Add multisigner system test

Add a new system test to test multisigner model use cases. This initial test just tests a small part of the model 2, and uses two providers for the same zone, ns3 and ns4, each with their own unique key set. This commit tests that each provider can import their ZSK of the other provider into their DNSKEY RRset, using dynamic update. Both providers use dnssec-policy, ns3 applies the DNSSEC records directly, while ns4 uses inline-signing.
2022-10-04 15:42:03 +02:00
parent b92d33a849
commit 4e18991fed
12 changed files with 423 additions and 1 deletions
--- a/bin/tests/system/multisigner/ns4/model2.multisigner.db
+++ b/bin/tests/system/multisigner/ns4/model2.multisigner.db
@@ -0,0 +1,26 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0.  If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns4
+ns4			A	10.53.0.4
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
--- a/bin/tests/system/multisigner/ns4/named.conf.in
+++ b/bin/tests/system/multisigner/ns4/named.conf.in
@@ -0,0 +1,46 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+include "../kasp.conf";
+
+options {
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.4; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+	key-directory ".";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+zone "model2.multisigner." {
+	type primary;
+	allow-update { any; };
+	file "model2.multisigner.db";
+	dnssec-policy model2;
+	inline-signing yes;
+};
--- a/bin/tests/system/multisigner/ns4/setup.sh
+++ b/bin/tests/system/multisigner/ns4/setup.sh
@@ -0,0 +1,31 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns4/setup.sh"
+
+zone="model2.multisigner"
+echo_i "setting up zone: $zone"
+zonefile="${zone}.db"
+
+O="OMNIPRESENT"
+ksktimes="-P now -A now -P sync now"
+zsktimes="-P now -A now"
+KSK=$($KEYGEN  -a $DEFAULT_ALGORITHM -f KSK  -L 3600 $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O now -r $O now -d $O now  "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O now -z $O now            "$ZSK" > settime.out.$zone.2 2>&1
+# ZSK will be added to the other provider with nsupdate.
+cat "${ZSK}.key" | grep -v ";.*" > "${zone}.zsk"