bugfix: changeset merge cancelout confused by changing RRSIG TTL

this caused sometimes duplicit SOA RRSIGs on slave

bugfix: changeset merge cancelout confused by changing RRSIG TTL
this caused sometimes duplicit SOA RRSIGs on slave
b18e9188 · Libor Peltan · Daniel Salzman · e8f956e2 · b18e9188 · b18e9188
Commit b18e9188 authored Mar 19, 2019 by Libor Peltan Committed by Daniel Salzman Mar 19, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 32 additions and 27 deletions

src/knot/updates/changesets.c src/knot/updates/changesets.c +4 -2

tests-extra/tests/dnssec/key_rollovers/test.py tests-extra/tests/dnssec/key_rollovers/test.py +28 -25

No files found.
--- a/src/knot/updates/changesets.c
+++ b/src/knot/updates/changesets.c
@@ -166,14 +166,16 @@ static void check_redundancy(zone_contents_t *counterpart, const knot_rrset_t *r
 	knot_rdataset_t *rrs = node_rdataset(node, rr->type);
 	uint32_t rrs_ttl = node_rrset(node, rr->type).ttl;

-	if (fixed_rr != NULL && *fixed_rr != NULL && (*fixed_rr)->ttl == rrs_ttl) {
+	if (fixed_rr != NULL && *fixed_rr != NULL &&
+	    ((*fixed_rr)->ttl == rrs_ttl || rr->type == KNOT_RRTYPE_RRSIG)) {
 		int ret = knot_rdataset_subtract(&(*fixed_rr)->rrs, rrs, NULL);
 		if (ret != KNOT_EOK) {
 			return;
 		}
 	}

-	if (rr->ttl == rrs_ttl) {
+	// TTL of RRSIGs is better determined by original_ttl field, which is compared as part of rdata anyway
+	if (rr->ttl == rrs_ttl || rr->type == KNOT_RRTYPE_RRSIG) {
 		int ret = knot_rdataset_subtract(rrs, &rr->rrs, NULL);
 		if (ret != KNOT_EOK) {
 			return;

--- a/tests-extra/tests/dnssec/key_rollovers/test.py
+++ b/tests-extra/tests/dnssec/key_rollovers/test.py
@@ -29,7 +29,7 @@ def pregenerate_key(server, zone, alg):
                   addtopolicy=zone[0].name)

 # check zone if keys are present and used for signing
-def check_zone(server, zone, dnskeys, dnskey_rrsigs, cdnskeys, soa_rrsigs, msg):
+def check_zone(server, zone, slave, dnskeys, dnskey_rrsigs, cdnskeys, soa_rrsigs, msg):
    qdnskeys = server.dig("example.com", "DNSKEY", bufsize=4096)
    found_dnskeys = qdnskeys.count("DNSKEY")

@@ -67,6 +67,8 @@ def check_zone(server, zone, dnskeys, dnskey_rrsigs, cdnskeys, soa_rrsigs, msg):

    # Valgrind delay breaks the timing!
    if not server.valgrind:
+        t.xfr_diff(server, slave, zone)
+
        server.zone_backup(zone, flush=True)
        server.zone_verify(zone)

@@ -100,8 +102,8 @@ def wait_after_submission(t, server):
    else:
        t.sleep(4)

-def watch_alg_rollover(t, server, zone, before_keys, after_keys, desc, set_alg, set_stss, submission_cb):
-    check_zone(server, zone, before_keys, 1, 1, 1, desc + ": initial keys")
+def watch_alg_rollover(t, server, zone, slave, before_keys, after_keys, desc, set_alg, set_stss, submission_cb):
+    check_zone(server, zone, slave, before_keys, 1, 1, 1, desc + ": initial keys")

    server.dnssec(zone).single_type_signing = set_stss
    server.dnssec(zone).alg = set_alg
@@ -109,10 +111,10 @@ def watch_alg_rollover(t, server, zone, before_keys, after_keys, desc, set_alg,
    server.reload()

    wait_for_rrsig_count(t, server, "SOA", 2, 20)
-    check_zone(server, zone, before_keys, 1 if after_keys > 1 else 2, 1, 2, desc + ": pre active")
+    check_zone(server, zone, slave, before_keys, 1 if after_keys > 1 else 2, 1, 2, desc + ": pre active")

    wait_for_count(t, server, "DNSKEY", before_keys + after_keys, 20)
-    check_zone(server, zone, before_keys + after_keys, 2, 1, 2, desc + ": both algorithms active")
+    check_zone(server, zone, slave, before_keys + after_keys, 2, 1, 2, desc + ": both algorithms active")

