3177. [func] 'rndc keydone', remove the indicator record that

named has finished signing the zone with the corresponding key. [RT #26206]

3177. [func] 'rndc keydone', remove the indicator record that
named has finished signing the zone with the corresponding key. [RT #26206]
b1c6de54 · Mark Andrews · 4aa19ee1 · b1c6de54 · b1c6de54 · b1c6de54
Commit b1c6de54 authored Oct 25, 2011 by Mark Andrews
--- a/CHANGES
+++ b/CHANGES
+3177.	[func]		'rndc keydone', remove the indicator record that
+			named has finished signing the zone with the
+			corresponding key.  [RT #26206]
+
 3176.	[doc]		Corrected example code and added a README to the
 			sample external DLZ module in contrib/dlz/example.
 			[RT #26215]

--- a/bin/dnssec/dnssec-dsfromkey.c
+++ b/bin/dnssec/dnssec-dsfromkey.c
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: dnssec-dsfromkey.c,v 1.23 2011/09/03 05:51:29 each Exp $ */
+/* $Id: dnssec-dsfromkey.c,v 1.24 2011/10/25 01:54:18 marka Exp $ */

 /*! \file */

@@ -62,6 +62,7 @@ static dns_rdataclass_t rdclass;
 static dns_fixedname_t	fixed;
 static dns_name_t	*name = NULL;
 static isc_mem_t	*mctx = NULL;
+static isc_uint32_t	ttl;

 static isc_result_t
 initname(char *setname) {
@@ -294,6 +295,9 @@ emit(unsigned int dtype, isc_boolean_t showall, char *lookaside,
 	isc_buffer_usedregion(&nameb, &r);
 	printf("%.*s ", (int)r.length, r.base);

+	if (ttl != 0U)
+		printf("%u ", ttl);
+
 	isc_buffer_usedregion(&classb, &r);
 	printf("%.*s", (int)r.length, r.base);

@@ -329,6 +333,7 @@ usage(void) {
 	fprintf(stderr, "    -l: add lookaside zone and print DLV records\n");
 	fprintf(stderr, "    -s: read keyset from keyset-<dnsname> file\n");
 	fprintf(stderr, "    -c class: rdata class for DS set (default: IN)\n");
+	fprintf(stderr, "    -T TTL\n");
 	fprintf(stderr, "    -f file: read keyset from zone file\n");
 	fprintf(stderr, "    -A: when used with -f, "
 			"include all keys in DS set, not just KSKs\n");
@@ -368,7 +373,7 @@ main(int argc, char **argv) {
 	isc_commandline_errprint = ISC_FALSE;

 	while ((ch = isc_commandline_parse(argc, argv,
-					   "12Aa:c:d:Ff:K:l:sv:h")) != -1) {
+					   "12Aa:c:d:Ff:K:l:sT:v:h")) != -1) {
 		switch (ch) {
 		case '1':
 			dtype = DNS_DSDIGEST_SHA1;
@@ -408,6 +413,9 @@ main(int argc, char **argv) {
 		case 's':
 			usekeyset = ISC_TRUE;
 			break;
+		case 'T':
+			ttl = atol(isc_commandline_argument);
+			break;
 		case 'v':
 			verbose = strtol(isc_commandline_argument, &endp, 0);
 			if (*endp != '\0')

--- a/bin/dnssec/dnssec-dsfromkey.docbook
+++ b/bin/dnssec/dnssec-dsfromkey.docbook
@@ -17,7 +17,7 @@
 - PERFORMANCE OF THIS SOFTWARE.
 -->

-<!-- $Id: dnssec-dsfromkey.docbook,v 1.16 2011/03/27 06:39:59 marka Exp $ -->
+<!-- $Id: dnssec-dsfromkey.docbook,v 1.17 2011/10/25 01:54:18 marka Exp $ -->
 <refentry id="man.dnssec-dsfromkey">
  <refentryinfo>
    <date>August 26, 2009</date>
@@ -52,6 +52,7 @@
      <arg><option>-2</option></arg>
      <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
      <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
+      <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
      <arg choice="req">keyfile</arg>
    </cmdsynopsis>
    <cmdsynopsis>
@@ -64,6 +65,7 @@
      <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
      <arg><option>-s</option></arg>
      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+      <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
      <arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
      <arg><option>-A</option></arg>
      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
@@ -113,6 +115,15 @@
        </listitem>
      </varlistentry>

+      <varlistentry>
+        <term>-T <replaceable class="parameter">TTL</replaceable></term>
+        <listitem>
+          <para>
+            Specifies the TTL of the DS records.
+          </para>
+	  </listitem>
+      </varlistentry>
+
      <varlistentry>
        <term>-K <replaceable class="parameter">directory</replaceable></term>
        <listitem>

