From 377d75b98b3e62a6c224940420b61c6e8a7846a1 Mon Sep 17 00:00:00 2001 From: Oleg Fayans Date: May 11 2016 11:16:43 +0000 Subject: A workaround for ticket N 5348 A freshly created dnssec-enabled zone does not always display the signature until you restart named-pkcs11. Added restarting of this service after each dnssec-enabled zone. https://fedorahosted.org/freeipa/ticket/5348 Reviewed-By: Martin Basti --- diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py index e90fb1f..35cf863 100644 --- a/ipatests/test_integration/test_dnssec.py +++ b/ipatests/test_integration/test_dnssec.py @@ -6,6 +6,7 @@ import dns.dnssec import dns.resolver import dns.name import time +import pytest from ipatests.test_integration.base import IntegrationTest from ipatests.test_integration import tasks @@ -71,6 +72,14 @@ def wait_until_record_is_signed(nameserver, record, log, rtype="SOA", return False +def restart_named(*args): + # A workaround for ticket N 5348 + time.sleep(20) # wait till dnssec key is exported to named + for host in args: + host.run_command(["systemctl", "restart", + "named-pkcs11.service"]) + + class TestInstallDNSSECLast(IntegrationTest): """Simple DNSSEC test @@ -105,6 +114,7 @@ class TestInstallDNSSECLast(IntegrationTest): ] self.master.run_command(args) + restart_named(self.master, self.replicas[0]) # test master assert wait_until_record_is_signed( self.master.ip, test_zone, self.log, timeout=100 @@ -125,6 +135,7 @@ class TestInstallDNSSECLast(IntegrationTest): ] self.replicas[0].run_command(args) + restart_named(self.replicas[0]) # test replica assert wait_until_record_is_signed( self.replicas[0].ip, test_zone_repl, self.log, timeout=300 
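Review bot: `def restart_named(*args):` in the second hunk (@@ -71,6 +72,14) hides what the helper takes; every call site passes host objects, so `def restart_named(*hosts):` with a docstring, e.g. `"""Work around freeipa ticket 5348: wait for the DNSSEC key export, then restart named-pkcs11 on each given host."""`, would make the contract explicit, and the bare `20` would read better as a module-level constant or a keyword-only `delay=20` parameter. The fixed `time.sleep(20)` only approximates the condition the inline comment describes (key exported to named); if that export leaves an observable trace on the host, polling for it with a bounded timeout would make the helper less timing-dependent, though the page does not show what signal is available. `host.run_command` presumably raises on a non-zero exit, so a failed restart surfaces immediately rather than as a later signing timeout, which is the behaviour you want here and is worth a one-line comment. The later hunks of this file only call the helper positionally, so a parameter rename leaves them untouched.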
@@ -170,8 +181,7 @@ class TestInstallDNSSECLast(IntegrationTest): ] self.master.run_command(args) - time.sleep(20) # sleep a bit until LDAP changes are applied to DNS - + restart_named(self.master) # test master assert wait_until_record_is_signed( self.master.ip, test_zone, self.log, timeout=100 @@ -219,7 +229,7 @@ class TestInstallDNSSECLast(IntegrationTest): ] self.master.run_command(args) - time.sleep(20) # sleep a bit until LDAP changes are applied to DNS + restart_named(self.master, self.replicas[0]) # test master assert wait_until_record_is_signed( 
@@ -235,6 +245,78 @@ class TestInstallDNSSECLast(IntegrationTest): self.log, rtype="DNSKEY").rrset assert dnskey_old != dnskey_new, "DNSKEY should be different" + +class TestZoneSigningWithoutNamedRestart(IntegrationTest): + """Test whether https://fedorahosted.org/freeipa/ticket/5348 is already + fixed. If the issue is not fixed, the test will expectedly fail. When + fixed, it will pass, which will cause the whole run to become "red" + """ + num_replicas = 1 + topology = 'star' + + @classmethod + def install(cls, mh): + tasks.install_master(cls.master, setup_dns=False) + args = [ + "ipa-dns-install", + "--dnssec-master", + "--forwarder", cls.master.config.dns_forwarder, + "-U", + ] + cls.master.run_command(args) + + tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True) + + # backup trusted key + tasks.backup_file(cls.master, paths.DNSSEC_TRUSTED_KEY) + tasks.backup_file(cls.replicas[0], paths.DNSSEC_TRUSTED_KEY) + + @classmethod + def uninstall(cls, mh): + # restore trusted key + tasks.restore_files(cls.master) + tasks.restore_files(cls.replicas[0]) + + super(TestZoneSigningWithoutNamedRestart, cls).uninstall(mh) + + @pytest.mark.xfail(strict=True) + def test_sign_root_zone_no_named_restart(self): + args = [ + "ipa", "dnszone-add", root_zone, "--dnssec", "true", + "--skip-overlap-check", + ] + self.master.run_command(args) + + # make BIND happy: add the glue record and delegate zone + args = [ + "ipa", "dnsrecord-add", root_zone, self.master.hostname, + "--a-rec=" + self.master.ip + ] + self.master.run_command(args) + args = [ + "ipa", "dnsrecord-add", root_zone, self.replicas[0].hostname, + "--a-rec=" + self.replicas[0].ip + ] + self.master.run_command(args) + + time.sleep(10) # sleep a bit until data are provided by bind-dyndb-ldap + + args = [ + "ipa", "dnsrecord-add", root_zone, self.master.domain.name, + "--ns-rec=" + self.master.hostname + ] + self.master.run_command(args) + # test master + assert wait_until_record_is_signed( + self.master.ip, 
root_zone, self.log, timeout=100 + ), "Zone %s is not signed (master)" % root_zone + + # test replica + assert wait_until_record_is_signed( + self.replicas[0].ip, root_zone, self.log, timeout=300 + ), "Zone %s is not signed (replica)" % root_zone + + class TestInstallDNSSECFirst(IntegrationTest): """Simple DNSSEC test @@ -288,7 +370,7 @@ class TestInstallDNSSECFirst(IntegrationTest): "--ns-rec=" + self.master.hostname ] self.master.run_command(args) - + restart_named(self.master, self.replicas[0]) # test master assert wait_until_record_is_signed( self.master.ip, root_zone, self.log, timeout=100 @@ -319,7 +401,7 @@ class TestInstallDNSSECFirst(IntegrationTest): "--ns-rec=" + self.master.hostname ] self.master.run_command(args) - + restart_named(self.master, self.replicas[0]) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example_test_zone, self.log, timeout=100 @@ -457,6 +539,7 @@ class TestMigrateDNSSECMaster(IntegrationTest): self.master.run_command(args) + restart_named(self.master, self.replicas[0]) # wait until zone is signed assert wait_until_record_is_signed( self.master.ip, example_test_zone, self.log, timeout=100 @@ -513,7 +596,7 @@ class TestMigrateDNSSECMaster(IntegrationTest): "--skip-overlap-check", ] self.replicas[0].run_command(args) - + restart_named(self.master, self.replicas[0]) # wait until zone is signed assert wait_until_record_is_signed( self.replicas[0].ip, example2_test_zone, self.log, timeout=100 @@ -546,7 +629,7 @@ class TestMigrateDNSSECMaster(IntegrationTest): "--skip-overlap-check", ] self.replicas[1].run_command(args) - + restart_named(self.replicas[0], self.replicas[1]) # wait until zone is signed assert wait_until_record_is_signed( self.replicas[1].ip, example3_test_zone, self.log, timeout=200
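Review bot: `@pytest.mark.xfail(strict=True)` on `test_sign_root_zone_no_named_restart` (hunk @@ -235,6 +245,78) turns any pass into a failure of the run, yet the commit message says the unrestarted zone "does not always" lack its signature, so a run in which the race happens not to trigger will go red without the ticket being fixed. Dropping `strict=True` (optionally with `reason="freeipa ticket 5348"`) keeps the canary visible as an XPASS in the report without failing an otherwise good run; if the strict behaviour is intended, the class docstring should say that a single XPASS is the signal to remove `restart_named()` and is expected to be intermittent. Proposed first line for the class docstring: `Canary for https://fedorahosted.org/freeipa/ticket/5348: expected to fail while the bug exists; an XPASS means the restart_named() workaround can be retired.` The new class also relies on `paths` and `root_zone` being defined elsewhere in the file, which this hunk does not show; presumably they are, since `root_zone` is used by TestInstallDNSSECFirst in the same patch. The hunk's trailing `class TestInstallDNSSECFirst` lines are context only.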