EXPIRE_SLEEP = 15
master = t.server("knot")
slave = t.server("knot")
slave.tcp_remote_io_timeout = "1000"
t.link(zone, master, slave)
t.start()
master.zone_wait(zone)
slave.zone_wait(zone)
# expire by shutting down the master
master.stop()
t.sleep(EXPIRE_SLEEP);
test_expire(zone, slave)
# bring back master (notifies slave)
master.start()
master.zone_wait(zone)
slave.zone_wait(zone)
# expire by breaking AXFR
break_xfrout(master)
master.update_zonefile(zone, version=1)
master.reload()
t.sleep(EXPIRE_SLEEP);
test_expire(zone, slave)
t.stop()
t.start()
# initial convenience check
master.zone_wait(zone)
slave.zone_wait(zone)
resp = slave.dig("added.example.", "A")
resp.check(rcode="NOERROR", rdata="1.2.3.4")
# check that slave ignored outdated master
master.update_zonefile(zone, version=1)
master.stop()
master.start()
t.sleep(2)
slave.ctl("zone-refresh") # the refresh should fail -> no blocking mode, no error
t.sleep(2)
resp = master.dig("added.example.", "A")
resp.check(rcode="NXDOMAIN")
resp = slave.dig("added.example.", "A")
resp.check(rcode="NOERROR", rdata="1.2.3.4")
# check that slave bootstrapped older zone
while not slave.log_search("zone expired"):
t.sleep(2)
t.sleep(3)
child.dnssec(child_zone).propagation_delay = 11
child.dnssec(child_zone).ksk_sbm_check = [parent]
child.dnssec(child_zone).ksk_sbm_check_interval = 2
child.dnssec(child_zone).ksk_shared = True
child.dnssec(child_zone).cds_publish = "always"
if DOUBLE_DS:
child.dnssec(child_zone).cds_publish = "double-ds"
# parameters
ZONE = "example.com."
t.start()
child.zone_wait(child_zone)
cds_submission()
t.sleep(5)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_alg_rollover(t, child, child_zone, 2, 1, "KZSK to CSK alg",
"ECDSAP256SHA256", True, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_ksk_rollover(t, child, child_zone, 1, 1, 2, "CSK rollover", True, 27,
cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_ksk_rollover(t, child, child_zone, 1, 2, 3, "CSK to KZSK", False, 0,
cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_ksk_rollover(t, child, child_zone, 2, 2, 3, "KSK rollover", False, 27,
master.zones["catalog1."].catalog = True
slave.zones["catalog1."].catalog = True
if random.choice([True, False]):
slave.dnssec(zone[1]).enable = True
else:
slave.add_module(zone[1], ModOnlineSign(algorithm="ECDSAP256SHA256", single_type_signing=False))
for zf in glob.glob(t.data_dir + "/*.zone"):
shutil.copy(zf, master.dir + "/master")
t.start()
# Basic: master a slave configure cataloged zone.
t.sleep(5)
resp = master.dig("cataloged1.", "SOA")
resp.check(rcode="NOERROR")
resp = slave.dig("cataloged1.", "DNSKEY", dnssec=True)
resp.check(rcode="NOERROR")
resp.check_count(2, "DNSKEY")
resp.check_count(1, "RRSIG")
resp = master.dig("not-cataloged1.", "SOA")
resp.check(rcode="REFUSED")
# Udating a cataloged zone
subprocess.run(["sed", "-i", "s/10001/10002/;$s/$/\\nxyz A 1.2.3.4/", master.dir + "/master/cataloged1.zone"])
master.ctl("zone-reload cataloged1.")
t.sleep(4)
resp = slave.dig("xyz.cataloged1.", "A", dnssec=True)
resp.check(rcode="NOERROR")
master.dnssec(zone).nsec3 = random.choice([True, False])
master.dnssec(zone).nsec3_iters = 2
master.dnssec(zone).nsec3_salt_len = random.choice([0, 1, 9, 64, 128, 255])
master.dnssec(zone).nsec3_opt_out = (random.random() < 0.5)
t.start()
master.zones_wait(zones)
slave.ctl("zone-refresh")
slave.zones_wait(zones)
# initial convenience check
t.xfr_diff(master, slave, zones)
# update master
master.flush()
t.sleep(2)
for zone in zones1:
master.random_ddns(zone)
up = master0.update(zone0)
up.add("dk.", "86400", "SOA", "a.nic.dk. mail.dk. 1666666666 600 300 1814400 7200")
up.delete("nextlevelinlife.dk.", "NS")
up.delete("nextlevelinlife.dk.", "DS")
up.add("nextlevelinlife.dk.", "86400", "NS", "test.com.")
