Commit f762ee66 authored by Matthijs Mekking 🏡

Merge branch '1669-kasp-test-fails-on-windows' into 'master'

Fix kasp timing issue on Windows

Closes #1669

See merge request !3337
parents 58a5e6fb 04e67110
Pipeline #38636 passed with stages
in 4 minutes and 47 seconds
5375. [test] Fix timing issue in kasp test. [GL #1669]
5374. [bug] Statistics counters counting recursive clients and 5374. [bug] Statistics counters counting recursive clients and
active connections could underflow. [GL #1087] active connections could underflow. [GL #1087]
......
...@@ -50,7 +50,7 @@ dnssec-policy "ecdsa256" { ...@@ -50,7 +50,7 @@ dnssec-policy "ecdsa256" {
}; };
dnssec-policy "migrate" { dnssec-policy "migrate" {
dnskey-ttl 300; dnskey-ttl 7200;
keys { keys {
ksk key-directory lifetime unlimited algorithm ECDSAP256SHA256; ksk key-directory lifetime unlimited algorithm ECDSAP256SHA256;
......
...@@ -42,8 +42,8 @@ U="UNRETENTIVE" ...@@ -42,8 +42,8 @@ U="UNRETENTIVE"
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy. # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
setup migrate.kasp setup migrate.kasp
echo "$zone" >> zones echo "$zone" >> zones
KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1) KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2) ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.2)
$SETTIME -P now -P sync now -A now "$KSK" > settime.out.$zone.1 2>&1 $SETTIME -P now -P sync now -A now "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -P now -A now "$ZSK" > settime.out.$zone.2 2>&1 $SETTIME -P now -A now "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
...@@ -193,9 +193,9 @@ TactN="now-40h" ...@@ -193,9 +193,9 @@ TactN="now-40h"
TpubN1="now-40h" TpubN1="now-40h"
TactN1="now-31h" TactN1="now-31h"
TremN="now-2h" TremN="now-2h"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -r $U $TremN -d $H $TremN "$KSK1" > settime.out.$zone.1 2>&1 $SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1 $SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TremN "$KSK2" > settime.out.$zone.1 2>&1 $SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.1 2>&1
$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 $SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys. # Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${KSK1}.state"
...@@ -218,10 +218,11 @@ ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) ...@@ -218,10 +218,11 @@ ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2)
TactN="now-47h" TactN="now-47h"
TpubN1="now-47h" TpubN1="now-47h"
TactN1="now-38h" TactN1="now-38h"
TremN="now-9h" TdeaN="now-9h"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -r $U $TremN -d $H $TremN "$KSK1" > settime.out.$zone.1 2>&1 TremN="now-7h"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1 $SETTIME -s -P $TactN -A $TactN -I now -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TremN "$KSK2" > settime.out.$zone.1 2>&1 $SETTIME -s -P $TactN -A $TactN -I now -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.1 2>&1
$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 $SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys. # Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${KSK1}.state"
...@@ -333,9 +334,10 @@ TactN="now-47h" ...@@ -333,9 +334,10 @@ TactN="now-47h"
TpubN1="now-47h" TpubN1="now-47h"
TactN1="now-44h" TactN1="now-44h"
TsubN1="now-38h" TsubN1="now-38h"
TremN="now-9h" TdeaN="now-9h"
$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1 TremN="now-7h"
$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.1 2>&1 $SETTIME -s -P $TactN -A $TactN -I now -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.1 2>&1
# Fake lifetime of old algorithm keys. # Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state" echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
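Review bot: In the rewritten `$SETTIME` lines of the second hunk, the `"$KSK1"` and `"$KSK2"` calls both redirect with `>` to `settime.out.$zone.1`, and the `"$ZSK1"` and `"$ZSK2"` calls both go to `settime.out.$zone.2`. The later call truncates the earlier one's output, so an error while setting the old key's state leaves no trace in the test artefacts. The same pattern is visible in the hunk before it and for `"$CSK1"`/`"$CSK2"` in the last hunk. Since these lines are being edited anyway, the second call of each pair could append instead, e.g. `"$KSK2" >> settime.out.$zone.1 2>&1`. The new `TdeaN`/`TremN` split also deserves a one-line comment; reading the flags, something like `# TdeaN: signatures became UNRETENTIVE, TremN: DNSKEY became HIDDEN` would fit, to be confirmed by the author.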
......
...@@ -16,8 +16,8 @@ $TTL 300 ...@@ -16,8 +16,8 @@ $TTL 300
3600 ; minimum (1 hour) 3600 ; minimum (1 hour)
) )
NS ns3 NS ns6
ns3 A 10.53.0.3 ns6 A 10.53.0.6
a A 10.0.0.1 a A 10.0.0.1
b A 10.0.0.2 b A 10.0.0.2
......
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
SYSTEMTESTTOP=..
. $SYSTEMTESTTOP/conf.sh
if [ "$CYGWIN" ]; then
echo_i "KASP test disabled on Windows for now due to timing issues"
exit 255
fi
exit 0
...@@ -13,6 +13,7 @@ ...@@ -13,6 +13,7 @@
SYSTEMTESTTOP=.. SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh" . "$SYSTEMTESTTOP/conf.sh"
start_time="$(TZ=UTC date +%s)"
status=0 status=0
n=0 n=0
...@@ -2892,7 +2893,7 @@ check_next_key_event 3600 ...@@ -2892,7 +2893,7 @@ check_next_key_event 3600
# Testing good migration. # Testing good migration.
# #
set_zone "migrate.kasp" set_zone "migrate.kasp"
set_policy "none" "2" "300" set_policy "none" "2" "7200"
set_server "ns6" "10.53.0.6" set_server "ns6" "10.53.0.6"
init_migration_match() { init_migration_match() {
...@@ -3052,6 +3053,11 @@ echo_i "reconfig dnssec-policy to trigger algorithm rollover" ...@@ -3052,6 +3053,11 @@ echo_i "reconfig dnssec-policy to trigger algorithm rollover"
copy_setports ns6/named2.conf.in ns6/named.conf copy_setports ns6/named2.conf.in ns6/named.conf
rndc_reconfig ns6 10.53.0.6 rndc_reconfig ns6 10.53.0.6
# Calculate time passed to correctly check for next key events.
now="$(TZ=UTC date +%s)"
time_passed=$((now-start_time))
echo_i "${time_passed} seconds passed between start of tests and reconfig"
# The NSEC record at the apex of the zone and its RRSIG records are # The NSEC record at the apex of the zone and its RRSIG records are
# added as part of the last step in signing a zone. We wait for the # added as part of the last step in signing a zone. We wait for the
# NSEC records to appear before proceeding with a counter to prevent # NSEC records to appear before proceeding with a counter to prevent
...@@ -3084,7 +3090,7 @@ next_key_event_threshold=$((next_key_event_threshold+i)) ...@@ -3084,7 +3090,7 @@ next_key_event_threshold=$((next_key_event_threshold+i))
# Testing migration. # Testing migration.
# #
set_zone "migrate.kasp" set_zone "migrate.kasp"
set_policy "migrate" "2" "300" set_policy "migrate" "2" "7200"
set_server "ns6" "10.53.0.6" set_server "ns6" "10.53.0.6"
# Key properties, timings and metadata should be the same as legacy keys above. # Key properties, timings and metadata should be the same as legacy keys above.
...@@ -3326,8 +3332,11 @@ dnssec_verify ...@@ -3326,8 +3332,11 @@ dnssec_verify
# algorithm. This is the max-zone-ttl plus zone propagation delay # algorithm. This is the max-zone-ttl plus zone propagation delay
# plus retire safety: 6h + 1h + 2h. But three hours have already passed # plus retire safety: 6h + 1h + 2h. But three hours have already passed
# (the time it took to make the DNSKEY omnipresent), so the next event # (the time it took to make the DNSKEY omnipresent), so the next event
# should be scheduled in 6 hour: 21600 seconds. # should be scheduled in 6 hour: 21600 seconds. Prevent intermittent
check_next_key_event 21600 # false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
next_time=$((21600-time_passed))
check_next_key_event $next_time
# #
# Zone: step3.algorithm-roll.kasp # Zone: step3.algorithm-roll.kasp
...@@ -3399,8 +3408,11 @@ dnssec_verify ...@@ -3399,8 +3408,11 @@ dnssec_verify
# Next key event is when the RSASHA1 signatures become HIDDEN. This happens # Next key event is when the RSASHA1 signatures become HIDDEN. This happens
# after the max-zone-ttl plus zone propagation delay plus retire safety # after the max-zone-ttl plus zone propagation delay plus retire safety
# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has # (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
# been reached (2h): 9h - 2h = 7h = 25200 # been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
check_next_key_event 25200 # false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
next_time=$((25200-time_passed))
check_next_key_event $next_time
# #
# Zone: step6.algorithm-roll.kasp # Zone: step6.algorithm-roll.kasp
...@@ -3498,8 +3510,11 @@ dnssec_verify ...@@ -3498,8 +3510,11 @@ dnssec_verify
# algorithm. This is the max-zone-ttl plus zone propagation delay # algorithm. This is the max-zone-ttl plus zone propagation delay
# plus retire safety: 6h + 1h + 2h. But three hours have already passed # plus retire safety: 6h + 1h + 2h. But three hours have already passed
# (the time it took to make the DNSKEY omnipresent), so the next event # (the time it took to make the DNSKEY omnipresent), so the next event
# should be scheduled in 6 hour: 21600 seconds. # should be scheduled in 6 hour: 21600 seconds. Prevent intermittent
check_next_key_event 21600 # false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
next_time=$((21600-time_passed))
check_next_key_event $next_time
# #
# Zone: step3.csk-algorithm-roll.kasp # Zone: step3.csk-algorithm-roll.kasp
...@@ -3567,8 +3582,11 @@ dnssec_verify ...@@ -3567,8 +3582,11 @@ dnssec_verify
# Next key event is when the RSASHA1 signatures become HIDDEN. This happens # Next key event is when the RSASHA1 signatures become HIDDEN. This happens
# after the max-zone-ttl plus zone propagation delay plus retire safety # after the max-zone-ttl plus zone propagation delay plus retire safety
# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has # (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
# been reached (2h): 9h - 2h = 7h = 25200 # been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
check_next_key_event 25200 # false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
next_time=$((25200-time_passed))
check_next_key_event $next_time
# #
# Zone: step6.csk-algorithm-roll.kasp # Zone: step6.csk-algorithm-roll.kasp
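Review bot: The comment added above `next_time=$((21600-time_passed))` says the subtraction covers the time "between key creation and invoking 'rndc reconfig'", but `start_time` is captured at the top of tests.sh, so `time_passed` only measures from the start of the test script. The key timing metadata is set by `$SETTIME` in the setup script, which presumably runs earlier, so the gap between setup and test start is not included. The same comment is repeated before the 25200 check and before both csk-algorithm-roll checks. I would reword it to match the `echo_i` message, e.g. `# which passed between the start of tests.sh and invoking 'rndc reconfig'.`, and state that the remaining offset is expected to fall within the threshold used by check_next_key_event (defined outside these hunks). As a style point, quote the argument: `check_next_key_event "$next_time"`.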
......
...@@ -699,7 +699,6 @@ ...@@ -699,7 +699,6 @@
./bin/tests/system/kasp/ns4/setup.sh SH 2019,2020 ./bin/tests/system/kasp/ns4/setup.sh SH 2019,2020
./bin/tests/system/kasp/ns5/setup.sh SH 2019,2020 ./bin/tests/system/kasp/ns5/setup.sh SH 2019,2020
./bin/tests/system/kasp/ns6/setup.sh SH 2020 ./bin/tests/system/kasp/ns6/setup.sh SH 2020
./bin/tests/system/kasp/prereq.sh SH 2020
./bin/tests/system/kasp/setup.sh SH 2019,2020 ./bin/tests/system/kasp/setup.sh SH 2019,2020
./bin/tests/system/kasp/tests.sh SH 2019,2020 ./bin/tests/system/kasp/tests.sh SH 2019,2020
./bin/tests/system/keepalive/clean.sh SH 2017,2018,2019,2020 ./bin/tests/system/keepalive/clean.sh SH 2017,2018,2019,2020
......