Attached patches improve DNSSEC CI tests.

From b6271dfde300835e21b815a809a32c46dd46f3dc Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Tue, 1 Sep 2015 12:07:13 +0200
Subject: [PATCH 1/2] DNSSEC: improve CI test

Test disabling and re-enabling zone signing.
---
 ipatests/test_integration/test_dnssec.py | 113 +++++++++++++++++++++++++++++--
 1 file changed, 109 insertions(+), 4 deletions(-)

diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py
index 74dc1be25476353e676f2601ace673212234df63..35b7652786b122ab6d2b5b137deefde9a8c647af 100644
--- a/ipatests/test_integration/test_dnssec.py
+++ b/ipatests/test_integration/test_dnssec.py
@@ -30,13 +30,17 @@ def resolve_with_dnssec(nameserver, query, log, rtype="SOA"):
     ans = res.query(query, rtype)
     return ans
 
+def get_RRSIG_record(nameserver, query, log, rtype="SOA"):
+    ans = resolve_with_dnssec(nameserver, query, log, rtype=rtype)
+    return ans.response.find_rrset(
+        ans.response.answer, dns.name.from_text(query),
+        dns.rdataclass.IN, dns.rdatatype.RRSIG,
+        dns.rdatatype.from_text(rtype))
+
 
 def is_record_signed(nameserver, query, log, rtype="SOA"):
     try:
-        ans = resolve_with_dnssec(nameserver, query, log, rtype=rtype)
-        ans.response.find_rrset(ans.response.answer, dns.name.from_text(query),
-                                dns.rdataclass.IN, dns.rdatatype.RRSIG,
-                                dns.rdatatype.from_text(rtype))
+        get_RRSIG_record(nameserver, query, log, rtype=rtype)
     except KeyError:
         return False
     except dns.exception.DNSException:
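Review bot: `get_RRSIG_record` relies on `find_rrset` raising `KeyError` when the answer section carries no RRSIG covering `rtype`, and `is_record_signed` turns exactly that into False; since the whole suite's notion of "signed" hangs on this contract it deserves a docstring, e.g. `"""Return the RRSIG RRset covering *rtype* for *query* from the answer section; raises KeyError when no such RRSIG is present."""`. Worth stating there as well that only the answer section is searched, so an RRSIG that arrives in the authority section (a negative answer, for instance) is reported as "unsigned". Two points of style: the name mixes cases where the rest of the file uses snake_case (`get_rrsig_record`), and only one blank line separates it from `resolve_with_dnssec` where the file otherwise uses two. `is_record_signed` ends outside this hunk, so its `DNSException` branch is not visible here.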
@@ -130,6 +134,103 @@ class TestInstallDNSSECLast(IntegrationTest):
             self.master.ip, test_zone_repl, self.log, timeout=5
         ), "DNS zone %s is not signed (master)" % test_zone
 
+    def test_disable_reenable_signing_master(self):
+
+        dnskey_old = resolve_with_dnssec(self.master.ip, test_zone,
+                                         self.log, rtype="DNSKEY").rrset
+
+        # disable DNSSEC signing of zone on master
+        args = [
+            "ipa",
+            "dnszone-mod", test_zone,
+            "--dnssec", "false",
+        ]
+        self.master.run_command(args)
+
+        time.sleep(20)  # sleep a bit until LDAP changes are applied to DNS
+
+        # test master
+        assert not is_record_signed(
+            self.master.ip, test_zone, self.log
+        ), "Zone %s is still signed (master)" % test_zone
+
+        # test replica
+        assert not is_record_signed(
+            self.replicas[0].ip, test_zone, self.log
+        ), "DNS zone %s is still signed (replica)" % test_zone
+
+        # reenable DNSSEC signing
+        args = [
+            "ipa",
+            "dnszone-mod", test_zone,
+            "--dnssec", "true",
+        ]
+        self.master.run_command(args)
+
+        time.sleep(20)  # sleep a bit until LDAP changes are applied to DNS
+
+        # test master
+        assert wait_until_record_is_signed(
+            self.master.ip, test_zone, self.log, timeout=100
+        ), "Zone %s is not signed (master)" % test_zone
+
+        # test replica
+        assert wait_until_record_is_signed(
+            self.replicas[0].ip, test_zone, self.log, timeout=200
+        ), "DNS zone %s is not signed (replica)" % test_zone
+
+        dnskey_new = resolve_with_dnssec(self.master.ip, test_zone,
+                                         self.log, rtype="DNSKEY").rrset
+        assert dnskey_old != dnskey_new, "RRSIG should be different"
+
+    def test_disable_reenable_signing_replica(self):
+
+        dnskey_old = resolve_with_dnssec(self.replicas[0].ip, test_zone_repl,
+                                         self.log, rtype="DNSKEY").rrset
+
+        # disable DNSSEC signing of zone on replica
+        args = [
+            "ipa",
+            "dnszone-mod", test_zone_repl,
+            "--dnssec", "false",
+        ]
+        self.master.run_command(args)
+
+        time.sleep(20)  # sleep a bit until LDAP changes are applied to DNS
+
+        # test master
+        assert not is_record_signed(
+            self.master.ip, test_zone_repl, self.log
+        ), "Zone %s is still signed (master)" % test_zone_repl
+
+        # test replica
+        assert not is_record_signed(
+            self.replicas[0].ip, test_zone_repl, self.log
+        ), "DNS zone %s is still signed (replica)" % test_zone_repl
+
+        # reenable DNSSEC signing
+        args = [
+            "ipa",
+            "dnszone-mod", test_zone_repl,
+            "--dnssec", "true",
+        ]
+        self.master.run_command(args)
+
+        time.sleep(20)  # sleep a bit until LDAP changes are applied to DNS
+
+        # test master
+        assert wait_until_record_is_signed(
+            self.master.ip, test_zone_repl, self.log, timeout=100
+        ), "Zone %s is not signed (master)" % test_zone_repl
+
+        # test replica
+        assert wait_until_record_is_signed(
+            self.replicas[0].ip, test_zone_repl, self.log, timeout=200
+        ), "DNS zone %s is not signed (replica)" % test_zone_repl
+
+        dnskey_new = resolve_with_dnssec(self.replicas[0].ip, test_zone_repl,
+                                         self.log, rtype="DNSKEY").rrset
+        assert dnskey_old != dnskey_new, "DNSKEY should be different"
 
 class TestInstallDNSSECFirst(IntegrationTest):
     """Simple DNSSEC test
@@ -205,6 +306,10 @@ class TestInstallDNSSECFirst(IntegrationTest):
         assert wait_until_record_is_signed(
             self.master.ip, example_test_zone, self.log, timeout=100
         ), "Zone %s is not signed (master)" % example_test_zone
+        # wait until zone is signed
+        assert wait_until_record_is_signed(
+            self.replicas[0].ip, example_test_zone, self.log, timeout=200
+        ), "Zone %s is not signed (replica)" % example_test_zone
 
         # GET DNSKEY records from zone
         ans = resolve_with_dnssec(self.master.ip, example_test_zone, self.log,
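Review bot: The "still signed" checks (`assert not is_record_signed(...)` after each `--dnssec false`) can pass vacuously: `is_record_signed` returns False on `KeyError`, and if its `dns.exception.DNSException` branch returns False as well (its body lies outside this patch), a timeout or SERVFAIL from a nameserver that is unreachable or has not yet applied the change after the fixed `time.sleep(20)` is indistinguishable from an unsigned zone. Disabling signing is the security-relevant transition this test exists for, so the negative check should require an actual answer without an RRSIG and poll for it the way `wait_until_record_is_signed` does; a helper such as the one below, placed next to `is_record_signed`, would turn these into `assert wait_until_record_is_unsigned(self.master.ip, test_zone, self.log, timeout=100), "Zone %s is still signed (master)" % test_zone`. Separately, the message on `assert dnskey_old != dnskey_new, "RRSIG should be different"` in the master test compares DNSKEY RRsets and should read `"DNSKEY should be different"`, as the replica variant already does. The two test methods are identical apart from the zone name and resolver addresses and could share one private helper taking those as parameters.
```python
def wait_until_record_is_unsigned(nameserver, query, log, rtype="SOA", timeout=100):
    """Poll until *query* is answered without an RRSIG covering *rtype*.

    Returns True only when a real answer without the RRSIG arrived before
    *timeout* seconds elapsed; a timeout or SERVFAIL is not counted as
    "unsigned".
    """
    deadline = time.time() + timeout
    while time.time() < deadline:
        try:
            get_RRSIG_record(nameserver, query, log, rtype=rtype)
        except KeyError:
            return True  # answered, and no RRSIG covers rtype
        except dns.exception.DNSException:
            pass  # no usable answer yet; keep polling
        time.sleep(1)
    return False
```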
-- 
2.4.3

From 00cfd710d56efdf7e25090076d9b49abcd5a13bd Mon Sep 17 00:00:00 2001
From: Martin Basti <mba...@redhat.com>
Date: Wed, 2 Sep 2015 17:46:44 +0200
Subject: [PATCH 2/2] DNSSEC CI: test master migration

---
 ipatests/test_integration/test_dnssec.py | 149 +++++++++++++++++++++++++++++++
 1 file changed, 149 insertions(+)

diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py
index 35b7652786b122ab6d2b5b137deefde9a8c647af..a06926cbbfbf4c5f84b1c3ad533ec10c5d720e19 100644
--- a/ipatests/test_integration/test_dnssec.py
+++ b/ipatests/test_integration/test_dnssec.py
@@ -15,6 +15,8 @@ test_zone = "dnssec.test."
 test_zone_repl = "dnssec-replica.test."
 root_zone = "."
 example_test_zone = "example.test."
+example2_test_zone = "example2.test."
+example3_test_zone = "example3.test."
 
 
 def resolve_with_dnssec(nameserver, query, log, rtype="SOA"):
@@ -389,3 +391,150 @@ class TestInstallDNSSECFirst(IntegrationTest):
         # test if signature chains are valid
         self.master.run_command(args)
         self.replicas[0].run_command(args)
+
+
+class TestMigrateDNSSECMaster(IntegrationTest):
+    """test DNSSEC master migration
+
+    Install a server and a replica with DNS, then reinstall server
+    as DNSSEC master
+    Test:
+     * migrate dnssec master to replica
+     * create new zone
+     * verify if zone is signed on all replicas
+     * add new replica
+     * add new zone
+     * test if new zone is signed on all replicas
+    """
+    num_replicas = 2
+    topology = 'star'
+
+    @classmethod
+    def install(cls, mh):
+        tasks.install_master(cls.master, setup_dns=True)
+        args = [
+            "ipa-dns-install",
+            "--dnssec-master",
+            "--forwarder", cls.master.config.dns_forwarder,
+            "-p", cls.master.config.dirman_password,
+            "-U",
+        ]
+        cls.master.run_command(args)
+        tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True)
+
+    def test_migrate_dnssec_master(self):
+        """Both master and replica have DNS installed"""
+        backup_filename = "/var/lib/ipa/ipa-kasp.db.backup"
+        replica_backup_filename = "/tmp/ipa-kasp.db.backup"
+
+        # add test zone
+        args = [
+            "ipa", "dnszone-add", example_test_zone, "--dnssec", "true"
+        ]
+
+        self.master.run_command(args)
+
+        # wait until zone is signed
+        assert wait_until_record_is_signed(
+            self.master.ip, example_test_zone, self.log, timeout=100
+        ), "Zone %s is not signed (master)" % example_test_zone
+        # wait until zone is signed
+        assert wait_until_record_is_signed(
+            self.replicas[0].ip, example_test_zone, self.log, timeout=200
+        ), "Zone %s is not signed (replica)" % example_test_zone
+
+        dnskey_old = resolve_with_dnssec(self.master.ip, example_test_zone,
+                                         self.log, rtype="DNSKEY").rrset
+
+        # migrate dnssec master to replica
+        args = [
+            "ipa-dns-install",
+            "--disable-dnssec-master",
+            "--forwarder", self.master.config.dns_forwarder,
+            "-p", self.master.config.dirman_password,
+            "--force",
+            "-U",
+        ]
+        self.master.run_command(args)
+
+        # move content of "ipa-kasp.db.backup" to replica
+        kasp_db_backup = self.master.get_file_contents(backup_filename)
+        self.replicas[0].put_file_contents(replica_backup_filename,
+                                           kasp_db_backup)
+
+        args = [
+            "ipa-dns-install",
+            "--dnssec-master",
+            "--kasp-db", replica_backup_filename,
+            "--forwarder", self.master.config.dns_forwarder,
+            "-p", self.master.config.dirman_password,
+            "-U",
+        ]
+        self.replicas[0].run_command(args)
+
+        # wait until zone is signed
+        assert wait_until_record_is_signed(
+            self.master.ip, example_test_zone, self.log, timeout=100
+        ), "Zone %s is not signed after migration (master)" % example_test_zone
+        # wait until zone is signed
+        assert wait_until_record_is_signed(
+            self.replicas[0].ip, example_test_zone, self.log, timeout=200
+        ), "Zone %s is not signed after migration (replica)" % example_test_zone
+
+        # test if dnskey are the same
+        dnskey_new = resolve_with_dnssec(self.master.ip, example_test_zone,
+                                         self.log, rtype="DNSKEY").rrset
+        assert dnskey_old == dnskey_new, "DNSKEY should be the same"
+
+        # add test zone
+        args = [
+            "ipa", "dnszone-add", example2_test_zone, "--dnssec", "true"
+        ]
+        self.replicas[0].run_command(args)
+
+        # wait until zone is signed
+        assert wait_until_record_is_signed(
+            self.replicas[0].ip, example2_test_zone, self.log, timeout=100
+        ), ("Zone %s is not signed after migration (replica - dnssec master)"
+            % example2_test_zone)
+        # wait until zone is signed
+        assert wait_until_record_is_signed(
+            self.master.ip, example2_test_zone, self.log, timeout=200
+        ), ("Zone %s is not signed after migration (master)"
+            % example2_test_zone)
+
+        # add new replica
+        tasks.install_replica(self.master, self.replicas[1], setup_dns=True)
+
+        # test if originial zones are signed on new replica
+        # wait until zone is signed
+        assert wait_until_record_is_signed(
+            self.replicas[1].ip, example_test_zone, self.log, timeout=200
+        ), ("Zone %s is not signed (new replica)"
+            % example_test_zone)
+        # wait until zone is signed
+        assert wait_until_record_is_signed(
+            self.replicas[1].ip, example2_test_zone, self.log, timeout=200
+        ), ("Zone %s is not signed (new replica)"
+            % example2_test_zone)
+
+        # add new zone to new replica
+        args = [
+            "ipa", "dnszone-add", example3_test_zone, "--dnssec", "true"
+        ]
+        self.replicas[1].run_command(args)
+
+        # wait until zone is signed
+        assert wait_until_record_is_signed(
+            self.replicas[1].ip, example3_test_zone, self.log, timeout=200
+        ), ("Zone %s is not signed (new replica)"
+            % example3_test_zone)
+        assert wait_until_record_is_signed(
+            self.replicas[0].ip, example3_test_zone, self.log, timeout=200
+        ), ("Zone %s is not signed (replica)"
+            % example3_test_zone)
+        # wait until zone is signed
+        assert wait_until_record_is_signed(
+            self.master.ip, example3_test_zone, self.log, timeout=200
+        ), ("Zone %s is not signed (master)"
+            % example3_test_zone)
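Review bot: After the migration (the `ipa-dns-install --dnssec-master --kasp-db` call on `self.replicas[0]`), the only evidence that the new DNSSEC master produces *valid* signatures is RRSIG presence plus an unchanged DNSKEY RRset; signatures produced before the migration presumably keep being served until they are refreshed, and presence alone does not show that they verify against the published DNSKEY. The chain-validation command the preceding class runs on both hosts (the `self.master.run_command(args)` / `self.replicas[0].run_command(args)` pair at the top of this hunk) should be run again here after the migration and once more at the end, covering `self.replicas[1]` as well. Two smaller points: `replica_backup_filename = "/tmp/ipa-kasp.db.backup"` drops the KASP database (the DNSSEC key-management state) at a fixed, predictable path in a shared directory and never removes it — a host-private location such as `/root`, removed at the end of the test, would be safer even in CI; and the class docstring says the server is reinstalled as DNSSEC master although `install()` already does that, so its first sentence should read `Install a server as DNSSEC master and a replica, both with DNS.`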
-- 
2.4.3