up.send("NOERROR")
t.sleep(1)
master.ctl("zone-refresh")
t.sleep(4) # zones_wait fails if an empty update is generated
after_update = master.zones_wait(zones)
zone = t.zone_rnd(1, dnssec=False, records=100)
t.link(zone, master, slave)
master.dnssec(zone).enable = True
master.zonefile_sync = 0
slave.zonefile_sync = 0
t.start()
m_zfpath = master.zones[zone[0].name].zfile.path
s_zfpath = slave.zones[zone[0].name].zfile.path
master.zones_wait(zone)
slave.zones_wait(zone)
t.sleep(2)
# check zonefile flushed after load and sign
master.zone_verify(zone)
# check zonefile flushed after AXFR
slave.zone_verify(zone)
m_mtime1 = os.stat(m_zfpath).st_mtime
s_mtime1 = os.stat(s_zfpath).st_mtime
up = master.update(zone)
up.add("djojdw", 3600, "TXT", "this wont sure be there yet")
up.send("NOERROR")
t.sleep(4)
zone = t.zone_rnd(1, dnssec=False, records=10)
t.link(zone, master, slave, ixfr=True)
master.dnssec(zone).enable = True
master.zonefile_sync = 0
slave.zonefile_sync = 0
t.start()
m_zfpath = master.zones[zone[0].name].zfile.path
s_zfpath = slave.zones[zone[0].name].zfile.path
master.zones_wait(zone)
slave.zones_wait(zone)
t.sleep(2)
# check zonefile flushed after load and sign
master.zone_verify(zone)
# check zonefile flushed after AXFR
slave.zone_verify(zone)
# reload with re-sign (no additional serial increment)
master.ctl("zone-freeze")
master.zones[zone[0].name].zfile.update_soa()
m_mtime0 = os.stat(m_zfpath).st_mtime
t.sleep(1.5)
master.reload()
t.sleep(10)
master.ctl("zone-thaw")
child.zonefile_sync = 24 * 60 * 60
child.dnssec(child_zone).ksk_sbm_check = [parent]
child.add_module(
child_zone,
ModOnlineSign("ECDSAP384SHA384",
key_size="384",
prop_delay=11,
ksc=[parent],
ksci=2,
ksk_shared=True))
# parameters
ZONE = "example.com."
t.start()
child.zone_wait(child_zone)
cds_submission() # pass initially generated key to active state
t.sleep(4) # let the server accept the submission before forced reload
pregenerate_key(child, child_zone, "ECDSAP384SHA384")
watch_ksk_rollover(t, child, child_zone, 1, 1, 2, "CSK rollover", 22,
cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_alg_rollover(t, child, child_zone, 1, 1, "CSK to CSK alg",
"ECDSAP256SHA256", 256, cds_submission)
t.end()
child.dnssec(child_zone).dnskey_ttl = 2
child.dnssec(child_zone).zsk_lifetime = 99999
child.dnssec(
child_zone).ksk_lifetime = 300 # this can be possibly left also infinity
child.dnssec(child_zone).propagation_delay = 11
child.dnssec(child_zone).ksk_sbm_check = [parent]
child.dnssec(child_zone).ksk_sbm_check_interval = 2
child.dnssec(child_zone).ds_push = parent
child.dnssec(child_zone).ksk_shared = True
child.dnssec(child_zone).cds_publish = "always"
# parameters
ZONE = "example.com."
