Convert more kasp test cases to pytest

These test cases follow the same pattern as many other, but all require
some additional checks. These are set in "additional-tests".

The "zsk-missing.autosign" zone is special handled, as it expects the
KSK to sign the SOA RRset (because the ZSK is unavailable).

The kasp/ns3/setup.sh script is updated so the SyncPublish is not set
(named will initialize it correctly). For the test zones that have
missing private key files we do need to set the expected key timing
metadata.

Remove the counterparts for the newly added test from the kasp shell
tests script.

diff --git a/bin/tests/system/isctest/kasp.py b/bin/tests/system/isctest/kasp.py
index 5b39b9fffdd43356943df3d47c2f28843ca7c109..fc00a4df0ce5ded3368d544d41828812a5efc4e6 100644 (file)
--- a/bin/tests/system/isctest/kasp.py
+++ b/bin/tests/system/isctest/kasp.py
@@ -1108,6 +1108,98 @@ def verify_update_is_signed(server, fqdn, qname, qtype, rdata, ksks, zsks, tsig=
     return True
 
 
+def verify_rrsig_is_refreshed(
+    server, fqdn, zonefile, qname, qtype, ksks, zsks, tsig=None
+):
+    """
+    Verify signature for RRset has been refreshed.
+    """
+    response = _query(server, qname, qtype, tsig=tsig)
+
+    if response.rcode() != dns.rcode.NOERROR:
+        return False
+
+    rrtype = dns.rdatatype.to_text(qtype)
+    match = f"{qname}. {DEFAULT_TTL} IN {rrtype}"
+    rrsigs = []
+    for rrset in response.answer:
+        if rrset.match(
+            dns.name.from_text(qname), dns.rdataclass.IN, dns.rdatatype.RRSIG, qtype
+        ):
+            rrsigs.append(rrset)
+        elif not match in rrset.to_text():
+            return False
+
+    if len(rrsigs) == 0:
+        return False
+
+    tmp_zonefile = f"{zonefile}.tmp"
+    isctest.run.cmd(
+        [
+            os.environ["CHECKZONE"],
+            "-D",
+            "-q",
+            "-o",
+            tmp_zonefile,
+            "-f",
+            "raw",
+            fqdn,
+            zonefile,
+        ],
+    )
+
+    zone = dns.zone.from_file(tmp_zonefile, fqdn)
+    for rrsig in rrsigs:
+        if isctest.util.zone_contains(zone, rrsig):
+            return False
+
+    # Zone is updated, ready to verify the signatures.
+    check_signatures(rrsigs, qtype, fqdn, ksks, zsks)
+
+    return True
+
+
+def verify_rrsig_is_reused(server, fqdn, zonefile, qname, qtype, ksks, zsks, tsig=None):
+    """
+    Verify signature for RRset has been reused.
+    """
+    response = _query(server, qname, qtype, tsig=tsig)
+
+    assert response.rcode() == dns.rcode.NOERROR
+
+    rrtype = dns.rdatatype.to_text(qtype)
+    match = f"{qname}. {DEFAULT_TTL} IN {rrtype}"
+    rrsigs = []
+    for rrset in response.answer:
+        if rrset.match(
+            dns.name.from_text(qname), dns.rdataclass.IN, dns.rdatatype.RRSIG, qtype
+        ):
+            rrsigs.append(rrset)
+        else:
+            assert match in rrset.to_text()
+
+    tmp_zonefile = f"{zonefile}.tmp"
+    isctest.run.cmd(
+        [
+            os.environ["CHECKZONE"],
+            "-D",
+            "-q",
+            "-o",
+            tmp_zonefile,
+            "-f",
+            "raw",
+            fqdn,
+            zonefile,
+        ],
+    )
+
+    zone = dns.zone.from_file(tmp_zonefile, dns.name.from_text(fqdn), relativize=False)
+    for rrsig in rrsigs:
+        assert isctest.util.zone_contains(zone, rrsig)
+
+    check_signatures(rrsigs, qtype, fqdn, ksks, zsks)
+
+
 def next_key_event_equals(server, zone, next_event):
     if next_event is None:
         # No next key event check.
@@ -1202,6 +1294,7 @@ def policy_to_properties(ttl, keys: List[str]) -> List[KeyProperties]:
     Then, optional data for specific tests may follow:
     - "goal", "dnskey", "krrsig", "zrrsig", "ds", followed by a value,
       sets the given state to the specific value
+    - "missing", set if the private key file for this key is not available.
     - "offset", an offset for testing key rollover timings
     """
     proplist = []
@@ -1252,6 +1345,8 @@ def policy_to_properties(ttl, keys: List[str]) -> List[KeyProperties]:
             elif line[i].startswith("offset:"):
                 keyval = line[i].split(":")
                 keyprop.properties["offset"] = timedelta(seconds=int(keyval[1]))
+            elif line[i] == "missing":
+                keyprop.properties["private"] = False
             else:
                 assert False, f"undefined optional data {line[i]}"
 

diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 76fe7b4a8198e4561e5dee6b126c433a2c32bb8e..b6062dad222b6908823ec2d4be734022f51d0c49 100644 (file)
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -200,13 +200,14 @@ $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
 $SIGNER -PS -z -x -s now-2w -e now-1mi -o $zone -f "${zonefile}" $infile >signer.out.$zone.1 2>&1
 
+# Treat the next zones as if they were signed six months ago.
+T="now-6mo"
+keytimes="-P $T -A $T"
+
 # These signatures are set to expire long in the past, update immediately.
 setup expired-sigs.autosign
-T="now-6mo"
-ksktimes="-P $T -A $T -P sync $T"
-zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $keytimes $zone 2>keygen.out.$zone.2)
 $SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
@@ -217,8 +218,6 @@ $SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $in
 
 # The DNSKEY's TTLs do not match the policy.
 setup dnskey-ttl-mismatch.autosign
-T="now-6mo"
-keytimes="-P $T -A $T"
 KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 30 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
 ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 30 $keytimes $zone 2>keygen.out.$zone.2)
 $SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
@@ -229,11 +228,8 @@ $SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone
 
 # These signatures are still good, and can be reused.
 setup fresh-sigs.autosign
-T="now-6mo"
-ksktimes="-P $T -A $T -P sync $T"
-zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $keytimes $zone 2>keygen.out.$zone.2)
 $SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
@@ -244,11 +240,8 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
 
 # These signatures are still good, but not fresh enough, update immediately.
 setup unfresh-sigs.autosign
-T="now-6mo"
-ksktimes="-P $T -A $T -P sync $T"
-zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $keytimes $zone 2>keygen.out.$zone.2)
 $SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
@@ -259,11 +252,13 @@ $SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infil
 
 # These signatures are still good, but the private KSK is missing.
 setup ksk-missing.autosign
-T="now-6mo"
-ksktimes="-P $T -A $T -P sync $T"
-zsktimes="-P $T -A $T"
+# KSK file will be gone missing, so we set expected times during setup.
+TI="now+550d"     # Lifetime of 2 years minus 6 months equals 550 days
+TD="now+13226h"   # 550 days plus retire time of 1 day 2 hours equals 13226 hours
+TS="now-257755mi" # 6 months minus 1 day, 5 minutes equals 257695 minutes
+ksktimes="$keytimes -P sync $TS -I $TI -D $TD"
 KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $keytimes $zone 2>keygen.out.$zone.2)
 $SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
@@ -278,10 +273,11 @@ rm -f "${KSK}".private
 
