From 7718baa3636c45a47b3bca2f70ec3aef26c04561 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Tue, 8 Jul 2025 15:26:09 +0200 Subject: [PATCH 1/2] Add nsX fixtures to system tests Many of our test cases only use a single NamedInstance from the `servers` fixture. Introduce `nsX` helper fixtures to simplify these tests and reduce boilterplate code further. Specifically, the test no longer has to either define its own variable to extract a single server from the list, or use the longer servers["nsX"] syntax. While this may seem minor, the amount of times it is repeated across the tests justifies the change. It also promotes using more explicit server identification, i.e. `nsX`, rather than generic `server`. This also improves the clarity of the tests and may be helpful in traceback during debugging as well. (cherry picked from commit fe5534291699572e67ad4a854b412e40c524307a) --- .../system/addzone/tests_rndc_deadlock.py | 3 +- bin/tests/system/checkds/tests_checkds.py | 8 +- bin/tests/system/conftest.py | 50 ++++ bin/tests/system/database/tests_database.py | 6 +- .../system/emptyzones/tests_emptyzones.py | 7 +- bin/tests/system/kasp/tests_kasp.py | 218 ++++++++---------- bin/tests/system/keepalive/tests_keepalive.py | 6 +- bin/tests/system/ksr/tests_ksr.py | 28 +-- .../tests_mirror_root_zone.py | 5 +- bin/tests/system/nzd2nzf/tests_nzd2nzf.py | 14 +- bin/tests/system/rfc5011/tests_rfc5011.py | 6 +- .../tests_rollover_algo_csk_initial.py | 4 +- .../tests_rollover_algo_csk_reconfig.py | 28 +-- .../tests_rollover_algo_ksk_zsk_initial.py | 4 +- .../tests_rollover_algo_ksk_zsk_reconfig.py | 28 +-- .../tests_rollover_csk_roll1.py | 32 +-- .../tests_rollover_csk_roll2.py | 28 +-- .../tests_rollover_dynamic2inline.py | 8 +- .../tests_rollover_enable_dnssec.py | 16 +- .../tests_rollover_going_insecure_initial.py | 4 +- .../tests_rollover_going_insecure_reconfig.py | 12 +- .../tests_rollover_three_is_a_crowd.py | 15 +- .../tests_rollover_ksk_doubleksk.py | 24 +- .../tests_rollover_lifetime_initial.py | 4 +- .../tests_rollover_lifetime_reconfig.py | 8 +- .../tests_rollover_multisigner.py | 39 ++-- .../tests_rollver_straight2none_initial.py | 4 +- .../tests_rollver_straight2none_reconfig.py | 8 +- .../tests_rollover_zsk_prepublication.py | 24 +- .../system/rollover/tests_rollover_manual.py | 51 ++-- bin/tests/system/spf/tests_spf_zones.py | 6 +- bin/tests/system/stub/tests_stub.py | 6 +- .../system/tsig/tests_tsig_hypothesis.py | 3 +- bin/tests/system/xferquota/tests_xferquota.py | 6 +- 34 files changed, 359 insertions(+), 354 deletions(-) diff --git a/bin/tests/system/addzone/tests_rndc_deadlock.py b/bin/tests/system/addzone/tests_rndc_deadlock.py index 3b987d3912..fd2c9d5897 100755 --- a/bin/tests/system/addzone/tests_rndc_deadlock.py +++ b/bin/tests/system/addzone/tests_rndc_deadlock.py @@ -59,13 +59,12 @@ def check_if_server_is_responsive(ns3): return False -def test_rndc_deadlock(servers): +def test_rndc_deadlock(ns3): """ Test whether running "rndc addzone", "rndc modzone", and "rndc delzone" commands concurrently does not trigger a deadlock """ test_state = {"finished": False} - ns3 = servers["ns3"] # Create 4 worker threads running "rndc" commands in a loop. with concurrent.futures.ThreadPoolExecutor() as executor: diff --git a/bin/tests/system/checkds/tests_checkds.py b/bin/tests/system/checkds/tests_checkds.py index 163c4cc150..edc7d13abd 100755 --- a/bin/tests/system/checkds/tests_checkds.py +++ b/bin/tests/system/checkds/tests_checkds.py @@ -462,16 +462,16 @@ checkds_tests = ( @pytest.mark.parametrize("params", checkds_tests, ids=lambda t: t.zone) -def test_checkds(servers, params): +def test_checkds(ns2, ns9, params): # Wait until the provided zone is signed and then verify its DNSSEC data. - zone_check(servers["ns9"], params.zone) + zone_check(ns9, params.zone) # Wait up to 10 seconds until all the expected log lines are found in the # log file for the provided server. Rekey every second if necessary. time_remaining = 10 for log_string in params.logs_to_wait_for: line = f"zone {params.zone}/IN (signed): checkds: {log_string}" - while line not in servers["ns9"].log: + while line not in ns9.log: rekey(params.zone) time_remaining -= 1 assert time_remaining, f'Timed out waiting for "{log_string}" to be logged' @@ -479,4 +479,4 @@ def test_checkds(servers, params): # Check whether key states on the parent server provided match # expectations. - keystate_check(servers["ns2"], params.zone, params.expected_parent_state) + keystate_check(ns2, params.zone, params.expected_parent_state) diff --git a/bin/tests/system/conftest.py b/bin/tests/system/conftest.py index 7f3c0eb0fb..d5a50ecbd6 100644 --- a/bin/tests/system/conftest.py +++ b/bin/tests/system/conftest.py @@ -634,3 +634,53 @@ def servers(system_test_dir): except ValueError: continue return instances + + +@pytest.fixture(scope="module") +def ns1(servers): + return servers["ns1"] + + +@pytest.fixture(scope="module") +def ns2(servers): + return servers["ns2"] + + +@pytest.fixture(scope="module") +def ns3(servers): + return servers["ns3"] + + +@pytest.fixture(scope="module") +def ns4(servers): + return servers["ns4"] + + +@pytest.fixture(scope="module") +def ns5(servers): + return servers["ns5"] + + +@pytest.fixture(scope="module") +def ns6(servers): + return servers["ns6"] + + +@pytest.fixture(scope="module") +def ns7(servers): + return servers["ns7"] + + +@pytest.fixture(scope="module") +def ns8(servers): + return servers["ns8"] + + +@pytest.fixture(scope="module") +def ns9(servers): + return servers["ns9"] + + +@pytest.fixture(scope="module") +def ns10(servers): + return servers["ns10"] diff --git a/bin/tests/system/database/tests_database.py b/bin/tests/system/database/tests_database.py index 476b81da95..0e4fd9be79 100644 --- a/bin/tests/system/database/tests_database.py +++ b/bin/tests/system/database/tests_database.py @@ -14,7 +14,7 @@ import isctest import dns.message -def test_database(servers, templates): +def test_database(ns1, templates): msg = dns.message.make_query("database.", "SOA") # checking pre reload zone @@ -28,8 +28,8 @@ def test_database(servers, templates): ) templates.render("ns1/named.conf", {"rname": "marka.isc.org."}) - with servers["ns1"].watch_log_from_here() as watcher: - servers["ns1"].rndc("reload") + with ns1.watch_log_from_here() as watcher: + ns1.rndc("reload") watcher.wait_for_line("all zones loaded") # checking post reload zone diff --git a/bin/tests/system/emptyzones/tests_emptyzones.py b/bin/tests/system/emptyzones/tests_emptyzones.py index 7a8d3966bd..c478139395 100644 --- a/bin/tests/system/emptyzones/tests_emptyzones.py +++ b/bin/tests/system/emptyzones/tests_emptyzones.py @@ -14,10 +14,11 @@ import dns.message import isctest -def test_emptyzones(servers, templates): +def test_emptyzones(ns1, templates): # check that switching to automatic empty zones works - ns1 = servers["ns1"] - ns1.rndc("reload") + with ns1.watch_log_from_here() as watcher: + ns1.rndc("reload") + watcher.wait_for_line("all zones loaded") templates.render("ns1/named.conf", {"automatic_empty_zones": True}) ns1.rndc("reload") msg = dns.message.make_query("version.bind", "TXT", "CH") diff --git a/bin/tests/system/kasp/tests_kasp.py b/bin/tests/system/kasp/tests_kasp.py index 039b302801..4e6eda8d82 100644 --- a/bin/tests/system/kasp/tests_kasp.py +++ b/bin/tests/system/kasp/tests_kasp.py @@ -633,11 +633,10 @@ def cb_remove_keyfiles(params, ksks=None, zsks=None): ), ], ) -def test_kasp_case(servers, params): +def test_kasp_case(servers, ns3, params): # Test many different configurations and expected keys and states after # initial startup. - server = servers["ns3"] - keydir = server.identifier + keydir = ns3.identifier # Get test parameters. zone = params["zone"] @@ -660,7 +659,7 @@ def test_kasp_case(servers, params): isctest.log.info(f"check test case zone {zone} policy {policy}") # First make sure the zone is signed. - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) # Key properties. expected = isctest.kasp.policy_to_properties(ttl=ttl, keys=params["key-properties"]) @@ -678,7 +677,7 @@ def test_kasp_case(servers, params): ksks = [k for k in keys if k.is_ksk()] zsks = [k for k in keys if not k.is_ksk()] - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) isctest.kasp.check_keys(zone, keys, expected) offset = params["offset"] if "offset" in params else None @@ -691,7 +690,7 @@ def test_kasp_case(servers, params): if "rumoured" not in params: isctest.kasp.check_keytimes(keys, expected) - check_all(server, zone, policy, ksks, zsks, zsk_missing=zsk_missing) + check_all(ns3, zone, policy, ksks, zsks, zsk_missing=zsk_missing) if "additional-tests" in params: params["servers"] = servers @@ -774,26 +773,25 @@ def test_kasp_inherit_signed(zone, policy, server_id, alg, tsig_kind, servers): param("3", "no", "yes", "view2"), ], ) -def test_kasp_inherit_view(number, dynamic, inline_signing, txt_rdata, servers): +def test_kasp_inherit_view(number, dynamic, inline_signing, txt_rdata, ns4): zone = "example.net" policy = "test" - server = servers["ns4"] view = f"example{number}" tsig = f"{os.environ['DEFAULT_HMAC']}:keyforview{number}:{KASP_INHERIT_TSIG_SECRET[f'view{number}']}" key1 = KeyProperties.default() key1.metadata["Algorithm"] = ECDSAP384SHA384.number key1.metadata["Length"] = ECDSAP384SHA384.bits - keys = isctest.kasp.keydir_to_keylist(zone, server.identifier) + keys = isctest.kasp.keydir_to_keylist(zone, ns4.identifier) - isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig) + isctest.kasp.check_dnssec_verify(ns4, zone, tsig=tsig) isctest.kasp.check_keys(zone, keys, [key1]) set_keytimes_default_policy(key1) isctest.kasp.check_keytimes(keys, [key1]) - isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy, view=view) - isctest.kasp.check_apex(server, zone, keys, [], tsig=tsig) + isctest.kasp.check_dnssecstatus(ns4, zone, keys, policy=policy, view=view) + isctest.kasp.check_apex(ns4, zone, keys, [], tsig=tsig) # check zonestatus - response = server.rndc(f"zonestatus {zone} in {view}", log=False) + response = ns4.rndc(f"zonestatus {zone} in {view}", log=False) assert f"dynamic: {dynamic}" in response assert f"inline signing: {inline_signing}" in response # check subdomain @@ -806,9 +804,9 @@ def test_kasp_inherit_view(number, dynamic, inline_signing, txt_rdata, servers): keyring = dns.tsig.Key(tsigkey[1], tsigkey[2], tsigkey[0]) query.use_tsig(keyring) try: - response = isctest.query.tcp(query, server.ip, server.ports.dns, timeout=3) + response = isctest.query.tcp(query, ns4.ip, ns4.ports.dns, timeout=3) except dns.exception.Timeout: - isctest.log.debug(f"query timeout for query {qname} {qtype} to {server.ip}") + isctest.log.debug(f"query timeout for query {qname} {qtype} to {ns4.ip}") response = None assert response.rcode() == dns.rcode.NOERROR match = f'{qname} 300 IN TXT "{rdata}"' @@ -824,9 +822,7 @@ def test_kasp_inherit_view(number, dynamic, inline_signing, txt_rdata, servers): isctest.kasp.check_signatures(rrsigs, qtype, fqdn, keys, []) -def test_kasp_default(servers): - server = servers["ns3"] - +def test_kasp_default(ns3): # check the zone with default kasp policy has loaded and is signed. isctest.log.info("check a zone with the default policy is signed") zone = "default.kasp" @@ -839,11 +835,11 @@ def test_kasp_default(servers): ] expected = isctest.kasp.policy_to_properties(ttl=3600, keys=keyprops) keys = isctest.kasp.keydir_to_keylist(zone, "ns3") - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) isctest.kasp.check_keys(zone, keys, expected) set_keytimes_default_policy(expected[0]) isctest.kasp.check_keytimes(keys, expected) - check_all(server, zone, policy, keys, []) + check_all(ns3, zone, policy, keys, []) # Trigger a keymgr run. Make sure the key files are not touched if there # are no modifications to the key metadata. @@ -855,8 +851,8 @@ def test_kasp_default(servers): pubkey_stat = os.stat(key.keyfile) state_stat = os.stat(key.statefile) - with server.watch_log_from_here() as watcher: - server.rndc(f"loadkeys {zone}", log=False) + with ns3.watch_log_from_here() as watcher: + ns3.rndc(f"loadkeys {zone}", log=False) watcher.wait_for_line(f"keymgr: {zone} done") assert privkey_stat.st_mtime == os.stat(key.privatefile).st_mtime @@ -864,8 +860,8 @@ def test_kasp_default(servers): assert state_stat.st_mtime == os.stat(key.statefile).st_mtime # again - with server.watch_log_from_here() as watcher: - server.rndc(f"loadkeys {zone}", log=False) + with ns3.watch_log_from_here() as watcher: + ns3.rndc(f"loadkeys {zone}", log=False) watcher.wait_for_line(f"keymgr: {zone} done") assert privkey_stat.st_mtime == os.stat(key.privatefile).st_mtime @@ -875,7 +871,7 @@ def test_kasp_default(servers): # modify unsigned zone file and check that new record is signed. isctest.log.info("check that an updated zone signs the new record") shutil.copyfile("ns3/template2.db.in", f"ns3/{zone}.db") - server.rndc(f"reload {zone}", log=False) + ns3.rndc(f"reload {zone}", log=False) def update_is_signed(): parts = update.split() @@ -883,7 +879,7 @@ def test_kasp_default(servers): qtype = dns.rdatatype.from_text(parts[1]) rdata = parts[2] return isctest.kasp.verify_update_is_signed( - server, zone, qname, qtype, rdata, keys, [] + ns3, zone, qname, qtype, rdata, keys, [] ) expected_updates = [f"a.{zone}. A 10.0.0.11", f"d.{zone}. A 10.0.0.44"] @@ -895,15 +891,15 @@ def test_kasp_default(servers): isctest.log.info("check that missing private key doesn't trigger rollover") shutil.move(f"{key.privatefile}", f"{key.path}.offline") expectmsg = "zone_rekey:zone_verifykeys failed: some key files are missing" - with server.watch_log_from_here() as watcher: - server.rndc(f"loadkeys {zone}", log=False) + with ns3.watch_log_from_here() as watcher: + ns3.rndc(f"loadkeys {zone}", log=False) watcher.wait_for_line(f"zone {zone}/IN (signed): {expectmsg}") # Nothing has changed. expected[0].properties["private"] = False - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) isctest.kasp.check_keys(zone, keys, expected) isctest.kasp.check_keytimes(keys, expected) - check_all(server, zone, policy, keys, []) + check_all(ns3, zone, policy, keys, []) # A zone that uses inline-signing. isctest.log.info("check an inline-signed zone with the default policy is signed") @@ -912,17 +908,14 @@ def test_kasp_default(servers): key1 = KeyProperties.default() keys = isctest.kasp.keydir_to_keylist(zone, "ns3") expected = [key1] - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) isctest.kasp.check_keys(zone, keys, expected) set_keytimes_default_policy(key1) isctest.kasp.check_keytimes(keys, expected) - check_all(server, zone, policy, keys, []) + check_all(ns3, zone, policy, keys, []) -def test_kasp_dynamic(servers): - # Dynamic update test cases. - server = servers["ns3"] - +def test_kasp_dynamic(ns3): # Standard dynamic zone. isctest.log.info("check dynamic zone is updated and signed after update") zone = "dynamic.kasp" @@ -931,12 +924,12 @@ def test_kasp_dynamic(servers): key1 = KeyProperties.default() expected = [key1] keys = isctest.kasp.keydir_to_keylist(zone, "ns3") - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) isctest.kasp.check_keys(zone, keys, expected) set_keytimes_default_policy(key1) expected = [key1] isctest.kasp.check_keytimes(keys, expected) - check_all(server, zone, policy, keys, []) + check_all(ns3, zone, policy, keys, []) def update_is_signed(): parts = update.split() @@ -944,14 +937,14 @@ def test_kasp_dynamic(servers): qtype = dns.rdatatype.from_text(parts[1]) rdata = parts[2] return isctest.kasp.verify_update_is_signed( - server, zone, qname, qtype, rdata, keys, [] + ns3, zone, qname, qtype, rdata, keys, [] ) update_msg = dns.update.UpdateMessage(zone) update_msg.delete(f"a.