From cb0a2ae1dd9f36c7dfb909d06453cd2beba595ea Mon Sep 17 00:00:00 2001
From: Tom Krizek
Date: Tue, 18 Oct 2022 17:16:27 +0200
Subject: [PATCH] Revive dupsigs system test
Correctly source conf.sh in dupsigs test scripts (fix issue introduced by 093af1c00ac25e4f132fe2442a24e1264aadb28d). Update dupsigs test for dnssec-dnskey-kskonly default. Since v9.17.20, the dnssec-dnskey-kskonly is set to yes. Update the test to not expect the additional RRSIG with ZSK for DNSKEY. Speed up the test from 20 minutes to 2.5 minutes and make it part of the default test suite executed in CI. - decrease number of records to sign from 2000 to 500 - decrease the signing interval by a factor of 6 - shorten the final part of the test after last signing (since nothing new happens there) Finally, clarify misleading comments about (in)sufficient time for zone re-signing. The time used in the test is in fact sufficient for the re-signing to happen. If it wasn't, the previous ZSK would end up being deleted while its signatures would still be present, which is a situation where duplicate signatures can still happen.
---
 bin/tests/system/Makefile.am | 5 +----
 bin/tests/system/conf.sh.common | 7 ++++---
 bin/tests/system/dupsigs/check_journal.pl | 5 -----
 bin/tests/system/dupsigs/clean.sh | 1 +
 bin/tests/system/dupsigs/ns1/named.conf.in | 2 +-
 bin/tests/system/dupsigs/ns1/reset_keys.sh | 15 ++++++++-------
 bin/tests/system/dupsigs/ns1/signing.test.db.in | 2 +-
 bin/tests/system/dupsigs/tests.sh | 9 +++++----
 8 files changed, 21 insertions(+), 25 deletions(-)
diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am
index 79450fb99c..266b49985b 100644
--- a/bin/tests/system/Makefile.am
+++ b/bin/tests/system/Makefile.am
@@ -101,6 +101,7 @@ TESTS += \
 dns64 \
 dscp \
 dsdigest \
+ dupsigs \
 dyndb \
 ecdsa \
 eddsa \
@@ -162,10 +163,6 @@ TESTS += \
 xferquota \
 zonechecks
-# The "dupsigs" test is not run by default because it takes
-# a very long time to complete.
-# TESTS += dupsigs
-
 if HAVE_LMDB
 TESTS += nzd2nzf
 endif # HAVE_LMDB
diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common
index dbb8490885..3f6381703c 100644
--- a/bin/tests/system/conf.sh.common
+++ b/bin/tests/system/conf.sh.common
@@ -26,8 +26,6 @@ export LANG=C
 #
 # Common lists of system tests to run.
 #
-# The "dupsigs" test is not run by default because it takes
-# a very long time to complete.
 #
 # These tests can use ports assigned by the caller (other than 5300
@@ -41,7 +39,10 @@ export LANG=C
 # rpzrecurse are scheduled first, in order to get more benefit from
 # parallelism.
 #
-PARALLEL_COMMON="rpzrecurse serve-stale
+PARALLEL_COMMON="
+rpzrecurse
+serve-stale
+dupsigs
 acl
 additional
 addzone
diff --git a/bin/tests/system/dupsigs/check_journal.pl b/bin/tests/system/dupsigs/check_journal.pl
index 99bf6907e8..074743205c 100644
--- a/bin/tests/system/dupsigs/check_journal.pl
+++ b/bin/tests/system/dupsigs/check_journal.pl
@@ -197,11 +197,6 @@ if( @changeset ) {
 if( $n_signing_keys == 0 ) {
 print "at serial $newserial $rrsig_id went unsigned\n";
 }
- elsif( $rrsig_id =~ /:DNSKEY$/ ) {
- if( $n_signing_keys != 2 ) {
- print "at serial $newserial $rrsig_id was signed $n_signing_keys time(s) when it should have been signed twice\n";
- }
- }
 elsif( $n_signing_keys > 1 ) {
 my @signing_keys = sort { $a <=> $b } keys %{ $rrsig_db{$rrsig_id} };
 print "at serial $newserial $rrsig_id was signed too many times, keys (@signing_keys)\n";
diff --git a/bin/tests/system/dupsigs/clean.sh b/bin/tests/system/dupsigs/clean.sh
index 9db0799490..68ddace99e 100644
--- a/bin/tests/system/dupsigs/clean.sh
+++ b/bin/tests/system/dupsigs/clean.sh
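Review bot: The comment immediately above `PARALLEL_COMMON=` still explains that rpzrecurse (and, judging by the visible `-PARALLEL_COMMON="rpzrecurse serve-stale` line, serve-stale) is scheduled first to get more benefit from parallelism, yet the list now also leads with dupsigs and the comment is not updated. Since the commit message puts dupsigs at roughly 2.5 minutes, it belongs to the same category and the comment should name it, e.g. `# The long-running tests (rpzrecurse, serve-stale, dupsigs) are scheduled first, in order to get more benefit from parallelism.`. The first line of that comment is outside the hunk, so its exact wording should be checked before editing.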
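Review bot: With the DNSKEY-specific branch removed, how many RRSIGs the checker accepts on the DNSKEY RRset now rests entirely on the server's `dnssec-dnskey-kskonly` default (yes since 9.17.20, per the commit message): a single signature falls through both remaining branches silently, while two are reported by the generic `elsif( $n_signing_keys > 1 )` branch as "signed too many times". That dependency is not visible in the code any more and deserves a comment where the old branch stood, e.g. `# DNSKEY is expected to be signed by the KSK only (dnssec-dnskey-kskonly defaults to yes); an extra ZSK signature on it is a duplicate like any other.`, so that a future change to the test's named.conf.in is not misread as a dupsigs regression. The enclosing `if( @changeset )` block begins before this hunk and continues after it.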
@@ -9,6 +9,7 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
+rm -f dig.out*
 rm -f ns1/named.conf
 rm -f ns1/named.lock
 rm -f ns1/named.memstats
diff --git a/bin/tests/system/dupsigs/ns1/named.conf.in b/bin/tests/system/dupsigs/ns1/named.conf.in
index c5ade8bf8e..494ecfb9e3 100644
--- a/bin/tests/system/dupsigs/ns1/named.conf.in
+++ b/bin/tests/system/dupsigs/ns1/named.conf.in
@@ -29,5 +29,5 @@ zone "signing.test" {
 key-directory "keys/signing.test";
 inline-signing yes;
 auto-dnssec maintain;
- sig-validity-interval 120 30;
+ sig-validity-interval 20 5;
 };
diff --git a/bin/tests/system/dupsigs/ns1/reset_keys.sh b/bin/tests/system/dupsigs/ns1/reset_keys.sh
index 28b1191b29..cc9bef78f5 100644
--- a/bin/tests/system/dupsigs/ns1/reset_keys.sh
+++ b/bin/tests/system/dupsigs/ns1/reset_keys.sh
@@ -11,7 +11,7 @@
 # See the COPYRIGHT file distributed with this work for additional
 # information regarding copyright ownership.
-. ../conf.sh
+. ../../conf.sh
 zone=signing.test
 rm -rf keys/signing.test
@@ -52,14 +52,14 @@ $SETTIME -P $BASET -A $BASET $KEYDIR/$KSK
 $SETTIME -P $BASET -A $BASET $KEYDIR/$ZSK0
 # schedule the first roll
-R1=`expr $BASE + 300`
+R1=`expr $BASE + 50`
 R1T=`timetodnssec $R1`
 $SETTIME -I $R1T $KEYDIR/$ZSK0
 $SETTIME -P $BASET -A $R1T $KEYDIR/$ZSK1
 # schedule the second roll (which includes the delete of the first key)
-R2=`expr $R1 + 300`
+R2=`expr $R1 + 50`
 R2T=`timetodnssec $R2`
 DT=$R2
 DTT=`timetodnssec $DT`
@@ -69,8 +69,7 @@ $SETTIME -I $R2T $KEYDIR/$ZSK1
 $SETTIME -P $R1T -A $R2T $KEYDIR/$ZSK2
 # schedule the third roll
-# this isn't long enough for the signing to complete
-R3=`expr $R2 + 60`
+R3=`expr $R2 + 25`
 R3T=`timetodnssec $R3`
 $SETTIME -D $R3T $KEYDIR/$ZSK1
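Review bot: Dropping the "this isn't long enough for the signing to complete" comment leaves `R3=`expr $R2 + 25`` without any explanation of why 25 seconds is safe, even though the commit message contains exactly the reasoning a reader of this script needs: re-signing must finish before ZSK1 is deleted at R3, otherwise the key would be gone while its signatures are still in the zone. I would put that reasoning back in place of the removed line, e.g. `# 25s is enough for re-signing to complete before ZSK1 is deleted at R3; if it were not, ZSK1's signatures would outlive the key (duplicate signatures)`. The same applies to the 50-second spacing of R1/R2 in the hunk above, which is equally undocumented.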
@@ -89,8 +88,10 @@ echo ZSK4=$ZSK4
 exit
 # schedule the fourth roll
-# this isn't long enough for the signing to complete
-R4=`expr $R3 + 30`
+# this isn't long enough for the signing to complete and would result in
+# duplicate signatures, see
+# https://gitlab.isc.org/isc-projects/bind9/-/merge_requests/231#note_9597
+R4=`expr $R3 + 10`
 R4T=`timetodnssec $R4`
 $SETTIME -D $R4T $KEYDIR/$ZSK2
diff --git a/bin/tests/system/dupsigs/ns1/signing.test.db.in b/bin/tests/system/dupsigs/ns1/signing.test.db.in
index f4c6643533..b522b6f0ef 100644
--- a/bin/tests/system/dupsigs/ns1/signing.test.db.in
+++ b/bin/tests/system/dupsigs/ns1/signing.test.db.in
@@ -15,4 +15,4 @@ $TTL 3600
 ns A 127.0.0.1
 ns AAAA ::1
-$GENERATE 0-1999 a${0,4,d} AAAA ::$
+$GENERATE 0-499 a${0,4,d} AAAA ::$
diff --git a/bin/tests/system/dupsigs/tests.sh b/bin/tests/system/dupsigs/tests.sh
index 731a3193b3..2901fede3b 100644
--- a/bin/tests/system/dupsigs/tests.sh
+++ b/bin/tests/system/dupsigs/tests.sh
@@ -13,8 +13,9 @@ status=0
 start=`date +%s`
-end=`expr $start + 1200`
-now=$start
+end=`expr $start + 150`
+sleep 10 # wait for a bit for the initial signing
+now=`expr $start + 10`
 while test $now -lt $end
 do
 et=`expr $now - $start`
@@ -23,12 +24,12 @@ do
 $DIG axfr signing.test -p ${PORT} @10.53.0.1 > dig.out.at$et
 awk '$4 == "RRSIG" { print $11 }' dig.out.at$et | sort | uniq -c
 lines=`awk '$4 == "RRSIG" { print}' dig.out.at$et | wc -l`
- if [ ${et} -ne 0 -a ${lines} -ne 4009 ]
+ if [ ${et} -ne 0 -a ${lines} -ne 1008 ]
 then
 echo_i "failed"
 status=`expr $status + 1`
 fi
- sleep 20
+ sleep 5
 now=`date +%s`
 done
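Review bot: The fourth-roll block that the new three-line comment describes sits after the `exit` shown as context at the top of the hunk, so if that `exit` is unconditional, `R4=`expr $R3 + 10`` and `$SETTIME -D $R4T $KEYDIR/$ZSK2` are never executed and the warning about duplicate signatures documents dead code. The comment should say so explicitly, e.g. `# NOTE: not reached - the script exits above; kept as a record of the timing that produced duplicate signatures`, or the block should be removed so that the commit's timing claims only cover code that runs. The lines preceding `exit` are outside the hunk, so whether it is guarded cannot be confirmed from here.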
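Review bot: The `${et} -ne 0` clause in the new `if [ ${et} -ne 0 -a ${lines} -ne 1008 ]` is now dead: the first hunk in this file initialises `now` to `start + 10`, so `et` is never 0 and every sample, including the first one taken right after the fixed `sleep 10`, is checked against 1008. Either simplify it to `if [ ${lines} -ne 1008 ]`, or, more robustly, replace the fixed sleep in the first hunk with a short retry loop that waits until the initial signing has produced the expected RRSIG count, since a fixed 10-second wait is a timing assumption that can fail on a slow CI runner and would then be reported as a dupsigs failure. As a point of style, `-a` inside `[ ]` is marked obsolescent by POSIX, and the simplified single-condition test sidesteps it.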