Add log check in multisigner system test

When we add DNSKEY records via dynamic update, this should no longer
trigger signing the zone with these keys. This currently happens when
'find_zone_keys()' looks up the keys by inspecting the DNSKEY RRset,
then attempting to read the corresponding key files.

Add checks that inspect the logs whether an attempt to read the key
files for the newly added keys was done (and failed because these files
are not available).

diff --git a/bin/tests/system/multisigner/tests.sh b/bin/tests/system/multisigner/tests.sh
index aac1c2ecdcac6773a6c19f442a8cc0e343ed51d2..5a209e79464126f1b42df5978e0670cb7ae715b5 100644 (file)
--- a/bin/tests/system/multisigner/tests.sh
+++ b/bin/tests/system/multisigner/tests.sh
@@ -132,10 +132,19 @@ echo server "${SERVER}" "${PORT}"
 echo update add $(cat "ns4/${ZONE}.zsk")
 echo send
 ) | $NSUPDATE
+# Check the new DNSKEY RRset.
+n=$((n+1))
 echo_i "check zone ${ZONE} DNSKEY RRset after update ($n)"
 retry_quiet 10 zsks_are_published || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+# Check the logs for find zone keys errors.
+n=$((n+1))
+ret=0
+echo_i "make sure we did not try to sign with the keys added with nsupdate for zone ${ZONE} ($n)"
+grep "dns_dnssec_findzonekeys2: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 # Verify again.
 dnssec_verify
 
@@ -149,10 +158,19 @@ echo server "${SERVER}" "${PORT}"
 echo update add $(cat "ns3/${ZONE}.zsk")
 echo send
 ) | $NSUPDATE
+# Check the new DNSKEY RRset.
+n=$((n+1))
 echo_i "check zone ${ZONE} DNSKEY RRset after update ($n)"
 retry_quiet 10 zsks_are_published || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+# Check the logs for find zone keys errors.
+n=$((n+1))
+ret=0
+echo_i "make sure we did not try to sign with the keys added with nsupdate for zone ${ZONE} ($n)"
+grep "dns_dnssec_findzonekeys2: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 # Verify again.
 dnssec_verify
 no_dnssec_in_journal
@@ -446,6 +464,9 @@ test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 dnssec_verify
 no_dnssec_in_journal
+grep "dns_dnssec_findzonekeys2: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 # NS4
 set_server "ns4" "10.53.0.4"
 echo_i "check server ${DIR} zone ${ZONE} DNSKEY RRset after update ($n)"
@@ -454,6 +475,9 @@ test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 dnssec_verify
 no_dnssec_in_journal
+grep "dns_dnssec_findzonekeys2: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 
 n=$((n+1))
 echo_i "remove dnskey record: remove ns3 and ns4 DNSKEY records from primary ns5 ($n)"