 # These signatures are still good, but the private ZSK is missing.
 setup zsk-missing.autosign
-T="now-6mo"
-ksktimes="-P $T -A $T -P sync $T"
-zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+# ZSK file will be gone missing, so we set expected times during setup.
+TI="now+185d"     # Lifetime of 1 year minus 6 months equals 185 days
+TD="now+277985mi" # 185 days plus retire time (sign delay, retire safety, propagation, zone TTL)
+zsktimes="$keytimes -I $TI -D $TD"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
 ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
 $SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
@@ -298,11 +294,8 @@ rm -f "${ZSK}".private
 # These signatures are still good, but the key files will be removed
 # before a second run of reconfiguring keys.
 setup keyfiles-missing.autosign
-T="now-6mo"
-ksktimes="-P $T -A $T -P sync $T"
-zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $keytimes $zone 2>keygen.out.$zone.2)
 $SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
@@ -313,7 +306,6 @@ $SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infil
 
 # These signatures are already expired, and the private ZSK is retired.
 setup zsk-retired.autosign
-T="now-6mo"
 ksktimes="-P $T -A $T -P sync $T"
 zsktimes="-P $T -A $T -I now"
 KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)

diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index ec9e72e3001891bd9a6f74cf3cff7d07cc7ddad3..7429b869dfdd3e3c0dd980d8b44900bb42990980 100644 (file)
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -514,47 +514,6 @@ check_apex
 check_subdomain
 dnssec_verify
 
-#
-# Zone: secondary.kasp.
-#
-set_zone "secondary.kasp"
-set_policy "rsasha256" "3" "1234"
-set_server "ns3" "10.53.0.3"
-# Key properties, timings and states same as above.
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_algorithm_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Update zone.
-n=$((n + 1))
-echo_i "check that we correctly sign the zone after IXFR for zone ${ZONE} ($n)"
-ret=0
-cp ns2/secondary.kasp.db.in2 ns2/secondary.kasp.db
-rndccmd 10.53.0.2 reload "$ZONE" >/dev/null || log_error "rndc reload zone ${ZONE} failed"
-
-_wait_for_done_subdomains() {
-  ret=0
-  dig_with_opts "a.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.a" || return 1
-  grep "status: NOERROR" "dig.out.$DIR.test$n.a" >/dev/null || return 1
-  grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" >/dev/null || return 1
-  check_signatures $_qtype "dig.out.$DIR.test$n.a" "ZSK"
-  if [ $ret -gt 0 ]; then return $ret; fi
-
-  dig_with_opts "d.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.d" || return 1
-  grep "status: NOERROR" "dig.out.$DIR.test$n.d" >/dev/null || return 1
-  grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" >/dev/null || return 1
-  check_signatures $_qtype "dig.out.$DIR.test$n.d" "ZSK"
-  return $ret
-}
-retry_quiet 5 _wait_for_done_subdomains || ret=1
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
 # TODO: we might want to test:
 # - configuring a zone with too many active keys (should trigger retire).
 # - configuring a zone with keys not matching the policy.
@@ -593,10 +552,10 @@ set_keytimes_autosign_policy() {
 }
 
