tests-extra: facility for calling server.key_gen() also for Bind

This commit is contained in:
Libor Peltan 2024-04-23 17:14:18 +02:00
parent 7fa5b5e99d
commit 84461f65b6
2 changed files with 57 additions and 13 deletions


@ -181,15 +181,17 @@ def tickf(when):
return "+%d" % (STARTUP + when * TICK)
# generate keys, including manual KSK rollover on the beginning
key_ksk1 = signer.key_gen(ZONE, ksk="true", created="+0", publish="+0", ready="+0", active="+0", retire=tickf(4), remove=tickf(5))
key_ksk2 = signer.key_gen(ZONE, ksk="true", created="+0", publish=tickf(3), ready=tickf(4), active=tickf(5), retire="+2h", remove="+3h")
key_zsk1 = knot.key_gen(ZONE, ksk="false", created="+0", publish="+0", active="+0")
key_ksk1 = signer.key_gen(ZONE, ksk="true", algorithm="ECDSAP384SHA384", created="+0", publish="+0", ready="+0", active="+0", retire=tickf(4), remove=tickf(5))
key_ksk2 = signer.key_gen(ZONE, ksk="true", algorithm="ECDSAP384SHA384", created="+0", publish=tickf(3), ready=tickf(4), active=tickf(5), retire="+2h", remove="+3h")
key_zsk1 = knot.key_gen(ZONE, ksk="false", algorithm="ECDSAP384SHA384", created="+0", publish="+0", active="+0")
Keymgr.run_check(knot.confile, ZONE, "list")
# pregenerate keys, exchange KSR, pre-sign it, exchange SKR
KSR = knot.keydir + "/ksr"
SKR = knot.keydir + "/skr"
SKR_BROKEN = SKR + "_broken"
Keymgr.run_check(knot.confile, ZONE, "pregenerate", "+20", "+" + str(FUTURE))
Keymgr.run_check(knot.confile, ZONE, "list")
_, out, _ = Keymgr.run_check(knot.confile, ZONE, "generate-ksr", "+0", "+" + str(FUTURE))
writef(KSR, out)
_, out, _ = Keymgr.run_check(signer.confile, ZONE, "sign-ksr", KSR)
@ -231,7 +233,7 @@ check_zone(knot, zone, 2, 1, 1, "ZSK rollover: done")
STARTUP = 1
signer.key_set(ZONE, key_ksk2, retire=tickf(3), remove=tickf(4))
key_ksk3 = signer.key_gen(ZONE, ksk="true", created="+0", publish=tickf(1), ready=tickf(2), active=tickf(3), retire="+4h", remove="+5h")
key_ksk3 = signer.key_gen(ZONE, ksk="true", algorithm="ECDSAP384SHA384", created="+0", publish=tickf(1), ready=tickf(2), active=tickf(3), retire="+4h", remove="+5h")
knot.dnssec(zone).zsk_lifetime = 8 * TICK
knot.gen_confile()
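Review bot: The algorithm name `"ECDSAP384SHA384"` is now spelled out as a literal on four separate `key_gen` calls (two signer KSKs, the knot ZSK, and `key_ksk3` in the second hunk), so a later edit can change one and silently leave the others on a different algorithm; hoist it once, `ALG = "ECDSAP384SHA384"`, and pass `algorithm=ALG` on each call. This matters here beyond tidiness because the signer-side KSKs and the knot-side ZSK presumably must share one algorithm for the KSR/SKR exchange to produce a zone that validates without dual signing — worth confirming against the test's expectations. The surrounding test script continues outside these hunks.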


@ -887,6 +887,28 @@ class Server(object):
return self.zones[zone.name].dnssec
def keymgr_timers(self, *args):
return tuple(self.default_keymgr_timer() if arg is None else str(arg) for arg in args)
def ksk_zsk_flag(self, fl, other, dflt):
if fl is not None:
return fl
elif other is None:
return dflt
elif str(other).lower()[0] in [ "t", "y", "1"]:
return False
else:
return True
def key_gen(self, zone_name, algorithm="ECDSAP256SHA256", ksk=None, zsk=None, created="+0", pre_active=None, publish="+0", ready=None, active="+0", retire=None, revoke=None, remove=None, size=None, nsec3=None, sep=None):
ksk = self.ksk_zsk_flag(ksk, zsk, False)
zsk = self.ksk_zsk_flag(zsk, ksk, True)
created, pre_active, publish, ready, active, retire, revoke, remove = self.keymgr_timers(created, pre_active, publish, ready, active, retire, revoke, remove)
return self.key_gen_check(zone_name, algorithm, ksk, zsk, created, pre_active, publish, ready, active, retire, revoke, remove, size, nsec3, sep)
def enable_nsec3(self, zone, **args):
zone = zone_arg_check(zone)
@ -1018,6 +1040,21 @@ class Bind(Server):
if value is not None:
conf.item(name, str(value))
def default_keymgr_timer(self):
return "none"
def key_gen_check(self, zone_name, algorithm, ksk, zsk, created, pre_active, publish, ready, active, retire, revoke, remove, size, nsec3, sep):
ps = [ 'dnssec-keygen', '-n', 'ZONE', '-a', algorithm, '-K', self.keydir ]
if nsec3:
ps += [ '-3' ]
if size is not None:
ps += [ '-b', str(size) ]
if ksk:
ps += [ '-f', 'KSK' ]
ps += [ '-P', publish, '-A', active, '-I', retire, '-R', revoke, '-D', remove ]
return check_output(ps + [zone_name], stderr=DEVNULL)
def get_config(self):
s = dnstest.config.BindConf()
s.begin("options")
@ -1191,11 +1228,8 @@ class Bind(Server):
continue
# unrelated: generate keys as Bind won't do
ps = [ 'dnssec-keygen', '-n', 'ZONE', '-a', 'ECDSA256', '-K', self.keydir ]
if z.dnssec.nsec3:
ps += ['-3']
k1 = check_output(ps + [z.name], stderr=DEVNULL)
k2 = check_output(ps + ["-f", "KSK"] + [z.name], stderr=DEVNULL)
k1 = self.key_gen(z.name, algorithm=z.dnssec.alg or "ECDSAP256SHA256", nsec3=z.dnssec.nsec3)
k2 = self.key_gen(z.name, algorithm=z.dnssec.alg or "ECDSAP256SHA256", ksk="True", nsec3=z.dnssec.nsec3)
k1 = self.keydir + '/' + k1.rstrip().decode('ascii')
k2 = self.keydir + '/' + k2.rstrip().decode('ascii')
@ -1254,10 +1288,18 @@ class Knot(Server):
else:
self.ctl("%szone-flush" % params, wait=wait)
def key_gen(self, zone_name, **new_params):
set_params = [ option + "=" + value for option, value in new_params.items() ]
res = dnstest.keys.Keymgr.run_check(self.confile, zone_name, "generate", *set_params)
errcode, stdo, stde = res
def default_keymgr_timer(self):
return "0"
def key_gen_check(self, zone_name, algorithm, ksk, zsk, created, pre_active, publish, ready, active, retire, revoke, remove, size, nsec3, sep):
set_params = [ "created="+created, "pre_active="+pre_active, "publish="+publish, "ready="+ready ]
set_params += [ "active="+active, "retire="+retire, "revoke="+revoke, "remove="+remove ]
set_params += [ "ksk="+str(ksk).lower(), "zsk="+str(zsk).lower(), "algorithm="+algorithm ]
if size is not None:
set_params += [ "size="+size ]
if sep:
set_params += [ "sep="+str(sep) ]
errcode, stdo, stde = dnstest.keys.Keymgr.run_check(self.confile, zone_name, "generate", *set_params)
return stdo.split()[-1]
def key_set(self, zone_name, key_id, **new_values):
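Review bot: `ksk_zsk_flag` returns an explicitly supplied flag unnormalized, so `Bind.key_gen(..., ksk="false")` — the same spelling the test file already uses for Knot — is truthy at `if ksk:` in `Bind.key_gen_check` and emits `-f KSK`, while the Knot path only works because `str(ksk).lower()` happens to round-trip the string; normalize the explicit value with the same rule as the derived one: `if fl is not None:` / `return str(fl).lower()[:1] in ["t", "y", "1"]`. The Knot `key_gen_check` also builds `"size="+size` without `str()` where the Bind path uses `str(size)`, so an int `size` raises TypeError on one backend only; use `"size="+str(size)`. The Bind `key_gen_check` keeps `stderr=DEVNULL`, so a failing `dnssec-keygen` (unknown algorithm name, unwritable `keydir`) surfaces only as a bare CalledProcessError with no reason, which is painful to debug in CI; consider capturing stderr and including it in the failure. Whether `dnssec-keygen` accepts the literal `none` that `default_keymgr_timer` yields for `-I`/`-R`/`-D` cannot be verified from here; if it does not, append only the timers that were actually set. The `Server`, `Bind` and `Knot` class headers lie outside these hunks.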