mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-05 17:15:31 +00:00
Code Issues Releases Wiki Activity
Files
42b034460f176dae018a6290b5dc186617611b09
bind/bin/tests/system/rollover/tests_rollover_manual.py

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

158 lines
6.2 KiB
Python
Raw Normal View History

Move rollover test cases to separate test dir In order to keep the kasp system test somewhat approachable, let's move all rollover scenarios to its own test directory. Starting with the manual rollover test cases. A new test function is added to 'isctest.kasp', to verify that the relationship metadata (Predecessor, Successor) is set correctly. The configuration and setup for the zone 'manual-rollover.kasp' are almost copied verbatim, the only exception is the keytimes. Similar to the test kasp cases, we no longer set "SyncPublish/PublishCDS" in the setup script. In addition to that, the offset is changed from one day ago to one week ago, so that the key states match the timing metadata (one day is too short to move a key from "hidden" to "omnipresent").
2025-02-28 15:52:20 +01:00
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
from datetime import timedelta
Isolate rollover-multisigner test case
2025-06-11 16:33:53 +02:00
import os
Move rollover test cases to separate test dir In order to keep the kasp system test somewhat approachable, let's move all rollover scenarios to its own test directory. Starting with the manual rollover test cases. A new test function is added to 'isctest.kasp', to verify that the relationship metadata (Predecessor, Successor) is set correctly. The configuration and setup for the zone 'manual-rollover.kasp' are almost copied verbatim, the only exception is the keytimes. Similar to the test kasp cases, we no longer set "SyncPublish/PublishCDS" in the setup script. In addition to that, the offset is changed from one day ago to one week ago, so that the key states match the timing metadata (one day is too short to move a key from "hidden" to "omnipresent").
2025-02-28 15:52:20 +01:00
import isctest
Clean up rollover test case
2025-06-11 16:35:03 +02:00
from isctest.kasp import KeyTimingMetadata, Ipub, Iret
Move rollover test cases to separate test dir In order to keep the kasp system test somewhat approachable, let's move all rollover scenarios to its own test directory. Starting with the manual rollover test cases. A new test function is added to 'isctest.kasp', to verify that the relationship metadata (Predecessor, Successor) is set correctly. The configuration and setup for the zone 'manual-rollover.kasp' are almost copied verbatim, the only exception is the keytimes. Similar to the test kasp cases, we no longer set "SyncPublish/PublishCDS" in the setup script. In addition to that, the offset is changed from one day ago to one week ago, so that the key states match the timing metadata (one day is too short to move a key from "hidden" to "omnipresent").
2025-02-28 15:52:20 +01:00
Clean up rollover test case
2025-06-11 16:35:03 +02:00
from common import pytestmark # pylint: disable=unused-import
Move rollover test cases to separate test dir In order to keep the kasp system test somewhat approachable, let's move all rollover scenarios to its own test directory. Starting with the manual rollover test cases. A new test function is added to 'isctest.kasp', to verify that the relationship metadata (Predecessor, Successor) is set correctly. The configuration and setup for the zone 'manual-rollover.kasp' are almost copied verbatim, the only exception is the keytimes. Similar to the test kasp cases, we no longer set "SyncPublish/PublishCDS" in the setup script. In addition to that, the offset is changed from one day ago to one week ago, so that the key states match the timing metadata (one day is too short to move a key from "hidden" to "omnipresent").
2025-02-28 15:52:20 +01:00
def test_rollover_manual(servers):
server = servers["ns3"]
policy = "manual-rollover"
config = {
"dnskey-ttl": timedelta(hours=1),
"ds-ttl": timedelta(days=1),
"max-zone-ttl": timedelta(days=1),
"parent-propagation-delay": timedelta(hours=1),
"publish-safety": timedelta(hours=1),
"retire-safety": timedelta(hours=1),
"signatures-refresh": timedelta(days=7),
"signatures-validity": timedelta(days=14),
"zone-propagation-delay": timedelta(minutes=5),
}
ttl = int(config["dnskey-ttl"].total_seconds())
alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
size = os.environ["DEFAULT_BITS"]
zone = "manual-rollover.kasp"
Convert csk rollover test cases to pytest Move the 'csk-roll1' and 'csk-roll2' zones to the rollover test dir and convert CSK rollover tests to pytest. The DS swap spans multiple steps. Only the first time we should check if the "CDS is now published" log is there, and only the first time we should run 'rndc dnssec -checkds' on the keys. Add a new key to the step dictionary to disable the DS swap checks. This made me realize that we need to check for "is not None" in case the value in the dictionary is False. Update check_rollover_step() accordingly, and also add a log message which step/zone we are currently checking.
