Add islands of trust to mkeys test

This adds an island of trust that is reachable from the root
where the trust anchors are added to island.conf.

This add an island of trust that is not reachable from the root
where the trust anchors are added to private.conf.

bin/tests/system/mkeys/clean.sh

@@ -12,17 +12,22 @@
 # information regarding copyright ownership.
 
 rm -f */K* */*.signed */trusted.conf */*.jnl */*.bk
+rm -f */island.conf
+rm -f */private.conf
 rm -f */managed*.conf ns1/managed.key ns1/managed.key.id
 rm -f */managed-keys.bind* */named.secroots
 rm -f */named.conf
-rm -f ns3/broken.conf
 rm -f */named.memstats */named.run */named.run.prev
 rm -f dig.out* delv.out* rndc.out* signer.out*
 rm -f dsset-. ns1/dsset-.
-rm -f ns1/zone.key
 rm -f ns*/managed-keys.bind*
 rm -f ns*/named.lock
+rm -f ns1/dsset-sub.tld.
+rm -f ns1/dsset-tld.
 rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
+rm -f ns1/zone.key
+rm -f ns3/broken.conf
+rm -f ns4/dsset-sub.foo.
 rm -f ns5/named.args
 rm -f ns7/view1.mkeys ns7/view2.mkeys
 rm -rf ns4/nope

bin/tests/system/mkeys/ns1/named1.conf.in

@@ -47,3 +47,13 @@ zone "." {
 	allow-update { any; };
 	auto-dnssec maintain;
 };
+
+zone "tld" {
+	type primary;
+	file "tld.db.signed";
+};
+
+zone "sub.tld" {
+	type primary;
+	file "sub.tld.db.signed";
+};

bin/tests/system/mkeys/ns1/named2.conf.in

@@ -45,3 +45,13 @@ zone "." {
 	type primary;
 	file "root.db.signed";
 };
+
+zone "tld" {
+	type primary;
+	file "tld.db.signed";
+};
+
+zone "sub.tld" {
+	type primary;
+	file "sub.tld.db.signed";
+};

bin/tests/system/mkeys/ns1/named3.conf.in

@@ -39,3 +39,13 @@ zone "." {
 	type primary;
 	file "root.db.signed";
 };
+
+zone "tld" {
+	type primary;
+	file "tld.db.signed";
+};
+
+zone "sub.tld" {
+	type primary;
+	file "sub.tld.db.signed";
+};

bin/tests/system/mkeys/ns1/root.db

@@ -23,3 +23,6 @@ a.root-servers.nil.    A       10.53.0.1
 ; no delegation
 
 example.               TXT     "This is a test."
+
+tld.		       NS      ns.tld.
+ns.tld.		       A       10.53.0.1

bin/tests/system/mkeys/ns1/sign.sh

@@ -13,6 +13,24 @@
 
 . ../../conf.sh
 
+zone=sub.tld
+zonefile=sub.tld.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+keyfile_to_initial_ds $keyname > island.conf
+cp island.conf ../ns5/island.conf
+
+zone=tld
+zonefile=tld.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+
 zone=.
 zonefile=root.db
 

bin/tests/system/mkeys/ns1/sub.tld.db

@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+sub.tld.               IN SOA  marka.isc.org. ns.sub.tld. (
+                               2000042100      ; serial
+                               600             ; refresh
+                               600             ; retry
+                               1200            ; expire
+                               2               ; minimum
+                               )
+sub.tld.	       NS      ns.sub.tld.
+ns.sub.tld.	       A       10.53.0.1

bin/tests/system/mkeys/ns1/tld.db

@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+tld.                   IN SOA  marka.isc.org. ns.tld. (
+                               2000042100      ; serial
+                               600             ; refresh
+                               600             ; retry
+                               1200            ; expire
+                               2               ; minimum
+                               )
+tld.		       NS      ns.tld.
+ns.tld.		       A       10.53.0.1
+sub.tld.	       NS      ns.sub.tld.
+ns.sub.tld.	       A       10.53.0.1

bin/tests/system/mkeys/ns4/named.conf.in

@@ -41,3 +41,8 @@ zone "." {
 	type hint;
 	file "../../common/root.hint";
 };
+
+zone "sub.foo" {
+	type primary;
+	file "sub.foo.db.signed";
+};

bin/tests/system/mkeys/ns4/sign.sh

@@ -0,0 +1,24 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+. ../../conf.sh
+
+zone=sub.foo
+zonefile=sub.foo.db
+
+keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
+zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
+
+$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+keyfile_to_initial_ds $keyname > private.conf
+cp private.conf ../ns5/private.conf

