[Opendnssec-commits] [keihatsu.kirei.se/svn/dnssec] r3754 - in trunk/OpenDNSSEC/auditor: lib lib/kasp_auditor test/signer_test_bad test_scripts

Alex Dalitz alexd at nominet.org.uk
Fri Aug 13 11:22:23 CEST 2010


Author: alex
Date: 2010-08-13 11:22:23 +0200 (Fri, 13 Aug 2010)
New Revision: 3754

Added:
   trunk/OpenDNSSEC/auditor/lib/kasp_auditor/changed_config.rb
Modified:
   trunk/OpenDNSSEC/auditor/lib/kasp_auditor.rb
   trunk/OpenDNSSEC/auditor/lib/kasp_auditor/auditor.rb
   trunk/OpenDNSSEC/auditor/lib/kasp_auditor/config.rb
   trunk/OpenDNSSEC/auditor/lib/kasp_auditor/key_tracker.rb
   trunk/OpenDNSSEC/auditor/lib/kasp_auditor/parse.rb
   trunk/OpenDNSSEC/auditor/lib/kasp_auditor/partial_auditor.rb
   trunk/OpenDNSSEC/auditor/test/signer_test_bad/kasp_nsec3_partial.xml
   trunk/OpenDNSSEC/auditor/test_scripts/auditor_test.rb
Log:
Add support for policy changes to the auditor. The auditor now also reads the configuration only for the specified zone (or for all zones if none is specified).

Modified: trunk/OpenDNSSEC/auditor/lib/kasp_auditor/auditor.rb
===================================================================
--- trunk/OpenDNSSEC/auditor/lib/kasp_auditor/auditor.rb	2010-08-13 09:05:13 UTC (rev 3753)
+++ trunk/OpenDNSSEC/auditor/lib/kasp_auditor/auditor.rb	2010-08-13 09:22:23 UTC (rev 3754)
@@ -36,7 +36,7 @@
 
   # @TODO@ SOA Checks - format, etc.
   
-  class Auditor # :nodoc: all
+  class Auditor 
     class FatalError < Exception
     end
     EMPTY_NAME = Name.create(".")
@@ -361,8 +361,29 @@
           end
         }
       end
+
+      check_policy_changes
+
       #  c) inception date in past by at least interval specified by config
       rrset.sigs.each {|sig|
+        # See if any of the configuration has changed for signature lifetimes
+        if (@policy_has_changed)
+          if (!@inception_offset_has_changed)
+            #  If not inception_offset which changed, then simply ignore RRSIGs which were
+            #   created earlier than the policy change timestamp (including inception_offset here!)
+            if (sig.inception < (@policy_change_timestamp - @config.signatures.inception_offset))
+              log(LOG_WARNING, "Skipping signature lifetime check for #{sig.name}, #{sig.type_covered} : policy has changed since #{sig.inception} (at #{@policy_change_timestamp}\n")
+              next
+            end
+          else
+            #   If InceptionOffset has changed, then all bets are probably off. In this case,
+            #      ignore all signature which were created less than a day before the policy changed.
+            if (sig.inception < (@policy_change_timestamp - (3600 * 24)))
+              log(LOG_WARNING, "Skipping signature lifetime check for #{sig.name}, #{sig.type_covered} : policy has changed since #{sig.inception} (at #{@policy_change_timestamp}\n")
+              next
+            end
+          end
+        end
         time_now = Time.now.to_i
         if (sig.inception > (time_now + @config.signatures.inception_offset))
           log(LOG_ERR, "Inception error for #{sig.name}, #{sig.type_covered} : Signature inception is #{sig.inception}, time now is #{time_now}, inception offset is #{@config.signatures.inception_offset}, difference = #{time_now - sig.inception}")
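Review bot: The `next` on both skip paths (L54, L61) bypasses every remaining check in this `rrset.sigs.each` loop, not only the lifetime bounds: the inception-in-future check that follows, the min/max lifetime checks visible in the later hunk, and any expiry check that may sit between them outside this hunk. An RRSIG signed under an old policy can still be expired, which is a validation failure whatever the policy says, so if an expiry check lives in this loop it should run before the skip rather than be swallowed by it. The warning text has an unbalanced parenthesis and embeds a `\n` in a syslog message; suggested form: `log(LOG_WARNING, "Skipping signature lifetime check for #{sig.name}, #{sig.type_covered} : policy changed at #{@policy_change_timestamp}, signature inception #{sig.inception}")`. The 24-hour grace in the InceptionOffset branch is an unexplained magic number and would read better as a named constant with a one-line justification. The `rrset.sigs.each` block continues past the end of this hunk.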
@@ -395,10 +416,10 @@
         max_lifetime = @config.signatures.inception_offset + validity + @config.signatures.jitter
         actual_lifetime = sig.expiration - sig.inception
         if (min_lifetime > actual_lifetime)
-          log(LOG_ERR, "Signature lifetime too short - should be at least #{min_lifetime} but was #{actual_lifetime}")
+          log(LOG_ERR, "Signature lifetime for #{sig.name}, #{sig.type_covered} too short - should be at least #{min_lifetime} but was #{actual_lifetime}")
         end
         if (max_lifetime < actual_lifetime)
-          log(LOG_ERR, "Signature lifetime too long - should be at most #{max_lifetime} but was #{actual_lifetime}")
+          log(LOG_ERR, "Signature lifetime for #{sig.name}, #{sig.type_covered} too long - should be at most #{max_lifetime} but was #{actual_lifetime}")
         end
 
       }
@@ -406,6 +427,25 @@
 
     end
 
+    def check_policy_changes
+      if (!@checked_policy)
+        # Since the auditor just runs once per zone, there is no point in refreshing this information for every signature!
+        # Just read it once...
+        @policy_has_changed = false
+        @inception_offset_has_changed = false
+        @policy_change_timestamp = 0
+        @checked_policy = true
+        # Now load the new policy configuration - has anything changed?
+        if (@config.changed_config.signature_config_changed?)
+          @policy_has_changed = true
+          @policy_change_timestamp = @config.changed_config.get_signature_timestamp
+        end
+        if (@config.changed_config.rrsig_inception_offset.timestamp != 0)
+          @inception_offset_has_changed = true
+        end
+      end
+    end
+
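Review bot: `check_policy_changes` dereferences `@config.changed_config` with no nil guard, yet `changed_config` is only assigned in `Parse.parse` after a successful config load (the test setup in a later hunk has to hand-build one), so an Auditor built from any Config that did not go through that path now raises NoMethodError on the first RRSIG. A guard such as `return if (@checked_policy || @config.changed_config.nil?)` preserves the pre-commit behaviour (no skipping) for those callers. The method is also copied verbatim into `PartialAuditor`; a small shared module mixed into both classes would keep the two copies from drifting, since the partial auditor's copy is the one most likely to be missed when this logic changes.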
     # Get the string for the type of denial this zone is using : either "NSEC" or "NSEC3"
     def nsec_string()
       if (@config.denial.nsec)
@@ -611,6 +651,10 @@
       # This method should be called at the end of the run, when all the DNSKEY records
       # in both the signed and unsigned zones have been collated.
       # We don't bother checking keys which were defined in the unsigned zone
+
+      # NEED TO CHECK POLICY CHANGES!!
+      # No we don't only new keys are checked here! :-)
+
       keys.each {|l_rr|
         found_unsigned = false
         unsigned_keys.each {|uk|
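Review bot: The comment added at L112–L113 is a note-to-self that contradicts itself ("NEED TO CHECK" followed by "No we don't") and will only puzzle the next reader; replace the pair with the conclusion it reached, e.g. `# No policy-change handling is needed here: only keys absent from the unsigned zone are checked, and a newly created key must already match the current policy.` The enclosing method starts before this hunk.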

Modified: trunk/OpenDNSSEC/auditor/lib/kasp_auditor/config.rb
===================================================================
--- trunk/OpenDNSSEC/auditor/lib/kasp_auditor/config.rb	2010-08-13 09:05:13 UTC (rev 3753)
+++ trunk/OpenDNSSEC/auditor/lib/kasp_auditor/config.rb	2010-08-13 09:22:23 UTC (rev 3754)
@@ -34,6 +34,7 @@
     end
 
     attr_reader :err
+    attr_accessor :changed_config
     
     # Should the PartialAuditor be used instead of the full Auditor?
     attr_reader :partial_audit

Modified: trunk/OpenDNSSEC/auditor/lib/kasp_auditor/key_tracker.rb
===================================================================
--- trunk/OpenDNSSEC/auditor/lib/kasp_auditor/key_tracker.rb	2010-08-13 09:05:13 UTC (rev 3753)
+++ trunk/OpenDNSSEC/auditor/lib/kasp_auditor/key_tracker.rb	2010-08-13 09:22:23 UTC (rev 3754)
@@ -60,6 +60,7 @@
 
     # The Cache holds the data for each of the Status levels.
     # It is dynamically generated from the Status levels.
+    # @TODO@ Now also need to store the time at which the key was first seen
     class Cache
       # Set up add_inuse_key, etc.
       Status.strings.each {|s| eval "attr_reader :#{s.downcase}"}
@@ -67,15 +68,15 @@
                           if (!include_#{s.downcase}_key?key)
                                 new_key = key.clone
                                 new_key.public_key
-                                @#{s.downcase}[new_key]=Time.now.to_i
+                                @#{s.downcase}[new_key]=[Time.now.to_i, Time.now.to_i]
                           end
           end"}
       # Set up add_inuse_key_with_time, etc.
-      Status.strings.each {|s| eval "def add_#{s.downcase}_key_with_time(key, time)
+      Status.strings.each {|s| eval "def add_#{s.downcase}_key_with_time(key, time, first_time)
                           if (!include_#{s.downcase}_key?key)
                                 new_key = key.clone
                                 new_key.public_key
-                                @#{s.downcase}[new_key]=time
+                                @#{s.downcase}[new_key]=[time, first_time]
                           end
           end"}
       # Set up include_inuse_key?, etc.
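Review bot: The generated `add_*_key` body at L149 calls `Time.now.to_i` twice to fill the `[last_seen, first_seen]` pair, so the two values can differ by a second when the call straddles a boundary; capture it once, `now = Time.now.to_i` then `@#{s.downcase}[new_key]=[now, now]`. The new pair layout should also be documented on `Cache` (index 0 = time recorded in this status, index 1 = time first seen), because `include_*_key?` appears to hand this array back to callers such as the prepublish check in a later hunk, and the `@TODO@` at L140 reads as if the first-seen time were still missing.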
@@ -158,9 +159,12 @@
             end
             next
           end
-          key_string, status_string, time  = line.split(SEPARATOR)
+          key_string, status_string, time, first_time  = line.split(SEPARATOR)
+          if (!first_time)
+            first_time = time
+          end
           key = RR.create(key_string)
-          eval "cache.add_#{status_string.downcase}_key_with_time(key, #{time})".untaint
+          eval "cache.add_#{status_string.downcase}_key_with_time(key, time.to_i, first_time.to_i)".untaint
         end
       }
       return cache
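Review bot: The status field of each tracker line is still interpolated straight into `eval` at L174, so a tracker file whose second column contains Ruby code (e.g. `inuse_key_with_time(key,0,0); system(...) #`) executes when the cache is loaded; the commit closes this for the time fields by passing `time.to_i` but leaves the method name open. Validate against the known statuses and dispatch without eval: `status = status_string.downcase`, `raise "Unknown key status #{status_string} in tracker file" unless Status.strings.map {|s| s.downcase}.include?(status)`, then `cache.send("add_#{status}_key_with_time", key, time.to_i, first_time.to_i)`. Note also that `time.to_i` turns a missing or garbled field into 0 silently, which would make every lifetime check fire as "in use since 1970"; `Integer(time)` would surface the corruption instead. The enclosing method starts before this hunk.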
@@ -179,7 +183,7 @@
         Status.strings.each {|s|
           status = s.downcase
           eval "@cache.#{status}.each {|key, time|
-              write_key_to_file(f, key.to_s, status, time)
+              write_key_to_file(f, key.to_s, status, time[0], time[1])
             }".untaint
         }
 
@@ -189,8 +193,8 @@
       File.rename(tracker_file+".temp", tracker_file)
     end
 
-    def write_key_to_file(f, key, status, time)
-      f.puts("#{key}#{SEPARATOR}#{status}#{SEPARATOR}#{time}")
+    def write_key_to_file(f, key, status, time, first_time)
+      f.puts("#{key}#{SEPARATOR}#{status}#{SEPARATOR}#{time}#{SEPARATOR}#{first_time}")
     end
 
     def get_tracker_filename
@@ -255,7 +259,41 @@
           @parent.log(LOG_WARNING, msg)
         end
       }
-      @cache.inuse.each {|key, timestamp|
+      @cache.inuse.each {|key, time|
+        timestamp = time[0]
+        first_timestamp = time[1]
+        # Ignore this check if the key was already in use at the time at which the lifetime policy was changed.
+        # How do we know to which AnyKey group this key belongs? Can only take a guess by [algorithm, alg_length] tuple
+        # Also going to have to put checks in place where key protocol/algorithm is checked against policy :-(
+        #   - no we don't! These are only checked when we are loading a new key - not one we've seen before.
+        #     and of course, a new key should be created with the correct values!
+        key_group_policy_changed = false
+        # First, find all the key groups which this key could belong to
+        keys = @config.changed_config.zsks
+        if (key.sep_key?)
+          keys = @config.changed_config.ksks
+        end
+        possible_groups = keys.select{|k|             (k.algorithm == key.algorithm) &&
+            (k.alg_length == key.key_length)}
+        # Then, find the latest timestamp (other than 0)
+        key_group_policy_changed_time = 0
+        if (possible_groups.length == 0)
+          # Can't find the group this key belongs to
+          if (@config.changed_config.kasp_timestamp < first_timestamp)
+            #    @TODO@ o if there has been no change in any of the configured keys then error (the key shouldn't exist)
+            # Shouldn't this be caught by something else?
+          end
+          #   o if there has been a change since the key was first seen,  then don't raise any errors for this key
+        else
+          possible_groups.each {|g|
+            if (g.timestamp > key_group_policy_changed_time)
+              key_group_policy_changed_time = g.timestamp
+              key_group_policy_changed = true
+            end
+          }
+          next if (key_group_policy_changed && (first_timestamp < key_group_policy_changed_time))
+        end
+
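Review bot: The exemption at L235 is permanent: a key whose `first_timestamp` predates the latest change to any candidate group is never again checked for "in use too long", so a rollover that is overdue by years goes unreported for every key that happened to be active when the policy was last edited. Bound it instead, e.g. skip only while `Time.now.to_i < (key_group_policy_changed_time + lifetime + @enforcer_interval)` (give the enforcer one new lifetime from the change to roll the key), which means computing the lifetime before this `next`. The `possible_groups.length == 0` branch at L221–L227 is an empty `if` holding only TODO comments, so it neither errors nor exempts; either implement the stated intent or remove the dead conditional so the fall-through is visibly deliberate. `@config.changed_config` is also used unguarded here, while the test setup has to hand-build one. The `inuse.each` block continues past the end of this hunk.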
         if (key.zone_key? && !key.sep_key?)
           #   d) Warn if ZSK inuse longer than ZSK:Lifetime + Enforcer:Interval
           # Get the ZSK lifetime for this type of key from the config
@@ -263,7 +301,11 @@
             (zsk.algorithm == key.algorithm) &&
               (zsk.alg_length == key.key_length)}
           next if (zsks.length == 0)
-          zsk_lifetime = (zsks[0]).lifetime
+          # Take the "safest" value - i.e. the longest one in this case
+          zsk_lifetime = 0
+          zsks.each {|z|
+            zsk_lifetime = z.lifetime if (z.lifetime > zsk_lifetime)
+          }
           lifetime = zsk_lifetime + @enforcer_interval 
           if timestamp < (Time.now.to_i - lifetime)
             msg = "ZSK #{key.key_tag} in use too long - should be max #{lifetime} seconds but has been #{Time.now.to_i-timestamp} seconds"
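Review bot: The comment at L246 calls the longest lifetime the "safest" value, but for an auditor it is the most permissive one: when several ZSK groups share an algorithm and length, a key from the group with the shorter lifetime can now overrun it without any error. That trade is defensible because the group cannot be identified from the DNSKEY alone, but say so rather than "safest", e.g. `# Several configured groups may match this algorithm/length and the key's group is unknown, so use the longest lifetime to avoid false errors (this under-reports keys in shorter-lived groups).` Logging at LOG_INFO when `zsks.length > 1` would let operators know the check has been weakened for that key.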
@@ -275,7 +317,11 @@
           ksks = @config.keys.ksks.select{|ksk| (ksk.algorithm == key.algorithm) &&
               (ksk.alg_length == key.key_length)}
           next if (ksks.length == 0)
-          ksk_lifetime = ksks[0].lifetime
+          # Take the "safest" value - i.e. the longest one in this case
+          ksk_lifetime = 0
+          ksks.each {|k|
+            ksk_lifetime = k.lifetime if (k.lifetime > ksk_lifetime)
+          }
           lifetime = ksk_lifetime + @enforcer_interval 
           if timestamp < (Time.now.to_i - lifetime)
             msg = "KSK #{key.key_tag} in use too long - should be max #{lifetime} seconds but has been #{Time.now.to_i-timestamp} seconds"
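Review bot: This is the same maximum-lifetime loop as the ZSK branch in the preceding hunk with only the receiver renamed; a one-line helper used from both branches, e.g. `def max_configured_lifetime(group); group.map {|k| k.lifetime}.max; end`, would keep the two definitions of "safest" from diverging. Same caveat as for the ZSK branch: the longest lifetime is the most permissive choice, and the comment should say that rather than "safest".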
@@ -298,7 +344,7 @@
         @cache.inuse.keys.each {|new_inuse_key|
           next if old_cache.include_inuse_key?new_inuse_key
           next if (new_inuse_key.sep_key?) # KSKs aren't prepublished any more
-          old_key_timestamp = old_cache.include_prepublished_key?new_inuse_key
+          old_key_timestamp, old_key_first_timestamp = old_cache.include_prepublished_key?new_inuse_key
           if (!old_key_timestamp)
             @parent.log(LOG_ERR, "Key (#{new_inuse_key.key_tag}) has gone straight to active use without a prepublished phase")
             next

Modified: trunk/OpenDNSSEC/auditor/lib/kasp_auditor/parse.rb
===================================================================
--- trunk/OpenDNSSEC/auditor/lib/kasp_auditor/parse.rb	2010-08-13 09:05:13 UTC (rev 3753)
+++ trunk/OpenDNSSEC/auditor/lib/kasp_auditor/parse.rb	2010-08-13 09:22:23 UTC (rev 3754)
@@ -29,7 +29,8 @@
 
 module KASPAuditor
   class Parse
-    def self.parse(path, zonelist_filename, kasp_filename, syslog)
+    def self.parse(path, zonelist_filename, kasp_filename, syslog, conf_file,
+        working_folder, zone)
       # We need to open [/etc/opendnssec/]conf.xml,
       #                 [/etc/opendnssec/]kasp.xml,
       #                 [/etc/opendnssec/]zonelist.xml
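Review bot: The three new parameters at L286–L287 are undocumented, and the comment block below still describes only the three XML files; add a line per parameter, in particular `# zone: audit only this zone name from the zonelist, or every zone when nil` and `# working_folder: directory in which per-zone policy-change state is kept`, since a nil-means-all argument is easy to misuse. The method body runs past the end of this hunk.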
@@ -48,6 +49,9 @@
         doc.elements.each("ZoneList/Zone") {|z|
           # First load the config files
           zone_name = z.attributes['name']
+          if (zone) # We're only asked to load a single zone
+            next if (zone_name != zone) # So don't bother loading any other zones
+          end
           policy = z.elements['Policy'].text
 
           config_file_loc = z.elements["SignerConfiguration"].text
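Review bot: The zone filter at L296 compares names as raw strings, so a `zone` given on the command line without the trailing dot, or in a different case from the zonelist entry, matches nothing and the auditor quietly audits zero zones. DNS names compare case-insensitively, so normalise both sides before comparing: `next if (zone_name.downcase.chomp(".") != zone.downcase.chomp("."))`. How an empty result is reported depends on `check_zones_to_audit`, which is outside this hunk; an explicit error when `zone` was given but nothing matched would be clearer than an empty run. The `doc.elements.each` block continues past the end of this hunk.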
@@ -65,6 +69,13 @@
               output_file_loc = path + output_file_loc
             end
             zones.push([config, output_file_loc])
+
+#            # Load the config elements storage file, and keep a note of which elements have changed, and when they last changed.
+            changed_config = ChangedConfig.new(zone_name, conf_file, kasp_filename, config, working_folder)
+            config.changed_config = changed_config
+
+            # @TODO@ Can we store a simple map of element name -> [timstamp, value]
+
           rescue Config::ConfigLoadError => e
             msg = "Can't load #{zone_name} SignerConfiguration file (#{config_file_loc}) : #{e}"
             print msg+"\n"
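Review bot: `ChangedConfig.new` at L307 reads, and presumably writes, per-zone state under `working_folder`, and it runs inside a `begin` whose only visible `rescue` is `Config::ConfigLoadError` (the `begin` starts before this hunk); any other failure there — an unwritable working directory, a corrupt state file — escapes to the caller, where a later hunk reports it as "Couldn't load configuration files ... try running ods-kaspcheck", a misleading diagnosis. Either wrap the call in its own rescue naming the state file, or have ChangedConfig raise `Config::ConfigLoadError` so the existing handler applies. The doubled marker on L306 (`#            #`) looks like a leftover from commenting out a line and should be a normal comment.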

Modified: trunk/OpenDNSSEC/auditor/lib/kasp_auditor/partial_auditor.rb
===================================================================
--- trunk/OpenDNSSEC/auditor/lib/kasp_auditor/partial_auditor.rb	2010-08-13 09:05:13 UTC (rev 3753)
+++ trunk/OpenDNSSEC/auditor/lib/kasp_auditor/partial_auditor.rb	2010-08-13 09:22:23 UTC (rev 3754)
@@ -823,11 +823,55 @@
       end
     end
 
+    def check_policy_changes
+      if (!@checked_policy)
+        # Since the auditor just runs once per zone, there is no point in refreshing this information for every signature!
+        # Just read it once...
+        @policy_has_changed = false
+        @inception_offset_has_changed = false
+        @policy_change_timestamp = 0
+        @checked_policy = true
+        # Now load the new policy configuration - has anything changed?
+        if (@config.changed_config.signature_config_changed?)
+          @policy_has_changed = true
+          @policy_change_timestamp = @config.changed_config.get_signature_timestamp
+        end
+        if (@config.changed_config.rrsig_inception_offset.timestamp != 0)
+          @inception_offset_has_changed = true
+        end
+      end
+    end
+
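Review bot: This `check_policy_changes` is a byte-for-byte copy of the one added to `Auditor` in the same commit, and like it dereferences `@config.changed_config` without a nil guard; a shared module (e.g. `PolicyChangeCheck`) included by both auditors would give one place to fix both. Until then, `return if (@checked_policy || @config.changed_config.nil?)` at the top keeps the pre-commit behaviour for a Config that never went through `Parse.parse`.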
     def do_basic_rrsig_checks(line)
       # @TODO@  Can we check the length of the RRSIG signature here?
+
       time_now = Time.now.to_i
       split = line.split
+      key_tag = split[10]
+      @keys_used.push(key_tag) if !@keys_used.include?key_tag
       sig_inception = RR::RRSIG.get_time(split[9])
+
+      check_policy_changes
+
+      # See if any of the configuration has changed for signature lifetimes
+      if (@policy_has_changed)
+        if (!@inception_offset_has_changed)
+          #  If not inception_offset which changed, then simply ignore RRSIGs which were
+          #   created earlier than the policy change timestamp (including inception_offset here!)
+          if (sig_inception < (@policy_change_timestamp - @config.signatures.inception_offset))
+            log(LOG_WARNING, "Skipping signature lifetime check for  #{split[0].chop}, #{split[4]} : policy has changed since #{sig_inception} (at #{@policy_change_timestamp}\n")
+            return
+          end
+        else
+          #   If InceptionOffset has changed, then all bets are probably off. In this case,
+          #      ignore all signature which were created less than a day before the policy changed.
+          if (sig_inception < (@policy_change_timestamp - (3600 * 24)))
+            log(LOG_WARNING, "Skipping signature lifetime check for  #{split[0].chop}, #{split[4]} : policy has changed since #{sig_inception} (at #{@policy_change_timestamp}\n")
+            return
+          end
+        end
+      end
+
       if (sig_inception > (time_now + @config.signatures.inception_offset))
         log(LOG_ERR, "Inception error for #{split[0].chop}, #{split[4]} : Signature inception is #{sig_inception}, time now is #{time_now}, inception offset is #{@config.signatures.inception_offset}, difference = #{time_now - sig_inception}")
       else
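Review bot: The `return` on both skip paths (L361, L368) leaves `do_basic_rrsig_checks` before the inception-in-future check and everything after it, including the lifetime bounds later in this method and any expiry check between them that the hunk does not show; an RRSIG signed under a superseded policy can still be expired, and that should be reported regardless of the policy change. The warning text also has a double space after "for" and an unbalanced parenthesis: `log(LOG_WARNING, "Skipping signature lifetime check for #{split[0].chop}, #{split[4]} : policy changed at #{@policy_change_timestamp}, signature inception #{sig_inception}")`. The method continues past the end of this hunk.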
@@ -864,9 +908,6 @@
         log(LOG_ERR, "Signature lifetime too long - should be at most #{max_lifetime} but was #{actual_lifetime}")
       end
 
-      key_tag = split[10]
-      @keys_used.push(key_tag) if !@keys_used.include?key_tag
-
     end
 
     def do_basic_dnskey_checks(line)

Modified: trunk/OpenDNSSEC/auditor/lib/kasp_auditor.rb
===================================================================
--- trunk/OpenDNSSEC/auditor/lib/kasp_auditor.rb	2010-08-13 09:05:13 UTC (rev 3753)
+++ trunk/OpenDNSSEC/auditor/lib/kasp_auditor.rb	2010-08-13 09:22:23 UTC (rev 3754)
@@ -37,6 +37,7 @@
 include Dnsruby
 require 'kasp_auditor/commands.rb'
 require 'kasp_auditor/config.rb'
+require 'kasp_auditor/changed_config.rb'
 require 'kasp_auditor/key_tracker.rb'
 require 'kasp_auditor/auditor.rb'
 require 'kasp_auditor/partial_auditor.rb'
@@ -111,13 +112,13 @@
       Syslog.open("ods-auditor", Syslog::LOG_PID |
         Syslog::LOG_CONS, syslog_facility) { |syslog|
         run_with_syslog(zonelist, kasp_file, syslog, working, 
-          signer_working_folder, enforcer_interval)
+          signer_working_folder, enforcer_interval, conf_file)
       }
     end
 
     # This method is provided so that the test code can use its own syslog
     def run_with_syslog(zonelist_file, kasp_file, syslog, 
-        working, signer_working_folder, enforcer_interval) # :nodoc: all
+        working, signer_working_folder, enforcer_interval, conf_file) # :nodoc: all
       syslog.log(LOG_INFO, "Auditor started")
       print("Auditor started\n")
       if (@enable_timeshift)
@@ -126,9 +127,9 @@
       zones = nil
       begin
         zones = Parse.parse(File.dirname(kasp_file)  + File::SEPARATOR,
-          zonelist_file, kasp_file, syslog)
+          zonelist_file, kasp_file, syslog, conf_file, working, @zone_name)
       rescue Exception => e
-        KASPAuditor.exit("Couldn't load configuration files (from #{kasp_file}) - try running ods-kaspcheck", -LOG_ERR, syslog)
+        KASPAuditor.exit("Couldn't load configuration files (from #{kasp_file}) - try running ods-kaspcheck. #{e}", -LOG_ERR, syslog)
       end
       zones = check_zones_to_audit(zones, syslog)
       # Now check the input and output zones using the config
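Review bot: The new `#{e}` suffix attaches to a `rescue Exception` at L421, which also catches `Interrupt` and `SystemExit`, so a Ctrl-C during parsing — or a `KASPAuditor.exit` reached from inside `Parse.parse`, if that helper terminates via SystemExit — is now reported as "Couldn't load configuration files ... try running ods-kaspcheck" with the unrelated message appended. `rescue StandardError => e` keeps the useful detail for genuine load failures without masking signals and deliberate exits. The method continues outside this hunk.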
@@ -322,12 +323,12 @@
       begin
         File.open((conf_file + "").untaint , 'r') {|file|
           doc = REXML::Document.new(file)
-          enforcer_interval = 3600
+          enforcer_interval = nil
           begin
             e_i_text = doc.elements['Configuration/Enforcer/Interval'].text
             enforcer_interval = Config.xsd_duration_to_seconds(e_i_text)
           rescue Exception
-            print "Can't read Enforcer->Interval from Configuration\n"
+            KASPAuditor.exit("Can't read Enforcer->Interval from Configuration", 1)
           end
             begin
               working = doc.elements['Configuration/Auditor/WorkingDirectory'].text
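Review bot: The new exit at L438 uses a positive status `1` and no syslog handle, while the other exit in this file passes `-LOG_ERR, syslog`; if conf.xml is parsed before Syslog is opened the missing handle is understandable, but the differing status convention will confuse whatever wraps ods-auditor, so use the same form, `KASPAuditor.exit("Can't read Enforcer->Interval from Configuration", -LOG_ERR)`, assuming the second argument is the exit status. The surrounding `rescue Exception` also catches `Interrupt`; a missing element surfaces as `NoMethodError` on `nil.text`, so `rescue StandardError` is sufficient. Replacing the former `print` with a hard exit is the right call: auditing against a silently assumed 3600 s interval would mis-judge key lifetimes.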

Modified: trunk/OpenDNSSEC/auditor/test/signer_test_bad/kasp_nsec3_partial.xml
===================================================================
--- trunk/OpenDNSSEC/auditor/test/signer_test_bad/kasp_nsec3_partial.xml	2010-08-13 09:05:13 UTC (rev 3753)
+++ trunk/OpenDNSSEC/auditor/test/signer_test_bad/kasp_nsec3_partial.xml	2010-08-13 09:22:23 UTC (rev 3754)
@@ -44,7 +44,7 @@
 			</KSK>
 
 			<ZSK>
-				<Algorithm length="1024">5</Algorithm>
+				<Algorithm length="1024">7</Algorithm>
 				<Lifetime>P14D</Lifetime>
 				<Repository>softHSM</Repository>
 				<Standby>0</Standby>

Modified: trunk/OpenDNSSEC/auditor/test_scripts/auditor_test.rb
===================================================================
--- trunk/OpenDNSSEC/auditor/test_scripts/auditor_test.rb	2010-08-13 09:05:13 UTC (rev 3753)
+++ trunk/OpenDNSSEC/auditor/test_scripts/auditor_test.rb	2010-08-13 09:22:23 UTC (rev 3754)
@@ -34,6 +34,22 @@
 
 class AuditorTest < Test::Unit::TestCase
 
+  def test_changed_config
+  # @TODO@ Test the auditor against changes in policy!
+  # @TODO@ How do we test this?
+  # Can we re-run the good test, with a completely changed config?
+  # And make sure that we only get warnings we expect?
+  # Can we try faking a config from the past (hack the kasp_timestamp),
+  # and get errors we'd expect if signed zone had been produced with that config?
+  
+    # So, just run the good nsec file, to keep things simple.
+    # Should we do more stuff regarding editing/creating configured keys?
+    # @TODO@ How do we load up a new kasp file without affecting existing tests?
+    
+  
+  end
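Review bot: `test_changed_config` at L465–L478 has an empty body, so it passes unconditionally and reports policy-change handling as covered while nothing is exercised; until the scenario exists, make the gap visible with `flunk("test_changed_config not implemented")` (or `omit` where the installed test-unit provides it) rather than a silently green test. The questions in its comments are a reasonable plan: run the good NSEC zone against a modified kasp.xml and assert that the expected "Skipping signature lifetime check" warnings appear and that no errors do.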
+
+
   def test_good_file_nsec
     # Get the auditor to check a known-good zone (with signatures set well into the future)
     # Make sure there are no errors
@@ -83,8 +99,8 @@
       "RRSet (www.tjeb.nl, AAAA) failed verification : Signature record not in validity period, tag = 1390",
       "RRSet (www.tjeb.nl, NSEC) failed verification : Signature record not in validity period, tag = 1390",
       "Inception error for www.tjeb.nl, NSEC : Signature inception is 1275722596, time now is",
-      "Signature lifetime too short - should be at least 657936300 but was 2219833",
-      "Signature lifetime too short - should be at least 657936300 but was 633371846",
+      "Signature lifetime for www.tjeb.nl, AAAA too short - should be at least 657936300 but was 2219833",
+      "Signature lifetime for www.tjeb.nl, NSEC too short - should be at least 657936300 but was 633371846",
       # Taken out next warning, as we already have an error for expired RRSIG for this record
       #      "Signature expiration (962409629) for www.tjeb.nl, AAAA should be later than (the refresh period (120) - the resign period (60)) from now",
       "RRSIGS should include algorithm RSASHA1 for not.there.tjeb.nl, A, have :",
@@ -302,7 +318,9 @@
       #
       #   4. The "Next Hashed Owner" name field contains the hash of another domain in the zone that has an NSEC3 record associated with it, and that the links form a closed loop.
       # - @TODO@ extra next_hashed on one NSEC3
-      "NSEC3 record left after folowing closed loop : ht35pgoisfecot5i7fratgsu2m4k23lu.tjeb.nl"
+      "NSEC3 record left after folowing closed loop : ht35pgoisfecot5i7fratgsu2m4k23lu.tjeb.nl",
+
+      "3: New KSK DNSKEY has incorrect algorithm (was RSASHA1-NSEC3-SHA1) or alg_length (was 2048)"
     ]
     success = check_syslog(r, expected_strings)
     assert(success, "NSEC3 bad file not audited correctly")
@@ -358,7 +376,8 @@
       runner.force_partial
     end
 
-    ["test/tmp/tracker/tjeb.nl", "test/tmp1/tracker/tjeb.nl"].each {|f|
+    ["test/tmp/tracker/tjeb.nl", "test/tmp1/tracker/tjeb.nl", "test/tmp2/tracker/tjeb.nl",
+    "test/tmp/tracker/tjeb.nl.config", "test/tmp1/tracker/tjeb.nl.config", "test/tmp2/tracker/tjeb.nl.config"].each {|f|
       begin
         File.delete(f)
       rescue Exception
@@ -371,7 +390,7 @@
       $stdout.reopen w
 
       runner.force_partial if partial
-      ret = runner.run_with_syslog(path + zonelist_filename, path + kasp_filename, TestLogger.new(false), working, working, 3600) # Audit all zones
+      ret = runner.run_with_syslog(path + zonelist_filename, path + kasp_filename, TestLogger.new(false), working, working, 3600, path+"conf.xml") # Audit all zones
       w.close
       exit!(ret)
     }
@@ -491,6 +510,13 @@
     keys.ksks.push(ksk)
     config.keys = keys
     config.audit_tag_present = true
+    # Add changed_config - with no changes
+    changed_config = KASPAuditor::ChangedConfig.new(1,2,3,4,5,6)
+    changed_config.zsks = []
+    changed_config.ksks = []
+    changed_config.rrsig_inception_offset = KASPAuditor::ChangedConfig::Element.new(3600, 0)
+    changed_config.kasp_timestamp = 0
+    config.changed_config = changed_config
 
     checker = KASPAuditor::KeyTracker.new("test/tmp", "example.com.", syslog, config, 0)
     key_cache = checker.load_tracker_cache
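Review bot: `KASPAuditor::ChangedConfig.new(1,2,3,4,5,6)` at L530 passes six placeholder integers, while the production call at L307 passes five arguments (zone name, conf.xml path, kasp path, config, working folder); unless the constructor has an optional trailing parameter (changed_config.rb is not shown) one of the two call sites is wrong. Even if the arity matches, the test only works as long as the constructor does no I/O with its arguments before the attributes are overwritten, which is fragile and undocumented. A named constructor for the "no changes" case, e.g. `ChangedConfig.no_changes` returning an instance with empty `zsks`/`ksks`, `rrsig_inception_offset = Element.new(3600, 0)` and `kasp_timestamp = 0`, would make the intent explicit and survive a future `initialize` that touches the filesystem. The enclosing test method starts before this hunk.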
@@ -544,9 +570,9 @@
     k3 = RR.create({:name => "example.com.", :type => Types::DNSKEY,
         :protocol => 3, :flags => RR::DNSKEY::ZONE_KEY, :algorithm => 5, :key => "GEAAAAOlWEB+fCWSlxbuwvXf1zt2r6XqvuedrKVWzL+vRj+wy5tQyszg V9wwn+Re2xvlgn66fZs6j6sWylioJF9X5mlpWFkH6QU17CyMvWOMJY94 x/pXY1zjxx7WLUq46raOozQ+bOd2Zn2LzEJ0Sh9T8HXDwVVwsKjSaSx+ 7X5YSVMe3Q=="})
 
-    cache.add_retired_key_with_time(k1, time)
-    cache.add_inuse_key_with_time(k2, time)
-    cache.add_inuse_key_with_time(k3, time)
+    cache.add_retired_key_with_time(k1, time, time)
+    cache.add_inuse_key_with_time(k2, time, time)
+    cache.add_inuse_key_with_time(k3, time, time)
     assert(checker.cache.retired.length == 1)
     checker.save_tracker_cache
 



