Add dynamic update prepub and doubleksk test case

Add two test cases for zones that use auto-dnssec, but not
inline-signing, and make sure that the change for find_zone_keys()
do not affect introducing a new key that is intended for signing.

See note https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/7638#note_355944

diff --git a/bin/tests/system/nsupdate/clean.sh b/bin/tests/system/nsupdate/clean.sh
index d7cc60df032fd2cd6053a173c01fa9a8d6ffe1b7..f2a9f1ef599dc523aa0d47b6948442d116120000 100644 (file)
--- a/bin/tests/system/nsupdate/clean.sh
+++ b/bin/tests/system/nsupdate/clean.sh
@@ -21,9 +21,11 @@ rm -f */named.memstats
 rm -f */named.run */ans.run
 rm -f */named.run.prev
 rm -f Kxxx.*
+rm -f doubleksk.key prepub.key
 rm -f check.out.*
 rm -f dig.out.*
 rm -f jp.out.ns3.*
+rm -f keygen.out.*
 rm -f nextpart.out.*
 rm -f ns*/managed-keys.bind* ns*/*.mkeys*
 rm -f ns*/named.lock
@@ -45,12 +47,14 @@ rm -f ns3/*.signed
 rm -f ns3/K*
 rm -f ns3/delegation.test.db
 rm -f ns3/dnskey.test.db
+rm -f ns3/doubleksk.test.db
 rm -f ns3/dsset-*
 rm -f ns3/example.db
 rm -f ns3/relaxed.db
 rm -f ns3/multisigner.test.db
 rm -f ns3/many.test.bk
 rm -f ns3/nsec3param.test.db
+rm -f ns3/prepub.test.db
 rm -f ns3/too-big.test.db
 rm -f ns5/local.db
 rm -f ns6/in-addr.db

diff --git a/bin/tests/system/nsupdate/ns3/doubleksk.test.db.in b/bin/tests/system/nsupdate/ns3/doubleksk.test.db.in
new file mode 100644 (file)
index 0000000..9430fb7
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns3/doubleksk.test.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+doubleksk.test. 10 IN SOA doubleksk.test. hostmaster.doubleksk.test. 1 3600 900 2419200 3600
+doubleksk.test. 10 IN NS doubleksk.test.
+doubleksk.test. 10 IN A 10.53.0.3
+doubleksk.test. 10 IN NSEC3PARAM 1 1 0 -

diff --git a/bin/tests/system/nsupdate/ns3/named.conf.in b/bin/tests/system/nsupdate/ns3/named.conf.in
index ffc240c75dbcdc3b65e4e39d6fd59cc8696923f3..c678fe9d2c3ba83951e05f2eb33cb5032f35edd7 100644 (file)
--- a/bin/tests/system/nsupdate/ns3/named.conf.in
+++ b/bin/tests/system/nsupdate/ns3/named.conf.in
@@ -26,6 +26,16 @@ options {
        dnssec-validation yes;
 };
 
+key rndc_key {
+       secret "1234abcd8765";
+       algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+       inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+
 zone "example" {
        type primary;
        allow-update { any; };
@@ -71,6 +81,22 @@ zone "too-big.test" {
        file "too-big.test.db";
 };
 
+zone "prepub.test" {
+       type primary;
+       allow-update { any; };
+       auto-dnssec maintain;
+       dnssec-dnskey-kskonly yes;
+       file "prepub.test.db.signed";
+};
+
+zone "doubleksk.test" {
+       type primary;
+       allow-update { any; };
+       auto-dnssec maintain;
+       dnssec-dnskey-kskonly yes;
+       file "doubleksk.test.db.signed";
+};
+
 /* Zone for testing CDS and CDNSKEY updates from other provider */
 zone "multisigner.test" {
        type primary;

diff --git a/bin/tests/system/nsupdate/ns3/prepub.test.db.in b/bin/tests/system/nsupdate/ns3/prepub.test.db.in
new file mode 100644 (file)
index 0000000..916a0b2
--- /dev/null
+++ b/bin/tests/system/nsupdate/ns3/prepub.test.db.in
@@ -0,0 +1,15 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+prepub.test. 10 IN SOA prepub.test. hostmaster.prepub.test. 1 3600 900 2419200 3600
+prepub.test. 10 IN NS prepub.test.
+prepub.test. 10 IN A 10.53.0.3
+prepub.test. 10 IN NSEC3PARAM 1 1 0 -

diff --git a/bin/tests/system/nsupdate/ns3/sign.sh b/bin/tests/system/nsupdate/ns3/sign.sh
index 519497c6da1b3b2122a3bf1a209cde7577e6d320..19105e5f1a3434eeb0c29d32ff8bb581a2336d3b 100644 (file)
--- a/bin/tests/system/nsupdate/ns3/sign.sh
+++ b/bin/tests/system/nsupdate/ns3/sign.sh
@@ -46,5 +46,27 @@ cat $infile $keyname1.key $keyname2.key >$zonefile
 
