File _service:tar_scm_kernel_repo:backport-Test-dnss... of Package bind

File _service:tar_scm_kernel_repo:backport-Test-dnssec-policy-max-zone-ttl-rejects-zone-with-to.patch of Package bind

From 2022384b8dc7249671d521dc9ef5a292a960521d Mon Sep 17 00:00:00 2001
From: Matthijs Mekking <matthijs@isc.org>
Date: Wed, 13 Jul 2022 10:27:18 +0200
Subject: [PATCH] Test dnssec-policy max-zone-ttl rejects zone with too high
 TTL

Similar to the 'max-zone-ttl' zone option, the 'dnssec-policy' option
should reject zones with TTLs that are out of range.
Conflict: NA
Reference: https://gitlab.isc.org/isc-projects/bind9/-/commit/2022384b8dc7249671d521dc9ef5a292a960521d
---
 bin/tests/system/kasp/ns3/named.conf.in       |  9 +++++++
 .../system/kasp/ns3/policies/kasp.conf.in     |  4 ++++
 bin/tests/system/kasp/ns3/setup.sh            | 24 ++++++++-----------
 bin/tests/system/kasp/tests.sh                |  9 +++++++
 4 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in
index e229fd9158..64ae2aa402 100644
--- a/bin/tests/system/kasp/ns3/named.conf.in
+++ b/bin/tests/system/kasp/ns3/named.conf.in
@@ -223,6 +223,15 @@ zone "ecdsa384.kasp" {
 	dnssec-policy "ecdsa384";
 };
 
+/*
+ * Zone with too high TTL.
+ */
+zone "max-zone-ttl.kasp" {
+	type primary;
+	file "max-zone-ttl.kasp.db";
+	dnssec-policy "ttl";
+};
+
 /*
  * Zones in different signing states.
  */
diff --git a/bin/tests/system/kasp/ns3/policies/kasp.conf.in b/bin/tests/system/kasp/ns3/policies/kasp.conf.in
index d0ae96ce08..17b900c7b3 100644
--- a/bin/tests/system/kasp/ns3/policies/kasp.conf.in
+++ b/bin/tests/system/kasp/ns3/policies/kasp.conf.in
@@ -132,3 +132,7 @@ dnssec-policy "checkds-csk" {
 		csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 	};
 };
+
+dnssec-policy "ttl" {
+	max-zone-ttl 299;
+};
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 21c4c9126d..bc4a0fc11d 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -64,20 +64,16 @@ if [ -f ../ed448-supported.file ]; then
 	cat ed448.conf >> named.conf
 fi
 
-# Set up zone that stays unsigned.
-zone="unsigned.kasp"
-echo_i "setting up zone: $zone"
-zonefile="${zone}.db"
-infile="${zone}.db.infile"
-cp template.db.in $infile
-cp template.db.in $zonefile
-
-# Set up zone that stays unsigned.
-zone="insecure.kasp"
-echo_i "setting up zone: $zone"
-zonefile="${zone}.db"
-infile="${zone}.db.infile"
-cp template.db.in $zonefile
+# Set up zones that stay unsigned.
+for zn in unsigned insecure max-zone-ttl
+do
+	zone="${zn}.kasp"
+	echo_i "setting up zone: $zone"
+	zonefile="${zone}.db"
+	infile="${zone}.db.infile"
+	cp template.db.in $infile
+	cp template.db.in $zonefile
+done
 
 # Some of these zones already have keys.
 zone="dnssec-keygen.kasp"
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 4a458945a0..ff4d32cc7b 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -253,6 +253,15 @@ status=$((status+ret))
 
 next_key_event_threshold=$((next_key_event_threshold+i))
 
+# Test max-zone-ttl rejects zones with too high TTL.
+n=$((n+1))
+echo_i "check that max-zone-ttl rejects zones with too high TTL ($n)"
+ret=0
+set_zone "max-zone-ttl.kasp"
+grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" > /dev/null || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 #
 # Zone: default.kasp.
 #
-- 
2.27.0