Add test cases for 'checkds yes'

author Matthijs Mekking <matthijs@isc.org>

Tue, 28 Mar 2023 10:00:56 +0000 (12:00 +0200)

committer Matthijs Mekking <matthijs@isc.org>

Mon, 3 Apr 2023 14:01:22 +0000 (14:01 +0000)
author Matthijs Mekking <matthijs@isc.org>
Tue, 28 Mar 2023 10:00:56 +0000 (12:00 +0200)
committer Matthijs Mekking <matthijs@isc.org>
Mon, 3 Apr 2023 14:01:22 +0000 (14:01 +0000)
diff --git a/bin/tests/system/checkds/ns2/ns2-4-5.db.in b/bin/tests/system/checkds/ns2/ns2-4-5.db.in

index 9ea5b889c28d2ff377865a3ede9cd500450c98eb..3a8b69432e5991926a80682f0920c93edd72495b 100644 (file)
--- a/bin/tests/system/checkds/ns2/ns2-4-5.db.in
+++ b/bin/tests/system/checkds/ns2/ns2-4-5.db.in
@@ -28,3 +28,7 @@ ns5                           A       10.53.0.5
  $ORIGIN explicit.dspublish.ns2-4-5.
  incomplete                     NS      ns9.incomplete
  ns9.imcomplete                 A       10.53.0.9
+
+$ORIGIN yes.dspublish.ns2-4-5.
+incomplete                     NS      ns9.incomplete
+ns9.imcomplete                 A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns2/ns2-4-6.db.in b/bin/tests/system/checkds/ns2/ns2-4-6.db.in

index f30962852b88181d599e4ef2728b007779adbfe6..b29fabc982a6d9119f29b663ba8dafdaa3dbbf19 100644 (file)
--- a/bin/tests/system/checkds/ns2/ns2-4-6.db.in
+++ b/bin/tests/system/checkds/ns2/ns2-4-6.db.in
@@ -28,3 +28,7 @@ ns6                           A       10.53.0.6
  $ORIGIN explicit.dspublish.ns2-4-6.
  bad                            NS      ns9.bad
  ns9.bad                                A       10.53.0.9
+
+$ORIGIN yes.dspublish.ns2-4-6.
+bad                            NS      ns9.bad
+ns9.bad                                A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns2/ns2-4.db.in b/bin/tests/system/checkds/ns2/ns2-4.db.in

index 5ed06dbb92fbf42b7e96ba262c08fca46cb4971f..86b050a87218064bcaaa49bbc6f8ca9e8a10b0dc 100644 (file)
--- a/bin/tests/system/checkds/ns2/ns2-4.db.in
+++ b/bin/tests/system/checkds/ns2/ns2-4.db.in
@@ -26,3 +26,7 @@ ns4                           A       10.53.0.4
  $ORIGIN explicit.dspublish.ns2-4.
  good                           NS      ns9.good
  ns9.good                       A       10.53.0.9
+
+$ORIGIN yes.dspublish.ns2-4.
+good                           NS      ns9.good
+ns9.good                       A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns2/ns2-5-7.db.in b/bin/tests/system/checkds/ns2/ns2-5-7.db.in

index 689f316e5ce70fe4df0c8f29841ab34fafe92eb3..b1fe39c6a568e4801305a75a5204a607beaea161 100644 (file)
--- a/bin/tests/system/checkds/ns2/ns2-5-7.db.in
+++ b/bin/tests/system/checkds/ns2/ns2-5-7.db.in
@@ -28,3 +28,7 @@ ns7                           A       10.53.0.7
  $ORIGIN explicit.dsremoved.ns2-5-7.
  incomplete                     NS      ns9.incomplete
  ns9.incomplete                 A       10.53.0.9
+
+$ORIGIN yes.dsremoved.ns2-5-7.
+incomplete                     NS      ns9.incomplete
+ns9.incomplete                 A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns2/ns2.db.in b/bin/tests/system/checkds/ns2/ns2.db.in

index 200129ef1bf63959959b01070824aa005391f396..bd4a635e4f35bcad699179d3442b31580639a2a7 100644 (file)
--- a/bin/tests/system/checkds/ns2/ns2.db.in
+++ b/bin/tests/system/checkds/ns2/ns2.db.in
@@ -29,6 +29,14 @@ ns9.good                     A       10.53.0.9
  ns9.reference                  A       10.53.0.9
  ns9.resolver                   A       10.53.0.9
  
+$ORIGIN yes.dspublish.ns2.
+good                           NS      ns9.good
+ns9.good                       A       10.53.0.9
+
  $ORIGIN explicit.dsremoved.ns2.
  still-there                    NS      ns9.still-there
  ns9.still-there                        A       10.53.0.9
+
+$ORIGIN yes.dsremoved.ns2.
+still-there                    NS      ns9.still-there
+ns9.still-there                        A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns2/ns5-6-7.db.in b/bin/tests/system/checkds/ns2/ns5-6-7.db.in

