upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-13 20:00:01 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Test sending NOTIFY(CDS) messages during rollover

Browse source 
When doing rollover and the CDS/CDNSKEY RRset is updated, test that a
NOTIFY(CDS) message is sent. For other steps in the rollover, prohibit
any dsyncfetch activity.
This commit is contained in:
Matthijs Mekking 2025-12-01 14:20:01 +01:00
parent e344fe18bc
commit 35a7024e8c
17 changed files with 137 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py
View file

@ -80,3 +80,5 @@ def test_algoroll_csk_initial(tld, ns3):
"nextev": TIMEDELTA["PT1H"],
}
isctest.kasp.check_rollover_step(ns3, config, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log

15
bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py
View file

@ -138,6 +138,8 @@ def test_algoroll_csk_reconfig_step1(tld, ns3, alg, size):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -175,6 +177,8 @@ def test_algoroll_csk_reconfig_step2(tld, ns3, alg, size):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -244,6 +248,11 @@ def test_algoroll_csk_reconfig_step3(tld, ns3, alg, size):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
with ns3.watch_log_from_start() as watcher:
watcher.wait_for_line(
f"zone {zone}/IN (signed): dsyncfetch: send NOTIFY(CDS) query to scanner.{tld}"
)
@pytest.mark.parametrize(
"tld",
@ -299,6 +308,8 @@ def test_algoroll_csk_reconfig_step4(tld, ns3, alg, size):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -333,6 +344,8 @@ def test_algoroll_csk_reconfig_step5(tld, ns3, alg, size):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -365,3 +378,5 @@ def test_algoroll_csk_reconfig_step6(tld, ns3, alg, size):
"verbose": True,
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log

2
bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_initial.py
View file

@ -77,3 +77,5 @@ def test_algoroll_ksk_zsk_initial(tld, ns3):
"nextev": TIMEDELTA["PT1H"],
}
isctest.kasp.check_rollover_step(ns3, config, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log

15
bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py
View file

@ -141,6 +141,8 @@ def test_algoroll_ksk_zsk_reconfig_step1(tld, ns3, alg, size):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -180,6 +182,8 @@ def test_algoroll_ksk_zsk_reconfig_step2(tld, ns3, alg, size):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -253,6 +257,11 @@ def test_algoroll_ksk_zsk_reconfig_step3(tld, ns3, alg, size):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
with ns3.watch_log_from_start() as watcher:
watcher.wait_for_line(
f"zone {zone}/IN (signed): dsyncfetch: send NOTIFY(CDS) query to scanner.{tld}"
)
@pytest.mark.parametrize(
"tld",
@ -315,6 +324,8 @@ def test_algoroll_ksk_zsk_reconfig_step4(tld, ns3, alg, size):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -353,6 +364,8 @@ def test_algoroll_ksk_zsk_reconfig_step5(tld, ns3, alg, size):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -387,3 +400,5 @@ def test_algoroll_ksk_zsk_reconfig_step6(tld, ns3, alg, size):
"verbose": True,
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log

17
bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py
View file

@ -123,6 +123,8 @@ def test_csk_roll1_step1(tld, ns3, alg, size):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -181,6 +183,8 @@ def test_csk_roll1_step2(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -268,6 +272,11 @@ def test_csk_roll1_step3(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
with ns3.watch_log_from_start() as watcher:
watcher.wait_for_line(
f"zone {zone}/IN (signed): dsyncfetch: send NOTIFY(CDS) query to scanner.{tld}"
)
@pytest.mark.parametrize(
"tld",
@ -333,6 +342,8 @@ def test_csk_roll1_step4(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -366,6 +377,8 @@ def test_csk_roll1_step5(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -402,6 +415,8 @@ def test_csk_roll1_step6(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -461,3 +476,5 @@ def test_csk_roll1_step8(tld, alg, size, ns3):
"nextev": None,
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log

17
bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py
View file

@ -126,6 +126,8 @@ def test_csk_roll2_step1(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -184,6 +186,8 @@ def test_csk_roll2_step2(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -271,6 +275,11 @@ def test_csk_roll2_step3(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
with ns3.watch_log_from_start() as watcher:
watcher.wait_for_line(
f"zone {zone}/IN (signed): dsyncfetch: send NOTIFY(CDS) query to scanner.{tld}"
)
@pytest.mark.parametrize(
"tld",
@ -310,6 +319,8 @@ def test_csk_roll2_step4(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -374,6 +385,8 @@ def test_csk_roll2_step5(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -409,6 +422,8 @@ def test_csk_roll2_step6(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -439,3 +454,5 @@ def test_csk_roll2_step7(tld, alg, size, ns3):
"verbose": True,
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log

11
bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py
View file

@ -122,6 +122,8 @@ def test_rollover_enable_dnssec_step1(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -154,6 +156,8 @@ def test_rollover_enable_dnssec_step2(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -208,6 +212,11 @@ def test_rollover_enable_dnssec_step3(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
with ns3.watch_log_from_start() as watcher:
watcher.wait_for_line(
f"zone {zone}/IN (signed): dsyncfetch: send NOTIFY(CDS) query to scanner.{tld}"
)
@pytest.mark.parametrize(
"tld",
@ -237,3 +246,5 @@ def test_rollover_enable_dnssec_step4(tld, alg, size, ns3):
"nextev": TIMEDELTA["PT1H"],
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log

