diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh index a315ce9d1f..b3c097326e 100644 --- a/bin/tests/system/kasp/clean.sh +++ b/bin/tests/system/kasp/clean.sh @@ -22,6 +22,6 @@ rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.* rm -f ns*/managed-keys.bind rm -f ns*/*.mkeys -rm -f ns*/zones* ns*/*.db.infile +rm -f ns*/zones ns*/*.db.infile rm -f *.created published.test* retired.test* rm -f python.out.* diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh index 536b1cb619..a63db413ef 100644 --- a/bin/tests/system/kasp/ns6/setup.sh +++ b/bin/tests/system/kasp/ns6/setup.sh @@ -19,7 +19,6 @@ setup() { echo_i "setting up zone: $zone" zonefile="${zone}.db" infile="${zone}.db.infile" - echo "$zone" >> zones.2 } private_type_record() { @@ -47,8 +46,8 @@ zsktimes="-P now -A now" KSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 5 "$KSK" >> "$infile" -private_type_record $zone 5 "$ZSK" >> "$infile" +private_type_record $zone 13 "$KSK" >> "$infile" +private_type_record $zone 13 "$ZSK" >> "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 6547053d05..0432977eac 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -800,37 +800,32 @@ status=$((status+ret)) # # named # -# -# The NSEC record at the apex of the zone and its RRSIG records are -# added as part of the last step in signing a zone. We wait for the -# NSEC records to appear before proceeding with a counter to prevent -# infinite loops if there is a error. -# + +# The NSEC record at the apex of the zone and its RRSIG records are +# added as part of the last step in signing a zone. We wait for the +# NSEC records to appear before proceeding with a counter to prevent +# infinite loops if there is an error. n=$((n+1)) echo_i "waiting for kasp signing changes to take effect ($n)" -i=0 -while [ $i -lt 30 ] -do - ret=0 + +_wait_for_done_apexnsec() { while read -r zone do - dig_with_opts "$zone" @10.53.0.3 nsec > "dig.out.ns3.test$n.$zone" || ret=1 - grep "NS SOA" "dig.out.ns3.test$n.$zone" > /dev/null || ret=1 - grep "$zone\..*IN.*RRSIG" "dig.out.ns3.test$n.$zone" > /dev/null || ret=1 + dig_with_opts "$zone" @10.53.0.3 nsec > "dig.out.ns3.test$n.$zone" || return 1 + grep "NS SOA" "dig.out.ns3.test$n.$zone" > /dev/null || return 1 + grep "$zone\..*IN.*RRSIG" "dig.out.ns3.test$n.$zone" > /dev/null || return 1 done < ns3/zones while read -r zone do - dig_with_opts "$zone" @10.53.0.6 nsec > "dig.out.ns6.test$n.$zone" || ret=1 - grep "NS SOA" "dig.out.ns6.test$n.$zone" > /dev/null || ret=1 - grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" > /dev/null || ret=1 + dig_with_opts "$zone" @10.53.0.6 nsec > "dig.out.ns6.test$n.$zone" || return 1 + grep "NS SOA" "dig.out.ns6.test$n.$zone" > /dev/null || return 1 + grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" > /dev/null || return 1 done < ns6/zones - i=$((i+1)) - if [ $ret = 0 ]; then break; fi - echo_i "waiting ... ($i)" - sleep 1 -done + return 0 +} +retry_quiet 30 _wait_for_done_apexnsec || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -1067,7 +1062,6 @@ check_apex() { dig_with_opts "$ZONE" "@${SERVER}" $_qtype > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" - if [ "$(key_get KEY1 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" = "omnipresent" ]; then grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*$(key_get KEY1 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY1 ID)" check_signatures $_qtype "dig.out.$DIR.test$n" "KSK" @@ -1605,29 +1599,22 @@ echo_i "check that we correctly sign the zone after IXFR for zone ${ZONE} ($n)" ret=0 cp ns2/secondary.kasp.db.in2 ns2/secondary.kasp.db rndccmd 10.53.0.2 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed" -_log=0 -i=0 -while [ $i -lt 5 ] -do + +_wait_for_done_subdomains() { ret=0 - - dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || log_error "dig a.${ZONE} A failed" - grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || log_error "mismatch status in DNS response" - grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" > /dev/null || log_error "missing a.${ZONE} A record in response" + dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1 + grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" > /dev/null || return 1 check_signatures $_qtype "dig.out.$DIR.test$n.a" "ZSK" + if [ $ret -gt 0 ]; then return $ret; fi - dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.d" || log_error "dig d.${ZONE} A failed" - grep "status: NOERROR" "dig.out.$DIR.test$n.d" > /dev/null || log_error "mismatch status in DNS response" - grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" > /dev/null || log_error "missing d.