index 5a4200bda9f869f3dcee8cd241588b45d93dbfbf..6be4649886af37f0095be8b0f1189f23b666356d 100644 (file)
--- a/bin/tests/system/checkds/ns2/ns5-6-7.db.in
+++ b/bin/tests/system/checkds/ns2/ns5-6-7.db.in
@@ -28,3 +28,7 @@ ns7                           A       10.53.0.7
  $ORIGIN explicit.dsremoved.ns5-6-7.
  bad                            NS      ns9.bad
  ns9.bad                                A       10.53.0.9
+
+$ORIGIN yes.dsremoved.ns5-6-7.
+bad                            NS      ns9.bad
+ns9.bad                                A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns2/ns5-7.db.in b/bin/tests/system/checkds/ns2/ns5-7.db.in

index f051c5eafb08201bd40430da22c006e23611926b..5d66b990b5ded9a3d95f153e57ebef89ed10400e 100644 (file)
--- a/bin/tests/system/checkds/ns2/ns5-7.db.in
+++ b/bin/tests/system/checkds/ns2/ns5-7.db.in
@@ -26,3 +26,7 @@ ns7                           A       10.53.0.7
  $ORIGIN explicit.dsremoved.ns5-7.
  good                           NS      ns9.good
  ns9.good                       A       10.53.0.9
+
+$ORIGIN yes.dsremoved.ns5-7.
+good                           NS      ns9.good
+ns9.good                       A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns2/ns5.db.in b/bin/tests/system/checkds/ns2/ns5.db.in

index 33449d340c5e68188c4f598dd0d0b3596c3b6f08..4501776a3e5416c58d5c21d2039a629c9c056029 100644 (file)
--- a/bin/tests/system/checkds/ns2/ns5.db.in
+++ b/bin/tests/system/checkds/ns2/ns5.db.in
@@ -25,8 +25,18 @@ $ORIGIN explicit.dspublish.ns5.
  not-yet                                NS      ns9.not-yet
  ns9.not-yet                    A       10.53.0.9
  
+$ORIGIN yes.dspublish.ns5.
+not-yet                                NS      ns9.not-yet
+ns9.not-yet                    A       10.53.0.9
+
  $ORIGIN explicit.dsremoved.ns5.
  good                           NS      ns9.good
  resolver                       NS      ns9.resolver
  ns9.good                       A       10.53.0.9
  ns9.resolver                   A       10.53.0.9
+
+$ORIGIN yes.dsremoved.ns5.
+good                           NS      ns9.good
+resolver                       NS      ns9.resolver
+ns9.good                       A       10.53.0.9
+ns9.resolver                   A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns2/ns6.db.in b/bin/tests/system/checkds/ns2/ns6.db.in

index 27cbb03d9922b275deaba9db551735697d1b2256..59e28543e0c2527465f88cf00d6ba769db1d5eac 100644 (file)
--- a/bin/tests/system/checkds/ns2/ns6.db.in
+++ b/bin/tests/system/checkds/ns2/ns6.db.in
@@ -28,3 +28,11 @@ ns9.bad                              A       10.53.0.9
  $ORIGIN explicit.dsremoved.ns6.
  bad                            NS      ns9.bad
  ns9.bad                                A       10.53.0.9
+
+$ORIGIN yes.dspublish.ns6.
+bad                            NS      ns9.bad
+ns9.bad                                A       10.53.0.9
+
+$ORIGIN yes.dsremoved.ns6.
+bad                            NS      ns9.bad
+ns9.bad                                A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns5/ns2-4-5.db.in b/bin/tests/system/checkds/ns5/ns2-4-5.db.in

index 9ea5b889c28d2ff377865a3ede9cd500450c98eb..3a8b69432e5991926a80682f0920c93edd72495b 100644 (file)
--- a/bin/tests/system/checkds/ns5/ns2-4-5.db.in
+++ b/bin/tests/system/checkds/ns5/ns2-4-5.db.in
@@ -28,3 +28,7 @@ ns5                           A       10.53.0.5
  $ORIGIN explicit.dspublish.ns2-4-5.
  incomplete                     NS      ns9.incomplete
  ns9.imcomplete                 A       10.53.0.9
+
+$ORIGIN yes.dspublish.ns2-4-5.
+incomplete                     NS      ns9.incomplete
+ns9.imcomplete                 A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns5/ns2-4-6.db.in b/bin/tests/system/checkds/ns5/ns2-4-6.db.in

index f30962852b88181d599e4ef2728b007779adbfe6..b29fabc982a6d9119f29b663ba8dafdaa3dbbf19 100644 (file)
--- a/bin/tests/system/checkds/ns5/ns2-4-6.db.in
+++ b/bin/tests/system/checkds/ns5/ns2-4-6.db.in
@@ -28,3 +28,7 @@ ns6                           A       10.53.0.6
  $ORIGIN explicit.dspublish.ns2-4-6.
  bad                            NS      ns9.bad
  ns9.bad                                A       10.53.0.9
+
+$ORIGIN yes.dspublish.ns2-4-6.
+bad                            NS      ns9.bad
+ns9.bad                                A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns5/ns2-4.db.in b/bin/tests/system/checkds/ns5/ns2-4.db.in

