Tests: Set default TTL for DNS zones to 1 sec

When running IPA tests, the default TTL for the zone should be set
very low to avoid timeouts in the tests: zone updates should be
propagated to the clients as soon as possible.

This is not something that should be used in production so the change is
done purely at install time within the tests. As zone information is
replicated, we only modify it when creating a master with integrated
DNS.

This change should fix a number of DNSSEC-related tests where default
TTL is longer than what a test expects and a change of DNSSEC keys
never gets noticed by the BIND. As result, DNSSEC tests never match
their expected output with what they received from the BIND.

Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
Co-authored-by: Alexander Bokovoy <abokovoy@redhat.com>
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Christian Heimes 2018-04-17 11:31:10 +02:00
parent 6fb45d2f56
commit dae4aac912
2 changed files with 48 additions and 58 deletions


@ -270,6 +270,18 @@ def enable_replication_debugging(host, log_level=0):
stdin_text=logging_ldif)
def set_default_ttl_for_ipa_dns_zone(host, raiseonerr=True):
args = [
'ipa', 'dnszone-mod', host.domain.name,
'--default-ttl', '1',
'--ttl', '1'
]
result = host.run_command(args, raiseonerr=raiseonerr, stdin_text=None)
if result.returncode != 0:
logger.info('Failed to set TTL and default TTL for DNS zone %s to 1',
host.domain.name)
def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
extra_args=(), domain_level=None, unattended=True,
stdin_text=None, raiseonerr=True):
@ -308,6 +320,10 @@ def install_master(host, setup_dns=True, setup_kra=False, setup_adtrust=False,
enable_replication_debugging(host)
setup_sssd_debugging(host)
kinit_admin(host)
if setup_dns:
# fixup DNS zone default TTL for IPA DNS zone
# For tests we should not wait too long
set_default_ttl_for_ipa_dns_zone(host, raiseonerr=raiseonerr)
return result
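Review bot: `set_default_ttl_for_ipa_dns_zone` has no docstring, and the one caveat that matters — a 1-second TTL is a test-only setting that must never be applied to a production zone — lives only in the commit message, not next to the helper in tasks.py where other tests will find and reuse it; a docstring such as `"""Set TTL and default TTL of the IPA DNS zone to 1 second (test-only; never use on a production zone)."""` would carry it. The `if result.returncode != 0` branch is presumably reachable only when a caller passes `raiseonerr=False` (otherwise `run_command` raises), so it is the silent-failure path, and logging it at `logger.warning` rather than `info` would make a zone left at the default TTL visible in the test log. The `stdin_text=None` argument is the default and can be dropped. The `install_master` function touched by the second hunk starts outside the hunk.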


@ -5,12 +5,11 @@
from __future__ import absolute_import
import logging
import pytest
import time
import dns.dnssec
import dns.resolver
import dns.name
import time
import pytest
from ipatests.test_integration.base import IntegrationTest
@ -19,6 +18,10 @@ from ipaplatform.paths import paths
logger = logging.getLogger(__name__)
# Sleep 5 seconds at most when waiting for LDAP updates
# for DNSSEC changes. Test zones should be updated with 1 second TTL
DNSSEC_SLEEP = 5
test_zone = "dnssec.test."
test_zone_repl = "dnssec-replica.test."
root_zone = "."
@ -79,6 +82,20 @@ def wait_until_record_is_signed(nameserver, record, rtype="SOA",
return False
def dnszone_add_dnssec(host, test_zone):
"""Add dnszone with dnssec and short TTL
"""
args = [
"ipa",
"dnszone-add", test_zone,
"--skip-overlap-check",
"--dnssec", "true",
"--ttl", "1",
"--default-ttl", "1",
]
return host.run_command(args)
class TestInstallDNSSECLast(IntegrationTest):
"""Simple DNSSEC test
@ -105,14 +122,7 @@ class TestInstallDNSSECLast(IntegrationTest):
def test_if_zone_is_signed_master(self):
# add zone with enabled DNSSEC signing on master
args = [
"ipa",
"dnszone-add", test_zone,
"--skip-overlap-check",
"--dnssec", "true",
]
self.master.run_command(args)
dnszone_add_dnssec(self.master, test_zone)
tasks.restart_named(self.master, self.replicas[0])
# test master
assert wait_until_record_is_signed(
@ -126,14 +136,7 @@ class TestInstallDNSSECLast(IntegrationTest):
def test_if_zone_is_signed_replica(self):
# add zone with enabled DNSSEC signing on replica
args = [
"ipa",
"dnszone-add", test_zone_repl,
"--skip-overlap-check",
"--dnssec", "true",
]
self.replicas[0].run_command(args)
dnszone_add_dnssec(self.replicas[0], test_zone_repl)
tasks.restart_named(self.replicas[0])
# test replica
assert wait_until_record_is_signed(
@ -161,7 +164,7 @@ class TestInstallDNSSECLast(IntegrationTest):
]
self.master.run_command(args)
time.sleep(20) # sleep a bit until LDAP changes are applied to DNS
time.sleep(DNSSEC_SLEEP)
# test master
assert not is_record_signed(
@ -210,7 +213,7 @@ class TestInstallDNSSECLast(IntegrationTest):
]
self.master.run_command(args)
time.sleep(20) # sleep a bit until LDAP changes are applied to DNS
time.sleep(DNSSEC_SLEEP)
# test master
assert not is_record_signed(
@ -279,11 +282,7 @@ class TestZoneSigningWithoutNamedRestart(IntegrationTest):
super(TestZoneSigningWithoutNamedRestart, cls).uninstall(mh)
def test_sign_root_zone_no_named_restart(self):
args = [
"ipa", "dnszone-add", root_zone, "--dnssec", "true",
"--skip-overlap-check",
]
self.master.run_command(args)
dnszone_add_dnssec(self.master, root_zone)
# make BIND happy: add the glue record and delegate zone
args = [
@ -298,7 +297,7 @@ class TestZoneSigningWithoutNamedRestart(IntegrationTest):
self.master.run_command(args)
# sleep a bit until data are provided by bind-dyndb-ldap
time.sleep(10)
time.sleep(DNSSEC_SLEEP)
args = [
"ipa", "dnsrecord-add", root_zone, self.master.domain.name,
@ -350,11 +349,7 @@ class TestInstallDNSSECFirst(IntegrationTest):
super(TestInstallDNSSECFirst, cls).uninstall(mh)
def test_sign_root_zone(self):
args = [
"ipa", "dnszone-add", root_zone, "--dnssec", "true",
"--skip-overlap-check",
]
self.master.run_command(args)
dnszone_add_dnssec(self.master, root_zone)
# make BIND happy: add the glue record and delegate zone
args = [
@ -367,7 +362,7 @@ class TestInstallDNSSECFirst(IntegrationTest):
"--a-rec=" + self.replicas[0].ip
]
self.master.run_command(args)
time.sleep(10) # sleep a bit until data are provided by bind-dyndb-ldap
time.sleep(DNSSEC_SLEEP)
args = [
"ipa", "dnsrecord-add", root_zone, self.master.domain.name,
@ -391,14 +386,7 @@ class TestInstallDNSSECFirst(IntegrationTest):
Validate signed DNS records, using our own signed root zone
:return:
"""
# add test zone
args = [
"ipa", "dnszone-add", example_test_zone, "--dnssec", "true",
"--skip-overlap-check",
]
self.master.run_command(args)
dnszone_add_dnssec(self.master, example_test_zone)
# delegation
args = [
@ -491,7 +479,7 @@ class TestInstallDNSSECFirst(IntegrationTest):
root_keys_rrset.to_text() + '\n')
# verify signatures
time.sleep(1)
time.sleep(DNSSEC_SLEEP)
args = [
"drill", "@localhost", "-k",
paths.DNSSEC_TRUSTED_KEY, "-S",
@ -537,13 +525,7 @@ class TestMigrateDNSSECMaster(IntegrationTest):
replica_backup_filename = "/tmp/ipa-kasp.db.backup"
# add test zone
args = [
"ipa", "dnszone-add", example_test_zone, "--dnssec", "true",
"--skip-overlap-check",
]
self.master.run_command(args)
dnszone_add_dnssec(self.master, example_test_zone)
tasks.restart_named(self.master, self.replicas[0])
# wait until zone is signed
assert wait_until_record_is_signed(
@ -596,11 +578,7 @@ class TestMigrateDNSSECMaster(IntegrationTest):
assert dnskey_old == dnskey_new, "DNSKEY should be the same"
# add test zone
args = [
"ipa", "dnszone-add", example2_test_zone, "--dnssec", "true",
"--skip-overlap-check",
]
self.replicas[0].run_command(args)
dnszone_add_dnssec(self.replicas[0], example2_test_zone)
tasks.restart_named(self.master, self.replicas[0])
# wait until zone is signed
assert wait_until_record_is_signed(
@ -629,11 +607,7 @@ class TestMigrateDNSSECMaster(IntegrationTest):
% example2_test_zone)
# add new zone to new replica
args = [
"ipa", "dnszone-add", example3_test_zone, "--dnssec", "true",
"--skip-overlap-check",
]
self.replicas[1].run_command(args)
dnszone_add_dnssec(self.replicas[0], example3_test_zone)
tasks.restart_named(self.replicas[0], self.replicas[1])
# wait until zone is signed
assert wait_until_record_is_signed(
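Review bot: In the last hunk the replacement call `dnszone_add_dnssec(self.replicas[0], example3_test_zone)` runs on `self.replicas[0]`, whereas the removed line ran `self.replicas[1].run_command(args)` and the comment above it says the zone is added to the new replica; unless that switch is intended, it should read `dnszone_add_dnssec(self.replicas[1], example3_test_zone)`. The new helper also names its parameter `test_zone`, shadowing the module-level `test_zone` constant defined a few lines above it; `zone` would avoid the confusion. Note too that `DNSSEC_SLEEP = 5` only holds if every zone the tests query carries the 1-second TTL — zones created through the helper and the IPA zone set up by `install_master` do, but any record served from a zone created some other way will still sit on its default TTL, so the comment on the constant should state that assumption. The enclosing test methods start and end outside the hunks.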