[master] fixed revoked key regression

4436. [bug] Fixed a regression introduced in change #4337 which caused signed domains with revoked KSKs to fail validation. [RT #42147]
2016-04-14 18:52:52 -07:00
parent fb7e1d0e71
commit 3cd204c4a4
9 changed files with 66 additions and 6 deletions
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -872,6 +872,25 @@ if [ -x ${DELV} ] ; then
   status=`expr $status + $ret`
 fi

+echo "I:checking that validation succeeds when a revoked key is encountered ($n)"
+ret=0
+$DIG $DIGOPTS revkey.example soa @10.53.0.4 > dig.out.ns4.test$n || ret=1
+grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1
+grep "flags: .* ad" dig.out.ns4.test$n > /dev/null || ret=1
+n=`expr $n + 1`
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+if [ -x ${DELV} ] ; then
+   ret=0
+   echo "I:checking that validation succeeds when a revoked key is encountered using dns_client ($n)"
+   $DELV $DELVOPTS +cd @10.53.0.4 soa revkey.example > delv.out$n 2>&1 || ret=1
+   grep "fully validated" delv.out$n > /dev/null || ret=1
+   n=`expr $n + 1`
+   if [ $ret != 0 ]; then echo "I:failed"; fi
+   status=`expr $status + $ret`
+fi
+
 echo "I:Checking that a bad CNAME signature is caught after a +CD query ($n)"
 ret=0
 #prime