Commit b18e9188 authored by Libor Peltan's avatar Libor Peltan Committed by Daniel Salzman

bugfix: changeset merge cancelout confused by changing RRSIG TTL

this caused sometimes duplicit SOA RRSIGs on slave
parent e8f956e2
...@@ -166,14 +166,16 @@ static void check_redundancy(zone_contents_t *counterpart, const knot_rrset_t *r ...@@ -166,14 +166,16 @@ static void check_redundancy(zone_contents_t *counterpart, const knot_rrset_t *r
knot_rdataset_t *rrs = node_rdataset(node, rr->type); knot_rdataset_t *rrs = node_rdataset(node, rr->type);
uint32_t rrs_ttl = node_rrset(node, rr->type).ttl; uint32_t rrs_ttl = node_rrset(node, rr->type).ttl;
if (fixed_rr != NULL && *fixed_rr != NULL && (*fixed_rr)->ttl == rrs_ttl) { if (fixed_rr != NULL && *fixed_rr != NULL &&
((*fixed_rr)->ttl == rrs_ttl || rr->type == KNOT_RRTYPE_RRSIG)) {
int ret = knot_rdataset_subtract(&(*fixed_rr)->rrs, rrs, NULL); int ret = knot_rdataset_subtract(&(*fixed_rr)->rrs, rrs, NULL);
if (ret != KNOT_EOK) { if (ret != KNOT_EOK) {
return; return;
} }
} }
if (rr->ttl == rrs_ttl) { // TTL of RRSIGs is better determined by original_ttl field, which is compared as part of rdata anyway
if (rr->ttl == rrs_ttl || rr->type == KNOT_RRTYPE_RRSIG) {
int ret = knot_rdataset_subtract(rrs, &rr->rrs, NULL); int ret = knot_rdataset_subtract(rrs, &rr->rrs, NULL);
if (ret != KNOT_EOK) { if (ret != KNOT_EOK) {
return; return;
......
...@@ -29,7 +29,7 @@ def pregenerate_key(server, zone, alg): ...@@ -29,7 +29,7 @@ def pregenerate_key(server, zone, alg):
addtopolicy=zone[0].name) addtopolicy=zone[0].name)
# check zone if keys are present and used for signing # check zone if keys are present and used for signing
def check_zone(server, zone, dnskeys, dnskey_rrsigs, cdnskeys, soa_rrsigs, msg): def check_zone(server, zone, slave, dnskeys, dnskey_rrsigs, cdnskeys, soa_rrsigs, msg):
qdnskeys = server.dig("example.com", "DNSKEY", bufsize=4096) qdnskeys = server.dig("example.com", "DNSKEY", bufsize=4096)
found_dnskeys = qdnskeys.count("DNSKEY") found_dnskeys = qdnskeys.count("DNSKEY")
...@@ -67,6 +67,8 @@ def check_zone(server, zone, dnskeys, dnskey_rrsigs, cdnskeys, soa_rrsigs, msg): ...@@ -67,6 +67,8 @@ def check_zone(server, zone, dnskeys, dnskey_rrsigs, cdnskeys, soa_rrsigs, msg):
# Valgrind delay breaks the timing! # Valgrind delay breaks the timing!
if not server.valgrind: if not server.valgrind:
t.xfr_diff(server, slave, zone)
server.zone_backup(zone, flush=True) server.zone_backup(zone, flush=True)
server.zone_verify(zone) server.zone_verify(zone)
...@@ -100,8 +102,8 @@ def wait_after_submission(t, server): ...@@ -100,8 +102,8 @@ def wait_after_submission(t, server):
else: else:
t.sleep(4) t.sleep(4)
def watch_alg_rollover(t, server, zone, before_keys, after_keys, desc, set_alg, set_stss, submission_cb): def watch_alg_rollover(t, server, zone, slave, before_keys, after_keys, desc, set_alg, set_stss, submission_cb):
check_zone(server, zone, before_keys, 1, 1, 1, desc + ": initial keys") check_zone(server, zone, slave, before_keys, 1, 1, 1, desc + ": initial keys")
server.dnssec(zone).single_type_signing = set_stss server.dnssec(zone).single_type_signing = set_stss
server.dnssec(zone).alg = set_alg server.dnssec(zone).alg = set_alg
...@@ -109,10 +111,10 @@ def watch_alg_rollover(t, server, zone, before_keys, after_keys, desc, set_alg, ...@@ -109,10 +111,10 @@ def watch_alg_rollover(t, server, zone, before_keys, after_keys, desc, set_alg,
server.reload() server.reload()
wait_for_rrsig_count(t, server, "SOA", 2, 20) wait_for_rrsig_count(t, server, "SOA", 2, 20)
check_zone(server, zone, before_keys, 1 if after_keys > 1 else 2, 1, 2, desc + ": pre active") check_zone(server, zone, slave, before_keys, 1 if after_keys > 1 else 2, 1, 2, desc + ": pre active")
wait_for_count(t, server, "DNSKEY", before_keys + after_keys, 20) wait_for_count(t, server, "DNSKEY", before_keys + after_keys, 20)
