[master] Revert "[master] tag initializing keys so they can't be used for normal validation"

This reverts commit 560d8b833e. This change created a potential race between key refresh queries and root zone priming queries which could leave the root name servers in the bad-server cache.
2017-10-12 10:53:35 -07:00
parent 5daa633313
commit 3abcd7cd8a
22 changed files with 122 additions and 367 deletions
--- a/bin/tests/system/mkeys/README
+++ b/bin/tests/system/mkeys/README
@@ -16,8 +16,16 @@ is used so it will send TAT queries once per second.

 ns3 is a validator with a broken key in managed-keys.

-ns4 is a validator with a deliberately broken managed-keys.bind and
-managed-keys.jnl, causing RFC 5011 initialization to fail.
+Tests TODO:

-ns5 is a validator which is prevented from getting a response from the
-root server, causing key refresh queries to fail.
+- initial working KSK
+
+TODO: test using delv with new trusted key too
+
+- introduce a REVOKE bit
+
+- later remove a signature
+
+- corrupt a signature
+
+TODO: also same things with dlv auto updates of trust anchor
--- a/bin/tests/system/mkeys/clean.sh
+++ b/bin/tests/system/mkeys/clean.sh
@@ -15,4 +15,3 @@ rm -f */named.memstats */named.run
 rm -f dig.out* delv.out* rndc.out* signer.out*
 rm -f ns1/named.secroots ns1/root.db.signed* ns1/root.db.tmp
 rm -f ns1/named.conf
-rm -rf ns4/nope
--- a/bin/tests/system/mkeys/ns1/named1.conf
+++ b/bin/tests/system/mkeys/ns1/named1.conf
@@ -10,11 +10,6 @@

 controls { /* empty */ };

-acl allowed {
-	! 10.53.0.5;
-	any;
-};
-
 options {
 	query-source address 10.53.0.1;
 	notify-source 10.53.0.1;
@@ -27,7 +22,6 @@ options {
 	notify no;
 	dnssec-enable yes;
 	dnssec-validation yes;
-	allow-query { allowed; };
 };

 key rndc_key {
--- a/bin/tests/system/mkeys/ns1/named2.conf
+++ b/bin/tests/system/mkeys/ns1/named2.conf
@@ -10,11 +10,6 @@

 controls { /* empty */ };

-acl allowed {
-	! 10.53.0.5;
-	any;
-};
-
 options {
 	query-source address 10.53.0.1;
 	notify-source 10.53.0.1;
@@ -27,7 +22,6 @@ options {
 	notify no;
 	dnssec-enable yes;
 	dnssec-validation yes;
-	allow-query { allowed; };
 };

 key rndc_key {
--- a/bin/tests/system/mkeys/ns1/sign.sh
+++ b/bin/tests/system/mkeys/ns1/sign.sh
@@ -28,8 +28,6 @@ managed-keys {
 EOF
 ' > managed.conf
 cp managed.conf ../ns2/managed.conf
-cp managed.conf ../ns4/managed.conf
-cp managed.conf ../ns5/managed.conf

 # Configure a trusted key statement (used by delve)
 cat $keyname.key | grep -v '^; ' | $PERL -n -e '
--- a/bin/tests/system/mkeys/ns2/named.args
+++ b/bin/tests/system/mkeys/ns2/named.args
@@ -1 +1 @@
-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/20/40 -T tat=1
+-m record,size,mctx -T clienttest -c named.conf -d 99 -X named.lock -g -T mkeytimers=2/20/40
--- a/bin/tests/system/mkeys/ns4/named.conf
+++ b/bin/tests/system/mkeys/ns4/named.conf
@@ -1,41 +0,0 @@
-/*
- * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-
-// NS4
-
-controls { /* empty */ };
-
-options {
-	query-source address 10.53.0.4;
-	notify-source 10.53.0.4;
-	transfer-source 10.53.0.4;
-	port 5300;
-	pid-file "named.pid";
-	listen-on { 10.53.0.4; };
-	listen-on-v6 { none; };
-	recursion yes;
-	notify no;
-	dnssec-enable yes;
-	dnssec-validation auto;
-	bindkeys-file "managed.conf";
-	managed-keys-directory "nope";
-};
-
-key rndc_key {
-	secret "1234abcd8765";
-	algorithm hmac-sha256;
-};
-
-controls {
-	inet 10.53.0.4 port 9953 allow { any; } keys { rndc_key; };
-};
-
-zone "." {
-	type hint;
-	file "../../common/root.hint";
-};
--- a/bin/tests/system/mkeys/ns5/named.conf
+++ b/bin/tests/system/mkeys/ns5/named.conf
@@ -1,38 +0,0 @@
-/*
- * Copyright (C) 2017  Internet Systems Consortium, Inc. ("ISC")
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, You can obtain one at http://mozilla.org/MPL/2.0/.
- */
-
-// NS5
-
-options {
-	query-source address 10.53.0.5;
-	notify-source 10.53.0.5;
-	transfer-source 10.53.0.5;
-	port 5300;
-	pid-file "named.pid";
-	listen-on { 10.53.0.5; };
-	listen-on-v6 { none; };
-	recursion yes;
-	notify no;
-	dnssec-enable yes;
-	dnssec-validation auto;
-	bindkeys-file "managed.conf";
-};
-
-key rndc_key {
-	secret "1234abcd8765";
-	algorithm hmac-sha256;
-};
-
-controls {
-	inet 10.53.0.5 port 9953 allow { any; } keys { rndc_key; };
-};
-
-zone "." {
-	type hint;
-	file "../../common/root.hint";
-};
--- a/bin/tests/system/mkeys/setup.sh
+++ b/bin/tests/system/mkeys/setup.sh
@@ -16,9 +16,3 @@ test -r $RANDFILE || $GENRANDOM 800 $RANDFILE
 cp ns1/named1.conf ns1/named.conf

