Add bump in the wire multisigner test

Add a test case where updates are being made against a hidden primary
and two bump in the wire signers (the providers in the multisigner
model) serve the zone.

The test covers the same cases as for two primary providers that is:
- Add DNSKEY
- Remove (previously added) DNSKEY
- Add CDNSKEY
- Remove (previously added) CDNSKEY
- Add CDS
- Remove (previously added) CDS

diff --git a/bin/tests/system/multisigner/clean.sh b/bin/tests/system/multisigner/clean.sh
index 0dd6eb6d48818a760a01741aa0d9191a650ba285..393efbbf3711b1b6b785fe608a01b713ca43e906 100644 (file)
--- a/bin/tests/system/multisigner/clean.sh
+++ b/bin/tests/system/multisigner/clean.sh
@@ -16,6 +16,8 @@ set -e
 rm -f *.created
 rm -f cdnskey.ns*
 rm -f cds.ns*
+rm -f secondary.cdnskey.ns*
+rm -f secondary.cds.ns*
 rm -f created.key-*
 rm -f dig.out.*
 rm -f python.out.*
@@ -29,9 +31,12 @@ rm -f ns*/*.journal.out.test*
 rm -f ns*/*.signed
 rm -f ns*/*.signed.jnl
 rm -f ns*/*.zsk
+rm -f ns*/db-*
 rm -f ns*/K*
 rm -f ns*/keygen.out.*
 rm -f ns*/managed-keys*
+rm -f ns*/model2.secondary.db
+rm -f ns*/model2.secondary.db
 rm -f ns*/named.conf
 rm -f ns*/named.memstats
 rm -f ns*/named.run

diff --git a/bin/tests/system/multisigner/ns3/named.conf.in b/bin/tests/system/multisigner/ns3/named.conf.in
index 893e79d87bb1630b25dc3ce75e67a80f4f9d5b03..ce570696b6d4532ba10fdc74e0c5ace71885168b 100644 (file)
--- a/bin/tests/system/multisigner/ns3/named.conf.in
+++ b/bin/tests/system/multisigner/ns3/named.conf.in
@@ -44,3 +44,11 @@ zone "model2.multisigner." {
        dnssec-policy model2;
        inline-signing no;
 };
+
+zone "model2.secondary." {
+       type secondary;
+       primaries { 10.53.0.5; };
+       file "model2.secondary.db";
+       dnssec-policy model2;
+       inline-signing yes;
+};

diff --git a/bin/tests/system/multisigner/ns3/setup.sh b/bin/tests/system/multisigner/ns3/setup.sh
index 54ee7dcb45751e39aba1ef863abf2204550a7857..0f6b343e14fd8e8a7e113b6527e26a0cb9fa719a 100644 (file)
--- a/bin/tests/system/multisigner/ns3/setup.sh
+++ b/bin/tests/system/multisigner/ns3/setup.sh
@@ -16,16 +16,29 @@
 
 echo_i "ns3/setup.sh"
 
+O="OMNIPRESENT"
+ksktimes="-P now -A now -P sync now"
+zsktimes="-P now -A now"
+
 zone="model2.multisigner"
 echo_i "setting up zone: $zone"
 zonefile="${zone}.db"
 
-O="OMNIPRESENT"
-ksktimes="-P now -A now -P sync now"
-zsktimes="-P now -A now"
 KSK=$($KEYGEN  -a $DEFAULT_ALGORITHM -f KSK  -L 3600 $ksktimes $zone 2> keygen.out.$zone.1)
 ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
 $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O now -z $O now           "$ZSK" > settime.out.$zone.2 2>&1
 # ZSK will be added to the other provider with nsupdate.
 cat "${ZSK}.key" | grep -v ";.*" > "${zone}.zsk"
+
+zone="model2.secondary"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+cp "../ns5/${zonefile}.in" "$zonefile"
+
+KSK=$($KEYGEN  -a $DEFAULT_ALGORITHM -f KSK  -L 3600 $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O now -r $O now -d $O now  "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O now -z $O now            "$ZSK" > settime.out.$zone.2 2>&1
+# ZSK will be added to the other provider with nsupdate.
+cat "${ZSK}.key" | grep -v ";.*" > "${zone}.zsk"

