Change inline system test

The inline system test tests 'auto-dnssec' in conjunction with 'inline-signing'. Change the tests to make use of 'dnssec-policy'. Remove some tests that no longer make sense: - The 'retransfer3.' zone tests changing the parameters with 'rndc signing -nsec3param'. This command is going away and NSEC3 parameters now need to be configured with nsec3param within 'dnssec-policy'. - The 'inactivezsk.' and 'inactiveksk.' zones test whether the ZSK take over signing if the KSK is inactive, or vice versa. This fallback mode longer makes sense when using a DNSSEC policy. Some tests need to be adapted more than just changing 'auto-dnssec' to 'dnssec-policy': - The 'delayedkeys.' zone first needs to be configured as insecure, then we can change it to start signing. Previously, no existing keys means that you cannot sign the zone, with 'dnssec-policy' new keys will be created. - The 'updated.' zone needs to have key states in a specific state so that the minimal journal check still works (otherwise CDS/ CDNSKEY and related records will be in the journal too). - External keys are now added to the unsigned zone and no longer are maintained with key files. Adjust the 'externalkey.' zone accordingly. - The 'nsec3-loop.' zone requires three signing keys. Since 'dnssec-policy' will ignore duplicates in the 'keys' section, create RSASHA256 keys with different role and/or key length. Finally, the 'externalkey.' zone checks for an expected number of DNSKEY and RRSIG records in the response. This used to be 3 DNSKEY and 2 RRSIG records. Due to logic behavior changes (key timing metadata is no longer authoritative, these expected values are changed to 4 DNSKEY records (two signing keys and two external keys per algorithm) and 1 RRSIG record (one active KSK per signing algorithm).
2025-08-30 05:57:52 +00:00 · 2023-06-19 16:21:11 +02:00 · 2023-06-19 16:21:11 +02:00 · f4eb3ba459
commit f4eb3ba459
parent d3bf732697
13 changed files with 164 additions and 284 deletions
--- a/bin/tests/system/inline/clean.sh
+++ b/bin/tests/system/inline/clean.sh
@ -24,4 +24,4 @@ rm -rf ./*/*.jbk \
   ./*/*.db ./*/*.db.signed ./*/*.db.jnl ./*/*.db.signed.jnl \
   ./*.out ./*.out* ./*/*.out ./*/*.out* \
   ./*/*.bk ./*/*.bk.jnl ./*/*.bk.signed ./*/*.bk.signed.jnl \
-   ns3/a-file ns3/removedkeys
+   ns3/a-file ns3/removedkeys ns3/delayedkeys.conf
--- a/bin/tests/system/inline/ns1/root.db.in
+++ b/bin/tests/system/inline/ns1/root.db.in
@ -48,12 +48,3 @@ ns3.nsec3.		A	10.53.0.3

 externalkey.		NS	ns3.externalkey.
 ns3.externalkey.	A	10.53.0.3
-
-retransfer3.		NS	ns3.retransfer.
-ns3.retransfer3.	A	10.53.0.3
-
-inactiveksk.		NS	ns3.inactiveksk.
-ns3.inactiveksk.	A	10.53.0.3
-
-inactivezsk.		NS	ns3.inactivezsk.
-ns3.inactivezsk.	A	10.53.0.3
--- a/bin/tests/system/inline/ns2/named.conf.in
+++ b/bin/tests/system/inline/ns2/named.conf.in
@ -47,32 +47,12 @@ zone "retransfer" {
 	notify no;
 };

-zone "retransfer3" {
-	type primary;
-	file "retransfer3.db";
-	allow-update { any; };
-	allow-transfer { none; };	// changed dynamically by tests.sh
-	notify no;
-};
-
 zone "nsec3-loop" {
 	type primary;
 	file "nsec3-loop.db";
 	notify no;
 };

