ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

Also collect DNSSEC refresh signature statistics

Browse Source 
In addition to gather how many times signatures are created per
key in a zone, also count how many of those signature creations are
because of DNSSEC maintenance.  These maintenance counters are
incremented if a signature is refreshed (but the RRset did not
changed), when the DNSKEY RRset is changed, and when that leads
to additional RRset / RRSIG updates (for example SOA, NSEC).
This commit is contained in:
Matthijs Mekking
2019-06-21 10:30:05 +02:00
committed by Matthijs Mekking
parent a8750a8805
commit 6f67546cd6
8 changed files with 149 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
bin/tests/system/statschannel/tests.sh
View File

@@ -281,7 +281,8 @@ n=`expr $n + 1`
# Test dnssec sign statistics.
zone="dnssec"
stat_prefix="dnskey sign operations"
sign_prefix="dnssec-sign operations"
refresh_prefix="dnssec-refresh operations"
ksk_id=`cat ns2/$zone.ksk.id`
zsk_id=`cat ns2/$zone.zsk.id`
@@ -297,8 +298,10 @@ ret=0
# the SOA RRset before a competing RRset. This happens here and so the
# SOA RRset is updated and resigned twice at startup, that explains the
# additional zsk sign operation (11 instead of 10).
echo "${stat_prefix} ${zsk_id}: 11" > zones.expect
echo "${stat_prefix} ${ksk_id}: 1" >> zones.expect
echo "${refresh_prefix} ${zsk_id}: 11" > zones.expect
echo "${refresh_prefix} ${ksk_id}: 1" >> zones.expect
echo "${sign_prefix} ${zsk_id}: 11" >> zones.expect
echo "${sign_prefix} ${ksk_id}: 1" >> zones.expect
cat zones.expect | sort > zones.expect.$n
rm -f zones.expect
# Fetch and check the dnssec sign statistics.
@@ -325,8 +328,10 @@ echo update add $zone. 300 in txt "nsupdate added me"
echo send
) | $NSUPDATE
# This should trigger the resign of SOA, TXT and NSEC (+3 zsk).
echo "${stat_prefix} ${zsk_id}: 14" > zones.expect
echo "${stat_prefix} ${ksk_id}: 1" >> zones.expect
echo "${refresh_prefix} ${zsk_id}: 11" > zones.expect
echo "${refresh_prefix} ${ksk_id}: 1" >> zones.expect
echo "${sign_prefix} ${zsk_id}: 14" >> zones.expect
echo "${sign_prefix} ${ksk_id}: 1" >> zones.expect
cat zones.expect | sort > zones.expect.$n
rm -f zones.expect
# Fetch and check the dnssec sign statistics.
@@ -345,13 +350,16 @@ n=`expr $n + 1`
# 3. Test sign operations of KSK.
ret=0
echo_i "fetch zone stats data after updating DNSKEY RRset ($n)"
# Add a standby DNSKEY, this triggers resigning the DNSKEY RRset.
zsk=$("$KEYGEN" -K ns2 -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
$SETTIME -K ns2 -P now -A never $zsk.key > /dev/null
loadkeys_on 2 $zone || ret=1
# This should trigger the resign of SOA (+1 zsk) and DNSKEY (+1 ksk).
echo "${stat_prefix} ${zsk_id}: 15" > zones.expect
echo "${stat_prefix} ${ksk_id}: 2" >> zones.expect
echo "${refresh_prefix} ${zsk_id}: 12" > zones.expect
echo "${refresh_prefix} ${ksk_id}: 2" >> zones.expect
echo "${sign_prefix} ${zsk_id}: 15" >> zones.expect
echo "${sign_prefix} ${ksk_id}: 2" >> zones.expect
cat zones.expect | sort > zones.expect.$n
rm -f zones.expect
# Fetch and check the dnssec sign statistics.