index 5ed06dbb92fbf42b7e96ba262c08fca46cb4971f..86b050a87218064bcaaa49bbc6f8ca9e8a10b0dc 100644 (file)
--- a/bin/tests/system/checkds/ns5/ns2-4.db.in
+++ b/bin/tests/system/checkds/ns5/ns2-4.db.in
@@ -26,3 +26,7 @@ ns4                           A       10.53.0.4
  $ORIGIN explicit.dspublish.ns2-4.
  good                           NS      ns9.good
  ns9.good                       A       10.53.0.9
+
+$ORIGIN yes.dspublish.ns2-4.
+good                           NS      ns9.good
+ns9.good                       A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns5/ns2-5-7.db.in b/bin/tests/system/checkds/ns5/ns2-5-7.db.in

index 689f316e5ce70fe4df0c8f29841ab34fafe92eb3..b1fe39c6a568e4801305a75a5204a607beaea161 100644 (file)
--- a/bin/tests/system/checkds/ns5/ns2-5-7.db.in
+++ b/bin/tests/system/checkds/ns5/ns2-5-7.db.in
@@ -28,3 +28,7 @@ ns7                           A       10.53.0.7
  $ORIGIN explicit.dsremoved.ns2-5-7.
  incomplete                     NS      ns9.incomplete
  ns9.incomplete                 A       10.53.0.9
+
+$ORIGIN yes.dsremoved.ns2-5-7.
+incomplete                     NS      ns9.incomplete
+ns9.incomplete                 A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns5/ns2.db.in b/bin/tests/system/checkds/ns5/ns2.db.in

index 200129ef1bf63959959b01070824aa005391f396..bd4a635e4f35bcad699179d3442b31580639a2a7 100644 (file)
--- a/bin/tests/system/checkds/ns5/ns2.db.in
+++ b/bin/tests/system/checkds/ns5/ns2.db.in
@@ -29,6 +29,14 @@ ns9.good                     A       10.53.0.9
  ns9.reference                  A       10.53.0.9
  ns9.resolver                   A       10.53.0.9
  
+$ORIGIN yes.dspublish.ns2.
+good                           NS      ns9.good
+ns9.good                       A       10.53.0.9
+
  $ORIGIN explicit.dsremoved.ns2.
  still-there                    NS      ns9.still-there
  ns9.still-there                        A       10.53.0.9
+
+$ORIGIN yes.dsremoved.ns2.
+still-there                    NS      ns9.still-there
+ns9.still-there                        A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns5/ns5-6-7.db.in b/bin/tests/system/checkds/ns5/ns5-6-7.db.in

index 5a4200bda9f869f3dcee8cd241588b45d93dbfbf..6be4649886af37f0095be8b0f1189f23b666356d 100644 (file)
--- a/bin/tests/system/checkds/ns5/ns5-6-7.db.in
+++ b/bin/tests/system/checkds/ns5/ns5-6-7.db.in
@@ -28,3 +28,7 @@ ns7                           A       10.53.0.7
  $ORIGIN explicit.dsremoved.ns5-6-7.
  bad                            NS      ns9.bad
  ns9.bad                                A       10.53.0.9
+
+$ORIGIN yes.dsremoved.ns5-6-7.
+bad                            NS      ns9.bad
+ns9.bad                                A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns5/ns5-7.db.in b/bin/tests/system/checkds/ns5/ns5-7.db.in

index f051c5eafb08201bd40430da22c006e23611926b..5d66b990b5ded9a3d95f153e57ebef89ed10400e 100644 (file)
--- a/bin/tests/system/checkds/ns5/ns5-7.db.in
+++ b/bin/tests/system/checkds/ns5/ns5-7.db.in
@@ -26,3 +26,7 @@ ns7                           A       10.53.0.7
  $ORIGIN explicit.dsremoved.ns5-7.
  good                           NS      ns9.good
  ns9.good                       A       10.53.0.9
+
+$ORIGIN yes.dsremoved.ns5-7.
+good                           NS      ns9.good
+ns9.good                       A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns5/ns5.db.in b/bin/tests/system/checkds/ns5/ns5.db.in

index 33449d340c5e68188c4f598dd0d0b3596c3b6f08..4501776a3e5416c58d5c21d2039a629c9c056029 100644 (file)
--- a/bin/tests/system/checkds/ns5/ns5.db.in
+++ b/bin/tests/system/checkds/ns5/ns5.db.in
@@ -25,8 +25,18 @@ $ORIGIN explicit.dspublish.ns5.
  not-yet                                NS      ns9.not-yet
  ns9.not-yet                    A       10.53.0.9
  
+$ORIGIN yes.dspublish.ns5.
+not-yet                                NS      ns9.not-yet
+ns9.not-yet                    A       10.53.0.9
+
  $ORIGIN explicit.dsremoved.ns5.
  good                           NS      ns9.good
  resolver                       NS      ns9.resolver
  ns9.good                       A       10.53.0.9
  ns9.resolver                   A       10.53.0.9
+
+$ORIGIN yes.dsremoved.ns5.
+good                           NS      ns9.good
+resolver                       NS      ns9.resolver
+ns9.good                       A       10.53.0.9
+ns9.resolver                   A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns5/ns6.db.in b/bin/tests/system/checkds/ns5/ns6.db.in