-zone "inactiveksk" {
-	type primary;
-	file "inactiveksk.db";
-	allow-update { any; };
-};
-
-zone "inactivezsk" {
-	type primary;
-	file "inactivezsk.db";
-	allow-update { any; };
-};
-
 zone "nokeys" {
 	type primary;
 	file "nokeys.db";
--- a/bin/tests/system/inline/ns3/delayedkeys.conf.1
+++ b/bin/tests/system/inline/ns3/delayedkeys.conf.1
@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "delayedkeys" {
+	type primary;
+	file "delayedkeys.db";
+	inline-signing yes;
+	dnssec-policy insecure;
+};
--- a/bin/tests/system/inline/ns3/delayedkeys.conf.2
+++ b/bin/tests/system/inline/ns3/delayedkeys.conf.2
@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+zone "delayedkeys" {
+	type primary;
+	file "delayedkeys.db";
+	inline-signing yes;
+	dnssec-policy inline;
+};
--- a/bin/tests/system/inline/ns3/named.conf.in
+++ b/bin/tests/system/inline/ns3/named.conf.in
@ -35,11 +35,35 @@ options {
 	dnssec-validation no;
 };

+dnssec-policy "inline" {
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
+dnssec-policy "nsec3" {
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+	nsec3param iterations 0 optout no salt-length 0;
+};
+
+dnssec-policy "external" {
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		ksk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
+	};
+};
+
 zone "bits" {
 	type secondary;
 	primaries { 10.53.0.2; };
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	allow-update-forwarding { any; };
 	file "bits.bk";
 	sig-signing-signatures 1;	// force incremental processing
@ -51,7 +75,7 @@ zone "noixfr" {
 	type secondary;
 	primaries { 10.53.0.4; };
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	allow-update-forwarding { any; };
 	file "noixfr.bk";
 };
@ -59,7 +83,7 @@ zone "noixfr" {
 zone "primary" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "primary.db";
 	notify explicit;
 	also-notify {
@ -70,7 +94,7 @@ zone "primary" {
 zone "dynamic" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	allow-update { any; };
 	file "dynamic.db";
 };
@ -78,7 +102,7 @@ zone "dynamic" {
 zone "updated" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	allow-update { none; };
 	file "updated.db";
 };
@ -86,7 +110,7 @@ zone "updated" {
 zone "expired" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	allow-update { any; };
 	file "expired.db";
 };
@ -95,14 +119,14 @@ zone "retransfer" {
 	type secondary;
 	primaries { 10.53.0.2; };
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "retransfer.bk";
 };

 zone "nsec3" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy nsec3;
 	allow-update { any; };
 	file "nsec3.db";
 };
@ -110,56 +134,23 @@ zone "nsec3" {
 zone "externalkey" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
-	dnssec-dnskey-kskonly no;
+	dnssec-policy external;
 	allow-update { any; };
 	file "externalkey.db";
 };

-zone "retransfer3" {
-	type secondary;
-	primaries { 10.53.0.2; };
-	inline-signing yes;
-	auto-dnssec maintain;
-	file "retransfer3.bk";
-};
-
-zone "inactiveksk" {
-	type secondary;
-	primaries { 10.53.0.2; };
-	inline-signing yes;
-	auto-dnssec maintain;
-	dnssec-dnskey-kskonly yes;
-	file "inactiveksk.bk";
-};
-
-zone "inactivezsk" {
-	type secondary;
-	primaries { 10.53.0.2; };
-	inline-signing yes;
-	auto-dnssec maintain;
-	file "inactivezsk.bk";
-};
-
 zone "nokeys" {
 	type secondary;
 	primaries { 10.53.0.2; };
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy insecure;
 	file "nokeys.bk";
 };

-zone "delayedkeys" {
-	type primary;
-	inline-signing yes;
-	auto-dnssec maintain;
-	file "delayedkeys.db";
-};
-
 zone "removedkeys-primary" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	allow-update { any; };
 	also-notify { 10.53.0.2; };
 	file "removedkeys-primary.db";
@ -169,7 +160,7 @@ zone "removedkeys-secondary" {
 	type secondary;
 	primaries { 10.53.0.2; };
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "removedkeys-secondary.bk";
 };

