
Add log check in multisigner system test

When we add DNSKEY records via dynamic update, this should no longer
trigger signing the zone with these keys. This currently happens when
'find_zone_keys()' looks up the keys by inspecting the DNSKEY RRset,
then attempting to read the corresponding key files.

Add checks that inspect the logs for whether an attempt was made to read
the key files for the newly added keys (and failed because these files
are not available).
This commit is contained in:
Matthijs Mekking
2023-06-13 15:59:53 +02:00
parent 2633732fb1
commit cda1ae69ac


@@ -132,10 +132,19 @@ echo server "${SERVER}" "${PORT}"
echo update add $(cat "ns4/${ZONE}.zsk")
echo send
) | $NSUPDATE
# Check the new DNSKEY RRset.
n=$((n+1))
echo_i "check zone ${ZONE} DNSKEY RRset after update ($n)"
retry_quiet 10 zsks_are_published || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
# Check the logs for find zone keys errors.
n=$((n+1))
ret=0
echo_i "make sure we did not try to sign with the keys added with nsupdate for zone ${ZONE} ($n)"
grep "dns_dnssec_findzonekeys2: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
# Verify again.
dnssec_verify
@@ -149,10 +158,19 @@ echo server "${SERVER}" "${PORT}"
echo update add $(cat "ns3/${ZONE}.zsk")
echo send
) | $NSUPDATE
# Check the new DNSKEY RRset.
n=$((n+1))
echo_i "check zone ${ZONE} DNSKEY RRset after update ($n)"
retry_quiet 10 zsks_are_published || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
# Check the logs for find zone keys errors.
n=$((n+1))
ret=0
echo_i "make sure we did not try to sign with the keys added with nsupdate for zone ${ZONE} ($n)"
grep "dns_dnssec_findzonekeys2: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
# Verify again.
dnssec_verify
no_dnssec_in_journal
@@ -446,6 +464,9 @@ test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
dnssec_verify
no_dnssec_in_journal
grep "dns_dnssec_findzonekeys2: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
# NS4
set_server "ns4" "10.53.0.4"
echo_i "check server ${DIR} zone ${ZONE} DNSKEY RRset after update ($n)"
@@ -454,6 +475,9 @@ test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
dnssec_verify
no_dnssec_in_journal
grep "dns_dnssec_findzonekeys2: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
n=$((n+1))
echo_i "remove dnskey record: remove ns3 and ns4 DNSKEY records from primary ns5 ($n)"