 #
-# Zone: expired-sigs.autosign.
+# Zone: zsk-retired.autosign.
 #
-set_zone "expired-sigs.autosign"
-set_policy "autosign" "2" "300"
+set_zone "zsk-retired.autosign"
+set_policy "autosign" "3" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear "KEY1"
@@ -625,181 +584,6 @@ set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
 # Expect only two keys.
 key_clear "KEY3"
 key_clear "KEY4"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_autosign_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Verify all signatures have been refreshed.
-check_rrsig_refresh() {
-  # Apex.
-  _qtypes="DNSKEY SOA NS NSEC"
-  for _qtype in $_qtypes; do
-    n=$((n + 1))
-    echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
-    ret=0
-    dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
-    grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response"
-    grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
-    # If this exact RRSIG is also in the zone file it is not refreshed.
-    _rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
-    grep "${_rrsig}" "${DIR}/${ZONE}.db" >/dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
-    test "$ret" -eq 0 || echo_i "failed"
-    status=$((status + ret))
-  done
-
-  # Below apex.
-  _labels="a b c ns3"
-  for _label in $_labels; do
-    _qtypes="A NSEC"
-    for _qtype in $_qtypes; do
-      n=$((n + 1))
-      echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
-      ret=0
-      dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
-      grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response"
-      grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
-      _rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
-      grep "${_rrsig}" "${DIR}/${ZONE}.db" >/dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
-      test "$ret" -eq 0 || echo_i "failed"
-      status=$((status + ret))
-    done
-  done
-}
-
-check_rrsig_refresh
-
-#
-# Zone: fresh-sigs.autosign.
-#
-set_zone "fresh-sigs.autosign"
-set_policy "autosign" "2" "300"
-set_server "ns3" "10.53.0.3"
-# Key properties, timings and states same as above.
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_autosign_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Verify signature reuse.
-check_rrsig_reuse() {
-  # Apex.
-  _qtypes="NS NSEC"
-  for _qtype in $_qtypes; do
-    n=$((n + 1))
-    echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
-    ret=0
-    dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
-    grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response"
-    grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
-    # If this exact RRSIG is also in the signed zone file it is not refreshed.
-    _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' <"rrsig.out.$ZONE.$_qtype")
-    $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" >/dev/null
-    grep "${_rrsig}" zone.out.${ZONE}.test$n >/dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
-    test "$ret" -eq 0 || echo_i "failed"
-    status=$((status + ret))
-  done
-
-  # Below apex.
-  _labels="a b c ns3"
-  for _label in $_labels; do
-    _qtypes="A NSEC"
-    for _qtype in $_qtypes; do
-      n=$((n + 1))
-      echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
-      ret=0
-      dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
-      grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response"
-      grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
-      # If this exact RRSIG is also in the signed zone file it is not refreshed.
-      _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' <"rrsig.out.$ZONE.$_qtype")
-      $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" >/dev/null
-      grep "${_rrsig}" zone.out.${ZONE}.test$n >/dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
-      test "$ret" -eq 0 || echo_i "failed"
-      status=$((status + ret))
-    done
-  done
-}
-
-check_rrsig_reuse
-
-#
-# Zone: unfresh-sigs.autosign.
-#
-set_zone "unfresh-sigs.autosign"
-set_policy "autosign" "2" "300"
-set_server "ns3" "10.53.0.3"
-# Key properties, timings and states same as above.
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_autosign_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-check_rrsig_refresh
-
-#
-# Zone: ksk-missing.autosign.
-#
-set_zone "ksk-missing.autosign"
-set_policy "autosign" "2" "300"
-set_server "ns3" "10.53.0.3"
-# Key properties, timings and states same as above.
-# Skip checking the private file, because it is missing.
-key_set "KEY1" "PRIVATE" "no"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-dnssec_verify
-
-# Restore the PRIVATE variable.
-key_set "KEY1" "PRIVATE" "yes"
-
-#
-# Zone: zsk-missing.autosign.
-#
-set_zone "zsk-missing.autosign"
-set_policy "autosign" "2" "300"
-set_server "ns3" "10.53.0.3"
-# Key properties, timings and states same as above.
-# Skip checking the private file, because it is missing.
-key_set "KEY2" "PRIVATE" "no"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# For the apex, we expect the SOA to be signed with the KSK because the ZSK is
-# offline. Temporary treat KEY1 as a zone signing key too.
-set_keyrole "KEY1" "csk"
-set_zonesigning "KEY1" "yes"
-set_zonesigning "KEY2" "no"
-check_apex
-set_keyrole "KEY1" "ksk"
-set_zonesigning "KEY1" "no"
-set_zonesigning "KEY2" "yes"
-check_subdomain
-dnssec_verify
-
-# Restore the PRIVATE variable.
-key_set "KEY2" "PRIVATE" "yes"
-
-#
-# Zone: zsk-retired.autosign.
-#
-set_zone "zsk-retired.autosign"
-set_policy "autosign" "3" "300"
-set_server "ns3" "10.53.0.3"
 # The third key is not yet expected to be signing.
 set_keyrole "KEY3" "zsk"
 set_keylifetime "KEY3" "31536000"
@@ -846,7 +630,7 @@ check_keytimes
 check_apex
 check_subdomain
 dnssec_verify
-check_rrsig_refresh
+#check_rrsig_refresh
 
