diff --git a/ipatests/pytest_plugins/integration/tasks.py b/ipatests/pytest_plugins/integration/tasks.py index e4dee190d..688f645e5 100644 --- a/ipatests/pytest_plugins/integration/tasks.py +++ b/ipatests/pytest_plugins/integration/tasks.py @@ -270,6 +270,18 @@ def enable_replication_debugging(host, log_level=0): stdin_text=logging_ldif) +def set_default_ttl_for_ipa_dns_zone(host, raiseonerr=True): + args = [ + 'ipa', 'dnszone-mod', host.domain.name, + '--default-ttl', '1', + '--ttl', '1' + ] + result = host.run_command(args, raiseonerr=raiseonerr, stdin_text=None) + if result.returncode != 0: + logger.info('Failed to set TTL and default TTL for DNS zone %s to 1', + host.domain.name) + + def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False, extra_args=(), domain_level=None, unattended=True, stdin_text=None, raiseonerr=True): @@ -308,6 +320,10 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False, enable_replication_debugging(host) setup_sssd_debugging(host) kinit_admin(host) + if setup_dns: + # fixup DNS zone default TTL for IPA DNS zone + # For tests we should not wait too long + set_default_ttl_for_ipa_dns_zone(host, raiseonerr=raiseonerr) return result diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py index b9169952f..0436a6521 100644 --- a/ipatests/test_integration/test_dnssec.py +++ b/ipatests/test_integration/test_dnssec.py @@ -5,12 +5,11 @@ from __future__ import absolute_import import logging -import pytest +import time import dns.dnssec import dns.resolver import dns.name -import time import pytest from ipatests.test_integration.base import IntegrationTest @@ -19,6 +18,10 @@ from ipaplatform.paths import paths logger = logging.getLogger(__name__) +# Sleep 5 seconds at most when waiting for LDAP updates +# for DNSSEC changes. Test zones should be updated with 1 second TTL +DNSSEC_SLEEP = 5 + test_zone = "dnssec.test." test_zone_repl = "dnssec-replica.test." root_zone = "." @@ -79,6 +82,20 @@ def wait_until_record_is_signed(nameserver, record, rtype="SOA", return False +def dnszone_add_dnssec(host, test_zone): + """Add dnszone with dnssec and short TTL + """ + args = [ + "ipa", + "dnszone-add", test_zone, + "--skip-overlap-check", + "--dnssec", "true", + "--ttl", "1", + "--default-ttl", "1", + ] + return host.run_command(args) + + class TestInstallDNSSECLast(IntegrationTest): """Simple DNSSEC test @@ -105,14 +122,7 @@ class TestInstallDNSSECLast(IntegrationTest): def test_if_zone_is_signed_master(self): # add zone with enabled DNSSEC signing on master - args = [ - "ipa", - "dnszone-add", test_zone, - "--skip-overlap-check", - "--dnssec", "true", - ] - self.master.run_command(args) - + dnszone_add_dnssec(self.master, test_zone) tasks.restart_named(self.master, self.replicas[0]) # test master assert wait_until_record_is_signed( @@ -126,14 +136,7 @@ class TestInstallDNSSECLast(IntegrationTest): def test_if_zone_is_signed_replica(self): # add zone with enabled DNSSEC signing on replica - args = [ - "ipa", - "dnszone-add", test_zone_repl, - "--skip-overlap-check", - "--dnssec", "true", - ] - self.replicas[0].run_command(args) - + dnszone_add_dnssec(self.replicas[0], test_zone_repl) tasks.restart_named(self.replicas[0]) # test replica assert wait_until_record_is_signed( @@ -161,7 +164,7 @@ class TestInstallDNSSECLast(IntegrationTest): ] self.master.run_command(args) - time.sleep(20) # sleep a bit until LDAP changes are applied to DNS + time.sleep(DNSSEC_SLEEP) # test master assert not is_record_signed( @@ -210,7 +213,7 @@ class