Add a test case for non-SEP CSK migration

A zone with a single key without the SEP bit set must also be assumed
to be a CSK.

bin/tests/system/keymgr2kasp/ns3/named.conf.in

@@ -51,6 +51,14 @@ zone "csk.kasp" {
 	dnssec-dnskey-kskonly no;
 };
 
+zone "csk-nosep.kasp" {
+	type primary;
+	file "csk-nosep.kasp.db";
+	auto-dnssec maintain;
+	allow-update { any; };
+	dnssec-dnskey-kskonly no;
+};
+
 zone "rumoured.kasp" {
 	type primary;
 	file "rumoured.kasp.db";

bin/tests/system/keymgr2kasp/ns3/named2.conf.in

@@ -49,6 +49,13 @@ zone "csk.kasp" {
 	dnssec-policy "default";
 };
 
+zone "csk-nosep.kasp" {
+	type primary;
+	file "csk-nosep.kasp.db";
+	allow-update { any; };
+	dnssec-policy "default";
+};
+
 zone "rumoured.kasp" {
 	type primary;
 	file "rumoured.kasp.db";

bin/tests/system/keymgr2kasp/ns3/setup.sh

@@ -39,7 +39,7 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
-# Set up a Single-Type Signing Scheme zone with auto-dnssec maintain to
+# Set up Single-Type Signing Scheme zones with auto-dnssec maintain to
 # migrate to dnssec-policy. This is a zone that has 'update-check-ksk no;'
 # configured, meaning the zone is signed with a single CSK.
 setup csk.kasp
@@ -50,6 +50,14 @@ cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
 $SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
+setup csk-nosep.kasp
+echo "$zone" >> zones
+csktimes="-P now -A now -P sync now"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2> keygen.out.$zone.1)
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
 # time the existing keys do not match the policy.  The existing keys are
 # RSASHA1 keys, and will be migrated to a dnssec-policy that dictates

bin/tests/system/keymgr2kasp/tests.sh

@@ -152,7 +152,9 @@ set_server "ns3" "10.53.0.3"
 
 key_clear        "KEY1"
 key_set          "KEY1" "LEGACY" "yes"
-set_keyrole      "KEY1" "csk"
+set_keyrole      "KEY1" "ksk"
+# This key also acts as a ZSK.
+key_set          "KEY1" "ZSK" "yes"
 set_keylifetime  "KEY1" "none"
 set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
 set_keysigning   "KEY1" "yes"
@@ -184,6 +186,49 @@ dnssec_verify
 # Remember legacy key tags.
 _migrate_csk=$(key_get KEY1 ID)
 
+#
+# Testing a good migration (CSK, no SEP).
+#
+set_zone "csk-nosep.kasp"
+set_policy "none" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear        "KEY1"
+key_set          "KEY1" "LEGACY" "yes"
+set_keyrole      "KEY1" "zsk"
+# Despite the missing SEP bit, this key also acts as a KSK.
+key_set          "KEY1" "KSK" "yes"
+set_keylifetime  "KEY1" "none"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Make sure the zone is signed with legacy key.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# The key is immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED"   "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE"      "${_created}"
+
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_migrate_csk_nosep=$(key_get KEY1 ID)
+
 #
 # Testing key states derived from key timing metadata (rumoured).
 #
@@ -461,6 +506,57 @@ ret=0
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+#
+# Testing a good migration (CSK, no SEP).
+#
+set_zone "csk-nosep.kasp"
+set_policy "default" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear        "KEY1"
+key_set          "KEY1" "LEGACY" "no"
+set_keyrole      "KEY1" "csk"
+key_set          "KEY1" "FLAGS" "256"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The key was immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED"   "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE"      "${_created}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
+ret=0
+[ $_migrate_csk_nosep = $(key_get KEY1 ID) ] || log_error "mismatch csk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 #
 # Test migration to dnssec-policy, existing keys do not match key algorithm.
 #