 # Load again, make sure the purged key is not an issue when verifying keys.
 echo_i "load keys for $ZONE, making sure a recently purged key is not an issue when verifying keys ($n)"
@@ -857,164 +641,6 @@ grep "zone $ZONE/IN (signed): zone_rekey:zone_verifykeys failed: some key files
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
-#
-# Zone: legacy-keys.kasp.
-#
-set_zone "legacy-keys.kasp"
-# This zone has two active keys and two old keys left in key directory, so
-# expect 4 key files.
-set_policy "migrate-to-dnssec-policy" "4" "1234"
-set_server "ns3" "10.53.0.3"
-
-# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "16070400"
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
-
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "16070400"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
-# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
-# ZSK: DNSKEY, RRSIG (zsk) published.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
-
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-# Two keys only.
-key_clear "KEY3"
-key_clear "KEY4"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Make sure the correct legacy keys were used (and not the removed predecessor
-# keys).
-n=$((n + 1))
-echo_i "check correct keys were used when migrating zone ${ZONE} to dnssec-policy ($n)"
-ret=0
-kskfile=$(cat ns3/legacy-keys.kasp.ksk)
-basefile=$(key_get KEY1 BASEFILE)
-echo_i "filename: $basefile (expect $kskfile)"
-test "$DIR/$kskfile" = "$basefile" || ret=1
-zskfile=$(cat ns3/legacy-keys.kasp.zsk)
-basefile=$(key_get KEY2 BASEFILE)
-echo_i "filename: $basefile (expect $zskfile)"
-test "$DIR/$zskfile" = "$basefile" || ret=1
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-# KSK times.
-created=$(key_get KEY1 CREATED)
-keyfile=$(key_get KEY1 BASEFILE)
-grep "; Publish:" "${keyfile}.key" >published.test${n}.key1
-published=$(awk '{print $3}' <published.test${n}.key1)
-set_keytime "KEY1" "PUBLISHED" "${published}"
-set_keytime "KEY1" "ACTIVE" "${published}"
-published=$(key_get KEY1 PUBLISHED)
-# The DS can be published if the zone is fully signed.
-# This happens after max-zone-ttl (1d) plus
-# zone-propagation-delay (300s) = 86400 + 300 = 86700.
-set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 86700
-# Key lifetime is 6 months, 315360000 seconds.
-set_addkeytime "KEY1" "RETIRED" "${published}" 16070400
-# The key is removed after the retire time plus DS TTL (1d), parent
-# propagation delay (1h), and retire safety (1h) = 86400 + 3600 + 3600 = 93600.
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
-
-# ZSK times.
-created=$(key_get KEY2 CREATED)
-keyfile=$(key_get KEY2 BASEFILE)
-grep "; Publish:" "${keyfile}.key" >published.test${n}.key2
-published=$(awk '{print $3}' <published.test${n}.key2)
-set_keytime "KEY2" "PUBLISHED" "${published}"
-set_keytime "KEY2" "ACTIVE" "${published}"
-published=$(key_get KEY2 PUBLISHED)
-# Key lifetime is 6 months, 315360000 seconds.
-set_addkeytime "KEY2" "RETIRED" "${published}" 16070400
-# The key is removed after the retire time plus max zone ttl (1d), zone
-# propagation delay (300s), retire safety (1h), and sign delay (signature
-# validity minus refresh, 9d) = 86400 + 300 + 3600 + 777600 = 867900.
-retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" 867900
-
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-#
-# Zone: keyfiles-missing.autosign.
-#
-set_zone "keyfiles-missing.autosign"
-set_policy "autosign" "2" "300"
-set_server "ns3" "10.53.0.3"
-# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "63072000"
-set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
-
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "31536000"
-set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
-
-# Both KSK and ZSK stay OMNIPRESENT.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
-
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_autosign_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-# All good, now remove key files and reload keys.
-rm_keyfiles() {
-  _basefile=$(key_get "$1" BASEFILE)
-  echo_i "remove key files $_basefile"
-  _keyfile="${_basefile}.key"
-  _privatefile="${_basefile}.private"
-  _statefile="${_basefile}.state"
-  rm -f $_keyfile
-  rm -f $_privatefile
-  rm -f $_statefile
-}
-rm_keyfiles "KEY1"
-rm_keyfiles "KEY2"
-
-rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
-wait_for_log 3 "zone $ZONE/IN (signed): zone_rekey:zone_verifykeys failed: some key files are missing" $DIR/named.run || ret=1
-# Check keys again, make sure no new keys are created.
-set_policy "autosign" "0" "300"
-key_clear "KEY1"
-key_clear "KEY2"
-check_keys
-# Zone is still signed correctly.
-dnssec_verify
-
 #
 # Test dnssec-policy inheritance.
 #

