tests-extra: switch to the new DNSSEC configuration

tests-extra/tests/ddns/basic/test.py

@@ -521,16 +521,12 @@ t.link(zone, master_plain, ddns=True)
 
 master_nsec = t.server("knot")
 t.link(zone, master_nsec, ddns=True)
-master_nsec.dnssec_enable = True
-master_nsec.gen_key(zone, ksk=True, alg="RSASHA256")
-master_nsec.gen_key(zone, alg="RSASHA256")
+master_nsec.dnssec(zone).enable = True
 
 master_nsec3 = t.server("knot")
 t.link(zone, master_nsec3, ddns=True)
-master_nsec3.dnssec_enable = True
-master_nsec3.enable_nsec3(zone)
-master_nsec3.gen_key(zone, ksk=True, alg="RSASHA256")
-master_nsec3.gen_key(zone, alg="RSASHA256")
+master_nsec3.dnssec(zone).enable = True
+master_nsec3.dnssec(zone).nsec3 = True
 
 t.start()
 

tests-extra/tests/ddns/chain/test.py

@@ -107,9 +107,7 @@ zone = t.zone_rnd(1, dnssec=False)
 master = t.server("knot")
 t.link(zone, master, ddns=True)
 
-master.dnssec_enable = True
-master.gen_key(zone, ksk=True, alg="RSASHA256")
-master.gen_key(zone, alg="RSASHA256")
+master.dnssec(zone).enable = True
 master.gen_confile()
 
 t.start()
@@ -119,7 +117,7 @@ master.zone_wait(zone)
 check_log("============ NSEC test ============")
 test_run(master, zone, "NSEC")
 
-master.enable_nsec3(zone)
+master.dnssec(zone).nsec3 = True
 master.reload()
 t.sleep(2)
 

tests-extra/tests/dnssec/add_remove/test.py

@@ -52,14 +52,10 @@ t.link(zone, nsec_master, nsec_slave)
 t.link(zone, nsec3_master, nsec3_slave)
 
 # Enable autosigning
-nsec_master.dnssec_enable = True
-nsec_master.gen_key(zone, ksk=True, alg="RSASHA256")
-nsec_master.gen_key(zone, alg="RSASHA256")
+nsec_master.dnssec(zone).enable = True
 
-nsec3_master.dnssec_enable = True
-nsec3_master.enable_nsec3(zone)
-nsec3_master.gen_key(zone, ksk=True, alg="RSASHA256")
-nsec3_master.gen_key(zone, alg="RSASHA256")
+nsec3_master.dnssec(zone).enable = True
+nsec3_master.dnssec(zone).nsec3 = True
 
 t.start()
 

tests-extra/tests/dnssec/case_sensitivity/test.py

@@ -20,12 +20,8 @@ t = Test()
 
 server = t.server("knot")
 zone = t.zone("example.", storage=".")
-
-server.dnssec_enable = True
-server.gen_key(zone, ksk=True)
-server.gen_key(zone)
-
 t.link(zone, server)
+server.dnssec(zone).enable = True
 
 t.start()
 

tests-extra/tests/dnssec/dnskey_algorithms/test.py

@@ -30,7 +30,6 @@ TEST_CASES = {
 t = Test()
 
 knot = t.server("knot")
-knot.dnssec_enable = True
 
 # setup keys
 
@@ -49,6 +48,10 @@ for zone_name in TEST_CASES:
 
 t.link(zones, knot)
 
+for zone in zones:
+    knot.dnssec(zone).enable = True
+    knot.dnssec(zone).manual = True
+
 t.start()
 
 for zone in [zone for zone in zones if TEST_CASES[zone.name.rstrip(".")]]:

tests-extra/tests/dnssec/dnskey_timestamps/test.py

@@ -11,20 +11,14 @@ import datetime
 import subprocess
 
 from dnstest.utils import *
+from dnstest.keys import Keymgr
 from dnstest.test import Test
 