 $SIGNER -A -3 - -P -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
 
+zone=prepub.test.
+infile=prepub.test.db.in
+zonefile=prepub.test.db
+
+keyname1=$($KEYGEN -q -L 3600 -a ${DEFAULT_ALGORITHM} -f KSK $zone)
+keyname2=$($KEYGEN -q -L 3600 -a ${DEFAULT_ALGORITHM} $zone)
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -A -x -3 - -P -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+
+zone=doubleksk.test.
+infile=doubleksk.test.db.in
+zonefile=doubleksk.test.db
+
+keyname1=$($KEYGEN -q -L 3600 -a ${DEFAULT_ALGORITHM} -f KSK $zone)
+keyname2=$($KEYGEN -q -L 3600 -a ${DEFAULT_ALGORITHM} $zone)
+
+cat $infile $keyname1.key $keyname2.key >$zonefile
+
+$SIGNER -A -x -3 - -P -o $zone -k $keyname1 $zonefile $keyname2 > /dev/null
+
 # Just copy multisigner.db.in because it is signed with dnssec-policy.
 cp multisigner.test.db.in multisigner.test.db

diff --git a/bin/tests/system/nsupdate/tests.sh b/bin/tests/system/nsupdate/tests.sh
index d57c357195333f81c557127502af5c4baf1eacb1..8ba497e44c01eebe7131ae552746bd155071ef90 100755 (executable)
--- a/bin/tests/system/nsupdate/tests.sh
+++ b/bin/tests/system/nsupdate/tests.sh
@@ -1614,6 +1614,48 @@ END
 retry_quiet 5 has_positive_response multisigner.test CDNSKEY 10.53.0.3 || ret=1
 [ $ret = 0 ] || { echo_i "failed"; status=1; }
 
+n=$((n + 1))
+ret=0
+echo_i "check that DNSKEY can be prepublished with dynamic update ($n)"
+$DIG $DIGOPTS +tcp +norec prepub.test DNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+grep "ANSWER: 2," dig.out.pre.test$n > /dev/null || ret=1
+zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -K ns3 -L 3600 -P now -A now+1w prepub.test 2> keygen.out.prepub.test.out$n)
+cat "ns3/${zsk}.key" | grep -v ";.*" > prepub.key
+$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone prepub.test
+update add $(cat prepub.key)
+send
+END
+$RNDCCMD 10.53.0.3 loadkeys prepub.test. 2>&1 || ret=1
+$DIG $DIGOPTS +tcp +norec prepub.test DNSKEY @10.53.0.3 > dig.out.post.test$n || ret=1
+grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
+grep "ANSWER: 3," dig.out.post.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
+n=$((n + 1))
+ret=0
+echo_i "check that DNSKEY can be added as a signing key with dynamic update ($n)"
+$DIG $DIGOPTS +dnssec +tcp +norec doubleksk.test DNSKEY @10.53.0.3 > dig.out.pre.test$n || ret=1
+grep "status: NOERROR" dig.out.pre.test$n > /dev/null || ret=1
+# 2x DNSKEY, 1x RRSIG
+grep "ANSWER: 3," dig.out.pre.test$n > /dev/null || ret=1
+ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -K ns3 -L 3600 -fk -P now -A now doubleksk.test 2> keygen.out.doubleksk.test.out$n)
+cat "ns3/${ksk}.key" | grep -v ";.*" > doubleksk.key
+$NSUPDATE -d <<END > nsupdate.out.test$n 2>&1 || ret=1
+server 10.53.0.3 ${PORT}
+zone doubleksk.test
+update add $(cat doubleksk.key)
+send
+END
+$RNDCCMD 10.53.0.3 loadkeys doubleksk.test. 2>&1 || ret=1
+$DIG $DIGOPTS +dnssec +tcp +norec doubleksk.test DNSKEY @10.53.0.3 > dig.out.post.test$n || ret=1
+grep "status: NOERROR" dig.out.post.test$n > /dev/null || ret=1
+# 3x DNSKEY, 2x RRSIG
+grep "ANSWER: 5," dig.out.post.test$n > /dev/null || ret=1
+[ $ret = 0 ] || { echo_i "failed"; status=1; }
+
 n=$((n + 1))
 ret=0
 echo_i "check that excessive NSEC3PARAM iterations are rejected by nsupdate ($n)"