diff --git a/bin/tests/system/multisigner/ns1/named.conf.j2 b/bin/tests/system/multisigner/ns1/named.conf.j2 new file mode 100644 index 0000000000..86cd34ca3a --- /dev/null +++ b/bin/tests/system/multisigner/ns1/named.conf.j2 @@ -0,0 +1,33 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS1 + +options { + query-source address 10.53.0.1; + notify-source 10.53.0.1; + transfer-source 10.53.0.1; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.1; }; + listen-on-v6 { none; }; + recursion no; + notify yes; +}; + +zone "." { + type primary; + file "root.db.signed"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/multisigner/ns1/root.db.in b/bin/tests/system/multisigner/ns1/root.db.in new file mode 100644 index 0000000000..395e28089e --- /dev/null +++ b/bin/tests/system/multisigner/ns1/root.db.in @@ -0,0 +1,27 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +. IN SOA gson.nominum.com. a.root.servers.nil. ( + 2000042100 ; serial + 600 ; refresh + 600 ; retry + 1200 ; expire + 600 ; minimum + ) +. NS a.root-servers.nil. +a.root-servers.nil. A 10.53.0.1 + +multisigner. NS ns2.multisigner. +ns2.multisigner. A 10.53.0.2 + +secondary. NS ns2.secondary. +ns2.secondary. A 10.53.0.2 diff --git a/bin/tests/system/multisigner/ns1/setup.sh b/bin/tests/system/multisigner/ns1/setup.sh new file mode 100644 index 0000000000..293f6ff192 --- /dev/null +++ b/bin/tests/system/multisigner/ns1/setup.sh @@ -0,0 +1,41 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../../conf.sh + +set -e + +zone=. +infile=root.db.in +zonefile=root.db + +echo_i "ns1/setup.sh" + +for tld in multisigner secondary; do + cp "../ns2/dsset-${tld}." . +done + +KSK=$($KEYGEN -q -fk -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone) +ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -b $DEFAULT_BITS $zone) + +cat $infile $KSK.key $ZSK.key >$zonefile + +$SIGNER -g -o $zone $zonefile >/dev/null 2>&1 + +# Configure the resolving server with a static key. +keyfile_to_static_ds "$KSK" >trusted.conf +cp trusted.conf ../ns2/trusted.conf +cp trusted.conf ../ns3/trusted.conf +cp trusted.conf ../ns4/trusted.conf +cp trusted.conf ../ns5/trusted.conf diff --git a/bin/tests/system/multisigner/ns2/multisigner.db.in.j2 b/bin/tests/system/multisigner/ns2/multisigner.db.in.j2 new file mode 100644 index 0000000000..db9c07981c --- /dev/null +++ b/bin/tests/system/multisigner/ns2/multisigner.db.in.j2 @@ -0,0 +1,34 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +$ORIGIN multisigner. + +multisigner. IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 +ns2 A 10.53.0.2 + +scanner A 10.53.0.2 + +model2 NS ns3 + NS ns4 + +ns3.model2 A 10.53.0.3 +ns4.model2 A 10.53.0.4 + +*._dsync DSYNC CDS NOTIFY @PORT@ scanner diff --git a/bin/tests/system/multisigner/ns2/named.conf.j2 b/bin/tests/system/multisigner/ns2/named.conf.j2 new file mode 100644 index 0000000000..951c840d49 --- /dev/null +++ b/bin/tests/system/multisigner/ns2/named.conf.j2 @@ -0,0 +1,53 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + allow-notify { 10.53.0.3; 10.53.0.4; }; + dnssec-validation no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "multisigner" { + type primary; + file "multisigner.db.signed"; +}; + +zone "secondary" { + type primary; + file "secondary.db.signed"; +}; + +zone "." { + type hint; + file "../../_common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/multisigner/ns2/secondary.db.in.j2 b/bin/tests/system/multisigner/ns2/secondary.db.in.j2 new file mode 100644 index 0000000000..d108187ff2 --- /dev/null +++ b/bin/tests/system/multisigner/ns2/secondary.db.in.j2 @@ -0,0 +1,36 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +$ORIGIN secondary. + +secondary. IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 +ns2 A 10.53.0.2 + +scanner A 10.53.0.2 + +model2 NS ns3 + NS ns4 + +ns3.model2 A 10.53.0.3 +ns4.model2 A 10.53.0.4 + +model2._dsync DSYNC CSYNC NOTIFY @PORT@ scanner ; ignored, unknown rrtype +model2._dsync DSYNC DSYNC NOTIFY @PORT@ scanner ; ignored, bad rrtype +model2._dsync DSYNC CDS NOTIFY @PORT@ scanner diff --git a/bin/tests/system/multisigner/ns2/setup.sh b/bin/tests/system/multisigner/ns2/setup.sh new file mode 100644 index 0000000000..025c5d3204 --- /dev/null +++ b/bin/tests/system/multisigner/ns2/setup.sh @@ -0,0 +1,38 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../../conf.sh + +echo_i "ns2/setup.sh" + +setup() { + zone="$1" + echo_i "setting up zone: $zone" + infile="${zone}.db.in" + zonefile="${zone}.db" + + cp ../ns3/dsset-ns3-model2.