From e17b7ee05aebeedbbbf8fc581eb9ae472a63e88a Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Thu, 7 Nov 2019 09:09:28 -0800
Subject: [PATCH] temporarily disable jitter tests in the 'autosign' system test

the current method used for testing distribution of signatures is failure-prone. we need to replace it with something both effective and portable, but in the meantime we're commenting out the jitter test.
---
 bin/tests/system/autosign/tests.sh | 91 ++++++++++++++++++------------
 1 file changed, 55 insertions(+), 36 deletions(-)
diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh
index a5fba84ab9..f64e8ba4c8 100755
--- a/bin/tests/system/autosign/tests.sh
+++ b/bin/tests/system/autosign/tests.sh
@@ -373,14 +373,24 @@ done
 n=`expr $n + 1`
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=`expr $status + $ret`
-# Check jitter distribution.
-echo_i "checking expired signatures were jittered correctly ($n)"
-ret=0
-$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
-checkjitter dig.out.ns3.test$n || ret=1
-n=`expr $n + 1`
-if [ $ret != 0 ]; then echo_i "failed"; fi
-status=`expr $status + $ret`
+
+# XXX temporarily disable jitter test below until we have a better and more
+# portable method for evaluating the evenness of the distribution.
+if false; then
+
+ # Check jitter distribution.
+ echo_i "checking expired signatures were jittered correctly ($n)"
+ ret=0
+ $DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
+ checkjitter dig.out.ns3.test$n || ret=1
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+
+# XXX temporarily disabled
+else
+ echowarn "I:autosign:jitter tests disabled"
+fi
 echo_i "checking NSEC->NSEC3 conversion succeeded ($n)"
 ret=0
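Review bot: The `# XXX temporarily disable jitter test` comment names no tracking issue or re-enable condition, so the skipped check on how RRSIG expiry is spread for oldsigs.example can stay off unnoticed; add a reference such as `# XXX disabled pending <TRACKING-ISSUE>; re-enable once checkjitter is replaced`. The `else` branch prints the same `echowarn "I:autosign:jitter tests disabled"` text as the second hunk, so the test log cannot tell which check was skipped; naming the zone would fix that, e.g. `echowarn "I:autosign:jitter test for oldsigs.example disabled"`. The hard-coded `I:autosign:` prefix also differs from the `echo_i` helper used on every other line of the hunk, which presumably supplies that prefix itself.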
@@ -984,35 +994,44 @@ n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` -echo_i "checking jitter in a newly signed NSEC3 zone ($n)" -ret=0 -# Use DNS UPDATE to add an NSEC3PARAM record into the zone. -$NSUPDATE > nsupdate.out.test$n 2>&1 < nsupdate.out.test$n 2>&1 <<-END || ret=1 + server 10.53.0.3 ${PORT} + zone jitter.nsec3.example. + update add jitter.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF + send END -[ $ret != 0 ] && echo_i "error: dynamic update add NSEC3PARAM failed" -# Create DNSSEC keys in the zone directory. -$KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > /dev/null -# Trigger zone signing. -$RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i -# Wait until zone has been signed. -for i in 0 1 2 3 4 5 6 7 8 9; do - failed=0 - $DIG $DIGOPTS axfr jitter.nsec3.example @10.53.0.3 > dig.out.ns3.test$n || failed=1 - grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || failed=1 - [ $failed -eq 0 ] && break - echo_i "waiting ... ($i)" - sleep 2 -done -[ $failed != 0 ] && echo_i "error: no NSEC3PARAM found in AXFR" && ret=1 -# Check jitter distribution. -checkjitter dig.out.ns3.test$n || ret=1 -n=`expr $n + 1` -if [ $ret != 0 ]; then echo_i "failed"; fi -status=`expr $status + $ret` + [ $ret != 0 ] && echo_i "error: dynamic update add NSEC3PARAM failed" + # Create DNSSEC keys in the zone directory. + $KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > /dev/null + # Trigger zone signing. + $RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i + # Wait until zone has been signed. + for i in 0 1 2 3 4 5 6 7 8 9; do + failed=0 + $DIG $DIGOPTS axfr jitter.nsec3.example @10.53.0.3 > dig.out.ns3.test$n || failed=1 + grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || failed=1 + [ $failed -eq 0 ] && break + echo_i "waiting ... ($i)" + sleep 2 + done + [ $failed != 0 ] && echo_i "error: no NSEC3PARAM found in AXFR" && ret=1 + # Check jitter distribution. 
+ checkjitter dig.out.ns3.test$n || ret=1 + n=`expr $n + 1` + if [ $ret != 0 ]; then echo_i "failed"; fi + status=`expr $status + $ret` + +# XXX temporarily disabled +else + echowarn "I:autosign:jitter tests disabled" +fi echo_i "checking that serial number and RRSIGs are both updated (rt21045) ($n)" ret=0
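Review bot: The skipped side of this hunk holds more than the jitter check: the NSEC3PARAM dynamic update, the `$KEYGEN` call, `$RNDCCMD 10.53.0.3 sign` and the wait loop that reports `error: no NSEC3PARAM found in AXFR` are all indented into it, so a failure to sign a zone newly converted to NSEC3 would no longer be reported. The commit message describes only the distribution test as failure-prone, which is the single line `checkjitter dig.out.ns3.test$n || ret=1`; consider leaving the setup and its checks running and guarding just that call, e.g. `if false; then checkjitter dig.out.ns3.test$n || ret=1; else echowarn "I:autosign:jitter tests disabled"; fi`. The opening of the guard is not legible in this hunk as shown, so this assumes it mirrors the `if false; then` of the first hunk. Whether later tests depend on jitter.nsec3.example having been signed is not visible here and is worth checking before this lands.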