Attached patches improve DNSSEC CI tests.
From b6271dfde300835e21b815a809a32c46dd46f3dc Mon Sep 17 00:00:00 2001 From: Martin Basti <mba...@redhat.com> Date: Tue, 1 Sep 2015 12:07:13 +0200 Subject: [PATCH 1/2] DNSSEC: improve CI test Test disabling and re-enabling zone signing. --- ipatests/test_integration/test_dnssec.py | 113 +++++++++++++++++++++++++++++-- 1 file changed, 109 insertions(+), 4 deletions(-) diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py index 74dc1be25476353e676f2601ace673212234df63..35b7652786b122ab6d2b5b137deefde9a8c647af 100644 --- a/ipatests/test_integration/test_dnssec.py +++ b/ipatests/test_integration/test_dnssec.py @@ -30,13 +30,17 @@ def resolve_with_dnssec(nameserver, query, log, rtype="SOA"): ans = res.query(query, rtype) return ans +def get_RRSIG_record(nameserver, query, log, rtype="SOA"): + ans = resolve_with_dnssec(nameserver, query, log, rtype=rtype) + return ans.response.find_rrset( + ans.response.answer, dns.name.from_text(query), + dns.rdataclass.IN, dns.rdatatype.RRSIG, + dns.rdatatype.from_text(rtype)) + def is_record_signed(nameserver, query, log, rtype="SOA"): try: - ans = resolve_with_dnssec(nameserver, query, log, rtype=rtype) - ans.response.find_rrset(ans.response.answer, dns.name.from_text(query), - dns.rdataclass.IN, dns.rdatatype.RRSIG, - dns.rdatatype.from_text(rtype)) + get_RRSIG_record(nameserver, query, log, rtype=rtype) except KeyError: return False except dns.exception.DNSException: @@ -130,6 +134,103 @@ class TestInstallDNSSECLast(IntegrationTest): self.master.ip, test_zone_repl, self.log, timeout=5 ), "DNS zone %s is not signed (master)" % test_zone + def test_disable_reenable_signing_master(self): + + dnskey_old = resolve_with_dnssec(self.master.ip, test_zone, + self.log, rtype="DNSKEY").rrset + + # disable DNSSEC signing of zone on master + args = [ + "ipa", + "dnszone-mod", test_zone, + "--dnssec", "false", + ] + self.master.run_command(args) + + time.sleep(20) # sleep a bit until LDAP changes are applied to DNS + + # test master + assert not is_record_signed( + self.master.ip, test_zone, self.log + ), "Zone %s is still signed (master)" % test_zone + + # test replica + assert not is_record_signed( + self.replicas[0].ip, test_zone, self.log + ), "DNS zone %s is still signed (replica)" % test_zone + + # reenable DNSSEC signing + args = [ + "ipa", + "dnszone-mod", test_zone, + "--dnssec", "true", + ] + self.master.run_command(args) + + time.sleep(20) # sleep a bit until LDAP changes are applied to DNS + + # test master + assert wait_until_record_is_signed( + self.master.ip, test_zone, self.log, timeout=100 + ), "Zone %s is not signed (master)" % test_zone + + # test replica + assert wait_until_record_is_signed( + self.replicas[0].ip, test_zone, self.log, timeout=200 + ), "DNS zone %s is not signed (replica)" % test_zone + + dnskey_new = resolve_with_dnssec(self.master.ip, test_zone, + self.log, rtype="DNSKEY").rrset + assert dnskey_old != dnskey_new, "RRSIG should be different" + + def test_disable_reenable_signing_replica(self): + + dnskey_old = resolve_with_dnssec(self.replicas[0].ip, test_zone_repl, + self.log, rtype="DNSKEY").rrset + + # disable DNSSEC signing of zone on replica + args = [ + "ipa", + "dnszone-mod", test_zone_repl, + "--dnssec", "false", + ] + self.master.run_command(args) + + time.sleep(20) # sleep a bit until LDAP changes are applied to DNS + + # test master + assert not is_record_signed( + self.master.ip, test_zone_repl, self.log + ), "Zone %s is still signed (master)" % test_zone_repl + + # test replica + assert not is_record_signed( + self.replicas[0].ip, test_zone_repl, self.log + ), "DNS zone %s is still signed (replica)" % test_zone_repl + + # reenable DNSSEC signing + args = [ + "ipa", + "dnszone-mod", test_zone_repl, + "--dnssec", "true", + ] + self.master.run_command(args) + + time.sleep(20) # sleep a bit until LDAP changes are applied to DNS + + # test master + assert wait_until_record_is_signed( + self.master.ip, test_zone_repl, self.log, timeout=100 + ), "Zone %s is not signed (master)" % test_zone_repl + + # test replica + assert wait_until_record_is_signed( + self.replicas[0].ip, test_zone_repl, self.log, timeout=200 + ), "DNS zone %s is not signed (replica)" % test_zone_repl + + dnskey_new = resolve_with_dnssec(self.replicas[0].ip, test_zone_repl, + self.log, rtype="DNSKEY").rrset + assert dnskey_old != dnskey_new, "DNSKEY should be different" class TestInstallDNSSECFirst(IntegrationTest): """Simple DNSSEC test @@ -205,6 +306,10 @@ class TestInstallDNSSECFirst(IntegrationTest): assert wait_until_record_is_signed( self.master.ip, example_test_zone, self.log, timeout=100 ), "Zone %s is not signed (master)" % example_test_zone + # wait until zone is signed + assert wait_until_record_is_signed( + self.replicas[0].ip, example_test_zone, self.log, timeout=200 + ), "Zone %s is not signed (replica)" % example_test_zone # GET DNSKEY records from zone ans = resolve_with_dnssec(self.master.ip, example_test_zone, self.log, -- 2.4.3
From 00cfd710d56efdf7e25090076d9b49abcd5a13bd Mon Sep 17 00:00:00 2001 From: Martin Basti <mba...@redhat.com> Date: Wed, 2 Sep 2015 17:46:44 +0200 Subject: [PATCH 2/2] DNSSEC CI: test master migration --- ipatests/test_integration/test_dnssec.py | 149 +++++++++++++++++++++++++++++++ 1 file changed, 149 insertions(+) diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py index 35b7652786b122ab6d2b5b137deefde9a8c647af..a06926cbbfbf4c5f84b1c3ad533ec10c5d720e19 100644 --- a/ipatests/test_integration/test_dnssec.py +++ b/ipatests/test_integration/test_dnssec.py @@ -15,6 +15,8 @@ test_zone = "dnssec.test." test_zone_repl = "dnssec-replica.test." root_zone = "." example_test_zone = "example.test." +example2_test_zone = "example2.test." +example3_test_zone = "example3.test." def resolve_with_dnssec(nameserver, query, log, rtype="SOA"): @@ -389,3 +391,150 @@ class TestInstallDNSSECFirst(IntegrationTest): # test if signature chains are valid self.master.run_command(args) self.replicas[0].run_command(args) + + +class TestMigrateDNSSECMaster(IntegrationTest): + """test DNSSEC master migration + + Install a server and a replica with DNS, then reinstall server + as DNSSEC master + Test: + * migrate dnssec master to replica + * create new zone + * verify if zone is signed on all replicas + * add new replica + * add new zone + * test if new zone is signed on all replicas + """ + num_replicas = 2 + topology = 'star' + + @classmethod + def install(cls, mh): + tasks.install_master(cls.master, setup_dns=True) + args = [ + "ipa-dns-install", + "--dnssec-master", + "--forwarder", cls.master.config.dns_forwarder, + "-p", cls.master.config.dirman_password, + "-U", + ] + cls.master.run_command(args) + tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True) + + def test_migrate_dnssec_master(self): + """Both master and replica have DNS installed""" + backup_filename = "/var/lib/ipa/ipa-kasp.db.backup" + replica_backup_filename = "/tmp/ipa-kasp.db.backup" + + # add test zone + args = [ + "ipa", "dnszone-add", example_test_zone, "--dnssec", "true" + ] + + self.master.run_command(args) + + # wait until zone is signed + assert wait_until_record_is_signed( + self.master.ip, example_test_zone, self.log, timeout=100 + ), "Zone %s is not signed (master)" % example_test_zone + # wait until zone is signed + assert wait_until_record_is_signed( + self.replicas[0].ip, example_test_zone, self.log, timeout=200 + ), "Zone %s is not signed (replica)" % example_test_zone + + dnskey_old = resolve_with_dnssec(self.master.ip, example_test_zone, + self.log, rtype="DNSKEY").rrset + + # migrate dnssec master to replica + args = [ + "ipa-dns-install", + "--disable-dnssec-master", + "--forwarder", self.master.config.dns_forwarder, + "-p", self.master.config.dirman_password, + "--force", + "-U", + ] + self.master.run_command(args) + + # move content of "ipa-kasp.db.backup" to replica + kasp_db_backup = self.master.get_file_contents(backup_filename) + self.replicas[0].put_file_contents(replica_backup_filename, + kasp_db_backup) + + args = [ + "ipa-dns-install", + "--dnssec-master", + "--kasp-db", replica_backup_filename, + "--forwarder", self.master.config.dns_forwarder, + "-p", self.master.config.dirman_password, + "-U", + ] + self.replicas[0].run_command(args) + + # wait until zone is signed + assert wait_until_record_is_signed( + self.master.ip, example_test_zone, self.log, timeout=100 + ), "Zone %s is not signed after migration (master)" % example_test_zone + # wait until zone is signed + assert wait_until_record_is_signed( + self.replicas[0].ip, example_test_zone, self.log, timeout=200 + ), "Zone %s is not signed after migration (replica)" % example_test_zone + + # test if dnskey are the same + dnskey_new = resolve_with_dnssec(self.master.ip, example_test_zone, + self.log, rtype="DNSKEY").rrset + assert dnskey_old == dnskey_new, "DNSKEY should be the same" + + # add test zone + args = [ + "ipa", "dnszone-add", example2_test_zone, "--dnssec", "true" + ] + self.replicas[0].run_command(args) + + # wait until zone is signed + assert wait_until_record_is_signed( + self.replicas[0].ip, example2_test_zone, self.log, timeout=100 + ), ("Zone %s is not signed after migration (replica - dnssec master)" + % example2_test_zone) + # wait until zone is signed + assert wait_until_record_is_signed( + self.master.ip, example2_test_zone, self.log, timeout=200 + ), ("Zone %s is not signed after migration (master)" + % example2_test_zone) + + # add new replica + tasks.install_replica(self.master, self.replicas[1], setup_dns=True) + + # test if originial zones are signed on new replica + # wait until zone is signed + assert wait_until_record_is_signed( + self.replicas[1].ip, example_test_zone, self.log, timeout=200 + ), ("Zone %s is not signed (new replica)" + % example_test_zone) + # wait until zone is signed + assert wait_until_record_is_signed( + self.replicas[1].ip, example2_test_zone, self.log, timeout=200 + ), ("Zone %s is not signed (new replica)" + % example2_test_zone) + + # add new zone to new replica + args = [ + "ipa", "dnszone-add", example3_test_zone, "--dnssec", "true" + ] + self.replicas[1].run_command(args) + + # wait until zone is signed + assert wait_until_record_is_signed( + self.replicas[1].ip, example3_test_zone, self.log, timeout=200 + ), ("Zone %s is not signed (new replica)" + % example3_test_zone) + assert wait_until_record_is_signed( + self.replicas[0].ip, example3_test_zone, self.log, timeout=200 + ), ("Zone %s is not signed (replica)" + % example3_test_zone) + # wait until zone is signed + assert wait_until_record_is_signed( + self.master.ip, example3_test_zone, self.log, timeout=200 + ), ("Zone %s is not signed (master)" + % example3_test_zone) -- 2.4.3
-- Manage your subscription for the Freeipa-devel mailing list: https://www.redhat.com/mailman/listinfo/freeipa-devel Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code