[master] tag initializing keys so they can't be used for normal validation

4773. [bug] Keys specified in "managed-keys" statements can now only be used when validating key refresh queries during initialization of RFC 5011 key maintenance. If initialization fails, DNSSEC validation of normal queries will also fail. Previously, validation of normal queries could succeed using the initializing key, potentially masking problems with managed-keys. [RT #46077]
2017-10-11 21:01:13 -07:00
parent 77c7d1c555
commit 560d8b833e
24 changed files with 378 additions and 128 deletions
--- a/bin/tests/system/mkeys/README
+++ b/bin/tests/system/mkeys/README
@@ -16,17 +16,8 @@ is used so it will send TAT queries once per second.

 ns3 is a validator with a broken key in managed-keys.

-Tests TODO:
-
- initial working KSK
-
-TODO: test using delv with new trusted key too
-
- introduce a REVOKE bit
-
- later remove a signature
-
- corrupt a signature
-
-TODO: also same things with dlv auto updates of trust anchor
+ns4 is a validator with a deliberately broken managed-keys.bind and
+managed-keys.jnl, causing RFC 5011 initialization to fail.

+ns5 is a validator which is prevented from getting a response from the
+root server, causing key refresh queries to fail.