-def keymgr(server, args):
-    cmd = subprocess.Popen([params.keymgr_bin, "--dir", server.keydir] + args)
-    (stdout, stderr) = cmd.communicate()
-    return (cmd.returncode, stdout, stderr)
-
 def key_set(server, zone, key_id, **new_values):
     cmd = ["zone", "key", "set", zone, key_id]
     for option, value in new_values.items():
         cmd += [option, value]
-    (exitcode, _x, _y) = keymgr(server, cmd)
-    if exitcode != 0:
-        raise Failed("Unable to modify key timing values.")
+    Keymgr.run_check(server.keydir, *cmd)
 
 # check zone if keys are present and used for signing
 def check_zone(server, expect_dnskey, expect_rrsig, msg):
@@ -49,9 +43,10 @@ def check_zone(server, expect_dnskey, expect_rrsig, msg):
 t = Test()
 
 knot = t.server("knot")
-knot.dnssec_enable = True
 zone = t.zone("example.com.")
 t.link(zone, knot)
+knot.dnssec(zone).enable = True
+knot.dnssec(zone).manual = True
 
 # install keys (one always enabled, one for testing)
 shutil.copytree(os.path.join(t.data_dir, "keys"), knot.keydir)

tests-extra/tests/dnssec/no_resign/test.py

@@ -38,24 +38,23 @@ old_nsec3_serial = master.zone_wait(nsec3_zone)
 old_static_serial = master.zone_wait(static_zone)
 
 # Enable autosigning.
-master.dnssec_enable = True
+master.dnssec(nsec_zone).enable = True
+master.dnssec(nsec3_zone).enable = True
+master.dnssec(static_zone).enable = True
 master.use_keys(nsec_zone)
 master.use_keys(nsec3_zone)
 master.use_keys(static_zone)
 master.gen_confile()
-t.sleep(1)
-master.stop()
-master.start()
+master.reload()
 
 new_nsec_serial = master.zone_wait(nsec_zone)
 new_nsec3_serial = master.zone_wait(nsec3_zone)
 new_static_serial = master.zone_wait(static_zone)
 
 # Check if the zones are resigned.
-if old_nsec_serial < new_nsec_serial:
+if old_nsec_serial != new_nsec_serial:
     if not only_nsec_changed(master, nsec_zone, old_nsec_serial):
         set_err("NSEC zone got resigned")
-    old_nsec_serial = new_nsec_serial
 
 compare(old_nsec3_serial, new_nsec3_serial, "NSEC3 zone got resigned")
 compare(old_static_serial, new_static_serial, "static zone got resigned")

tests-extra/tests/dnssec/none_to_nsec/test.py

@@ -1,57 +0,0 @@
-#!/usr/bin/env python3
-
-'''Test for transition from unsigned zone to auto-signed zone with NSEC.'''
-
-from dnstest.utils import *
-from dnstest.test import Test
-
-t = Test()
-
-master = t.server("knot")
-slave = t.server("bind")
-zone = t.zone_rnd(1, dnssec=False)
-t.link(zone, master, slave)
-
-t.start()
-
-# Wait for listening server with unsigned zone.
-old_serial = master.zone_wait(zone)
-slave.zone_wait(zone)
-t.xfr_diff(master, slave, zone)
-
-# Check NSEC absence.
-master.check_nsec(zone, nonsec=True)
-
-master.stop()
-
-# Enable autosigning.
-master.dnssec_enable = True
-master.gen_key(zone, ksk=True, alg="RSASHA1") # Old NSEC only algorithm.
-master.gen_key(zone, alg="RSASHA1")
-master.gen_key(zone, ksk=True, alg="RSASHA256") # New NSEC/NSEC3 algorithm.
-master.gen_key(zone, alg="RSASHA256")
-master.gen_confile()
-master.start()
-
-# Wait for changed zone and flush.
-new_serial = master.zone_wait(zone, old_serial)
-slave.zone_wait(zone, old_serial)
-t.xfr_diff(master, slave, zone)
-master.flush()
-t.sleep(1)
-
-# Check absence of NSEC3PARAM record.
-resp = master.dig(zone, "NSEC3PARAM", dnssec=True)
-compare(resp.count(), 0, "NSEC3PARAM count")
-
-# Check presence of DNSKEYs.
-resp = master.dig(zone, "DNSKEY", dnssec=True)
-compare(resp.count(), 4, "DNSKEY count")
-
-# Check NSEC presence.
-master.check_nsec(zone)
-
-# Verify signed zone file.
-master.zone_verify(zone)
-
-t.end()

