From da8cef5adeec5eff671982979004f1198d1340a7 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Mon, 4 Aug 2025 14:34:07 +0200
Subject: [PATCH] Fix statschannel system test
The manykeys test case relies on keys being removed. Make sure the zone is fully signed with the keys that will stay, so the other keys may be removed safely. This means the expected number of signatures generated and refreshed will change. The CDS and CDNSKEY RRset also need to be signed now. Configure the test case with sig-signing-signatures 100, large enough that the entire zone is processed in a single step.
(cherry picked from commit 14a243a81dd6b438345d70ff7963ceaaedd85ee7)
---
 .../system/statschannel/ns2/named.conf.in | 1 +
 .../system/statschannel/ns2/named2.conf.in | 1 +
 bin/tests/system/statschannel/ns2/sign.sh | 23 +++++++---
 bin/tests/system/statschannel/tests.sh | 46 +++++++++----------
 bin/tests/system/statschannel/tests_json.py | 3 ++
 .../statschannel/tests_sh_statschannel.py | 4 ++
 bin/tests/system/statschannel/tests_xml.py | 3 ++
 7 files changed, 52 insertions(+), 29 deletions(-)
diff --git a/bin/tests/system/statschannel/ns2/named.conf.in b/bin/tests/system/statschannel/ns2/named.conf.in
index 342d03b561..c2f4c1f278 100644
--- a/bin/tests/system/statschannel/ns2/named.conf.in
+++ b/bin/tests/system/statschannel/ns2/named.conf.in
@@ -24,6 +24,7 @@ options {
 notify no;
 minimal-responses no;
 version none; // make statistics independent of the version number
+ sig-signing-signatures 100;
 };
 statistics-channels { inet 10.53.0.2 port @EXTRAPORT1@ allow { localhost; }; };
diff --git a/bin/tests/system/statschannel/ns2/named2.conf.in b/bin/tests/system/statschannel/ns2/named2.conf.in
index c726ae4220..f93bf94e75 100644
--- a/bin/tests/system/statschannel/ns2/named2.conf.in
+++ b/bin/tests/system/statschannel/ns2/named2.conf.in
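Review bot: The new `sig-signing-signatures 100;` line carries no in-file explanation of why 100 was chosen, although the line directly above it shows this file's habit of justifying test-specific settings with a trailing comment. A comment in the same style would do, e.g. `sig-signing-signatures 100; // large enough to process the entire zone in a single step`. The identical line is added to ns2/named2.conf.in in the next hunk and should get the same comment so the two configurations stay in step.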
@@ -24,6 +24,7 @@ options {
 notify no;
 minimal-responses no;
 version none; // make statistics independent of the version number
+ sig-signing-signatures 100;
 };
 statistics-channels { inet 10.53.0.2 port @EXTRAPORT1@ allow { localhost; }; };
diff --git a/bin/tests/system/statschannel/ns2/sign.sh b/bin/tests/system/statschannel/ns2/sign.sh
index b9d2ed72d3..a4df397a2a 100644
--- a/bin/tests/system/statschannel/ns2/sign.sh
+++ b/bin/tests/system/statschannel/ns2/sign.sh
@@ -16,13 +16,18 @@ set -e
+longago="now-1y"
+keytimes="-P ${longago} -A ${longago}"
+O="omnipresent"
+
 zone=dnssec.
 infile=dnssec.db.in
-zonefile=dnssec.db.signed
+zonefile=dnssec.db
+cp $infile $zonefile
 ksk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -L 3600 -b "$DEFAULT_BITS" -f KSK "$zone")
 zsk=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -L 3600 -b "$DEFAULT_BITS" "$zone")
 # Sign deliberately with a very short expiration date.
-"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1
+"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" "$zonefile" >"signzone.out.$zone" 2>&1
 id=$(keyfile_to_key_id "$ksk")
 echo "$DEFAULT_ALGORITHM_NUMBER+$id" >dnssec.ksk.id
 id=$(keyfile_to_key_id "$zsk")
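Review bot: `cp $infile $zonefile` leaves both variables unquoted while every other use of `$zone`, `$zonefile` and `$infile` in this hunk is quoted; the values contain no whitespace today, but the mixed style invites a quoting bug when someone edits the names later. Prefer `cp "$infile" "$zonefile"`; the second sign.sh hunk repeats the pattern in its `cp`, the `cat $ksk8.key ...` lines and the unquoted `$SETTIME`. Also, `longago`, `keytimes` and `O` are introduced at the top of the dnssec section but only used in the manykeys section further down, so a short comment such as `# timing metadata for the manykeys keys that are kept when the others are removed` would explain their purpose — that reading comes from the commit message, so adjust the wording if it is not exact.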
@@ -30,16 +35,22 @@ echo "$DEFAULT_ALGORITHM_NUMBER+$id" >dnssec.zsk.id
 zone=manykeys.
 infile=manykeys.db.in
-zonefile=manykeys.db.signed
-ksk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 -f KSK "$zone")
-zsk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 "$zone")
+zonefile=manykeys.db
+cp $infile $zonefile
+ksk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 -f KSK $keytimes -P sync $longago "$zone")
+zsk8=$("$KEYGEN" -q -a RSASHA256 -L 3600 -b 2048 $keytimes "$zone")
+$SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$ksk8" >settime.out.$zone 2>&1
+$SETTIME -s -g $O -k $O $longago -z $O $longago "$zsk8" >settime.out.$zone 2>&1
+cat $ksk8.key $zsk8.key >>$zonefile
 ksk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -L 3600 -b 256 -f KSK "$zone")
 zsk13=$("$KEYGEN" -q -a ECDSAP256SHA256 -L 3600 -b 256 "$zone")
+cat $ksk13.key $zsk13.key >>$zonefile
 ksk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -L 3600 -b 384 -f KSK "$zone")
 zsk14=$("$KEYGEN" -q -a ECDSAP384SHA384 -L 3600 -b 384 "$zone")
+cat $ksk14.key $zsk14.key >>$zonefile
 # Sign deliberately with a very short expiration date.
 # Disable zone verification (-P) as records may expire before signing is complete
-"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" -f "$zonefile" "$infile" >"signzone.out.$zone" 2>&1
+"$SIGNER" -P -S -x -O full -e "now"+1s -o "$zone" "$zonefile" >"signzone.out.$zone" 2>&1
 id=$(keyfile_to_key_id "$ksk8")
 echo "8+$id" >manykeys.ksk8.id
 id=$(keyfile_to_key_id "$zsk8")
diff --git a/bin/tests/system/statschannel/tests.sh b/bin/tests/system/statschannel/tests.sh
index 8a343fe1b5..f681649331 100644
--- a/bin/tests/system/statschannel/tests.sh
+++ b/bin/tests/system/statschannel/tests.sh
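Review bot: The two `$SETTIME` invocations both redirect with `>settime.out.$zone 2>&1`, so the second call truncates the file and whatever the first call printed for `$ksk8` is gone by the time `ns2/settime.out.*` is collected as an artifact. Appending on the second call, `>>settime.out.$zone 2>&1`, or writing one file per key keeps both outputs available for debugging. Separately, `$SETTIME` is unquoted while `"$KEYGEN"` and `"$SIGNER"` on the neighbouring lines are quoted.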
@@ -392,22 +392,22 @@ ksk13_id=$(cat ns2/$zone.ksk13.id)
 zsk13_id=$(cat ns2/$zone.zsk13.id)
 ksk14_id=$(cat ns2/$zone.ksk14.id)
 zsk14_id=$(cat ns2/$zone.zsk14.id)
-# The dnssec zone has 10 RRsets to sign (including NSEC) with the ZSKs and one
-# RRset (DNSKEY) with the KSKs. So starting named with signatures that expire
-# almost right away, this should trigger 10 zsk and 1 ksk sign operations per
-# key.
+# The dnssec zone has 10 RRsets to sign (including NSEC) with the ZSKs and the
+# DNSKEY, CDS, and CDNSKEY RRsets with the KSKs. So starting named with
+# signatures that expire almost right away, this should trigger 10 zsk and 3
+# ksk sign operations per key.
 echo "${refresh_prefix} ${zsk8_id}: 10" >zones.expect
 echo "${refresh_prefix} ${zsk13_id}: 10" >>zones.expect
 echo "${refresh_prefix} ${zsk14_id}: 10" >>zones.expect
-echo "${refresh_prefix} ${ksk8_id}: 1" >>zones.expect
-echo "${refresh_prefix} ${ksk13_id}: 1" >>zones.expect
-echo "${refresh_prefix} ${ksk14_id}: 1" >>zones.expect
+echo "${refresh_prefix} ${ksk8_id}: 3" >>zones.expect
+echo "${refresh_prefix} ${ksk13_id}: 3" >>zones.expect
+echo "${refresh_prefix} ${ksk14_id}: 3" >>zones.expect
 echo "${sign_prefix} ${zsk8_id}: 10" >>zones.expect
 echo "${sign_prefix} ${zsk13_id}: 10" >>zones.expect
 echo "${sign_prefix} ${zsk14_id}: 10" >>zones.expect
-echo "${sign_prefix} ${ksk8_id}: 1" >>zones.expect
-echo "${sign_prefix} ${ksk13_id}: 1" >>zones.expect
-echo "${sign_prefix} ${ksk14_id}: 1" >>zones.expect
+echo "${sign_prefix} ${ksk8_id}: 3" >>zones.expect
+echo "${sign_prefix} ${ksk13_id}: 3" >>zones.expect
+echo "${sign_prefix} ${ksk14_id}: 3" >>zones.expect
 cat zones.expect | sort >zones.expect.$n
 rm -f zones.expect
 # Fetch and check the dnssec sign statistics.
@@ -437,15 +437,15 @@ ret=0
 echo "${refresh_prefix} ${zsk8_id}: 10" >zones.expect
 echo "${refresh_prefix} ${zsk13_id}: 10" >>zones.expect
 echo "${refresh_prefix} ${zsk14_id}: 10" >>zones.expect
-echo "${refresh_prefix} ${ksk8_id}: 1" >>zones.expect
-echo "${refresh_prefix} ${ksk13_id}: 1" >>zones.expect
-echo "${refresh_prefix} ${ksk14_id}: 1" >>zones.expect
+echo "${refresh_prefix} ${ksk8_id}: 3" >>zones.expect
+echo "${refresh_prefix} ${ksk13_id}: 3" >>zones.expect
+echo "${refresh_prefix} ${ksk14_id}: 3" >>zones.expect
 echo "${sign_prefix} ${zsk8_id}: 13" >>zones.expect
 echo "${sign_prefix} ${zsk13_id}: 13" >>zones.expect
 echo "${sign_prefix} ${zsk14_id}: 13" >>zones.expect
-echo "${sign_prefix} ${ksk8_id}: 1" >>zones.expect
-echo "${sign_prefix} ${ksk13_id}: 1" >>zones.expect
-echo "${sign_prefix} ${ksk14_id}: 1" >>zones.expect
+echo "${sign_prefix} ${ksk8_id}: 3" >>zones.expect
+echo "${sign_prefix} ${ksk13_id}: 3" >>zones.expect
+echo "${sign_prefix} ${ksk14_id}: 3" >>zones.expect
 cat zones.expect | sort >zones.expect.$n
 rm -f zones.expect
 # Fetch and check the dnssec sign statistics.
@@ -466,15 +466,15 @@ n=$((n + 1))
 ret=0
 copy_setports ns2/named2.conf.in ns2/named.conf
 $RNDCCMD 10.53.0.2 reload 2>&1 | sed 's/^/I:ns2 /'
-# This should trigger the resign of DNSKEY (+1 ksk), and SOA, NSEC,
-# TYPE65534 (+3 zsk). The dnssec-sign statistics for the removed keys should
-# be cleared and thus no longer visible. But NSEC and SOA are (mistakenly)
-# counted double, one time because of zone_resigninc and one time because of
-# zone_nsec3chain. So +5 zsk in total.
+# This should trigger the resign of DNSKEY, CDS, and CDNSKEY (+3 ksk),
+# and SOA, NSEC, TYPE65534 (+3 zsk). The dnssec-sign statistics for the
+# removed keys should be cleared and thus no longer visible. But NSEC and SOA
+# are (mistakenly) counted double, one time because of zone_resigninc and one
+# time because of zone_nsec3chain. So +5 zsk in total.
 echo "${refresh_prefix} ${zsk8_id}: 15" >zones.expect
-echo "${refresh_prefix} ${ksk8_id}: 2" >>zones.expect
+echo "${refresh_prefix} ${ksk8_id}: 6" >>zones.expect
 echo "${sign_prefix} ${zsk8_id}: 18" >>zones.expect
-echo "${sign_prefix} ${ksk8_id}: 2" >>zones.expect
+echo "${sign_prefix} ${ksk8_id}: 6" >>zones.expect
 cat zones.expect | sort >zones.expect.$n
 rm -f zones.expect
 # Fetch and check the dnssec sign statistics.
diff --git a/bin/tests/system/statschannel/tests_json.py b/bin/tests/system/statschannel/tests_json.py
index 21f2402243..6a2dbc9f96 100755
--- a/bin/tests/system/statschannel/tests_json.py
+++ b/bin/tests/system/statschannel/tests_json.py
@@ -31,8 +31,11 @@ pytestmark = [
 "ns2/dsset-*",
 "ns2/K*",
 "ns2/dnssec.db.signed",
+ "ns2/dnssec.db",
 "ns2/dnssec.*.id",
+ "ns2/manykeys.db",
 "ns2/manykeys.*.id",
+ "ns2/settime.out.*",
 "ns2/signzone.out.*",
 "ns3/_default.nzd",
 "ns3/example-tcp.db",
diff --git a/bin/tests/system/statschannel/tests_sh_statschannel.py b/bin/tests/system/statschannel/tests_sh_statschannel.py
index 2f7a826aa4..7b5788010d 100644
--- a/bin/tests/system/statschannel/tests_sh_statschannel.py
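Review bot: The rewritten comment keeps a known miscount as part of the test contract — "NSEC and SOA are (mistakenly) counted double" is what pushes the zsk8 expectations to 15 and 18 — but nothing marks it for follow-up, so a fix of the double counting in named would surface here as an unexplained failure rather than as a test that is expected to need updating. Turning that sentence into a `# TODO:` line, with the tracking reference if one exists, makes the dependency visible to whoever fixes the counting. The ksk8 values 6 and 6 are consistent with the "+3 ksk" stated in the comment and need no change.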
+++ b/bin/tests/system/statschannel/tests_sh_statschannel.py
@@ -31,11 +31,15 @@ pytestmark = pytest.mark.extra_artifacts(
 "zones*",
 "ns2/*.jnl",
 "ns2/*.signed",
+ "ns2/*.db",
 "ns2/dsset-*",
 "ns2/K*",
+ "ns2/dnssec.db",
 "ns2/dnssec.*.id",
+ "ns2/manykeys.db",
 "ns2/manykeys.*.id",
 "ns2/named.stats",
+ "ns2/settime.out.*",
 "ns2/signzone.out.*",
 "ns3/_default.nzf*",
 "ns3/_default.nzd*",
diff --git a/bin/tests/system/statschannel/tests_xml.py b/bin/tests/system/statschannel/tests_xml.py
index 796eea9d24..59fbcf0b06 100755
--- a/bin/tests/system/statschannel/tests_xml.py
+++ b/bin/tests/system/statschannel/tests_xml.py
@@ -31,8 +31,11 @@ pytestmark = [
 "ns2/*.jnl",
 "ns2/*.signed",
 "ns2/dsset-*",
+ "ns2/dnssec.db",
 "ns2/dnssec.*.id",
+ "ns2/manykeys.db",
 "ns2/manykeys.*.id",
+ "ns2/settime.out.*",
 "ns2/signzone.out.*",
 "ns3/_default.nzd",
 "ns3/example-tcp.db",
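Review bot: `"ns2/*.db"` already matches the `"ns2/dnssec.db"` and `"ns2/manykeys.db"` entries added further down the same artifact list in tests_sh_statschannel.py, so two of the four additions here are redundant. The sibling lists in tests_json.py and tests_xml.py received only the explicit names, so dropping the glob here keeps the three lists in step; if the glob is the intended form, drop the two explicit names instead and consider adding the glob to the other two files as well.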