mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 14:07:59 +00:00
Code Issues Releases Wiki Activity

temporarily disable jitter tests in the 'autosign' system test

Browse Source 
the current method used for testing distribution of signatures
is failure-prone. we need to replace it with something both
effective and portable, but in the meantime we're commenting
out the jitter test.
This commit is contained in:
Evan Hunt
2019-11-07 09:09:28 -08:00
parent 65860c8000
commit e17b7ee05a
1 changed files with 55 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

91
bin/tests/system/autosign/tests.sh
View File

@@ -373,14 +373,24 @@ done
n=`expr $n + 1` n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
# Check jitter distribution.
echo_i "checking expired signatures were jittered correctly ($n)" # XXX temporarily disable jitter test below until we have a better and more
ret=0 # portable method for evaluating the evenness of the distribution.
$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 if false; then
checkjitter dig.out.ns3.test$n || ret=1
n=`expr $n + 1` # Check jitter distribution.
if [ $ret != 0 ]; then echo_i "failed"; fi echo_i "checking expired signatures were jittered correctly ($n)"
status=`expr $status + $ret` ret=0
$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
checkjitter dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
# XXX temporarily disabled
else
echowarn "I:autosign:jitter tests disabled"
fi
echo_i "checking NSEC->NSEC3 conversion succeeded ($n)" echo_i "checking NSEC->NSEC3 conversion succeeded ($n)"
ret=0 ret=0
@@ -984,35 +994,44 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
echo_i "checking jitter in a newly signed NSEC3 zone ($n)" # XXX temporarily disable jitter test below until we have a better and more
ret=0 # portable method for evaluating the evenness of the distribution.
# Use DNS UPDATE to add an NSEC3PARAM record into the zone. if false; then
$NSUPDATE > nsupdate.out.test$n 2>&1 <<END || ret=1
server 10.53.0.3 ${PORT} echo_i "checking jitter in a newly signed NSEC3 zone ($n)"
zone jitter.nsec3.example. ret=0
update add jitter.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF # Use DNS UPDATE to add an NSEC3PARAM record into the zone.
send $NSUPDATE > nsupdate.out.test$n 2>&1 <<-END || ret=1
server 10.53.0.3 ${PORT}
zone jitter.nsec3.example.
update add jitter.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
END END
[ $ret != 0 ] && echo_i "error: dynamic update add NSEC3PARAM failed" [ $ret != 0 ] && echo_i "error: dynamic update add NSEC3PARAM failed"
# Create DNSSEC keys in the zone directory. # Create DNSSEC keys in the zone directory.
$KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > /dev/null $KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > /dev/null
# Trigger zone signing. # Trigger zone signing.
$RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i $RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i
# Wait until zone has been signed. # Wait until zone has been signed.
for i in 0 1 2 3 4 5 6 7 8 9; do for i in 0 1 2 3 4 5 6 7 8 9; do
failed=0 failed=0
$DIG $DIGOPTS axfr jitter.nsec3.example @10.53.0.3 > dig.out.ns3.test$n || failed=1 $DIG $DIGOPTS axfr jitter.nsec3.example @10.53.0.3 > dig.out.ns3.test$n || failed=1
grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || failed=1 grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || failed=1
[ $failed -eq 0 ] && break [ $failed -eq 0 ] && break
echo_i "waiting ... ($i)" echo_i "waiting ... ($i)"
sleep 2 sleep 2
done done
[ $failed != 0 ] && echo_i "error: no NSEC3PARAM found in AXFR" && ret=1 [ $failed != 0 ] && echo_i "error: no NSEC3PARAM found in AXFR" && ret=1
# Check jitter distribution. # Check jitter distribution.
checkjitter dig.out.ns3.test$n || ret=1 checkjitter dig.out.ns3.test$n || ret=1
n=`expr $n + 1` n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret` status=`expr $status + $ret`
# XXX temporarily disabled
else
echowarn "I:autosign:jitter tests disabled"
fi
echo_i "checking that serial number and RRSIGs are both updated (rt21045) ($n)" echo_i "checking that serial number and RRSIGs are both updated (rt21045) ($n)"
ret=0 ret=0