Update kasp tests to "insecure" policy
authorMatthijs Mekking <matthijs@isc.org>
Wed, 21 Apr 2021 14:33:04 +0000 (16:33 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Fri, 30 Apr 2021 11:58:22 +0000 (13:58 +0200)
The tests for going insecure should be changed to use the built-in
"insecure" policy.

The function that checks dnssec status output should again check
for the special case "none".

(cherry picked from commit 17e3b056c87c912127fe94181108b4df898915f7)

bin/tests/system/kasp.sh
bin/tests/system/kasp/ns6/named2.conf.in
bin/tests/system/kasp/tests.sh

index a619c0e6a9b2de22cf179e97626dd9ca83190695..7594f90b97b246a25feb07fe39383457ba3272d1 100644 (file)
@@ -196,8 +196,8 @@ set_policy() {
        CDS_DELETE="no"
 }
 # By default policies are considered to be secure.
-# If a zone sets its policy to "none", call 'set_cdsdelete' to tell the system
-# test to expect a CDS and CDNSKEY Delete record.
+# If a zone sets its policy to "insecure", call 'set_cdsdelete' to tell the
+# system test to expect a CDS and CDNSKEY Delete record.
 set_cdsdelete() {
        CDS_DELETE="yes"
 }
@@ -779,18 +779,22 @@ check_dnssecstatus() {
 
        _rndccmd $_server dnssec -status $_zone in $_view > rndc.dnssec.status.out.$_zone.$n || _log_error "rndc dnssec -status zone ${_zone} failed"
 
-       grep "dnssec-policy: ${_policy}" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "bad dnssec status for signed zone ${_zone}"
-       if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
-               grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY1 ID) from dnssec status"
-       fi
-       if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
-               grep "key: $(key_get KEY2 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY2 ID) from dnssec status"
-       fi
-       if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
-               grep "key: $(key_get KEY3 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY3 ID) from dnssec status"
-       fi
-       if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
-               grep "key: $(key_get KEY4 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY4 ID) from dnssec status"
+       if [ "$_policy" = "none" ]; then
+               grep "Zone does not have dnssec-policy" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for unsigned zone ${_zone}"
+       else
+               grep "dnssec-policy: ${_policy}" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "bad dnssec status for signed zone ${_zone}"
+               if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
+                       grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY1 ID) from dnssec status"
+               fi
+               if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
+                       grep "key: $(key_get KEY2 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY2 ID) from dnssec status"
+               fi
+               if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
+                       grep "key: $(key_get KEY3 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY3 ID) from dnssec status"
+               fi
+               if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
+                       grep "key: $(key_get KEY4 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY4 ID) from dnssec status"
+               fi
        fi
 
        test "$ret" -eq 0 || echo_i "failed"
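Review bot: The new unsigned-zone branch calls `log_error`, while every other failure path in this function (and the `_rndccmd` line just above it) calls `_log_error`; this looks like a typo rather than an intentional switch to a different helper. If `log_error` is not defined in every script that sources kasp.sh, a zone that still reports a policy when the test expects "Zone does not have dnssec-policy" would produce only a command-not-found message and leave `ret` untouched, so the check that a zone has actually gone unsigned would pass silently. Change the line to `grep "Zone does not have dnssec-policy" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "bad dnssec status for unsigned zone ${_zone}"`. The four near-identical KEY1..KEY4 blocks could also be collapsed into a `for _key in KEY1 KEY2 KEY3 KEY4` loop, which would make a slip like this one harder to introduce. check_dnssecstatus begins before this hunk and its tail continues past it.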
index 731cf4ced33b51330e1a1586626f25ee0ce9f42f..8967c8a44acc0249ae0e1b449347669bb135121b 100644 (file)
@@ -39,26 +39,26 @@ controls {
 zone "step1.going-insecure.kasp" {
         type master;
         file "step1.going-insecure.kasp.db";
-        dnssec-policy "none";
+        dnssec-policy "insecure";
 };
 
 zone "step2.going-insecure.kasp" {
         type master;
         file "step2.going-insecure.kasp.db";
-        dnssec-policy "none";
+        dnssec-policy "insecure";
 };
 
 zone "step1.going-insecure-dynamic.kasp" {
         type master;
         file "step1.going-insecure-dynamic.kasp.db";
-        dnssec-policy "none";
+        dnssec-policy "insecure";
        allow-update { any; };
 };
 
 zone "step2.going-insecure-dynamic.kasp" {
         type master;
         file "step2.going-insecure-dynamic.kasp.db";
-        dnssec-policy "none";
+        dnssec-policy "insecure";
        allow-update { any; };
 };
 
index d208c79c3d178aafd5c4a51112994364364e178f..d033b7d11c5b2007e8f0be06e0795a8175cd57df 100644 (file)
@@ -3599,7 +3599,7 @@ wait_for_done_signing() {
 # Zone: step1.going-insecure.kasp
 #
 set_zone "step1.going-insecure.kasp"
-set_policy "none" "2" "7200"
+set_policy "insecure" "2" "7200"
 set_server "ns6" "10.53.0.6"
 # Expect a CDS/CDNSKEY Delete Record.
 set_cdsdelete
@@ -3636,7 +3636,7 @@ check_next_key_event 93600
 # Zone: step2.going-insecure.kasp
 #
 set_zone "step2.going-insecure.kasp"
-set_policy "none" "2" "7200"
+set_policy "insecure" "2" "7200"
 set_server "ns6" "10.53.0.6"
 
 # The DS is long enough removed from the zone to be considered HIDDEN.
@@ -3666,7 +3666,7 @@ check_next_key_event 7500
 #
 set_zone "step1.going-insecure-dynamic.kasp"
 set_dynamic
-set_policy "none" "2" "7200"
+set_policy "insecure" "2" "7200"
 set_server "ns6" "10.53.0.6"
 # Expect a CDS/CDNSKEY Delete Record.
 set_cdsdelete
@@ -3704,7 +3704,7 @@ check_next_key_event 93600
 #
 set_zone "step2.going-insecure-dynamic.kasp"
 set_dynamic
-set_policy "none" "2" "7200"
+set_policy "insecure" "2" "7200"
 set_server "ns6" "10.53.0.6"
 
 # The DS is long enough removed from the zone to be considered HIDDEN.