return False
-def test_rndc_deadlock(servers):
+def test_rndc_deadlock(ns3):
"""
Test whether running "rndc addzone", "rndc modzone", and "rndc delzone"
commands concurrently does not trigger a deadlock
"""
test_state = {"finished": False}
- ns3 = servers["ns3"]
# Create 4 worker threads running "rndc" commands in a loop.
with concurrent.futures.ThreadPoolExecutor() as executor:
@pytest.mark.parametrize("params", checkds_tests, ids=lambda t: t.zone)
-def test_checkds(servers, params):
+def test_checkds(ns2, ns9, params):
# Wait until the provided zone is signed and then verify its DNSSEC data.
- zone_check(servers["ns9"], params.zone)
+ zone_check(ns9, params.zone)
# Wait up to 10 seconds until all the expected log lines are found in the
# log file for the provided server. Rekey every second if necessary.
time_remaining = 10
for log_string in params.logs_to_wait_for:
line = f"zone {params.zone}/IN (signed): checkds: {log_string}"
- while line not in servers["ns9"].log:
+ while line not in ns9.log:
rekey(params.zone)
time_remaining -= 1
assert time_remaining, f'Timed out waiting for "{log_string}" to be logged'
# Check whether key states on the parent server provided match
# expectations.
- keystate_check(servers["ns2"], params.zone, params.expected_parent_state)
+ keystate_check(ns2, params.zone, params.expected_parent_state)
# information regarding copyright ownership.
-def test_configloading_log(servers):
+def test_configloading_log(ns1):
"""
This test is a "guard/warning" to make sure the named.conf loading
(parsing) is done outside of the exclusive mode (so, named is still able to
is currently based on logging, so it's quite brittle.
"""
- server = servers["ns1"]
log_sequence = [
"load_configuration",
"parsing user configuration from ",
"loop exclusive mode: starting",
]
- with server.watch_log_from_start() as watcher:
+ with ns1.watch_log_from_start() as watcher:
watcher.wait_for_sequence(log_sequence)
- with server.watch_log_from_here() as watcher:
- server.rndc("reconfig")
+ with ns1.watch_log_from_here() as watcher:
+ ns1.rndc("reconfig")
watcher.wait_for_sequence(log_sequence)
- with server.watch_log_from_here() as watcher:
- server.rndc("reload")
+ with ns1.watch_log_from_here() as watcher:
+ ns1.rndc("reload")
watcher.wait_for_sequence(log_sequence)
except ValueError:
continue
return instances
+
+
+@pytest.fixture(scope="module")
+def ns1(servers):
+ return servers["ns1"]
+
+
+@pytest.fixture(scope="module")
+def ns2(servers):
+ return servers["ns2"]
+
+
+@pytest.fixture(scope="module")
+def ns3(servers):
+ return servers["ns3"]
+
+
+@pytest.fixture(scope="module")
+def ns4(servers):
+ return servers["ns4"]
+
+
+@pytest.fixture(scope="module")
+def ns5(servers):
+ return servers["ns5"]
+
+
+@pytest.fixture(scope="module")
+def ns6(servers):
+ return servers["ns6"]
+
+
+@pytest.fixture(scope="module")
+def ns7(servers):
+ return servers["ns7"]
+
+
+@pytest.fixture(scope="module")
+def ns8(servers):
+ return servers["ns8"]
+
+
+@pytest.fixture(scope="module")
+def ns9(servers):
+ return servers["ns9"]
+
+
+@pytest.fixture(scope="module")
+def ns10(servers):
+ return servers["ns10"]
import dns.message
-def test_database(servers, templates):
+def test_database(ns1, templates):
msg = dns.message.make_query("database.", "SOA")
# checking pre reload zone
)
templates.render("ns1/named.conf", {"rname": "marka.isc.org."})
- with servers["ns1"].watch_log_from_here() as watcher:
- servers["ns1"].rndc("reload")
+ with ns1.watch_log_from_here() as watcher:
+ ns1.rndc("reload")
watcher.wait_for_line("all zones loaded")
# checking post reload zone
import isctest
-def test_emptyzones(servers, templates):
+def test_emptyzones(ns1, templates):
# check that switching to automatic empty zones works
- ns1 = servers["ns1"]
with ns1.watch_log_from_here() as watcher:
ns1.rndc("reload")
watcher.wait_for_line("all zones loaded")
),
],
)
-def test_kasp_case(servers, params):
+def test_kasp_case(servers, ns3, params):
# Test many different configurations and expected keys and states after
# initial startup.
- server = servers["ns3"]
- keydir = server.identifier
+ keydir = ns3.identifier
# Get test parameters.
zone = params["zone"]
isctest.log.info(f"check test case zone {zone} policy {policy}")
# First make sure the zone is signed.
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
# Key properties.
expected = isctest.kasp.policy_to_properties(ttl=ttl, keys=params["key-properties"])
ksks = [k for k in keys if k.is_ksk()]
zsks = [k for k in keys if not k.is_ksk()]
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
isctest.kasp.check_keys(zone, keys, expected)
offset = params["offset"] if "offset" in params else None
if "rumoured" not in params:
isctest.kasp.check_keytimes(keys, expected)
- check_all(server, zone, policy, ksks, zsks, zsk_missing=zsk_missing)
+ check_all(ns3, zone, policy, ksks, zsks, zsk_missing=zsk_missing)
if "additional-tests" in params:
params["servers"] = servers
param("3", "no", "yes", "view2"),
],
)
-def test_kasp_inherit_view(number, dynamic, inline_signing, txt_rdata, servers):
+def test_kasp_inherit_view(number, dynamic, inline_signing, txt_rdata, ns4):
zone = "example.net"
policy = "test"
- server = servers["ns4"]
view = f"example{number}"
tsig = f"{os.environ['DEFAULT_HMAC']}:keyforview{number}:{KASP_INHERIT_TSIG_SECRET[f'view{number}']}"
key1 = KeyProperties.default()
key1.metadata["Algorithm"] = ECDSAP384SHA384.number
key1.metadata["Length"] = ECDSAP384SHA384.bits
- keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
+ keys = isctest.kasp.keydir_to_keylist(zone, ns4.identifier)
- isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig)
+ isctest.kasp.check_dnssec_verify(ns4, zone, tsig=tsig)
isctest.kasp.check_keys(zone, keys, [key1])
set_keytimes_default_policy(key1)
isctest.kasp.check_keytimes(keys, [key1])
- isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy, view=view)
- isctest.kasp.check_apex(server, zone, keys, [], tsig=tsig)
+ isctest.kasp.check_dnssecstatus(ns4, zone, keys, policy=policy, view=view)
+ isctest.kasp.check_apex(ns4, zone, keys, [], tsig=tsig)
# check zonestatus
- response = server.rndc(f"zonestatus {zone} in {view}", log=False)
+ response = ns4.rndc(f"zonestatus {zone} in {view}", log=False)
assert f"dynamic: {dynamic}" in response
assert f"inline signing: {inline_signing}" in response
# check subdomain
keyring = dns.tsig.Key(tsigkey[1], tsigkey[2], tsigkey[0])
query.use_tsig(keyring)
try:
- response = isctest.query.tcp(query, server.ip, server.ports.dns, timeout=3)
+ response = isctest.query.tcp(query, ns4.ip, ns4.ports.dns, timeout=3)
except dns.exception.Timeout:
- isctest.log.debug(f"query timeout for query {qname} {qtype} to {server.ip}")
+ isctest.log.debug(f"query timeout for query {qname} {qtype} to {ns4.ip}")
response = None
assert response.rcode() == dns.rcode.NOERROR
match = f'{qname} 300 IN TXT "{rdata}"'
isctest.kasp.check_signatures(rrsigs, qtype, fqdn, keys, [])
-def test_kasp_default(servers):
- server = servers["ns3"]
-
+def test_kasp_default(ns3):
# check the zone with default kasp policy has loaded and is signed.
isctest.log.info("check a zone with the default policy is signed")
zone = "default.kasp"
]
expected = isctest.kasp.policy_to_properties(ttl=3600, keys=keyprops)
keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
isctest.kasp.check_keys(zone, keys, expected)
set_keytimes_default_policy(expected[0])
isctest.kasp.check_keytimes(keys, expected)
- check_all(server, zone, policy, keys, [])
+ check_all(ns3, zone, policy, keys, [])
