mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-30 14:07:59 +00:00
Test rndc skr import
Test importing a Signed Key Response. Files should be loaded and once loaded the correct bundle should be used. Alsoe test cases where the bundle is not the first bundle in the SKR.
This commit is contained in:
Matthijs Mekking
@@ -20,6 +20,10 @@ mkdir offline
|
||||
|
||||
# Zone files
|
||||
cp template.db.in common.test.db
|
||||
cp template.db.in past.test.db
|
||||
cp template.db.in future.test.db
|
||||
cp template.db.in last-bundle.test.db
|
||||
cp template.db.in in-the-middle.test.db
|
||||
|
||||
# Create KSK for the various policies.
|
||||
create_ksk() {
|
||||
@@ -35,5 +39,9 @@ create_ksk() {
|
||||
done
|
||||
}
|
||||
create_ksk common.test common
|
||||
create_ksk past.test common
|
||||
create_ksk future.test common
|
||||
create_ksk last-bundle.test common
|
||||
create_ksk in-the-middle.test common
|
||||
create_ksk unlimited.test unlimited
|
||||
create_ksk two-tone.test two-tone
|
||||
|
||||
@@ -544,6 +544,420 @@ ksr common -K ns1 -i $now -e +2y -K ns1/offline -f ksr.request.expect sign commo
|
||||
start=$(cat ns1/$zsk1.state | grep "Generated" | awk '{print $2}')
|
||||
end=$(addtime $start 63072000) # two years
|
||||
check_skr "common.test" "ns1/offline" "ksr.sign.out.$n" $start $end 4 || ret=1
|
||||
# Save response for skr import operation.
|
||||
cp ksr.sign.out.$n ns1/common.test.skr
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
# Add zone: common
|
||||
n=$((n + 1))
|
||||
echo_i "add zone 'common.test' ($n)"
|
||||
ret=0
|
||||
$RNDCCMD 10.53.0.1 addzone 'common.test { type primary; file "common.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
# Import skr: common
|
||||
n=$((n + 1))
|
||||
echo_i "import ksr to zone 'common.test' ($n)"
|
||||
ret=0
|
||||
sleep 2
|
||||
$RNDCCMD 10.53.0.1 skr -import common.test.skr common.test 2>&1 | sed 's/^/I:ns1 /' || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
# Test that common.test is signed and uses the right DNSKEY and RRSIG records.
|
||||
n=$((n + 1))
|
||||
echo_i "test zone 'common.test' is correctly signed ($n)"
|
||||
ret=0
|
||||
|
||||
set_zone "common.test"
|
||||
set_policy "common" "4" "3600"
|
||||
set_server "ns1" "10.53.0.1"
|
||||
# Only ZSKs
|
||||
set_keyrole "KEY1" "zsk"
|
||||
set_keylifetime "KEY1" "16070400"
|
||||
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY1" "no"
|
||||
set_zonesigning "KEY1" "yes"
|
||||
set_keystate "KEY1" "GOAL" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
|
||||
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keylifetime "KEY2" "16070400"
|
||||
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY2" "no"
|
||||
set_zonesigning "KEY2" "no"
|
||||
set_keystate "KEY2" "GOAL" "hidden"
|
||||
set_keystate "KEY2" "STATE_DNSKEY" "hidden"
|
||||
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
|
||||
|
||||
set_keyrole "KEY3" "zsk"
|
||||
set_keylifetime "KEY3" "16070400"
|
||||
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY3" "no"
|
||||
set_zonesigning "KEY3" "no"
|
||||
set_keystate "KEY3" "GOAL" "hidden"
|
||||
set_keystate "KEY3" "STATE_DNSKEY" "hidden"
|
||||
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
|
||||
|
||||
set_keyrole "KEY4" "zsk"
|
||||
set_keylifetime "KEY4" "16070400"
|
||||
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY4" "no"
|
||||
set_zonesigning "KEY4" "no"
|
||||
set_keystate "KEY4" "GOAL" "hidden"
|
||||
set_keystate "KEY4" "STATE_DNSKEY" "hidden"
