Convert more kasp test cases to pytest

These test cases follow the same pattern as many other, but all require some additional checks. These are set in "additional-tests". The "zsk-missing.autosign" zone is special handled, as it expects the KSK to sign the SOA RRset (because the ZSK is unavailable). The kasp/ns3/setup.sh script is updated so the SyncPublish is not set (named will initialize it correctly). For the test zones that have missing private key files we do need to set the expected key timing metadata. Remove the counterparts for the newly added test from the kasp shell tests script. (cherry picked from commit 5f23f750c2)
2025-08-31 14:35:26 +00:00 · 2025-03-17 14:53:55 +01:00
parent 76edf2deb6
commit a996e18417
4 changed files with 361 additions and 412 deletions
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -514,47 +514,6 @@ check_apex
 check_subdomain
 dnssec_verify

-#
-# Zone: secondary.kasp.
-#
-set_zone "secondary.kasp"
-set_policy "rsasha256" "3" "1234"
-set_server "ns3" "10.53.0.3"
-# Key properties, timings and states same as above.
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_algorithm_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Update zone.
-n=$((n + 1))
-echo_i "check that we correctly sign the zone after IXFR for zone ${ZONE} ($n)"
-ret=0
-cp ns2/secondary.kasp.db.in2 ns2/secondary.kasp.db
-rndccmd 10.53.0.2 reload "$ZONE" >/dev/null || log_error "rndc reload zone ${ZONE} failed"
-
-_wait_for_done_subdomains() {
-  ret=0
-  dig_with_opts "a.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.a" || return 1
-  grep "status: NOERROR" "dig.out.$DIR.test$n.a" >/dev/null || return 1
-  grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" >/dev/null || return 1
-  check_signatures $_qtype "dig.out.$DIR.test$n.a" "ZSK"
-  if [ $ret -gt 0 ]; then return $ret; fi
-
-  dig_with_opts "d.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.d" || return 1
-  grep "status: NOERROR" "dig.out.$DIR.test$n.d" >/dev/null || return 1
-  grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" >/dev/null || return 1
-  check_signatures $_qtype "dig.out.$DIR.test$n.d" "ZSK"
-  return $ret
-}
-retry_quiet 5 _wait_for_done_subdomains || ret=1
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 # TODO: we might want to test:
 # - configuring a zone with too many active keys (should trigger retire).
 # - configuring a zone with keys not matching the policy.
@@ -593,10 +552,10 @@ set_keytimes_autosign_policy() {
 }