2025-03-19 10:10:13 +01:00
unstable rollover/tests_rollover.py::test_rollover_manual The state files need to be written before trying to identify zsk/ksk keys. Wait for "keymgr: manual-rollover.kasp done" to appear in named.run first.
2025-06-17 14:32:49 +10:00
with server.watch_log_from_start() as watcher:
watcher.wait_for_line(f"keymgr: {zone} done")
Convert csk rollover test cases to pytest Move the 'csk-roll1' and 'csk-roll2' zones to the rollover test dir and convert CSK rollover tests to pytest. The DS swap spans multiple steps. Only the first time we should check if the "CDS is now published" log is there, and only the first time we should run 'rndc dnssec -checkds' on the keys. Add a new key to the step dictionary to disable the DS swap checks. This made me realize that we need to check for "is not None" in case the value in the dictionary is False. Update check_rollover_step() accordingly, and also add a log message which step/zone we are currently checking.
2025-03-19 10:10:13 +01:00
isctest.kasp.check_dnssec_verify(server, zone)
Move rollover test cases to separate test dir In order to keep the kasp system test somewhat approachable, let's move all rollover scenarios to its own test directory. Starting with the manual rollover test cases. A new test function is added to 'isctest.kasp', to verify that the relationship metadata (Predecessor, Successor) is set correctly. The configuration and setup for the zone 'manual-rollover.kasp' are almost copied verbatim, the only exception is the keytimes. Similar to the test kasp cases, we no longer set "SyncPublish/PublishCDS" in the setup script. In addition to that, the offset is changed from one day ago to one week ago, so that the key states match the timing metadata (one day is too short to move a key from "hidden" to "omnipresent").
2025-02-28 15:52:20 +01:00
key_properties = [
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
]
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
ksks = [k for k in keys if k.is_ksk()]
zsks = [k for k in keys if not k.is_ksk()]
isctest.kasp.check_keys(zone, keys, expected)
offset = -timedelta(days=7)
for kp in expected:
kp.set_expected_keytimes(config, offset=offset)
isctest.kasp.check_keytimes(keys, expected)
isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy)
isctest.kasp.check_apex(server, zone, ksks, zsks)
isctest.kasp.check_subdomain(server, zone, ksks, zsks)
# Schedule KSK rollover in six months.
assert len(ksks) == 1
ksk = ksks[0]
startroll = expected[0].timing["Active"] + timedelta(days=30 * 6)
expected[0].timing["Retired"] = startroll + Ipub(config)
expected[0].timing["Removed"] = expected[0].timing["Retired"] + Iret(
config, zsk=False, ksk=True
)
with server.watch_log_from_here() as watcher:
server.rndc(f"dnssec -rollover -key {ksk.tag} -when {startroll} {zone}")
watcher.wait_for_line(f"keymgr: {zone} done")
Convert csk rollover test cases to pytest Move the 'csk-roll1' and 'csk-roll2' zones to the rollover test dir and convert CSK rollover tests to pytest. The DS swap spans multiple steps. Only the first time we should check if the "CDS is now published" log is there, and only the first time we should run 'rndc dnssec -checkds' on the keys. Add a new key to the step dictionary to disable the DS swap checks. This made me realize that we need to check for "is not None" in case the value in the dictionary is False. Update check_rollover_step() accordingly, and also add a log message which step/zone we are currently checking.
2025-03-19 10:10:13 +01:00
isctest.kasp.check_dnssec_verify(server, zone)
Move rollover test cases to separate test dir In order to keep the kasp system test somewhat approachable, let's move all rollover scenarios to its own test directory. Starting with the manual rollover test cases. A new test function is added to 'isctest.kasp', to verify that the relationship metadata (Predecessor, Successor) is set correctly. The configuration and setup for the zone 'manual-rollover.kasp' are almost copied verbatim, the only exception is the keytimes. Similar to the test kasp cases, we no longer set "SyncPublish/PublishCDS" in the setup script. In addition to that, the offset is changed from one day ago to one week ago, so that the key states match the timing metadata (one day is too short to move a key from "hidden" to "omnipresent").
2025-02-28 15:52:20 +01:00
isctest.kasp.check_keys(zone, keys, expected)
isctest.kasp.check_keytimes(keys, expected)
isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy)
isctest.kasp.check_apex(server, zone, ksks, zsks)
isctest.kasp.check_subdomain(server, zone, ksks, zsks)
# Schedule KSK rollover now.
now = KeyTimingMetadata.now()
with server.watch_log_from_here() as watcher:
server.rndc(f"dnssec -rollover -key {ksk.tag} -when {now} {zone}")
watcher.wait_for_line(f"keymgr: {zone} done")
Convert csk rollover test cases to pytest Move the 'csk-roll1' and 'csk-roll2' zones to the rollover test dir and convert CSK rollover tests to pytest. The DS swap spans multiple steps. Only the first time we should check if the "CDS is now published" log is there, and only the first time we should run 'rndc dnssec -checkds' on the keys. Add a new key to the step dictionary to disable the DS swap checks. This made me realize that we need to check for "is not None" in case the value in the dictionary is False. Update check_rollover_step() accordingly, and also add a log message which step/zone we are currently checking.
