ b/bin/tests/system/multisigner/clean.sh @@ -25,6 +25,7 @@ rm -f verify.out.* rm -f ns*/*.jbk rm -f ns*/*.jnl +rm -f ns*/*.journal.out.test* rm -f ns*/*.signed rm -f ns*/*.signed.jnl rm -f ns*/*.zsk diff --git a/bin/tests/system/multisigner/tests.sh b/bin/tests/system/multisigner/tests.sh index 6c1ac20b8fa..d6e56f9c8c8 100644 --- a/bin/tests/system/multisigner/tests.sh +++ b/bin/tests/system/multisigner/tests.sh @@ -20,7 +20,6 @@ dig_with_opts() { $DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p $PORT "$@" } - start_time="$(TZ=UTC date +%s)" status=0 n=0 @@ -82,7 +81,6 @@ check_keytimes check_apex dnssec_verify - # # Update DNSKEY RRset. # @@ -98,6 +96,14 @@ zsks_are_published() { test "$lines" -eq 1 || return 1 } +# Check if a certain RRtype is present in the journal file. +rrset_exists() ( + rrtype=$1 + file=$2 + lines=$(awk -v rt="${rrtype}" '$5 == rt {print}' ${file} | wc -l) + test "$lines" -gt 0 +) + n=$((n+1)) echo_i "update zone ${ZONE} at ns3 with ZSK from provider ns4" ret=0 
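Review bot: In the new `rrset_exists` helper the file argument is expanded unquoted in `lines=$(awk -v rt="${rrtype}" '$5 == rt {print}' ${file} | wc -l)`, so a path with whitespace or glob characters would be split or expanded (ShellCheck SC2086); quote it as `"${file}"`. The `{print} | wc -l` followed by `test "$lines" -gt 0` can also collapse into one awk that stops at the first hit, `awk -v rt="${rrtype}" '$5 == rt { found=1; exit } END { exit !found }' "${file}"`, which drops the pipe and the extra process. The helper's contract, that the RR type is the fifth whitespace-separated field of the `$JOURNALPRINT` output it is fed, is only implicit; a header comment such as `# rrset_exists RRTYPE FILE: succeed if FILE (journalprint output, RR type in field 5) contains any record of RRTYPE.` would make it explicit for the next reader. The hunk's last lines (`n=$((n+1))`, `echo_i "update zone ..."`, `ret=0`) open a test step whose remaining commands lie outside the hunk.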
@@ -132,7 +138,17 @@ test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) # Verify again. dnssec_verify - +# No DNSSEC in raw journal. +n=$((n+1)) +echo_i "check zone ${ZONE} raw journal has no DNSSEC ($n)" +ret=0 +$JOURNALPRINT "${DIR}/${ZONE}.db.jnl" > "${DIR}/${ZONE}.journal.out.test$n" +rrset_exists "NSEC" "${DIR}/${ZONE}.journal.out.test$n" && ret=1 +rrset_exists "NSEC3" "${DIR}/${ZONE}.journal.out.test$n" && ret=1 +rrset_exists "NSEC3PARAM" "${DIR}/${ZONE}.journal.out.test$n" && ret=1 +rrset_exists "RRSIG" "${DIR}/${ZONE}.journal.out.test$n" && ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # # Update CDNSKEY RRset. @@ -173,7 +189,6 @@ retry_quiet 10 records_published CDNSKEY 2 || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) - n=$((n+1)) echo_i "update zone ${ZONE} at ns4 with CDNSKEY from provider ns3" ret=0 @@ -192,6 +207,17 @@ echo_i "check zone ${ZONE} CDNSKEY RRset after update ($n)" retry_quiet 10 records_published CDNSKEY 2 || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +# No DNSSEC in raw journal. +n=$((n+1)) +echo_i "check zone ${ZONE} raw journal has no DNSSEC ($n)" +ret=0 +$JOURNALPRINT "${DIR}/${ZONE}.db.jnl" > "${DIR}/${ZONE}.journal.out.test$n" +rrset_exists NSEC "${DIR}/${ZONE}.journal.out.test$n" && ret=1 +rrset_exists NSEC3 "${DIR}/${ZONE}.journal.out.test$n" && ret=1 +rrset_exists NSEC3PARAM "${DIR}/${ZONE}.journal.out.test$n" && ret=1 +rrset_exists RRSIG "${DIR}/${ZONE}.journal.out.test$n" && ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) # 
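Review bot: The new raw-journal check passes vacuously if `$JOURNALPRINT "${DIR}/${ZONE}.db.jnl"` fails, because the redirection still creates an empty `${ZONE}.journal.out.test$n`, every `rrset_exists` call then returns non-zero, and `ret` stays 0; the print step should contribute to the result, `$JOURNALPRINT "${DIR}/${ZONE}.db.jnl" > "${DIR}/${ZONE}.journal.out.test$n" || ret=1`. The same ten-line block is pasted again in the @@ -192 and @@ -242 hunks, with the RR types quoted here (`"NSEC"`) and bare there (`NSEC`), so the check is best factored into a helper beside `rrset_exists` that both reports a failed print and loops over the four types, as sketched below. `DIR` and `ZONE` are set outside this hunk, so which server's journal is inspected at each call site is assumed to follow the preceding update step — worth confirming.

```shell
# Succeed only if the raw journal of ${ZONE} under ${DIR} can be printed and
# holds none of the DNSSEC RR types; the dump is kept for post-mortem.
raw_journal_has_no_dnssec() (
  out="${DIR}/${ZONE}.journal.out.test$n"
  $JOURNALPRINT "${DIR}/${ZONE}.db.jnl" > "$out" || return 1
  for rt in NSEC NSEC3 NSEC3PARAM RRSIG; do
    rrset_exists "$rt" "$out" && return 1
  done
  return 0
)

# … unchanged: step preamble (n=$((n+1)), echo_i, ret=0) …
raw_journal_has_no_dnssec || ret=1
# … unchanged: failure report and status accumulation …
```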
@@ -242,6 +268,17 @@ echo_i "check zone ${ZONE} CDS RRset after update ($n)" retry_quiet 10 records_published CDS 2 || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) +# No DNSSEC in raw journal. +n=$((n+1)) +echo_i "check zone ${ZONE} raw journal has no DNSSEC ($n)" +ret=0 +$JOURNALPRINT "${DIR}/${ZONE}.db.jnl" > "${DIR}/${ZONE}.journal.out.test$n" +rrset_exists NSEC "${DIR}/${ZONE}.journal.out.test$n" && ret=1 +rrset_exists NSEC3 "${DIR}/${ZONE}.journal.out.test$n" && ret=1 +rrset_exists NSEC3PARAM "${DIR}/${ZONE}.journal.out.test$n" && ret=1 +rrset_exists RRSIG "${DIR}/${ZONE}.journal.out.test$n" && ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1