Merge branch 'offline_ksk_test' into 'master'

Offline ksk test See merge request !1024

Merge branch 'offline_ksk_test' into 'master'
03b7d09a · Daniel Salzman · 2c073009 · c95f9e5c · 03b7d09a · 03b7d09a
Commit 03b7d09a authored 5 years ago by Daniel Salzman
--- a/src/knot/dnssec/zone-sign.c
+++ b/src/knot/dnssec/zone-sign.c
@@ -244,7 +244,7 @@ static int add_missing_rrsigs(const knot_rrset_t *covered,
 			// don't remove what shall be added
 			result = knot_rdataset_subtract(&to_remove.rrs, &to_add.rrs, NULL);
 		}
-		if (result == KNOT_EOK) {
+		if (result == KNOT_EOK && !knot_rrset_empty(rrsigs)) {
 			// don't add what's already present
 			result = knot_rdataset_subtract(&to_add.rrs, &rrsigs->rrs, NULL);
 		}
@@ -844,10 +844,12 @@ int knot_zone_sign_update_dnskeys(zone_update_t *update,
 	if (dnssec_ctx->policy->offline_ksk) {
 		ret = kasp_db_load_offline_records(dnssec_ctx->kasp_db, apex->owner, dnssec_ctx->now, next_resign, &add_r);
 		if (ret == KNOT_EOK) {
-			log_zone_info(dnssec_ctx->zone->dname, "DNSSEC, using offline DNSKEY RRSIG");
+			log_zone_info(dnssec_ctx->zone->dname,
+			              "DNSSEC, using offline records, DNSKEYs %hu, CDNSKEYs %hu, CDs %hu, RRSIGs %hu",
+			              add_r.dnskey.rrs.count, add_r.cdnskey.rrs.count, add_r.cds.rrs.count, add_r.rrsig.rrs.count);
 		} else {
-			log_zone_warning(dnssec_ctx->zone->dname, "DNSSEC, failed to load offline DNSKEY RRSIG (%s)",
-					 knot_strerror(ret));
+			log_zone_warning(dnssec_ctx->zone->dname, "DNSSEC, failed to load offline records (%s)",
+			                 knot_strerror(ret));
 		}
 	} else {
 		ret = knot_zone_sign_add_dnskeys(zone_keys, dnssec_ctx, &add_r);

--- a/tests-extra/tests/dnssec/offline_ksk/test.py
+++ b/tests-extra/tests/dnssec/offline_ksk/test.py
@@ -51,13 +51,12 @@ def check_zone(server, zone, dnskeys, dnskey_rrsigs, soa_rrsigs, msg):
        server.zone_verify(zone)

 def wait_for_rrsig_count(t, server, rrtype, rrsig_count, timeout):
-    rtime = 0
+    endtime = time.monotonic() + timeout - 0.5
    while True:
        qdnskeyrrsig = server.dig("example.com", rrtype, dnssec=True, bufsize=4096)
        found_rrsigs = qdnskeyrrsig.count("RRSIG")
        if found_rrsigs == rrsig_count:
            break
-        rtime = rtime + 1

        # Verify the zone instead of a dumb sleep
        if not server.valgrind:
@@ -66,11 +65,12 @@ def wait_for_rrsig_count(t, server, rrtype, rrsig_count, timeout):
        else:
            t.sleep(1)

-        if rtime > timeout:
+        if time.monotonic() > endtime:
            break

 def wait_for_dnskey_count(t, server, dnskey_count, timeout):
-    for rtime in range(1, timeout):
+    endtime = time.monotonic() + timeout - 0.5
+    while True:
        qdnskeyrrsig = server.dig("example.com", "DNSKEY", dnssec=True, bufsize=4096)
        found_dnskeys = qdnskeyrrsig.count("DNSKEY")
        if found_dnskeys == dnskey_count:
@@ -83,6 +83,9 @@ def wait_for_dnskey_count(t, server, dnskey_count, timeout):
        else:
            t.sleep(1)

+        if time.monotonic() > endtime:
+            break
+
 def writef(filename, contents):
    with open(filename, "w") as f:
        f.write(contents)
@@ -91,7 +94,7 @@ t = Test()

 knot = t.server("knot")
 ZONE = "example.com."
-FUTURE = 100
+FUTURE = 55
 TICK = 5
 STARTUP = 10

@@ -166,4 +169,44 @@ check_zone(knot, zone, 3, 1, 1, "ZSK rollover: running")
 wait_for_dnskey_count(t, knot, 2, TICK_SAFE*2)
 check_zone(knot, zone, 2, 1, 1, "ZSK rollover: done")

+# re-generate keys, re-eschange KSR and SKR and re-import it over previous
+
+STARTUP = 1
+signer.key_set(ZONE, key_ksk2, retire=tickf(3), remove=tickf(4))
+key_ksk3 = signer.key_gen(ZONE, ksk="true", created="+0", publish=tickf(1), ready=tickf(2), active=tickf(3), retire="+4h", remove="+5h")
+
+knot.dnssec(zone).zsk_lifetime = 7*TICK
+knot.gen_confile()
+
+KSR = KSR + "2"
+SKR = SKR + "2"
+Keymgr.run_check(knot.confile, ZONE, "pregenerate", "+" + str(FUTURE))
+_, out, _ = Keymgr.run_check(knot.confile, ZONE, "generate-ksr", "+0", "+" + str(FUTURE))
+writef(KSR, out)
+_, out, _ = Keymgr.run_check(signer.confile, ZONE, "sign-ksr", KSR)
+writef(SKR, out)
+Keymgr.run_check(knot.confile, ZONE, "import-skr", SKR)
+
+knot.ctl("zone-sign")
+
+check_zone(knot, zone, 2, 1, 1, "init2")
+
+wait_for_dnskey_count(t, knot, 3, STARTUP + TICK_SAFE)
+check_zone(knot, zone, 3, 1, 1, "KSK rollover2: publish")
+
+wait_for_rrsig_count(t, knot, "DNSKEY", 2, TICK_SAFE)
+check_zone(knot, zone, 3, 2, 1, "KSK rollover2: submission")
+
+wait_for_rrsig_count(t, knot, "DNSKEY", 1, TICK_SAFE)
+check_zone(knot, zone, 3, 1, 1, "KSK rollover2: retired")
+
+wait_for_dnskey_count(t, knot, 2, TICK_SAFE)
+check_zone(knot, zone, 2, 1, 1, "KSK rollover2: finished")
+
+wait_for_dnskey_count(t, knot, 3, TICK_SAFE*2)
+check_zone(knot, zone, 3, 1, 1, "ZSK rollover2: running")
+
+wait_for_dnskey_count(t, knot, 2, TICK_SAFE*2)
+check_zone(knot, zone, 2, 1, 1, "ZSK rollover2: done")
+
 t.end()