Add test for thaw dynamic kasp zone

Add a test for freezing, manually updating, and then thawing a dynamic
zone with "dnssec-policy". In the kasp system test we add parameters
to the "update_is_signed" check to signal the indicated IP addresses
for the labels "a" and "d". If set to '-', the test is skipped.

After nsupdating the dynamic.kasp zone, we revert the update (with
nsupdate) and update the zone again, but now with the freeze/thaw
approach.

diff --git a/bin/tests/system/kasp/ns3/template2.db.in b/bin/tests/system/kasp/ns3/template2.db.in
index 3fe69f34c38b8123e50d81b35d5159a2762877b4..3377d725a099eb52dfe2d77d3466925bc2df9232 100644 (file)
--- a/bin/tests/system/kasp/ns3/template2.db.in
+++ b/bin/tests/system/kasp/ns3/template2.db.in
@@ -20,6 +20,6 @@ $TTL 300
 ns3                    A       10.53.0.3
 
 a                      A       10.0.0.11
-b                      A       10.0.0.2
-c                      A       10.0.0.3
-d                      A       10.0.0.4
+b                      A       10.0.0.22
+c                      A       10.0.0.33
+d                      A       10.0.0.44

diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 2b423058e93b538a084416b9b5886e63ad40dc3c..ce2869b843ca5a1cd704a6bef9bf0210fd882784 100644 (file)
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -1357,22 +1357,29 @@ cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db"
 rndccmd 10.53.0.3 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed"
 
 update_is_signed() {
-       dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1
-       grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1
-       grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" > /dev/null || return 1
-       lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.a" | wc -l)
-       test "$lines" -eq 1 || return 1
-       get_keys_which_signed A "dig.out.$DIR.test$n.a" | grep "^${KEY_ID}$" > /dev/null || return 1
+       ip_a=$1
+       ip_d=$2
+
+       if [ "$ip_a" != "-" ]; then
+               dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1
+               grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1
+               grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_a}" "dig.out.$DIR.test$n.a" > /dev/null || return 1
+               lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.a" | wc -l)
+               test "$lines" -eq 1 || return 1
+               get_keys_which_signed A "dig.out.$DIR.test$n.a" | grep "^${KEY_ID}$" > /dev/null || return 1
+       fi
 
-       dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n".d || return 1
-       grep "status: NOERROR" "dig.out.$DIR.test$n".d > /dev/null || return 1
-       grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n".d > /dev/null || return 1
-       lines=$(get_keys_which_signed A "dig.out.$DIR.test$n".d | wc -l)
-       test "$lines" -eq 1 || return 1
-       get_keys_which_signed A "dig.out.$DIR.test$n".d | grep "^${KEY_ID}$" > /dev/null || return 1
+       if [ "$ip_d" != "-" ]; then
+               dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n".d || return 1
+               grep "status: NOERROR" "dig.out.$DIR.test$n".d > /dev/null || return 1
+               grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_d}" "dig.out.$DIR.test$n".d > /dev/null || return 1
+               lines=$(get_keys_which_signed A "dig.out.$DIR.test$n".d | wc -l)
+               test "$lines" -eq 1 || return 1
+               get_keys_which_signed A "dig.out.$DIR.test$n".d | grep "^${KEY_ID}$" > /dev/null || return 1
+       fi
 }
 
-retry_quiet 10 update_is_signed || ret=1
+retry_quiet 10 update_is_signed "10.0.0.11" "10.0.0.44" || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
@@ -1400,12 +1407,42 @@ ret=0
 echo zone ${ZONE}
 echo server 10.53.0.3 "$PORT"
 echo update del "a.${ZONE}" 300 A 10.0.0.1
-echo update add "a.${ZONE}" 300 A 10.0.0.11
+echo update add "a.${ZONE}" 300 A 10.0.0.101
 echo update add "d.${ZONE}" 300 A 10.0.0.4
 echo send
 ) | $NSUPDATE
 
-retry_quiet 10 update_is_signed || ret=1
+retry_quiet 10 update_is_signed "10.0.0.101" "10.0.0.4" || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Update zone with nsupdate (reverting the above change).
+n=$((n+1))
+echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)"
+ret=0
+(
+echo zone ${ZONE}
+echo server 10.53.0.3 "$PORT"
+echo update add "a.${ZONE}" 300 A 10.0.0.1
+echo update del "a.${ZONE}" 300 A 10.0.0.101
+echo update del "d.${ZONE}" 300 A 10.0.0.4
+echo send
+) | $NSUPDATE
+
+retry_quiet 10 update_is_signed "10.0.0.1" "-" || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Update zone with freeze/thaw.
+n=$((n+1))
+echo_i "modify zone file and check that new record is signed for zone ${ZONE} ($n)"
+ret=0
+rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed"
+sleep 1
+echo "d.${ZONE}. 300 A 10.0.0.44" >> "${DIR}/${ZONE}.db"
+rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed"
+
+retry_quiet 10 update_is_signed "10.0.0.1" "10.0.0.44" || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))