From 36ea9b81816835b92888ffca4c74cbc255e2ac4b Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 30 Jan 2019 12:12:47 +1100
Subject: [PATCH 1/3] only use a single policy file when testing.
---
 .../system/keymgr/01-ksk-inactive/expect | 2 +-
 .../system/keymgr/02-zsk-inactive/expect | 2 +-
 .../system/keymgr/03-ksk-unpublished/expect | 2 +-
 .../system/keymgr/04-zsk-unpublished/expect | 2 +-
 .../system/keymgr/05-ksk-unpub-active/expect | 2 +-
 .../system/keymgr/06-zsk-unpub-active/expect | 2 +-
 bin/tests/system/keymgr/07-ksk-ttl/expect | 2 +-
 bin/tests/system/keymgr/08-zsk-ttl/expect | 2 +-
 bin/tests/system/keymgr/09-no-keys/expect | 2 +-
 bin/tests/system/keymgr/10-change-roll/expect | 2 +-
 bin/tests/system/keymgr/11-many-simul/expect | 2 +-
 bin/tests/system/keymgr/12-many-active/expect | 2 +-
 bin/tests/system/keymgr/13-noroll/expect | 2 +-
 bin/tests/system/keymgr/14-wrongalg/expect | 2 +-
 bin/tests/system/keymgr/15-unspec/expect | 2 +-
 .../system/keymgr/16-wrongalg-unspec/expect | 2 +-
 bin/tests/system/keymgr/17-noforce/expect | 2 +-
 .../system/keymgr/18-nonstd-prepub/expect | 4 +-
 bin/tests/system/keymgr/19-old-keys/expect | 4 +-
 bin/tests/system/keymgr/tests.sh | 128 ++++++++++--------
 20 files changed, 90 insertions(+), 80 deletions(-)
diff --git a/bin/tests/system/keymgr/01-ksk-inactive/expect b/bin/tests/system/keymgr/01-ksk-inactive/expect
index b076310d44..bf908e7c21 100644
--- a/bin/tests/system/keymgr/01-ksk-inactive/expect
+++ b/bin/tests/system/keymgr/01-ksk-inactive/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
 kmatch=""
 kret=0
 cargs="-d 1h -m 2h example.com"
diff --git a/bin/tests/system/keymgr/02-zsk-inactive/expect b/bin/tests/system/keymgr/02-zsk-inactive/expect
index b076310d44..bf908e7c21 100644
--- a/bin/tests/system/keymgr/02-zsk-inactive/expect
+++ b/bin/tests/system/keymgr/02-zsk-inactive/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
 kmatch=""
 kret=0
 cargs="-d 1h -m 2h example.com"
diff --git a/bin/tests/system/keymgr/03-ksk-unpublished/expect b/bin/tests/system/keymgr/03-ksk-unpublished/expect
index b076310d44..bf908e7c21 100644
--- a/bin/tests/system/keymgr/03-ksk-unpublished/expect
+++ b/bin/tests/system/keymgr/03-ksk-unpublished/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
 kmatch=""
 kret=0
 cargs="-d 1h -m 2h example.com"
diff --git a/bin/tests/system/keymgr/04-zsk-unpublished/expect b/bin/tests/system/keymgr/04-zsk-unpublished/expect
index b076310d44..bf908e7c21 100644
--- a/bin/tests/system/keymgr/04-zsk-unpublished/expect
+++ b/bin/tests/system/keymgr/04-zsk-unpublished/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
 kmatch=""
 kret=0
 cargs="-d 1h -m 2h example.com"
diff --git a/bin/tests/system/keymgr/05-ksk-unpub-active/expect b/bin/tests/system/keymgr/05-ksk-unpub-active/expect
index b076310d44..bf908e7c21 100644
--- a/bin/tests/system/keymgr/05-ksk-unpub-active/expect
+++ b/bin/tests/system/keymgr/05-ksk-unpub-active/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
 kmatch=""
 kret=0
 cargs="-d 1h -m 2h example.com"
diff --git a/bin/tests/system/keymgr/06-zsk-unpub-active/expect b/bin/tests/system/keymgr/06-zsk-unpub-active/expect
index b076310d44..bf908e7c21 100644
--- a/bin/tests/system/keymgr/06-zsk-unpub-active/expect
+++ b/bin/tests/system/keymgr/06-zsk-unpub-active/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
 kmatch=""
 kret=0
 cargs="-d 1h -m 2h example.com"
diff --git a/bin/tests/system/keymgr/07-ksk-ttl/expect b/bin/tests/system/keymgr/07-ksk-ttl/expect
index de792a9d5e..03d719c3f4 100644
--- a/bin/tests/system/keymgr/07-ksk-ttl/expect
+++ b/bin/tests/system/keymgr/07-ksk-ttl/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
 kmatch=""
 kret=0
 cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/08-zsk-ttl/expect b/bin/tests/system/keymgr/08-zsk-ttl/expect
index de792a9d5e..03d719c3f4 100644
--- a/bin/tests/system/keymgr/08-zsk-ttl/expect
+++ b/bin/tests/system/keymgr/08-zsk-ttl/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
 kmatch=""
 kret=0
 cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/09-no-keys/expect b/bin/tests/system/keymgr/09-no-keys/expect
index de792a9d5e..03d719c3f4 100644
--- a/bin/tests/system/keymgr/09-no-keys/expect
+++ b/bin/tests/system/keymgr/09-no-keys/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
 kmatch=""
 kret=0
 cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/10-change-roll/expect b/bin/tests/system/keymgr/10-change-roll/expect
index de792a9d5e..03d719c3f4 100644
--- a/bin/tests/system/keymgr/10-change-roll/expect
+++ b/bin/tests/system/keymgr/10-change-roll/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
 kmatch=""
 kret=0
 cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/11-many-simul/expect b/bin/tests/system/keymgr/11-many-simul/expect
index de792a9d5e..03d719c3f4 100644
--- a/bin/tests/system/keymgr/11-many-simul/expect
+++ b/bin/tests/system/keymgr/11-many-simul/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
 kmatch=""
 kret=0
 cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/12-many-active/expect b/bin/tests/system/keymgr/12-many-active/expect
index f990a7a027..67fc4e912c 100644
--- a/bin/tests/system/keymgr/12-many-active/expect
+++ b/bin/tests/system/keymgr/12-many-active/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf -f example.com"
+kargs="-f example.com"
 kmatch=""
 kret=0
 cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/13-noroll/expect b/bin/tests/system/keymgr/13-noroll/expect
index 40616e1a93..67fc4e912c 100644
--- a/bin/tests/system/keymgr/13-noroll/expect
+++ b/bin/tests/system/keymgr/13-noroll/expect
@@ -1,4 +1,4 @@
-kargs="-f -c policy.conf example.com"
+kargs="-f example.com"
 kmatch=""
 kret=0
 cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/14-wrongalg/expect b/bin/tests/system/keymgr/14-wrongalg/expect
index 436f05fbc9..bd5eadbf7a 100644
--- a/bin/tests/system/keymgr/14-wrongalg/expect
+++ b/bin/tests/system/keymgr/14-wrongalg/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
 kmatch=""
 kret=0
 cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/15-unspec/expect b/bin/tests/system/keymgr/15-unspec/expect
index b1ff4fc3fe..ad300c498c 100644
--- a/bin/tests/system/keymgr/15-unspec/expect
+++ b/bin/tests/system/keymgr/15-unspec/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf"
+kargs=""
 kmatch=""
 kret=0
 cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/16-wrongalg-unspec/expect b/bin/tests/system/keymgr/16-wrongalg-unspec/expect
index 7a21decc0b..c836535ce8 100644
--- a/bin/tests/system/keymgr/16-wrongalg-unspec/expect
+++ b/bin/tests/system/keymgr/16-wrongalg-unspec/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf"
+kargs=""
 kmatch=""
 kret=0
 cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/17-noforce/expect b/bin/tests/system/keymgr/17-noforce/expect
index a5bf1f1ec5..029a4e903a 100644
--- a/bin/tests/system/keymgr/17-noforce/expect
+++ b/bin/tests/system/keymgr/17-noforce/expect
@@ -1,4 +1,4 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
 kmatch=""
 kret=1
 cargs="-d 1w -m 2w example.com"
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/expect b/bin/tests/system/keymgr/18-nonstd-prepub/expect
index de792a9d5e..e8518d8c3a 100644
--- a/bin/tests/system/keymgr/18-nonstd-prepub/expect
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/expect
@@ -1,7 +1,7 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
 kmatch=""
 kret=0
-cargs="-d 1w -m 2w example.com"
+cargs="-d 1h -m 1d example.com"
 cmatch=""
 cret=0
 warn=0
diff --git a/bin/tests/system/keymgr/19-old-keys/expect b/bin/tests/system/keymgr/19-old-keys/expect
index f3e49b3d28..ad73b536c9 100644
--- a/bin/tests/system/keymgr/19-old-keys/expect
+++ b/bin/tests/system/keymgr/19-old-keys/expect
@@ -1,7 +1,7 @@
-kargs="-c policy.conf example.com"
+kargs="example.com"
 kmatch=""
 kret=0
-cargs="-d 1w -m 2w example.com"
+cargs="-d 1h -m 1w example.com"
 cmatch="4,Publish
 4,Activate
 2,Inactive
diff --git a/bin/tests/system/keymgr/tests.sh b/bin/tests/system/keymgr/tests.sh
index 3043f162e9..4f027c1a01 100644
--- a/bin/tests/system/keymgr/tests.sh
+++ b/bin/tests/system/keymgr/tests.sh
@@ -19,12 +19,12 @@ matchall () {
 match_result=ok
 file=$1
 while IFS="," read expect matchline; do
- [ -z "$matchline" ] && continue
- matches=`grep "$matchline" $file | wc -l`
- [ "$matches" -ne "$expect" ] && {
- echo "'$matchline': expected $expect found $matches"
- return 1
- }
+ [ -z "$matchline" ] && continue
+ matches=`grep "$matchline" $file | wc -l`
+ [ "$matches" -ne "$expect" ] && {
+ echo "'$matchline': expected $expect found $matches"
+ return 1
+ }
 done << EOF
 $2
 EOF
@@ -34,74 +34,84 @@ EOF
 echo_i "checking for DNSSEC key coverage issues"
 ret=0
 for dir in [0-9][0-9]-*; do
- ret=0
- echo_i "$dir ($n)"
- kargs= cargs= kmatch= cmatch= kret= cret=0 warn= error= ok=
- . $dir/expect
+ ret=0
+ echo_i "$dir ($n)"
+ kargs= cargs= kmatch= cmatch= kret= cret=0 warn= error= ok=
+ . $dir/expect
- # use policy.conf if available
- policy=""
- [ -e "$dir/policy.conf" ] && policy="-c $dir/policy.conf"
- # run keymgr to update keys
+ # use policy.conf if available
+ policy=""
+ if [ -e "$dir/policy.conf" ]; then
+ policy="-c $dir/policy.conf"
+ if grep -e "-c policy.conf" $dir/expect > /dev/null
+ then
+ echo_i "fix $dir/expect: multiple policy files"
+ ret=1
+ fi
+ else
+ policy="-c policy.conf"
+ fi
+
+ # run keymgr to update keys
 if [ "$CYGWIN" ]; then
- $KEYMGR $policy -K $dir -g `cygpath -w $KEYGEN` \
+ $KEYMGR $policy -K $dir -g `cygpath -w $KEYGEN` \
 -s `cygpath -w $SETTIME` $kargs > keymgr.$n 2>&1
 else
 $KEYMGR $policy -K $dir -g $KEYGEN \
 -s $SETTIME $kargs > keymgr.$n 2>&1
 fi
- # check that return code matches expectations
- found=$?
- if [ $found -ne $kret ]; then
- echo "keymgr retcode was $found expected $kret"
- ret=1
- fi
+ # check that return code matches expectations
+ found=$?
+ if [ $found -ne $kret ]; then
+ echo "keymgr retcode was $found expected $kret"
+ ret=1
+ fi
- # check for matches in keymgr output
- matchall keymgr.$n "$kmatch" || ret=1
+ # check for matches in keymgr output
+ matchall keymgr.$n "$kmatch" || ret=1
- # now check coverage
- $COVERAGE -K $dir $cargs > coverage.$n 2>&1
- # check that return code matches expectations
- found=$?
- if [ $found -ne $cret ]; then
- echo "coverage retcode was $found expected $cret"
- ret=1
- fi
+ # now check coverage
+ $COVERAGE -K $dir $cargs > coverage.$n 2>&1
+ # check that return code matches expectations
+ found=$?
+ if [ $found -ne $cret ]; then
+ echo "coverage retcode was $found expected $cret"
+ ret=1
+ fi
- # check for correct number of errors
- found=`grep ERROR coverage.$n | wc -l`
- if [ $found -ne $error ]; then
- echo "error count was $found expected $error"
- ret=1
- fi
+ # check for correct number of errors
+ found=`grep ERROR coverage.$n | wc -l`
+ if [ $found -ne $error ]; then
+ echo "error count was $found expected $error"
+ ret=1
+ fi
- # check for correct number of warnings
- found=`grep WARNING coverage.$n | wc -l`
- if [ $found -ne $warn ]; then
- echo "warning count was $found expected $warn"
- ret=1
- fi
+ # check for correct number of warnings
+ found=`grep WARNING coverage.$n | wc -l`
+ if [ $found -ne $warn ]; then
+ echo "warning count was $found expected $warn"
+ ret=1
+ fi
- # check for correct number of OKs
- found=`grep "No errors found" coverage.$n | wc -l`
- if [ $found -ne $ok ]; then
- echo "good count was $found expected $ok"
- ret=1
- fi
+ # check for correct number of OKs
+ found=`grep "No errors found" coverage.$n | wc -l`
+ if [ $found -ne $ok ]; then
+ echo "good count was $found expected $ok"
+ ret=1
+ fi
- # check for matches in coverage output
- matchall coverage.$n "$cmatch" || ret=1
+ # check for matches in coverage output
+ matchall coverage.$n "$cmatch" || ret=1
- if [ -f $dir/extra.sh ]; then
- cd $dir
- . ./extra.sh
- cd ..
- fi
+ if [ -f $dir/extra.sh ]; then
+ cd $dir
+ . ./extra.sh
+ cd ..
+ fi
- n=`expr $n + 1`
- if [ $ret != 0 ]; then echo_i "failed"; fi
- status=`expr $status + $ret`
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
 done
 echo_i "checking domains ending in . ($n)"
From acf0292da4c193fc83e6444f390d59e2d979f7a1 Mon Sep 17 00:00:00 2001
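Review bot: The only functional change in this hunk — the new `else` branch that falls back to `policy="-c policy.conf"` and the `grep -e "-c policy.conf" $dir/expect` consistency check — is buried in a re-indent of the whole `for dir` loop, so nearly every line shows as changed; splitting the whitespace-only part into its own commit (or at least reviewing with `-w`) would make the policy-file logic reviewable on its own. The fallback also assumes a shared `policy.conf` in the working directory without checking that it exists; if it is missing, every iteration fails inside keymgr and the only symptom is the retcode mismatch, so a guard such as `[ -e policy.conf ] || { echo_i "shared policy.conf missing"; ret=1; }` before the `$KEYMGR` call would give a clearer failure. The consistency check runs only when a per-directory `policy.conf` exists, so an `expect` file that still passes `-c policy.conf` in a directory without one is not flagged; running the grep in both branches would close that gap. The `for dir` loop starts and ends inside this hunk, but the rest of the script continues past it.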
From: Mark Andrews
Date: Wed, 30 Jan 2019 13:02:14 +1100
Subject: [PATCH 2/3] add 300 seconds of fudge
---
 bin/python/dnssec-keymgr.docbook | 6 ++++++
 bin/python/isc/keyseries.py.in | 21 +++++++++++++--------
 2 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/bin/python/dnssec-keymgr.docbook b/bin/python/dnssec-keymgr.docbook
index 1a209be3eb..32848250be 100644
--- a/bin/python/dnssec-keymgr.docbook
+++ b/bin/python/dnssec-keymgr.docbook
@@ -99,6 +99,12 @@ set by the option), and check the keys for all the zones represented in the directory.
+
+ Key times that are in the past will not be updated unless
+ the is used (see below). Key inactivation
+ and deletion times that are less than five minutes in the future
+ will be delayed by five minutes.
+
 It is expected that this tool will be run automatically and unattended (for example, by cron).
diff --git a/bin/python/isc/keyseries.py.in b/bin/python/isc/keyseries.py.in
index 74ccc645f8..2f4906f809 100644
--- a/bin/python/isc/keyseries.py.in
+++ b/bin/python/isc/keyseries.py.in
@@ -83,31 +83,36 @@ class keyseries:
 a = now
 i = key.inactive()
+ fudge = 300
 if not rp:
 key.setinactive(None, **kwargs)
 key.setdelete(None, **kwargs)
 elif not i or a + rp != i:
- if not i and a + rp > now + prepub:
+ if not i and a + rp > now + prepub + fudge:
 key.setinactive(a + rp, **kwargs)
 key.setdelete(a + rp + postpub, **kwargs)
 elif not i:
- key.setinactive(now + prepub, **kwargs)
- key.setdelete(now + prepub + postpub, **kwargs)
+ key.setinactive(now + prepub + fudge, **kwargs)
+ key.setdelete(now + prepub + postpub + fudge, **kwargs)
+ elif i < now:
+ pass
 elif a + rp > i:
 key.setinactive(a + rp, **kwargs)
 key.setdelete(a + rp + postpub, **kwargs)
- elif a + rp > now + prepub:
+ elif a + rp > now + prepub + fudge:
 key.setinactive(a + rp, **kwargs)
 key.setdelete(a + rp + postpub, **kwargs)
 else:
- key.setinactive(now + prepub, **kwargs)
- key.setdelete(now + prepub + postpub, **kwargs)
+ key.setinactive(now + prepub + fudge, **kwargs)
+ key.setdelete(now + prepub + postpub + fudge, **kwargs)
 else:
 d = key.delete()
- if not d or i + postpub > now:
+ if not d or i + postpub > now + fudge:
 key.setdelete(i + postpub, **kwargs)
 elif not d:
- key.setdelete(now + postpub, **kwargs)
+ key.setdelete(now + postpub + fudge, **kwargs)
+ elif d < now + fudge:
+ pass
 elif d < i + postpub:
 key.setdelete(i + postpub, **kwargs)
From b9d5a62bdccb2d7972d324c998f205a6de9d7d1f Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 30 Jan 2019 15:07:30 +1100
Subject: [PATCH 3/3] add CHANGES
---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGES b/CHANGES
index 18e9001c80..431542f46b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5147. [bug] dnssec-keymgr: Add a five-minute margin to better
+ handle key events close to 'now'. [GL #848]
+
 5146. [placeholder]
 5145. [func] Use atomics instead of locked variables for isc_quota
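Review bot: The `elif not d:` branch in the `else` arm (the one this commit edits to `key.setdelete(now + postpub + fudge, **kwargs)`) is unreachable, because the preceding `if not d or i + postpub > now + fudge:` already takes every `not d` case; as written, a key with no deletion time whose `i + postpub` is at or before `now + fudge` gets that stale value rather than the delayed one the docbook promises for "deletion times that are less than five minutes in the future". Reordering so the no-deletion-time-and-too-close case is tested first (shown below) makes the delayed path live without changing the other branches. Separately, `fudge = 300` is a bare magic number assigned inside the per-key loop; hoisting it to a module-level constant such as `FUDGE = 300  # seconds; margin so inactive/delete times are never set at or before 'now' (see dnssec-keymgr docbook)` would document the intent and keep code and documentation in step. The new `elif i < now: pass` and `elif d < now + fudge: pass` branches deliberately leave an already-past inactivation or an imminent deletion alone, which is the safe choice for a DNSSEC key (withdrawing it on a stale schedule risks a validation outage), but they deserve a one-line comment such as `# already inactive / about to be deleted: leave the recorded times alone`, and I cannot see in this hunk where a force option would override them, so that is worth confirming against the documented `-f` behaviour. The enclosing method's definition starts before this hunk.
```python
                d = key.delete()
                if not d and i + postpub <= now + fudge:
                    # no deletion time yet and the computed one is already
                    # within the margin: push it out rather than set it "now"
                    key.setdelete(now + postpub + fudge, **kwargs)
                elif not d or i + postpub > now + fudge:
                    key.setdelete(i + postpub, **kwargs)
                # … unchanged: remaining elif branches …
```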