diff --git a/bin/tests/system/isctest/kasp.py b/bin/tests/system/isctest/kasp.py index b846786c03..74561aea2d 100644 --- a/bin/tests/system/isctest/kasp.py +++ b/bin/tests/system/isctest/kasp.py @@ -1168,7 +1168,7 @@ def check_subdomain( def check_rollover_step(server, config, policy, step): zone = step["zone"] keyprops = step["keyprops"] - nextev = step["nextev"] + nextev = step.get("nextev", None) cdss = step.get("cdss", None) keyrelationships = step.get("keyrelationships", None) smooth = step.get("smooth", False) @@ -1244,7 +1244,8 @@ def check_rollover_step(server, config, policy, step): def check_next_key_event(): return next_key_event_equals(server, zone, nextev) - isctest.run.retry_with_timeout(check_next_key_event, timeout=5) + if nextev is not None: + isctest.run.retry_with_timeout(check_next_key_event, timeout=5) def verify_update_is_signed(server, fqdn, qname, qtype, rdata, ksks, zsks, tsig=None): diff --git a/bin/tests/system/rollover/tests_rollover.py b/bin/tests/system/rollover/tests_rollover.py index 5a794d9e6e..02f07969b2 100644 --- a/bin/tests/system/rollover/tests_rollover.py +++ b/bin/tests/system/rollover/tests_rollover.py @@ -564,51 +564,52 @@ def test_rollover_ksk_doubleksk(servers): iret = Iret(config, zsk=False, ksk=True) # Test #2375: Scheduled rollovers are happening faster than they can finish. - zone = "three-is-a-crowd.kasp" isctest.log.info( "check that fast rollovers do not remove dependent keys from zone (#2375)" ) offset1 = -int(timedelta(days=60).total_seconds()) offset2 = -int(timedelta(hours=27).total_seconds()) - isctest.kasp.check_dnssec_verify(server, zone) - keyprops = [ - f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offset1}", - f"ksk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offset2}", - f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offset1}", - ] - expected = isctest.kasp.policy_to_properties(ttl, keyprops) - keys = isctest.kasp.keydir_to_keylist(zone, server.identifier) - ksks = [k for k in keys if k.is_ksk()] - zsks = [k for k in keys if not k.is_ksk()] - isctest.kasp.check_keys(zone, keys, expected) - expected[0].metadata["Successor"] = expected[1].key.tag - expected[1].metadata["Predecessor"] = expected[0].key.tag - isctest.kasp.check_keyrelationships(keys, expected) - for kp in expected: - kp.set_expected_keytimes(config, offset=None) - isctest.kasp.check_keytimes(keys, expected) - isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy) - isctest.kasp.check_apex(server, zone, ksks, zsks, cdss=cdss) - isctest.kasp.check_subdomain(server, zone, ksks, zsks) + zone = "three-is-a-crowd.kasp" + step = { + "zone": zone, + "cdss": cdss, + "keyprops": [ + f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offset1}", + f"ksk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offset2}", + f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offset1}", + ], + "keyrelationships": [0, 1], + } + isctest.kasp.check_rollover_step(servers["ns3"], config, policy, step) + # Rollover successor KSK (with DS in rumoured state). + expected = isctest.kasp.policy_to_properties(ttl, step["keyprops"]) + keys = isctest.kasp.keydir_to_keylist(zone, server.identifier) + isctest.kasp.check_keys(zone, keys, expected) key = expected[1].key now = KeyTimingMetadata.now() with server.watch_log_from_here() as watcher: server.rndc(f"dnssec -rollover -key {key.tag} -when {now} {zone}") watcher.wait_for_line(f"keymgr: {zone} done") - isctest.kasp.check_dnssec_verify(server, zone) + # We now expect four keys (3x KSK, 1x ZSK). - keyprops = [ - f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offset1}", - f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offset2}", - f"ksk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden offset:0", - f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offset1}", - ] - expected = isctest.kasp.policy_to_properties(ttl, keyprops) + step = { + "zone": zone, + "cdss": cdss, + "keyprops": [ + f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offset1}", + f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offset2}", + f"ksk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden offset:0", + f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offset1}", + ], + "check-keytimes": False, # checked manually with modified values + } + isctest.kasp.check_rollover_step(servers["ns3"], config, policy, step) + + expected = isctest.kasp.policy_to_properties(ttl, step["keyprops"]) keys = isctest.kasp.keydir_to_keylist(zone, server.identifier) - ksks = [k for k in keys if k.is_ksk()] - zsks = [k for k in keys if not k.is_ksk()] isctest.kasp.check_keys(zone, keys, expected) + expected[0].metadata["Successor"] = expected[1].key.tag expected[1].metadata["Predecessor"] = expected[0].key.tag # Three is a crowd scenario. @@ -617,10 +618,9 @@ def test_rollover_ksk_doubleksk(servers): isctest.kasp.check_keyrelationships(keys, expected) for kp in expected: kp.set_expected_keytimes(config, offset=None) + # The first successor KSK is already being retired. expected[1].timing["Retired"] = now + ipub expected[1].timing["Removed"] = now + ipub + iret + isctest.kasp.check_keytimes(keys, expected) - isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy) - isctest.kasp.check_apex(server, zone, ksks, zsks, cdss=cdss) - isctest.kasp.check_subdomain(server, zone, ksks, zsks)