# Trigger a keymgr run. Make sure the key files are not touched if there
# are no modifications to the key metadata.
pubkey_stat = os.stat(key.keyfile)
state_stat = os.stat(key.statefile)
- with server.watch_log_from_here() as watcher:
- server.rndc(f"loadkeys {zone}", log=False)
+ with ns3.watch_log_from_here() as watcher:
+ ns3.rndc(f"loadkeys {zone}", log=False)
watcher.wait_for_line(f"keymgr: {zone} done")
assert privkey_stat.st_mtime == os.stat(key.privatefile).st_mtime
assert state_stat.st_mtime == os.stat(key.statefile).st_mtime
# again
- with server.watch_log_from_here() as watcher:
- server.rndc(f"loadkeys {zone}", log=False)
+ with ns3.watch_log_from_here() as watcher:
+ ns3.rndc(f"loadkeys {zone}", log=False)
watcher.wait_for_line(f"keymgr: {zone} done")
assert privkey_stat.st_mtime == os.stat(key.privatefile).st_mtime
# modify unsigned zone file and check that new record is signed.
isctest.log.info("check that an updated zone signs the new record")
shutil.copyfile("ns3/template2.db.in", f"ns3/{zone}.db")
- server.rndc(f"reload {zone}", log=False)
+ ns3.rndc(f"reload {zone}", log=False)
def update_is_signed():
parts = update.split()
qtype = dns.rdatatype.from_text(parts[1])
rdata = parts[2]
return isctest.kasp.verify_update_is_signed(
- server, zone, qname, qtype, rdata, keys, []
+ ns3, zone, qname, qtype, rdata, keys, []
)
expected_updates = [f"a.{zone}. A 10.0.0.11", f"d.{zone}. A 10.0.0.44"]
isctest.log.info("check that missing private key doesn't trigger rollover")
shutil.move(f"{key.privatefile}", f"{key.path}.offline")
expectmsg = "zone_rekey:zone_verifykeys failed: some key files are missing"
- with server.watch_log_from_here() as watcher:
- server.rndc(f"loadkeys {zone}", log=False)
+ with ns3.watch_log_from_here() as watcher:
+ ns3.rndc(f"loadkeys {zone}", log=False)
watcher.wait_for_line(f"zone {zone}/IN (signed): {expectmsg}")
# Nothing has changed.
expected[0].properties["private"] = False
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
isctest.kasp.check_keys(zone, keys, expected)
isctest.kasp.check_keytimes(keys, expected)
- check_all(server, zone, policy, keys, [])
+ check_all(ns3, zone, policy, keys, [])
# A zone that uses inline-signing.
isctest.log.info("check an inline-signed zone with the default policy is signed")
key1 = KeyProperties.default()
keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
expected = [key1]
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
isctest.kasp.check_keys(zone, keys, expected)
set_keytimes_default_policy(key1)
isctest.kasp.check_keytimes(keys, expected)
- check_all(server, zone, policy, keys, [])
-
+ check_all(ns3, zone, policy, keys, [])
-def test_kasp_dynamic(servers):
- # Dynamic update test cases.
- server = servers["ns3"]
+def test_kasp_dynamic(ns3):
# Standard dynamic zone.
isctest.log.info("check dynamic zone is updated and signed after update")
zone = "dynamic.kasp"
key1 = KeyProperties.default()
expected = [key1]
keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
isctest.kasp.check_keys(zone, keys, expected)
set_keytimes_default_policy(key1)
expected = [key1]
isctest.kasp.check_keytimes(keys, expected)
- check_all(server, zone, policy, keys, [])
+ check_all(ns3, zone, policy, keys, [])
def update_is_signed():
parts = update.split()
qtype = dns.rdatatype.from_text(parts[1])
rdata = parts[2]
return isctest.kasp.verify_update_is_signed(
- server, zone, qname, qtype, rdata, keys, []
+ ns3, zone, qname, qtype, rdata, keys, []
)
update_msg = dns.update.UpdateMessage(zone)
update_msg.delete(f"a.{zone}.", "A", "10.0.0.1")
update_msg.add(f"a.{zone}.", 300, "A", "10.0.0.101")
update_msg.add(f"d.{zone}.", 300, "A", "10.0.0.4")
- server.nsupdate(update_msg)
+ ns3.nsupdate(update_msg)
expected_updates = [f"a.{zone}. A 10.0.0.101", f"d.{zone}. A 10.0.0.4"]
for update in expected_updates:
update_msg.add(f"a.{zone}.", 300, "A", "10.0.0.1")
update_msg.delete(f"a.{zone}.", "A", "10.0.0.101")
update_msg.delete(f"d.{zone}.", "A", "10.0.0.4")
- server.nsupdate(update_msg)
+ ns3.nsupdate(update_msg)
update = f"a.{zone}. A 10.0.0.1"
isctest.run.retry_with_timeout(update_is_signed, timeout=5)
# Update zone with freeze/thaw.
isctest.log.info("check dynamic zone is updated and signed after freeze and thaw")
- with server.watch_log_from_here() as watcher:
- server.rndc(f"freeze {zone}", log=False)
+ with ns3.watch_log_from_here() as watcher:
+ ns3.rndc(f"freeze {zone}", log=False)
watcher.wait_for_line(f"freezing zone '{zone}/IN': success")
time.sleep(1)
zonefile.write(f"d.{zone}. 300 A 10.0.0.44\n")
time.sleep(1)
- with server.watch_log_from_here() as watcher:
- server.rndc(f"thaw {zone}", log=False)
+ with ns3.watch_log_from_here() as watcher:
+ ns3.rndc(f"thaw {zone}", log=False)
watcher.wait_for_line(f"thawing zone '{zone}/IN': success")
expected_updates = [f"a.{zone}. A 10.0.0.1", f"d.{zone}. A 10.0.0.44"]
key1 = KeyProperties.default()
expected = [key1]
keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
isctest.kasp.check_keys(zone, keys, expected)
set_keytimes_default_policy(key1)
expected = [key1]
isctest.kasp.check_keytimes(keys, expected)
- check_all(server, zone, policy, keys, [])
+ check_all(ns3, zone, policy, keys, [])
# Update zone with freeze/thaw.
isctest.log.info(
"check dynamic inline-signed zone is updated and signed after freeze and thaw"
)
- with server.watch_log_from_here() as watcher:
- server.rndc(f"freeze {zone}", log=False)
+ with ns3.watch_log_from_here() as watcher:
+ ns3.rndc(f"freeze {zone}", log=False)
watcher.wait_for_line(f"freezing zone '{zone}/IN': success")
time.sleep(1)
shutil.copyfile("ns3/template2.db.in", f"ns3/{zone}.db")
time.sleep(1)
- with server.watch_log_from_here() as watcher:
- server.rndc(f"thaw {zone}", log=False)
+ with ns3.watch_log_from_here() as watcher:
+ ns3.rndc(f"thaw {zone}", log=False)
watcher.wait_for_line(f"thawing zone '{zone}/IN': success")
expected_updates = [f"a.{zone}. A 10.0.0.11", f"d.{zone}. A 10.0.0.44"]
key1.metadata["DSState"] = "omnipresent"
expected = [key1]
keys = isctest.kasp.keydir_to_keylist(zone, "ns3/keys")
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
isctest.kasp.check_keys(zone, keys, expected)
- check_all(server, zone, policy, keys, [])
+ check_all(ns3, zone, policy, keys, [])