tests-extra/tests/dnssec/none_to_nsec3/test.py

@@ -1,58 +0,0 @@
-#!/usr/bin/env python3
-
-'''Test for transition from unsigned zone to auto-signed zone with NSEC3.'''
-
-from dnstest.utils import *
-from dnstest.test import Test
-
-t = Test()
-
-master = t.server("knot")
-slave = t.server("bind")
-zone = t.zone_rnd(1, dnssec=False)
-t.link(zone, master, slave)
-
-t.start()
-
-# Wait for listening server with unsigned zone.
-old_serial = master.zone_wait(zone)
-slave.zone_wait(zone)
-t.xfr_diff(master, slave, zone)
-
-# Check NSEC absence.
-master.check_nsec(zone, nonsec=True)
-
-master.stop()
-
-# Enable autosigning.
-master.dnssec_enable = True
-master.enable_nsec3(zone)
-master.gen_key(zone, ksk=True, alg="RSASHA1") # Old NSEC only algorithm.
-master.gen_key(zone, alg="RSASHA1")
-master.gen_key(zone, ksk=True, alg="RSASHA256") # New NSEC/NSEC3 algorithm.
-master.gen_key(zone, alg="RSASHA256")
-master.gen_confile()
-master.start()
-
-# Wait for changed zone and flush.
-new_serial = master.zone_wait(zone, old_serial)
-slave.zone_wait(zone, old_serial)
-t.xfr_diff(master, slave, zone)
-master.flush()
-t.sleep(1)
-
-# Check presence of NSEC3PARAM record.
-resp = master.dig(zone, "NSEC3PARAM", dnssec=True)
-compare(resp.count(), 1, "NSEC3PARAM count")
-
-# Check presence of DNSKEYs.
-resp = master.dig(zone, "DNSKEY", dnssec=True)
-compare(resp.count(), 2, "DNSKEY count")
-
-# Check NSEC presence.
-master.check_nsec(zone, nsec3=True)
-
-# Verify signed zone file.
-master.zone_verify(zone)
-
-t.end()