index 27cbb03d9922b275deaba9db551735697d1b2256..59e28543e0c2527465f88cf00d6ba769db1d5eac 100644 (file)
--- a/bin/tests/system/checkds/ns5/ns6.db.in
+++ b/bin/tests/system/checkds/ns5/ns6.db.in
@@ -28,3 +28,11 @@ ns9.bad                              A       10.53.0.9
  $ORIGIN explicit.dsremoved.ns6.
  bad                            NS      ns9.bad
  ns9.bad                                A       10.53.0.9
+
+$ORIGIN yes.dspublish.ns6.
+bad                            NS      ns9.bad
+ns9.bad                                A       10.53.0.9
+
+$ORIGIN yes.dsremoved.ns6.
+bad                            NS      ns9.bad
+ns9.bad                                A       10.53.0.9
diff --git a/bin/tests/system/checkds/ns9/named.conf.in b/bin/tests/system/checkds/ns9/named.conf.in

index e9c6075efca20fa2d33642a59cf864db594305a5..6697e5fc2e6e88ee30a25a6ba14b0b8957abda07 100644 (file)
--- a/bin/tests/system/checkds/ns9/named.conf.in
+++ b/bin/tests/system/checkds/ns9/named.conf.in
@@ -78,6 +78,15 @@ zone "resolver.explicit.dspublish.ns2" {
         };
  };
  
+/* Same as above, but now with auto parental agents. */
+zone "good.yes.dspublish.ns2" {
+       type primary;
+       file "good.yes.dspublish.ns2.db";
+       inline-signing yes;
+       dnssec-policy "default";
+       checkds yes;
+};
+
  /*
   * 1.     Enabling DNSSEC
   * 1.1    - With one parental agent
@@ -93,6 +102,14 @@ zone "not-yet.explicit.dspublish.ns5" {
         };
  };
  
+zone "not-yet.yes.dspublish.ns5" {
+       type primary;
+       file "not-yet.yes.dspublish.ns5.db";
+       inline-signing yes;
+       dnssec-policy "default";
+       checkds yes;
+};
+
  /*
   * 1.     Enabling DNSSEC
   * 1.1    - With one parental agent
@@ -108,6 +125,14 @@ zone "bad.explicit.dspublish.ns6" {
         };
  };
  
+zone "bad.yes.dspublish.ns6" {
+       type primary;
+       file "bad.yes.dspublish.ns6.db";
+       inline-signing yes;
+       dnssec-policy "default";
+       checkds yes;
+};
+
  /*
   * 1.     Enabling DNSSEC
   * 1.1    - With one parental agent
@@ -131,6 +156,14 @@ zone "good.explicit.dspublish.ns2-4" {
         };
  };
  
+zone "good.yes.dspublish.ns2-4" {
+       type primary;
+       file "good.yes.dspublish.ns2-4.db";
+       inline-signing yes;
+       dnssec-policy "default";
+       checkds yes;
+};
+
  /*
   * 1.     Enabling DNSSEC
   * 1.2    - With multiple parental agent
@@ -148,6 +181,14 @@ zone "incomplete.explicit.dspublish.ns2-4-5" {
         };
  };
  
+zone "incomplete.yes.dspublish.ns2-4-5" {
+       type primary;
+       file "incomplete.yes.dspublish.ns2-4-5.db";
+       inline-signing yes;
+       dnssec-policy "default";
+       checkds yes;
+};
+
  /*
   * 1.     Enabling DNSSEC
   * 1.2    - With multiple parental agent
@@ -165,6 +206,14 @@ zone "bad.explicit.dspublish.ns2-4-6" {
         };
  };
  
+zone "bad.yes.dspublish.ns2-4-6" {
+       type primary;
+       file "bad.yes.dspublish.ns2-4-6.db";
+       inline-signing yes;
+       dnssec-policy "default";
+       checkds yes;
+};
+
  /*
   * 1.     Enabling DNSSEC
   * 1.2    - With multiple parental agent
@@ -199,6 +248,14 @@ zone "resolver.explicit.dsremoved.ns5" {
         };
  };
  
+zone "good.yes.dsremoved.ns5" {
+       type primary;
+       file "good.yes.dsremoved.ns5.db";
+       inline-signing yes;
+       dnssec-policy "insecure";
+       checkds yes;
+};
+
  /*
   * 2.     Going insecure
   * 2.1    - With one parental agent
@@ -214,6 +271,14 @@ zone "still-there.explicit.dsremoved.ns2" {
         };
  };
  
+zone "still-there.yes.dsremoved.ns2" {
+       type primary;
+       file "still-there.yes.dsremoved.ns2.db";
+       inline-signing yes;
+       dnssec-policy "insecure";
+       checkds yes;
+};
+
  /*
   * 2.     Going insecure
   * 2.1    - With one parental agent
@@ -229,6 +294,14 @@ zone "bad.explicit.dsremoved.ns6" {
         };
  };
  
+zone "bad.yes.dsremoved.ns6" {
+       type primary;
+       file "bad.yes.dsremoved.ns6.db";
+       inline-signing yes;
+       dnssec-policy "insecure";
+       checkds yes;
+};
+
  /*
   * 2.     Going insecure
   * 2.1    - With one parental agent
@@ -252,6 +325,14 @@ zone "good.explicit.dsremoved.ns5-7" {
         };
  };
  