#t.start()
t.generate_conf()
parent.start()
t.sleep(2)
child.start()
child.zone_wait(child_zone)
t.sleep(5)
pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_ksk_rollover(t, child, child_zone, 2, 2, 3, "KSK rollover", 27)
resp = parent.dig("example.com.", "DS")
resp.check_count(1, rtype="DS")
t.end()
ZSK2,
publish="+8",
ready="+14",
active="+14",
retire="+31",
remove="+36")
knot.key_set(ZONE,
ZSK3,
publish="+24",
ready="+30",
active="+30",
retire="+1y",
remove="+2y")
t.start()
t.sleep(4)
check_zone4(knot, 2, 1, "initial keys")
t.sleep(15)
check_zone4(knot, 2, 1, "standard rollover")
t.sleep(13)
for x in range(1, 8):
check_zone4(knot, 2, 1, "conflicting rollover %i" % x)
t.sleep(2)
t.end()
for z in zones:
master.dnssec(z).enable = True
if master.valgrind:
master.ctl_params_append = ["-t", "240"]
t.start()
serials_init = master.zones_wait(zones)
for i in range(10):
try:
master.ctl("zone-backup +backupdir %s" % backup_dir)
except:
pass
t.sleep(i * 0.05)
t.sleep(10)
for z in zones:
master.ctl("zone-key-rollover %s zsk" % z.name)
master.zones_wait(zones, serials_init, equal=False, greater=True)
master.ctl("zone-restore +backupdir %s" % backup_dir, wait=True)
if master.valgrind:
t.sleep(45)
master.zones_wait(zones, serials_init, equal=True, greater=False)
master.ctl("zone-backup +backupdir %s" % backup_dir)
t.sleep(random.randint(0, 5))
shutil.copytree(os.path.join(t.data_dir, "keys"), knot.keydir) # parameters key_file = os.path.join(knot.keydir, "test.private") date_past = "19700101000001" date_future = "20400101000000" WAIT_SIGN = 0 # # Common cases # # key not published, not active key_settime(key_file, Publish=date_future, Activate=date_future) t.start() t.sleep(WAIT_SIGN) check_zone(knot, False, False) # key published, not active key_settime(key_file, Publish=date_past) knot.reload() t.sleep(WAIT_SIGN) check_zone(knot, True, False) # key published, active key_settime(key_file, Activate=date_past) knot.reload() t.sleep(WAIT_SIGN) check_zone(knot, True, True) # key published, inactive
slave.update_zonefile(zone, version="slave")
zfpath = slave.zones[zone[0].name].zfile.path
mtime0 = os.stat(zfpath).st_mtime
t.start()
serial_master = master.zone_wait(zone)
serial_slave = slave.zone_wait(zone)
# Check that the slave's serial is larger than master's
assert serial_master <= serial_slave
# Retransfer zone with lower serial
slave.ctl("zone-retransfer example.com.", wait=True)
t.sleep(2) # allow zone file update
serial_slave = slave.zone_wait(zone)
compare(serial_slave, serial_master, "Serial after retransfer")
mtime1 = os.stat(zfpath).st_mtime
if mtime1 == mtime0:
set_err("Not flushed after retransfer")
# Retransfer zone with the same serial
master.update_zonefile(zone, version="master")
master.reload()
slave.ctl("zone-retransfer example.com.", wait=True)
t.sleep(2) # allow zone file update
old_nsec3_serial = master.zone_wait(nsec3_zone)
old_static_serial = master.zone_wait(static_zone)
# Enable autosigning.
master.dnssec(nsec_zone).enable = True
master.dnssec(nsec3_zone).enable = True
master.dnssec(static_zone).enable = True
master.dnssec(nsec_zone).manual = True
master.dnssec(nsec3_zone).manual = True
master.dnssec(static_zone).manual = True
master.key_import_bind(nsec_zone[0].name)
master.key_import_bind(nsec3_zone[0].name)
master.gen_confile()
master.reload()
t.sleep(10)
new_nsec_serial = master.zone_wait(nsec_zone)
new_nsec3_serial = master.zone_wait(nsec3_zone)
new_static_serial = master.zone_wait(static_zone)
# Check if the zones are re-signed.
if old_nsec_serial != new_nsec_serial:
if not only_nsec_changed(master, nsec_zone, old_nsec_serial):
set_err("NSEC zone got re-signed")
compare(old_nsec3_serial, new_nsec3_serial, "NSEC3 zone got re-signed")
compare(old_static_serial, new_static_serial, "static zone got re-signed")
t.stop()
master.semantic_check = False
master.zonefile_sync = "-1"
for zone in zones:
master.dnssec(zone).enable = True
t.start()
ser1 = master.zones_wait(zones, serials_zfile=True, greater=True, equal=False)
slave.zones_wait(zones, ser1, greater=False, equal=True)
for zone in zones:
slave.zone_backup(zone, flush=True)
master.flush()
t.sleep(3)
for zone in zones:
master.update_zonefile(zone, random=True)
master.ctl("zone-reload %s" % zone.name)
ser2 = master.zones_wait(zones, serials_zfile=True, greater=True, equal=False)
slave.zones_wait(zones, ser2, greater=False, equal=True)
master.stop()
t.sleep(3)
master.start()
master.zones_wait(zones, ser2, greater=False, equal=True)
t.xfr_diff(master, slave, zones) # AXFR diff
slave = t.server("bind")
zones = t.zone_rnd(5, records=50) + t.zone("wild.") + \
t.zone("cname-loop.") + t.zone("records.")
