authorOleg Fayans <ofayans@redhat.com>2016-05-11 12:08:38 +0200
committerMartin Basti <mbasti@redhat.com>2016-05-11 13:16:43 +0200
commit5567dff4b46cc05bf0ea44dd03afdd12645143a5 (patch)
tree5853b22f2a8cf3428e9fd844f38039f18f546b9a /ipatests/test_integration
parentea794f3dec52694c58689c6dac267a42b71e5af9 (diff)
A workaround for ticket N 5348
A freshly created DNSSEC-enabled zone does not always display the signature until named-pkcs11 is restarted. The tests now restart this service after each DNSSEC-enabled zone is created. https://fedorahosted.org/freeipa/ticket/5348 Reviewed-By: Martin Basti <mbasti@redhat.com>
Diffstat (limited to 'ipatests/test_integration')
-rw-r--r--ipatests/test_integration/test_dnssec.py97
1 files changed, 90 insertions, 7 deletions
diff --git a/ipatests/test_integration/test_dnssec.py b/ipatests/test_integration/test_dnssec.py
index e90fb1f47..35cf8636d 100644
--- a/ipatests/test_integration/test_dnssec.py
+++ b/ipatests/test_integration/test_dnssec.py
@@ -6,6 +6,7 @@ import dns.dnssec
import dns.resolver
import dns.name
import time
+import pytest
from ipatests.test_integration.base import IntegrationTest
from ipatests.test_integration import tasks
@@ -71,6 +72,14 @@ def wait_until_record_is_signed(nameserver, record, log, rtype="SOA",
return False
+def restart_named(*args):
+ # A workaround for ticket N 5348
+ time.sleep(20) # wait till dnssec key is exported to named
+ for host in args:
+ host.run_command(["systemctl", "restart",
+ "named-pkcs11.service"])
+
+
class TestInstallDNSSECLast(IntegrationTest):
"""Simple DNSSEC test
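Review bot: `restart_named` sleeps a fixed 20 seconds on every call before restarting, and this commit calls it from nine places, so the workaround slows the suite and depends on the key export finishing within that guess. If the export takes longer, the restart presumably lands too early and the later `wait_until_record_is_signed` fails with nothing in the log to say why. The helper also has no docstring and names its hosts `*args`; I would write `def restart_named(*hosts):` with a docstring that gives the ticket URL and says the call is to be removed once the ticket is fixed. Because every signing test now restarts named-pkcs11 first, these tests no longer show whether a new zone is served signed without intervention.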
@@ -105,6 +114,7 @@ class TestInstallDNSSECLast(IntegrationTest):
]
self.master.run_command(args)
+ restart_named(self.master, self.replicas[0])
# test master
assert wait_until_record_is_signed(
self.master.ip, test_zone, self.log, timeout=100
@@ -125,6 +135,7 @@ class TestInstallDNSSECLast(IntegrationTest):
]
self.replicas[0].run_command(args)
+ restart_named(self.replicas[0])
# test replica
assert wait_until_record_is_signed(
self.replicas[0].ip, test_zone_repl, self.log, timeout=300
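Review bot: Only the replica is restarted here (`restart_named(self.replicas[0])`), while most other call sites pass both hosts, and the `-170,8` hunk restarts only the master. The rest of each test lies outside the hunk, so I cannot see whether the other server is also checked for the new zone; if it is, that server would still hit the ticket 5348 behaviour and the assertion could fail intermittently. Either pass both hosts at every call site, e.g. `restart_named(self.master, self.replicas[0])`, or add a comment at the single-host calls saying why one restart is enough.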
@@ -170,8 +181,7 @@ class TestInstallDNSSECLast(IntegrationTest):
]
self.master.run_command(args)
- time.sleep(20) # sleep a bit until LDAP changes are applied to DNS
-
+ restart_named(self.master)
# test master
assert wait_until_record_is_signed(
self.master.ip, test_zone, self.log, timeout=100
@@ -219,7 +229,7 @@ class TestInstallDNSSECLast(IntegrationTest):
]
self.master.run_command(args)
- time.sleep(20) # sleep a bit until LDAP changes are applied to DNS
+ restart_named(self.master, self.replicas[0])
# test master
assert wait_until_record_is_signed(
@@ -235,6 +245,78 @@ class TestInstallDNSSECLast(IntegrationTest):
self.log, rtype="DNSKEY").rrset
assert dnskey_old != dnskey_new, "DNSKEY should be different"
+
+class TestZoneSigningWithoutNamedRestart(IntegrationTest):
+ """Test whether https://fedorahosted.org/freeipa/ticket/5348 is already
+ fixed. If the issue is not fixed, the test will expectedly fail. When
+ fixed, it will pass, which will cause the whole run to become "red"
+ """
+ num_replicas = 1
+ topology = 'star'
+
+ @classmethod
+ def install(cls, mh):
+ tasks.install_master(cls.master, setup_dns=False)
+ args = [
+ "ipa-dns-install",
+ "--dnssec-master",
+ "--forwarder", cls.master.config.dns_forwarder,
+ "-U",
+ ]
+ cls.master.run_command(args)
+
+ tasks.install_replica(cls.master, cls.replicas[0], setup_dns=True)
+
+ # backup trusted key
+ tasks.backup_file(cls.master, paths.DNSSEC_TRUSTED_KEY)
+ tasks.backup_file(cls.replicas[0], paths.DNSSEC_TRUSTED_KEY)
+
+ @classmethod
+ def uninstall(cls, mh):
+ # restore trusted key
+ tasks.restore_files(cls.master)
+ tasks.restore_files(cls.replicas[0])
+
+ super(TestZoneSigningWithoutNamedRestart, cls).uninstall(mh)
+
+ @pytest.mark.xfail(strict=True)
+ def test_sign_root_zone_no_named_restart(self):
+ args = [
+ "ipa", "dnszone-add", root_zone, "--dnssec", "true",
+ "--skip-overlap-check",
+ ]
+ self.master.run_command(args)
+
+ # make BIND happy: add the glue record and delegate zone
+ args = [
+ "ipa", "dnsrecord-add", root_zone, self.master.hostname,
+ "--a-rec=" + self.master.ip
+ ]
+ self.master.run_command(args)
+ args = [
+ "ipa", "dnsrecord-add", root_zone, self.replicas[0].hostname,
+ "--a-rec=" + self.replicas[0].ip
+ ]
+ self.master.run_command(args)
+
+ time.sleep(10) # sleep a bit until data are provided by bind-dyndb-ldap
+
+ args = [
+ "ipa", "dnsrecord-add", root_zone, self.master.domain.name,
+ "--ns-rec=" + self.master.hostname
+ ]
+ self.master.run_command(args)
+ # test master
+ assert wait_until_record_is_signed(
+ self.master.ip, root_zone, self.log, timeout=100
+ ), "Zone %s is not signed (master)" % root_zone
+
+ # test replica
+ assert wait_until_record_is_signed(
+ self.replicas[0].ip, root_zone, self.log, timeout=300
+ ), "Zone %s is not signed (replica)" % root_zone
+
+
class TestInstallDNSSECFirst(IntegrationTest):
"""Simple DNSSEC test
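Review bot: The `@pytest.mark.xfail(strict=True)` on `test_sign_root_zone_no_named_restart` accepts any exception as the expected failure, so (assuming `run_command` raises on a non-zero exit) a failed `dnszone-add` or `dnsrecord-add` is reported the same way as an unsigned zone. Narrowing it to `@pytest.mark.xfail(strict=True, raises=AssertionError, reason="https://fedorahosted.org/freeipa/ticket/5348")` keeps setup errors visible and puts the ticket in the test report. This is the only test in the commit that still checks signing without a named-pkcs11 restart, so its result is the one signal left for zones being served unsigned. `paths` is used in `install`, but its import is not in the visible hunks; confirm the file already imports it.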
@@ -288,7 +370,7 @@ class TestInstallDNSSECFirst(IntegrationTest):
"--ns-rec=" + self.master.hostname
]
self.master.run_command(args)
-
+ restart_named(self.master, self.replicas[0])
# test master
assert wait_until_record_is_signed(
self.master.ip, root_zone, self.log, timeout=100
@@ -319,7 +401,7 @@ class TestInstallDNSSECFirst(IntegrationTest):
"--ns-rec=" + self.master.hostname
]
self.master.run_command(args)
-
+ restart_named(self.master, self.replicas[0])
# wait until zone is signed
assert wait_until_record_is_signed(
self.master.ip, example_test_zone, self.log, timeout=100
@@ -457,6 +539,7 @@ class TestMigrateDNSSECMaster(IntegrationTest):
self.master.run_command(args)
+ restart_named(self.master, self.replicas[0])
# wait until zone is signed
assert wait_until_record_is_signed(
self.master.ip, example_test_zone, self.log, timeout=100
@@ -513,7 +596,7 @@ class TestMigrateDNSSECMaster(IntegrationTest):
"--skip-overlap-check",
]
self.replicas[0].run_command(args)
-
+ restart_named(self.master, self.replicas[0])
# wait until zone is signed
assert wait_until_record_is_signed(
self.replicas[0].ip, example2_test_zone, self.log, timeout=100
@@ -546,7 +629,7 @@ class TestMigrateDNSSECMaster(IntegrationTest):
"--skip-overlap-check",
]
self.replicas[1].run_command(args)
-
+ restart_named(self.replicas[0], self.replicas[1])
# wait until zone is signed
assert wait_until_record_is_signed(
self.replicas[1].ip, example3_test_zone, self.log, timeout=200