Use common test functions for three-is-a-crowd test
authorNicki Křížek <nicki@isc.org>
Tue, 10 Jun 2025 14:03:26 +0000 (16:03 +0200)
committerNicki Křížek <nicki@isc.org>
Fri, 18 Jul 2025 11:37:58 +0000 (13:37 +0200)
Previously, a lot of the checking was re-implemented and duplicated from
check_rollover_step(). Use that function where possible and only
override the needed checks.

bin/tests/system/isctest/kasp.py
bin/tests/system/rollover/tests_rollover.py

index b846786c03c42ccbcd7a264537c77efaaaa2dbf8..74561aea2de29d3608e840d0fee6391ed18bd197 100644 (file)
@@ -1168,7 +1168,7 @@ def check_subdomain(
 def check_rollover_step(server, config, policy, step):
     zone = step["zone"]
     keyprops = step["keyprops"]
-    nextev = step["nextev"]
+    nextev = step.get("nextev", None)
     cdss = step.get("cdss", None)
     keyrelationships = step.get("keyrelationships", None)
     smooth = step.get("smooth", False)
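Review bot: Making `nextev` optional at the top of check_rollover_step, together with the `if nextev is not None:` guard in the second hunk of this file, means a step dict that omits or misspells the key now silently skips the next-key-event check where it used to fail with a KeyError. For a DNSSEC rollover test that is a quiet loss of coverage, so the skip should be visible in the test log. Add an `else:` branch with `isctest.log.info(f"{zone}: no nextev in step, next key event not checked")`, or at least a comment above the lookup such as `# nextev is optional; when absent the next key event is not checked`. The middle of the function lies between the two hunks, so any other use of `nextev` there could not be checked.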
@@ -1244,7 +1244,8 @@ def check_rollover_step(server, config, policy, step):
     def check_next_key_event():
         return next_key_event_equals(server, zone, nextev)
 
-    isctest.run.retry_with_timeout(check_next_key_event, timeout=5)
+    if nextev is not None:
+        isctest.run.retry_with_timeout(check_next_key_event, timeout=5)
 
 
 def verify_update_is_signed(server, fqdn, qname, qtype, rdata, ksks, zsks, tsig=None):
index 5a794d9e6e7666b26aedb990b496f8f699237f64..02f07969b2de57abd7c3ad53cec273b0089ec975 100644 (file)
@@ -564,51 +564,52 @@ def test_rollover_ksk_doubleksk(servers):
     iret = Iret(config, zsk=False, ksk=True)
 
     # Test #2375: Scheduled rollovers are happening faster than they can finish.
-    zone = "three-is-a-crowd.kasp"
     isctest.log.info(
         "check that fast rollovers do not remove dependent keys from zone (#2375)"
     )
     offset1 = -int(timedelta(days=60).total_seconds())
     offset2 = -int(timedelta(hours=27).total_seconds())
-    isctest.kasp.check_dnssec_verify(server, zone)
-    keyprops = [
-        f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offset1}",
-        f"ksk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offset2}",
-        f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offset1}",
-    ]
-    expected = isctest.kasp.policy_to_properties(ttl, keyprops)
+    zone = "three-is-a-crowd.kasp"
+    step = {
+        "zone": zone,
+        "cdss": cdss,
+        "keyprops": [
+            f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offset1}",
+            f"ksk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offset2}",
+            f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offset1}",
+        ],
+        "keyrelationships": [0, 1],
+    }
+    isctest.kasp.check_rollover_step(servers["ns3"], config, policy, step)
+
+    # Rollover successor KSK (with DS in rumoured state).
+    expected = isctest.kasp.policy_to_properties(ttl, step["keyprops"])
     keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
-    ksks = [k for k in keys if k.is_ksk()]
-    zsks = [k for k in keys if not k.is_ksk()]
     isctest.kasp.check_keys(zone, keys, expected)
-    expected[0].metadata["Successor"] = expected[1].key.tag
-    expected[1].metadata["Predecessor"] = expected[0].key.tag
-    isctest.kasp.check_keyrelationships(keys, expected)
-    for kp in expected:
-        kp.set_expected_keytimes(config, offset=None)
-    isctest.kasp.check_keytimes(keys, expected)
-    isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy)
-    isctest.kasp.check_apex(server, zone, ksks, zsks, cdss=cdss)
-    isctest.kasp.check_subdomain(server, zone, ksks, zsks)
-    # Rollover successor KSK (with DS in rumoured state).
     key = expected[1].key
     now = KeyTimingMetadata.now()
     with server.watch_log_from_here() as watcher:
         server.rndc(f"dnssec -rollover -key {key.tag} -when {now} {zone}")
         watcher.wait_for_line(f"keymgr: {zone} done")
-    isctest.kasp.check_dnssec_verify(server, zone)
+
     # We now expect four keys (3x KSK, 1x ZSK).
-    keyprops = [
-        f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offset1}",
-        f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offset2}",
-        f"ksk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden offset:0",
-        f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offset1}",
-    ]
-    expected = isctest.kasp.policy_to_properties(ttl, keyprops)
+    step = {
+        "zone": zone,
+        "cdss": cdss,
+        "keyprops": [
+            f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offset1}",
+            f"ksk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offset2}",
+            f"ksk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden offset:0",
+            f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offset1}",
+        ],
+        "check-keytimes": False,  # checked manually with modified values
+    }
+    isctest.kasp.check_rollover_step(servers["ns3"], config, policy, step)
+
+    expected = isctest.kasp.policy_to_properties(ttl, step["keyprops"])
     keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
-    ksks = [k for k in keys if k.is_ksk()]
-    zsks = [k for k in keys if not k.is_ksk()]
     isctest.kasp.check_keys(zone, keys, expected)
+
     expected[0].metadata["Successor"] = expected[1].key.tag
     expected[1].metadata["Predecessor"] = expected[0].key.tag
     # Three is a crowd scenario.
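Review bot: Both new `check_rollover_step(servers["ns3"], ...)` calls index the fixture directly, while every other line of this block (`server.identifier`, `server.rndc(...)`, `server.watch_log_from_here()`) goes through the local `server`. The assignment of `server` is outside the hunk. Assuming it is `servers["ns3"]`, pass it instead, so the step check cannot drift to a different instance than the one that receives the rndc rollover: `isctest.kasp.check_rollover_step(server, config, policy, step)`. The enclosing test_rollover_ksk_doubleksk starts before this hunk and continues after it.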
@@ -617,10 +618,9 @@ def test_rollover_ksk_doubleksk(servers):
     isctest.kasp.check_keyrelationships(keys, expected)
     for kp in expected:
         kp.set_expected_keytimes(config, offset=None)
+
     # The first successor KSK is already being retired.
     expected[1].timing["Retired"] = now + ipub
     expected[1].timing["Removed"] = now + ipub + iret
+
     isctest.kasp.check_keytimes(keys, expected)
-    isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy)
-    isctest.kasp.check_apex(server, zone, ksks, zsks, cdss=cdss)
-    isctest.kasp.check_subdomain(server, zone, ksks, zsks)