t.link(zones, master, slave, ixfr=True)
t.start()
# Wait for AXFR to slave server.
serials_init = master.zones_wait(zones)
slave.zones_wait(zones)
serials_prev = serials_init
for i in range(4):
# Update zone files on master.
for zone in zones:
master.update_zonefile(zone, random=True)
master.reload()
t.sleep(5)
# Wait for IXFR to slave.
serials = master.zones_wait(zones, serials_prev)
slave.zones_wait(zones, serials_prev)
serials_prev = serials
# Compare IXFR between servers.
t.xfr_diff(master, slave, zones, serials_init)
t.end()
master = t.server("knot")
zone = t.zone("example.com.")
t.link(zone, master)
master.dnssec(zone).enable = True
master.dnssec(zone).rrsig_lifetime = 20
master.dnssec(zone).rrsig_refresh = 2
master.dnssec(zone).rrsig_prerefresh = 4
t.start()
serial_init = master.zone_wait(zone)
master.ctl("zone-sign")
t.sleep(2)
up = master.update(zone)
up.add("record1.example.com.", 3600, "A", "1.2.3.4")
up.send("NOERROR")
serial_updates = master.zone_wait(zone)
serial_refresh = master.zone_wait(zone, serial_updates)
t.sleep(10)
serial_wait = master.zone_wait(zone)
if serial_wait != serial_refresh:
set_err("RRSIGs refreshed separately (%d != %d)" %
t.link(zone, master, slave)
t.start()
slave.stop()
try:
os.remove(zone_path)
except:
pass
slave.start()
slave.zone_wait(zone)
#check that the zone file has not been flushed
if os.path.exists(zone_path):
check_log("Zonefile created too soon: " + str(os.stat(zone_path).st_ctime))
set_err("SOON FLUSH")
t.sleep(FLUSH_SLEEP) #point of first flush ~ 5s
#check that the zone file has been flushed
if not os.path.exists(zone_path):
check_log("Zonefile not created")
set_err("NOT FLUSHED")
prev_mtime = os.stat(zone_path).st_mtime
master.update_zonefile(zone, random=True)
master.reload()
t.sleep(FLUSH_SLEEP) #point of second flush ~ 10s
last_mtime = os.stat(zone_path).st_mtime
#check that the zone file has been flushed after transfer
if prev_mtime == last_mtime:
#!/usr/bin/env python3
'''Test for unsiccessful creation of NSEC3 tree'''
from dnstest.test import Test
t = Test()
master = t.server("knot")
zone = t.zone_rnd(1, records=200)
t.link(zone, master)
master.journal_max_usage = 51200 # the creation of NSEC3 tree fails on ESPACE
t.start()
master.zone_wait(zone)
master.dnssec(zone).enable = True
master.dnssec(zone).nsec3 = True
master.gen_confile()
master.reload()
t.sleep(8) # unfixed knotd will crash upon update reversal
master.flush(wait=True)
t.end()
t.link(nsec3_zone, master)
t.start()
# Get zone serial.
old_nsec_serial = master.zone_wait(nsec_zone)
old_nsec3_serial = master.zone_wait(nsec3_zone)
# Enable autosigning.
master.dnssec_enable = True
master.use_keys(nsec_zone)
master.use_keys(nsec3_zone)
master.gen_confile()
master.reload()
t.sleep(4)
new_nsec_serial = master.zone_wait(nsec_zone)
new_nsec3_serial = master.zone_wait(nsec3_zone)
# Check if the zones are resigned.
if compare(old_nsec_serial, new_nsec_serial,
"%s SOA serial (NSEC)" % nsec_zone[0].name):
resp = master.dig(nsec_zone, "IXFR", serial=old_nsec_serial)
for rr in resp.resp:
detail_log(rr)
if compare(old_nsec3_serial, new_nsec3_serial,
"%s SOA serial (NSEC3)" % nsec3_zone[0].name):
resp = master.dig(nsec3_zone, "IXFR", serial=old_nsec3_serial)
for rr in resp.resp:
start_time = int(t.uptime())
for z in zones:
if master.dnssec(z).enable:
Keymgr.run_check(master.confile, z.name, "import-pub",
"%s/%skey" % (t.data_dir, z.name))
master.ctl("zone-sign " + z.name)
slave.zone_wait(z, serials_init[z.name])
master.ctl("zone-backup +backupdir %s" % backup_dir)
slave.ctl("zone-backup %s %s +journal +backupdir %s +nozonefile" % \
(zones[0].name, zones[1].name, slave_bck_dir))
(dnskey1_1, dnskey2_1) = get_dnskeys(master, zones)
t.sleep(4)
for z in zones:
up = master.update(z)
up.delete("added.%s" % z.name, "A")
up.send()
t.sleep(1)
slave.stop()
master.stop()
shutil.rmtree(master.keydir) # let Knot generate new set of keys
master.start()
master.zones_wait(zones)
(dnskey1_2, dnskey2_2) = get_dnskeys(master, zones)
slave = t.server("knot")
zone = t.zone("example.", storage=".")