+zone "good.yes.dsremoved.ns5-7" {
+       type primary;
+       file "good.yes.dsremoved.ns5-7.db";
+       inline-signing yes;
+       dnssec-policy "insecure";
+       checkds yes;
+};
+
  /*
   * 2.     Going insecure
   * 2.2.    - With multiple parental agents
@@ -269,6 +350,14 @@ zone "incomplete.explicit.dsremoved.ns2-5-7" {
         };
  };
  
+zone "incomplete.yes.dsremoved.ns2-5-7" {
+       type primary;
+       file "incomplete.yes.dsremoved.ns2-5-7.db";
+       inline-signing yes;
+       dnssec-policy "insecure";
+       checkds yes;
+};
+
  /*
   * 2.     Going insecure
   * 2.2.    - With multiple parental agents
@@ -286,6 +375,14 @@ zone "bad.explicit.dsremoved.ns5-6-7" {
         };
  };
  
+zone "bad.yes.dsremoved.ns5-6-7" {
+       type primary;
+       file "bad.yes.dsremoved.ns5-6-7.db";
+       inline-signing yes;
+       dnssec-policy "insecure";
+       checkds yes;
+};
+
  /*
   * 2.     Going insecure
   * 2.2.    - With multiple parental agents
diff --git a/bin/tests/system/checkds/ns9/setup.sh b/bin/tests/system/checkds/ns9/setup.sh

index cb399c22889f1c792afa2c91fdac3458fe4206de..a83a8cb633259a968c78f883d77cbfd9d038ec21 100644 (file)
--- a/bin/tests/system/checkds/ns9/setup.sh
+++ b/bin/tests/system/checkds/ns9/setup.sh
@@ -33,7 +33,7 @@ T="now-30d"
  Y="now-1y"
  
  # DS Publication.
-for checkds in explicit
+for checkds in explicit yes
  do
         for zn in \
                 good.${checkds}.dspublish.ns2 \
@@ -60,7 +60,7 @@ do
  done
  
  # DS Withdrawal.
-for checkds in explicit
+for checkds in explicit yes
  do
         for zn in \
                 good.${checkds}.dsremoved.ns5 \
diff --git a/bin/tests/system/checkds/tests_checkds.py b/bin/tests/system/checkds/tests_checkds.py

index ef6bec143ec35735a917583380a3aa52e2cb0e50..fff3c49e2818fecfe3c94dace906bafb9e29b251 100755 (executable)
--- a/bin/tests/system/checkds/tests_checkds.py
+++ b/bin/tests/system/checkds/tests_checkds.py
@@ -249,7 +249,7 @@ def wait_for_log(filename, log):
      assert found
  
  
-def test_checkds_dspublished(named_port):
+def checkds_dspublished(named_port, checkds):
      # We create resolver instances that will be used to send queries.
      server = dns.resolver.Resolver()
      server.nameservers = ["10.53.0.9"]
@@ -265,55 +265,44 @@ def test_checkds_dspublished(named_port):
      #
  
      # The simple case.
-    zone_check(server, "good.explicit.dspublish.ns2.")
-    wait_for_log(
-        "ns9/named.run",
-        "zone good.explicit.dspublish.ns2/IN (signed): checkds: "
-       "DS response from 10.53.0.2",
-    )
-    keystate_check(parent, "good.explicit.dspublish.ns2.", "DSPublish")
-
-    # Using a reference to parental-agents.
-    zone_check(server, "reference.explicit.dspublish.ns2.")
+    zone_check(server, "good.{}.dspublish.ns2.".format(checkds))
      wait_for_log(
          "ns9/named.run",
-        "zone reference.explicit.dspublish.ns2/IN (signed): "
-       "checkds: DS response from 10.53.0.2",
+        "zone good.{}.dspublish.ns2/IN (signed): checkds: "
+       "DS response from 10.53.0.2".format(checkds),
      )
-    keystate_check(parent, "reference.explicit.dspublish.ns2.", "DSPublish")
-
-    # Using a resolver as parental-agent (ns3).
-    zone_check(server, "resolver.explicit.dspublish.ns2.")
-    wait_for_log(
-        "ns9/named.run",
-        "zone resolver.explicit.dspublish.ns2/IN (signed): checkds: "
-        "DS response from 10.53.0.3",
-    )
-    keystate_check(parent, "resolver.explicit.dspublish.ns2.", "DSPublish")
+    keystate_check(parent, "good.{}.dspublish.ns2.".format(checkds), "DSPublish")
  
      #
      # 1.1.2: DS is not published in parent.
      # parental-agents: ns5
      #
-    zone_check(server, "not-yet.explicit.dspublish.ns5.")
+    zone_check(server, "not-yet.{}.dspublish.ns5.".format(checkds))
      wait_for_log(
          "ns9/named.run",
-        "zone not-yet.explicit.dspublish.ns5/IN (signed): checkds: "
-        "empty DS response from 10.53.0.5",
+        "zone not-yet.{}.dspublish.ns5/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5".format(checkds),
      )
-    keystate_check(parent, "not-yet.explicit.dspublish.ns5.", "!DSPublish")
+    keystate_check(parent, "not-yet.{}.dspublish.ns5.".format(checkds), "!DSPublish")
  