tests-extra/tests/dnssec/nsec3_to_nsec/test.py

@@ -1,89 +0,0 @@
-#!/usr/bin/env python3
-
-'''Test for transition from NSEC3 to NSEC on auto-signed zone.'''
-
-from dnstest.utils import *
-from dnstest.test import Test
-
-t = Test()
-
-master = t.server("knot")
-slave = t.server("bind")
-zone = t.zone_rnd(1, dnssec=False)
-t.link(zone, master, slave)
-
-t.start()
-
-# Wait for listening server with unsigned zone.
-old_serial = master.zone_wait(zone)
-slave.zone_wait(zone)
-t.xfr_diff(master, slave, zone)
-
-# Check NSEC absence.
-master.check_nsec(zone, nonsec=True)
-
-master.stop()
-
-# Enable autosigning.
-master.dnssec_enable = True
-master.enable_nsec3(zone)
-master.gen_key(zone, ksk=True, alg="rsasha1-nsec3-sha1")
-master.gen_key(zone, alg="rsasha1-nsec3-sha1")
-master.gen_key(zone, ksk=True, alg="rsasha256")
-master.gen_key(zone, alg="rsasha256")
-master.gen_confile()
-master.start()
-
-# Wait for changed zone and flush.
-new_serial = master.zone_wait(zone, old_serial)
-slave.zone_wait(zone, old_serial)
-t.xfr_diff(master, slave, zone)
-master.flush()
-t.sleep(1)
-
-# Check presence of NSEC3PARAM record.
-resp = master.dig(zone, "NSEC3PARAM", dnssec=True)
-compare(resp.count(), 1, "NSEC3PARAM count")
-
-# Check presence of DNSKEYs.
-resp = master.dig(zone, "DNSKEY", dnssec=True)
-compare(resp.count(), 4, "DNSKEY count")
-
-# Check NSEC3 presence.
-master.check_nsec(zone, nsec3=True)
-
-master.stop()
-master.backup_zone(zone)
-
-# Verify signed zone file.
-master.zone_verify(zone)
-
-### NSEC3 -> NSEC ###
-
-# Disable NSEC3 on zone.
-master.disable_nsec3(zone)
-master.gen_confile()
-master.start()
-
-# Wait for changed zone and flush.
-master.zone_wait(zone, new_serial)
-slave.zone_wait(zone, new_serial)
-t.xfr_diff(master, slave, zone)
-master.flush()
-t.sleep(1)
-
-# Check absence of NSEC3PARAM record.
-resp = master.dig(zone, "NSEC3PARAM", dnssec=True)
-compare(resp.count(), 0, "NSEC3PARAM count")
-
-# Check presence of DNSKEYs.
-resp = master.dig(zone, "DNSKEY", dnssec=True)
-compare(resp.count(), 4, "DNSKEY count")
-
-# Check NSEC presence.
-master.check_nsec(zone)
-
-# Verify signed zone file.
-master.zone_verify(zone)
-
-t.end()