t.link(zone, master, slave)
t.start()
master.zone_wait(zone)
slave.zone_wait(zone)
slave.ctl("zone-freeze")
master.update_zonefile(zone, version=1)
master.reload()
master.zone_wait(zone, serial=2, equal=True)
t.sleep(1)
# check that slave freezed transfer after obtained notify
resp = slave.dig("added.example.", "A")
resp.check(rcode="NXDOMAIN", nordata="1.2.3.4")
slave.ctl("zone-refresh")
# check that slave transferred when invoked from ctl
slave.zone_wait(zone, serial=2, equal=True)
resp = slave.dig("added.example.", "A")
resp.check(rcode="NOERROR", rdata="1.2.3.4")
# check that update is refused
up = slave.update(zone)
up.add("noddns", 3600, "A", "1.2.3.6")
EXPIRE_SLEEP = 15
master = t.server("knot")
slave = t.server("knot")
slave.tcp_reply_timeout = "1s"
t.link(zone, master, slave)
t.start()
master.zone_wait(zone)
slave.zone_wait(zone)
# expire by shutting down the master
master.stop()
t.sleep(EXPIRE_SLEEP)
test_expire(zone, slave)
# bring back master (notifies slave)
master.start()
master.zone_wait(zone)
slave.zone_wait(zone)
# expire by breaking AXFR
break_xfrout(master)
master.update_zonefile(zone, version=1)
master.reload()
t.sleep(EXPIRE_SLEEP)
test_expire(zone, slave)
t.stop()
t.start()
# initial convenience check
master.zone_wait(zone)
slave.zone_wait(zone)
resp = slave.dig("added.example.", "A")
resp.check(rcode="NOERROR", rdata="1.2.3.4")
# check that slave ignored outdated master
master.update_zonefile(zone, version=1)
master.stop()
master.start()
t.sleep(RESYNC_SLEEP - TEST_START_EXPECTED)
resp = master.dig("added.example.", "A")
resp.check(rcode="NXDOMAIN")
resp = slave.dig("added.example.", "A")
resp.check(rcode="NOERROR", rdata="1.2.3.4")
# check that slave bootstrapped older zone
t.sleep(EXPIRE_SLEEP - RESYNC_SLEEP)
resp = slave.dig("added.example.", "A")
resp.check(rcode="NXDOMAIN")
t.stop()
# set journal limit for one of the slaves
slaves[0].ixfr_fslimit = "500k"
for s in slaves:
t.link(zone, master, s, ddns=True, ixfr=True)
t.start()
for s in slaves + [master]:
s.zone_wait(zone)
# flood server with updates
last_rr = flood(master, zone)
# wait for update and ixfr processing
t.sleep(10)
# restart servers and dig for last change
for s in slaves + [master]:
s.stop()
s.start()
s.zone_wait(zone)
resp = s.dig(last_rr[0], "TXT")
resp.check(rdata = last_rr[3])
# check journal sizes
st = os.stat(master.dir + "/" + zone[0].name.lower() + "diff.db")
if st.st_size > 1050 * 1024:
detail_log("Journal too big, should be max 800k, is: " + str(st.st_size // 1024) + "k")
set_err("JOURNAL SIZE OVERFLOW")
# Enable autosigning. master.dnssec_enable = True master.gen_key(zone, ksk=True, alg="NSEC3RSASHA1") master.gen_key(zone, alg="NSEC3RSASHA1") master.gen_key(zone, ksk=True, alg="RSASHA256") master.gen_key(zone, alg="RSASHA256") master.gen_confile() master.start() # Wait for changed zone and flush. new_serial = master.zone_wait(zone, old_serial) slave.zone_wait(zone, old_serial) t.xfr_diff(master, slave, zone) master.flush() t.sleep(1) # Check absence of NSEC3PARAM record. resp = master.dig(zone, "NSEC3PARAM", dnssec=True) compare(resp.count(), 0, "NSEC3PARAM count") # Check presence of DNSKEYs. resp = master.dig(zone, "DNSKEY", dnssec=True) compare(resp.count(), 4, "DNSKEY count") # Check NSEC presence. master.check_nsec(zone) master.backup_zone(zone) # Verify signed zone file.