$zone. . + cp ../ns4/dsset-ns4-model2.$zone. . + + KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 -f KSK $zone) + ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zone) + $DSFROMKEY $KSK.key >dsset-ns2-${zone}. + + cat $infile $KSK.key $ZSK.key >$zonefile + $SIGNER -g -o $zone $zonefile + # >/dev/null 2>&1 +} + +setup "multisigner" +setup "secondary" diff --git a/bin/tests/system/multisigner/ns3/named.conf.j2 b/bin/tests/system/multisigner/ns3/named.conf.j2 index 7cf25bbc44..fc51c882f4 100644 --- a/bin/tests/system/multisigner/ns3/named.conf.j2 +++ b/bin/tests/system/multisigner/ns3/named.conf.j2 @@ -24,9 +24,9 @@ options { listen-on { 10.53.0.3; }; listen-on-v6 { none; }; allow-transfer { any; }; - recursion no; key-directory "."; - dnssec-validation no; + dnssec-validation yes; + notify-cds yes; }; key rndc_key { @@ -52,4 +52,12 @@ zone "model2.secondary." { file "model2.secondary.db"; dnssec-policy model2; inline-signing yes; + notify no; }; + +zone "." { + type hint; + file "../../_common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/multisigner/ns3/setup.sh b/bin/tests/system/multisigner/ns3/setup.sh index 80327a1300..2194f4e8d8 100644 --- a/bin/tests/system/multisigner/ns3/setup.sh +++ b/bin/tests/system/multisigner/ns3/setup.sh @@ -23,20 +23,20 @@ zsktimes="-P now -A now" zone="model2.multisigner" echo_i "setting up zone: $zone" zonefile="${zone}.db" - -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone 2>keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone) +ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone) $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1 +$DSFROMKEY $KSK.key >dsset-ns3-${zone}. zone="model2.secondary" echo_i "setting up zone: $zone" zonefile="${zone}.db" cp "../ns5/${zonefile}.in" "$zonefile" - -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone 2>keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone) +ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone) $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1 +$DSFROMKEY $KSK.key >dsset-ns3-${zone}. # ZSK will be added to the other provider with nsupdate. cat "${ZSK}.key" | grep -v ";.*" >"${zone}.zsk" diff --git a/bin/tests/system/multisigner/ns4/named.conf.j2 b/bin/tests/system/multisigner/ns4/named.conf.j2 index 3f36f76cd5..017dd6c50a 100644 --- a/bin/tests/system/multisigner/ns4/named.conf.j2 +++ b/bin/tests/system/multisigner/ns4/named.conf.j2 @@ -24,9 +24,9 @@ options { listen-on { 10.53.0.4; }; listen-on-v6 { none; }; allow-transfer { any; }; - recursion no; key-directory "."; - dnssec-validation no; + dnssec-validation yes; + notify-cds yes; }; key rndc_key { @@ -52,4 +52,12 @@ zone "model2.secondary." { file "model2.secondary.db"; dnssec-policy model2; inline-signing yes; + notify no; }; + +zone "." { + type hint; + file "../../_common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/multisigner/ns4/setup.sh b/bin/tests/system/multisigner/ns4/setup.sh index c58ddce495..d50d3bd26c 100644 --- a/bin/tests/system/multisigner/ns4/setup.sh +++ b/bin/tests/system/multisigner/ns4/setup.sh @@ -23,20 +23,20 @@ zsktimes="-P now -A now" zone="model2.multisigner" echo_i "setting up zone: $zone" zonefile="${zone}.db" - -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone 2>keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone) +ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone) $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1 +$DSFROMKEY $KSK.key >dsset-ns4-${zone}. zone="model2.secondary" echo_i "setting up zone: $zone" zonefile="${zone}.db" cp "../ns5/${zonefile}.in" "$zonefile" - -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone 2>keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +KSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -f KSK -L 3600 $ksktimes $zone) +ZSK=$($KEYGEN -q -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone) $SETTIME -s -g $O -k $O now -r $O now -d $O now "$KSK" >settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O now -z $O now "$ZSK" >settime.out.$zone.2 2>&1 +$DSFROMKEY $KSK.key >dsset-ns4-${zone}. # ZSK will be added to the other provider with nsupdate. cat "${ZSK}.key" | grep -v ";.