Add checkconf tests for [#2463]

Add two tests to make sure named-checkconf catches key-directory issues where a zone in multiple views uses the same directory but has different dnssec-policies. One test sets the key-directory specifically, the other inherits the default key-directory (NULL, aka the working directory). Also update the good.conf test to allow zones in different views with the same key-directory if they use the same dnssec-policy. Also allow zones in different views with different key-directories if they use different dnssec-policies. Also allow zones in different views with the same key-directories if only one view uses a dnssec-policy (the other is set to "none"). Also allow zones in different views with the same key-directories if no views uses a dnssec-policy (zone in both views has the dnssec-policy set to "none").
2025-08-30 14:07:59 +00:00 · 2021-05-04 16:30:17 +02:00
parent 494e8b2cbd
commit df1aecd5ff
5 changed files with 140 additions and 0 deletions
--- a/bin/tests/system/checkconf/bad-kasp-keydir1.conf
+++ b/bin/tests/system/checkconf/bad-kasp-keydir1.conf
@@ -0,0 +1,42 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key "keyforview1" {
+	algorithm "hmac-sha1";
+	secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+	algorithm "hmac-sha1";
+	secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+	match-clients { key "keyforview1"; };
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "default";
+		key-directory ".";
+		file "example1.db";
+	};
+};
+
+view "example2" {
+	match-clients { key "keyforview2"; };
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "insecure";
+		key-directory ".";
+		file "example2.db";
+	};
+};
--- a/bin/tests/system/checkconf/bad-kasp-keydir2.conf
+++ b/bin/tests/system/checkconf/bad-kasp-keydir2.conf
@@ -0,0 +1,40 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+key "keyforview1" {
+	algorithm "hmac-sha1";
+	secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "keyforview2" {
+	algorithm "hmac-sha1";
+	secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "example1" {
+	match-clients { key "keyforview1"; };
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "default";
+		file "example1.db";
+	};
+};
+
+view "example2" {
+	match-clients { key "keyforview2"; };
+
+	zone "example.net" {
+		type primary;
+		dnssec-policy "insecure";
+		file "example2.db";
+	};
+};
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -192,7 +192,53 @@ view "fourth" {
 		file "dnssec-none.db";
 		dnssec-policy "none";
 	};
+	zone "dnssec-view1" {
+		type master;
+		file "dnssec-view41.db";
+		dnssec-policy "test";
+	};
+	zone "dnssec-view2" {
+		type master;
+		file "dnssec-view42.db";
+	};
+	zone "dnssec-view3" {
+		type master;
+		file "dnssec-view43.db";
+		dnssec-policy "none";
+		key-directory "keys";
+	};
+	zone "dnssec-view4" {
+		type master;
+		file "dnssec-view44.db";
+		dnssec-policy "none";
+	};
 	dnssec-policy "default";
+	key-directory ".";
+};
+view "fifth" {
+	zone "dnssec-view1" {
+		type master;
+		file "dnssec-view51.db";
+		dnssec-policy "test";
+	};
+	zone "dnssec-view2" {
+		type master;
+		file "dnssec-view52.db";
+		dnssec-policy "test";
+		key-directory "keys";
+	};
+	zone "dnssec-view3" {
+		type master;
+		file "dnssec-view53.db";
+		dnssec-policy "default";
+		key-directory "keys";
+	};
+	zone "dnssec-view4" {
+		type master;
+		file "dnssec-view54.db";
+		dnssec-policy "none";
+	};
+	key-directory ".";
 };
 view "chaos" chaos {
 	zone "hostname.bind" chaos {
--- a/bin/tests/system/checkconf/good.zonelist
+++ b/bin/tests/system/checkconf/good.zonelist
@@ -13,4 +13,12 @@ dnssec-test IN fourth master
 dnssec-default IN fourth master
 dnssec-inherit IN fourth master
 dnssec-none IN fourth master
+dnssec-view1 IN fourth master
+dnssec-view2 IN fourth master
+dnssec-view3 IN fourth master
+dnssec-view4 IN fourth master
+dnssec-view1 IN fifth master
+dnssec-view2 IN fifth master
+dnssec-view3 IN fifth master
+dnssec-view4 IN fifth master
 hostname.bind chaos chaos master
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -12,6 +12,8 @@
 status=0
 n=0

+mkdir keys
+
 n=`expr $n + 1`
 echo_i "checking that named-checkconf handles a known good config ($n)"
 ret=0
@@ -549,5 +551,7 @@ grep "exceeds 100%" < checkconf.out$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`

+rmdir keys
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1