mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 14:07:59 +00:00
Code Issues Releases Wiki Activity

Remove dupsigs system test

Browse Source 
This test uses key timing metadata to do rollovers, this is no longer
applicable with 'dnssec-policy'. Note that with 'dnssec-policy' key
timing metadata is still written, but it is not used for determining
what and when to do key rollovers.
This commit is contained in:
Matthijs Mekking
2023-06-27 16:25:30 +02:00
parent f0c164954e
commit ee3ae4d7d5
12 changed files with 0 additions and 493 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
bin/tests/system/Makefile.am
View File

@@ -104,7 +104,6 @@ TESTS += \
dlzexternal \
dns64 \
dsdigest \
dupsigs \
dyndb \
ecdsa \
eddsa \

1
bin/tests/system/conf.sh.common
View File

@@ -42,7 +42,6 @@ export LANG=C
PARALLEL_COMMON="
rpzrecurse
serve-stale
dupsigs
acl
additional
addzone

1
bin/tests/system/conftest.py
View File

@@ -96,7 +96,6 @@ else:
PORTS_PER_TEST = 20
PRIORITY_TESTS = [
# Tests that are scheduled first. Speeds up parallel execution.
"dupsigs/",
"rpz/",
"rpzrecurse/",
"serve-stale/",

206
bin/tests/system/dupsigs/check_journal.pl
View File

@@ -1,206 +0,0 @@
#!/usr/bin/env perl
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
use strict;
use warnings;
sub process_changeset;
my @changeset;
while( my $line = <> ) {
chomp $line;
if( $line =~ /^(?<op>add|del) (?<label>\S+)\s+(?<ttl>\d+)\s+IN\s+(?<rrtype>\S+)\s+(?<rdata>.*)/ ) {
my $change = {
op => $+{op},
label => $+{label},
ttl => $+{ttl},
rrtype => $+{rrtype},
rdata => $+{rdata},
};
if( $change->{op} eq 'del' and $change->{rrtype} eq 'SOA' ) {
if( @changeset ) {
process_changeset( @changeset );
@changeset = ();
}
}
push @changeset, $change;
}
else {
die "error parsing journal data";
}
}
if( @changeset ) {
process_changeset( @changeset );
}
{
my %rrsig_db;
my %keys;
my $apex;
sub process_changeset {
my @changeset = @_;
if( not $apex ) {
# the first record of the first changeset is guaranteed to be the apex
$apex = $changeset[0]{label};
}
my $newserial;
my %touched_rrsigs;
my %touched_keys;
foreach my $change( @changeset ) {
if( $change->{rrtype} eq 'SOA' ) {
if( $change->{op} eq 'add' ) {
if( $change->{rdata} !~ /^\S+ \S+ (?<serial>\d+)/ ) {
die "unable to parse SOA";
}
$newserial = $+{serial};
}
}
elsif( $change->{rrtype} eq 'NSEC' ) {
; # do nothing
}
elsif( $change->{rrtype} eq 'DNSKEY' ) {
; # ignore for now
}
elsif( $change->{rrtype} eq 'TYPE65534' and $change->{label} eq $apex ) {
# key status
if( $change->{rdata} !~ /^\\# (?<datasize>\d+) (?<data>[0-9A-F]+)$/ ) {
die "unable to parse key status record";
}
my $datasize = $+{datasize};
my $data = $+{data};
if( $datasize == 5 ) {
my( $alg, $id, $flag_del, $flag_done ) = unpack 'CnCC', pack( 'H10', $data );
if( $change->{op} eq 'add' ) {
if( not exists $keys{$id} ) {
$touched_keys{$id} //= 1;
$keys{$id} = {
$data => 1,
rrs => 1,
done_signing => $flag_done,
deleting => $flag_del,
};
}
else {
if( not exists $keys{$id}{$data} ) {
my $keydata = $keys{$id};
$touched_keys{$id} = { %$keydata };
$keydata->{rrs}++;
$keydata->{$data} = 1;
$keydata->{done_signing} += $flag_done;
$keydata->{deleting} += $flag_del;
}
}
}
else {
# this logic relies upon the convention that there won't
# ever be multiple records with the same flag set
if( exists $keys{$id} ) {
my $keydata = $keys{$id};
if( exists $keydata->{$data} ) {
$touched_keys{$id} = { %$keydata };
$keydata->{rrs}--;
delete $keydata->{$data};
$keydata->{done_signing} -= $flag_done;
$keydata->{deleting} -= $flag_del;
if( $keydata->{rrs} == 0 ) {
delete $keys{$id};
}
}
}
}
}
else {
die "unexpected key status record content";
}
}
elsif( $change->{rrtype} eq 'RRSIG' ) {
if( $change->{rdata} !~ /^(?<covers>\S+) \d+ \d+ \d+ (?<validity_end>\d+) (?<validity_start>\d+) (?<signing_key>\d+)/ ) {
die "unable to parse RRSIG rdata";
}
$change->{covers} = $+{covers};
$change->{validity_end} = $+{validity_end};
$change->{validity_start} = $+{validity_start};
$change->{signing_key} = $+{signing_key};
my $db_key = $change->{label} . ':' . $change->{covers};
$rrsig_db{$db_key} //= {};
$touched_rrsigs{$db_key} = 1;
if( $change->{op} eq 'add' ) {
$rrsig_db{$db_key}{ $change->{signing_key} } = 1;
}
else {
# del
delete $rrsig_db{$db_key}{ $change->{signing_key} };
}
}
}
foreach my $key_id( sort keys %touched_keys ) {
my $old_data;
my $new_data;
if( ref $touched_keys{$key_id} ) {
$old_data = $touched_keys{$key_id};
}
if( exists $keys{$key_id} ) {
$new_data = $keys{$key_id};
}
if( $old_data ) {
if( $new_data ) {
print "at serial $newserial key $key_id status changed from ($old_data->{deleting},$old_data->{done_signing}) to ($new_data->{deleting},$new_data->{done_signing})\n";
}
else {
print "at serial $newserial key $key_id status removed from zone\n";
}
}
else {
print "at serial $newserial key $key_id status added with flags ($new_data->{deleting},$new_data->{done_signing})\n";
}
}
foreach my $rrsig_id( sort keys %touched_rrsigs ) {
my $n_signing_keys = keys %{ $rrsig_db{$rrsig_id} };
if( $n_signing_keys == 0 ) {
print "at serial $newserial $rrsig_id went unsigned\n";
}
elsif( $n_signing_keys > 1 ) {
my @signing_keys = sort { $a <=> $b } keys %{ $rrsig_db{$rrsig_id} };
print "at serial $newserial $rrsig_id was signed too many times, keys (@signing_keys)\n";
}
}
}
}

