diff options
Diffstat (limited to 'debian/patches/0011-keymgr-dont-immediately-delete.diff')
-rw-r--r-- | debian/patches/0011-keymgr-dont-immediately-delete.diff | 236 |
1 files changed, 236 insertions, 0 deletions
diff --git a/debian/patches/0011-keymgr-dont-immediately-delete.diff b/debian/patches/0011-keymgr-dont-immediately-delete.diff new file mode 100644 index 0000000..e0a9cb8 --- /dev/null +++ b/debian/patches/0011-keymgr-dont-immediately-delete.diff @@ -0,0 +1,236 @@ +From: Debian DNS Team <team+dns@tracker.debian.org> +Date: Wed, 20 Nov 2019 22:17:10 +0100 +Subject: keymgr-dont-immediately-delete + +--- + bin/python/isc/keyseries.py.in | 28 ++++++++++++++++++-- + bin/tests/system/keymgr/19-old-keys/README | 7 +++++ + bin/tests/system/keymgr/19-old-keys/expect | 12 +++++++++ + bin/tests/system/keymgr/19-old-keys/extra.sh | 19 ++++++++++++++ + bin/tests/system/keymgr/19-old-keys/policy.conf | 18 +++++++++++++ + bin/tests/system/keymgr/clean.sh | 2 ++ + bin/tests/system/keymgr/setup.sh | 10 ++++++++ + bin/tests/system/keymgr/tests.sh | 34 +++++++++++++++---------- + 8 files changed, 114 insertions(+), 16 deletions(-) + create mode 100644 bin/tests/system/keymgr/19-old-keys/README + create mode 100644 bin/tests/system/keymgr/19-old-keys/expect + create mode 100644 bin/tests/system/keymgr/19-old-keys/extra.sh + create mode 100644 bin/tests/system/keymgr/19-old-keys/policy.conf + +diff --git a/bin/python/isc/keyseries.py.in b/bin/python/isc/keyseries.py.in +index e1241f0..74ccc64 100644 +--- a/bin/python/isc/keyseries.py.in ++++ b/bin/python/isc/keyseries.py.in +@@ -77,15 +77,39 @@ class keyseries: + a = key.activate() + if not p or p > now: + key.setpublish(now) ++ p = now + if not a or a > now: + key.setactivate(now) ++ a = now + ++ i = key.inactive() + if not rp: + key.setinactive(None, **kwargs) + key.setdelete(None, **kwargs) ++ elif not i or a + rp != i: ++ if not i and a + rp > now + prepub: ++ key.setinactive(a + rp, **kwargs) ++ key.setdelete(a + rp + postpub, **kwargs) ++ elif not i: ++ key.setinactive(now + prepub, **kwargs) ++ key.setdelete(now + prepub + postpub, **kwargs) ++ elif a + rp > i: ++ key.setinactive(a + rp, **kwargs) ++ key.setdelete(a + rp + postpub, **kwargs) ++ elif a + rp > now + prepub: ++ key.setinactive(a + rp, **kwargs) ++ key.setdelete(a + rp + postpub, **kwargs) ++ else: ++ key.setinactive(now + prepub, **kwargs) ++ key.setdelete(now + prepub + postpub, **kwargs) + else: +- key.setinactive(a + rp, **kwargs) +- key.setdelete(a + rp + postpub, **kwargs) ++ d = key.delete() ++ if not d or i + postpub > now: ++ key.setdelete(i + postpub, **kwargs) ++ elif not d: ++ key.setdelete(now + postpub, **kwargs) ++ elif d < i + postpub: ++ key.setdelete(i + postpub, **kwargs) + + if policy.keyttl != key.ttl: + key.setttl(policy.keyttl) +diff --git a/bin/tests/system/keymgr/19-old-keys/README b/bin/tests/system/keymgr/19-old-keys/README +new file mode 100644 +index 0000000..424b70c +--- /dev/null ++++ b/bin/tests/system/keymgr/19-old-keys/README +@@ -0,0 +1,7 @@ ++Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ ++See COPYRIGHT in the source root or http://isc.org/copyright.html for terms. ++ ++This directory has a key set which is valid, but which was published ++and activated more than one rollover period ago. dnssec-keymgr should ++not mark the keys as already being inactive and deleted. +diff --git a/bin/tests/system/keymgr/19-old-keys/expect b/bin/tests/system/keymgr/19-old-keys/expect +new file mode 100644 +index 0000000..f3e49b3 +--- /dev/null ++++ b/bin/tests/system/keymgr/19-old-keys/expect +@@ -0,0 +1,12 @@ ++kargs="-c policy.conf example.com" ++kmatch="" ++kret=0 ++cargs="-d 1w -m 2w example.com" ++cmatch="4,Publish ++4,Activate ++2,Inactive ++2,Delete" ++cret=0 ++warn=0 ++error=0 ++ok=2 +diff --git a/bin/tests/system/keymgr/19-old-keys/extra.sh b/bin/tests/system/keymgr/19-old-keys/extra.sh +new file mode 100644 +index 0000000..8da6aa1 +--- /dev/null ++++ b/bin/tests/system/keymgr/19-old-keys/extra.sh +@@ -0,0 +1,19 @@ ++# Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++# ++# This Source Code Form is subject to the terms of the Mozilla Public ++# License, v. 2.0. If a copy of the MPL was not distributed with this ++# file, You can obtain one at http://mozilla.org/MPL/2.0/. ++# ++# See the COPYRIGHT file distributed with this work for additional ++# information regarding copyright ownership. ++ ++now=`$PERL -e 'print time()."