diff --git a/bin/tests/system/mkeys/clean.sh b/bin/tests/system/mkeys/clean.sh
index 3f297a22a2..045c9b21c5 100644
--- a/bin/tests/system/mkeys/clean.sh
+++ b/bin/tests/system/mkeys/clean.sh
@@ -25,6 +25,7 @@ rm -f ns*/named.lock
 rm -f ns1/dsset-sub.tld.
 rm -f ns1/dsset-tld.
 rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
+rm -f ns1/signer.out.*
 rm -f ns1/zone.key
 rm -f ns3/broken.conf
 rm -f ns4/dsset-sub.foo.
diff --git a/bin/tests/system/mkeys/ns1/named1.conf.in b/bin/tests/system/mkeys/ns1/named1.conf.in
index 0b3f068a27..4271668ea9 100644
--- a/bin/tests/system/mkeys/ns1/named1.conf.in
+++ b/bin/tests/system/mkeys/ns1/named1.conf.in
@@ -44,8 +44,6 @@ controls {
 zone "." {
 type primary;
 file "root.db.signed";
- allow-update { any; };
- auto-dnssec maintain;
 };
 zone "tld" {
diff --git a/bin/tests/system/mkeys/ns1/root.db b/bin/tests/system/mkeys/ns1/root.db
index bc83788672..333ee45759 100644
--- a/bin/tests/system/mkeys/ns1/root.db
+++ b/bin/tests/system/mkeys/ns1/root.db
@@ -11,7 +11,7 @@ $TTL 20
 . IN SOA gson.nominum.com. a.root.servers.nil. (
- 2000042100 ; serial
+ 1 ; serial
 600 ; refresh
 600 ; retry
 1200 ; expire
diff --git a/bin/tests/system/mkeys/ns1/sign.sh b/bin/tests/system/mkeys/ns1/sign.sh
index 626e18f776..0a24811afc 100644
--- a/bin/tests/system/mkeys/ns1/sign.sh
+++ b/bin/tests/system/mkeys/ns1/sign.sh
@@ -37,7 +37,7 @@ zonefile=root.db
 keyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk $zone)
 zskkeyname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -q $zone)
-$SIGNER -Sg -o $zone $zonefile > /dev/null 2>/dev/null
+$SIGNER -Sg -N unixtime -o $zone $zonefile > /dev/null 2>/dev/null
 # Configure the resolving server with an initializing key.
 keyfile_to_initial_ds $keyname > managed.conf
diff --git a/bin/tests/system/mkeys/tests.sh b/bin/tests/system/mkeys/tests.sh
index a82cff8a78..68757fa824 100644
--- a/bin/tests/system/mkeys/tests.sh
+++ b/bin/tests/system/mkeys/tests.sh
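Review bot: The rewritten `$SIGNER -Sg -N unixtime ...` line in ns1/sign.sh still sends both stdout and stderr to /dev/null, so a signing failure during setup leaves no trace, whereas the new resigning helper in tests.sh keeps its output under ns1/signer.out.*. Consider `$SIGNER -Sg -N unixtime -o $zone $zonefile > signer.out.setup 2>&1` so a setup failure can be diagnosed; since this hunk also adds `rm -f ns1/signer.out.*` to clean.sh, that file would be cleaned up with the others. The setup script's exit status handling for this step is outside the hunk, so it is unclear whether a failure here is detected at all.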
@@ -41,11 +41,15 @@ mkeys_reload_on() (
 wait_for_log 20 "loaded serial" "ns${nsidx}"/named.run || return 1
 )
-mkeys_loadkeys_on() (
- nsidx=$1
- nextpart "ns${nsidx}"/named.run > /dev/null
- rndccmd "10.53.0.${nsidx}" loadkeys . | sed "s/^/ns${nsidx} /" | cat_i
- wait_for_log 20 "next key event" "ns${nsidx}"/named.run || return 1
+mkeys_resign_rootzone() (
+ n=$1
+ (
+ cd ns1
+ $SIGNER -PSg -N unixtime -o . root.db > signer.out.test$1 2>&1
+ )
+ nextpart ns1/named.run > /dev/null
+ rndccmd "10.53.0.1" reload . | sed "s/^/ns1 /" | cat_i
+ wait_for_log 20 "loaded serial" ns1/named.run || return 1
 )
 mkeys_refresh_on() (
@@ -137,7 +141,7 @@ n=$((n+1))
 echo_i "check new trust anchor can be added ($n)"
 ret=0
 standby1=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .)
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 mkeys_refresh_on 2 || ret=1
 mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
 # there should be two keys listed now
@@ -178,7 +182,7 @@ ret=0
 mkeys_sync_on 2 || ret=1
 t1=$(grep "trust pending" ns2/managed-keys.bind) || true
 $SETTIME -D now -K ns1 "$standby1" > /dev/null
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 # Less than a second may have passed since the last time ns2 received a
 # ./DNSKEY response from ns1. Ensure keys are refreshed at a different
 # timestamp to prevent false negatives caused by the acceptance timer getting
@@ -199,7 +203,7 @@ echo_i "restore untrusted standby key, revoke original key ($n)"
 t1=$t2
 $SETTIME -D none -K ns1 "$standby1" > /dev/null
 $SETTIME -R now -K ns1 "$original" > /dev/null
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 # Less than a second may have passed since the last time ns2 received a
 # ./DNSKEY response from ns1. Ensure keys are refreshed at a different
 # timestamp to prevent false negatives caused by the acceptance timer getting
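Review bot: In mkeys_resign_rootzone the exit status of the `( cd ns1; $SIGNER ... )` subshell is discarded, so a failed signing falls through to the rndc reload and the helper can only fail later, if at all, via wait_for_log, with the real cause buried in signer.out. Closing the subshell with `) || return 1` reports the failure where it happens. The function also assigns `n=$1` but then builds the file name from `$1`; either write `signer.out.test$n` or drop the unused assignment. Since `-N unixtime` sets the serial to the current second, two resignings within one second produce the same serial; that is presumably harmless here because ns2 consumes ./DNSKEY as a validator rather than as a secondary, but a one-line comment on the `$SIGNER` line saying so would save the next reader the question.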
@@ -269,9 +273,9 @@ ret=0
 echo_i "restore revoked key, ensure same result ($n)"
 t1=$t2
 $SETTIME -R none -D now -K ns1 "$original" > /dev/null
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 $SETTIME -D none -K ns1 "$original" > /dev/null
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 # Less than a second may have passed since the last time ns2 received a
 # ./DNSKEY response from ns1. Ensure keys are refreshed at a different
 # timestamp to prevent false negatives caused by the acceptance timer getting
@@ -347,7 +351,7 @@ echo_i "revoke original key, add new standby ($n)"
 ret=0
 standby2=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .)
 $SETTIME -R now -K ns1 "$original" > /dev/null
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 mkeys_refresh_on 2 || ret=1
 mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
 # three keys listed
@@ -378,7 +382,7 @@ n=$((n+1))
 echo_i "revoke standby before it is trusted ($n)"
 ret=0
 standby3=$($KEYGEN -a ${DEFAULT_ALGORITHM} -qfk -K ns1 .)
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 mkeys_refresh_on 2 || ret=1
 mkeys_status_on 2 > rndc.out.1.$n 2>&1 || ret=1
 # four keys listed
@@ -391,7 +395,7 @@ count=$(grep -c "trust revoked" rndc.out.1.$n) || true
 count=$(grep -c "trust pending" rndc.out.1.$n) || true
 [ "$count" -eq 2 ] || { echo_i "trust pending count ($count) != 2"; ret=1; }
 $SETTIME -R now -K ns1 "$standby3" > /dev/null
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 mkeys_refresh_on 2 || ret=1
 mkeys_status_on 2 > rndc.out.2.$n 2>&1 || ret=1
 # now three keys listed
@@ -404,7 +408,7 @@ count=$(grep -c "trust revoked" rndc.out.2.$n) || true
 count=$(grep -c "trust pending" rndc.out.2.$n) || true
 [ "$count" -eq 1 ] || { echo_i "trust pending count ($count) != 1"; ret=1; }
 $SETTIME -D now -K ns1 "$standby3" > /dev/null
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
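Review bot: Calling `mkeys_resign_rootzone $n` twice inside the same numbered test, as the "restore revoked key" step does here, writes both signer runs to the same ns1/signer.out.test$n, so the first run's output is overwritten before a failure can be examined; the "revoke standby before it is trusted" test does the same three times across the @@ -378, @@ -391 and @@ -404 hunks. Pass a distinct suffix per call, e.g. `mkeys_resign_rootzone $n.1 || ret=1` and `mkeys_resign_rootzone $n.2 || ret=1`, mirroring the rndc.out.1.$n / rndc.out.2.$n naming already used in those tests, or append with `>> signer.out.test$1` inside the helper. The enclosing test blocks begin and end outside this hunk.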
@@ -435,7 +439,7 @@ ret=0
 $SETTIME -D now -K ns1 "$original" > /dev/null
 $SETTIME -R now -K ns1 "$standby1" > /dev/null
 $SETTIME -R now -K ns1 "$standby2" > /dev/null
-mkeys_loadkeys_on 1 || ret=1
+mkeys_resign_rootzone $n || ret=1
 mkeys_refresh_on 2 || ret=1
 mkeys_status_on 2 > rndc.out.$n 2>&1 || ret=1
 # two keys listed