upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Use a single named.conf template in rollover test

Browse source 
Rather than using multiple slightly modified named.conf files, use a
single template which can be rendered differently based on an input
argument -- in this case, csk_roll.
This commit is contained in:
Nicki Křížek 2025-05-30 17:21:36 +02:00
parent b2bb605143
commit 784a252425
3 changed files with 109 additions and 214 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

120
bin/tests/system/rollover/ns6/named.conf.j2
View file

@ -13,8 +13,11 @@
// NS6
{% set csk_roll = csk_roll | default(False) %}
{% set _csk_file = "csk1.conf" if not csk_roll else "csk2.conf" %}
include "kasp.conf";
include "csk1.conf";
include "@_csk_file@";
options {
query-source address 10.53.0.6;
@ -26,7 +29,7 @@ options {
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
key-directory ".";
key-directory "."; // TODO if csk_roll?
dnssec-validation no;
};
@ -53,68 +56,159 @@ zone "dynamic2inline.kasp" {
};
/* Lifetime changes. */
{% set _policy = "short-lifetime" if not csk_roll else "long-lifetime" %}
zone longer-lifetime {
type primary;
file "longer-lifetime.db";
dnssec-policy short-lifetime;
dnssec-policy @_policy@;
};
{% set _policy = "long-lifetime" if not csk_roll else "short-lifetime" %}
zone shorter-lifetime {
type primary;
file "shorter-lifetime.db";
dnssec-policy long-lifetime;
dnssec-policy @_policy@;
};
{% set _policy = "unlimited-lifetime" if not csk_roll else "short-lifetime" %}
zone limit-lifetime {
type primary;
file "limit-lifetime.db";
dnssec-policy unlimited-lifetime;
dnssec-policy @_policy@;
};
{% set _policy = "short-lifetime" if not csk_roll else "unlimited-lifetime" %}
zone unlimit-lifetime {
type primary;
file "unlimit-lifetime.db";
dnssec-policy short-lifetime;
dnssec-policy @_policy@;
};
/* These zones are going insecure. */
/* Zones for testing going insecure. */
{% set _policy = "unsigning" if not csk_roll else "insecure" %}
zone "step1.going-insecure.kasp" {
type primary;
file "step1.going-insecure.kasp.db";
dnssec-policy "unsigning";
dnssec-policy @_policy@;
};
{% if csk_roll %} // TODO maybe omit?
zone "step2.going-insecure.kasp" {
type primary;
file "step2.going-insecure.kasp.db";
dnssec-policy "insecure";
};
{% endif %}
{% set _policy = "unsigning" if not csk_roll else "insecure" %}
zone "step1.going-insecure-dynamic.kasp" {
type primary;
file "step1.going-insecure-dynamic.kasp.db";
dnssec-policy "unsigning";
dnssec-policy @_policy@;
inline-signing no;
allow-update { any; };
};
{% if csk_roll %} // TODO maybe omit?
zone "step2.going-insecure-dynamic.kasp" {
type primary;
file "step2.going-insecure-dynamic.kasp.db";
dnssec-policy insecure;
inline-signing no;
allow-update { any; };
};
{% endif %}
{% set _policy = "default" if not csk_roll else "none" %}
zone "step1.going-straight-to-none.kasp" {
type primary;
file "step1.going-straight-to-none.kasp.db";
dnssec-policy "default";
dnssec-policy @_policy@;
};
{% set _policy = "default" if not csk_roll else "none" %}
zone "step1.going-straight-to-none-dynamic.kasp" {
type primary;
file "step1.going-straight-to-none-dynamic.kasp.db.signed";
inline-signing no;
dnssec-policy "default";
dnssec-policy @_policy@;
allow-update { any; };
};
/* These are alorithm rollover test zones. */
/* Zones for testing KSK/ZSK algorithm roll. */
{% set _policy = "rsasha256" if not csk_roll else "ecdsa256" %}
zone "step1.algorithm-roll.kasp" {
type primary;
file "step1.algorithm-roll.kasp.db";
dnssec-policy "rsasha256";
dnssec-policy @_policy@;
};
{% if csk_roll %}
zone "step2.algorithm-roll.kasp" {
type primary;
file "step2.algorithm-roll.kasp.db";
dnssec-policy "ecdsa256";
};
zone "step3.algorithm-roll.kasp" {
type primary;
file "step3.algorithm-roll.kasp.db";
dnssec-policy "ecdsa256";
};
zone "step4.algorithm-roll.kasp" {
type primary;
file "step4.algorithm-roll.kasp.db";
dnssec-policy "ecdsa256";
};
zone "step5.algorithm-roll.kasp" {
type primary;
file "step5.algorithm-roll.kasp.db";
dnssec-policy "ecdsa256";
};
zone "step6.algorithm-roll.kasp" {
type primary;
file "step6.algorithm-roll.kasp.db";
dnssec-policy "ecdsa256";
};
{% endif %}
zone "step1.csk-algorithm-roll.kasp" {
type primary;
file "step1.csk-algorithm-roll.kasp.db";
dnssec-policy "csk-algoroll";
};
{% if csk_roll %}
zone "step2.csk-algorithm-roll.kasp" {
type primary;
file "step2.csk-algorithm-roll.kasp.db";
dnssec-policy "csk-algoroll";
};
zone "step3.csk-algorithm-roll.kasp" {
type primary;
file "step3.csk-algorithm-roll.kasp.db";
dnssec-policy "csk-algoroll";
};
zone "step4.csk-algorithm-roll.kasp" {
type primary;
file "step4.csk-algorithm-roll.kasp.db";
dnssec-policy "csk-algoroll";
};
zone "step5.csk-algorithm-roll.kasp" {
type primary;
file "step5.csk-algorithm-roll.kasp.db";
dnssec-policy "csk-algoroll";
};
zone "step6.csk-algorithm-roll.kasp" {
type primary;
file "step6.csk-algorithm-roll.kasp.db";
dnssec-policy "csk-algoroll";
};
{% endif %}

