Speed up the test from 20 minutes to 2.5 minutes and make it part of the
default test suite executed in CI.
- decrease number of records to sign from 2000 to 500
- decrease the signing interval by a factor of 6
- shorten the final part of the test after last signing (since nothing
new happens there)
Finally, clarify misleading comments about (in)sufficient time for zone
re-signing. The time used in the test is in fact sufficient for the
re-signing to happen. If it wasn't, the previous ZSK would end up being
deleted while its signatures would still be present, which is a
situation where duplicate signatures can still happen.
(cherry picked from commit
cb0a2ae1dd9f36c7dfb909d06453cd2beba595ea)
#
# Common lists of system tests to run.
#
-# The "dupsigs" test is not run by default because it takes
-# a very long time to complete.
-#
# The following tests are hard-coded to use ports 5300 and 9953. For
# this reason, these must be run sequentially.
#
# rpzrecurse are scheduled first, in order to get more benefit from
# parallelism.
#
-PARALLEL_COMMON="dnssec rpzrecurse serve-stale \
+PARALLEL_COMMON="dnssec rpzrecurse serve-stale dupsigs \
acl \
additional \
addzone \
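Review bot: The comment above `PARALLEL_COMMON` still names only rpzrecurse as being scheduled first, although this line now places `dupsigs` in the leading group as well. The removed comment was the only place that mentioned this test's run time, so I would record the reason for the placement, e.g. `# dnssec, rpzrecurse, serve-stale and dupsigs are scheduled first, in order to get more benefit from parallelism.` Whether all four are comparably long-running is not visible here, so adjust the wording to match. The list continues past the end of this hunk.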
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
+rm -f dig.out*
rm -f ns1/named.conf
rm -f ns1/named.lock
rm -f ns1/named.memstats
key-directory "keys/signing.test";
inline-signing yes;
auto-dnssec maintain;
- sig-validity-interval 120 30;
+ sig-validity-interval 20 5;
};
$SETTIME -P $BASET -A $BASET $KEYDIR/$ZSK0
# schedule the first roll
-R1=`expr $BASE + 300`
+R1=`expr $BASE + 50`
R1T=`timetodnssec $R1`
$SETTIME -I $R1T $KEYDIR/$ZSK0
$SETTIME -P $BASET -A $R1T $KEYDIR/$ZSK1
# schedule the second roll (which includes the delete of the first key)
-R2=`expr $R1 + 300`
+R2=`expr $R1 + 50`
R2T=`timetodnssec $R2`
DT=$R2
DTT=`timetodnssec $DT`
$SETTIME -P $R1T -A $R2T $KEYDIR/$ZSK2
# schedule the third roll
-# this isn't long enough for the signing to complete
-R3=`expr $R2 + 60`
+R3=`expr $R2 + 25`
R3T=`timetodnssec $R3`
$SETTIME -D $R3T $KEYDIR/$ZSK1
exit
# schedule the fourth roll
-# this isn't long enough for the signing to complete
-R4=`expr $R3 + 30`
+# this isn't long enough for the signing to complete and would result in
+# duplicate signatures, see
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/231#note_9597
+R4=`expr $R3 + 10`
R4T=`timetodnssec $R4`
$SETTIME -D $R4T $KEYDIR/$ZSK2
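Review bot: The third roll (`$R2 + 25`) loses its old comment without gaining one that says why 25 is enough, and that margin is the premise of the whole test. The commit message argues that ZSK1 must not be deleted before its signatures have been replaced, so I would put that next to the number, for example `# must exceed sig-validity-interval (20) so all ZSK1 signatures are replaced before ZSK1 is deleted`. This assumes the interval in named.conf is interpreted in the same units as these offsets, which the hunk does not show. Separately, the fourth-roll block sits after an unconditional `exit`, so the expanded comment describes code that never runs; if that is intended, add `# not reached: kept for reference only` above it. The script begins before this hunk.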
ns A 127.0.0.1
ns AAAA ::1
-$GENERATE 0-1999 a${0,4,d} AAAA ::$
+$GENERATE 0-499 a${0,4,d} AAAA ::$
status=0
start=`date +%s`
-end=`expr $start + 1200`
-now=$start
+end=`expr $start + 150`
+sleep 10 # wait for a bit for the initial signing
+now=`expr $start + 10`
while test $now -lt $end
do
et=`expr $now - $start`
$DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et
awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c
lines=`awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l`
- if [ ${et} -ne 0 -a ${lines} -ne 4009 ]
+ if [ ${et} -ne 0 -a ${lines} -ne 1009 ]
then
echo_i "failed"
status=`expr $status + 1`
fi
- sleep 20
+ sleep 5
now=`date +%s`
done
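Review bot: The `${et} -ne 0` half of the condition can no longer be false, because `now` starts at `$start + 10`, so the very first transfer is already held to the exact count of 1009. The fixed `sleep 10` is then the only allowance for initial signing, and on a loaded CI runner (the test now runs in the parallel set) a slow first signing would be reported as a duplicate-signature failure, which tends to get a DNSSEC regression test ignored. I would drop the dead guard, take `now` from `date +%s` after the sleep rather than `expr $start + 10` so that `et` reflects real elapsed time, and document the constant, e.g. `# 1009 = 2 RRSIGs per generated name (500) + 9 for the rest of the zone`. That breakdown is inferred from the 2000 → 4009 and 500 → 1009 pairs and should be confirmed. The test script continues outside this hunk.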