${ZONE} A record in response" - lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.d" | wc -l) + dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.d" || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n.d" > /dev/null || return 1 + grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" > /dev/null || return 1 check_signatures $_qtype "dig.out.$DIR.test$n.d" "ZSK" - - i=$((i+1)) - if [ $ret = 0 ]; then break; fi - echo_i "waiting ... ($i)" - sleep 1 -done -_log=1 + return $ret +} +retry_quiet 5 _wait_for_done_subdomains || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -2310,7 +2297,6 @@ set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 # Key lifetime is unlimited, so not setting RETIRED and REMOVED. check_keytimes - check_apex check_subdomain dnssec_verify @@ -2362,7 +2348,6 @@ set_addkeytime "KEY1" "ACTIVE" "${created}" -900 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 check_keytimes - check_apex check_subdomain dnssec_verify @@ -2391,7 +2376,6 @@ set_addkeytime "KEY1" "ACTIVE" "${created}" -44700 set_keytime "KEY1" "SYNCPUBLISH" "${created}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -2419,7 +2403,6 @@ set_addkeytime "KEY1" "ACTIVE" "${created}" -143100 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -98400 check_keytimes - check_apex check_subdomain dnssec_verify @@ -2508,7 +2491,6 @@ check_keys # These keys are immediately published and activated. rollover_predecessor_keytimes 0 check_keytimes - check_apex check_subdomain dnssec_verify @@ -2552,7 +2534,6 @@ IpubZSK=93600 set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubZSK}" set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -2586,7 +2567,6 @@ set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600 set_keytime "KEY3" "ACTIVE" "${created}" set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" check_keytimes - check_apex # Subdomain still has good signatures of ZSK (KEY2). # Set expected zone signing on for KEY2 and off for KEY3, @@ -2629,7 +2609,6 @@ published=$(key_get KEY3 PUBLISHED) set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -2659,7 +2638,6 @@ published=$(key_get KEY3 PUBLISHED) set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -2723,7 +2701,6 @@ check_keys # These keys are immediately published and activated. rollover_predecessor_keytimes 0 check_keytimes - check_apex check_subdomain dnssec_verify @@ -2776,7 +2753,6 @@ syncpub=$(key_get KEY3 SYNCPUBLISH) set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}" set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -2813,7 +2789,6 @@ syncpub=$(key_get KEY3 SYNCPUBLISH) set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}" set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -2854,7 +2829,6 @@ syncpub=$(key_get KEY3 SYNCPUBLISH) set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}" set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -2887,7 +2861,6 @@ syncpub=$(key_get KEY3 SYNCPUBLISH) set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}" set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -2953,7 +2926,6 @@ check_keys # This key is immediately published and activated. csk_rollover_predecessor_keytimes 0 0 check_keytimes - check_apex check_subdomain dnssec_verify @@ -3000,7 +2972,6 @@ set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -3042,7 +3013,6 @@ set_keytime "KEY2" "SYNCPUBLISH" "${created}" set_keytime "KEY2" "ACTIVE" "${created}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" check_keytimes - check_apex # Subdomain still has good signatures of old CSK (KEY1). # Set expected zone signing on for KEY1 and off for KEY2, @@ -3091,7 +3061,6 @@ syncpub=$(key_get KEY2 SYNCPUBLISH) set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -3123,7 +3092,6 @@ syncpub=$(key_get KEY2 SYNCPUBLISH) set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -3161,7 +3129,6 @@ syncpub=$(key_get KEY2 SYNCPUBLISH) set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -3193,7 +3160,6 @@ syncpub=$(key_get KEY2 SYNCPUBLISH) set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -3252,7 +3218,6 @@ check_keys # This key is immediately published and activated. csk_rollover_predecessor_keytimes 0 0 check_keytimes - check_apex check_subdomain dnssec_verify @@ -3339,7 +3304,6 @@ set_keytime "KEY2" "SYNCPUBLISH" "${created}" set_keytime "KEY2" "ACTIVE" "${created}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" check_keytimes - check_apex # Subdomain still has good signatures of old CSK (KEY1). # Set expected zone signing on for KEY1 and off for KEY2, @@ -3385,7 +3349,6 @@ set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -3426,7 +3389,6 @@ set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -3459,7 +3421,6 @@ set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -3516,7 +3477,6 @@ IretKSK=0 IretZSK=0 rollover_predecessor_keytimes 0 check_keytimes - check_apex check_subdomain dnssec_verify @@ -3556,7 +3516,6 @@ Lcsk=0 IretCSK=0 csk_rollover_predecessor_keytimes 0 0 check_keytimes - check_apex check_subdomain dnssec_verify @@ -3610,7 +3569,6 @@ check_keys # These keys are immediately published and activated. rollover_predecessor_keytimes 0 check_keytimes - check_apex check_subdomain dnssec_verify @@ -3673,7 +3631,6 @@ created=$(key_get KEY2 CREATED) set_addkeytime "KEY2" "PUBLISHED" "${created}" -43200 set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 check_keytimes - check_apex check_subdomain dnssec_verify @@ -3736,7 +3693,6 @@ created=$(key_get KEY2 CREATED) set_addkeytime "KEY2" "PUBLISHED" "${created}" -43200 set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 check_keytimes - check_apex check_subdomain dnssec_verify @@ -3756,33 +3712,43 @@ now="$(TZ=UTC date +%s)" time_passed=$((now-start_time)) echo_i "${time_passed} seconds passed between start of tests and reconfig" -# The NSEC record at the apex of the zone and its RRSIG records are -# added as part of the last step in signing a zone. We wait for the -# NSEC records to appear before proceeding with a counter to prevent -# infinite loops if there is a error. -# -n=$((n+1)) -echo_i "waiting for reconfig signing changes to take effect ($n)" -i=0 -while [ $i -lt 30 ] -do +# Wait until we have seen "zone_rekey done:" message for this key. +_wait_for_done_signing() { + _zone=$1 + + _ksk=$(key_get $2 KSK) + _zsk=$(key_get $2 ZSK) + if [ "$_ksk" = "yes" ]; then + _role="KSK" + _expect_type=EXPECT_KRRSIG + elif [ "$_zsk" = "yes" ]; then + _role="ZSK" + _expect_type=EXPECT_ZRRSIG + fi + + if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then + _keyid=$(key_get $2 ID) + _keyalg=$(key_get $2 ALG_STR) + echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}" + grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1 + fi + + return 0 +} + +wait_for_done_signing() { + n=$((n+1)) + echo_i "wait for zone ${ZONE} is done signing ($n)" ret=0 - while read -r zone - do - dig_with_opts "$zone" @10.53.0.6 nsec > "dig.out.ns6.test$n.$zone" || ret=1 - grep "NS SOA" "dig.out.ns6.test$n.$zone" > /dev/null || ret=1 - grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" > /dev/null || ret=1 - done < ns6/zones.2 - i=$((i+1)) - if [ $ret = 0 ]; then break; fi - echo_i "waiting ... ($i)" - sleep 1 -done -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1 -next_key_event_threshold=$((next_key_event_threshold+i)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} # # Testing migration. @@ -3798,6 +3764,7 @@ key_set "KEY1" "LEGACY" "no" key_set "KEY2" "LEGACY" "no" check_keys +wait_for_done_signing rollover_predecessor_keytimes 0 # Key now has lifetime of 60 days (5184000 seconds). @@ -3814,7 +3781,6 @@ set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}" retired=$(key_get KEY2 RETIRED) set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -3864,6 +3830,7 @@ set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "rumoured" check_keys +wait_for_done_signing # KSK must be retired since it no longer matches the policy. # -P : now-3900s @@ -3929,7 +3896,6 @@ set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" retired=$(key_get KEY4 RETIRED) set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -3980,6 +3946,7 @@ set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "hidden" check_keys +wait_for_done_signing # KSK must be retired since it no longer matches the policy. # -P : now-3900s @@ -4045,7 +4012,6 @@ set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" retired=$(key_get KEY4 RETIRED) set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -4121,6 +4087,7 @@ set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "rumoured" check_keys +wait_for_done_signing # The old keys are published and activated. rollover_predecessor_keytimes 0 @@ -4173,7 +4140,6 @@ set_keytime "KEY4" "PUBLISHED" "${created}" set_keytime "KEY4" "ACTIVE" "${created}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -4200,6 +4166,7 @@ set_keystate "KEY3" "STATE_KRRSIG" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "omnipresent" check_keys +wait_for_done_signing # The old keys were activated three hours ago (10800 seconds). rollover_predecessor_keytimes -10800 @@ -4226,7 +4193,6 @@ set_addkeytime "KEY4" "PUBLISHED" "${created}" -10800 set_addkeytime "KEY4" "ACTIVE" "${created}" -10800 check_keytimes - check_apex check_subdomain dnssec_verify @@ -4255,6 +4221,7 @@ set_keystate "KEY3" "STATE_DS" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent" check_keys +wait_for_done_signing # The