From: Matthijs Mekking
Date: Fri, 28 Nov 2025 10:59:00 +0000 (+0100)
Subject: rollover-multisigner: Update templates
X-Git-Tag: v9.21.17~22^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b6c091d1130c0ba4c49e603b78758dbe493da7e0;p=thirdparty%2Fbind9.git
rollover-multisigner: Update templates
This test does not require a trust chain. However, it does have a setup script. Rewrite the setup shell script to a pytest bootstrap method.
---
diff --git a/bin/tests/system/rollover-lifetime/ns3/limit-lifetime.db b/bin/tests/system/rollover-lifetime/ns3/limit-lifetime.db
index ce6d526285a..e9d5917b1f4 120000
--- a/bin/tests/system/rollover-lifetime/ns3/limit-lifetime.db
+++ b/bin/tests/system/rollover-lifetime/ns3/limit-lifetime.db
@@ -1 +1 @@
-../../rollover/ns3/template.db.in
\ No newline at end of file
+template.db.in
\ No newline at end of file
diff --git a/bin/tests/system/rollover-lifetime/ns3/longer-lifetime.db b/bin/tests/system/rollover-lifetime/ns3/longer-lifetime.db
index ce6d526285a..e9d5917b1f4 120000
--- a/bin/tests/system/rollover-lifetime/ns3/longer-lifetime.db
+++ b/bin/tests/system/rollover-lifetime/ns3/longer-lifetime.db
@@ -1 +1 @@
-../../rollover/ns3/template.db.in
\ No newline at end of file
+template.db.in
\ No newline at end of file
diff --git a/bin/tests/system/rollover-lifetime/ns3/shorter-lifetime.db b/bin/tests/system/rollover-lifetime/ns3/shorter-lifetime.db
index ce6d526285a..e9d5917b1f4 120000
--- a/bin/tests/system/rollover-lifetime/ns3/shorter-lifetime.db
+++ b/bin/tests/system/rollover-lifetime/ns3/shorter-lifetime.db
@@ -1 +1 @@
-../../rollover/ns3/template.db.in
\ No newline at end of file
+template.db.in
\ No newline at end of file
diff --git a/bin/tests/system/rollover-lifetime/ns3/template.db.in b/bin/tests/system/rollover-lifetime/ns3/template.db.in
new file mode 100644
index 00000000000..010b05b3cb3
--- /dev/null
+++ b/bin/tests/system/rollover-lifetime/ns3/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/rollover-lifetime/ns3/unlimit-lifetime.db b/bin/tests/system/rollover-lifetime/ns3/unlimit-lifetime.db
index ce6d526285a..e9d5917b1f4 120000
--- a/bin/tests/system/rollover-lifetime/ns3/unlimit-lifetime.db
+++ b/bin/tests/system/rollover-lifetime/ns3/unlimit-lifetime.db
@@ -1 +1 @@
-../../rollover/ns3/template.db.in
\ No newline at end of file
+template.db.in
\ No newline at end of file
diff --git a/bin/tests/system/rollover-multisigner/ns3/template.db.j2.manual b/bin/tests/system/rollover-multisigner/ns3/template.db.j2.manual
new file mode 120000
index 00000000000..38619a01b24
--- /dev/null
+++ b/bin/tests/system/rollover-multisigner/ns3/template.db.j2.manual
@@ -0,0 +1 @@
+../../rollover/ns3/template.db.j2.manual
\ No newline at end of file
diff --git a/bin/tests/system/rollover-multisigner/setup.sh b/bin/tests/system/rollover-multisigner/setup.sh
deleted file mode 100644
index d9937adb088..00000000000
--- a/bin/tests/system/rollover-multisigner/setup.sh
+++ /dev/null
@@ -1,67 +0,0 @@
-#!/bin/sh -e
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-# shellcheck source=conf.sh
-. ../conf.sh
-
-cd "ns3"
-
-setup() {
- zone="$1"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- infile="${zone}.db.infile"
- echo "$zone" >>zones
-}
-
-# Set in the key state files the Predecessor/Successor fields.
-# Key $1 is the predecessor of key $2.
-key_successor() {
- id1=$(keyfile_to_key_id "$1")
- id2=$(keyfile_to_key_id "$2")
- echo "Predecessor: ${id1}" >>"${2}.state"
- echo "Successor: ${id2}" >>"${1}.state"
-}
-
-# Make lines shorter by storing key states in environment variables.
-H="HIDDEN"
-R="RUMOURED"
-O="OMNIPRESENT"
-U="UNRETENTIVE"
-
-# Multi-signer zones.
-setup "multisigner-model2.kasp"
-cp template.db.in "$zonefile"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 -M 32768:65535 $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -M 32768:65535 $zone 2>keygen.out.$zone.2)
-cat "${KSK}.key" | grep -v ";.*" >>"${zone}.db"
-cat "${ZSK}.key" | grep -v ";.*" >>"${zone}.db"
-# Import a ZSK of another provider into the DNSKEY RRset.
-ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 -M 0:32767 $zone 2>keygen.out.$zone.3)
-cat "../${ZSK1}.key" | grep -v ";.*" >>"${zone}.db"
-
-# We are changing an existing single-signed zone to multi-signed
-# zone where the key tags do not match the dnssec-policy key tag range
-setup single-to-multisigner.kasp
-T="now-7d"
-S="now-8635mi" # T - 1d5m
-keytimes="-P $T -A $T"
-cdstimes="-P sync $S"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -M 0:32767 -L 3600 -f KSK $keytimes $cdstimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -M 0:32767 -L 3600 $keytimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
-$SIGNER -PS -z -x -s now-2w -e now-1mi -o $zone -f "${zonefile}" $infile >signer.out.$zone.1 2>&1
-echo "Lifetime: 0" >>"${KSK}".state
-echo "Lifetime: 0" >>"${ZSK}".state
diff --git a/bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py b/bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py
index 9c4cc47b8b3..ccce44ce3a6 100644
--- a/bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py
+++ b/bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py
@@ -26,6 +26,70 @@ from rollover.common import (
 alg,
 size,
 )
+from rollover.setup import CmdHelper, fake_lifetime, render_and_sign_zone
+
+
+def bootstrap():
+ templates = isctest.template.TemplateEngine(".")
+
+ # Multi-signer zones.
+ keygen = CmdHelper("KEYGEN", "-a ECDSA256 -L 3600")
+ settime = CmdHelper("SETTIME", "-s")
+
+ # Model 2.
+ zonename = "multisigner-model2.kasp"
+ isctest.log.info(f"setup {zonename}")
+ # Key generation.
+ ksk_name = keygen(f"-M 32768:65535 -f KSK {zonename}", cwd="ns3").strip()
+ zsk_name = keygen(f"-M 32768:65535 {zonename}", cwd="ns3").strip()
+ # Signing.
+ dnskeys = []
+ for key_name in [ksk_name, zsk_name]:
+ key = isctest.kasp.Key(key_name, keydir="ns3")
+ dnskeys.append(key.dnskey)
+ # Import a ZSK of another provider into the DNSKEY RRset.
+ zsk_extra = keygen(f"-M 0:32767 {zonename}").strip()
+ key = isctest.kasp.Key(zsk_extra)
+ dnskeys.append(key.dnskey)
+ # Render zone file.
+ outfile = f"{zonename}.db"
+ templates = isctest.template.TemplateEngine(".")
+ template = "template.db.j2.manual"
+ tdata = {
+ "fqdn": f"{zonename}.",
+ "dnskeys": dnskeys,
+ "privaterrs": [],
+ }
+ templates.render(f"ns3/{outfile}", tdata, template=f"ns3/{template}")
+
+ # We are changing an existing single-signed zone to multi-signed
+ # zone where the key tags do not match the dnssec-policy key tag range
+ zonename = "single-to-multisigner.kasp"
+ isctest.log.info(f"setup {zonename}")
+ # Timing metadata.
+ TpubN = "now-7d"
+ TsbmN = "now-8635mi" # T - 1d5m
+ keytimes = f"-P {TpubN} -A {TpubN}"
+ cdstimes = f"-P sync {TsbmN}"
+ # Key generation.
+ ksk_name = keygen(
+ f"-M 0:32767 -f KSK {keytimes} {cdstimes} {zonename}", cwd="ns3"
+ ).strip()
+ zsk_name = keygen(f"-M 0:32767 {keytimes} {zonename}", cwd="ns3").strip()
+ settime(
+ f"-g OMNIPRESENT -d OMNIPRESENT {TpubN} -k OMNIPRESENT {TpubN} -r OMNIPRESENT {TpubN} {ksk_name}",
+ cwd="ns3",
+ )
+ settime(
+ f"-g OMNIPRESENT -k OMNIPRESENT {TpubN} -z OMNIPRESENT {TpubN} {zsk_name}",
+ cwd="ns3",
+ )
+ # Signing.
+ fake_lifetime(ksk_name, 0)
+ fake_lifetime(zsk_name, 0)
+ render_and_sign_zone(zonename, [ksk_name, zsk_name])
+
+ return {}
 
 
 def test_rollover_multisigner(ns3, alg, size):
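Review bot: The key algorithm is now fixed to `CmdHelper("KEYGEN", "-a ECDSA256 -L 3600")` while the deleted setup.sh used `$DEFAULT_ALGORITHM`, and `test_rollover_multisigner(ns3, alg, size)` still takes the `alg`/`size` fixtures imported from `rollover.common`; if those fixtures can resolve to anything other than ECDSA256, the keys `bootstrap()` generates and what the test expects would disagree, so either derive the `-a` option from the same source as the fixtures or record the coupling in a comment next to the CmdHelper line. `templates = isctest.template.TemplateEngine(".")` is assigned twice inside `bootstrap()`, once at the top and again just before the render; the first assignment is dead and should be dropped. The third keygen call, `zsk_extra = keygen(f"-M 0:32767 {zonename}").strip()`, is the only one without `cwd="ns3"`, which appears to be deliberate (it replaces the old `-K ../`) so the key lands outside ns3, but nothing in the code says so; a comment such as `# Generated outside ns3 on purpose: stands in for a key held by another provider` would make the intent explicit, assuming CmdHelper defaults to the test directory. `bootstrap()` also lacks a docstring; a one-liner saying it generates the keys and renders/signs the two multi-signer zones under ns3 and returns an empty template-variable dict would help the next reader.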