--- a/bin/named/control.c
+++ b/bin/named/control.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: control.c,v 1.44 2011/08/02 20:36:11 each Exp $ */
+/* $Id: control.c,v 1.45 2011/10/25 01:54:18 marka Exp $ */

 /*! \file */

@@ -205,6 +205,8 @@ ns_control_docommand(isccc_sexpr_t *message, isc_buffer_t *text) {
 		result = ns_server_add_zone(ns_g_server, command);
 	} else if (command_compare(command, NS_COMMAND_DELZONE)) {
 		result = ns_server_del_zone(ns_g_server, command);
+	} else if (command_compare(command, NS_COMMAND_KEYDONE)) {
+		result = ns_server_keydone(ns_g_server, command);
 	} else {
 		isc_log_write(ns_g_lctx, NS_LOGCATEGORY_GENERAL,
 			      NS_LOGMODULE_CONTROL, ISC_LOG_WARNING,

--- a/bin/named/include/named/control.h
+++ b/bin/named/include/named/control.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: control.h,v 1.34 2011/08/02 20:36:12 each Exp $ */
+/* $Id: control.h,v 1.35 2011/10/25 01:54:19 marka Exp $ */

 #ifndef NAMED_CONTROL_H
 #define NAMED_CONTROL_H 1
@@ -64,6 +64,7 @@
 #define NS_COMMAND_ADDZONE	"addzone"
 #define NS_COMMAND_DELZONE	"delzone"
 #define NS_COMMAND_SYNC		"sync"
+#define NS_COMMAND_KEYDONE	"keydone"

 isc_result_t
 ns_controls_create(ns_server_t *server, ns_controls_t **ctrlsp);

--- a/bin/named/include/named/server.h
+++ b/bin/named/include/named/server.h
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: server.h,v 1.113 2011/08/02 20:36:12 each Exp $ */
+/* $Id: server.h,v 1.114 2011/10/25 01:54:19 marka Exp $ */

 #ifndef NAMED_SERVER_H
 #define NAMED_SERVER_H 1
@@ -342,4 +342,10 @@ ns_server_add_zone(ns_server_t *server, char *args);
 isc_result_t
 ns_server_del_zone(ns_server_t *server, char *args);

+/*%
+ * Deletes the matching key done private record from the zone.
+ */
+isc_result_t
+ns_server_keydone(ns_server_t *server, char *args);
+
 #endif /* NAMED_SERVER_H */
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: server.c,v 1.622 2011/10/14 05:38:49 marka Exp $ */
+/* $Id: server.c,v 1.623 2011/10/25 01:54:19 marka Exp $ */

 /*! \file */

@@ -5912,7 +5912,7 @@ next_token(char **stringp, const char *delim) {
 */
 static isc_result_t
 zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,
-	       const char **zonename)
+	       const char **zonename, isc_boolean_t skip)
 {
 	char *input, *ptr;
 	const char *zonetxt;
@@ -5928,10 +5928,12 @@ zone_from_args(ns_server_t *server, char *args, dns_zone_t **zonep,

 	input = args;

-	/* Skip the command name. */
-	ptr = next_token(&input, " \t");
-	if (ptr == NULL)
-		return (ISC_R_UNEXPECTEDEND);
+	if (skip) {
+		/* Skip the command name. */
+		ptr = next_token(&input, " \t");
+		if (ptr == NULL)
+			return (ISC_R_UNEXPECTEDEND);
+	}

 	/* Look for the zone name. */
 	zonetxt = next_token(&input, " \t");
@@ -5999,7 +6001,7 @@ ns_server_retransfercommand(ns_server_t *server, char *args) {
 	dns_zone_t *zone = NULL;
 	dns_zonetype_t type;

-	result = zone_from_args(server, args, &zone, NULL);
+	result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL)
@@ -6023,7 +6025,7 @@ ns_server_reloadcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
 	dns_zonetype_t type;
 	const char *msg = NULL;

-	result = zone_from_args(server, args, &zone, NULL);
+	result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL) {
@@ -6083,7 +6085,7 @@ ns_server_notifycommand(ns_server_t *server, char *args, isc_buffer_t *text) {
 	dns_zone_t *zone = NULL;
 	const unsigned char msg[] = "zone notify queued";

-	result = zone_from_args(server, args, &zone, NULL);
+	result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL)
@@ -6108,7 +6110,7 @@ ns_server_refreshcommand(ns_server_t *server, char *args, isc_buffer_t *text) {
 	const unsigned char msg2[] = "not a slave or stub zone";
 	dns_zonetype_t type;

