From 6d72f5ba416f4e49d502d7d53703c504e867b236 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 3 Jun 2025 14:38:28 +0200
Subject: [PATCH] Test purge-keys with views
Create a test scenario where a signed zone is in multiple views and then a key may be purged. This is a bug case where the key files are removed by one view and then the other view starts complaining. Note: This commit was manually modified because 9.18 does not have pytest based kasp system tests. The test was translated to a shell script style test case. (cherry picked from commit 752d8617f558130cc552cae0e903aca318a3ef02)
---
 bin/tests/system/kasp/ns4/named.conf.in | 16 +++++++++++++
 bin/tests/system/kasp/ns4/purgekeys1.conf | 28 +++++++++++++++++++++++
 bin/tests/system/kasp/ns4/purgekeys2.conf | 21 +++++++++++++++++
 bin/tests/system/kasp/ns4/setup.sh | 19 +++++++++++++++
 bin/tests/system/kasp/tests.sh | 27 ++++++++++++++++++++++
 bin/tests/system/kasp/tests_sh_kasp.py | 2 ++
 6 files changed, 113 insertions(+)
 create mode 100644 bin/tests/system/kasp/ns4/purgekeys1.conf
 create mode 100644 bin/tests/system/kasp/ns4/purgekeys2.conf
diff --git a/bin/tests/system/kasp/ns4/named.conf.in b/bin/tests/system/kasp/ns4/named.conf.in
index 459ea73a89..67d89fe82f 100644
--- a/bin/tests/system/kasp/ns4/named.conf.in
+++ b/bin/tests/system/kasp/ns4/named.conf.in
@@ -13,6 +13,8 @@
 // NS4
+include "purgekeys.conf";
+
 key rndc_key {
 secret "1234abcd8765";
 algorithm @DEFAULT_HMAC@;
@@ -157,6 +159,13 @@ view "example1" {
 type primary;
 file "example1.db";
 };
+
+ zone "purgekeys.kasp" {
+ type primary;
+ file "purgekeys.kasp.example1.db";
+ dnssec-policy "purgekeys";
+ inline-signing yes;
+ };
 };
 view "example2" {
@@ -167,6 +176,13 @@ view "example2" {
 file "example2.db";
 inline-signing yes;
 };
+
+ zone "purgekeys.kasp" {
+ type primary;
+ file "purgekeys.kasp.example2.db";
+ dnssec-policy "purgekeys";
+ inline-signing yes;
+ };
 };
 view "example3" {
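Review bot: The two `zone "purgekeys.kasp"` blocks added to views example1 and example2 give no hint that signing the same zone twice is the point of the scenario, so the duplicated `dnssec-policy "purgekeys"` lines read like a copy-paste rather than the GL #5315 regression condition. From setup.sh the zone gets one key set generated in ns4/, which both views presumably pick up through the same key-directory; that shared key set is what lets a purge in one view remove files the other view still expects. I would say so above the example1 zone: `// purgekeys.kasp is served by both example1 and example2 from one shared key set; regression test for GL #5315 (a key purged by one view must not break the other).` and put a one-line pointer on the example2 copy. The `include "purgekeys.conf";` in the first hunk could likewise note that tests.sh replaces the included file before reconfig.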
diff --git a/bin/tests/system/kasp/ns4/purgekeys1.conf b/bin/tests/system/kasp/ns4/purgekeys1.conf
new file mode 100644
index 0000000000..9845c8936c
--- /dev/null
+++ b/bin/tests/system/kasp/ns4/purgekeys1.conf
@@ -0,0 +1,28 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "purgekeys" {
+ keys {
+ ksk key-directory lifetime 0 algorithm 13;
+ zsk key-directory lifetime P30D algorithm 13;
+ };
+ /*
+ * Initially set to 0, so no keys are purged. Keys that are no longer
+ * in use will still be in the zone's keyring, one per view. After
+ * reconfig the purge-keys value is set to 7 days, at least one key
+ * will be eligible for purging, and should be purged from both
+ * keyrings without issues.
+ */
+ purge-keys 0;
+ //purge-keys P7D;
+};
diff --git a/bin/tests/system/kasp/ns4/purgekeys2.conf b/bin/tests/system/kasp/ns4/purgekeys2.conf
new file mode 100644
index 0000000000..62376c1fd7
--- /dev/null
+++ b/bin/tests/system/kasp/ns4/purgekeys2.conf
@@ -0,0 +1,21 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "purgekeys" {
+ keys {
+ ksk key-directory lifetime 0 algorithm 13;
+ zsk key-directory lifetime P30D algorithm 13;
+ };
+ //purge-keys 0;
+ purge-keys P7D;
+};
diff --git a/bin/tests/system/kasp/ns4/setup.sh b/bin/tests/system/kasp/ns4/setup.sh
index c488bc4588..2b1c9d7944 100644
--- a/bin/tests/system/kasp/ns4/setup.sh
+++ b/bin/tests/system/kasp/ns4/setup.sh
@@ -30,3 +30,22 @@ done
 cp example1.db.in example1.db
 cp example2.db.in example2.db
+
+# Regression test for GL #5315
+cp purgekeys1.conf purgekeys.conf
+cp example1.db.in purgekeys.kasp.example1.db
+cp example2.db.in purgekeys.kasp.example2.db
+
+zone="purgekeys.kasp"
+H="HIDDEN"
+O="OMNIPRESENT"
+T="now-9mo"
+# KSK omnipresent
+KSK=$($KEYGEN -fk -a 13 -L 3600 $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+# ZSK omnipresent
+ZSK1=$($KEYGEN -a 13 -L 3600 $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK1" >settime.out.$zone.2 2>&1
+# ZSK hidden (may be purged)
+ZSK2=$($KEYGEN -a 13 -L 3600 $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $H $T -z $H $T "$ZSK2" >settime.out.$zone.2 2>&1
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index ceb4e3b80a..9f3c6823c0 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
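Review bot: purgekeys2.conf carries none of the explanation that purgekeys1.conf has, although it is the file tests.sh copies over purgekeys.conf before `rndc reconfig`, and its `keys` block has to stay identical to purgekeys1.conf, otherwise the reconfig could also trigger key changes and the check would no longer isolate purge-keys. A short header after the license would record that: `/* Reconfig variant of purgekeys1.conf: only purge-keys differs (P7D instead of 0). Keep the keys block identical so the reconfig changes nothing but purging. */`. The same constraint could be added to the existing comment in purgekeys1.conf.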
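Review bot: The ZSK2 lines reuse the `.2` output names of ZSK1, so `keygen.out.$zone.2` and `settime.out.$zone.2` are overwritten and the diagnostics for the omnipresent ZSK are lost when the test has to be debugged; they should read `ZSK2=$($KEYGEN -a 13 -L 3600 $zone 2>keygen.out.$zone.3)` and `$SETTIME -s -g $H -k $H $T -z $H $T "$ZSK2" >settime.out.$zone.3 2>&1`. The hidden ZSK is the key the test expects to be purged, so its generation output is the file most worth keeping intact. It would also help to extend the `# ZSK hidden (may be purged)` comment with why `T="now-9mo"` was chosen, presumably so the key's hidden state predates the P7D purge-keys interval that purgekeys2.conf switches on.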
@@ -2105,6 +2105,33 @@ check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
+#
+# Test purge-keys in combination with views [GL #5315].
+#
+set_zone "purgekeys.kasp"
+set_policy "purgekeys" "2" "3600"
+set_server "ns4" "10.53.0.4"
+
+TSIG="$DEFAULT_HMAC:keyforview1:$VIEW1"
+wait_for_nsec
+dnssec_verify
+
+TSIG="$DEFAULT_HMAC:keyforview2:$VIEW2"
+wait_for_nsec
+dnssec_verify
+
+# Reconfig, make sure the purged key is not an issue when verifying keys.
+cp ns4/purgekeys2.conf ns4/purgekeys.conf || ret=1
+nextpart ns4/named.run >/dev/null
+rndccmd 10.53.0.4 reconfig || ret=1
+wait_for_log 3 "keymgr: $ZONE done" ns4/named.run || ret=1
+
+grep "zone $ZONE/IN/example1 (signed): zone_rekey:zone_verifykeys failed: some key files are missing" ns4/named.run && ret=1
+grep "zone $ZONE/IN/example2 (signed): zone_rekey:zone_verifykeys failed: some key files are missing" ns4/named.run && ret=1
+
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 # Clear TSIG.
 TSIG=""
diff --git a/bin/tests/system/kasp/tests_sh_kasp.py b/bin/tests/system/kasp/tests_sh_kasp.py
index fa7a7f64bd..022aa6b324 100644
--- a/bin/tests/system/kasp/tests_sh_kasp.py
+++ b/bin/tests/system/kasp/tests_sh_kasp.py
@@ -58,6 +58,8 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns*/*.zsk2",
 "ns3/legacy-keys.*",
 "ns3/dynamic-signed-inline-signing.kasp.db.signed.signed",
+ "ns4/purgekeys.conf",
+ "ns4/purgekeys2.conf",
 ]
 )
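Review bot: The new block never resets `ret` and never increments `n`: `ret` still holds the result of the check that ends just above it (`status=$((status + ret))`), so a failure there is counted twice and the `|| ret=1` chain in this block cannot report its own outcome, and the helpers called here (`wait_for_nsec`, `dnssec_verify`, defined outside the hunk) appear to key their output files on `$n`, as the `dig.out.$DIR.test$n.txt` in the hunk header suggests, so they would overwrite the previous check's files. Following the pattern of the other checks in this file, insert before the first `TSIG=` line: `n=$((n + 1))`, `echo_i "check purge-keys with views for zone $ZONE ($n)"`, `ret=0`. Separately, `wait_for_log 3 "keymgr: $ZONE done"` returns as soon as one view logs completion, so the negative grep for the other view can run before that view's rekey has happened and pass vacuously; if the logged line carries the view name, waiting for both views would close that window.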
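Review bot: `"ns4/purgekeys2.conf"` is added to extra_artifacts although this commit creates it as a tracked file (see the `create mode` line in the diffstat), while the equally tracked `ns4/purgekeys1.conf` is not listed; only `ns4/purgekeys.conf`, produced by setup.sh and overwritten by tests.sh, is a genuine artifact. If extra_artifacts drives the post-run cleanup, the tracked purgekeys2.conf would be deleted after the first run, which would be a leftover from the pytest-based original this was cherry-picked from; if the list only suppresses untracked-file reports, the entry is merely inconsistent. Either way I would keep just `"ns4/purgekeys.conf",` unless purgekeys2.conf is meant to be generated at run time.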