Add more multisigner tests

A zone in multisigner model 2 should also be possible to publish the CDS and CDNSKEY records from their KSK into the zone operated by the other provider.
2022-10-05 17:11:50 +02:00
parent b493c8505e
commit a565cb9c31
2 changed files with 131 additions and 11 deletions
--- a/bin/tests/system/multisigner/tests.sh
+++ b/bin/tests/system/multisigner/tests.sh
@@ -74,6 +74,19 @@ check_keytimes
 check_apex
 dnssec_verify

+set_server "ns4" "10.53.0.4"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_model2
+check_keytimes
+check_apex
+dnssec_verify
+
+
+#
+# Update DNSKEY RRset.
+#
+
 # Check that the ZSKs from the other provider are published.
 zsks_are_published() {
 	dig_with_opts "$ZONE" "@${SERVER}" DNSKEY > "dig.out.$DIR.test$n" || return 1
@@ -88,9 +101,10 @@ zsks_are_published() {
 n=$((n+1))
 echo_i "update zone ${ZONE} at ns3 with ZSK from provider ns4"
 ret=0
+set_server "ns3" "10.53.0.3"
 (
-echo zone ${ZONE}
-echo server 10.53.0.3 "$PORT"
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
 echo update add $(cat "ns4/${ZONE}.zsk")
 echo send
 ) | $NSUPDATE
@@ -101,20 +115,14 @@ status=$((status+ret))
 # Verify again.
 dnssec_verify

-set_server "ns4" "10.53.0.4"
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_model2
-check_keytimes
-check_apex
-dnssec_verify

 n=$((n+1))
 echo_i "update zone ${ZONE} at ns4 with ZSK from provider ns3"
 ret=0
+set_server "ns4" "10.53.0.4"
 (
-echo zone ${ZONE}
-echo server 10.53.0.4 "$PORT"
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
 echo update add $(cat "ns3/${ZONE}.zsk")
 echo send
 ) | $NSUPDATE
@@ -125,5 +133,115 @@ status=$((status+ret))
 # Verify again.
 dnssec_verify

+
+#
+# Update CDNSKEY RRset.
+#
+
+# Check that the CDNSKEY from both providers are published.
+records_published() {
+	_rrtype=$1
+	_expect=$2
+
+	dig_with_opts "$ZONE" "@${SERVER}" "${_rrtype}" > "dig.out.$DIR.test$n" || return 1
+	lines=$(awk -v rt="${_rrtype}" '$4 == rt {print}' dig.out.$DIR.test$n | wc -l)
+	test "$lines" -eq "$_expect" || return 1
+}
+
+# Retrieve CDNSKEY records from the other provider.
+dig_with_opts ${ZONE} @10.53.0.3 CDNSKEY > dig.out.ns3.cdnskey
+awk '$4 == "CDNSKEY" {print}' dig.out.ns3.cdnskey > cdnskey.ns3
+dig_with_opts ${ZONE} @10.53.0.4 CDNSKEY > dig.out.ns4.cdnskey
+awk '$4 == "CDNSKEY" {print}' dig.out.ns4.cdnskey > cdnskey.ns4
+
+n=$((n+1))
+echo_i "update zone ${ZONE} at ns3 with CDNSKEY from provider ns4"
+ret=0
+set_server "ns3" "10.53.0.3"
+# Initially there should be one CDNSKEY.
+retry_quiet 10 records_published CDNSKEY 1 || ret=1
+(
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
+echo update add $(cat "cdnskey.ns4")
+echo send
+) | $NSUPDATE
+# Now there should be two CDNSKEY records (we test that BIND does not
+# skip it during DNSSEC maintenance).
+echo_i "check zone ${ZONE} CDNSKEY RRset after update ($n)"
+retry_quiet 10 records_published CDNSKEY 2 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+
+n=$((n+1))
+echo_i "update zone ${ZONE} at ns4 with CDNSKEY from provider ns3"
+ret=0
+set_server "ns4" "10.53.0.4"
+# Initially there should be one CDNSKEY.
+retry_quiet 10 records_published CDNSKEY 1 || ret=1
+(
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
+echo update add $(cat "cdnskey.ns3")
+echo send
+) | $NSUPDATE
+# Now there should be two CDNSKEY records (we test that BIND does not
+# skip it during DNSSEC maintenance).
+echo_i "check zone ${ZONE} CDNSKEY RRset after update ($n)"
+retry_quiet 10 records_published CDNSKEY 2 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+
+#
+# Update CDS RRset.
+#
+
+# Retrieve CDS records from the other provider.
+dig_with_opts ${ZONE} @10.53.0.3 CDS > dig.out.ns3.cds
+awk '$4 == "CDS" {print}' dig.out.ns3.cds > cds.ns3
+dig_with_opts ${ZONE} @10.53.0.4 CDS > dig.out.ns4.cds
+awk '$4 == "CDS" {print}' dig.out.ns4.cds > cds.ns4
+
+n=$((n+1))
+echo_i "update zone ${ZONE} at ns3 with CDS from provider ns4"
+ret=0
+set_server "ns3" "10.53.0.3"
+# Initially there should be one CDS.
+retry_quiet 10 records_published CDS 1 || ret=1
+(
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
+echo update add $(cat "cds.ns4")
+echo send
+) | $NSUPDATE
+# Now there should be two CDS records (we test that BIND does not
+# skip it during DNSSEC maintenance).
+echo_i "check zone ${ZONE} CDS RRset after update ($n)"
+retry_quiet 10 records_published CDS 2 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+
+n=$((n+1))
+echo_i "update zone ${ZONE} at ns4 with CDS from provider ns3"
+ret=0
+set_server "ns4" "10.53.0.4"
+# Initially there should be one CDS.
+retry_quiet 10 records_published CDS 1 || ret=1
+(
+echo zone "${ZONE}"
+echo server "${SERVER}" "${PORT}"
+echo update add $(cat "cds.ns3")
+echo send
+) | $NSUPDATE
+# Now there should be two CDS records (we test that BIND does not
+# skip it during DNSSEC maintenance).
+echo_i "check zone ${ZONE} CDS RRset after update ($n)"
+retry_quiet 10 records_published CDS 2 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1