    # wait for any change in CDS records
    CDS1 = str(server.dig(ZONE, "CDS").resp.answer[0].to_rdataset())
@@ -121,20 +123,20 @@ def watch_alg_rollover(t, server, zone, before_keys, after_keys, desc, set_alg,
      t.sleep(1)

    cdnskeys = 2 if DOUBLE_DS else 1
-    check_zone(server, zone, before_keys + after_keys, 2, cdnskeys, 2, desc + ": new KSK ready")
+    check_zone(server, zone, slave, before_keys + after_keys, 2, cdnskeys, 2, desc + ": new KSK ready")

    submission_cb()
    wait_after_submission(t, server)
-    check_zone(server, zone, before_keys + after_keys, 2, 1, 2, desc + ": both still active")
+    check_zone(server, zone, slave, before_keys + after_keys, 2, 1, 2, desc + ": both still active")

    wait_for_count(t, server, "DNSKEY", after_keys, 20)
-    check_zone(server, zone, after_keys, 1 if before_keys > 1 else 2, 1, 2, desc + ": post active")
+    check_zone(server, zone, slave, after_keys, 1 if before_keys > 1 else 2, 1, 2, desc + ": post active")

    wait_for_rrsig_count(t, server, "SOA", 1, 20)
-    check_zone(server, zone, after_keys, 1, 1, 1, desc + ": old alg removed")
+    check_zone(server, zone, slave, after_keys, 1, 1, 1, desc + ": old alg removed")

-def watch_ksk_rollover(t, server, zone, before_keys, after_keys, total_keys, desc, set_stss, set_ksk_lifetime, submission_cb):
-    check_zone(server, zone, before_keys, 1, 1, 1, desc + ": initial keys")
+def watch_ksk_rollover(t, server, zone, slave, before_keys, after_keys, total_keys, desc, set_stss, set_ksk_lifetime, submission_cb):
+    check_zone(server, zone, slave, before_keys, 1, 1, 1, desc + ": initial keys")
    orig_ksk_lifetime = server.dnssec(zone).ksk_lifetime

    server.dnssec(zone).single_type_signing = set_stss
@@ -145,11 +147,11 @@ def watch_ksk_rollover(t, server, zone, before_keys, after_keys, total_keys, des
    wait_for_count(t, server, "DNSKEY", total_keys, 20)

    t.sleep(3)
-    check_zone(server, zone, total_keys, 1, 1, 1, desc + ": published new")
+    check_zone(server, zone, slave, total_keys, 1, 1, 1, desc + ": published new")

    wait_for_rrsig_count(t, server, "DNSKEY", 2, 20)
    cdnskeys = 2 if DOUBLE_DS else 1
-    check_zone(server, zone, total_keys, 2, cdnskeys, 1 if before_keys > 1 and after_keys > 1 else 2, desc + ": new KSK ready")
+    check_zone(server, zone, slave, total_keys, 2, cdnskeys, 1 if before_keys > 1 and after_keys > 1 else 2, desc + ": new KSK ready")

    server.dnssec(zone).ksk_lifetime = orig_ksk_lifetime
    server.gen_confile()
@@ -159,16 +161,16 @@ def watch_ksk_rollover(t, server, zone, before_keys, after_keys, total_keys, des
    submission_cb()
    wait_after_submission(t, server)
    if before_keys < 2 or after_keys > 1:
-        check_zone(server, zone, total_keys, 2, 1, 1 if before_keys > 1 else 2, desc + ": both still active")
+        check_zone(server, zone, slave, total_keys, 2, 1, 1 if before_keys > 1 else 2, desc + ": both still active")
    # else skip the test as we have no control on KSK and ZSK retiring asynchronously