# Ensure no zone_resigninc for the unsigned version of the zone is triggered.
assert f"zone_resigninc: zone {zone}/IN (unsigned): enter" not in "ns3/named.run"
-def test_kasp_checkds(servers):
- server = servers["ns3"]
-
+def test_kasp_checkds(ns3):
def wait_for_metadata():
return isctest.util.file_contents_contain(ksk.statefile, metadata)
keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
ksks = [k for k in keys if k.is_ksk()]
zsks = [k for k in keys if k.is_zsk()]
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
isctest.kasp.check_keys(zone, keys, expected)
- check_all(server, zone, policy, ksks, zsks)
+ check_all(ns3, zone, policy, ksks, zsks)
now = KeyTimingMetadata.now()
ksk = ksks[0]
isctest.log.info("check if checkds -publish correctly sets DSPublish")
- server.rndc(f"dnssec -checkds -when {now} published {zone}", log=False)
+ ns3.rndc(f"dnssec -checkds -when {now} published {zone}", log=False)
metadata = f"DSPublish: {now}"
isctest.run.retry_with_timeout(wait_for_metadata, timeout=3)
expected[0].metadata["DSState"] = "rumoured"
isctest.kasp.check_keys(zone, keys, expected)
isctest.log.info("check if checkds -withdrawn correctly sets DSRemoved")
- server.rndc(f"dnssec -checkds -when {now} withdrawn {zone}", log=False)
+ ns3.rndc(f"dnssec -checkds -when {now} withdrawn {zone}", log=False)
metadata = f"DSRemoved: {now}"
isctest.run.retry_with_timeout(wait_for_metadata, timeout=3)
expected[0].metadata["DSState"] = "unretentive"
isctest.kasp.check_keys(zone, keys, expected)
-def test_kasp_checkds_doubleksk(servers):
- server = servers["ns3"]
-
+def test_kasp_checkds_doubleksk(ns3):
def wait_for_metadata():
return isctest.util.file_contents_contain(ksk.statefile, metadata)
keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
ksks = [k for k in keys if k.is_ksk()]
zsks = [k for k in keys if k.is_zsk()]
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
isctest.kasp.check_keys(zone, keys, expected)
- check_all(server, zone, policy, ksks, zsks)
+ check_all(ns3, zone, policy, ksks, zsks)
now = KeyTimingMetadata.now()
ksk = ksks[0]
isctest.log.info("check invalid checkds commands")
def check_error():
- response = server.rndc(test["command"], log=False)
+ response = ns3.rndc(test["command"], log=False)
assert test["error"] in response
test_cases = [
check_error()
isctest.log.info("check if checkds -publish -key correctly sets DSPublish")
- server.rndc(
- f"dnssec -checkds -when {now} -key {ksk.tag} published {zone}", log=False
- )
+ ns3.rndc(f"dnssec -checkds -when {now} -key {ksk.tag} published {zone}", log=False)
metadata = f"DSPublish: {now}"
isctest.run.retry_with_timeout(wait_for_metadata, timeout=3)
expected[0].metadata["DSState"] = "rumoured"
isctest.log.info("check if checkds -withdrawn -key correctly sets DSRemoved")
ksk = ksks[1]
- server.rndc(
- f"dnssec -checkds -when {now} -key {ksk.tag} withdrawn {zone}", log=False
- )
+ ns3.rndc(f"dnssec -checkds -when {now} -key {ksk.tag} withdrawn {zone}", log=False)
metadata = f"DSRemoved: {now}"
isctest.run.retry_with_timeout(wait_for_metadata, timeout=3)
expected[1].metadata["DSState"] = "unretentive"
isctest.kasp.check_keys(zone, keys, expected)
-def test_kasp_checkds_csk(servers):
- server = servers["ns3"]
-
+def test_kasp_checkds_csk(ns3):
def wait_for_metadata():
return isctest.util.file_contents_contain(ksk.statefile, metadata)
]
expected = isctest.kasp.policy_to_properties(ttl=303, keys=policy_keys)
keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
isctest.kasp.check_keys(zone, keys, expected)
- check_all(server, zone, policy, keys, [])
+ check_all(ns3, zone, policy, keys, [])
now = KeyTimingMetadata.now()
ksk = keys[0]
isctest.log.info("check if checkds -publish csk correctly sets DSPublish")
- server.rndc(f"dnssec -checkds -when {now} published {zone}", log=False)
+ ns3.rndc(f"dnssec -checkds -when {now} published {zone}", log=False)
metadata = f"DSPublish: {now}"
isctest.run.retry_with_timeout(wait_for_metadata, timeout=3)
expected[0].metadata["DSState"] = "rumoured"
isctest.kasp.check_keys(zone, keys, expected)
isctest.log.info("check if checkds -withdrawn csk correctly sets DSRemoved")
- server.rndc(f"dnssec -checkds -when {now} withdrawn {zone}", log=False)
+ ns3.rndc(f"dnssec -checkds -when {now} withdrawn {zone}", log=False)
metadata = f"DSRemoved: {now}"
isctest.run.retry_with_timeout(wait_for_metadata, timeout=3)
expected[0].metadata["DSState"] = "unretentive"
isctest.kasp.check_keys(zone, keys, expected)
-def test_kasp_special_characters(servers):
- server = servers["ns3"]
-
+def test_kasp_special_characters(ns3):
# A zone with special characters.
isctest.log.info("check special characters")
zone = r'i-am.":\;?&[]\@!\$*+,|=\.\(\)special.kasp'
# It is non-trivial to adapt the tests to deal with all possible different
# escaping characters, so we will just try to verify the zone.
- isctest.kasp.check_dnssec_verify(server, zone)
-
+ isctest.kasp.check_dnssec_verify(ns3, zone)
-def test_kasp_insecure(servers):
- server = servers["ns3"]
+def test_kasp_insecure(ns3):
# Insecure zones.
isctest.log.info("check insecure zones")
expected = []
keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
isctest.kasp.check_keys(zone, keys, expected)
- isctest.kasp.check_dnssecstatus(server, zone, keys, policy="insecure")
- isctest.kasp.check_apex(server, zone, keys, [])
- isctest.kasp.check_subdomain(server, zone, keys, [])
+ isctest.kasp.check_dnssecstatus(ns3, zone, keys, policy="insecure")
+ isctest.kasp.check_apex(ns3, zone, keys, [])
+ isctest.kasp.check_subdomain(ns3, zone, keys, [])
zone = "unsigned.kasp"
expected = []
keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
isctest.kasp.check_keys(zone, keys, expected)
- isctest.kasp.check_dnssecstatus(server, zone, keys, policy=None)
- isctest.kasp.check_apex(server, zone, keys, [])
- isctest.kasp.check_subdomain(server, zone, keys, [])
+ isctest.kasp.check_dnssecstatus(ns3, zone, keys, policy=None)
+ isctest.kasp.check_apex(ns3, zone, keys, [])
+ isctest.kasp.check_subdomain(ns3, zone, keys, [])
# Make sure the zone file is untouched.
isctest.check.file_contents_equal(f"ns3/{zone}.db.infile", f"ns3/{zone}.db")
-def test_kasp_bad_maxzonettl(servers):
- server = servers["ns3"]
-
+def test_kasp_bad_maxzonettl(ns3):
# check that max-zone-ttl rejects zones with too high TTL.
isctest.log.info("check max-zone-ttl rejects zones with too high TTL")
zone = "max-zone-ttl.kasp"
- assert f"loading from master file {zone}.db failed: out of range" in server.log
+ assert f"loading from master file {zone}.db failed: out of range" in ns3.log
def test_kasp_dnssec_keygen():
isctest.kasp.check_keytimes(keys, expected)
-def test_kasp_zsk_retired(servers):
- server = servers["ns3"]
-
+def test_kasp_zsk_retired(ns3):
config = {
"dnskey-ttl": timedelta(seconds=300),
"ds-ttl": timedelta(days=1),
keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
ksks = [k for k in keys if k.is_ksk()]
zsks = [k for k in keys if not k.is_ksk()]
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
isctest.kasp.check_keys(zone, keys, expected)
offset = -timedelta(days=30 * 6)
expected[2].timing["ZRRSIGChange"] = None
isctest.kasp.check_keytimes(keys, expected)
- check_all(server, zone, policy, ksks, zsks)
+ check_all(ns3, zone, policy, ksks, zsks)
queries = [
f"{zone} DNSKEY",
qname = parts[0]
qtype = dns.rdatatype.from_text(parts[1])
return isctest.kasp.verify_rrsig_is_refreshed(
- server, zone, f"ns3/{zone}.db.signed", qname, qtype, ksks, zsks
+ ns3, zone, f"ns3/{zone}.db.signed", qname, qtype, ksks, zsks
)
for query in queries:
isctest.run.retry_with_timeout(rrsig_is_refreshed, timeout=5)