@ -177,5 +168,7 @@ zone "unsupported" {
 	type primary;
 	file "unsupported.db";
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 };
+
+include "delayedkeys.conf";
--- a/bin/tests/system/inline/ns3/sign.sh
+++ b/bin/tests/system/inline/ns3/sign.sh
@ -49,10 +49,12 @@ $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
 zone=updated
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
-$SIGNER -S -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null
+zsk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
+ksk=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+$SETTIME -s -g OMNIPRESENT -k RUMOURED now -z RUMOURED now "$zsk" > settime.out.updated.1 2>&1
+$SETTIME -s -g OMNIPRESENT -k RUMOURED now -r RUMOURED now -d HIDDEN now "$ksk" > settime.out.updated.2 2>&1
+$DSFROMKEY -T 1200 $ksk >> ../ns1/root.db
+$SIGNER -S -x -O raw -L 2000042407 -o ${zone} ${zone}.db > /dev/null
 cp primary2.db.in updated.db

 # signatures are expired and should be regenerated on startup
@ -77,31 +79,6 @@ rm -f K${zone}.+*+*.private
 keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
 $DSFROMKEY -T 1200 $keyname >> ../ns1/root.db

-zone=retransfer3
-rm -f K${zone}.+*+*.key
-rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
-
-zone=inactiveksk
-rm -f K${zone}.+*+*.key
-rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 -f KSK $zone)
-keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
-
-zone=inactivezsk
-rm -f K${zone}.+*+*.key
-rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -P now -A now+3600 $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
-keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${ALTERNATIVE_ALGORITHM} -n zone -f KSK $zone)
-$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
-
 zone=delayedkeys
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
@ -136,6 +113,7 @@ do
 done

 zone=externalkey
+zonefile=${zone}.db
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private

@ -147,13 +125,10 @@ do
    k4=$($KEYGEN -q -a $alg -n zone -f KSK $zone)
    $DSFROMKEY -T 1200 $k4 >> ../ns1/root.db

-    # Convert k1 and k2 in to External Keys.
+    cat $k1.key $k2.key >> $zonefile
+
+    rm -f $k1.key
    rm -f $k1.private
-    mv $k1.key a-file
-    $IMPORTKEY -P now -D now+3600 -f a-file $zone > /dev/null 2>&1 ||
-        ( echo_i "importkey failed: $alg" )
+    rm -f $k2.key
    rm -f $k2.private
-    mv $k2.key a-file
-    $IMPORTKEY -f a-file $zone > /dev/null 2>&1 ||
-        ( echo_i "importkey failed: $alg" )
 done
--- a/bin/tests/system/inline/ns5/named.conf.post
+++ b/bin/tests/system/inline/ns5/named.conf.post
@ -33,10 +33,17 @@ options {
 	servfail-ttl 0;
 };

+dnssec-policy "inline" {
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
 zone "bits" {
 	type secondary;
 	primaries { 10.53.0.2; };
 	file "bits.bk";
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	inline-signing yes;
 };
--- a/bin/tests/system/inline/ns7/named.conf.in
+++ b/bin/tests/system/inline/ns7/named.conf.in
@ -48,3 +48,13 @@ options {
 	sig-signing-nodes 100;
 	sig-signing-signatures 10;
 };
+
+dnssec-policy "nsec3" {
+	keys {
+		ksk key-directory lifetime unlimited algorithm RSASHA256 2048;
+		zsk key-directory lifetime unlimited algorithm RSASHA256 2048;
+		zsk key-directory lifetime unlimited algorithm RSASHA256 1024;
+	};
+
+	nsec3param iterations 0 optout no salt-length 0;
+};
--- a/bin/tests/system/inline/ns7/sign.sh
+++ b/bin/tests/system/inline/ns7/sign.sh
@ -19,6 +19,6 @@
 zone=nsec3-loop
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone $zone)
-keyname=$($KEYGEN -q -a ${DEFAULT_ALGORITHM} -n zone -f KSK $zone)
+keyname=$($KEYGEN -q -a RSASHA256 -b 1024 -n zone $zone)
+keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone $zone)
+keyname=$($KEYGEN -q -a RSASHA256 -b 2048 -n zone -f KSK $zone)
--- a/bin/tests/system/inline/ns8/named.conf.in
+++ b/bin/tests/system/inline/ns8/named.conf.in
@ -36,128 +36,135 @@ options {
 	dnssec-validation no;
 };

