From: Matthijs Mekking Date: Fri, 28 Nov 2025 08:59:51 +0000 (+0100) Subject: rollover-enable-dnssec: From setup.sh to pytest bootstrap X-Git-Tag: v9.21.17~22^2~8 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ef2a824df68c06344d210c9dda17cb5177e31961;p=thirdparty%2Fbind9.git rollover-enable-dnssec: From setup.sh to pytest bootstrap Symlink ns1 and ns2 to rollover/ns1 and rollover/ns2. Symlink ns3/template.db.j2.manual to rollover/ns3/template.db.j2.manual. Since the bootstrapping is done before the templates are rendered automatically, replace @DEFAULT_ALGORITHM_NUMBER@ in ns3/kasp.conf.j2 to 13 and rename to ns3/kasp.conf. This test introduces an unsigned delegation, adjust render_and_sign_zone and configure_tld accordingly.
---
diff --git a/bin/tests/system/rollover-enable-dnssec/ns1 b/bin/tests/system/rollover-enable-dnssec/ns1
new file mode 120000
index 00000000000..76608beaedd
--- /dev/null
+++ b/bin/tests/system/rollover-enable-dnssec/ns1
@@ -0,0 +1 @@
+../rollover/ns1
\ No newline at end of file
diff --git a/bin/tests/system/rollover-enable-dnssec/ns2 b/bin/tests/system/rollover-enable-dnssec/ns2
new file mode 120000
index 00000000000..41a09bb648b
--- /dev/null
+++ b/bin/tests/system/rollover-enable-dnssec/ns2
@@ -0,0 +1 @@
+../rollover/ns2
\ No newline at end of file
diff --git a/bin/tests/system/rollover-enable-dnssec/ns3/kasp.conf.j2 b/bin/tests/system/rollover-enable-dnssec/ns3/kasp.conf
similarity index 89%
rename from bin/tests/system/rollover-enable-dnssec/ns3/kasp.conf.j2
rename to bin/tests/system/rollover-enable-dnssec/ns3/kasp.conf
index 1f0c0773d2c..a3dacfeab3c 100644
--- a/bin/tests/system/rollover-enable-dnssec/ns3/kasp.conf.j2
+++ b/bin/tests/system/rollover-enable-dnssec/ns3/kasp.conf
@@ -26,7 +26,7 @@ dnssec-policy "enable-dnssec-autosign" {
 parent-ds-ttl 2h;
 keys {
- csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@;
+ csk lifetime unlimited algorithm 13;
 };
 };
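Review bot: The new `csk lifetime unlimited algorithm 13;` line pins this policy to ECDSAP256SHA256 where the `@DEFAULT_ALGORITHM_NUMBER@` placeholder previously tracked the build's default algorithm, so the policy will silently diverge from the rest of the rollover tests if that default ever changes, and nothing in the file records why the placeholder was dropped. A one-line comment next to it would save the next reader a search, e.g. `# Hard-coded (was @DEFAULT_ALGORITHM_NUMBER@): this file is read during pytest bootstrap, before templates are rendered; keep in sync with the keys generated in rollover/setup.py.` The same substitution appears in the `enable-dnssec-manual` policy hunk below and deserves the same note.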
@@ -47,6 +47,6 @@ dnssec-policy "enable-dnssec-manual" {
 parent-ds-ttl 2h;
 keys {
- csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@;
+ csk lifetime unlimited algorithm 13;
 };
 };
diff --git a/bin/tests/system/rollover-enable-dnssec/ns3/template.db.in b/bin/tests/system/rollover-enable-dnssec/ns3/template.db.in
deleted file mode 120000
index ce6d526285a..00000000000
--- a/bin/tests/system/rollover-enable-dnssec/ns3/template.db.in
+++ /dev/null
@@ -1 +0,0 @@
-../../rollover/ns3/template.db.in
\ No newline at end of file
diff --git a/bin/tests/system/rollover-enable-dnssec/ns3/template.db.j2.manual b/bin/tests/system/rollover-enable-dnssec/ns3/template.db.j2.manual
new file mode 120000
index 00000000000..38619a01b24
--- /dev/null
+++ b/bin/tests/system/rollover-enable-dnssec/ns3/template.db.j2.manual
@@ -0,0 +1 @@
+../../rollover/ns3/template.db.j2.manual
\ No newline at end of file
diff --git a/bin/tests/system/rollover-enable-dnssec/ns3/trusted.conf.j2 b/bin/tests/system/rollover-enable-dnssec/ns3/trusted.conf.j2
new file mode 120000
index 00000000000..cb0be77b220
--- /dev/null
+++ b/bin/tests/system/rollover-enable-dnssec/ns3/trusted.conf.j2
@@ -0,0 +1 @@
+../../_common/trusted.conf.j2
\ No newline at end of file
diff --git a/bin/tests/system/rollover-enable-dnssec/setup.sh b/bin/tests/system/rollover-enable-dnssec/setup.sh
deleted file mode 100644
index 17ee3a79f95..00000000000
--- a/bin/tests/system/rollover-enable-dnssec/setup.sh
+++ /dev/null
@@ -1,102 +0,0 @@
-#!/bin/sh -e
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-# shellcheck source=conf.sh
-. ../conf.sh
-
-cd "ns3"
-
-setup() {
- zone="$1"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- infile="${zone}.db.infile"
- echo "$zone" >>zones
-}
-
-# Set in the key state files the Predecessor/Successor fields.
-# Key $1 is the predecessor of key $2.
-key_successor() {
- id1=$(keyfile_to_key_id "$1")
- id2=$(keyfile_to_key_id "$2")
- echo "Predecessor: ${id1}" >>"${2}.state"
- echo "Successor: ${id2}" >>"${1}.state"
-}
-
-# Make lines shorter by storing key states in environment variables.
-H="HIDDEN"
-R="RUMOURED"
-O="OMNIPRESENT"
-U="UNRETENTIVE"
-
-#
-# The zones at enable-dnssec.$tld represent the various steps of the
-# initial signing of a zone.
-#
-
-for tld in autosign manual; do
- # Step 1:
- # This is an unsigned zone and named should perform the initial steps of
- # introducing the DNSSEC records in the right order.
- setup step1.enable-dnssec.$tld
- cp template.db.in $zonefile
-
- # Step 2:
- # The DNSKEY has been published long enough to become OMNIPRESENT.
- setup step2.enable-dnssec.$tld
- # DNSKEY TTL: 300 seconds
- # zone-propagation-delay: 5 minutes (300 seconds)
- # publish-safety: 5 minutes (300 seconds)
- # Total: 900 seconds
- TpubN="now-900s"
- keytimes="-P ${TpubN} -A ${TpubN}"
- CSK=$($KEYGEN -k enable-dnssec-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
- $SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
- cat template.db.in "${CSK}.key" >"$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
- cp $infile $zonefile
- $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
- # Step 3:
- # The zone signatures have been published long enough to become OMNIPRESENT.
- setup step3.enable-dnssec.$tld
- # Passed time since publication:
- # max-zone-ttl: 12 hours (43200 seconds)
- # zone-propagation-delay: 5 minutes (300 seconds)
- TpubN="now-43500s"
- # We can submit the DS now.
- keytimes="-P ${TpubN} -A ${TpubN}"
- CSK=$($KEYGEN -k enable-dnssec-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
- $SETTIME -s -g $O -k $O $TpubN -r $O $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
- cat template.db.in "${CSK}.key" >"$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
- cp $infile $zonefile
- $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
- # Step 4:
- # The DS has been submitted long enough ago to become OMNIPRESENT.
- setup step4.enable-dnssec.$tld
- # DS TTL: 2 hour (7200 seconds)
- # parent-propagation-delay: 1 hour (3600 seconds)
- # Total aditional time: 10800 seconds
- # 43500 + 10800 = 54300
- TpubN="now-54300s"
- TsbmN="now-10800s"
- keytimes="-P ${TpubN} -A ${TpubN} -P sync ${TsbmN}"
- CSK=$($KEYGEN -k enable-dnssec-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
- $SETTIME -s -g $O -P ds $TsbmN -k $O $TpubN -r $O $TpubN -d $R $TpubN -z $O $TsbmN "$CSK" >settime.out.$zone.1 2>&1
- cat template.db.in "${CSK}.key" >"$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
- cp $infile $zonefile
- $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-done
diff --git a/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py b/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py
index ddcb6a5c797..23d47bdbb69 100644
--- a/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py
+++ b/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py
@@ -23,6 +23,11 @@ from rollover.common import (
 CDSS,
 TIMEDELTA,
 )
+from rollover.setup import (
+ configure_root,
+ configure_tld,
+ configure_enable_dnssec,
+)
 CONFIG = {
 "dnskey-ttl": TIMEDELTA["PT5M"],
@@ -47,6 +52,30 @@ OFFSETS["step3"] = -int(IRETZSK.total_seconds())
 OFFSETS["step4"] = -int(IPUBC.total_seconds() + IRETKSK.total_seconds())
+def bootstrap():
+ data = {
+ "tlds": [],
+ "trust_anchors": [],
+ }
+
+ tlds = []
+ for tld_name in [
+ "autosign",
+ "manual",
+ ]:
+ delegations = configure_enable_dnssec(tld_name, f"{POLICY}-{tld_name}")
+
+ tld = configure_tld(tld_name, delegations)
+ tlds.append(tld)
+
+ data["tlds"].append(tld_name)
+
+ ta = configure_root(tlds)
+ data["trust_anchors"].append(ta)
+
+ return data
+
+
+
 @pytest.mark.parametrize(
 "tld",
 [
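Review bot: `bootstrap()` in the second hunk has no docstring, and nothing in the hunk shows who consumes the returned dict, so the shape of `data` (keys `tlds` and `trust_anchors`) is an undocumented contract between this file and whatever harness calls it; I would add a docstring such as `"""Build the autosign and manual TLDs with their enable-dnssec delegations, sign the root, and return {"tlds": [names], "trust_anchors": [root key]} for the test harness."""`. The local `tlds` list (Zone objects, passed to `configure_root`) and `data["tlds"]` (bare names) intentionally hold different things, which a short comment on `tlds = []` should say, e.g. `# Zone objects for the root delegations; data["tlds"] keeps only the names.` `POLICY` is referenced but defined outside the hunk, presumably at module level.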
diff --git a/bin/tests/system/rollover/setup.py b/bin/tests/system/rollover/setup.py
index 2d7f178ca17..d4b35be6156 100644
--- a/bin/tests/system/rollover/setup.py
+++ b/bin/tests/system/rollover/setup.py
@@ -37,7 +37,11 @@ def configure_tld(zonename: str, delegations: List[Zone]) -> Zone:
 isctest.log.info(f"create {zonename} zone with delegations and sign")
 for zone in delegations:
- shutil.copy(f"{zone.ns.name}/dsset-{zone.name}.", "ns2/")
+ try:
+ shutil.copy(f"{zone.ns.name}/dsset-{zone.name}.", "ns2/")
+ except FileNotFoundError:
+ # Some delegations are unsigned.
+ pass
 ksk_name = keygen(f"-f KSK {zonename}", cwd="ns2").strip()
 zsk_name = keygen(f"{zonename}", cwd="ns2").strip()
@@ -113,7 +117,9 @@ def set_key_relationship(key1: str, key2: str):
 statefile.write(f"Predecessor: {predecessor.tag}\n")
-def render_and_sign_zone(zonename: str, keys: List[str], extra_options: str = ""):
+def render_and_sign_zone(
+ zonename: str, keys: List[str], signing: bool = True, extra_options: str = ""
+):
 dnskeys = []
 privaterrs = []
 for key_name in keys:
@@ -132,8 +138,11 @@ def render_and_sign_zone(zonename: str, keys: List[str], extra_options: str = ""
 }
 templates.render(f"ns3/{outfile}", tdata, template=f"ns3/{template}")
- signer = CmdHelper("SIGNER", "-S -g -x -s now-1h -e now+2w -O raw")
- signer(f"{extra_options} -o {zonename} -f {outfile}.signed {outfile}", cwd="ns3")
+ if signing:
+ signer = CmdHelper("SIGNER", "-S -g -x -s now-1h -e now+2w -O raw")
+ signer(
+ f"{extra_options} -o {zonename} -f {outfile}.signed {outfile}", cwd="ns3"
+ )
 def configure_algo_csk(tld: str, policy: str, reconfig: bool = False) -> List[Zone]:
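Review bot: The new `except FileNotFoundError: pass` in `configure_tld` swallows every missing `dsset-` file, not only those of the deliberately unsigned step1 zones, so a sibling `configure_*` helper whose signing step failed or was skipped would now get an insecure delegation in the parent instead of an error, and a rollover test could pass for the wrong reason. At minimum the skip should be visible in the test log, e.g. replace the `pass` with `isctest.log.info(f"no dsset for {zone.name}, adding unsigned delegation")`; better still, mark the intentionally unsigned zones explicitly (a flag on the `Zone` record, if that type can carry one) and only tolerate the missing file for those. `configure_tld` continues past this hunk.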
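Review bot: In the second hunk `signing` is inserted as a positional parameter ahead of `extra_options` in `render_and_sign_zone`, so a caller that passed its options string positionally would now have it bound to `signing` (truthy) and sign with no options, silently; the callers visible in this diff use the keyword form, but the ordering invites that mistake. Making both flags keyword-only removes the hazard: `zonename: str, keys: List[str], *, signing: bool = True, extra_options: str = ""`. The function also has no docstring; a one-liner such as `"""Render ns3/<zonename>.db from its template and, unless signing is False, sign it into <zonename>.db.signed."""` would document the new mode. The function body runs past the hunk.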
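Review bot: In the third hunk, when `signing` is False the `{outfile}.signed` file is never written and any `extra_options` the caller passed are dropped without notice, so a caller combining `signing=False` with `-z` or `-G` would get no hint that its options were ignored. A cheap guard before the `if signing:` makes the contract explicit: `if not signing and extra_options: raise ValueError(f"{zonename}: extra_options given but signing is disabled")`, plus a comment on the `if signing:` line, `# Unsigned delegations (e.g. step1 of enable-dnssec) skip dnssec-signzone entirely.` `render_and_sign_zone` starts outside this hunk.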
@@ -1194,3 +1203,83 @@ def configure_cskroll2(tld: str, policy: str) -> List[Zone]:
 render_and_sign_zone(zonename, [csk1_name, csk2_name], extra_options=f"-z -G {cds}")
 return zones
+
+
+def configure_enable_dnssec(tld: str, policy: str) -> List[Zone]:
+ # The zones at enable-dnssec.$tld represent the various steps of the
+ # initial signing of a zone.
+ zones = []
+ zone = f"enable-dnssec.{tld}"
+ keygen = CmdHelper("KEYGEN", f"-k {policy} -l kasp.conf")
+ settime = CmdHelper("SETTIME", "-s")
+
+ # Step 1:
+ # This is an unsigned zone and named should perform the initial steps of
+ # introducing the DNSSEC records in the right order.
+ zonename = f"step1.{zone}"
+ zones.append(Zone(zonename, f"{zonename}.db", Nameserver("ns3", "10.53.0.3")))
+ isctest.log.info(f"setup {zonename}")
+ render_and_sign_zone(zonename, [], signing=False)
+
+ # Step 2:
+ # The DNSKEY has been published long enough to become OMNIPRESENT.
+ zonename = f"step2.{zone}"
+ zones.append(Zone(zonename, f"{zonename}.db", Nameserver("ns3", "10.53.0.3")))
+ isctest.log.info(f"setup {zonename}")
+ # DNSKEY TTL: 300 seconds
+ # zone-propagation-delay: 5 minutes (300 seconds)
+ # publish-safety: 5 minutes (300 seconds)
+ # Total: 900 seconds
+ TpubN = "now-900s"
+ keytimes = f"-P {TpubN} -A {TpubN}"
+ # Key generation.
+ csk_name = keygen(f"{keytimes} {zonename}", cwd="ns3").strip()
+ settime(
+ f"-g OMNIPRESENT -k RUMOURED {TpubN} -r RUMOURED {TpubN} -z RUMOURED {TpubN} -d HIDDEN {TpubN} {csk_name}",
+ cwd="ns3",
+ )
+ # Signing.
+ render_and_sign_zone(zonename, [csk_name], extra_options="-z")
+
+ # Step 3:
+ # The zone signatures have been published long enough to become OMNIPRESENT.
+ zonename = f"step3.{zone}"
+ zones.append(Zone(zonename, f"{zonename}.db", Nameserver("ns3", "10.53.0.3")))
+ isctest.log.info(f"setup {zonename}")
+ # Passed time since publication:
+ # max-zone-ttl: 12 hours (43200 seconds)
+ # zone-propagation-delay: 5 minutes (300 seconds)
+ # We can submit the DS now.
+ TpubN = "now-43500s"
+ keytimes = f"-P {TpubN} -A {TpubN}"
+ # Key generation.
+ csk_name = keygen(f"{keytimes} {zonename}", cwd="ns3").strip()
+ settime(
+ f"-g OMNIPRESENT -k OMNIPRESENT {TpubN} -r OMNIPRESENT {TpubN} -z RUMOURED {TpubN} -d HIDDEN {TpubN} {csk_name}",
+ cwd="ns3",
+ )
+ # Signing.
+ render_and_sign_zone(zonename, [csk_name], extra_options="-z")
+
+ # Step 4:
+ # The DS has been submitted long enough ago to become OMNIPRESENT.
+ zonename = f"step4.{zone}"
+ zones.append(Zone(zonename, f"{zonename}.db", Nameserver("ns3", "10.53.0.3")))
+ isctest.log.info(f"setup {zonename}")
+ # DS TTL: 2 hour (7200 seconds)
+ # parent-propagation-delay: 1 hour (3600 seconds)
+ # Total aditional time: 10800 seconds
+ # 43500 + 10800 = 54300
+ TpubN = "now-54300s"
+ TsbmN = "now-10800s"
+ keytimes = f"-P {TpubN} -A {TpubN} -P sync {TsbmN}"
+ # Key generation.
+ csk_name = keygen(f"{keytimes} {zonename}", cwd="ns3").strip()
+ settime(
+ f"-g OMNIPRESENT -k OMNIPRESENT {TpubN} -r OMNIPRESENT {TpubN} -z OMNIPRESENT {TsbmN} -d RUMOURED {TpubN} -P ds {TsbmN} {csk_name}",
+ cwd="ns3",
+ )
+ # Signing.
+ render_and_sign_zone(zonename, [csk_name], extra_options="-z")
+
+ return zones
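Review bot: In `configure_enable_dnssec` the keygen/settime/render sequence is written out three times for steps 2–4 with only the timing strings and key states varying, and `Nameserver("ns3", "10.53.0.3")` is repeated in all four `zones.append(...)` calls; folding the per-step work into a small local helper and hoisting the nameserver makes the timing comments the only thing that differs between steps, so a future step cannot drift from the others by a forgotten flag. The step-4 comment `# Total aditional time: 10800 seconds` carries a typo (`additional`) over from the deleted setup.sh. One behavioural difference from that script is worth a comment: it signed with `-e now+30d` while `render_and_sign_zone` uses `-e now+2w`, which still covers the largest backdating here (54300s) but should be stated next to the `TpubN` values so a later step with a larger offset does not land outside the signature window.
```python
def configure_enable_dnssec(tld: str, policy: str) -> List[Zone]:
    """Set up the step1..step4 zones of enable-dnssec.<tld> on ns3; step1 is unsigned."""
    zones = []
    zone = f"enable-dnssec.{tld}"
    ns3 = Nameserver("ns3", "10.53.0.3")
    keygen = CmdHelper("KEYGEN", f"-k {policy} -l kasp.conf")
    settime = CmdHelper("SETTIME", "-s")

    def signed_step(step: str, keytimes: str, states: str) -> None:
        # One already-signed step: generate the CSK with the given timing,
        # force its key states, then render and sign the zone file.
        # NOTE: render_and_sign_zone signs with -e now+2w; keep offsets below that.
        zonename = f"{step}.{zone}"
        zones.append(Zone(zonename, f"{zonename}.db", ns3))
        isctest.log.info(f"setup {zonename}")
        csk_name = keygen(f"{keytimes} {zonename}", cwd="ns3").strip()
        settime(f"-g OMNIPRESENT {states} {csk_name}", cwd="ns3")
        render_and_sign_zone(zonename, [csk_name], extra_options="-z")

    # … unchanged: step 1 (unsigned zone, signing=False) …
    # Step 2: DNSKEY TTL + zone-propagation-delay + publish-safety = 900s.
    TpubN = "now-900s"
    signed_step(
        "step2",
        f"-P {TpubN} -A {TpubN}",
        f"-k RUMOURED {TpubN} -r RUMOURED {TpubN} -z RUMOURED {TpubN} -d HIDDEN {TpubN}",
    )
    # … steps 3 and 4 likewise, each keeping its timing comments …
```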