# Load again, make sure the purged key is not an issue when verifying keys.
- with server.watch_log_from_here() as watcher:
- server.rndc(f"loadkeys {zone}", log=False)
+ with ns3.watch_log_from_here() as watcher:
+ ns3.rndc(f"loadkeys {zone}", log=False)
watcher.wait_for_line(f"keymgr: {zone} done")
msg = f"zone {zone}/IN (signed): zone_rekey:zone_verifykeys failed: some key files are missing"
- server.log.prohibit(msg)
+ ns3.log.prohibit(msg)
-def test_kasp_purge_keys(servers):
+def test_kasp_purge_keys(ns4):
zone = "purgekeys.kasp"
- server = servers["ns4"]
-
tsig1 = (
f"{os.environ['DEFAULT_HMAC']}:keyforview1:{KASP_INHERIT_TSIG_SECRET['view1']}"
)
f"{os.environ['DEFAULT_HMAC']}:keyforview2:{KASP_INHERIT_TSIG_SECRET['view2']}"
)
- isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig1)
- isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig2)
+ isctest.kasp.check_dnssec_verify(ns4, zone, tsig=tsig1)
+ isctest.kasp.check_dnssec_verify(ns4, zone, tsig=tsig2)
# Reconfig, make sure the purged key is not an issue when verifying keys.
shutil.copyfile("ns4/purgekeys2.conf", "ns4/purgekeys.conf")
- with server.watch_log_from_here() as watcher:
- server.rndc("reconfig", log=False)
+ with ns4.watch_log_from_here() as watcher:
+ ns4.rndc("reconfig", log=False)
watcher.wait_for_line(f"keymgr: {zone} done")
msg = f"zone {zone}/IN/example1 (signed): zone_rekey:zone_verifykeys failed: some key files are missing"
- server.log.prohibit(msg)
+ ns4.log.prohibit(msg)
msg = f"zone {zone}/IN/example2 (signed): zone_rekey:zone_verifykeys failed: some key files are missing"
- server.log.prohibit(msg)
+ ns4.log.prohibit(msg)
-def test_kasp_reload_restart(servers):
- server = servers["ns6"]
+def test_kasp_reload_restart(ns6):
zone = "example"
def query_soa(qname):
qtype = dns.rdatatype.SOA
query = dns.message.make_query(fqdn, qtype, use_edns=True, want_dnssec=True)
try:
- response = isctest.query.tcp(query, server.ip, server.ports.dns, timeout=3)
+ response = isctest.query.tcp(query, ns6.ip, ns6.ports.dns, timeout=3)
except dns.exception.Timeout:
- isctest.log.debug(f"query timeout for query {qname} SOA to {server.ip}")
+ isctest.log.debug(f"query timeout for query {qname} SOA to {ns6.ip}")
return 0, 0
assert response.rcode() == dns.rcode.NOERROR
assert ttl1 == 300
shutil.copyfile(f"ns6/{zone}2.db.in", f"ns6/{zone}.db")
- with server.watch_log_from_here() as watcher:
- server.rndc("reload", log=False)
+ with ns6.watch_log_from_here() as watcher:
+ ns6.rndc("reload", log=False)
watcher.wait_for_line("all zones loaded")
newttl = 300
soa1, ttl1 = query_soa(zone)
assert ttl1 == 300
- server.stop()
+ ns6.stop()
shutil.copyfile(f"ns6/{zone}3.db.in", f"ns6/{zone}.db")
os.unlink(f"ns6/{zone}.db.jnl")
- with server.watch_log_from_here() as watcher:
- server.start(["--noclean", "--restart", "--port", os.environ["PORT"]])
+ with ns6.watch_log_from_here() as watcher:
+ ns6.start(["--noclean", "--restart", "--port", os.environ["PORT"]])
watcher.wait_for_line("all zones loaded")
newttl = 400
)
-def test_dig_tcp_keepalive_handling(named_port, servers):
+def test_dig_tcp_keepalive_handling(named_port, ns2):
def get_keepalive_options_received():
- servers["ns2"].rndc("stats", log=False)
+ ns2.rndc("stats", log=False)
options_received = 0
with open("ns2/named.stats", "r", encoding="utf-8") as ns2_stats_file:
for line in ns2_stats_file:
)
isctest.log.info("check a re-configured keepalive value")
- response = servers["ns2"].rndc("tcp-timeouts 300 300 300 200 100", log=False)
+ response = ns2.rndc("tcp-timeouts 300 300 300 200 100", log=False)
assert "tcp-initial-timeout=300" in response
assert "tcp-idle-timeout=300" in response
assert "tcp-keepalive-timeout=300" in response
assert "dnssec-ksr: fatal: 'sign' requires a KSR file" in err
-def test_ksr_common(servers):
+def test_ksr_common(ns1):
# common test cases (1)
zone = "common.test"
policy = "common"
)
# add zone
- ns1 = servers["ns1"]
ns1.rndc(
f"addzone {zone} "
+ "{ type primary; file "
isctest.kasp.check_subdomain(ns1, zone, ksks, overlapping_zsks, offline_ksk=True)
-def test_ksr_lastbundle(servers):
+def test_ksr_lastbundle(ns1):
zone = "last-bundle.test"
policy = "common"
n = 1
check_signedkeyresponse(out, zone, ksks, zsks, then, until, refresh)
# add zone
- ns1 = servers["ns1"]
ns1.rndc(
f"addzone {zone} "
+ "{ type primary; file "
assert f"zone {zone}/IN (signed): zone_rekey: {warning}" in ns1.log
-def test_ksr_inthemiddle(servers):
+def test_ksr_inthemiddle(ns1):
zone = "in-the-middle.test"
policy = "common"
n = 1
check_signedkeyresponse(out, zone, ksks, zsks, then, until, refresh)
# add zone
- ns1 = servers["ns1"]
ns1.rndc(
f"addzone {zone} "
+ "{ type primary; file "
assert line in server.log
-def test_ksr_rekey_logs_error(servers):
+def test_ksr_rekey_logs_error(ns1):
# check that an SKR that is too old logs error
- check_ksr_rekey_logs_error(
- servers["ns1"], "past.test", "common", -63072000, -31536000
- )
+ check_ksr_rekey_logs_error(ns1, "past.test", "common", -63072000, -31536000)
# check that an SKR that is too new logs error
- check_ksr_rekey_logs_error(
- servers["ns1"], "future.test", "common", 2592000, 31536000
- )
+ check_ksr_rekey_logs_error(ns1, "future.test", "common", 2592000, 31536000)
-def test_ksr_unlimited(servers):
+def test_ksr_unlimited(ns1):
zone = "unlimited.test"
policy = "unlimited"
n = 1
check_signedkeyresponse(out, zone, ksks, zsks, now, until, refresh)
# add zone
- ns1 = servers["ns1"]
ns1.rndc(
f"addzone {zone} "
+ "{ type primary; file "
isctest.kasp.check_subdomain(ns1, zone, ksks, zsks, offline_ksk=True)
-def test_ksr_twotone(servers):
+def test_ksr_twotone(ns1):
zone = "two-tone.test"
policy = "two-tone"
n = 1
check_signedkeyresponse(out, zone, ksks, zsks, now, until, refresh)
# add zone
- ns1 = servers["ns1"]
ns1.rndc(
f"addzone {zone} "
+ "{ type primary; file "
isctest.kasp.check_subdomain(ns1, zone, ksks, zsks, offline_ksk=True)
-def test_ksr_kskroll(servers):
+def test_ksr_kskroll(ns1):
zone = "ksk-roll.test"
policy = "ksk-roll"
n = 1
check_signedkeyresponse(out, zone, ksks, zsks, now, until, refresh)
# add zone
- ns1 = servers["ns1"]
ns1.rndc(
f"addzone {zone} "
+ "{ type primary; file "
]
-def test_nzd2nzf(servers):
+def test_nzd2nzf(ns1):
zone_data = '"added.example" { type primary; file "added.db"; };'
msg = dns.message.make_query("a.added.example.", "A")
# query for non-existing zone data
- res = isctest.query.tcp(msg, servers["ns1"].ip)
+ res = isctest.query.tcp(msg, ns1.ip)
isctest.check.refused(res)
# add new zone into the default NZD using "rndc addzone"
- servers["ns1"].rndc(f"addzone {zone_data}", log=False)
+ ns1.rndc(f"addzone {zone_data}", log=False)
# query for existing zone data
- res = isctest.query.tcp(msg, servers["ns1"].ip)
+ res = isctest.query.tcp(msg, ns1.ip)
isctest.check.noerror(res)
- servers["ns1"].stop()
+ ns1.stop()
# dump "_default.nzd" to "_default.nzf" and check that it contains the expected content
cfg_dir = "ns1"
os.remove(nzd_filename)
# start ns1 again, it should migrate "_default.nzf" to "_default.nzd"
- servers["ns1"].start(["--noclean", "--restart", "--port", os.environ["PORT"]])
+ ns1.start(["--noclean", "--restart", "--port", os.environ["PORT"]])
# query for zone data from the migrated zone config
- res = isctest.query.tcp(msg, servers["ns1"].ip)
+ res = isctest.query.tcp(msg, ns1.ip)
isctest.check.noerror(res)
)
-def test_algoroll_csk_initial(servers):
+def test_algoroll_csk_initial(ns6):
config = ALGOROLL_CONFIG
policy = "csk-algoroll"
],
"nextev": TIMEDELTA["PT1H"],
}
- isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
+ isctest.kasp.check_rollover_step(ns6, config, policy, step)
@pytest.fixture(scope="module", autouse=True)
-def reconfigure(servers, templates):
+def reconfigure(ns6, templates):
global TIME_PASSED # pylint: disable=global-statement
start_time = KeyTimingMetadata.now()
templates.render("ns6/named.conf", {"csk_roll": True})
- servers["ns6"].reconfigure()
+ ns6.reconfigure()
