From 52abfa3e07e65ae6eb34aa3c3dbd0f9489f25da4 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 1 Apr 2026 11:11:55 +0200
Subject: [PATCH] Test dnssec tools using zone file basename as origin

Add test cases where dnssec-signzone and dnssec-verify use the zone file's basename as the origin when '-o' is omitted.

(cherry picked from commit 1251ae896c06c1a2e8c7953042f859847dacfa6b)
---
 .../system/dnssec/signer/general/test13.zone | 17 +++++++++
 bin/tests/system/dnssec/tests.sh | 36 +++++++++++++++++++
 bin/tests/system/dnssec/tests_sh_dnssec.py | 7 ++++
 3 files changed, 60 insertions(+)
 create mode 100644 bin/tests/system/dnssec/signer/general/test13.zone

diff --git a/bin/tests/system/dnssec/signer/general/test13.zone b/bin/tests/system/dnssec/signer/general/test13.zone
new file mode 100644
index 0000000000..3f2c7207f3
--- /dev/null
+++ b/bin/tests/system/dnssec/signer/general/test13.zone
@@ -0,0 +1,17 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+; This is a zone which has two DNSKEY records, both of which have
+; existing private key files available. They should be loaded automatically
+; and the zone correctly signed.
+;
+$TTL 3600
+example.com. IN SOA ns hostmaster 00090000 1200 3600 604800 300
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index a922baf69a..0ee960229a 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
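Review bot: The header comment in the new test13.zone says the zone "has two DNSKEY records", but the file holds only `$TTL 3600` and a single SOA record for example.com, so the comment appears to have been carried over from another fixture. A reader debugging a signing failure would look for keys in the zone that are not there. Suggested wording: `; This zone contains only an SOA record for example.com. It is used to check` / `; that the origin is taken from the zone file's basename when -o is omitted.`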
@@ -2137,6 +2137,42 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+echo_i "checking dnssec-signzone without -o and zone is in directory (incorrect basename) ($n)"
+ret=0
+cp signer/general/test13.zone signer/bad.db
+$SIGNER -O full -S signer/bad.db 2>signer.err.$n && ret=1
+grep "example.com: not at top of zone" signer.err.$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-signzone without -o and zone is in directory ($n)"
+ret=0
+cp signer/general/test13.zone signer/example.com
+$SIGNER -S -K signer/general -O full signer/example.com >signer.out.$n || ret=1
+test -f signer/example.com.signed
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-verify without -o and zone is in directory (incorrect basename) ($n)"
+ret=0
+$VERIFY signer/example.com.signed 2>verify.err.$n && ret=1
+grep "example.com: not at top of zone" verify.err.$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+echo_i "checking dnssec-verify without -o and zone is in directory ($n)"
+ret=0
+cp signer/example.com.signed signer/example.com
+$VERIFY signer/example.com >verify.out.$n || ret=1
+grep "Loading zone 'example.com' from file 'signer/example.com'" verify.out.$n >/dev/null || ret=1
+grep "Zone fully signed" verify.out.$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 echo_i "checking validated data are not cached longer than originalttl ($n)"
 ret=0
 dig_with_opts +ttl +noauth a.ttlpatch.example. @10.53.0.3 a >dig.out.ns3.test$n || ret=1
diff --git a/bin/tests/system/dnssec/tests_sh_dnssec.py b/bin/tests/system/dnssec/tests_sh_dnssec.py
index a824ee7ef9..e99434d9a0 100644
--- a/bin/tests/system/dnssec/tests_sh_dnssec.py
+++ b/bin/tests/system/dnssec/tests_sh_dnssec.py
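Review bot: In the second added case (dnssec-signzone without -o, matching basename) the line `test -f signer/example.com.signed` discards its exit status, so the case still passes when the signer exits 0 without writing the signed zone; it should read `test -f signer/example.com.signed || ret=1`. As written, a missing output file would only show up in the following dnssec-verify case, whose grep for "not at top of zone" would then fail and attribute the problem to the wrong step. Every other check in these four cases already feeds `ret`, so this looks like an omission rather than a deliberate best-effort check.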
@@ -20,12 +20,17 @@ pytestmark = pytest.mark.extra_artifacts(
 "dig.out.*",
 "dnssectools.out.*",
 "dsfromkey.out.*",
+ "dsset-*",
 "keygen*.err*",
 "named.secroots.*",
 "nsupdate.out.*",
 "python.out.*",
 "rndc.out.*",
+ "signer.out.*",
+ "signer.err.*",
 "signing.out.*",
+ "verify.out.*",
+ "verify.err.*",
 "*/K*",
 "*/dsset-*",
 "*/managed.conf",
@@ -154,6 +159,8 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns6/optout-tld.db",
 "ns7/split-rrsig.db",
 "ns7/split-rrsig.db.unsplit",
+ "signer/bad.db",
+ "signer/example.com",
 "signer/example.db",
 "signer/example.db.after",
 "signer/example.db.before",