From: Mark Andrews Date: Fri, 16 Jul 2021 05:15:09 +0000 (+1000) Subject: Check reload of dnssec-policy zone works X-Git-Tag: v9.16.20~8^2~4 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=8a81830001387b306f7423eeb4cc82e3ccd4c78a;p=thirdparty%2Fbind9.git Check reload of dnssec-policy zone works (cherry picked from commit c7fc13a9fa350c7c8c137a877abe681eece067d5)
---
diff --git a/bin/tests/system/kasp/ns6/example.db.in b/bin/tests/system/kasp/ns6/example.db.in
new file mode 100644
index 00000000000..1ea5cb29adb
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/example.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns6
+ns6 A 10.53.0.6
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
diff --git a/bin/tests/system/kasp/ns6/example2.db.in b/bin/tests/system/kasp/ns6/example2.db.in
new file mode 100644
index 00000000000..479dbd5711f
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/example2.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 2 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns6
+ns6 A 10.53.0.6
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in
index d1a15cf2407..29cc010d140 100644
--- a/bin/tests/system/kasp/ns6/named.conf.in
+++ b/bin/tests/system/kasp/ns6/named.conf.in
@@ -68,3 +68,15 @@ zone "step1.csk-algorithm-roll.kasp" {
 file "step1.csk-algorithm-roll.kasp.db";
 dnssec-policy "csk-algoroll";
 };
+
+dnssec-policy "modified" {
+ keys {
+ csk lifetime unlimited algorithm rsasha256 2048;
+ };
+};
+
+zone example {
+ type primary;
+ dnssec-policy modified;
+ file "example.db";
+};
diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in
index 38f0e92c961..91af68325b0 100644
--- a/bin/tests/system/kasp/ns6/named2.conf.in
+++ b/bin/tests/system/kasp/ns6/named2.conf.in
@@ -145,3 +145,15 @@ zone "step6.csk-algorithm-roll.kasp" {
 file "step6.csk-algorithm-roll.kasp.db";
 dnssec-policy "csk-algoroll";
 };
+
+dnssec-policy "modified" {
+ keys {
+ csk lifetime unlimited algorithm rsasha256 2048;
+ };
+};
+
+zone example {
+ type primary;
+ dnssec-policy modified;
+ file "example.db";
+};
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
index 5f934ae9cc0..2e1f005693e 100644
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@@ -381,3 +381,9 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 5 "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+#
+# Reload testing
+#
+echo "example" >> zones
+cp example.db.in example.db
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 83217801248..fa100295859 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -4621,5 +4621,26 @@ dnssec_verify
 # an unlimited lifetime. Fallback to the default loadkeys interval.
 check_next_key_event 3600
 
+echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)"
+TSIG=
+ret=0
+dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa1 || ret=1
+cp ns6/example2.db.in ns6/example.db || ret=1
+nextpart ns6/named.run > /dev/null
+rndccmd 10.53.0.6 reload || ret=1
+wait_for_log 3 "all zones loaded" ns6/named.run
+sleep 1
+dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa2 || ret=1
+soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa1)
+soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa2)
+ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa1)
+ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa2)
+test ${soa1:-1000} -lt ${soa2:-0} || ret=1
+test ${ttl1:-0} -eq 300 || ret=1
+test ${ttl2:-0} -eq 300 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+n=$((n+1))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
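Review bot: In the tests.sh hunk the return status of `wait_for_log 3 "all zones loaded" ns6/named.run` is dropped and the fixed `sleep 1` after it makes the second SOA query timing-dependent, so a slow or failed reload shows up only as an unexplained serial mismatch. Assuming wait_for_log signals a timeout through its exit status (its definition is outside this hunk), `wait_for_log 3 "all zones loaded" ns6/named.run || ret=1` records that failure directly, and polling the SOA until the serial advances would remove the sleep. The assertions also look only at the serial and TTL, so the test would still pass if the reloaded SOA were served without a signature, which is the property the title names; if dig_with_opts requests DNSSEC records, adding `grep "RRSIG.*SOA" dig.out.ns6.test$n.soa2 > /dev/null || ret=1` would cover it.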