mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-03 16:15:27 +00:00

Use common test functions for three-is-a-crowd test

Previously, a lot of the checking was re-implemented and duplicated from
check_rollover_step(). Use that function where possible and only
override the needed checks.
Nicki Křížek
2025-06-10 16:03:26 +02:00
parent bd5a55c5b7
commit d6dffe6603
2 changed files with 37 additions and 36 deletions


@@ -1168,7 +1168,7 @@ def check_subdomain(
def check_rollover_step(server, config, policy, step): def check_rollover_step(server, config, policy, step):
zone = step["zone"] zone = step["zone"]
keyprops = step["keyprops"] keyprops = step["keyprops"]
nextev = step["nextev"] nextev = step.get("nextev", None)
cdss = step.get("cdss", None) cdss = step.get("cdss", None)
keyrelationships = step.get("keyrelationships", None) keyrelationships = step.get("keyrelationships", None)
smooth = step.get("smooth", False) smooth = step.get("smooth", False)
@@ -1244,7 +1244,8 @@ def check_rollover_step(server, config, policy, step):
def check_next_key_event(): def check_next_key_event():
return next_key_event_equals(server, zone, nextev) return next_key_event_equals(server, zone, nextev)
isctest.run.retry_with_timeout(check_next_key_event, timeout=5) if nextev is not None:
isctest.run.retry_with_timeout(check_next_key_event, timeout=5)
def verify_update_is_signed(server, fqdn, qname, qtype, rdata, ksks, zsks, tsig=None): def verify_update_is_signed(server, fqdn, qname, qtype, rdata, ksks, zsks, tsig=None):
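Review bot: Reading the key with `step.get("nextev", None)` and guarding the retry with `if nextev is not None:` means a step dict that misspells or forgets `nextev` now skips the next-key-event check silently, so a rollover-timing regression in that step would pass unnoticed. An `else` branch that records the skip, for example `isctest.log.info(f"{zone}: no nextev in step, next key event not checked")`, would keep the omission visible in the test log. No docstring is visible for check_rollover_step in this section; one that names the required step keys (`zone`, `keyprops`) and the optional ones (`nextev`, `cdss`, `keyrelationships`, `smooth`) with their defaults would make the contract explicit for test authors. The function body continues outside both hunks, so this is based only on the lines shown.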


@@ -564,51 +564,52 @@ def test_rollover_ksk_doubleksk(servers):
iret = Iret(config, zsk=False, ksk=True) iret = Iret(config, zsk=False, ksk=True)
# Test #2375: Scheduled rollovers are happening faster than they can finish. # Test #2375: Scheduled rollovers are happening faster than they can finish.
zone = "three-is-a-crowd.kasp"
isctest.log.info( isctest.log.info(
"check that fast rollovers do not remove dependent keys from zone (#2375)" "check that fast rollovers do not remove dependent keys from zone (#2375)"
) )
offset1 = -int(timedelta(days=60).total_seconds()) offset1 = -int(timedelta(days=60).total_seconds())
offset2 = -int(timedelta(hours=27).total_seconds()) offset2 = -int(timedelta(hours=27).total_seconds())
isctest.kasp.check_dnssec_verify(server, zone) zone = "three-is-a-crowd.kasp"
keyprops = [ step = {
f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offset1}", "zone": zone,
f"ksk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offset2}", "cdss": cdss,
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offset1}", "keyprops": [
] f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offset1}",
expected = isctest.kasp.policy_to_properties(ttl, keyprops) f"ksk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offset2}",
keys = isctest.kasp.keydir_to_keylist(zone, server.identifier) f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offset1}",
ksks = [k for k in keys if k.is_ksk()] ],
zsks = [k for k in keys if not k.is_ksk()] "keyrelationships": [0, 1],
isctest.kasp.check_keys(zone, keys, expected) }
expected[0].metadata["Successor"] = expected[1].key.tag isctest.kasp.check_rollover_step(servers["ns3"], config, policy, step)
expected[1].metadata["Predecessor"] = expected[0].key.tag
isctest.kasp.check_keyrelationships(keys, expected)
for kp in expected:
kp.set_expected_keytimes(config, offset=None)
isctest.kasp.check_keytimes(keys, expected)
isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy)
isctest.kasp.check_apex(server, zone, ksks, zsks, cdss=cdss)
isctest.kasp.check_subdomain(server, zone, ksks, zsks)
# Rollover successor KSK (with DS in rumoured state). # Rollover successor KSK (with DS in rumoured state).
expected = isctest.kasp.policy_to_properties(ttl, step["keyprops"])
keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
isctest.kasp.check_keys(zone, keys, expected)
key = expected[1].key key = expected[1].key
now = KeyTimingMetadata.now() now = KeyTimingMetadata.now()
with server.watch_log_from_here() as watcher: with server.watch_log_from_here() as watcher:
server.rndc(f"dnssec -rollover -key {key.tag} -when {now} {zone}") server.rndc(f"dnssec -rollover -key {key.tag} -when {now} {zone}")
watcher.wait_for_line(f"keymgr: {zone} done") watcher.wait_for_line(f"keymgr: {zone} done")
isctest.kasp.check_dnssec_verify(server, zone)
# We now expect four keys (3x KSK, 1x ZSK). # We now expect four keys (3x KSK, 1x ZSK).
keyprops = [ step = {
f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offset1}", "zone": zone,
f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offset2}", "cdss": cdss,
f"ksk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden offset:0", "keyprops": [
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offset1}", f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offset1}",
] f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offset2}",
expected = isctest.kasp.policy_to_properties(ttl, keyprops) f"ksk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden offset:0",
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offset1}",
],
"check-keytimes": False, # checked manually with modified values
}
isctest.kasp.check_rollover_step(servers["ns3"], config, policy, step)
expected = isctest.kasp.policy_to_properties(ttl, step["keyprops"])
keys = isctest.kasp.keydir_to_keylist(zone, server.identifier) keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
ksks = [k for k in keys if k.is_ksk()]
zsks = [k for k in keys if not k.is_ksk()]
isctest.kasp.check_keys(zone, keys, expected) isctest.kasp.check_keys(zone, keys, expected)
expected[0].metadata["Successor"] = expected[1].key.tag expected[0].metadata["Successor"] = expected[1].key.tag
expected[1].metadata["Predecessor"] = expected[0].key.tag expected[1].metadata["Predecessor"] = expected[0].key.tag
# Three is a crowd scenario. # Three is a crowd scenario.
@@ -617,10 +618,9 @@ def test_rollover_ksk_doubleksk(servers):
isctest.kasp.check_keyrelationships(keys, expected) isctest.kasp.check_keyrelationships(keys, expected)
for kp in expected: for kp in expected:
kp.set_expected_keytimes(config, offset=None) kp.set_expected_keytimes(config, offset=None)
# The first successor KSK is already being retired. # The first successor KSK is already being retired.
expected[1].timing["Retired"] = now + ipub expected[1].timing["Retired"] = now + ipub
expected[1].timing["Removed"] = now + ipub + iret expected[1].timing["Removed"] = now + ipub + iret
isctest.kasp.check_keytimes(keys, expected) isctest.kasp.check_keytimes(keys, expected)
isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy)
isctest.kasp.check_apex(server, zone, ksks, zsks, cdss=cdss)
isctest.kasp.check_subdomain(server, zone, ksks, zsks)
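Review bot: Both new calls pass `servers["ns3"]` to `check_rollover_step`, while every neighbouring line in this test works on `server` (`server.identifier`, `server.rndc(...)`, `server.watch_log_from_here()`). The binding of `server` is outside this section, so if it ever points at a different instance the helper would verify one server while the rollover is triggered on another. Passing the same name keeps the two tied together: `isctest.kasp.check_rollover_step(server, config, policy, step)`. The first step dict also carries no `nextev`, so the next-key-event check is not run for this zone; a short comment next to the dict saying that this is intentional would help the next reader. test_rollover_ksk_doubleksk starts before the first hunk, so the above rests on the visible lines only.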