 #
-# Zone: expired-sigs.autosign.
+# Zone: zsk-retired.autosign.
 #
-set_zone "expired-sigs.autosign"
-set_policy "autosign" "2" "300"
+set_zone "zsk-retired.autosign"
+set_policy "autosign" "3" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear "KEY1"
@@ -625,181 +584,6 @@ set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
 # Expect only two keys.
 key_clear "KEY3"
 key_clear "KEY4"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_autosign_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Verify all signatures have been refreshed.
-check_rrsig_refresh() {
-  # Apex.
-  _qtypes="DNSKEY SOA NS NSEC"
-  for _qtype in $_qtypes; do
-    n=$((n + 1))
-    echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
-    ret=0
-    dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
-    grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response"
-    grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
-    # If this exact RRSIG is also in the zone file it is not refreshed.
-    _rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
-    grep "${_rrsig}" "${DIR}/${ZONE}.db" >/dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
-    test "$ret" -eq 0 || echo_i "failed"
-    status=$((status + ret))
-  done
-
-  # Below apex.
-  _labels="a b c ns3"
-  for _label in $_labels; do
-    _qtypes="A NSEC"
-    for _qtype in $_qtypes; do
-      n=$((n + 1))
-      echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
-      ret=0
-      dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
-      grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response"
-      grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
-      _rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
-      grep "${_rrsig}" "${DIR}/${ZONE}.db" >/dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
-      test "$ret" -eq 0 || echo_i "failed"
-      status=$((status + ret))
-    done
-  done
-}
-
-check_rrsig_refresh
-
-#
-# Zone: fresh-sigs.autosign.
-#
-set_zone "fresh-sigs.autosign"
-set_policy "autosign" "2" "300"
-set_server "ns3" "10.53.0.3"
-# Key properties, timings and states same as above.
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_autosign_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Verify signature reuse.
-check_rrsig_reuse() {
-  # Apex.
-  _qtypes="NS NSEC"
-  for _qtype in $_qtypes; do
-    n=$((n + 1))
-    echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
-    ret=0
-    dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
-    grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response"
-    grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
-    # If this exact RRSIG is also in the signed zone file it is not refreshed.
-    _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' <"rrsig.out.$ZONE.$_qtype")
-    $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" >/dev/null
-    grep "${_rrsig}" zone.out.${ZONE}.test$n >/dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
-    test "$ret" -eq 0 || echo_i "failed"
-    status=$((status + ret))
-  done
-
-  # Below apex.
-  _labels="a b c ns3"
-  for _label in $_labels; do
-    _qtypes="A NSEC"
-    for _qtype in $_qtypes; do
-      n=$((n + 1))
-      echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
-      ret=0
-      dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
-      grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response"
-      grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
-      # If this exact RRSIG is also in the signed zone file it is not refreshed.
-      _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' <"rrsig.out.$ZONE.$_qtype")
-      $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" >/dev/null
-      grep "${_rrsig}" zone.out.${ZONE}.test$n >/dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
-      test "$ret" -eq 0 || echo_i "failed"
-      status=$((status + ret))
-    done
-  done
-}
-
-check_rrsig_reuse
-
-#
-# Zone: unfresh-sigs.autosign.
-#
-set_zone "unfresh-sigs.autosign"
-set_policy "autosign" "2" "300"
-set_server "ns3" "10.53.0.3"
-# Key properties, timings and states same as above.
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_autosign_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-check_rrsig_refresh
-
-#
-# Zone: ksk-missing.autosign.
-#
-set_zone "ksk-missing.autosign"
-set_policy "autosign" "2" "300"
-set_server "ns3" "10.53.0.3"
-# Key properties, timings and states same as above.
-# Skip checking the private file, because it is missing.
-key_set "KEY1" "PRIVATE" "no"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-dnssec_verify
-
-# Restore the PRIVATE variable.
-key_set "KEY1" "PRIVATE" "yes"
-
-#
-# Zone: zsk-missing.autosign.
-#
-set_zone "zsk-missing.autosign"
-set_policy "autosign" "2" "300"
-set_server "ns3" "10.53.0.3"
-# Key properties, timings and states same as above.
-# Skip checking the private file, because it is missing.
-key_set "KEY2" "PRIVATE" "no"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# For the apex, we expect the SOA to be signed with the KSK because the ZSK is
-# offline. Temporary treat KEY1 as a zone signing key too.
-set_keyrole "KEY1" "csk"
-set_zonesigning "KEY1" "yes"
-set_zonesigning "KEY2" "no"
-check_apex
-set_keyrole "KEY1" "ksk"
-set_zonesigning "KEY1" "no"
-set_zonesigning "KEY2" "yes"
-check_subdomain
-dnssec_verify
-
-# Restore the PRIVATE variable.
-key_set "KEY2" "PRIVATE" "yes"
-
-#
-# Zone: zsk-retired.autosign.
-#
-set_zone "zsk-retired.autosign"
-set_policy "autosign" "3" "300"
-set_server "ns3" "10.53.0.3"
 # The third key is not yet expected to be signing.
 set_keyrole "KEY3" "zsk"
 set_keylifetime "KEY3" "31536000"
@@ -846,7 +630,7 @@ check_keytimes
 check_apex
 check_subdomain
 dnssec_verify
-check_rrsig_refresh
+#check_rrsig_refresh

 # Load again, make sure the purged key is not an issue when verifying keys.
 echo_i "load keys for $ZONE, making sure a recently purged key is not an issue when verifying keys ($n)"
@@ -857,164 +641,6 @@ grep "zone $ZONE/IN (signed): zone_rekey:zone_verifykeys failed: some key files
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))

