Remove dupsigs system test
authorMatthijs Mekking <matthijs@isc.org>
Tue, 27 Jun 2023 14:25:30 +0000 (16:25 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 20 Jul 2023 09:04:23 +0000 (11:04 +0200)
This test used key timing metadata to drive rollovers, which is no longer
applicable with 'dnssec-policy'. Note that with 'dnssec-policy' the key
timing metadata is still written, but it is no longer used to determine
which key rollovers to perform or when to perform them.

12 files changed:
bin/tests/system/Makefile.am
bin/tests/system/conf.sh.common
bin/tests/system/conftest.py
bin/tests/system/dupsigs/check_journal.pl [deleted file]
bin/tests/system/dupsigs/clean.sh [deleted file]
bin/tests/system/dupsigs/ns1/named.args [deleted file]
bin/tests/system/dupsigs/ns1/named.conf.in [deleted file]
bin/tests/system/dupsigs/ns1/reset_keys.sh [deleted file]
bin/tests/system/dupsigs/ns1/signing.test.db.in [deleted file]
bin/tests/system/dupsigs/setup.sh [deleted file]
bin/tests/system/dupsigs/tests.sh [deleted file]
bin/tests/system/dupsigs/tests_sh_dupsigs.py [deleted file]

index 245d02240c5be0173e7f24f798b952628915e383..ac4e3e0b6b3ba8e9188c90ed22512af365373695 100644 (file)
@@ -104,7 +104,6 @@ TESTS +=                    \
        dlzexternal             \
        dns64                   \
        dsdigest                \
-       dupsigs                 \
        dyndb                   \
        ecdsa                   \
        eddsa                   \
index 696f6c24541aabafd14bc720e553e97d802dbebf..83cf726aa3f7e8104be711e7a5e71826eb913f1a 100644 (file)
@@ -42,7 +42,6 @@ export LANG=C
 PARALLEL_COMMON="
 rpzrecurse
 serve-stale
-dupsigs
 acl
 additional
 addzone
index 31ad1174e910b4f18628488ca4bf6aa6524da59e..f8c7e9c9e57249778ab1246c96d2aae7ded99865 100644 (file)
@@ -96,7 +96,6 @@ else:
     PORTS_PER_TEST = 20
     PRIORITY_TESTS = [
         # Tests that are scheduled first. Speeds up parallel execution.
-        "dupsigs/",
         "rpz/",
         "rpzrecurse/",
         "serve-stale/",
diff --git a/bin/tests/system/dupsigs/check_journal.pl b/bin/tests/system/dupsigs/check_journal.pl
deleted file mode 100644 (file)
index 0747432..0000000
+++ /dev/null
@@ -1,206 +0,0 @@
-#!/usr/bin/env perl
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-use strict;
-use warnings;
-
-sub process_changeset;
-
-my @changeset;
-
-while( my $line = <> ) {
-    chomp $line;
-
-    if( $line =~ /^(?<op>add|del) (?<label>\S+)\s+(?<ttl>\d+)\s+IN\s+(?<rrtype>\S+)\s+(?<rdata>.*)/ ) {
-        my $change = {
-            op     => $+{op},
-            label  => $+{label},
-            ttl    => $+{ttl},
-            rrtype => $+{rrtype},
-            rdata  => $+{rdata},
-        };
-
-        if( $change->{op} eq 'del' and $change->{rrtype} eq 'SOA' ) {
-            if( @changeset ) {
-                process_changeset( @changeset );
-                @changeset = ();
-            }
-        }
-
-        push @changeset, $change;
-    }
-    else {
-        die "error parsing journal data";
-    }
-}
-
-if( @changeset ) {
-    process_changeset( @changeset );
-}
-
-{
-    my %rrsig_db;
-    my %keys;
-    my $apex;
-
-    sub process_changeset {
-        my @changeset = @_;
-
-        if( not $apex ) {
-            # the first record of the first changeset is guaranteed to be the apex
-            $apex = $changeset[0]{label};
-        }
-
-        my $newserial;
-        my %touched_rrsigs;
-        my %touched_keys;
-
-        foreach my $change( @changeset ) {
-            if( $change->{rrtype} eq 'SOA' ) {
-                if( $change->{op} eq 'add' ) {
-                    if( $change->{rdata} !~ /^\S+ \S+ (?<serial>\d+)/ ) {
-                        die "unable to parse SOA";
-                    }
-
-                    $newserial = $+{serial};
-                }
-            }
-            elsif( $change->{rrtype} eq 'NSEC' ) {
-                ; # do nothing
-            }
-            elsif( $change->{rrtype} eq 'DNSKEY' ) {
-                ; # ignore for now
-            }
-            elsif( $change->{rrtype} eq 'TYPE65534' and $change->{label} eq $apex ) {
-                # key status
