mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-22 10:10:06 +00:00
Code Issues Releases Wiki Activity
bind/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

325 lines
12 KiB
Python
Raw Normal View History

Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# pylint: disable=redefined-outer-name,unused-import
import pytest
import isctest
from isctest.kasp import KeyTimingMetadata
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
from isctest.util import param
Use full path for shared test code imports in rollover tests Previously, symlinks and relative directory imports were used in test modules. This caused a name clash when a shared code module "common.py" was introduced for a different test. To avoid the issue, use full paths in imports.
2025-08-04 16:30:41 +02:00
from rollover.common import (
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
pytestmark,
alg,
size,
CDSS,
ALGOROLL_CONFIG,
ALGOROLL_IPUB,
ALGOROLL_IPUBC,
ALGOROLL_IRET,
ALGOROLL_IRETKSK,
ALGOROLL_KEYTTLPROP,
ALGOROLL_OFFSETS,
ALGOROLL_OFFVAL,
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
DURATION,
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
TIMEDELTA,
)
CONFIG = ALGOROLL_CONFIG
POLICY = "csk-algoroll"
TIME_PASSED = 0 # set in reconfigure() fixture
@pytest.fixture(scope="module", autouse=True)
Add nsX fixtures to system tests Many of our test cases only use a single NamedInstance from the `servers` fixture. Introduce `nsX` helper fixtures to simplify these tests and reduce boilterplate code further. Specifically, the test no longer has to either define its own variable to extract a single server from the list, or use the longer servers["nsX"] syntax. While this may seem minor, the amount of times it is repeated across the tests justifies the change. It also promotes using more explicit server identification, i.e. `nsX`, rather than generic `server`. This also improves the clarity of the tests and may be helpful in traceback during debugging as well.
2025-07-08 15:26:09 +02:00
def reconfigure(ns6, templates):
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
global TIME_PASSED # pylint: disable=global-statement
Add wait_for_keymgr_done() util function to tests The kasp test cases assume that keymgr operations on the zone under test have been completed before the test is executed. These are typically quite fast, but the logs need to be explicitly checked for the messages, otherwise there's a possibility of race conditions causing the kasp/rollover tests to become unstable. Call the wait function in all the kasp/rollover tests where it is expected (which is generally in each test, unless we're dealing with unsigned zones).
2025-07-08 13:46:01 +02:00
isctest.kasp.wait_keymgr_done(ns6, "step1.csk-algorithm-roll.kasp")
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
templates.render("ns6/named.conf", {"csk_roll": True})
Add wait_for_keymgr_done() util function to tests The kasp test cases assume that keymgr operations on the zone under test have been completed before the test is executed. These are typically quite fast, but the logs need to be explicitly checked for the messages, otherwise there's a possibility of race conditions causing the kasp/rollover tests to become unstable. Call the wait function in all the kasp/rollover tests where it is expected (which is generally in each test, unless we're dealing with unsigned zones).
2025-07-08 13:46:01 +02:00
start_time = KeyTimingMetadata.now()
Add nsX fixtures to system tests Many of our test cases only use a single NamedInstance from the `servers` fixture. Introduce `nsX` helper fixtures to simplify these tests and reduce boilterplate code further. Specifically, the test no longer has to either define its own variable to extract a single server from the list, or use the longer servers["nsX"] syntax. While this may seem minor, the amount of times it is repeated across the tests justifies the change. It also promotes using more explicit server identification, i.e. `nsX`, rather than generic `server`. This also improves the clarity of the tests and may be helpful in traceback during debugging as well.
2025-07-08 15:26:09 +02:00
ns6.reconfigure()
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
# Calculate time passed to correctly check for next key events.
TIME_PASSED = KeyTimingMetadata.now().value - start_time.value
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
@pytest.mark.parametrize(
"tld",
[
param("kasp"),
param("manual"),
],
)
def test_algoroll_csk_reconfig_step1(tld, ns6, alg, size):
zone = f"step1.csk-algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
Add wait_for_keymgr_done() util function to tests The kasp test cases assume that keymgr operations on the zone under test have been completed before the test is executed. These are typically quite fast, but the logs need to be explicitly checked for the messages, otherwise there's a possibility of race conditions causing the kasp/rollover tests to become unstable. Call the wait function in all the kasp/rollover tests where it is expected (which is generally in each test, unless we're dealing with unsigned zones).
