Test purge-keys with views

Create a test scenario where a signed zone is in multiple views and
then a key may be purged. This is a bug case where the key files are
removed by one view and then the other view starts complaining.

diff --git a/bin/tests/system/kasp/ns4/named.conf.in b/bin/tests/system/kasp/ns4/named.conf.in
index df02b2d46291511281010dc12e4cb15d8d38c9a4..ac4406371b59cca9be85752712f0cf07dcf281ad 100644 (file)
--- a/bin/tests/system/kasp/ns4/named.conf.in
+++ b/bin/tests/system/kasp/ns4/named.conf.in
@@ -13,6 +13,8 @@
 
 // NS4
 
+include "purgekeys.conf";
+
 key rndc_key {
        secret "1234abcd8765";
        algorithm @DEFAULT_HMAC@;
@@ -154,6 +156,12 @@ view "example1" {
                inline-signing no;
                file "example1.db";
        };
+
+       zone "purgekeys.kasp" {
+               type primary;
+               file "purgekeys.kasp.example1.db";
+               dnssec-policy "purgekeys";
+       };
 };
 
 view "example2" {
@@ -163,6 +171,12 @@ view "example2" {
                type primary;
                file "example2.db";
        };
+
+       zone "purgekeys.kasp" {
+               type primary;
+               file "purgekeys.kasp.example2.db";
+               dnssec-policy "purgekeys";
+       };
 };
 
 view "example3" {

diff --git a/bin/tests/system/kasp/ns4/purgekeys1.conf b/bin/tests/system/kasp/ns4/purgekeys1.conf
new file mode 100644 (file)
index 0000000..9845c89
--- /dev/null
+++ b/bin/tests/system/kasp/ns4/purgekeys1.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "purgekeys" {
+       keys {
+               ksk key-directory lifetime 0 algorithm 13;
+               zsk key-directory lifetime P30D algorithm 13;
+       };
+       /*
+        * Initially set to 0, so no keys are purged. Keys that are no longer
+        * in use will still be in the zone's keyring, one per view. After
+        * reconfig the purge-keys value is set to 7 days, at least one key
+        * will be eligible for purging, and should be purged from both
+        * keyrings without issues.
+        */
+       purge-keys 0;
+       //purge-keys P7D;
+};

diff --git a/bin/tests/system/kasp/ns4/purgekeys2.conf b/bin/tests/system/kasp/ns4/purgekeys2.conf
new file mode 100644 (file)
index 0000000..62376c1
--- /dev/null
+++ b/bin/tests/system/kasp/ns4/purgekeys2.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "purgekeys" {
+       keys {
+               ksk key-directory lifetime 0 algorithm 13;
+               zsk key-directory lifetime P30D algorithm 13;
+       };
+       //purge-keys 0;
+       purge-keys P7D;
+};

diff --git a/bin/tests/system/kasp/ns4/setup.sh b/bin/tests/system/kasp/ns4/setup.sh
index c488bc4588146ecc963619e80835ff985a24a20d..2b1c9d7944b68a4befddd241309874168a9961a2 100644 (file)
--- a/bin/tests/system/kasp/ns4/setup.sh
+++ b/bin/tests/system/kasp/ns4/setup.sh
@@ -30,3 +30,22 @@ done
 
 cp example1.db.in example1.db
 cp example2.db.in example2.db
+
+# Regression test for GL #5315
+cp purgekeys1.conf purgekeys.conf
+cp example1.db.in purgekeys.kasp.example1.db
+cp example2.db.in purgekeys.kasp.example2.db
+
+zone="purgekeys.kasp"
+H="HIDDEN"
+O="OMNIPRESENT"
+T="now-9mo"
+# KSK omnipresent
+KSK=$($KEYGEN -fk -a 13 -L 3600 $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+# ZSK omnipresent
+ZSK1=$($KEYGEN -a 13 -L 3600 $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK1" >settime.out.$zone.2 2>&1
+# ZSK hidden (may be purged)
+ZSK2=$($KEYGEN -a 13 -L 3600 $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $H $T -z $H $T "$ZSK2" >settime.out.$zone.2 2>&1

diff --git a/bin/tests/system/kasp/tests_kasp.py b/bin/tests/system/kasp/tests_kasp.py
index 542f7f496c7ba532501bc9a3d5c14ef28865cc4b..e6bc020554a272ffa9a0bceee25e8290d54e0820 100644 (file)
--- a/bin/tests/system/kasp/tests_kasp.py
+++ b/bin/tests/system/kasp/tests_kasp.py
@@ -78,6 +78,8 @@ pytestmark = pytest.mark.extra_artifacts(
         "ns*/policies/*.conf",
         "ns3/legacy-keys.*",
         "ns3/dynamic-signed-inline-signing.kasp.db.signed.signed",
+        "ns4/purgekeys.conf",
+        "ns4/purgekeys2.conf",
     ]
 )
 
@@ -1566,6 +1568,33 @@ def test_kasp_zsk_retired(servers):
     server.log.prohibit(msg)
 
 
+def test_kasp_purge_keys(servers):
+    zone = "purgekeys.kasp"
+    server = servers["ns4"]
+
+    tsig1 = (
+        f"{os.environ['DEFAULT_HMAC']}:keyforview1:{KASP_INHERIT_TSIG_SECRET['view1']}"
+    )
+    tsig2 = (
+        f"{os.environ['DEFAULT_HMAC']}:keyforview2:{KASP_INHERIT_TSIG_SECRET['view2']}"
+    )
+
+    isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig1)
+    isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig2)
+
+    # Reconfig, make sure the purged key is not an issue when verifying keys.
+    shutil.copyfile("ns4/purgekeys2.conf", "ns4/purgekeys.conf")
+    with server.watch_log_from_here() as watcher:
+        server.rndc("reconfig", log=False)
+        watcher.wait_for_line(f"keymgr: {zone} done")
+
+    msg = f"zone {zone}/IN/example1 (signed): zone_rekey:zone_verifykeys failed: some key files are missing"
+    server.log.prohibit(msg)
+
+    msg = f"zone {zone}/IN/example2 (signed): zone_rekey:zone_verifykeys failed: some key files are missing"
+    server.log.prohibit(msg)
+
+
 def test_kasp_reload_restart(servers):
     server = servers["ns6"]
     zone = "example"