--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=redefined-outer-name,unused-import
+
+import os
+import shutil
+import time
+
+import dns.update
+import pytest
+
+pytest.importorskip("dns", minversion="2.0.0")
+import isctest
+import isctest.mark
+from isctest.vars.algorithms import RSASHA1
+from nsec3.common import (
+ ALGORITHM,
+ SIZE,
+ default_config,
+ pytestmark,
+ check_nsec3_case,
+)
+
+
+@pytest.fixture(scope="module", autouse=True)
+def after_servers_start(ns3, templates):
+
+ def check_soa_update():
+ query = isctest.query.create(fqdn, dns.rdatatype.SOA)
+ response = isctest.query.tcp(query, ns3.ip, attempts=1, timeout=2)
+ rrset = response.get_rrset(
+ response.answer,
+ dns.name.from_text(fqdn),
+ dns.rdataclass.IN,
+ dns.rdatatype.SOA,
+ )
+ return rrset[0].minimum == 900
+
+ nsdir = ns3.identifier
+
+ zone = "nsec3-change.kasp"
+ fqdn = f"{zone}."
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
+ shutil.copyfile(f"{nsdir}/template2.db.in", f"{nsdir}/{zone}.db")
+ ns3.rndc(f"reload {zone}")
+
+ isctest.run.retry_with_timeout(check_soa_update, timeout=10)
+ # After reconfig, the NSEC3PARAM TTL should match the new SOA MINIMUM.
+
+ # Reconfigure.
+ templates.render(f"{nsdir}/named-fips.conf", {"reconfiged": True})
+ templates.render(f"{nsdir}/named-rsasha1.conf", {"reconfiged": True})
+
+ # Wait for the NSEC3 chain is finished rebuilding.
+ messages = [
+ f"zone {zone}/IN (signed): generated salt",
+ f"zone_nsec3chain: zone {zone}/IN (signed): enter",
+ f"add {zone}. 900 IN NSEC3PARAM 1 0 0",
+ f"zone_needdump: zone {zone}/IN (signed): enter",
+ ]
+ with ns3.watch_log_from_start() as watcher:
+ ns3.reconfigure()
+ watcher.wait_for_sequence(messages)
+
+
+def test_nsec3_case(ns3):
+ # Get test parameters.
+ params = {
+ "zone": "nsec3-change.kasp",
+ "policy": "nsec3",
+ "soa-minimum": 900,
+ "nsec3param": {
+ "optout": 1,
+ "salt-length": 8,
+ },
+ "key-properties": [
+ f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ ],
+ }
+ zone = params["zone"]
+
+ # First make sure the zone is properly signed.
+ isctest.kasp.wait_keymgr_done(ns3, zone, reconfig=True)
+
+ # Test case.
+ check_nsec3_case(ns3, params)
+
+ # Using rndc signing -nsec3param (should fail)
+ isctest.log.info(f"use rndc signing -nsec3param {zone} to change NSEC3 settings")
+ response = ns3.rndc(f"signing -nsec3param 1 1 12 ffff {zone}")
+ assert "zone uses dnssec-policy, use rndc dnssec command instead" in response
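Review bot: `check_soa_update` indexes `rrset[0]` without a `None` check; dnspython's `Message.get_rrset` returns `None` when the answer section has no matching RRset, so a response without an SOA while the reload is in flight raises `TypeError` instead of returning False to `retry_with_timeout`, and whether that helper treats exceptions as a retryable failure is not visible from here. Suggest `return rrset is not None and rrset[0].minimum == 900`. Separately, `pytest.importorskip("dns", minversion="2.0.0")` is placed after `import dns.update`, so a missing dnspython produces a collection error rather than the intended skip; move the `importorskip` line above `import dns.update`. The module also relies on `dns.name`, `dns.rdataclass` and `dns.rdatatype` being pulled in transitively by `dns.update`; importing them explicitly would make the dependency obvious.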
@pytest.fixture(scope="module", autouse=True)
def after_servers_start(ns3, templates):
-
- def wait_for_soa_update():
- match = "20 20 1814400 900"
-
- for _ in range(5):
- query = isctest.query.create(fqdn, dns.rdatatype.SOA)
- response = isctest.query.tcp(query, ns3.ip)
- rrset = response.get_rrset(
- response.answer,
- dns.name.from_text(fqdn),
- dns.rdataclass.IN,
- dns.rdatatype.SOA,
- )
- if match in str(rrset[0]):
- return True
-
- return False
-
- nsdir = ns3.identifier
-
- # Extra test for nsec3-change.kasp.
- zone = "nsec3-change.kasp"
- fqdn = f"{zone}."
- isctest.kasp.wait_keymgr_done(ns3, zone)
- shutil.copyfile(f"{nsdir}/template2.db.in", f"{nsdir}/{zone}.db")
- ns3.rndc(f"reload {zone}")
-
- isctest.run.retry_with_timeout(wait_for_soa_update, timeout=5)
- # After reconfig, the NSEC3PARAM TTL should match the new SOA MINIMUM.
-
# Ensure rsasha1-to-nsec3-wait.kasp is fully signed prior to reconfig.
with_rsasha1 = "RSASHA1_SUPPORTED"
assert with_rsasha1 in os.environ, f"{with_rsasha1} env variable undefined"
isctest.kasp.check_dnssec_verify(ns3, zone)
# Reconfigure.
- templates.render(f"{nsdir}/named-fips.conf", {"reconfiged": True})
- templates.render(f"{nsdir}/named-rsasha1.conf", {"reconfiged": True})
+ templates.render(f"{ns3.identifier}/named-fips.conf", {"reconfiged": True})
+ templates.render(f"{ns3.identifier}/named-rsasha1.conf", {"reconfiged": True})
ns3.reconfigure()
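Review bot: The retained `isctest.kasp.check_dnssec_verify(ns3, zone)` now references an unbound name, because the only assignment `zone = "nsec3-change.kasp"` in `after_servers_start` is removed by this hunk; on the new side the autouse, module-scoped fixture raises `NameError` and every test in the module errors out (unless a module-level `zone` exists outside the hunk, which nothing here suggests). The comment above that call says the intent is to confirm rsasha1-to-nsec3-wait.kasp is fully signed before reconfig, whereas the old code verified nsec3-change.kasp, so this is also the place to fix that mismatch: add `zone = "rsasha1-to-nsec3-wait.kasp"` immediately before the `check_dnssec_verify` call. The `RSASHA1_SUPPORTED` environment assertion is still only a presence check, which is presumably intentional since the conf templates decide which policy is active.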
},
id="nsec3-dynamic.kasp",
),
- pytest.param(
- {
- "zone": "nsec3-change.kasp",
- "policy": "nsec3",
- "soa-minimum": 900,
- "nsec3param": {
- "optout": 1,
- "salt-length": 8,
- },
- "key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
- ],
- },
- id="nsec3-change.kasp",
- ),
pytest.param(
{
"zone": "nsec3-dynamic-change.kasp",
# Test case.
check_nsec3_case(ns3, params)
- # Extra test for nsec3-change.kasp.
- if zone == "nsec3-change.kasp":
- # Using rndc signing -nsec3param (should fail)
- isctest.log.info(
- f"use rndc signing -nsec3param {zone} to change NSEC3 settings"
- )
- response = ns3.rndc(f"signing -nsec3param 1 1 12 ffff {zone}")
- assert "zone uses dnssec-policy, use rndc dnssec command instead" in response
-
def test_nsec3_ent(ns3, templates):
# Zone: nsec3-ent.kasp (regression test for #5108)