From: Matthijs Mekking Date: Mon, 4 Aug 2025 12:34:07 +0000 (+0200) Subject: Fix statschannel system test X-Git-Tag: v9.21.17~60^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=14a243a81dd6b438345d70ff7963ceaaedd85ee7;p=thirdparty%2Fbind9.git Fix statschannel system test The manykeys test case relies on keys being removed. Make sure the zone is fully signed with the keys that will stay, so the other keys may be removed safely. This means the expected number of signatures generated and refreshed will change. The CDS and CDNSKEY RRset also need to be signed now. Configure the test case with sig-signing-signatures 100, large enough that the entire zone is processed in a single step. --- diff --git a/bin/tests/system/statschannel/ns2/named.conf.in b/bin/tests/system/statschannel/ns2/named.conf.in index 342d03b5616..c2f4c1f2788 100644 --- a/bin/tests/system/statschannel/ns2/named.conf.in +++ b/bin/tests/system/statschannel/ns2/named.conf.in @@ -24,6 +24,7 @@ options { notify no; minimal-responses no; version none; // make statistics independent of the version number + sig-signing-signatures 100; }; statistics-channels { inet 10.53.0.2 port @EXTRAPORT1@ allow { localhost; }; }; diff --git a/bin/tests/system/statschannel/ns2/named2.conf.in b/bin/tests/system/statschannel/ns2/named2.conf.in index c726ae42203..f93bf94e756 100644 --- a/bin/tests/system/statschannel/ns2/named2.conf.in +++ b/bin/tests/system/statschannel/ns2/named2.conf.in @@ -24,6 +24,7 @@ options { notify no; minimal-responses no; version none; // make statistics independent of the version number + sig-signing-signatures 100; }; statistics-channels { inet 10.53.0.2 port @EXTRAPORT1@ allow { localhost; }; }; diff --git a/bin/tests/system/statschannel/ns2/sign.sh b/bin/tests/system/statschannel/ns2/sign.sh index b9d2ed72d31..a4df397a2ac 100644 --- a/bin/tests/system/statschannel/ns2/sign.sh +++ b/bin/tests/system/statschannel/ns2/sign.sh 
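Review bot: The added `sig-signing-signatures 100;` is the only option in this block whose purpose is not stated in the file, even though the commit message explains it and the neighbouring `version none; // make statistics independent of the version number` shows the file's convention for such notes. A reader of the config alone cannot tell that 100 was chosen so the whole zone is signed in one step and the signature counts asserted in tests.sh stay deterministic, so I would write `sig-signing-signatures 100; // sign the whole zone in one step so the sign/refresh counts in tests.sh are deterministic`. The same line is added without a comment in the named2.conf.in hunk on this line.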
@@ -16,13 +16,18 @@ set -e +longago="now-1y" +keytimes="-P ${longago} -A ${longago}" +O="omnipresent" + zone=dnssec. infile=dnssec.db.in -zonefile=dnssec.db.signed +zonefile=dnssec.db +cp $infile $zonefile ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -L 3600 -b "$DEFAULT_BITS" -f KSK "$zone") zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -L 3600 -b "$DEFAULT_BITS" "$zone") # Sign deliberately with a very short expiration date. -"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1 +"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" "$zonefile" >"signzone.out.$zone" 2>&1 id=$(keyfile_to_key_id "$ksk") echo "$DEFAULT_ALGORITHM_NUMBER+$id" >dnssec.ksk.id id=$(keyfile_to_key_id "$zsk") 
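Review bot: The new `cp $infile $zonefile` leaves both expansions unquoted while every other expansion this hunk adds or keeps (`"$KEYGEN"`, `"$zone"`, `"$zonefile"` on the signer line) is quoted; with these fixed names it works, but it is what ShellCheck flags (SC2086) and the same form recurs in the manykeys hunk (`@@ -30,16`) below. I would write `cp "$infile" "$zonefile"` in both places. Separately, `longago`, `keytimes` and `O` are introduced at the top of this hunk but, as far as the visible lines show, only consumed by the manykeys block further down, so a one-line comment such as `# Timing metadata for keys that must already be omnipresent (used by the manykeys zone below)` above `longago=` would tell a reader why they sit here.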
@@ -30,16 +35,22 @@ echo "$DEFAULT_ALGORITHM_NUMBER+$id" >dnssec.zsk.id zone=manykeys. infile=manykeys.db.in -zonefile=manykeys.db.signed -ksk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 -f KSK "$zone") -zsk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 "$zone") +zonefile=manykeys.db +cp $infile $zonefile +ksk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 -f KSK $keytimes -P sync $longago "$zone") +zsk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 $keytimes "$zone") +$SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$ksk8" >settime.out.$zone 2>&1 +$SETTIME -s -g $O -k $O $longago -z $O $longago "$zsk8" >settime.out.$zone 2>&1 +cat $ksk8.key $zsk8.key >>$zonefile ksk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -L 3600 -b 256 -f KSK "$zone") zsk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -L 3600 -b 256 "$zone") +cat $ksk13.key $zsk13.key >>$zonefile ksk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -L 3600 -b 384 -f KSK "$zone") zsk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -L 3600 -b 384 "$zone") +cat $ksk14.key $zsk14.key >>$zonefile # Sign deliberately with a very short expiration date. # Disable zone verification (-P) as records may expire before signing is complete -"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1 +"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" "$zonefile" >"signzone.out.$zone" 2>&1 id=$(keyfile_to_key_id "$ksk8") echo "8+$id" >manykeys.ksk8.id id=$(keyfile_to_key_id "$zsk8") diff --git a/bin/tests/system/statschannel/tests.sh b/bin/tests/system/statschannel/tests.sh index 8a343fe1b53..f6816493311 100644 --- a/bin/tests/system/statschannel/tests.sh +++ b/bin/tests/system/statschannel/tests.sh 
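Review bot: The two `$SETTIME` invocations both redirect with `>settime.out.$zone`, so the second call (for `$zsk8`) truncates the file and the KSK's settime output is lost before anyone can inspect it; the second should append, `>>settime.out.$zone`, the way the `cat ... >>$zonefile` lines in the same hunk accumulate. `$SETTIME` is also the only tool here invoked unquoted, next to `"$KEYGEN"` and `"$SIGNER"`; `"$SETTIME"` would be consistent. The unquoted `$keytimes`, `$longago` and `$O` look intentional (`$keytimes` must word-split into two options), so a short comment above the first `$SETTIME` line, e.g. `# $keytimes is deliberately unquoted: it expands to two options`, would keep a future quoting clean-up from breaking key generation. As far as the hunk shows, only ksk8 gets `-P sync $longago`, which is consistent with the commit message that the RSASHA256 pair is the one that stays.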
@@ -392,22 +392,22 @@ ksk13_id=$(cat ns2/$zone.ksk13.id) zsk13_id=$(cat ns2/$zone.zsk13.id) ksk14_id=$(cat ns2/$zone.ksk14.id) zsk14_id=$(cat ns2/$zone.zsk14.id) -# The dnssec zone has 10 RRsets to sign (including NSEC) with the ZSKs and one -# RRset (DNSKEY) with the KSKs. So starting named with signatures that expire -# almost right away, this should trigger 10 zsk and 1 ksk sign operations per -# key. +# The dnssec zone has 10 RRsets to sign (including NSEC) with the ZSKs and the +# DNSKEY, CDS, and CDNSKEY RRsets with the KSKs. So starting named with +# signatures that expire almost right away, this should trigger 10 zsk and 3 +# ksk sign operations per key. echo "${refresh_prefix} ${zsk8_id}: 10" >zones.expect echo "${refresh_prefix} ${zsk13_id}: 10" >>zones.expect echo "${refresh_prefix} ${zsk14_id}: 10" >>zones.expect -echo "${refresh_prefix} ${ksk8_id}: 1" >>zones.expect -echo "${refresh_prefix} ${ksk13_id}: 1" >>zones.expect -echo "${refresh_prefix} ${ksk14_id}: 1" >>zones.expect +echo "${refresh_prefix} ${ksk8_id}: 3" >>zones.expect +echo "${refresh_prefix} ${ksk13_id}: 3" >>zones.expect +echo "${refresh_prefix} ${ksk14_id}: 3" >>zones.expect echo "${sign_prefix} ${zsk8_id}: 10" >>zones.expect echo "${sign_prefix} ${zsk13_id}: 10" >>zones.expect echo "${sign_prefix} ${zsk14_id}: 10" >>zones.expect -echo "${sign_prefix} ${ksk8_id}: 1" >>zones.expect -echo "${sign_prefix} ${ksk13_id}: 1" >>zones.expect -echo "${sign_prefix} ${ksk14_id}: 1" >>zones.expect +echo "${sign_prefix} ${ksk8_id}: 3" >>zones.expect +echo "${sign_prefix} ${ksk13_id}: 3" >>zones.expect +echo "${sign_prefix} ${ksk14_id}: 3" >>zones.expect cat zones.expect | sort >zones.expect.$n rm -f zones.expect # Fetch and check the dnssec sign statistics. 
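Review bot: The rewritten comment still opens with "The dnssec zone has 10 RRsets to sign", yet every id read just above (`ns2/$zone.ksk13.id`, `.ksk14.id`, ...) and every expectation below belongs to the three-algorithm key set that sign.sh creates for the manykeys zone, so if this block is indeed the manykeys case the label should say so: `# The manykeys zone has 10 RRsets to sign (including NSEC) with the ZSKs and the`. The counts 10 and 3 are also repeated as bare literals across twelve `echo` lines here and again in the hunks at `@@ -437` and `@@ -466` of this file; naming them once next to the comment (`zsk_rrsets=10; ksk_rrsets=3 # DNSKEY, CDS, CDNSKEY`) would make the next change to the KSK-signed set a one-line edit. The enclosing test case starts before this hunk.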
@@ -437,15 +437,15 @@ ret=0 echo "${refresh_prefix} ${zsk8_id}: 10" >zones.expect echo "${refresh_prefix} ${zsk13_id}: 10" >>zones.expect echo "${refresh_prefix} ${zsk14_id}: 10" >>zones.expect -echo "${refresh_prefix} ${ksk8_id}: 1" >>zones.expect -echo "${refresh_prefix} ${ksk13_id}: 1" >>zones.expect -echo "${refresh_prefix} ${ksk14_id}: 1" >>zones.expect +echo "${refresh_prefix} ${ksk8_id}: 3" >>zones.expect +echo "${refresh_prefix} ${ksk13_id}: 3" >>zones.expect +echo "${refresh_prefix} ${ksk14_id}: 3" >>zones.expect echo "${sign_prefix} ${zsk8_id}: 13" >>zones.expect echo "${sign_prefix} ${zsk13_id}: 13" >>zones.expect echo "${sign_prefix} ${zsk14_id}: 13" >>zones.expect -echo "${sign_prefix} ${ksk8_id}: 1" >>zones.expect -echo "${sign_prefix} ${ksk13_id}: 1" >>zones.expect -echo "${sign_prefix} ${ksk14_id}: 1" >>zones.expect +echo "${sign_prefix} ${ksk8_id}: 3" >>zones.expect +echo "${sign_prefix} ${ksk13_id}: 3" >>zones.expect +echo "${sign_prefix} ${ksk14_id}: 3" >>zones.expect cat zones.expect | sort >zones.expect.$n rm -f zones.expect # Fetch and check the dnssec sign statistics. 
@@ -466,15 +466,15 @@ n=$((n + 1)) ret=0 copy_setports ns2/named2.conf.in ns2/named.conf $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/I:ns2 /' -# This should trigger the resign of DNSKEY (+1 ksk), and SOA, NSEC, -# TYPE65534 (+3 zsk). The dnssec-sign statistics for the removed keys should -# be cleared and thus no longer visible. But NSEC and SOA are (mistakenly) -# counted double, one time because of zone_resigninc and one time because of -# zone_nsec3chain. So +5 zsk in total. +# This should trigger the resign of DNSKEY, CDS, and CDNSKEY (+3 ksk), +# and SOA, NSEC, TYPE65534 (+3 zsk). The dnssec-sign statistics for the +# removed keys should be cleared and thus no longer visible. But NSEC and SOA +# are (mistakenly) counted double, one time because of zone_resigninc and one +# time because of zone_nsec3chain. So +5 zsk in total. echo "${refresh_prefix} ${zsk8_id}: 15" >zones.expect -echo "${refresh_prefix} ${ksk8_id}: 2" >>zones.expect +echo "${refresh_prefix} ${ksk8_id}: 6" >>zones.expect echo "${sign_prefix} ${zsk8_id}: 18" >>zones.expect -echo "${sign_prefix} ${ksk8_id}: 2" >>zones.expect +echo "${sign_prefix} ${ksk8_id}: 6" >>zones.expect cat zones.expect | sort >zones.expect.$n rm -f zones.expect # Fetch and check the dnssec sign statistics. diff --git a/bin/tests/system/statschannel/tests_json.py b/bin/tests/system/statschannel/tests_json.py index 21f24022439..6a2dbc9f966 100755 --- a/bin/tests/system/statschannel/tests_json.py +++ b/bin/tests/system/statschannel/tests_json.py @@ -31,8 +31,11 @@ pytestmark = [ "ns2/dsset-*", "ns2/K*", "ns2/dnssec.db.signed", + "ns2/dnssec.db", "ns2/dnssec.*.id", + "ns2/manykeys.db", "ns2/manykeys.*.id", + "ns2/settime.out.*", "ns2/signzone.out.*", "ns3/_default.nzd", "ns3/example-tcp.db", diff --git a/bin/tests/system/statschannel/tests_sh_statschannel.py b/bin/tests/system/statschannel/tests_sh_statschannel.py index 2f7a826aa4b..7b5788010d6 100644 --- a/bin/tests/system/statschannel/tests_sh_statschannel.py 
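Review bot: The rewritten comment keeps the statement that NSEC and SOA are "(mistakenly) counted double" via zone_resigninc and zone_nsec3chain, and the new expectations `${refresh_prefix} ${zsk8_id}: 15` / `${sign_prefix} ${zsk8_id}: 18` bake that known over-count into the test, so when the double counting is fixed this case will start failing with nothing pointing at why. I would add `# TODO(<tracking issue>): drop the extra +2 zsk once NSEC/SOA are no longer counted twice.` after the comment, with the issue reference filled in. The KSK part of the comment now says "+3 ksk" for DNSKEY, CDS and CDNSKEY, which matches the step from 3 (hunk at `@@ -437`) to 6 on the `ksk8_id` lines. The enclosing test case starts before this hunk.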
+++ b/bin/tests/system/statschannel/tests_sh_statschannel.py @@ -31,11 +31,15 @@ pytestmark = pytest.mark.extra_artifacts( "zones*", "ns2/*.jnl", "ns2/*.signed", + "ns2/*.db", "ns2/dsset-*", "ns2/K*", + "ns2/dnssec.db", "ns2/dnssec.*.id", + "ns2/manykeys.db", "ns2/manykeys.*.id", "ns2/named.stats", + "ns2/settime.out.*", "ns2/signzone.out.*", "ns3/_default.nzf*", "ns3/_default.nzd*", diff --git a/bin/tests/system/statschannel/tests_xml.py b/bin/tests/system/statschannel/tests_xml.py index 796eea9d244..59fbcf0b06c 100755 --- a/bin/tests/system/statschannel/tests_xml.py +++ b/bin/tests/system/statschannel/tests_xml.py @@ -31,8 +31,11 @@ pytestmark = [ "ns2/*.jnl", "ns2/*.signed", "ns2/dsset-*", + "ns2/dnssec.db", "ns2/dnssec.*.id", + "ns2/manykeys.db", "ns2/manykeys.*.id", + "ns2/settime.out.*", "ns2/signzone.out.*", "ns3/_default.nzd", "ns3/example-tcp.db",
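Review bot: Two of the three artifact entries added to tests_sh_statschannel.py are redundant: `"ns2/dnssec.db"` and `"ns2/manykeys.db"` are already matched by the new `"ns2/*.db"` glob three lines above them. The sibling lists in tests_json.py and tests_xml.py (hunks earlier on this page) add only the two explicit filenames, so for consistency I would drop the `"ns2/*.db"` line here; if the glob is wanted to cover other `.db` copies the test may create, drop the two explicit entries instead and add the glob to the other two lists as well. The `pytestmark` expression continues outside the hunk.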