Add multisigner system test

Add a new system test to test multisigner model use cases. This initial test just tests a small part of the model 2, and uses two providers for the same zone, ns3 and ns4, each with their own unique key set. This commit tests that each provider can import their ZSK of the other provider into their DNSKEY RRset, using dynamic update. Both providers use dnssec-policy, ns3 applies the DNSSEC records directly, while ns4 uses inline-signing.
2026-06-08 17:42:04 -04:00 · 2022-10-04 15:42:03 +02:00 · 2022-10-04 15:42:03 +02:00 · 4e18991fed
commit 4e18991fed
parent b92d33a849
12 changed files with 423 additions and 1 deletions
--- a/bin/tests/system/Makefile.am
+++ b/bin/tests/system/Makefile.am
@ -201,7 +201,7 @@ endif HAVE_PERLMOD_NET_DNS_NAMESERVER
 endif HAVE_PERLMOD_NET_DNS

 if HAVE_PYTHON
-TESTS += kasp keymgr2kasp tcp pipelined
+TESTS += kasp keymgr2kasp multisigner tcp pipelined

 if HAVE_PYTEST
 TESTS += checkds dispatch rpzextra shutdown timeouts
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@ -108,6 +108,7 @@ keyfromlabel
 keymgr2kasp
 legacy
 logfileconfig
+multisigner
 nzd2nzf
 pipelined
 qmin
--- a/bin/tests/system/multisigner/clean.sh
+++ b/bin/tests/system/multisigner/clean.sh
@ -0,0 +1,35 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f *.created
+rm -f created.key-*
+rm -f dig.out.*
+rm -f python.out.*
+rm -f rndc.dnssec.status.out.*
+rm -f unused.key-*
+rm -f verify.out.*
+
+rm -f ns*/*.jbk
+rm -f ns*/*.jnl
+rm -f ns*/*.signed
+rm -f ns*/*.signed.jnl
+rm -f ns*/*.zsk
+rm -f ns*/K*
+rm -f ns*/keygen.out.*
+rm -f ns*/managed-keys*
+rm -f ns*/named.conf
+rm -f ns*/named.memstats
+rm -f ns*/named.run
+rm -f ns*/settime.out.*
--- a/bin/tests/system/multisigner/kasp.conf
+++ b/bin/tests/system/multisigner/kasp.conf
@ -0,0 +1,19 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "model2" {
+	keys {
+		ksk lifetime unlimited algorithm ecdsap256sha256;
+		zsk lifetime unlimited algorithm ecdsap256sha256;
+	};
+};
--- a/bin/tests/system/multisigner/ns3/model2.multisigner.db
+++ b/bin/tests/system/multisigner/ns3/model2.multisigner.db
@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns3
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+
--- a/bin/tests/system/multisigner/ns3/named.conf.in
+++ b/bin/tests/system/multisigner/ns3/named.conf.in
@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+include "../kasp.conf";
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+	key-directory ".";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "model2.multisigner." {
+	type primary;
+	allow-update { any; };
+	file "model2.multisigner.db";
+	dnssec-policy model2;
+	inline-signing no;
+};
--- a/bin/tests/system/multisigner/ns3/setup.sh
+++ b/bin/tests/system/multisigner/ns3/setup.sh
@ -0,0 +1,31 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns3/setup.sh"
+
+zone="model2.multisigner"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+
+O="OMNIPRESENT"
+ksktimes="-P now -A now -P sync now"
+zsktimes="-P now -A now"
+KSK=$($KEYGEN  -a $DEFAULT_ALGORITHM -f KSK  -L 3600 $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O now -z $O now           "$ZSK" > settime.out.$zone.2 2>&1
+# ZSK will be added to the other provider with nsupdate.
+cat "${ZSK}.key" | grep -v ";.*" > "${zone}.zsk"
--- a/bin/tests/system/multisigner/ns4/model2.multisigner.db
+++ b/bin/tests/system/multisigner/ns4/model2.multisigner.db
@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns4
+ns4			A	10.53.0.4
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
--- a/bin/tests/system/multisigner/ns4/named.conf.in
+++ b/bin/tests/system/multisigner/ns4/named.conf.in
@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+include "../kasp.conf";
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+	key-directory ".";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "model2.multisigner." {
+	type primary;
+	allow-update { any; };
+	file "model2.multisigner.db";
+	dnssec-policy model2;
+	inline-signing yes;
+};