24
bin/tests/system/dupsigs/clean.sh
View File

@@ -1,24 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
rm -f dig.out*
rm -f ns1/named.conf
rm -f ns1/named.lock
rm -f ns1/named.memstats
rm -f ns1/named.run
rm -f ns1/signing.test.db
rm -f ns1/signing.test.db.jbk
rm -f ns1/signing.test.db.signed
rm -f ns1/signing.test.db.signed.jnl
rm -f ns1/keys/signing.test/K*
rm -f ns1/managed-keys.bind*

1
bin/tests/system/dupsigs/ns1/named.args
View File

@@ -1 +0,0 @@
-D dupsigs-ns1 -X named.lock -m record -c named.conf -d 99 -g -U 4 -T maxcachesize=2097152 -T sigvalinsecs

34
bin/tests/system/dupsigs/ns1/named.conf.in
View File

@@ -1,34 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
recursion no;
max-journal-size unlimited;
port @PORT@;
listen-on { 10.53.0.1; };
listen-on-v6 { none; };
pid-file "named.pid";
dnssec-validation no;
};
zone "signing.test" {
type primary;
masterfile-format text;
allow-update { any; };
file "signing.test.db";
update-check-ksk yes;
key-directory "keys/signing.test";
inline-signing yes;
auto-dnssec maintain;
sig-validity-interval 20 5;
};

