This improves keytime testing on CSK rollover. It now
tests for specific times, and also tests for SyncPublish and
Removed keytimes.
Since an "active key" for ZSK and KSK means something
different, this makes it tricky to decide when a CSK is
active. An "active key" intuitively means the key is signing
so we say a CSK is active when it is creating zone signatures.
This change means a lot of timings for the CSK rollover tests
need to be adjusted.
The keymgr code needs a slight change on calculating the
prepublication time: For a KSK we need to include the parent
registration delay, but for CSK we look at the zone signing
property and stick with the ZSK prepublication calculation.
Registration delay is not part of the Iret retire interval, thus
removed from the calculation when setting the Delete time metadata.
Include the registration delay in prepublication time, because
we need to prepublish the key sooner than just the Ipub
publication interval.
This commit adds testing keytiming metadata. In order to facilitate
this, the kasp system test undergoes a few changes:
1. When finding a key file, rather than only saving the key ID,
also save the base filename and creation date with `key_save`.
These can be used later to set expected key times.
2. Add a test function `set_addkeytime` that takes a key, which
keytiming to update, a datetime in keytiming format, and a number
(seconds) to add, and sets the new time in the given keytime
parameter of the given key. This is used to set the expected key
times.
3. Split `check_keys` in `check_keys` and `check_keytimes`. First we
need to find the keyfile before we can check the keytimes.
We need to retrieve the creation date (and sometimes other
keytimes) to determine the other expected key times.
4. Add helper functions to set the expected key times per policy.
This avoids lots of duplication.
Check for keytimes for the first test cases (all that do not cover
rollovers).
After removing dnssec-settime calls that set key rollover
relationship, we can adjust the counts in test output filenames.
Also fix a couple of more wrong counts in output filenames.
Using dnssec-setttime after dnssec-keygen in the kasp system test
can lead to off by one second failures, so reduce the usage of
dnssec-settime in the setup scripts. This commit deals with
setting the key rollover relationship (predecessor/successor).
In the kasp system test, we are going to set the keytimes on
dnssec-keygen so we can test them against the key creation time.
This prevents off by one second in the test, something that can
happen if you set those times with dnssec-settime after
dnssec-keygen.
Also fix some test output filenames.
While kasp relies on key states to determine when a key needs to
be published or be used for signing, the keytimes are used by
operators to get some expectation of key publication and usage.
Update the code such that these keytimes are set appropriately.
That means:
- Print "PublishCDS" and "DeleteCDS" times in the state files.
- The keymgr sets the "Removed" and "PublishCDS" times and derives
those from the dnssec-policy.
- Tweak setting of the "Retired" time, when retiring keys, only
update the time to now when the retire time is not yet set, or is
in the future.
This also fixes a bug in "keymgr_transition_time" where we may wait
too long before zone signatrues become omnipresent or hidden. Not
only can we skip waiting the sign delay Dsgn if there is no
predecessor, we can also skip it if there is no successor.
Finally, this commit moves setting the lifetime, reducing two calls
to one.
For testing purposes mainly, we want to allow set keytimings on
generated keys, such that we don't have to "keygen/settime" which
can result in one second off times.
Certain rules of the BIND development process are not codified anywhere
and/or are used inconsistently. In an attempt to improve this
situation, add a GitLab CI job which uses Danger Python to add comments
to merge requests when certain expectations are not met. Two categories
of feedback are used, only one of which - fail() - causes the GitLab CI
job to fail. Exclude dangerfile.py from Python QA checks as the way the
contents of that file are evaluated triggers a lot of Flake8 and PyLint
warnings.
in addition to being more efficient, this prevents a possible crash by
looking up the node name before the tree sructure can be changed when
cleaning up dead nodes in addrdataset().