*" >"${zone}.zsk" diff --git a/bin/tests/system/multisigner/ns5/named.conf.j2 b/bin/tests/system/multisigner/ns5/named.conf.j2 index eeae1309c5..f6cf15e991 100644 --- a/bin/tests/system/multisigner/ns5/named.conf.j2 +++ b/bin/tests/system/multisigner/ns5/named.conf.j2 @@ -24,7 +24,6 @@ options { listen-on { 10.53.0.5; }; listen-on-v6 { none; }; allow-transfer { any; }; - recursion no; key-directory "."; dnssec-validation no; notify-delay 0; @@ -44,3 +43,10 @@ zone "model2.secondary." { allow-update { any; }; file "model2.secondary.db"; }; + +zone "." { + type hint; + file "../../_common/root.hint"; +}; + +include "trusted.conf"; diff --git a/bin/tests/system/multisigner/setup.sh b/bin/tests/system/multisigner/setup.sh index af72460917..12d7073d26 100644 --- a/bin/tests/system/multisigner/setup.sh +++ b/bin/tests/system/multisigner/setup.sh @@ -16,6 +16,7 @@ set -e +# multi-signers ( cd ns3 $SHELL setup.sh @@ -28,3 +29,13 @@ set -e cd ns5 $SHELL setup.sh ) +# tld +( + cd ns2 + $SHELL setup.sh +) +# root +( + cd ns1 + $SHELL setup.sh +) diff --git a/bin/tests/system/multisigner/tests_multisigner.py b/bin/tests/system/multisigner/tests_multisigner.py index 6fdb177bd9..bc53c24975 100644 --- a/bin/tests/system/multisigner/tests_multisigner.py +++ b/bin/tests/system/multisigner/tests_multisigner.py @@ -33,16 +33,20 @@ pytestmark = pytest.mark.extra_artifacts( "secondary.cds.ns*", "unused.*", "verify.out.*", - "ns*/K*", - "ns*/db-*", - "ns*/keygen.out.*", + "ns*/*.db", + "ns*/*.db.in", "ns*/*.jbk", "ns*/*.jnl", - "ns*/*.zsk", - "ns*/*.signed", "ns*/*.journal.out.*", + "ns*/*.signed", + "ns*/*.zsk", + "ns*/db-*", + "ns*/dsset-*", + "ns*/K*", + "ns*/keygen.out.*", + "ns*/managed-keys.bind*", "ns*/settime.out.*", - "ns*/model2.secondary.db", + "ns*/trusted.conf", ] ) @@ -503,7 +507,7 @@ def check_remove_cds( check_dnssec(server, zone, keys, expected) -def test_multisigner(ns3, ns4): +def test_multisigner(ns2, ns3, ns4): zone = "model2.multisigner" keyprops = [ f"ksk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent", @@ -515,6 +519,23 @@ def test_multisigner(ns3, ns4): isctest.kasp.wait_keymgr_done(ns3, zone) isctest.kasp.wait_keymgr_done(ns4, zone) + with ns3.watch_log_from_start() as watcher: + watcher.wait_for_line( + f"zone {zone}/IN: dsyncfetch: send NOTIFY(CDS) query to scanner.multisigner" + ) + + with ns4.watch_log_from_start() as watcher: + watcher.wait_for_line( + f"zone {zone}/IN (signed): dsyncfetch: send NOTIFY(CDS) query to scanner.multisigner" + ) + + with ns2.watch_log_from_start() as watcher: + # Receiving NOTIFY(CDS) has not been implemented yet. Until + # then, notifies for child zones towards the parent result in + # not authoritative (unless child and parent are served by the + # same name server). + watcher.wait_for_line(f"received notify for zone '{zone}': NOTAUTH") + keys3 = isctest.kasp.keydir_to_keylist(zone, ns3.identifier) ksks3 = [k for k in keys3 if k.is_ksk()] zsks3 = [k for k in keys3 if not k.is_ksk()] @@ -574,7 +595,7 @@ def test_multisigner(ns3, ns4): check_no_dnssec_in_journal(ns4, zone) -def test_multisigner_secondary(ns3, ns4, ns5): +def test_multisigner_secondary(ns2, ns3, ns4, ns5): zone = "model2.secondary" keyprops = [ f"ksk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent", @@ -586,6 +607,24 @@ def test_multisigner_secondary(ns3, ns4, ns5): isctest.kasp.wait_keymgr_done(ns3, zone) isctest.kasp.wait_keymgr_done(ns4, zone) + for server in [ns3, ns4]: + with server.watch_log_from_start() as watcher: + watcher.wait_for_line( + f"zone {zone}/IN (signed): dsyncfetch: send NOTIFY(CDS) query to scanner.secondary" + ) + + msg = f"zone {zone}/IN (signed): dsyncfetch: DSYNC RRtype CSYNC not supported, ignoring" + assert msg in server.log + msg = f"zone {zone}/IN (signed): dsyncfetch: DSYNC RRtype DSYNC not supported, ignoring" + assert msg in server.log + + with ns2.watch_log_from_start() as watcher: + # Receiving NOTIFY(CDS) has not been implemented yet. Until + # then, notifies for child zones towards the parent result in + # not authoritative (unless child and parent are served by the + # same name server). + watcher.wait_for_line(f"received notify for zone '{zone}': NOTAUTH") + keys3 = isctest.kasp.keydir_to_keylist(zone, ns3.identifier) ksks3 = [k for k in keys3 if k.is_ksk()] zsks3 = [k for k in keys3 if not k.is_ksk()]