authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 07:24:22 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 07:24:22 +0000
commit45d6379135504814ab723b57f0eb8be23393a51d (patch)
treed4f2ec4acca824a8446387a758b0ce4238a4dffa /bin/tests/system/coverage
parentInitial commit. (diff)
Adding upstream version 1:9.16.44.upstream/1%9.16.44upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--bin/tests/system/coverage/01-ksk-inactive/README10
-rw-r--r--bin/tests/system/coverage/01-ksk-inactive/expect6
-rw-r--r--bin/tests/system/coverage/02-zsk-inactive/README10
-rw-r--r--bin/tests/system/coverage/02-zsk-inactive/expect6
-rw-r--r--bin/tests/system/coverage/03-ksk-unpublished/README10
-rw-r--r--bin/tests/system/coverage/03-ksk-unpublished/expect8
-rw-r--r--bin/tests/system/coverage/04-zsk-unpublished/README10
-rw-r--r--bin/tests/system/coverage/04-zsk-unpublished/expect8
-rw-r--r--bin/tests/system/coverage/05-ksk-unpub-active/README12
-rw-r--r--bin/tests/system/coverage/05-ksk-unpub-active/expect8
-rw-r--r--bin/tests/system/coverage/06-zsk-unpub-active/README12
-rw-r--r--bin/tests/system/coverage/06-zsk-unpub-active/expect8
-rw-r--r--bin/tests/system/coverage/07-ksk-ttl/README4
-rw-r--r--bin/tests/system/coverage/07-ksk-ttl/expect9
-rw-r--r--bin/tests/system/coverage/08-zsk-ttl/README4
-rw-r--r--bin/tests/system/coverage/08-zsk-ttl/expect9
-rw-r--r--bin/tests/system/coverage/09-check-zsk/README6
-rw-r--r--bin/tests/system/coverage/09-check-zsk/expect6
-rw-r--r--bin/tests/system/coverage/10-check-ksk/README7
-rw-r--r--bin/tests/system/coverage/10-check-ksk/expect6
-rw-r--r--bin/tests/system/coverage/11-cutoff/README10
-rw-r--r--bin/tests/system/coverage/11-cutoff/expect6
-rw-r--r--bin/tests/system/coverage/12-ksk-deletion/expect6
-rw-r--r--bin/tests/system/coverage/13-dotted-dotless/expect7
-rw-r--r--bin/tests/system/coverage/clean.sh19
-rw-r--r--bin/tests/system/coverage/setup.sh119
-rw-r--r--bin/tests/system/coverage/tests.sh87
27 files changed, 413 insertions, 0 deletions
diff --git a/bin/tests/system/coverage/01-ksk-inactive/README b/bin/tests/system/coverage/01-ksk-inactive/README
new file mode 100644
index 0000000..8102593
--- /dev/null
+++ b/bin/tests/system/coverage/01-ksk-inactive/README
@@ -0,0 +1,10 @@
+This set includes one KSK rollover. The KSK is deactivated prior to
+its replacement being activated. Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+ERROR: After 2012-31-Jul (20:59:14):
+ Inactive: example.com/007/45435 (KSK)
+No KSK's are active
+
+Checking ZSK events for zone example.com, algorithm 7:
+OK
diff --git a/bin/tests/system/coverage/01-ksk-inactive/expect b/bin/tests/system/coverage/01-ksk-inactive/expect
new file mode 100644
index 0000000..3d342b1
--- /dev/null
+++ b/bin/tests/system/coverage/01-ksk-inactive/expect
@@ -0,0 +1,6 @@
+args="-d 1h -m 2h"
+warn=0
+error=1
+ok=1
+retcode=1
+match="No KSK's are active"
diff --git a/bin/tests/system/coverage/02-zsk-inactive/README b/bin/tests/system/coverage/02-zsk-inactive/README
new file mode 100644
index 0000000..5d3fed1
--- /dev/null
+++ b/bin/tests/system/coverage/02-zsk-inactive/README
@@ -0,0 +1,10 @@
+This set includes one ZSK rollover. The first ZSK is deactivated
+prior to its replacement being activated. Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+OK
+
+Checking ZSK events for zone example.com, algorithm 7:
+ERROR: After 2012-05-Dec (20:39:32):
+ Inactive: example.com/005/08376 (ZSK)
+No ZSK's are active
diff --git a/bin/tests/system/coverage/02-zsk-inactive/expect b/bin/tests/system/coverage/02-zsk-inactive/expect
new file mode 100644
index 0000000..a905b58
--- /dev/null
+++ b/bin/tests/system/coverage/02-zsk-inactive/expect
@@ -0,0 +1,6 @@
+args="-d 1h -m 2h"
+warn=0
+error=1
+ok=1
+retcode=1
+match="No ZSK's are active"
diff --git a/bin/tests/system/coverage/03-ksk-unpublished/README b/bin/tests/system/coverage/03-ksk-unpublished/README
new file mode 100644
index 0000000..7d8a301
--- /dev/null
+++ b/bin/tests/system/coverage/03-ksk-unpublished/README
@@ -0,0 +1,10 @@
+This set contains one KSK rollover. The KSK is unpublished before its
+successor is published. Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+ERROR: After 2012-06-Oct (21:07:57):
+ Delete: example.com/007/23040 (KSK)
+No KSK's are published
+
+Checking ZSK events for zone example.com, algorithm 7:
+OK
diff --git a/bin/tests/system/coverage/03-ksk-unpublished/expect b/bin/tests/system/coverage/03-ksk-unpublished/expect
new file mode 100644
index 0000000..07bbff1
--- /dev/null
+++ b/bin/tests/system/coverage/03-ksk-unpublished/expect
@@ -0,0 +1,8 @@
+args="-d 1h -m 2h"
+warn=1
+error=1
+ok=1
+retcode=1
+match="WARNING: Key .* (KSK) is scheduled for
+deletion before inactivation
+No KSK's are published"
diff --git a/bin/tests/system/coverage/04-zsk-unpublished/README b/bin/tests/system/coverage/04-zsk-unpublished/README
new file mode 100644
index 0000000..5077abf
--- /dev/null
+++ b/bin/tests/system/coverage/04-zsk-unpublished/README
@@ -0,0 +1,10 @@
+This set contains one ZSK rollover. The ZSK is unpublished before its
+successor is published. Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+OK
+
+Checking ZSK events for zone example.com, algorithm 7:
+ERROR: After 2012-06-Oct (21:13:45):
+ Delete: example.com/007/25967 (ZSK)
+No ZSK's are published
diff --git a/bin/tests/system/coverage/04-zsk-unpublished/expect b/bin/tests/system/coverage/04-zsk-unpublished/expect
new file mode 100644
index 0000000..450ec24
--- /dev/null
+++ b/bin/tests/system/coverage/04-zsk-unpublished/expect
@@ -0,0 +1,8 @@
+args="-d 1h -m 2h"
+warn=1
+error=1
+ok=1
+retcode=1
+match="WARNING: Key .* (ZSK) is scheduled for
+deletion before inactivation
+No ZSK's are published"
diff --git a/bin/tests/system/coverage/05-ksk-unpub-active/README b/bin/tests/system/coverage/05-ksk-unpub-active/README
new file mode 100644
index 0000000..119c1b2
--- /dev/null
+++ b/bin/tests/system/coverage/05-ksk-unpub-active/README
@@ -0,0 +1,12 @@
+This set includes one KSK rollover. The first KSK is deleted
+and its successor published prior to the first KSK being deactivated
+and its successor activated. Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+ERROR: After 2012-05-Dec (21:22:19):
+ Delete: example.com/007/06219 (KSK)
+ Publish: example.com/007/20559 (KSK)
+No KSK's are both active and published
+
+Checking ZSK events for zone example.com, algorithm 7:
+OK
diff --git a/bin/tests/system/coverage/05-ksk-unpub-active/expect b/bin/tests/system/coverage/05-ksk-unpub-active/expect
new file mode 100644
index 0000000..2edfa0e
--- /dev/null
+++ b/bin/tests/system/coverage/05-ksk-unpub-active/expect
@@ -0,0 +1,8 @@
+args="-d 1h -m 2h"
+warn=1
+error=1
+ok=1
+retcode=1
+match="WARNING: Key .* (KSK) is scheduled for
+deletion before inactivation
+No KSK's are both active and published"
diff --git a/bin/tests/system/coverage/06-zsk-unpub-active/README b/bin/tests/system/coverage/06-zsk-unpub-active/README
new file mode 100644
index 0000000..84833f8
--- /dev/null
+++ b/bin/tests/system/coverage/06-zsk-unpub-active/README
@@ -0,0 +1,12 @@
+This set includes one KSK rollover. The first KSK is deleted
+and its successor published prior to the first KSK being deactivated
+and its successor activated. Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+OK
+
+Checking ZSK events for zone example.com, algorithm 7:
+ERROR: After 2012-05-Dec (20:44:18):
+ Delete: example.com/007/26369 (ZSK)
+ Publish: example.com/007/21029 (ZSK)
+No ZSK's are both active and published
diff --git a/bin/tests/system/coverage/06-zsk-unpub-active/expect b/bin/tests/system/coverage/06-zsk-unpub-active/expect
new file mode 100644
index 0000000..0ef5b15
--- /dev/null
+++ b/bin/tests/system/coverage/06-zsk-unpub-active/expect
@@ -0,0 +1,8 @@
+args="-d 1h -m 2h"
+warn=1
+error=1
+ok=1
+retcode=1
+match="WARNING: Key .* (ZSK) is scheduled for
+deletion before inactivation
+No ZSK's are both active and published"
diff --git a/bin/tests/system/coverage/07-ksk-ttl/README b/bin/tests/system/coverage/07-ksk-ttl/README
new file mode 100644
index 0000000..2659099
--- /dev/null
+++ b/bin/tests/system/coverage/07-ksk-ttl/README
@@ -0,0 +1,4 @@
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
+
+Expected tool output TBD.
diff --git a/bin/tests/system/coverage/07-ksk-ttl/expect b/bin/tests/system/coverage/07-ksk-ttl/expect
new file mode 100644
index 0000000..eade21a
--- /dev/null
+++ b/bin/tests/system/coverage/07-ksk-ttl/expect
@@ -0,0 +1,9 @@
+args="-d 1w -m 2w"
+warn=1
+error=0
+ok=2
+retcode=0
+match="WARNING: Key .* (KSK) is activated too soon
+after publication
+Activation should be at least 7 days after
+publication."
diff --git a/bin/tests/system/coverage/08-zsk-ttl/README b/bin/tests/system/coverage/08-zsk-ttl/README
new file mode 100644
index 0000000..2659099
--- /dev/null
+++ b/bin/tests/system/coverage/08-zsk-ttl/README
@@ -0,0 +1,4 @@
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
+
+Expected tool output TBD.
diff --git a/bin/tests/system/coverage/08-zsk-ttl/expect b/bin/tests/system/coverage/08-zsk-ttl/expect
new file mode 100644
index 0000000..150c9cd
--- /dev/null
+++ b/bin/tests/system/coverage/08-zsk-ttl/expect
@@ -0,0 +1,9 @@
+args="-d 1w -m 2w"
+warn=1
+error=0
+ok=2
+retcode=0
+match="WARNING: Key .* (ZSK) is activated too soon
+after publication
+Activation should be at least 7 days after
+publication."
diff --git a/bin/tests/system/coverage/09-check-zsk/README b/bin/tests/system/coverage/09-check-zsk/README
new file mode 100644
index 0000000..bc5edc8
--- /dev/null
+++ b/bin/tests/system/coverage/09-check-zsk/README
@@ -0,0 +1,6 @@
+This set includes one KSK rollover. The KSK is deactivated prior to
+its replacement being activated; however, as we are only checking ZSK's,
+we should not detect the error. Tool output should resemble:
+
+Checking ZSK events for zone example.com, algorithm 7:
+OK
diff --git a/bin/tests/system/coverage/09-check-zsk/expect b/bin/tests/system/coverage/09-check-zsk/expect
new file mode 100644
index 0000000..d56c4bf
--- /dev/null
+++ b/bin/tests/system/coverage/09-check-zsk/expect
@@ -0,0 +1,6 @@
+args="-z -d 1h -m 2h"
+warn=0
+error=0
+ok=1
+retcode=0
+match=""
diff --git a/bin/tests/system/coverage/10-check-ksk/README b/bin/tests/system/coverage/10-check-ksk/README
new file mode 100644
index 0000000..948364d
--- /dev/null
+++ b/bin/tests/system/coverage/10-check-ksk/README
@@ -0,0 +1,7 @@
+This set includes one ZSK rollover. The first ZSK is deactivated
+prior to its replacement being activated; however, as we are only
+checking KSKs, we should not detect the error. Tool output should
+resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+OK
diff --git a/bin/tests/system/coverage/10-check-ksk/expect b/bin/tests/system/coverage/10-check-ksk/expect
new file mode 100644
index 0000000..a03d2aa
--- /dev/null
+++ b/bin/tests/system/coverage/10-check-ksk/expect
@@ -0,0 +1,6 @@
+args="-k -d 1h -m 2h"
+warn=0
+error=0
+ok=1
+retcode=0
+match=""
diff --git a/bin/tests/system/coverage/11-cutoff/README b/bin/tests/system/coverage/11-cutoff/README
new file mode 100644
index 0000000..8102593
--- /dev/null
+++ b/bin/tests/system/coverage/11-cutoff/README
@@ -0,0 +1,10 @@
+This set includes one KSK rollover. The KSK is deactivated prior to
+its replacement being activated. Tool output should resemble:
+
+Checking KSK events for zone example.com, algorithm 7:
+ERROR: After 2012-31-Jul (20:59:14):
+ Inactive: example.com/007/45435 (KSK)
+No KSK's are active
+
+Checking ZSK events for zone example.com, algorithm 7:
+OK
diff --git a/bin/tests/system/coverage/11-cutoff/expect b/bin/tests/system/coverage/11-cutoff/expect
new file mode 100644
index 0000000..bdf29d0
--- /dev/null
+++ b/bin/tests/system/coverage/11-cutoff/expect
@@ -0,0 +1,6 @@
+args="-l 1y -d 1h -m 2h"
+warn=0
+error=0
+ok=2
+retcode=0
+match=""
diff --git a/bin/tests/system/coverage/12-ksk-deletion/expect b/bin/tests/system/coverage/12-ksk-deletion/expect
new file mode 100644
index 0000000..898c0bf
--- /dev/null
+++ b/bin/tests/system/coverage/12-ksk-deletion/expect
@@ -0,0 +1,6 @@
+args=
+warn=4
+error=1
+ok=1
+retcode=1
+match=0
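Review bot: `match=0` does not mean "no pattern" here, because tests.sh passes `$match` to `matchall`, which greps each line of it against the tool output. This test's match check therefore only requires that some output line contains the character `0`, which is close to vacuous. If no specific message is meant to be checked, `match=""` as in 09-check-zsk/expect says so explicitly; otherwise a fragment of the early-deletion warning would make the check meaningful. This directory also has no README, unlike tests 01 to 11, so the expected output for the four warnings and one error is not documented anywhere.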
diff --git a/bin/tests/system/coverage/13-dotted-dotless/expect b/bin/tests/system/coverage/13-dotted-dotless/expect
new file mode 100644
index 0000000..5760d29
--- /dev/null
+++ b/bin/tests/system/coverage/13-dotted-dotless/expect
@@ -0,0 +1,7 @@
+args="-z -m2h"
+warn=0
+error=0
+ok=2
+retcode=0
+match=
+zones="one.example. two.example"
diff --git a/bin/tests/system/coverage/clean.sh b/bin/tests/system/coverage/clean.sh
new file mode 100644
index 0000000..5527946
--- /dev/null
+++ b/bin/tests/system/coverage/clean.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f named-compilezone
+rm -f */K*.key
+rm -f */K*.private
+rm -rf coverage.*
+rm -rf dotted-dotless
+rm -f ns*/named.lock
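Review bot: Every `rm` in this script uses a path relative to the current directory, so `rm -f */K*.key` and `rm -f */K*.private` delete DNSSEC key files one level below whatever directory the script is started from. setup.sh invokes it as `$SHELL clean.sh` from the test directory, which is safe as called there, but nothing in the script enforces that. Anchoring first with `cd "$(dirname "$0")" || exit 1` and writing the globs as `./*/K*.key` and `./*/K*.private` would keep the deletion inside the test tree. The `./` prefix also stops a directory name beginning with `-` from being read as an option.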
diff --git a/bin/tests/system/coverage/setup.sh b/bin/tests/system/coverage/setup.sh
new file mode 100644
index 0000000..7de73b8
--- /dev/null
+++ b/bin/tests/system/coverage/setup.sh
@@ -0,0 +1,119 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+$SHELL clean.sh
+
+ln -s $CHECKZONE named-compilezone
+
+# Test 1: KSK goes inactive before successor is active
+dir=01-ksk-inactive
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=$($KEYGEN -q -K $dir -S $ksk1)
+$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+
+# Test 2: ZSK goes inactive before successor is active
+dir=02-zsk-inactive
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=$($KEYGEN -q -K $dir -S $zsk1)
+$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+
+# Test 3: KSK is unpublished before its successor is published
+dir=03-ksk-unpublished
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=$($KEYGEN -q -K $dir -S $ksk1)
+$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+
+# Test 4: ZSK is unpublished before its successor is published
+dir=04-zsk-unpublished
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=$($KEYGEN -q -K $dir -S $zsk1)
+$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+
+# Test 5: KSK deleted and successor published before KSK is deactivated
+# and successor activated.
+dir=05-ksk-unpub-active
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
+ksk2=$($KEYGEN -q -K $dir -S $ksk1)
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+
+# Test 6: ZSK deleted and successor published before ZSK is deactivated
+# and successor activated.
+dir=06-zsk-unpub-active
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
+zsk2=$($KEYGEN -q -K $dir -S $zsk1)
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+
+# Test 7: KSK rolled with insufficient delay after prepublication.
+dir=07-ksk-ttl
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=$($KEYGEN -q -K $dir -S $ksk1)
+# allow only 1 day between publication and activation
+$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+
+# Test 8: ZSK rolled with insufficient delay after prepublication.
+dir=08-zsk-ttl
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=$($KEYGEN -q -K $dir -S $zsk1)
+# allow only 1 day between publication and activation
+$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+
+# Test 9: KSK goes inactive before successor is active, but checking ZSKs
+dir=09-check-zsk
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=$($KEYGEN -q -K $dir -S $ksk1)
+$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+
+# Test 10: ZSK goes inactive before successor is active, but checking KSKs
+dir=10-check-ksk
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=$($KEYGEN -q -K $dir -S $zsk1)
+$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+
+# Test 11: ZSK goes inactive before successor is active, but after cutoff
+dir=11-cutoff
+zsk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com)
+$SETTIME -K $dir -I +18mo -D +2y $zsk1 > /dev/null 2>&1
+zsk2=$($KEYGEN -q -K $dir -S $zsk1)
+$SETTIME -K $dir -I +16mo $zsk1 > /dev/null 2>&1
+ksk1=$($KEYGEN -q -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com)
+
+# Test 12: Too early KSK deletion
+dir=12-ksk-deletion
+ksk1=$($KEYGEN -q -K $dir -f KSK -a 8 -b 2048 -I +40d -D +40d example.com)
+ksk2=$($KEYGEN -q -K $dir -S $ksk1.key example.com)
+
+# Test 13: check names with/without dots at the end
+dir=13-dotted-dotless
+zsk1=$($KEYGEN -q -K $dir -a rsasha256 one.example)
+zsk2=$($KEYGEN -q -K $dir -a rsasha256 two.example)
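Review bot: Fixture generation never checks for failure: every `$SETTIME … > /dev/null 2>&1` discards both the diagnostics and the exit status, and the `$KEYGEN` command substitutions are not checked either. For the directories whose `expect` file wants `error=0` (09-check-zsk, 10-check-ksk, 11-cutoff), a failed `$SETTIME` would presumably leave the keys without the intended timing metadata, and the test could still pass without exercising its scenario. Adding `set -e` after `. $SYSTEMTESTTOP/conf.sh`, or `|| exit 1` on each call, would surface a broken fixture at setup time. The expansions of `$dir`, `$ksk1` and `$CHECKZONE` are unquoted throughout. Tests 12 and 13 hard-code `-a 8` and `-a rsasha256` where the others use `${DEFAULT_ALGORITHM}`, and a comment saying why would help.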
diff --git a/bin/tests/system/coverage/tests.sh b/bin/tests/system/coverage/tests.sh
new file mode 100644
index 0000000..e0da919
--- /dev/null
+++ b/bin/tests/system/coverage/tests.sh
@@ -0,0 +1,87 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+COVERAGE="$COVERAGE -c ./named-compilezone"
+
+status=0
+n=1
+
+matchall () {
+ file=$1
+ echo "$2" | while read matchline; do
+ grep "$matchline" $file > /dev/null 2>&1 || {
+ echo "FAIL"
+ return
+ }
+ done
+}
+
+echo_i "checking for DNSSEC key coverage issues"
+ret=0
+for dir in [0-9][0-9]-*; do
+ ret=0
+ echo_i "$dir"
+ args= warn= error= ok= retcode= match= zones=
+ . $dir/expect
+ $COVERAGE $args -K $dir ${zones:-example.com} > coverage.$n 2>&1
+
+ # check that return code matches expectations
+ found=$?
+ if [ $found -ne $retcode ]; then
+ echo "retcode was $found expected $retcode"
+ ret=1
+ fi
+
+ # check for correct number of errors
+ found=`grep ERROR coverage.$n | wc -l`
+ if [ $found -ne $error ]; then
+ echo "error count was $found expected $error"
+ ret=1
+ fi
+
+ # check for correct number of warnings
+ found=`grep WARNING coverage.$n | wc -l`
+ if [ $found -ne $warn ]; then
+ echo "warning count was $found expected $warn"
+ ret=1
+ fi
+
+ # check for correct number of OKs
+ found=`grep "No errors found" coverage.$n | wc -l`
+ if [ $found -ne $ok ]; then
+ echo "good count was $found expected $ok"
+ ret=1
+ fi
+
+ found=`matchall coverage.$n "$match"`
+ if [ "$found" = "FAIL" ]; then
+ echo "no match on '$match'"
+ ret=1
+ fi
+
+ found=`grep Traceback coverage.$n | wc -l`
+ if [ $found -ne 0 ]; then
+ echo "python exception detected"
+ ret=1
+ fi
+
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+done
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
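Review bot: The count comparisons in the loop, such as `[ $found -ne $retcode ]`, expand the expectation unquoted after `args= warn= error= ok= retcode= match= zones=` has reset it to empty. An `expect` file that omits `retcode`, `warn`, `error` or `ok` therefore makes `[` fail with a usage error, the `if` body is skipped, and that check silently passes. Failing fast right after `. $dir/expect`, e.g. `: "${retcode:?missing in $dir/expect}"` and likewise for the other three, would turn an incomplete expectation into a visible failure. Note also that `. $dir/expect` executes each file as shell, so these files deserve review as code rather than data. In `matchall`, `read -r matchline` and `grep -e "$matchline" "$file"` would keep backslashes and a leading `-` in a pattern from being misread.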