Fix a kasp system test bug

In '_check_apex_dnskey' we check for each key (KEY1 to KEY4) if they
are present in the DNSKEY RRset if they should be.

However, we only grep the dig output for the first seven fields (owner,
ttl, class, type, flags, protocol, algorithm). This can be the same
for different keys.

For example, KEY1 may be KSK predecessor and KEY2 a KSK successor,
both DNSKEY records for these keys are the same up to the public key
field. This can cause test failures if KEY1 needs to be present, but
KEY2 not, because when grepping for KEY2 we will falsely detect the
key to be present (because the grep matches KEY1).

Fix the function by grepping looking for the first seven fields in the
corresponding key file and retrieve the public key part. Grep for this
in the dig output.

diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh
index 74a2345e37e9203619724613df96024f0914f017..01bcce3fd0377eb80c0e3f9cc74c806354375da4 100644 (file)
--- a/bin/tests/system/kasp.sh
+++ b/bin/tests/system/kasp.sh
@@ -1008,6 +1008,15 @@ check_cds() {
        status=$((status+ret))
 }
 
+_find_dnskey() {
+       _owner="${ZONE}."
+       _alg="$(key_get $1 ALG_NUM)"
+       _flags="$(key_get $1 FLAGS)"
+       _key_file="$(key_get $1 BASEFILE).key"
+
+       awk '$1 == "'"$_owner"'" && $2 == "'"$DNSKEY_TTL"'" && $3 == "IN" && $4 == "DNSKEY" && $5 == "'"$_flags"'" && $6 == "3" && $7 == "'"$_alg"'" { print $8 }' < "$_key_file"
+}
+
 
 # Test DNSKEY query.
 _check_apex_dnskey() {
@@ -1015,40 +1024,49 @@ _check_apex_dnskey() {
        grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || return 1
 
        _checksig=0
-       _flags="$(key_get KEY1 FLAGS)"
 
        if [ "$(key_get KEY1 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" = "omnipresent" ]; then
-               grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY1 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1
+               _pubkey=$(_find_dnskey KEY1)
+               test -z "$_pubkey" && return 1
+               grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
                _checksig=1
        elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
-               grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY1 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1
+               _pubkey=$(_find_dnskey KEY1)
+               test -z "$_pubkey" && return 1
+               grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
        fi
 
-       _flags="$(key_get KEY2 FLAGS)"
-
        if [ "$(key_get KEY2 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DNSKEY)" = "omnipresent" ]; then
-               grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY2 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1
+               _pubkey=$(_find_dnskey KEY2)
+               test -z "$_pubkey" && return 1
+               grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
                _checksig=1
        elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
-               grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY2 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1
+               _pubkey=$(_find_dnskey KEY2)
+               test -z "$_pubkey" && return 1
+               grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
        fi
 
-       _flags="$(key_get KEY3 FLAGS)"
-
        if [ "$(key_get KEY3 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DNSKEY)" = "omnipresent" ]; then
-               grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY3 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1
+               _pubkey=$(_find_dnskey KEY3)
+               test -z "$_pubkey" && return 1
+               grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
                _checksig=1
        elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
-               grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY3 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1
+               _pubkey=$(_find_dnskey KEY3)
+               test -z "$_pubkey" && return 1
+               grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
        fi
 
-       _flags="$(key_get KEY4 FLAGS)"
-
        if [ "$(key_get KEY4 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DNSKEY)" = "omnipresent" ]; then
-               grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY4 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || return 1
+               _pubkey=$(_find_dnskey KEY4)
+               test -z "$_pubkey" && return 1
+               grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
                _checksig=1
        elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
-               grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*DNSKEY.*${_flags}.*.3.*$(key_get KEY4 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && return 1
+               _pubkey=$(_find_dnskey KEY4)
+               test -z "$_pubkey" && return 1
+               grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
        fi
 
        test "$_checksig" -eq 0 && return 0