From: Nicki Křížek Date: Fri, 30 May 2025 15:21:36 +0000 (+0200) Subject: Use a single named.conf template in rollover test X-Git-Tag: v9.21.11~38^2~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=784a252425fdbea436ecb48b9992253623ac4f68;p=thirdparty%2Fbind9.git Use a single named.conf template in rollover test Rather than using multiple slightly modified named.conf files, use a single template which can be rendered differently based on an input argument -- in this case, csk_roll. --- diff --git a/bin/tests/system/rollover/ns6/named.conf.j2 b/bin/tests/system/rollover/ns6/named.conf.j2 index 85861a01009..412626e18b3 100644 --- a/bin/tests/system/rollover/ns6/named.conf.j2 +++ b/bin/tests/system/rollover/ns6/named.conf.j2 @@ -13,8 +13,11 @@ // NS6 +{% set csk_roll = csk_roll | default(False) %} +{% set _csk_file = "csk1.conf" if not csk_roll else "csk2.conf" %} + include "kasp.conf"; -include "csk1.conf"; +include "@_csk_file@"; options { query-source address 10.53.0.6; @@ -26,7 +29,7 @@ options { listen-on-v6 { none; }; allow-transfer { any; }; recursion no; - key-directory "."; + key-directory "."; // TODO if csk_roll? dnssec-validation no; }; @@ -53,68 +56,159 @@ zone "dynamic2inline.kasp" { }; /* Lifetime changes. */ +{% set _policy = "short-lifetime" if not csk_roll else "long-lifetime" %} zone longer-lifetime { type primary; file "longer-lifetime.db"; - dnssec-policy short-lifetime; + dnssec-policy @_policy@; }; +{% set _policy = "long-lifetime" if not csk_roll else "short-lifetime" %} zone shorter-lifetime { type primary; file "shorter-lifetime.db"; - dnssec-policy long-lifetime; + dnssec-policy @_policy@; }; +{% set _policy = "unlimited-lifetime" if not csk_roll else "short-lifetime" %} zone limit-lifetime { type primary; file "limit-lifetime.db"; - dnssec-policy unlimited-lifetime; + dnssec-policy @_policy@; }; +{% set _policy = "short-lifetime" if not csk_roll else "unlimited-lifetime" %} zone unlimit-lifetime { type primary; file "unlimit-lifetime.db"; - dnssec-policy short-lifetime; + dnssec-policy @_policy@; }; -/* These zones are going insecure. */ +/* Zones for testing going insecure. */ +{% set _policy = "unsigning" if not csk_roll else "insecure" %} zone "step1.going-insecure.kasp" { type primary; file "step1.going-insecure.kasp.db"; - dnssec-policy "unsigning"; + dnssec-policy @_policy@; +}; + +{% if csk_roll %} // TODO maybe omit? +zone "step2.going-insecure.kasp" { + type primary; + file "step2.going-insecure.kasp.db"; + dnssec-policy "insecure"; }; +{% endif %} +{% set _policy = "unsigning" if not csk_roll else "insecure" %} zone "step1.going-insecure-dynamic.kasp" { type primary; file "step1.going-insecure-dynamic.kasp.db"; - dnssec-policy "unsigning"; + dnssec-policy @_policy@; + inline-signing no; + allow-update { any; }; +}; + +{% if csk_roll %} // TODO maybe omit? +zone "step2.going-insecure-dynamic.kasp" { + type primary; + file "step2.going-insecure-dynamic.kasp.db"; + dnssec-policy insecure; inline-signing no; allow-update { any; }; }; +{% endif %} +{% set _policy = "default" if not csk_roll else "none" %} zone "step1.going-straight-to-none.kasp" { type primary; file "step1.going-straight-to-none.kasp.db"; - dnssec-policy "default"; + dnssec-policy @_policy@; }; +{% set _policy = "default" if not csk_roll else "none" %} zone "step1.going-straight-to-none-dynamic.kasp" { type primary; file "step1.going-straight-to-none-dynamic.kasp.db.signed"; inline-signing no; - dnssec-policy "default"; + dnssec-policy @_policy@; allow-update { any; }; }; -/* These are alorithm rollover test zones. */ +/* Zones for testing KSK/ZSK algorithm roll. */ +{% set _policy = "rsasha256" if not csk_roll else "ecdsa256" %} zone "step1.algorithm-roll.kasp" { type primary; file "step1.algorithm-roll.kasp.db"; - dnssec-policy "rsasha256"; + dnssec-policy @_policy@; +}; + +{% if csk_roll %} +zone "step2.algorithm-roll.kasp" { + type primary; + file "step2.algorithm-roll.kasp.db"; + dnssec-policy "ecdsa256"; +}; + +zone "step3.algorithm-roll.kasp" { + type primary; + file "step3.algorithm-roll.kasp.db"; + dnssec-policy "ecdsa256"; +}; + +zone "step4.algorithm-roll.kasp" { + type primary; + file "step4.algorithm-roll.kasp.db"; + dnssec-policy "ecdsa256"; +}; + +zone "step5.algorithm-roll.kasp" { + type primary; + file "step5.algorithm-roll.kasp.db"; + dnssec-policy "ecdsa256"; }; +zone "step6.algorithm-roll.kasp" { + type primary; + file "step6.algorithm-roll.kasp.db"; + dnssec-policy "ecdsa256"; +}; +{% endif %} + zone "step1.csk-algorithm-roll.kasp" { type primary; file "step1.csk-algorithm-roll.kasp.db"; dnssec-policy "csk-algoroll"; }; + +{% if csk_roll %} +zone "step2.csk-algorithm-roll.kasp" { + type primary; + file "step2.csk-algorithm-roll.kasp.db"; + dnssec-policy "csk-algoroll"; +}; + +zone "step3.csk-algorithm-roll.kasp" { + type primary; + file "step3.csk-algorithm-roll.kasp.db"; + dnssec-policy "csk-algoroll"; +}; + +zone "step4.csk-algorithm-roll.kasp" { + type primary; + file "step4.csk-algorithm-roll.kasp.db"; + dnssec-policy "csk-algoroll"; +}; + +zone "step5.csk-algorithm-roll.kasp" { + type primary; + file "step5.csk-algorithm-roll.kasp.db"; + dnssec-policy "csk-algoroll"; +}; + +zone "step6.csk-algorithm-roll.kasp" { + type primary; + file "step6.csk-algorithm-roll.kasp.db"; + dnssec-policy "csk-algoroll"; +}; +{% endif %} diff --git a/bin/tests/system/rollover/ns6/named2.conf.j2 b/bin/tests/system/rollover/ns6/named2.conf.j2 deleted file mode 100644 index 23511e886c0..00000000000 --- a/bin/tests/system/rollover/ns6/named2.conf.j2 +++ /dev/null @@ -1,198 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -// NS6 - -include "kasp.conf"; -include "csk2.conf"; - -options { - query-source address 10.53.0.6; - notify-source 10.53.0.6; - transfer-source 10.53.0.6; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.6; }; - listen-on-v6 { none; }; - allow-transfer { any; }; - recursion no; - dnssec-validation no; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -zone "." { - type hint; - file "../../_common/root.hint.blackhole"; -}; - -/* This zone switch from dynamic to inline-signing. */ -zone "dynamic2inline.kasp" { - type primary; - file "dynamic2inline.kasp.db"; - allow-update { any; }; - dnssec-policy "default"; -}; - -/* Lifetime changes. */ -zone longer-lifetime { - type primary; - file "longer-lifetime.db"; - dnssec-policy long-lifetime; -}; - -zone shorter-lifetime { - type primary; - file "shorter-lifetime.db"; - dnssec-policy short-lifetime; -}; - -zone limit-lifetime { - type primary; - file "limit-lifetime.db"; - dnssec-policy short-lifetime; -}; - -zone unlimit-lifetime { - type primary; - file "unlimit-lifetime.db"; - dnssec-policy unlimited-lifetime; -}; - -/* Zones for testing going insecure. */ -zone "step1.going-insecure.kasp" { - type primary; - file "step1.going-insecure.kasp.db"; - dnssec-policy "insecure"; -}; - -zone "step2.going-insecure.kasp" { - type primary; - file "step2.going-insecure.kasp.db"; - dnssec-policy "insecure"; -}; - -zone "step1.going-insecure-dynamic.kasp" { - type primary; - file "step1.going-insecure-dynamic.kasp.db"; - inline-signing no; - dnssec-policy "insecure"; - allow-update { any; }; -}; - -zone "step2.going-insecure-dynamic.kasp" { - type primary; - file "step2.going-insecure-dynamic.kasp.db"; - inline-signing no; - dnssec-policy "insecure"; - allow-update { any; }; -}; - -zone "step1.going-straight-to-none.kasp" { - type primary; - file "step1.going-straight-to-none.kasp.db"; - dnssec-policy "none"; -}; - -zone "step1.going-straight-to-none-dynamic.kasp" { - type primary; - file "step1.going-straight-to-none-dynamic.kasp.db.signed"; - inline-signing no; - dnssec-policy "none"; - allow-update { any; }; -}; - -/* - * Zones for testing KSK/ZSK algorithm roll. - */ -zone "step1.algorithm-roll.kasp" { - type primary; - file "step1.algorithm-roll.kasp.db"; - dnssec-policy "ecdsa256"; -}; - -zone "step2.algorithm-roll.kasp" { - type primary; - file "step2.algorithm-roll.kasp.db"; - dnssec-policy "ecdsa256"; -}; - -zone "step3.algorithm-roll.kasp" { - type primary; - file "step3.algorithm-roll.kasp.db"; - dnssec-policy "ecdsa256"; -}; - -zone "step4.algorithm-roll.kasp" { - type primary; - file "step4.algorithm-roll.kasp.db"; - dnssec-policy "ecdsa256"; -}; - -zone "step5.algorithm-roll.kasp" { - type primary; - file "step5.algorithm-roll.kasp.db"; - dnssec-policy "ecdsa256"; -}; - -zone "step6.algorithm-roll.kasp" { - type primary; - file "step6.algorithm-roll.kasp.db"; - dnssec-policy "ecdsa256"; -}; - -/* - * Zones for testing CSK algorithm roll. - */ -zone "step1.csk-algorithm-roll.kasp" { - type primary; - file "step1.csk-algorithm-roll.kasp.db"; - dnssec-policy "csk-algoroll"; -}; - -zone "step2.csk-algorithm-roll.kasp" { - type primary; - file "step2.csk-algorithm-roll.kasp.db"; - dnssec-policy "csk-algoroll"; -}; - -zone "step3.csk-algorithm-roll.kasp" { - type primary; - file "step3.csk-algorithm-roll.kasp.db"; - dnssec-policy "csk-algoroll"; -}; - -zone "step4.csk-algorithm-roll.kasp" { - type primary; - file "step4.csk-algorithm-roll.kasp.db"; - dnssec-policy "csk-algoroll"; -}; - -zone "step5.csk-algorithm-roll.kasp" { - type primary; - file "step5.csk-algorithm-roll.kasp.db"; - dnssec-policy "csk-algoroll"; -}; - -zone "step6.csk-algorithm-roll.kasp" { - type primary; - file "step6.csk-algorithm-roll.kasp.db"; - dnssec-policy "csk-algoroll"; -}; diff --git a/bin/tests/system/rollover/tests_rollover.py b/bin/tests/system/rollover/tests_rollover.py index c42f3ef0658..c7d4bed6ef7 100644 --- a/bin/tests/system/rollover/tests_rollover.py +++ b/bin/tests/system/rollover/tests_rollover.py @@ -10,7 +10,6 @@ # information regarding copyright ownership. import os -import shutil from datetime import timedelta @@ -1275,7 +1274,7 @@ def test_rollover_csk_roll2(servers): check_rollover_step(server, config, policy, step) -def test_rollover_policy_changes(servers): +def test_rollover_policy_changes(servers, templates): server = servers["ns6"] cdss = ["CDNSKEY", "CDS (SHA-256)"] alg = os.environ["DEFAULT_ALGORITHM_NUMBER"] @@ -1445,7 +1444,7 @@ def test_rollover_policy_changes(servers): # Reconfigure, changing DNSSEC policies and other configuration options, # triggering algorithm rollovers and other dnssec-policy changes. - shutil.copyfile("ns6/named2.conf", "ns6/named.conf") + templates.render("ns6/named.conf", {"csk_roll": True}) server.rndc("reconfig") # Calculate time passed to correctly check for next key events. now = KeyTimingMetadata.now()