 cd ns1 && $SHELL sign.sh
-
-cd ../ns4
-mkdir nope
-touch nope/managed-keys.bind
-touch nope/managed.keys.bind.jnl
-chmod 444 nope/*
--- a/bin/tests/system/mkeys/tests.sh
+++ b/bin/tests/system/mkeys/tests.sh
@@ -28,7 +28,6 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I: check positive validation with valid trust anchor ($n)"
 ret=0
-$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns2 /'
 $DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
 grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
@@ -391,7 +390,6 @@ $PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns2
 n=`expr $n + 1`
 echo "I: check positive validation ($n)"
 ret=0
-$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns2 /'
 $DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
 grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
@@ -448,6 +446,7 @@ rm -f ${revoked}.key ${revoked}.private
 $SETTIME -D none -R none -K ns1 `cat ns1/managed.key` > /dev/null
 $SETTIME -D now -K ns1 $standby1 > /dev/null
 $SETTIME -D now -K ns1 $standby2 > /dev/null
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns1 /'
 sleep 1
 $SIGNER -Sg -K ns1 -N unixtime -r $RANDFILE -o . ns1/root.db > /dev/null 2>&-
 $RNDC -c ../common/rndc.conf -s 10.53.0.1 -p 9953 reload . | sed 's/^/I: ns1 /'
@@ -455,7 +454,6 @@ sleep 3
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys refresh | sed 's/^/I: ns2 /'
 sleep 1
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 managed-keys status > rndc.out.$n 2>&1
-$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 flush | sed 's/^/I: ns1 /'
 $DIG $DIGOPTS +noauth example. @10.53.0.2 txt > dig.out.ns2.test$n || ret=1
 grep "flags:.*ad.*QUERY" dig.out.ns2.test$n > /dev/null || ret=1
 grep "example..*.RRSIG..*TXT" dig.out.ns2.test$n > /dev/null || ret=1
@@ -539,7 +537,7 @@ status=`expr $status + $ret`
 n=`expr $n + 1`
 echo "I: check that trust-anchor-telemetry queries are logged ($n)"
 ret=0
-grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns2/named.run > /dev/null || ret=1
+grep "sending trust-anchor-telemetry query '_ta-[0-9a-f]*/NULL" ns3/named.run > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

@@ -564,45 +562,5 @@ grep "name: \." rndc.out.$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo "I:failed"; fi
 status=`expr $status + $ret`

-n=`expr $n + 1`
-echo "I: check that trust-anchor-telemetry queries contain the correct key ($n)"
-ret=0
-# convert the hexadecimal key from the TAT query into decimal and
-# compare against the known key.
-tathex=`grep "query '_ta-[0-9a-f]*/NULL/IN' approved" ns1/named.run | awk '{print $6; exit 0}' | sed -e 's/(_ta-\([a-f0-9][a-f0-d]*\)):/\1/'`
-tatkey=`$PERL -e 'printf("%d\n", hex(@ARGV[0]));' $tathex`
-realkey=`$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 secroots - | grep '; managed' | sed 's#.*SHA256/\([0-9][0-9]*\) ; managed.*#\1#'`
-[ "$tatkey" -eq "$realkey" ] || ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-n=`expr $n + 1`
-echo "I: check initialization fails if managed-keys can't be created ($n)"
-ret=0
-$RNDC -c ../common/rndc.conf -s 10.53.0.4 -p 9953 secroots | sed 's/^/I: ns4 /'
-grep '; initializing managed' ns4/named.secroots > /dev/null 2>&1 || ret=1
-grep '; managed' ns4/named.secroots > /dev/null 2>&1 && ret=1
-grep '; trusted' ns4/named.secroots > /dev/null 2>&1 && ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
-n=`expr $n + 1`
-echo "I: check failure to contact root servers does not prevent key refreshes after restart ($n)"
-ret=0
-# By the time we get here, ns5 should have attempted refreshing its managed
-# keys.  These attempts should fail as ns1 is configured to REFUSE all queries
-# from ns5.  Note we do not configure ns5 with "-T mkeytimers"; this is to
-# ensure key refresh retry will be scheduled one hour in the future instead of
-# a few seconds in the future, in order to prevent races when ns5 is restarted.
-$PERL $SYSTEMTESTTOP/stop.pl --use-rndc . ns5
-$PERL $SYSTEMTESTTOP/start.pl --noclean --restart . ns5
-sleep 2
-# ns5/named.run will contain logs from both the old instance and the new
-# instance.  In order for the test to pass, both must attempt a fetch.
-count=`grep -c "Creating key fetch" ns5/named.run`
-[ $count -lt 2 ] && ret=1
-if [ $ret != 0 ]; then echo "I:failed"; fi
-status=`expr $status + $ret`
-
 echo "I:exit status: $status"
 [ $status -eq 0 ] || exit 1