summaryrefslogtreecommitdiffstats
path: root/debian/patches/0011-keymgr-dont-immediately-delete.diff
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--debian/patches/0011-keymgr-dont-immediately-delete.diff236
1 files changed, 236 insertions, 0 deletions
diff --git a/debian/patches/0011-keymgr-dont-immediately-delete.diff b/debian/patches/0011-keymgr-dont-immediately-delete.diff
new file mode 100644
index 0000000..e0a9cb8
--- /dev/null
+++ b/debian/patches/0011-keymgr-dont-immediately-delete.diff
@@ -0,0 +1,236 @@
+From: Debian DNS Team <team+dns@tracker.debian.org>
+Date: Wed, 20 Nov 2019 22:17:10 +0100
+Subject: keymgr-dont-immediately-delete
+
+---
+ bin/python/isc/keyseries.py.in | 28 ++++++++++++++++++--
+ bin/tests/system/keymgr/19-old-keys/README | 7 +++++
+ bin/tests/system/keymgr/19-old-keys/expect | 12 +++++++++
+ bin/tests/system/keymgr/19-old-keys/extra.sh | 19 ++++++++++++++
+ bin/tests/system/keymgr/19-old-keys/policy.conf | 18 +++++++++++++
+ bin/tests/system/keymgr/clean.sh | 2 ++
+ bin/tests/system/keymgr/setup.sh | 10 ++++++++
+ bin/tests/system/keymgr/tests.sh | 34 +++++++++++++++----------
+ 8 files changed, 114 insertions(+), 16 deletions(-)
+ create mode 100644 bin/tests/system/keymgr/19-old-keys/README
+ create mode 100644 bin/tests/system/keymgr/19-old-keys/expect
+ create mode 100644 bin/tests/system/keymgr/19-old-keys/extra.sh
+ create mode 100644 bin/tests/system/keymgr/19-old-keys/policy.conf
+
+diff --git a/bin/python/isc/keyseries.py.in b/bin/python/isc/keyseries.py.in
+index e1241f0..74ccc64 100644
+--- a/bin/python/isc/keyseries.py.in
++++ b/bin/python/isc/keyseries.py.in
+@@ -77,15 +77,39 @@ class keyseries:
+ a = key.activate()
+ if not p or p > now:
+ key.setpublish(now)
++ p = now
+ if not a or a > now:
+ key.setactivate(now)
++ a = now
+
++ i = key.inactive()
+ if not rp:
+ key.setinactive(None, **kwargs)
+ key.setdelete(None, **kwargs)
++ elif not i or a + rp != i:
++ if not i and a + rp > now + prepub:
++ key.setinactive(a + rp, **kwargs)
++ key.setdelete(a + rp + postpub, **kwargs)
++ elif not i:
++ key.setinactive(now + prepub, **kwargs)
++ key.setdelete(now + prepub + postpub, **kwargs)
++ elif a + rp > i:
++ key.setinactive(a + rp, **kwargs)
++ key.setdelete(a + rp + postpub, **kwargs)
++ elif a + rp > now + prepub:
++ key.setinactive(a + rp, **kwargs)
++ key.setdelete(a + rp + postpub, **kwargs)
++ else:
++ key.setinactive(now + prepub, **kwargs)
++ key.setdelete(now + prepub + postpub, **kwargs)
+ else:
+- key.setinactive(a + rp, **kwargs)
+- key.setdelete(a + rp + postpub, **kwargs)
++ d = key.delete()
++ if not d or i + postpub > now:
++ key.setdelete(i + postpub, **kwargs)
++ elif not d:
++ key.setdelete(now + postpub, **kwargs)
++ elif d < i + postpub:
++ key.setdelete(i + postpub, **kwargs)
+
+ if policy.keyttl != key.ttl:
+ key.setttl(policy.keyttl)
+diff --git a/bin/tests/system/keymgr/19-old-keys/README b/bin/tests/system/keymgr/19-old-keys/README
+new file mode 100644
+index 0000000..424b70c
+--- /dev/null
++++ b/bin/tests/system/keymgr/19-old-keys/README
+@@ -0,0 +1,7 @@
++Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++
++See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
++
++This directory has a key set which is valid, but which was published
++and activated more than one rollover period ago. dnssec-keymgr should
++not mark the keys as already being inactive and deleted.
+diff --git a/bin/tests/system/keymgr/19-old-keys/expect b/bin/tests/system/keymgr/19-old-keys/expect
+new file mode 100644
+index 0000000..f3e49b3
+--- /dev/null
++++ b/bin/tests/system/keymgr/19-old-keys/expect
+@@ -0,0 +1,12 @@
++kargs="-c policy.conf example.com"
++kmatch=""
++kret=0
++cargs="-d 1w -m 2w example.com"
++cmatch="4,Publish
++4,Activate
++2,Inactive
++2,Delete"
++cret=0
++warn=0
++error=0
++ok=2
+diff --git a/bin/tests/system/keymgr/19-old-keys/extra.sh b/bin/tests/system/keymgr/19-old-keys/extra.sh
+new file mode 100644
+index 0000000..8da6aa1
+--- /dev/null
++++ b/bin/tests/system/keymgr/19-old-keys/extra.sh
+@@ -0,0 +1,19 @@
++# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++#
++# This Source Code Form is subject to the terms of the Mozilla Public
++# License, v. 2.0. If a copy of the MPL was not distributed with this
++# file, You can obtain one at http://mozilla.org/MPL/2.0/.
