Add additional wait period for algorithm rollover

author Matthijs Mekking <matthijs@isc.org>

Thu, 20 Feb 2020 15:00:50 +0000 (16:00 +0100)

committer Matthijs Mekking <matthijs@isc.org>

Fri, 6 Mar 2020 14:57:48 +0000 (15:57 +0100)
author Matthijs Mekking <matthijs@isc.org>
Thu, 20 Feb 2020 15:00:50 +0000 (16:00 +0100)
committer Matthijs Mekking <matthijs@isc.org>
Fri, 6 Mar 2020 14:57:48 +0000 (15:57 +0100)
diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh

index 98239093c5c7e94483e189f8bc8992dcc346c076..cf2f2452ce2ad6aee4ce61821e3993f05184ae0f 100644 (file)
--- a/bin/tests/system/kasp/clean.sh
+++ b/bin/tests/system/kasp/clean.sh
@@ -22,4 +22,4 @@ rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
  rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
  rm -f ns*/managed-keys.bind
  rm -f ns*/*.mkeys
-rm -f ns*/zones ns*/*.db.infile
+rm -f ns*/zones* ns*/*.db.infile
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh

index 09d8bd0d791871edb46fb57feccf2f034a823cf0..cae347553527ef35e657d8730902d4c34ca07a72 100644 (file)
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@@ -19,6 +19,7 @@ setup() {
         echo_i "setting up zone: $zone"
         zonefile="${zone}.db"
         infile="${zone}.db.infile"
+       echo "$zone" >> zones.2
  }
  
  private_type_record() {
@@ -46,7 +47,6 @@ U="UNRETENTIVE"
  # Step 1:
  # Introduce the first key. This will immediately be active.
  setup step1.algorithm-roll.kasp
-echo "$zone" >> zones
  KSK=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
  ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2)
  TactN="now"
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh

index f1cef6cd528f1bd3f6d131166d78da21117a3a69..d5f6b1808a214506d497ae6efb5b68e3a1ba77ee 100644 (file)
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -465,6 +465,9 @@ dnssec_verify()
         status=$((status+ret))
  }
  
+# Default next key event threshold. May be extended by wait periods.
+next_key_event_threshold=100
+
  ###############################################################################
  # Tests                                                                       #
  ###############################################################################
@@ -611,7 +614,6 @@ check_key "KEY1" "$id"
  test "$ret" -eq 0 || echo_i "failed"
  status=$((status+ret))
  
-
  #
  # named
  #
@@ -649,6 +651,8 @@ done
  test "$ret" -eq 0 || echo_i "failed"
  status=$((status+ret))
  
+next_key_event_threshold=$((next_key_event_threshold+i))
+
  #
  # Zone: default.kasp.
  #
@@ -1632,10 +1636,10 @@ check_next_key_event() {
         # Get the latest next key event.
         _time=$(awk '{print $10}' < "keyevent.out.$ZONE.test$n" | tail -1)
  
-       # The next key event time must within 60 seconds of the
+       # The next key event time must within threshold of the
         # expected time.
-       _expectmin=$((_expect-60))
-       _expectmax=$((_expect+60))
+       _expectmin=$((_expect-next_key_event_threshold))
+       _expectmax=$((_expect+next_key_event_threshold))
  
         test $_expectmin -le "$_time" || log_error "bad next key event time ${_time} for zone ${ZONE} (expect ${_expect})"
         test $_expectmax -ge "$_time" || log_error "bad next key event time ${_time} for zone ${ZONE} (expect ${_expect})"
@@ -2272,6 +2276,34 @@ echo_i "reconfig dnssec-policy to trigger algorithm rollover"
  copy_setports ns6/named2.conf.in ns6/named.conf
  rndc_reconfig ns6 10.53.0.6
  
+#  The NSEC record at the apex of the zone and its RRSIG records are
+#  added as part of the last step in signing a zone.  We wait for the
+#  NSEC records to appear before proceeding with a counter to prevent
+#  infinite loops if there is a error.
+#
+n=$((n+1))
+echo_i "waiting for reconfig signing changes to take effect ($n)"
+i=0
+while [ $i -lt 30 ]
+do
+       ret=0
+       while read -r zone
+       do
+               dig_with_opts "$zone" @10.53.0.6 nsec > "dig.out.ns6.test$n.$zone" || ret=1
+               grep "NS SOA" "dig.out.ns6.test$n.$zone" > /dev/null || ret=1
+               grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" > /dev/null || ret=1
+       done < ns6/zones.2
+
+       i=$((i+1))
+       if [ $ret = 0 ]; then break; fi
+       echo_i "waiting ... ($i)"
+       sleep 1
+done
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+next_key_event_threshold=$((next_key_event_threshold+i))
+
  #
  # Testing KSK/ZSK algorithm rollover.
  #
author	Matthijs Mekking <matthijs@isc.org>
	Thu, 20 Feb 2020 15:00:50 +0000 (16:00 +0100)
committer	Matthijs Mekking <matthijs@isc.org>
	Fri, 6 Mar 2020 14:57:48 +0000 (15:57 +0100)
bin/tests/system/kasp/clean.sh		patch \| blob \| blame \| history
bin/tests/system/kasp/ns6/setup.sh		patch \| blob \| blame \| history
bin/tests/system/kasp/tests.sh		patch \| blob \| blame \| history