Test manual-mode while enabling DNSSEC

Similar to previous commit. Parametrize each test case and in case of manual-mode, execute additional checks. First a keymgr run should not change the existing key state (with exceptions of timing events such as moving from RUMOURED to OMNIPRESENT, and from UNRETENTIVE to HIDDEN). Appropriate messages must be logged. After enforcing the next step with 'rndc dnssec -step', the key state should be the same as if the step were to be taken automatically.
2025-08-22 10:10:06 +00:00 · 2025-07-24 14:57:35 +02:00 · 2025-07-24 14:57:35 +02:00 · 1df76e2c24
commit 1df76e2c24
parent 0aa5dee474
1 changed files with 95 additions and 12 deletions
--- a/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py
+++ b/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py
@ -11,8 +11,11 @@

 # pylint: disable=redefined-outer-name,unused-import

+import pytest
+
 import isctest
 from isctest.kasp import Ipub, IpubC, Iret
+from isctest.util import param
 from rollover.common import (
    pytestmark,
    alg,
@ -44,11 +47,40 @@ OFFSETS["step3"] = -int(IRETZSK.total_seconds())
 OFFSETS["step4"] = -int(IPUBC.total_seconds() + IRETKSK.total_seconds())


-def test_rollover_enable_dnssec_step1(alg, size, ns3):
-    zone = "step1.enable-dnssec.autosign"
+@pytest.mark.parametrize(
+    "tld",
+    [
+        param("autosign"),
+        param("manual"),
+    ],
+)
+def test_rollover_enable_dnssec_step1(tld, alg, size, ns3):
+    zone = f"step1.enable-dnssec.{tld}"
+    policy = f"{POLICY}-{tld}"

    isctest.kasp.wait_keymgr_done(ns3, zone)

+    if tld == "manual":
+        # Same as insecure.
+        step = {
+            "zone": zone,
+            "cdss": CDSS,
+            "keyprops": [],
+            "manual-mode": True,
+            "zone-signed": False,
+            "nextev": None,
+        }
+        isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
+
+        # Check logs.
+        msg = f"keymgr-manual-mode: block new key generation for zone {zone} (policy {policy})"
+        ns3.log.expect(msg)
+
+        # Force step.
+        with ns3.watch_log_from_here() as watcher:
+            ns3.rndc(f"dnssec -step {zone}")
+            watcher.wait_for_line(f"keymgr: {zone} done")
+
    step = {
        "zone": zone,
        "cdss": CDSS,
@ -59,14 +91,24 @@ def test_rollover_enable_dnssec_step1(alg, size, ns3):
        # after the publication interval.
        "nextev": IPUB,
    }
-    isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
+    isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)


-def test_rollover_enable_dnssec_step2(alg, size, ns3):
-    zone = "step2.enable-dnssec.autosign"
+@pytest.mark.parametrize(
+    "tld",
+    [
+        param("autosign"),
+        param("manual"),
+    ],
+)
+def test_rollover_enable_dnssec_step2(tld, alg, size, ns3):
+    zone = f"step2.enable-dnssec.{tld}"
+    policy = f"{POLICY}-{tld}"

    isctest.kasp.wait_keymgr_done(ns3, zone)

+    # manual-mode: Nothing changing in the zone, no 'dnssec -step' required.
+
    step = {
        "zone": zone,
        "cdss": CDSS,
@ -81,14 +123,45 @@ def test_rollover_enable_dnssec_step2(alg, size, ns3):
        # Minus the time already elapsed.
        "nextev": IRETZSK - IPUB,
    }
-    isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
+    isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)


-def test_rollover_enable_dnssec_step3(alg, size, ns3):
-    zone = "step3.enable-dnssec.autosign"
+@pytest.mark.parametrize(
+    "tld",
+    [
+        param("autosign"),
+        param("manual"),
+    ],
+)
+def test_rollover_enable_dnssec_step3(tld, alg, size, ns3):
+    zone = f"step3.enable-dnssec.{tld}"
+    policy = f"{POLICY}-{tld}"

    isctest.kasp.wait_keymgr_done(ns3, zone)

+    if tld == "manual":
+        # Same as step 2, but zone signatures have become OMNIPRESENT.
+        step = {
+            "zone": zone,
+            "cdss": CDSS,
+            "keyprops": [
+                f"csk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:hidden offset:{OFFSETS['step3']}",
+            ],
+            "manual-mode": True,
+            "nextev": None,
+        }
+        keys = isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
+
+        # Check logs.
+        tag = keys[0].key.tag
+        msg = f"keymgr-manual-mode: block transition CSK {zone}/ECDSAP256SHA256/{tag} type DS state HIDDEN to state RUMOURED"
+        ns3.log.expect(msg)
+
+        # Force step.
+        with ns3.watch_log_from_here() as watcher:
+            ns3.rndc(f"dnssec -step {zone}")
+            watcher.wait_for_line(f"keymgr: {zone} done")
+
    step = {
        "zone": zone,
        "cdss": CDSS,
@ -102,14 +175,24 @@ def test_rollover_enable_dnssec_step3(alg, size, ns3):
        # This is after the retire interval.
        "nextev": IRETKSK,
    }
-    isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
+    isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)


-def test_rollover_enable_dnssec_step4(alg, size, ns3):
-    zone = "step4.enable-dnssec.autosign"
+@pytest.mark.parametrize(
+    "tld",
+    [
+        param("autosign"),
+        param("manual"),
+    ],
+)
+def test_rollover_enable_dnssec_step4(tld, alg, size, ns3):
+    zone = f"step4.enable-dnssec.{tld}"
+    policy = f"{POLICY}-{tld}"

    isctest.kasp.wait_keymgr_done(ns3, zone)

+    # manual-mode: Nothing changing in the zone, no 'dnssec -step' required.
+
    step = {
        "zone": zone,
        "cdss": CDSS,
@ -122,4 +205,4 @@ def test_rollover_enable_dnssec_step4(alg, size, ns3):
        # established. So we fall back to the default loadkeys interval.
        "nextev": TIMEDELTA["PT1H"],
    }
-    isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
+    isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)