Fix statschannel system test
The manykeys test case relies on keys being removed. Make sure the
zone is fully signed with the keys that will stay, so the other keys
may be removed safely.
This means the expected number of signatures generated and refreshed
will change. The CDS and CDNSKEY RRset also need to be signed now.
Configure the test case with sig-signing-signatures 100, large enough
that the entire zone is processed in a single step.
(cherry picked from commit 14a243a81d)
This commit is contained in:
parent
5b85b93847
commit
da8cef5ade
7 changed files with 52 additions and 29 deletions
|
|
@ -24,6 +24,7 @@ options {
|
|||
notify no;
|
||||
minimal-responses no;
|
||||
version none; // make statistics independent of the version number
|
||||
sig-signing-signatures 100;
|
||||
};
|
||||
|
||||
statistics-channels { inet 10.53.0.2 port @EXTRAPORT1@ allow { localhost; }; };
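Review bot: The new `sig-signing-signatures 100;` line carries no explanation, while the neighbouring `version none;` does, and the reason (per the commit message: large enough for the whole zone to be processed in one step so the manykeys key-removal case is stable) is not obvious from the value. Suggest `sig-signing-signatures 100; // large enough to process the entire zone in a single signing step (manykeys test)`. The same line is added without a comment in the second hunk of this page (the named2.conf.in counterpart); the `options {` block it sits in starts above the hunk.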
|
||||
|
|
|
|||
|
|
@ -24,6 +24,7 @@ options {
|
|||
notify no;
|
||||
minimal-responses no;
|
||||
version none; // make statistics independent of the version number
|
||||
sig-signing-signatures 100;
|
||||
};
|
||||
|
||||
statistics-channels { inet 10.53.0.2 port @EXTRAPORT1@ allow { localhost; }; };
|
||||
|
|
|
|||
|
|
@ -16,13 +16,18 @@
|
|||
|
||||
set -e
|
||||
|
||||
longago="now-1y"
|
||||
keytimes="-P ${longago} -A ${longago}"
|
||||
O="omnipresent"
|
||||
|
||||
zone=dnssec.
|
||||
infile=dnssec.db.in
|
||||
zonefile=dnssec.db.signed
|
||||
zonefile=dnssec.db
|
||||
cp $infile $zonefile
|
||||
ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -L 3600 -b "$DEFAULT_BITS" -f KSK "$zone")
|
||||
zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -L 3600 -b "$DEFAULT_BITS" "$zone")
|
||||
# Sign deliberately with a very short expiration date.
|
||||
"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1
|
||||
"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" "$zonefile" >"signzone.out.$zone" 2>&1
|
||||
id=$(keyfile_to_key_id "$ksk")
|
||||
echo "$DEFAULT_ALGORITHM_NUMBER+$id" >dnssec.ksk.id
|
||||
id=$(keyfile_to_key_id "$zsk")
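Review bot: The added `cp $infile $zonefile` leaves both variables unquoted, whereas every other path on the neighbouring new lines (`-o "$zone"`, `"$zonefile"`) is quoted; for consistency and to avoid word-splitting surprises write `cp "$infile" "$zonefile"`. The same unquoted `cp` appears again in the manykeys hunk below. The script is flat (no enclosing function), so the new `longago`/`keytimes`/`O` variables are globals shared by both zone blocks.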
|
||||
|
|
@ -30,16 +35,22 @@ echo "$DEFAULT_ALGORITHM_NUMBER+$id" >dnssec.zsk.id
|
|||
|
||||
zone=manykeys.
|
||||
infile=manykeys.db.in
|
||||
zonefile=manykeys.db.signed
|
||||
ksk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 -f KSK "$zone")
|
||||
zsk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 "$zone")
|
||||
zonefile=manykeys.db
|
||||
cp $infile $zonefile
|
||||
ksk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 -f KSK $keytimes -P sync $longago "$zone")
|
||||
zsk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 $keytimes "$zone")
|
||||
$SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$ksk8" >settime.out.$zone 2>&1
|
||||
$SETTIME -s -g $O -k $O $longago -z $O $longago "$zsk8" >settime.out.$zone 2>&1
|
||||
cat $ksk8.key $zsk8.key >>$zonefile
|
||||
ksk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -L 3600 -b 256 -f KSK "$zone")
|
||||
zsk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -L 3600 -b 256 "$zone")
|
||||
cat $ksk13.key $zsk13.key >>$zonefile
|
||||
ksk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -L 3600 -b 384 -f KSK "$zone")
|
||||
zsk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -L 3600 -b 384 "$zone")
|
||||
cat $ksk14.key $zsk14.key >>$zonefile
|
||||
# Sign deliberately with a very short expiration date.
|
||||
# Disable zone verification (-P) as records may expire before signing is complete
|
||||
"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1
|
||||
"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" "$zonefile" >"signzone.out.$zone" 2>&1
|
||||
id=$(keyfile_to_key_id "$ksk8")
|
||||
echo "8+$id" >manykeys.ksk8.id
|
||||
id=$(keyfile_to_key_id "$zsk8")
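Review bot: The second `$SETTIME` line redirects with `>settime.out.$zone`, which truncates the file written by the first `$SETTIME` call one line above, so the ksk8 settime output is lost before anyone can read it. Change the second line to append: `$SETTIME -s -g $O -k $O $longago -z $O $longago "$zsk8" >>settime.out.$zone 2>&1`. Separately, `$SETTIME` is invoked unquoted on both lines while `"$KEYGEN"` and `"$SIGNER"` are quoted; `"$SETTIME"` would match the file's own convention. The `-P sync $longago` on ksk8 is presumably what brings CDS/CDNSKEY into scope for signing, which the statistics expectations below depend on — worth a one-line comment on that line.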
|
||||
|
|
|
|||
|
|
@ -392,22 +392,22 @@ ksk13_id=$(cat ns2/$zone.ksk13.id)
|
|||
zsk13_id=$(cat ns2/$zone.zsk13.id)
|
||||
ksk14_id=$(cat ns2/$zone.ksk14.id)
|
||||
zsk14_id=$(cat ns2/$zone.zsk14.id)
|
||||
# The dnssec zone has 10 RRsets to sign (including NSEC) with the ZSKs and one
|
||||
# RRset (DNSKEY) with the KSKs. So starting named with signatures that expire
|
||||
# almost right away, this should trigger 10 zsk and 1 ksk sign operations per
|
||||
# key.
|
||||
# The dnssec zone has 10 RRsets to sign (including NSEC) with the ZSKs and the
|
||||
# DNSKEY, CDS, and CDNSKEY RRsets with the KSKs. So starting named with
|
||||
# signatures that expire almost right away, this should trigger 10 zsk and 3
|
||||
# ksk sign operations per key.
|
||||
echo "${refresh_prefix} ${zsk8_id}: 10" >zones.expect
|
||||
echo "${refresh_prefix} ${zsk13_id}: 10" >>zones.expect
|
||||
echo "${refresh_prefix} ${zsk14_id}: 10" >>zones.expect
|
||||
echo "${refresh_prefix} ${ksk8_id}: 1" >>zones.expect
|
||||
echo "${refresh_prefix} ${ksk13_id}: 1" >>zones.expect
|
||||
echo "${refresh_prefix} ${ksk14_id}: 1" >>zones.expect
|
||||
echo "${refresh_prefix} ${ksk8_id}: 3" >>zones.expect
|
||||
echo "${refresh_prefix} ${ksk13_id}: 3" >>zones.expect
|
||||
echo "${refresh_prefix} ${ksk14_id}: 3" >>zones.expect
|
||||
echo "${sign_prefix} ${zsk8_id}: 10" >>zones.expect
|
||||
echo "${sign_prefix} ${zsk13_id}: 10" >>zones.expect
|
||||
echo "${sign_prefix} ${zsk14_id}: 10" >>zones.expect
|
||||
echo "${sign_prefix} ${ksk8_id}: 1" >>zones.expect
|
||||
echo "${sign_prefix} ${ksk13_id}: 1" >>zones.expect
|
||||
echo "${sign_prefix} ${ksk14_id}: 1" >>zones.expect
|
||||
echo "${sign_prefix} ${ksk8_id}: 3" >>zones.expect
|
||||
echo "${sign_prefix} ${ksk13_id}: 3" >>zones.expect
|
||||
echo "${sign_prefix} ${ksk14_id}: 3" >>zones.expect
|
||||
cat zones.expect | sort >zones.expect.$n
|
||||
rm -f zones.expect
|
||||
# Fetch and check the dnssec sign statistics.
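Review bot: The rewritten comment still opens with "The dnssec zone has 10 RRsets to sign", but the ids it explains are read from `ns2/$zone.ksk13.id` and `ns2/$zone.ksk14.id`, and per the sign.sh hunk only the manykeys zone has ksk13/ksk14 keys, so `$zone` here appears to be `manykeys.` rather than `dnssec.`. If that reading is right, the first sentence should say `# The manykeys zone has 10 RRsets to sign (including NSEC) with the ZSKs and the` so a reader does not look for CDS/CDNSKEY signing in the wrong zone. The assignment of `$zone` is above the hunk, so this is inferred from the key ids alone.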
|
||||
|
|
@ -437,15 +437,15 @@ ret=0
|
|||
echo "${refresh_prefix} ${zsk8_id}: 10" >zones.expect
|
||||
echo "${refresh_prefix} ${zsk13_id}: 10" >>zones.expect
|
||||
echo "${refresh_prefix} ${zsk14_id}: 10" >>zones.expect
|
||||
echo "${refresh_prefix} ${ksk8_id}: 1" >>zones.expect
|
||||
echo "${refresh_prefix} ${ksk13_id}: 1" >>zones.expect
|
||||
echo "${refresh_prefix} ${ksk14_id}: 1" >>zones.expect
|
||||
echo "${refresh_prefix} ${ksk8_id}: 3" >>zones.expect
|
||||
echo "${refresh_prefix} ${ksk13_id}: 3" >>zones.expect
|
||||
echo "${refresh_prefix} ${ksk14_id}: 3" >>zones.expect
|
||||
echo "${sign_prefix} ${zsk8_id}: 13" >>zones.expect
|
||||
echo "${sign_prefix} ${zsk13_id}: 13" >>zones.expect
|
||||
echo "${sign_prefix} ${zsk14_id}: 13" >>zones.expect
|
||||
echo "${sign_prefix} ${ksk8_id}: 1" >>zones.expect
|
||||
echo "${sign_prefix} ${ksk13_id}: 1" >>zones.expect
|
||||
echo "${sign_prefix} ${ksk14_id}: 1" >>zones.expect
|
||||
echo "${sign_prefix} ${ksk8_id}: 3" >>zones.expect
|
||||
echo "${sign_prefix} ${ksk13_id}: 3" >>zones.expect
|
||||
echo "${sign_prefix} ${ksk14_id}: 3" >>zones.expect
|
||||
cat zones.expect | sort >zones.expect.$n
|
||||
rm -f zones.expect
|
||||
# Fetch and check the dnssec sign statistics.
|
||||
|
|
@ -466,15 +466,15 @@ n=$((n + 1))
|
|||
ret=0
|
||||
copy_setports ns2/named2.conf.in ns2/named.conf
|
||||
$RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/I:ns2 /'
|
||||
# This should trigger the resign of DNSKEY (+1 ksk), and SOA, NSEC,
|
||||
# TYPE65534 (+3 zsk). The dnssec-sign statistics for the removed keys should
|
||||
# be cleared and thus no longer visible. But NSEC and SOA are (mistakenly)
|
||||
# counted double, one time because of zone_resigninc and one time because of
|
||||
# zone_nsec3chain. So +5 zsk in total.
|
||||
# This should trigger the resign of DNSKEY, CDS, and CDNSKEY (+3 ksk),
|
||||
# and SOA, NSEC, TYPE65534 (+3 zsk). The dnssec-sign statistics for the
|
||||
# removed keys should be cleared and thus no longer visible. But NSEC and SOA
|
||||
# are (mistakenly) counted double, one time because of zone_resigninc and one
|
||||
# time because of zone_nsec3chain. So +5 zsk in total.
|
||||
echo "${refresh_prefix} ${zsk8_id}: 15" >zones.expect
|
||||
echo "${refresh_prefix} ${ksk8_id}: 2" >>zones.expect
|
||||
echo "${refresh_prefix} ${ksk8_id}: 6" >>zones.expect
|
||||
echo "${sign_prefix} ${zsk8_id}: 18" >>zones.expect
|
||||
echo "${sign_prefix} ${ksk8_id}: 2" >>zones.expect
|
||||
echo "${sign_prefix} ${ksk8_id}: 6" >>zones.expect
|
||||
cat zones.expect | sort >zones.expect.$n
|
||||
rm -f zones.expect
|
||||
# Fetch and check the dnssec sign statistics.
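Review bot: The rewritten comment keeps the sentence that NSEC and SOA are "(mistakenly) counted double", so the expected values `zsk8: 15` / `18` now encode a known counting bug without any pointer to where it is tracked; when the double count is fixed these expectations will silently break and the next person will have to rediscover why. Suggest appending a reference on that comment, e.g. `# (tracked in [ISSUE-ID placeholder]; expectations drop by 2 once fixed)`.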
|
||||
|
|
|
|||
|
|
@ -31,8 +31,11 @@ pytestmark = [
|
|||
"ns2/dsset-*",
|
||||
"ns2/K*",
|
||||
"ns2/dnssec.db.signed",
|
||||
"ns2/dnssec.db",
|
||||
"ns2/dnssec.*.id",
|
||||
"ns2/manykeys.db",
|
||||
"ns2/manykeys.*.id",
|
||||
"ns2/settime.out.*",
|
||||
"ns2/signzone.out.*",
|
||||
"ns3/_default.nzd",
|
||||
"ns3/example-tcp.db",
|
||||
|
|
|
|||
|
|
@ -31,11 +31,15 @@ pytestmark = pytest.mark.extra_artifacts(
|
|||
"zones*",
|
||||
"ns2/*.jnl",
|
||||
"ns2/*.signed",
|
||||
"ns2/*.db",
|
||||
"ns2/dsset-*",
|
||||
"ns2/K*",
|
||||
"ns2/dnssec.db",
|
||||
"ns2/dnssec.*.id",
|
||||
"ns2/manykeys.db",
|
||||
"ns2/manykeys.*.id",
|
||||
"ns2/named.stats",
|
||||
"ns2/settime.out.*",
|
||||
"ns2/signzone.out.*",
|
||||
"ns3/_default.nzf*",
|
||||
"ns3/_default.nzd*",
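Review bot: On the new side this artifact list contains both the glob `"ns2/*.db"` and the explicit entries `"ns2/dnssec.db"` and `"ns2/manykeys.db"`, which the glob already matches, so the two explicit entries are redundant here. Either drop them or drop the glob, to keep the list consistent with the other two test files on this page, which list the explicit `.db` names without a wildcard. The `extra_artifacts(` call starts above the hunk, so there may be further entries above that I cannot see.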
|
||||
|
|
|
|||
|
|
@ -31,8 +31,11 @@ pytestmark = [
|
|||
"ns2/*.jnl",
|
||||
"ns2/*.signed",
|
||||
"ns2/dsset-*",
|
||||
"ns2/dnssec.db",
|
||||
"ns2/dnssec.*.id",
|
||||
"ns2/manykeys.db",
|
||||
"ns2/manykeys.*.id",
|
||||
"ns2/settime.out.*",
|
||||
"ns2/signzone.out.*",
|
||||
"ns3/_default.nzd",
|
||||
"ns3/example-tcp.db",
|
||||
|
|
|
|||