set -e
+longago="now-1y"
+keytimes="-P ${longago} -A ${longago}"
+O="omnipresent"
+
zone=dnssec.
infile=dnssec.db.in
-zonefile=dnssec.db.signed
+zonefile=dnssec.db
+cp $infile $zonefile
ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -L 3600 -b "$DEFAULT_BITS" -f KSK "$zone")
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -L 3600 -b "$DEFAULT_BITS" "$zone")
# Sign deliberately with a very short expiration date.
-"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1
+"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" "$zonefile" >"signzone.out.$zone" 2>&1
id=$(keyfile_to_key_id "$ksk")
echo "$DEFAULT_ALGORITHM_NUMBER+$id" >dnssec.ksk.id
id=$(keyfile_to_key_id "$zsk")
zone=manykeys.
infile=manykeys.db.in
-zonefile=manykeys.db.signed
-ksk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 -f KSK "$zone")
-zsk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 "$zone")
+zonefile=manykeys.db
+cp $infile $zonefile
+ksk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 -f KSK $keytimes -P sync $longago "$zone")
+zsk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 $keytimes "$zone")
+$SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$ksk8" >settime.out.$zone 2>&1
+$SETTIME -s -g $O -k $O $longago -z $O $longago "$zsk8" >settime.out.$zone 2>&1
+cat $ksk8.key $zsk8.key >>$zonefile
ksk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -L 3600 -b 256 -f KSK "$zone")
zsk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -L 3600 -b 256 "$zone")
+cat $ksk13.key $zsk13.key >>$zonefile
ksk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -L 3600 -b 384 -f KSK "$zone")
zsk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -L 3600 -b 384 "$zone")
+cat $ksk14.key $zsk14.key >>$zonefile
# Sign deliberately with a very short expiration date.
# Disable zone verification (-P) as records may expire before signing is complete
-"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1
+"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" "$zonefile" >"signzone.out.$zone" 2>&1
id=$(keyfile_to_key_id "$ksk8")
echo "8+$id" >manykeys.ksk8.id
id=$(keyfile_to_key_id "$zsk8")
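Review bot: The second dnssec-settime call (`$SETTIME ... "$zsk8" >settime.out.$zone`) truncates the same `settime.out.$zone` that the KSK call on the line above just wrote, so the KSK run's diagnostics are lost before anyone can read them; append instead, `$SETTIME -s -g $O -k $O $longago -z $O $longago "$zsk8" >>settime.out.$zone 2>&1`, or give each key its own output file. The new lines also mix quoting styles: `cp $infile $zonefile`, `cat $ksk8.key $zsk8.key >>$zonefile` and `$SETTIME` are unquoted while `"$KEYGEN"`, `"$SIGNER"` and `"$zone"` in the same script are quoted, so quoting the single-word expansions (`cp -- "$infile" "$zonefile"`) would keep the file consistent and ShellCheck-clean, whereas `$keytimes` must stay unquoted because it carries two options and deserves a comment saying so. Only ksk8 receives `-P sync $longago`; if the intent is that every KSK later signs CDS/CDNSKEY, that presumably holds because the RRsets exist once ksk8 publishes them, but a one-line comment above the ksk8 keygen stating that intent would spare the next reader the inference. The script's preamble lies outside the hunk.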
zsk13_id=$(cat ns2/$zone.zsk13.id)
ksk14_id=$(cat ns2/$zone.ksk14.id)
zsk14_id=$(cat ns2/$zone.zsk14.id)
-# The dnssec zone has 10 RRsets to sign (including NSEC) with the ZSKs and one
-# RRset (DNSKEY) with the KSKs. So starting named with signatures that expire
-# almost right away, this should trigger 10 zsk and 1 ksk sign operations per
-# key.
+# The dnssec zone has 10 RRsets to sign (including NSEC) with the ZSKs and the
+# DNSKEY, CDS, and CDNSKEY RRsets with the KSKs. So starting named with
+# signatures that expire almost right away, this should trigger 10 zsk and 3
+# ksk sign operations per key.
echo "${refresh_prefix} ${zsk8_id}: 10" >zones.expect
echo "${refresh_prefix} ${zsk13_id}: 10" >>zones.expect
echo "${refresh_prefix} ${zsk14_id}: 10" >>zones.expect
-echo "${refresh_prefix} ${ksk8_id}: 1" >>zones.expect
-echo "${refresh_prefix} ${ksk13_id}: 1" >>zones.expect
-echo "${refresh_prefix} ${ksk14_id}: 1" >>zones.expect
+echo "${refresh_prefix} ${ksk8_id}: 3" >>zones.expect
+echo "${refresh_prefix} ${ksk13_id}: 3" >>zones.expect
+echo "${refresh_prefix} ${ksk14_id}: 3" >>zones.expect
echo "${sign_prefix} ${zsk8_id}: 10" >>zones.expect
echo "${sign_prefix} ${zsk13_id}: 10" >>zones.expect
echo "${sign_prefix} ${zsk14_id}: 10" >>zones.expect
-echo "${sign_prefix} ${ksk8_id}: 1" >>zones.expect
-echo "${sign_prefix} ${ksk13_id}: 1" >>zones.expect
-echo "${sign_prefix} ${ksk14_id}: 1" >>zones.expect
+echo "${sign_prefix} ${ksk8_id}: 3" >>zones.expect
+echo "${sign_prefix} ${ksk13_id}: 3" >>zones.expect
+echo "${sign_prefix} ${ksk14_id}: 3" >>zones.expect
cat zones.expect | sort >zones.expect.$n
rm -f zones.expect
# Fetch and check the dnssec sign statistics.
echo "${refresh_prefix} ${zsk8_id}: 10" >zones.expect
echo "${refresh_prefix} ${zsk13_id}: 10" >>zones.expect
echo "${refresh_prefix} ${zsk14_id}: 10" >>zones.expect
-echo "${refresh_prefix} ${ksk8_id}: 1" >>zones.expect
-echo "${refresh_prefix} ${ksk13_id}: 1" >>zones.expect
-echo "${refresh_prefix} ${ksk14_id}: 1" >>zones.expect
+echo "${refresh_prefix} ${ksk8_id}: 3" >>zones.expect
+echo "${refresh_prefix} ${ksk13_id}: 3" >>zones.expect
+echo "${refresh_prefix} ${ksk14_id}: 3" >>zones.expect
echo "${sign_prefix} ${zsk8_id}: 13" >>zones.expect
echo "${sign_prefix} ${zsk13_id}: 13" >>zones.expect
echo "${sign_prefix} ${zsk14_id}: 13" >>zones.expect
-echo "${sign_prefix} ${ksk8_id}: 1" >>zones.expect
-echo "${sign_prefix} ${ksk13_id}: 1" >>zones.expect
-echo "${sign_prefix} ${ksk14_id}: 1" >>zones.expect
+echo "${sign_prefix} ${ksk8_id}: 3" >>zones.expect
+echo "${sign_prefix} ${ksk13_id}: 3" >>zones.expect
+echo "${sign_prefix} ${ksk14_id}: 3" >>zones.expect
cat zones.expect | sort >zones.expect.$n
rm -f zones.expect
# Fetch and check the dnssec sign statistics.
ret=0
copy_setports ns2/named2.conf.in ns2/named.conf
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/I:ns2 /'
-# This should trigger the resign of DNSKEY (+1 ksk), and SOA, NSEC,
-# TYPE65534 (+3 zsk). The dnssec-sign statistics for the removed keys should
-# be cleared and thus no longer visible. But NSEC and SOA are (mistakenly)
-# counted double, one time because of zone_resigninc and one time because of
-# zone_nsec3chain. So +5 zsk in total.
+# This should trigger the resign of DNSKEY, CDS, and CDNSKEY (+3 ksk),
+# and SOA, NSEC, TYPE65534 (+3 zsk). The dnssec-sign statistics for the
+# removed keys should be cleared and thus no longer visible. But NSEC and SOA
+# are (mistakenly) counted double, one time because of zone_resigninc and one
+# time because of zone_nsec3chain. So +5 zsk in total.
echo "${refresh_prefix} ${zsk8_id}: 15" >zones.expect
-echo "${refresh_prefix} ${ksk8_id}: 2" >>zones.expect
+echo "${refresh_prefix} ${ksk8_id}: 6" >>zones.expect
echo "${sign_prefix} ${zsk8_id}: 18" >>zones.expect
-echo "${sign_prefix} ${ksk8_id}: 2" >>zones.expect
+echo "${sign_prefix} ${ksk8_id}: 6" >>zones.expect
cat zones.expect | sort >zones.expect.$n
rm -f zones.expect
# Fetch and check the dnssec sign statistics.