From: Ondřej Surý Date: Wed, 20 Nov 2019 19:43:35 +0000 (+0800) Subject: Tune the performance of oldsigs test X-Git-Tag: v9.15.7~68^2~2 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=519b0473621310c5a2f19208f3dcc378f705aee1;p=thirdparty%2Fbind9.git Tune the performance of oldsigs test The oldsigs test was checking only for the validity of the A a.oldsigs.example. resource record and associated DNSSEC signature while the zone might not have been fully signed yet leading to validation failures because of bogus signatures on the validation path. This commit changes the test to test that all old signatures in the oldsigs.example. zone were replaced and the zone is fully resigned before running the main check. --- diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in index 08a209c827d..35cb0587a6d 100644 --- a/bin/tests/system/autosign/ns3/named.conf.in +++ b/bin/tests/system/autosign/ns3/named.conf.in @@ -189,6 +189,8 @@ zone "oldsigs.example" { allow-update { any; }; auto-dnssec maintain; sig-validity-interval 10 2; + sig-signing-nodes 1000; + sig-signing-signatures 100; }; zone "prepub.example" { diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index 4ab4a535c1e..27741c9e76d 100755 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh 
@@ -387,20 +387,26 @@ $RNDCCMD 10.53.0.1 sync 2>&1 | sed 's/^/ns1 /' | cat_i $RNDCCMD 10.53.0.2 sync 2>&1 | sed 's/^/ns2 /' | cat_i $RNDCCMD 10.53.0.3 sync 2>&1 | sed 's/^/ns3 /' | cat_i +now="$(TZ=UTC date +%Y%m%d%H%M%S)" +check_expiry() ( + $DIG $DIGOPTS AXFR oldsigs.example @10.53.0.3 > dig.out.test$n + nearest_expiration="$(awk '$4 == "RRSIG" { print $9 }' < dig.out.test$n | sort -n | head -1)" + if [ "$nearest_expiration" -le "$now" ]; then + echo_i "failed: $nearest_expiration <= $now" + return 1 + fi +) + echo_i "checking expired signatures were updated ($n)" -for i in 1 2 3 4 5 6 7 8 9 -do - ret=0 - $DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 - $DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 - digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 - grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 - [ $ret = 0 ] && break - sleep 1 -done +retry 10 check_expiry || ret=1 +$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.3 a > dig.out.ns3.test$n || ret=1 +$DIG $DIGOPTS +noauth a.oldsigs.example. @10.53.0.4 a > dig.out.ns4.test$n || ret=1 +digcomp dig.out.ns3.test$n dig.out.ns4.test$n || ret=1 +grep "flags:.*ad.*QUERY" dig.out.ns4.test$n > /dev/null || ret=1 n=`expr $n + 1` if [ $ret != 0 ]; then echo_i "failed"; fi status=`expr $status + $ret` + # Check jitter distribution. echo_i "checking expired signatures were jittered correctly ($n)" ret=0
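Review bot: check_expiry fails open when the AXFR output holds no RRSIG records, for example after a refused or failed transfer. `nearest_expiration` is then empty, `[ "" -le "$now" ]` exits with an error status that the `if` treats as false, and the function falls through with status 0, so `retry 10 check_expiry` succeeds without having seen a single signature. Adding `[ -n "$nearest_expiration" ] || return 1` before the comparison would make it fail closed; the exit status of the `$DIG` call is also ignored and could be checked with `|| return 1`. Separately, the removed loop set `ret=0` on each pass and the new code does not, so unless `ret` is reset above the hunk, a failure left over from an earlier check would be counted against this one; a `ret=0` before the `retry` line would restore that. The surrounding test sequence continues outside the hunk on both sides.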