Add test case for GL #4350

Add a test scenario for a dynamic zone that uses inline-signing which
accidentally has signed the raw version of the zone.

This should not trigger resign scheduling on the raw version of the
zone.

(cherry picked from commit c90b622648)

bin/tests/system/kasp/clean.sh

@@ -29,6 +29,7 @@ rm -f ns*/*.mkeys
 rm -f ns*/zones ns*/*.db.infile
 rm -f ns*/*.zsk1 ns*/*.zsk2
 rm -f ns3/legacy-keys.*
+rm -rf ns3/keys/
 rm -f *.created published.test* retired.test*
 rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.*
 rm -f python.out.*

bin/tests/system/kasp/ns3/named-fips.conf.in

@@ -146,6 +146,18 @@ zone "dynamic-inline-signing.kasp" {
 	inline-signing yes;
 };
 
+/*
+ * A dynamic inline-signed zone with dnssec-policy with DNSSEC records in the
+ * raw version of the zone.
+ */
+zone "dynamic-signed-inline-signing.kasp" {
+	type primary;
+	file "dynamic-signed-inline-signing.kasp.db.signed";
+	key-directory "keys";
+	dnssec-policy "default";
+	allow-update { any; };
+};
+
 /* An inline-signed zone with dnssec-policy. */
 zone "inline-signing.kasp" {
 	type primary;

bin/tests/system/kasp/ns3/setup.sh

@@ -164,6 +164,19 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
 cp $infile $zonefile
 $SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
+# We are signing the raw version of the zone here. This is unusual and not
+# common operation, but want to make sure that in such a case BIND 9 does not
+# schedule a resigning operation on the raw version. Add expired signatures so
+# a resign is imminent.
+setup dynamic-signed-inline-signing.kasp
+T="now-1d"
+csktimes="-P $T -A $T -P sync $T"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -d $O $T -k $O $T -z $O $T -r $O $T "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+cp $infile $zonefile
+$SIGNER -PS -z -x -s now-2w -e now-1mi -o $zone -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+
 # These signatures are set to expire long in the past, update immediately.
 setup expired-sigs.autosign
 T="now-6mo"

bin/tests/system/kasp/setup.sh

@@ -19,6 +19,7 @@ set -e
 $SHELL clean.sh
 
 mkdir keys
+mkdir ns3/keys
 
 copy_setports ns2/named.conf.in ns2/named.conf
 if ! $SHELL ../testcrypto.sh -q RSASHA1

bin/tests/system/kasp/tests.sh

@@ -487,6 +487,23 @@ retry_quiet 10 update_is_signed || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
+#
+# Zone: dynamic-signed-inline-signing.kasp
+#
+set_zone "dynamic-signed-inline-signing.kasp"
+set_dynamic
+set_policy "default" "1" "3600"
+set_server "ns3" "10.53.0.3"
+dnssec_verify
+# Ensure no zone_resigninc for the unsigned version of the zone is triggered.
+n=$((n+1))
+echo_i "check if resigning the raw version of the zone is prevented for zone ${ZONE} ($n)"
+ret=0
+grep "zone_resigninc: zone $ZONE/IN (unsigned): enter" $DIR/named.run && ret=1
+grep "error reading K$ZONE" $DIR/named.run && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 #
 # Zone: inline-signing.kasp
 #