def test_zone_deletion(api_user_domain: DeSECAPIV1Client):
name = api_user_domain.domain
assert_eventually(lambda: query_replication(name, "", 'SOA') is not None,
timeout=20)
api_user_domain.domain_destroy(name)
assert_eventually(lambda: query_replication(name, "", 'SOA') is None,
timeout=20)
def test_signature_rotation(api_user_domain: DeSECAPIV1Client):
name = random_domainname()
api_user_domain.domain_create(name)
rrsig = return_eventually(
lambda: query_replication(name, "", 'RRSIG', covers='SOA'), timeout=20)
faketime_add(days=7)
assert_eventually(
lambda: rrsig != query_replication(name, "", 'RRSIG', covers='SOA'),
timeout=60)
def test_create_long_subname(api_user_domain: DeSECAPIV1Client):
subname = 'a' * 63
assert api_user_domain.rr_set_create(api_user_domain.domain,
"AAAA", ["::1"],
subname=subname).status_code == 201
assert NSLordClient.query(f"{subname}.{api_user_domain.domain}",
"AAAA") == {"::1"}
assert_eventually(lambda: query_replication(api_user_domain.domain,
subname, "AAAA") == {"::1"})
def test_add_remove_DNSKEY(api_user_domain: DeSECAPIV1Client):
domain_name = api_user_domain.domain
auto_dnskeys = api_user_domain.get_key_params(domain_name, 'DNSKEY')
# After adding another DNSKEY, we expect it to be part of the nameserver's response (along with the automatic ones)
value = '257 3 13 aCoEWYBBVsP9Fek2oC8yqU8ocKmnS1iD SFZNORnQuHKtJ9Wpyz+kNryquB78Pyk/ NTEoai5bxoipVQQXzHlzyg=='
assert api_user_domain.rr_set_create(domain_name,
'DNSKEY', [value],
subname='').status_code == 201
assert NSLordClient.query(domain_name, 'DNSKEY') == auto_dnskeys | {value}
assert_eventually(lambda: query_replication(domain_name, '', 'DNSKEY') ==
auto_dnskeys | {value})
# After deleting it, we expect that the automatically managed ones are still there
assert api_user_domain.rr_set_delete(domain_name, "DNSKEY",
subname='').status_code == 204
assert NSLordClient.query(domain_name, 'DNSKEY') == auto_dnskeys
assert_eventually(
lambda: query_replication(domain_name, '', 'DNSKEY') == auto_dnskeys)
def test_create_valid_non_canonical(api_user_domain: DeSECAPIV1Client,
rr_type: str, value: str):
domain_name = api_user_domain.domain
expected = set()
subname = 'a'
if rr_type in ('CDNSKEY', 'CDS', 'DNSKEY'):
expected |= api_user_domain.get_key_params(domain_name, rr_type)
subname = ''
if value is not None:
assert api_user_domain.rr_set_create(
domain_name, rr_type, [value], subname=subname).status_code == 201
expected.add(value)
rrset = NSLordClient.query(f'{subname}.{domain_name}'.strip('.'), rr_type)
assert len(rrset) == len(expected)
assert_eventually(lambda: len(
query_replication(domain_name, subname, rr_type)) == len(expected))
def test_signature_rotation_performance(api_user_domain: DeSECAPIV1Client):
root_domain = api_user_domain.domain
# test configuration
bulk_block_size = 500
domain_sizes = {
# number of delegations: number of zones
2000: 1,
1000: 2,
10: 10,
}
# create test domains
domain_names = {
num_delegations: [
random_domainname() + f'.num-ds-{num_delegations}.' + root_domain
for _ in range(num_zones)
]
for num_delegations, num_zones in domain_sizes.items()
}
for num_delegations, names in domain_names.items():
for name in names:
# create a domain with name `name` and `num_delegations` delegations
api_user_domain.domain_create(name)
for a in range(
0, num_delegations, bulk_block_size
): # run block-wise to avoid exceeding max request size
r = api_user_domain.rr_set_create_bulk(
name, [{
"subname": f'x{i}',
"type": "DS",
"ttl": 3600,
"records": some_ds_records
} for i in range(a, a + bulk_block_size)] +
[{
"subname": f'x{i}',
"type": "NS",
"ttl": 3600,
"records": ['ns1.test.', 'ns2.test.']
} for i in range(a, a + bulk_block_size)])
assert r.status_code == 200
# retrieve all SOA RRSIGs
soa_rrsig = {}
for names in domain_names.values():
for name in names:
soa_rrsig[name] = return_eventually(
lambda: query_replication(name, "", 'RRSIG', covers='SOA'),
timeout=20)
# rotate signatures
faketime_add(7)
# assert SOA RRSIG has been updated
for names in domain_names.values():
for name in names:
assert_eventually(
lambda: soa_rrsig[name] != query_replication(
name, "", 'RRSIG', covers='SOA'),
timeout=
600, # depending on number of domains in the database, this value requires increase
)