      #
      # 1.1.3: The parental agent is badly configured.
      # parental-agents: ns6
      #
-    zone_check(server, "bad.explicit.dspublish.ns6.")
-    wait_for_log(
-        "ns9/named.run",
-        "zone bad.explicit.dspublish.ns6/IN (signed): checkds: "
-        "bad DS response from 10.53.0.6",
-    )
-    keystate_check(parent, "bad.explicit.dspublish.ns6.", "!DSPublish")
+    zone_check(server, "bad.{}.dspublish.ns6.".format(checkds))
+    if checkds == "explicit":
+        wait_for_log(
+            "ns9/named.run",
+            "zone bad.{}.dspublish.ns6/IN (signed): checkds: "
+            "bad DS response from 10.53.0.6".format(checkds),
+        )
+    elif checkds == "yes":
+        wait_for_log(
+            "ns9/named.run",
+            "zone bad.{}.dspublish.ns6/IN (signed): checkds: "
+            "error during parental-agents processing".format(checkds),
+        )
+    keystate_check(parent, "bad.{}.dspublish.ns6.".format(checkds), "!DSPublish")
  
      #
      # 1.1.4: DS is published, but has bogus signature.
@@ -324,62 +313,62 @@ def test_checkds_dspublished(named_port):
      # 1.2.1: DS is correctly published in all parents.
      # parental-agents: ns2, ns4
      #
-    zone_check(server, "good.explicit.dspublish.ns2-4.")
+    zone_check(server, "good.{}.dspublish.ns2-4.".format(checkds))
      wait_for_log(
          "ns9/named.run",
-        "zone good.explicit.dspublish.ns2-4/IN (signed): checkds: "
-        "DS response from 10.53.0.2",
+        "zone good.{}.dspublish.ns2-4/IN (signed): checkds: "
+        "DS response from 10.53.0.2".format(checkds),
      )
      wait_for_log(
          "ns9/named.run",
-        "zone good.explicit.dspublish.ns2-4/IN (signed): checkds: "
-        "DS response from 10.53.0.4",
+        "zone good.{}.dspublish.ns2-4/IN (signed): checkds: "
+        "DS response from 10.53.0.4".format(checkds),
      )
-    keystate_check(parent, "good.explicit.dspublish.ns2-4.", "DSPublish")
+    keystate_check(parent, "good.{}.dspublish.ns2-4.".format(checkds), "DSPublish")
  
      #
      # 1.2.2: DS is not published in some parents.
      # parental-agents: ns2, ns4, ns5
      #
-    zone_check(server, "incomplete.explicit.dspublish.ns2-4-5.")
+    zone_check(server, "incomplete.{}.dspublish.ns2-4-5.".format(checkds))
      wait_for_log(
          "ns9/named.run",
-        "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: "
-        "DS response from 10.53.0.2",
+        "zone incomplete.{}.dspublish.ns2-4-5/IN (signed): checkds: "
+        "DS response from 10.53.0.2".format(checkds),
      )
      wait_for_log(
          "ns9/named.run",
-        "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: "
-        "DS response from 10.53.0.4",
+        "zone incomplete.{}.dspublish.ns2-4-5/IN (signed): checkds: "
+        "DS response from 10.53.0.4".format(checkds),
      )
      wait_for_log(
          "ns9/named.run",
-        "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: "
-        "empty DS response from 10.53.0.5",
+        "zone incomplete.{}.dspublish.ns2-4-5/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5".format(checkds),
      )
-    keystate_check(parent, "incomplete.explicit.dspublish.ns2-4-5.", "!DSPublish")
+    keystate_check(parent, "incomplete.{}.dspublish.ns2-4-5.".format(checkds), "!DSPublish")
  
      #
      # 1.2.3: One parental agent is badly configured.
      # parental-agents: ns2, ns4, ns6
      #
-    zone_check(server, "bad.explicit.dspublish.ns2-4-6.")
+    zone_check(server, "bad.{}.dspublish.ns2-4-6.".format(checkds))
      wait_for_log(
          "ns9/named.run",
-        "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: "
-        "DS response from 10.53.0.2",
+        "zone bad.{}.dspublish.ns2-4-6/IN (signed): checkds: "
+        "DS response from 10.53.0.2".format(checkds),
      )
      wait_for_log(
          "ns9/named.run",
-        "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: "
-        "DS response from 10.53.0.4",
+        "zone bad.{}.dspublish.ns2-4-6/IN (signed): checkds: "
+        "DS response from 10.53.0.4".format(checkds),
      )
      wait_for_log(
          "ns9/named.run",
-        "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: "
-        "bad DS response from 10.53.0.6",
+        "zone bad.{}.dspublish.ns2-4-6/IN (signed): checkds: "
+        "bad DS response from 10.53.0.6".format(checkds),
      )
-    keystate_check(parent, "bad.explicit.dspublish.ns2-4-6.", "!DSPublish")
+    keystate_check(parent, "bad.{}.dspublish.ns2-4-6.".format(checkds), "!DSPublish")
  
      #
      # 1.2.4: DS is completely published, bogus signature.
@@ -390,7 +379,7 @@ def test_checkds_dspublished(named_port):
      # TBD: Check with TLS
  
  
-def test_checkds_dswithdrawn(named_port):
+def checkds_dswithdrawn(named_port, checkds):
      # We create resolver instances that will be used to send queries.
      server = dns.resolver.Resolver()
      server.nameservers = ["10.53.0.9"]
@@ -406,46 +395,44 @@ def test_checkds_dswithdrawn(named_port):
      #
  