{zone}.", "A", "10.0.0.1") update_msg.add(f"a.{zone}.", 300, "A", "10.0.0.101") update_msg.add(f"d.{zone}.", 300, "A", "10.0.0.4") - server.nsupdate(update_msg) + ns3.nsupdate(update_msg) expected_updates = [f"a.{zone}. A 10.0.0.101", f"d.{zone}. A 10.0.0.4"] for update in expected_updates: @@ -962,15 +955,15 @@ def test_kasp_dynamic(servers): update_msg.add(f"a.{zone}.", 300, "A", "10.0.0.1") update_msg.delete(f"a.{zone}.", "A", "10.0.0.101") update_msg.delete(f"d.{zone}.", "A", "10.0.0.4") - server.nsupdate(update_msg) + ns3.nsupdate(update_msg) update = f"a.{zone}. A 10.0.0.1" isctest.run.retry_with_timeout(update_is_signed, timeout=5) # Update zone with freeze/thaw. isctest.log.info("check dynamic zone is updated and signed after freeze and thaw") - with server.watch_log_from_here() as watcher: - server.rndc(f"freeze {zone}", log=False) + with ns3.watch_log_from_here() as watcher: + ns3.rndc(f"freeze {zone}", log=False) watcher.wait_for_line(f"freezing zone '{zone}/IN': success") time.sleep(1) @@ -978,8 +971,8 @@ def test_kasp_dynamic(servers): zonefile.write(f"d.{zone}. 300 A 10.0.0.44\n") time.sleep(1) - with server.watch_log_from_here() as watcher: - server.rndc(f"thaw {zone}", log=False) + with ns3.watch_log_from_here() as watcher: + ns3.rndc(f"thaw {zone}", log=False) watcher.wait_for_line(f"thawing zone '{zone}/IN': success") expected_updates = [f"a.{zone}. A 10.0.0.1", f"d.{zone}. A 10.0.0.44"] @@ -993,27 +986,27 @@ def test_kasp_dynamic(servers): key1 = KeyProperties.default() expected = [key1] keys = isctest.kasp.keydir_to_keylist(zone, "ns3") - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) isctest.kasp.check_keys(zone, keys, expected) set_keytimes_default_policy(key1) expected = [key1] isctest.kasp.check_keytimes(keys, expected) - check_all(server, zone, policy, keys, []) + check_all(ns3, zone, policy, keys, []) # Update zone with freeze/thaw. isctest.log.info( "check dynamic inline-signed zone is updated and signed after freeze and thaw" ) - with server.watch_log_from_here() as watcher: - server.rndc(f"freeze {zone}", log=False) + with ns3.watch_log_from_here() as watcher: + ns3.rndc(f"freeze {zone}", log=False) watcher.wait_for_line(f"freezing zone '{zone}/IN': success") time.sleep(1) shutil.copyfile("ns3/template2.db.in", f"ns3/{zone}.db") time.sleep(1) - with server.watch_log_from_here() as watcher: - server.rndc(f"thaw {zone}", log=False) + with ns3.watch_log_from_here() as watcher: + ns3.rndc(f"thaw {zone}", log=False) watcher.wait_for_line(f"thawing zone '{zone}/IN': success") expected_updates = [f"a.{zone}. A 10.0.0.11", f"d.{zone}. A 10.0.0.44"] @@ -1032,16 +1025,14 @@ def test_kasp_dynamic(servers): key1.metadata["DSState"] = "omnipresent" expected = [key1] keys = isctest.kasp.keydir_to_keylist(zone, "ns3/keys") - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) isctest.kasp.check_keys(zone, keys, expected) - check_all(server, zone, policy, keys, []) + check_all(ns3, zone, policy, keys, []) # Ensure no zone_resigninc for the unsigned version of the zone is triggered. assert f"zone_resigninc: zone {zone}/IN (unsigned): enter" not in "ns3/named.run" -def test_kasp_checkds(servers): - server = servers["ns3"] - +def test_kasp_checkds(ns3): def wait_for_metadata(): return isctest.util.file_contents_contain(ksk.statefile, metadata) @@ -1058,15 +1049,15 @@ def test_kasp_checkds(servers): keys = isctest.kasp.keydir_to_keylist(zone, "ns3") ksks = [k for k in keys if k.is_ksk()] zsks = [k for k in keys if k.is_zsk()] - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) isctest.kasp.check_keys(zone, keys, expected) - check_all(server, zone, policy, ksks, zsks) + check_all(ns3, zone, policy, ksks, zsks) now = KeyTimingMetadata.now() ksk = ksks[0] isctest.log.info("check if checkds -publish correctly sets DSPublish") - server.rndc(f"dnssec -checkds -when {now} published {zone}", log=False) + ns3.rndc(f"dnssec -checkds -when {now} published {zone}", log=False) metadata = f"DSPublish: {now}" isctest.run.retry_with_timeout(wait_for_metadata, timeout=3) expected[0].metadata["DSState"] = "rumoured" @@ -1074,7 +1065,7 @@ def test_kasp_checkds(servers): isctest.kasp.check_keys(zone, keys, expected) isctest.log.info("check if checkds -withdrawn correctly sets DSRemoved") - server.rndc(f"dnssec -checkds -when {now} withdrawn {zone}", log=False) + ns3.rndc(f"dnssec -checkds -when {now} withdrawn {zone}", log=False) metadata = f"DSRemoved: {now}" isctest.run.retry_with_timeout(wait_for_metadata, timeout=3) expected[0].metadata["DSState"] = "unretentive" @@ -1082,9 +1073,7 @@ def test_kasp_checkds(servers): isctest.kasp.check_keys(zone, keys, expected) -def test_kasp_checkds_doubleksk(servers): - server = servers["ns3"] - +def test_kasp_checkds_doubleksk(ns3): def wait_for_metadata(): return isctest.util.file_contents_contain(ksk.statefile, metadata) @@ -1102,9 +1091,9 @@ def test_kasp_checkds_doubleksk(servers): keys = isctest.kasp.keydir_to_keylist(zone, "ns3") ksks = [k for k in keys if k.is_ksk()] zsks = [k for k in keys if k.is_zsk()] - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) isctest.kasp.check_keys(zone, keys, expected) - check_all(server, zone, policy, ksks, zsks) + check_all(ns3, zone, policy, ksks, zsks) now = KeyTimingMetadata.now() ksk = ksks[0] @@ -1113,7 +1102,7 @@ def test_kasp_checkds_doubleksk(servers): isctest.log.info("check invalid checkds commands") def check_error(): - response = server.rndc(test["command"], log=False) + response = ns3.rndc(test["command"], log=False) assert test["error"] in response test_cases = [ @@ -1138,9 +1127,7 @@ def test_kasp_checkds_doubleksk(servers): check_error() isctest.log.info("check if checkds -publish -key correctly sets DSPublish") - server.rndc( - f"dnssec -checkds -when {now} -key {ksk.tag} published {zone}", log=False - ) + ns3.rndc(f"dnssec -checkds -when {now} -key {ksk.tag} published {zone}", log=False) metadata = f"DSPublish: {now}" isctest.run.retry_with_timeout(wait_for_metadata, timeout=3) expected[0].metadata["DSState"] = "rumoured" @@ -1149,9 +1136,7 @@ def test_kasp_checkds_doubleksk(servers): isctest.log.info("check if checkds -withdrawn -key correctly sets DSRemoved") ksk = ksks[1] - server.rndc( - f"dnssec -checkds -when {now} -key {ksk.tag} withdrawn {zone}", log=False - ) + ns3.rndc(f"dnssec -checkds -when {now} -key {ksk.tag} withdrawn {zone}", log=False) metadata = f"DSRemoved: {now}" isctest.run.retry_with_timeout(wait_for_metadata, timeout=3) expected[1].metadata["DSState"] = "unretentive" @@ -1159,9 +1144,7 @@ def test_kasp_checkds_doubleksk(servers): isctest.kasp.check_keys(zone, keys, expected) -def test_kasp_checkds_csk(servers): - server = servers["ns3"] - +def test_kasp_checkds_csk(ns3): def wait_for_metadata(): return isctest.util.file_contents_contain(ksk.statefile, metadata) @@ -1175,15 +1158,15 @@ def test_kasp_checkds_csk(servers): ] expected = isctest.kasp.policy_to_properties(ttl=303, keys=policy_keys) keys = isctest.kasp.keydir_to_keylist(zone, "ns3") - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) isctest.kasp.check_keys(zone, keys, expected) - check_all(server, zone, policy, keys, []) + check_all(ns3, zone, policy, keys, []) now = KeyTimingMetadata.now() ksk = keys[0] isctest.log.info("check if checkds -publish csk correctly sets DSPublish") - server.rndc(f"dnssec -checkds -when {now} published {zone}", log=False) + ns3.rndc(f"dnssec -checkds -when {now} published {zone}", log=False) metadata = f"DSPublish: {now}" isctest.run.retry_with_timeout(wait_for_metadata, timeout=3) expected[0].metadata["DSState"] = "rumoured" @@ -1191,7 +1174,7 @@ def test_kasp_checkds_csk(servers): isctest.kasp.check_keys(zone, keys, expected) isctest.log.info("check if checkds -withdrawn csk correctly sets DSRemoved") - server.rndc(f"dnssec -checkds -when {now} withdrawn {zone}", log=False) + ns3.rndc(f"dnssec -checkds -when {now} withdrawn {zone}", log=False) metadata = f"DSRemoved: {now}" isctest.run.retry_with_timeout(wait_for_metadata, timeout=3) expected[0].metadata["DSState"] = "unretentive" @@ -1199,21 +1182,17 @@ def test_kasp_checkds_csk(servers): isctest.kasp.check_keys(zone, keys, expected) -def test_kasp_special_characters(servers): - server = servers["ns3"] - +def test_kasp_special_characters(ns3): # A zone with special characters. isctest.log.info("check special characters") zone = r'i-am.":\;?&[]\@!\$*+,|=\.\(\)special.kasp' # It is non-trivial to adapt the tests to deal with all possible different # escaping characters, so we will just try to verify the zone. - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) -def test_kasp_insecure(servers): - server = servers["ns3"] - +def test_kasp_insecure(ns3): # Insecure zones. isctest.log.info("check insecure zones") @@ -1221,28 +1200,26 @@ def test_kasp_insecure(servers): expected = [] keys = isctest.kasp.keydir_to_keylist(zone, "ns3") isctest.kasp.check_keys(zone, keys, expected) - isctest.kasp.check_dnssecstatus(server, zone, keys, policy="insecure") - isctest.kasp.check_apex(server, zone, keys, []) - isctest.kasp.check_subdomain(server, zone, keys, []) + isctest.kasp.check_dnssecstatus(ns3, zone, keys, policy="insecure") + isctest.kasp.check_apex(ns3, zone, keys, []) + isctest.kasp.check_subdomain(ns3, zone, keys, []) zone = "unsigned.kasp" expected = [] keys = isctest.kasp.keydir_to_keylist(zone, "ns3") isctest.kasp.check_keys(zone, keys, expected) - isctest.kasp.check_dnssecstatus(server, zone, keys, policy=None) - isctest.kasp.check_apex(server, zone, keys, []) - isctest.kasp.check_subdomain(server, zone, keys, []) + isctest.kasp.check_dnssecstatus(ns3, zone, keys, policy=None) + isctest.kasp.check_apex(ns3, zone, keys, []) + isctest.kasp.check_subdomain(ns3, zone, keys, []) # Make sure the zone file is untouched. isctest.check.file_contents_equal(f"ns3/{zone}.db.infile", f"ns3/{zone}.db") -def test_kasp_bad_maxzonettl(servers): - server = servers["ns3"] - +def test_kasp_bad_maxzonettl(ns3): # check that max-zone-ttl rejects zones with too high TTL. isctest.log.info("check max-zone-ttl rejects zones with too high TTL") zone = "max-zone-ttl.kasp" - assert f"loading from master file {zone}.db failed: out of range" in server.log + assert f"loading from master file {zone}.db failed: out of range" in ns3.log def test_kasp_dnssec_keygen(): @@ -1431,9 +1408,7 @@ def test_kasp_dnssec_keygen(): isctest.kasp.check_keytimes(keys, expected) -def test_kasp_zsk_retired(servers): - server = servers["ns3"] - +def test_kasp_zsk_retired(ns3): config = { "dnskey-ttl": timedelta(seconds=300), "ds-ttl": timedelta(days=1), @@ -1461,7 +1436,7 @@ def test_kasp_zsk_retired(servers): keys = isctest.kasp.keydir_to_keylist(zone, "ns3") ksks = [k for k in keys if k.is_ksk()] zsks = [k for k in keys if not k.is_ksk()] - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) isctest.kasp.check_keys(zone, keys, expected) offset = -timedelta(days=30 * 6) @@ -1529,7 +1504,7 @@ def test_kasp_zsk_retired(servers): expected[2].timing["ZRRSIGChange"] = None isctest.kasp.check_keytimes(keys, expected) - check_all(server, zone, policy, ksks, zsks) + check_all(ns3, zone, policy, ksks, zsks) queries = [ f"{zone} DNSKEY", @@ -1551,25 +1526,23 @@ def test_kasp_zsk_retired(servers): qname = parts[0] qtype = dns.rdatatype.from_text(parts[1]) return isctest.kasp.verify_rrsig_is_refreshed( - server, zone, f"ns3/{zone}.db.signed", qname, qtype, ksks, zsks + ns3, zone, f"ns3/{zone}.db.signed", qname, qtype, ksks, zsks ) for query in queries: isctest.run.retry_with_timeout(rrsig_is_refreshed, timeout=5) # Load again, make sure the purged key is not an issue when verifying keys. - with server.watch_log_from_here() as watcher: - server.rndc(f"loadkeys {zone}", log=False) + with ns3.watch_log_from_here() as watcher: + ns3.rndc(f"loadkeys {zone}", log=False) watcher.wait_for_line(f"keymgr: {zone} done") msg = f"zone {zone}/IN (signed): zone_rekey:zone_verifykeys failed: some key files are missing" - server.log.prohibit(msg) + ns3.log.prohibit(msg) -def test_kasp_purge_keys(servers): +def test_kasp_purge_keys(ns4): zone = "purgekeys.kasp" - server = servers["ns4"] - tsig1 = ( f"{os.environ['DEFAULT_HMAC']}:keyforview1:{KASP_INHERIT_TSIG_SECRET['view1']}" ) @@ -1577,24 +1550,23 @@ def test_kasp_purge_keys(servers): f"{os.environ['DEFAULT_HMAC']}:keyforview2:{KASP_INHERIT_TSIG_SECRET['view2']}" ) - isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig1) - isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig2) + isctest.kasp.check_dnssec_verify(ns4, zone, tsig=tsig1) + isctest.kasp.check_dnssec_verify(ns4, zone, tsig=tsig2) # Reconfig, make sure the purged key is not an issue when verifying keys. shutil.copyfile("ns4/purgekeys2.conf", "ns4/purgekeys.conf") - with server.watch_log_from_here() as watcher: - server.rndc("reconfig", log=False) + with ns4.watch_log_from_here() as watcher: + ns4.rndc("reconfig", log=False) watcher.wait_for_line(f"keymgr: {zone} done") msg = f"zone {zone}/IN/example1 (signed): zone_rekey:zone_verifykeys failed: some key files are missing" - server.log.prohibit(msg) + ns4.log.prohibit(msg) msg = f"zone {zone}/IN/example2 (signed): zone_rekey:zone_verifykeys failed: some key files are missing" - server.log.prohibit(msg) + ns4.log.prohibit(msg) -def test_kasp_reload_restart(servers): - server = servers["ns6"] +def test_kasp_reload_restart(ns6): zone = "example" def query_soa(qname): @@ -1602,9 +1574,9 @@ def test_kasp_reload_restart(servers): qtype = dns.rdatatype.SOA query = dns.message.make_query(fqdn, qtype, use_edns=True, want_dnssec=True) try: - response = isctest.query.tcp(query, server.ip, server.ports.dns, timeout=3) + response = isctest.query.tcp(query, ns6.ip, ns6.ports.dns, timeout=3) except dns.exception.Timeout: - isctest.log.debug(f"query timeout for query {qname} SOA to {server.ip}") + isctest.log.debug(f"query timeout for query {qname} SOA to {ns6.ip}") return 0, 0 assert response.rcode() == dns.rcode.NOERROR @@ -1629,8 +1601,8 @@ def test_kasp_reload_restart(servers): assert ttl1 == 300 shutil.copyfile(f"ns6/{zone}2.db.in", f"ns6/{zone}.db") - with server.watch_log_from_here() as watcher: - server.rndc("reload", log=False) + with ns6.watch_log_from_here() as watcher: + ns6.rndc("reload", log=False) watcher.wait_for_line("all zones loaded") newttl = 300 @@ -1641,11 +1613,11 @@ def test_kasp_reload_restart(servers): soa1, ttl1 = query_soa(zone) assert ttl1 == 300 - server.stop() + ns6.stop() shutil.copyfile(f"ns6/{zone}3.db.in", f"ns6/{zone}.db") os.unlink(f"ns6/{zone}.db.jnl") - with server.watch_log_from_here() as watcher: - server.start(["--noclean", "--restart", "--port", os.environ["PORT"]]) + with ns6.watch_log_from_here() as watcher: + ns6.start(["--noclean", "--restart", "--port", os.environ["PORT"]]) watcher.wait_for_line("all zones loaded") newttl = 400 diff --git a/bin/tests/system/keepalive/tests_keepalive.py b/bin/tests/system/keepalive/tests_keepalive.py index c815c3e84b..958a8b7c46 100644 --- a/bin/tests/system/keepalive/tests_keepalive.py +++ b/bin/tests/system/keepalive/tests_keepalive.py @@ -18,9 +18,9 @@ pytestmark = pytest.mark.extra_artifacts( ) -def test_dig_tcp_keepalive_handling(named_port, servers): +def test_dig_tcp_keepalive_handling(named_port, ns2): def get_keepalive_options_received(): - servers["ns2"].rndc("stats", log=False) + ns2.rndc("stats", log=False) options_received = 0 with open("ns2/named.stats", "r", encoding="utf-8") as ns2_stats_file: for line in ns2_stats_file: @@ -53,7 +53,7 @@ def test_dig_tcp_keepalive_handling(named_port, servers): ) isctest.log.info("check a re-configured keepalive value") - response = servers["ns2"].rndc("tcp-timeouts 300 300 300 200", log=False) + response = ns2.rndc("tcp-timeouts 300 300 300 200", log=False) assert "tcp-initial-timeout=300" in response assert "tcp-idle-timeout=300" in response assert "tcp-keepalive-timeout=300" in response diff --git a/bin/tests/system/ksr/tests_ksr.py b/bin/tests/system/ksr/tests_ksr.py index 12b4a6e487..20a72276f0 100644 --- a/bin/tests/system/ksr/tests_ksr.py +++ b/bin/tests/system/ksr/tests_ksr.py @@ -564,7 +564,7 @@ def test_ksr_errors(): assert "dnssec-ksr: fatal: 'sign' requires a KSR file" in err -def test_ksr_common(servers): +def test_ksr_common(ns1): # common test cases (1) zone = "common.test" policy = "common" @@ -738,7 +738,6 @@ def test_ksr_common(servers): ) # add zone - ns1 = servers["ns1"] ns1.rndc( f"addzone {zone} " + "{ type primary; file " @@ -764,7 +763,7 @@ def test_ksr_common(servers): isctest.kasp.check_subdomain(ns1, zone, ksks, overlapping_zsks, offline_ksk=True) -def test_ksr_lastbundle(servers): +def test_ksr_lastbundle(ns1): zone = "last-bundle.test" policy = "common" n = 1 @@ -811,7 +810,6 @@ def test_ksr_lastbundle(servers): check_signedkeyresponse(out, zone, ksks, zsks, then, until, refresh) # add zone - ns1 = servers["ns1"] ns1.rndc( f"addzone {zone} " + "{ type primary; file " @@ -841,7 +839,7 @@ def test_ksr_lastbundle(servers): assert f"zone {zone}/IN (signed): zone_rekey: {warning}" in ns1.log -def test_ksr_inthemiddle(servers): +def test_ksr_inthemiddle(ns1): zone = "in-the-middle.test" policy = "common" n = 1 @@ -889,7 +887,6 @@ def test_ksr_inthemiddle(servers): check_signedkeyresponse(out, zone, ksks, zsks, then, until, refresh) # add zone - ns1 = servers["ns1"] ns1.rndc( f"addzone {zone} " + "{ type primary; file " @@ -982,18 +979,14 @@ def check_ksr_rekey_logs_error(server, zone, policy, offset, end): assert line in server.log -def test_ksr_rekey_logs_error(servers): +def test_ksr_rekey_logs_error(ns1): # check that an SKR that is too old logs error - check_ksr_rekey_logs_error( - servers["ns1"], "past.test", "common", -63072000, -31536000 - ) + check_ksr_rekey_logs_error(ns1, "past.test", "common", -63072000, -31536000) # check that an SKR that is too new logs error - check_ksr_rekey_logs_error( - servers["ns1"], "future.test", "common", 2592000, 31536000 - ) + check_ksr_rekey_logs_error(ns1, "future.test", "common", 2592000, 31536000) -def test_ksr_unlimited(servers): +def test_ksr_unlimited(ns1): zone = "unlimited.test" policy = "unlimited" n = 1 @@ -1082,7 +1075,6 @@ def test_ksr_unlimited(servers): check_signedkeyresponse(out, zone, ksks, zsks, now, until, refresh) # add zone - ns1 = servers["ns1"] ns1.rndc( f"addzone {zone} " + "{ type primary; file " @@ -1108,7 +1100,7 @@ def test_ksr_unlimited(servers): isctest.kasp.check_subdomain(ns1, zone, ksks, zsks, offline_ksk=True) -def test_ksr_twotone(servers): +def test_ksr_twotone(ns1): zone = "two-tone.test" policy = "two-tone" n = 1 @@ -1192,7 +1184,6 @@ def test_ksr_twotone(servers): check_signedkeyresponse(out, zone, ksks, zsks, now, until, refresh) # add zone - ns1 = servers["ns1"] ns1.rndc( f"addzone {zone} " + "{ type primary; file " @@ -1224,7 +1215,7 @@ def test_ksr_twotone(servers): isctest.kasp.check_subdomain(ns1, zone, ksks, zsks, offline_ksk=True) -def test_ksr_kskroll(servers): +def test_ksr_kskroll(ns1): zone = "ksk-roll.test" policy = "ksk-roll" n = 1 @@ -1270,7 +1261,6 @@ def test_ksr_kskroll(servers): check_signedkeyresponse(out, zone, ksks, zsks, now, until, refresh) # add zone - ns1 = servers["ns1"] ns1.rndc( f"addzone {zone} " + "{ type primary; file " diff --git a/bin/tests/system/mirror-root-zone/tests_mirror_root_zone.py b/bin/tests/system/mirror-root-zone/tests_mirror_root_zone.py index 31fdf8dd50..4a5c52d9c1 100644 --- a/bin/tests/system/mirror-root-zone/tests_mirror_root_zone.py +++ b/bin/tests/system/mirror-root-zone/tests_mirror_root_zone.py @@ -9,19 +9,16 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -from typing import Dict - from isctest.instance import NamedInstance from isctest.mark import live_internet_test @live_internet_test -def test_mirror_root_zone(servers: Dict[str, NamedInstance]): +def test_mirror_root_zone(ns1: NamedInstance): """ This test pulls the root zone from the Internet, so let's only run it when CI_ENABLE_LIVE_INTERNET_TESTS is set. """ - ns1 = servers["ns1"] with ns1.watch_log_from_start() as watch_log: # TimeoutError is raised if the line is not found and the test will fail. watch_log.wait_for_line("Transfer status: success") diff --git a/bin/tests/system/nzd2nzf/tests_nzd2nzf.py b/bin/tests/system/nzd2nzf/tests_nzd2nzf.py index cd22bef7d9..0f5c89a09b 100644 --- a/bin/tests/system/nzd2nzf/tests_nzd2nzf.py +++ b/bin/tests/system/nzd2nzf/tests_nzd2nzf.py @@ -27,22 +27,22 @@ pytestmark = [ ] -def test_nzd2nzf(servers): +def test_nzd2nzf(ns1): zone_data = '"added.example" { type primary; file "added.db"; };' msg = dns.message.make_query("a.added.example.", "A") # query for non-existing zone data - res = isctest.query.tcp(msg, servers["ns1"].ip) + res = isctest.query.tcp(msg, ns1.ip) isctest.check.refused(res) # add new zone into the default NZD using "rndc addzone" - servers["ns1"].rndc(f"addzone {zone_data}", log=False) + ns1.rndc(f"addzone {zone_data}", log=False) # query for existing zone data - res = isctest.query.tcp(msg, servers["ns1"].ip) + res = isctest.query.tcp(msg, ns1.ip) isctest.check.noerror(res) - servers["ns1"].stop() + ns1.stop() # dump "_default.nzd" to "_default.nzf" and check that it contains the expected content cfg_dir = "ns1" @@ -59,8 +59,8 @@ def test_nzd2nzf(servers): os.remove(nzd_filename) # start ns1 again, it should migrate "_default.nzf" to "_default.nzd" - servers["ns1"].start(["--noclean", "--restart", "--port", os.environ["PORT"]]) + ns1.start(["--noclean", "--restart", "--port", os.environ["PORT"]]) # query for zone data from the migrated zone config - res = isctest.query.tcp(msg, servers["ns1"].ip) + res = isctest.query.tcp(msg, ns1.ip) isctest.check.noerror(res) diff --git a/bin/tests/system/rfc5011/tests_rfc5011.py b/bin/tests/system/rfc5011/tests_rfc5011.py index 283e9c7ba8..652293792b 100644 --- a/bin/tests/system/rfc5011/tests_rfc5011.py +++ b/bin/tests/system/rfc5011/tests_rfc5011.py @@ -20,13 +20,13 @@ pytestmark = pytest.mark.extra_artifacts( @live_internet_test -def test_rfc5011_rootdnskeyrefresh(servers): - with servers["ns1"].watch_log_from_start() as watcher: +def test_rfc5011_rootdnskeyrefresh(ns1): + with ns1.watch_log_from_start() as watcher: watcher.wait_for_line( "managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is now trusted, waiving the normal 30-day waiting period" ) - with servers["ns1"].watch_log_from_start() as watcher: + with ns1.watch_log_from_start() as watcher: watcher.wait_for_line( "managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 38696 is now trusted, waiving the normal 30-day waiting period" ) diff --git a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py index e3b1053c39..aa12acbbaa 100644 --- a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py +++ b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py @@ -21,7 +21,7 @@ from common import ( ) -def test_algoroll_csk_initial(servers): +def test_algoroll_csk_initial(ns6): config = ALGOROLL_CONFIG policy = "csk-algoroll" @@ -33,4 +33,4 @@ def test_algoroll_csk_initial(servers): ], "nextev": TIMEDELTA["PT1H"], } - isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step) + isctest.kasp.check_rollover_step(ns6, config, policy, step) diff --git a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py index 7037238db8..19a58045af 100644 --- a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py +++ b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py @@ -37,18 +37,18 @@ TIME_PASSED = 0 # set in reconfigure() fixture @pytest.fixture(scope="module", autouse=True) -def reconfigure(servers, templates): +def reconfigure(ns6, templates): global TIME_PASSED # pylint: disable=global-statement start_time = KeyTimingMetadata.now() templates.render("ns6/named.conf", {"csk_roll": True}) - servers["ns6"].reconfigure() + ns6.reconfigure() # Calculate time passed to correctly check for next key events. TIME_PASSED = KeyTimingMetadata.now().value - start_time.value -def test_algoroll_csk_reconfig_step1(servers, alg, size): +def test_algoroll_csk_reconfig_step1(ns6, alg, size): step = { "zone": "step1.csk-algorithm-roll.kasp", "cdss": CDSS, @@ -61,10 +61,10 @@ def test_algoroll_csk_reconfig_step1(servers, alg, size): # Next key event is when the ecdsa256 keys have been propagated. "nextev": ALGOROLL_IPUB, } - isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step) -def test_algoroll_csk_reconfig_step2(servers, alg, size): +def test_algoroll_csk_reconfig_step2(ns6, alg, size): step = { "zone": "step2.csk-algorithm-roll.kasp", "cdss": CDSS, @@ -84,10 +84,10 @@ def test_algoroll_csk_reconfig_step2(servers, alg, size): # the time passed between key creation and invoking 'rndc reconfig'. "nextev": ALGOROLL_IPUBC - ALGOROLL_IPUB - TIME_PASSED, } - isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step) -def test_algoroll_csk_reconfig_step3(servers, alg, size): +def test_algoroll_csk_reconfig_step3(ns6, alg, size): step = { "zone": "step3.csk-algorithm-roll.kasp", "cdss": CDSS, @@ -100,10 +100,10 @@ def test_algoroll_csk_reconfig_step3(servers, alg, size): # after the publication interval of the parent side. "nextev": ALGOROLL_IRETKSK - TIME_PASSED, } - isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step) -def test_algoroll_csk_reconfig_step4(servers, alg, size): +def test_algoroll_csk_reconfig_step4(ns6, alg, size): step = { "zone": "step4.csk-algorithm-roll.kasp", "cdss": CDSS, @@ -116,10 +116,10 @@ def test_algoroll_csk_reconfig_step4(servers, alg, size): # This happens after the DNSKEY TTL plus zone propagation delay. "nextev": ALGOROLL_KEYTTLPROP, } - isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step) -def test_algoroll_csk_reconfig_step5(servers, alg, size): +def test_algoroll_csk_reconfig_step5(ns6, alg, size): step = { "zone": "step5.csk-algorithm-roll.kasp", "cdss": CDSS, @@ -136,10 +136,10 @@ def test_algoroll_csk_reconfig_step5(servers, alg, size): # between key creation and invoking 'rndc reconfig'. "nextev": ALGOROLL_IRET - ALGOROLL_IRETKSK - ALGOROLL_KEYTTLPROP - TIME_PASSED, } - isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step) -def test_algoroll_csk_reconfig_step6(servers, alg, size): +def test_algoroll_csk_reconfig_step6(ns6, alg, size): step = { "zone": "step6.csk-algorithm-roll.kasp", "cdss": CDSS, @@ -153,4 +153,4 @@ def test_algoroll_csk_reconfig_step6(servers, alg, size): # loadkeys interval. "nextev": TIMEDELTA["PT1H"], } - isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step) diff --git a/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_initial.py b/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_initial.py index cc90ad3b62..1df8028f57 100644 --- a/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_initial.py +++ b/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_initial.py @@ -21,7 +21,7 @@ from common import ( ) -def test_algoroll_ksk_zsk_initial(servers): +def test_algoroll_ksk_zsk_initial(ns6): config = ALGOROLL_CONFIG policy = "rsasha256" @@ -34,4 +34,4 @@ def test_algoroll_ksk_zsk_initial(servers): ], "nextev": TIMEDELTA["PT1H"], } - isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step) + isctest.kasp.check_rollover_step(ns6, config, policy, step) diff --git a/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py b/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py index c23eb01875..d0e402f950 100644 --- a/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py +++ b/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py @@ -37,18 +37,18 @@ TIME_PASSED = 0 # set in reconfigure() fixture @pytest.fixture(scope="module", autouse=True) -def reconfigure(servers, templates): +def reconfigure(ns6, templates): global TIME_PASSED # pylint: disable=global-statement start_time = KeyTimingMetadata.now() templates.render("ns6/named.conf", {"alg_roll": True}) - servers["ns6"].reconfigure() + ns6.reconfigure() # Calculate time passed to correctly check for next key events. TIME_PASSED = KeyTimingMetadata.now().value - start_time.value -def test_algoroll_ksk_zsk_reconfig_step1(servers, alg, size): +def test_algoroll_ksk_zsk_reconfig_step1(ns6, alg, size): step = { "zone": "step1.algorithm-roll.kasp", "cdss": CDSS, @@ -63,10 +63,10 @@ def test_algoroll_ksk_zsk_reconfig_step1(servers, alg, size): # Next key event is when the ecdsa256 keys have been propagated. "nextev": ALGOROLL_IPUB, } - isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step) -def test_algoroll_ksk_zsk_reconfig_step2(servers, alg, size): +def test_algoroll_ksk_zsk_reconfig_step2(ns6, alg, size): step = { "zone": "step2.algorithm-roll.kasp", "cdss": CDSS, @@ -88,10 +88,10 @@ def test_algoroll_ksk_zsk_reconfig_step2(servers, alg, size): # key creation and invoking 'rndc reconfig'. "nextev": ALGOROLL_IPUBC - ALGOROLL_IPUB - TIME_PASSED, } - isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step) -def test_algoroll_ksk_zsk_reconfig_step3(servers, alg, size): +def test_algoroll_ksk_zsk_reconfig_step3(ns6, alg, size): step = { "zone": "step3.algorithm-roll.kasp", "cdss": CDSS, @@ -106,10 +106,10 @@ def test_algoroll_ksk_zsk_reconfig_step3(servers, alg, size): # after the retire interval. "nextev": ALGOROLL_IRETKSK - TIME_PASSED, } - isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step) -def test_algoroll_ksk_zsk_reconfig_step4(servers, alg, size): +def test_algoroll_ksk_zsk_reconfig_step4(ns6, alg, size): step = { "zone": "step4.algorithm-roll.kasp", "cdss": CDSS, @@ -124,10 +124,10 @@ def test_algoroll_ksk_zsk_reconfig_step4(servers, alg, size): # This happens after the DNSKEY TTL plus zone propagation delay. "nextev": ALGOROLL_KEYTTLPROP, } - isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step) -def test_algoroll_ksk_zsk_reconfig_step5(servers, alg, size): +def test_algoroll_ksk_zsk_reconfig_step5(ns6, alg, size): step = { "zone": "step5.algorithm-roll.kasp", "cdss": CDSS, @@ -146,10 +146,10 @@ def test_algoroll_ksk_zsk_reconfig_step5(servers, alg, size): # between key creation and invoking 'rndc reconfig'. "nextev": ALGOROLL_IRET - ALGOROLL_IRETKSK - ALGOROLL_KEYTTLPROP - TIME_PASSED, } - isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step) -def test_algoroll_ksk_zsk_reconfig_step6(servers, alg, size): +def test_algoroll_ksk_zsk_reconfig_step6(ns6, alg, size): step = { "zone": "step6.algorithm-roll.kasp", "cdss": CDSS, @@ -165,4 +165,4 @@ def test_algoroll_ksk_zsk_reconfig_step6(servers, alg, size): # loadkeys interval. "nextev": TIMEDELTA["PT1H"], } - isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step) diff --git a/bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py b/bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py index 9a265a682c..8f72165bf8 100644 --- a/bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py +++ b/bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py @@ -62,7 +62,7 @@ OFFSETS["step8-p"] = OFFSETS["step7-p"] - int(CONFIG["purge-keys"].total_seconds OFFSETS["step8-s"] = OFFSETS["step7-s"] - int(CONFIG["purge-keys"].total_seconds()) -def test_csk_roll1_step1(alg, size, servers): +def test_csk_roll1_step1(alg, size, ns3): step = { # Introduce the first key. This will immediately be active. "zone": "step1.csk-roll1.autosign", @@ -75,10 +75,10 @@ def test_csk_roll1_step1(alg, size, servers): # registration delay). "nextev": CSK_LIFETIME - IPUB - timedelta(days=7), } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_csk_roll1_step2(alg, size, servers): +def test_csk_roll1_step2(alg, size, ns3): step = { # Successor CSK is prepublished (signs DNSKEY RRset, but not yet # other RRsets). @@ -96,10 +96,10 @@ def test_csk_roll1_step2(alg, size, servers): # Next key event is when the successor CSK becomes OMNIPRESENT. "nextev": IPUB, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_csk_roll1_step3(alg, size, servers): +def test_csk_roll1_step3(alg, size, ns3): step = { # Successor CSK becomes omnipresent, meaning we can start signing # the remainder of the zone with the successor CSK, and we can @@ -130,10 +130,10 @@ def test_csk_roll1_step3(alg, size, servers): # from the predecessor ZSK. "smooth": True, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_csk_roll1_step4(alg, size, servers): +def test_csk_roll1_step4(alg, size, ns3): step = { "zone": "step4.csk-roll1.autosign", "cdss": CDSS, @@ -153,10 +153,10 @@ def test_csk_roll1_step4(alg, size, servers): # We already swapped the DS in the previous step, so disable ds-swap. "ds-swap": False, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_csk_roll1_step5(alg, size, servers): +def test_csk_roll1_step5(alg, size, ns3): step = { "zone": "step5.csk-roll1.autosign", "cdss": CDSS, @@ -172,10 +172,10 @@ def test_csk_roll1_step5(alg, size, servers): # CSK. "nextev": SIGNDELAY, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_csk_roll1_step6(alg, size, servers): +def test_csk_roll1_step6(alg, size, ns3): step = { "zone": "step6.csk-roll1.autosign", "cdss": CDSS, @@ -193,10 +193,10 @@ def test_csk_roll1_step6(alg, size, servers): # This is the DNSKEY TTL plus zone propagation delay. "nextev": KEYTTLPROP, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_csk_roll1_step7(alg, size, servers): +def test_csk_roll1_step7(alg, size, ns3): step = { "zone": "step7.csk-roll1.autosign", "cdss": CDSS, @@ -211,10 +211,10 @@ def test_csk_roll1_step7(alg, size, servers): # minus the prepublication time. "nextev": CSK_LIFETIME - IRETZSK - IPUB - KEYTTLPROP, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_csk_roll1_step8(alg, size, servers): +def test_csk_roll1_step8(alg, size, ns3): step = { "zone": "step8.csk-roll1.autosign", "cdss": CDSS, @@ -223,4 +223,4 @@ def test_csk_roll1_step8(alg, size, servers): ], "nextev": None, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) diff --git a/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py b/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py index a4fe5e574d..844f754c17 100644 --- a/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py +++ b/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py @@ -65,7 +65,7 @@ OFFSETS["step7-p"] = OFFSETS["step6-p"] - int(timedelta(days=90).total_seconds() OFFSETS["step7-s"] = OFFSETS["step6-s"] - int(timedelta(days=90).total_seconds()) -def test_csk_roll2_step1(alg, size, servers): +def test_csk_roll2_step1(alg, size, ns3): step = { # Introduce the first key. This will immediately be active. "zone": "step1.csk-roll2.autosign", @@ -78,10 +78,10 @@ def test_csk_roll2_step1(alg, size, servers): # registration delay). "nextev": CSK_LIFETIME - IPUB - TIMEDELTA["P7D"], } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_csk_roll2_step2(alg, size, servers): +def test_csk_roll2_step2(alg, size, ns3): step = { # Successor CSK is prepublished (signs DNSKEY RRset, but not yet # other RRsets). @@ -99,10 +99,10 @@ def test_csk_roll2_step2(alg, size, servers): # Next key event is when the successor CSK becomes OMNIPRESENT. "nextev": IPUB, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_csk_roll2_step3(alg, size, servers): +def test_csk_roll2_step3(alg, size, ns3): step = { # Successor CSK becomes omnipresent, meaning we can start signing # the remainder of the zone with the successor CSK, and we can @@ -133,10 +133,10 @@ def test_csk_roll2_step3(alg, size, servers): # from the predecessor ZSK. "smooth": True, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_csk_roll2_step4(alg, size, servers): +def test_csk_roll2_step4(alg, size, ns3): step = { "zone": "step4.csk-roll2.autosign", "cdss": CDSS, @@ -158,10 +158,10 @@ def test_csk_roll2_step4(alg, size, servers): # We already swapped the DS in the previous step, so disable ds-swap. "ds-swap": False, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_csk_roll2_step5(alg, size, servers): +def test_csk_roll2_step5(alg, size, ns3): step = { "zone": "step5.csk-roll2.autosign", "cdss": CDSS, @@ -180,10 +180,10 @@ def test_csk_roll2_step5(alg, size, servers): # This is the DNSKEY TTL plus zone propagation delay. "nextev": KEYTTLPROP, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_csk_roll2_step6(alg, size, servers): +def test_csk_roll2_step6(alg, size, ns3): step = { "zone": "step6.csk-roll2.autosign", "cdss": CDSS, @@ -199,10 +199,10 @@ def test_csk_roll2_step6(alg, size, servers): # This is the Lcsk, minus time passed since the key was published. "nextev": CSK_LIFETIME - IRET - IPUB - KEYTTLPROP, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_csk_roll2_step7(alg, size, servers): +def test_csk_roll2_step7(alg, size, ns3): step = { "zone": "step7.csk-roll2.autosign", "cdss": CDSS, @@ -214,4 +214,4 @@ def test_csk_roll2_step7(alg, size, servers): "keyrelationships": [0, 1], "nextev": None, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) diff --git a/bin/tests/system/rollover-dynamic2inline/tests_rollover_dynamic2inline.py b/bin/tests/system/rollover-dynamic2inline/tests_rollover_dynamic2inline.py index 15f53c4dfb..39b0a900f4 100644 --- a/bin/tests/system/rollover-dynamic2inline/tests_rollover_dynamic2inline.py +++ b/bin/tests/system/rollover-dynamic2inline/tests_rollover_dynamic2inline.py @@ -21,7 +21,7 @@ from common import ( ) -def test_dynamic2inline(alg, size, servers, templates): +def test_dynamic2inline(alg, size, ns6, templates): config = DEFAULT_CONFIG policy = "default" @@ -34,9 +34,9 @@ def test_dynamic2inline(alg, size, servers, templates): "nextev": None, } - isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step) + isctest.kasp.check_rollover_step(ns6, config, policy, step) templates.render("ns6/named.conf", {"change_lifetime": True}) - servers["ns6"].reconfigure() + ns6.reconfigure() - isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step) + isctest.kasp.check_rollover_step(ns6, config, policy, step) diff --git a/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py b/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py index a41f699af8..c879f5061c 100644 --- a/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py +++ b/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py @@ -44,7 +44,7 @@ OFFSETS["step3"] = -int(IRETZSK.total_seconds()) OFFSETS["step4"] = -int(IPUBC.total_seconds() + IRETKSK.total_seconds()) -def test_rollover_enable_dnssec_step1(alg, size, servers): +def test_rollover_enable_dnssec_step1(alg, size, ns3): step = { "zone": "step1.enable-dnssec.autosign", "cdss": CDSS, @@ -55,10 +55,10 @@ def test_rollover_enable_dnssec_step1(alg, size, servers): # after the publication interval. "nextev": IPUB, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_rollover_enable_dnssec_step2(alg, size, servers): +def test_rollover_enable_dnssec_step2(alg, size, ns3): step = { "zone": "step2.enable-dnssec.autosign", "cdss": CDSS, @@ -73,10 +73,10 @@ def test_rollover_enable_dnssec_step2(alg, size, servers): # Minus the time already elapsed. "nextev": IRETZSK - IPUB, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_rollover_enable_dnssec_step3(alg, size, servers): +def test_rollover_enable_dnssec_step3(alg, size, ns3): step = { "zone": "step3.enable-dnssec.autosign", "cdss": CDSS, @@ -90,10 +90,10 @@ def test_rollover_enable_dnssec_step3(alg, size, servers): # This is after the retire interval. "nextev": IRETKSK, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_rollover_enable_dnssec_step4(alg, size, servers): +def test_rollover_enable_dnssec_step4(alg, size, ns3): step = { "zone": "step4.enable-dnssec.autosign", "cdss": CDSS, @@ -106,4 +106,4 @@ def test_rollover_enable_dnssec_step4(alg, size, servers): # established. So we fall back to the default loadkeys interval. "nextev": TIMEDELTA["PT1H"], } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) diff --git a/bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_initial.py b/bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_initial.py index 6011958209..112e2cc31f 100644 --- a/bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_initial.py +++ b/bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_initial.py @@ -31,7 +31,7 @@ from common import ( "going-insecure-dynamic.kasp", ], ) -def test_going_insecure_initial(zone, servers, alg, size): +def test_going_insecure_initial(zone, ns6, alg, size): config = UNSIGNING_CONFIG policy = "unsigning" step = { @@ -43,4 +43,4 @@ def test_going_insecure_initial(zone, servers, alg, size): ], "nextev": None, } - isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step) + isctest.kasp.check_rollover_step(ns6, config, policy, step) diff --git a/bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_reconfig.py b/bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_reconfig.py index a783f4fb17..60a0b54c90 100644 --- a/bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_reconfig.py +++ b/bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_reconfig.py @@ -26,9 +26,9 @@ from common import ( @pytest.fixture(scope="module", autouse=True) -def reconfigure_policy(servers, templates): +def reconfigure_policy(ns6, templates): templates.render("ns6/named.conf", {"policy": "insecure"}) - servers["ns6"].reconfigure() + ns6.reconfigure() @pytest.mark.parametrize( @@ -38,7 +38,7 @@ def reconfigure_policy(servers, templates): "going-insecure-dynamic.kasp", ], ) -def test_going_insecure_reconfig_step1(zone, alg, size, servers): +def test_going_insecure_reconfig_step1(zone, alg, size, ns6): config = DEFAULT_CONFIG policy = "insecure" @@ -58,7 +58,7 @@ def test_going_insecure_reconfig_step1(zone, alg, size, servers): "cds-delete": True, "check-keytimes": False, } - isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step) + isctest.kasp.check_rollover_step(ns6, config, policy, step) @pytest.mark.parametrize( @@ -68,7 +68,7 @@ def test_going_insecure_reconfig_step1(zone, alg, size, servers): "going-insecure-dynamic.kasp", ], ) -def test_going_insecure_reconfig_step2(zone, alg, size, servers): +def test_going_insecure_reconfig_step2(zone, alg, size, ns6): config = DEFAULT_CONFIG policy = "insecure" @@ -90,4 +90,4 @@ def test_going_insecure_reconfig_step2(zone, alg, size, servers): "zone-signed": False, "check-keytimes": False, } - isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step) + isctest.kasp.check_rollover_step(ns6, config, policy, step) diff --git a/bin/tests/system/rollover-ksk-3crowd/tests_rollover_three_is_a_crowd.py b/bin/tests/system/rollover-ksk-3crowd/tests_rollover_three_is_a_crowd.py index f30c2061d2..c43d318aaa 100644 --- a/bin/tests/system/rollover-ksk-3crowd/tests_rollover_three_is_a_crowd.py +++ b/bin/tests/system/rollover-ksk-3crowd/tests_rollover_three_is_a_crowd.py @@ -33,9 +33,8 @@ OFFSET2 = -int(timedelta(hours=27).total_seconds()) TTL = int(KSK_CONFIG["dnskey-ttl"].total_seconds()) -def test_rollover_ksk_three_is_a_crowd(alg, size, servers): +def test_rollover_ksk_three_is_a_crowd(alg, size, ns3): """Test #2375: Scheduled rollovers are happening faster than they can finish.""" - server = servers["ns3"] zone = "three-is-a-crowd.kasp" step = { @@ -48,16 +47,16 @@ def test_rollover_ksk_three_is_a_crowd(alg, size, servers): ], "keyrelationships": [0, 1], } - isctest.kasp.check_rollover_step(servers["ns3"], KSK_CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, POLICY, step) # Rollover successor KSK (with DS in rumoured state). expected = isctest.kasp.policy_to_properties(TTL, step["keyprops"]) - keys = isctest.kasp.keydir_to_keylist(zone, server.identifier) + keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier) isctest.kasp.check_keys(zone, keys, expected) key = expected[1].key now = KeyTimingMetadata.now() - with server.watch_log_from_here() as watcher: - server.rndc(f"dnssec -rollover -key {key.tag} -when {now} {zone}") + with ns3.watch_log_from_here() as watcher: + ns3.rndc(f"dnssec -rollover -key {key.tag} -when {now} {zone}") watcher.wait_for_line(f"keymgr: {zone} done") # We now expect four keys (3x KSK, 1x ZSK). @@ -72,10 +71,10 @@ def test_rollover_ksk_three_is_a_crowd(alg, size, servers): ], "check-keytimes": False, # checked manually with modified values } - isctest.kasp.check_rollover_step(servers["ns3"], KSK_CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, POLICY, step) expected = isctest.kasp.policy_to_properties(TTL, step["keyprops"]) - keys = isctest.kasp.keydir_to_keylist(zone, server.identifier) + keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier) isctest.kasp.check_keys(zone, keys, expected) expected[0].metadata["Successor"] = expected[1].key.tag diff --git a/bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py b/bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py index 4b0652c7f4..76df1fb710 100644 --- a/bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py +++ b/bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py @@ -45,7 +45,7 @@ OFFSETS["step6-p"] = OFFSETS["step5-p"] - int(KSK_CONFIG["purge-keys"].total_sec OFFSETS["step6-s"] = OFFSETS["step5-s"] - int(KSK_CONFIG["purge-keys"].total_seconds()) -def test_ksk_doubleksk_step1(alg, size, servers): +def test_ksk_doubleksk_step1(alg, size, ns3): step = { # Introduce the first key. This will immediately be active. "zone": "step1.ksk-doubleksk.autosign", @@ -59,10 +59,10 @@ def test_ksk_doubleksk_step1(alg, size, servers): # already passed). "nextev": KSK_LIFETIME - KSK_IPUB - timedelta(days=7), } - isctest.kasp.check_rollover_step(servers["ns3"], KSK_CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, POLICY, step) -def test_ksk_doubleksk_step2(alg, size, servers): +def test_ksk_doubleksk_step2(alg, size, ns3): step = { # Successor KSK is prepublished (and signs DNSKEY RRset). # KSK1 goal: omnipresent -> hidden @@ -80,10 +80,10 @@ def test_ksk_doubleksk_step2(alg, size, servers): # Next key event is when the successor KSK becomes OMNIPRESENT. "nextev": KSK_IPUB, } - isctest.kasp.check_rollover_step(servers["ns3"], KSK_CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, POLICY, step) -def test_ksk_doubleksk_step3(alg, size, servers): +def test_ksk_doubleksk_step3(alg, size, ns3): step = { # The successor DNSKEY RRset has become omnipresent. The # predecessor DS can be withdrawn and the successor DS can be @@ -106,10 +106,10 @@ def test_ksk_doubleksk_step3(alg, size, servers): # successor DS. This is the the retire interval. "nextev": KSK_IRET, } - isctest.kasp.check_rollover_step(servers["ns3"], KSK_CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, POLICY, step) -def test_ksk_doubleksk_step4(alg, size, servers): +def test_ksk_doubleksk_step4(alg, size, ns3): step = { # The predecessor DNSKEY may be removed, the successor DS is # omnipresent. @@ -129,10 +129,10 @@ def test_ksk_doubleksk_step4(alg, size, servers): # This is the DNSKEY TTL plus zone propagation delay. "nextev": KSK_KEYTTLPROP, } - isctest.kasp.check_rollover_step(servers["ns3"], KSK_CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, POLICY, step) -def test_ksk_doubleksk_step5(alg, size, servers): +def test_ksk_doubleksk_step5(alg, size, ns3): step = { # The predecessor DNSKEY is long enough removed from the zone it # has become hidden. @@ -150,10 +150,10 @@ def test_ksk_doubleksk_step5(alg, size, servers): # This is the KSK lifetime minus Ipub minus Iret minus time elapsed. "nextev": KSK_LIFETIME - KSK_IPUB - KSK_IRET - KSK_KEYTTLPROP, } - isctest.kasp.check_rollover_step(servers["ns3"], KSK_CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, POLICY, step) -def test_ksk_doubleksk_step6(alg, size, servers): +def test_ksk_doubleksk_step6(alg, size, ns3): step = { # Predecessor KSK is now purged. "zone": "step6.ksk-doubleksk.autosign", @@ -164,4 +164,4 @@ def test_ksk_doubleksk_step6(alg, size, servers): ], "nextev": None, } - isctest.kasp.check_rollover_step(servers["ns3"], KSK_CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, KSK_CONFIG, POLICY, step) diff --git a/bin/tests/system/rollover-lifetime/tests_rollover_lifetime_initial.py b/bin/tests/system/rollover-lifetime/tests_rollover_lifetime_initial.py index 29764dca17..2801073842 100644 --- a/bin/tests/system/rollover-lifetime/tests_rollover_lifetime_initial.py +++ b/bin/tests/system/rollover-lifetime/tests_rollover_lifetime_initial.py @@ -34,7 +34,7 @@ from common import ( param("unlimit-lifetime", "short-lifetime", "P6M"), ], ) -def test_lifetime_initial(zone, policy, lifetime, alg, size, servers): +def test_lifetime_initial(zone, policy, lifetime, alg, size, ns6): config = DEFAULT_CONFIG step = { @@ -45,4 +45,4 @@ def test_lifetime_initial(zone, policy, lifetime, alg, size, servers): ], "nextev": None, } - isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step) + isctest.kasp.check_rollover_step(ns6, config, policy, step) diff --git a/bin/tests/system/rollover-lifetime/tests_rollover_lifetime_reconfig.py b/bin/tests/system/rollover-lifetime/tests_rollover_lifetime_reconfig.py index 6689721edc..1765c88590 100644 --- a/bin/tests/system/rollover-lifetime/tests_rollover_lifetime_reconfig.py +++ b/bin/tests/system/rollover-lifetime/tests_rollover_lifetime_reconfig.py @@ -26,9 +26,9 @@ from common import ( @pytest.fixture(scope="module", autouse=True) -def reconfigure_policy(servers, templates): +def reconfigure_policy(ns6, templates): templates.render("ns6/named.conf", {"change_lifetime": True}) - servers["ns6"].reconfigure() + ns6.reconfigure() @pytest.mark.parametrize( @@ -44,7 +44,7 @@ def reconfigure_policy(servers, templates): param("unlimit-lifetime", "unlimited-lifetime", 0), ], ) -def test_lifetime_reconfig(zone, policy, lifetime, alg, size, servers): +def test_lifetime_reconfig(zone, policy, lifetime, alg, size, ns6): config = DEFAULT_CONFIG step = { @@ -55,4 +55,4 @@ def test_lifetime_reconfig(zone, policy, lifetime, alg, size, servers): ], "nextev": None, } - isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step) + isctest.kasp.check_rollover_step(ns6, config, policy, step) diff --git a/bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py b/bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py index 9c2403ca68..dce4bbc5c0 100644 --- a/bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py +++ b/bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py @@ -28,8 +28,7 @@ from common import ( ) -def test_rollover_multisigner(servers, alg, size): - server = servers["ns3"] +def test_rollover_multisigner(ns3, alg, size): policy = "multisigner-model2" config = { "dnskey-ttl": timedelta(hours=1), @@ -63,7 +62,7 @@ def test_rollover_multisigner(servers, alg, size): zone = "multisigner-model2.kasp" - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) key_properties = [ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden tag-range:32768-65535", @@ -77,7 +76,7 @@ def test_rollover_multisigner(servers, alg, size): expected2[0].properties["legacy"] = True expected = expected + expected2 - ownkeys = isctest.kasp.keydir_to_keylist(zone, server.identifier) + ownkeys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier) extkeys = isctest.kasp.keydir_to_keylist(zone) keys = ownkeys + extkeys ksks = [k for k in ownkeys if k.is_ksk()] @@ -88,9 +87,9 @@ def test_rollover_multisigner(servers, alg, size): for kp in expected: kp.set_expected_keytimes(config) isctest.kasp.check_keytimes(keys, expected) - isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy) - isctest.kasp.check_apex(server, zone, ksks, zsks) - isctest.kasp.check_subdomain(server, zone, ksks, zsks) + isctest.kasp.check_dnssecstatus(ns3, zone, keys, policy=policy) + isctest.kasp.check_apex(ns3, zone, ksks, zsks) + isctest.kasp.check_subdomain(ns3, zone, ksks, zsks) # Update zone with ZSK from another provider for zone. out = keygen(zone) @@ -106,15 +105,15 @@ def test_rollover_multisigner(servers, alg, size): update_msg = dns.update.UpdateMessage(zone) update_msg.add(f"{dnskey[0]}", 3600, "DNSKEY", rdata) - server.nsupdate(update_msg) + ns3.nsupdate(update_msg) - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) keys = keys + newkeys zsks = zsks + newkeys isctest.kasp.check_keys(zone, keys, expected) - isctest.kasp.check_apex(server, zone, ksks, zsks) - isctest.kasp.check_subdomain(server, zone, ksks, zsks) + isctest.kasp.check_apex(ns3, zone, ksks, zsks) + isctest.kasp.check_subdomain(ns3, zone, ksks, zsks) # Remove ZSKs from the other providers for zone. dnskey2 = extkeys[0].dnskey().split() @@ -122,24 +121,24 @@ def test_rollover_multisigner(servers, alg, size): update_msg = dns.update.UpdateMessage(zone) update_msg.delete(f"{dnskey[0]}", "DNSKEY", rdata) update_msg.delete(f"{dnskey2[0]}", "DNSKEY", rdata2) - server.nsupdate(update_msg) + ns3.nsupdate(update_msg) - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) expected = isctest.kasp.policy_to_properties(ttl, key_properties) keys = ownkeys ksks = [k for k in ownkeys if k.is_ksk()] zsks = [k for k in ownkeys if not k.is_ksk()] isctest.kasp.check_keys(zone, keys, expected) - isctest.kasp.check_apex(server, zone, ksks, zsks) - isctest.kasp.check_subdomain(server, zone, ksks, zsks) + isctest.kasp.check_apex(ns3, zone, ksks, zsks) + isctest.kasp.check_subdomain(ns3, zone, ksks, zsks) # A zone transitioning from single-signed to multi-signed. We should have # the old omnipresent keys outside of the desired key range and the new # keys in the desired key range. zone = "single-to-multisigner.kasp" - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) key_properties = [ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden tag-range:32768-65535", @@ -148,7 +147,7 @@ def test_rollover_multisigner(servers, alg, size): f"zsk unlimited {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent tag-range:0-32767 offset:{offval}", ] expected = isctest.kasp.policy_to_properties(ttl, key_properties) - keys = isctest.kasp.keydir_to_keylist(zone, server.identifier) + keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier) ksks = [k for k in keys if k.is_ksk()] zsks = [k for k in keys if not k.is_ksk()] @@ -168,6 +167,6 @@ def test_rollover_multisigner(servers, alg, size): ) isctest.kasp.check_keytimes(keys, expected) - isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy) - isctest.kasp.check_apex(server, zone, ksks, zsks) - isctest.kasp.check_subdomain(server, zone, ksks, zsks) + isctest.kasp.check_dnssecstatus(ns3, zone, keys, policy=policy) + isctest.kasp.check_apex(ns3, zone, ksks, zsks) + isctest.kasp.check_subdomain(ns3, zone, ksks, zsks) diff --git a/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_initial.py b/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_initial.py index 15f1253f9a..538766bffc 100644 --- a/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_initial.py +++ b/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_initial.py @@ -31,7 +31,7 @@ from common import ( "going-straight-to-none-dynamic.kasp", ], ) -def test_straight2none_initial(zone, servers, alg, size): +def test_straight2none_initial(zone, ns6, alg, size): config = DEFAULT_CONFIG policy = "default" @@ -43,4 +43,4 @@ def test_straight2none_initial(zone, servers, alg, size): ], "nextev": None, } - isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step) + isctest.kasp.check_rollover_step(ns6, config, policy, step) diff --git a/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_reconfig.py b/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_reconfig.py index 58663f5e37..81dd240f2c 100644 --- a/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_reconfig.py +++ b/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_reconfig.py @@ -25,9 +25,9 @@ from common import ( @pytest.fixture(scope="module", autouse=True) -def reconfigure_policy(servers, templates): +def reconfigure_policy(ns6, templates): templates.render("ns6/named.conf", {"policy": "none"}) - servers["ns6"].reconfigure() + ns6.reconfigure() @pytest.mark.parametrize( @@ -37,7 +37,7 @@ def reconfigure_policy(servers, templates): "going-straight-to-none-dynamic.kasp", ], ) -def test_straight2none_reconfig(zone, servers, alg, size): +def test_straight2none_reconfig(zone, ns6, alg, size): config = DEFAULT_CONFIG policy = None @@ -51,4 +51,4 @@ def test_straight2none_reconfig(zone, servers, alg, size): ], "nextev": None, } - isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step) + isctest.kasp.check_rollover_step(ns6, config, policy, step) diff --git a/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py b/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py index 24cb04fd8b..bd57f4cb9e 100644 --- a/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py +++ b/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py @@ -54,7 +54,7 @@ OFFSETS["step6-p"] = OFFSETS["step5-p"] - int(CONFIG["purge-keys"].total_seconds OFFSETS["step6-s"] = OFFSETS["step5-s"] - int(CONFIG["purge-keys"].total_seconds()) -def test_zsk_prepub_step1(alg, size, servers): +def test_zsk_prepub_step1(alg, size, ns3): step = { # Introduce the first key. This will immediately be active. "zone": "step1.zsk-prepub.autosign", @@ -67,10 +67,10 @@ def test_zsk_prepub_step1(alg, size, servers): # already passed). "nextev": ZSK_LIFETIME - IPUB - timedelta(days=7), } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_zsk_prepub_step2(alg, size, servers): +def test_zsk_prepub_step2(alg, size, ns3): step = { # it is time to pre-publish the successor zsk. # zsk1 goal: omnipresent -> hidden @@ -87,10 +87,10 @@ def test_zsk_prepub_step2(alg, size, servers): # that is the dnskey ttl plus the zone propagation delay "nextev": IPUB, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_zsk_prepub_step3(alg, size, servers): +def test_zsk_prepub_step3(alg, size, ns3): step = { # predecessor zsk is no longer actively signing. successor zsk is # now actively signing. @@ -112,10 +112,10 @@ def test_zsk_prepub_step3(alg, size, servers): # from the predecessor zsk. "smooth": True, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_zsk_prepub_step4(alg, size, servers): +def test_zsk_prepub_step4(alg, size, ns3): step = { # predecessor zsk is no longer needed. all rrsets are signed with # the successor zsk. @@ -133,10 +133,10 @@ def test_zsk_prepub_step4(alg, size, servers): # this is the dnskey ttl plus zone propagation delay. "nextev": KEYTTLPROP, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_zsk_prepub_step5(alg, size, servers): +def test_zsk_prepub_step5(alg, size, ns3): step = { # predecessor zsk is now removed. # zsk1 dnskey: unretentive -> hidden @@ -152,10 +152,10 @@ def test_zsk_prepub_step5(alg, size, servers): # elapsed. "nextev": ZSK_LIFETIME - IRET - IPUB - KEYTTLPROP, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) -def test_zsk_prepub_step6(alg, size, servers): +def test_zsk_prepub_step6(alg, size, ns3): step = { # predecessor zsk is now purged. "zone": "step6.zsk-prepub.autosign", @@ -165,4 +165,4 @@ def test_zsk_prepub_step6(alg, size, servers): ], "nextev": None, } - isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + isctest.kasp.check_rollover_step(ns3, CONFIG, POLICY, step) diff --git a/bin/tests/system/rollover/tests_rollover_manual.py b/bin/tests/system/rollover/tests_rollover_manual.py index 78723dfa16..41698e6225 100644 --- a/bin/tests/system/rollover/tests_rollover_manual.py +++ b/bin/tests/system/rollover/tests_rollover_manual.py @@ -18,8 +18,7 @@ from isctest.kasp import KeyTimingMetadata, Ipub, Iret from common import pytestmark # pylint: disable=unused-import -def test_rollover_manual(servers): - server = servers["ns3"] +def test_rollover_manual(ns3): policy = "manual-rollover" config = { "dnskey-ttl": timedelta(hours=1), @@ -37,17 +36,17 @@ def test_rollover_manual(servers): size = os.environ["DEFAULT_BITS"] zone = "manual-rollover.kasp" - with server.watch_log_from_start() as watcher: + with ns3.watch_log_from_start() as watcher: watcher.wait_for_line(f"keymgr: {zone} done") - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) key_properties = [ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent", f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent", ] expected = isctest.kasp.policy_to_properties(ttl, key_properties) - keys = isctest.kasp.keydir_to_keylist(zone, server.identifier) + keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier) ksks = [k for k in keys if k.is_ksk()] zsks = [k for k in keys if not k.is_ksk()] @@ -58,9 +57,9 @@ def test_rollover_manual(servers): kp.set_expected_keytimes(config, offset=offset) isctest.kasp.check_keytimes(keys, expected) - isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy) - isctest.kasp.check_apex(server, zone, ksks, zsks) - isctest.kasp.check_subdomain(server, zone, ksks, zsks) + isctest.kasp.check_dnssecstatus(ns3, zone, keys, policy=policy) + isctest.kasp.check_apex(ns3, zone, ksks, zsks) + isctest.kasp.check_subdomain(ns3, zone, ksks, zsks) # Schedule