Commit fcd34abb authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Test rndc rollover inactive key

When users (accidentally) try to roll an inactive key, throw an error.
parent e826faca
......@@ -2802,6 +2802,15 @@ check_apex
check_subdomain
dnssec_verify
# Try to schedule a ZSK rollover for an inactive key (should fail).
n=$((n+1))
echo_i "check that rndc dnssec -rollover fails if key is inactive ($n)"
ret=0
rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" > rndc.dnssec.rollover.out.$ZONE.$n
grep "key is not active and cannot be rolled" rndc.dnssec.rollover.out.$ZONE.$n > /dev/null || log_error "bad error message"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
#
# Testing DNSSEC introduction.
#
......
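Review bot: The new check asserts only that the expected text appears in the captured output; it never asserts that the rndc command itself was rejected, so a future regression that prints the message but still schedules the rollover (or exits 0) would pass. If rndccmd propagates rndc's exit status, add `rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" > rndc.dnssec.rollover.out.$ZONE.$n && log_error "rollover of inactive key unexpectedly succeeded"` in place of the bare command, and consider a follow-up assertion that KEY4's timing metadata is unchanged afterwards so the negative path is shown to have no side effect. The redirect captures stdout only; if the server's error text is emitted on stderr by rndc the grep would fail for the wrong reason, which is worth confirming once locally. This block is top-level script code, not inside a function.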
......@@ -2181,7 +2181,7 @@ dns_keymgr_rollover(dns_kasp_t *kasp, dns_dnsseckeylist_t *keyring,
}
result = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
if (result != ISC_R_SUCCESS) {
if (result != ISC_R_SUCCESS || active > now) {
return (ISC_R_UNEXPECTED);
}
......
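Review bot: The new condition `active > now` folds two different failures into one ISC_R_UNEXPECTED return, so a caller can no longer distinguish "key has no usable activation time" from "key is not yet active", and the intent is not visible in the code; a comment such as `/* Refuse to roll a key that is not (yet) active; a missing or future activation time is reported to rndc as an error rather than scheduling a rollover. */` above the check would document it. It is also not visible from this hunk whether a key that was once active but has since passed its inactive time is meant to count as "inactive" for this purpose; if so, this activation-time-only check does not cover it and DST_TIME_INACTIVE would need the same treatment, unless that is handled earlier in the function. dns_keymgr_rollover begins and ends outside the hunk, so the surrounding handling could not be checked.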