# Calculate time passed to correctly check for next key events.
TIME_PASSED = KeyTimingMetadata.now().value - start_time.value
-def test_algoroll_csk_reconfig_step1(servers, alg, size):
+def test_algoroll_csk_reconfig_step1(ns6, alg, size):
step = {
"zone": "step1.csk-algorithm-roll.kasp",
"cdss": CDSS,
# Next key event is when the ecdsa256 keys have been propagated.
"nextev": ALGOROLL_IPUB,
}
- isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step)
-def test_algoroll_csk_reconfig_step2(servers, alg, size):
+def test_algoroll_csk_reconfig_step2(ns6, alg, size):
step = {
"zone": "step2.csk-algorithm-roll.kasp",
"cdss": CDSS,
# the time passed between key creation and invoking 'rndc reconfig'.
"nextev": ALGOROLL_IPUBC - ALGOROLL_IPUB - TIME_PASSED,
}
- isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step)
-def test_algoroll_csk_reconfig_step3(servers, alg, size):
+def test_algoroll_csk_reconfig_step3(ns6, alg, size):
step = {
"zone": "step3.csk-algorithm-roll.kasp",
"cdss": CDSS,
# after the publication interval of the parent side.
"nextev": ALGOROLL_IRETKSK - TIME_PASSED,
}
- isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step)
-def test_algoroll_csk_reconfig_step4(servers, alg, size):
+def test_algoroll_csk_reconfig_step4(ns6, alg, size):
step = {
"zone": "step4.csk-algorithm-roll.kasp",
"cdss": CDSS,
# This happens after the DNSKEY TTL plus zone propagation delay.
"nextev": ALGOROLL_KEYTTLPROP,
}
- isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step)
-def test_algoroll_csk_reconfig_step5(servers, alg, size):
+def test_algoroll_csk_reconfig_step5(ns6, alg, size):
step = {
"zone": "step5.csk-algorithm-roll.kasp",
"cdss": CDSS,
# between key creation and invoking 'rndc reconfig'.
"nextev": ALGOROLL_IRET - ALGOROLL_IRETKSK - ALGOROLL_KEYTTLPROP - TIME_PASSED,
}
- isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step)
-def test_algoroll_csk_reconfig_step6(servers, alg, size):
+def test_algoroll_csk_reconfig_step6(ns6, alg, size):
step = {
"zone": "step6.csk-algorithm-roll.kasp",
"cdss": CDSS,
# loadkeys interval.
"nextev": TIMEDELTA["PT1H"],
}
- isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step)
)
-def test_algoroll_ksk_zsk_initial(servers):
+def test_algoroll_ksk_zsk_initial(ns6):
config = ALGOROLL_CONFIG
policy = "rsasha256"
],
"nextev": TIMEDELTA["PT1H"],
}
- isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
+ isctest.kasp.check_rollover_step(ns6, config, policy, step)
@pytest.fixture(scope="module", autouse=True)
-def reconfigure(servers, templates):
+def reconfigure(ns6, templates):
global TIME_PASSED # pylint: disable=global-statement
start_time = KeyTimingMetadata.now()
templates.render("ns6/named.conf", {"alg_roll": True})
- servers["ns6"].reconfigure()
+ ns6.reconfigure()
# Calculate time passed to correctly check for next key events.
TIME_PASSED = KeyTimingMetadata.now().value - start_time.value
-def test_algoroll_ksk_zsk_reconfig_step1(servers, alg, size):
+def test_algoroll_ksk_zsk_reconfig_step1(ns6, alg, size):
step = {
"zone": "step1.algorithm-roll.kasp",
"cdss": CDSS,
# Next key event is when the ecdsa256 keys have been propagated.
"nextev": ALGOROLL_IPUB,
}
- isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step)
-def test_algoroll_ksk_zsk_reconfig_step2(servers, alg, size):
+def test_algoroll_ksk_zsk_reconfig_step2(ns6, alg, size):
step = {
"zone": "step2.algorithm-roll.kasp",
"cdss": CDSS,
# key creation and invoking 'rndc reconfig'.
"nextev": ALGOROLL_IPUBC - ALGOROLL_IPUB - TIME_PASSED,
}
- isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step)
-def test_algoroll_ksk_zsk_reconfig_step3(servers, alg, size):
+def test_algoroll_ksk_zsk_reconfig_step3(ns6, alg, size):
step = {
"zone": "step3.algorithm-roll.kasp",
"cdss": CDSS,
# after the retire interval.
"nextev": ALGOROLL_IRETKSK - TIME_PASSED,
}
- isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step)
-def test_algoroll_ksk_zsk_reconfig_step4(servers, alg, size):
+def test_algoroll_ksk_zsk_reconfig_step4(ns6, alg, size):
step = {
"zone": "step4.algorithm-roll.kasp",
"cdss": CDSS,
# This happens after the DNSKEY TTL plus zone propagation delay.
"nextev": ALGOROLL_KEYTTLPROP,
}
- isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step)
-def test_algoroll_ksk_zsk_reconfig_step5(servers, alg, size):
+def test_algoroll_ksk_zsk_reconfig_step5(ns6, alg, size):
step = {
"zone": "step5.algorithm-roll.kasp",
"cdss": CDSS,
# between key creation and invoking 'rndc reconfig'.
"nextev": ALGOROLL_IRET - ALGOROLL_IRETKSK - ALGOROLL_KEYTTLPROP - TIME_PASSED,
}
- isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step)
-def test_algoroll_ksk_zsk_reconfig_step6(servers, alg, size):
+def test_algoroll_ksk_zsk_reconfig_step6(ns6, alg, size):
step = {
"zone": "step6.algorithm-roll.kasp",
"cdss": CDSS,
# loadkeys interval.
"nextev": TIMEDELTA["PT1H"],
}
- isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step)
OFFSETS["step8-s"] = OFFSETS["step7-s"] - int(CONFIG["purge-keys"].total_seconds())
-def test_csk_roll1_step1(alg, size, servers):
+def test_csk_roll1_step1(alg, size, ns3):
step = {
# Introduce the first key. This will immediately be active.
"zone": "step1.csk-roll1.autosign",
# registration delay).
"nextev": CSK_LIFETIME - IPUB - timedelta(days=7),
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_csk_roll1_step2(alg, size, servers):
+def test_csk_roll1_step2(alg, size, ns3):
step = {
# Successor CSK is prepublished (signs DNSKEY RRset, but not yet
# other RRsets).
# Next key event is when the successor CSK becomes OMNIPRESENT.
"nextev": IPUB,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_csk_roll1_step3(alg, size, servers):
+def test_csk_roll1_step3(alg, size, ns3):
step = {
# Successor CSK becomes omnipresent, meaning we can start signing
# the remainder of the zone with the successor CSK, and we can
# from the predecessor ZSK.
"smooth": True,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_csk_roll1_step4(alg, size, servers):
+def test_csk_roll1_step4(alg, size, ns3):
step = {
"zone": "step4.csk-roll1.autosign",
"cdss": CDSS,
# We already swapped the DS in the previous step, so disable ds-swap.
"ds-swap": False,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_csk_roll1_step5(alg, size, servers):
+def test_csk_roll1_step5(alg, size, ns3):
step = {
"zone": "step5.csk-roll1.autosign",
"cdss": CDSS,
# CSK.
"nextev": SIGNDELAY,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_csk_roll1_step6(alg, size, servers):
+def test_csk_roll1_step6(alg, size, ns3):
