diff --git a/bin/tests/system/isctest/kasp.py b/bin/tests/system/isctest/kasp.py index 51bf22f089..d6bd930d87 100644 --- a/bin/tests/system/isctest/kasp.py +++ b/bin/tests/system/isctest/kasp.py @@ -611,57 +611,6 @@ class Key: return self.path -def check_zone_is_signed(server, zone, tsig=None): - addr = server.ip - fqdn = f"{zone}." - - # wait until zone is fully signed - signed = False - for _ in range(10): - response = _query(server, fqdn, dns.rdatatype.NSEC, tsig=tsig) - if not isinstance(response, dns.message.Message): - isctest.log.debug(f"no response for {fqdn} NSEC from {addr}") - elif response.rcode() != dns.rcode.NOERROR: - rcode = dns.rcode.to_text(response.rcode()) - isctest.log.debug(f"{rcode} response for {fqdn} NSEC from {addr}") - else: - has_nsec = False - has_rrsig = False - for rr in response.answer: - if not has_nsec: - has_nsec = rr.match( - dns.name.from_text(fqdn), - dns.rdataclass.IN, - dns.rdatatype.NSEC, - dns.rdatatype.NONE, - ) - if not has_rrsig: - has_rrsig = rr.match( - dns.name.from_text(fqdn), - dns.rdataclass.IN, - dns.rdatatype.RRSIG, - dns.rdatatype.NSEC, - ) - - if not has_nsec: - isctest.log.debug( - f"missing apex {fqdn} NSEC record in response from {addr}" - ) - if not has_rrsig: - isctest.log.debug( - f"missing {fqdn} NSEC signature in response from {addr}" - ) - - signed = has_nsec and has_rrsig - - if signed: - break - - time.sleep(1) - - assert signed - - def check_keys(zone, keys, expected): """ Checks keys for a configured zone. This verifies: diff --git a/bin/tests/system/kasp/tests_kasp.py b/bin/tests/system/kasp/tests_kasp.py index 178e602f48..6cbb87080b 100644 --- a/bin/tests/system/kasp/tests_kasp.py +++ b/bin/tests/system/kasp/tests_kasp.py @@ -166,7 +166,6 @@ def check_all(server, zone, policy, ksks, zsks, zsk_missing=False, tsig=None): server, zone, ksks, zsks, zsk_missing=zsk_missing, tsig=tsig ) isctest.kasp.check_subdomain(server, zone, ksks, zsks, tsig=tsig) - isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig) def set_keytimes_default_policy(kp): @@ -661,7 +660,7 @@ def test_kasp_case(servers, params): isctest.log.info(f"check test case zone {zone} policy {policy}") # First make sure the zone is signed. - isctest.kasp.check_zone_is_signed(server, zone) + isctest.kasp.check_dnssec_verify(server, zone) # Key properties. expected = isctest.kasp.policy_to_properties(ttl=ttl, keys=params["key-properties"]) @@ -679,6 +678,7 @@ def test_kasp_case(servers, params): ksks = [k for k in keys if k.is_ksk()] zsks = [k for k in keys if not k.is_ksk()] + isctest.kasp.check_dnssec_verify(server, zone) isctest.kasp.check_keys(zone, keys, expected) offset = params["offset"] if "offset" in params else None @@ -759,7 +759,7 @@ def test_kasp_inherit_signed(zone, policy, server_id, alg, tsig_kind, servers): key1.metadata["Length"] = alg.bits keys = isctest.kasp.keydir_to_keylist(zone, server.identifier) - isctest.kasp.check_zone_is_signed(server, zone, tsig=tsig) + isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig) isctest.kasp.check_keys(zone, keys, [key1]) set_keytimes_default_policy(key1) isctest.kasp.check_keytimes(keys, [key1]) @@ -786,7 +786,7 @@ def test_kasp_inherit_view(number, dynamic, inline_signing, txt_rdata, servers): key1.metadata["Length"] = ECDSAP384SHA384.bits keys = isctest.kasp.keydir_to_keylist(zone, server.identifier) - isctest.kasp.check_zone_is_signed(server, zone, tsig=tsig) + isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig) isctest.kasp.check_keys(zone, keys, [key1]) set_keytimes_default_policy(key1) isctest.kasp.check_keytimes(keys, [key1]) @@ -839,7 +839,7 @@ def test_kasp_default(servers): ] expected = isctest.kasp.policy_to_properties(ttl=3600, keys=keyprops) keys = isctest.kasp.keydir_to_keylist(zone, "ns3") - isctest.kasp.check_zone_is_signed(server, zone) + isctest.kasp.check_dnssec_verify(server, zone) isctest.kasp.check_keys(zone, keys, expected) set_keytimes_default_policy(expected[0]) isctest.kasp.check_keytimes(keys, expected) @@ -900,6 +900,7 @@ def test_kasp_default(servers): watcher.wait_for_line(f"zone {zone}/IN (signed): {expectmsg}") # Nothing has changed. expected[0].properties["private"] = False + isctest.kasp.check_dnssec_verify(server, zone) isctest.kasp.check_keys(zone, keys, expected) isctest.kasp.check_keytimes(keys, expected) check_all(server, zone, policy, keys, []) @@ -911,7 +912,7 @@ def test_kasp_default(servers): key1 = KeyProperties.default() keys = isctest.kasp.keydir_to_keylist(zone, "ns3") expected = [key1] - isctest.kasp.check_zone_is_signed(server, zone) + isctest.kasp.check_dnssec_verify(server, zone) isctest.kasp.check_keys(zone, keys, expected) set_keytimes_default_policy(key1) isctest.kasp.check_keytimes(keys, expected) @@ -930,7 +931,7 @@ def