From cda1ae69acffa89f88c11039b2035b43b6c30294 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 13 Jun 2023 15:59:53 +0200
Subject: [PATCH] Add log check in multisigner system test

When we add DNSKEY records via dynamic update, this should no longer trigger signing the zone with these keys. This currently happens when 'find_zone_keys()' looks up the keys by inspecting the DNSKEY RRset, then attempting to read the corresponding key files. Add checks that inspect the logs whether an attempt to read the key files for the newly added keys was done (and failed because these files are not available).
---
 bin/tests/system/multisigner/tests.sh | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/bin/tests/system/multisigner/tests.sh b/bin/tests/system/multisigner/tests.sh
index aac1c2ecdc..5a209e7946 100644
--- a/bin/tests/system/multisigner/tests.sh
+++ b/bin/tests/system/multisigner/tests.sh
@@ -132,10 +132,19 @@ echo server "${SERVER}" "${PORT}"
 echo update add $(cat "ns4/${ZONE}.zsk")
 echo send
 ) | $NSUPDATE
+# Check the new DNSKEY RRset.
+n=$((n+1))
 echo_i "check zone ${ZONE} DNSKEY RRset after update ($n)"
 retry_quiet 10 zsks_are_published || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+# Check the logs for find zone keys errors.
+n=$((n+1))
+ret=0
+echo_i "make sure we did not try to sign with the keys added with nsupdate for zone ${ZONE} ($n)"
+grep "dns_dnssec_findzonekeys2: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 # Verify again.
 dnssec_verify
@@ -149,10 +158,19 @@ echo server "${SERVER}" "${PORT}"
 echo update add $(cat "ns3/${ZONE}.zsk")
 echo send
 ) | $NSUPDATE
+# Check the new DNSKEY RRset.
+n=$((n+1))
 echo_i "check zone ${ZONE} DNSKEY RRset after update ($n)"
 retry_quiet 10 zsks_are_published || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+# Check the logs for find zone keys errors.
+n=$((n+1))
+ret=0
+echo_i "make sure we did not try to sign with the keys added with nsupdate for zone ${ZONE} ($n)"
+grep "dns_dnssec_findzonekeys2: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 # Verify again.
 dnssec_verify
 no_dnssec_in_journal
@@ -446,6 +464,9 @@ test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 dnssec_verify
 no_dnssec_in_journal
+grep "dns_dnssec_findzonekeys2: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 # NS4
 set_server "ns4" "10.53.0.4"
 echo_i "check server ${DIR} zone ${ZONE} DNSKEY RRset after update ($n)"
@@ -454,6 +475,9 @@ test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 dnssec_verify
 no_dnssec_in_journal
+grep "dns_dnssec_findzonekeys2: error reading ./K${ZONE}.*\.private: file not found" "${DIR}/named.run" && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 n=$((n+1))
 echo_i "remove dnskey record: remove ns3 and ns4 DNSKEY records from primary ns5 ($n)"
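Review bot: The `grep … && ret=1` added in the hunk at -446 (and again in the one at -454, whose tail is cut off here) runs without resetting `ret`, so when the preceding check has already failed (or if `dnssec_verify`/`no_dnssec_in_journal` touch `ret`, which is not visible from this patch) the same failure is added to `status` a second time, and a genuine hit of this grep prints "failed" under the previous check's number because `n` is not bumped and no `echo_i` names the check. The hunks at -132 and -149 get this right; mirror them by putting `n=$((n+1))`, `ret=0` and `echo_i "make sure we did not try to sign with the keys added with nsupdate for zone ${ZONE} ($n)"` immediately before each of the two later greps. Since all four additions assert only the absence of one log line in `${DIR}/named.run`, they pass vacuously if that message is ever reworded or no longer logged at the level the test harness configures; a comment next to the pattern such as `# Negative check: a renamed or suppressed log message makes this pass silently.` would warn the next maintainer.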