Regression check for missing RRSIGs

When transitioning from NSEC3 to NSEC the added records where not
being signed because the wrong time was being used to determine if
a key should be used or not.  Check that these records are actually
signed.

diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
index ded882ee7bc3b7e3d85368f23d2ee9685deae236..bfcccaf001c76c45006bde4c57f49566d3c4adf5 100644 (file)
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -261,7 +261,8 @@ zone "nsec3-to-nsec.example" {
        file "nsec3-to-nsec.example.db";
        allow-update { any; };
        inline-signing no;
-       dnssec-policy nsec3;
+       max-journal-size 10M;
+       dnssec-policy autosign;
 };
 
 zone "oldsigs.example" {

diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 61afacf1e49378eaa076fd3f2926aeb3cf3ed020..1741589dcf334456d6e15d1f9cfae855f27549d1 100755 (executable)
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -1324,5 +1324,16 @@ n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+echo_i "check that the startup change from NSEC3 to NSEC is properly signed ($n)"
+ret=0
+$JOURNALPRINT ns3/nsec3-to-nsec.example.db.jnl \
+  | awk 'BEGIN { count=0; ok=0 }
+$1 == "del" && $5 == "SOA" { count++; if (count == 2) { if (ok) { exit(0); } else { exit(1); } } }
+$1 == "add" && $5 == "RRSIG" && $6 == "TYPE65534" { ok=1 }
+' || ret=1
+n=$((n + 1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1