-	result = zone_from_args(server, args, &zone, NULL);
+	result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL)
@@ -7216,7 +7218,7 @@ ns_server_rekey(ns_server_t *server, char *args) {
 	if (strncasecmp(args, NS_COMMAND_SIGN, strlen(NS_COMMAND_SIGN)) == 0)
 	    fullsign = ISC_TRUE;

-	result = zone_from_args(server, args, &zone, NULL);
+	result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL)
@@ -7283,7 +7285,7 @@ ns_server_sync(ns_server_t *server, char *args, isc_buffer_t *text) {
 		(void) next_token(&args, " \t");
 	}

-	result = zone_from_args(server, args, &zone, NULL);
+	result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
 	if (result != ISC_R_SUCCESS)
 		return (result);

@@ -7359,7 +7361,7 @@ ns_server_freeze(ns_server_t *server, isc_boolean_t freeze, char *args,
 	isc_boolean_t frozen;
 	const char *msg = NULL;

-	result = zone_from_args(server, args, &zone, NULL);
+	result = zone_from_args(server, args, &zone, NULL, ISC_TRUE);
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL) {
@@ -7687,7 +7689,7 @@ ns_server_del_zone(ns_server_t *server, char *args) {
 	FILE		      *ifp = NULL, *ofp = NULL;

 	/* Parse parameters */
-	CHECK(zone_from_args(server, args, &zone, &zonename));
+	CHECK(zone_from_args(server, args, &zone, &zonename, ISC_TRUE));
 	if (result != ISC_R_SUCCESS)
 		return (result);
 	if (zone == NULL) {
@@ -7855,3 +7857,47 @@ newzone_cfgctx_destroy(void **cfgp) {
 	isc_mem_putanddetach(&cfg->mctx, cfg, sizeof(*cfg));
 	*cfgp = NULL;
 }
+
+/*
+ * Act on a "keydone" command from the command channel.
+ */
+isc_result_t
+ns_server_keydone(ns_server_t *server, char *args) {
+	isc_result_t result;
+	dns_zone_t *zone = NULL;
+	const char *ptr = NULL;
+
+	ptr = next_token(&args, " \t");
+	if (ptr == NULL)
+		return (ISC_R_UNEXPECTEDEND);
+
+	ptr = next_token(&args, " \t");
+	if (ptr == NULL)
+		return (ISC_R_UNEXPECTEDEND);
+	/*
+	 * Is the rdata sane?
+	 */
+	if (strspn(ptr, "0123456789ABCDEFabcdef") != 10U ||
+	    strncmp(ptr, "00", 2) == 0 || strcmp(ptr + 6, "0001") != 0)
+		return (DNS_R_SYNTAX);
+
+	/*
+	 * Find the zone.
+	 */
+	result = zone_from_args(server, args, &zone, NULL, ISC_FALSE);
+	if (result != ISC_R_SUCCESS)
+		return (result);
+	if (zone == NULL)
+		return(ISC_R_NOTFOUND);
+
+	if (dns_zone_gettype(zone) != dns_zone_master) {
+		result = DNS_R_NOTMASTER;
+		goto cleanup;
+	}
+
+	result = dns_zone_keydone(zone, ptr);
+
+ cleanup:
+	dns_zone_detach(&zone);
+	return (result);
+}
--- a/bin/rndc/rndc.c
+++ b/bin/rndc/rndc.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: rndc.c,v 1.134 2011/03/21 15:39:05 each Exp $ */
+/* $Id: rndc.c,v 1.135 2011/10/25 01:54:19 marka Exp $ */

 /*! \file */

@@ -154,6 +154,9 @@ command is one of the following:\n\
 		Add zone to given view. Requires new-zone-file option.\n\
  delzone [\"file\"] zone [class [view]]\n\
 		Removes zone from given view. Requires new-zone-file option.\n\
+  keydone rdata zone [class [view]]\n\
+		Remove the private record with the corresponding rdata from\n\
+		the given zone.\n\
 \n\
 * == not yet implemented\n\
 Version: %s\n",

--- a/bin/tests/system/inline/clean.sh
+++ b/bin/tests/system/inline/clean.sh
@@ -12,11 +12,15 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: clean.sh,v 1.3 2011/10/12 00:10:19 marka Exp $
+# $Id: clean.sh,v 1.4 2011/10/25 01:54:19 marka Exp $

 rm -f */named.memstats
 rm -f */named.run
 rm -f */trusted.conf
+rm -f ns1/K*
+rm -f ns1/dsset-*
+rm -f ns1/root.db
+rm -f ns1/root.db.signed
 rm -f ns2/bits.db
 rm -f ns2/bits.db.jnl
 rm -f ns3/K*

