Commit c60dc0db authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

tests: dnssec: keytag conflict testcase added

parent d1f86155
-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAsDQulN1onk4XnGGF
LhWmRudSBpBty4XbOyFBikeE9N3S1MMqzszuMbOeiXXdVwIcPgmDl5N1t3ClBJJg
SH++JQIDAQABAkAVegbDdkkuIm6WTPyipVjjA4bn7eq0B9i02FTYuebmwX7xg9rr
jcMRXEaA6yGqP62mvVWBNx91yaUvRji3RNqBAiEAxrljK01EgXdgE49l9SdV78Mf
A2e6con84vgbMb9B7S0CIQDi/Sj9WH1Q8DAqibaaM3mrUCHfOVBWeS2rdRbo4UJf
2QIhAI6PmkQLN1UFdYgyvDsF0BGj0dDYjhnzQdb1lFS41yu1AiEAtC0JvVfhWT7e
rNVVeb9EY8Sermb7KzjTFJdD0SUFH7kCIGvczpFwGty6p3MPatS2vc7A8Z8gvAe3
tE5uJQObc+Z+
-----END PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEAomNuj0gH5HYjdC0r
7i0mxtBp5rr9dzPPSUwS72ZCFPsq3b8sdfAh2cZsvGQgkYCPPZV0Zx+kUP3WyGFy
9xqiCQIDAQABAkA6KMKALpwlBurLwSHqu+EXc616JZ6CAtxKtCRT+ZvRR1GWcEJ6
O8TeIU4YjWK7N8CQcgmeCX5bKbAW/DxUdksBAiEAy3xujDpOidIhBbYwq/E6a3/Q
EnQ/FGfq6cw3hWI/4k0CIQDMS9ShKl/QouORUlW1zCKWIK/7sAHuncYx6E9pH7uE
rQIgRzrGg8XBSlNJBfPRs86ccZbrIhqZHi6GN9MpuEI9NJ0CIQCgNjuqpDN9x7AV
L+99YXgiKcI46/+n5F0gmGFmPHdvBQIgEQcjUUtC1+qDOlulSjvheIi/Al5c9SRs
AXhDSTXtN3A=
-----END PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAybrKa545nAsfsu9m
RYuyTg0WmUquP2MIwHCCRFHBTX7x9oxuj78yXtCZghZjm+GSl698kMBwm0V/2JbG
pApgDwIDAQABAkB1bfzDZNnYUkljmiSIu2dSNCBBn82LLJU9oMDUEFtcRk7gdyS2
taDBh6eCZVUsGErDg4kCHIQdrFjD0MuouXIBAiEA6NqaRS0mkuHiO2J+4XTCRzMV
w3Bu+K88BfqFIkDQKoECIQDdyCx66rvJ8YApy7Tt86hM/chNjFg+j4ZknxM3RF2i
jwIgFmJNSjEY8C2+ra6+O7YZpvaGNQ9t24Ic5wY6HhzU5gECIQDRcLIguf/xa3E/
BzKr7Agp/Rfls/25xsyBxX/eF1/dnQIhAI+z7XQNd/cZUD1TwdziKBuWBDcYp/qH
DmKe/7Xh+MZJ
-----END PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAu9eosHX/Ag8J0r71
lT9tzQeWbEZRAOZY8w+zC4hqTvtAZeE9SsB+ppoNM8bvdaxLVQNIIKKqOxsteOZY
xMFicQIDAQABAkEAtXq84oeNsRqAXhjaQbB/T8gV31PsLNdfdq1jSTAprVVOmHSk
CfKq30FOdIXnlLum2kypxejpdHGocI1rqZLzBQIhAOoPNuh/k3NeEau2VZt9dENN
JL4ByVpMG2gMjiucHl57AiEAzXNc16CmvEfQ/i3JhEhbb1I8o7QGsOk9v8MP/DEz
pQMCIF8EcCjwaX6DKK9JpPUrd8A+l/TeqswSa2nQ9wIzLYzzAiEAzBl4+DV+rrjh
pEE0WpfPTe3yk+Z6ZzGuyFwt+ymd1qUCIBzE561e4uE5tyPB46ybM/029/GFa89z
0D1ZBKVF7AWi
-----END PRIVATE KEY-----
{
"policy": "manual",
"keys": [
{
"id": "7a3500c7feac3fd99f09a208a83b97f7455fa3e0",
"keytag": 58041,
"algorithm": 7,
"public_key": "AwEAAbvXqLB1/wIPCdK+9ZU/bc0HlmxGUQDmWPMPswuIak77QGXhPUrAfqaaDTPG73WsS1UDSCCiqjsbLXjmWMTBYnE=",
"ksk": true,
"publish": "1970-01-01T00:00:01+0000",
"active": "1970-01-01T00:00:01+0000"
},
{
"id": "712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2",
"keytag": 55574,
"algorithm": 7,
"public_key": "AwEAAcm6ymueOZwLH7LvZkWLsk4NFplKrj9jCMBwgkRRwU1+8faMbo+/Ml7QmYIWY5vhkpevfJDAcJtFf9iWxqQKYA8=",
"ksk": false,
"publish": "2040-01-01T00:00:00+0000",
"active": "2040-01-01T00:00:00+0000"
},
{
"id": "301d3fc5392e83ea02312dc5bdc1a9f0b7937ddf",
"keytag": 950,
"algorithm": 7,
"public_key": "AwEAAbA0LpTdaJ5OF5xhhS4VpkbnUgaQbcuF2zshQYpHhPTd0tTDKs7M7jGznol13VcCHD4Jg5eTdbdwpQSSYEh/viU=",
"ksk": false,
"publish": "2009-12-31T23:00:00+0000",
"active": "2009-12-31T23:00:00+0000"
},
{
"id": "6abddc73bcb46c4e6078cf764290ac315fff03f0",
"keytag": 950,
"algorithm": 7,
"public_key": "AwEAAaJjbo9IB+R2I3QtK+4tJsbQaea6/Xczz0lMEu9mQhT7Kt2/LHXwIdnGbLxkIJGAjz2VdGcfpFD91shhcvcaogk=",
"ksk": false,
"publish": "2009-12-31T23:00:00+0000",
"active": "2009-12-31T23:00:00+0000"
}
]
}
#!/usr/bin/env python3
"""
Check if keytag conflict is correctly handled by Knot.
"""
import collections
import os
import shutil
import datetime
import subprocess
from dnstest.utils import *
from dnstest.keys import Keymgr
from dnstest.test import Test
def key_set(server, zone, key_id, **new_values):
cmd = ["zone", "key", "set", zone, key_id]
for option, value in new_values.items():
cmd += [option, value]
Keymgr.run_check(server.keydir, *cmd)
# check zone if keys are present and used for signing
def check_zone4(server, min_dnskeys, min_rrsigs, msg):
dnskeys = server.dig("example.com", "DNSKEY")
found_dnskeys = dnskeys.count("DNSKEY")
soa = server.dig("mail.example.com", "A", dnssec=True)
found_rrsigs = soa.count("RRSIG")
check_log("RRSIGs: %d (expected min %d)" % (found_rrsigs, min_rrsigs));
check_log("DNSKEYs: %d (expected min %d)" % (found_dnskeys, min_dnskeys));
if found_rrsigs < min_rrsigs:
set_err("BAD RRSIG COUNT: " + msg)
detail_log("!RRSIGs not published and activated as expected: " + msg)
if found_dnskeys < min_dnskeys:
set_err("BAD DNSKEY COUNT: " + msg)
detail_log("!DNSKEYs not published and activated as expected: " + msg)
detail_log(SEP)
t = Test()
knot = t.server("knot")
zone = t.zone("example.com.")
t.link(zone, knot)
knot.dnssec(zone).enable = True
knot.dnssec(zone).manual = True
knot.dnssec(zone).rrsig_lifetime = 5
knot.dnssec(zone).rrsig_refresh = 2
knot.zonefile_sync = "0"
# install keys (one always enabled, one for testing)
shutil.copytree(os.path.join(t.data_dir, "keys"), knot.keydir)
# parameters
ZONE = "example.com"
KSK = "7a3500c7feac3fd99f09a208a83b97f7455fa3e0"
ZSK1 = "712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2"
ZSK2 = "301d3fc5392e83ea02312dc5bdc1a9f0b7937ddf"
ZSK3 = "6abddc73bcb46c4e6078cf764290ac315fff03f0"
key_set(knot, ZONE, KSK, publish="-2y", active="-1y", retire="+1y", remove="+2y")
key_set(knot, ZONE, ZSK1, publish="-20", active="-10", retire="+15", remove="+20")
key_set(knot, ZONE, ZSK2, publish="+8", active="+14", retire="+31", remove="+36")
key_set(knot, ZONE, ZSK3, publish="+24", active="+30", retire="+1y", remove="+2y")
t.start()
t.sleep(4)
check_zone4(knot, 2, 1, "initial keys")
t.sleep(15)
check_zone4(knot, 2, 1, "standard rollover")
t.sleep(13)
for x in range(1, 8):
check_zone4(knot, 2, 1, "conflicting rollover %i" % x)
t.sleep(2)
t.end()
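Review bot: The "conflicting rollover" loop at the end only checks lower bounds through check_zone4, so it cannot tell whether Knot signed with ZSK2 or ZSK3 (both carry keytag 950 in the keystore JSON) nor whether the returned RRSIG actually validates against the published DNSKEY RRset; comparing the DNSKEY set against the expected `public_key` values at each stage, and verifying the RRSIG against the key that is supposed to be active, would catch a regression where the conflicting key is silently skipped. In check_zone4 the local `soa` holds the response of `server.dig("mail.example.com", "A", dnssec=True)`, so `resp` would be a clearer name, and the two `check_log(...)` lines end in stray semicolons, e.g. `check_log("RRSIGs: %d (expected min %d)" % (found_rrsigs, min_rrsigs))`. `collections`, `datetime` and `subprocess` are imported but not used anywhere in this file.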
......@@ -45,6 +45,8 @@ class ZoneDnssec(object):
self.nsec3_iters = None
self.nsec3_salt_lifetime = None
self.nsec3_salt_len = None
self.rrsig_lifetime = None
self.rrsig_refresh = None
class Zone(object):
'''DNS zone description'''
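Review bot: The two new attributes `rrsig_lifetime` and `rrsig_refresh` on ZoneDnssec carry no indication of their unit or of what None means; the new test assigns bare integers (5 and 2), presumably seconds, so a short comment next to them such as `# rrsig-lifetime / rrsig-refresh (seconds, presumably); None = not emitted into the config` would help the next test author. The None-means-omitted part is inferred from the pattern of the surrounding attributes and should be confirmed against how `_str` treats None in the Knot section. The class body continues outside the hunk.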
......@@ -1040,6 +1042,8 @@ class Knot(Server):
self._str(s, "nsec3-iterations", z.dnssec.nsec3_iters)
self._str(s, "nsec3-salt-lifetime", z.dnssec.nsec3_salt_lifetime)
self._str(s, "nsec3-salt-length", z.dnssec.nsec3_salt_len)
self._str(s, "rrsig-lifetime", z.dnssec.rrsig_lifetime)
self._str(s, "rrsig-refresh", z.dnssec.rrsig_refresh)
s.end()
s.begin("template")