From: Matthijs Mekking Date: Fri, 13 Oct 2023 13:17:29 +0000 (+0200) Subject: Add test case for GL #4350 X-Git-Tag: v9.18.20~27^2~2 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=e9989c541b4e264d6ab56b9157ce7819598824db;p=thirdparty%2Fbind9.git Add test case for GL #4350 Add a test scenario for a dynamic zone that uses inline-signing which accidentally has signed the raw version of the zone. This should not trigger resign scheduling on the raw version of the zone. (cherry picked from commit c90b62264842950145e49a092ceaf818be86f42a)
---
diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh
index db264c28107..d31b53a4646 100644
--- a/bin/tests/system/kasp/clean.sh
+++ b/bin/tests/system/kasp/clean.sh
@@ -29,6 +29,7 @@ rm -f ns*/*.mkeys
 rm -f ns*/zones ns*/*.db.infile
 rm -f ns*/*.zsk1 ns*/*.zsk2
 rm -f ns3/legacy-keys.*
+rm -rf ns3/keys/
 rm -f *.created published.test* retired.test*
 rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.*
 rm -f python.out.*
diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in
index a6e8b3a5b93..02e8099ec95 100644
--- a/bin/tests/system/kasp/ns3/named-fips.conf.in
+++ b/bin/tests/system/kasp/ns3/named-fips.conf.in
@@ -146,6 +146,18 @@ zone "dynamic-inline-signing.kasp" {
 	inline-signing yes;
 };
 
+/*
+ * A dynamic inline-signed zone with dnssec-policy with DNSSEC records in the
+ * raw version of the zone.
+ */
+zone "dynamic-signed-inline-signing.kasp" {
+	type primary;
+	file "dynamic-signed-inline-signing.kasp.db.signed";
+	key-directory "keys";
+	dnssec-policy "default";
+	allow-update { any; };
+};
+
 /* An inline-signed zone with dnssec-policy. */
 zone "inline-signing.kasp" {
 	type primary;
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 8af40ed588d..b53d0af0a84 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
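Review bot: The new `dynamic-signed-inline-signing.kasp` zone omits `inline-signing yes;`, while the preceding zone visible in the hunk context (`dynamic-inline-signing.kasp`) sets it explicitly, so the new zone depends on inline signing being implied by `dnssec-policy` for a zone that also carries `allow-update`. If that implication does not hold on this branch, the `.db.signed` file is loaded as the zone itself, no `(unsigned)` raw instance exists, and the negative `grep` checks added in tests.sh can only pass vacuously. Adding `inline-signing yes;` after the `dnssec-policy "default";` line makes the scenario explicit and consistent with its sibling zone.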
@@ -164,6 +164,19 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
 cp $infile $zonefile
 $SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
+# We are signing the raw version of the zone here. This is unusual and not
+# common operation, but want to make sure that in such a case BIND 9 does not
+# schedule a resigning operation on the raw version. Add expired signatures so
+# a resign is imminent.
+setup dynamic-signed-inline-signing.kasp
+T="now-1d"
+csktimes="-P $T -A $T -P sync $T"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -d $O $T -k $O $T -z $O $T -r $O $T "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+cp $infile $zonefile
+$SIGNER -PS -z -x -s now-2w -e now-1mi -o $zone -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
 # These signatures are set to expire long in the past, update immediately.
 setup expired-sigs.autosign
 T="now-6mo"
diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh
index 67cfa92e7df..f733de92d15 100644
--- a/bin/tests/system/kasp/setup.sh
+++ b/bin/tests/system/kasp/setup.sh
@@ -19,6 +19,7 @@ set -e
 $SHELL clean.sh
 
 mkdir keys
+mkdir ns3/keys
 copy_setports ns2/named.conf.in ns2/named.conf
 
 if ! $SHELL ../testcrypto.sh -q RSASHA1
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 213cc31fed1..5e42bee7f83 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
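Review bot: In the `$KEYGEN` line of the added block the timing argument is `$ksktimes`, but the variable assigned two lines earlier is `csktimes`, which is never read; the CSK is therefore generated with whatever `ksktimes` still holds from an earlier zone's setup outside this hunk (or with default timing if it is empty), and the intended `-P sync $T` is lost. Change it to `CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $csktimes $zone 2> keygen.out.$zone.1)`. The following `$SETTIME` call rewrites the state timestamps, which is presumably why the slip has no visible effect, but the test should not depend on that. `setup`, `$O`, `$infile` and `$zonefile` are defined outside the hunk.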
@@ -487,6 +487,23 @@ retry_quiet 10 update_is_signed || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+#
+# Zone: dynamic-signed-inline-signing.kasp
+#
+set_zone "dynamic-signed-inline-signing.kasp"
+set_dynamic
+set_policy "default" "1" "3600"
+set_server "ns3" "10.53.0.3"
+dnssec_verify
+# Ensure no zone_resigninc for the unsigned version of the zone is triggered.
+n=$((n+1))
+echo_i "check if resigning the raw version of the zone is prevented for zone ${ZONE} ($n)"
+ret=0
+grep "zone_resigninc: zone $ZONE/IN (unsigned): enter" $DIR/named.run && ret=1
+grep "error reading K$ZONE" $DIR/named.run && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 #
 # Zone: inline-signing.kasp
 #
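Review bot: The two `grep ... && ret=1` lines at the end of the block assert only the absence of log text, so the check passes just as well if ns3 never loaded a raw `(unsigned)` instance of this zone (for example because inline signing is not in effect) or if the `zone_resigninc` log wording changes. A positive precondition placed before them, such as `grep "zone $ZONE/IN (unsigned): loaded serial" $DIR/named.run > /dev/null || ret=1` (assuming the raw zone logs its load the way other inline-signed zones do — to be confirmed against named.run), would make the negative checks meaningful. Because the signatures planted in ns3/setup.sh expire at `now-1mi`, an erroneous resign would be scheduled at load time, so checking right after `dnssec_verify` is presumably sufficient; if the log line can appear late, wrapping the check in `retry_quiet` as the preceding zone does would avoid a timing-dependent pass.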