step = {
"zone": "step6.csk-roll1.autosign",
"cdss": CDSS,
# This is the DNSKEY TTL plus zone propagation delay.
"nextev": KEYTTLPROP,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_csk_roll1_step7(alg, size, servers):
+def test_csk_roll1_step7(alg, size, ns3):
step = {
"zone": "step7.csk-roll1.autosign",
"cdss": CDSS,
# minus the prepublication time.
"nextev": CSK_LIFETIME - IRETZSK - IPUB - KEYTTLPROP,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_csk_roll1_step8(alg, size, servers):
+def test_csk_roll1_step8(alg, size, ns3):
step = {
"zone": "step8.csk-roll1.autosign",
"cdss": CDSS,
],
"nextev": None,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
OFFSETS["step7-s"] = OFFSETS["step6-s"] - int(timedelta(days=90).total_seconds())
-def test_csk_roll2_step1(alg, size, servers):
+def test_csk_roll2_step1(alg, size, ns3):
step = {
# Introduce the first key. This will immediately be active.
"zone": "step1.csk-roll2.autosign",
# registration delay).
"nextev": CSK_LIFETIME - IPUB - TIMEDELTA["P7D"],
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_csk_roll2_step2(alg, size, servers):
+def test_csk_roll2_step2(alg, size, ns3):
step = {
# Successor CSK is prepublished (signs DNSKEY RRset, but not yet
# other RRsets).
# Next key event is when the successor CSK becomes OMNIPRESENT.
"nextev": IPUB,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_csk_roll2_step3(alg, size, servers):
+def test_csk_roll2_step3(alg, size, ns3):
step = {
# Successor CSK becomes omnipresent, meaning we can start signing
# the remainder of the zone with the successor CSK, and we can
# from the predecessor ZSK.
"smooth": True,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_csk_roll2_step4(alg, size, servers):
+def test_csk_roll2_step4(alg, size, ns3):
step = {
"zone": "step4.csk-roll2.autosign",
"cdss": CDSS,
# We already swapped the DS in the previous step, so disable ds-swap.
"ds-swap": False,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_csk_roll2_step5(alg, size, servers):
+def test_csk_roll2_step5(alg, size, ns3):
step = {
"zone": "step5.csk-roll2.autosign",
"cdss": CDSS,
# This is the DNSKEY TTL plus zone propagation delay.
"nextev": KEYTTLPROP,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_csk_roll2_step6(alg, size, servers):
+def test_csk_roll2_step6(alg, size, ns3):
step = {
"zone": "step6.csk-roll2.autosign",
"cdss": CDSS,
# This is the Lcsk, minus time passed since the key was published.
"nextev": CSK_LIFETIME - IRET - IPUB - KEYTTLPROP,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_csk_roll2_step7(alg, size, servers):
+def test_csk_roll2_step7(alg, size, ns3):
step = {
"zone": "step7.csk-roll2.autosign",
"cdss": CDSS,
"keyrelationships": [0, 1],
"nextev": None,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
)
-def test_dynamic2inline(alg, size, servers, templates):
+def test_dynamic2inline(alg, size, ns6, templates):
config = DEFAULT_CONFIG
policy = "default"
"nextev": None,
}
- isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
+ isctest.kasp.check_rollover_step(ns6, config, policy, step)
templates.render("ns6/named.conf", {"change_lifetime": True})
- servers["ns6"].reconfigure()
+ ns6.reconfigure()
- isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
+ isctest.kasp.check_rollover_step(ns6, config, policy, step)
OFFSETS["step4"] = -int(IPUBC.total_seconds() + IRETKSK.total_seconds())
-def test_rollover_enable_dnssec_step1(alg, size, servers):
+def test_rollover_enable_dnssec_step1(alg, size, ns3):
step = {
"zone": "step1.enable-dnssec.autosign",
"cdss": CDSS,
# after the publication interval.
"nextev": IPUB,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_rollover_enable_dnssec_step2(alg, size, servers):
+def test_rollover_enable_dnssec_step2(alg, size, ns3):
step = {
"zone": "step2.enable-dnssec.autosign",
"cdss": CDSS,
# Minus the time already elapsed.
"nextev": IRETZSK - IPUB,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_rollover_enable_dnssec_step3(alg, size, servers):
+def test_rollover_enable_dnssec_step3(alg, size, ns3):
step = {
"zone": "step3.enable-dnssec.autosign",
"cdss": CDSS,
# This is after the retire interval.
"nextev": IRETKSK,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_rollover_enable_dnssec_step4(alg, size, servers):
+def test_rollover_enable_dnssec_step4(alg, size, ns3):
step = {
"zone": "step4.enable-dnssec.autosign",
"cdss": CDSS,
# established. So we fall back to the default loadkeys interval.
"nextev": TIMEDELTA["PT1H"],
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
"going-insecure-dynamic.kasp",
],
)
-def test_going_insecure_initial(zone, servers, alg, size):
+def test_going_insecure_initial(zone, ns6, alg, size):
config = UNSIGNING_CONFIG
policy = "unsigning"
step = {
],
"nextev": None,
}
- isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
+ isctest.kasp.check_rollover_step(ns6, config, policy, step)
@pytest.fixture(scope="module", autouse=True)
-def reconfigure_policy(servers, templates):
+def reconfigure_policy(ns6, templates):
templates.render("ns6/named.conf", {"policy": "insecure"})
- servers["ns6"].reconfigure()
+ ns6.reconfigure()
@pytest.mark.parametrize(
"going-insecure-dynamic.kasp",
],
)
-def test_going_insecure_reconfig_step1(zone, alg, size, servers):
+def test_going_insecure_reconfig_step1(zone, alg, size, ns6):
config = DEFAULT_CONFIG
policy = "insecure"
"cds-delete": True,
"check-keytimes": False,
}
- isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
+ isctest.kasp.check_rollover_step(ns6, config, policy, step)
@pytest.mark.parametrize(
"going-insecure-dynamic.kasp",
],
)
-def test_going_insecure_reconfig_step2(zone, alg, size, servers):
+def test_going_insecure_reconfig_step2(zone, alg, size, ns6):
config = DEFAULT_CONFIG
policy = "insecure"
"zone-signed": False,
"check-keytimes": False,
}
- isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
+ isctest.kasp.check_rollover_step(ns6, config, policy, step)
TTL = int(KSK_CONFIG["dnskey-ttl"].total_seconds())
-def test_rollover_ksk_three_is_a_crowd(alg, size, servers):
+def test_rollover_ksk_three_is_a_crowd(alg, size, ns3):
"""Test #2375: Scheduled rollovers are happening faster than they can finish."""
- server = servers["ns3"]
zone = "three-is-a-crowd.kasp"
step = {
],
"keyrelationships": [0, 1],
}
- isctest.kasp.check_rollover_step(servers["ns3"], KSK_CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, POLICY, step)
# Rollover successor KSK (with DS in rumoured state).
expected = isctest.kasp.policy_to_properties(TTL, step["keyprops"])
- keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
+ keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
isctest.kasp.check_keys(zone, keys, expected)
key = expected[1].key
now = KeyTimingMetadata.now()
- with server.watch_log_from_here() as watcher:
- server.rndc(f"dnssec -rollover -key {key.tag} -when {now} {zone}")
+ with ns3.watch_log_from_here() as watcher:
+ ns3.rndc(f"dnssec -rollover -key {key.tag} -when {now} {zone}")
watcher.wait_for_line(f"keymgr: {zone} done")
# We now expect four keys (3x KSK, 1x ZSK).
],
"check-keytimes": False, # checked manually with modified values
}
- isctest.kasp.check_rollover_step(servers["ns3"], KSK_CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, POLICY, step)
expected = isctest.kasp.policy_to_properties(TTL, step["keyprops"])
- keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
+ keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
isctest.kasp.check_keys(zone, keys, expected)
expected[0].metadata["Successor"] = expected[1].key.tag
OFFSETS["step6-s"] = OFFSETS["step5-s"] - int(KSK_CONFIG["purge-keys"].total_seconds())
-def test_ksk_doubleksk_step1(alg, size, servers):
+def test_ksk_doubleksk_step1(alg, size, ns3):
step = {
# Introduce the first key. This will immediately be active.
"zone": "step1.ksk-doubleksk.autosign",
# already passed).
"nextev": KSK_LIFETIME - KSK_IPUB - timedelta(days=7),
}
- isctest.kasp.check_rollover_step(servers["ns3"], KSK_CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, POLICY, step)
-def test_ksk_doubleksk_step2(alg, size, servers):
+def test_ksk_doubleksk_step2(alg, size, ns3):