--- a/bin/tests/system/inline/ns1/named.conf
+++ b/bin/tests/system/inline/ns1/named.conf
@@ -14,7 +14,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: named.conf,v 1.2 2011/08/30 23:46:52 tbox Exp $ */
+/* $Id: named.conf,v 1.3 2011/10/25 01:54:20 marka Exp $ */

 // NS1

@@ -39,4 +39,4 @@ zone "." {
 	file "root.db.signed";
 };

-// include "trusted.conf";
+include "trusted.conf";
--- a/bin/tests/system/inline/ns1/root.db.in
+++ b/bin/tests/system/inline/ns1/root.db.in
+; Copyright (C) 2004, 2007  Internet Systems Consortium, Inc. ("ISC")
+; Copyright (C) 2000, 2001  Internet Software Consortium.
+;
+; Permission to use, copy, modify, and/or distribute this software for any
+; purpose with or without fee is hereby granted, provided that the above
+; copyright notice and this permission notice appear in all copies.
+;
+; THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+; REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+; AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+; INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+; LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+; PERFORMANCE OF THIS SOFTWARE.
+
+; $Id: root.db.in,v 1.2 2011/10/25 01:54:20 marka Exp $
+
+$TTL 300
+. 			IN SOA	gson.nominum.com. a.root.servers.nil. (
+				2000042100   	; serial
+				600         	; refresh
+				600         	; retry
+				1200    	; expire
+				600       	; minimum
+				)
+.			NS	a.root-servers.nil.
+a.root-servers.nil.	A	10.53.0.1
+
+bits.			NS	ns3.bits.
+ns3.bits.		A	10.53.0.3
+bits.			NS	ns4.bits.
+ns4.bits.		A	10.53.0.4
+
+noixfr.			NS	ns3.noixfr.
+ns3.noixfr.		A	10.53.0.3
--- a/bin/tests/system/inline/ns1/sign.sh
+++ b/bin/tests/system/inline/ns1/sign.sh
+#!/bin/sh -e
+#
+# Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+#
+# Permission to use, copy, modify, and/or distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+# REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+# AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+# LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+# PERFORMANCE OF THIS SOFTWARE.
+
+# $Id: sign.sh,v 1.2 2011/10/25 01:54:20 marka Exp $
+
+SYSTEMTESTTOP=../..
+. $SYSTEMTESTTOP/conf.sh
+
+RANDFILE=../random.data
+
+zone=.
+rm -f K.+*+*.key
+rm -f K.+*+*.private
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
+keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+$SIGNER -S -x -T 1200 -o ${zone} root.db
+
+cat ${keyname}.key | grep -v '^; ' | $PERL -n -e '
+local ($dn, $class, $type, $flags, $proto, $alg, @rest) = split;
+local $key = join("", @rest);
+print <<EOF
+trusted-keys {
+    "$dn" $flags $proto $alg "$key";
+};
+EOF
+' > trusted.conf
+
+cp trusted.conf ../ns6/trusted.conf
--- a/bin/tests/system/inline/ns3/named.conf
+++ b/bin/tests/system/inline/ns3/named.conf
@@ -14,11 +14,13 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: named.conf,v 1.2 2011/08/30 23:46:52 tbox Exp $ */
+/* $Id: named.conf,v 1.3 2011/10/25 01:54:20 marka Exp $ */

-// NS2
+// NS3

-controls { /* empty */ };
+include "../../common/rndc.key";
+
+controls { inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; };

 options {
 	query-source address 10.53.0.3;

--- a/bin/tests/system/inline/ns3/sign.sh
+++ b/bin/tests/system/inline/ns3/sign.sh
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: sign.sh,v 1.2 2011/08/30 23:46:52 tbox Exp $
+# $Id: sign.sh,v 1.3 2011/10/25 01:54:20 marka Exp $