-                if( $change->{rdata} !~ /^\\# (?<datasize>\d+) (?<data>[0-9A-F]+)$/ ) {
-                    die "unable to parse key status record";
-                }
-
-                my $datasize = $+{datasize};
-                my $data = $+{data};
-
-                if( $datasize == 5 ) {
-                    my( $alg, $id, $flag_del, $flag_done ) = unpack 'CnCC', pack( 'H10', $data );
-
-                    if( $change->{op} eq 'add' ) {
-                        if( not exists $keys{$id} ) {
-                            $touched_keys{$id} //= 1;
-
-                            $keys{$id} = {
-                                $data        => 1,
-                                rrs          => 1,
-                                done_signing => $flag_done,
-                                deleting     => $flag_del,
-                            };
-                        }
-                        else {
-                            if( not exists $keys{$id}{$data} ) {
-                                my $keydata = $keys{$id};
-                                $touched_keys{$id} = { %$keydata };
-
-                                $keydata->{rrs}++;
-                                $keydata->{$data} = 1;
-                                $keydata->{done_signing} += $flag_done;
-                                $keydata->{deleting} += $flag_del;
-                            }
-                        }
-                    }
-                    else {
-                        # this logic relies upon the convention that there won't
-                        # ever be multiple records with the same flag set
-                        if( exists $keys{$id} ) {
-                            my $keydata = $keys{$id};
-
-                            if( exists $keydata->{$data} ) {
-                                $touched_keys{$id} = { %$keydata };
-
-                                $keydata->{rrs}--;
-                                delete $keydata->{$data};
-                                $keydata->{done_signing} -= $flag_done;
-                                $keydata->{deleting} -= $flag_del;
-
-                                if( $keydata->{rrs} == 0 ) {
-                                    delete $keys{$id};
-                                }
-                            }
-                        }
-                    }
-                }
-                else {
-                    die "unexpected key status record content";
-                }
-            }
-            elsif( $change->{rrtype} eq 'RRSIG' ) {
-                if( $change->{rdata} !~ /^(?<covers>\S+) \d+ \d+ \d+ (?<validity_end>\d+) (?<validity_start>\d+) (?<signing_key>\d+)/ ) {
-                    die "unable to parse RRSIG rdata";
-                }
-
-                $change->{covers} = $+{covers};
-                $change->{validity_end} = $+{validity_end};
-                $change->{validity_start} = $+{validity_start};
-                $change->{signing_key} = $+{signing_key};
-
-                my $db_key = $change->{label} . ':' . $change->{covers};
-
-                $rrsig_db{$db_key} //= {};
-                $touched_rrsigs{$db_key} = 1;
-
-                if( $change->{op} eq 'add' ) {
-                    $rrsig_db{$db_key}{ $change->{signing_key} } = 1;
-                }
-                else {
-                    # del
-                    delete $rrsig_db{$db_key}{ $change->{signing_key} };
-                }
-            }
-        }
-
-        foreach my $key_id( sort keys %touched_keys ) {
-            my $old_data;
-            my $new_data;
-
-            if( ref $touched_keys{$key_id} ) {
-                $old_data = $touched_keys{$key_id};
-            }
-
-            if( exists $keys{$key_id} ) {
-                $new_data = $keys{$key_id};
-            }
-
-            if( $old_data ) {
-                if( $new_data ) {
-                    print "at serial $newserial key $key_id status changed from ($old_data->{deleting},$old_data->{done_signing}) to ($new_data->{deleting},$new_data->{done_signing})\n";
-                }
-                else {
-                    print "at serial $newserial key $key_id status removed from zone\n";