diff --git a/bin/tests/system/kasp/tests_kasp.py b/bin/tests/system/kasp/tests_kasp.py
index 0f93a690ee502db0514689ffef6975cd9f525340..eba8e7327720399e51761b95197c967feedc543c 100644 (file)
--- a/bin/tests/system/kasp/tests_kasp.py
+++ b/bin/tests/system/kasp/tests_kasp.py
@@ -80,9 +80,11 @@ pytestmark = pytest.mark.extra_artifacts(
 )
 
 
-def check_all(server, zone, policy, ksks, zsks, tsig=None):
+def check_all(server, zone, policy, ksks, zsks, zsk_missing=False, tsig=None):
     isctest.kasp.check_dnssecstatus(server, zone, ksks + zsks, policy=policy)
-    isctest.kasp.check_apex(server, zone, ksks, zsks, tsig=tsig)
+    isctest.kasp.check_apex(
+        server, zone, ksks, zsks, zsk_missing=zsk_missing, tsig=tsig
+    )
     isctest.kasp.check_subdomain(server, zone, ksks, zsks, tsig=tsig)
     isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig)
 
@@ -169,6 +171,128 @@ def test_kasp_cases(servers):
             f"zsk {lifetime['P1Y']} {alg} {sizes[2]} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
         ]
 
