From 6bb862d10f007cc22ee22f9a1dcba899700bedc8 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 28 Mar 2023 12:00:56 +0200 Subject: [PATCH] Add test cases for 'checkds yes' Add the test cases for automatic parental-agents, i.e. when 'checkds' is set to 'yes'. Split out the special cases that use a reference or a resolver as parental-agent so that the common use cases can be tested with the same function. --- bin/tests/system/checkds/ns2/ns2-4-5.db.in | 4 + bin/tests/system/checkds/ns2/ns2-4-6.db.in | 4 + bin/tests/system/checkds/ns2/ns2-4.db.in | 4 + bin/tests/system/checkds/ns2/ns2-5-7.db.in | 4 + bin/tests/system/checkds/ns2/ns2.db.in | 8 + bin/tests/system/checkds/ns2/ns5-6-7.db.in | 4 + bin/tests/system/checkds/ns2/ns5-7.db.in | 4 + bin/tests/system/checkds/ns2/ns5.db.in | 10 + bin/tests/system/checkds/ns2/ns6.db.in | 8 + bin/tests/system/checkds/ns5/ns2-4-5.db.in | 4 + bin/tests/system/checkds/ns5/ns2-4-6.db.in | 4 + bin/tests/system/checkds/ns5/ns2-4.db.in | 4 + bin/tests/system/checkds/ns5/ns2-5-7.db.in | 4 + bin/tests/system/checkds/ns5/ns2.db.in | 8 + bin/tests/system/checkds/ns5/ns5-6-7.db.in | 4 + bin/tests/system/checkds/ns5/ns5-7.db.in | 4 + bin/tests/system/checkds/ns5/ns5.db.in | 10 + bin/tests/system/checkds/ns5/ns6.db.in | 8 + bin/tests/system/checkds/ns9/named.conf.in | 97 ++++++++ bin/tests/system/checkds/ns9/setup.sh | 4 +- bin/tests/system/checkds/tests_checkds.py | 252 ++++++++++++--------- 21 files changed, 348 insertions(+), 105 deletions(-) diff --git a/bin/tests/system/checkds/ns2/ns2-4-5.db.in b/bin/tests/system/checkds/ns2/ns2-4-5.db.in index 9ea5b889c2..3a8b69432e 100644 --- a/bin/tests/system/checkds/ns2/ns2-4-5.db.in +++ b/bin/tests/system/checkds/ns2/ns2-4-5.db.in @@ -28,3 +28,7 @@ ns5 A 10.53.0.5 $ORIGIN explicit.dspublish.ns2-4-5. incomplete NS ns9.incomplete ns9.imcomplete A 10.53.0.9 + +$ORIGIN yes.dspublish.ns2-4-5. +incomplete NS ns9.incomplete +ns9.imcomplete A 10.53.0.9 
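Review bot: The glue record in the added `yes.dspublish.ns2-4-5.` block is spelled `ns9.imcomplete`, while the delegation above it names `ns9.incomplete`, so the NS target has no matching address record in this zone. The typo is copied from the existing `explicit.dspublish.ns2-4-5.` block, and the same added lines appear in `ns5/ns2-4-5.db.in`. The line should read `ns9.incomplete A 10.53.0.9`, as the `ns2-5-7.db.in` blocks already do. This may not change the current checkds assertions, but anything that follows the delegation would find no glue for the child's name server.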
diff --git a/bin/tests/system/checkds/ns2/ns2-4-6.db.in b/bin/tests/system/checkds/ns2/ns2-4-6.db.in index f30962852b..b29fabc982 100644 --- a/bin/tests/system/checkds/ns2/ns2-4-6.db.in +++ b/bin/tests/system/checkds/ns2/ns2-4-6.db.in @@ -28,3 +28,7 @@ ns6 A 10.53.0.6 $ORIGIN explicit.dspublish.ns2-4-6. bad NS ns9.bad ns9.bad A 10.53.0.9 + +$ORIGIN yes.dspublish.ns2-4-6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns2-4.db.in b/bin/tests/system/checkds/ns2/ns2-4.db.in index 5ed06dbb92..86b050a872 100644 --- a/bin/tests/system/checkds/ns2/ns2-4.db.in +++ b/bin/tests/system/checkds/ns2/ns2-4.db.in @@ -26,3 +26,7 @@ ns4 A 10.53.0.4 $ORIGIN explicit.dspublish.ns2-4. good NS ns9.good ns9.good A 10.53.0.9 + +$ORIGIN yes.dspublish.ns2-4. +good NS ns9.good +ns9.good A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns2-5-7.db.in b/bin/tests/system/checkds/ns2/ns2-5-7.db.in index 689f316e5c..b1fe39c6a5 100644 --- a/bin/tests/system/checkds/ns2/ns2-5-7.db.in +++ b/bin/tests/system/checkds/ns2/ns2-5-7.db.in @@ -28,3 +28,7 @@ ns7 A 10.53.0.7 $ORIGIN explicit.dsremoved.ns2-5-7. incomplete NS ns9.incomplete ns9.incomplete A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns2-5-7. +incomplete NS ns9.incomplete +ns9.incomplete A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns2.db.in b/bin/tests/system/checkds/ns2/ns2.db.in index 200129ef1b..bd4a635e4f 100644 --- a/bin/tests/system/checkds/ns2/ns2.db.in +++ b/bin/tests/system/checkds/ns2/ns2.db.in @@ -29,6 +29,14 @@ ns9.good A 10.53.0.9 ns9.reference A 10.53.0.9 ns9.resolver A 10.53.0.9 +$ORIGIN yes.dspublish.ns2. +good NS ns9.good +ns9.good A 10.53.0.9 + $ORIGIN explicit.dsremoved.ns2. still-there NS ns9.still-there ns9.still-there A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns2. +still-there NS ns9.still-there +ns9.still-there A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns5-6-7.db.in b/bin/tests/system/checkds/ns2/ns5-6-7.db.in index 5a4200bda9..6be4649886 100644 
--- a/bin/tests/system/checkds/ns2/ns5-6-7.db.in +++ b/bin/tests/system/checkds/ns2/ns5-6-7.db.in @@ -28,3 +28,7 @@ ns7 A 10.53.0.7 $ORIGIN explicit.dsremoved.ns5-6-7. bad NS ns9.bad ns9.bad A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns5-6-7. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns5-7.db.in b/bin/tests/system/checkds/ns2/ns5-7.db.in index f051c5eafb..5d66b990b5 100644 --- a/bin/tests/system/checkds/ns2/ns5-7.db.in +++ b/bin/tests/system/checkds/ns2/ns5-7.db.in @@ -26,3 +26,7 @@ ns7 A 10.53.0.7 $ORIGIN explicit.dsremoved.ns5-7. good NS ns9.good ns9.good A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns5-7. +good NS ns9.good +ns9.good A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns5.db.in b/bin/tests/system/checkds/ns2/ns5.db.in index 33449d340c..4501776a3e 100644 --- a/bin/tests/system/checkds/ns2/ns5.db.in +++ b/bin/tests/system/checkds/ns2/ns5.db.in @@ -25,8 +25,18 @@ $ORIGIN explicit.dspublish.ns5. not-yet NS ns9.not-yet ns9.not-yet A 10.53.0.9 +$ORIGIN yes.dspublish.ns5. +not-yet NS ns9.not-yet +ns9.not-yet A 10.53.0.9 + $ORIGIN explicit.dsremoved.ns5. good NS ns9.good resolver NS ns9.resolver ns9.good A 10.53.0.9 ns9.resolver A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns5. +good NS ns9.good +resolver NS ns9.resolver +ns9.good A 10.53.0.9 +ns9.resolver A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns2/ns6.db.in b/bin/tests/system/checkds/ns2/ns6.db.in index 27cbb03d99..59e28543e0 100644 --- a/bin/tests/system/checkds/ns2/ns6.db.in +++ b/bin/tests/system/checkds/ns2/ns6.db.in @@ -28,3 +28,11 @@ ns9.bad A 10.53.0.9 $ORIGIN explicit.dsremoved.ns6. bad NS ns9.bad ns9.bad A 10.53.0.9 + +$ORIGIN yes.dspublish.ns6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns2-4-5.db.in b/bin/tests/system/checkds/ns5/ns2-4-5.db.in index 9ea5b889c2..3a8b69432e 100644 --- a/bin/tests/system/checkds/ns5/ns2-4-5.db.in 
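Review bot: The added `yes.dsremoved.ns5.` block in `ns2/ns5.db.in` delegates `resolver` to `ns9.resolver`, but none of the `named.conf.in` hunks in this patch adds a `resolver.yes.dsremoved.ns5` zone. The commit message says the resolver case is split out as a special case, and the new resolver test only uses `explicit` zone names. The `yes.dspublish.ns2.` block in `ns2.db.in` leaves out the reference and resolver delegations, so the two parent zones disagree. Unless the zone is created somewhere outside the visible hunks, drop `resolver NS ns9.resolver` and `ns9.resolver A 10.53.0.9` from this block and from the identical one in `ns5/ns5.db.in`, so the parent does not carry a delegation to a zone that ns9 does not serve.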
+++ b/bin/tests/system/checkds/ns5/ns2-4-5.db.in @@ -28,3 +28,7 @@ ns5 A 10.53.0.5 $ORIGIN explicit.dspublish.ns2-4-5. incomplete NS ns9.incomplete ns9.imcomplete A 10.53.0.9 + +$ORIGIN yes.dspublish.ns2-4-5. +incomplete NS ns9.incomplete +ns9.imcomplete A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns2-4-6.db.in b/bin/tests/system/checkds/ns5/ns2-4-6.db.in index f30962852b..b29fabc982 100644 --- a/bin/tests/system/checkds/ns5/ns2-4-6.db.in +++ b/bin/tests/system/checkds/ns5/ns2-4-6.db.in @@ -28,3 +28,7 @@ ns6 A 10.53.0.6 $ORIGIN explicit.dspublish.ns2-4-6. bad NS ns9.bad ns9.bad A 10.53.0.9 + +$ORIGIN yes.dspublish.ns2-4-6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns2-4.db.in b/bin/tests/system/checkds/ns5/ns2-4.db.in index 5ed06dbb92..86b050a872 100644 --- a/bin/tests/system/checkds/ns5/ns2-4.db.in +++ b/bin/tests/system/checkds/ns5/ns2-4.db.in @@ -26,3 +26,7 @@ ns4 A 10.53.0.4 $ORIGIN explicit.dspublish.ns2-4. good NS ns9.good ns9.good A 10.53.0.9 + +$ORIGIN yes.dspublish.ns2-4. +good NS ns9.good +ns9.good A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns2-5-7.db.in b/bin/tests/system/checkds/ns5/ns2-5-7.db.in index 689f316e5c..b1fe39c6a5 100644 --- a/bin/tests/system/checkds/ns5/ns2-5-7.db.in +++ b/bin/tests/system/checkds/ns5/ns2-5-7.db.in @@ -28,3 +28,7 @@ ns7 A 10.53.0.7 $ORIGIN explicit.dsremoved.ns2-5-7. incomplete NS ns9.incomplete ns9.incomplete A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns2-5-7. +incomplete NS ns9.incomplete +ns9.incomplete A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns2.db.in b/bin/tests/system/checkds/ns5/ns2.db.in index 200129ef1b..bd4a635e4f 100644 --- a/bin/tests/system/checkds/ns5/ns2.db.in +++ b/bin/tests/system/checkds/ns5/ns2.db.in 
@@ -29,6 +29,14 @@ ns9.good A 10.53.0.9 ns9.reference A 10.53.0.9 ns9.resolver A 10.53.0.9 +$ORIGIN yes.dspublish.ns2. +good NS ns9.good +ns9.good A 10.53.0.9 + $ORIGIN explicit.dsremoved.ns2. still-there NS ns9.still-there ns9.still-there A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns2. +still-there NS ns9.still-there +ns9.still-there A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns5-6-7.db.in b/bin/tests/system/checkds/ns5/ns5-6-7.db.in index 5a4200bda9..6be4649886 100644 --- a/bin/tests/system/checkds/ns5/ns5-6-7.db.in +++ b/bin/tests/system/checkds/ns5/ns5-6-7.db.in @@ -28,3 +28,7 @@ ns7 A 10.53.0.7 $ORIGIN explicit.dsremoved.ns5-6-7. bad NS ns9.bad ns9.bad A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns5-6-7. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns5-7.db.in b/bin/tests/system/checkds/ns5/ns5-7.db.in index f051c5eafb..5d66b990b5 100644 --- a/bin/tests/system/checkds/ns5/ns5-7.db.in +++ b/bin/tests/system/checkds/ns5/ns5-7.db.in @@ -26,3 +26,7 @@ ns7 A 10.53.0.7 $ORIGIN explicit.dsremoved.ns5-7. good NS ns9.good ns9.good A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns5-7. +good NS ns9.good +ns9.good A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns5.db.in b/bin/tests/system/checkds/ns5/ns5.db.in index 33449d340c..4501776a3e 100644 --- a/bin/tests/system/checkds/ns5/ns5.db.in +++ b/bin/tests/system/checkds/ns5/ns5.db.in @@ -25,8 +25,18 @@ $ORIGIN explicit.dspublish.ns5. not-yet NS ns9.not-yet ns9.not-yet A 10.53.0.9 +$ORIGIN yes.dspublish.ns5. +not-yet NS ns9.not-yet +ns9.not-yet A 10.53.0.9 + $ORIGIN explicit.dsremoved.ns5. good NS ns9.good resolver NS ns9.resolver ns9.good A 10.53.0.9 ns9.resolver A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns5. +good NS ns9.good +resolver NS ns9.resolver +ns9.good A 10.53.0.9 +ns9.resolver A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns5/ns6.db.in b/bin/tests/system/checkds/ns5/ns6.db.in index 27cbb03d99..59e28543e0 100644 --- a/bin/tests/system/checkds/ns5/ns6.db.in 
+++ b/bin/tests/system/checkds/ns5/ns6.db.in @@ -28,3 +28,11 @@ ns9.bad A 10.53.0.9 $ORIGIN explicit.dsremoved.ns6. bad NS ns9.bad ns9.bad A 10.53.0.9 + +$ORIGIN yes.dspublish.ns6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 + +$ORIGIN yes.dsremoved.ns6. +bad NS ns9.bad +ns9.bad A 10.53.0.9 diff --git a/bin/tests/system/checkds/ns9/named.conf.in b/bin/tests/system/checkds/ns9/named.conf.in index e9c6075efc..6697e5fc2e 100644 --- a/bin/tests/system/checkds/ns9/named.conf.in +++ b/bin/tests/system/checkds/ns9/named.conf.in @@ -78,6 +78,15 @@ zone "resolver.explicit.dspublish.ns2" { }; }; +/* Same as above, but now with auto parental agents. */ +zone "good.yes.dspublish.ns2" { + type primary; + file "good.yes.dspublish.ns2.db"; + inline-signing yes; + dnssec-policy "default"; + checkds yes; +}; + /* * 1. Enabling DNSSEC * 1.1 - With one parental agent @@ -93,6 +102,14 @@ zone "not-yet.explicit.dspublish.ns5" { }; }; +zone "not-yet.yes.dspublish.ns5" { + type primary; + file "not-yet.yes.dspublish.ns5.db"; + inline-signing yes; + dnssec-policy "default"; + checkds yes; +}; + /* * 1. Enabling DNSSEC * 1.1 - With one parental agent @@ -108,6 +125,14 @@ zone "bad.explicit.dspublish.ns6" { }; }; +zone "bad.yes.dspublish.ns6" { + type primary; + file "bad.yes.dspublish.ns6.db"; + inline-signing yes; + dnssec-policy "default"; + checkds yes; +}; + /* * 1. Enabling DNSSEC * 1.1 - With one parental agent @@ -131,6 +156,14 @@ zone "good.explicit.dspublish.ns2-4" { }; }; +zone "good.yes.dspublish.ns2-4" { + type primary; + file "good.yes.dspublish.ns2-4.db"; + inline-signing yes; + dnssec-policy "default"; + checkds yes; +}; + /* * 1. Enabling DNSSEC * 1.2 - With multiple parental agent 
@@ -148,6 +181,14 @@ zone "incomplete.explicit.dspublish.ns2-4-5" { }; }; +zone "incomplete.yes.dspublish.ns2-4-5" { + type primary; + file "incomplete.yes.dspublish.ns2-4-5.db"; + inline-signing yes; + dnssec-policy "default"; + checkds yes; +}; + /* * 1. Enabling DNSSEC * 1.2 - With multiple parental agent @@ -165,6 +206,14 @@ zone "bad.explicit.dspublish.ns2-4-6" { }; }; +zone "bad.yes.dspublish.ns2-4-6" { + type primary; + file "bad.yes.dspublish.ns2-4-6.db"; + inline-signing yes; + dnssec-policy "default"; + checkds yes; +}; + /* * 1. Enabling DNSSEC * 1.2 - With multiple parental agent @@ -199,6 +248,14 @@ zone "resolver.explicit.dsremoved.ns5" { }; }; +zone "good.yes.dsremoved.ns5" { + type primary; + file "good.yes.dsremoved.ns5.db"; + inline-signing yes; + dnssec-policy "insecure"; + checkds yes; +}; + /* * 2. Going insecure * 2.1 - With one parental agent @@ -214,6 +271,14 @@ zone "still-there.explicit.dsremoved.ns2" { }; }; +zone "still-there.yes.dsremoved.ns2" { + type primary; + file "still-there.yes.dsremoved.ns2.db"; + inline-signing yes; + dnssec-policy "insecure"; + checkds yes; +}; + /* * 2. Going insecure * 2.1 - With one parental agent @@ -229,6 +294,14 @@ zone "bad.explicit.dsremoved.ns6" { }; }; +zone "bad.yes.dsremoved.ns6" { + type primary; + file "bad.yes.dsremoved.ns6.db"; + inline-signing yes; + dnssec-policy "insecure"; + checkds yes; +}; + /* * 2. Going insecure * 2.1 - With one parental agent @@ -252,6 +325,14 @@ zone "good.explicit.dsremoved.ns5-7" { }; }; +zone "good.yes.dsremoved.ns5-7" { + type primary; + file "good.yes.dsremoved.ns5-7.db"; + inline-signing yes; + dnssec-policy "insecure"; + checkds yes; +}; + /* * 2. Going insecure * 2.2. - With multiple parental agents 
@@ -269,6 +350,14 @@ zone "incomplete.explicit.dsremoved.ns2-5-7" { }; }; +zone "incomplete.yes.dsremoved.ns2-5-7" { + type primary; + file "incomplete.yes.dsremoved.ns2-5-7.db"; + inline-signing yes; + dnssec-policy "insecure"; + checkds yes; +}; + /* * 2. Going insecure * 2.2. - With multiple parental agents @@ -286,6 +375,14 @@ zone "bad.explicit.dsremoved.ns5-6-7" { }; }; +zone "bad.yes.dsremoved.ns5-6-7" { + type primary; + file "bad.yes.dsremoved.ns5-6-7.db"; + inline-signing yes; + dnssec-policy "insecure"; + checkds yes; +}; + /* * 2. Going insecure * 2.2. - With multiple parental agents diff --git a/bin/tests/system/checkds/ns9/setup.sh b/bin/tests/system/checkds/ns9/setup.sh index cb399c2288..a83a8cb633 100644 --- a/bin/tests/system/checkds/ns9/setup.sh +++ b/bin/tests/system/checkds/ns9/setup.sh @@ -33,7 +33,7 @@ T="now-30d" Y="now-1y" # DS Publication. -for checkds in explicit +for checkds in explicit yes do for zn in \ good.${checkds}.dspublish.ns2 \ @@ -60,7 +60,7 @@ do done # DS Withdrawal. -for checkds in explicit +for checkds in explicit yes do for zn in \ good.${checkds}.dsremoved.ns5 \ diff --git a/bin/tests/system/checkds/tests_checkds.py b/bin/tests/system/checkds/tests_checkds.py index ef6bec143e..fff3c49e28 100755 --- a/bin/tests/system/checkds/tests_checkds.py +++ b/bin/tests/system/checkds/tests_checkds.py @@ -249,7 +249,7 @@ def wait_for_log(filename, log): assert found -def test_checkds_dspublished(named_port): +def checkds_dspublished(named_port, checkds): # We create resolver instances that will be used to send queries. server = dns.resolver.Resolver() server.nameservers = ["10.53.0.9"] 
@@ -265,55 +265,44 @@ def test_checkds_dspublished(named_port): # # The simple case. - zone_check(server, "good.explicit.dspublish.ns2.") + zone_check(server, "good.{}.dspublish.ns2.".format(checkds)) wait_for_log( "ns9/named.run", - "zone good.explicit.dspublish.ns2/IN (signed): checkds: " - "DS response from 10.53.0.2", + "zone good.{}.dspublish.ns2/IN (signed): checkds: " + "DS response from 10.53.0.2".format(checkds), ) - keystate_check(parent, "good.explicit.dspublish.ns2.", "DSPublish") - - # Using a reference to parental-agents. - zone_check(server, "reference.explicit.dspublish.ns2.") - wait_for_log( - "ns9/named.run", - "zone reference.explicit.dspublish.ns2/IN (signed): " - "checkds: DS response from 10.53.0.2", - ) - keystate_check(parent, "reference.explicit.dspublish.ns2.", "DSPublish") - - # Using a resolver as parental-agent (ns3). - zone_check(server, "resolver.explicit.dspublish.ns2.") - wait_for_log( - "ns9/named.run", - "zone resolver.explicit.dspublish.ns2/IN (signed): checkds: " - "DS response from 10.53.0.3", - ) - keystate_check(parent, "resolver.explicit.dspublish.ns2.", "DSPublish") + keystate_check(parent, "good.{}.dspublish.ns2.".format(checkds), "DSPublish") # # 1.1.2: DS is not published in parent. # parental-agents: ns5 # - zone_check(server, "not-yet.explicit.dspublish.ns5.") + zone_check(server, "not-yet.{}.dspublish.ns5.".format(checkds)) wait_for_log( "ns9/named.run", - "zone not-yet.explicit.dspublish.ns5/IN (signed): checkds: " - "empty DS response from 10.53.0.5", + "zone not-yet.{}.dspublish.ns5/IN (signed): checkds: " + "empty DS response from 10.53.0.5".format(checkds), ) - keystate_check(parent, "not-yet.explicit.dspublish.ns5.", "!DSPublish") + keystate_check(parent, "not-yet.{}.dspublish.ns5.".format(checkds), "!DSPublish") # # 1.1.3: The parental agent is badly configured. 
# parental-agents: ns6 # - zone_check(server, "bad.explicit.dspublish.ns6.") - wait_for_log( - "ns9/named.run", - "zone bad.explicit.dspublish.ns6/IN (signed): checkds: " - "bad DS response from 10.53.0.6", - ) - keystate_check(parent, "bad.explicit.dspublish.ns6.", "!DSPublish") + zone_check(server, "bad.{}.dspublish.ns6.".format(checkds)) + if checkds == "explicit": + wait_for_log( + "ns9/named.run", + "zone bad.{}.dspublish.ns6/IN (signed): checkds: " + "bad DS response from 10.53.0.6".format(checkds), + ) + elif checkds == "yes": + wait_for_log( + "ns9/named.run", + "zone bad.{}.dspublish.ns6/IN (signed): checkds: " + "error during parental-agents processing".format(checkds), + ) + keystate_check(parent, "bad.{}.dspublish.ns6.".format(checkds), "!DSPublish") # # 1.1.4: DS is published, but has bogus signature. 
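Review bot: The `if checkds == "explicit": ... elif checkds == "yes": ...` chain in case 1.1.3 has no `else`, so any other `checkds` value skips the log assertion and only `keystate_check` runs. Add `else: raise ValueError("unexpected checkds mode: {}".format(checkds))` so a new mode cannot pass this case without checking the log. The same chain appears in case 2.1.3 of `checkds_dswithdrawn`. The body of `checkds_dspublished` starts and ends outside this hunk.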
@@ -324,62 +313,62 @@ def test_checkds_dspublished(named_port): # 1.2.1: DS is correctly published in all parents. # parental-agents: ns2, ns4 # - zone_check(server, "good.explicit.dspublish.ns2-4.") + zone_check(server, "good.{}.dspublish.ns2-4.".format(checkds)) wait_for_log( "ns9/named.run", - "zone good.explicit.dspublish.ns2-4/IN (signed): checkds: " - "DS response from 10.53.0.2", + "zone good.{}.dspublish.ns2-4/IN (signed): checkds: " + "DS response from 10.53.0.2".format(checkds), ) wait_for_log( "ns9/named.run", - "zone good.explicit.dspublish.ns2-4/IN (signed): checkds: " - "DS response from 10.53.0.4", + "zone good.{}.dspublish.ns2-4/IN (signed): checkds: " + "DS response from 10.53.0.4".format(checkds), ) - keystate_check(parent, "good.explicit.dspublish.ns2-4.", "DSPublish") + keystate_check(parent, "good.{}.dspublish.ns2-4.".format(checkds), "DSPublish") # # 1.2.2: DS is not published in some parents. # parental-agents: ns2, ns4, ns5 # - zone_check(server, "incomplete.explicit.dspublish.ns2-4-5.") + zone_check(server, "incomplete.{}.dspublish.ns2-4-5.".format(checkds)) wait_for_log( "ns9/named.run", - "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: " - "DS response from 10.53.0.2", + "zone incomplete.{}.dspublish.ns2-4-5/IN (signed): checkds: " + "DS response from 10.53.0.2".format(checkds), ) wait_for_log( "ns9/named.run", - "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: " - "DS response from 10.53.0.4", + "zone incomplete.{}.dspublish.ns2-4-5/IN (signed): checkds: " + "DS response from 10.53.0.4".format(checkds), ) wait_for_log( "ns9/named.run", - "zone incomplete.explicit.dspublish.ns2-4-5/IN (signed): checkds: " - "empty DS response from 10.53.0.5", + "zone incomplete.{}.dspublish.ns2-4-5/IN (signed): checkds: " + "empty DS response from 10.53.0.5".format(checkds), ) - keystate_check(parent, "incomplete.explicit.dspublish.ns2-4-5.", "!DSPublish") + keystate_check(parent, 
"incomplete.{}.dspublish.ns2-4-5.".format(checkds), "!DSPublish") # # 1.2.3: One parental agent is badly configured. # parental-agents: ns2, ns4, ns6 # - zone_check(server, "bad.explicit.dspublish.ns2-4-6.") + zone_check(server, "bad.{}.dspublish.ns2-4-6.".format(checkds)) wait_for_log( "ns9/named.run", - "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: " - "DS response from 10.53.0.2", + "zone bad.{}.dspublish.ns2-4-6/IN (signed): checkds: " + "DS response from 10.53.0.2".format(checkds), ) wait_for_log( "ns9/named.run", - "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: " - "DS response from 10.53.0.4", + "zone bad.{}.dspublish.ns2-4-6/IN (signed): checkds: " + "DS response from 10.53.0.4".format(checkds), ) wait_for_log( "ns9/named.run", - "zone bad.explicit.dspublish.ns2-4-6/IN (signed): checkds: " - "bad DS response from 10.53.0.6", + "zone bad.{}.dspublish.ns2-4-6/IN (signed): checkds: " + "bad DS response from 10.53.0.6".format(checkds), ) - keystate_check(parent, "bad.explicit.dspublish.ns2-4-6.", "!DSPublish") + keystate_check(parent, "bad.{}.dspublish.ns2-4-6.".format(checkds), "!DSPublish") # # 1.2.4: DS is completely published, bogus signature. @@ -390,7 +379,7 @@ def test_checkds_dspublished(named_port): # TBD: Check with TLS -def test_checkds_dswithdrawn(named_port): +def checkds_dswithdrawn(named_port, checkds): # We create resolver instances that will be used to send queries. server = dns.resolver.Resolver() server.nameservers = ["10.53.0.9"] 
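Review bot: Case 1.2.3 still waits for `bad DS response from 10.53.0.6` in both modes, whereas case 1.1.3 expects `error during parental-agents processing` when `checkds` is `yes`, and nothing in the test explains the difference. Presumably the automatic lookup fails outright when ns6 is the only parent but reaches the per-server query when ns2 and ns4 are also listed; that should be confirmed and then stated. A short comment above the third `wait_for_log` would do, for example `# With 'checkds yes' the parent NS lookup succeeds via ns2/ns4, so ns6 is queried and answers badly.` Case 2.2.3 in `checkds_dswithdrawn` has the same shape.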
@@ -406,46 +395,44 @@ def test_checkds_dswithdrawn(named_port): # # The simple case. - zone_check(server, "good.explicit.dsremoved.ns5.") + zone_check(server, "good.{}.dsremoved.ns5.".format(checkds)) wait_for_log( "ns9/named.run", - "zone good.explicit.dsremoved.ns5/IN (signed): checkds: " - "empty DS response from 10.53.0.5", + "zone good.{}.dsremoved.ns5/IN (signed): checkds: " + "empty DS response from 10.53.0.5".format(checkds), ) - keystate_check(parent, "good.explicit.dsremoved.ns5.", "DSRemoved") - - # Using a resolver as parental-agent (ns3). - zone_check(server, "resolver.explicit.dsremoved.ns5.") - wait_for_log( - "ns9/named.run", - "zone resolver.explicit.dsremoved.ns5/IN (signed): checkds: " - "empty DS response from 10.53.0.3", - ) - keystate_check(parent, "resolver.explicit.dsremoved.ns5.", "DSRemoved") + keystate_check(parent, "good.{}.dsremoved.ns5.".format(checkds), "DSRemoved") # # 2.1.2: DS is published in the parent. # parental-agents: ns2 # - zone_check(server, "still-there.explicit.dsremoved.ns2.") + zone_check(server, "still-there.{}.dsremoved.ns2.".format(checkds)) wait_for_log( "ns9/named.run", - "zone still-there.explicit.dsremoved.ns2/IN (signed): checkds: " - "DS response from 10.53.0.2", + "zone still-there.{}.dsremoved.ns2/IN (signed): checkds: " + "DS response from 10.53.0.2".format(checkds), ) - keystate_check(parent, "still-there.explicit.dsremoved.ns2.", "!DSRemoved") + keystate_check(parent, "still-there.{}.dsremoved.ns2.".format(checkds), "!DSRemoved") # # 2.1.3: The parental agent is badly configured. 
# parental-agents: ns6 # - zone_check(server, "bad.explicit.dsremoved.ns6.") - wait_for_log( - "ns9/named.run", - "zone bad.explicit.dsremoved.ns6/IN (signed): checkds: " - "bad DS response from 10.53.0.6", - ) - keystate_check(parent, "bad.explicit.dsremoved.ns6.", "!DSRemoved") + zone_check(server, "bad.{}.dsremoved.ns6.".format(checkds)) + if checkds == "explicit": + wait_for_log( + "ns9/named.run", + "zone bad.{}.dsremoved.ns6/IN (signed): checkds: " + "bad DS response from 10.53.0.6".format(checkds), + ) + elif checkds == "yes": + wait_for_log( + "ns9/named.run", + "zone bad.{}.dsremoved.ns6/IN (signed): checkds: " + "error during parental-agents processing".format(checkds), + ) + keystate_check(parent, "bad.{}.dsremoved.ns6.".format(checkds), "!DSRemoved") # # 2.1.4: DS is withdrawn, but has bogus signature. 
@@ -456,64 +443,123 @@ def test_checkds_dswithdrawn(named_port): # 2.2.1: DS is correctly withdrawn from all parents. # parental-agents: ns5, ns7 # - zone_check(server, "good.explicit.dsremoved.ns5-7.") + zone_check(server, "good.{}.dsremoved.ns5-7.".format(checkds)) wait_for_log( "ns9/named.run", - "zone good.explicit.dsremoved.ns5-7/IN (signed): checkds: " - "empty DS response from 10.53.0.5", + "zone good.{}.dsremoved.ns5-7/IN (signed): checkds: " + "empty DS response from 10.53.0.5".format(checkds), ) wait_for_log( "ns9/named.run", - "zone good.explicit.dsremoved.ns5-7/IN (signed): checkds: " - "empty DS response from 10.53.0.7", + "zone good.{}.dsremoved.ns5-7/IN (signed): checkds: " + "empty DS response from 10.53.0.7".format(checkds), ) - keystate_check(parent, "good.explicit.dsremoved.ns5-7.", "DSRemoved") + keystate_check(parent, "good.{}.dsremoved.ns5-7.".format(checkds), "DSRemoved") # # 2.2.2: DS is not withdrawn from some parents. # parental-agents: ns2, ns5, ns7 # - zone_check(server, "incomplete.explicit.dsremoved.ns2-5-7.") + zone_check(server, "incomplete.{}.dsremoved.ns2-5-7.".format(checkds)) wait_for_log( "ns9/named.run", - "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: " - "DS response from 10.53.0.2", + "zone incomplete.{}.dsremoved.ns2-5-7/IN (signed): checkds: " + "DS response from 10.53.0.2".format(checkds), ) wait_for_log( "ns9/named.run", - "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: " - "empty DS response from 10.53.0.5", + "zone incomplete.{}.dsremoved.ns2-5-7/IN (signed): checkds: " + "empty DS response from 10.53.0.5".format(checkds), ) wait_for_log( "ns9/named.run", - "zone incomplete.explicit.dsremoved.ns2-5-7/IN (signed): checkds: " - "empty DS response from 10.53.0.7", + "zone incomplete.{}.dsremoved.ns2-5-7/IN (signed): checkds: " + "empty DS response from 10.53.0.7".format(checkds), ) - keystate_check(parent, "incomplete.explicit.dsremoved.ns2-5-7.", "!DSRemoved") + keystate_check(parent, 
"incomplete.{}.dsremoved.ns2-5-7.".format(checkds), "!DSRemoved") # # 2.2.3: One parental agent is badly configured. # parental-agents: ns5, ns6, ns7 # - zone_check(server, "bad.explicit.dsremoved.ns5-6-7.") + zone_check(server, "bad.{}.dsremoved.ns5-6-7.".format(checkds)) wait_for_log( "ns9/named.run", - "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: " - "empty DS response from 10.53.0.5", + "zone bad.{}.dsremoved.ns5-6-7/IN (signed): checkds: " + "empty DS response from 10.53.0.5".format(checkds), ) wait_for_log( "ns9/named.run", - "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: " - "empty DS response from 10.53.0.7", + "zone bad.{}.dsremoved.ns5-6-7/IN (signed): checkds: " + "empty DS response from 10.53.0.7".format(checkds), ) wait_for_log( "ns9/named.run", - "zone bad.explicit.dsremoved.ns5-6-7/IN (signed): checkds: " - "bad DS response from 10.53.0.6", + "zone bad.{}.dsremoved.ns5-6-7/IN (signed): checkds: " + "bad DS response from 10.53.0.6".format(checkds), ) - keystate_check(parent, "bad.explicit.dsremoved.ns5-6-7.", "!DSRemoved") + keystate_check(parent, "bad.{}.dsremoved.ns5-6-7.".format(checkds), "!DSRemoved") # # 2.2.4:: DS is removed completely, bogus signature. # # TBD + + +def test_checkds_reference(named_port): + # We create resolver instances that will be used to send queries. + server = dns.resolver.Resolver() + server.nameservers = ["10.53.0.9"] + server.port = named_port + + parent = dns.resolver.Resolver() + parent.nameservers = ["10.53.0.2"] + parent.port = named_port + + # Using a reference to parental-agents. + zone_check(server, "reference.explicit.dspublish.ns2.") + wait_for_log( + "ns9/named.run", + "zone reference.explicit.dspublish.ns2/IN (signed): " + "checkds: DS response from 10.53.0.2", + ) + keystate_check(parent, "reference.explicit.dspublish.ns2.", "DSPublish") + + +def test_checkds_resolver(named_port): + # We create resolver instances that will be used to send queries. 
+ server = dns.resolver.Resolver() + server.nameservers = ["10.53.0.9"] + server.port = named_port + + parent = dns.resolver.Resolver() + parent.nameservers = ["10.53.0.2"] + parent.port = named_port + + # Using a resolver as parental-agent (ns3). + zone_check(server, "resolver.explicit.dspublish.ns2.") + wait_for_log( + "ns9/named.run", + "zone resolver.explicit.dspublish.ns2/IN (signed): checkds: " + "DS response from 10.53.0.3", + ) + keystate_check(parent, "resolver.explicit.dspublish.ns2.", "DSPublish") + + # Using a resolver as parental-agent (ns3). + zone_check(server, "resolver.explicit.dsremoved.ns5.") + wait_for_log( + "ns9/named.run", + "zone resolver.explicit.dsremoved.ns5/IN (signed): checkds: " + "empty DS response from 10.53.0.3", + ) + keystate_check(parent, "resolver.explicit.dsremoved.ns5.", "DSRemoved") + + +def test_checkds_dspublished(named_port): + checkds_dspublished(named_port, "explicit") + checkds_dspublished(named_port, "yes") + + +def test_checkds_dswithdrawn(named_port): + checkds_dswithdrawn(named_port, "explicit") + checkds_dswithdrawn(named_port, "yes")
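Review bot: `test_checkds_dspublished` and `test_checkds_dswithdrawn` run the `explicit` and `yes` modes back to back inside one test, so a failure in `explicit` stops `yes` from running and the report does not name the mode. Parametrizing keeps them independent: put `@pytest.mark.parametrize("checkds", ["explicit", "yes"])` above `def test_checkds_dspublished(named_port, checkds):` and have the body call `checkds_dspublished(named_port, checkds)`, then do the same for the withdrawn test. This assumes `pytest` is imported in the file, which the hunk does not show. Separately, `test_checkds_resolver` now checks `resolver.explicit.dsremoved.ns5.` with `parent` pointing at 10.53.0.2; the `parent` setup of the function it was moved from is outside the hunk, so confirm it used the same server.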