KSK rollover in six months. assert len(ksks) == 1 @@ -71,24 +70,24 @@ def test_rollover_manual(servers): config, zsk=False, ksk=True ) - with server.watch_log_from_here() as watcher: - server.rndc(f"dnssec -rollover -key {ksk.tag} -when {startroll} {zone}") + with ns3.watch_log_from_here() as watcher: + ns3.rndc(f"dnssec -rollover -key {ksk.tag} -when {startroll} {zone}") watcher.wait_for_line(f"keymgr: {zone} done") - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) isctest.kasp.check_keys(zone, keys, expected) isctest.kasp.check_keytimes(keys, expected) - isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy) - isctest.kasp.check_apex(server, zone, ksks, zsks) - isctest.kasp.check_subdomain(server, zone, ksks, zsks) + isctest.kasp.check_dnssecstatus(ns3, zone, keys, policy=policy) + isctest.kasp.check_apex(ns3, zone, ksks, zsks) + isctest.kasp.check_subdomain(ns3, zone, ksks, zsks) # Schedule KSK rollover now. now = KeyTimingMetadata.now() - with server.watch_log_from_here() as watcher: - server.rndc(f"dnssec -rollover -key {ksk.tag} -when {now} {zone}") + with ns3.watch_log_from_here() as watcher: + ns3.rndc(f"dnssec -rollover -key {ksk.tag} -when {now} {zone}") watcher.wait_for_line(f"keymgr: {zone} done") - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) key_properties = [ f"ksk unlimited {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent", @@ -96,7 +95,7 @@ def test_rollover_manual(servers): f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent", ] expected = isctest.kasp.policy_to_properties(ttl, key_properties) - keys = isctest.kasp.keydir_to_keylist(zone, server.identifier) + keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier) ksks = [k for k in keys if k.is_ksk()] zsks = [k for k in keys if not k.is_ksk()] @@ -118,19 +117,19 @@ def test_rollover_manual(servers): ) isctest.kasp.check_keytimes(keys, expected) - isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy) - isctest.kasp.check_apex(server, zone, ksks, zsks) - isctest.kasp.check_subdomain(server, zone, ksks, zsks) + isctest.kasp.check_dnssecstatus(ns3, zone, keys, policy=policy) + isctest.kasp.check_apex(ns3, zone, ksks, zsks) + isctest.kasp.check_subdomain(ns3, zone, ksks, zsks) # Schedule ZSK rollover now. assert len(zsks) == 1 zsk = zsks[0] now = KeyTimingMetadata.now() - with server.watch_log_from_here() as watcher: - server.rndc(f"dnssec -rollover -key {zsk.tag} -when {now} {zone}") + with ns3.watch_log_from_here() as watcher: + ns3.rndc(f"dnssec -rollover -key {zsk.tag} -when {now} {zone}") watcher.wait_for_line(f"keymgr: {zone} done") - isctest.kasp.check_dnssec_verify(server, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) key_properties = [ f"ksk unlimited {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent", @@ -139,7 +138,7 @@ def test_rollover_manual(servers): f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden", ] expected = isctest.kasp.policy_to_properties(ttl, key_properties) - keys = isctest.kasp.keydir_to_keylist(zone, server.identifier) + keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier) ksks = [k for k in keys if k.is_ksk()] zsks = [k for k in keys if not k.is_ksk()] @@ -153,5 +152,5 @@ def test_rollover_manual(servers): # Try to schedule a ZSK rollover for an inactive key (should fail). zsk = expected[3].key - response = server.rndc(f"dnssec -rollover -key {zsk.tag} {zone}") + response = ns3.rndc(f"dnssec -rollover -key {zsk.tag} {zone}") assert "key is not actively signing" in response diff --git a/bin/tests/system/spf/tests_spf_zones.py b/bin/tests/system/spf/tests_spf_zones.py index 550704ba51..bcb08e9e5b 100644 --- a/bin/tests/system/spf/tests_spf_zones.py +++ b/bin/tests/system/spf/tests_spf_zones.py @@ -13,7 +13,7 @@ import pytest @pytest.mark.requires_zones_loaded("ns1") -def test_spf_log(servers): +def test_spf_log(ns1): for msg in ( "zone spf/IN: 'y.spf' found type SPF record but no SPF TXT record found", "zone warn/IN: 'y.warn' found type SPF record but no SPF TXT record found", @@ -21,7 +21,7 @@ def test_spf_log(servers): "zone warn/IN: loaded serial 0", "zone nowarn/IN: loaded serial 0", ): - servers["ns1"].log.expect(msg) + ns1.log.expect(msg) for msg in ( "zone nowarn/IN: 'y.nowarn' found type SPF record but no SPF TXT record found", @@ -29,4 +29,4 @@ def test_spf_log(servers): "zone warn/IN: 'warn' found type SPF record but no SPF TXT record found", "zone nowarn/IN: 'nowarn' found type SPF record but no SPF TXT record found", ): - servers["ns1"].log.prohibit(msg) + ns1.log.prohibit(msg) diff --git a/bin/tests/system/stub/tests_stub.py b/bin/tests/system/stub/tests_stub.py index a456a911ba..89df5bdce0 100644 --- a/bin/tests/system/stub/tests_stub.py +++ b/bin/tests/system/stub/tests_stub.py @@ -26,7 +26,7 @@ pytestmark = pytest.mark.extra_artifacts( ) -def test_stub_zones_availability(servers): +def test_stub_zones_availability(ns3): # check that the stub zone has been saved to disk assert os.path.exists("ns3/child.example.st") @@ -65,8 +65,8 @@ def test_stub_zones_availability(servers): stub_zone_lookout_without_recursion() stub_zone_lookout_with_recursion() - servers["ns3"].stop() - servers["ns3"].start(["--noclean", "--restart", "--port", os.environ["PORT"]]) + ns3.stop() + ns3.start(["--noclean", "--restart", "--port", os.environ["PORT"]]) axfr_denied() stub_zone_lookout_without_recursion() diff --git a/bin/tests/system/tsig/tests_tsig_hypothesis.py b/bin/tests/system/tsig/tests_tsig_hypothesis.py index 39dcc8914f..06ff5452a0 100644 --- a/bin/tests/system/tsig/tests_tsig_hypothesis.py +++ b/bin/tests/system/tsig/tests_tsig_hypothesis.py @@ -101,11 +101,10 @@ def test_tsig_fuzz_rdata( error, mangle_orig_id, other, - servers, + ns1, named_port, ): alg, mac = alg_and_mac - ns1 = servers["ns1"] msg = dns.message.make_query("example.com.", "AXFR") msg.keyring = False # don't validate received TSIG diff --git a/bin/tests/system/xferquota/tests_xferquota.py b/bin/tests/system/xferquota/tests_xferquota.py index c31700e4a2..d64ed58868 100644 --- a/bin/tests/system/xferquota/tests_xferquota.py +++ b/bin/tests/system/xferquota/tests_xferquota.py @@ -33,14 +33,14 @@ pytestmark = pytest.mark.extra_artifacts( ) -def test_xferquota(named_port, servers): +def test_xferquota(named_port, ns1, ns2): # Changing test zone ensuring that the time stamp changes time.sleep(1) shutil.copyfile("ns1/changing2.db", "ns1/changing.db") with open("ns1/named.pid", "r", encoding="utf-8") as pidfile: pid = int(pidfile.read()) os.kill(pid, signal.SIGHUP) - with servers["ns1"].watch_log_from_start() as watcher: + with ns1.watch_log_from_start() as watcher: watcher.wait_for_line("received SIGHUP signal to reload zones") def check_line_count(): @@ -75,6 +75,6 @@ def test_xferquota(named_port, servers): f"transfer of 'changing/IN' from 10.53.0.1#{named_port}: " f"Transfer completed: .*\\(serial 2\\)" ) - with servers["ns2"].watch_log_from_start(timeout=30) as watcher: + with ns2.watch_log_from_start(timeout=30) as watcher: watcher.wait_for_line(pattern) query_and_compare(a_msg) From 3446e70b6a44d67422082acf7411e064b2bfdec6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Tue, 8 Jul 2025 13:46:01 +0200 Subject: [PATCH 2/2] Add wait_for_keymgr_done() util function to tests The kasp test cases assume that keymgr operations on the zone under test have been completed before the test is executed. These are typically quite fast, but the logs need to be explicitly checked for the messages, otherwise there's a possibility of race conditions causing the kasp/rollover tests to become unstable. Call the wait function in all the kasp/rollover tests where it is expected (which is generally in each test, unless we're dealing with unsigned zones). (cherry picked from commit 467b826162170334fe1c81cfde02b2fcb77c7725) --- bin/tests/system/isctest/kasp.py | 17 ++++++- bin/tests/system/kasp/tests_kasp.py | 42 +++++++++++++++- .../tests_rollover_algo_csk_initial.py | 5 +- .../tests_rollover_algo_csk_reconfig.py | 40 +++++++++++++--- .../tests_rollover_algo_ksk_zsk_initial.py | 5 +- .../tests_rollover_algo_ksk_zsk_reconfig.py | 40 +++++++++++++--- .../tests_rollover_csk_roll1.py | 48 +++++++++++++++---- .../tests_rollover_csk_roll2.py | 42 +++++++++++++--- .../tests_rollover_dynamic2inline.py | 6 ++- .../tests_rollover_enable_dnssec.py | 24 ++++++++-- .../tests_rollover_going_insecure_initial.py | 6 ++- .../tests_rollover_going_insecure_reconfig.py | 10 +++- .../tests_rollover_three_is_a_crowd.py | 2 + .../tests_rollover_ksk_doubleksk.py | 36 +++++++++++--- .../tests_rollover_lifetime_initial.py | 2 + .../tests_rollover_lifetime_reconfig.py | 7 +++ .../tests_rollover_multisigner.py | 4 ++ .../tests_rollver_straight2none_initial.py | 2 + .../tests_rollver_straight2none_reconfig.py | 3 ++ .../tests_rollover_zsk_prepublication.py | 36 +++++++++++--- .../system/rollover/tests_rollover_manual.py | 3 +- 21 files changed, 324 insertions(+), 56 deletions(-) diff --git a/bin/tests/system/isctest/kasp.py b/bin/tests/system/isctest/kasp.py index 3391ff7198..df5ea8a5db 100644 --- a/bin/tests/system/isctest/kasp.py +++ b/bin/tests/system/isctest/kasp.py @@ -9,6 +9,7 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +from datetime import datetime, timedelta, timezone from functools import total_ordering import glob import os @@ -18,10 +19,10 @@ import subprocess import time from typing import Dict, List, Optional, Tuple, Union -from datetime import datetime, timedelta, timezone - import dns import dns.tsig + +from isctest.instance import NamedInstance import isctest.log import isctest.query import isctest.util @@ -1520,3 +1521,15 @@ def policy_to_properties(ttl, keys: List[str]) -> List[KeyProperties]: proplist.append(keyprop) return proplist + + +def wait_keymgr_done(server: NamedInstance, zone: str, reconfig: bool = False) -> None: + """ + Block and wait until the keymgr is done processing zone. + """ + messages = [] + if reconfig: + messages.append("received control channel command 'reconfig'") + messages.append(f"keymgr: {zone} done") + with server.watch_log_from_start() as watcher: + watcher.wait_for_sequence(messages) diff --git a/bin/tests/system/kasp/tests_kasp.py b/bin/tests/system/kasp/tests_kasp.py index 4e6eda8d82..0c4005d950 100644 --- a/bin/tests/system/kasp/tests_kasp.py +++ b/bin/tests/system/kasp/tests_kasp.py @@ -642,6 +642,8 @@ def test_kasp_case(servers, ns3, params): zone = params["zone"] policy = params["policy"] + isctest.kasp.wait_keymgr_done(ns3, zone) + params["config"]["key-directory"] = params["config"]["key-directory"].replace( "{keydir}", keydir ) @@ -753,6 +755,8 @@ def test_kasp_inherit_signed(zone, policy, server_id, alg, tsig_kind, servers): else None ) + isctest.kasp.wait_keymgr_done(server, zone) + key1 = KeyProperties.default() key1.metadata["Algorithm"] = alg.number key1.metadata["Length"] = alg.bits @@ -779,6 +783,8 @@ def test_kasp_inherit_view(number, dynamic, inline_signing, txt_rdata, ns4): view = f"example{number}" tsig = f"{os.environ['DEFAULT_HMAC']}:keyforview{number}:{KASP_INHERIT_TSIG_SECRET[f'view{number}']}" + isctest.kasp.wait_keymgr_done(ns4, zone) + key1 = KeyProperties.default() key1.metadata["Algorithm"] = ECDSAP384SHA384.number key1.metadata["Length"] = ECDSAP384SHA384.bits @@ -828,6 +834,8 @@ def test_kasp_default(ns3): zone = "default.kasp" policy = "default" + isctest.kasp.wait_keymgr_done(ns3, zone) + # Key properties. # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. keyprops = [ @@ -904,6 +912,9 @@ def test_kasp_default(ns3): # A zone that uses inline-signing. isctest.log.info("check an inline-signed zone with the default policy is signed") zone = "inline-signing.kasp" + + isctest.kasp.wait_keymgr_done(ns3, zone) + # Key properties. key1 = KeyProperties.default() keys = isctest.kasp.keydir_to_keylist(zone, "ns3") @@ -920,6 +931,9 @@ def test_kasp_dynamic(ns3): isctest.log.info("check dynamic zone is updated and signed after update") zone = "dynamic.kasp" policy = "default" + + isctest.kasp.wait_keymgr_done(ns3, zone) + # Key properties. key1 = KeyProperties.default() expected = [key1] @@ -982,6 +996,9 @@ def test_kasp_dynamic(ns3): # Dynamic, and inline-signing. zone = "dynamic-inline-signing.kasp" + + isctest.kasp.wait_keymgr_done(ns3, zone) + # Key properties. key1 = KeyProperties.default() expected = [key1] @@ -1016,6 +1033,9 @@ def test_kasp_dynamic(ns3): # Dynamic, signed, and inline-signing. isctest.log.info("check dynamic signed, and inline-signed zone") zone = "dynamic-signed-inline-signing.kasp" + + isctest.kasp.wait_keymgr_done(ns3, zone) + # Key properties. key1 = KeyProperties.default() # The ns3/setup.sh script sets all states to omnipresent. @@ -1045,6 +1065,9 @@ def test_kasp_checkds(ns3): f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden", f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured", ] + + isctest.kasp.wait_keymgr_done(ns3, zone) + expected = isctest.kasp.policy_to_properties(ttl=303, keys=policy_keys) keys = isctest.kasp.keydir_to_keylist(zone, "ns3") ksks = [k for k in keys if k.is_ksk()] @@ -1087,6 +1110,9 @@ def test_kasp_checkds_doubleksk(ns3): f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden", f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured", ] + + isctest.kasp.wait_keymgr_done(ns3, zone) + expected = isctest.kasp.policy_to_properties(ttl=303, keys=policy_keys) keys = isctest.kasp.keydir_to_keylist(zone, "ns3") ksks = [k for k in keys if k.is_ksk()] @@ -1156,6 +1182,9 @@ def test_kasp_checkds_csk(ns3): policy_keys = [ f"csk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden", ] + + isctest.kasp.wait_keymgr_done(ns3, zone) + expected = isctest.kasp.policy_to_properties(ttl=303, keys=policy_keys) keys = isctest.kasp.keydir_to_keylist(zone, "ns3") isctest.kasp.check_dnssec_verify(ns3, zone) @@ -1186,7 +1215,10 @@ def test_kasp_special_characters(ns3): # A zone with special characters. isctest.log.info("check special characters") - zone = r'i-am.":\;?&[]\@!\$*+,|=\.