From: Nicki Křížek Date: Fri, 6 Jun 2025 11:25:46 +0000 (+0200) Subject: Isolate rollover-straight2none test X-Git-Tag: v9.21.11~38^2~11 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=519f9082dfc31884a40ed46c883a4738cc17632c;p=thirdparty%2Fbind9.git Isolate rollover-straight2none test
---
diff --git a/bin/tests/system/rollover-straight2none/common.py b/bin/tests/system/rollover-straight2none/common.py
new file mode 120000
index 00000000000..64b8084c5ac
--- /dev/null
+++ b/bin/tests/system/rollover-straight2none/common.py
@@ -0,0 +1 @@
+../rollover/common.py
\ No newline at end of file
diff --git a/bin/tests/system/rollover-straight2none/ns6/kasp.conf.j2 b/bin/tests/system/rollover-straight2none/ns6/kasp.conf.j2
new file mode 120000
index 00000000000..4a8da1d4465
--- /dev/null
+++ b/bin/tests/system/rollover-straight2none/ns6/kasp.conf.j2
@@ -0,0 +1 @@
+../../rollover-going-insecure/ns6/kasp.conf.j2
\ No newline at end of file
diff --git a/bin/tests/system/rollover-straight2none/ns6/named.common.conf.j2 b/bin/tests/system/rollover-straight2none/ns6/named.common.conf.j2
new file mode 120000
index 00000000000..6b841ab2ad3
--- /dev/null
+++ b/bin/tests/system/rollover-straight2none/ns6/named.common.conf.j2
@@ -0,0 +1 @@
+../../rollover-dynamic2inline/ns6/named.common.conf.j2
\ No newline at end of file
diff --git a/bin/tests/system/rollover-straight2none/ns6/named.conf.j2 b/bin/tests/system/rollover-straight2none/ns6/named.conf.j2
new file mode 100644
index 00000000000..f490a3ceecc
--- /dev/null
+++ b/bin/tests/system/rollover-straight2none/ns6/named.conf.j2
@@ -0,0 +1,31 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+{% set policy = policy | default("default") %}
+
+include "kasp.conf";
+include "named.common.conf";
+
+zone "going-straight-to-none.kasp" {
+ type primary;
+ file "going-straight-to-none.kasp.db";
+ dnssec-policy @policy@;
+};
+
+zone "going-straight-to-none-dynamic.kasp" {
+ type primary;
+ file "going-straight-to-none-dynamic.kasp.db.signed";
+ inline-signing no;
+ dnssec-policy @policy@;
+ allow-update { any; };
+};
diff --git a/bin/tests/system/rollover-straight2none/ns6/template.db.in b/bin/tests/system/rollover-straight2none/ns6/template.db.in
new file mode 120000
index 00000000000..21598660d1e
--- /dev/null
+++ b/bin/tests/system/rollover-straight2none/ns6/template.db.in
@@ -0,0 +1 @@
+../../rollover-dynamic2inline/ns6/template.db.in
\ No newline at end of file
diff --git a/bin/tests/system/rollover-straight2none/setup.sh b/bin/tests/system/rollover-straight2none/setup.sh
new file mode 100644
index 00000000000..2a42dba557f
--- /dev/null
+++ b/bin/tests/system/rollover-straight2none/setup.sh
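Review bot: `allow-update { any; };` on `going-straight-to-none-dynamic.kasp` accepts unauthenticated dynamic updates from every source, and nothing in the template says why. The tests added in this commit do not appear to send any updates, so the ACL is presumably there only to make the zone dynamic for `inline-signing no`. A comment above the statement, such as `/* test-only: makes the zone dynamic for in-place signing; do not reuse outside the test network */`, would keep the stanza from being copied into a real configuration. The stanza is carried over from rollover/ns6/named.conf.j2 with only the zone name and policy variable changed.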
@@ -0,0 +1,53 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+cd "ns6"
+
+setup() {
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+}
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+
+# These zones are going straight to "none" policy. This is undefined behavior.
+T="now-10d"
+S="now-12955mi"
+csktimes="-P $T -A $T -P sync $S"
+
+setup going-straight-to-none.kasp
+echo "$zone" >>zones
+CSK=$($KEYGEN -k default $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+setup going-straight-to-none-dynamic.kasp
+echo "$zone" >>zones
+CSK=$($KEYGEN -k default $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O full -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
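Review bot: `$TactN` is expanded in both `$SETTIME` invocations but is never assigned in this script; the only time variables set above them are `T`, `S` and `csktimes`. Unless `../conf.sh` provides it (not visible here), it expands to nothing because the script runs with `-e` but not `-u`, so the key-state timestamps passed to `$SETTIME` are not what the line suggests. Either assign it next to `T`, or fail fast with `: "${TactN:?TactN is not set}"` before the first `setup` call. The lines removed from rollover/ns6/setup.sh use the same expression, so this may predate the move.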
diff --git a/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_initial.py b/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_initial.py
new file mode 100644
index 00000000000..15f1253f9a7
--- /dev/null
+++ b/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_initial.py
@@ -0,0 +1,46 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=redefined-outer-name,unused-import
+
+import pytest
+
+import isctest
+from common import (
+ pytestmark,
+ alg,
+ size,
+ CDSS,
+ DURATION,
+ DEFAULT_CONFIG,
+)
+
+
+@pytest.mark.parametrize(
+ "zone",
+ [
+ "going-straight-to-none.kasp",
+ "going-straight-to-none-dynamic.kasp",
+ ],
+)
+def test_straight2none_initial(zone, servers, alg, size):
+ config = DEFAULT_CONFIG
+ policy = "default"
+
+ step = {
+ "zone": zone,
+ "cdss": CDSS,
+ "keyprops": [
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
+ ],
+ "nextev": None,
+ }
+ isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
diff --git a/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_reconfig.py b/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_reconfig.py
new file mode 100644
index 00000000000..58663f5e374
--- /dev/null
+++ b/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_reconfig.py
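Review bot: The new module is named `tests_rollver_straight2none_initial.py`, and its sibling `tests_rollver_straight2none_reconfig.py` has the same misspelling of "rollover", while the directory and the commit subject both use `rollover-straight2none`. Anyone selecting tests by file name or grepping for `rollover` will miss both files, so renaming them to `tests_rollover_straight2none_*.py` keeps them discoverable. `test_straight2none_initial` also has no docstring; one line such as `"""Check that the CSK is fully omnipresent under the default policy."""` would state what this baseline asserts.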
@@ -0,0 +1,54 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=redefined-outer-name,unused-import
+
+import pytest
+
+import isctest
+from common import (
+ pytestmark,
+ alg,
+ size,
+ CDSS,
+ DURATION,
+ DEFAULT_CONFIG,
+)
+
+
+@pytest.fixture(scope="module", autouse=True)
+def reconfigure_policy(servers, templates):
+ templates.render("ns6/named.conf", {"policy": "none"})
+ servers["ns6"].reconfigure()
+
+
+@pytest.mark.parametrize(
+ "zone",
+ [
+ "going-straight-to-none.kasp",
+ "going-straight-to-none-dynamic.kasp",
+ ],
+)
+def test_straight2none_reconfig(zone, servers, alg, size):
+ config = DEFAULT_CONFIG
+ policy = None
+
+ step = {
+ "zone": zone,
+ "cdss": CDSS,
+ # These zones will go bogus after signatures expire, but
+ # remain validly signed for now.
+ "keyprops": [
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
+ ],
+ "nextev": None,
+ }
+ isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
diff --git a/bin/tests/system/rollover/ns6/named.conf.j2 b/bin/tests/system/rollover/ns6/named.conf.j2
index 9c4886f6ccc..7bf7a2d3f0f 100644
--- a/bin/tests/system/rollover/ns6/named.conf.j2
+++ b/bin/tests/system/rollover/ns6/named.conf.j2
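Review bot: `reconfigure_policy` changes server state for the whole module but has no docstring, and the expected `keyprops` in `test_straight2none_reconfig` are identical to those in the initial module, so `policy = None` is the only thing that distinguishes the two checks. I would add a docstring to the fixture, such as `"""Re-render ns6/named.conf with dnssec-policy none and reconfigure ns6 before any test in this module runs."""`, and move the "will go bogus after signatures expire" remark into a docstring on the test. That way the reader sees that an unchanged key state is the intended result. Whether `reconfigure()` returns only after named has applied the new policy is not visible in this hunk; if it does not, the check could pass against the old configuration.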
@@ -21,22 +21,6 @@ include "@_csk_file@"; include "named.common.conf"; -{% set _policy = "default" if not csk_roll else "none" %} -zone "step1.going-straight-to-none.kasp" { - type primary; - file "step1.going-straight-to-none.kasp.db"; - dnssec-policy @_policy@; -}; - -{% set _policy = "default" if not csk_roll else "none" %} -zone "step1.going-straight-to-none-dynamic.kasp" { - type primary; - file "step1.going-straight-to-none-dynamic.kasp.db.signed"; - inline-signing no; - dnssec-policy @_policy@; - allow-update { any; }; -}; - /* Zones for testing KSK/ZSK algorithm roll. */ {% set _policy = "rsasha256" if not csk_roll else "ecdsa256" %} zone "step1.algorithm-roll.kasp" { diff --git a/bin/tests/system/rollover/ns6/setup.sh b/bin/tests/system/rollover/ns6/setup.sh index d03a27a552c..6f062a11501 100644 --- a/bin/tests/system/rollover/ns6/setup.sh +++ b/bin/tests/system/rollover/ns6/setup.sh 
@@ -29,29 +29,6 @@ R="RUMOURED" O="OMNIPRESENT" U="UNRETENTIVE" -# These zones are going straight to "none" policy. This is undefined behavior. -T="now-10d" -S="now-12955mi" -csktimes="-P $T -A $T -P sync $S" - -setup step1.going-straight-to-none.kasp -echo "$zone" >>zones -CSK=$($KEYGEN -k default $csktimes $zone 2>keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" >"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" -cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 - -setup step1.going-straight-to-none-dynamic.kasp -echo "$zone" >>zones -CSK=$($KEYGEN -k default $csktimes $zone 2>keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" >"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" -cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O full -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 - # # The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK # algorithm rollover. diff --git a/bin/tests/system/rollover/tests_rollover.py b/bin/tests/system/rollover/tests_rollover.py index feda32edc8b..2449c4d7058 100644 --- a/bin/tests/system/rollover/tests_rollover.py +++ b/bin/tests/system/rollover/tests_rollover.py 
@@ -1161,25 +1161,6 @@ def test_rollover_policy_changes(servers, templates): start_time = KeyTimingMetadata.now() - # Test going straight to none. - isctest.log.info("check going straight to none") - zones = [ - "step1.going-straight-to-none.kasp", - "step1.going-straight-to-none-dynamic.kasp", - ] - for zone in zones: - step = { - "zone": zone, - "cdss": cdss, - "config": default_config, - "policy": "default", - "keyprops": [ - f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}", - ], - "nextev": None, - } - steps.append(step) - # Test algorithm rollover (KSK/ZSK split). isctest.log.info("check algorithm rollover ksk/zsk split") offset = -timedelta(days=7) @@ -1222,27 +1203,6 @@ def test_rollover_policy_changes(servers, templates): now = KeyTimingMetadata.now() time_passed = now.value - start_time.value - # Test going straight to none. - isctest.log.info("check going straight to none (after reconfig)") - zones = [ - "step1.going-straight-to-none.kasp", - "step1.going-straight-to-none-dynamic.kasp", - ] - for zone in zones: - step = { - "zone": zone, - "cdss": cdss, - "config": default_config, - "policy": None, - # These zones will go bogus after signatures expire, but - # remain validly signed for now. - "keyprops": [ - f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}", - ], - "nextev": None, - } - steps.append(step) - # Test algorithm rollover (KSK/ZSK split) (after reconfig). isctest.log.info("check algorithm rollover ksk/zsk split (after reconfig)") offset = -timedelta(days=7)