Test changing from dynamic to inline-signing

Add a kasp system test that reconfigures a dnssec-policy zone from
maintaining DNSSEC records directly to the zone to using inline-signing.

Add a similar test case to the nsec3 system test, testing the same
thing but now with NSEC3 in use.

bin/tests/system/kasp/ns6/named.conf.in

@@ -38,6 +38,14 @@ controls {
 	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+/* This zone switch from dynamic to inline-signing. */
+zone "dynamic2inline.kasp" {
+	type primary;
+	file "dynamic2inline.kasp.db";
+	allow-update { any; };
+	dnssec-policy "default";
+};
+
 /* These zones are going insecure. */
 zone "step1.going-insecure.kasp" {
 	type primary;

bin/tests/system/kasp/ns6/named2.conf.in

@@ -37,6 +37,15 @@ controls {
 	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+/* This zone switch from dynamic to inline-signing. */
+zone "dynamic2inline.kasp" {
+	type primary;
+	file "dynamic2inline.kasp.db";
+	allow-update { any; };
+	inline-signing yes;
+	dnssec-policy "default";
+};
+
 /* Zones for testing going insecure. */
 zone "step1.going-insecure.kasp" {
         type primary;

bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in

@@ -20,6 +20,10 @@ dnssec-policy "unsigning" {
 	};
 };
 
+dnssec-policy "nsec3" {
+	nsec3param iterations 0 optout no salt-length 0;
+};
+
 dnssec-policy "rsasha256" {
 	signatures-refresh P5D;
 	signatures-validity 30d;

bin/tests/system/kasp/ns6/setup.sh

@@ -389,3 +389,6 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig
 #
 echo "example" >> zones
 cp example.db.in example.db
+
+setup "dynamic2inline.kasp"
+cp template.db.in $zonefile

bin/tests/system/kasp/tests.sh

@@ -3540,6 +3540,34 @@ set_policy "default" "1" "3600"
 set_server "ns3" "10.53.0.3"
 # TODO (GL #2471).
 
+# Test dynamic zones that switch to inline-signing.
+set_zone "dynamic2inline.kasp"
+set_policy "default" "1" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# The CSK is rumoured.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
 #
 # Testing algorithm rollover.
 #
@@ -3807,6 +3835,34 @@ wait_for_done_signing() {
 	status=$((status+ret))
 }
 
+# Test dynamic zones that switch to inline-signing.
+set_zone "dynamic2inline.kasp"
+set_policy "default" "1" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# The CSK is rumoured.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
 #
 # Testing going insecure.
 #

bin/tests/system/nsec3/ns3/named.conf.in

@@ -184,3 +184,11 @@ zone "nsec3-fails-to-load.kasp" {
 	dnssec-policy "nsec3";
 	allow-update { any; };
 };
+
+/* The zone switches from dynamic to inline-signing. */
+zone "nsec3-dynamic-to-inline.kasp" {
+	type primary;
+	file "nsec3-dynamic-to-inline.kasp.db";
+	dnssec-policy "nsec3";
+	allow-update { any; };
+};

bin/tests/system/nsec3/ns3/named2.conf.in

@@ -193,3 +193,12 @@ zone "nsec3-fails-to-load.kasp" {
 	dnssec-policy "nsec3";
 	allow-update { any; };
 };
+
+/* The zone switches from dynamic to inline-signing. */
+zone "nsec3-dynamic-to-inline.kasp" {
+	type primary;
+	file "nsec3-dynamic-to-inline.kasp.db";
+	inline-signing yes;
+	dnssec-policy "nsec3";
+	allow-update { any; };
+};

bin/tests/system/nsec3/ns3/setup.sh

@@ -25,7 +25,8 @@ setup() {
 }
 
 for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
-	  nsec3-to-optout nsec3-from-optout nsec3-dynamic nsec3-dynamic-change
+	  nsec3-to-optout nsec3-from-optout nsec3-dynamic \
+	  nsec3-dynamic-change nsec3-dynamic-to-inline
 do
 	setup "${zn}.kasp"
 done

bin/tests/system/nsec3/tests.sh

@@ -297,6 +297,13 @@ set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
+# Zone: nsec3-dynamic-to-inline.kasp.
+set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
 # Zone: nsec3-to-nsec.kasp.
 set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
@@ -419,6 +426,13 @@ set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
+# Zone: nsec3-dynamic-to-inline.kasp. (reconfigured)
+set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+
 # Zone: nsec3-to-nsec.kasp. (reconfigured)
 set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600
 set_nsec3param "1" "11" "8"