wait for remove-dnskeys to be transfered

bin/tests/system/inline/clean.sh

@@ -100,3 +100,5 @@ rm -f ns*/named.lock
 rm -f dig.out.*
 rm -f ns3/nzf-*
 rm -f rndc.out.ns*
+rm -f ns3/remove-dnskeys.db*
+rm -rf ns3/oldkeys

bin/tests/system/inline/ns1/root.db.in

@@ -4,8 +4,6 @@
 ; License, v. 2.0. If a copy of the MPL was not distributed with this
 ; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-; $Id: root.db.in,v 1.8 2012/02/23 06:53:15 marka Exp $
-
 $TTL 300
 . 			IN SOA	gson.nominum.com. a.root.servers.nil. (
 				2000042100   	; serial
@@ -54,3 +52,6 @@ ns3.inactiveksk.	A	10.53.0.3
 
 inactivezsk.		NS	ns3.inactivezsk.
 ns3.inactivezsk.	A	10.53.0.3
+
+remove-dnskeys		NS	ns3.remove-dnskeys
+ns3.remove-dnskeys	A	10.53.0.3

bin/tests/system/inline/ns2/named.conf

@@ -6,8 +6,6 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 
-/* $Id: named.conf,v 1.4 2012/02/23 07:09:28 tbox Exp $ */
-
 // NS2
 
 include "../../common/rndc.key";
@@ -65,3 +63,9 @@ zone "inactivezsk" {
 	file "inactivezsk.db";
 	allow-update { any; };
 };
+
+zone "remove-dnskeys" {
+	type master;
+	file "remove-dnskeys.db";
+	allow-update { any; };
+};

bin/tests/system/inline/ns2/remove-dnskeys.db

@@ -0,0 +1,23 @@
+; Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+
+; NOTE: This zone's data has been crafted in order to reproduce a very specific
+; scenario (see ns7/named.conf for more details).  Please do not modify this
+; file.
+
+$TTL 300	; 5 minutes
+@			IN SOA	ns2 . (
+				1 ; serial
+				20         ; refresh (20 seconds)
+				20         ; retry (20 seconds)
+				1814400    ; expire (3 weeks)
+				3600       ; minimum (1 hour)
+				)
+			NS	ns3
+ns2			A	10.53.0.2
+ns3			A	10.53.0.3
+foo			A	1.2.3.4
+bar			A	5.6.7.8

bin/tests/system/inline/ns3/named.conf

@@ -6,8 +6,6 @@
  * file, You can obtain one at http://mozilla.org/MPL/2.0/.
  */
 
-/* $Id: named.conf,v 1.8 2012/02/23 06:53:15 marka Exp $ */
-
 // NS3
 
 include "../../common/rndc.key";
@@ -129,3 +127,12 @@ zone "inactivezsk" {
 	auto-dnssec maintain;
 	file "inactivezsk.bk";
 };
+
+
+zone "remove-dnskeys" {
+	type slave;
+	masters { 10.53.0.2; };
+	inline-signing yes;
+	auto-dnssec maintain;
+	file "remove-dnskeys.db";
+};

bin/tests/system/inline/ns3/sign.sh

@@ -93,6 +93,15 @@ keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA256 -b 1024 -n zone -f KSK $zone`
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 
+zone=remove-dnskeys
+rm -f K${zone}.+*+*.key
+rm -f K${zone}.+*+*.private
+keyname=`$KEYGEN -q -r $RANDFILE -a 8 -b 1024 -n zone -P now -A now $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a 8 -b 1024 -n zone -P now -A now-2d -I now-1d $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a 8 -b 1024 -n zone -P now -A now-3d -I now-2d $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a 8 -b 1024 -n zone -f KSK $zone`
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
+
 for s in a c d h k l m q z
 do
 	zone=test-$s

bin/tests/system/inline/tests.sh

@@ -15,7 +15,6 @@ status=0
 n=0
 
 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1
-
 for i in 1 2 3 4 5 6 7 8 9 0
 do
 	nsec3param=`$DIG +short @10.53.0.3 -p 5300 nsec3param nsec3.`
@@ -23,6 +22,14 @@ do
 	sleep 1
 done
 
