From 2e5a2f4e819415cbfa4023bee2c3333a4b3ea58c Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 4 Sep 2024 15:54:53 +0200
Subject: [PATCH] Allow empty CDNSKEY/CDS RRset in ksr system test
When the zone is initially signed, the CDNSKEY/CDS RRset is not immediately published. The DNSKEY and signatures must propagate first. Adjust the test to allow for this case.
(cherry picked from commit 708927e03d152983557b6a2d0d40888e0ccffad5)
---
 bin/tests/system/isctest/kasp.py | 19 +++++++++++--------
 bin/tests/system/ksr/tests_ksr.py | 26 ++++++++++++++++++++++----
 2 files changed, 33 insertions(+), 12 deletions(-)
diff --git a/bin/tests/system/isctest/kasp.py b/bin/tests/system/isctest/kasp.py
index 7dd2c1d502..1fbb489319 100644
--- a/bin/tests/system/isctest/kasp.py
+++ b/bin/tests/system/isctest/kasp.py
@@ -431,8 +431,11 @@ def _check_dnskeys(dnskeys, keys, cdnskey=False):
 has_dnskey = True
 break
- assert has_dnskey
- numkeys += 1
+ if not cdnskey:
+ assert has_dnskey
+
+ if has_dnskey:
+ numkeys += 1
 return numkeys
@@ -541,17 +544,17 @@ def check_apex(server, zone, ksks, zsks):
 # test cdnskey query
 cdnskeys, rrsigs = _query_rrset(server, fqdn, dns.rdatatype.CDNSKEY)
- assert len(cdnskeys) > 0
 check_dnskeys(cdnskeys, ksks, zsks, cdnskey=True)
- assert len(rrsigs) > 0
- check_signatures(rrsigs, dns.rdatatype.CDNSKEY, fqdn, ksks, zsks)
+ if len(cdnskeys) > 0:
+ assert len(rrsigs) > 0
+ check_signatures(rrsigs, dns.rdatatype.CDNSKEY, fqdn, ksks, zsks)
 # test cds query
 cds, rrsigs = _query_rrset(server, fqdn, dns.rdatatype.CDS)
- assert len(cds) > 0
 check_cds(cds, ksks)
- assert len(rrsigs) > 0
- check_signatures(rrsigs, dns.rdatatype.CDS, fqdn, ksks, zsks)
+ if len(cds) > 0:
+ assert len(rrsigs) > 0
+ check_signatures(rrsigs, dns.rdatatype.CDS, fqdn, ksks, zsks)
 def check_subdomain(server, zone, ksks, zsks):
diff --git a/bin/tests/system/ksr/tests_ksr.py b/bin/tests/system/ksr/tests_ksr.py
index 3790003f33..3c9f4ee85e 100644
--- a/bin/tests/system/ksr/tests_ksr.py
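Review bot: With `cdnskey=True` the per-key `assert has_dnskey` in `_check_dnskeys` is now skipped unconditionally, so the helper accepts any subset of the expected CDNSKEY records, not only the empty RRset the commit message describes. CDNSKEY/CDS drive DS updates at the parent, so a regression that drops one key's record would pass unnoticed. If the key objects here expose the same timing metadata used in tests_ksr.py, consider asserting presence once the key's `SyncPublish` time has passed; at minimum add a comment such as `# CDNSKEY may be withheld until the DNSKEY and signatures have propagated`. The function starts above this hunk, so the loop that sets `has_dnskey` is only partly visible.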
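Review bot: `check_apex` is a shared helper in isctest/kasp.py, and dropping `assert len(cdnskeys) > 0` and `assert len(cds) > 0` relaxes every test that calls it, so a zone that never publishes CDS/CDNSKEY would now pass in all of them. Consider making the tolerance opt-in through a keyword argument that defaults to the strict behaviour and is enabled only by the ksr test. Separately, the empty case leaves `rrsigs` unchecked; assuming `_query_rrset` returns only RRSIGs covering the queried type, adding `else: assert len(rrsigs) == 0` under each `if len(...) > 0:` would catch signatures returned without the RRset they cover. The callers of `check_apex` are outside this page, so the number of affected tests is not visible here.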
+++ b/bin/tests/system/ksr/tests_ksr.py
@@ -324,10 +324,17 @@ def check_signedkeyresponse(
 line_no += 1
 # expect cdnskey
+ have_cdnskey = False
 if cdnskey:
 for key in sorted(ksks):
- published = key.get_timing("Publish")
- removed = key.get_timing("Delete", must_exist=False)
+ published = key.get_timing("SyncPublish")
+ if between(published, inception, next_bundle):
+ next_bundle = published
+
+ removed = key.get_timing("SyncDelete", must_exist=False)
+ if between(removed, inception, next_bundle):
+ next_bundle = removed
+
 if published > inception:
 continue
 if removed is not None and inception >= removed:
@@ -336,7 +343,9 @@ def check_signedkeyresponse(
 # the cdnskey of this ksk must be in the ksr
 assert key.dnskey_equals(lines[line_no], cdnskey=True)
 line_no += 1
+ have_cdnskey = True
+ if have_cdnskey:
 # expect rrsig(cdnskey)
 for key in sorted(ksks):
 active = key.get_timing("Activate")
@@ -354,10 +363,17 @@ def check_signedkeyresponse(
 line_no += 1
 # expect cds
+ have_cds = False
 if cds != "":
 for key in sorted(ksks):
- published = key.get_timing("Publish")
- removed = key.get_timing("Delete", must_exist=False)
+ published = key.get_timing("SyncPublish")
+ if between(published, inception, next_bundle):
+ next_bundle = published
+
+ removed = key.get_timing("SyncDelete", must_exist=False)
+ if between(removed, inception, next_bundle):
+ next_bundle = removed
+
 if published > inception:
 continue
 if removed is not None and inception >= removed:
@@ -368,7 +384,9 @@ def check_signedkeyresponse(
 for alg in expected_cds:
 assert key.cds_equals(lines[line_no], alg.strip())
 line_no += 1
+ have_cds = True
+ if have_cds:
 # expect rrsig(cds)
 for key in sorted(ksks):
 active = key.get_timing("Activate")
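Review bot: `removed` comes from `get_timing("SyncDelete", must_exist=False)` and may be `None`, yet it is passed straight to `between(removed, inception, next_bundle)` before the existing `removed is not None` guard a few lines further down. `between` is defined outside this hunk; unless it is known to handle `None`, guard the call with `if removed is not None and between(removed, inception, next_bundle):`. The same block is repeated verbatim in the CDS hunk at `-354,10 +363,17`, so the guard applies there too, and the two copies could share one small helper so they cannot drift apart.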
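Review bot: The `have_cdnskey` flag and the `if have_cdnskey:` guard carry no comment explaining why RRSIG(CDNSKEY) is only expected conditionally; the same holds for `have_cds` in the `-368,7 +384,9` hunk. A short comment where the flag is set, for example `# no CDNSKEY is expected before a KSK reaches SyncPublish, and then no RRSIG(CDNSKEY) either`, would keep the relaxation from looking accidental to the next maintainer. Indentation is lost on this page, so whether `have_cds = True` sits inside the `for alg in expected_cds:` loop cannot be confirmed from here.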