step = {
# Successor KSK is prepublished (and signs DNSKEY RRset).
# KSK1 goal: omnipresent -> hidden
# Next key event is when the successor KSK becomes OMNIPRESENT.
"nextev": KSK_IPUB,
}
- isctest.kasp.check_rollover_step(servers["ns3"], KSK_CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, POLICY, step)
-def test_ksk_doubleksk_step3(alg, size, servers):
+def test_ksk_doubleksk_step3(alg, size, ns3):
step = {
# The successor DNSKEY RRset has become omnipresent. The
# predecessor DS can be withdrawn and the successor DS can be
# successor DS. This is the the retire interval.
"nextev": KSK_IRET,
}
- isctest.kasp.check_rollover_step(servers["ns3"], KSK_CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, POLICY, step)
-def test_ksk_doubleksk_step4(alg, size, servers):
+def test_ksk_doubleksk_step4(alg, size, ns3):
step = {
# The predecessor DNSKEY may be removed, the successor DS is
# omnipresent.
# This is the DNSKEY TTL plus zone propagation delay.
"nextev": KSK_KEYTTLPROP,
}
- isctest.kasp.check_rollover_step(servers["ns3"], KSK_CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, POLICY, step)
-def test_ksk_doubleksk_step5(alg, size, servers):
+def test_ksk_doubleksk_step5(alg, size, ns3):
step = {
# The predecessor DNSKEY is long enough removed from the zone it
# has become hidden.
# This is the KSK lifetime minus Ipub minus Iret minus time elapsed.
"nextev": KSK_LIFETIME - KSK_IPUB - KSK_IRET - KSK_KEYTTLPROP,
}
- isctest.kasp.check_rollover_step(servers["ns3"], KSK_CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, POLICY, step)
-def test_ksk_doubleksk_step6(alg, size, servers):
+def test_ksk_doubleksk_step6(alg, size, ns3):
step = {
# Predecessor KSK is now purged.
"zone": "step6.ksk-doubleksk.autosign",
],
"nextev": None,
}
- isctest.kasp.check_rollover_step(servers["ns3"], KSK_CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, POLICY, step)
param("unlimit-lifetime", "short-lifetime", "P6M"),
],
)
-def test_lifetime_initial(zone, policy, lifetime, alg, size, servers):
+def test_lifetime_initial(zone, policy, lifetime, alg, size, ns6):
config = DEFAULT_CONFIG
step = {
],
"nextev": None,
}
- isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
+ isctest.kasp.check_rollover_step(ns6, config, policy, step)
@pytest.fixture(scope="module", autouse=True)
-def reconfigure_policy(servers, templates):
+def reconfigure_policy(ns6, templates):
templates.render("ns6/named.conf", {"change_lifetime": True})
- servers["ns6"].reconfigure()
+ ns6.reconfigure()
@pytest.mark.parametrize(
param("unlimit-lifetime", "unlimited-lifetime", 0),
],
)
-def test_lifetime_reconfig(zone, policy, lifetime, alg, size, servers):
+def test_lifetime_reconfig(zone, policy, lifetime, alg, size, ns6):
config = DEFAULT_CONFIG
step = {
],
"nextev": None,
}
- isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
+ isctest.kasp.check_rollover_step(ns6, config, policy, step)
)
-def test_rollover_multisigner(servers, alg, size):
- server = servers["ns3"]
+def test_rollover_multisigner(ns3, alg, size):
policy = "multisigner-model2"
config = {
"dnskey-ttl": timedelta(hours=1),
zone = "multisigner-model2.kasp"
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
key_properties = [
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden tag-range:32768-65535",
expected2[0].properties["legacy"] = True
expected = expected + expected2
- ownkeys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
+ ownkeys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
extkeys = isctest.kasp.keydir_to_keylist(zone)
keys = ownkeys + extkeys
ksks = [k for k in ownkeys if k.is_ksk()]
for kp in expected:
kp.set_expected_keytimes(config)
isctest.kasp.check_keytimes(keys, expected)
- isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy)
- isctest.kasp.check_apex(server, zone, ksks, zsks)
- isctest.kasp.check_subdomain(server, zone, ksks, zsks)
+ isctest.kasp.check_dnssecstatus(ns3, zone, keys, policy=policy)
+ isctest.kasp.check_apex(ns3, zone, ksks, zsks)
+ isctest.kasp.check_subdomain(ns3, zone, ksks, zsks)
# Update zone with ZSK from another provider for zone.
out = keygen(zone)
update_msg = dns.update.UpdateMessage(zone)
update_msg.add(f"{dnskey[0]}", 3600, "DNSKEY", rdata)
- server.nsupdate(update_msg)
+ ns3.nsupdate(update_msg)
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
keys = keys + newkeys
zsks = zsks + newkeys
isctest.kasp.check_keys(zone, keys, expected)
- isctest.kasp.check_apex(server, zone, ksks, zsks)
- isctest.kasp.check_subdomain(server, zone, ksks, zsks)
+ isctest.kasp.check_apex(ns3, zone, ksks, zsks)
+ isctest.kasp.check_subdomain(ns3, zone, ksks, zsks)
# Remove ZSKs from the other providers for zone.
dnskey2 = extkeys[0].dnskey().split()
update_msg = dns.update.UpdateMessage(zone)
update_msg.delete(f"{dnskey[0]}", "DNSKEY", rdata)
update_msg.delete(f"{dnskey2[0]}", "DNSKEY", rdata2)
- server.nsupdate(update_msg)
+ ns3.nsupdate(update_msg)
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
keys = ownkeys
ksks = [k for k in ownkeys if k.is_ksk()]
zsks = [k for k in ownkeys if not k.is_ksk()]
isctest.kasp.check_keys(zone, keys, expected)
- isctest.kasp.check_apex(server, zone, ksks, zsks)
- isctest.kasp.check_subdomain(server, zone, ksks, zsks)
+ isctest.kasp.check_apex(ns3, zone, ksks, zsks)
+ isctest.kasp.check_subdomain(ns3, zone, ksks, zsks)
# A zone transitioning from single-signed to multi-signed. We should have
# the old omnipresent keys outside of the desired key range and the new
# keys in the desired key range.
zone = "single-to-multisigner.kasp"
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
key_properties = [
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden tag-range:32768-65535",
f"zsk unlimited {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent tag-range:0-32767 offset:{offval}",
]
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
- keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
+ keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
ksks = [k for k in keys if k.is_ksk()]
zsks = [k for k in keys if not k.is_ksk()]
)
isctest.kasp.check_keytimes(keys, expected)
- isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy)
- isctest.kasp.check_apex(server, zone, ksks, zsks)
- isctest.kasp.check_subdomain(server, zone, ksks, zsks)
+ isctest.kasp.check_dnssecstatus(ns3, zone, keys, policy=policy)
+ isctest.kasp.check_apex(ns3, zone, ksks, zsks)
+ isctest.kasp.check_subdomain(ns3, zone, ksks, zsks)
"going-straight-to-none-dynamic.kasp",
],
)
-def test_straight2none_initial(zone, servers, alg, size):
+def test_straight2none_initial(zone, ns6, alg, size):
config = DEFAULT_CONFIG
policy = "default"
],
"nextev": None,
}
- isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
+ isctest.kasp.check_rollover_step(ns6, config, policy, step)
@pytest.fixture(scope="module", autouse=True)
-def reconfigure_policy(servers, templates):
+def reconfigure_policy(ns6, templates):
templates.render("ns6/named.conf", {"policy": "none"})
- servers["ns6"].reconfigure()
+ ns6.reconfigure()
@pytest.mark.parametrize(
"going-straight-to-none-dynamic.kasp",
],
)
-def test_straight2none_reconfig(zone, servers, alg, size):
+def test_straight2none_reconfig(zone, ns6, alg, size):
config = DEFAULT_CONFIG
policy = None
],
"nextev": None,
}
- isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
+ isctest.kasp.check_rollover_step(ns6, config, policy, step)
OFFSETS["step6-s"] = OFFSETS["step5-s"] - int(CONFIG["purge-keys"].total_seconds())
-def test_zsk_prepub_step1(alg, size, servers):
+def test_zsk_prepub_step1(alg, size, ns3):
step = {
# Introduce the first key. This will immediately be active.
"zone": "step1.zsk-prepub.autosign",
# already passed).
"nextev": ZSK_LIFETIME - IPUB - timedelta(days=7),
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_zsk_prepub_step2(alg, size, servers):
+def test_zsk_prepub_step2(alg, size, ns3):