diff --git a/bin/tests/system/multisigner/ns4/named.conf.in b/bin/tests/system/multisigner/ns4/named.conf.in
index ba1f6b85fa13a84884bd1b71207d16a8516c5700..e19fd35f0d070808e5f1b3570cc88d4c1a5d6281 100644 (file)
--- a/bin/tests/system/multisigner/ns4/named.conf.in
+++ b/bin/tests/system/multisigner/ns4/named.conf.in
@@ -44,3 +44,11 @@ zone "model2.multisigner." {
        dnssec-policy model2;
        inline-signing yes;
 };
+
+zone "model2.secondary." {
+       type secondary;
+       primaries { 10.53.0.5; };
+       file "model2.secondary.db";
+       dnssec-policy model2;
+       inline-signing yes;
+};

diff --git a/bin/tests/system/multisigner/ns4/setup.sh b/bin/tests/system/multisigner/ns4/setup.sh
index 05d1060be4cd3f4cf663d5c407e902df2dc63a7a..94ac16ad8d03f7679f77aee8d4625422fd20c150 100644 (file)
--- a/bin/tests/system/multisigner/ns4/setup.sh
+++ b/bin/tests/system/multisigner/ns4/setup.sh
@@ -16,13 +16,26 @@
 
 echo_i "ns4/setup.sh"
 
+O="OMNIPRESENT"
+ksktimes="-P now -A now -P sync now"
+zsktimes="-P now -A now"
+
 zone="model2.multisigner"
 echo_i "setting up zone: $zone"
 zonefile="${zone}.db"
 
-O="OMNIPRESENT"
-ksktimes="-P now -A now -P sync now"
-zsktimes="-P now -A now"
+KSK=$($KEYGEN  -a $DEFAULT_ALGORITHM -f KSK  -L 3600 $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O now -r $O now -d $O now  "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O now -z $O now            "$ZSK" > settime.out.$zone.2 2>&1
+# ZSK will be added to the other provider with nsupdate.
+cat "${ZSK}.key" | grep -v ";.*" > "${zone}.zsk"
+
+zone="model2.secondary"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+cp "../ns5/${zonefile}.in" "$zonefile"
+
 KSK=$($KEYGEN  -a $DEFAULT_ALGORITHM -f KSK  -L 3600 $ksktimes $zone 2> keygen.out.$zone.1)
 ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
 $SETTIME -s -g $O -k $O now -r $O now -d $O now  "$KSK" > settime.out.$zone.1 2>&1

diff --git a/bin/tests/system/multisigner/ns5/model2.secondary.db.in b/bin/tests/system/multisigner/ns5/model2.secondary.db.in
new file mode 100644 (file)
index 0000000..ea0f3cc
--- /dev/null
+++ b/bin/tests/system/multisigner/ns5/model2.secondary.db.in
@@ -0,0 +1,29 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@              IN      SOA  mname1. . (
+                       1       ; serial
+                       20      ; refresh (20 seconds)
+                       20      ; retry (20 seconds)
+                       1814400 ; expire (3 weeks)
+                       3600    ; minimum (1 hour)
+                       )
+
+                       NS      ns3
+                       NS      ns4
+ns3                    A       10.53.0.3
+ns4                    A       10.53.0.4
+
+a                      A       10.0.0.1
+b                      A       10.0.0.2
+c                      A       10.0.0.3
+

diff --git a/bin/tests/system/multisigner/ns5/named.conf.in b/bin/tests/system/multisigner/ns5/named.conf.in
new file mode 100644 (file)
index 0000000..3518fe3
--- /dev/null
+++ b/bin/tests/system/multisigner/ns5/named.conf.in
@@ -0,0 +1,44 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS5
+
+include "../kasp.conf";
+
+options {
+       query-source address 10.53.0.5;
+       notify-source 10.53.0.5;
+       transfer-source 10.53.0.5;
+       port @PORT@;
+       pid-file "named.pid";
+       listen-on { 10.53.0.5; };
+       listen-on-v6 { none; };
+       allow-transfer { any; };
+       recursion no;
+       key-directory ".";
+};
+
+key rndc_key {
+       secret "1234abcd8765";
+       algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+       inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "model2.secondary." {
+       type primary;
+       allow-update { any; };
+       file "model2.secondary.db";
+};