|
||||
set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
|
||||
|
||||
MAXDEPTH=1
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
# For checking the apex, we need to store the expected KSK metadata.
|
||||
key_clear "KEY2"
|
||||
key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
|
||||
set_policy "common" "1" "3600"
|
||||
set_server "ns1/offline" "10.53.0.1"
|
||||
set_keyrole "KEY2" "ksk"
|
||||
set_keylifetime "KEY2" "0"
|
||||
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY2" "yes"
|
||||
set_zonesigning "KEY2" "no"
|
||||
check_keys "keep"
|
||||
|
||||
DIR="ns1"
|
||||
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
|
||||
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
|
||||
set_keystate "KEY2" "STATE_DS" "omnipresent"
|
||||
check_apex
|
||||
|
||||
# Check that key id's match expected keys
|
||||
n=$((n + 1))
|
||||
zsk1=$(cat common.test.$DEFAULT_ALGORITHM_NUMBER.zsk1.id)
|
||||
key1=$(key_get "KEY1" BASEFILE)
|
||||
echo_i "check that published zsk $zsk1 matches first key $key1 in bundle ($n)"
|
||||
ret=0
|
||||
[ "ns1/$zsk1" = "$key1" ] || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
ksk=$(cat common.test.ksk1.id)
|
||||
key2=$(key_get "KEY2" BASEFILE)
|
||||
echo_i "check that published ksk $ksk matches ksk $key2 ($n)"
|
||||
ret=0
|
||||
[ "ns1/offline/$ksk" = "$key2" ] || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
# Key generation: last-bundle
|
||||
n=$((n + 1))
|
||||
echo_i "generate keys for testing an SKR that is in the last bundle ($n)"
|
||||
ret=0
|
||||
ksr common -K ns1 -i -1y -e +1d keygen last-bundle.test >ksr.keygen.out.$n 2>&1 || ret=1
|
||||
num=$(cat ksr.keygen.out.$n | wc -l)
|
||||
[ $num -eq 2 ] || ret=1
|
||||
set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400
|
||||
ksr_check_keys last-bundle.test ns1 -31536000 || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
# Create request: last-bundle
|
||||
n=$((n + 1))
|
||||
echo_i "create ksr for last bundle test ($n)"
|
||||
ret=0
|
||||
ksr common -K ns1 -i -1y -e +1d request last-bundle.test >ksr.request.out.$n 2>&1 || ret=1
|
||||
cp ksr.request.out.$n last-bundle.test.ksr
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
# Sign request: last-bundle
|
||||
n=$((n + 1))
|
||||
echo_i "create skr for last bundle test ($n)"
|
||||
ret=0
|
||||
ksr common -i -1y -e +1d -K ns1/offline -f last-bundle.test.ksr sign last-bundle.test >ksr.sign.out.$n 2>&1 || ret=1
|
||||
cp ksr.sign.out.$n ns1/last-bundle.test.skr
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
# Add zone: last-bundle
|
||||
n=$((n + 1))
|
||||
echo_i "add zone 'last-bundle.test' ($n)"
|
||||
ret=0
|
||||
$RNDCCMD 10.53.0.1 addzone 'last-bundle.test { type primary; file "last-bundle.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
# Import skr: last-bundle
|
||||
n=$((n + 1))
|
||||
echo_i "import ksr to zone 'last-bundle.test' ($n)"
|
||||
ret=0
|
||||
sleep 2
|
||||
$RNDCCMD 10.53.0.1 skr -import last-bundle.test.skr last-bundle.test 2>&1 | sed 's/^/I:ns1 /' || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
# Test that last-bundle.test is signed and uses the right DNSKEY and RRSIG records.
|
||||
n=$((n + 1))
|
||||
echo_i "test zone 'last-bundle.test' is correctly signed ($n)"
|
||||
ret=0
|
||||
|
||||
set_zone "last-bundle.test"
|
||||
set_policy "common" "2" "3600"
|
||||
set_server "ns1" "10.53.0.1"
|
||||
# Only ZSKs
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "zsk"
|
||||
set_keylifetime "KEY1" "16070400"
|
||||
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY1" "no"
|
||||
set_zonesigning "KEY1" "yes"
|
||||
set_keystate "KEY1" "GOAL" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
|
||||
|
||||
key_clear "KEY2"
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keylifetime "KEY2" "16070400"
|
||||
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY2" "no"
|
||||
set_zonesigning "KEY2" "no"
|
||||
set_keystate "KEY2" "GOAL" "hidden"
|
||||
set_keystate "KEY2" "STATE_DNSKEY" "hidden"