+dnssec-policy "inline" {
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
 zone "example01.com" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example01.com.db";
 };

 zone "example02.com" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example02.com.db";
 };

 zone "example03.com" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example03.com.db";
 };

 zone "example04.com" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example04.com.db";
 };

 zone "example05.com" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example05.com.db";
 };

 zone "example06.com" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example06.com.db";
 };

 zone "example07.com" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example07.com.db";
 };

 zone "example08.com" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example08.com.db";
 };

 zone "example09.com" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example09.com.db";
 };

 zone "example10.com" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example10.com.db";
 };

 zone "example11.com" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example11.com.db";
 };

 zone "example12.com" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example12.com.db";
 };

 zone "example13.com" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example13.com.db";
 };

 zone "example14.com" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example14.com.db";
 };

 zone "example15.com" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example15.com.db";
 };

 zone "example16.com" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example16.com.db";
 };

 zone example {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "example.db";
 };

 zone "unsigned-serial-test" {
 	type primary;
 	inline-signing yes;
-	auto-dnssec maintain;
+	dnssec-policy inline;
 	file "unsigned-serial-test.db";
 };
--- a/bin/tests/system/inline/setup.sh
+++ b/bin/tests/system/inline/setup.sh
@ -18,12 +18,9 @@ cp ns1/root.db.in ns1/root.db
 touch ns2/trusted.conf
 cp ns2/nsec3-loop.db.in ns2/nsec3-loop.db
 cp ns2/bits.db.in ns2/bits.db
-cp ns2/bits.db.in ns2/inactiveksk.db
-cp ns2/bits.db.in ns2/inactivezsk.db
 cp ns2/bits.db.in ns2/nokeys.db
 cp ns2/bits.db.in ns2/removedkeys-secondary.db
 cp ns2/bits.db.in ns2/retransfer.db
-cp ns2/bits.db.in ns2/retransfer3.db

 cp ns3/primary.db.in ns3/primary.db
 cp ns3/primary.db.in ns3/dynamic.db
@ -44,6 +41,7 @@ cp ns4/noixfr.db.in ns4/noixfr.db
 copy_setports ns1/named.conf.in ns1/named.conf
 copy_setports ns2/named.conf.in ns2/named.conf
 copy_setports ns3/named.conf.in ns3/named.conf
+cp ns3/delayedkeys.conf.1 ns3/delayedkeys.conf
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.pre ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@ -36,8 +36,7 @@ status=0
 n=0
 ret=0

-$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - nsec3 > /dev/null 2>&1 || ret=1
-
+# Make sure nsec3 zone is NSEC3 signed.
 for i in 1 2 3 4 5 6 7 8 9 0
 do
 	nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.3 nsec3param nsec3.) || ret=1
@ -65,15 +64,12 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking that the zone is signed on initial transfer ($n)"
 ret=0
-for i in 1 2 3 4 5 6 7 8 9 10 1 2 3 4 5 6 7 8 9 10
-do
-	ret=0
-	$RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1
-	keys=$(grep '^Done signing' signing.out.test$n | wc -l)
-	[ $keys = 2 ] || ret=1
-	if [ $ret = 0 ]; then break; fi
-	sleep 1
-done
+zone_is_signed() {
+	$DIG $DIGOPTS @10.53.0.3 bits. AXFR > dig.out.ns3.test$n || return 1
+        $VERIFY -z -o bits. dig.out.ns3.test$n > verify.out.bits.test$n || return 1
+	return 0
+}
+retry_quiet 10 zone_is_signed || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

@ -93,7 +89,7 @@ $RNDCCMD 10.53.0.3 signing -list bits > signing.out.test$n 2>&1 || ret=1
 keys=$(sed -n -e 's/Done signing with key \(.*\)$/\1/p' signing.out.test$n)
 for key in $keys; do
 	$RNDCCMD 10.53.0.3 signing -clear ${key} bits > /dev/null || ret=1
-	break;	# We only want to remove 1 record for now.
+	break;  # We only want to remove 1 record for now.
 done 2>&1 |sed 's/^/ns3 /' | cat_i

 for i in 1 2 3 4 5 6 7 8 9 10
@ -113,6 +109,7 @@ n=$((n + 1))
 echo_i "checking private type was properly signed ($n)"
 ret=0
 $DIG $DIGOPTS @10.53.0.6 bits TYPE65534 > dig.out.ns6.test$n || ret=1
+# One private type record, one signature
 grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
 grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1