diff --git a/bin/tests/system/multisigner/ns5/setup.sh b/bin/tests/system/multisigner/ns5/setup.sh
new file mode 100644 (file)
index 0000000..6bf3e6f
--- /dev/null
+++ b/bin/tests/system/multisigner/ns5/setup.sh
@@ -0,0 +1,22 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns5/setup.sh"
+
+zone="model2.secondary"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+cp "${zonefile}.in" "$zonefile"

diff --git a/bin/tests/system/multisigner/setup.sh b/bin/tests/system/multisigner/setup.sh
index a28917fdd9a13d97220f99d2e71f5cfc02561421..f7fc496ca863ec5ebb5cf7af2e3a6266e8956b3c 100644 (file)
--- a/bin/tests/system/multisigner/setup.sh
+++ b/bin/tests/system/multisigner/setup.sh
@@ -20,6 +20,7 @@ $SHELL clean.sh
 
 copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
+copy_setports ns5/named.conf.in ns5/named.conf
 
 (
        cd ns3
@@ -29,3 +30,7 @@ copy_setports ns4/named.conf.in ns4/named.conf
        cd ns4
        $SHELL setup.sh
 )
+(
+       cd ns5
+       $SHELL setup.sh
+)

diff --git a/bin/tests/system/multisigner/tests.sh b/bin/tests/system/multisigner/tests.sh
index d6e56f9c8c8e8015cf28d68fd273615dd0f2cb14..b3fa7948b01ea3a88b6bd618962eddb5a5e7a321 100644 (file)
--- a/bin/tests/system/multisigner/tests.sh
+++ b/bin/tests/system/multisigner/tests.sh
@@ -96,6 +96,20 @@ zsks_are_published() {
        test "$lines" -eq 1 || return 1
 }
 
