Fix nsec3 system test

The nsec3 system test has a couple of cases where the configured policy
changes the algorithm, effectively triggering an algorithm rollover. Fix
those cases to start in a valid DNSSEC state. Then fix the expected key
states: the old algorithm should no longer be removed immediately.
This commit is contained in:
Matthijs Mekking 2025-08-04 13:09:12 +02:00
parent c756b8a505
commit a8339be0f8
4 changed files with 30 additions and 31 deletions


@ -25,7 +25,7 @@ dnssec-policy "rsasha1" {
{% if "rsasha1-to-nsec3.kasp" in zones %}
/*
* This zone starts with NSEC, but will be reconfigured to use NSEC3.
* This should work despite the incompatible RSAHSHA1 algorithm,
* This should work despite the incompatible RSASHA1 algorithm,
* because the DS is still in hidden state.
*/
zone "rsasha1-to-nsec3.kasp" {
@ -51,7 +51,7 @@ zone "rsasha1-to-nsec3-wait.kasp" {
{% if "nsec3-to-rsasha1.kasp" in zones %}
/*
* This zone starts with NSEC3, but will be reconfigured to use NSEC with an
* NSEC only algorithm. This should work despite the incompatible RSAHSHA1
* NSEC only algorithm. This should work despite the incompatible RSASHA1
* algorithm, because the DS is still in hidden state.
*/
zone "nsec3-to-rsasha1.kasp" {


@ -31,24 +31,23 @@ for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
done
if [ $RSASHA1_SUPPORTED = 1 ]; then
for zn in rsasha1-to-nsec3 rsasha1-to-nsec3-wait nsec3-to-rsasha1 \
nsec3-to-rsasha1-ds; do
setup "${zn}.kasp"
done
longago="now-1y"
keytimes="-P ${longago} -A ${longago}"
keytimes="-P ${longago} -A ${longago} -P sync ${longago}"
O="omnipresent"
zone="rsasha1-to-nsec3-wait.kasp"
CSK=$($KEYGEN -k "rsasha1" -l named.conf $keytimes $zone 2>keygen.out.$zone)
echo_i "Created key file $CSK"
$SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" >settime.out.$zone 2>&1
for zn in nsec3-to-rsasha1 nsec3-to-rsasha1-ds; do
setup "${zn}.kasp"
CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone)
$SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" >settime.out.$zone 2>&1
cat $CSK.key >>$zonefile
done
zone="nsec3-to-rsasha1-ds.kasp"
CSK=$($KEYGEN -k "default" -l named.conf $keytimes $zone 2>keygen.out.$zone)
echo_i "Created key file $CSK"
$SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" >settime.out.$zone 2>&1
for zn in rsasha1-to-nsec3 rsasha1-to-nsec3-wait; do
setup "${zn}.kasp"
CSK=$($KEYGEN -k "rsasha1" -l named.conf $keytimes $zone 2>keygen.out.$zone)
$SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" >settime.out.$zone 2>&1
cat $CSK.key >>$zonefile
done
else
echo_i "skip: skip rsasha1 zones - signing with RSASHA1 not supported"
fi
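Review bot: In the two new `for zn in …` loops nothing checks that `$KEYGEN` succeeded: the per-zone lines they replace at least printed `echo_i "Created key file $CSK"`, but the loops drop that, so a failed keygen leaves `$CSK` empty and `$SETTIME` and `cat $CSK.key >>$zonefile` quietly operate on an empty name while the test proceeds with a zone that lacks its pre-signed key. Keep the log line and fail loudly after each `CSK=$(…)`, e.g. `[ -n "$CSK" ] || { echo_i "failed to generate key for $zone"; exit 1; }` (or however this script reports setup failures). Both loops also read `$zone` and `$zonefile` rather than `$zn`, which presumably relies on `setup` assigning them; a one-line comment saying so would save the next reader a lookup. The `for zn in nsec-to-nsec3 …` loop closed at the top of the hunk begins outside it.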


@ -81,7 +81,7 @@ def bootstrap():
"zone": "rsasha1-to-nsec3.kasp",
"policy": "rsasha1",
"key-properties": [
f"csk 0 {RSASHA1.number} 2048 goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
f"csk 0 {RSASHA1.number} 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
],
},
id="rsasha1-to-nsec3.kasp",
@ -162,7 +162,7 @@ def test_nsec_case(ns3, params):
"zone": "nsec3-to-rsasha1.kasp",
"policy": "nsec3",
"key-properties": [
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
],
},
id="nsec3-to-rsasha1.kasp",


@ -92,6 +92,18 @@ def after_servers_start(ns3, templates):
@pytest.mark.parametrize(
"params",
[
pytest.param(
{
"zone": "rsasha1-to-nsec3.kasp",
"policy": "nsec3",
"key-properties": [
f"csk 0 {RSASHA1.number} 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="rsasha1-to-nsec3.kasp",
marks=isctest.mark.with_algorithm("RSASHA1"),
),
pytest.param(
{
"zone": "rsasha1-to-nsec3-wait.kasp",
@ -109,7 +121,7 @@ def after_servers_start(ns3, templates):
"zone": "nsec3-to-rsasha1.kasp",
"policy": "rsasha1",
"key-properties": [
f"csk 0 {ALGORITHM} {SIZE} goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:unretentive ds:hidden",
f"csk 0 {ALGORITHM} {SIZE} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
f"csk 0 {RSASHA1.number} 2048 goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
@ -163,18 +175,6 @@ def test_nsec_case(ns3, params):
},
id="nsec-to-nsec3.kasp",
),
pytest.param(
{
"zone": "rsasha1-to-nsec3.kasp",
"policy": "nsec3",
"key-properties": [
f"csk 0 {RSASHA1.number} 2048 goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:unretentive ds:hidden",
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="rsasha1-to-nsec3.kasp",
marks=isctest.mark.with_algorithm("RSASHA1"),
),
pytest.param(
{
"zone": "nsec3.kasp",
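Review bot: The relocated `rsasha1-to-nsec3.kasp` param and the changed `nsec3-to-rsasha1.kasp` line now expect the outgoing CSK at `goal:hidden` yet still `dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent`, and nothing in the test says why a key being retired is expected to stay fully published. A short comment on each of those params would keep the next person from "fixing" it back to `unretentive`, e.g. `# Algorithm rollover: the outgoing key stays published until the new algorithm's DNSKEY and RRSIGs are omnipresent; withdrawing it earlier could leave validators without a valid chain for the old DS.` The deletion in `test_nsec_case` is a pure move of that param into `after_servers_start`, so the two halves of the rollover are presumably meant to be read together there. The parametrize list these hunks sit in continues outside them.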