step = {
# it is time to pre-publish the successor zsk.
# zsk1 goal: omnipresent -> hidden
# that is the dnskey ttl plus the zone propagation delay
"nextev": IPUB,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_zsk_prepub_step3(alg, size, servers):
+def test_zsk_prepub_step3(alg, size, ns3):
step = {
# predecessor zsk is no longer actively signing. successor zsk is
# now actively signing.
# from the predecessor zsk.
"smooth": True,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_zsk_prepub_step4(alg, size, servers):
+def test_zsk_prepub_step4(alg, size, ns3):
step = {
# predecessor zsk is no longer needed. all rrsets are signed with
# the successor zsk.
# this is the dnskey ttl plus zone propagation delay.
"nextev": KEYTTLPROP,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_zsk_prepub_step5(alg, size, servers):
+def test_zsk_prepub_step5(alg, size, ns3):
step = {
# predecessor zsk is now removed.
# zsk1 dnskey: unretentive -> hidden
# elapsed.
"nextev": ZSK_LIFETIME - IRET - IPUB - KEYTTLPROP,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
-def test_zsk_prepub_step6(alg, size, servers):
+def test_zsk_prepub_step6(alg, size, ns3):
step = {
# predecessor zsk is now purged.
"zone": "step6.zsk-prepub.autosign",
],
"nextev": None,
}
- isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+ isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step)
from common import pytestmark # pylint: disable=unused-import
-def test_rollover_manual(servers):
- server = servers["ns3"]
+def test_rollover_manual(ns3):
policy = "manual-rollover"
config = {
"dnskey-ttl": timedelta(hours=1),
size = os.environ["DEFAULT_BITS"]
zone = "manual-rollover.kasp"
- with server.watch_log_from_start() as watcher:
+ with ns3.watch_log_from_start() as watcher:
watcher.wait_for_line(f"keymgr: {zone} done")
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
key_properties = [
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
]
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
- keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
+ keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
ksks = [k for k in keys if k.is_ksk()]
zsks = [k for k in keys if not k.is_ksk()]
kp.set_expected_keytimes(config, offset=offset)
isctest.kasp.check_keytimes(keys, expected)
- isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy)
- isctest.kasp.check_apex(server, zone, ksks, zsks)
- isctest.kasp.check_subdomain(server, zone, ksks, zsks)
+ isctest.kasp.check_dnssecstatus(ns3, zone, keys, policy=policy)
+ isctest.kasp.check_apex(ns3, zone, ksks, zsks)
+ isctest.kasp.check_subdomain(ns3, zone, ksks, zsks)
# Schedule KSK rollover in six months.
assert len(ksks) == 1
config, zsk=False, ksk=True
)
- with server.watch_log_from_here() as watcher:
- server.rndc(f"dnssec -rollover -key {ksk.tag} -when {startroll} {zone}")
+ with ns3.watch_log_from_here() as watcher:
+ ns3.rndc(f"dnssec -rollover -key {ksk.tag} -when {startroll} {zone}")
watcher.wait_for_line(f"keymgr: {zone} done")
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
isctest.kasp.check_keys(zone, keys, expected)
isctest.kasp.check_keytimes(keys, expected)
- isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy)
- isctest.kasp.check_apex(server, zone, ksks, zsks)
- isctest.kasp.check_subdomain(server, zone, ksks, zsks)
+ isctest.kasp.check_dnssecstatus(ns3, zone, keys, policy=policy)
+ isctest.kasp.check_apex(ns3, zone, ksks, zsks)
+ isctest.kasp.check_subdomain(ns3, zone, ksks, zsks)
# Schedule KSK rollover now.
now = KeyTimingMetadata.now()
- with server.watch_log_from_here() as watcher:
- server.rndc(f"dnssec -rollover -key {ksk.tag} -when {now} {zone}")
+ with ns3.watch_log_from_here() as watcher:
+ ns3.rndc(f"dnssec -rollover -key {ksk.tag} -when {now} {zone}")
watcher.wait_for_line(f"keymgr: {zone} done")
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
key_properties = [
f"ksk unlimited {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
]
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
- keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
+ keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
ksks = [k for k in keys if k.is_ksk()]
zsks = [k for k in keys if not k.is_ksk()]
)
isctest.kasp.check_keytimes(keys, expected)
- isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy)
- isctest.kasp.check_apex(server, zone, ksks, zsks)
- isctest.kasp.check_subdomain(server, zone, ksks, zsks)
+ isctest.kasp.check_dnssecstatus(ns3, zone, keys, policy=policy)
+ isctest.kasp.check_apex(ns3, zone, ksks, zsks)
+ isctest.kasp.check_subdomain(ns3, zone, ksks, zsks)
# Schedule ZSK rollover now.
assert len(zsks) == 1
zsk = zsks[0]
now = KeyTimingMetadata.now()
- with server.watch_log_from_here() as watcher:
- server.rndc(f"dnssec -rollover -key {zsk.tag} -when {now} {zone}")
+ with ns3.watch_log_from_here() as watcher:
+ ns3.rndc(f"dnssec -rollover -key {zsk.tag} -when {now} {zone}")
watcher.wait_for_line(f"keymgr: {zone} done")
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(ns3, zone)
key_properties = [
f"ksk unlimited {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden",
]
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
- keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
+ keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
ksks = [k for k in keys if k.is_ksk()]
zsks = [k for k in keys if not k.is_ksk()]
# Try to schedule a ZSK rollover for an inactive key (should fail).
zsk = expected[3].key
- response = server.rndc(f"dnssec -rollover -key {zsk.tag} {zone}")
+ response = ns3.rndc(f"dnssec -rollover -key {zsk.tag} {zone}")
assert "key is not actively signing" in response
@pytest.mark.requires_zones_loaded("ns1")
-def test_spf_log(servers):
+def test_spf_log(ns1):
for msg in (
"zone spf/IN: 'y.spf' found type SPF record but no SPF TXT record found",
"zone warn/IN: 'y.warn' found type SPF record but no SPF TXT record found",
"zone warn/IN: loaded serial 0",
"zone nowarn/IN: loaded serial 0",
):
- servers["ns1"].log.expect(msg)
+ ns1.log.expect(msg)
for msg in (
"zone nowarn/IN: 'y.nowarn' found type SPF record but no SPF TXT record found",
"zone warn/IN: 'warn' found type SPF record but no SPF TXT record found",
"zone nowarn/IN: 'nowarn' found type SPF record but no SPF TXT record found",
):
- servers["ns1"].log.prohibit(msg)
+ ns1.log.prohibit(msg)
)
-def test_stub_zones_availability(servers):
+def test_stub_zones_availability(ns3):
# check that the stub zone has been saved to disk
assert os.path.exists("ns3/child.example.st")
stub_zone_lookout_without_recursion()
stub_zone_lookout_with_recursion()
- servers["ns3"].stop()
- servers["ns3"].start(["--noclean", "--restart", "--port", os.environ["PORT"]])
+ ns3.stop()
+ ns3.start(["--noclean", "--restart", "--port", os.environ["PORT"]])
axfr_denied()
stub_zone_lookout_without_recursion()
error,
mangle_orig_id,
other,
- servers,
+ ns1,
named_port,
):
alg, mac = alg_and_mac
- ns1 = servers["ns1"]
msg = dns.message.make_query("example.com.", "AXFR")
msg.keyring = False # don't validate received TSIG
)
-def test_xferquota(named_port, servers):
+def test_xferquota(named_port, ns1, ns2):
# Changing test zone ensuring that the time stamp changes
time.sleep(1)
shutil.copyfile("ns1/changing2.db", "ns1/changing.db")
with open("ns1/named.pid", "r", encoding="utf-8") as pidfile:
pid = int(pidfile.read())
os.kill(pid, signal.SIGHUP)
- with servers["ns1"].watch_log_from_start() as watcher:
+ with ns1.watch_log_from_start() as watcher:
watcher.wait_for_line("received SIGHUP signal to reload zones")
def check_line_count():
f"transfer of 'changing/IN' from 10.53.0.1#{named_port}: "
f"Transfer completed: .*\\(serial 2\\)"
)
- with servers["ns2"].watch_log_from_start(timeout=30) as watcher:
+ with ns2.watch_log_from_start(timeout=30) as watcher:
watcher.wait_for_line(pattern)
query_and_compare(a_msg)
projects / thirdparty / bind9.git / commitdiff