+# Test to make sure no DNSSEC records end up in the raw journal.
+no_dnssec_in_journal() {
+       n=$((n+1))
+       ret=0
+       echo_i "check zone ${ZONE} raw journal has no DNSSEC ($n)"
+       $JOURNALPRINT "${DIR}/${ZONE}.db.jnl" > "${DIR}/${ZONE}.journal.out.test$n"
+       rrset_exists NSEC "${DIR}/${ZONE}.journal.out.test$n" && ret=1
+       rrset_exists NSEC3 "${DIR}/${ZONE}.journal.out.test$n" && ret=1
+       rrset_exists NSEC3PARAM "${DIR}/${ZONE}.journal.out.test$n" && ret=1
+       rrset_exists RRSIG "${DIR}/${ZONE}.journal.out.test$n" && ret= 1
+       test "$ret" -eq 0 || echo_i "failed"
+       status=$((status+ret))
+}
+
 # Check if a certain RRtype is present in the journal file.
 rrset_exists() (
        rrtype=$1
@@ -269,16 +283,265 @@ retry_quiet 10 records_published CDS 2 || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 # No DNSSEC in raw journal.
+no_dnssec_in_journal
+
+#
+# Check secondary server behaviour.
+#
+set_zone "model2.secondary"
+set_policy "model2" "2" "3600"
+
+set_server "ns3" "10.53.0.3"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_model2
+check_keytimes
+check_apex
+dnssec_verify
+
+set_server "ns4" "10.53.0.4"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_model2
+check_keytimes
+check_apex
+dnssec_verify
+
+#
+# Update DNSKEY RRset.
+#
 n=$((n+1))
-echo_i "check zone ${ZONE} raw journal has no DNSSEC ($n)"
+echo_i "add dnskey record: update zone ${ZONE} at ns5 with ZSKs from providers ns3 and ns4 ($n)"
 ret=0
-$JOURNALPRINT "${DIR}/${ZONE}.db.jnl" > "${DIR}/${ZONE}.journal.out.test$n"
-rrset_exists NSEC "${DIR}/${ZONE}.journal.out.test$n" && ret=1
-rrset_exists NSEC3 "${DIR}/${ZONE}.journal.out.test$n" && ret=1
-rrset_exists NSEC3PARAM "${DIR}/${ZONE}.journal.out.test$n" && ret=1
-rrset_exists RRSIG "${DIR}/${ZONE}.journal.out.test$n" && ret=1
+set_server "ns5" "10.53.0.5"
+(
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
+echo update add $(cat "ns3/${ZONE}.zsk")
+echo update add $(cat "ns4/${ZONE}.zsk")
+echo send
+) | $NSUPDATE
+# NS3
+set_server "ns3" "10.53.0.3"
+echo_i "check server ${DIR} zone ${ZONE} DNSKEY RRset after update ($n)"
+retry_quiet 10 zsks_are_published || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+dnssec_verify
+no_dnssec_in_journal
+# NS4
+set_server "ns4" "10.53.0.4"
+echo_i "check server ${DIR} zone ${ZONE} DNSKEY RRset after update ($n)"
+retry_quiet 10 zsks_are_published || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+dnssec_verify
+no_dnssec_in_journal
+
+n=$((n+1))
+echo_i "remove dnskey record: remove ns3 and ns4 DNSKEY records from primary ns5 ($n)"
+ret=0
+set_server "ns5" "10.53.0.5"
+(
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
+echo update del $(cat "ns3/${ZONE}.zsk")
+echo update del $(cat "ns4/${ZONE}.zsk")
+echo send
+) | $NSUPDATE
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+# Now there should be one DNSKEY record again.
+# While we did remove both DNSKEY records, the bump in the wire signer, i.e
+# the secondary inline-signing zone, should add back the DNSKEY belonging to
+# its own KSK when re-signing the zone.
+#
+# NS3
+set_server "ns3" "10.53.0.3"
+echo_i "check server ${DIR} zone ${ZONE} DNSKEY RRset after update ($n)"
+check_keys
+check_apex
+dnssec_verify
+no_dnssec_in_journal
+# NS4
+set_server "ns4" "10.53.0.4"
+echo_i "check server ${DIR} zone ${ZONE} DNSKEY RRset after update ($n)"
+check_keys
+check_apex
+dnssec_verify
+no_dnssec_in_journal
+
+#
+# Update CDNSKEY RRset.
+#
+
+# Retrieve CDNSKEY records from the providers.
+n=$((n+1))
+echo_i "check initial CDSNKEY response for zone ${ZONE} at ns3 and ns4 ($n)"
+ret=0
+dig_with_opts ${ZONE} @10.53.0.3 CDNSKEY > dig.out.ns3.secondary.cdnskey
+awk '$4 == "CDNSKEY" {print}' dig.out.ns3.secondary.cdnskey > secondary.cdnskey.ns3
+dig_with_opts ${ZONE} @10.53.0.4 CDNSKEY > dig.out.ns4.secondary.cdnskey
+awk '$4 == "CDNSKEY" {print}' dig.out.ns4.secondary.cdnskey > secondary.cdnskey.ns4
+# Initially there should be one CDNSKEY.
+set_server "ns3" "10.53.0.3"
+retry_quiet 10 records_published CDNSKEY 1 || ret=1
+set_server "ns4" "10.53.0.4"
+retry_quiet 10 records_published CDNSKEY 1 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "add cdnskey record: update zone ${ZONE} at ns5 with CDNSKEY records from providers ns3 and ns4 ($n)"
+ret=0
+set_server "ns5" "10.53.0.5"
+(
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
+echo update add $(cat "secondary.cdnskey.ns3")