|
||||
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
|
||||
|
||||
MAXDEPTH=1
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
# For checking the apex, we need to store the expected KSK metadata.
|
||||
key_clear "KEY2"
|
||||
key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
|
||||
set_policy "common" "1" "3600"
|
||||
set_server "ns1/offline" "10.53.0.1"
|
||||
set_keyrole "KEY2" "ksk"
|
||||
set_keylifetime "KEY2" "0"
|
||||
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY2" "yes"
|
||||
set_zonesigning "KEY2" "no"
|
||||
check_keys "keep"
|
||||
|
||||
DIR="ns1"
|
||||
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
|
||||
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
|
||||
set_keystate "KEY2" "STATE_DS" "omnipresent"
|
||||
check_apex
|
||||
|
||||
# Check that key id's match expected keys
|
||||
n=$((n + 1))
|
||||
zsk2=$(cat last-bundle.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id)
|
||||
key1=$(key_get "KEY1" BASEFILE)
|
||||
echo_i "check that published zsk $zsk2 matches first key $key1 in bundle ($n)"
|
||||
ret=0
|
||||
[ "ns1/$zsk2" = "$key1" ] || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
ksk=$(cat last-bundle.test.ksk1.id)
|
||||
key2=$(key_get "KEY2" BASEFILE)
|
||||
echo_i "check that published ksk $ksk matches ksk $key2 ($n)"
|
||||
ret=0
|
||||
[ "ns1/offline/$ksk" = "$key2" ] || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check that last bundle warning is logged ($n)"
|
||||
wait_for_log 3 "zone last-bundle.test/IN (signed): zone_rekey: last bundle in skr, please import new skr file" ns1/named.run || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
# Key generation: in-the-middle
|
||||
n=$((n + 1))
|
||||
echo_i "generate keys for testing an SKR that is in the middle ($n)"
|
||||
ret=0
|
||||
ksr common -K ns1 -i -1y -e +1y keygen in-the-middle.test >ksr.keygen.out.$n 2>&1 || ret=1
|
||||
num=$(cat ksr.keygen.out.$n | wc -l)
|
||||
[ $num -eq 4 ] || ret=1
|
||||
set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400
|
||||
ksr_check_keys in-the-middle.test ns1 -31536000 || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
# Create request: in-the-middle
|
||||
n=$((n + 1))
|
||||
echo_i "create ksr for in the middle test ($n)"
|
||||
ret=0
|
||||
ksr common -K ns1 -i -1y -e +1y request in-the-middle.test >ksr.request.out.$n 2>&1 || ret=1
|
||||
cp ksr.request.out.$n in-the-middle.test.ksr
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
# Sign request: in-the-middle
|
||||
n=$((n + 1))
|
||||
echo_i "create skr for in the middle test ($n)"
|
||||
ret=0
|
||||
ksr common -i -1y -e +1y -K ns1/offline -f in-the-middle.test.ksr sign in-the-middle.test >ksr.sign.out.$n 2>&1 || ret=1
|
||||
cp ksr.sign.out.$n ns1/in-the-middle.test.skr
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
# Add zone: in-the-middle
|
||||
n=$((n + 1))
|
||||
echo_i "add zone 'in-the-middle.test' ($n)"
|
||||
ret=0
|
||||
$RNDCCMD 10.53.0.1 addzone 'in-the-middle.test { type primary; file "in-the-middle.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
# Import skr: in-the-middle
|
||||
n=$((n + 1))
|
||||
echo_i "import ksr to zone 'in-the-middle.test' ($n)"
|
||||
ret=0
|
||||
sleep 2
|
||||
$RNDCCMD 10.53.0.1 skr -import in-the-middle.test.skr in-the-middle.test 2>&1 | sed 's/^/I:ns1 /' || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
# Test that in-the-middle.test is signed and uses the right DNSKEY and RRSIG records.
|
||||
n=$((n + 1))
|
||||
echo_i "test zone 'in-the-middle.test' is correctly signed ($n)"
|
||||
ret=0
|
||||
|
||||
set_zone "in-the-middle.test"
|
||||
set_policy "common" "4" "3600"
|
||||
set_server "ns1" "10.53.0.1"
|
||||
# Only ZSKs
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "zsk"
|
||||
set_keylifetime "KEY1" "16070400"
|
||||
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY1" "no"
|
||||
set_zonesigning "KEY1" "yes"
|
||||
set_keystate "KEY1" "GOAL" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
|
||||
|
||||
key_clear "KEY2"
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keylifetime "KEY2" "16070400"
|
||||
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY2" "no"
|
||||
set_zonesigning "KEY2" "no"
|
||||
set_keystate "KEY2" "GOAL" "hidden"
|
||||
set_keystate "KEY2" "STATE_DNSKEY" "hidden"
|
||||
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
|
||||
|
||||
key_clear "KEY3"
|
||||
set_keyrole "KEY3" "zsk"
|
||||
set_keylifetime "KEY3" "16070400"
|
||||
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY3" "no"
|
||||
set_zonesigning "KEY3" "no"
|
||||
set_keystate "KEY3" "GOAL" "hidden"
|
||||
set_keystate "KEY3" "STATE_DNSKEY" "hidden"
|
||||
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
|
||||
|
||||
key_clear "KEY4"
|
||||
set_keyrole "KEY4" "zsk"
|
||||
set_keylifetime "KEY4" "16070400"
|
||||
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY4" "no"
|
||||
set_zonesigning "KEY4" "no"
|
||||
set_keystate "KEY4" "GOAL" "hidden"
|
||||
set_keystate "KEY4" "STATE_DNSKEY" "hidden"