--- a/bin/tests/system/multisigner/ns4/setup.sh
+++ b/bin/tests/system/multisigner/ns4/setup.sh
@ -0,0 +1,31 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns4/setup.sh"
+
+zone="model2.multisigner"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+
+O="OMNIPRESENT"
+ksktimes="-P now -A now -P sync now"
+zsktimes="-P now -A now"
+KSK=$($KEYGEN  -a $DEFAULT_ALGORITHM -f KSK  -L 3600 $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O now -r $O now -d $O now  "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O now -z $O now            "$ZSK" > settime.out.$zone.2 2>&1
+# ZSK will be added to the other provider with nsupdate.
+cat "${ZSK}.key" | grep -v ";.*" > "${zone}.zsk"
--- a/bin/tests/system/multisigner/setup.sh
+++ b/bin/tests/system/multisigner/setup.sh
@ -0,0 +1,31 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+(
+	cd ns3
+	$SHELL setup.sh
+)
+(
+	cd ns4
+	$SHELL setup.sh
+)
--- a/bin/tests/system/multisigner/tests.sh
+++ b/bin/tests/system/multisigner/tests.sh
@ -0,0 +1,129 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+# shellcheck source=kasp.sh
+. ../kasp.sh
+
+dig_with_opts() {
+	$DIG +tcp +noadd +nosea +nostat +nocmd +dnssec -p $PORT "$@"
+}
+
+
+start_time="$(TZ=UTC date +%s)"
+status=0
+n=0
+
+set_zone "model2.multisigner"
+set_policy "model2" "2" "3600"
+
+# Key properties and states.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "ksk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "no"
+set_keystate     "KEY1" "GOAL"         "omnipresent"
+set_keystate     "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate     "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate     "KEY1" "STATE_DS"     "omnipresent"
+
+key_clear        "KEY2"
+set_keyrole      "KEY2" "zsk"
+set_keylifetime  "KEY2" "0"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY2" "no"
+set_zonesigning  "KEY2" "yes"
+set_keystate     "KEY2" "GOAL"         "omnipresent"
+set_keystate     "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate     "KEY2" "STATE_ZRRSIG" "omnipresent"
+
+key_clear "KEY3"
+key_clear "KEY4"
+
+set_keytimes_model2() {
+	# The first KSK is immediately published and activated.
+	created=$(key_get KEY1 CREATED)
+	set_keytime "KEY1" "PUBLISHED"   "${created}"
+	set_keytime "KEY1" "ACTIVE"      "${created}"
+	set_keytime "KEY1" "SYNCPUBLISH" "${created}"
+
+	# The first ZSKs are immediately published and activated.
+	created=$(key_get KEY2 CREATED)
+	set_keytime "KEY2" "PUBLISHED" "${created}"
+	set_keytime "KEY2" "ACTIVE"    "${created}"
+}
+
+set_server "ns3" "10.53.0.3"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_model2
+check_keytimes
+check_apex
+dnssec_verify
+
+# Check that the ZSKs from the other provider are published.
+zsks_are_published() {
+	dig_with_opts "$ZONE" "@${SERVER}" DNSKEY > "dig.out.$DIR.test$n" || return 1
+	# We should have two ZSKs.
+	lines=$(grep "256 3 13" dig.out.$DIR.test$n | wc -l)
+	test "$lines" -eq 2 || return 1
+	# And one KSK.
+	lines=$(grep "257 3 13" dig.out.$DIR.test$n | wc -l)
+	test "$lines" -eq 1 || return 1
+}
+
+n=$((n+1))
+echo_i "update zone ${ZONE} at ns3 with ZSK from provider ns4"
+ret=0
+(
+echo zone ${ZONE}
+echo server 10.53.0.3 "$PORT"
+echo update add $(cat "ns4/${ZONE}.zsk")
+echo send
+) | $NSUPDATE
+echo_i "check zone ${ZONE} DNSKEY RRset after update ($n)"
+retry_quiet 10 zsks_are_published || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+# Verify again.
+dnssec_verify
+
+set_server "ns4" "10.53.0.4"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_model2
+check_keytimes
+check_apex
+dnssec_verify
+
+n=$((n+1))
+echo_i "update zone ${ZONE} at ns4 with ZSK from provider ns3"
+ret=0
+(
+echo zone ${ZONE}
+echo server 10.53.0.4 "$PORT"
+echo update add $(cat "ns3/${ZONE}.zsk")
+echo send
+) | $NSUPDATE
+echo_i "check zone ${ZONE} DNSKEY RRset after update ($n)"
+retry_quiet 10 zsks_are_published || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+# Verify again.
+dnssec_verify
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1