TestInstallDNSSECLast(IntegrationTest): ] self.master.run_command(args) - time.sleep(20) # sleep a bit until LDAP changes are applied to DNS + time.sleep(DNSSEC_SLEEP) # test master assert not is_record_signed( @@ -279,11 +282,7 @@ class TestZoneSigningWithoutNamedRestart(IntegrationTest): super(TestZoneSigningWithoutNamedRestart, cls).uninstall(mh) def test_sign_root_zone_no_named_restart(self): - args = [ - "ipa", "dnszone-add", root_zone, "--dnssec", "true", - "--skip-overlap-check", - ] - self.master.run_command(args) + dnszone_add_dnssec(self.master, root_zone) # make BIND happy: add the glue record and delegate zone args = [ @@ -298,7 +297,7 @@ class TestZoneSigningWithoutNamedRestart(IntegrationTest): self.master.run_command(args) # sleep a bit until data are provided by bind-dyndb-ldap - time.sleep(10) + time.sleep(DNSSEC_SLEEP) args = [ "ipa", "dnsrecord-add", root_zone, self.master.domain.name, @@ -350,11 +349,7 @@ class TestInstallDNSSECFirst(IntegrationTest): super(TestInstallDNSSECFirst, cls).uninstall(mh) def test_sign_root_zone(self): - args = [ - "ipa", "dnszone-add", root_zone, "--dnssec", "true", - "--skip-overlap-check", - ] - self.master.run_command(args) + dnszone_add_dnssec(self.master, root_zone) # make BIND happy: add the glue record and delegate zone args = [ @@ -367,7 +362,7 @@ class TestInstallDNSSECFirst(IntegrationTest): "--a-rec=" + self.replicas[0].ip ] self.master.run_command(args) - time.sleep(10) # sleep a bit until data are provided by bind-dyndb-ldap + time.sleep(DNSSEC_SLEEP) args = [ "ipa", "dnsrecord-add", root_zone, self.master.domain.name, @@ -391,14 +386,7 @@ class TestInstallDNSSECFirst(IntegrationTest): Validate signed DNS records, using our own signed root zone :return: """ - - # add test zone - args = [ - "ipa", "dnszone-add", example_test_zone, "--dnssec", "true", - "--skip-overlap-check", - ] - - self.master.run_command(args) + dnszone_add_dnssec(self.master, example_test_zone) # delegation args = [ @@ -491,7 +479,7 @@ class TestInstallDNSSECFirst(IntegrationTest): root_keys_rrset.to_text() + '\n') # verify signatures - time.sleep(1) + time.sleep(DNSSEC_SLEEP) args = [ "drill", "@localhost", "-k", paths.DNSSEC_TRUSTED_KEY, "-S", @@ -537,13 +525,7 @@ class TestMigrateDNSSECMaster(IntegrationTest): replica_backup_filename = "/tmp/ipa-kasp.db.backup" # add test zone - args = [ - "ipa", "dnszone-add", example_test_zone, "--dnssec", "true", - "--skip-overlap-check", - ] - - self.master.run_command(args) - + dnszone_add_dnssec(self.master, example_test_zone) tasks.restart_named(self.master, self.replicas[0]) # wait until zone is signed assert wait_until_record_is_signed( @@ -596,11 +578,7 @@ class TestMigrateDNSSECMaster(IntegrationTest): assert dnskey_old == dnskey_new, "DNSKEY should be the same" # add test zone - args = [ - "ipa", "dnszone-add", example2_test_zone, "--dnssec", "true", - "--skip-overlap-check", - ] - self.replicas[0].run_command(args) + dnszone_add_dnssec(self.replicas[0], example2_test_zone) tasks.restart_named(self.master, self.replicas[0]) # wait until zone is signed assert wait_until_record_is_signed( @@ -629,11 +607,7 @@ class TestMigrateDNSSECMaster(IntegrationTest): % example2_test_zone) # add new zone to new replica - args = [ - "ipa", "dnszone-add", example3_test_zone, "--dnssec", "true", - "--skip-overlap-check", - ] - self.replicas[1].run_command(args) + dnszone_add_dnssec(self.replicas[0], example3_test_zone) tasks.restart_named(self.replicas[0], self.replicas[1]) # wait until zone is signed assert wait_until_record_is_signed(