test_kasp_dynamic(servers): key1 = KeyProperties.default() expected = [key1] keys = isctest.kasp.keydir_to_keylist(zone, "ns3") - isctest.kasp.check_zone_is_signed(server, zone) + isctest.kasp.check_dnssec_verify(server, zone) isctest.kasp.check_keys(zone, keys, expected) set_keytimes_default_policy(key1) expected = [key1] @@ -1014,7 +1015,7 @@ def test_kasp_dynamic(servers): key1 = KeyProperties.default() expected = [key1] keys = isctest.kasp.keydir_to_keylist(zone, "ns3") - isctest.kasp.check_zone_is_signed(server, zone) + isctest.kasp.check_dnssec_verify(server, zone) isctest.kasp.check_keys(zone, keys, expected) set_keytimes_default_policy(key1) expected = [key1] @@ -1053,7 +1054,7 @@ def test_kasp_dynamic(servers): key1.metadata["DSState"] = "omnipresent" expected = [key1] keys = isctest.kasp.keydir_to_keylist(zone, "ns3/keys") - isctest.kasp.check_zone_is_signed(server, zone) + isctest.kasp.check_dnssec_verify(server, zone) isctest.kasp.check_keys(zone, keys, expected) check_all(server, zone, policy, keys, []) # Ensure no zone_resigninc for the unsigned version of the zone is triggered. @@ -1079,7 +1080,7 @@ def test_kasp_checkds(servers): keys = isctest.kasp.keydir_to_keylist(zone, "ns3") ksks = [k for k in keys if k.is_ksk()] zsks = [k for k in keys if k.is_zsk()] - isctest.kasp.check_zone_is_signed(server, zone) + isctest.kasp.check_dnssec_verify(server, zone) isctest.kasp.check_keys(zone, keys, expected) check_all(server, zone, policy, ksks, zsks) @@ -1123,7 +1124,7 @@ def test_kasp_checkds_doubleksk(servers): keys = isctest.kasp.keydir_to_keylist(zone, "ns3") ksks = [k for k in keys if k.is_ksk()] zsks = [k for k in keys if k.is_zsk()] - isctest.kasp.check_zone_is_signed(server, zone) + isctest.kasp.check_dnssec_verify(server, zone) isctest.kasp.check_keys(zone, keys, expected) check_all(server, zone, policy, ksks, zsks) @@ -1196,7 +1197,7 @@ def test_kasp_checkds_csk(servers): ] expected = isctest.kasp.policy_to_properties(ttl=303, keys=policy_keys) keys = isctest.kasp.keydir_to_keylist(zone, "ns3") - isctest.kasp.check_zone_is_signed(server, zone) + isctest.kasp.check_dnssec_verify(server, zone) isctest.kasp.check_keys(zone, keys, expected) check_all(server, zone, policy, keys, []) @@ -1482,7 +1483,7 @@ def test_kasp_zsk_retired(servers): keys = isctest.kasp.keydir_to_keylist(zone, "ns3") ksks = [k for k in keys if k.is_ksk()] zsks = [k for k in keys if not k.is_ksk()] - isctest.kasp.check_zone_is_signed(server, zone) + isctest.kasp.check_dnssec_verify(server, zone) isctest.kasp.check_keys(zone, keys, expected) offset = -timedelta(days=30 * 6) diff --git a/bin/tests/system/ksr/tests_ksr.py b/bin/tests/system/ksr/tests_ksr.py index 15ccc02b28..a5aefa0b21 100644 --- a/bin/tests/system/ksr/tests_ksr.py +++ b/bin/tests/system/ksr/tests_ksr.py @@ -756,8 +756,6 @@ def test_ksr_common(servers): # test zone is correctly signed # - check rndc dnssec -status output isctest.kasp.check_dnssecstatus(ns1, zone, overlapping_zsks, policy=policy) - # - zone is signed - isctest.kasp.check_zone_is_signed(ns1, zone) # - dnssec_verify isctest.kasp.check_dnssec_verify(ns1, zone) # - check keys @@ -831,8 +829,6 @@ def test_ksr_lastbundle(servers): # test zone is correctly signed # - check rndc dnssec -status output isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy) - # - zone is signed - isctest.kasp.check_zone_is_signed(ns1, zone) # - dnssec_verify isctest.kasp.check_dnssec_verify(ns1, zone) # - check keys @@ -911,8 +907,6 @@ def test_ksr_inthemiddle(servers): # test zone is correctly signed # - check rndc dnssec -status output isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy) - # - zone is signed - isctest.kasp.check_zone_is_signed(ns1, zone) # - dnssec_verify isctest.kasp.check_dnssec_verify(ns1, zone) # - check keys @@ -1106,8 +1100,6 @@ def test_ksr_unlimited(servers): # test zone is correctly signed # - check rndc dnssec -status output isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy) - # - zone is signed - isctest.kasp.check_zone_is_signed(ns1, zone) # - dnssec_verify isctest.kasp.check_dnssec_verify(ns1, zone) # - check keys @@ -1218,8 +1210,6 @@ def test_ksr_twotone(servers): # test zone is correctly signed # - check rndc dnssec -status output isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy) - # - zone is signed - isctest.kasp.check_zone_is_signed(ns1, zone) # - dnssec_verify isctest.kasp.check_dnssec_verify(ns1, zone) # - check keys @@ -1298,8 +1288,6 @@ def test_ksr_kskroll(servers): # test zone is correctly signed # - check rndc dnssec -status output isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy) - # - zone is signed - isctest.kasp.check_zone_is_signed(ns1, zone) # - dnssec_verify isctest.kasp.check_dnssec_verify(ns1, zone) # - check keys