\n";'` ++for keyfile in K*.key; do ++ inactive=`$SETTIME -upI $keyfile | awk '{print $2}'` ++ if [ "$inactive" = UNSET ]; then ++ continue ++ elif [ "$inactive" -lt "$now" ]; then ++ echo_d "inactive date is in the past" ++ ret=1 ++ fi ++done +diff --git a/bin/tests/system/keymgr/19-old-keys/policy.conf b/bin/tests/system/keymgr/19-old-keys/policy.conf +new file mode 100644 +index 0000000..91817ff +--- /dev/null ++++ b/bin/tests/system/keymgr/19-old-keys/policy.conf +@@ -0,0 +1,18 @@ ++/* ++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC") ++ * ++ * This Source Code Form is subject to the terms of the Mozilla Public ++ * License, v. 2.0. If a copy of the MPL was not distributed with this ++ * file, You can obtain one at http://mozilla.org/MPL/2.0/. ++ * ++ * See the COPYRIGHT file distributed with this work for additional ++ * information regarding copyright ownership. ++ */ ++ ++policy default { ++ policy global; ++ algorithm nsec3rsasha1; ++ pre-publish zsk 2w; ++ roll-period zsk 6mo; ++ coverage 364d; ++}; +diff --git a/bin/tests/system/keymgr/clean.sh b/bin/tests/system/keymgr/clean.sh +index dc9f0a0..3b9b1a2 100644 +--- a/bin/tests/system/keymgr/clean.sh ++++ b/bin/tests/system/keymgr/clean.sh +@@ -11,5 +11,7 @@ + + rm -f */K*.key + rm -f */K*.private ++rm -f Kexample.com.*.key ++rm -f Kexample.com.*.private + rm -f coverage.* keymgr.* + rm -f policy.out +diff --git a/bin/tests/system/keymgr/setup.sh b/bin/tests/system/keymgr/setup.sh +index 24e6c7c..ea6e566 100644 +--- a/bin/tests/system/keymgr/setup.sh ++++ b/bin/tests/system/keymgr/setup.sh +@@ -214,3 +214,13 @@ rm -f $dir/K*.private + ksk1=`$KEYGEN -K $dir -3fk example.com` + zsk1=`$KEYGEN -K $dir -3 example.com` + $SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null ++ ++# Test 19: Key has been published/active a long time ++dir=19-old-keys ++echo_i "set up $dir" ++rm -f $dir/K*.key ++rm -f $dir/K*.private ++ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com` ++zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com` ++$SETTIME -K $dir -P now-2y -A now-2y $ksk1 > /dev/null ++$SETTIME -K $dir -P now-2y -A now-2y $zsk1 > /dev/null +diff --git a/bin/tests/system/keymgr/tests.sh b/bin/tests/system/keymgr/tests.sh +index 88b43d9..89fedd3 100644 +--- a/bin/tests/system/keymgr/tests.sh ++++ b/bin/tests/system/keymgr/tests.sh +@@ -16,13 +16,19 @@ status=0 + n=1 + + matchall () { ++ match_result=ok + file=$1 +- echo "$2" | while read matchline; do +- grep "$matchline" $file > /dev/null 2>&1 || { +- echo "FAIL" +- return ++ while IFS="," read expect matchline; do ++ [ -z "$matchline" ] && continue ++ matches=`grep "$matchline" $file | wc -l` ++ [ "$matches" -ne "$expect" ] && { ++ echo "'$matchline': expected $expect found $matches" ++ return 1 + } +- done ++ done << EOF ++ $2 ++EOF ++ return 0 + } + + echo_i "checking for DNSSEC key coverage issues" +@@ -51,11 +57,8 @@ for dir in [0-9][0-9]-*; do + ret=1 + fi + +- found=`matchall keymgr.$n "$kmatch"` +- if [ "$found" = "FAIL" ]; then +- echo "no match on '$kmatch'" +- ret=1 +- fi ++ # check for matches in keymgr output ++ matchall keymgr.$n "$kmatch" || ret=1 + + # now check coverage + $COVERAGE -K $dir $cargs > coverage.$n 2>&1 +@@ -87,10 +90,13 @@ for dir in [0-9][0-9]-*; do + ret=1 + fi + +- found=`matchall coverage.$n "$cmatch"` +- if [ "$found" = "FAIL" ]; then +- echo "no match on '$cmatch'" +- ret=1 ++ # check for matches in coverage output ++ matchall coverage.$n "$cmatch" || ret=1 ++ ++ if [ -f $dir/extra.sh ]; then ++ cd $dir ++ . ./extra.sh ++ cd .. + fi + + n=`expr $n + 1` |