tests-extra/tests/dnssec/nsec_changes/test.py

@@ -0,0 +1,141 @@
+#!/usr/bin/env python3
+
+'''Test for NSEC transitions with autosigning.
+   zone1: none->nsec->nsec3->none
+   zone2: none->nsec3->nsec->none'''
+
+from dnstest.utils import *
+from dnstest.test import Test
+
+t = Test()
+
+master = t.server("knot")
+slave = t.server("bind")
+zone1 = t.zone_rnd(1, dnssec=False, records=5)
+zone2 = t.zone_rnd(1, dnssec=False, records=5)
+zones = zone1 + zone2
+t.link(zones, master, slave)
+
+t.start()
+
+# Wait for listening server with unsigned zones.
+master.zones_wait(zones)
+old_serials = slave.zones_wait(zones)
+t.xfr_diff(master, slave, zones)
+
+# Check NSEC absence.
+master.check_nsec(zone1, nonsec=True)
+master.check_nsec(zone2, nonsec=True)
+
+### First change ##############################################################
+
+# Enable autosigning.
+master.dnssec(zone1).enable = True
+master.dnssec(zone2).enable = True
+master.dnssec(zone2).nsec3 = True
+master.dnssec(zone2).nsec3_iters = 2
+master.dnssec(zone2).nsec3_salt_len = 2
+master.gen_confile()
+master.reload()
+
+# Wait for changed zone and flush.
+master.zones_wait(zones, old_serials)
+old_serials = slave.zones_wait(zones, old_serials)
+t.xfr_diff(master, slave, zones)
+master.flush()
+t.sleep(1)
+
+# Check the NSEC3PARAM record.
+resp = master.dig(zone1, "NSEC3PARAM", dnssec=True)
+compare(resp.count(), 0, "NSEC3PARAM count")
+resp = master.dig(zone2, "NSEC3PARAM", dnssec=True)
+compare(resp.count(), 1, "NSEC3PARAM count")
+
+# Check DNSKEYs.
+resp = master.dig(zone1, "DNSKEY", dnssec=True)
+compare(resp.count(), 2, "DNSKEY count")
+resp = master.dig(zone2, "DNSKEY", dnssec=True)
+compare(resp.count(), 2, "DNSKEY count")
+
+# Check NSEC.
+master.check_nsec(zone1)
+master.check_nsec(zone2, nsec3=True)
+
+# Verify signed zone files.
+master.zone_verify(zone1)
+master.zone_verify(zone2)
+
+### Second change #############################################################
+
+# Reconfigure autosigning.
+master.dnssec(zone1).nsec3 = True
+master.dnssec(zone1).nsec3_iters = 1
+master.dnssec(zone1).nsec3_salt_len = 0
+master.dnssec(zone2).nsec3 = False
+master.gen_confile()
+master.reload()
+
+# Wait for changed zone and flush.
+master.zones_wait(zones, old_serials)
+old_serials = slave.zones_wait(zones, old_serials)
+t.xfr_diff(master, slave, zones)
+master.flush()
+t.sleep(1)
+
+# Check the NSEC3PARAM record.
+resp = master.dig(zone1, "NSEC3PARAM", dnssec=True)
+compare(resp.count(), 1, "NSEC3PARAM count")
+resp = master.dig(zone2, "NSEC3PARAM", dnssec=True)
+compare(resp.count(), 0, "NSEC3PARAM count")
+
+# Check DNSKEYs.
+resp = master.dig(zone1, "DNSKEY", dnssec=True)
+compare(resp.count(), 2, "DNSKEY count")
+resp = master.dig(zone2, "DNSKEY", dnssec=True)
+compare(resp.count(), 2, "DNSKEY count")
+
+# Check NSEC.
+master.check_nsec(zone1, nsec3=True)
+master.check_nsec(zone2)
+
+# Verify signed zone files.
+master.zone_verify(zone1)
+master.zone_verify(zone2)
+
+### Third change ##############################################################
+
+# Disable autosigning.
+master.dnssec(zone1).enable = False
+master.dnssec(zone2).enable = False
+master.gen_confile()
+master.reload()
+
+# Wait for changed zone and flush (unchanged).
+t.sleep(1)
+master.zones_wait(zones, old_serials, equal=True, greater=False)
+slave.zones_wait(zones, old_serials, equal=True, greater=False)
+t.xfr_diff(master, slave, zones)
+master.flush()
+t.sleep(1)
+
+# Check the NSEC3PARAM record (unchanged).
+resp = master.dig(zone1, "NSEC3PARAM", dnssec=True)
+compare(resp.count(), 1, "NSEC3PARAM count")
+resp = master.dig(zone2, "NSEC3PARAM", dnssec=True)
+compare(resp.count(), 0, "NSEC3PARAM count")
+
+# Check DNSKEYs (unchanged).
+resp = master.dig(zone1, "DNSKEY", dnssec=True)
+compare(resp.count(), 2, "DNSKEY count")
+resp = master.dig(zone2, "DNSKEY", dnssec=True)
+compare(resp.count(), 2, "DNSKEY count")
+
+# Check NSEC (unchanged).
+master.check_nsec(zone1, nsec3=True)
+master.check_nsec(zone2)
+
+# Verify signed zone files (unchanged).
+master.zone_verify(zone1)
+master.zone_verify(zone2)
+
+t.end()