      # The simple case.
-    zone_check(server, "good.explicit.dsremoved.ns5.")
+    zone_check(server, "good.{}.dsremoved.ns5.".format(checkds))
      wait_for_log(
          "ns9/named.run",
-        "zone good.explicit.dsremoved.ns5/IN (signed): checkds: "
-        "empty DS response from 10.53.0.5",
+        "zone good.{}.dsremoved.ns5/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5".format(checkds),
      )
-    keystate_check(parent, "good.explicit.dsremoved.ns5.", "DSRemoved")
-
-    # Using a resolver as parental-agent (ns3).
-    zone_check(server, "resolver.explicit.dsremoved.ns5.")
-    wait_for_log(
-        "ns9/named.run",
-        "zone resolver.explicit.dsremoved.ns5/IN (signed): checkds: "
-        "empty DS response from 10.53.0.3",
-    )
-    keystate_check(parent, "resolver.explicit.dsremoved.ns5.", "DSRemoved")
+    keystate_check(parent, "good.{}.dsremoved.ns5.".format(checkds), "DSRemoved")
  
      #
      # 2.1.2: DS is published in the parent.
      # parental-agents: ns2
      #
-    zone_check(server, "still-there.explicit.dsremoved.ns2.")
+    zone_check(server, "still-there.{}.dsremoved.ns2.".format(checkds))
      wait_for_log(
          "ns9/named.run",
-        "zone still-there.explicit.dsremoved.ns2/IN (signed): checkds: "
-        "DS response from 10.53.0.2",
+        "zone still-there.{}.dsremoved.ns2/IN (signed): checkds: "
+        "DS response from 10.53.0.2".format(checkds),
      )
-    keystate_check(parent, "still-there.explicit.dsremoved.ns2.", "!DSRemoved")
+    keystate_check(parent, "still-there.{}.dsremoved.ns2.".format(checkds), "!DSRemoved")
  
      #
      # 2.1.3: The parental agent is badly configured.
      # parental-agents: ns6
      #
-    zone_check(server, "bad.explicit.dsremoved.ns6.")
-    wait_for_log(
-        "ns9/named.run",
-        "zone bad.explicit.dsremoved.ns6/IN (signed): checkds: "
-        "bad DS response from 10.53.0.6",
-    )
-    keystate_check(parent, "bad.explicit.dsremoved.ns6.", "!DSRemoved")
+    zone_check(server, "bad.{}.dsremoved.ns6.".format(checkds))
+    if checkds == "explicit":
+        wait_for_log(
+            "ns9/named.run",
+            "zone bad.{}.dsremoved.ns6/IN (signed): checkds: "
+            "bad DS response from 10.53.0.6".format(checkds),
+        )
+    elif checkds == "yes":
+        wait_for_log(
+            "ns9/named.run",
+            "zone bad.{}.dsremoved.ns6/IN (signed): checkds: "
+            "error during parental-agents processing".format(checkds),
+        )
+    keystate_check(parent, "bad.{}.dsremoved.ns6.".format(checkds), "!DSRemoved")
  
      #
      # 2.1.4: DS is withdrawn, but has bogus signature.
@@ -456,64 +443,123 @@ def test_checkds_dswithdrawn(named_port):
      # 2.2.1: DS is correctly withdrawn from all parents.
      # parental-agents: ns5, ns7
      #
-    zone_check(server, "good.explicit.dsremoved.ns5-7.")
+    zone_check(server, "good.{}.dsremoved.ns5-7.".format(checkds))
      wait_for_log(
          "ns9/named.run",
-        "zone good.explicit.dsremoved.ns5-7/IN (signed): checkds: "
-        "empty DS response from 10.53.0.5",
+        "zone good.{}.dsremoved.ns5-7/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5".format(checkds),
      )
      wait_for_log(
          "ns9/named.run",
-        "zone good.explicit.dsremoved.ns5-7/IN (signed): checkds: "
-        "empty DS response from 10.53.0.7",
+        "zone good.{}.dsremoved.ns5-7/IN (signed): checkds: "
+        "empty DS response from 10.53.0.7".format(checkds),
      )
-    keystate_check(parent, "good.explicit.dsremoved.ns5-7.", "DSRemoved")
+    keystate_check(parent, "good.{}.dsremoved.ns5-7.".format(checkds), "DSRemoved")
  
      #
      # 2.2.2: DS is not withdrawn from some parents.
      # parental-agents: ns2, ns5, ns7
      #
-    zone_check(server, "incomplete.explicit.dsremoved.ns2-5-7.")
+    zone_check(server, "incomplete.{}.dsremoved.ns2-5-7.".format(checkds))
      wait_for_log(
          "ns9/named.run",
-        "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: "
-        "DS response from 10.53.0.2",
+        "zone incomplete.{}.dsremoved.ns2-5-7/IN (signed): checkds: "
+        "DS response from 10.53.0.2".format(checkds),
      )
      wait_for_log(
          "ns9/named.run",
-        "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: "
-        "empty DS response from 10.53.0.5",
+        "zone incomplete.{}.dsremoved.ns2-5-7/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5".format(checkds),
      )
      wait_for_log(
          "ns9/named.run",
-        "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: "
-        "empty DS response from 10.53.0.7",
+        "zone incomplete.{}.dsremoved.ns2-5-7/IN (signed): checkds: "
+        "empty DS response from 10.53.0.7".format(checkds),
      )
-    keystate_check(parent, "incomplete.explicit.dsremoved.ns2-5-7.", "!DSRemoved")
+    keystate_check(parent, "incomplete.{}.dsremoved.ns2-5-7.".format(checkds), "!DSRemoved")
  