2025-03-19 10:10:13 +01:00
isctest.kasp.check_dnssec_verify(server, zone)
Move rollover test cases to separate test dir In order to keep the kasp system test somewhat approachable, let's move all rollover scenarios to its own test directory. Starting with the manual rollover test cases. A new test function is added to 'isctest.kasp', to verify that the relationship metadata (Predecessor, Successor) is set correctly. The configuration and setup for the zone 'manual-rollover.kasp' are almost copied verbatim, the only exception is the keytimes. Similar to the test kasp cases, we no longer set "SyncPublish/PublishCDS" in the setup script. In addition to that, the offset is changed from one day ago to one week ago, so that the key states match the timing metadata (one day is too short to move a key from "hidden" to "omnipresent").
2025-02-28 15:52:20 +01:00
key_properties = [
f"ksk unlimited {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
]
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
ksks = [k for k in keys if k.is_ksk()]
zsks = [k for k in keys if not k.is_ksk()]
isctest.kasp.check_keys(zone, keys, expected)
expected[0].metadata["Successor"] = expected[1].key.tag
expected[1].metadata["Predecessor"] = expected[0].key.tag
isctest.kasp.check_keyrelationships(keys, expected)
for kp in expected:
off = offset
if "Predecessor" in kp.metadata:
off = 0
kp.set_expected_keytimes(config, offset=off)
expected[0].timing["Retired"] = now + Ipub(config)
expected[0].timing["Removed"] = expected[0].timing["Retired"] + Iret(
config, zsk=False, ksk=True
)
isctest.kasp.check_keytimes(keys, expected)
isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy)
isctest.kasp.check_apex(server, zone, ksks, zsks)
isctest.kasp.check_subdomain(server, zone, ksks, zsks)
# Schedule ZSK rollover now.
assert len(zsks) == 1
zsk = zsks[0]
now = KeyTimingMetadata.now()
with server.watch_log_from_here() as watcher:
server.rndc(f"dnssec -rollover -key {zsk.tag} -when {now} {zone}")
watcher.wait_for_line(f"keymgr: {zone} done")
Convert csk rollover test cases to pytest Move the 'csk-roll1' and 'csk-roll2' zones to the rollover test dir and convert CSK rollover tests to pytest. The DS swap spans multiple steps. Only the first time we should check if the "CDS is now published" log is there, and only the first time we should run 'rndc dnssec -checkds' on the keys. Add a new key to the step dictionary to disable the DS swap checks. This made me realize that we need to check for "is not None" in case the value in the dictionary is False. Update check_rollover_step() accordingly, and also add a log message which step/zone we are currently checking.
2025-03-19 10:10:13 +01:00
isctest.kasp.check_dnssec_verify(server, zone)
Move rollover test cases to separate test dir In order to keep the kasp system test somewhat approachable, let's move all rollover scenarios to its own test directory. Starting with the manual rollover test cases. A new test function is added to 'isctest.kasp', to verify that the relationship metadata (Predecessor, Successor) is set correctly. The configuration and setup for the zone 'manual-rollover.kasp' are almost copied verbatim, the only exception is the keytimes. Similar to the test kasp cases, we no longer set "SyncPublish/PublishCDS" in the setup script. In addition to that, the offset is changed from one day ago to one week ago, so that the key states match the timing metadata (one day is too short to move a key from "hidden" to "omnipresent").
2025-02-28 15:52:20 +01:00
key_properties = [
f"ksk unlimited {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
f"zsk unlimited {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden",
]
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
ksks = [k for k in keys if k.is_ksk()]
zsks = [k for k in keys if not k.is_ksk()]
isctest.kasp.check_keys(zone, keys, expected)
expected[0].metadata["Successor"] = expected[1].key.tag
expected[1].metadata["Predecessor"] = expected[0].key.tag
expected[2].metadata["Successor"] = expected[3].key.tag
expected[3].metadata["Predecessor"] = expected[2].key.tag
isctest.kasp.check_keyrelationships(keys, expected)
# Try to schedule a ZSK rollover for an inactive key (should fail).
zsk = expected[3].key
response = server.rndc(f"dnssec -rollover -key {zsk.tag} {zone}")
assert "key is not actively signing" in response
Reference in New Issue Copy Permalink