tests-extra/tests/dnssec/nsec_to_nsec3/test.py

@@ -1,88 +0,0 @@
-#!/usr/bin/env python3
-
-'''Test for transition from NSEC to NSEC3 on auto-signed zone.'''
-
-from dnstest.utils import *
-from dnstest.test import Test
-
-t = Test()
-
-master = t.server("knot")
-slave = t.server("bind")
-zone = t.zone_rnd(1, dnssec=False)
-t.link(zone, master, slave)
-
-t.start()
-
-# Wait for listening server with unsigned zone.
-old_serial = master.zone_wait(zone)
-slave.zone_wait(zone)
-t.xfr_diff(master, slave, zone)
-
-# Check NSEC absence.
-master.check_nsec(zone, nonsec=True)
-
-master.stop()
-
-# Enable autosigning.
-master.dnssec_enable = True
-master.gen_key(zone, ksk=True, alg="rsasha1-nsec3-sha1")
-master.gen_key(zone, alg="rsasha1-nsec3-sha1")
-master.gen_key(zone, ksk=True, alg="rsasha256")
-master.gen_key(zone, alg="rsasha256")
-master.gen_confile()
-master.start()
-
-# Wait for changed zone and flush.
-new_serial = master.zone_wait(zone, old_serial)
-slave.zone_wait(zone, old_serial)
-t.xfr_diff(master, slave, zone)
-master.flush()
-t.sleep(1)
-
-# Check absence of NSEC3PARAM record.
-resp = master.dig(zone, "NSEC3PARAM", dnssec=True)
-compare(resp.count(), 0, "NSEC3PARAM count")
-
-# Check presence of DNSKEYs.
-resp = master.dig(zone, "DNSKEY", dnssec=True)
-compare(resp.count(), 4, "DNSKEY count")
-
-# Check NSEC presence.
-master.check_nsec(zone)
-
-master.stop()
-master.backup_zone(zone)
-
-# Verify signed zone file.
-master.zone_verify(zone)
-
-### NSEC -> NSEC3 ###
-
-# Enable NSEC3 on zone.
-master.enable_nsec3(zone)
-master.gen_confile()
-master.start()
-
-# Wait for changed zone and flush.
-master.zone_wait(zone, new_serial)
-slave.zone_wait(zone, new_serial)
-t.xfr_diff(master, slave, zone)
-master.flush()
-t.sleep(1)
-
-# Check presence of NSEC3PARAM record.
-resp = master.dig(zone, "NSEC3PARAM", dnssec=True)
-compare(resp.count(), 1, "NSEC3PARAM count")
-
-# Check presence of DNSKEYs.
-resp = master.dig(zone, "DNSKEY", dnssec=True)
-compare(resp.count(), 4, "DNSKEY count")
-
-# Check NSEC3 presence.
-master.check_nsec(zone, nsec3=True)
-
-# Verify signed zone file.
-master.zone_verify(zone)
-
-t.end()

tests-extra/tests/dnssec/records/test.py

@@ -10,12 +10,7 @@ t = Test()
 master = t.server("knot")
 zone = t.zone("records.")
 t.link(zone, master)
-
-# Enable autosigning.
-master.dnssec_enable = True
-master.gen_key(zone, ksk=True, alg="RSASHA1")
-master.gen_key(zone, alg="RSASHA1")
-master.gen_confile()
+master.dnssec(zone).enable = True
 
 t.start()
 

tests-extra/tests/dnssec/single_type_signing/test.py

@@ -27,7 +27,10 @@ knot.gen_key(zones[3], ksk=True, alg="RSASHA256", key_len="1024")
 knot.gen_key(zones[3], ksk=False, alg="RSASHA256", key_len="1024")
 knot.gen_key(zones[3], ksk=False, alg="RSASHA512", key_len="1024")
 
-knot.dnssec_enable = True
+for zone in zones:
+    knot.dnssec(zone).enable = True
+    knot.dnssec(zone).manual = True
+
 knot.gen_confile()
 knot.reload()
 t.sleep(2)

tests-extra/tests/modules/synth_record/test.py

@@ -22,10 +22,8 @@ zone = t.zone("forward.", storage=".") + \
 t.link(zone, knot)
 
 # Enable DNSSEC
-knot.dnssec_enable = True
 for z in zone:
-    knot.gen_key(z, ksk=True, alg="RSASHA256")
-    knot.gen_key(z, alg="RSASHA256")
+    knot.dnssec(z).enable = True
 
 # Configure 'synth_record' modules for auto forward/reverse zones
 knot.add_module(zone[FWD],  ModSynthRecord("forward", None,        None,  "192.168.0.1"))

tests-extra/tests/zone/restart/test.py

@@ -1,6 +1,6 @@
 #!/usr/bin/env python3
 
-'''Test for changeset application after restart. '''
+'''Test for changeset application after restart.'''
 
 from dnstest.test import Test
 import dnstest.utils
@@ -28,13 +28,11 @@ slave = t.server("knot")
 
 # Zone setup
 zone = t.zone_rnd(1, dnssec=False)
-t.link(zone, master, slave, ixfr = True, ddns=True)
+t.link(zone, master, slave, ixfr=True, ddns=True)
 
