Add a test case for no -P sync

This is a follow-up from the test cases that were added long time ago that cover migrating to dnssec-policy. The test covers legacy keys that do not have the SyncPublish timing metadata set.
2025-08-22 01:59:26 +00:00 · 2025-07-29 10:15:00 +02:00 · 2025-07-29 10:15:00 +02:00 · dfdac550d8
commit dfdac550d8
parent 6499814835
3 changed files with 36 additions and 0 deletions
--- a/bin/tests/system/migrate2kasp/ns3/named.conf.j2
+++ b/bin/tests/system/migrate2kasp/ns3/named.conf.j2
@ -78,6 +78,14 @@ zone "omnipresent.kasp" {
 	allow-update { any; };
 };

+zone "no-syncpublish.kasp" {
+	type primary;
+	file "no-syncpublish.kasp.db";
+	dnssec-policy "timing-metadata";
+	inline-signing no;
+	allow-update { any; };
+};
+
 zone "migrate-nomatch-algnum.kasp" {
 	type primary;
 	file "migrate-nomatch-algnum.kasp.db";
--- a/bin/tests/system/migrate2kasp/ns3/setup.sh
+++ b/bin/tests/system/migrate2kasp/ns3/setup.sh
@ -146,3 +146,16 @@ cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
+
+# Key states expected to be omnipresent after migration, except DS because -P sync is missing.
+setup no-syncpublish.kasp
+echo "$zone" >>zones
+Tsig="now-12h" # Zone's maximum TTL + propagation delay
+ksktimes="-P ${Tsig} -A ${Tsig}"
+zsktimes="-P ${Tsig} -A ${Tsig}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
--- a/bin/tests/system/migrate2kasp/tests_migrate2kasp.py
+++ b/bin/tests/system/migrate2kasp/tests_migrate2kasp.py
@ -199,6 +199,21 @@ lifetime = {
            },
            id="omnipresent.kasp",
        ),
+        # Testing key states derived from timing metadata: no SyncPublish.
+        pytest.param(
+            {
+                "zone": "no-syncpublish.kasp",
+                "policy": "timing-metadata",
+                "server": "ns3",
+                "config": timing_config,
+                "offset": -timedelta(hours=12),
+                "key-properties": [
+                    f"ksk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured",
+                    f"zsk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
+                ],
+            },
+            id="no-syncpublish.kasp",
+        ),
        # Test migration to dnssec-policy, existing keys do not match key algorithm.
        pytest.param(
            {