+    # Additional test functions.
+    def test_ixfr_is_signed(
+        expected_updates, zone=None, policy=None, ksks=None, zsks=None
+    ):
+        isctest.log.info(f"check that the zone {zone} is correctly signed after ixfr")
+        isctest.log.debug(
+            f"expected updates {expected_updates} policy {policy} ksks {ksks} zsks {zsks}"
+        )
+
+        shutil.copyfile(f"ns2/{zone}.db.in2", f"ns2/{zone}.db")
+        servers["ns2"].rndc(f"reload {zone}", log=False)
+
+        def update_is_signed():
+            parts = update.split()
+            qname = parts[0]
+            qtype = dns.rdatatype.from_text(parts[1])
+            rdata = parts[2]
+            return isctest.kasp.verify_update_is_signed(
+                server, zone, qname, qtype, rdata, ksks, zsks
+            )
+
+        for update in expected_updates:
+            isctest.run.retry_with_timeout(update_is_signed, timeout=5)
+
+    def test_rrsig_refresh(zone=None, policy=None, ksks=None, zsks=None):
+        # pylint: disable=unused-argument
+        isctest.log.info(f"check that the zone {zone} refreshes expired signatures")
+
+        def rrsig_is_refreshed():
+            parts = query.split()
+            qname = parts[0]
+            qtype = dns.rdatatype.from_text(parts[1])
+            return isctest.kasp.check_rrsig_is_refreshed(
+                server, zone, f"ns3/{zone}.db.signed", qname, qtype, ksks, zsks
+            )
+
+        queries = [
+            f"{zone} DNSKEY",
+            f"{zone} SOA",
+            f"{zone} NS",
+            f"{zone} NSEC",
+            f"a.{zone} A",
+            f"a.{zone} NSEC",
+            f"b.{zone} A",
+            f"b.{zone} NSEC",
+            f"c.{zone} A",
+            f"c.{zone} NSEC",
+            f"ns3.{zone} A",
+            f"ns3.{zone} NSEC",
+        ]
+
+        for query in queries:
+            isctest.run.retry_with_timeout(rrsig_is_refreshed, timeout=5)
+
+    def test_rrsig_reuse(zone=None, policy=None, ksks=None, zsks=None):
+        # pylint: disable=unused-argument
+        isctest.log.info(f"check that the zone {zone} reuses fresh signatures")
+
+        def rrsig_is_reused():
+            parts = query.split()
+            qname = parts[0]
+            qtype = dns.rdatatype.from_text(parts[1])
+            return isctest.kasp.check_rrsig_is_reused(
+                server, zone, f"{keydir}/{zone}.db.signed", qname, qtype, ksks, zsks
+            )
+
+        queries = [
+            f"{zone} NS",
+            f"{zone} NSEC",
+            f"a.{zone} A",
+            f"a.{zone} NSEC",
+            f"b.{zone} A",
+            f"b.{zone} NSEC",
+            f"c.{zone} A",
+            f"c.{zone} NSEC",
+            f"ns3.{zone} A",
+            f"ns3.{zone} NSEC",
+        ]
+
+        for query in queries:
+            rrsig_is_reused()
+
+    def test_legacy_keys(zone=None, policy=None, ksks=None, zsks=None):
+        # pylint: disable=unused-argument
+        isctest.log.info(f"check that the zone {zone} uses correct legacy keys")
+
+        assert len(ksks) == 1
+        assert len(zsks) == 1
+
+        # This assumes the zone has a policy that dictates one KSK and one ZSK.
+        # The right keys to be used are stored in "{zone}.ksk" and "{zone}.zsk".
+        with open(f"{keydir}/{zone}.ksk", "r", encoding="utf-8") as file:
+            kskfile = file.read()
+        with open(f"{keydir}/{zone}.zsk", "r", encoding="utf-8") as file:
+            zskfile = file.read()
+
+        assert f"{keydir}/{kskfile}".strip() == ksks[0].path
+        assert f"{keydir}/{zskfile}".strip() == zsks[0].path
+
+    def test_remove_keyfiles(zone=None, policy=None, ksks=None, zsks=None):
+        # pylint: disable=unused-argument
+        isctest.log.info(
+            "check that removing key files does not create new keys to be generated"
+        )
+
+        for k in ksks + zsks:
+            os.remove(k.keyfile)
+            os.remove(k.privatefile)
+            os.remove(k.statefile)
+
+        with server.watch_log_from_here() as watcher:
+            server.rndc(f"loadkeys {zone}", log=False)
+            watcher.wait_for_line(
+                f"zone {zone}/IN (signed): zone_rekey:zone_verifykeys failed: some key files are missing"
+            )
+
+        # Check keys again, make sure no new keys are created.
+        keys = isctest.kasp.keydir_to_keylist(zone, keydir)
+        isctest.kasp.check_keys(zone, keys, [])
+        # Zone is still signed correctly.
+        isctest.kasp.check_dnssec_verify(server, zone)
+
     # Test case function.
     def test_case():
         zone = test["zone"]
@@ -177,6 +301,7 @@ def test_kasp_cases(servers):
         pregenerated = False
         if test.get("pregenerated"):
             pregenerated = test["pregenerated"]
+        zsk_missing = zone == "zsk-missing.autosign"
 
         isctest.log.info(f"check test case zone {zone} policy {policy}")
 
@@ -203,7 +328,13 @@ def test_kasp_cases(servers):
 
         isctest.kasp.check_keytimes(keys, expected)
 