 # Turn automatic DNSSEC on
-master.dnssec_enable = True
-master.enable_nsec3(zone)
-master.gen_key(zone, ksk=True, alg="RSASHA256")
-master.gen_key(zone, alg="RSASHA256")
+master.dnssec(zone).enable = True
+master.dnssec(zone).nsec3 = True
 
 t.start()
 

tests-extra/tools/dnstest/keys.py

@@ -118,29 +118,6 @@ class Key(object):
     def _keymgr(self, *args):
         return Keymgr.run(self.dir, *args)
 
-    def _ensure_zone(self):
-        # initialize KASP (currently NOOP if initialized)
-        (exit_code, _, _) = self._keymgr("init");
-        if exit_code != 0:
-            raise Failed("Failed to initialize the KASP.")
-
-        # disable automatic signing
-        (exit_code, _, _) = self._keymgr("policy", "set", "default", "manual", "true");
-        if exit_code != 0:
-            raise Failed("Failed to disable automatic signing in KASP.")
-
-        # check if zone exists in KASP
-        (exit_code, _, _) = self._keymgr("zone", "show", self.zone_name)
-        if exit_code == 0:
-            return
-
-        # add zone into KASP
-        (exit_code, _, _) = self._keymgr("zone", "add", self.zone_name)
-        if exit_code == 0:
-            return
-
-        raise Failed("Unable to add zone '%s' into KASP." % self.zone_name)
-
     def _gen_command(self):
         cmd = [
             "zone", "key", "generate", self.zone_name,
@@ -154,7 +131,6 @@ class Key(object):
         return cmd
 
     def generate(self):
-        self._ensure_zone()
         command = self._gen_command()
         (exit_code, _, _) = self._keymgr(*command)
         if exit_code != 0:

tests-extra/tools/dnstest/server.py

@@ -31,6 +31,20 @@ def zone_arg_check(zone):
         return zone[0]
     return zone
 
+class ZoneDnssec(object):
+    '''Zone DNSSEC signing configuration'''
+
+    def __init__(self):
+        self.enable = None
+        self.manual = None
+        self.alg = None
+        self.ksk_size = None
+        self.zsk_size = None
+        self.nsec3 = None
+        self.nsec3_iters = None
+        self.nsec3_resalt = None
+        self.nsec3_salt_len = None
+
 class Zone(object):
     '''DNS zone description'''
 
@@ -39,10 +53,9 @@ class Zone(object):
         self.masters = set()
         self.slaves = set()
         self.ddns = ddns
-        # ixfr from differences
-        self.ixfr = ixfr
-        # modules
+        self.ixfr = ixfr # ixfr from differences
         self.modules = []
+        self.dnssec = ZoneDnssec()
 
     @property
     def name(self):
@@ -115,7 +128,7 @@ class Server(object):
         self.fout = None
         self.ferr = None
         self.valgrind_log = None
-        self.conffile = None
+        self.confile = None
 
     def _check_socket(self, proto, port):
         if ipaddress.ip_address(self.addr).version == 4:
@@ -587,7 +600,6 @@ class Server(object):
     def gen_key(self, zone, **args):
         zone = zone_arg_check(zone)
 
-        prepare_dir(self.keydir)
         key = dnstest.keys.Key(self.keydir, zone.name, **args)
         key.generate()
 
@@ -598,6 +610,11 @@ class Server(object):
         # copy all keys, even for other zones
         distutils.dir_util.copy_tree(zone.key_dir, self.keydir, update=True)
 
+    def dnssec(self, zone):
+        zone = zone_arg_check(zone)
+
+        return self.zones[zone.name].dnssec
+
     def enable_nsec3(self, zone, **args):
         zone = zone_arg_check(zone)
 
@@ -855,6 +872,14 @@ class Knot(Server):
         conf.item_str("algorithm", key.alg)
         conf.item_str("secret", key.key)
 