+for i in 1 2 3 4 5 6 7 8 9 0
+do
+	l=`$DIG +short @10.53.0.3 -p 5300 soa remove-dnskeys | wc -l`
+	test $l -eq 1 && break
+	sleep 1
+done
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 signing -nsec3param 1 0 10 4B41524C remove-dnskeys > /dev/null 2>&1
+
 # Loop until retransfer3 has been transferred.
 for i in 1 2 3 4 5 6 7 8 9 0
 do
@@ -43,7 +50,7 @@ echo "I:checking that rrsigs are replaced with ksk only ($n)"
 ret=0
 $DIG @10.53.0.3 -p 5300 axfr nsec3. |
 	awk '/RRSIG NSEC3/ {a[$1]++} END { for (i in a) {if (a[i] != 1) exit (1)}}' || ret=1
-#$DIG @10.53.0.3 -p 5300 axfr nsec3. | grep -w NSEC | grep -v "IN.RRSIG.NSEC" 
+#$DIG @10.53.0.3 -p 5300 axfr nsec3. | grep -w NSEC | grep -v "IN.RRSIG.NSEC"
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
@@ -450,7 +457,7 @@ EOF
 [ -f ns3/dynamic.db.jnl ] || { ret=1 ; echo "I:journal does not exist (posttest)" ; }
 
 for i in 1 2 3 4 5 6 7 8 9 10
-do 
+do
 	ans=0
 	$DIG $DIGOPTS @10.53.0.3 -p 5300 e.dynamic > dig.out.ns3.test$n
 	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
@@ -645,7 +652,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I:checking rndc freeze/thaw of dynamic inline zone ($n)"
 ret=0
-$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze dynamic > freeze.test$n 2>&1 || ret=1 
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 freeze dynamic > freeze.test$n 2>&1 || ret=1
 sleep 1
 awk '$2 == ";" && $3 == "serial" { printf("%d %s %s\n", $1 + 1, $2, $3); next; }
      { print; }
@@ -1090,8 +1097,8 @@ ret=0
 $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 zonestatus master > rndc.out.ns3.test$n
 grep "type: master" rndc.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
-
 status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo "I:check that zonestatus reports 'type: slave' for a inline slave zone ($n)"
 ret=0
@@ -1100,5 +1107,54 @@ grep "type: slave" rndc.out.ns3.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo "I:test DNSKEY removal using dnssec-settime ($n)"
+ret=0
+echo "before"
+$DIG -p 5300 axfr remove-dnskeys @10.53.0.3 | awk '$4 == "NSEC3" {print}'
+keys=`$DIG -p 5300 dnskey remove-dnskeys @10.53.0.3 +rrcomments |
+      awk '$4 == "DNSKEY" && $5 == 256 { printf "%05u\n", $NF }'`
+zsk=`$DIG -p 5300 soa remove-dnskeys @10.53.0.3 +dnssec |
+     awk '$4 == "RRSIG" && $5 == "SOA" { printf "%05u\n", $11 }'`
+for key in $keys -
+do
+	test "$key" = "$zsk" && continue
+	test "$key" = - && continue
+	$SETTIME -K ns3 -I +0 -D +0 Kremove-dnskeys.+008+$key
+done
+$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 loadkeys remove-dnskeys > /dev/null 2>&1
+mkdir -p ns3/oldkeys
+for key in $keys -
+do
+	test "$key" = "$zsk" && continue
+	test "$key" = - && continue
+	mv -f ns3/Kremove-dnskeys.+008+$key.key ns3/Kremove-dnskeys.+008+$key.private ns3/oldkeys
+done
+# wait for DNSKEY records to be removed
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	l=`$DIG -p 5300 dnskey remove-dnskeys @10.53.0.3 | awk '$4 == "DNSKEY" { print }' | wc -l`
+	test $l -le 2 && break
+done
+test $l -gt 2 && ret=1
+echo "after"
+# wait for TYPE65534 records to be removed
+$DIG -p 5300 axfr remove-dnskeys @10.53.0.3 | awk '$4 == "NSEC3" {print}'
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	l=`$DIG -p 5300 TYPE65534 remove-dnskeys @10.53.0.3 | awk '$4 == "TYPE65534" { print }' | wc -l`
+	test $l -eq 0 && break
+done
+echo "post"
+$DIG -p 5300 axfr remove-dnskeys @10.53.0.3 | awk '$4 == "NSEC3" {print}'
+# check the NSEC3 TTLs. they should all be 3600.
+l=`$DIG -p 5300 axfr remove-dnskeys @10.53.0.3 | awk '$4 == "NSEC3" && $2 == 3600 {print $2}' | sort -u | wc -l`
+test $l -eq 1 || ret=1
+l=`$DIG -p 5300 axfr remove-dnskeys @10.53.0.3 | awk '$4 == "NSEC3" && $2 != 3600 {print $2}' | sort -u | wc -l`
+test $l -eq 0 || ret=1
+set +x
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1