Test 'rndc dnssec -checkds' on multiple zones

Make sure the 'checkds' command correctly sets the right key timing metadata and also make sure that it rejects setting the key timing metadata if there are multiple keys with the KSK role and no key identifier is provided.
2026-03-27 04:43:08 -04:00 · 2020-07-31 11:13:53 +02:00 · 2020-07-31 11:13:53 +02:00 · a43bb41909
commit a43bb41909
parent a25f49f153
4 changed files with 85 additions and 30 deletions
--- a/bin/tests/system/kasp/ns3/named.conf.in
+++ b/bin/tests/system/kasp/ns3/named.conf.in
@ -45,6 +45,27 @@ zone "default.kasp" {
 	dnssec-policy "default";
 };

+/* checkds: Zone with one KSK. */
+zone "checkds-ksk.kasp" {
+	type primary;
+	file "checkds-ksk.kasp.db";
+	dnssec-policy "checkds-ksk";
+};
+
+/* checkds: Zone with two KSKs. */
+zone "checkds-doubleksk.kasp" {
+	type primary;
+	file "checkds-doubleksk.kasp.db";
+	dnssec-policy "checkds-doubleksk";
+};
+
+/* checkds: Zone with one CSK. */
+zone "checkds-csk.kasp" {
+	type primary;
+	file "checkds-csk.kasp.db";
+	dnssec-policy "checkds-csk";
+};
+
 /* Key lifetime unlimited. */
 zone "unlimited.kasp" {
 	type primary;
--- a/bin/tests/system/kasp/ns3/policies/kasp.conf
+++ b/bin/tests/system/kasp/ns3/policies/kasp.conf
@ -76,3 +76,30 @@ dnssec-policy "ecdsa384" {
 		zsk key-directory lifetime P1Y  algorithm 14 384;
 	};
 };
+
+dnssec-policy "checkds-ksk" {
+	dnskey-ttl 303;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm 13;
+		zsk key-directory lifetime unlimited algorithm 13;
+	};
+};
+
+dnssec-policy "checkds-doubleksk" {
+	dnskey-ttl 303;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm 13;
+		ksk key-directory lifetime unlimited algorithm 13;
+		zsk key-directory lifetime unlimited algorithm 13;
+	};
+};
+
+dnssec-policy "checkds-csk" {
+	dnskey-ttl 303;
+
+	keys {
+		csk key-directory lifetime unlimited algorithm 13;
+	};
+};
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@ -53,7 +53,7 @@ U="UNRETENTIVE"
 for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \
 	  rumoured rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 \
 	  dynamic dynamic-inline-signing inline-signing \
-	  inherit unlimited
+	  checkds-ksk checkds-doubleksk checkds-csk inherit unlimited
 do
 	setup "${zn}.kasp"
 	cp template.db.in "$zonefile"
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@ -960,35 +960,6 @@ check_dnssecstatus() {
 	status=$((status+ret))
 }

-_loadkeys_on() {
-	_server=$1
-	_dir=$2
-	_zone=$3
-
-	nextpart $_dir/named.run > /dev/null
-	rndccmd $_server loadkeys $_zone in $_view > rndc.dnssec.loadkeys.out.$_zone.$n
-	wait_for_log 20 "zone ${_zone}/IN (signed): next key event" $_dir/named.run || return 1
-}
-
-# Tell named that the DS for the key in given zone has been seen in the
-# parent (this does not actually has to be true, we just issue the command
-# to make named believe it can continue with the rollover).
-rndc_checkds() {
-	_server=$1
-	_dir=$2
-	_keyid=$3
-	_when=$4
-	_what=$5
-	_zone=$6
-	_view=$7
-
-	echo_i "calling checkds $_what key ${_keyid} zone ${_zone} ($n)"
-
-	rndccmd $_server dnssec -checkds -key $_keyid -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed"
-	_loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
-}
-
-
 # Check if RRset of type $1 in file $2 is signed with the right keys.
 # The right keys are the ones that expect a signature and matches the role $3.
 check_signatures() {
@ -1201,6 +1172,42 @@ check_subdomain() {
 	status=$((status+ret))
 }

+#
+# rndc dnssec -checkds
+#
+_loadkeys_on() {
+	_server=$1
+	_dir=$2
+	_zone=$3
+
+	nextpart $_dir/named.run > /dev/null
+	rndccmd $_server loadkeys $_zone in $_view > rndc.dnssec.loadkeys.out.$_zone.$n
+	wait_for_log 20 "zone ${_zone}/IN (signed): next key event" $_dir/named.run || return 1
+}
+
+# Tell named that the DS for the key in given zone has been seen in the
+# parent (this does not actually has to be true, we just issue the command
+# to make named believe it can continue with the rollover).
+rndc_checkds() {
+	_server=$1
+	_dir=$2
+	_keyid=$3
+	_when=$4
+	_what=$5
+	_zone=$6
+	_view=$7
+
+	echo_i "calling checkds $_what key ${_keyid} zone ${_zone} ($n)"
+
+	if [ "${_keyid}" = "-" ]; then
+		rndccmd $_server dnssec -checkds -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed"
+	else
+		rndccmd $_server dnssec -checkds -key $_keyid -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed"
+	fi
+
+	_loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
+}
+
 #
 # Zone: default.kasp.
 #