+echo update add $(cat "secondary.cdnskey.ns4")
+echo send
+) | $NSUPDATE
+# Now there should be two CDNSKEY records (we test that BIND does not
+# skip it during DNSSEC maintenance).
+#
+# NS3
+set_server "ns3" "10.53.0.3"
+echo_i "check server ${DIR} zone ${ZONE} CDNSKEY RRset after update ($n)"
+retry_quiet 10 records_published CDNSKEY 2 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+dnssec_verify
+no_dnssec_in_journal
+# NS4
+set_server "ns4" "10.53.0.4"
+echo_i "check server ${DIR} zone ${ZONE} CDNSKEY RRset after update ($n)"
+retry_quiet 10 records_published CDNSKEY 2 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+dnssec_verify
+no_dnssec_in_journal
+
+n=$((n+1))
+echo_i "remove cdnskey record: remove ns3 and ns4 CDNSKEY records from primary ns5 ($n)"
+ret=0
+set_server "ns5" "10.53.0.5"
+(
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
+echo update del $(cat "secondary.cdnskey.ns3")
+echo update del $(cat "secondary.cdnskey.ns4")
+echo send
+) | $NSUPDATE
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+# Now there should be one CDNSKEY record again.
+# While we did remove both CDNSKEY records, the bump in the wire signer, i.e
+# the secondary inline-signing zone, should add back the CDNSKEY belonging to
+# its own KSK when re-signing the zone.
+#
+# NS3
+set_server "ns3" "10.53.0.3"
+echo_i "check server ${DIR} zone ${ZONE} CDNSKEY RRset after update ($n)"
+retry_quiet 10 records_published CDNSKEY 1 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+dnssec_verify
+no_dnssec_in_journal
+# NS4
+set_server "ns4" "10.53.0.4"
+echo_i "check server ${DIR} zone ${ZONE} CDNSKEY RRset after update ($n)"
+retry_quiet 10 records_published CDNSKEY 1 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+dnssec_verify
+no_dnssec_in_journal
+
+#
+# Update CDS RRset.
+#
+
+# Retrieve CDS records from the other provider.
+n=$((n+1))
+echo_i "check initial CDS response for zone ${ZONE} at ns3 and ns4 ($n)"
+ret=0
+dig_with_opts ${ZONE} @10.53.0.3 CDS > dig.out.ns3.secondary.cds
+awk '$4 == "CDS" {print}' dig.out.ns3.secondary.cds > secondary.cds.ns3
+dig_with_opts ${ZONE} @10.53.0.4 CDS > dig.out.ns4.secondary.cds
+awk '$4 == "CDS" {print}' dig.out.ns4.secondary.cds > secondary.cds.ns4
+# Initially there should be one CDS.
+set_server "ns3" "10.53.0.3"
+retry_quiet 10 records_published CDS 1 || ret=1
+set_server "ns4" "10.53.0.4"
+retry_quiet 10 records_published CDS 1 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+n=$((n+1))
+echo_i "add cds record: update zone ${ZONE} at ns5 with CDS from provider ns4 ($n)"
+ret=0
+set_server "ns5" "10.53.0.5"
+(
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
+echo update add $(cat "secondary.cds.ns3")
+echo update add $(cat "secondary.cds.ns4")
+echo send
+) | $NSUPDATE
+# Now there should be two CDS records (we test that BIND does not
+# skip it during DNSSEC maintenance).
+#
+# NS3
+set_server "ns3" "10.53.0.3"
+echo_i "check server ${DIR} zone ${ZONE} CDS RRset after update ($n)"
+retry_quiet 10 records_published CDS 2 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+dnssec_verify
+no_dnssec_in_journal
+# NS4
+set_server "ns4" "10.53.0.4"
+echo_i "check server ${DIR} zone ${ZONE} CDS RRset after update ($n)"
+retry_quiet 10 records_published CDS 2 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+dnssec_verify
+no_dnssec_in_journal
+
+n=$((n+1))
+echo_i "remove cds record: remove ns3 and ns4 CDS records from primary ns5 ($n)"
+ret=0
+set_server "ns5" "10.53.0.5"
+(
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
+echo update del $(cat "secondary.cds.ns3")
+echo update del $(cat "secondary.cds.ns4")
+echo send
+) | $NSUPDATE
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+# Now there should be one CDS record again.
+# While we did remove both CDS records, the bump in the wire signer, i.e
+# the secondary inline-signing zone, should add back the CDS belonging to
+# its own KSK when re-signing the zone.
+#
+# NS3
+set_server "ns3" "10.53.0.3"
+echo_i "check server ${DIR} zone ${ZONE} CDS RRset after update ($n)"
+retry_quiet 10 records_published CDS 1 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+dnssec_verify
+no_dnssec_in_journal
+# NS4
+set_server "ns4" "10.53.0.4"
+echo_i "check server ${DIR} zone ${ZONE} CDS RRset after update ($n)"
+retry_quiet 10 records_published CDS 1 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+dnssec_verify
+no_dnssec_in_journal
 
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1