\(\)special.kasp' + zone = r"i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp" + + isctest.kasp.wait_keymgr_done(ns3, zone) + # It is non-trivial to adapt the tests to deal with all possible different # escaping characters, so we will just try to verify the zone. isctest.kasp.check_dnssec_verify(ns3, zone) @@ -1197,6 +1229,9 @@ def test_kasp_insecure(ns3): isctest.log.info("check insecure zones") zone = "insecure.kasp" + + isctest.kasp.wait_keymgr_done(ns3, zone) + expected = [] keys = isctest.kasp.keydir_to_keylist(zone, "ns3") isctest.kasp.check_keys(zone, keys, expected) @@ -1432,6 +1467,9 @@ def test_kasp_zsk_retired(ns3): # zsk successor f"zsk 31536000 {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden", ] + + isctest.kasp.wait_keymgr_done(ns3, zone) + expected = isctest.kasp.policy_to_properties(300, key_properties) keys = isctest.kasp.keydir_to_keylist(zone, "ns3") ksks = [k for k in keys if k.is_ksk()] @@ -1550,6 +1588,8 @@ def test_kasp_purge_keys(ns4): f"{os.environ['DEFAULT_HMAC']}:keyforview2:{KASP_INHERIT_TSIG_SECRET['view2']}" ) + isctest.kasp.wait_keymgr_done(ns4, zone) + isctest.kasp.check_dnssec_verify(ns4, zone, tsig=tsig1) isctest.kasp.check_dnssec_verify(ns4, zone, tsig=tsig2) diff --git a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py index aa12acbbaa..a4f518a3f9 100644 --- a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py +++ b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py @@ -24,9 +24,12 @@ from common import ( def test_algoroll_csk_initial(ns6): config = ALGOROLL_CONFIG policy = "csk-algoroll" + zone = "step1.csk-algorithm-roll.kasp" + + isctest.kasp.wait_keymgr_done(ns6, zone) step = { - "zone": "step1.csk-algorithm-roll.kasp", + "zone": zone, "cdss": CDSS, "keyprops": [ f"csk 0 8 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P7D']}", diff --git a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py index 19a58045af..ef1c9842b9 100644 --- a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py +++ b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py @@ -39,9 +39,11 @@ TIME_PASSED = 0 # set in reconfigure() fixture @pytest.fixture(scope="module", autouse=True) def reconfigure(ns6, templates): global TIME_PASSED # pylint: disable=global-statement - start_time = KeyTimingMetadata.now() + + isctest.kasp.wait_keymgr_done(ns6, "step1.csk-algorithm-roll.kasp") templates.render("ns6/named.conf", {"csk_roll": True}) + start_time = KeyTimingMetadata.now() ns6.reconfigure() # Calculate time passed to correctly check for next key events. @@ -49,8 +51,12 @@ def reconfigure(ns6, templates): def test_algoroll_csk_reconfig_step1(ns6, alg, size): + zone = "step1.csk-algorithm-roll.kasp" + + isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True) + step = { - "zone": "step1.csk-algorithm-roll.kasp", + "zone": zone, "cdss": CDSS, "keyprops": [ # The RSASHA keys are outroducing. @@ -65,8 +71,12 @@ def test_algoroll_csk_reconfig_step1(ns6, alg, size): def test_algoroll_csk_reconfig_step2(ns6, alg, size): + zone = "step2.csk-algorithm-roll.kasp" + + isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True) + step = { - "zone": "step2.csk-algorithm-roll.kasp", + "zone": zone, "cdss": CDSS, "keyprops": [ # The RSASHA keys are outroducing, but need to stay present @@ -88,8 +98,12 @@ def test_algoroll_csk_reconfig_step2(ns6, alg, size): def test_algoroll_csk_reconfig_step3(ns6, alg, size): + zone = "step3.csk-algorithm-roll.kasp" + + isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True) + step = { - "zone": "step3.csk-algorithm-roll.kasp", + "zone": zone, "cdss": CDSS, "keyprops": [ # The DS can be swapped. @@ -104,8 +118,12 @@ def test_algoroll_csk_reconfig_step3(ns6, alg, size): def test_algoroll_csk_reconfig_step4(ns6, alg, size): + zone = "step4.csk-algorithm-roll.kasp" + + isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True) + step = { - "zone": "step4.csk-algorithm-roll.kasp", + "zone": zone, "cdss": CDSS, "keyprops": [ # The old DS is HIDDEN, we can remove the old algorithm records. @@ -120,8 +138,12 @@ def test_algoroll_csk_reconfig_step4(ns6, alg, size): def test_algoroll_csk_reconfig_step5(ns6, alg, size): + zone = "step5.csk-algorithm-roll.kasp" + + isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True) + step = { - "zone": "step5.csk-algorithm-roll.kasp", + "zone": zone, "cdss": CDSS, "keyprops": [ # The DNSKEY becomes HIDDEN. @@ -140,8 +162,12 @@ def test_algoroll_csk_reconfig_step5(ns6, alg, size): def test_algoroll_csk_reconfig_step6(ns6, alg, size): + zone = "step6.csk-algorithm-roll.kasp" + + isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True) + step = { - "zone": "step6.csk-algorithm-roll.kasp", + "zone": zone, "cdss": CDSS, "keyprops": [ # The zone signatures are now HIDDEN. diff --git a/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_initial.py b/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_initial.py index 1df8028f57..914f05d335 100644 --- a/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_initial.py +++ b/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_initial.py @@ -24,9 +24,12 @@ from common import ( def test_algoroll_ksk_zsk_initial(ns6): config = ALGOROLL_CONFIG policy = "rsasha256" + zone = "step1.algorithm-roll.kasp" + + isctest.kasp.wait_keymgr_done(ns6, zone) step = { - "zone": "step1.algorithm-roll.kasp", + "zone": zone, "cdss": CDSS, "keyprops": [ f"ksk 0 8 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{-DURATION['P7D']}", diff --git a/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py b/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py index d0e402f950..2eac0cdd3b 100644 --- a/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py +++ b/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py @@ -39,9 +39,11 @@ TIME_PASSED = 0 # set in reconfigure() fixture @pytest.fixture(scope="module", autouse=True) def reconfigure(ns6, templates): global TIME_PASSED # pylint: disable=global-statement - start_time = KeyTimingMetadata.now() + + isctest.kasp.wait_keymgr_done(ns6, "step1.algorithm-roll.kasp") templates.render("ns6/named.conf", {"alg_roll": True}) + start_time = KeyTimingMetadata.now() ns6.reconfigure() # Calculate time passed to correctly check for next key events. @@ -49,8 +51,12 @@ def reconfigure(ns6, templates): def test_algoroll_ksk_zsk_reconfig_step1(ns6, alg, size): + zone = "step1.algorithm-roll.kasp" + + isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True) + step = { - "zone": "step1.algorithm-roll.kasp", + "zone": zone, "cdss": CDSS, "keyprops": [ # The RSASHA keys are outroducing. @@ -67,8 +73,12 @@ def test_algoroll_ksk_zsk_reconfig_step1(ns6, alg, size): def test_algoroll_ksk_zsk_reconfig_step2(ns6, alg, size): + zone = "step2.algorithm-roll.kasp" + + isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True) + step = { - "zone": "step2.algorithm-roll.kasp", + "zone": zone, "cdss": CDSS, "keyprops": [ # The RSASHA keys are outroducing, but need to stay present @@ -92,8 +102,12 @@ def test_algoroll_ksk_zsk_reconfig_step2(ns6, alg, size): def test_algoroll_ksk_zsk_reconfig_step3(ns6, alg, size): + zone = "step3.algorithm-roll.kasp" + + isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True) + step = { - "zone": "step3.algorithm-roll.kasp", + "zone": zone, "cdss": CDSS, "keyprops": [ # The DS can be swapped. @@ -110,8 +124,12 @@ def test_algoroll_ksk_zsk_reconfig_step3(ns6, alg, size): def test_algoroll_ksk_zsk_reconfig_step4(ns6, alg, size): + zone = "step4.algorithm-roll.kasp" + + isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True) + step = { - "zone": "step4.algorithm-roll.kasp", + "zone": zone, "cdss": CDSS, "keyprops": [ # The old DS is HIDDEN, we can remove the old algorithm records. @@ -128,8 +146,12 @@ def test_algoroll_ksk_zsk_reconfig_step4(ns6, alg, size): def test_algoroll_ksk_zsk_reconfig_step5(ns6, alg, size): + zone = "step5.algorithm-roll.kasp" + + isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True) + step = { - "zone": "step5.algorithm-roll.kasp", + "zone": zone, "cdss": CDSS, "keyprops": [ # The DNSKEY becomes HIDDEN. @@ -150,8 +172,12 @@ def test_algoroll_ksk_zsk_reconfig_step5(ns6, alg, size): def test_algoroll_ksk_zsk_reconfig_step6(ns6, alg, size): + zone = "step6.algorithm-roll.kasp" + + isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True) + step = { - "zone": "step6.algorithm-roll.kasp", + "zone": zone, "cdss": CDSS, "keyprops": [ # The zone signatures are now HIDDEN. diff --git a/bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py b/bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py index 8f72165bf8..664d1fef9c 100644 --- a/bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py +++ b/bin/tests/system/rollover-csk-roll1/tests_rollover_csk_roll1.py @@ -63,9 +63,13 @@ OFFSETS["step8-s"] = OFFSETS["step7-s"] - int(CONFIG["purge-keys"].total_seconds def test_csk_roll1_step1(alg, size, ns3): + zone = "step1.csk-roll1.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # Introduce the first key. This will immediately be active. - "zone": "step1.csk-roll1.autosign", + "zone": zone, "cdss": CDSS, "keyprops": [ f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}", @@ -79,6 +83,10 @@ def test_csk_roll1_step1(alg, size, ns3): def test_csk_roll1_step2(alg, size, ns3): + zone = "step2.csk-roll1.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # Successor CSK is prepublished (signs DNSKEY RRset, but not yet # other RRsets). @@ -86,7 +94,7 @@ def test_csk_roll1_step2(alg, size, ns3): # CSK2 goal: hidden -> omnipresent # CSK2 dnskey: hidden -> rumoured # CSK2 krrsig: hidden -> rumoured - "zone": "step2.csk-roll1.autosign", + "zone": zone, "cdss": CDSS, "keyprops": [ f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}", @@ -100,11 +108,15 @@ def test_csk_roll1_step2(alg, size, ns3): def test_csk_roll1_step3(alg, size, ns3): + zone = "step3.csk-roll1.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # Successor CSK becomes omnipresent, meaning we can start signing # the remainder of the zone with the successor CSK, and we can # submit the DS. - "zone": "step3.csk-roll1.autosign", + "zone": zone, "cdss": CDSS, # Predecessor CSK will be removed, so moving to UNRETENTIVE. # CSK1 zrrsig: omnipresent -> unretentive @@ -134,8 +146,12 @@ def test_csk_roll1_step3(alg, size, ns3): def test_csk_roll1_step4(alg, size, ns3): + zone = "step4.csk-roll1.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { - "zone": "step4.csk-roll1.autosign", + "zone": zone, "cdss": CDSS, # The predecessor CSK is no longer signing the DNSKEY RRset. # CSK1 krrsig: omnipresent -> unretentive @@ -157,8 +173,12 @@ def test_csk_roll1_step4(alg, size, ns3): def test_csk_roll1_step5(alg, size, ns3): + zone = "step5.csk-roll1.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { - "zone": "step5.csk-roll1.autosign", + "zone": zone, "cdss": CDSS, # The predecessor KRRSIG records are now all hidden. # CSK1 krrsig: unretentive -> hidden @@ -176,8 +196,12 @@ def test_csk_roll1_step5(alg, size, ns3): def test_csk_roll1_step6(alg, size, ns3): + zone = "step6.csk-roll1.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { - "zone": "step6.csk-roll1.autosign", + "zone": zone, "cdss": CDSS, # The predecessor ZRRSIG records are now all hidden (so the DNSKEY # can be removed). @@ -197,8 +221,12 @@ def test_csk_roll1_step6(alg, size, ns3): def test_csk_roll1_step7(alg, size, ns3): + zone = "step7.csk-roll1.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { - "zone": "step7.csk-roll1.autosign", + "zone": zone, "cdss": CDSS, # The predecessor CSK is now completely HIDDEN. "keyprops": [ @@ -215,8 +243,12 @@ def test_csk_roll1_step7(alg, size, ns3): def test_csk_roll1_step8(alg, size, ns3): + zone = "step8.csk-roll1.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { - "zone": "step8.csk-roll1.autosign", + "zone": zone, "cdss": CDSS, "keyprops": [ f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step8-s']}", diff --git a/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py b/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py index 844f754c17..6bbe19345c 100644 --- a/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py +++ b/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py @@ -66,9 +66,13 @@ OFFSETS["step7-s"] = OFFSETS["step6-s"] - int(timedelta(days=90).total_seconds() def test_csk_roll2_step1(alg, size, ns3): + zone = "step1.csk-roll2.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # Introduce the first key. This will immediately be active. - "zone": "step1.csk-roll2.autosign", + "zone": zone, "cdss": CDSS, "keyprops": [ f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}", @@ -82,6 +86,10 @@ def test_csk_roll2_step1(alg, size, ns3): def test_csk_roll2_step2(alg, size, ns3): + zone = "step2.csk-roll2.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # Successor CSK is prepublished (signs DNSKEY RRset, but not yet # other RRsets). @@ -89,7 +97,7 @@ def test_csk_roll2_step2(alg, size, ns3): # CSK2 goal: hidden -> omnipresent # CSK2 dnskey: hidden -> rumoured # CSK2 krrsig: hidden -> rumoured - "zone": "step2.csk-roll2.autosign", + "zone": zone, "cdss": CDSS, "keyprops": [ f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}", @@ -103,11 +111,15 @@ def test_csk_roll2_step2(alg, size, ns3): def test_csk_roll2_step3(alg, size, ns3): + zone = "step3.csk-roll2.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # Successor CSK becomes omnipresent, meaning we can start signing # the remainder of the zone with the successor CSK, and we can # submit the DS. - "zone": "step3.csk-roll2.autosign", + "zone": zone, "cdss": CDSS, # Predecessor CSK will be removed, so moving to UNRETENTIVE. # CSK1 zrrsig: omnipresent -> unretentive @@ -137,8 +149,12 @@ def test_csk_roll2_step3(alg, size, ns3): def test_csk_roll2_step4(alg, size, ns3): + zone = "step4.csk-roll2.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { - "zone": "step4.csk-roll2.autosign", + "zone": zone, "cdss": CDSS, # The predecessor ZRRSIG is HIDDEN. The successor ZRRSIG is # OMNIPRESENT. @@ -162,8 +178,12 @@ def test_csk_roll2_step4(alg, size, ns3): def test_csk_roll2_step5(alg, size, ns3): + zone = "step5.csk-roll2.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { - "zone": "step5.csk-roll2.autosign", + "zone": zone, "cdss": CDSS, # The predecessor DNSKEY can be removed. # CSK1 dnskey: omnipresent -> unretentive @@ -184,8 +204,12 @@ def test_csk_roll2_step5(alg, size, ns3): def test_csk_roll2_step6(alg, size, ns3): + zone = "step6.csk-roll2.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { - "zone": "step6.csk-roll2.autosign", + "zone": zone, "cdss": CDSS, # The predecessor CSK is now completely HIDDEN. # CSK1 dnskey: unretentive -> hidden @@ -203,8 +227,12 @@ def test_csk_roll2_step6(alg, size, ns3): def test_csk_roll2_step7(alg, size, ns3): + zone = "step7.csk-roll2.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { - "zone": "step7.csk-roll2.autosign", + "zone": zone, "cdss": CDSS, # The predecessor CSK is now completely HIDDEN. "keyprops": [ diff --git a/bin/tests/system/rollover-dynamic2inline/tests_rollover_dynamic2inline.py b/bin/tests/system/rollover-dynamic2inline/tests_rollover_dynamic2inline.py index 39b0a900f4..23accc0941 100644 --- a/bin/tests/system/rollover-dynamic2inline/tests_rollover_dynamic2inline.py +++ b/bin/tests/system/rollover-dynamic2inline/tests_rollover_dynamic2inline.py @@ -24,9 +24,12 @@ from common import ( def test_dynamic2inline(alg, size, ns6, templates): config = DEFAULT_CONFIG policy = "default" + zone = "dynamic2inline.kasp" + + isctest.kasp.wait_keymgr_done(ns6, zone) step = { - "zone": "dynamic2inline.kasp", + "zone": zone, "cdss": CDSS, "keyprops": [ f"csk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden", @@ -38,5 +41,6 @@ def test_dynamic2inline(alg, size, ns6, templates): templates.render("ns6/named.conf", {"change_lifetime": True}) ns6.reconfigure() + isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True) isctest.kasp.check_rollover_step(ns6, config, policy, step) diff --git a/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py b/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py index c879f5061c..544e8d5be0 100644 --- a/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py +++ b/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py @@ -45,8 +45,12 @@ OFFSETS["step4"] = -int(IPUBC.total_seconds() + IRETKSK.total_seconds()) def test_rollover_enable_dnssec_step1(alg, size, ns3): + zone = "step1.enable-dnssec.