    wait_for_rrsig_count(t, server, "DNSKEY", 1, 20)
    if before_keys < 2 or after_keys > 1:
-        check_zone(server, zone, total_keys, 1, 1, 1, desc + ": old key retired")
+        check_zone(server, zone, slave, total_keys, 1, 1, 1, desc + ": old key retired")
    # else skip the test as we have no control on KSK and ZSK retiring asynchronously

    wait_for_count(t, server, "DNSKEY", after_keys, 20)
-    check_zone(server, zone, after_keys, 1, 1, 1, desc + ": old key removed")
+    check_zone(server, zone, slave, after_keys, 1, 1, 1, desc + ": old key removed")

 t = Test()

@@ -179,8 +181,9 @@ t.link(parent_zone, parent)
 parent.dnssec(parent_zone).enable = True

 child = t.server("knot")
+slave = t.server("knot")
 child_zone = t.zone("example.com.", storage=".")
-t.link(child_zone, child)
+t.link(child_zone, child, slave, ixfr=True)

 def cds_submission():
    cds = child.dig(ZONE, "CDS")
@@ -221,27 +224,27 @@ cds_submission()
 t.sleep(5)

 pregenerate_key(child, child_zone, "ECDSAP256SHA256")
-watch_alg_rollover(t, child, child_zone, 2, 1, "KZSK to CSK alg", "ECDSAP256SHA256", True, cds_submission)
+watch_alg_rollover(t, child, child_zone, slave, 2, 1, "KZSK to CSK alg", "ECDSAP256SHA256", True, cds_submission)

 pregenerate_key(child, child_zone, "ECDSAP256SHA256")
-watch_ksk_rollover(t, child, child_zone, 1, 1, 2, "CSK rollover", True, 27, cds_submission)
+watch_ksk_rollover(t, child, child_zone, slave, 1, 1, 2, "CSK rollover", True, 27, cds_submission)

 pregenerate_key(child, child_zone, "ECDSAP256SHA256")
-watch_ksk_rollover(t, child, child_zone, 1, 2, 3, "CSK to KZSK", False, 0, cds_submission)
+watch_ksk_rollover(t, child, child_zone, slave, 1, 2, 3, "CSK to KZSK", False, 0, cds_submission)

 pregenerate_key(child, child_zone, "ECDSAP256SHA256")
-watch_ksk_rollover(t, child, child_zone, 2, 2, 3, "KSK rollover", False, 27, cds_submission)
+watch_ksk_rollover(t, child, child_zone, slave, 2, 2, 3, "KSK rollover", False, 27, cds_submission)

 pregenerate_key(child, child_zone, "ECDSAP256SHA256")
-watch_ksk_rollover(t, child, child_zone, 2, 1, 3, "KZSK to CSK", True, 0, cds_submission)
+watch_ksk_rollover(t, child, child_zone, slave, 2, 1, 3, "KZSK to CSK", True, 0, cds_submission)

 pregenerate_key(child, child_zone, "ECDSAP384SHA384")
-watch_alg_rollover(t, child, child_zone, 1, 1, "CSK to CSK alg", "ECDSAP384SHA384", True, cds_submission)
+watch_alg_rollover(t, child, child_zone, slave, 1, 1, "CSK to CSK alg", "ECDSAP384SHA384", True, cds_submission)

 pregenerate_key(child, child_zone, "ECDSAP256SHA256")
-watch_alg_rollover(t, child, child_zone, 1, 2, "CSK to KZSK alg", "ECDSAP256SHA256", False, cds_submission)
+watch_alg_rollover(t, child, child_zone, slave, 1, 2, "CSK to KZSK alg", "ECDSAP256SHA256", False, cds_submission)

 pregenerate_key(child, child_zone, "ECDSAP384SHA384")
-watch_alg_rollover(t, child, child_zone, 2, 2, "KZSK alg", "ECDSAP384SHA384", False, cds_submission)
+watch_alg_rollover(t, child, child_zone, slave, 2, 2, "KZSK alg", "ECDSAP384SHA384", False, cds_submission)

 t.end()