2025-07-08 13:46:01 +02:00
isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
if tld == "manual":
# Same as initial.
step = {
"zone": zone,
"cdss": CDSS,
"keyprops": [
f"csk 0 8 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P7D']}",
],
"manual-mode": True,
"nextev": None,
}
keys = isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step)
# Check logs.
tag = keys[0].key.tag
msg1 = f"keymgr-manual-mode: block retire DNSKEY {zone}/RSASHA256/{tag} (CSK)"
msg2 = f"keymgr-manual-mode: block new key generation for zone {zone} (policy {policy})"
ns6.log.expect(msg1)
ns6.log.expect(msg2)
# Force step.
with ns6.watch_log_from_here() as watcher:
ns6.rndc(f"dnssec -step {zone}")
watcher.wait_for_line(f"keymgr: {zone} done")
# Check state after step.
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
step = {
Add wait_for_keymgr_done() util function to tests The kasp test cases assume that keymgr operations on the zone under test have been completed before the test is executed. These are typically quite fast, but the logs need to be explicitly checked for the messages, otherwise there's a possibility of race conditions causing the kasp/rollover tests to become unstable. Call the wait function in all the kasp/rollover tests where it is expected (which is generally in each test, unless we're dealing with unsigned zones).
2025-07-08 13:46:01 +02:00
"zone": zone,
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
"cdss": CDSS,
"keyprops": [
# The RSASHA keys are outroducing.
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
# The ECDSAP256SHA256 keys are introducing.
f"csk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
# Next key event is when the ecdsa256 keys have been propagated.
"nextev": ALGOROLL_IPUB,
}
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step)
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
@pytest.mark.parametrize(
"tld",
[
param("kasp"),
param("manual"),
],
)
def test_algoroll_csk_reconfig_step2(tld, ns6, alg, size):
zone = f"step2.csk-algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
Add wait_for_keymgr_done() util function to tests The kasp test cases assume that keymgr operations on the zone under test have been completed before the test is executed. These are typically quite fast, but the logs need to be explicitly checked for the messages, otherwise there's a possibility of race conditions causing the kasp/rollover tests to become unstable. Call the wait function in all the kasp/rollover tests where it is expected (which is generally in each test, unless we're dealing with unsigned zones).
2025-07-08 13:46:01 +02:00
isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
# manual-mode: Nothing changing in the zone, no 'dnssec -step' required.
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
step = {
Add wait_for_keymgr_done() util function to tests The kasp test cases assume that keymgr operations on the zone under test have been completed before the test is executed. These are typically quite fast, but the logs need to be explicitly checked for the messages, otherwise there's a possibility of race conditions causing the kasp/rollover tests to become unstable. Call the wait function in all the kasp/rollover tests where it is expected (which is generally in each test, unless we're dealing with unsigned zones).
2025-07-08 13:46:01 +02:00
"zone": zone,
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
"cdss": CDSS,
"keyprops": [
# The RSASHA keys are outroducing, but need to stay present
# until the new algorithm chain of trust has been established.
# Thus the expected key states of these keys stay the same.
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is
# omnipresent, but the zone signatures are not.
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{ALGOROLL_OFFSETS['step2']}",
],
# Next key event is when all zone signatures are signed with the
# new algorithm. This is the child publication interval, minus
# the publication interval has already passed. Also, prevent
# intermittent false positives on slow platforms by subtracting
# the time passed between key creation and invoking 'rndc reconfig'.
"nextev": ALGOROLL_IPUBC - ALGOROLL_IPUB - TIME_PASSED,
}
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step)
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
@pytest.mark.parametrize(
"tld",
[
param("kasp"),
param("manual"),
],
)
def test_algoroll_csk_reconfig_step3(tld, ns6, alg, size):
zone = f"step3.csk-algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
Add wait_for_keymgr_done() util function to tests The kasp test cases assume that keymgr operations on the zone under test have been completed before the test is executed. These are typically quite fast, but the logs need to be explicitly checked for the messages, otherwise there's a possibility of race conditions causing the kasp/rollover tests to become unstable. Call the wait function in all the kasp/rollover tests where it is expected (which is generally in each test, unless we're dealing with unsigned zones).