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { - "zone": "step1.enable-dnssec.autosign", + "zone": zone, "cdss": CDSS, "keyprops": [ f"csk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden offset:{OFFSETS['step1']}", @@ -59,8 +63,12 @@ def test_rollover_enable_dnssec_step1(alg, size, ns3): def test_rollover_enable_dnssec_step2(alg, size, ns3): + zone = "step2.enable-dnssec.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { - "zone": "step2.enable-dnssec.autosign", + "zone": zone, "cdss": CDSS, # The DNSKEY is omnipresent, but the zone signatures not yet. # Thus, the DS remains hidden. @@ -77,8 +85,12 @@ def test_rollover_enable_dnssec_step2(alg, size, ns3): def test_rollover_enable_dnssec_step3(alg, size, ns3): + zone = "step3.enable-dnssec.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { - "zone": "step3.enable-dnssec.autosign", + "zone": zone, "cdss": CDSS, # All signatures should be omnipresent, so the DS can be submitted. # zrrsig: rumoured -> omnipresent @@ -94,8 +106,12 @@ def test_rollover_enable_dnssec_step3(alg, size, ns3): def test_rollover_enable_dnssec_step4(alg, size, ns3): + zone = "step4.enable-dnssec.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { - "zone": "step4.enable-dnssec.autosign", + "zone": zone, "cdss": CDSS, # DS has been published long enough. # ds: rumoured -> omnipresent diff --git a/bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_initial.py b/bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_initial.py index 112e2cc31f..229fcb7f77 100644 --- a/bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_initial.py +++ b/bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_initial.py @@ -34,8 +34,12 @@ from common import ( def test_going_insecure_initial(zone, ns6, alg, size): config = UNSIGNING_CONFIG policy = "unsigning" + zone = f"step1.{zone}" + + isctest.kasp.wait_keymgr_done(ns6, zone) + step = { - "zone": f"step1.{zone}", + "zone": zone, "cdss": CDSS, "keyprops": [ f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}", diff --git a/bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_reconfig.py b/bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_reconfig.py index 60a0b54c90..d20b0e4c0e 100644 --- a/bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_reconfig.py +++ b/bin/tests/system/rollover-going-insecure/tests_rollover_going_insecure_reconfig.py @@ -41,11 +41,14 @@ def reconfigure_policy(ns6, templates): def test_going_insecure_reconfig_step1(zone, alg, size, ns6): config = DEFAULT_CONFIG policy = "insecure" + zone = f"step1.{zone}" + + isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True) # Key goal states should be HIDDEN. # The DS may be removed if we are going insecure. step = { - "zone": f"step1.{zone}", + "zone": zone, "cdss": CDSS, "keyprops": [ f"ksk 0 {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{-DURATION['P10D']}", @@ -71,12 +74,15 @@ def test_going_insecure_reconfig_step1(zone, alg, size, ns6): def test_going_insecure_reconfig_step2(zone, alg, size, ns6): config = DEFAULT_CONFIG policy = "insecure" + zone = f"step2.{zone}" + + isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True) # The DS is long enough removed from the zone to be considered # HIDDEN. This means the DNSKEY and the KSK signatures can be # removed. step = { - "zone": f"step2.{zone}", + "zone": zone, "cdss": CDSS, "keyprops": [ f"ksk 0 {alg} {size} goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{-DURATION['P10D']}", diff --git a/bin/tests/system/rollover-ksk-3crowd/tests_rollover_three_is_a_crowd.py b/bin/tests/system/rollover-ksk-3crowd/tests_rollover_three_is_a_crowd.py index c43d318aaa..7891c37fa5 100644 --- a/bin/tests/system/rollover-ksk-3crowd/tests_rollover_three_is_a_crowd.py +++ b/bin/tests/system/rollover-ksk-3crowd/tests_rollover_three_is_a_crowd.py @@ -37,6 +37,8 @@ def test_rollover_ksk_three_is_a_crowd(alg, size, ns3): """Test #2375: Scheduled rollovers are happening faster than they can finish.""" zone = "three-is-a-crowd.kasp" + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { "zone": zone, "cdss": CDSS, diff --git a/bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py b/bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py index 76df1fb710..e8a4e6bb18 100644 --- a/bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py +++ b/bin/tests/system/rollover-ksk-doubleksk/tests_rollover_ksk_doubleksk.py @@ -46,9 +46,13 @@ OFFSETS["step6-s"] = OFFSETS["step5-s"] - int(KSK_CONFIG["purge-keys"].total_sec def test_ksk_doubleksk_step1(alg, size, ns3): + zone = "step1.ksk-doubleksk.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # Introduce the first key. This will immediately be active. - "zone": "step1.ksk-doubleksk.autosign", + "zone": zone, "cdss": CDSS, "keyprops": [ f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step1-p']}", @@ -63,13 +67,17 @@ def test_ksk_doubleksk_step1(alg, size, ns3): def test_ksk_doubleksk_step2(alg, size, ns3): + zone = "step2.ksk-doubleksk.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # Successor KSK is prepublished (and signs DNSKEY RRset). # KSK1 goal: omnipresent -> hidden # KSK2 goal: hidden -> omnipresent # KSK2 dnskey: hidden -> rumoured # KSK2 krrsig: hidden -> rumoured - "zone": "step2.ksk-doubleksk.autosign", + "zone": zone, "cdss": CDSS, "keyprops": [ f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}", @@ -84,6 +92,10 @@ def test_ksk_doubleksk_step2(alg, size, ns3): def test_ksk_doubleksk_step3(alg, size, ns3): + zone = "step3.ksk-doubleksk.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # The successor DNSKEY RRset has become omnipresent. The # predecessor DS can be withdrawn and the successor DS can be @@ -92,7 +104,7 @@ def test_ksk_doubleksk_step3(alg, size, ns3): # KSK2 dnskey: rumoured -> omnipresent # KSK2 krrsig: rumoured -> omnipresent # KSK2 ds: hidden -> rumoured - "zone": "step3.ksk-doubleksk.autosign", + "zone": zone, "cdss": CDSS, "keyprops": [ f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3-p']}", @@ -110,6 +122,10 @@ def test_ksk_doubleksk_step3(alg, size, ns3): def test_ksk_doubleksk_step4(alg, size, ns3): + zone = "step4.ksk-doubleksk.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # The predecessor DNSKEY may be removed, the successor DS is # omnipresent. @@ -117,7 +133,7 @@ def test_ksk_doubleksk_step4(alg, size, ns3): # KSK1 krrsig: omnipresent -> unretentive # KSK1 ds: unretentive -> hidden # KSK2 ds: rumoured -> omnipresent - "zone": "step4.ksk-doubleksk.autosign", + "zone": zone, "cdss": CDSS, "keyprops": [ f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-p']}", @@ -133,12 +149,16 @@ def test_ksk_doubleksk_step4(alg, size, ns3): def test_ksk_doubleksk_step5(alg, size, ns3): + zone = "step5.ksk-doubleksk.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # The predecessor DNSKEY is long enough removed from the zone it # has become hidden. # KSK1 dnskey: unretentive -> hidden # KSK1 krrsig: unretentive -> hidden - "zone": "step5.ksk-doubleksk.autosign", + "zone": zone, "cdss": CDSS, "keyprops": [ f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step5-p']}", @@ -154,9 +174,13 @@ def test_ksk_doubleksk_step5(alg, size, ns3): def test_ksk_doubleksk_step6(alg, size, ns3): + zone = "step6.ksk-doubleksk.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # Predecessor KSK is now purged. - "zone": "step6.ksk-doubleksk.autosign", + "zone": zone, "cdss": CDSS, "keyprops": [ f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6-p']}", diff --git a/bin/tests/system/rollover-lifetime/tests_rollover_lifetime_initial.py b/bin/tests/system/rollover-lifetime/tests_rollover_lifetime_initial.py index 2801073842..29acc4fddd 100644 --- a/bin/tests/system/rollover-lifetime/tests_rollover_lifetime_initial.py +++ b/bin/tests/system/rollover-lifetime/tests_rollover_lifetime_initial.py @@ -37,6 +37,8 @@ from common import ( def test_lifetime_initial(zone, policy, lifetime, alg, size, ns6): config = DEFAULT_CONFIG + isctest.kasp.wait_keymgr_done(ns6, zone) + step = { "zone": zone, "cdss": CDSS, diff --git a/bin/tests/system/rollover-lifetime/tests_rollover_lifetime_reconfig.py b/bin/tests/system/rollover-lifetime/tests_rollover_lifetime_reconfig.py index 1765c88590..8d1d92f51d 100644 --- a/bin/tests/system/rollover-lifetime/tests_rollover_lifetime_reconfig.py +++ b/bin/tests/system/rollover-lifetime/tests_rollover_lifetime_reconfig.py @@ -27,6 +27,11 @@ from common import ( @pytest.fixture(scope="module", autouse=True) def reconfigure_policy(ns6, templates): + isctest.kasp.wait_keymgr_done(ns6, "shorter-lifetime") + isctest.kasp.wait_keymgr_done(ns6, "longer-lifetime") + isctest.kasp.wait_keymgr_done(ns6, "limit-lifetime") + isctest.kasp.wait_keymgr_done(ns6, "unlimit-lifetime") + templates.render("ns6/named.conf", {"change_lifetime": True}) ns6.reconfigure() @@ -47,6 +52,8 @@ def reconfigure_policy(ns6, templates): def test_lifetime_reconfig(zone, policy, lifetime, alg, size, ns6): config = DEFAULT_CONFIG + isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True) + step = { "zone": zone, "cdss": CDSS, diff --git a/bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py b/bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py index dce4bbc5c0..313cd7189a 100644 --- a/bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py +++ b/bin/tests/system/rollover-multisigner/tests_rollover_multisigner.py @@ -62,6 +62,8 @@ def test_rollover_multisigner(ns3, alg, size): zone = "multisigner-model2.kasp" + isctest.kasp.wait_keymgr_done(ns3, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) key_properties = [ @@ -138,6 +140,8 @@ def test_rollover_multisigner(ns3, alg, size): # keys in the desired key range. zone = "single-to-multisigner.kasp" + isctest.kasp.wait_keymgr_done(ns3, zone) + isctest.kasp.check_dnssec_verify(ns3, zone) key_properties = [ diff --git a/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_initial.py b/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_initial.py index 538766bffc..fd87d49807 100644 --- a/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_initial.py +++ b/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_initial.py @@ -35,6 +35,8 @@ def test_straight2none_initial(zone, ns6, alg, size): config = DEFAULT_CONFIG policy = "default" + isctest.kasp.wait_keymgr_done(ns6, zone) + step = { "zone": zone, "cdss": CDSS, diff --git a/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_reconfig.py b/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_reconfig.py index 81dd240f2c..68ce4e134d 100644 --- a/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_reconfig.py +++ b/bin/tests/system/rollover-straight2none/tests_rollver_straight2none_reconfig.py @@ -26,6 +26,9 @@ from common import ( @pytest.fixture(scope="module", autouse=True) def reconfigure_policy(ns6, templates): + isctest.kasp.wait_keymgr_done(ns6, "going-straight-to-none.kasp") + isctest.kasp.wait_keymgr_done(ns6, "going-straight-to-none-dynamic.kasp") + templates.render("ns6/named.conf", {"policy": "none"}) ns6.reconfigure() diff --git a/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py b/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py index bd57f4cb9e..726940f24c 100644 --- a/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py +++ b/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py @@ -55,9 +55,13 @@ OFFSETS["step6-s"] = OFFSETS["step5-s"] - int(CONFIG["purge-keys"].total_seconds def test_zsk_prepub_step1(alg, size, ns3): + zone = "step1.zsk-prepub.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # Introduce the first key. This will immediately be active. - "zone": "step1.zsk-prepub.autosign", + "zone": zone, "keyprops": [ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}", f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step1-p']}", @@ -71,12 +75,16 @@ def test_zsk_prepub_step1(alg, size, ns3): def test_zsk_prepub_step2(alg, size, ns3): + zone = "step2.zsk-prepub.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # it is time to pre-publish the successor zsk. # zsk1 goal: omnipresent -> hidden # zsk2 goal: hidden -> omnipresent # zsk2 dnskey: hidden -> rumoured - "zone": "step2.zsk-prepub.autosign", + "zone": zone, "keyprops": [ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}", f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}", @@ -91,13 +99,17 @@ def test_zsk_prepub_step2(alg, size, ns3): def test_zsk_prepub_step3(alg, size, ns3): + zone = "step3.zsk-prepub.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # predecessor zsk is no longer actively signing. successor zsk is # now actively signing. # zsk1 zrrsig: omnipresent -> unretentive # zsk2 dnskey: rumoured -> omnipresent # zsk2 zrrsig: hidden -> rumoured - "zone": "step3.zsk-prepub.autosign", + "zone": zone, "keyprops": [ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}", f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:unretentive offset:{OFFSETS['step3-p']}", @@ -116,13 +128,17 @@ def test_zsk_prepub_step3(alg, size, ns3): def test_zsk_prepub_step4(alg, size, ns3): + zone = "step4.zsk-prepub.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # predecessor zsk is no longer needed. all rrsets are signed with # the successor zsk. # zsk1 dnskey: omnipresent -> unretentive # zsk1 zrrsig: unretentive -> hidden # zsk2 zrrsig: rumoured -> omnipresent - "zone": "step4.zsk-prepub.autosign", + "zone": zone, "keyprops": [ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-p']}", f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:unretentive zrrsig:hidden offset:{OFFSETS['step4-p']}", @@ -137,10 +153,14 @@ def test_zsk_prepub_step4(alg, size, ns3): def test_zsk_prepub_step5(alg, size, ns3): + zone = "step5.zsk-prepub.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # predecessor zsk is now removed. # zsk1 dnskey: unretentive -> hidden - "zone": "step5.zsk-prepub.autosign", + "zone": zone, "keyprops": [ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-p']}", f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:hidden zrrsig:hidden offset:{OFFSETS['step5-p']}", @@ -156,9 +176,13 @@ def test_zsk_prepub_step5(alg, size, ns3): def test_zsk_prepub_step6(alg, size, ns3): + zone = "step6.zsk-prepub.autosign" + + isctest.kasp.wait_keymgr_done(ns3, zone) + step = { # predecessor zsk is now purged. - "zone": "step6.zsk-prepub.autosign", + "zone": zone, "keyprops": [ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-p']}", f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6-s']}", diff --git a/bin/tests/system/rollover/tests_rollover_manual.py b/bin/tests/system/rollover/tests_rollover_manual.py index 41698e6225..3602329180 100644 --- a/bin/tests/system/rollover/tests_rollover_manual.py +++ b/bin/tests/system/rollover/tests_rollover_manual.py @@ -36,8 +36,7 @@ def test_rollover_manual(ns3): size = os.environ["DEFAULT_BITS"] zone = "manual-rollover.kasp" - with ns3.watch_log_from_start() as watcher: - watcher.wait_for_line(f"keymgr: {zone} done") + isctest.kasp.wait_keymgr_done(ns3, zone) isctest.kasp.check_dnssec_verify(ns3, zone)