Revive dupsigs system test

Correctly source conf.sh in dupsigs test scripts (fix issue introduced by 093af1c00a). Update dupsigs test for dnssec-dnskey-kskonly default. Since v9.17.20, the dnssec-dnskey-kskonly is set to yes. Update the test to not expect the additional RRSIG with ZSK for DNSKEY. Speed up the test from 20 minutes to 2.5 minutes and make it part of the default test suite executed in CI. - decrease number of records to sign from 2000 to 500 - decrease the signing interval by a factor of 6 - shorten the final part of the test after last signing (since nothing new happens there) Finally, clarify misleading comments about (in)sufficient time for zone re-signing. The time used in the test is in fact sufficient for the re-signing to happen. If it wasn't, the previous ZSK would end up being deleted while its signatures would still be present, which is a situation where duplicate signatures can still happen.
2025-08-31 14:35:26 +00:00 · 2022-10-18 17:16:27 +02:00
parent 7495deea3e
commit cb0a2ae1dd
8 changed files with 21 additions and 25 deletions
--- a/bin/tests/system/Makefile.am
+++ b/bin/tests/system/Makefile.am
@@ -101,6 +101,7 @@ TESTS +=			\
 	dns64			\
 	dscp			\
 	dsdigest		\
+	dupsigs			\
 	dyndb			\
 	ecdsa			\
 	eddsa			\
@@ -162,10 +163,6 @@ TESTS +=			\
 	xferquota		\
 	zonechecks

-# The "dupsigs" test is not run by default because it takes
-# a very long time to complete.
-# TESTS += dupsigs
-
 if HAVE_LMDB
 TESTS += nzd2nzf
 endif # HAVE_LMDB
--- a/bin/tests/system/conf.sh.common
+++ b/bin/tests/system/conf.sh.common
@@ -26,8 +26,6 @@ export LANG=C
 #
 # Common lists of system tests to run.
 #
-# The "dupsigs" test is not run by default because it takes
-# a very long time to complete.

 #
 # These tests can use ports assigned by the caller (other than 5300
@@ -41,7 +39,10 @@ export LANG=C
 # rpzrecurse are scheduled first, in order to get more benefit from
 # parallelism.
 #
-PARALLEL_COMMON="rpzrecurse serve-stale
+PARALLEL_COMMON="
+rpzrecurse
+serve-stale
+dupsigs
 acl
 additional
 addzone
--- a/bin/tests/system/dupsigs/check_journal.pl
+++ b/bin/tests/system/dupsigs/check_journal.pl
@@ -197,11 +197,6 @@ if( @changeset ) {
            if( $n_signing_keys == 0 ) {
                print "at serial $newserial $rrsig_id went unsigned\n";
            }
-            elsif( $rrsig_id =~ /:DNSKEY$/ ) {
-                if( $n_signing_keys != 2 ) {
-                    print "at serial $newserial $rrsig_id was signed $n_signing_keys time(s) when it should have been signed twice\n";
-                }
-            }
            elsif( $n_signing_keys > 1 ) {
                my @signing_keys = sort { $a <=> $b } keys %{ $rrsig_db{$rrsig_id} };
                print "at serial $newserial $rrsig_id was signed too many times, keys (@signing_keys)\n";
--- a/bin/tests/system/dupsigs/clean.sh
+++ b/bin/tests/system/dupsigs/clean.sh
@@ -9,6 +9,7 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.

+rm -f dig.out*
 rm -f ns1/named.conf
 rm -f ns1/named.lock
 rm -f ns1/named.memstats
--- a/bin/tests/system/dupsigs/ns1/named.conf.in
+++ b/bin/tests/system/dupsigs/ns1/named.conf.in
@@ -29,5 +29,5 @@ zone "signing.test" {
 	key-directory "keys/signing.test";
 	inline-signing yes;
 	auto-dnssec maintain;
-	sig-validity-interval 120 30;
+	sig-validity-interval 20 5;
 };
--- a/bin/tests/system/dupsigs/ns1/reset_keys.sh
+++ b/bin/tests/system/dupsigs/ns1/reset_keys.sh
@@ -11,7 +11,7 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.

-. ../conf.sh
+. ../../conf.sh

 zone=signing.test
 rm -rf keys/signing.test
@@ -52,14 +52,14 @@ $SETTIME -P $BASET -A $BASET $KEYDIR/$KSK
 $SETTIME -P $BASET -A $BASET $KEYDIR/$ZSK0

 # schedule the first roll
-R1=`expr $BASE + 300`
+R1=`expr $BASE + 50`
 R1T=`timetodnssec $R1`

 $SETTIME -I $R1T $KEYDIR/$ZSK0
 $SETTIME -P $BASET -A $R1T $KEYDIR/$ZSK1

 # schedule the second roll (which includes the delete of the first key)
-R2=`expr $R1 + 300`
+R2=`expr $R1 + 50`
 R2T=`timetodnssec $R2`
 DT=$R2
 DTT=`timetodnssec $DT`
@@ -69,8 +69,7 @@ $SETTIME -I $R2T $KEYDIR/$ZSK1
 $SETTIME -P $R1T -A $R2T $KEYDIR/$ZSK2

 # schedule the third roll
-# this isn't long enough for the signing to complete
-R3=`expr $R2 + 60`
+R3=`expr $R2 + 25`
 R3T=`timetodnssec $R3`

 $SETTIME -D $R3T $KEYDIR/$ZSK1
@@ -89,8 +88,10 @@ echo ZSK4=$ZSK4
 exit

 # schedule the fourth roll
-# this isn't long enough for the signing to complete
-R4=`expr $R3 + 30`
+# this isn't long enough for the signing to complete and would result in
+# duplicate signatures, see
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/231#note_9597
+R4=`expr $R3 + 10`
 R4T=`timetodnssec $R4`

 $SETTIME -D $R4T $KEYDIR/$ZSK2
--- a/bin/tests/system/dupsigs/ns1/signing.test.db.in
+++ b/bin/tests/system/dupsigs/ns1/signing.test.db.in
@@ -15,4 +15,4 @@ $TTL 3600
 ns   A    127.0.0.1
 ns   AAAA ::1

-$GENERATE 0-1999 a${0,4,d} AAAA ::$
+$GENERATE 0-499 a${0,4,d} AAAA ::$
--- a/bin/tests/system/dupsigs/tests.sh
+++ b/bin/tests/system/dupsigs/tests.sh
@@ -13,8 +13,9 @@

 status=0
 start=`date +%s`
-end=`expr $start + 1200`
-now=$start
+end=`expr $start + 150`
+sleep 10  # wait for a bit for the initial signing
+now=`expr $start + 10`
 while test $now -lt $end
 do
 	et=`expr $now - $start`
@@ -23,12 +24,12 @@ do
 	$DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et
 	awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c
 	lines=`awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l`
-	if [ ${et} -ne 0 -a ${lines} -ne 4009 ]
+	if [ ${et} -ne 0 -a ${lines} -ne 1008 ]
 	then
 		echo_i "failed"
 		status=`expr $status + 1`
 	fi
-	sleep 20
+	sleep 5
 	now=`date +%s`
 done