-        check_all(server, zone, policy, ksks, zsks)
+        check_all(server, zone, policy, ksks, zsks, zsk_missing=zsk_missing)
+
+        if "additional-tests" in test:
+            for additional_test in test["additional-tests"]:
+                callback = additional_test["callback"]
+                arguments = additional_test["arguments"]
+                callback(*arguments, zone=zone, policy=policy, ksks=ksks, zsks=zsks)
 
     # Test cases.
     rsa_cases = []
@@ -231,6 +362,78 @@ def test_kasp_cases(servers):
             "offset": -timedelta(days=30 * 6),
             "key-properties": autosign_properties,
         },
+        {
+            "zone": "expired-sigs.autosign",
+            "policy": "autosign",
+            "config": autosign_config,
+            "offset": -timedelta(days=30 * 6),
+            "key-properties": autosign_properties,
+            "additional-tests": [
+                {
+                    "callback": test_rrsig_refresh,
+                    "arguments": [],
+                },
+            ],
+        },
+        {
+            "zone": "fresh-sigs.autosign",
+            "policy": "autosign",
+            "config": autosign_config,
+            "offset": -timedelta(days=30 * 6),
+            "key-properties": autosign_properties,
+            "additional-tests": [
+                {
+                    "callback": test_rrsig_reuse,
+                    "arguments": [],
+                },
+            ],
+        },
+        {
+            "zone": "unfresh-sigs.autosign",
+            "policy": "autosign",
+            "config": autosign_config,
+            "offset": -timedelta(days=30 * 6),
+            "key-properties": autosign_properties,
+            "additional-tests": [
+                {
+                    "callback": test_rrsig_refresh,
+                    "arguments": [],
+                },
+            ],
+        },
+        {
+            "zone": "keyfiles-missing.autosign",
+            "policy": "autosign",
+            "config": autosign_config,
+            "offset": -timedelta(days=30 * 6),
+            "key-properties": autosign_properties,
+            "additional-tests": [
+                {
+                    "callback": test_remove_keyfiles,
+                    "arguments": [],
+                },
+            ],
+        },
+        {
+            "zone": "ksk-missing.autosign",
+            "policy": "autosign",
+            "config": autosign_config,
+            "offset": -timedelta(days=30 * 6),
+            "key-properties": [
+                f"ksk 63072000 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent missing",
+                f"zsk 31536000 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
+            ],
+        },
+        {
+            "zone": "zsk-missing.autosign",
+            "policy": "autosign",
+            "config": autosign_config,
+            "offset": -timedelta(days=30 * 6),
+            "key-properties": [
+                f"ksk 63072000 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
+                f"zsk 31536000 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent missing",
+            ],
+        },
         {
             "zone": "dnssec-keygen.kasp",
             "policy": "rsasha256",
@@ -255,6 +458,22 @@ def test_kasp_cases(servers):
             "config": kasp_config,
             "key-properties": fips_properties(8),
         },
+        {
+            "zone": "legacy-keys.kasp",
+            "policy": "migrate-to-dnssec-policy",
+            "config": kasp_config,
+            "pregenerated": True,
+            "key-properties": [
+                "ksk 16070400 8 2048 goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
+                "zsk 16070400 8 2048 goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+            ],
+            "additional-tests": [
+                {
+                    "callback": test_legacy_keys,
+                    "arguments": [],
+                },
+            ],
+        },
         {
             "zone": "pregenerated.kasp",
             "policy": "rsasha256",
@@ -274,6 +493,23 @@ def test_kasp_cases(servers):
             "config": kasp_config,
             "key-properties": fips_properties(10),
         },
+        {
+            "zone": "secondary.kasp",
+            "policy": "rsasha256",
+            "config": kasp_config,
+            "key-properties": fips_properties(8),
+            "additional-tests": [
+                {
+                    "callback": test_ixfr_is_signed,
+                    "arguments": [
+                        [
+                            "a.secondary.kasp. A 10.0.0.11",
+                            "d.secondary.kasp. A 10.0.0.4",
+                        ],
+                    ],
+                },
+            ],
+        },
         {
             "zone": "some-keys.kasp",
             "policy": "rsasha256",