-#
-# Zone: legacy-keys.kasp.
-#
-set_zone "legacy-keys.kasp"
-# This zone has two active keys and two old keys left in key directory, so
-# expect 4 key files.
-set_policy "migrate-to-dnssec-policy" "4" "1234"
-set_server "ns3" "10.53.0.3"
-
-# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "16070400"
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
-
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "16070400"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
-# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
-# ZSK: DNSKEY, RRSIG (zsk) published.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
-
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-# Two keys only.
-key_clear "KEY3"
-key_clear "KEY4"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Make sure the correct legacy keys were used (and not the removed predecessor
-# keys).
-n=$((n + 1))
-echo_i "check correct keys were used when migrating zone ${ZONE} to dnssec-policy ($n)"
-ret=0
-kskfile=$(cat ns3/legacy-keys.kasp.ksk)
-basefile=$(key_get KEY1 BASEFILE)
-echo_i "filename: $basefile (expect $kskfile)"
-test "$DIR/$kskfile" = "$basefile" || ret=1
-zskfile=$(cat ns3/legacy-keys.kasp.zsk)
-basefile=$(key_get KEY2 BASEFILE)
-echo_i "filename: $basefile (expect $zskfile)"
-test "$DIR/$zskfile" = "$basefile" || ret=1
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-# KSK times.
-created=$(key_get KEY1 CREATED)
-keyfile=$(key_get KEY1 BASEFILE)
-grep "; Publish:" "${keyfile}.key" >published.test${n}.key1
-published=$(awk '{print $3}' <published.test${n}.key1)
-set_keytime "KEY1" "PUBLISHED" "${published}"
-set_keytime "KEY1" "ACTIVE" "${published}"
-published=$(key_get KEY1 PUBLISHED)
-# The DS can be published if the zone is fully signed.
-# This happens after max-zone-ttl (1d) plus
-# zone-propagation-delay (300s) = 86400 + 300 = 86700.
-set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 86700
-# Key lifetime is 6 months, 315360000 seconds.
-set_addkeytime "KEY1" "RETIRED" "${published}" 16070400
-# The key is removed after the retire time plus DS TTL (1d), parent
-# propagation delay (1h), and retire safety (1h) = 86400 + 3600 + 3600 = 93600.
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
-
-# ZSK times.
-created=$(key_get KEY2 CREATED)
-keyfile=$(key_get KEY2 BASEFILE)
-grep "; Publish:" "${keyfile}.key" >published.test${n}.key2
-published=$(awk '{print $3}' <published.test${n}.key2)
-set_keytime "KEY2" "PUBLISHED" "${published}"
-set_keytime "KEY2" "ACTIVE" "${published}"
-published=$(key_get KEY2 PUBLISHED)
-# Key lifetime is 6 months, 315360000 seconds.
-set_addkeytime "KEY2" "RETIRED" "${published}" 16070400
-# The key is removed after the retire time plus max zone ttl (1d), zone
-# propagation delay (300s), retire safety (1h), and sign delay (signature
-# validity minus refresh, 9d) = 86400 + 300 + 3600 + 777600 = 867900.
-retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" 867900
-
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-#
-# Zone: keyfiles-missing.autosign.
-#
-set_zone "keyfiles-missing.autosign"
-set_policy "autosign" "2" "300"
-set_server "ns3" "10.53.0.3"
-# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "63072000"
-set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
-
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "31536000"
-set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
-
-# Both KSK and ZSK stay OMNIPRESENT.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
-
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_autosign_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-# All good, now remove key files and reload keys.
-rm_keyfiles() {
-  _basefile=$(key_get "$1" BASEFILE)
-  echo_i "remove key files $_basefile"
-  _keyfile="${_basefile}.key"
-  _privatefile="${_basefile}.private"
-  _statefile="${_basefile}.state"
-  rm -f $_keyfile
-  rm -f $_privatefile
-  rm -f $_statefile
-}
-rm_keyfiles "KEY1"
-rm_keyfiles "KEY2"
-
-rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
-wait_for_log 3 "zone $ZONE/IN (signed): zone_rekey:zone_verifykeys failed: some key files are missing" $DIR/named.run || ret=1
-# Check keys again, make sure no new keys are created.
-set_policy "autosign" "0" "300"
-key_clear "KEY1"
-key_clear "KEY2"
-check_keys
-# Zone is still signed correctly.
-dnssec_verify
-
 #
 # Test dnssec-policy inheritance.
 #