Add additional wait period for algorithm rollover
We may be checking the algorithm steps too fast: the reconfig command may still be in progress. Make sure the zones are signed and loaded by digging the NSEC records for these zones.
This commit is contained in:
parent
53bd81ad19
commit
d16520532f
3 changed files with 38 additions and 6 deletions
@ -22,4 +22,4 @@ rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
|
|||
rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
|
||||
rm -f ns*/managed-keys.bind
|
||||
rm -f ns*/*.mkeys
|
||||
rm -f ns*/zones ns*/*.db.infile
|
||||
rm -f ns*/zones* ns*/*.db.infile
|
||||
@ -19,6 +19,7 @@ setup() {
|
|||
echo_i "setting up zone: $zone"
|
||||
zonefile="${zone}.db"
|
||||
infile="${zone}.db.infile"
|
||||
echo "$zone" >> zones.2
|
||||
}
|
||||
|
||||
private_type_record() {
|
||||
|
|
@ -46,7 +47,6 @@ U="UNRETENTIVE"
|
|||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.algorithm-roll.kasp
|
||||
echo "$zone" >> zones
|
||||
KSK=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
|
||||
ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2)
|
||||
TactN="now"
|
||||
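Review bot: The new line `echo "$zone" >> zones.2` in setup() gives no hint of what consumes the file or how it differs from the existing `zones` list, so a trailing comment along the lines of `# zone list polled by tests.sh after the reconfig` would save the next reader a search. Because it appends, the list is only accurate when the clean step has run first; the `ns*/zones*` glob added in this commit's clean-up hunk appears to be what covers that. In the Step 1 hunk the line `echo "$zone" >> zones` looks like the one being dropped; if `zones` is still read elsewhere it is worth confirming that setup() now writes it, since that part of setup() is outside the hunk.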
@ -465,6 +465,9 @@ dnssec_verify()
|
|||
status=$((status+ret))
|
||||
}
|
||||
|
||||
# Default next key event threshold. May be extended by wait periods.
|
||||
next_key_event_threshold=100
|
||||
|
||||
###############################################################################
|
||||
# Tests #
|
||||
###############################################################################
|
||||
|
|
@ -611,7 +614,6 @@ check_key "KEY1" "$id"
|
|||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
|
||||
#
|
||||
# named
|
||||
#
|
||||
|
|
@ -649,6 +651,8 @@ done
|
|||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
next_key_event_threshold=$((next_key_event_threshold+i))
|
||||
|
||||
#
|
||||
# Zone: default.kasp.
|
||||
#
|
||||
|
|
@ -1632,10 +1636,10 @@ check_next_key_event() {
|
|||
# Get the latest next key event.
|
||||
_time=$(awk '{print $10}' < "keyevent.out.$ZONE.test$n" | tail -1)
|
||||
|
||||
# The next key event time must within 60 seconds of the
|
||||
# The next key event time must within threshold of the
|
||||
# expected time.
|
||||
_expectmin=$((_expect-60))
|
||||
_expectmax=$((_expect+60))
|
||||
_expectmin=$((_expect-next_key_event_threshold))
|
||||
_expectmax=$((_expect+next_key_event_threshold))
|
||||
|
||||
test $_expectmin -le "$_time" || log_error "bad next key event time ${_time} for zone ${ZONE} (expect ${_expect})"
|
||||
test $_expectmax -ge "$_time" || log_error "bad next key event time ${_time} for zone ${ZONE} (expect ${_expect})"
|
||||
|
|
@ -2272,6 +2276,34 @@ echo_i "reconfig dnssec-policy to trigger algorithm rollover"
|
|||
copy_setports ns6/named2.conf.in ns6/named.conf
|
||||
rndc_reconfig ns6 10.53.0.6
|
||||
|
||||
# The NSEC record at the apex of the zone and its RRSIG records are
|
||||
# added as part of the last step in signing a zone. We wait for the
|
||||
# NSEC records to appear before proceeding with a counter to prevent
|
||||
# infinite loops if there is a error.
|
||||
#
|
||||
n=$((n+1))
|
||||
echo_i "waiting for reconfig signing changes to take effect ($n)"
|
||||
i=0
|
||||
while [ $i -lt 30 ]
|
||||
do
|
||||
ret=0
|
||||
while read -r zone
|
||||
do
|
||||
dig_with_opts "$zone" @10.53.0.6 nsec > "dig.out.ns6.test$n.$zone" || ret=1
|
||||
grep "NS SOA" "dig.out.ns6.test$n.$zone" > /dev/null || ret=1
|
||||
grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" > /dev/null || ret=1
|
||||
done < ns6/zones.2
|
||||
|
||||
i=$((i+1))
|
||||
if [ $ret = 0 ]; then break; fi
|
||||
echo_i "waiting ... ($i)"
|
||||
sleep 1
|
||||
done
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
next_key_event_threshold=$((next_key_event_threshold+i))
|
||||
|
||||
#
|
||||
# Testing KSK/ZSK algorithm rollover.
|
||||
#
|
||||
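Review bot: In the new wait loop the check `grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" > /dev/null || ret=1` accepts any RRSIG in the dig output, so it does not establish that the apex NSEC the preceding comment describes is actually signed, and a signature still present from before the reconfig would satisfy it on the first pass. Anchoring the covered type, `grep "$zone\..*IN.*RRSIG.*NSEC" "dig.out.ns6.test$n.$zone" > /dev/null || ret=1`, ties the check to the NSEC signature; if the intent is to wait for the rolled-over algorithm's signature, the pattern would also need the algorithm number, which this hunk does not show. Since `next_key_event_threshold` is widened by the waited seconds here and in the earlier `@ -649,6 +651,8 @@` hunk and never reset, every later check_next_key_event call inherits the looser bound; a short comment on the `next_key_event_threshold=$((next_key_event_threshold+i))` line saying this is intentional would help. Minor: `if there is a error` in the comment should read `an error`.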