++#
++# See the COPYRIGHT file distributed with this work for additional
++# information regarding copyright ownership.
++
++now=`$PERL -e 'print time()."\n";'`
++for keyfile in K*.key; do
++ inactive=`$SETTIME -upI $keyfile | awk '{print $2}'`
++ if [ "$inactive" = UNSET ]; then
++ continue
++ elif [ "$inactive" -lt "$now" ]; then
++ echo_d "inactive date is in the past"
++ ret=1
++ fi
++done
+diff --git a/bin/tests/system/keymgr/19-old-keys/policy.conf b/bin/tests/system/keymgr/19-old-keys/policy.conf
+new file mode 100644
+index 0000000..91817ff
+--- /dev/null
++++ b/bin/tests/system/keymgr/19-old-keys/policy.conf
+@@ -0,0 +1,18 @@
++/*
++ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
++ *
++ * This Source Code Form is subject to the terms of the Mozilla Public
++ * License, v. 2.0. If a copy of the MPL was not distributed with this
++ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
++ *
++ * See the COPYRIGHT file distributed with this work for additional
++ * information regarding copyright ownership.
++ */
++
++policy default {
++ policy global;
++ algorithm nsec3rsasha1;
++ pre-publish zsk 2w;
++ roll-period zsk 6mo;
++ coverage 364d;
++};
+diff --git a/bin/tests/system/keymgr/clean.sh b/bin/tests/system/keymgr/clean.sh
+index dc9f0a0..3b9b1a2 100644
+--- a/bin/tests/system/keymgr/clean.sh
++++ b/bin/tests/system/keymgr/clean.sh
+@@ -11,5 +11,7 @@
+
+ rm -f */K*.key
+ rm -f */K*.private
++rm -f Kexample.com.*.key
++rm -f Kexample.com.*.private
+ rm -f coverage.* keymgr.*
+ rm -f policy.out
+diff --git a/bin/tests/system/keymgr/setup.sh b/bin/tests/system/keymgr/setup.sh
+index 24e6c7c..ea6e566 100644
+--- a/bin/tests/system/keymgr/setup.sh
++++ b/bin/tests/system/keymgr/setup.sh
+@@ -214,3 +214,13 @@ rm -f $dir/K*.private
+ ksk1=`$KEYGEN -K $dir -3fk example.com`
+ zsk1=`$KEYGEN -K $dir -3 example.com`
+ $SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null
++
++# Test 19: Key has been published/active a long time
++dir=19-old-keys
++echo_i "set up $dir"
++rm -f $dir/K*.key
++rm -f $dir/K*.private
++ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
++zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
++$SETTIME -K $dir -P now-2y -A now-2y $ksk1 > /dev/null
++$SETTIME -K $dir -P now-2y -A now-2y $zsk1 > /dev/null
+diff --git a/bin/tests/system/keymgr/tests.sh b/bin/tests/system/keymgr/tests.sh
+index 88b43d9..89fedd3 100644
+--- a/bin/tests/system/keymgr/tests.sh
++++ b/bin/tests/system/keymgr/tests.sh
+@@ -16,13 +16,19 @@ status=0
+ n=1
+
+ matchall () {
++ match_result=ok
+ file=$1
+- echo "$2" | while read matchline; do
+- grep "$matchline" $file > /dev/null 2>&1 || {
+- echo "FAIL"
+- return
++ while IFS="," read expect matchline; do
++ [ -z "$matchline" ] && continue
++ matches=`grep "$matchline" $file | wc -l`
++ [ "$matches" -ne "$expect" ] && {
++ echo "'$matchline': expected $expect found $matches"
++ return 1
+ }
+- done
++ done << EOF
++ $2
++EOF
++ return 0
+ }
+
+ echo_i "checking for DNSSEC key coverage issues"
+@@ -51,11 +57,8 @@ for dir in [0-9][0-9]-*; do
+ ret=1
+ fi
+
+- found=`matchall keymgr.$n "$kmatch"`
+- if [ "$found" = "FAIL" ]; then
+- echo "no match on '$kmatch'"
+- ret=1
+- fi
++ # check for matches in keymgr output
++ matchall keymgr.$n "$kmatch" || ret=1
+
+ # now check coverage
+ $COVERAGE -K $dir $cargs > coverage.$n 2>&1
+@@ -87,10 +90,13 @@ for dir in [0-9][0-9]-*; do
+ ret=1
+ fi
+
+- found=`matchall coverage.$n "$cmatch"`
+- if [ "$found" = "FAIL" ]; then
+- echo "no match on '$cmatch'"
+- ret=1
++ # check for matches in coverage output
++ matchall coverage.$n "$cmatch" || ret=1
++
++ if [ -f $dir/extra.sh ]; then
++ cd $dir
++ . ./extra.sh
++ cd ..
+ fi
+
+ n=`expr $n + 1`