os.rmdir(slave2keydir)
shutil.copytree(slave1.keydir, slave2keydir)
# hide zonefile, in order to let servers start slowly
ZFILE=master.zones[zone[0].name].zfile.path
ZFILE_ = ZFILE + "_"
os.rename(ZFILE, ZFILE_)
t.start()
# now un-hide zonefile, invoke load and NOTIFY, and let both slaves sign in same second!
os.rename(ZFILE_, ZFILE)
master.ctl("zone-reload")
serial_orig = slave1.zone_wait(zone)
t.sleep(1)
t.xfr_diff(slave1, slave2, zone)
# now stop and start slave1 and check if it doesn't re-sign the zone
slave1.stop()
t.sleep(3)
slave1.start()
serial = slave1.zone_wait(zone)
if serial != serial_orig:
set_err("zone was re-signed")
t.end()
proto = random.choice([4, 6])
t = Test(stress=False, tsig=False, address=proto)
knot = t.server("knot")
zones = t.zone_rnd(2)
t.link(zones, knot)
knot.add_module(None, ModStats())
knot.add_module(zones[0], ModStats())
knot.add_module(zones[1], ModStats())
t.start()
t.sleep(4)
check_item(knot, "server", "zone-count", 2)
resp = knot.dig(zones[0].name, "SOA", tries=1, udp=True)
query_size1 = resp.query_size()
reply_size1 = resp.response_size()
resp = knot.dig(zones[0].name, "NS", tries=1, udp=False)
query_size2 = resp.query_size()
reply_size2 = resp.response_size()
resp = knot.dig(zones[1].name, "TYPE11", tries=1, udp=True)
query_size3 = resp.query_size()
reply_size3 = resp.response_size()
soa2 = slave.dig(zone[0].name, "SOA", dnssec=True, bufsize=4096)
soa2serial = str(soa2.resp.answer[0].to_rdataset()).split()[5]
detail_log("soa2serial " + soa2serial)
soa2rrsig_expire = str(soa2.resp.answer[1].to_rdataset()).split()[7]
detail_log("soa2rrsig_exp " + soa2rrsig_expire)
if soa2rrsig_expire == soa1rrsig_expire:
set_err("Zone not re-signed, test error")
if soa2serial == soa1serial:
set_err("Serial not incremented on AXFR")
up = master.update(zone)
up.add("hahahahahah", 3600, "A", "1.2.3.4")
up.send()
t.sleep(9)
msoa3 = master.dig(zone[0].name, "SOA", dnssec=False)
msoa3serial = str(msoa3.resp.answer[0].to_rdataset()).split()[5]
detail_log("msoa3serial " + msoa3serial)
soa4 = slave.dig(zone[0].name, "SOA", dnssec=True, bufsize=4096)
soa4serial = str(soa4.resp.answer[0].to_rdataset()).split()[5]
detail_log("soa4serial " + soa4serial)
if msoa3serial != soa2serial:
set_err("Serial incremented unexpectedly, test error")
if soa4serial == soa2serial:
set_err("Serial not incremented on IXFR")
knot.gen_key(zones[1], ksk=True, zsk=True, alg="ECDSAP384SHA384", key_len="384")
knot.gen_key(zones[1], ksk=True, zsk=True, alg="ECDSAP256SHA256", key_len="256")
# different algorithms: KSK+ZSK pair, one KSK
knot.gen_key(zones[2], ksk=True, alg="ECDSAP256SHA256", key_len="256")
knot.gen_key(zones[2], ksk=False, alg="ECDSAP256SHA256", key_len="256")
knot.gen_key(zones[2], ksk=True, zsk=True, alg="ECDSAP384SHA384", key_len="384")
# one ZSK
knot.gen_key(zones[3], ksk=False, alg="ECDSAP256SHA256", key_len="256").change_role(ksk=True, zsk=True)
for zone in zones[:-1]:
knot.dnssec(zone).enable = True
knot.dnssec(zone).single_type_signing = True
# enable automatic Single-Type signing scheme with NSEC3 on the last zone
knot.dnssec(zones[-1]).enable = True
knot.dnssec(zones[-1]).nsec3 = True
knot.dnssec(zones[-1]).single_type_signing = True
knot.gen_confile()
knot.reload()
t.sleep(7)
knot.flush(wait=True)
knot.stop()
for zone in zones:
knot.zone_verify(zone)
t.end()
# parameters
ZONE = "example.com"
KEYID = "712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2"
WAIT_SIGN = 2
#
# Common cases
#
check_log("Common cases")
# key not published, not active
key_set(knot, ZONE, KEYID, publish="+10y", active="+10y")
t.start()
t.sleep(WAIT_SIGN)
check_zone(knot, False, False, "not published, not active")
# key published, not active
key_set(knot, ZONE, KEYID, publish="-10y")
knot.reload()
t.sleep(WAIT_SIGN)
check_zone(knot, True, False, "published, not active")
# key published, active
key_set(knot, ZONE, KEYID, active="-10y")
knot.reload()
t.sleep(WAIT_SIGN)
check_zone(knot, True, True, "published, active")
# key published, inactive
zone = t.zone("example.com.")
t.link(zone, master, slave, journal_content="all")
slave.zonefile_sync = "-1"
t.start()
master.zone_wait(zone)
slave.zone_wait(zone)
# Check if bootstrapped and unflushed zone is accessible without master available.
master.stop()
slave.stop()
t.sleep(2)
slave.start()
slave.zone_wait(zone)
resp = slave.dig("mail.example.com.", "A")
resp.check(rcode="NOERROR", rdata="192.0.2.3")
resp = slave.dig("node.example.com.", "A")
resp.check(rcode="NXDOMAIN", nordata="1.2.3.4")
# Update the master zone and wait for updated slave.
master.start()
serial = master.zone_wait(zone)
up = master.update(zone)
from dnstest.test import Test
from dnstest.utils import *
t = Test()
master = t.server("bind")
slave = t.server("knot")
zone = t.zone("example.com.", storage=".")
t.link(zone, master, slave)
# Load newer zone to the slave
slave.update_zonefile(zone, version=1)
t.start()
serial_master = master.zone_wait(zone)
serial_slave = slave.zone_wait(zone)
# Check that the slave's serial is larger than master's
assert serial_master <= serial_slave
# Force refresh
slave.ctl("zone-retransfer example.com.")
t.sleep(2)
serial_slave = slave.zone_wait(zone)
compare(serial_slave, serial_master, "Serial after retransfer")
t.end()
t.link(zones, master)
master.dnssec(zones[0]).enable = True
master.dnssec(zones[0]).nsec3 = True
master.dnssec(zones[0]).nsec3_opt_out = True
master.dnssec(zones[0]).nsec3_iters = 1
t.start()
master.zones_wait(zones)
master.dnssec(zones[0]).nsec3_iters = 2
master.gen_confile()
master.reload()
t.sleep(8)
up = master.update(zones)
up.add("b.example.", 3600, "DS",
"57855 5 1 B6DCD485719ADCA18E5F3D48A2331627FDD3636B")
up.send()
t.sleep(4)
resp = master.dig("b.example.", "NS", dnssec=True)
resp.check_count(0, rtype="NSEC3", section="authority")
if random.random() < 0.5:
master.dnssec(zones[0]).nsec3_iters = 3
master.gen_confile()
master.reload()
t.sleep(6)
ksk="false",
created="-2",
publish="-2",
ready="+14y",
active="+14y",
retire="+31y",
remove="+36y")
# ZSK2 only reason: prevents Knot from publishing another ZSK
t.start()
child.zone_wait(child_zone)
check_zone(child, child_zone, 4, 1, 1, "only first KSK")
CDS1 = str(child.dig(ZONE, "CDS").resp.answer[0].to_rdataset())
t.sleep(3)
while CDS1 == str(child.dig(ZONE, "CDS").resp.answer[0].to_rdataset()):
t.sleep(1)
check_zone(child, child_zone, 4, 2, 1, "new KSK ready")
cds = child.dig(ZONE, "CDS")
cds_rdata = cds.resp.answer[0].to_rdataset()[0].to_text()
up = parent.update(parent_zone)
up.add(ZONE, 3600, "DS", cds_rdata)
up.send("NOERROR")
t.sleep(40)
check_zone(child, child_zone, 2, 1, 1, "old KSK retired")
# Enable autosigning. master.dnssec_enable = True master.gen_key(zone, ksk=True, alg="NSEC3RSASHA1") master.gen_key(zone, alg="NSEC3RSASHA1") master.gen_key(zone, ksk=True, alg="RSASHA256") master.gen_key(zone, alg="RSASHA256") master.gen_confile() master.start() # Wait for changed zone and flush. new_serial = master.zone_wait(zone, old_serial) slave.zone_wait(zone, old_serial) t.xfr_diff(master, slave, zone) master.flush() t.sleep(1) # Check absence of NSEC3PARAM record. resp = master.dig(zone, "NSEC3PARAM", dnssec=True) compare(resp.count(), 0, "NSEC3PARAM count") # Check presence of DNSKEYs. resp = master.dig(zone, "DNSKEY", dnssec=True) compare(resp.count(), 4, "DNSKEY count") # Check NSEC presence. master.check_nsec(zone) master.stop() master.backup_zone(zone)
# multiple KSKs
knot.gen_key(zones[2], ksk=True, alg="RSASHA512", key_len="1024")
