From 25d2d7e46e5735ea5813acab7556f0bef0d18885 Mon Sep 17 00:00:00 2001 From: Tom Krizek Date: Wed, 5 Oct 2022 15:59:13 +0200 Subject: [PATCH 1/5] Make digdelv test work in different network envs When a target server is unreachable, the varying network conditions may cause different ICMP message (or no message). The host unreachable message was discovered when attempting to run the test locally while connected to a VPN network which handles all traffic. Extend the dig output check with "host unreachable" message to avoid a false negative test result in certain network environments. (cherry picked from commit 1e7d832342aa2aaaeb8ef1710ec095dfcade4c6d) --- bin/tests/system/digdelv/tests.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bin/tests/system/digdelv/tests.sh b/bin/tests/system/digdelv/tests.sh index 939560737f..c630ae1e8a 100644 --- a/bin/tests/system/digdelv/tests.sh +++ b/bin/tests/system/digdelv/tests.sh @@ -1023,7 +1023,7 @@ if [ -x "$DIG" ] ; then echo_i "check that dig tries the next server after a UDP socket network unreachable error ($n)" ret=0 dig_with_opts @192.0.2.128 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 - test $(grep -F -e "connection refused" -e "timed out" -e "network unreachable" dig.out.test$n | wc -l) -eq 3 || ret=1 + test $(grep -F -e "connection refused" -e "timed out" -e "network unreachable" -e "host unreachable" dig.out.test$n | wc -l) -eq 3 || ret=1 grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) 
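Review bot: The count check on the changed line pipes `grep -F` into `wc -l` inside an unquoted `$(...)`, and each newly seen network condition widens the pattern list while the test title still names only "network unreachable". `grep -c` gives the same number without the extra process or the whitespace that some `wc` implementations emit: `test "$(grep -c -F -e "connection refused" -e "timed out" -e "network unreachable" -e "host unreachable" "dig.out.test$n")" -eq 3 || ret=1`. The TCP hunk at -1032 has the identical line and would take the same change. The enclosing `if [ -x "$DIG" ]` block starts and ends outside both hunks.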
@@ -1032,7 +1032,7 @@ if [ -x "$DIG" ] ; then echo_i "check that dig tries the next server after a TCP socket network unreachable error ($n)" ret=0 dig_with_opts +tcp @192.0.2.128 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1 - test $(grep -F -e "connection refused" -e "timed out" -e "network unreachable" dig.out.test$n | wc -l) -eq 3 || ret=1 + test $(grep -F -e "connection refused" -e "timed out" -e "network unreachable" -e "host unreachable" dig.out.test$n | wc -l) -eq 3 || ret=1 grep -F "status: NOERROR" dig.out.test$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status+ret)) From bd8262dc356a80915766f3632628eea81dc038a7 Mon Sep 17 00:00:00 2001 
From: Tom Krizek Date: Mon, 10 Oct 2022 17:21:41 +0200 Subject: [PATCH 2/5] Revive dialup system test Properly template the port number in config files with copy_setports. The test takes two minutes on my machine which doesn't seem like a proper justification to exclude it from the test suite, especially considering we run these tests in parallel nowadays. The resource usage doesn't seems significantly increased so it shouldn't interfere with other system tests. There also exists a precedent for longer running system tests that are already part of the default system test suite (e.g. serve-stale takes almost three minutes on the same machine). (cherry picked from commit 235ae5f344895fa5d20924e5eeba74a24b33d5d7) --- bin/tests/system/Makefile.am | 7 ++++--- bin/tests/system/conf.sh.common | 4 ++-- bin/tests/system/dialup/clean.sh | 2 ++ .../dialup/ns1/{named.conf => named.conf.in} | 2 +- .../dialup/ns2/{named.conf => named.conf.in} | 2 +- .../dialup/ns3/{named.conf => named.conf.in} | 2 +- bin/tests/system/dialup/setup.sh | 19 +++++++++++++++++++ bin/tests/system/dialup/tests.sh | 2 +- bin/tests/system/dupsigs/tests.sh | 2 +- .../rrl/{broken.conf => broken.conf.in} | 4 ++-- bin/tests/system/rrl/clean.sh | 1 + bin/tests/system/rrl/setup.sh | 1 + 12 files changed, 36 insertions(+), 12 deletions(-) rename bin/tests/system/dialup/ns1/{named.conf => named.conf.in} (98%) rename bin/tests/system/dialup/ns2/{named.conf => named.conf.in} (98%) rename bin/tests/system/dialup/ns3/{named.conf => named.conf.in} (98%) create mode 100644 bin/tests/system/dialup/setup.sh rename bin/tests/system/rrl/{broken.conf => broken.conf.in} (91%) diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am index dc73117b27..15371f57ba 100644 --- a/bin/tests/system/Makefile.am +++ b/bin/tests/system/Makefile.am @@ -105,6 +105,7 @@ TESTS += \ checknames \ checkzone \ database \ + dialup \ dlzexternal \ dns64 \ dscp \ 
@@ -172,9 +173,9 @@ TESTS += \ # The "stress" test is not run by default since it creates enough # load on the machine to make it unusable to other users. -# The "dialup" and "dupsigs" tests are also not run by -# default because they take a very long time to complete. -# TESTS += dialup dupsigs stress +# The "dupsigs" test is not run by default because it takes +# a very long time to complete. +# TESTS += dupsigs stress if HAVE_LMDB TESTS += nzd2nzf diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common index e0811c8eaa..726e20f817 100644 --- a/bin/tests/system/conf.sh.common +++ b/bin/tests/system/conf.sh.common @@ -28,8 +28,8 @@ export LANG=C # # The "stress" test is not run by default since it creates enough # load on the machine to make it unusable to other users. -# The "dialup" and "dupsigs" tests are also not run by -# default because they take a very long time to complete. +# The "dupsigs" test is not run by default because it takes +# a very long time to complete. # # The following tests are hard-coded to use ports 5300 and 9953. For # this reason, these must be run sequentially. diff --git a/bin/tests/system/dialup/clean.sh b/bin/tests/system/dialup/clean.sh index 581c3ccdfa..9318255bfa 100644 --- a/bin/tests/system/dialup/clean.sh +++ b/bin/tests/system/dialup/clean.sh @@ -14,3 +14,5 @@ rm -f ns2/example.bk rm -f ns3/example.bk rm -f */named.memstats */named.run +rm -f ns*/named.conf +rm -f ns*/named.lock diff --git a/bin/tests/system/dialup/ns1/named.conf b/bin/tests/system/dialup/ns1/named.conf.in similarity index 98% rename from bin/tests/system/dialup/ns1/named.conf rename to bin/tests/system/dialup/ns1/named.conf.in index 14852d13f9..4b8302bcfa 100644 --- a/bin/tests/system/dialup/ns1/named.conf +++ b/bin/tests/system/dialup/ns1/named.conf.in 
@@ -17,7 +17,7 @@ options { query-source address 10.53.0.1; notify-source 10.53.0.1; transfer-source 10.53.0.1; - port 5300; + port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.1; }; listen-on-v6 { none; }; diff --git a/bin/tests/system/dialup/ns2/named.conf b/bin/tests/system/dialup/ns2/named.conf.in similarity index 98% rename from bin/tests/system/dialup/ns2/named.conf rename to bin/tests/system/dialup/ns2/named.conf.in index d36d4346aa..382f5ce9a4 100644 --- a/bin/tests/system/dialup/ns2/named.conf +++ b/bin/tests/system/dialup/ns2/named.conf.in @@ -17,7 +17,7 @@ options { query-source address 10.53.0.2; notify-source 10.53.0.2; transfer-source 10.53.0.2; - port 5300; + port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.2; }; listen-on-v6 { none; }; diff --git a/bin/tests/system/dialup/ns3/named.conf b/bin/tests/system/dialup/ns3/named.conf.in similarity index 98% rename from bin/tests/system/dialup/ns3/named.conf rename to bin/tests/system/dialup/ns3/named.conf.in index 5158ef963f..054a65893c 100644 --- a/bin/tests/system/dialup/ns3/named.conf +++ b/bin/tests/system/dialup/ns3/named.conf.in @@ -17,7 +17,7 @@ options { query-source address 10.53.0.3; notify-source 10.53.0.3; transfer-source 10.53.0.3; - port 5300; + port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.3; }; listen-on-v6 { none; }; diff --git a/bin/tests/system/dialup/setup.sh b/bin/tests/system/dialup/setup.sh new file mode 100644 index 0000000000..dad3589a35 --- /dev/null +++ b/bin/tests/system/dialup/setup.sh 
@@ -0,0 +1,19 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../conf.sh + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf diff --git a/bin/tests/system/dialup/tests.sh b/bin/tests/system/dialup/tests.sh index efc976177a..3a8f5e8980 100644 --- a/bin/tests/system/dialup/tests.sh +++ b/bin/tests/system/dialup/tests.sh @@ -17,7 +17,7 @@ status=0 rm -f dig.out.* -DIGOPTS="+norec +tcp +noadd +nosea +nostat +noquest +nocmd -p 5300" +DIGOPTS="+norec +tcp +noadd +nosea +nostat +noquest +nocmd -p ${PORT}" # Check the example. domain diff --git a/bin/tests/system/dupsigs/tests.sh b/bin/tests/system/dupsigs/tests.sh index 9778ff9a2e..731a3193b3 100644 --- a/bin/tests/system/dupsigs/tests.sh +++ b/bin/tests/system/dupsigs/tests.sh @@ -20,7 +20,7 @@ do et=`expr $now - $start` echo "=============== $et ============" $JOURNALPRINT ns1/signing.test.db.signed.jnl | $PERL check_journal.pl - $DIG axfr signing.test -p 5300 @10.53.0.1 > dig.out.at$et + $DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c lines=`awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l` if [ ${et} -ne 0 -a ${lines} -ne 4009 ] diff --git a/bin/tests/system/rrl/broken.conf b/bin/tests/system/rrl/broken.conf.in similarity index 91% rename from bin/tests/system/rrl/broken.conf rename to bin/tests/system/rrl/broken.conf.in index bf98736ee5..020542cfe7 100644 --- a/bin/tests/system/rrl/broken.conf 
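Review bot: The new dialup/setup.sh runs three `copy_setports` calls with no error handling, so the script's exit status is that of the last call only and a failure templating ns1 or ns2 would leave a missing or stale named.conf unnoticed until named starts. It also does not begin with `$SHELL clean.sh`, which rrl/setup.sh in this same patch does before its own `copy_setports` lines. Adding `$SHELL clean.sh` and `set -e` directly after `. ../conf.sh` would surface a failed step at setup time; whether `copy_setports` returns non-zero on failure is not visible here and should be confirmed.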
+++ b/bin/tests/system/rrl/broken.conf.in @@ -17,7 +17,7 @@ options { query-source address 10.53.0.5; notify-source 10.53.0.5; transfer-source 10.53.0.5; - port 5300; + port @PORT@; pid-file "named.pid"; statistics-file "named.stats"; listen-on { 10.53.0.5; }; @@ -41,6 +41,6 @@ key rndc_key { algorithm hmac-sha256; }; controls { - inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; }; + inet 10.53.0.5 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; diff --git a/bin/tests/system/rrl/clean.sh b/bin/tests/system/rrl/clean.sh index abb10bd744..5709d9f7fd 100644 --- a/bin/tests/system/rrl/clean.sh +++ b/bin/tests/system/rrl/clean.sh @@ -16,5 +16,6 @@ rm -f */named.memstats */named.run */named.stats */log-* */session.key rm -f ns3/bl*.db */*.jnl */*.core */*.pid rm -f ns*/named.lock rm -f ns*/named.conf +rm -f broken.conf rm -f broken.out rm -f ns*/managed-keys.bind* diff --git a/bin/tests/system/rrl/setup.sh b/bin/tests/system/rrl/setup.sh index 49a642683d..752b02ceed 100644 --- a/bin/tests/system/rrl/setup.sh +++ b/bin/tests/system/rrl/setup.sh @@ -15,6 +15,7 @@ $SHELL clean.sh +copy_setports broken.conf.in broken.conf copy_setports ns1/named.conf.in ns1/named.conf copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf From ef0eadf864f1d6c0f3de7192629f668e218e42c1 Mon Sep 17 00:00:00 2001 
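Review bot: The templated controls line in rrl/broken.conf.in keeps `allow { any; }`, so the control channel on 10.53.0.5 accepts connections from any source and is protected only by `rndc_key`; stress/ns3/named.conf.in in the next patch carries the same line for 10.53.0.3. That is presumably acceptable for addresses used only by the test harness, but nothing in the template says so. A comment above the block such as `/* test fixture: control channel open to any source, guarded only by rndc_key; do not reuse outside the system tests */` would make the intent explicit. The `key rndc_key` block begins above the hunk.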
From: Tom Krizek Date: Fri, 14 Oct 2022 16:59:50 +0200 Subject: [PATCH 3/5] Revive the stress system test Ensure the port numbers are dynamically filled in with copy_setports. Clarify test fail condition. Make the stress test part of the default test suite since it doesn't seem to run too long or interfere with other tests any more (the original note claiming so is more than 20 years old). Related !6883 (cherry picked from commit 7495deea3e80fe20dd32dabf1d174d1458ce2b47) --- bin/tests/system/Makefile.am | 5 ++--- bin/tests/system/conf.sh.common | 2 -- bin/tests/system/stress/clean.sh | 3 +++ bin/tests/system/stress/ns1/{named.conf => named.conf.in} | 2 +- bin/tests/system/stress/ns2/{named.conf => named.conf.in} | 2 +- bin/tests/system/stress/ns3/{named.conf => named.conf.in} | 4 ++-- bin/tests/system/stress/ns4/{named.conf => named.conf.in} | 2 +- bin/tests/system/stress/setup.sh | 5 +++++ bin/tests/system/stress/tests.sh | 8 ++++++-- 9 files changed, 21 insertions(+), 12 deletions(-) rename bin/tests/system/stress/ns1/{named.conf => named.conf.in} (98%) rename bin/tests/system/stress/ns2/{named.conf => named.conf.in} (98%) rename bin/tests/system/stress/ns3/{named.conf => named.conf.in} (91%) rename bin/tests/system/stress/ns4/{named.conf => named.conf.in} (98%) diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am index 15371f57ba..f185dd26fb 100644 --- a/bin/tests/system/Makefile.am +++ b/bin/tests/system/Makefile.am @@ -171,11 +171,9 @@ TESTS += \ xferquota \ zonechecks -# The "stress" test is not run by default since it creates enough -# load on the machine to make it unusable to other users. # The "dupsigs" test is not run by default because it takes # a very long time to complete. -# TESTS += dupsigs stress +# TESTS += dupsigs if HAVE_LMDB TESTS += nzd2nzf @@ -189,6 +187,7 @@ TESTS += \ nsupdate \ resolver \ statistics \ + stress \ upforwd \ zero 
diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common index 726e20f817..ff0950f129 100644 --- a/bin/tests/system/conf.sh.common +++ b/bin/tests/system/conf.sh.common @@ -26,8 +26,6 @@ export LANG=C # # Common lists of system tests to run. # -# The "stress" test is not run by default since it creates enough -# load on the machine to make it unusable to other users. # The "dupsigs" test is not run by default because it takes # a very long time to complete. # diff --git a/bin/tests/system/stress/clean.sh b/bin/tests/system/stress/clean.sh index 0f8403c83a..b365d7cc77 100644 --- a/bin/tests/system/stress/clean.sh +++ b/bin/tests/system/stress/clean.sh @@ -17,9 +17,12 @@ rm -f ns?/zones.conf rm -f ns?/zone*.bk rm -f ns1/delegations.db +rm -f ns1/root.db rm -f ns2/zone0*.db rm -f ns2/zone0*.jnl rm -f */named.memstats rm -f ns*/named.lock rm -f ns*/managed-keys.bind* +rm -f ns*/named.run +rm -f ns*/named.conf diff --git a/bin/tests/system/stress/ns1/named.conf b/bin/tests/system/stress/ns1/named.conf.in similarity index 98% rename from bin/tests/system/stress/ns1/named.conf rename to bin/tests/system/stress/ns1/named.conf.in index a8378d2034..74ad00787b 100644 --- a/bin/tests/system/stress/ns1/named.conf +++ b/bin/tests/system/stress/ns1/named.conf.in @@ -17,7 +17,7 @@ options { query-source address 10.53.0.1; notify-source 10.53.0.1; transfer-source 10.53.0.1; - port 5300; + port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.1; }; listen-on-v6 { none; }; diff --git a/bin/tests/system/stress/ns2/named.conf b/bin/tests/system/stress/ns2/named.conf.in similarity index 98% rename from bin/tests/system/stress/ns2/named.conf rename to bin/tests/system/stress/ns2/named.conf.in index f8317823b1..5bbea78aca 100644 --- a/bin/tests/system/stress/ns2/named.conf +++ b/bin/tests/system/stress/ns2/named.conf.in 
@@ -17,7 +17,7 @@ options { query-source address 10.53.0.2; notify-source 10.53.0.2; transfer-source 10.53.0.2; - port 5300; + port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.2; }; listen-on-v6 { none; }; diff --git a/bin/tests/system/stress/ns3/named.conf b/bin/tests/system/stress/ns3/named.conf.in similarity index 91% rename from bin/tests/system/stress/ns3/named.conf rename to bin/tests/system/stress/ns3/named.conf.in index d4f331c4ce..036ffdbac2 100644 --- a/bin/tests/system/stress/ns3/named.conf +++ b/bin/tests/system/stress/ns3/named.conf.in @@ -17,7 +17,7 @@ options { query-source address 10.53.0.3; notify-source 10.53.0.3; transfer-source 10.53.0.3; - port 5300; + port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.3; }; listen-on-v6 { none; }; @@ -32,7 +32,7 @@ key rndc_key { }; controls { - inet 10.53.0.3 port 9953 allow { any; } keys { rndc_key; }; + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; zone "." { diff --git a/bin/tests/system/stress/ns4/named.conf b/bin/tests/system/stress/ns4/named.conf.in similarity index 98% rename from bin/tests/system/stress/ns4/named.conf rename to bin/tests/system/stress/ns4/named.conf.in index e41d194705..57f7e40fdd 100644 --- a/bin/tests/system/stress/ns4/named.conf +++ b/bin/tests/system/stress/ns4/named.conf.in @@ -17,7 +17,7 @@ options { query-source address 10.53.0.4; notify-source 10.53.0.4; transfer-source 10.53.0.4; - port 5300; + port @PORT@; pid-file "named.pid"; listen-on { 10.53.0.4; }; listen-on-v6 { none; }; diff --git a/bin/tests/system/stress/setup.sh b/bin/tests/system/stress/setup.sh index 7d7d8b34a9..cc751d3b7a 100644 --- a/bin/tests/system/stress/setup.sh +++ b/bin/tests/system/stress/setup.sh @@ -19,3 +19,8 @@ # $PERL setup.pl + +copy_setports ns1/named.conf.in ns1/named.conf +copy_setports ns2/named.conf.in ns2/named.conf +copy_setports ns3/named.conf.in ns3/named.conf +copy_setports ns4/named.conf.in ns4/named.conf 
diff --git a/bin/tests/system/stress/tests.sh b/bin/tests/system/stress/tests.sh index e0c6ea7466..43e373e09f 100644 --- a/bin/tests/system/stress/tests.sh +++ b/bin/tests/system/stress/tests.sh @@ -17,7 +17,7 @@ status=0 ( $SHELL -c "while true - do $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p 9953 reload 2>&1 | + do $RNDC -c ../common/rndc.conf -s 10.53.0.3 -p $CONTROLPORT reload 2>&1 | sed 's/^/I:ns3 /'; sleep 1 done" & echo $! >reload.pid @@ -25,7 +25,7 @@ $SHELL -c "while true for i in 0 1 2 3 4 do - $PERL update.pl -s 10.53.0.2 -p 5300 zone00000$i.example. & + $PERL update.pl -s 10.53.0.2 -p $PORT zone00000$i.example. & done echo_i "waiting for background processes to finish" @@ -34,5 +34,9 @@ wait echo_i "killing reload loop" kill `cat reload.pid` +# If the test has run to completion without named crashing, it has succeeded. +# Otherwise, the crash will be detected by the test framework and the test will +# fail. + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 From 5db5f209855ec97418271c33305be89d13127e7a Mon Sep 17 00:00:00 2001 
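Review bot: `status` is set to 0 and nothing in the visible hunks changes it, so the closing `[ $status -eq 0 ] || exit 1` cannot fail, and the bare `wait` discards the exit status of every `update.pl` job. The added comment documents that a named crash is the only failure signal, but with the ports now taken from `$PORT` and `$CONTROLPORT`, a run where either is empty makes each update and reload fail at once and the test still passes without applying any load. Recording the jobs, `$PERL update.pl -s 10.53.0.2 -p "$PORT" zone00000$i.example. & pids="$pids $!"`, and replacing the bare wait with `for p in $pids; do wait "$p" || status=1; done` would catch that. Whether update.pl is expected to exit non-zero under normal load is not visible here and needs confirming; the top of the script is outside the hunks.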
From: Tom Krizek Date: Tue, 18 Oct 2022 17:16:27 +0200 Subject: [PATCH 4/5] Revive dupsigs system test Correctly source conf.sh in dupsigs test scripts (fix issue introduced by 093af1c00ac25e4f132fe2442a24e1264aadb28d). Update dupsigs test for dnssec-dnskey-kskonly default. Since v9.17.20, the dnssec-dnskey-kskonly is set to yes. Update the test to not expect the additional RRSIG with ZSK for DNSKEY. Speed up the test from 20 minutes to 2.5 minutes and make it part of the default test suite executed in CI. - decrease number of records to sign from 2000 to 500 - decrease the signing interval by a factor of 6 - shorten the final part of the test after last signing (since nothing new happens there) Finally, clarify misleading comments about (in)sufficient time for zone re-signing. The time used in the test is in fact sufficient for the re-signing to happen. If it wasn't, the previous ZSK would end up being deleted while its signatures would still be present, which is a situation where duplicate signatures can still happen. (cherry picked from commit cb0a2ae1dd9f36c7dfb909d06453cd2beba595ea) --- bin/tests/system/Makefile.am | 5 +---- bin/tests/system/conf.sh.common | 8 ++++---- bin/tests/system/dupsigs/check_journal.pl | 5 ----- bin/tests/system/dupsigs/clean.sh | 1 + bin/tests/system/dupsigs/ns1/named.conf.in | 2 +- bin/tests/system/dupsigs/ns1/reset_keys.sh | 15 ++++++++------- bin/tests/system/dupsigs/ns1/signing.test.db.in | 2 +- bin/tests/system/dupsigs/tests.sh | 9 +++++---- 8 files changed, 21 insertions(+), 26 deletions(-) diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am index f185dd26fb..34a7ddd0c1 100644 --- a/bin/tests/system/Makefile.am +++ b/bin/tests/system/Makefile.am @@ -110,6 +110,7 @@ TESTS += \ dns64 \ dscp \ dsdigest \ + dupsigs \ dyndb \ ecdsa \ eddsa \ 
@@ -171,10 +172,6 @@ TESTS += \ xferquota \ zonechecks -# The "dupsigs" test is not run by default because it takes -# a very long time to complete. -# TESTS += dupsigs - if HAVE_LMDB TESTS += nzd2nzf endif # HAVE_LMDB diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common index ff0950f129..54cfb05f38 100644 --- a/bin/tests/system/conf.sh.common +++ b/bin/tests/system/conf.sh.common @@ -26,9 +26,6 @@ export LANG=C # # Common lists of system tests to run. # -# The "dupsigs" test is not run by default because it takes -# a very long time to complete. -# # The following tests are hard-coded to use ports 5300 and 9953. For # this reason, these must be run sequentially. # @@ -49,7 +46,10 @@ SEQUENTIAL_COMMON="" # rpzrecurse are scheduled first, in order to get more benefit from # parallelism. # -PARALLEL_COMMON="rpzrecurse serve-stale +PARALLEL_COMMON=" +rpzrecurse +serve-stale +dupsigs acl additional addzone diff --git a/bin/tests/system/dupsigs/check_journal.pl b/bin/tests/system/dupsigs/check_journal.pl index 99bf6907e8..074743205c 100644 --- a/bin/tests/system/dupsigs/check_journal.pl +++ b/bin/tests/system/dupsigs/check_journal.pl @@ -197,11 +197,6 @@ if( @changeset ) { if( $n_signing_keys == 0 ) { print "at serial $newserial $rrsig_id went unsigned\n"; } - elsif( $rrsig_id =~ /:DNSKEY$/ ) { - if( $n_signing_keys != 2 ) { - print "at serial $newserial $rrsig_id was signed $n_signing_keys time(s) when it should have been signed twice\n"; - } - } elsif( $n_signing_keys > 1 ) { my @signing_keys = sort { $a <=> $b } keys %{ $rrsig_db{$rrsig_id} }; print "at serial $newserial $rrsig_id was signed too many times, keys (@signing_keys)\n"; diff --git a/bin/tests/system/dupsigs/clean.sh b/bin/tests/system/dupsigs/clean.sh index 9db0799490..68ddace99e 100644 --- a/bin/tests/system/dupsigs/clean.sh +++ b/bin/tests/system/dupsigs/clean.sh 
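Review bot: The comment kept as context in the conf.sh.common hunk at -26 still reads "The following tests are hard-coded to use ports 5300 and 9953 ... these must be run sequentially", while the next hunk's header shows `SEQUENTIAL_COMMON=""` and this series moves dialup, stress and dupsigs to templated ports. If no test remains hard-coded, the comment should say so, for example `# No test is currently hard-coded to ports 5300/9953; list one here only if it cannot use copy_setports.`. The lines between the two hunks are not visible, so confirm the list is really empty before rewording.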
@@ -9,6 +9,7 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +rm -f dig.out* rm -f ns1/named.conf rm -f ns1/named.lock rm -f ns1/named.memstats diff --git a/bin/tests/system/dupsigs/ns1/named.conf.in b/bin/tests/system/dupsigs/ns1/named.conf.in index c5ade8bf8e..494ecfb9e3 100644 --- a/bin/tests/system/dupsigs/ns1/named.conf.in +++ b/bin/tests/system/dupsigs/ns1/named.conf.in @@ -29,5 +29,5 @@ zone "signing.test" { key-directory "keys/signing.test"; inline-signing yes; auto-dnssec maintain; - sig-validity-interval 120 30; + sig-validity-interval 20 5; }; diff --git a/bin/tests/system/dupsigs/ns1/reset_keys.sh b/bin/tests/system/dupsigs/ns1/reset_keys.sh index 28b1191b29..cc9bef78f5 100644 --- a/bin/tests/system/dupsigs/ns1/reset_keys.sh +++ b/bin/tests/system/dupsigs/ns1/reset_keys.sh @@ -11,7 +11,7 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. -. ../conf.sh +. ../../conf.sh zone=signing.test rm -rf keys/signing.test @@ -52,14 +52,14 @@ $SETTIME -P $BASET -A $BASET $KEYDIR/$KSK $SETTIME -P $BASET -A $BASET $KEYDIR/$ZSK0 # schedule the first roll -R1=`expr $BASE + 300` +R1=`expr $BASE + 50` R1T=`timetodnssec $R1` $SETTIME -I $R1T $KEYDIR/$ZSK0 $SETTIME -P $BASET -A $R1T $KEYDIR/$ZSK1 # schedule the second roll (which includes the delete of the first key) -R2=`expr $R1 + 300` +R2=`expr $R1 + 50` R2T=`timetodnssec $R2` DT=$R2 DTT=`timetodnssec $DT` @@ -69,8 +69,7 @@ $SETTIME -I $R2T $KEYDIR/$ZSK1 $SETTIME -P $R1T -A $R2T $KEYDIR/$ZSK2 # schedule the third roll -# this isn't long enough for the signing to complete -R3=`expr $R2 + 60` +R3=`expr $R2 + 25` R3T=`timetodnssec $R3` $SETTIME -D $R3T $KEYDIR/$ZSK1 
@@ -89,8 +88,10 @@ echo ZSK4=$ZSK4 exit # schedule the fourth roll -# this isn't long enough for the signing to complete -R4=`expr $R3 + 30` +# this isn't long enough for the signing to complete and would result in +# duplicate signatures, see +# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/231#note_9597 +R4=`expr $R3 + 10` R4T=`timetodnssec $R4` $SETTIME -D $R4T $KEYDIR/$ZSK2 diff --git a/bin/tests/system/dupsigs/ns1/signing.test.db.in b/bin/tests/system/dupsigs/ns1/signing.test.db.in index f4c6643533..b522b6f0ef 100644 --- a/bin/tests/system/dupsigs/ns1/signing.test.db.in +++ b/bin/tests/system/dupsigs/ns1/signing.test.db.in @@ -15,4 +15,4 @@ $TTL 3600 ns A 127.0.0.1 ns AAAA ::1 -$GENERATE 0-1999 a${0,4,d} AAAA ::$ +$GENERATE 0-499 a${0,4,d} AAAA ::$ diff --git a/bin/tests/system/dupsigs/tests.sh b/bin/tests/system/dupsigs/tests.sh index 731a3193b3..2901fede3b 100644 --- a/bin/tests/system/dupsigs/tests.sh +++ b/bin/tests/system/dupsigs/tests.sh @@ -13,8 +13,9 @@ status=0 start=`date +%s` -end=`expr $start + 1200` -now=$start +end=`expr $start + 150` +sleep 10 # wait for a bit for the initial signing +now=`expr $start + 10` while test $now -lt $end do et=`expr $now - $start` @@ -23,12 +24,12 @@ do $DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c lines=`awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l` - if [ ${et} -ne 0 -a ${lines} -ne 4009 ] + if [ ${et} -ne 0 -a ${lines} -ne 1008 ] then echo_i "failed" status=`expr $status + 1` fi - sleep 20 + sleep 5 now=`date +%s` done From ba7ea2dfac98a976efac2dcb6620b2c10f4e94da Mon Sep 17 00:00:00 2001 
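Review bot: In dupsigs/tests.sh, `now` now starts at `$start + 10`, so `et` is never 0 inside the loop and the `${et} -ne 0` half of the condition is always true; dropping it also removes the obsolescent `-a` operator: `if [ ${lines} -ne 1008 ]`. The expected count 1008 is a bare number coupled to `$GENERATE 0-499` in signing.test.db.in; the change from 4009 is 3001 = 2 x 1500 + 1, which is consistent with two RRSIGs per generated name plus the dropped DNSKEY signature, though that derivation is inferred. A one-line comment stating how 1008 is obtained would keep the zone file and the check in step the next time the record count changes. The loop body between the two hunks is only partly visible.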
From: Tom Krizek Date: Fri, 7 Oct 2022 16:23:56 +0200 Subject: [PATCH 5/5] Remove generated controls.conf file from system tests The controls.conf file shouldn't be used directly without templating it first. Remove this no longer used hard-coded file to avoid confusion. (cherry picked from commit cbd035532810965f61ee814803dff2592b7cf5fc) --- bin/tests/system/common/controls.conf | 22 ------------------- .../system/synthfromdnssec/ns4/named.conf.in | 1 - 2 files changed, 23 deletions(-) delete mode 100644 bin/tests/system/common/controls.conf diff --git a/bin/tests/system/common/controls.conf b/bin/tests/system/common/controls.conf deleted file mode 100644 index 36bd38d0b6..0000000000 --- a/bin/tests/system/common/controls.conf +++ /dev/null @@ -1,22 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -key rndc_key { - secret "1234abcd8765"; - algorithm hmac-sha256; -}; - -controls { - inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; }; -}; - diff --git a/bin/tests/system/synthfromdnssec/ns4/named.conf.in b/bin/tests/system/synthfromdnssec/ns4/named.conf.in index 780562ffcd..c9d921092e 100644 --- a/bin/tests/system/synthfromdnssec/ns4/named.conf.in +++ b/bin/tests/system/synthfromdnssec/ns4/named.conf.in @@ -46,4 +46,3 @@ zone "." { }; include "../ns1/trusted.conf"; -// include "../../common/controls.conf";