rm -f Ksig0.example2.*
rm -f keyname keyname.err
rm -f ns1/example2.db
+rm -f ns1/example2-toomanykeys.db
rm -f ns*/managed-keys.bind*
rm -f nsupdate.out.*
rm -f ns*/named.run.prev
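Review bot: The cleanup still misses the other artifacts this commit creates: the glob `Ksig0.example2.*` on the first line does not match the `Ksig0.example2-toomanykeys.*` key pairs generated by the new setup.sh loop, and `rm -f keyname keyname.err` does not cover the `keyname1`..`keyname3` pointer files written there. Leaving them behind means private key material from a previous run lingers in the test directory, and a stale `keyname$i` would let the new tests.sh check run against old keys and hide a keygen failure on the next run (assuming setup.sh writes them into the same directory as `keyname`, which the visible lines suggest). I would add `rm -f Ksig0.example2-toomanykeys.*` next to the first line and widen the second to `rm -f keyname keyname.err keyname[1-3]`.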
allow-update { key sig0.example2.; };
};
+zone "example2-toomanykeys" {
+ type primary;
+ file "example2-toomanykeys.db";
+ allow-update { key sig0.example2-toomanykeys.; };
+};
+
zone "example3" {
type primary;
file "example3.db";
primaries { 10.53.0.1; };
};
+zone "example2-toomanykeys" {
+ type secondary;
+ file "example2-toomanykeys.bk";
+ allow-update-forwarding { 10.53.0.1; };
+ primaries { 10.53.0.1; };
+};
+
zone "example3" {
type secondary;
file "example3.bk";
fi
#
-# SIG(0) required cryptographic support which may not be configured.
+# SIG(0) requires cryptographic support which may not be configured.
#
keyname=$($KEYGEN -q -n HOST -a ${DEFAULT_ALGORITHM} -T KEY sig0.example2 2>keyname.err)
if test -n "$keyname"; then
cat ns1/example1.db >ns1/example2.db
fi
cat_i <keyname.err
+
+cat ns1/example1.db >ns1/example2-toomanykeys.db
+for i in 1 2 3; do
+ keyname=$($KEYGEN -q -n HOST -a ${DEFAULT_ALGORITHM} -T KEY sig0.example2-toomanykeys 2>/dev/null)
+ if test -n "$keyname"; then
+ cat $keyname.key >>ns1/example2-toomanykeys.db
+ echo $keyname >keyname$i
+ fi
+done
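Review bot: The three key generations inside the loop send stderr to `/dev/null`, unlike the generation just above which captures it in `keyname.err` and echoes it through `cat_i`, so if one of them fails `keyname$i` is silently never written and the later `cat keyname$i` in tests.sh fails with no hint of the real cause. I would keep the diagnostics, e.g. `keyname=$($KEYGEN -q -n HOST -a ${DEFAULT_ALGORITHM} -T KEY sig0.example2-toomanykeys 2>>keyname.err)` and move the `cat_i <keyname.err` line to after the loop, and quote the expansions on the two following lines as `cat "$keyname.key"` and `echo "$keyname"`. A one-line comment above the loop stating that the three keys exist to exceed named's SIG(0) key-check limit would also help the next reader, since that intent is only visible in tests.sh.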
nextpart_thrice
ret=0
keyname=$(cat keyname)
- $NSUPDATE -k $keyname.private -- - <<EOF || ret=1
+ $NSUPDATE -k $keyname.private -- - <<EOF >nsupdate.out.test$n 2>&1 || ret=1
local 10.53.0.1
server 10.53.0.3 ${PORT}
zone example2
nextpart_thrice
ret=0
keyname=$(cat keyname)
- $NSUPDATE -k $keyname.private -S -O -- - <<EOF || ret=1
+ $NSUPDATE -k $keyname.private -S -O -- - <<EOF >nsupdate.out.test$n 2>&1 || ret=1
local 10.53.0.1
server 10.53.0.3 ${TLSPORT}
zone example2
status=$((status + ret))
n=$((n + 1))
fi
+
+ echo_i "checking update forwarding with sig0 with too many keys ($n)"
+ nextpart_thrice
+ ret=0
+ good=0
+ bad=0
+ for i in 1 2 3; do
+ keyname=$(cat keyname$i)
+ $NSUPDATE -d -D -k $keyname.private -- - <<EOF >nsupdate.out.test$n.$i 2>&1 && good=$((good + 1)) || bad=$((bad + 1))
+ local 10.53.0.1
+ server 10.53.0.3 ${PORT}
+ zone example2-toomanykeys
+ update add toomanykeys$i.example2-toomanykeys. 600 A 10.10.10.1
+ send
+EOF
+ done
+ # There are three keys in the zone but named checks the signature using
+ # maximum two keys, so one of these updates should have been failed.
+ [ $good = 2 ] && [ $bad = 1 ] || ret=1
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=$((status + ret))
+ n=$((n + 1))
fi
echo_i "attempting an update that should be rejected by ACL ($n)"