      #
      # 2.2.3: One parental agent is badly configured.
      # parental-agents: ns5, ns6, ns7
      #
-    zone_check(server, "bad.explicit.dsremoved.ns5-6-7.")
+    zone_check(server, "bad.{}.dsremoved.ns5-6-7.".format(checkds))
      wait_for_log(
          "ns9/named.run",
-        "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: "
-        "empty DS response from 10.53.0.5",
+        "zone bad.{}.dsremoved.ns5-6-7/IN (signed): checkds: "
+        "empty DS response from 10.53.0.5".format(checkds),
      )
      wait_for_log(
          "ns9/named.run",
-        "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: "
-        "empty DS response from 10.53.0.7",
+        "zone bad.{}.dsremoved.ns5-6-7/IN (signed): checkds: "
+        "empty DS response from 10.53.0.7".format(checkds),
      )
      wait_for_log(
          "ns9/named.run",
-        "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: "
-        "bad DS response from 10.53.0.6",
+        "zone bad.{}.dsremoved.ns5-6-7/IN (signed): checkds: "
+        "bad DS response from 10.53.0.6".format(checkds),
      )
-    keystate_check(parent, "bad.explicit.dsremoved.ns5-6-7.", "!DSRemoved")
+    keystate_check(parent, "bad.{}.dsremoved.ns5-6-7.".format(checkds), "!DSRemoved")
  
      #
      # 2.2.4:: DS is removed completely, bogus signature.
      #
      # TBD
+
+
+def test_checkds_reference(named_port):
+    # We create resolver instances that will be used to send queries.
+    server = dns.resolver.Resolver()
+    server.nameservers = ["10.53.0.9"]
+    server.port = named_port
+
+    parent = dns.resolver.Resolver()
+    parent.nameservers = ["10.53.0.2"]
+    parent.port = named_port
+
+    # Using a reference to parental-agents.
+    zone_check(server, "reference.explicit.dspublish.ns2.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone reference.explicit.dspublish.ns2/IN (signed): "
+        "checkds: DS response from 10.53.0.2",
+    )
+    keystate_check(parent, "reference.explicit.dspublish.ns2.", "DSPublish")
+
+
+def test_checkds_resolver(named_port):
+    # We create resolver instances that will be used to send queries.
+    server = dns.resolver.Resolver()
+    server.nameservers = ["10.53.0.9"]
+    server.port = named_port
+
+    parent = dns.resolver.Resolver()
+    parent.nameservers = ["10.53.0.2"]
+    parent.port = named_port
+
+    # Using a resolver as parental-agent (ns3).
+    zone_check(server, "resolver.explicit.dspublish.ns2.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone resolver.explicit.dspublish.ns2/IN (signed): checkds: "
+        "DS response from 10.53.0.3",
+    )
+    keystate_check(parent, "resolver.explicit.dspublish.ns2.", "DSPublish")
+
+    # Using a resolver as parental-agent (ns3).
+    zone_check(server, "resolver.explicit.dsremoved.ns5.")
+    wait_for_log(
+        "ns9/named.run",
+        "zone resolver.explicit.dsremoved.ns5/IN (signed): checkds: "
+        "empty DS response from 10.53.0.3",
+    )
+    keystate_check(parent, "resolver.explicit.dsremoved.ns5.", "DSRemoved")
+
+
+def test_checkds_dspublished(named_port):
+    checkds_dspublished(named_port, "explicit")
+    checkds_dspublished(named_port, "yes")
+
+
+def test_checkds_dswithdrawn(named_port):
+    checkds_dswithdrawn(named_port, "explicit")
+    checkds_dswithdrawn(named_port, "yes")
author	Matthijs Mekking <matthijs@isc.org>
	Tue, 28 Mar 2023 10:00:56 +0000 (12:00 +0200)
committer	Matthijs Mekking <matthijs@isc.org>
	Mon, 3 Apr 2023 14:01:22 +0000 (14:01 +0000)
bin/tests/system/checkds/ns2/ns2-4-5.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns2/ns2-4-6.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns2/ns2-4.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns2/ns2-5-7.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns2/ns2.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns2/ns5-6-7.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns2/ns5-7.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns2/ns5.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns2/ns6.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns5/ns2-4-5.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns5/ns2-4-6.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns5/ns2-4.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns5/ns2-5-7.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns5/ns2.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns5/ns5-6-7.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns5/ns5-7.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns5/ns5.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns5/ns6.db.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns9/named.conf.in		patch \| blob \| blame \| history
bin/tests/system/checkds/ns9/setup.sh		patch \| blob \| blame \| history
bin/tests/system/checkds/tests_checkds.py		patch \| blob \| blame \| history