diff --git a/bin/tests/system/dnssec/signer/general/test13.zone b/bin/tests/system/dnssec/signer/general/test13.zone
new file mode 100644
index 0000000000..3f2c7207f3
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test13.zone
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index a922baf69a..0ee960229a 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
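Review bot: The header comment in test13.zone says the zone "has two DNSKEY records", but the only record in the file is the SOA, so the comment does not describe this fixture. The second added tests.sh case signs it with `-S -K signer/general`, so the keys presumably come from that key directory rather than from the zone itself. Suggest rewording to something like `; This zone holds only an SOA; it is signed with -S using keys from the key directory and is used to check that the origin is taken from the file name.`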
@@ -2137,6 +2137,42 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+echo_i "checking dnssec-signzone without -o and zone is in directory (incorrect basename) ($n)"
+ret=0
+cp signer/general/test13.zone signer/bad.db
+$SIGNER -O full -S signer/bad.db 2>signer.err.$n && ret=1
+grep "example.com: not at top of zone" signer.err.$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone without -o and zone is in directory ($n)"
+ret=0
+cp signer/general/test13.zone signer/example.com
+$SIGNER -S -K signer/general -O full signer/example.com >signer.out.$n || ret=1
+test -f signer/example.com.signed
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-verify without -o and zone is in directory (incorrect basename) ($n)"
+ret=0
+$VERIFY signer/example.com.signed 2>verify.err.$n && ret=1
+grep "example.com: not at top of zone" verify.err.$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-verify without -o and zone is in directory ($n)"
+ret=0
+cp signer/example.com.signed signer/example.com
+$VERIFY signer/example.com >verify.out.$n || ret=1
+grep "Loading zone 'example.com' from file 'signer/example.com'" verify.out.$n >/dev/null || ret=1
+grep "Zone fully signed" verify.out.$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 echo_i "checking validated data are not cached longer than originalttl ($n)"
 ret=0
 dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
index a824ee7ef9..e99434d9a0 100644
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
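Review bot: In the second added case the result of `test -f signer/example.com.signed` is discarded, so a run where dnssec-signzone exits 0 without writing the signed zone still passes this check; the line should read `test -f signer/example.com.signed || ret=1`. The two dnssec-verify cases that follow read that file, so failing here points at the signing step instead of surfacing later as a grep mismatch. For a regression test of the signing tools, an assertion that cannot fail gives false confidence in the coverage.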
@@ -20,12 +20,17 @@ pytestmark = pytest.mark.extra_artifacts(
 "dig.out.*",
 "dnssectools.out.*",
 "dsfromkey.out.*",
+ "dsset-*",
 "keygen*.err*",
 "named.secroots.*",
 "nsupdate.out.*",
 "python.out.*",
 "rndc.out.*",
+ "signer.out.*",
+ "signer.err.*",
 "signing.out.*",
+ "verify.out.*",
+ "verify.err.*",
 "*/K*",
 "*/dsset-*",
 "*/managed.conf",
@@ -154,6 +159,8 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns6/optout-tld.db",
 "ns7/split-rrsig.db",
 "ns7/split-rrsig.db.unsplit",
+ "signer/bad.db",
+ "signer/example.com",
 "signer/example.db",
 "signer/example.db.after",
 "signer/example.db.before",