diff --git a/tests-extra/tests/ddns/basic/test.py b/tests-extra/tests/ddns/basic/test.py index 9d9cc0e68..e7d418111 100644 --- a/tests-extra/tests/ddns/basic/test.py +++ b/tests-extra/tests/ddns/basic/test.py @@ -521,16 +521,12 @@ t.link(zone, master_plain, ddns=True) master_nsec = t.server("knot") t.link(zone, master_nsec, ddns=True) -master_nsec.dnssec_enable = True -master_nsec.gen_key(zone, ksk=True, alg="RSASHA256") -master_nsec.gen_key(zone, alg="RSASHA256") +master_nsec.dnssec(zone).enable = True master_nsec3 = t.server("knot") t.link(zone, master_nsec3, ddns=True) -master_nsec3.dnssec_enable = True -master_nsec3.enable_nsec3(zone) -master_nsec3.gen_key(zone, ksk=True, alg="RSASHA256") -master_nsec3.gen_key(zone, alg="RSASHA256") +master_nsec3.dnssec(zone).enable = True +master_nsec3.dnssec(zone).nsec3 = True t.start() diff --git a/tests-extra/tests/ddns/chain/test.py b/tests-extra/tests/ddns/chain/test.py index a074dd9bb..34c9d2da0 100644 --- a/tests-extra/tests/ddns/chain/test.py +++ b/tests-extra/tests/ddns/chain/test.py @@ -107,9 +107,7 @@ zone = t.zone_rnd(1, dnssec=False) master = t.server("knot") t.link(zone, master, ddns=True) -master.dnssec_enable = True -master.gen_key(zone, ksk=True, alg="RSASHA256") -master.gen_key(zone, alg="RSASHA256") +master.dnssec(zone).enable = True master.gen_confile() t.start() @@ -119,7 +117,7 @@ master.zone_wait(zone) check_log("============ NSEC test ============") test_run(master, zone, "NSEC") -master.enable_nsec3(zone) +master.dnssec(zone).nsec3 = True master.reload() t.sleep(2) diff --git a/tests-extra/tests/dnssec/add_remove/test.py b/tests-extra/tests/dnssec/add_remove/test.py index 74713ad11..52473f12e 100644 --- a/tests-extra/tests/dnssec/add_remove/test.py +++ b/tests-extra/tests/dnssec/add_remove/test.py 
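Review bot: In the chain test the NSEC→NSEC3 switch sets `master.dnssec(zone).nsec3 = True` and immediately calls `master.reload()` with no `master.gen_confile()` in between, so unless `reload()` regenerates the configuration file the running server keeps the old policy and the "NSEC3" run exercises an NSEC zone. Every other call site in this commit regenerates before reloading (no_resign, nsec_changes): `master.dnssec(zone).nsec3 = True`, `master.gen_confile()`, `master.reload()`. The replaced `enable_nsec3()` presumably acted on the KASP directly rather than through the config file, which would explain why the regeneration step was never needed before.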
@@ -52,14 +52,10 @@ t.link(zone, nsec_master, nsec_slave) t.link(zone, nsec3_master, nsec3_slave) # Enable autosigning -nsec_master.dnssec_enable = True -nsec_master.gen_key(zone, ksk=True, alg="RSASHA256") -nsec_master.gen_key(zone, alg="RSASHA256") +nsec_master.dnssec(zone).enable = True -nsec3_master.dnssec_enable = True -nsec3_master.enable_nsec3(zone) -nsec3_master.gen_key(zone, ksk=True, alg="RSASHA256") -nsec3_master.gen_key(zone, alg="RSASHA256") +nsec3_master.dnssec(zone).enable = True +nsec3_master.dnssec(zone).nsec3 = True t.start() diff --git a/tests-extra/tests/dnssec/case_sensitivity/test.py b/tests-extra/tests/dnssec/case_sensitivity/test.py index db71bc995..a2535baea 100644 --- a/tests-extra/tests/dnssec/case_sensitivity/test.py +++ b/tests-extra/tests/dnssec/case_sensitivity/test.py @@ -20,12 +20,8 @@ t = Test() server = t.server("knot") zone = t.zone("example.", storage=".") - -server.dnssec_enable = True -server.gen_key(zone, ksk=True) -server.gen_key(zone) - t.link(zone, server) +server.dnssec(zone).enable = True t.start() diff --git a/tests-extra/tests/dnssec/dnskey_algorithms/test.py b/tests-extra/tests/dnssec/dnskey_algorithms/test.py index 94fc41f3b..e76cf5529 100644 --- a/tests-extra/tests/dnssec/dnskey_algorithms/test.py +++ b/tests-extra/tests/dnssec/dnskey_algorithms/test.py @@ -30,7 +30,6 @@ TEST_CASES = { t = Test() knot = t.server("knot") -knot.dnssec_enable = True # setup keys @@ -49,6 +48,10 @@ for zone_name in TEST_CASES: t.link(zones, knot) +for zone in zones: + knot.dnssec(zone).enable = True + knot.dnssec(zone).manual = True + t.start() for zone in [zone for zone in zones if TEST_CASES[zone.name.rstrip(".")]]: diff --git a/tests-extra/tests/dnssec/dnskey_timestamps/test.py b/tests-extra/tests/dnssec/dnskey_timestamps/test.py index 8ac054e95..5802545b9 100644 --- a/tests-extra/tests/dnssec/dnskey_timestamps/test.py +++ b/tests-extra/tests/dnssec/dnskey_timestamps/test.py 
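Review bot: In case_sensitivity, moving `server.dnssec(zone).enable = True` below `t.link(zone, server)` is load-bearing rather than cosmetic: `Server.dnssec()` resolves `self.zones[zone.name]`, which only exists once the zone has been linked, so the previous order would now fail with a KeyError. A one-line comment would stop the next cleanup from reordering it back: `# must follow t.link(): dnssec() looks up the linked zone`. The same ordering is relied on silently by every other test touched in this commit.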
@@ -11,20 +11,14 @@ import datetime import subprocess from dnstest.utils import * +from dnstest.keys import Keymgr from dnstest.test import Test -def keymgr(server, args): - cmd = subprocess.Popen([params.keymgr_bin, "--dir", server.keydir] + args) - (stdout, stderr) = cmd.communicate() - return (cmd.returncode, stdout, stderr) - def key_set(server, zone, key_id, **new_values): cmd = ["zone", "key", "set", zone, key_id] for option, value in new_values.items(): cmd += [option, value] - (exitcode, _x, _y) = keymgr(server, cmd) - if exitcode != 0: - raise Failed("Unable to modify key timing values.") + Keymgr.run_check(server.keydir, *cmd) # check zone if keys are present and used for signing def check_zone(server, expect_dnskey, expect_rrsig, msg): @@ -49,9 +43,10 @@ def check_zone(server, expect_dnskey, expect_rrsig, msg): t = Test() knot = t.server("knot") -knot.dnssec_enable = True zone = t.zone("example.com.") t.link(zone, knot) +knot.dnssec(zone).enable = True +knot.dnssec(zone).manual = True # install keys (one always enabled, one for testing) shutil.copytree(os.path.join(t.data_dir, "keys"), knot.keydir) diff --git a/tests-extra/tests/dnssec/no_resign/test.py b/tests-extra/tests/dnssec/no_resign/test.py index c100a6e07..cd103ef13 100644 --- a/tests-extra/tests/dnssec/no_resign/test.py +++ b/tests-extra/tests/dnssec/no_resign/test.py 
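Review bot: `knot.dnssec(zone).manual = True` is the necessary companion to copying prebuilt keys into `knot.keydir`, but the reason deserves a comment now that the keymgr-level `policy set default manual true` has been removed from `Key._ensure_zone`: without it the server-side policy is free to generate and roll its own keys, and the DNSKEY/RRSIG expectations in `check_zone` would no longer be about the installed keys. Suggested comment: `# manual: keys are installed by hand below; the policy must not generate its own`. I am inferring the automatic-policy behaviour from the config generator in server.py, not from visible Knot code, so confirm before relying on it.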
@@ -38,24 +38,23 @@ old_nsec3_serial = master.zone_wait(nsec3_zone) old_static_serial = master.zone_wait(static_zone) # Enable autosigning. -master.dnssec_enable = True +master.dnssec(nsec_zone).enable = True +master.dnssec(nsec3_zone).enable = True +master.dnssec(static_zone).enable = True master.use_keys(nsec_zone) master.use_keys(nsec3_zone) master.use_keys(static_zone) master.gen_confile() -t.sleep(1) -master.stop() -master.start() +master.reload() new_nsec_serial = master.zone_wait(nsec_zone) new_nsec3_serial = master.zone_wait(nsec3_zone) new_static_serial = master.zone_wait(static_zone) # Check if the zones are resigned. -if old_nsec_serial < new_nsec_serial: +if old_nsec_serial != new_nsec_serial: if not only_nsec_changed(master, nsec_zone, old_nsec_serial): set_err("NSEC zone got resigned") - old_nsec_serial = new_nsec_serial compare(old_nsec3_serial, new_nsec3_serial, "NSEC3 zone got resigned") compare(old_static_serial, new_static_serial, "static zone got resigned") diff --git a/tests-extra/tests/dnssec/none_to_nsec/test.py b/tests-extra/tests/dnssec/none_to_nsec/test.py deleted file mode 100644 index 97ea74b5b..000000000 --- a/tests-extra/tests/dnssec/none_to_nsec/test.py +++ /dev/null 
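Review bot: The no_resign setup enables signing per zone and loads keys with `use_keys()`, but unlike dnskey_timestamps and single_type_signing it does not set `master.dnssec(z).manual = True`; if the default policy is allowed to generate its own keys, a resign caused by new DNSKEYs would either mask the regression this test guards against or trip `set_err("NSEC zone got resigned")` for an unrelated reason. Adding `master.dnssec(z).manual = True` beside each `use_keys()` call makes "reuse exactly these keys" explicit. Replacing `stop()`/`start()` with `reload()` also drops the restart path this test used to cover, and dropping `old_nsec_serial = new_nsec_serial` changes results only if the variable is read further down, outside this hunk.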
@@ -1,57 +0,0 @@ -#!/usr/bin/env python3 - -'''Test for transition from unsigned zone to auto-signed zone with NSEC.''' - -from dnstest.utils import * -from dnstest.test import Test - -t = Test() - -master = t.server("knot") -slave = t.server("bind") -zone = t.zone_rnd(1, dnssec=False) -t.link(zone, master, slave) - -t.start() - -# Wait for listening server with unsigned zone. -old_serial = master.zone_wait(zone) -slave.zone_wait(zone) -t.xfr_diff(master, slave, zone) - -# Check NSEC absence. -master.check_nsec(zone, nonsec=True) - -master.stop() - -# Enable autosigning. -master.dnssec_enable = True -master.gen_key(zone, ksk=True, alg="RSASHA1") # Old NSEC only algorithm. -master.gen_key(zone, alg="RSASHA1") -master.gen_key(zone, ksk=True, alg="RSASHA256") # New NSEC/NSEC3 algorithm. -master.gen_key(zone, alg="RSASHA256") -master.gen_confile() -master.start() - -# Wait for changed zone and flush. -new_serial = master.zone_wait(zone, old_serial) -slave.zone_wait(zone, old_serial) -t.xfr_diff(master, slave, zone) -master.flush() -t.sleep(1) - -# Check absence of NSEC3PARAM record. -resp = master.dig(zone, "NSEC3PARAM", dnssec=True) -compare(resp.count(), 0, "NSEC3PARAM count") - -# Check presence of DNSKEYs. -resp = master.dig(zone, "DNSKEY", dnssec=True) -compare(resp.count(), 4, "DNSKEY count") - -# Check NSEC presence. -master.check_nsec(zone) - -# Verify signed zone file. -master.zone_verify(zone) - -t.end() diff --git a/tests-extra/tests/dnssec/none_to_nsec3/test.py b/tests-extra/tests/dnssec/none_to_nsec3/test.py deleted file mode 100644 index 9cb95e290..000000000 --- a/tests-extra/tests/dnssec/none_to_nsec3/test.py +++ /dev/null 
@@ -1,58 +0,0 @@ -#!/usr/bin/env python3 - -'''Test for transition from unsigned zone to auto-signed zone with NSEC3.''' - -from dnstest.utils import * -from dnstest.test import Test - -t = Test() - -master = t.server("knot") -slave = t.server("bind") -zone = t.zone_rnd(1, dnssec=False) -t.link(zone, master, slave) - -t.start() - -# Wait for listening server with unsigned zone. -old_serial = master.zone_wait(zone) -slave.zone_wait(zone) -t.xfr_diff(master, slave, zone) - -# Check NSEC absence. -master.check_nsec(zone, nonsec=True) - -master.stop() - -# Enable autosigning. -master.dnssec_enable = True -master.enable_nsec3(zone) -master.gen_key(zone, ksk=True, alg="RSASHA1") # Old NSEC only algorithm. -master.gen_key(zone, alg="RSASHA1") -master.gen_key(zone, ksk=True, alg="RSASHA256") # New NSEC/NSEC3 algorithm. -master.gen_key(zone, alg="RSASHA256") -master.gen_confile() -master.start() - -# Wait for changed zone and flush. -new_serial = master.zone_wait(zone, old_serial) -slave.zone_wait(zone, old_serial) -t.xfr_diff(master, slave, zone) -master.flush() -t.sleep(1) - -# Check presence of NSEC3PARAM record. -resp = master.dig(zone, "NSEC3PARAM", dnssec=True) -compare(resp.count(), 1, "NSEC3PARAM count") - -# Check presence of DNSKEYs. -resp = master.dig(zone, "DNSKEY", dnssec=True) -compare(resp.count(), 2, "DNSKEY count") - -# Check NSEC presence. -master.check_nsec(zone, nsec3=True) - -# Verify signed zone file. -master.zone_verify(zone) - -t.end() diff --git a/tests-extra/tests/dnssec/nsec3_to_nsec/test.py b/tests-extra/tests/dnssec/nsec3_to_nsec/test.py deleted file mode 100644 index 9d65c7cbc..000000000 --- a/tests-extra/tests/dnssec/nsec3_to_nsec/test.py +++ /dev/null 
@@ -1,89 +0,0 @@ -#!/usr/bin/env python3 - -'''Test for transition from NSEC3 to NSEC on auto-signed zone.''' - -from dnstest.utils import * -from dnstest.test import Test - -t = Test() - -master = t.server("knot") -slave = t.server("bind") -zone = t.zone_rnd(1, dnssec=False) -t.link(zone, master, slave) - -t.start() - -# Wait for listening server with unsigned zone. -old_serial = master.zone_wait(zone) -slave.zone_wait(zone) -t.xfr_diff(master, slave, zone) - -# Check NSEC absence. -master.check_nsec(zone, nonsec=True) - -master.stop() - -# Enable autosigning. -master.dnssec_enable = True -master.enable_nsec3(zone) -master.gen_key(zone, ksk=True, alg="rsasha1-nsec3-sha1") -master.gen_key(zone, alg="rsasha1-nsec3-sha1") -master.gen_key(zone, ksk=True, alg="rsasha256") -master.gen_key(zone, alg="rsasha256") -master.gen_confile() -master.start() - -# Wait for changed zone and flush. -new_serial = master.zone_wait(zone, old_serial) -slave.zone_wait(zone, old_serial) -t.xfr_diff(master, slave, zone) -master.flush() -t.sleep(1) - -# Check presence of NSEC3PARAM record. -resp = master.dig(zone, "NSEC3PARAM", dnssec=True) -compare(resp.count(), 1, "NSEC3PARAM count") - -# Check presence of DNSKEYs. -resp = master.dig(zone, "DNSKEY", dnssec=True) -compare(resp.count(), 4, "DNSKEY count") - -# Check NSEC3 presence. -master.check_nsec(zone, nsec3=True) - -master.stop() -master.backup_zone(zone) - -# Verify signed zone file. -master.zone_verify(zone) - -### NSEC3 -> NSEC ### - -# Disable NSEC3 on zone. -master.disable_nsec3(zone) -master.gen_confile() -master.start() - -# Wait for changed zone and flush. -master.zone_wait(zone, new_serial) -slave.zone_wait(zone, new_serial) -t.xfr_diff(master, slave, zone) -master.flush() -t.sleep(1) - -# Check absence of NSEC3PARAM record. -resp = master.dig(zone, "NSEC3PARAM", dnssec=True) -compare(resp.count(), 0, "NSEC3PARAM count") - -# Check presence of DNSKEYs. 
-resp = master.dig(zone, "DNSKEY", dnssec=True) -compare(resp.count(), 4, "DNSKEY count") - -# Check NSEC presence. -master.check_nsec(zone) - -# Verify signed zone file. -master.zone_verify(zone) - -t.end() diff --git a/tests-extra/tests/dnssec/nsec_changes/test.py b/tests-extra/tests/dnssec/nsec_changes/test.py new file mode 100644 index 000000000..c9de7f2b1 --- /dev/null +++ b/tests-extra/tests/dnssec/nsec_changes/test.py 
@@ -0,0 +1,141 @@
+#!/usr/bin/env python3
+
+'''Test for NSEC transitions with autosigning.
+ zone1: none->nsec->nsec3->none
+ zone2: none->nsec3->nsec->none'''
+
+from dnstest.utils import *
+from dnstest.test import Test
+
+t = Test()
+
+master = t.server("knot")
+slave = t.server("bind")
+zone1 = t.zone_rnd(1, dnssec=False, records=5)
+zone2 = t.zone_rnd(1, dnssec=False, records=5)
+zones = zone1 + zone2
+t.link(zones, master, slave)
+
+t.start()
+
+# Wait for listening server with unsigned zones.
+master.zones_wait(zones)
+old_serials = slave.zones_wait(zones)
+t.xfr_diff(master, slave, zones)
+
+# Check NSEC absence.
+master.check_nsec(zone1, nonsec=True)
+master.check_nsec(zone2, nonsec=True)
+
+### First change ##############################################################
+
+# Enable autosigning.
+master.dnssec(zone1).enable = True
+master.dnssec(zone2).enable = True
+master.dnssec(zone2).nsec3 = True
+master.dnssec(zone2).nsec3_iters = 2
+master.dnssec(zone2).nsec3_salt_len = 2
+master.gen_confile()
+master.reload()
+
+# Wait for changed zone and flush.
+master.zones_wait(zones, old_serials)
+old_serials = slave.zones_wait(zones, old_serials)
+t.xfr_diff(master, slave, zones)
+master.flush()
+t.sleep(1)
+
+# Check the NSEC3PARAM record.
+resp = master.dig(zone1, "NSEC3PARAM", dnssec=True)
+compare(resp.count(), 0, "NSEC3PARAM count")
+resp = master.dig(zone2, "NSEC3PARAM", dnssec=True)
+compare(resp.count(), 1, "NSEC3PARAM count")
+
+# Check DNSKEYs.
+resp = master.dig(zone1, "DNSKEY", dnssec=True)
+compare(resp.count(), 2, "DNSKEY count")
+resp = master.dig(zone2, "DNSKEY", dnssec=True)
+compare(resp.count(), 2, "DNSKEY count")
+
+# Check NSEC.
+master.check_nsec(zone1)
+master.check_nsec(zone2, nsec3=True)
+
+# Verify signed zone files.
+master.zone_verify(zone1)
+master.zone_verify(zone2)
+
+### Second change #############################################################
+
+# Reconfigure autosigning.
+master.dnssec(zone1).nsec3 = True
+master.dnssec(zone1).nsec3_iters = 1
+master.dnssec(zone1).nsec3_salt_len = 0
+master.dnssec(zone2).nsec3 = False
+master.gen_confile()
+master.reload()
+
+# Wait for changed zone and flush.
+master.zones_wait(zones, old_serials)
+old_serials = slave.zones_wait(zones, old_serials)
+t.xfr_diff(master, slave, zones)
+master.flush()
+t.sleep(1)
+
+# Check the NSEC3PARAM record.
+resp = master.dig(zone1, "NSEC3PARAM", dnssec=True)
+compare(resp.count(), 1, "NSEC3PARAM count")
+resp = master.dig(zone2, "NSEC3PARAM", dnssec=True)
+compare(resp.count(), 0, "NSEC3PARAM count")
+
+# Check DNSKEYs.
+resp = master.dig(zone1, "DNSKEY", dnssec=True)
+compare(resp.count(), 2, "DNSKEY count")
+resp = master.dig(zone2, "DNSKEY", dnssec=True)
+compare(resp.count(), 2, "DNSKEY count")
+
+# Check NSEC.
+master.check_nsec(zone1, nsec3=True)
+master.check_nsec(zone2)
+
+# Verify signed zone files.
+master.zone_verify(zone1)
+master.zone_verify(zone2)
+
+### Third change ##############################################################
+
+# Disable autosigning.
+master.dnssec(zone1).enable = False
+master.dnssec(zone2).enable = False
+master.gen_confile()
+master.reload()
+
+# Wait for changed zone and flush (unchanged).
+t.sleep(1)
+master.zones_wait(zones, old_serials, equal=True, greater=False)
+slave.zones_wait(zones, old_serials, equal=True, greater=False)
+t.xfr_diff(master, slave, zones)
+master.flush()
+t.sleep(1)
+
+# Check the NSEC3PARAM record (unchanged).
+resp = master.dig(zone1, "NSEC3PARAM", dnssec=True)
+compare(resp.count(), 1, "NSEC3PARAM count")
+resp = master.dig(zone2, "NSEC3PARAM", dnssec=True)
+compare(resp.count(), 0, "NSEC3PARAM count")
+
+# Check DNSKEYs (unchanged).
+resp = master.dig(zone1, "DNSKEY", dnssec=True)
+compare(resp.count(), 2, "DNSKEY count")
+resp = master.dig(zone2, "DNSKEY", dnssec=True)
+compare(resp.count(), 2, "DNSKEY count")
+
+# Check NSEC (unchanged).
+master.check_nsec(zone1, nsec3=True)
+master.check_nsec(zone2)
+
+# Verify signed zone files (unchanged).
+master.zone_verify(zone1)
+master.zone_verify(zone2)
+
+t.end()
diff --git a/tests-extra/tests/dnssec/nsec_to_nsec3/test.py b/tests-extra/tests/dnssec/nsec_to_nsec3/test.py
deleted file mode 100644
index a1313f1a7..000000000
--- a/tests-extra/tests/dnssec/nsec_to_nsec3/test.py
+++ /dev/null
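Review bot: The third phase of nsec_changes asserts that disabling signing leaves DNSKEY, NSEC3PARAM and RRSIGs in place ("unchanged"), which is also the state in which the published signatures will expire and the zone turns bogus at validators; a comment should state that keeping the existing DNSSEC data is the intended "do not unsign" behaviour, so nobody later "fixes" the expected counts to 0. The negative check rests on `t.sleep(1)` followed by `zones_wait(..., equal=True, greater=False)`; whether that call fails on a higher serial or merely waits for equality is not visible here, and if it is the latter a late resign after the sleep would go unnoticed. Suggested comment above the third phase: `# Disabling signing must not rewrite the zone: existing DNSKEY/NSEC3PARAM/RRSIG stay as they are.`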
@@ -1,88 +0,0 @@ -#!/usr/bin/env python3 - -'''Test for transition from NSEC to NSEC3 on auto-signed zone.''' - -from dnstest.utils import * -from dnstest.test import Test - -t = Test() - -master = t.server("knot") -slave = t.server("bind") -zone = t.zone_rnd(1, dnssec=False) -t.link(zone, master, slave) - -t.start() - -# Wait for listening server with unsigned zone. -old_serial = master.zone_wait(zone) -slave.zone_wait(zone) -t.xfr_diff(master, slave, zone) - -# Check NSEC absence. -master.check_nsec(zone, nonsec=True) - -master.stop() - -# Enable autosigning. -master.dnssec_enable = True -master.gen_key(zone, ksk=True, alg="rsasha1-nsec3-sha1") -master.gen_key(zone, alg="rsasha1-nsec3-sha1") -master.gen_key(zone, ksk=True, alg="rsasha256") -master.gen_key(zone, alg="rsasha256") -master.gen_confile() -master.start() - -# Wait for changed zone and flush. -new_serial = master.zone_wait(zone, old_serial) -slave.zone_wait(zone, old_serial) -t.xfr_diff(master, slave, zone) -master.flush() -t.sleep(1) - -# Check absence of NSEC3PARAM record. -resp = master.dig(zone, "NSEC3PARAM", dnssec=True) -compare(resp.count(), 0, "NSEC3PARAM count") - -# Check presence of DNSKEYs. -resp = master.dig(zone, "DNSKEY", dnssec=True) -compare(resp.count(), 4, "DNSKEY count") - -# Check NSEC presence. -master.check_nsec(zone) - -master.stop() -master.backup_zone(zone) - -# Verify signed zone file. -master.zone_verify(zone) - -### NSEC -> NSEC3 ### - -# Enable NSEC3 on zone. -master.enable_nsec3(zone) -master.gen_confile() -master.start() - -# Wait for changed zone and flush. -master.zone_wait(zone, new_serial) -slave.zone_wait(zone, new_serial) -t.xfr_diff(master, slave, zone) -master.flush() -t.sleep(1) - -# Check presence of NSEC3PARAM record. -resp = master.dig(zone, "NSEC3PARAM", dnssec=True) -compare(resp.count(), 1, "NSEC3PARAM count") - -# Check presence of DNSKEYs. -resp = master.dig(zone, "DNSKEY", dnssec=True) -compare(resp.count(), 4, "DNSKEY count") - -# Check NSEC3 presence. 
-master.check_nsec(zone, nsec3=True) - -# Verify signed zone file. -master.zone_verify(zone) - -t.end() diff --git a/tests-extra/tests/dnssec/records/test.py b/tests-extra/tests/dnssec/records/test.py index 72bdacfd6..a634199ba 100644 --- a/tests-extra/tests/dnssec/records/test.py +++ b/tests-extra/tests/dnssec/records/test.py @@ -10,12 +10,7 @@ t = Test() master = t.server("knot") zone = t.zone("records.") t.link(zone, master) - -# Enable autosigning. -master.dnssec_enable = True -master.gen_key(zone, ksk=True, alg="RSASHA1") -master.gen_key(zone, alg="RSASHA1") -master.gen_confile() +master.dnssec(zone).enable = True t.start() diff --git a/tests-extra/tests/dnssec/single_type_signing/test.py b/tests-extra/tests/dnssec/single_type_signing/test.py index 9b5a3c0cb..086059782 100644 --- a/tests-extra/tests/dnssec/single_type_signing/test.py +++ b/tests-extra/tests/dnssec/single_type_signing/test.py @@ -27,7 +27,10 @@ knot.gen_key(zones[3], ksk=True, alg="RSASHA256", key_len="1024") knot.gen_key(zones[3], ksk=False, alg="RSASHA256", key_len="1024") knot.gen_key(zones[3], ksk=False, alg="RSASHA512", key_len="1024") -knot.dnssec_enable = True +for zone in zones: + knot.dnssec(zone).enable = True + knot.dnssec(zone).manual = True + knot.gen_confile() knot.reload() t.sleep(2) diff --git a/tests-extra/tests/modules/synth_record/test.py b/tests-extra/tests/modules/synth_record/test.py index 3743c06ee..8a39afcb8 100644 --- a/tests-extra/tests/modules/synth_record/test.py +++ b/tests-extra/tests/modules/synth_record/test.py @@ -22,10 +22,8 @@ zone = t.zone("forward.", storage=".") + \ t.link(zone, knot) # Enable DNSSEC -knot.dnssec_enable = True for z in zone: - knot.gen_key(z, ksk=True, alg="RSASHA256") - knot.gen_key(z, alg="RSASHA256") + knot.dnssec(z).enable = True # Configure 'synth_record' modules for auto forward/reverse zones knot.add_module(zone[FWD], ModSynthRecord("forward", None, None, "192.168.0.1")) 
diff --git a/tests-extra/tests/zone/restart/test.py b/tests-extra/tests/zone/restart/test.py index c1a33737b..9fa3f1faa 100644 --- a/tests-extra/tests/zone/restart/test.py +++ b/tests-extra/tests/zone/restart/test.py @@ -1,6 +1,6 @@ #!/usr/bin/env python3 -'''Test for changeset application after restart. ''' +'''Test for changeset application after restart.''' from dnstest.test import Test import dnstest.utils @@ -28,13 +28,11 @@ slave = t.server("knot") # Zone setup zone = t.zone_rnd(1, dnssec=False) -t.link(zone, master, slave, ixfr = True, ddns=True) +t.link(zone, master, slave, ixfr=True, ddns=True) # Turn automatic DNSSEC on -master.dnssec_enable = True -master.enable_nsec3(zone) -master.gen_key(zone, ksk=True, alg="RSASHA256") -master.gen_key(zone, alg="RSASHA256") +master.dnssec(zone).enable = True +master.dnssec(zone).nsec3 = True t.start() diff --git a/tests-extra/tools/dnstest/keys.py b/tests-extra/tools/dnstest/keys.py index 1a04a79b5..77bb25ef9 100644 --- a/tests-extra/tools/dnstest/keys.py +++ b/tests-extra/tools/dnstest/keys.py @@ -118,29 +118,6 @@ class Key(object): def _keymgr(self, *args): return Keymgr.run(self.dir, *args) - def _ensure_zone(self): - # initialize KASP (currently NOOP if initialized) - (exit_code, _, _) = self._keymgr("init"); - if exit_code != 0: - raise Failed("Failed to initialize the KASP.") - - # disable automatic signing - (exit_code, _, _) = self._keymgr("policy", "set", "default", "manual", "true"); - if exit_code != 0: - raise Failed("Failed to disable automatic signing in KASP.") - - # check if zone exists in KASP - (exit_code, _, _) = self._keymgr("zone", "show", self.zone_name) - if exit_code == 0: - return - - # add zone into KASP - (exit_code, _, _) = self._keymgr("zone", "add", self.zone_name) - if exit_code == 0: - return - - raise Failed("Unable to add zone '%s' into KASP." % self.zone_name) - def _gen_command(self): cmd = [ "zone", "key", "generate", self.zone_name, 
@@ -154,7 +131,6 @@ class Key(object): return cmd def generate(self): - self._ensure_zone() command = self._gen_command() (exit_code, _, _) = self._keymgr(*command) if exit_code != 0: diff --git a/tests-extra/tools/dnstest/server.py b/tests-extra/tools/dnstest/server.py index 1cf6e528d..50ee812a4 100644 --- a/tests-extra/tools/dnstest/server.py +++ b/tests-extra/tools/dnstest/server.py @@ -31,6 +31,20 @@ def zone_arg_check(zone): return zone[0] return zone +class ZoneDnssec(object): + '''Zone DNSSEC signing configuration''' + + def __init__(self): + self.enable = None + self.manual = None + self.alg = None + self.ksk_size = None + self.zsk_size = None + self.nsec3 = None + self.nsec3_iters = None + self.nsec3_resalt = None + self.nsec3_salt_len = None + class Zone(object): '''DNS zone description''' @@ -39,10 +53,9 @@ class Zone(object): self.masters = set() self.slaves = set() self.ddns = ddns - # ixfr from differences - self.ixfr = ixfr - # modules + self.ixfr = ixfr # ixfr from differences self.modules = [] + self.dnssec = ZoneDnssec() @property def name(self): @@ -115,7 +128,7 @@ class Server(object): self.fout = None self.ferr = None self.valgrind_log = None - self.conffile = None + self.confile = None def _check_socket(self, proto, port): if ipaddress.ip_address(self.addr).version == 4: @@ -587,7 +600,6 @@ class Server(object): def gen_key(self, zone, **args): zone = zone_arg_check(zone) - prepare_dir(self.keydir) key = dnstest.keys.Key(self.keydir, zone.name, **args) key.generate() @@ -598,6 +610,11 @@ class Server(object): # copy all keys, even for other zones distutils.dir_util.copy_tree(zone.key_dir, self.keydir, update=True) + def dnssec(self, zone): + zone = zone_arg_check(zone) + + return self.zones[zone.name].dnssec + def enable_nsec3(self, zone, **args): zone = zone_arg_check(zone) 
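Review bot: `Key.generate()` no longer initialises the KASP or forces `manual` on the default policy, so a key generated here is only left alone when the server's config policy is manual as well; a caller that omits `server.dnssec(zone).manual = True` (dnskey_algorithms and single_type_signing now set it) will have hand-made keys sitting next to whatever the automatic policy generates. That contract belongs in the method's docstring: `"""Generate the key with keymgr. The KASP must already exist and the zone's policy should be manual, otherwise automatic key management may add keys of its own."""`. The `Key` class header and the rest of its methods are outside this hunk.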
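Review bot: `gen_key()` dropped `prepare_dir(self.keydir)` at the same time `Key.generate()` dropped `keymgr init`, so nothing visible in this diff creates the key directory before the first keymgr invocation; a test that calls `gen_key()` before the server has ever started would fail on a missing directory unless `keydir` is created in the `Server` constructor or in `start()`, neither of which is in view. If that guarantee exists, document it at the call: `# keydir is created on server start; keymgr requires it to exist`; if it does not, the `prepare_dir` call should stay.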
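Review bot: `Server.dnssec()` indexes `self.zones[zone.name]` directly, so calling it before `t.link()` surfaces as a bare KeyError on the zone name, which is not obvious to someone used to `dnssec_enable` working at any time. A targeted failure is cheap, assuming `Failed` is in scope in server.py as it is in keys.py: `try: return self.zones[zone.name].dnssec` / `except KeyError: raise Failed("zone '%s' is not linked to this server" % zone.name)`. A docstring should also say that the returned `ZoneDnssec` is live and must be edited before `gen_confile()` for the change to reach the server.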
@@ -855,6 +872,14 @@ class Knot(Server): conf.item_str("algorithm", key.alg) conf.item_str("secret", key.key) + def _bool(self, conf, name, value): + if value != None: + conf.item_str(name, "on" if value else "off") + + def _str(self, conf, name, value): + if value != None: + conf.item_str(name, value) + def get_config(self): s = dnstest.config.KnotConf() s.begin("server") @@ -970,9 +995,26 @@ class Knot(Server): for module in z.modules: module.get_conf(s) + s.begin("policy") + for zone in sorted(self.zones): + z = self.zones[zone] + if not z.dnssec.enable: + continue + s.id_item("id", z.name) + self._bool(s, "manual", z.dnssec.manual) + self._str(s, "algorithm", z.dnssec.alg) + self._str(s, "ksk_size", z.dnssec.ksk_size) + self._str(s, "zsk_size", z.dnssec.zsk_size) + self._bool(s, "nsec3", z.dnssec.nsec3) + self._str(s, "nsec3-iterations", z.dnssec.nsec3_iters) + self._str(s, "nsec3-resalt", z.dnssec.nsec3_resalt) + self._str(s, "nsec3-salt-length", z.dnssec.nsec3_salt_len) + s.end() + s.begin("template") s.id_item("id", "default") s.item_str("storage", self.dir) + s.item_str("kasp-db", self.keydir) if self.zonefile_sync: s.item_str("zonefile-sync", self.zonefile_sync) else: @@ -982,9 +1024,6 @@ class Knot(Server): s.item_str("semantic-checks", "on") if self.disable_any: s.item_str("disable-any", "on") - if self.dnssec_enable: - s.item_str("kasp-db", self.keydir) - s.item_str("dnssec-signing", "on") if len(self.modules) > 0: modules = "" for module in self.modules: @@ -1030,6 +1069,10 @@ class Knot(Server): if z.ixfr and not z.masters: s.item_str("ixfr-from-differences", "on") + if z.dnssec.enable: + s.item_str("dnssec-signing", "on") + s.item_str("dnssec-policy", z.name) + if len(z.modules) > 0: modules = "" for module in z.modules: diff --git a/tests-extra/tools/dnstest/zonefile.py b/tests-extra/tools/dnstest/zonefile.py index abd250708..34946b0cd 100644 --- a/tests-extra/tools/dnstest/zonefile.py +++ b/tests-extra/tools/dnstest/zonefile.py 
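Review bot: `_bool` and `_str` test `value != None`; the idiomatic form is `value is not None`, which also avoids dispatching to `__ne__` of whatever object is passed in. `_str` forwards integers unchanged (`nsec3_iters = 2` in nsec_changes), so it relies on `conf.item_str` stringifying its argument; if that helper expects a string, the conversion belongs here. Suggested: `if value is not None: conf.item_str(name, str(value))`.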
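Review bot: The generated `policy` section carries only `manual`, the algorithm, key sizes and the NSEC3 knobs, so every other signing parameter (key lifetimes, rollover timing, RRSIG validity and refresh) silently falls back to Knot's defaults in each per-zone policy; that is reasonable for tests but should be written down, as should the fact that `s.begin("policy")` is emitted even when no zone has signing enabled, since whether KnotConf tolerates an empty section is not visible here. Moving `dnssec-signing` out of the template into the zone block is the right direction: signing is now on only for zones that asked for it, while `kasp-db` is set unconditionally. Suggested comment above the loop: `# one policy per signed zone, named after the zone; fields left None inherit Knot defaults`.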
@@ -89,26 +89,13 @@ class ZoneFile(object): self.set_file(file_name=file_name, storage=storage, version=version) def _kasp_import_keys(self, keydir, bind_keydir, zone_name): - Keymgr.run(keydir, "init") - Keymgr.run(keydir, "policy", "set", "default", "manual", "true") - # add zone if not exists - exitcode, _, _ = Keymgr.run(keydir, "zone", "show", zone_name) - if exitcode != 0: - Keymgr.run_check(keydir, "zone", "add", zone_name) - - # retrieve existing keys - tags = [] - exitcode, stdout, _ = Keymgr.run(keydir, "zone", "key", "list", zone_name) - if exitcode != 0: - tags = [int(re.search(r'\bkeytag\s+(\d+)\b', x).group(1)) for x in stdout.splitlines()] - - # import new keys, ignore existing (compare keytag) + # import bind style keys, overwrite existing (shouldn't be a problem) assert(zone_name.endswith(".")) for pkey_path in glob.glob("%s/K*.private" % glob.escape(bind_keydir)): pkey = os.path.basename(pkey_path) m = re.match(r'K(?P[^+]+)\+(?P\d+)\+(?P\d+)\.private', pkey) - if m and m.group("name") == zone_name.lower() and int(m.group("tag")) not in tags: + if m and m.group("name") == zone_name.lower(): Keymgr.run_check(keydir, "zone", "key", "import", zone_name, pkey_path) def gen_file(self, dnssec=None, nsec3=None, records=None, serial=None):
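Review bot: The rewritten `_kasp_import_keys` imports every `K*.private` whose owner matches `zone_name.lower()` and lets keymgr overwrite whatever is already stored; the comment "shouldn't be a problem" should say why (the key directory is per-test and fresh, or re-importing an existing key id is a no-op), because an overwrite of a key with the same tag but different material would only show up later as signature failures. `assert(zone_name.endswith("."))` is stripped under `-O`; `if not zone_name.endswith("."): raise ValueError("zone name must be fully qualified")` keeps the check. Dropping the old keytag filter is correct, as it only ever ran when `key list` failed. The regex's named groups appear here as `(?P[^+]+)`, which looks like the page rendering stripping `<name>`/`<tag>`; the `m.group("name")` call indicates the original is intact.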