2
bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_initial.py
View file

@ -70,3 +70,5 @@ def test_going_insecure_initial(zone, ns3, alg, size):
"nextev": None,
}
isctest.kasp.check_rollover_step(ns3, config, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log

18
bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_reconfig.py
View file

@ -63,14 +63,14 @@ def after_servers_start(ns3, templates):
def test_going_insecure_reconfig_step1(zone, alg, size, ns3):
config = DEFAULT_CONFIG
policy = "insecure"
zone = f"step1.{zone}"
szone = f"step1.{zone}"
isctest.kasp.wait_keymgr_done(ns3, zone, reconfig=True)
isctest.kasp.wait_keymgr_done(ns3, szone, reconfig=True)
# Key goal states should be HIDDEN.
# The DS may be removed if we are going insecure.
step = {
"zone": zone,
"zone": szone,
"cdss": CDSS,
"keyprops": [
f"ksk 0 {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{-DURATION['P10D']}",
@ -85,6 +85,16 @@ def test_going_insecure_reconfig_step1(zone, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, config, policy, step)
with ns3.watch_log_from_start() as watcher:
if "dynamic" in zone:
watcher.wait_for_line(
f"zone {szone}/IN: dsyncfetch: send NOTIFY(CDS) query to scanner.kasp"
)
else:
watcher.wait_for_line(
f"zone {szone}/IN (signed): dsyncfetch: send NOTIFY(CDS) query to scanner.kasp"
)
@pytest.mark.parametrize(
"zone",
@ -119,3 +129,5 @@ def test_going_insecure_reconfig_step2(zone, alg, size, ns3):
"check-keytimes": False,
}
isctest.kasp.check_rollover_step(ns3, config, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log

5
bin/tests/system/rollover-ksk-3crowd/tests_rollover_three_is_a_crowd.py
View file

@ -115,3 +115,8 @@ def test_rollover_ksk_three_is_a_crowd(alg, size, ns3):
expected[1].timing["Removed"] = now + KSK_IPUB + KSK_IRET
isctest.kasp.check_keytimes(keys, expected)
with ns3.watch_log_from_start() as watcher:
watcher.wait_for_line(
f"zone {zone}/IN (signed): dsyncfetch: send NOTIFY(CDS) query to scanner.kasp"
)

15
bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py
View file

@ -107,6 +107,8 @@ def test_ksk_doubleksk_step1(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -166,6 +168,8 @@ def test_ksk_doubleksk_step2(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -246,6 +250,11 @@ def test_ksk_doubleksk_step3(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, policy, step)
with ns3.watch_log_from_start() as watcher:
watcher.wait_for_line(
f"zone {zone}/IN (signed): dsyncfetch: send NOTIFY(CDS) query to scanner.{tld}"
)
@pytest.mark.parametrize(
"tld",
@ -312,6 +321,8 @@ def test_ksk_doubleksk_step4(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -349,6 +360,8 @@ def test_ksk_doubleksk_step5(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -376,3 +389,5 @@ def test_ksk_doubleksk_step6(tld, alg, size, ns3):
"nextev": None,
}
isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log

2
bin/tests/system/rollover-lifetime/tests_rollover_lifetime_initial.py
View file

@ -48,3 +48,5 @@ def test_lifetime_initial(zone, policy, lifetime, alg, size, ns3):
"nextev": None,
}
isctest.kasp.check_rollover_step(ns3, config, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log

2
bin/tests/system/rollover-lifetime/tests_rollover_lifetime_reconfig.py
View file

@ -63,3 +63,5 @@ def test_lifetime_reconfig(zone, policy, lifetime, alg, size, ns3):
"nextev": None,
}
isctest.kasp.check_rollover_step(ns3, config, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log

2
bin/tests/system/rollover-straight2none/tests_rollover_straight2none_initial.py
View file

@ -68,3 +68,5 @@ def test_straight2none_initial(zone, ns3, alg, size):
"nextev": None,
}
isctest.kasp.check_rollover_step(ns3, config, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log

2
bin/tests/system/rollover-straight2none/tests_rollover_straight2none_reconfig.py
View file

@ -77,3 +77,5 @@ def test_straight2none_reconfig(zone, ns3, alg, size):
"nextev": None,
}
isctest.kasp.check_rollover_step(ns3, config, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log

12
bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py
View file

@ -116,6 +116,8 @@ def test_zsk_prepub_step1(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -173,6 +175,8 @@ def test_zsk_prepub_step2(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -251,6 +255,8 @@ def test_zsk_prepub_step3(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
# Force full resign and check all signatures have been replaced.
with ns3.watch_log_from_here() as watcher:
ns3.rndc(f"sign {zone}")
@ -321,6 +327,8 @@ def test_zsk_prepub_step4(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -356,6 +364,8 @@ def test_zsk_prepub_step5(tld, alg, size, ns3):
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log
@pytest.mark.parametrize(
"tld",
@ -382,3 +392,5 @@ def test_zsk_prepub_step6(tld, alg, size, ns3):
"nextev": None,
}
isctest.kasp.check_rollover_step(ns3, CONFIG, policy, step)
assert f"zone {zone}/IN (signed): dsyncfetch" not in ns3.log

1
bin/tests/system/rollover/ns3/named.common.conf.j2
View file

@ -30,6 +30,7 @@ options {
allow-transfer { any; };
recursion yes;
dnssec-validation @dnssec_validation@;
notify-cds yes;
};
key rndc_key {