old keys were activated 9 hours ago (32400 seconds) # and retired 6 hours ago (21600 seconds). @@ -4282,7 +4249,6 @@ set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400 set_addkeytime "KEY4" "ACTIVE" "${created}" -32400 check_keytimes - check_apex check_subdomain dnssec_verify @@ -4312,6 +4278,7 @@ set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" set_keystate "KEY3" "STATE_DS" "omnipresent" check_keys +wait_for_done_signing # The old keys were activated 38 hours ago (136800 seconds) # and retired 35 hours ago (126000 seconds). @@ -4339,7 +4306,6 @@ set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800 set_addkeytime "KEY4" "ACTIVE" "${created}" -136800 check_keytimes - check_apex check_subdomain dnssec_verify @@ -4360,6 +4326,7 @@ set_keystate "KEY1" "STATE_KRRSIG" "hidden" set_keystate "KEY2" "STATE_DNSKEY" "hidden" check_keys +wait_for_done_signing # The old keys were activated 40 hours ago (144000 seconds) # and retired 35 hours ago (133200 seconds). @@ -4387,7 +4354,6 @@ set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000 set_addkeytime "KEY4" "ACTIVE" "${created}" -144000 check_keytimes - check_apex check_subdomain dnssec_verify @@ -4411,6 +4377,7 @@ set_server "ns6" "10.53.0.6" set_keystate "KEY2" "STATE_ZRRSIG" "hidden" check_keys +wait_for_done_signing # The old keys were activated 47 hours ago (169200 seconds) # and retired 34 hours ago (158400 seconds). @@ -4438,7 +4405,6 @@ set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200 set_addkeytime "KEY4" "ACTIVE" "${created}" -169200 check_keytimes - check_apex check_subdomain dnssec_verify @@ -4491,6 +4457,7 @@ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" set_keystate "KEY2" "STATE_DS" "hidden" check_keys +wait_for_done_signing # CSK must be retired since it no longer matches the policy. csk_rollover_predecessor_keytimes 0 0 @@ -4522,7 +4489,6 @@ Ipub=28800 set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -4548,6 +4514,7 @@ set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" check_keys +wait_for_done_signing # The old key was activated three hours ago (10800 seconds). csk_rollover_predecessor_keytimes -10800 -10800 @@ -4565,7 +4532,6 @@ published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -4594,6 +4560,7 @@ set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" set_keystate "KEY2" "STATE_DS" "rumoured" check_keys +wait_for_done_signing # The old key was activated 9 hours ago (10800 seconds) # and retired 6 hours ago (21600 seconds). @@ -4611,7 +4578,6 @@ published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" check_keytimes - check_apex check_subdomain dnssec_verify @@ -4638,6 +4604,7 @@ set_keystate "KEY1" "STATE_DS" "hidden" set_keystate "KEY2" "STATE_DS" "omnipresent" check_keys +wait_for_done_signing # The old key was activated 38 hours ago (136800 seconds) # and retired 35 hours ago (126000 seconds). @@ -4655,7 +4622,6 @@ published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} check_keytimes - check_apex check_subdomain dnssec_verify @@ -4675,6 +4641,7 @@ set_keystate "KEY1" "STATE_DNSKEY" "hidden" set_keystate "KEY1" "STATE_KRRSIG" "hidden" check_keys +wait_for_done_signing # The old key was activated 40 hours ago (144000 seconds) # and retired 37 hours ago (133200 seconds). @@ -4692,7 +4659,6 @@ published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} check_keytimes - check_apex check_subdomain dnssec_verify @@ -4716,6 +4682,7 @@ set_server "ns6" "10.53.0.6" set_keystate "KEY1" "STATE_ZRRSIG" "hidden" check_keys +wait_for_done_signing # The old keys were activated 47 hours ago (169200 seconds) # and retired 44 hours ago (158400 seconds). @@ -4733,7 +4700,6 @@ published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} check_keytimes - check_apex check_subdomain dnssec_verify diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 5cfc2bf4c2..ead79a8f76 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -19591,7 +19591,7 @@ zone_rekey(dns_zone_t *zone) { /* * Clear fullsign flag, if it was set, so we don't do - * another full signing next time + * another full signing next time. */ DNS_ZONEKEY_CLROPTION(zone, DNS_ZONEKEY_FULLSIGN); @@ -19709,6 +19709,19 @@ zone_rekey(dns_zone_t *zone) { } UNLOCK_ZONE(zone); + if (isc_log_wouldlog(dns_lctx, ISC_LOG_DEBUG(3))) { + for (key = ISC_LIST_HEAD(dnskeys); key != NULL; + key = ISC_LIST_NEXT(key, link)) { + /* This debug log is used in the kasp system test */ + char algbuf[DNS_SECALG_FORMATSIZE]; + dns_secalg_format(dst_key_alg(key->key), algbuf, + sizeof(algbuf)); + dnssec_log(zone, ISC_LOG_DEBUG(3), + "zone_rekey done: key %d/%s", + dst_key_id(key->key), algbuf); + } + } + result = ISC_R_SUCCESS; failure: