Test setting of inline-signing with dnssec-policy

When dnssec-policy is used, and the zone is not dynamic, BIND will
assume that the zone is inline-signed. Add test cases to verify this.

bin/tests/system/kasp.sh

@@ -864,6 +864,28 @@ check_dnssecstatus() {
 	status=$((status+ret))
 }
 
+# Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if
+# inline-signing is enabled.
+check_inlinesigning() {
+	_server=$1
+	_zone=$2
+	_view=$3
+
+	_rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1
+	grep "inline signing: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1
+}
+
+# Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if
+# the zone is dynamic.
+check_isdynamic() {
+	_server=$1
+	_zone=$2
+	_view=$3
+
+	_rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1
+	grep "dynamic: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1
+}
+
 # Check if RRset of type $1 in file $2 is signed with the right keys.
 # The right keys are the ones that expect a signature and matches the role $3.
 _check_signatures() {

bin/tests/system/kasp/clean.sh

@@ -29,7 +29,7 @@ rm -f ns*/zones ns*/*.db.infile
 rm -f ns*/*.zsk1 ns*/*.zsk2
 rm -f ns3/legacy-keys.*
 rm -f *.created published.test* retired.test*
-rm -f rndc.dnssec.*.out.*
+rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.*
 rm -f python.out.*
 rm -f *-supported.file
 rm -f created.key-* unused.key-*

bin/tests/system/kasp/ns4/named.conf.in

@@ -145,9 +145,12 @@ view "none" {
 view "example1" {
 	match-clients { key "keyforview1"; };
 
+	allow-update { any; };
+
 	zone "example.net" {
 		type primary;
 		file "example1.db";
+		// Dynamic zone, inline-signing disabled, policy inerhited.
 	};
 };
 
@@ -157,6 +160,7 @@ view "example2" {
 	zone "example.net" {
 		type primary;
 		file "example2.db";
+		// Static zone, inline-signing, policy inherited.
 	};
 };
 

bin/tests/system/kasp/tests.sh

@@ -1880,8 +1880,16 @@ set_keytimes_csk_policy
 check_keytimes
 check_apex
 dnssec_verify
+# check zonestatus
 n=$((n+1))
+echo_i "check $ZONE (view example1) zonestatus ($n)"
+ret=0
+check_isdynamic "$SERVER" "$ZONE" "example1" || log_error "zone not dynamic"
+check_inlinesigning "$SERVER" "$ZONE" "example1" && log_error "inline-signing enabled, expected disabled"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 # check subdomain
+n=$((n+1))
 echo_i "check TXT example.net (view example1) rrset is signed correctly ($n)"
 ret=0
 dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
@@ -1897,8 +1905,16 @@ check_keys
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
 check_apex
 dnssec_verify
+# check zonestatus
 n=$((n+1))
+echo_i "check $ZONE (view example2) zonestatus ($n)"
+ret=0
+check_isdynamic "$SERVER" "$ZONE" "example2" && log_error "zone dynamic, but not expected"
+check_inlinesigning "$SERVER" "$ZONE" "example2" || log_error "inline-signing disabled, expected enabled"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 # check subdomain
+n=$((n+1))
 echo_i "check TXT example.net (view example2) rrset is signed correctly ($n)"
 ret=0
 dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
@@ -1914,8 +1930,16 @@ check_keys
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example3"
 check_apex
 dnssec_verify
+# check zonestatus
 n=$((n+1))
+echo_i "check $ZONE (view example3) zonestatus ($n)"
+ret=0
+check_isdynamic "$SERVER" "$ZONE" "example3" && log_error "zone dynamic, but not expected"
+check_inlinesigning "$SERVER" "$ZONE" "example3" || log_error "inline-signing disabled, expected enabled"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
 # check subdomain
+n=$((n+1))
 echo_i "check TXT example.net (view example3) rrset is signed correctly ($n)"
 ret=0
 dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"