99
bin/tests/system/dupsigs/ns1/reset_keys.sh
View File

@@ -1,99 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
. ../../conf.sh
zone=signing.test
rm -rf keys/signing.test
mkdir -p keys/signing.test
timetodnssec() {
$PERL -e 'my ($S,$M,$H,$d,$m,$y,$x) = gmtime(@ARGV[0]);
printf("%04u%02u%02u%02u%02u%02u\n", $y+1900,$m+1,$d,$H,$M,$S);' ${1}
}
KEYDIR=keys/signing.test
KSK=$($KEYGEN -a RSASHA256 -K $KEYDIR -q -f KSK $zone)
ZSK0=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK1=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK2=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK3=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK4=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK5=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK6=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK7=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK8=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
ZSK9=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
# clear all times on all keys
for FILEN in keys/signing.test/*.key
do
$SETTIME -P none -A none -R none -I none -D none $FILEN
done
BASE=$(date +%s)
BASET=$(timetodnssec $BASE)
# reset the publish and activation time on the KSK
$SETTIME -P $BASET -A $BASET $KEYDIR/$KSK
# reset the publish and activation time on the first ZSK
$SETTIME -P $BASET -A $BASET $KEYDIR/$ZSK0
# schedule the first roll
R1=$((BASE + 50))
R1T=$(timetodnssec $R1)
$SETTIME -I $R1T $KEYDIR/$ZSK0
$SETTIME -P $BASET -A $R1T $KEYDIR/$ZSK1
# schedule the second roll (which includes the delete of the first key)
R2=$((R1 + 50))
R2T=$(timetodnssec $R2)
DT=$R2
DTT=$(timetodnssec $DT)
$SETTIME -D $DTT $KEYDIR/$ZSK0
$SETTIME -I $R2T $KEYDIR/$ZSK1
$SETTIME -P $R1T -A $R2T $KEYDIR/$ZSK2
# schedule the third roll
R3=$((R2 + 25))
R3T=$(timetodnssec $R3)
$SETTIME -D $R3T $KEYDIR/$ZSK1
$SETTIME -I $R3T $KEYDIR/$ZSK2
$SETTIME -P $R2T -A $R3T $KEYDIR/$ZSK3
$SETTIME -P $R3T $KEYDIR/$ZSK4
echo KSK=$KSK
echo ZSK0=$ZSK0
echo ZSK1=$ZSK1
echo ZSK2=$ZSK2
echo ZSK3=$ZSK3
echo ZSK4=$ZSK4
exit
# schedule the fourth roll
# this isn't long enough for the signing to complete and would result in
# duplicate signatures, see
# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/231#note_9597
R4=$((R3 + 10))
R4T=$(timetodnssec $R4)
$SETTIME -D $R4T $KEYDIR/$ZSK2
$SETTIME -I $R4T $KEYDIR/$ZSK3
$SETTIME -P $R3T -A $R4T $KEYDIR/$ZSK4

18
bin/tests/system/dupsigs/ns1/signing.test.db.in
View File

@@ -1,18 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 3600
@ IN SOA ns root.ns 1996072700 3600 1800 86400 60
@ NS ns
ns A 127.0.0.1
ns AAAA ::1
$GENERATE 0-499 a${0,4,d} AAAA ::$

23
bin/tests/system/dupsigs/setup.sh
View File

@@ -1,23 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
. ../conf.sh
$SHELL clean.sh
test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
copy_setports ns1/named.conf.in ns1/named.conf
cp -f ns1/signing.test.db.in ns1/signing.test.db
(cd ns1; $SHELL ./reset_keys.sh)

71
bin/tests/system/dupsigs/tests.sh
View File

@@ -1,71 +0,0 @@
#!/bin/sh
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
. ../conf.sh
status=0
# Wait for the zone to be fully signed before beginning test
#
# We expect the zone to have the following:
#
# - 5 signatures for signing.test.
# - 3 signatures for ns.signing.test.
# - 2 x 500 signatures for a{0000-0499}.signing.test.
#
# for a total of 1008.
fully_signed () {
$DIG axfr signing.test -p ${PORT} @10.53.0.1 > "dig.out.ns1.axfr"
awk 'BEGIN { lines = 0 }
$4 == "RRSIG" {lines++}
END { if (lines != 1008) exit(1) }' < "dig.out.ns1.axfr"
}
# Wait for the last NSEC record in the zone to be signed. This is a lightweight
# alternative to avoid many AXFR requests while waiting for the zone to be
# fully signed.
_wait_for_last_nsec_signed() {
$DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec > "dig.out.ns1.wait" || return 1
grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" > /dev/null || return 1
return 0
}
echo_i "wait for the zone to be fully signed"
retry_quiet 60 _wait_for_last_nsec_signed
retry_quiet 10 fully_signed || status=1
if [ $status != 0 ]; then echo_i "failed"; fi
start=$(date +%s)
now=$start
end=$((start + 140))
while [ $now -lt $end ] && [ $status -eq 0 ]; do
et=$((now - start))
echo_i "............... $et ............"
$JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i
$DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et
awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i
lines=$(awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l)
if [ ${et} -ne 0 -a ${lines} -ne 1008 ]
then
echo_i "failed"
status=$((status + 1))
fi
sleep 5
now=$(date +%s)
done
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1

14
bin/tests/system/dupsigs/tests_sh_dupsigs.py
View File

@@ -1,14 +0,0 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
def test_dupsigs(run_tests_sh):
run_tests_sh()