198
bin/tests/system/rollover/ns6/named2.conf.j2
View file

@ -1,198 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS6
include "kasp.conf";
include "csk2.conf";
options {
query-source address 10.53.0.6;
notify-source 10.53.0.6;
transfer-source 10.53.0.6;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.6; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
dnssec-validation no;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
zone "." {
type hint;
file "../../_common/root.hint.blackhole";
};
/* This zone switch from dynamic to inline-signing. */
zone "dynamic2inline.kasp" {
type primary;
file "dynamic2inline.kasp.db";
allow-update { any; };
dnssec-policy "default";
};
/* Lifetime changes. */
zone longer-lifetime {
type primary;
file "longer-lifetime.db";
dnssec-policy long-lifetime;
};
zone shorter-lifetime {
type primary;
file "shorter-lifetime.db";
dnssec-policy short-lifetime;
};
zone limit-lifetime {
type primary;
file "limit-lifetime.db";
dnssec-policy short-lifetime;
};
zone unlimit-lifetime {
type primary;
file "unlimit-lifetime.db";
dnssec-policy unlimited-lifetime;
};
/* Zones for testing going insecure. */
zone "step1.going-insecure.kasp" {
type primary;
file "step1.going-insecure.kasp.db";
dnssec-policy "insecure";
};
zone "step2.going-insecure.kasp" {
type primary;
file "step2.going-insecure.kasp.db";
dnssec-policy "insecure";
};
zone "step1.going-insecure-dynamic.kasp" {
type primary;
file "step1.going-insecure-dynamic.kasp.db";
inline-signing no;
dnssec-policy "insecure";
allow-update { any; };
};
zone "step2.going-insecure-dynamic.kasp" {
type primary;
file "step2.going-insecure-dynamic.kasp.db";
inline-signing no;
dnssec-policy "insecure";
allow-update { any; };
};
zone "step1.going-straight-to-none.kasp" {
type primary;
file "step1.going-straight-to-none.kasp.db";
dnssec-policy "none";
};
zone "step1.going-straight-to-none-dynamic.kasp" {
type primary;
file "step1.going-straight-to-none-dynamic.kasp.db.signed";
inline-signing no;
dnssec-policy "none";
allow-update { any; };
};
/*
* Zones for testing KSK/ZSK algorithm roll.
*/
zone "step1.algorithm-roll.kasp" {
type primary;
file "step1.algorithm-roll.kasp.db";
dnssec-policy "ecdsa256";
};
zone "step2.algorithm-roll.kasp" {
type primary;
file "step2.algorithm-roll.kasp.db";
dnssec-policy "ecdsa256";
};
zone "step3.algorithm-roll.kasp" {
type primary;
file "step3.algorithm-roll.kasp.db";
dnssec-policy "ecdsa256";
};
zone "step4.algorithm-roll.kasp" {
type primary;
file "step4.algorithm-roll.kasp.db";
dnssec-policy "ecdsa256";
};
zone "step5.algorithm-roll.kasp" {
type primary;
file "step5.algorithm-roll.kasp.db";
dnssec-policy "ecdsa256";
};
zone "step6.algorithm-roll.kasp" {
type primary;
file "step6.algorithm-roll.kasp.db";
dnssec-policy "ecdsa256";
};
/*
* Zones for testing CSK algorithm roll.
*/
zone "step1.csk-algorithm-roll.kasp" {
type primary;
file "step1.csk-algorithm-roll.kasp.db";
dnssec-policy "csk-algoroll";
};
zone "step2.csk-algorithm-roll.kasp" {
type primary;
file "step2.csk-algorithm-roll.kasp.db";
dnssec-policy "csk-algoroll";
};
zone "step3.csk-algorithm-roll.kasp" {
type primary;
file "step3.csk-algorithm-roll.kasp.db";
dnssec-policy "csk-algoroll";
};
zone "step4.csk-algorithm-roll.kasp" {
type primary;
file "step4.csk-algorithm-roll.kasp.db";
dnssec-policy "csk-algoroll";
};
zone "step5.csk-algorithm-roll.kasp" {
type primary;
file "step5.csk-algorithm-roll.kasp.db";
dnssec-policy "csk-algoroll";
};
zone "step6.csk-algorithm-roll.kasp" {
type primary;
file "step6.csk-algorithm-roll.kasp.db";
dnssec-policy "csk-algoroll";
};

5
bin/tests/system/rollover/tests_rollover.py
View file

@ -10,7 +10,6 @@
# information regarding copyright ownership.
import os
import shutil
from datetime import timedelta
@ -1275,7 +1274,7 @@ def test_rollover_csk_roll2(servers):
check_rollover_step(server, config, policy, step)
def test_rollover_policy_changes(servers):
def test_rollover_policy_changes(servers, templates):
server = servers["ns6"]
cdss = ["CDNSKEY", "CDS (SHA-256)"]
alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
@ -1445,7 +1444,7 @@ def test_rollover_policy_changes(servers):
# Reconfigure, changing DNSSEC policies and other configuration options,
# triggering algorithm rollovers and other dnssec-policy changes.
shutil.copyfile("ns6/named2.conf", "ns6/named.conf")
templates.render("ns6/named.conf", {"csk_roll": True})
server.rndc("reconfig")
# Calculate time passed to correctly check for next key events.
now = KeyTimingMetadata.now()