@ -122,7 +119,7 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking removal of remaining private type record via 'rndc signing -clear all' ($n)"
 ret=0
-$RNDCCMD 10.53.0.3 signing -clear all bits > /dev/null || ret=1
+$RNDCCMD 10.53.0.3 signing -clear all bits > signing.out.test$n.clear || ret=1

 for i in 1 2 3 4 5 6 7 8 9 10
 do
@ -434,8 +431,8 @@ status=$((status + ret))
 n=$((n + 1))
 echo_i "checking primary zone that was updated while offline is correct ($n)"
 ret=0
-$DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA >dig.out.ns2.soa.test$n || ret=1
-serial=$(awk '{print $3}' dig.out.ns2.soa.test$n)
+$DIG $DIGOPTS +nodnssec +short @10.53.0.3 updated SOA >dig.out.ns3.soa.test$n || ret=1
+serial=$(awk '{print $3}' dig.out.ns3.soa.test$n)
 # serial should have changed
 [ "$serial" = "2000042407" ] && ret=1
 # e.updated should exist and should be signed
@ -446,7 +443,7 @@ grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ret=1
 # of primary2.db, and should show a minimal diff: no more than 8 added
 # records (SOA/RRSIG, 2 x NSEC/RRSIG, A/RRSIG), and 4 removed records
 # (SOA/RRSIG, NSEC/RRSIG).
-$JOURNALPRINT ns3/updated.db.signed.jnl >journalprint.out.test$n || ret=1
+$JOURNALPRINT ns3/updated.db.signed.jnl > journalprint.out.test$n || ret=1
 serial=$(awk '/Source serial =/ {print $4}' journalprint.out.test$n)
 [ "$serial" = "2000042408" ] || ret=1
 diffsize=$(wc -l < journalprint.out.test$n)
@ -791,65 +788,6 @@ done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