 SYSTEMTESTTOP=../..
 . $SYSTEMTESTTOP/conf.sh
@@ -26,9 +26,11 @@ rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db

 zone=noixfr
 rm -f K${zone}.+*+*.key
 rm -f K${zone}.+*+*.private
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 768 -n zone $zone`
 keyname=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -f KSK $zone`
+$DSFROMKEY -T 1200 $keyname >> ../ns1/root.db
--- a/bin/tests/system/inline/ns6/named.conf
+++ b/bin/tests/system/inline/ns6/named.conf
+/*
+ * Copyright (C) 2011  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $Id: named.conf,v 1.2 2011/10/25 01:54:21 marka Exp $ */
+
+// NS6
+
+include "../../common/rndc.key";
+
+controls { inet 10.53.0.6 port 9953 allow { any; } keys { rndc_key; }; };
+
+options {
+	query-source address 10.53.0.6;
+	notify-source 10.53.0.6;
+	transfer-source 10.53.0.6;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.6; };
+	listen-on-v6 { none; };
+	recursion yes;
+	notify yes;
+	notify-delay 0;
+};
+
+zone "." {
+	type hint;
+	file "../../common/root.hint";
+};
+
+include "trusted.conf";
--- a/bin/tests/system/inline/setup.sh
+++ b/bin/tests/system/inline/setup.sh
@@ -12,10 +12,13 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: setup.sh,v 1.3 2011/10/12 00:10:19 marka Exp $
+# $Id: setup.sh,v 1.4 2011/10/25 01:54:19 marka Exp $

 sh clean.sh

+cp ns1/root.db.in ns1/root.db
+rm -f ns1/root.db.signed
+
 touch ns2/trusted.conf
 cp ns2/bits.db.in ns2/bits.db
 rm -f ns2/bits.db.jnl
@@ -39,3 +42,4 @@ cp ns5/named.conf.pre ns5/named.conf
 ../../../tools/genrandom 400 random.data

 (cd ns3; sh -e sign.sh)
+(cd ns1; sh -e sign.sh)
--- a/bin/tests/system/inline/tests.sh
+++ b/bin/tests/system/inline/tests.sh
@@ -14,7 +14,7 @@
 # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 # PERFORMANCE OF THIS SOFTWARE.

-# $Id: tests.sh,v 1.3 2011/10/12 00:10:19 marka Exp $
+# $Id: tests.sh,v 1.4 2011/10/25 01:54:20 marka Exp $

 SYSTEMTESTTOP=..
 . $SYSTEMTESTTOP/conf.sh
@@ -34,7 +34,7 @@ do
 	$DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
 	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ret=1
 	grep "ANSWER: 3," dig.out.ns3.test$n > /dev/null || ret=1
-	records=`grep "TYPE65534.*05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001" dig.out.ns3.test$n | wc -l`
+	records=`grep 'TYPE65534.*05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001$' dig.out.ns3.test$n | wc -l`
 	[ $records = 2 ] || ret=1
 	if [ $ret = 0 ]; then break; fi
 	sleep 1
@@ -42,6 +42,75 @@ done
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

+n=`expr $n + 1`
+echo "I:checking removal of private type record via 'rndc keydone' ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
+records=`sed -n -e 's/.*TYPE65534.*\(05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001\)$/\1/p' dig.out.ns3.test$n`
+for record in $records
+do
+	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 keydone "${record}" bits || ret=1
+	break;	# We only want to remove 1 record for now.
+done 2>&1 |sed 's/^/I:ns3 /'
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ans=0
+	$DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
+	grep "ANSWER: 2," dig.out.ns3.test$n > /dev/null || ans=1
+	[ $ans = 1 ] || break
+	sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking private type was properly signed ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.6 -p 5300 bits TYPE65534 > dig.out.ns6.test$n
+grep "ANSWER: 2," dig.out.ns6.test$n > /dev/null || ret=1
+grep "flags:.* ad[ ;]" dig.out.ns6.test$n > /dev/null || ret=1
+
+if [ $ret != 0 ]; then echo "I:failed"; fi
+status=`expr $status + $ret`
+
+n=`expr $n + 1`
+echo "I:checking removal of remaining private type record via 'rndc keydone' ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
+records=`sed -n -e 's/.*TYPE65534.*\(05[0-9A-F][0-9A-F][0-9A-F][0-9A-F]0001\)$/\1/p' dig.out.ns3.test$n`
+for record in $records
+do
+	$RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 keydone "${record}" bits || ret=1
+done 2>&1 |sed 's/^/I:ns3 /'
+
+for i in 1 2 3 4 5 6 7 8 9 10
+do
+	ans=0
+	$DIG $DIGOPTS @10.53.0.3 -p 5300 bits TYPE65534 > dig.out.ns3.test$n
+	grep "ANSWER: 0," dig.out.ns3.test$n > /dev/null || ans=1
+	grep "status: NOERROR" dig.out.ns3.test$n > /dev/null || ans=1
+	[ $ans = 1 ] || break
+	sleep 1
+done
+[ $ans = 0 ] || ret=1
+
+if [ $ret != 0 ];