2025-07-08 13:46:01 +02:00
isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
if tld == "manual":
# Same as step 2, but the zone signatures have become OMNIPRESENT.
step = {
"zone": zone,
"cdss": CDSS,
"keyprops": [
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFSETS['step3']}",
],
"manual-mode": True,
"nextev": None,
}
keys = isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step)
# Check logs.
tag = keys[1].key.tag
msg = f"keymgr-manual-mode: block transition CSK {zone}/ECDSAP256SHA256/{tag} type DS state HIDDEN to state RUMOURED"
ns6.log.expect(msg)
# Force step.
with ns6.watch_log_from_here() as watcher:
ns6.rndc(f"dnssec -step {zone}")
watcher.wait_for_line(f"keymgr: {zone} done")
# Check logs.
tag = keys[0].key.tag
msg = f"keymgr-manual-mode: block transition CSK {zone}/RSASHA256/{tag} type DS state OMNIPRESENT to state UNRETENTIVE"
if msg in ns6.log:
# Force step.
isctest.log.debug(
f"keymgr-manual-mode blocking transition CSK {zone}/RSASHA256/{tag} type DS state OMNIPRESENT to state UNRETENTIVE, step again"
)
with ns6.watch_log_from_here() as watcher:
ns6.rndc(f"dnssec -step {zone}")
watcher.wait_for_line(f"keymgr: {zone} done")
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
step = {
Add wait_for_keymgr_done() util function to tests The kasp test cases assume that keymgr operations on the zone under test have been completed before the test is executed. These are typically quite fast, but the logs need to be explicitly checked for the messages, otherwise there's a possibility of race conditions causing the kasp/rollover tests to become unstable. Call the wait function in all the kasp/rollover tests where it is expected (which is generally in each test, unless we're dealing with unsigned zones).
2025-07-08 13:46:01 +02:00
"zone": zone,
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
"cdss": CDSS,
"keyprops": [
# The DS can be swapped.
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:unretentive offset:{ALGOROLL_OFFVAL}",
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{ALGOROLL_OFFSETS['step3']}",
],
# Next key event is when the DS becomes OMNIPRESENT. This happens
# after the publication interval of the parent side.
"nextev": ALGOROLL_IRETKSK - TIME_PASSED,
}
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step)
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
@pytest.mark.parametrize(
"tld",
[
param("kasp"),
param("manual"),
],
)
def test_algoroll_csk_reconfig_step4(tld, ns6, alg, size):
zone = f"step4.csk-algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
Add wait_for_keymgr_done() util function to tests The kasp test cases assume that keymgr operations on the zone under test have been completed before the test is executed. These are typically quite fast, but the logs need to be explicitly checked for the messages, otherwise there's a possibility of race conditions causing the kasp/rollover tests to become unstable. Call the wait function in all the kasp/rollover tests where it is expected (which is generally in each test, unless we're dealing with unsigned zones).
2025-07-08 13:46:01 +02:00
isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
if tld == "manual":
# Same as step 3, but the DS has become HIDDEN/OMNIPRESENT.
step = {
"zone": zone,
"cdss": CDSS,
"keyprops": [
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFVAL}",
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
],
"manual-mode": True,
"nextev": None,
}
keys = isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step)
# Check logs.
tag = keys[0].key.tag
msg = f"keymgr-manual-mode: block transition CSK {zone}/RSASHA256/{tag} type DNSKEY state OMNIPRESENT to state UNRETENTIVE"
ns6.log.expect(msg)
# Force step.
with ns6.watch_log_from_here() as watcher:
ns6.rndc(f"dnssec -step {zone}")
watcher.wait_for_line(f"keymgr: {zone} done")
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
step = {
Add wait_for_keymgr_done() util function to tests The kasp test cases assume that keymgr operations on the zone under test have been completed before the test is executed. These are typically quite fast, but the logs need to be explicitly checked for the messages, otherwise there's a possibility of race conditions causing the kasp/rollover tests to become unstable. Call the wait function in all the kasp/rollover tests where it is expected (which is generally in each test, unless we're dealing with unsigned zones).