+    def _bool(self, conf, name, value):
+        if value != None:
+            conf.item_str(name, "on" if value else "off")
+
+    def _str(self, conf, name, value):
+        if value != None:
+            conf.item_str(name, value)
+
     def get_config(self):
         s = dnstest.config.KnotConf()
         s.begin("server")
@@ -970,9 +995,26 @@ class Knot(Server):
                 for module in z.modules:
                     module.get_conf(s)
 
+        s.begin("policy")
+        for zone in sorted(self.zones):
+            z = self.zones[zone]
+            if not z.dnssec.enable:
+                continue
+            s.id_item("id", z.name)
+            self._bool(s, "manual", z.dnssec.manual)
+            self._str(s, "algorithm", z.dnssec.alg)
+            self._str(s, "ksk_size", z.dnssec.ksk_size)
+            self._str(s, "zsk_size", z.dnssec.zsk_size)
+            self._bool(s, "nsec3", z.dnssec.nsec3)
+            self._str(s, "nsec3-iterations", z.dnssec.nsec3_iters)
+            self._str(s, "nsec3-resalt", z.dnssec.nsec3_resalt)
+            self._str(s, "nsec3-salt-length", z.dnssec.nsec3_salt_len)
+        s.end()
+
         s.begin("template")
         s.id_item("id", "default")
         s.item_str("storage", self.dir)
+        s.item_str("kasp-db", self.keydir)
         if self.zonefile_sync:
             s.item_str("zonefile-sync", self.zonefile_sync)
         else:
@@ -982,9 +1024,6 @@ class Knot(Server):
         s.item_str("semantic-checks", "on")
         if self.disable_any:
             s.item_str("disable-any", "on")
-        if self.dnssec_enable:
-            s.item_str("kasp-db", self.keydir)
-            s.item_str("dnssec-signing", "on")
         if len(self.modules) > 0:
             modules = ""
             for module in self.modules:
@@ -1030,6 +1069,10 @@ class Knot(Server):
             if z.ixfr and not z.masters:
                 s.item_str("ixfr-from-differences", "on")
 
+            if z.dnssec.enable:
+                s.item_str("dnssec-signing", "on")
+                s.item_str("dnssec-policy", z.name)
+
             if len(z.modules) > 0:
                 modules = ""
                 for module in z.modules:

tests-extra/tools/dnstest/zonefile.py

@@ -89,26 +89,13 @@ class ZoneFile(object):
         self.set_file(file_name=file_name, storage=storage, version=version)
 
     def _kasp_import_keys(self, keydir, bind_keydir, zone_name):
-        Keymgr.run(keydir, "init")
-        Keymgr.run(keydir, "policy", "set", "default", "manual", "true")
 
-        # add zone if not exists
-        exitcode, _, _ = Keymgr.run(keydir, "zone", "show", zone_name)
-        if exitcode != 0:
-            Keymgr.run_check(keydir, "zone", "add", zone_name)
-
-        # retrieve existing keys
-        tags = []
-        exitcode, stdout, _ = Keymgr.run(keydir, "zone", "key", "list", zone_name)
-        if exitcode != 0:
-            tags = [int(re.search(r'\bkeytag\s+(\d+)\b', x).group(1)) for x in stdout.splitlines()]
-
-        # import new keys, ignore existing (compare keytag)
+        # import bind style keys, overwrite existing (shouldn't be a problem)
         assert(zone_name.endswith("."))
         for pkey_path in glob.glob("%s/K*.private" % glob.escape(bind_keydir)):
             pkey = os.path.basename(pkey_path)
             m = re.match(r'K(?P<name>[^+]+)\+(?P<algo>\d+)\+(?P<tag>\d+)\.private', pkey)
-            if m and m.group("name") == zone_name.lower() and int(m.group("tag")) not in tags:
+            if m and m.group("name") == zone_name.lower():
                 Keymgr.run_check(keydir, "zone", "key", "import", zone_name, pkey_path)
 
     def gen_file(self, dnssec=None, nsec3=None, records=None, serial=None):