add system tests covering EDE 7 and 8

Add DNSSEC system tests to cover extended DNS error 7 (Signature Expired) and 8 (Signature Not Yet Valid).
2026-04-22 14:49:20 -04:00 · 2025-03-12 10:53:33 +01:00 · 2025-03-12 10:53:33 +01:00 · e763d6637f
commit e763d6637f
parent 334ea1269f
2 changed files with 14 additions and 1 deletions
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@ -64,7 +64,7 @@ for subdomain in digest-alg-unsupported ds-unsupported secure badds \
  kskonly update-nsec3 auto-nsec auto-nsec3 secure.below-cname \
  ttlpatch split-dnssec split-smart expired expiring upper lower \
  dnskey-unknown dnskey-unsupported dnskey-unsupported-2 \
-  dnskey-nsec3-unknown managed-future revkey \
+  dnskey-nsec3-unknown managed-future future revkey \
  dname-at-apex-nsec3 occluded rsasha1 rsasha1-1024; do
  cp "../ns3/dsset-$subdomain.example." .
 done
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@ -2859,6 +2859,19 @@ dig_with_opts +noauth expired.example. +dnssec @10.53.0.4 soa >dig.out.ns4.test$
 grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
 grep "expired.example/.*: RRSIG has expired" ns4/named.run >/dev/null || ret=1
+grep "; EDE: 7 (Signature Expired): (expired.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
+status=$((status + ret))
+echo_i "checking signatures in the future do not validate ($n)"
+ret=0
+dig_with_opts +noauth future.example. +dnssec @10.53.0.4 soa >dig.out.ns4.test$n || ret=1
+grep "SERVFAIL" dig.out.ns4.test$n >/dev/null || ret=1
+grep "flags:.*ad.*QUERY" dig.out.ns4.test$n >/dev/null && ret=1
+grep "future.example/.*: RRSIG validity period has not begun" ns4/named.run >/dev/null || ret=1
+grep "; EDE: 8 (Signature Not Yet Valid): (future.example/DNSKEY)" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))