def test_zone_deletion(api_user_domain: DeSECAPIV1Client): name = api_user_domain.domain assert_eventually(lambda: query_replication(name, "", 'SOA') is not None, timeout=20) api_user_domain.domain_destroy(name) assert_eventually(lambda: query_replication(name, "", 'SOA') is None, timeout=20)
def test_create_long_subname(api_user_domain: DeSECAPIV1Client): subname = 'a' * 63 assert api_user_domain.rr_set_create(api_user_domain.domain, "AAAA", ["::1"], subname=subname).status_code == 201 assert NSLordClient.query(f"{subname}.{api_user_domain.domain}", "AAAA") == {"::1"} assert_eventually(lambda: query_replication(api_user_domain.domain, subname, "AAAA") == {"::1"})
def test_signature_rotation(api_user_domain: DeSECAPIV1Client): name = random_domainname() api_user_domain.domain_create(name) rrsig = return_eventually( lambda: query_replication(name, "", 'RRSIG', covers='SOA'), timeout=20) faketime_add(days=7) assert_eventually( lambda: rrsig != query_replication(name, "", 'RRSIG', covers='SOA'), timeout=60)
def test_create_valid_non_canonical(api_user_domain: DeSECAPIV1Client, rr_type: str, value: str): domain_name = api_user_domain.domain expected = set() subname = 'a' if rr_type in ('CDNSKEY', 'CDS', 'DNSKEY'): expected |= api_user_domain.get_key_params(domain_name, rr_type) subname = '' if value is not None: assert api_user_domain.rr_set_create( domain_name, rr_type, [value], subname=subname).status_code == 201 expected.add(value) rrset = NSLordClient.query(f'{subname}.{domain_name}'.strip('.'), rr_type) assert len(rrset) == len(expected) assert_eventually(lambda: len( query_replication(domain_name, subname, rr_type)) == len(expected))
def test_add_remove_DNSKEY(api_user_domain: DeSECAPIV1Client): domain_name = api_user_domain.domain auto_dnskeys = api_user_domain.get_key_params(domain_name, 'DNSKEY') # After adding another DNSKEY, we expect it to be part of the nameserver's response (along with the automatic ones) value = '257 3 13 aCoEWYBBVsP9Fek2oC8yqU8ocKmnS1iD SFZNORnQuHKtJ9Wpyz+kNryquB78Pyk/ NTEoai5bxoipVQQXzHlzyg==' assert api_user_domain.rr_set_create(domain_name, 'DNSKEY', [value], subname='').status_code == 201 assert NSLordClient.query(domain_name, 'DNSKEY') == auto_dnskeys | {value} assert_eventually(lambda: query_replication(domain_name, '', 'DNSKEY') == auto_dnskeys | {value}) # After deleting it, we expect that the automatically managed ones are still there assert api_user_domain.rr_set_delete(domain_name, "DNSKEY", subname='').status_code == 204 assert NSLordClient.query(domain_name, 'DNSKEY') == auto_dnskeys assert_eventually( lambda: query_replication(domain_name, '', 'DNSKEY') == auto_dnskeys)
def test_signature_rotation_performance(api_user_domain: DeSECAPIV1Client): root_domain = api_user_domain.domain # test configuration bulk_block_size = 500 domain_sizes = { # number of delegations: number of zones 2000: 1, 1000: 2, 10: 10, } # create test domains domain_names = { num_delegations: [ random_domainname() + f'.num-ds-{num_delegations}.' + root_domain for _ in range(num_zones) ] for num_delegations, num_zones in domain_sizes.items() } for num_delegations, names in domain_names.items(): for name in names: # create a domain with name `name` and `num_delegations` delegations api_user_domain.domain_create(name) for a in range( 0, num_delegations, bulk_block_size ): # run block-wise to avoid exceeding max request size r = api_user_domain.rr_set_create_bulk( name, [{ "subname": f'x{i}', "type": "DS", "ttl": 3600, "records": some_ds_records } for i in range(a, a + bulk_block_size)] + [{ "subname": f'x{i}', "type": "NS", "ttl": 3600, "records": ['ns1.test.', 'ns2.test.'] } for i in range(a, a + bulk_block_size)]) assert r.status_code == 200 # retrieve all SOA RRSIGs soa_rrsig = {} for names in domain_names.values(): for name in names: soa_rrsig[name] = return_eventually( lambda: query_replication(name, "", 'RRSIG', covers='SOA'), timeout=20) # rotate signatures faketime_add(7) # assert SOA RRSIG has been updated for names in domain_names.values(): for name in names: assert_eventually( lambda: soa_rrsig[name] != query_replication( name, "", 'RRSIG', covers='SOA'), timeout= 600, # depending on number of domains in the database, this value requires increase )