From: Matthijs Mekking Date: Tue, 3 Jun 2025 12:38:28 +0000 (+0200) Subject: Test purge-keys with views X-Git-Tag: v9.21.10~46^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=752d8617f558130cc552cae0e903aca318a3ef02;p=thirdparty%2Fbind9.git Test purge-keys with views Create a test scenario where a signed zone is in multiple views and then a key may be purged. This is a bug case where the key files are removed by one view and then the other view starts complaining. --- diff --git a/bin/tests/system/kasp/ns4/named.conf.in b/bin/tests/system/kasp/ns4/named.conf.in index df02b2d4629..ac4406371b5 100644 --- a/bin/tests/system/kasp/ns4/named.conf.in +++ b/bin/tests/system/kasp/ns4/named.conf.in @@ -13,6 +13,8 @@ // NS4 +include "purgekeys.conf"; + key rndc_key { secret "1234abcd8765"; algorithm @DEFAULT_HMAC@; @@ -154,6 +156,12 @@ view "example1" { inline-signing no; file "example1.db"; }; + + zone "purgekeys.kasp" { + type primary; + file "purgekeys.kasp.example1.db"; + dnssec-policy "purgekeys"; + }; }; view "example2" { @@ -163,6 +171,12 @@ view "example2" { type primary; file "example2.db"; }; + + zone "purgekeys.kasp" { + type primary; + file "purgekeys.kasp.example2.db"; + dnssec-policy "purgekeys"; + }; }; view "example3" { diff --git a/bin/tests/system/kasp/ns4/purgekeys1.conf b/bin/tests/system/kasp/ns4/purgekeys1.conf new file mode 100644 index 00000000000..9845c8936cf --- /dev/null +++ b/bin/tests/system/kasp/ns4/purgekeys1.conf 
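Review bot: Nothing in the two new `zone "purgekeys.kasp"` blocks records that they are meant to share one set of key files: neither sets `key-directory`, so both views' copies presumably fall back to the same default directory, which is the GL #5315 situation the commit message describes (setup.sh generates the keys into ns4/). A comment above the example1 copy such as `// Same zone in two views, deliberately sharing the default key-directory (GL #5315): a purge in one view must not break the other` would keep a later cleanup from giving each view its own key-directory and silently neutralising the regression test. The included `purgekeys.conf` is likewise a generated file (copied from purgekeys1.conf and swapped for purgekeys2.conf by the test), which is worth one line next to the `include`. The `view` blocks start and end outside the hunks.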
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "purgekeys" {
+ keys {
+ ksk key-directory lifetime 0 algorithm 13;
+ zsk key-directory lifetime P30D algorithm 13;
+ };
+ /*
+ * Initially set to 0, so no keys are purged. Keys that are no longer
+ * in use will still be in the zone's keyring, one per view. After
+ * reconfig the purge-keys value is set to 7 days, at least one key
+ * will be eligible for purging, and should be purged from both
+ * keyrings without issues.
+ */
+ purge-keys 0;
+ //purge-keys P7D;
+};
diff --git a/bin/tests/system/kasp/ns4/purgekeys2.conf b/bin/tests/system/kasp/ns4/purgekeys2.conf
new file mode 100644
index 00000000000..62376c1fd7a
--- /dev/null
+++ b/bin/tests/system/kasp/ns4/purgekeys2.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "purgekeys" {
+ keys {
+ ksk key-directory lifetime 0 algorithm 13;
+ zsk key-directory lifetime P30D algorithm 13;
+ };
+ //purge-keys 0;
+ purge-keys P7D;
+};
diff --git a/bin/tests/system/kasp/ns4/setup.sh b/bin/tests/system/kasp/ns4/setup.sh
index c488bc45881..2b1c9d7944b 100644
--- a/bin/tests/system/kasp/ns4/setup.sh
+++ b/bin/tests/system/kasp/ns4/setup.sh
@@ -30,3 +30,22 @@ done cp example1.db.in example1.db cp example2.db.in example2.db + +# Regression test for GL #5315 +cp purgekeys1.conf purgekeys.conf +cp example1.db.in purgekeys.kasp.example1.db +cp example2.db.in purgekeys.kasp.example2.db + +zone="purgekeys.kasp" +H="HIDDEN" +O="OMNIPRESENT" +T="now-9mo" +# KSK omnipresent +KSK=$($KEYGEN -fk -a 13 -L 3600 $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1 +# ZSK omnipresent +ZSK1=$($KEYGEN -a 13 -L 3600 $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK1" >settime.out.$zone.2 2>&1 +# ZSK hidden (may be purged) +ZSK2=$($KEYGEN -a 13 -L 3600 $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $H $T -z $H $T "$ZSK2" >settime.out.$zone.2 2>&1 diff --git a/bin/tests/system/kasp/tests_kasp.py b/bin/tests/system/kasp/tests_kasp.py index 542f7f496c7..e6bc020554a 100644 --- a/bin/tests/system/kasp/tests_kasp.py +++ b/bin/tests/system/kasp/tests_kasp.py @@ -78,6 +78,8 @@ pytestmark = pytest.mark.extra_artifacts( "ns*/policies/*.conf", "ns3/legacy-keys.*", "ns3/dynamic-signed-inline-signing.kasp.db.signed.signed", + "ns4/purgekeys.conf", + "ns4/purgekeys2.conf", ] ) 
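Review bot: The third key-generation pair reuses the diagnostic file names of the second: `ZSK2=$($KEYGEN -a 13 -L 3600 $zone 2>keygen.out.$zone.2)` and the following `$SETTIME ... >settime.out.$zone.2` overwrite `keygen.out.$zone.2` and `settime.out.$zone.2` that were just written for ZSK1, so a keygen or settime failure on ZSK1 leaves no trace to debug from. Bump both redirections to `.3`: `2>keygen.out.$zone.3` and `>settime.out.$zone.3 2>&1`. Separately, the "ZSK hidden (may be purged)" comment is the only hint that ZSK2 is the key expected to disappear; extending it to say that its key files live in the key directory shared by both views' copies of the zone (the GL #5315 condition) would make the intent of the fixture clearer to whoever next edits it — that the directory is shared is inferred from the zones setting no `key-directory`, so confirm.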
@@ -1566,6 +1568,33 @@ def test_kasp_zsk_retired(servers): server.log.prohibit(msg) +def test_kasp_purge_keys(servers): + zone = "purgekeys.kasp" + server = servers["ns4"] + + tsig1 = ( + f"{os.environ['DEFAULT_HMAC']}:keyforview1:{KASP_INHERIT_TSIG_SECRET['view1']}" + ) + tsig2 = ( + f"{os.environ['DEFAULT_HMAC']}:keyforview2:{KASP_INHERIT_TSIG_SECRET['view2']}" + ) + + isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig1) + isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig2) + + # Reconfig, make sure the purged key is not an issue when verifying keys. + shutil.copyfile("ns4/purgekeys2.conf", "ns4/purgekeys.conf") + with server.watch_log_from_here() as watcher: + server.rndc("reconfig", log=False) + watcher.wait_for_line(f"keymgr: {zone} done") + + msg = f"zone {zone}/IN/example1 (signed): zone_rekey:zone_verifykeys failed: some key files are missing" + server.log.prohibit(msg) + + msg = f"zone {zone}/IN/example2 (signed): zone_rekey:zone_verifykeys failed: some key files are missing" + server.log.prohibit(msg) + + def test_kasp_reload_restart(servers): server = servers["ns6"] zone = "example"
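Review bot: After the reconfig the test waits once for `keymgr: {zone} done`, but the zone exists in two views; if that line is logged per view without a view name, the wait can return after example1's rekey while example2's is still running, and the two `server.log.prohibit` calls then execute before the "some key files are missing" error they guard against would be written, so the regression can pass spuriously. Waiting for the line once per view (or for a view-qualified message, if one exists — I cannot see the keymgr log format from here, nor whether `wait_for_line` resumes after the previous match) closes that window. The test also never asserts that a key was actually purged, so the prohibits pass trivially if `purge-keys P7D` did nothing; asserting that the hidden ZSK's key files are gone from ns4/ (or waiting for the purge log line) and re-running `check_dnssec_verify` for both views after the reconfig would show the zone still signs once the files are removed. Finally, `ns4/purgekeys.conf` is left pointing at purgekeys2.conf, so any later test touching ns4 inherits `purge-keys P7D` — worth a comment if that is acceptable.

```python
    with server.watch_log_from_here() as watcher:
        server.rndc("reconfig", log=False)
        # keymgr runs once per view; wait for both before inspecting the log
        # (assumes the "done" line carries no view name and that the watcher
        # resumes after the previous match -- confirm)
        watcher.wait_for_line(f"keymgr: {zone} done")
        watcher.wait_for_line(f"keymgr: {zone} done")

    # after the purge the zone must still verify in both views
    isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig1)
    isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig2)
    # … unchanged: log.prohibit checks for example1 / example2 …
```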