From 270512949e639e1a406c07ef29adb41d4e2e65ed Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Thu, 30 May 2024 12:26:03 +0200
Subject: [PATCH] Add test cases that use DNSSEC signing

Add two new masterformat tests that use signing. In the case of 'under-limit-kasp', the signing will keep the number of records in the RRset under the limit. In the case of 'on-limit-kasp', the signing will push the number of records in the RRset over the limit, because of the added RRSIG record.

(cherry picked from commit 4c677882e66883670990a771337ecbb5206a6faa)
---
 bin/tests/system/masterformat/ns1/compile.sh | 2 +
 .../system/masterformat/ns1/named.conf.in | 15 ++++
 .../system/masterformat/ns2/named.conf.in | 14 ++++
 bin/tests/system/masterformat/setup.sh | 5 ++
 bin/tests/system/masterformat/tests.sh | 73 +++++++++++++++++++
 5 files changed, 109 insertions(+)

diff --git a/bin/tests/system/masterformat/ns1/compile.sh b/bin/tests/system/masterformat/ns1/compile.sh
index d6ec07428b..6e5a8b12f1 100755
--- a/bin/tests/system/masterformat/ns1/compile.sh
+++ b/bin/tests/system/masterformat/ns1/compile.sh
@@ -27,7 +27,9 @@ $CHECKZONE -D -F raw=0 -o example.db.compat example-compat \
 $CHECKZONE -D -F raw -L 3333 -o example.db.serial.raw example \
 example.db >/dev/null 2>&1
 $CHECKZONE -D -F raw -o under-limit.db.raw under-limit under-limit.db >/dev/null 2>&1
+$CHECKZONE -D -F raw -o under-limit-kasp.db.raw under-limit-kasp under-limit-kasp.db >/dev/null 2>&1
 $CHECKZONE -D -F raw -o on-limit.db.raw on-limit on-limit.db >/dev/null 2>&1
+$CHECKZONE -D -F raw -o on-limit-kasp.db.raw on-limit-kasp on-limit-kasp.db >/dev/null 2>&1
 $CHECKZONE -D -F raw -o over-limit.db.raw over-limit over-limit.db >/dev/null 2>&1
 $CHECKZONE -D -F raw -o 255types.db.raw 255types 255types.db >/dev/null 2>&1
diff --git a/bin/tests/system/masterformat/ns1/named.conf.in b/bin/tests/system/masterformat/ns1/named.conf.in
index 3c83896d12..2da4c642eb 100644
--- a/bin/tests/system/masterformat/ns1/named.conf.in
+++ b/bin/tests/system/masterformat/ns1/named.conf.in
@@ -80,6 +80,14 @@ zone "under-limit" {
 allow-transfer { any; };
 };
+zone "under-limit-kasp" {
+ type primary;
+ file "under-limit-kasp.db.raw";
+ masterfile-format raw;
+ dnssec-policy masterformat;
+ allow-transfer { any; };
+};
+
 zone "on-limit" {
 type primary;
 file "on-limit.db.raw";
@@ -87,6 +95,13 @@ zone "on-limit" {
 allow-transfer { any; };
 };
+zone "on-limit-kasp" {
+ type primary;
+ file "on-limit-kasp.db.raw";
+ masterfile-format raw;
+ dnssec-policy masterformat;
+ allow-transfer { any; };
+};
 zone "over-limit" {
 type primary;
diff --git a/bin/tests/system/masterformat/ns2/named.conf.in b/bin/tests/system/masterformat/ns2/named.conf.in
index 277ad19805..790ec731b2 100644
--- a/bin/tests/system/masterformat/ns2/named.conf.in
+++ b/bin/tests/system/masterformat/ns2/named.conf.in
@@ -65,6 +65,13 @@ zone "under-limit" {
 file "under-limit.bk";
 };
+zone "under-limit-kasp" {
+ type secondary;
+ primaries { 10.53.0.1; };
+ masterfile-format raw;
+ file "under-limit-kasp.bk";
+};
+
 zone "on-limit" {
 type secondary;
 primaries { 10.53.0.1; };
@@ -72,6 +79,13 @@ zone "on-limit" {
 file "on-limit.bk";
 };
+zone "on-limit-kasp" {
+ type secondary;
+ primaries { 10.53.0.1; };
+ masterfile-format raw;
+ file "on-limit-kasp.bk";
+};
+
 zone "255types" {
 type secondary;
 primaries { 10.53.0.1; };
diff --git a/bin/tests/system/masterformat/setup.sh b/bin/tests/system/masterformat/setup.sh
index 0c8f6042ad..e4cc52b085 100755
--- a/bin/tests/system/masterformat/setup.sh
+++ b/bin/tests/system/masterformat/setup.sh
@@ -32,6 +32,8 @@ awk 'END {
 for (i = 0; i < 1000; i++ ) { print "1000-txt TXT", i; }
 for (i = 0; i < 2000; i++ ) { print "2000-txt TXT", i; }
 }' >ns1/under-limit.db
+cp ns1/under-limit.db ns1/under-limit-kasp.db
+
 cp ns1/empty.db.in ns1/on-limit.db
 awk 'END {
 for (i = 0; i < 500; i++ ) { print "500-txt TXT", i; }
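Review bot: `dnssec-policy masterformat;` in the new `under-limit-kasp` and `on-limit-kasp` zones of ns1/named.conf.in names a policy that this patch does not define; the diffstat lists 15 insertions for that file and the two zone blocks account for all of them. Because this is a cherry-pick, confirm that the target branch already carries the `masterformat` policy definition, since a reference to an undefined policy would presumably make ns1 fail to start and take every test in the directory down with it. A one-line comment above each zone, such as `# signed copy of on-limit: the added RRSIG pushes the largest RRset past the limit`, would also record why the zone exists next to its unsigned twin.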
@@ -39,6 +41,8 @@ awk 'END {
 for (i = 0; i < 2000; i++ ) { print "2000-txt TXT", i; }
 for (i = 0; i < 2050; i++ ) { print "2050-txt TXT", i; }
 }' >ns1/on-limit.db
+cp ns1/on-limit.db ns1/on-limit-kasp.db
+
 cp ns1/empty.db.in ns1/over-limit.db
 awk 'END {
 for (i = 0; i < 500; i++ ) { print "500-txt TXT", i; }
@@ -47,6 +51,7 @@ awk 'END {
 for (i = 0; i < 2050; i++ ) { print "2050-txt TXT", i; }
 for (i = 0; i < 2100; i++ ) { print "2100-txt TXT", i; }
 }' >ns1/over-limit.db
+
 cp ns1/empty.db.in ns1/255types.db
 for ntype in $(seq 65280 65534); do
 echo "m TYPE${ntype} \# 0"
diff --git a/bin/tests/system/masterformat/tests.sh b/bin/tests/system/masterformat/tests.sh
index 5f423b385b..2daeeb450a 100755
--- a/bin/tests/system/masterformat/tests.sh
+++ b/bin/tests/system/masterformat/tests.sh
@@ -201,6 +201,49 @@ n=$((n + 1))
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
+echo_i "checking that under-limit-kasp dnskeys loaded ($n)"
+for _attempt in 0 1 2 3 4 5 6 7 8 9; do
+ ret=0
+
+ $DIG +tcp +dnssec dnskey "under-limit-kasp" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.dnskey.test$n"
+ grep "status: NOERROR" "dig.out.ns1.dnskey.test$n" >/dev/null || ret=1
+ grep "RRSIG" "dig.out.ns1.dnskey.test$n" >/dev/null || ret=1
+ [ $ret -eq 0 ] && break
+ sleep 1
+done
+n=$((n + 1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that under-limit-kasp rdatasets loaded ($n)"
+for _attempt in 0 1 2 3 4 5 6 7 8 9; do
+ ret=0
+ for rrcount in 500-txt 1000-txt 2000-txt; do
+ $DIG +tcp +dnssec txt "${rrcount}.under-limit-kasp" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n"
+ grep "status: NOERROR" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1
+ grep "RRSIG" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1
+ done
+ [ $ret -eq 0 ] && break
+ sleep 1
+done
+n=$((n + 1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that under-limit-kasp rdatasets transfered ($n)"
+for _attempt in 0 1 2 3 4 5 6 7 8 9; do
+ ret=0
+ for rrcount in 500-txt 1000-txt 2000-txt; do
+ $DIG +tcp +dnssec txt "${rrcount}.under-limit-kasp" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$rrcount.test$n"
+ grep "status: NOERROR" "dig.out.ns2.$rrcount.test$n" >/dev/null || ret=1
+ done
+ [ $ret -eq 0 ] && break
+ sleep 1
+done
+n=$((n + 1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
 echo_i "checking that on-limit rdatasets loaded ($n)"
 for _attempt in 0 1 2 3 4 5 6 7 8 9; do
 ret=0
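Review bot: The `under-limit-kasp rdatasets transfered` check against 10.53.0.2 greps only for `status: NOERROR`, so unlike the two ns1 checks before it, it never confirms that the signatures arrived with the transfer. A secondary that answered with the RRsets but without signatures would still pass, which leaves the "signed zone stays under the limit and transfers intact" case unpinned. Adding `grep "RRSIG" "dig.out.ns2.$rrcount.test$n" >/dev/null || ret=1` inside the inner loop closes that gap. Separately, the bare `grep "RRSIG"` matches the string anywhere in the dig output; anchoring it to the answer record type would make the ns1 checks stricter as well.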
@@ -229,6 +272,36 @@ n=$((n + 1))
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
+echo_i "checking that on-limit-kasp rdatasets loaded ($n)"
+for _attempt in 0 1 2 3 4 5 6 7 8 9; do
+ ret=0
+ for rrcount in 500-txt 1000-txt 2000-txt 2050-txt; do
+ $DIG +tcp +dnssec txt "${rrcount}.on-limit-kasp" @10.53.0.1 -p "${PORT}" >"dig.out.ns1.$rrcount.test$n"
+ grep "status: NOERROR" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1
+ grep "RRSIG" "dig.out.ns1.$rrcount.test$n" >/dev/null || ret=1
+ done
+ [ $ret -eq 0 ] && break
+ sleep 1
+done
+n=$((n + 1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking that on-limit-kasp rdatasets not transfered ($n)"
+for _attempt in 0 1 2 3 4 5 6 7 8 9; do
+ ret=0
+ for rrcount in 500-txt 1000-txt 2000-txt 2050-txt; do
+ $DIG +tcp +dnssec txt "${rrcount}.on-limit-kasp" @10.53.0.2 -p "${PORT}" >"dig.out.ns2.$rrcount.test$n"
+ grep "status: SERVFAIL" "dig.out.ns2.$rrcount.test$n" >/dev/null || ret=1
+ done
+ [ $ret -eq 0 ] && break
+ sleep 1
+done
+n=$((n + 1))
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+
 echo_i "checking that over-limit rdatasets not loaded ($n)"
 for _attempt in 0 1 2 3 4 5 6 7 8 9; do
 ret=0
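Review bot: The `on-limit-kasp rdatasets not transfered` loop treats `status: SERVFAIL` from 10.53.0.2 as success and breaks on the first attempt, but a secondary that has not yet attempted or completed a transfer presumably answers SERVFAIL too. The check can therefore pass without the record limit ever having rejected anything, so a regression that lets the over-limit signed RRset through late would go unnoticed. Pair the SERVFAIL check with positive evidence of the rejection, for example `grep "<transfer-failure message>" <ns2 log file> >/dev/null || ret=1`. Both the message and the log path are placeholders to fill in from what named actually logs. A comment above the loop stating that SERVFAIL is expected because the added RRSIG pushes the RRset past the limit would also help the next reader.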