2025-07-08 13:46:01 +02:00
"zone": zone,
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
"cdss": CDSS,
"keyprops": [
# The old DS is HIDDEN, we can remove the old algorithm records.
f"csk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}",
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
],
# Next key event is when the old DNSKEY becomes HIDDEN.
# This happens after the DNSKEY TTL plus zone propagation delay.
"nextev": ALGOROLL_KEYTTLPROP,
}
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step)
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
@pytest.mark.parametrize(
"tld",
[
param("kasp"),
param("manual"),
],
)
def test_algoroll_csk_reconfig_step5(tld, ns6, alg, size):
zone = f"step5.csk-algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
Add wait_for_keymgr_done() util function to tests The kasp test cases assume that keymgr operations on the zone under test have been completed before the test is executed. These are typically quite fast, but the logs need to be explicitly checked for the messages, otherwise there's a possibility of race conditions causing the kasp/rollover tests to become unstable. Call the wait function in all the kasp/rollover tests where it is expected (which is generally in each test, unless we're dealing with unsigned zones).
2025-07-08 13:46:01 +02:00
isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
# manual-mode: Nothing changing in the zone, no 'dnssec -step' required.
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
step = {
Add wait_for_keymgr_done() util function to tests The kasp test cases assume that keymgr operations on the zone under test have been completed before the test is executed. These are typically quite fast, but the logs need to be explicitly checked for the messages, otherwise there's a possibility of race conditions causing the kasp/rollover tests to become unstable. Call the wait function in all the kasp/rollover tests where it is expected (which is generally in each test, unless we're dealing with unsigned zones).
2025-07-08 13:46:01 +02:00
"zone": zone,
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
"cdss": CDSS,
"keyprops": [
# The DNSKEY becomes HIDDEN.
f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}",
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
],
# Next key event is when the RSASHA signatures become HIDDEN.
# This happens after the max-zone-ttl plus zone propagation delay
# minus the time already passed since the UNRETENTIVE state has
# been reached. Prevent intermittent false positives on slow
# platforms by subtracting the number of seconds which passed
# between key creation and invoking 'rndc reconfig'.
"nextev": ALGOROLL_IRET - ALGOROLL_IRETKSK - ALGOROLL_KEYTTLPROP - TIME_PASSED,
}
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step)
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
@pytest.mark.parametrize(
"tld",
[
param("kasp"),
param("manual"),
],
)
def test_algoroll_csk_reconfig_step6(tld, ns6, alg, size):
zone = f"step6.csk-algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
Add wait_for_keymgr_done() util function to tests The kasp test cases assume that keymgr operations on the zone under test have been completed before the test is executed. These are typically quite fast, but the logs need to be explicitly checked for the messages, otherwise there's a possibility of race conditions causing the kasp/rollover tests to become unstable. Call the wait function in all the kasp/rollover tests where it is expected (which is generally in each test, unless we're dealing with unsigned zones).
2025-07-08 13:46:01 +02:00
isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
# manual-mode: Nothing changing in the zone, no 'dnssec -step' required.
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
step = {
Add wait_for_keymgr_done() util function to tests The kasp test cases assume that keymgr operations on the zone under test have been completed before the test is executed. These are typically quite fast, but the logs need to be explicitly checked for the messages, otherwise there's a possibility of race conditions causing the kasp/rollover tests to become unstable. Call the wait function in all the kasp/rollover tests where it is expected (which is generally in each test, unless we're dealing with unsigned zones).
2025-07-08 13:46:01 +02:00
"zone": zone,
Isolate rollover-algo-csk test
2025-06-06 16:49:14 +02:00
"cdss": CDSS,
"keyprops": [
# The zone signatures are now HIDDEN.
f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}",
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
],
# Next key event is never since we established the policy and the
# keys have an unlimited lifetime. Fallback to the default
# loadkeys interval.
"nextev": TIMEDELTA["PT1H"],
}
Test manual-mode with CSK algorithm rollover Update check_rollover_step to return the found keys. This can be used to test that keymgr-manual-mode messages are correctly logged. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-07-23 09:27:04 +02:00
isctest.kasp.check_rollover_step(ns6, CONFIG, policy, step)
Reference in New Issue Copy Permalink