Test dnssec tools using zone file basename as origin

Add test cases where dnssec-signzone and dnssec-verify use the zone file's basename as the origin when '-o' is omitted. (cherry picked from commit 1251ae896c)
2026-05-27 20:25:55 -04:00 · 2026-04-01 11:11:55 +02:00 · 2026-04-01 11:11:55 +02:00 · 52abfa3e07
commit 52abfa3e07
parent 96da856018
3 changed files with 60 additions and 0 deletions
--- a/bin/tests/system/dnssec/signer/general/test13.zone
+++ b/bin/tests/system/dnssec/signer/general/test13.zone
@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+;	This is a zone which has two DNSKEY records, both of which have
+; existing private key files available.  They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com.	IN	SOA ns hostmaster 00090000 1200 3600 604800 300
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@ -2137,6 +2137,42 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))

+echo_i "checking dnssec-signzone without -o and zone is in directory (incorrect basename) ($n)"
+ret=0
+cp signer/general/test13.zone signer/bad.db
+$SIGNER -O full -S signer/bad.db 2>signer.err.$n && ret=1
+grep "example.com: not at top of zone" signer.err.$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone without -o and zone is in directory ($n)"
+ret=0
+cp signer/general/test13.zone signer/example.com
+$SIGNER -S -K signer/general -O full signer/example.com >signer.out.$n || ret=1
+test -f signer/example.com.signed
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-verify without -o and zone is in directory (incorrect basename) ($n)"
+ret=0
+$VERIFY signer/example.com.signed 2>verify.err.$n && ret=1
+grep "example.com: not at top of zone" verify.err.$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-verify without -o and zone is in directory ($n)"
+ret=0
+cp signer/example.com.signed signer/example.com
+$VERIFY signer/example.com >verify.out.$n || ret=1
+grep "Loading zone 'example.com' from file 'signer/example.com'" verify.out.$n >/dev/null || ret=1
+grep "Zone fully signed" verify.out.$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 echo_i "checking validated data are not cached longer than originalttl ($n)"
 ret=0
 dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
@ -20,12 +20,17 @@ pytestmark = pytest.mark.extra_artifacts(
        "dig.out.*",
        "dnssectools.out.*",
        "dsfromkey.out.*",
+        "dsset-*",
        "keygen*.err*",
        "named.secroots.*",
        "nsupdate.out.*",
        "python.out.*",
        "rndc.out.*",
+        "signer.out.*",
+        "signer.err.*",
        "signing.out.*",
+        "verify.out.*",
+        "verify.err.*",
        "*/K*",
        "*/dsset-*",
        "*/managed.conf",
@ -154,6 +159,8 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns6/optout-tld.db",
        "ns7/split-rrsig.db",
        "ns7/split-rrsig.db.unsplit",
+        "signer/bad.db",
+        "signer/example.com",
        "signer/example.db",
        "signer/example.db.after",
        "signer/example.db.before",