knot-dns/tests-extra/tests/modules/onlinesign/test.py
Libor Peltan 6b0afca6cb KASP db: use server->kaspdb also in onlinesign...
...otherwise the extra environment breaks up server->kaspdb once deinitialized.
This rarely caused MDB_BAD_RSLOT after onlinesign reload.
2020-04-17 16:47:21 +02:00


#!/usr/bin/env python3
'''Check online DNSSEC signing module (just basic checks).'''
import dns.rdatatype
from dnstest.test import Test
from dnstest.utils import *
from dnstest.module import ModOnlineSign
# Test harness instance; stress=False is handed to dnstest's Test as-is.
t = Test(stress=False)
# NOTE(review): presumably skips or aborts the test when the onlinesign module
# is not available in the build under test -- confirm in dnstest.module.
ModOnlineSign.check()
knot = t.server("knot")
# Four random zones, requested unsigned (dnssec=False) with records=5.
zones = t.zone_rnd(4, dnssec=False, records=5)
t.link(zones, knot, journal_content="none")
# zones[0]: online signing with the module's default settings; the later
# check_zone() call expects DNSKEY algorithm 13 for it.
knot.add_module(zones[0], ModOnlineSign())
# zones[1]: online signing with ECDSA P-384; the later check_zone() call
# expects DNSKEY algorithm 14 for it.
knot.add_module(zones[1], ModOnlineSign("ECDSAP384SHA384", key_size="384"))
# zones[2] and zones[3]: DNSSEC is switched on through the server's per-zone
# dnssec settings rather than the module, the latter with NSEC3. In the
# visible code these two zones are loaded and reloaded but never passed to
# check_zone().
knot.dnssec(zones[2]).enable = True
knot.dnssec(zones[3]).enable = True
knot.dnssec(zones[3]).nsec3 = True
def check_zone(zone, dnskey_rdata_start):
    """Run the basic online-signing checks against one zone served by ``knot``.

    Three kinds of query are sent with ``dnssec=True``: SOA (twice, one
    second apart), DNSKEY, and an A query for ``"nx." + zone.name``.

    Args:
        zone: Zone object; only ``zone.name`` is read here.
        dnskey_rdata_start: Text that must occur in the presentation form of
            the DNSKEY RRset (callers pass "<flags> <protocol> <algorithm>").

    Note:
        Only response codes, header flags, record counts and a text fragment
        of the DNSKEY are inspected. No signature is cryptographically
        validated here, so a passing run does not by itself show that the
        returned RRSIGs verify against the published key.
    """

    def signed_soa():
        # One SOA query; the reply must be an authoritative NOERROR answer
        # carrying exactly one RRSIG.
        reply = knot.dig(zone.name, "SOA", dnssec=True)
        reply.check(rcode="NOERROR", flags="QR AA")
        reply.check_count(1, "RRSIG")
        return reply

    # --- SOA: same data, fresh signature on every query ---
    first = signed_soa()
    t.sleep(1)  # Ensure different RRSIGs.
    second = signed_soa()

    for rrset in first.resp.answer:
        rdtype = rrset.rdtype
        if rdtype == dns.rdatatype.SOA:
            # The SOA data itself must not change between the two answers.
            seen_again = rrset in second.resp.answer
            if not seen_again:
                set_err("DIFFERENT SOA")
                check_log("ERROR: DIFFERENT SOA")
            continue
        if rdtype == dns.rdatatype.RRSIG:
            # An identical RRSIG in both answers would mean the signature
            # was not produced anew for the second query.
            seen_again = rrset in second.resp.answer
            if seen_again:
                set_err("UNCHANGED RRSIG")
                check_log("ERROR: UNCHANGED RRSIG")
            continue
        # Anything besides SOA and RRSIG in the answer section is an error.
        set_err("UNEXPECTED RRSET")
        check_log("ERROR: UNEXPECTED RRSET")
        detail_log("%s" % rrset)

    # --- DNSKEY: one key, one signature, expected rdata prefix ---
    key_reply = knot.dig(zone.name, "DNSKEY", dnssec=True)
    key_reply.check(rcode="NOERROR", flags="QR AA")
    key_reply.check_count(1, "DNSKEY")
    key_reply.check_count(1, "RRSIG")

    for rrset in key_reply.resp.answer:
        if rrset.rdtype == dns.rdatatype.DNSKEY:
            # Plain substring match on the RRset text, not a parse of the
            # flags/protocol/algorithm fields.
            isset(dnskey_rdata_start in rrset.to_text(), "DNSKEY ALGORITHM")

    # --- Denial of existence for a name below the zone apex ---
    # The expected reply is NOERROR with an empty answer section, and an
    # authority section holding one SOA, one NSEC and two RRSIGs.
    # NOTE(review): "nx." is presumably absent from the random zone, and the
    # NOERROR (rather than NXDOMAIN) presumably reflects how the module
    # synthesizes its NSEC -- confirm against the module documentation.
    denial = knot.dig("nx." + zone.name, "A", dnssec=True)
    denial.check(rcode="NOERROR", flags="QR AA")
    denial.check_count(0, section="answer")
    denial.check_count(1, "SOA", section="authority")
    denial.check_count(1, "NSEC", section="authority")
    denial.check_count(2, "RRSIG", section="authority")
# Start the test and wait for all zones; the value returned by zones_wait()
# is kept and handed to the second wait after the reload.
t.start()
serial = knot.zones_wait(zones)

# Only the two zones signed by the module are checked. The second argument is
# the expected start of the DNSKEY rdata, "<flags> <protocol> <algorithm>":
# flags 257, protocol 3, and algorithm 13 (ECDSAP256SHA256) or
# 14 (ECDSAP384SHA384).
for signed_zone, rdata_prefix in (
    (zones[0], "257 3 13"),
    (zones[1], "257 3 14"),
):
    check_zone(signed_zone, rdata_prefix)

# Rewrite every zone file with random content, reload the server once, and
# wait for the zones again relative to the earlier serials.
# NOTE(review): nothing queries the online-signed zones after the reload, so
# this step only shows that the reload and zone loading complete; re-running
# check_zone() here would also cover signing after a reload -- confirm with
# the maintainers whether that is wanted.
for zone in zones:
    knot.update_zonefile(zone, random=True)
knot.reload()
knot.zones_wait(zones, serial)

t.end()