bin/tests/system/mkeys/ns4/sub.foo.db

@@ -0,0 +1,21 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+sub.foo.               IN SOA  marka.isc.org. ns.foo. (
+                               2000042100      ; serial
+                               600             ; refresh
+                               600             ; retry
+                               1200            ; expire
+                               2               ; minimum
+                               )
+sub.foo.	       NS      ns.sub.foo.
+ns.sub.foo.	       A       10.53.0.4

bin/tests/system/mkeys/ns5/foo.db

@@ -0,0 +1,23 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 20
+foo.                   IN SOA  marka.isc.org. ns.foo. (
+                               2000042100      ; serial
+                               600             ; refresh
+                               600             ; retry
+                               1200            ; expire
+                               2               ; minimum
+                               )
+foo.		       NS      ns.foo.
+ns.foo.		       A       10.53.0.5
+sub.foo.	       NS      ns.sub.foo.
+ns.sub.foo.	       A       10.53.0.4

bin/tests/system/mkeys/ns5/named.conf.in

@@ -41,3 +41,11 @@ zone "." {
 	type hint;
 	file "../../common/root.hint";
 };
+
+zone "foo" {
+	type primary;
+	file "foo.db";
+};
+
+include "island.conf";
+include "private.conf";

bin/tests/system/mkeys/setup.sh

@@ -31,6 +31,7 @@ copy_setports ns7/named.conf.in ns7/named.conf
 cp ns5/named1.args ns5/named.args
 
 ( cd ns1 && $SHELL sign.sh )
+( cd ns4 && $SHELL sign.sh )
 ( cd ns6 && $SHELL setup.sh )
 
 cp ns2/managed.conf ns2/managed1.conf

bin/tests/system/mkeys/tests.sh

@@ -722,7 +722,9 @@ ret=0
 stop_server --use-rndc --port "${CONTROLPORT}" ns5
 nextpart ns5/named.run > /dev/null
 start_server --noclean --restart --port "${PORT}" ns5
-wait_for_log 20 "Returned from key fetch in keyfetch_done()" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.':" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld':" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo':" ns5/named.run || ret=1
 # ns5/named.run will contain logs from both the old instance and the new
 # instance.  In order for the test to pass, both must attempt a fetch.
 count=$(grep -c "Creating key fetch" ns5/named.run) || true
@@ -730,6 +732,23 @@ count=$(grep -c "Creating key fetch" ns5/named.run) || true
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
+n=$((n+1))
+echo_i "check 'rndc managed-keys' and islands of trust root unreachable ($n)"
+ret=0
+mkeys_sync_on 5
+mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1
+# there should be three keys listed now
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# three lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# one indicates current trust
+count=$(grep -c "trusted since" rndc.out.$n) || true
+[ "$count" -eq 1 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 n=$((n+1))
 echo_i "check key refreshes are resumed after root servers become available ($n)"
 ret=0
@@ -741,7 +760,9 @@ rm -f ns5/managed-keys.bind*
 cp ns5/named2.args ns5/named.args
 nextpart ns5/named.run > /dev/null
 start_server --noclean --restart --port "${PORT}" ns5
-wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': failure" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': failure" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1
 mkeys_secroots_on 5 || ret=1
 grep '; initializing managed' ns5/named.secroots > /dev/null 2>&1 || ret=1
 # ns1 should still REFUSE queries from ns5, so resolving should be impossible
@@ -754,7 +775,9 @@ copy_setports ns1/named3.conf.in ns1/named.conf
 rm -f ns1/root.db.signed.jnl
 nextpart ns5/named.run > /dev/null
 mkeys_reconfig_on 1 || ret=1
-wait_for_log 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for '.': success" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.tld': success" ns5/named.run || ret=1
+wait_for_log_peek 20 "Returned from key fetch in keyfetch_done() for 'sub.foo': success" ns5/named.run || ret=1
 mkeys_secroots_on 5 || ret=1
 grep '; managed' ns5/named.secroots > /dev/null || ret=1
 # ns1 should not longer REFUSE queries from ns5, so managed keys should be
@@ -835,5 +858,22 @@ grep "refreshing managed keys for 'view2'" rndc.out.ns7.view2.test$n > /dev/null
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
+n=$((n+1))
+echo_i "check 'rndc managed-keys' and islands of trust now that root is reachable ($n)"
+ret=0
+mkeys_sync_on 5
+mkeys_status_on 5 > rndc.out.$n 2>&1 || ret=1
+# there should be three keys listed now
+count=$(grep -c "keyid: " rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# theee lines indicating trust status
+count=$(grep -c "trust" rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+# three indicates current trust
+count=$(grep -c "trusted since" rndc.out.$n) || true
+[ "$count" -eq 3 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1