Test NSEC3PARAM TTL is not preserved

Now that we are setting the NSEC3PARAM TTL to SOA MINIMUM, we should
not preserve the TTL, otherwise a SOA MINIMUM change would not be
picked up.

diff --git a/bin/tests/system/nsec3/clean.sh b/bin/tests/system/nsec3/clean.sh
index 7ca682968902d7ea6b573e973ad0a31e92bd7fe4..fab9352c1c8fe3c20dfad2f091259bf98ccf85de 100644 (file)
--- a/bin/tests/system/nsec3/clean.sh
+++ b/bin/tests/system/nsec3/clean.sh
@@ -13,7 +13,7 @@
 
 set -e
 
-rm -f dig.out.* rndc.signing.* update.out.* verify.out.*
+rm -f dig.out.* rndc.reload.* rndc.signing.* update.out.* verify.out.*
 rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
 rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind
 rm -f ns*/K*.private ns*/K*.key ns*/K*.state

diff --git a/bin/tests/system/nsec3/ns3/template2.db.in b/bin/tests/system/nsec3/ns3/template2.db.in
new file mode 100644 (file)
index 0000000..963606b
--- /dev/null
+++ b/bin/tests/system/nsec3/ns3/template2.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@              IN      SOA  mname1. . (
+                       2       ; serial
+                       20      ; refresh (20 seconds)
+                       20      ; retry (20 seconds)
+                       1814400 ; expire (3 weeks)
+                       900    ; minimum (15 minutes)
+                       )
+
+                       NS      ns3
+ns3                    A       10.53.0.3
+
+a                      A       10.0.0.1
+b                      A       10.0.0.2
+c                      A       10.0.0.3
+

diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
index 1c66f0858c5b5e667ad91212c786fb4584c8f005..bf744b696a299cf1e008586a5bd6c781e44f1f3d 100644 (file)
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -275,14 +275,6 @@ set_nsec3param "0" "0" "0"
 set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
-# Test that NSEC3PARAM TTL is equal to SOA MINIMUM.
-n=$((n+1))
-echo_i "check TTL of NSEC3PARAM in zone $ZONE ($n)"
-ret=0
-dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.test$n" || ret=1
-grep "${ZONE}\..*3600.*IN.*NSEC3PARAM" "dig.out.test$n" > /dev/null || ret=1
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
 
 # Zone: nsec3-dynamic.kasp.
 set_zone_policy "nsec3-dynamic.kasp" "nsec3" 1 3600
@@ -298,6 +290,24 @@ set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
+# Test that NSEC3PARAM TTL is equal to SOA MINIMUM.
+n=$((n+1))
+echo_i "check TTL of NSEC3PARAM in zone $ZONE is equal to SOA MINIMUM ($n)"
+ret=0
+dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.test$n" || ret=1
+grep "${ZONE}\..*3600.*IN.*NSEC3PARAM" "dig.out.test$n" > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Update SOA MINIMUM.
+cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db"
+rndccmd $SERVER reload $ZONE > rndc.reload.test$n.$ZONE || log_error "failed to call rndc reload $ZONE"
+_wait_for_new_soa() {
+       dig_with_opts +noquestion "@${SERVER}" "$ZONE" SOA > "dig.out.soa.test$n" || return 1
+       grep "${ZONE}\..*IN.*SOA.*mname1..*..*20.*20.*.1814400.*900" "dig.out.soa.test$n" > /dev/null || return 1
+}
+retry_quiet 10 _wait_for_new_soa || log_error "failed to update SOA record in zone $ZONE"
+
 # Zone: nsec3-dynamic-change.kasp.
 set_zone_policy "nsec3-dynamic-change.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
@@ -461,6 +471,16 @@ set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
+# Test that NSEC3PARAM TTL is equal to new SOA MINIMUM.
+n=$((n+1))
+echo_i "check TTL of NSEC3PARAM in zone $ZONE is updated after SOA MINIMUM changed ($n)"
+ret=0
+# Check NSEC3PARAM TTL.
+dig_with_opts +noquestion "@${SERVER}" "$ZONE" NSEC3PARAM > "dig.out.nsec3param.test$n" || ret=1
+grep "${ZONE}\..*900.*IN.*NSEC3PARAM" "dig.out.nsec3param.test$n" > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 # Zone: nsec3-dynamic-change.kasp. (reconfigured)
 set_zone_policy "nsec3-dynamic-change.kasp" "nsec3-other" 1 3600
 set_nsec3param "1" "11" "8"