check_zone(server, zone, before_keys + after_keys, 2, 1, 2, desc + ": both algorithms active") check_zone(server, zone, slave, before_keys + after_keys, 2, 1, 2, desc + ": both algorithms active")
# wait for any change in CDS records # wait for any change in CDS records
CDS1 = str(server.dig(ZONE, "CDS").resp.answer[0].to_rdataset()) CDS1 = str(server.dig(ZONE, "CDS").resp.answer[0].to_rdataset())
...@@ -121,20 +123,20 @@ def watch_alg_rollover(t, server, zone, before_keys, after_keys, desc, set_alg, ...@@ -121,20 +123,20 @@ def watch_alg_rollover(t, server, zone, before_keys, after_keys, desc, set_alg,
t.sleep(1) t.sleep(1)
cdnskeys = 2 if DOUBLE_DS else 1 cdnskeys = 2 if DOUBLE_DS else 1
check_zone(server, zone, before_keys + after_keys, 2, cdnskeys, 2, desc + ": new KSK ready") check_zone(server, zone, slave, before_keys + after_keys, 2, cdnskeys, 2, desc + ": new KSK ready")
submission_cb() submission_cb()
wait_after_submission(t, server) wait_after_submission(t, server)
check_zone(server, zone, before_keys + after_keys, 2, 1, 2, desc + ": both still active") check_zone(server, zone, slave, before_keys + after_keys, 2, 1, 2, desc + ": both still active")
wait_for_count(t, server, "DNSKEY", after_keys, 20) wait_for_count(t, server, "DNSKEY", after_keys, 20)
check_zone(server, zone, after_keys, 1 if before_keys > 1 else 2, 1, 2, desc + ": post active") check_zone(server, zone, slave, after_keys, 1 if before_keys > 1 else 2, 1, 2, desc + ": post active")
wait_for_rrsig_count(t, server, "SOA", 1, 20) wait_for_rrsig_count(t, server, "SOA", 1, 20)
check_zone(server, zone, after_keys, 1, 1, 1, desc + ": old alg removed") check_zone(server, zone, slave, after_keys, 1, 1, 1, desc + ": old alg removed")
def watch_ksk_rollover(t, server, zone, before_keys, after_keys, total_keys, desc, set_stss, set_ksk_lifetime, submission_cb): def watch_ksk_rollover(t, server, zone, slave, before_keys, after_keys, total_keys, desc, set_stss, set_ksk_lifetime, submission_cb):
check_zone(server, zone, before_keys, 1, 1, 1, desc + ": initial keys") check_zone(server, zone, slave, before_keys, 1, 1, 1, desc + ": initial keys")
orig_ksk_lifetime = server.dnssec(zone).ksk_lifetime orig_ksk_lifetime = server.dnssec(zone).ksk_lifetime
server.dnssec(zone).single_type_signing = set_stss server.dnssec(zone).single_type_signing = set_stss
...@@ -145,11 +147,11 @@ def watch_ksk_rollover(t, server, zone, before_keys, after_keys, total_keys, des ...@@ -145,11 +147,11 @@ def watch_ksk_rollover(t, server, zone, before_keys, after_keys, total_keys, des
wait_for_count(t, server, "DNSKEY", total_keys, 20) wait_for_count(t, server, "DNSKEY", total_keys, 20)
t.sleep(3) t.sleep(3)
check_zone(server, zone, total_keys, 1, 1, 1, desc + ": published new") check_zone(server, zone, slave, total_keys, 1, 1, 1, desc + ": published new")
wait_for_rrsig_count(t, server, "DNSKEY", 2, 20) wait_for_rrsig_count(t, server, "DNSKEY", 2, 20)
cdnskeys = 2 if DOUBLE_DS else 1 cdnskeys = 2 if DOUBLE_DS else 1
check_zone(server, zone, total_keys, 2, cdnskeys, 1 if before_keys > 1 and after_keys > 1 else 2, desc + ": new KSK ready") check_zone(server, zone, slave, total_keys, 2, cdnskeys, 1 if before_keys > 1 and after_keys > 1 else 2, desc + ": new KSK ready")
server.dnssec(zone).ksk_lifetime = orig_ksk_lifetime server.dnssec(zone).ksk_lifetime = orig_ksk_lifetime
server.gen_confile() server.gen_confile()
...@@ -159,16 +161,16 @@ def watch_ksk_rollover(t, server, zone, before_keys, after_keys, total_keys, des ...@@ -159,16 +161,16 @@ def watch_ksk_rollover(t, server, zone, before_keys, after_keys, total_keys, des
submission_cb() submission_cb()
wait_after_submission(t, server) wait_after_submission(t, server)
if before_keys < 2 or after_keys > 1: if before_keys < 2 or after_keys > 1:
check_zone(server, zone, total_keys, 2, 1, 1 if before_keys > 1 else 2, desc + ": both still active") check_zone(server, zone, slave, total_keys, 2, 1, 1 if before_keys > 1 else 2, desc + ": both still active")