-n=$((n + 1))
-echo_i "check 'rndc signing -nsec3param' requests are queued for zones which are not loaded ($n)"
-ret=0
-# The "retransfer3" zone is configured with "allow-transfer { none; };" on ns2,
-# which means it should not yet be available on ns3.
-$DIG $DIGOPTS @10.53.0.3 retransfer3 SOA > dig.out.ns3.pre.test$n || ret=1
-grep "status: SERVFAIL" dig.out.ns3.pre.test$n > /dev/null || ret=1
-# Switch the zone to NSEC3.  An "NSEC3 -> NSEC -> NSEC3" sequence is used purely
-# to test that multiple queued "rndc signing -nsec3param" requests are handled
-# properly.
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
-$RNDCCMD 10.53.0.3 signing -nsec3param none retransfer3 > /dev/null 2>&1 || ret=1
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
-# Reconfigure ns2 to allow outgoing transfers for the "retransfer3" zone.
-sed "s|\(allow-transfer { none; };.*\)|// \1|;" ns2/named.conf > ns2/named.conf.new
-mv ns2/named.conf.new ns2/named.conf
-$RNDCCMD 10.53.0.2 reconfig || ret=1
-# Request ns3 to retransfer the "retransfer3" zone.
-$RNDCCMD 10.53.0.3 retransfer retransfer3 || ret=1
-# Check whether "retransfer3" uses NSEC3 as requested.
-for i in 0 1 2 3 4 5 6 7 8 9
-do
-	ret=0
-	$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n.$i || ret=1
-	grep "status: NXDOMAIN" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
-	grep "NSEC3" dig.out.ns3.post.test$n.$i > /dev/null || ret=1
-	test $ret -eq 0 && break
-	sleep 1
-done
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-n=$((n + 1))
-echo_i "check rndc retransfer of a inline nsec3 secondary retains nsec3 ($n)"
-ret=0
-$RNDCCMD 10.53.0.3 signing -nsec3param 1 0 0 - retransfer3 > /dev/null 2>&1 || ret=1
-for i in 0 1 2 3 4 5 6 7 8 9
-do
-	ans=0
-	$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.pre.test$n || ret=1
-	grep "status: NXDOMAIN" dig.out.ns3.pre.test$n > /dev/null || ans=1
-	grep "NSEC3" dig.out.ns3.pre.test$n > /dev/null || ans=1
-	[ $ans = 0 ] && break
-	sleep 1
-done
-$RNDCCMD 10.53.0.3 retransfer retransfer3 2>&1 || ret=1
-for i in 0 1 2 3 4 5 6 7 8 9
-do
-	ans=0
-	$DIG $DIGOPTS @10.53.0.3 nonexist.retransfer3 A > dig.out.ns3.post.test$n || ret=1
-	grep "status: NXDOMAIN" dig.out.ns3.post.test$n > /dev/null || ans=1
-	grep "NSEC3" dig.out.ns3.post.test$n > /dev/null || ans=1
-	[ $ans = 0 ] && break
-	sleep 1
-done
-[ $ans = 1 ] && ret=1
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
 # NOTE: The test below should be considered fragile.  More details can be found
 # in the comment inside ns7/named.conf.
 n=$((n + 1))
@ -858,7 +796,7 @@ ret=0
 zone=nsec3-loop
 # Add secondary zone using rndc
 $RNDCCMD 10.53.0.7 addzone $zone \
-	'{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; auto-dnssec maintain; };' || ret=1
+	'{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; dnssec-policy default; };' || ret=1
 # Wait until secondary zone is fully signed using NSEC
 for i in 1 2 3 4 5 6 7 8 9 0
 do
@ -869,15 +807,18 @@ do
 	sleep 1
 done
 # Switch secondary zone to NSEC3
-$RNDCCMD 10.53.0.7 signing -nsec3param 1 0 2 12345678 $zone > /dev/null 2>&1 || ret=1
+$RNDCCMD 10.53.0.7 modzone $zone \
+	'{ type secondary; primaries { 10.53.0.2; }; file "'$zone'.db"; inline-signing yes; dnssec-policy nsec3; };' || ret=1
 # Wait until secondary zone is fully signed using NSEC3
 for i in 1 2 3 4 5 6 7 8 9 0
 do
 	ret=1
-	nsec3param=$($DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone) || ret=1
-	test "$nsec3param" = "1 0 2 12345678" && ret=0 && break
+	$DIG $DIGOPTS +nodnssec +short @10.53.0.7 nsec3param $zone > dig.out.ns7.test$n
+	nsec3param=$(cat dig.out.ns7.test$n)
+	test "$nsec3param" = "1 0 0 -" && ret=0 && break
 	sleep 1
 done
+
 # Attempt to retransfer the secondary zone from primary
 $RNDCCMD 10.53.0.7 retransfer $zone || ret=1
 # Check whether the signer managed to fully sign the retransferred zone by
@ -1013,7 +954,7 @@ $RNDCCMD 10.53.0.2 addzone test-$zone \
 $DIG $DIGOPTS @10.53.0.2 test-$zone SOA > dig.out.ns2.$zone.test$n || ret=1
 grep "status: NOERROR," dig.out.ns2.$zone.test$n  > /dev/null || { ret=1; cat dig.out.ns2.$zone.test$n; }
 $RNDCCMD 10.53.0.3 addzone test-$zone \
-	'{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; auto-dnssec maintain; allow-transfer { any; }; };' || ret=1
+	'{ type secondary; primaries { 10.53.0.2; }; file "'test-$zone.bk'"; inline-signing yes; dnssec-policy default; allow-transfer { any; }; };' || ret=1
 $RNDCCMD 10.53.0.3 delzone test-$zone > /dev/null 2>&1 || ret=1
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
@ -1036,8 +977,8 @@ do

   dnskeys=$(grep "IN.DNSKEY.25[67] [0-9]* $alg " dig.out.ns3.test$n | wc -l)
   rrsigs=$(grep "RRSIG.DNSKEY $alg " dig.out.ns3.test$n | wc -l)
-   test ${dnskeys:-0} -eq 3 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; }
-   test ${rrsigs:-0} -eq 2 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; }
+   test ${dnskeys:-0} -eq 4 || { echo_i "failed $alg (dnskeys ${dnskeys:-0})"; ret=1; }
+   test ${rrsigs:-0} -eq 1 || { echo_i "failed $alg (rrsigs ${rrsigs:-0})"; ret=1; }
 done
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))
@ -1133,70 +1074,6 @@ retry_quiet 5 wait_for_serial 10.53.0.2 bits. "${oldserial:-1}" dig.out.ns2.post
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status + ret))