knot.gen_key(zones[2], ksk=True, alg="RSASHA256", key_len="512")
# different algorithms: KSK+ZSK pair, one ZSK
knot.gen_key(zones[3], ksk=True, alg="RSASHA256", key_len="1024")
knot.gen_key(zones[3], ksk=False, alg="RSASHA256", key_len="1024")
knot.gen_key(zones[3], ksk=False, alg="RSASHA512", key_len="1024")
for zone in zones[:-1]:
knot.dnssec(zone).enable = True
knot.dnssec(zone).manual = True
# enable automatic Single-Type signing scheme with NSEC3 on the last zone
knot.dnssec(zones[-1]).enable = True
knot.dnssec(zones[-1]).nsec3 = True
knot.dnssec(zones[-1]).single_type_signing = True
knot.gen_confile()
knot.reload()
t.sleep(7)
knot.flush()
t.sleep(2)
knot.stop()
for zone in zones:
knot.zone_verify(zone)
t.end()
EXPIRE_SLEEP = 15
master = t.server("knot")
slave = t.server("knot")
slave.tcp_idle_timeout = "1s"
t.link(zone, master, slave)
t.start()
master.zone_wait(zone)
slave.zone_wait(zone)
# expire by shutting down the master
master.stop()
t.sleep(EXPIRE_SLEEP);
test_expire(zone, slave)
# bring back master (notifies slave)
master.start()
master.zone_wait(zone)
slave.zone_wait(zone)
# expire by breaking AXFR
break_xfrout(master)
master.update_zonefile(zone, version=1)
master.reload()
t.sleep(EXPIRE_SLEEP);
test_expire(zone, slave)
t.stop()
#!/usr/bin/env python3
'''Test for Knot clean-up after interruption of AXFR from Bind'''
from dnstest.test import Test
from dnstest.utils import *
t = Test()
master = t.server("bind")
slave = t.server("knot")
zones = t.zone_rnd(1, dnssec=False, records=50000)
t.link(zones, master, slave)
t.start()
t.sleep(2)
check_log("Killing master %s" % master.name)
master.proc.kill()
t.sleep(5)
t.end()
# parameters
key_file = os.path.join(knot.keydir, "test.private")
date_past = "19700101000001"
date_future = "20400101000000"
WAIT_SIGN = 2
#
# Common cases
#
check_log("Common cases")
# key not published, not active
key_settime(key_file, Publish=date_future, Activate=date_future)
t.start()
t.sleep(WAIT_SIGN)
check_zone(knot, False, False, "not published, not active")
# key published, not active
key_settime(key_file, Publish=date_past)
knot.reload()
t.sleep(WAIT_SIGN)
check_zone(knot, True, False, "published, not active")
# key published, active
key_settime(key_file, Activate=date_past)
knot.reload()
t.sleep(WAIT_SIGN)
check_zone(knot, True, True, "published, active")
# key published, inactive
t = Test()
master = t.server("bind")
slave = t.server("knot")
zones = t.zone_rnd(400, records=10, dnssec=False)
t.link(zones, master, slave, ixfr=True)
t.start()
# Wait for AXFR to slave server.
serials_init = master.zones_wait(zones)
slave.zones_wait(zones)
# Update zone files on master.
for zone in zones:
master.update_zonefile(zone, random=True)
master.reload()
t.sleep(30)
# Wait for IXFR to slave.
master.zones_wait(zones, serials_init)
slave.zones_wait(zones, serials_init)
# Compare IXFR between servers.
t.xfr_diff(master, slave, zones, serials_init)
t.end()
