Hi guys,

Here is a test for the DNSSEC key rotation mechanism.
The full set of commands works perfectly when run manually (even when
copy-pasting them verbatim from the test). However, when run
automatically, the test always fails because `dig +rrcomments test.here DS`
does not display the zone's keytag. I tried decreasing the default key TTL
values, with no success. Could anyone take a look at this (after 4.4 is
released, of course)?


-- 
Oleg Fayans
Quality Engineer
FreeIPA team
RedHat.
From f7f3d8c256fc9de3f8f0d82056be5a6d10f6c9a7 Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Mon, 13 Jun 2016 08:47:34 +0200
Subject: [PATCH] Added dnssec-specific constants

---
 ipaplatform/base/constants.py | 2 ++
 ipaplatform/base/paths.py     | 1 +
 2 files changed, 3 insertions(+)

diff --git a/ipaplatform/base/constants.py b/ipaplatform/base/constants.py
index 3e1c4c6f761444bf1e8d527691aa53282e46f17e..0a632762af42cf294c85f268a873b8420c9f17b1 100644
--- a/ipaplatform/base/constants.py
+++ b/ipaplatform/base/constants.py
@@ -26,3 +26,5 @@ class BaseConstantsNamespace(object):
     # nfsd init variable used to enable kerberized NFS
     SECURE_NFS_VAR = "SECURE_NFS"
     SSSD_USER = "sssd"
+    DNSSEC_KSK_LIFETIME = 'P2Y'
+    DNSSEC_ZSK_LIFETIME = 'P90D'
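Review bot: The two new constants carry no comment, unlike SECURE_NFS_VAR two lines above, and nothing says what the ISO 8601 duration strings are compared against. A one-line comment such as `# KSK/ZSK key lifetimes (ISO 8601 durations) as shipped in the OpenDNSSEC KASP template` would tell a reader that these values mirror text in the template file rather than being consumed as configuration by the installer; whether anything else reads them is not visible from this diff. The enclosing class starts before the hunk.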
diff --git a/ipaplatform/base/paths.py b/ipaplatform/base/paths.py
index ca7eb6cf47b4442fa538a47c74846e13c25e02e8..b0e701c453f13aad3ec700a3613cd4f7ecb1c779 100644
--- a/ipaplatform/base/paths.py
+++ b/ipaplatform/base/paths.py
@@ -349,5 +349,6 @@ class BasePathNamespace(object):
     IPA_CUSTODIA_SOCKET = '/run/httpd/ipa-custodia.sock'
     IPA_CUSTODIA_AUDIT_LOG = '/var/log/ipa-custodia.audit.log'
     IPA_GETKEYTAB = '/usr/sbin/ipa-getkeytab'
+    DNSSEC_KASP_TEMPLATE = '/usr/share/ipa/opendnssec_kasp.template'
 
 path_namespace = BasePathNamespace
-- 
1.8.3.1

From 5e4700cf348727711cba7d6486ef4778513fc8ad Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Mon, 13 Jun 2016 08:52:45 +0200
Subject: [PATCH] Added a method updating dnssec defaults

For the DNSSEC key rotation test we need to severely decrease the default TTL
of the DNSSEC keys. This method should be executed on the master host before
IPA installation.
---
 ipatests/test_integration/tasks.py | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/ipatests/test_integration/tasks.py b/ipatests/test_integration/tasks.py
index dbb9950c7db6b902d89cd4cd3cfb676bde68508b..6537b2552c2bc354ed1403e286769f2c285095e9 100644
--- a/ipatests/test_integration/tasks.py
+++ b/ipatests/test_integration/tasks.py
@@ -34,6 +34,7 @@ from six import StringIO
 
 from ipapython import ipautil
 from ipaplatform.paths import paths
+from ipaplatform.constants import constants
 from ipapython.dn import DN
 from ipapython.ipa_log_manager import log_mgr
 from ipatests.test_integration import util
@@ -1206,3 +1207,9 @@ def replicas_cleanup(func):
                                             "host-del",
                                             host.hostname], raiseonerr=False)
     return wrapped
+
+
+def update_dnssec_defaults(host, ksk="PT1H", zsk="PT15M"):
+    backup_file(host, paths.DNSSEC_KASP_TEMPLATE)
+    host.run_command("sed -i 's/%s/%s/' %s" % (constants.DNSSEC_KSK_LIFETIME, ksk, paths.DNSSEC_KASP_TEMPLATE))
+    host.run_command("sed -i 's/%s/%s/' %s" % (constants.DNSSEC_ZSK_LIFETIME, zsk, paths.DNSSEC_KASP_TEMPLATE))
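Review bot: `sed -i 's/…/…/'` exits 0 whether or not the pattern matched, so if the shipped KASP template no longer contains the literal `P2Y`/`P90D` text the constants are matched against, update_dnssec_defaults silently leaves the long lifetimes in place and the rotation test then waits on the wrong values. Building the sed invocation as a shell string is also unlike the list-form run_command calls elsewhere in this file; passing a list avoids the quoting, and a follow-up `grep -q` for the substituted value turns the silent no-op into a failure (run_command appears to raise on non-zero exit by default, since replicas_cleanup above passes raiseonerr=False to opt out). The function also lacks a docstring; the commit message's requirement that it run on the master before IPA installation belongs there.
```python
def update_dnssec_defaults(host, ksk="PT1H", zsk="PT15M"):
    """Shorten the KSK/ZSK lifetimes in the OpenDNSSEC KASP template.

    Must run on the master before IPA (DNSSEC) installation so the rotation
    test does not have to wait for the shipped key lifetimes.
    """
    backup_file(host, paths.DNSSEC_KASP_TEMPLATE)
    for old, new in ((constants.DNSSEC_KSK_LIFETIME, ksk),
                     (constants.DNSSEC_ZSK_LIFETIME, zsk)):
        host.run_command(['sed', '-i', 's/%s/%s/' % (old, new),
                          paths.DNSSEC_KASP_TEMPLATE])
        # sed -i exits 0 even when nothing matched; fail loudly instead
        host.run_command(['grep', '-q', new, paths.DNSSEC_KASP_TEMPLATE])
```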
-- 
1.8.3.1

From 6e22ce72181153e4b50488193151f0776e36a59b Mon Sep 17 00:00:00 2001
From: Oleg Fayans <ofay...@redhat.com>
Date: Mon, 13 Jun 2016 09:48:58 +0200
Subject: [PATCH] Automated dnssec key rotation test

---
 ipatests/test_integration/test_dnssec.py | 64 ++++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py
index 554e96c638fcac03379ed17cbc4d9ac1311ab7ea..c1eea542f9ba9db98b4bf3287d73dc9c24513b0c 100644
--- a/ipatests/test_integration/test_dnssec.py
+++ b/ipatests/test_integration/test_dnssec.py
@@ -649,3 +649,67 @@ class TestMigrateDNSSECMaster(IntegrationTest):
             self.master.ip, example3_test_zone, self.log, timeout=200
         ), ("Zone %s is not signed (master)"
             % example3_test_zone)
+class TestDNSSECRotation(IntegrationTest):
+    num_replicas = 0
+    testzone = "myexample.test."
+    testzone_reduced = "myexample.test"
+
+    @classmethod
+    def install(cls, mh):
+        tasks.update_dnssec_defaults(cls.master)
+        tasks.install_master(cls.master, setup_dns=False)
+        args = [
+            "ipa-dns-install",
+            "--dnssec-master",
+            "--forwarder", cls.master.config.dns_forwarder,
+            "-U",
+        ]
+        cls.master.run_command(args)
+
+    def test_dnssec_rotation(self):
+        time.sleep(850)
+        self.master.run_command(['ipa', 'dnszone-add',
+                                 '--dnssec=true', self.testzone])
+        restart_named([self.master])
+        assert wait_until_record_is_signed(
+            self.master.ip, self.testzone, self.log, timeout=100
+        ), "Zone %s is not signed (master)" % test_zone
+
+        ods_output = self.master.run_command(
+            "export SOFTHSM2_CONF=%s ; %s key list --verbose" %
+            (paths.DNSSEC_SOFTHSM2_CONF,
+             paths.ODS_KSMUTIL))
+        text = ods_output.stdout_text
+        assert(text.count('ready') == 1), (
+            "Zone must have 1 ready key, found %i" % text.count('ready'))
+        ksk_keytag = ods_output.stdout_text.split('\n')[2].split(' ')[-1]
+
+        self.master.run_command("dig %s DNSKEY > dnskey.txt" % self.testzone)
+        result0 = self.master.run_command(['dnssec-dsfromkey', '-f',
+                                           'dnskey.txt', '-2', self.testzone])
+        assert(ksk_keytag in result0.stdout_text), (
+            "Failed to find zone's ksk keytag in the command output")
+
+        self.master.run_command(['ipa', 'dnszone-add', '--dnssec=true',
+                                 'test.'])
+        restart_named([self.master])
+        dsrec = " ".join(result0.stdout_text.split(' ')[3:]).strip()
+        self.master.run_command(
+            "ipa dnsrecord-add test. %s --ns-rec=%s. --ds-rec='%s'" % (
+                self.testzone, self.master.hostname, dsrec
+            )
+        )
+
+        result1 = self.master.run_command(['dig', '+rrcomments',
+                                           self.testzone, 'DS'])
+        assert(ksk_keytag in result1.stdout_text), (
+            "Failed to find zone's ksk keytag in the command output")
+        # activate rotation
+        result2 = self.master.run_command(
+            "export SOFTHSM2_CONF=%s ; %s key ds-seen --zone %s --keytag %s" %
+            (paths.DNSSEC_SOFTHSM2_CONF, paths.ODS_KSMUTIL,
+             self.testzone, ksk_keytag))
+        text2 = result2.stdout_text
+        assert(text2.count('ready') == 2), (
+            "Zone must have 2 keys in ready state, found %i" %
+            text2.count(self.testzone_reduced))
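Review bot: The assertion message after the first wait_until_record_is_signed call references `test_zone`, a name that does not exist in TestDNSSECRotation, so a failure there surfaces as a NameError instead of the intended message; it should read `), "Zone %s is not signed (master)" % self.testzone`. The final assertion has a similar mismatch: it checks `text2.count('ready')` but reports `text2.count(self.testzone_reduced)`, so the message should use `text2.count('ready')` as well (which also removes the only use of testzone_reduced). The `dig +rrcomments … DS` query is issued immediately after the `dnsrecord-add` of the DS record into the parent `test.` zone with no wait for that zone to be served or re-signed, whereas the first zone was polled with wait_until_record_is_signed; that is a plausible cause of the automated-run failure described in the cover mail, though it cannot be confirmed from the diff. `time.sleep(850)` and the `split('\n')[2].split(' ')[-1]` parsing of the ksmutil output also deserve a comment stating what the sleep waits for and which output line is expected.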
-- 
1.8.3.1