|
||||
set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
|
||||
|
||||
MAXDEPTH=1
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
# For checking the apex, we need to store the expected KSK metadata.
|
||||
key_clear "KEY2"
|
||||
key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
|
||||
set_policy "common" "1" "3600"
|
||||
set_server "ns1/offline" "10.53.0.1"
|
||||
set_keyrole "KEY2" "ksk"
|
||||
set_keylifetime "KEY2" "0"
|
||||
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY2" "yes"
|
||||
set_zonesigning "KEY2" "no"
|
||||
check_keys "keep"
|
||||
|
||||
DIR="ns1"
|
||||
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
|
||||
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
|
||||
set_keystate "KEY2" "STATE_DS" "omnipresent"
|
||||
check_apex
|
||||
|
||||
# Check that key id's match expected keys
|
||||
n=$((n + 1))
|
||||
zsk2=$(cat in-the-middle.test.$DEFAULT_ALGORITHM_NUMBER.zsk2.id)
|
||||
key1=$(key_get "KEY1" BASEFILE)
|
||||
echo_i "check that published zsk $zsk2 matches first key $key1 in bundle ($n)"
|
||||
ret=0
|
||||
[ "ns1/$zsk2" = "$key1" ] || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
ksk=$(cat in-the-middle.test.ksk1.id)
|
||||
key2=$(key_get "KEY2" BASEFILE)
|
||||
echo_i "check that published ksk $ksk matches ksk $key2 ($n)"
|
||||
ret=0
|
||||
[ "ns1/offline/$ksk" = "$key2" ] || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check that no last bundle warning is logged ($n)"
|
||||
grep "zone $zone/IN (signed): zone_rekey failure: no available SKR bundle" ns1/named.run && ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
# Test error conditions
|
||||
check_rekey_logs_error() {
|
||||
zone=$1
|
||||
inc=$2
|
||||
exp=$3
|
||||
offset=$4
|
||||
|
||||
# Key generation
|
||||
ksr common -K ns1 -i $inc -e $exp keygen $zone >ksr.keygen.out.$n 2>&1 || return 1
|
||||
num=$(cat ksr.keygen.out.$n | wc -l)
|
||||
[ $num -eq 2 ] || return 1
|
||||
set_zsk $DEFAULT_ALGORITHM_NUMBER $DEFAULT_BITS 16070400
|
||||
ksr_check_keys $zone ns1 $offset || return 1
|
||||
# Create request
|
||||
ksr common -K ns1 -i $inc -e $exp request $zone >ksr.request.out.$n 2>&1 || return 1
|
||||
cp ksr.request.out.$n $zone.ksr
|
||||
# Sign request
|
||||
ksr common -K ns1/offline -i $inc -e $exp -f $zone.ksr sign $zone >ksr.sign.out.$n 2>&1 || return 1
|
||||
cp ksr.sign.out.$n ns1/$zone.skr
|
||||
# Import skr
|
||||
$RNDCCMD 10.53.0.1 skr -import $zone.skr $zone 2>&1 | sed 's/^/I:ns1 /' || return 1
|
||||
# Test that rekey logs error
|
||||
wait_for_log 3 "zone $zone/IN (signed): zone_rekey failure: no available SKR bundle" ns1/named.run || return 1
|
||||
}
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check that an SKR that is too old logs error ($n)"
|
||||
$RNDCCMD 10.53.0.1 addzone 'past.test { type primary; file "past.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1
|
||||
check_rekey_logs_error "past.test" -2y -1y -63072000 || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
n=$((n + 1))
|
||||
echo_i "check that an SKR that is too new logs error ($n)"
|
||||
$RNDCCMD 10.53.0.1 addzone 'future.test { type primary; file "future.test.db"; dnssec-policy common; };' 2>&1 | sed 's/^/I:ns1 /' || ret=1
|
||||
check_rekey_logs_error "future.test" +1mo +1y 2592000 || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
|
||||
|
||||
Reference in New Issue
Block a user