From: Matthijs Mekking Date: Tue, 20 Aug 2024 12:38:24 +0000 (+0200) Subject: Test removing DNSKEYs from other providers X-Git-Tag: v9.21.3~88^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5f552293d72dbfb150d6e4ab5ff660996f51baf1;p=thirdparty%2Fbind9.git Test removing DNSKEYs from other providers In a multi-signer setup, removing DNSKEY records from the zone should not be treated as a key that previously exists in the keyring, thus blocking the keymgr. Add a test case to make sure. --- diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index cea5eb42a2a..2215666bb35 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -2201,16 +2201,23 @@ check_apex check_subdomain dnssec_verify -# Check that the ZSKs from the other provider are published. +# Check that the ZSKs from the other providers are published. zsks_are_published() { + num=$1 dig_with_opts +short "$ZONE" "@${SERVER}" DNSKEY >"dig.out.$DIR.test$n" || return 1 # We should have three ZSKs. lines=$(grep "256 3 13" dig.out.$DIR.test$n | wc -l) - test "$lines" -eq 3 || return 1 + test "$lines" -eq $num || return 1 # And one KSK. lines=$(grep "257 3 13" dig.out.$DIR.test$n | wc -l) test "$lines" -eq 1 || return 1 } +n=$((n + 1)) +echo_i "check initial number of ZSKs (one from us and one from another provider) for zone ${ZONE} ($n)" +ret=0 +retry_quiet 10 zsks_are_published 2 || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) n=$((n + 1)) echo_i "update zone with ZSK from another provider for zone ${ZONE} ($n)" @@ -2221,7 +2228,21 @@ ret=0 echo update add $(cat "${DIR}/${ZONE}.zsk2") echo send ) | $NSUPDATE -retry_quiet 10 zsks_are_published || ret=1 +retry_quiet 10 zsks_are_published 3 || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status + ret)) + +n=$((n + 1)) +echo_i "remove ZSKs from the other providers for zone ${ZONE} ($n)" +ret=0 +( + echo zone ${ZONE} + echo server 10.53.0.3 "$PORT" + echo update del $(cat "${DIR}/${ZONE}.zsk1") + echo update del $(cat "${DIR}/${ZONE}.zsk2") + echo send +) | $NSUPDATE +retry_quiet 10 zsks_are_published 1 || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status + ret))