From 15601cca43bbca97a58fa084a2003aae91e7ba4f Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Mon, 18 Dec 2023 11:23:21 +1100
Subject: [PATCH] Regression check for missing RRSIGs

When transitioning from NSEC3 to NSEC the added records where not being signed because the wrong time was being used to determine if a key should be used or not. Check that these records are actually signed.

(cherry picked from commit bdb42d383887cb931ff543a231bc6b5b882a95b4)
---
 bin/tests/system/autosign/ns3/named.conf.in | 1 +
 bin/tests/system/autosign/tests.sh | 11 +++++++++++
 2 files changed, 12 insertions(+)

diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in
index 42a0fd618e..1f878e6737 100644
--- a/bin/tests/system/autosign/ns3/named.conf.in
+++ b/bin/tests/system/autosign/ns3/named.conf.in
@@ -167,6 +167,7 @@ zone "nsec3-to-nsec.example" {
 type primary;
 file "nsec3-to-nsec.example.db";
 allow-update { any; };
+ max-journal-size 10M;
 auto-dnssec maintain;
 };
 
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index 9c1d926d7c..516e121245 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -1793,5 +1793,16 @@ n=$((n + 1))
 if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
 
+echo_i "check that the startup change from NSEC3 to NSEC is properly signed ($n)"
+ret=0
+$JOURNALPRINT ns3/nsec3-to-nsec.example.db.jnl \
+ | awk 'BEGIN { count=0; ok=0 }
+$1 == "del" && $5 == "SOA" { count++; if (count == 2) { if (ok) { exit(0); } else { exit(1); } } }
+$1 == "add" && $5 == "RRSIG" && $6 == "TYPE65534" { ok=1 }
+' || ret=1
+n=$((n + 1))
+if [ "$ret" -ne 0 ]; then echo_i "failed"; fi
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
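Review bot: The new `max-journal-size 10M;` in the `nsec3-to-nsec.example` zone carries no comment saying why this one zone needs it, and the reason is only visible in tests.sh, where the added check reads `ns3/nsec3-to-nsec.example.db.jnl` with `$JOURNALPRINT`. Presumably the larger limit keeps the startup transactions from being compacted out of the journal before that check runs; that should be confirmed. If so, a comment above the option such as `/* keep the startup transactions in the journal for the journalprint check in tests.sh */` would stop a later cleanup from removing the setting and quietly weakening the regression test. The zone block starts above the hunk.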
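Review bot: The added awk check in tests.sh fails open. If the journal holds fewer than two `del` SOA records, or `$JOURNALPRINT` prints nothing because the `.jnl` file is missing or unreadable, awk reaches end of input without hitting either `exit` and returns 0. The test then reports success without ever having seen an `add` of an RRSIG covering TYPE65534, which is the signing regression it is meant to catch. Adding `END { if (count < 2) exit(1) }` to the awk program leaves the two explicit exits as they are and turns the no-data case into a failure. Because the pipeline's status is awk's alone, a non-zero exit from `$JOURNALPRINT` is also ignored; writing its output to a file and checking its status before running awk would cover that.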