# else skip the test as we have no control on KSK and ZSK retiring asynchronously # else skip the test as we have no control on KSK and ZSK retiring asynchronously
wait_for_rrsig_count(t, server, "DNSKEY", 1, 20) wait_for_rrsig_count(t, server, "DNSKEY", 1, 20)
if before_keys < 2 or after_keys > 1: if before_keys < 2 or after_keys > 1:
check_zone(server, zone, total_keys, 1, 1, 1, desc + ": old key retired") check_zone(server, zone, slave, total_keys, 1, 1, 1, desc + ": old key retired")
# else skip the test as we have no control on KSK and ZSK retiring asynchronously # else skip the test as we have no control on KSK and ZSK retiring asynchronously
wait_for_count(t, server, "DNSKEY", after_keys, 20) wait_for_count(t, server, "DNSKEY", after_keys, 20)
check_zone(server, zone, after_keys, 1, 1, 1, desc + ": old key removed") check_zone(server, zone, slave, after_keys, 1, 1, 1, desc + ": old key removed")
t = Test() t = Test()
...@@ -179,8 +181,9 @@ t.link(parent_zone, parent) ...@@ -179,8 +181,9 @@ t.link(parent_zone, parent)
parent.dnssec(parent_zone).enable = True parent.dnssec(parent_zone).enable = True
child = t.server("knot") child = t.server("knot")
slave = t.server("knot")
child_zone = t.zone("example.com.", storage=".") child_zone = t.zone("example.com.", storage=".")
t.link(child_zone, child) t.link(child_zone, child, slave, ixfr=True)
def cds_submission(): def cds_submission():
cds = child.dig(ZONE, "CDS") cds = child.dig(ZONE, "CDS")
...@@ -221,27 +224,27 @@ cds_submission() ...@@ -221,27 +224,27 @@ cds_submission()
t.sleep(5) t.sleep(5)
pregenerate_key(child, child_zone, "ECDSAP256SHA256") pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_alg_rollover(t, child, child_zone, 2, 1, "KZSK to CSK alg", "ECDSAP256SHA256", True, cds_submission) watch_alg_rollover(t, child, child_zone, slave, 2, 1, "KZSK to CSK alg", "ECDSAP256SHA256", True, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256") pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_ksk_rollover(t, child, child_zone, 1, 1, 2, "CSK rollover", True, 27, cds_submission) watch_ksk_rollover(t, child, child_zone, slave, 1, 1, 2, "CSK rollover", True, 27, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256") pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_ksk_rollover(t, child, child_zone, 1, 2, 3, "CSK to KZSK", False, 0, cds_submission) watch_ksk_rollover(t, child, child_zone, slave, 1, 2, 3, "CSK to KZSK", False, 0, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256") pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_ksk_rollover(t, child, child_zone, 2, 2, 3, "KSK rollover", False, 27, cds_submission) watch_ksk_rollover(t, child, child_zone, slave, 2, 2, 3, "KSK rollover", False, 27, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256") pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_ksk_rollover(t, child, child_zone, 2, 1, 3, "KZSK to CSK", True, 0, cds_submission) watch_ksk_rollover(t, child, child_zone, slave, 2, 1, 3, "KZSK to CSK", True, 0, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP384SHA384") pregenerate_key(child, child_zone, "ECDSAP384SHA384")
watch_alg_rollover(t, child, child_zone, 1, 1, "CSK to CSK alg", "ECDSAP384SHA384", True, cds_submission) watch_alg_rollover(t, child, child_zone, slave, 1, 1, "CSK to CSK alg", "ECDSAP384SHA384", True, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP256SHA256") pregenerate_key(child, child_zone, "ECDSAP256SHA256")
watch_alg_rollover(t, child, child_zone, 1, 2, "CSK to KZSK alg", "ECDSAP256SHA256", False, cds_submission) watch_alg_rollover(t, child, child_zone, slave, 1, 2, "CSK to KZSK alg", "ECDSAP256SHA256", False, cds_submission)
pregenerate_key(child, child_zone, "ECDSAP384SHA384") pregenerate_key(child, child_zone, "ECDSAP384SHA384")
watch_alg_rollover(t, child, child_zone, 2, 2, "KZSK alg", "ECDSAP384SHA384", False, cds_submission) watch_alg_rollover(t, child, child_zone, slave, 2, 2, "KZSK alg", "ECDSAP384SHA384", False, cds_submission)
t.end() t.end()
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment