From 43d028eeb4192262cec577e84c70c3b92c19dc51 Mon Sep 17 00:00:00 2001 From: Libor Peltan Date: Thu, 10 Dec 2020 14:31:02 +0100 Subject: [PATCH] zone backup: dont fail when public-only key is there --- src/knot/zone/backup.c | 9 +++++---- tests-extra/tests/zone/backup/test.py | 13 +++++++++++-- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/src/knot/zone/backup.c b/src/knot/zone/backup.c index 934dc7b63..427a49e19 100644 --- a/src/knot/zone/backup.c +++ b/src/knot/zone/backup.c @@ -190,7 +190,7 @@ static conf_val_t get_zone_policy(conf_t *conf, const knot_dname_t *zone) return policy; } -#define LOG_FAIL(action) log_zone_warning(zone->name, "%s, %s failed (%s)\n", ctx->restore_mode ? "restore" : "backup", (action), knot_strerror(ret)) +#define LOG_FAIL(action) log_zone_warning(zone->name, "%s, %s failed (%s)", ctx->restore_mode ? "restore" : "backup", (action), knot_strerror(ret)) static int backup_keystore(conf_t *conf, zone_t *zone, zone_backup_ctx_t *ctx) { @@ -230,9 +230,10 @@ static int backup_keystore(conf_t *conf, zone_t *zone, zone_backup_ctx_t *ctx) } ptrnode_t *n; WALK_LIST(n, key_params) { - if (ret == KNOT_EOK) { - ret = backup_key(n->d, from, to); - free_key_params(n->d); + key_params_t *parm = n->d; + if (ret == KNOT_EOK && !parm->is_pub_only) { + ret = backup_key(parm, from, to); + free_key_params(parm); } } if (ret != KNOT_EOK) { diff --git a/tests-extra/tests/zone/backup/test.py b/tests-extra/tests/zone/backup/test.py index af3bb1aa3..b415de9d7 100644 --- a/tests-extra/tests/zone/backup/test.py +++ b/tests-extra/tests/zone/backup/test.py @@ -5,6 +5,7 @@ from dnstest.test import Test from dnstest.module import ModOnlineSign from dnstest.utils import * +from dnstest.keys import Keymgr import shutil import random 
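Review bot: In the second hunk of backup_keystore(), `free_key_params(parm);` stays inside the `if`, so a key skipped by the new `!parm->is_pub_only` test is never handed to free_key_params(); the same was already true for every key after the first failure. Unless the entries are released by code after the loop, which lies outside the hunk, this leaks per-key data on each backup of a zone holding a public-only key. Keeping only `ret = backup_key(parm, from, to);` inside the condition and calling `free_key_params(parm);` unconditionally at the end of the loop body preserves the skip and frees every entry. A short comment on the condition, for example `/* public-only keys are not copied from the keystore */`, would record the intent; the exact reason is not visible here and should be confirmed.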
@@ -28,8 +29,10 @@ t.link(zones, master, slave) for z in zones: if random.choice([True, False]): master.dnssec(z).enable = True + master.dnssec(z).algorithm = "ECDSAP256SHA256" + master.dnssec(z).single_type_signing = False else: - master.add_module(z, ModOnlineSign()) + master.add_module(z, ModOnlineSign(algorithm="ECDSAP256SHA256")) slave.zones[z.name].journal_content = "all" slave.zonefile_load = "none" @@ -40,9 +43,15 @@ zone0_expire = 45 # zone zones[0] expiration time in its SOA valgrind_delay = 2 if slave.valgrind else 0 # allow a little time margin under Valgrind t.start() -slave.zones_wait(zones) +serials_init = slave.zones_wait(zones) start_time = int(t.uptime()) +for z in zones: + if master.dnssec(z).enable: + Keymgr.run_check(master.confile, z.name, "import-pub", "%s/%skey" % (t.data_dir, z.name)) + master.ctl("zone-sign " + z.name) + slave.zone_wait(z, serials_init[z.name]) + master.ctl("zone-backup +backupdir %s" % backup_dir) slave.ctl("zone-backup %s %s +journal +backupdir %s +nozonefile" % \ (zones[0].name, zones[1].name, slave_bck_dir))
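Review bot: The two new settings under `master.dnssec(z).enable = True` and the `algorithm=` argument to `ModOnlineSign` pin ECDSAP256SHA256 without saying why. Presumably the algorithm has to match the public key file that the test imports later with `import-pub`, but nothing on these lines states that, so a later change to the fixture or to the defaults could break the test silently. A comment such as `# algorithm must match the pre-generated public key imported below (confirm)` above the assignments would record the reason, and a similar one would explain why `single_type_signing` is forced to `False`.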
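Review bot: The new `for z in zones:` loop imports a public-only key only for zones where `master.dnssec(z).enable` is set, and that flag comes from `random.choice([True, False])` earlier in the file. When every zone lands on the online-sign branch the loop body never runs, so the run passes without exercising the public-only key path that this commit fixes. Forcing at least one zone onto the DNSSEC branch, for example `if z == zones[0] or random.choice([True, False]):` in the selection loop, would make the regression check deterministic; whether `zones[0]` is a suitable choice depends on test code outside the hunk. The key file path `"%s/%skey" % (t.data_dir, z.name)` also seems to rely on `z.name` ending with a dot, which deserves a brief comment.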