[Opendnssec-commits] sara r7158 - in branches/OpenDNSSEC-1.4: . enforcer/utils testing testing/test-cases.d/enforcer.rollover.manual_rollover testing/test-cases.d/enforcer.rollover.manual_rollover_policy

commits at svn.opendnssec.org commits at svn.opendnssec.org
Mon Jun 17 14:19:48 CEST 2013


Author: sara
Date: Mon Jun 17 14:19:48 2013
New Revision: 7158
URL: http://fisheye.opendnssec.org/changelog/opendnssec?cs=7158

Log:
OPENDNSSEC-91: Make the keytype flag required when rolling keys
OPENDNSSEC-398: The ods-ksmutil key rollover command does not work correctly when rolling all keys using the --policy option
TEST: Updates/additions of regression tests to cover the new and existing functionality
Update NEWS file and remove 398 from KNOWN_ISSUES

Added:
   branches/OpenDNSSEC-1.4/testing/test-cases.d/enforcer.rollover.manual_rollover_policy/
      - copied from r7094, branches/OpenDNSSEC-1.3/testing/test-cases.d/enforcer.rollover.manual_rollover_policy/
Modified:
   branches/OpenDNSSEC-1.4/KNOWN_ISSUES
   branches/OpenDNSSEC-1.4/NEWS
   branches/OpenDNSSEC-1.4/enforcer/utils/ksmutil.c
   branches/OpenDNSSEC-1.4/enforcer/utils/ods-ksmutil.1.in
   branches/OpenDNSSEC-1.4/testing/   (props changed)
   branches/OpenDNSSEC-1.4/testing/test-cases.d/enforcer.rollover.manual_rollover/kasp.xml
   branches/OpenDNSSEC-1.4/testing/test-cases.d/enforcer.rollover.manual_rollover/test.sh
   branches/OpenDNSSEC-1.4/testing/test-cases.d/enforcer.rollover.manual_rollover/zonelist.xml
   branches/OpenDNSSEC-1.4/testing/test-cases.d/enforcer.rollover.manual_rollover_policy/test.sh

Modified: branches/OpenDNSSEC-1.4/KNOWN_ISSUES
==============================================================================
--- branches/OpenDNSSEC-1.4/KNOWN_ISSUES	Mon Jun 17 11:54:25 2013	(r7157)
+++ branches/OpenDNSSEC-1.4/KNOWN_ISSUES	Mon Jun 17 14:19:48 2013	(r7158)
@@ -9,8 +9,6 @@
 -----
 
 OPENDNSSEC-332: Statistics on average sigs/sec not accurate
-OPENDNSSEC-398: The ods-ksmutil key rollover command does not work correctly
-when rolling all keys using the --policy option
 
 
 Limitations on Number of Zones

Modified: branches/OpenDNSSEC-1.4/NEWS
==============================================================================
--- branches/OpenDNSSEC-1.4/NEWS	Mon Jun 17 11:54:25 2013	(r7157)
+++ branches/OpenDNSSEC-1.4/NEWS	Mon Jun 17 14:19:48 2013	(r7158)
@@ -4,6 +4,7 @@
 
 * SUPPORT-58: Extend ods-signer sign <zone> with --serial <nr> so that the user
   can specify the SOA serial to use in the signed zone [OPENDNSSEC-401].
+* OPENDNSSEC-91: Make the keytype flag required when rolling keys
 
 Bugfixes:
 * SUPPORT-60: Fix datecounter in case inbound serial is higher than outbound
@@ -19,6 +20,8 @@
   Stuart Lau).
 * Bugfix: Fix malform in Outbound IXFR/TCP subsequent packet (thanks Stuart
   Lau).
+* OPENDNSSEC-398: The ods-ksmutil key rollover command does not work correctly
+  when rolling all keys using the --policy option
 
 
 OpenDNSSEC 1.4.0 - 2013-04-22

Modified: branches/OpenDNSSEC-1.4/enforcer/utils/ksmutil.c
==============================================================================
--- branches/OpenDNSSEC-1.4/enforcer/utils/ksmutil.c	Mon Jun 17 11:54:25 2013	(r7157)
+++ branches/OpenDNSSEC-1.4/enforcer/utils/ksmutil.c	Mon Jun 17 14:19:48 2013	(r7158)
@@ -312,9 +312,11 @@
 {
     fprintf(stderr,
             "  key rollover\n"
-            "\t--zone zone [--keytype <type>]           aka -z\n"
+            "\t--zone zone                              aka -z\n"
+            "\t--keytype <type> | --all                 aka -t / -a\n"
             "  key rollover\n"
-            "\t--policy policy [--keytype <type>]       aka -p\n");
+            "\t--policy policy                          aka -p\n"
+            "\t--keytype <type> | --all                 aka -t / -a\n");
 }
 
     void
@@ -1906,6 +1908,8 @@
     int status = 0;
     int user_certain;
 
+    char logmsg[256]; /* For the message that we log when we are done here */
+
     /* If we were given a keytype, turn it into a number */
     if (o_keytype != NULL) {
         StrToLower(o_keytype);
@@ -1926,6 +1930,7 @@
 		StrAppend(&o_zone, ".");
 		status = KsmZoneIdAndPolicyFromName(o_zone, &policy_id, &zone_id);
 		if (status != 0) {
+			printf("Error, can't find zone : %s\n", o_zone);
 			db_disconnect(lock_fd);
 			return(status);
 		}
@@ -1962,6 +1967,27 @@
         return(status);
     }
 
+	/* Let them know that it seemed to work */
+	snprintf(logmsg, 256, "Manual key rollover for key type %s on zone %s initiated" , (o_keytype == NULL) ? "all" : o_keytype, o_zone);
+	printf("\n%s\n", logmsg);
+
+/* send the msg to syslog */
+#ifdef HAVE_OPENLOG_R
+        openlog_r("ods-ksmutil", 0, DEFAULT_LOG_FACILITY, &sdata);
+#else
+        openlog("ods-ksmutil", 0, DEFAULT_LOG_FACILITY);
+#endif
+#ifdef HAVE_SYSLOG_R
+        syslog_r(LOG_INFO, &sdata, "%s", logmsg);
+#else
+        syslog(LOG_INFO, "%s", logmsg);
+#endif
+#ifdef HAVE_CLOSELOG_R
+        closelog_r(&sdata);
+#else
+        closelog();
+#endif
+
     /* Release sqlite lock file (if we have it) */
     db_disconnect(lock_fd);
 
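Review bot: `snprintf(logmsg, 256, ...)` discards its return value, so a long zone name silently truncates the message that is printed and then sent to syslog. The fixed text is about 55 characters and a DNS name in presentation form can approach 255, which does not fit in `char logmsg[256]`. Use `sizeof(logmsg)` instead of repeating the literal and test the result, e.g. `n = snprintf(logmsg, sizeof(logmsg), ...); if (n < 0 || (size_t)n >= sizeof(logmsg)) { /* note truncation */ }`. The same call is added in the policy rollover hunk (`@@ -2049,6 +2077,31 @@`). `sdata`, used in the `_r` branches, is not declared in any visible hunk, so confirm it is in scope in both functions; this function starts and ends outside the hunk.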
@@ -1990,12 +2016,14 @@
 
     int zone_count = -1;
     
-    int key_type = 0;
+    int key_type = -1;
     int policy_id = 0;
 
     int status = 0;
     int user_certain;
 
+    char logmsg[256]; /* For the message that we log when we are done here */
+
     /* If we were given a keytype, turn it into a number */
     if (o_keytype != NULL) {
         StrToLower(o_keytype);
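Review bot: `int key_type = -1;` introduces a bare sentinel with no comment on what -1 means to `keyRoll()`. If it stands for "no --keytype given, roll every key type", as the "all" wording in the later log message suggests, say so on the declaration: `int key_type = -1; /* -1: no --keytype given, roll all key types */`. The matching initialiser in the zone rollover function is not visible in this diff, so it is worth confirming that both paths start from the same default. The function continues outside this hunk.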
@@ -2049,6 +2077,31 @@
     }
 
     status = keyRoll(-1, policy_id, key_type);
+    if (status != 0) {
+        db_disconnect(lock_fd);
+        return(status);
+    }
+ 
+	/* Let them know that it seemed to work */
+	snprintf(logmsg, 256, "Manual key rollover for key type %s on policy %s initiated" , (o_keytype == NULL) ? "all" : o_keytype, o_policy);
+	printf("%s\n", logmsg);
+
+/* send the msg to syslog */
+#ifdef HAVE_OPENLOG_R
+        openlog_r("ods-ksmutil", 0, DEFAULT_LOG_FACILITY, &sdata);
+#else
+        openlog("ods-ksmutil", 0, DEFAULT_LOG_FACILITY);
+#endif
+#ifdef HAVE_SYSLOG_R
+        syslog_r(LOG_INFO, &sdata, "%s", logmsg);
+#else
+        syslog(LOG_INFO, "%s", logmsg);
+#endif
+#ifdef HAVE_CLOSELOG_R
+        closelog_r(&sdata);
+#else
+        closelog();
+#endif
 
     /* Release sqlite lock file (if we have it) */
     db_disconnect(lock_fd);
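Review bot: The openlog/syslog/closelog block here is a line-for-line copy of the one added to the zone rollover path, including its three `#ifdef HAVE_*_R` pairs. Moving it into one small `static` helper that takes the finished message would keep the two copies from drifting. That helper would also give the new `if (status != 0)` branch a place to record a failed rollover, which at present returns without any syslog entry. The added lines mix tab and space indentation, unlike the surrounding context lines. The function body starts and ends outside this hunk.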
@@ -3868,18 +3921,26 @@
             result = cmd_import();
         }
         else if (!strncmp(case_verb, "ROLLOVER", 8)) {
-            /* Are we rolling a zone or a whole policy? */
-            if (o_zone != NULL && o_policy == NULL) {
-                result = cmd_rollzone();
-            }
-            else if (o_zone == NULL && o_policy != NULL) {
-                result = cmd_rollpolicy();
-            }
-            else {
-                printf("Please provide either a zone OR a policy to rollover\n");
+            /* Check that we have either a key type or the all flag */
+            if (all_flag == 0 && o_keytype == NULL) {
+		        printf("Please specify either a keytype, KSK or ZSK, with the --keytype <type> option or use the --all option\n");
                 usage_keyroll();
                 result = -1;
-            }
+		    } 
+		    else {
+	            /* Are we rolling a zone or a whole policy? */
+	            if (o_zone != NULL && o_policy == NULL) {
+	                result = cmd_rollzone();
+	            }
+	            else if (o_zone == NULL && o_policy != NULL) {
+	                result = cmd_rollpolicy();
+	            }
+	            else {
+	                printf("Please provide either a zone OR a policy to rollover\n");
+	                usage_keyroll();
+	                result = -1;
+	            }
+	        }
         }
         else if (!strncmp(case_verb, "PURGE", 5)) {
             if ((o_zone != NULL && o_policy == NULL) || 
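Review bot: The new guard `if (all_flag == 0 && o_keytype == NULL)` rejects a command with neither option but still accepts `--all` together with `--keytype <type>`, although the usage text presents them as alternatives (`--keytype <type> | --all`). The success message picks its wording from `o_keytype` alone, so in that case the `--all` is presumably ignored without any feedback to the operator. Consider rejecting both cases with `if ((all_flag == 0) == (o_keytype == NULL))` and adjusting the printed hint accordingly. The added lines also mix tabs and spaces, and the surrounding `else if` chain starts and ends outside this hunk.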

Modified: branches/OpenDNSSEC-1.4/enforcer/utils/ods-ksmutil.1.in
==============================================================================
--- branches/OpenDNSSEC-1.4/enforcer/utils/ods-ksmutil.1.in	Mon Jun 17 11:54:25 2013	(r7157)
+++ branches/OpenDNSSEC-1.4/enforcer/utils/ods-ksmutil.1.in	Mon Jun 17 14:19:48 2013	(r7158)
@@ -195,16 +195,20 @@
 are used to limit this operation to a single named zone or policy,
 respectively.
 .TP
-.B key rollover \-\-zone|\-z \fIname\fB [\-\-keytype \fItype\fB]
+.B key rollover \-\-zone|\-z \fIname\fB \-\-keytype \fItype\fB|\-t \fItype\fB
 .TP
-.B key rollover \-\-policy|\-p \fIname\fB [\-\-keytype \fItype\fB]
+.B key rollover \-\-zone|\-z \fIname\fB \-\-all|\-a
+.TP
+.B key rollover \-\-policy|\-p \fIname\fB \-\-keytype \fItype\fB|\-t \fItype\fB
+.TP
+.B key rollover \-\-policy|\-p \fIname\fB \-\-all|\-a
 Rollover active keys on the named zone or policy, respectively.
 This command is used to intiate manual rollovers; if it is not given,
 OpenDNSSEC will automatically rollover keys when the need arises. (Or, in the 
 case of KSKs it will start the rollover process, to finish the KSK rollover see
 ksk-roll below.)
 
-The \-\-keytype option specifies the type of key to roll (both are rolled if nothing is specified) After running, the KASP Enforcer will be woken up so that the signer can be sent the new information.
+The \-\-keytype option specifies the type of key to roll. Alternatively the --all option can be used which will roll both types of keys. After running, the KASP Enforcer will be woken up so that the signer can be sent the new information.
 
 If the policy that the zone is on specifies that keys are shared then all zones on that policy will be rolled. If appropriate, a backup of the sqlite DB file is made.
 

Modified: branches/OpenDNSSEC-1.4/testing/test-cases.d/enforcer.rollover.manual_rollover/kasp.xml
==============================================================================
--- branches/OpenDNSSEC-1.4/testing/test-cases.d/enforcer.rollover.manual_rollover/kasp.xml	Mon Jun 17 11:54:25 2013	(r7157)
+++ branches/OpenDNSSEC-1.4/testing/test-cases.d/enforcer.rollover.manual_rollover/kasp.xml	Mon Jun 17 14:19:48 2013	(r7158)
@@ -61,5 +61,66 @@
 			</SOA>
 		</Parent>
 	</Policy>
+	<Policy name="bill">
+		<Description>default policy but with shared keys</Description>
+		<Signatures>
+			<Resign>PT3M</Resign>
+			<Refresh>PT15M</Refresh>
+			<Validity>
+				<Default>PT1H</Default>
+				<Denial>PT1H</Denial>
+			</Validity>
+			<Jitter>PT1M</Jitter>
+			<InceptionOffset>PT1M</InceptionOffset>
+		</Signatures>
+		<Denial>
+			<NSEC3>
+				<OptOut/>
+				<Resalt>P10D</Resalt>
+				<Hash>
+					<Algorithm>1</Algorithm>
+					<Iterations>5</Iterations>
+					<Salt length="8"/>
+				</Hash>
+			</NSEC3>
+		</Denial>
+		<Keys>
+			<TTL>PT10M</TTL>
+			<RetireSafety>PT10M</RetireSafety>
+			<PublishSafety>PT10M</PublishSafety>
+			<ShareKeys/>			
+			<Purge>P1D</Purge>
+			<KSK>
+				<Algorithm length="2048">7</Algorithm>
+				<Lifetime>P3D</Lifetime>
+				<Repository>SoftHSM</Repository>
+				<Standby>0</Standby>
+			</KSK>
+			<ZSK>
+				<Algorithm length="1024">7</Algorithm>
+				<Lifetime>PT12H</Lifetime>
+				<Repository>SoftHSM</Repository>
+				<Standby>0</Standby>
+			</ZSK>
+		</Keys>
+		<Zone>
+			<PropagationDelay>PT30M</PropagationDelay>
+			<SOA>
+				<TTL>PT10M</TTL>
+				<Minimum>PT5M</Minimum>
+				<Serial>unixtime</Serial>
+			</SOA>
+		</Zone>
+		<Parent>
+			<PropagationDelay>PT20M</PropagationDelay>
+			<DS>
+				<TTL>PT10M</TTL>
+			</DS>
+			<SOA>
+				<TTL>PT5H</TTL>
+				<Minimum>PT2H</Minimum>
+			</SOA>
+		</Parent>
+	</Policy>
 
 </KASP>

Modified: branches/OpenDNSSEC-1.4/testing/test-cases.d/enforcer.rollover.manual_rollover/test.sh
==============================================================================
--- branches/OpenDNSSEC-1.4/testing/test-cases.d/enforcer.rollover.manual_rollover/test.sh	Mon Jun 17 11:54:25 2013	(r7157)
+++ branches/OpenDNSSEC-1.4/testing/test-cases.d/enforcer.rollover.manual_rollover/test.sh	Mon Jun 17 14:19:48 2013	(r7158)
@@ -1,13 +1,14 @@
 #!/usr/bin/env bash
 #
 #TEST: Test to make sure a manual key rollover can be done
-#TEST: Roll the ZSK and then the KSK
+#TEST: Roll the ZSK and then the KSK and use the zone option
 #TEST: We use TIMESHIFT to hurry things along
 
 #TODO: Test the no-retire on the ds-seen command
 #TODO: Test error cases/more complicated scenarios e.g.
 #TODO: do a manual rollover when a scheduled one is due
-#TODO: Also test the --policy option
+
+#OPENDNSSEC-91: Make the keytype flag required when rolling keys
 
 ENFORCER_WAIT=90	# Seconds we wait for enforcer to run
 
@@ -27,16 +28,30 @@
 syslog_grep "ods-enforcerd: .*Timeshift mode detected, running once only!" &&
 syslog_grep "ods-enforcerd: .*DEBUG: Timeshift in operation; ENFORCER_TIMESHIFT set to 01-01-2010 12:00" &&
 
-# Check that we have 2 keys
+# Check that we have 2 keys per zone
 log_this ods-ksmutil-key-list1 ods-ksmutil key list &&
 log_grep ods-ksmutil-key-list1 stdout 'ods                             KSK           publish' &&
 log_grep ods-ksmutil-key-list1 stdout 'ods                             ZSK           active' &&
+log_grep ods-ksmutil-key-list1 stdout 'ods2                            KSK           publish' &&
+log_grep ods-ksmutil-key-list1 stdout 'ods2                            ZSK           active' &&
+log_grep ods-ksmutil-key-list1 stdout 'ods3                            KSK           publish' &&
+log_grep ods-ksmutil-key-list1 stdout 'ods3                            ZSK           active' &&
+
+#OPENDNSSEC-91. Make sure either a keytype or the all option are required
+! log_this ods-ksmutil-key-rollover_bad1 ods-ksmutil key rollover --zone ods &&
+log_grep ods-ksmutil-key-rollover_bad1 stdout 'Please specify either a keytype, KSK or ZSK, with the --keytype <type> option or use the --all option' &&
+
+# Make sure nothing happens for a non-existant zone
+! log_this ods-ksmutil-key-rollover_bad2 ods-ksmutil key rollover --zone bob --keytype ZSK &&
+log_grep ods-ksmutil-key-rollover_bad2 stdout "Error, can't find zone : bob" &&
 
 # ******************* Roll the ZSK first ************************ 
 log_this ods-ksmutil-key-rollover1 ods-ksmutil key rollover --zone ods --keytype ZSK &&
+syslog_waitfor 5 "ods-ksmutil: .*Manual key rollover for key type zsk on zone ods initiated" &&
 # *************************************************************** 
 
-# Run the enforcer and check for a published ZSK
+# Run the enforcer and check for a published ZSK for our zone
+# and check nothing happens to the other zone
 log_this_timeout ods-control-enforcer-start $ENFORCER_WAIT ods-enforcerd -1 &&
 syslog_waitfor_count $ENFORCER_WAIT 2 'ods-enforcerd: .*all done' &&
 
@@ -44,6 +59,12 @@
 log_grep ods-ksmutil-key-list2 stdout 'ods                             KSK           publish' &&
 log_grep ods-ksmutil-key-list2 stdout 'ods                             ZSK           active' &&
 log_grep ods-ksmutil-key-list2 stdout 'ods                             ZSK           publish' &&
+log_grep ods-ksmutil-key-list1 stdout 'ods2                            KSK           publish' &&
+log_grep ods-ksmutil-key-list1 stdout 'ods2                            ZSK           active' &&
+! log_grep ods-ksmutil-key-list2 stdout 'ods2                            ZSK           publish' &&
+log_grep ods-ksmutil-key-list1 stdout 'ods3                            KSK           publish' &&
+log_grep ods-ksmutil-key-list1 stdout 'ods3                            ZSK           active' &&
+! log_grep ods-ksmutil-key-list2 stdout 'ods3                            ZSK           publish' &&
 KSK_CKA_ID1=`log_grep -o ods-ksmutil-key-list2 stdout "ods                             KSK           publish" | awk '{print $9}'` &&
 ZSK_CKA_ID1=`log_grep -o ods-ksmutil-key-list2 stdout "ods                             ZSK           active" | awk '{print $9}'` &&
 ZSK_CKA_ID2=`log_grep -o ods-ksmutil-key-list2 stdout "ods                             ZSK           publish" | awk '{print $9}'` &&
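Review bot: Four of the added assertions (the `ods2` and `ods3` `KSK publish` and `ZSK active` lines) grep `ods-ksmutil-key-list1`, the listing captured before the rollover. They therefore repeat the earlier check instead of verifying the shared-key zones after the enforcer run. They should read the same log as the `! log_grep ods-ksmutil-key-list2 ...` lines beside them, e.g. `log_grep ods-ksmutil-key-list2 stdout 'ods2                            KSK           publish' &&`.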
@@ -95,9 +116,11 @@
 log_grep ods-ksmutil-key-list5 stdout "ods                             KSK           active.*$KSK_CKA_ID1" &&
 log_grep ods-ksmutil-key-list5 stdout "ods                             ZSK           active.*$ZSK_CKA_ID2" &&
 log_grep ods-ksmutil-key-list5 stdout 'ods                             ZSK           publish' &&
+ZSK_CKA_ID3=`log_grep -o ods-ksmutil-key-list5 stdout "ods                             ZSK           publish" | awk '{print $9}'` &&
 
 # ******************* Roll the KSK now ************************ 
 log_this ods-ksmutil-key-rollover2 ods-ksmutil key rollover --zone ods --keytype KSK &&
+syslog_waitfor 5 "ods-ksmutil: .*Manual key rollover for key type ksk on zone ods initiated" &&
 # *************************************************************
 
 # Run the enforcer
@@ -108,6 +131,8 @@
 log_this ods-ksmutil-key-list6 ods-ksmutil key list --verbose &&
 log_grep ods-ksmutil-key-list6 stdout "ods                             KSK           active.*$KSK_CKA_ID1" &&
 log_grep ods-ksmutil-key-list6 stdout 'ods                             KSK           publish' &&
+log_grep ods-ksmutil-key-list6 stdout "ods                             ZSK           active.*$ZSK_CKA_ID2" &&
+log_grep ods-ksmutil-key-list6 stdout 'ods                             ZSK           publish' &&
 KSK_CKA_ID2=`log_grep -o ods-ksmutil-key-list6 stdout "ods                             KSK           publish" | awk '{print $9}'` &&
 
 syslog_grep "WARNING: KSK rollover for zone 'ods' not completed as there are no keys in the 'ready' state;" &&
@@ -123,6 +148,8 @@
 log_this ods-ksmutil-key-list7 ods-ksmutil key list --verbose &&
 log_grep ods-ksmutil-key-list7 stdout "ods                             KSK           active.*$KSK_CKA_ID1" &&
 log_grep ods-ksmutil-key-list7 stdout "ods                             KSK           ready     waiting for ds-seen.*$KSK_CKA_ID2" &&
+log_grep ods-ksmutil-key-list7 stdout "ods                             ZSK           retire.*$ZSK_CKA_ID2" &&
+log_grep ods-ksmutil-key-list7 stdout "ods                             ZSK           active.*$ZSK_CKA_ID3" &&
 
 syslog_grep "ods-enforcerd: .*Once the new DS records are seen in DNS please issue the ds-seen command for zone ods with the following cka_ids, $KSK_CKA_ID2" &&
 
@@ -136,6 +163,8 @@
 log_this ods-ksmutil-key-list8 ods-ksmutil key list --verbose &&
 log_grep ods-ksmutil-key-list8 stdout "ods                             KSK           retire.*$KSK_CKA_ID1" &&
 log_grep ods-ksmutil-key-list8 stdout "ods                             KSK           active.*$KSK_CKA_ID2" &&
+log_grep ods-ksmutil-key-list8 stdout "ods                             ZSK           retire.*$ZSK_CKA_ID2" &&
+log_grep ods-ksmutil-key-list8 stdout "ods                             ZSK           active.*$ZSK_CKA_ID3" &&
 
 # ##################  STEP 5: Time = 15hrs ###########################
 export ENFORCER_TIMESHIFT='02-01-2010 03:00' &&
@@ -148,6 +177,56 @@
 log_this ods-ksmutil-key-list9 ods-ksmutil key list --verbose &&
 log_grep ods-ksmutil-key-list9 stdout "ods                             KSK           active.*$KSK_CKA_ID2" &&
 ! log_grep ods-ksmutil-key-list9 stdout "ods                             KSK           retire" &&
+! log_grep ods-ksmutil-key-list9 stdout "ods                             KSK           publish" &&
+log_grep ods-ksmutil-key-list9 stdout "ods                             ZSK           retire.*$ZSK_CKA_ID2" &&
+log_grep ods-ksmutil-key-list9 stdout "ods                             ZSK           active.*$ZSK_CKA_ID3" &&
+! log_grep ods-ksmutil-key-list9 stdout "ods                             ZSK           publish" &&
+
+# ********Lets roll for a policy and all key types now ************** 
+log_this ods-ksmutil-key-rollover_all ods-ksmutil key rollover --zone ods --all &&
+#echo "y" | log_this ods-ksmutil-key-rollover_all ods-ksmutil key rollover --policy default --all &&
+syslog_waitfor 5 "ods-ksmutil: .*Manual key rollover for key type all on zone ods initiated" &&
+# ******************************************************************* 
+
+# Run the enforcer
+log_this_timeout ods-control-enforcer-start $ENFORCER_WAIT ods-enforcerd -1 &&
+syslog_waitfor_count $ENFORCER_WAIT 9 'ods-enforcerd: .*all done' &&
+
+# Check both keys have started rolling
+log_this ods-ksmutil-key-list10 ods-ksmutil key list --verbose &&
+log_grep ods-ksmutil-key-list10 stdout "ods                             KSK           active.*$KSK_CKA_ID2" &&
+log_grep ods-ksmutil-key-list10 stdout "ods                             KSK           publish" &&
+log_grep ods-ksmutil-key-list10 stdout "ods                             ZSK           retire.*$ZSK_CKA_ID2" &&
+log_grep ods-ksmutil-key-list10 stdout "ods                             ZSK           active.*$ZSK_CKA_ID3" &&
+log_grep ods-ksmutil-key-list10 stdout "ods                             ZSK           publish" &&
+log_grep ods-ksmutil-key-list10 stdout 'ods2                            KSK           ready' &&
+log_grep ods-ksmutil-key-list10 stdout 'ods2                            ZSK           active' &&
+log_grep ods-ksmutil-key-list10 stdout 'ods3                            KSK           ready' &&
+log_grep ods-ksmutil-key-list10 stdout 'ods3                            ZSK           active' &&
+
+# ******************* Now roll a zone which shares keys ************************ 
+echo "y" | log_this ods-ksmutil-key-rollover3 ods-ksmutil key rollover --zone ods2 --keytype ZSK &&
+log_grep ods-ksmutil-key-rollover3 stdout "This zone shares keys with others, all instances of the active key on this zone will be retired; are you sure?" &&
+syslog_waitfor 5 "ods-ksmutil: .*Manual key rollover for key type zsk on zone ods2 initiated" &&
+# ***************************************************************
+
+# Run the enforcer
+log_this_timeout ods-control-enforcer-start $ENFORCER_WAIT ods-enforcerd -1 &&
+syslog_waitfor_count $ENFORCER_WAIT 10 'ods-enforcerd: .*all done' &&
+
+# Check both keys have started rolling on ods2
+log_this ods-ksmutil-key-list11 ods-ksmutil key list --verbose &&
+log_grep ods-ksmutil-key-list11 stdout "ods                             KSK           active.*$KSK_CKA_ID2" &&
+log_grep ods-ksmutil-key-list11 stdout "ods                             KSK           publish" &&
+log_grep ods-ksmutil-key-list11 stdout "ods                             ZSK           retire.*$ZSK_CKA_ID2" &&
+log_grep ods-ksmutil-key-list11 stdout "ods                             ZSK           active.*$ZSK_CKA_ID3" &&
+log_grep ods-ksmutil-key-list11 stdout "ods                             ZSK           publish" &&
+log_grep ods-ksmutil-key-list11 stdout 'ods2                            KSK           ready' &&
+log_grep ods-ksmutil-key-list11 stdout 'ods2                            ZSK           active' &&
+log_grep ods-ksmutil-key-list11 stdout 'ods2                            ZSK           publish' &&
+log_grep ods-ksmutil-key-list11 stdout 'ods3                            KSK           ready' &&
+log_grep ods-ksmutil-key-list11 stdout 'ods3                            ZSK           active' &&
+log_grep ods-ksmutil-key-list11 stdout 'ods3                            ZSK           publish' &&
 
 return 0
 
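Review bot: The banner `Lets roll for a policy and all key types now` does not describe the command under it, which runs `key rollover --zone ods --all`; the policy variant is left commented out on the following line. Either reword the banner to `Roll all key types for zone ods` and drop the dead line, or add a comment pointing to the separate policy test. Likewise `# Check both keys have started rolling on ods2` follows a `--keytype ZSK` rollover, and the assertions beneath it only look for a new ZSK in `publish`, so "both keys" should read "the ZSK on ods2 and ods3". The literal counts `9` and `10` passed to `syslog_waitfor_count` would be easier to maintain with a short comment saying which enforcer runs they add up.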

Modified: branches/OpenDNSSEC-1.4/testing/test-cases.d/enforcer.rollover.manual_rollover/zonelist.xml
==============================================================================
--- branches/OpenDNSSEC-1.4/testing/test-cases.d/enforcer.rollover.manual_rollover/zonelist.xml	Mon Jun 17 11:54:25 2013	(r7157)
+++ branches/OpenDNSSEC-1.4/testing/test-cases.d/enforcer.rollover.manual_rollover/zonelist.xml	Mon Jun 17 14:19:48 2013	(r7158)
@@ -13,4 +13,28 @@
 			</Output>
 		</Adapters>
 	</Zone>
+	<Zone name="ods2">
+		<Policy>bill</Policy>
+		<SignerConfiguration>@INSTALL_ROOT@/var/opendnssec/signconf/ods2.xml</SignerConfiguration>
+		<Adapters>
+			<Input>
+				<File>@INSTALL_ROOT@/var/opendnssec/unsigned/ods2</File>
+			</Input>
+			<Output>
+				<File>@INSTALL_ROOT@/var/opendnssec/signed/ods2</File>
+			</Output>
+		</Adapters>
+	</Zone>	
+	<Zone name="ods3">
+		<Policy>bill</Policy>
+		<SignerConfiguration>@INSTALL_ROOT@/var/opendnssec/signconf/ods3.xml</SignerConfiguration>
+		<Adapters>
+			<Input>
+				<File>@INSTALL_ROOT@/var/opendnssec/unsigned/ods3</File>
+			</Input>
+			<Output>
+				<File>@INSTALL_ROOT@/var/opendnssec/signed/ods3</File>
+			</Output>
+		</Adapters>
+	</Zone>
 </ZoneList>

Modified: branches/OpenDNSSEC-1.4/testing/test-cases.d/enforcer.rollover.manual_rollover_policy/test.sh
==============================================================================
--- branches/OpenDNSSEC-1.3/testing/test-cases.d/enforcer.rollover.manual_rollover_policy/test.sh	Tue Apr 16 17:19:10 2013	(r7094)
+++ branches/OpenDNSSEC-1.4/testing/test-cases.d/enforcer.rollover.manual_rollover_policy/test.sh	Mon Jun 17 14:19:48 2013	(r7158)
@@ -41,7 +41,7 @@
 
 # ******************* Roll the ZSK first ************************ 
 echo "y" | log_this ods-ksmutil-key-rollover1 ods-ksmutil key rollover --policy default --keytype ZSK &&
-syslog_grep "ods-ksmutil: Manual key rollover for key type zsk on policy default initiated" &&
+syslog_waitfor 5 "ods-ksmutil: .*Manual key rollover for key type zsk on policy default initiated" &&
 # *************************************************************** 
 
 # Run the enforcer and check for a published ZSK on our policy
@@ -56,9 +56,9 @@
 log_grep ods-ksmutil-key-list1 stdout 'ods2                            KSK           publish' &&
 log_grep ods-ksmutil-key-list1 stdout 'ods2                            ZSK           active' &&
 ! log_grep ods-ksmutil-key-list2 stdout 'ods2                            ZSK           publish' &&
-KSK_CKA_ID1=`log_grep -o ods-ksmutil-key-list2 stdout "ods                             KSK           publish" | awk '{print $6}'` &&
-ZSK_CKA_ID1=`log_grep -o ods-ksmutil-key-list2 stdout "ods                             ZSK           active" | awk '{print $6}'` &&
-ZSK_CKA_ID2=`log_grep -o ods-ksmutil-key-list2 stdout "ods                             ZSK           publish" | awk '{print $6}'` &&
+KSK_CKA_ID1=`log_grep -o ods-ksmutil-key-list2 stdout "ods                             KSK           publish" | awk '{print $9}'` &&
+ZSK_CKA_ID1=`log_grep -o ods-ksmutil-key-list2 stdout "ods                             ZSK           active" | awk '{print $9}'` &&
+ZSK_CKA_ID2=`log_grep -o ods-ksmutil-key-list2 stdout "ods                             ZSK           publish" | awk '{print $9}'` &&
 
 syslog_grep "WARNING: ZSK rollover for zone 'ods' not completed as there are no keys in the 'ready' state;" &&
 
@@ -107,11 +107,11 @@
 log_grep ods-ksmutil-key-list5 stdout "ods                             KSK           active.*$KSK_CKA_ID1" &&
 log_grep ods-ksmutil-key-list5 stdout "ods                             ZSK           active.*$ZSK_CKA_ID2" &&
 log_grep ods-ksmutil-key-list5 stdout 'ods                             ZSK           publish' &&
-ZSK_CKA_ID3=`log_grep -o ods-ksmutil-key-list5 stdout "ods                             ZSK           publish" | awk '{print $6}'` &&
+ZSK_CKA_ID3=`log_grep -o ods-ksmutil-key-list5 stdout "ods                             ZSK           publish" | awk '{print $9}'` &&
 
 # ******************* Roll the KSK now ************************ 
 echo "y" | log_this ods-ksmutil-key-rollover2 ods-ksmutil key rollover --policy default --keytype KSK &&
-syslog_grep "ods-ksmutil: Manual key rollover for key type ksk on policy default initiated" &&
+syslog_waitfor 5 "ods-ksmutil: .*Manual key rollover for key type ksk on policy default initiated" &&
 # *************************************************************
 
 # Run the enforcer
@@ -124,7 +124,7 @@
 log_grep ods-ksmutil-key-list6 stdout 'ods                             KSK           publish' &&
 log_grep ods-ksmutil-key-list6 stdout "ods                             ZSK           active.*$ZSK_CKA_ID2" &&
 log_grep ods-ksmutil-key-list6 stdout 'ods                             ZSK           publish' &&
-KSK_CKA_ID2=`log_grep -o ods-ksmutil-key-list6 stdout "ods                             KSK           publish" | awk '{print $6}'` &&
+KSK_CKA_ID2=`log_grep -o ods-ksmutil-key-list6 stdout "ods                             KSK           publish" | awk '{print $9}'` &&
 
 syslog_grep "WARNING: KSK rollover for zone 'ods' not completed as there are no keys in the 'ready' state;" &&
 
@@ -175,7 +175,7 @@
 
 # ********Lets roll for a policy and all key types now ************** 
 echo "y" | log_this ods-ksmutil-key-rollover_all ods-ksmutil key rollover --policy default --all &&
-syslog_grep "ods-ksmutil: Manual key rollover for key type all on policy default initiated" &&
+syslog_waitfor 5 "ods-ksmutil: .*Manual key rollover for key type all on policy default initiated" &&
 # ******************************************************************* 
 
 # Run the enforcer