-n=$((n + 1))
-echo_i "testing that inline signing works with inactive ZSK and active KSK ($n)"
-ret=0
-
-$DIG $DIGOPTS @10.53.0.3 soa inactivezsk  > dig.out.ns3.pre.test$n || ret=1
-soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.pre.test$n)
-
-$NSUPDATE << EOF || ret=1
-server 10.53.0.2 ${PORT}
-update add added.inactivezsk 0 IN TXT added record
-send
-EOF
-
-for i in 1 2 3 4 5 6 7 8 9 10
-do
-    $DIG $DIGOPTS @10.53.0.3 soa inactivezsk  > dig.out.ns3.post.test$n || ret=1
-    soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns3.post.test$n)
-    test ${soa1:-0} -ne ${soa2:-0} && break
-    sleep 1
-done
-test ${soa1:-0} -ne ${soa2:-0} || ret=1
-
-$DIG $DIGOPTS @10.53.0.3 txt added.inactivezsk > dig.out.ns3.test$n || ret=1
-grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
-grep "RRSIG" dig.out.ns3.test$n > /dev/null || ret=1
-grep "TXT ${DEFAULT_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
-grep "TXT ${ALTERNATIVE_ALGORITHM_NUMBER} 2" dig.out.ns3.test$n > /dev/null || ret=1
-
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
-n=$((n + 1))
-echo_i "testing that inline signing works with inactive KSK and active ZSK ($n)"
-ret=0
-
-$DIG $DIGOPTS @10.53.0.3 axfr inactiveksk > dig.out.ns3.test$n || ret=1
-
-#
-#  check that DNSKEY is signed with ZSK for default algorithm
-#
-awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }'
-zskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
-       $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' )
-grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null || ret=1
-awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }'
-kskid=$(awk -v alg=${DEFAULT_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
-       $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' )
-grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1
-
-#
-#  check that DNSKEY is signed with KSK for alternative algorithm
-#
-awk='$4 == "DNSKEY" && $5 == 256 && $7 == alg { print }'
-zskid=$(awk -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
-       $DSFROMKEY -A -2 -f - inactiveksk | awk '{ print $4}' )
-grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${zskid} " dig.out.ns3.test$n > /dev/null && ret=1
-awk='$4 == "DNSKEY" && $5 == 257 && $7 == alg { print }'
-kskid=$(awk  -v alg=${ALTERNATIVE_ALGORITHM_NUMBER} "${awk}" dig.out.ns3.test$n |
-       $DSFROMKEY -2 -f - inactiveksk | awk '{ print $4}' )
-grep "DNSKEY ${ALTERNATIVE_ALGORITHM_NUMBER} 1 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1
-
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=$((status + ret))
-
 # Wait until an update to the raw part of a given inline signed zone is fully
 # processed.  As waiting for a fixed amount of time is suboptimal and there is
 # no single message that would signify both a successful modification and an
@ -1368,12 +1245,16 @@ ensure_sigs_only_in_journal() {
 n=$((n + 1))
 echo_i "checking that records added from a journal are scheduled to be resigned ($n)"
 ret=0
+zone="delayedkeys"
 # Signing keys for the "delayedkeys" zone are not yet accessible.  Thus, the
 # zone file for the signed version of the zone will contain no DNSSEC records.
 # Move keys into place now and load them, which will cause DNSSEC records to
 # only be present in the journal for the signed version of the zone.
 mv Kdelayedkeys* ns3/
-$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1
+cp ns3/delayedkeys.conf.2 ns3/delayedkeys.conf
+$RNDCCMD 10.53.0.3 reconfig > /dev/null 2>&1 || ret=1
+
+#$RNDCCMD 10.53.0.3 loadkeys delayedkeys > rndc.out.ns3.pre.test$n 2>&1 || ret=1
 # Wait until the zone is signed.
 check_done_signing () (
    $RNDCCMD 10.53.0.3 signing -list delayedkeys > signing.out.test$n 2>&1 || true