-                }
-            }
-            else {
-                print "at serial $newserial key $key_id status added with flags ($new_data->{deleting},$new_data->{done_signing})\n";
-            }
-        }
-
-        foreach my $rrsig_id( sort keys %touched_rrsigs ) {
-            my $n_signing_keys = keys %{ $rrsig_db{$rrsig_id} };
-
-            if( $n_signing_keys == 0 ) {
-                print "at serial $newserial $rrsig_id went unsigned\n";
-            }
-            elsif( $n_signing_keys > 1 ) {
-                my @signing_keys = sort { $a <=> $b } keys %{ $rrsig_db{$rrsig_id} };
-                print "at serial $newserial $rrsig_id was signed too many times, keys (@signing_keys)\n";
-            }
-        }
-    }
-}
diff --git a/bin/tests/system/dupsigs/clean.sh b/bin/tests/system/dupsigs/clean.sh
deleted file mode 100644 (file)
index 2af75a0..0000000
+++ /dev/null
@@ -1,24 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-rm -f dig.out*
-rm -f ns1/named.conf
-rm -f ns1/named.lock
-rm -f ns1/named.memstats
-rm -f ns1/named.run
-rm -f ns1/signing.test.db
-rm -f ns1/signing.test.db.jbk
-rm -f ns1/signing.test.db.signed
-rm -f ns1/signing.test.db.signed.jnl
-rm -f ns1/keys/signing.test/K*
-rm -f ns1/managed-keys.bind*
diff --git a/bin/tests/system/dupsigs/ns1/named.args b/bin/tests/system/dupsigs/ns1/named.args
deleted file mode 100644 (file)
index adf6968..0000000
+++ /dev/null
@@ -1 +0,0 @@
--D dupsigs-ns1 -X named.lock -m record -c named.conf -d 99 -g -U 4 -T maxcachesize=2097152 -T sigvalinsecs
diff --git a/bin/tests/system/dupsigs/ns1/named.conf.in b/bin/tests/system/dupsigs/ns1/named.conf.in
deleted file mode 100644 (file)
index d35eb79..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0.  If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
-       recursion no;
-       max-journal-size unlimited;
-       port @PORT@;
-       listen-on { 10.53.0.1; };
-       listen-on-v6 { none; };
-       pid-file "named.pid";
-       dnssec-validation no;
-};
-
-zone "signing.test" {
-       type primary;
-       masterfile-format text;
-       allow-update { any; };
-       file "signing.test.db";
-       update-check-ksk yes;
-       key-directory "keys/signing.test";
-       inline-signing yes;
-       auto-dnssec maintain;
-       sig-validity-interval 20 5;
-};
diff --git a/bin/tests/system/dupsigs/ns1/reset_keys.sh b/bin/tests/system/dupsigs/ns1/reset_keys.sh
deleted file mode 100644 (file)
index 6f96c6a..0000000
+++ /dev/null
@@ -1,99 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-. ../../conf.sh
-
-zone=signing.test
-rm -rf keys/signing.test
-mkdir -p keys/signing.test
-
-timetodnssec() {
-    $PERL -e 'my ($S,$M,$H,$d,$m,$y,$x) = gmtime(@ARGV[0]);
-             printf("%04u%02u%02u%02u%02u%02u\n", $y+1900,$m+1,$d,$H,$M,$S);' ${1}
-}
-
-KEYDIR=keys/signing.test
-KSK=$($KEYGEN -a RSASHA256 -K $KEYDIR -q -f KSK $zone)
-
-ZSK0=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
-ZSK1=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
-ZSK2=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
-ZSK3=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
-ZSK4=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
-ZSK5=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
-ZSK6=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
-ZSK7=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
-ZSK8=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
-ZSK9=$($KEYGEN -a RSASHA256 -K $KEYDIR -q $zone)
-
-# clear all times on all keys
-for FILEN in keys/signing.test/*.key
-do
-    $SETTIME -P none -A none -R none -I none -D none $FILEN
-done
-
-BASE=$(date +%s)
-BASET=$(timetodnssec $BASE)
-
-# reset the publish and activation time on the KSK
-$SETTIME -P $BASET -A $BASET $KEYDIR/$KSK
-
-# reset the publish and activation time on the first ZSK
-$SETTIME -P $BASET -A $BASET $KEYDIR/$ZSK0
-
-# schedule the first roll
-R1=$((BASE + 50))
-R1T=$(timetodnssec $R1)
-
-$SETTIME -I $R1T $KEYDIR/$ZSK0
-$SETTIME -P $BASET -A $R1T $KEYDIR/$ZSK1
-
-# schedule the second roll (which includes the delete of the first key)
-R2=$((R1 + 50))
-R2T=$(timetodnssec $R2)
