Move nsec3-change.kasp test to separate module

This zone has a specific corner case to be tested during the setup.
Move it to a separate module so that the shared setup fixture in the original module is less convoluted.
This commit is contained in:
Matthijs Mekking 2025-11-14 16:31:42 +01:00
parent 7762b2391e
commit 9ee62467a6
2 changed files with 103 additions and 56 deletions


@ -0,0 +1,101 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# pylint: disable=redefined-outer-name,unused-import
import os
import shutil
import time
import dns.update
import pytest
pytest.importorskip("dns", minversion="2.0.0")
import isctest
import isctest.mark
from isctest.vars.algorithms import RSASHA1
from nsec3.common import (
ALGORITHM,
SIZE,
default_config,
pytestmark,
check_nsec3_case,
)
@pytest.fixture(scope="module", autouse=True)
def after_servers_start(ns3, templates):
def check_soa_update():
query = isctest.query.create(fqdn, dns.rdatatype.SOA)
response = isctest.query.tcp(query, ns3.ip, attempts=1, timeout=2)
rrset = response.get_rrset(
response.answer,
dns.name.from_text(fqdn),
dns.rdataclass.IN,
dns.rdatatype.SOA,
)
return rrset[0].minimum == 900
nsdir = ns3.identifier
zone = "nsec3-change.kasp"
fqdn = f"{zone}."
isctest.kasp.wait_keymgr_done(ns3, zone)
shutil.copyfile(f"{nsdir}/template2.db.in", f"{nsdir}/{zone}.db")
ns3.rndc(f"reload {zone}")
isctest.run.retry_with_timeout(check_soa_update, timeout=10)
# After reconfig, the NSEC3PARAM TTL should match the new SOA MINIMUM.
# Reconfigure.
templates.render(f"{nsdir}/named-fips.conf", {"reconfiged": True})
templates.render(f"{nsdir}/named-rsasha1.conf", {"reconfiged": True})
# Wait for the NSEC3 chain is finished rebuilding.
messages = [
f"zone {zone}/IN (signed): generated salt",
f"zone_nsec3chain: zone {zone}/IN (signed): enter",
f"add {zone}. 900 IN NSEC3PARAM 1 0 0",
f"zone_needdump: zone {zone}/IN (signed): enter",
]
with ns3.watch_log_from_start() as watcher:
ns3.reconfigure()
watcher.wait_for_sequence(messages)
def test_nsec3_case(ns3):
# Get test parameters.
params = {
"zone": "nsec3-change.kasp",
"policy": "nsec3",
"soa-minimum": 900,
"nsec3param": {
"optout": 1,
"salt-length": 8,
},
"key-properties": [
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
}
zone = params["zone"]
# First make sure the zone is properly signed.
isctest.kasp.wait_keymgr_done(ns3, zone, reconfig=True)
# Test case.
check_nsec3_case(ns3, params)
# Using rndc signing -nsec3param (should fail)
isctest.log.info(f"use rndc signing -nsec3param {zone} to change NSEC3 settings")
response = ns3.rndc(f"signing -nsec3param 1 1 12 ffff {zone}")
assert "zone uses dnssec-policy, use rndc dnssec command instead" in response
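Review bot: The negative check that closes `test_nsec3_case` only asserts on the rndc error text; it never confirms that the refused `rndc signing -nsec3param 1 1 12 ffff` left the zone's NSEC3PARAM untouched, so a regression that prints the refusal but still applies the new parameters would pass. Re-running the already-imported helper after the assert closes that gap with one line: `check_nsec3_case(ns3, params)`. In the fixture, `check_soa_update` indexes `rrset[0]` without guarding against `get_rrset` returning `None`, so a response with no SOA in the answer section raises instead of returning False; whether `retry_with_timeout` treats an exception as a retry is not visible here, so `return rrset is not None and rrset[0].minimum == 900` is the safer form. The result of `ns3.rndc(f"reload {zone}")` is also discarded, whereas the later `rndc signing` call is asserted on; checking it would fail fast on a reload error instead of at the 10 s SOA timeout. Separately, `os`, `time`, `RSASHA1` and `isctest.mark` appear unused in the new module and look carried over from the original, which the `# pylint: disable=unused-import` header now hides.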


@ -33,36 +33,6 @@ from nsec3.common import (
@pytest.fixture(scope="module", autouse=True)
def after_servers_start(ns3, templates):
def wait_for_soa_update():
match = "20 20 1814400 900"
for _ in range(5):
query = isctest.query.create(fqdn, dns.rdatatype.SOA)
response = isctest.query.tcp(query, ns3.ip)
rrset = response.get_rrset(
response.answer,
dns.name.from_text(fqdn),
dns.rdataclass.IN,
dns.rdatatype.SOA,
)
if match in str(rrset[0]):
return True
return False
nsdir = ns3.identifier
# Extra test for nsec3-change.kasp.
zone = "nsec3-change.kasp"
fqdn = f"{zone}."
isctest.kasp.wait_keymgr_done(ns3, zone)
shutil.copyfile(f"{nsdir}/template2.db.in", f"{nsdir}/{zone}.db")
ns3.rndc(f"reload {zone}")
isctest.run.retry_with_timeout(wait_for_soa_update, timeout=5)
# After reconfig, the NSEC3PARAM TTL should match the new SOA MINIMUM.
# Ensure rsasha1-to-nsec3-wait.kasp is fully signed prior to reconfig.
with_rsasha1 = "RSASHA1_SUPPORTED"
assert with_rsasha1 in os.environ, f"{with_rsasha1} env variable undefined"
@ -71,8 +41,8 @@ def after_servers_start(ns3, templates):
isctest.kasp.check_dnssec_verify(ns3, zone)
# Reconfigure.
templates.render(f"{nsdir}/named-fips.conf", {"reconfiged": True})
templates.render(f"{nsdir}/named-rsasha1.conf", {"reconfiged": True})
templates.render(f"{ns3.identifier}/named-fips.conf", {"reconfiged": True})
templates.render(f"{ns3.identifier}/named-rsasha1.conf", {"reconfiged": True})
ns3.reconfigure()
@ -182,21 +152,6 @@ def test_nsec_case(ns3, params):
},
id="nsec3-dynamic.kasp",
),
pytest.param(
{
"zone": "nsec3-change.kasp",
"policy": "nsec3",
"soa-minimum": 900,
"nsec3param": {
"optout": 1,
"salt-length": 8,
},
"key-properties": [
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-change.kasp",
),
pytest.param(
{
"zone": "nsec3-dynamic-change.kasp",
@ -287,15 +242,6 @@ def test_nsec3_case(ns3, params):
# Test case.
check_nsec3_case(ns3, params)
# Extra test for nsec3-change.kasp.
if zone == "nsec3-change.kasp":
# Using rndc signing -nsec3param (should fail)
isctest.log.info(
f"use rndc signing -nsec3param {zone} to change NSEC3 settings"
)
response = ns3.rndc(f"signing -nsec3param 1 1 12 ffff {zone}")
assert "zone uses dnssec-policy, use rndc dnssec command instead" in response
def test_nsec3_ent(ns3, templates):
# Zone: nsec3-ent.kasp (regression test for #5108)
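Review bot: The comment `# After reconfig, the NSEC3PARAM TTL should match the new SOA MINIMUM.` in `after_servers_start` describes the nsec3-change.kasp corner case this commit moves out; the rendered hunk does not make clear whether it was kept, but if it survives it now sits between the RSASHA1 environment check and the reconfigure with nothing nearby that changes the SOA minimum, and should go with the removed block. With the same `{"reconfiged": True}` rendering of `named-fips.conf`/`named-rsasha1.conf` plus `ns3.reconfigure()` now performed by two module-scoped autouse fixtures, the split is only safe if each module gets its own ns3 instance; if the server were shared across modules, the second fixture would reconfigure an already reconfigured server, which would also skew the new module's `watch_log_from_start` sequence. If `shutil` and the SOA query helpers were only used by the removed block, the old module's import block (outside these hunks) should be pruned as well. `after_servers_start` continues past the first hunk and `test_nsec3_case` begins before the last one.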