Test purge-keys with views

Create a test scenario where a signed zone is in multiple views and then a key may be purged. This is a bug case where the key files are removed by one view and then the other view starts complaining.
2026-06-11 07:40:00 -04:00 · 2025-06-03 14:38:28 +02:00 · 2025-06-03 14:38:28 +02:00 · 752d8617f5
commit 752d8617f5
parent 119f511a45
5 changed files with 111 additions and 0 deletions
--- a/bin/tests/system/kasp/ns4/named.conf.in
+++ b/bin/tests/system/kasp/ns4/named.conf.in
@ -13,6 +13,8 @@

 // NS4

+include "purgekeys.conf";
+
 key rndc_key {
 	secret "1234abcd8765";
 	algorithm @DEFAULT_HMAC@;
@ -154,6 +156,12 @@ view "example1" {
 		inline-signing no;
 		file "example1.db";
 	};
+
+	zone "purgekeys.kasp" {
+		type primary;
+		file "purgekeys.kasp.example1.db";
+		dnssec-policy "purgekeys";
+	};
 };

 view "example2" {
@ -163,6 +171,12 @@ view "example2" {
 		type primary;
 		file "example2.db";
 	};
+
+	zone "purgekeys.kasp" {
+		type primary;
+		file "purgekeys.kasp.example2.db";
+		dnssec-policy "purgekeys";
+	};
 };

 view "example3" {
--- a/bin/tests/system/kasp/ns4/purgekeys1.conf
+++ b/bin/tests/system/kasp/ns4/purgekeys1.conf
@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "purgekeys" {
+	keys {
+		ksk key-directory lifetime 0 algorithm 13;
+		zsk key-directory lifetime P30D algorithm 13;
+	};
+	/*
+	 * Initially set to 0, so no keys are purged. Keys that are no longer
+	 * in use will still be in the zone's keyring, one per view. After
+	 * reconfig the purge-keys value is set to 7 days, at least one key
+	 * will be eligible for purging, and should be purged from both
+	 * keyrings without issues.
+	 */
+	purge-keys 0;
+	//purge-keys P7D;
+};
--- a/bin/tests/system/kasp/ns4/purgekeys2.conf
+++ b/bin/tests/system/kasp/ns4/purgekeys2.conf
@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "purgekeys" {
+	keys {
+		ksk key-directory lifetime 0 algorithm 13;
+		zsk key-directory lifetime P30D algorithm 13;
+	};
+	//purge-keys 0;
+	purge-keys P7D;
+};
--- a/bin/tests/system/kasp/ns4/setup.sh
+++ b/bin/tests/system/kasp/ns4/setup.sh
@ -30,3 +30,22 @@ done

 cp example1.db.in example1.db
 cp example2.db.in example2.db
+
+# Regression test for GL #5315
+cp purgekeys1.conf purgekeys.conf
+cp example1.db.in purgekeys.kasp.example1.db
+cp example2.db.in purgekeys.kasp.example2.db
+
+zone="purgekeys.kasp"
+H="HIDDEN"
+O="OMNIPRESENT"
+T="now-9mo"
+# KSK omnipresent
+KSK=$($KEYGEN -fk -a 13 -L 3600 $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+# ZSK omnipresent
+ZSK1=$($KEYGEN -a 13 -L 3600 $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK1" >settime.out.$zone.2 2>&1
+# ZSK hidden (may be purged)
+ZSK2=$($KEYGEN -a 13 -L 3600 $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $H $T -z $H $T "$ZSK2" >settime.out.$zone.2 2>&1
--- a/bin/tests/system/kasp/tests_kasp.py
+++ b/bin/tests/system/kasp/tests_kasp.py
@ -78,6 +78,8 @@ pytestmark = pytest.mark.extra_artifacts(
        "ns*/policies/*.conf",
        "ns3/legacy-keys.*",
        "ns3/dynamic-signed-inline-signing.kasp.db.signed.signed",
+        "ns4/purgekeys.conf",
+        "ns4/purgekeys2.conf",
    ]
 )

@ -1566,6 +1568,33 @@ def test_kasp_zsk_retired(servers):
    server.log.prohibit(msg)


+def test_kasp_purge_keys(servers):
+    zone = "purgekeys.kasp"
+    server = servers["ns4"]
+
+    tsig1 = (
+        f"{os.environ['DEFAULT_HMAC']}:keyforview1:{KASP_INHERIT_TSIG_SECRET['view1']}"
+    )
+    tsig2 = (
+        f"{os.environ['DEFAULT_HMAC']}:keyforview2:{KASP_INHERIT_TSIG_SECRET['view2']}"
+    )
+
+    isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig1)
+    isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig2)
+
+    # Reconfig, make sure the purged key is not an issue when verifying keys.
+    shutil.copyfile("ns4/purgekeys2.conf", "ns4/purgekeys.conf")
+    with server.watch_log_from_here() as watcher:
+        server.rndc("reconfig", log=False)
+        watcher.wait_for_line(f"keymgr: {zone} done")
+
+    msg = f"zone {zone}/IN/example1 (signed): zone_rekey:zone_verifykeys failed: some key files are missing"
+    server.log.prohibit(msg)
+
+    msg = f"zone {zone}/IN/example2 (signed): zone_rekey:zone_verifykeys failed: some key files are missing"
+    server.log.prohibit(msg)
+
+
 def test_kasp_reload_restart(servers):
    server = servers["ns6"]
    zone = "example"