Correctly source conf.sh in dupsigs test scripts (fix issue introduced
by
093af1c00ac25e4f132fe2442a24e1264aadb28d).
Update dupsigs test for dnssec-dnskey-kskonly default. Since v9.17.20,
the dnssec-dnskey-kskonly is set to yes. Update the test to not expect
the additional RRSIG with ZSK for DNSKEY.
Speed up the test from 20 minutes to 2.5 minutes and make it part of the
default test suite executed in CI.
- decrease number of records to sign from 2000 to 500
- decrease the signing interval by a factor of 6
- shorten the final part of the test after last signing (since nothing
new happens there)
Finally, clarify misleading comments about (in)sufficient time for zone
re-signing. The time used in the test is in fact sufficient for the
re-signing to happen. If it wasn't, the previous ZSK would end up being
deleted while its signatures would still be present, which is a
situation where duplicate signatures can still happen.
(cherry picked from commit
cb0a2ae1dd9f36c7dfb909d06453cd2beba595ea)
dns64 \
dscp \
dsdigest \
+ dupsigs \
dyndb \
ecdsa \
eddsa \
xferquota \
zonechecks
-# The "dupsigs" test is not run by default because it takes
-# a very long time to complete.
-# TESTS += dupsigs
-
if HAVE_LMDB
TESTS += nzd2nzf
endif # HAVE_LMDB
#
# Common lists of system tests to run.
#
-# The "dupsigs" test is not run by default because it takes
-# a very long time to complete.
-#
# The following tests are hard-coded to use ports 5300 and 9953. For
# this reason, these must be run sequentially.
#
# rpzrecurse are scheduled first, in order to get more benefit from
# parallelism.
#
-PARALLEL_COMMON="rpzrecurse serve-stale
+PARALLEL_COMMON="
+rpzrecurse
+serve-stale
+dupsigs
acl
additional
addzone
if( $n_signing_keys == 0 ) {
print "at serial $newserial $rrsig_id went unsigned\n";
}
- elsif( $rrsig_id =~ /:DNSKEY$/ ) {
- if( $n_signing_keys != 2 ) {
- print "at serial $newserial $rrsig_id was signed $n_signing_keys time(s) when it should have been signed twice\n";
- }
- }
elsif( $n_signing_keys > 1 ) {
my @signing_keys = sort { $a <=> $b } keys %{ $rrsig_db{$rrsig_id} };
print "at serial $newserial $rrsig_id was signed too many times, keys (@signing_keys)\n";
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
+rm -f dig.out*
rm -f ns1/named.conf
rm -f ns1/named.lock
rm -f ns1/named.memstats
key-directory "keys/signing.test";
inline-signing yes;
auto-dnssec maintain;
- sig-validity-interval 120 30;
+ sig-validity-interval 20 5;
};
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
-. ../conf.sh
+. ../../conf.sh
zone=signing.test
rm -rf keys/signing.test
$SETTIME -P $BASET -A $BASET $KEYDIR/$ZSK0
# schedule the first roll
-R1=`expr $BASE + 300`
+R1=`expr $BASE + 50`
R1T=`timetodnssec $R1`
$SETTIME -I $R1T $KEYDIR/$ZSK0
$SETTIME -P $BASET -A $R1T $KEYDIR/$ZSK1
# schedule the second roll (which includes the delete of the first key)
-R2=`expr $R1 + 300`
+R2=`expr $R1 + 50`
R2T=`timetodnssec $R2`
DT=$R2
DTT=`timetodnssec $DT`
$SETTIME -P $R1T -A $R2T $KEYDIR/$ZSK2
# schedule the third roll
-# this isn't long enough for the signing to complete
-R3=`expr $R2 + 60`
+R3=`expr $R2 + 25`
R3T=`timetodnssec $R3`
$SETTIME -D $R3T $KEYDIR/$ZSK1
exit
# schedule the fourth roll
-# this isn't long enough for the signing to complete
-R4=`expr $R3 + 30`
+# this isn't long enough for the signing to complete and would result in
+# duplicate signatures, see
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/231#note_9597
+R4=`expr $R3 + 10`
R4T=`timetodnssec $R4`
$SETTIME -D $R4T $KEYDIR/$ZSK2
ns A 127.0.0.1
ns AAAA ::1
-$GENERATE 0-1999 a${0,4,d} AAAA ::$
+$GENERATE 0-499 a${0,4,d} AAAA ::$
status=0
start=`date +%s`
-end=`expr $start + 1200`
-now=$start
+end=`expr $start + 150`
+sleep 10 # wait for a bit for the initial signing
+now=`expr $start + 10`
while test $now -lt $end
do
et=`expr $now - $start`
$DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et
awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c
lines=`awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l`
- if [ ${et} -ne 0 -a ${lines} -ne 4009 ]
+ if [ ${et} -ne 0 -a ${lines} -ne 1008 ]
then
echo_i "failed"
status=`expr $status + 1`
fi
- sleep 20
+ sleep 5
now=`date +%s`
done
projects / thirdparty / bind9.git / commitdiff
