From 26b3ca7acf43141dc77de1dd4d4fa4c79ddf9211 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 20 May 2020 14:20:29 +1000
Subject: [PATCH] Check that delv supports deprecated trusted-keys
---
 bin/tests/system/conf.sh.common | 7 +++++++
 bin/tests/system/dnssec/ns1/sign.sh | 2 ++
 bin/tests/system/dnssec/tests.sh | 9 +++++++++
 3 files changed, 18 insertions(+)
diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common
index f6596deb0e..5970f8e8da 100644
--- a/bin/tests/system/conf.sh.common
+++ b/bin/tests/system/conf.sh.common
@@ -292,6 +292,13 @@ keyfile_to_dskeys() {
 echo "};"
 }
 
+# keyfile_to_trusted_keys: convert key data contained in the keyfile(s)
+# provided to a "trust-keys" section suitable for including in a
+# resolver's configuration file
+keyfile_to_trusted_keys() {
+ keyfile_to_keys "trusted-keys" "" $*
+}
+
 # keyfile_to_static_keys: convert key data contained in the keyfile(s)
 # provided to a *static-key* "trust-anchors" section suitable for including in
 # a resolver's configuration file
diff --git a/bin/tests/system/dnssec/ns1/sign.sh b/bin/tests/system/dnssec/ns1/sign.sh
index 66254b7cfe..5882789500 100644
--- a/bin/tests/system/dnssec/ns1/sign.sh
+++ b/bin/tests/system/dnssec/ns1/sign.sh
@@ -46,6 +46,8 @@ cp trusted.conf ../ns6/trusted.conf
 cp trusted.conf ../ns7/trusted.conf
 cp trusted.conf ../ns9/trusted.conf
 
+keyfile_to_trusted_keys "$ksk" > trusted.keys
+
 # ...or with an initializing key.
 keyfile_to_initial_ds "$ksk" > managed.conf
 cp managed.conf ../ns4/managed.conf
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 9d7597c8e2..84e4ad627b 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
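Review bot: The new header comment on `keyfile_to_trusted_keys` in conf.sh.common names a "trust-keys" section, but the function emits `trusted-keys`, and the comment does not say that this statement is deprecated. I would word the second comment line as `# provided to a deprecated "trusted-keys" section suitable for including in a`, so the helper is not picked up for new tests by mistake. The body also passes `$*` unquoted, so a keyfile name containing whitespace or glob characters would be split; `keyfile_to_keys "trusted-keys" "" "$@"` avoids that, assuming `keyfile_to_keys` (not visible here) takes one keyfile per argument.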
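Review bot: The added `keyfile_to_trusted_keys "$ksk" > trusted.keys` line in dnssec/ns1/sign.sh carries no comment, and it sits between the trusted.conf copies and the "...or with an initializing key" comment, so a reader cannot tell which consumer needs the file. A line such as `# Also write the key as deprecated trusted-keys, read by delv -a in tests.sh.` would tie it to the new check. The diffstat lists only three files, so if this test suite keeps a list of generated files to remove between runs, `ns1/trusted.keys` probably needs adding there as well.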
@@ -205,6 +205,15 @@ if [ -x ${DELV} ] ; then
 n=$((n+1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+
+ ret=0
+ echo_i "checking positive validation NSEC using dns_client (trusted-keys) ($n)"
+ "$DELV" -a ns1/trusted.keys -p "$PORT" @10.53.0.4 a a.example > delv.out$n || ret=1
+ grep "a.example..*10.0.0.1" delv.out$n > /dev/null || ret=1
+ grep "a.example..*.RRSIG.A [0-9][0-9]* 2 300 .*" delv.out$n > /dev/null || ret=1
+ n=$((n+1))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
 fi
 
 echo_i "checking positive validation NSEC3 ($n)"
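Review bot: The two added `grep` patterns in tests.sh leave their dots unescaped, so `10.0.0.1` matches any character in those positions and the assertion is looser than it reads. For a positive-validation check I would write `grep "a\.example\..*10\.0\.0\.1" delv.out$n > /dev/null || ret=1` and escape the RRSIG pattern the same way. The greps only confirm that the records were printed; the proof that the answer validated against `ns1/trusted.keys` presumably rests on delv's exit status, which deserves a one-line comment above the `"$DELV"` call. The enclosing `if [ -x ${DELV} ]` block starts outside the hunk, so this check is skipped whenever `${DELV}` is not executable.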