-DT=$R2
-DTT=$(timetodnssec $DT)
-
-$SETTIME -D $DTT $KEYDIR/$ZSK0
-$SETTIME -I $R2T $KEYDIR/$ZSK1
-$SETTIME -P $R1T -A $R2T $KEYDIR/$ZSK2
-
-# schedule the third roll
-R3=$((R2 + 25))
-R3T=$(timetodnssec $R3)
-
-$SETTIME -D $R3T $KEYDIR/$ZSK1
-$SETTIME -I $R3T $KEYDIR/$ZSK2
-$SETTIME -P $R2T -A $R3T $KEYDIR/$ZSK3
-
-$SETTIME -P $R3T $KEYDIR/$ZSK4
-
-echo KSK=$KSK
-echo ZSK0=$ZSK0
-echo ZSK1=$ZSK1
-echo ZSK2=$ZSK2
-echo ZSK3=$ZSK3
-echo ZSK4=$ZSK4
-
-exit
-
-# schedule the fourth roll
-# this isn't long enough for the signing to complete and would result in
-# duplicate signatures, see
-# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/231#note_9597
-R4=$((R3 + 10))
-R4T=$(timetodnssec $R4)
-
-$SETTIME -D $R4T $KEYDIR/$ZSK2
-$SETTIME -I $R4T $KEYDIR/$ZSK3
-$SETTIME -P $R3T -A $R4T $KEYDIR/$ZSK4
diff --git a/bin/tests/system/dupsigs/ns1/signing.test.db.in b/bin/tests/system/dupsigs/ns1/signing.test.db.in
deleted file mode 100644 (file)
index b522b6f..0000000
+++ /dev/null
@@ -1,18 +0,0 @@
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0.  If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 3600
-@ IN SOA  ns root.ns 1996072700 3600 1800 86400 60
-@    NS   ns
-ns   A    127.0.0.1
-ns   AAAA ::1
-
-$GENERATE 0-499 a${0,4,d} AAAA ::$
diff --git a/bin/tests/system/dupsigs/setup.sh b/bin/tests/system/dupsigs/setup.sh
deleted file mode 100644 (file)
index 4ac8a8d..0000000
+++ /dev/null
@@ -1,23 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-. ../conf.sh
-
-$SHELL clean.sh
-
-test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
-
-copy_setports ns1/named.conf.in ns1/named.conf
-
-cp -f ns1/signing.test.db.in ns1/signing.test.db
-(cd ns1; $SHELL ./reset_keys.sh)
diff --git a/bin/tests/system/dupsigs/tests.sh b/bin/tests/system/dupsigs/tests.sh
deleted file mode 100644 (file)
index 4ab3a73..0000000
+++ /dev/null
@@ -1,71 +0,0 @@
-#!/bin/sh
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-set -e
-
-. ../conf.sh
-
-status=0
-
-# Wait for the zone to be fully signed before beginning test
-#
-# We expect the zone to have the following:
-#
-# - 5 signatures for signing.test.
-# - 3 signatures for ns.signing.test.
-# - 2 x 500 signatures for a{0000-0499}.signing.test.
-#
-# for a total of 1008.
-fully_signed () {
-        $DIG axfr signing.test -p ${PORT} @10.53.0.1 > "dig.out.ns1.axfr"
-        awk 'BEGIN { lines = 0 }
-             $4 == "RRSIG" {lines++}
-             END { if (lines != 1008) exit(1) }' < "dig.out.ns1.axfr"
-}
-
-# Wait for the last NSEC record in the zone to be signed. This is a lightweight
-# alternative to avoid many AXFR requests while waiting for the zone to be
-# fully signed.
-_wait_for_last_nsec_signed() {
-        $DIG +dnssec a0499.signing.test -p ${PORT} @10.53.0.1 nsec > "dig.out.ns1.wait" || return 1
-        grep "signing.test\..*IN.*RRSIG.*signing.test" "dig.out.ns1.wait" > /dev/null || return 1
-        return 0
-}
-
-echo_i "wait for the zone to be fully signed"
-retry_quiet 60 _wait_for_last_nsec_signed
-retry_quiet 10 fully_signed || status=1
-if [ $status != 0 ]; then echo_i "failed"; fi
-
-start=$(date +%s)
-now=$start
-end=$((start + 140))
-
-while [ $now -lt $end ] && [ $status -eq 0 ]; do
-        et=$((now - start))
-       echo_i "............... $et ............"
-       $JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl | cat_i
-       $DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et
-       awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c | cat_i
-       lines=$(awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l)
-       if [ ${et} -ne 0 -a ${lines} -ne 1008 ]
-       then
-               echo_i "failed"
-                status=$((status + 1))
-       fi
-       sleep 5
-       now=$(date +%s)
-done
-
-echo_i "exit status: $status"
-[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/dupsigs/tests_sh_dupsigs.py b/bin/tests/system/dupsigs/tests_sh_dupsigs.py
deleted file mode 100644 (file)
index 1e065db..0000000
+++ /dev/null
@@ -1,14 +0,0 @@
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0.  If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-
-def test_dupsigs(run_tests_sh):
-    run_tests_sh()