Merge branch 'offline_ksk_alg_roll' into 'master'

tests: scenario of alg roll with offline KSK See merge request !1399

Merge branch 'offline_ksk_alg_roll' into 'master'
cfea3a34 · Daniel Salzman · 068409aa · 4811a3d6 · cfea3a34 · cfea3a34
Commit cfea3a34 authored 3 years ago by Daniel Salzman
--- a/tests-extra/tests/dnssec/key_rollovers/test.py
+++ b/tests-extra/tests/dnssec/key_rollovers/test.py
@@ -95,7 +95,7 @@ def check_zone(server, zone, slave, dnskeys, dnskey_rrsigs, cdnskeys, soa_rrsigs
    t.xfr_diff(server, slave, zone)

    server.zone_backup(zone, flush=True)
-    server.zone_verify(zone, ldns_check=False) # ldns-verify-zone complains about RRSIG without corresponding DNSKEY
+    server.zone_verify(zone)

 global_last_roll = 0


--- a/tests-extra/tests/dnssec/ksk_rollover/test.py
+++ b/tests-extra/tests/dnssec/ksk_rollover/test.py
@@ -61,7 +61,7 @@ def check_zone(server, zone, slave, dnskeys, dnskey_rrsigs, cdnskeys, soa_rrsigs
    t.xfr_diff(server, slave, zone)

    server.zone_backup(zone, flush=True)
-    server.zone_verify(zone, ldns_check=False) # ldns-verify-zone complains about RRSIG without corresponding DNSKEY
+    server.zone_verify(zone)

 global_last_roll = 0


--- a/tests-extra/tests/dnssec/offline_ksk/test.py
+++ b/tests-extra/tests/dnssec/offline_ksk/test.py
@@ -70,30 +70,40 @@ def check_zone(server, zone, dnskeys, dnskey_rrsigs, soa_rrsigs, msg):

 def wait_for_rrsig_count(t, server, rrtype, rrsig_count, timeout):
    endtime = time.monotonic() + timeout - 0.5
+    first = True
    while True:
        qdnskeyrrsig = server.dig("example.com", rrtype, dnssec=True, bufsize=4096)
        found_rrsigs = qdnskeyrrsig.count("RRSIG")
        if found_rrsigs == rrsig_count:
            break

-        # Verify the zone instead of a dumb sleep
-        server.zone_backup(zone, flush=True)
-        server.zone_verify(zone)
+        if first:
+            first = False
+            # Verify the zone instead of a dumb sleep
+            server.zone_backup(zone, flush=True)
+            server.zone_verify(zone)
+        else:
+            t.sleep(0.5)

        if time.monotonic() > endtime:
            break

 def wait_for_dnskey_count(t, server, dnskey_count, timeout):
    endtime = time.monotonic() + timeout - 0.5
+    first = True
    while True:
        qdnskeyrrsig = server.dig("example.com", "DNSKEY", dnssec=True, bufsize=4096)
        found_dnskeys = qdnskeyrrsig.count("DNSKEY")
        if found_dnskeys == dnskey_count:
            break

-        # Verify the zone instead of a dumb sleep
-        server.zone_backup(zone, flush=True)
-        server.zone_verify(zone)
+        if first:
+            first = False
+            # Verify the zone instead of a dumb sleep
+            server.zone_backup(zone, flush=True)
+            server.zone_verify(zone)
+        else:
+            t.sleep(0.5)

        if time.monotonic() > endtime:
            break
@@ -235,4 +245,44 @@ check_zone(knot, zone, 3, 1, 1, "ZSK rollover2: running")
 wait_for_dnskey_count(t, knot, 2, TICK_SAFE * 2)
 check_zone(knot, zone, 2, 1, 1, "ZSK rollover2: done")

+# prepare algorithm roll-over: delete pre-generated ZSKs, arrange all the timestamps
+
+_, out, _ = Keymgr.run_check(knot.confile, ZONE, "list")
+for line in out.split('\n'):
+    if len(line) > 0 and line.split()[-1] == "remove=0": # only one key with this property
+        last_zsk = line.split()[0]
+
+algtick = 5
+now = int(time.time())
+preactive = now + algtick
+publish = preactive + algtick
+postactive = publish + algtick
+remove = postactive + algtick
+
+key_ksk4 = signer.key_gen(ZONE, ksk="true", algorithm="ECDSAP256SHA256", created="+0", pre_active=str(preactive), publish=str(publish), ready=str(publish), active=str(postactive))
+key_zsk2 = knot.key_gen(ZONE, ksk="false", algorithm="ECDSAP256SHA256", created="+0", pre_active=str(preactive), publish=str(publish), active=str(postactive))
+signer.key_set(ZONE, key_ksk3, post_active=str(postactive), remove=str(remove))
+knot.key_set(ZONE, last_zsk, post_active=str(postactive), remove=str(remove))
+
+KSR = KSR + "3"
+SKR = SKR + "3"
+_, out, _ = Keymgr.run_check(knot.confile, ZONE, "generate-ksr", "+0", str(remove + 1))
+writef(KSR, out)
+_, out, _ = Keymgr.run_check(signer.confile, ZONE, "sign-ksr", KSR)
+writef(SKR, out)
+Keymgr.run_check(knot.confile, ZONE, "import-skr", SKR)
+knot.ctl("zone-keys-load")
+
+wait_for_rrsig_count(t, knot, "SOA", 2, algtick + 2)
+check_zone(knot, zone, 2, 1, 2, "alg roll: pre-active")
+
+wait_for_dnskey_count(t, knot, 4, algtick + 2)
+check_zone(knot, zone, 4, 2, 2, "alg roll: published")
+
+wait_for_dnskey_count(t, knot, 2, algtick + 2)
+check_zone(knot, zone, 2, 2, 2, "alg roll: post-active")
+
+wait_for_rrsig_count(t, knot, "SOA", 1, algtick + 2)
+check_zone(knot, zone, 2, 1, 1, "alg roll: finished")
+
 t.end()