diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 23:51:28 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 23:51:28 +0000 |
commit | 754c7de1e91eeb28c6d3766900ead0c3e44fdb85 (patch) | |
tree | 51433c0e38731dc9ecd342555a56f876980b1834 /bin/tests/system/keymgr2kasp | |
parent | Adding debian version 1:9.16.44-1~deb11u1. (diff) | |
download | bind9-754c7de1e91eeb28c6d3766900ead0c3e44fdb85.tar.xz bind9-754c7de1e91eeb28c6d3766900ead0c3e44fdb85.zip |
Merging upstream version 1:9.16.48.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system/keymgr2kasp')
-rw-r--r-- | bin/tests/system/keymgr2kasp/clean.sh | 1 | ||||
-rw-r--r-- | bin/tests/system/keymgr2kasp/ns3/setup.sh | 98 | ||||
-rw-r--r-- | bin/tests/system/keymgr2kasp/ns4/setup.sh | 10 | ||||
-rw-r--r-- | bin/tests/system/keymgr2kasp/setup.sh | 8 | ||||
-rw-r--r-- | bin/tests/system/keymgr2kasp/tests.sh | 558 |
5 files changed, 335 insertions, 340 deletions
diff --git a/bin/tests/system/keymgr2kasp/clean.sh b/bin/tests/system/keymgr2kasp/clean.sh index 1fe2bb9..3f6a76f 100644 --- a/bin/tests/system/keymgr2kasp/clean.sh +++ b/bin/tests/system/keymgr2kasp/clean.sh @@ -31,4 +31,3 @@ rm -f ./retired.* rm -f ./rndc.dnssec.* rm -f ./unused.key* rm -f ./verify.out.* - diff --git a/bin/tests/system/keymgr2kasp/ns3/setup.sh b/bin/tests/system/keymgr2kasp/ns3/setup.sh index 6c1d0a5..bb71ad3 100644 --- a/bin/tests/system/keymgr2kasp/ns3/setup.sh +++ b/bin/tests/system/keymgr2kasp/ns3/setup.sh @@ -17,10 +17,10 @@ echo_i "ns3/setup.sh" setup() { - zone="$1" - echo_i "setting up zone: $zone" - zonefile="${zone}.db" - infile="${zone}.db.infile" + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" } # Make lines shorter by storing key states in environment variables. @@ -31,70 +31,70 @@ U="UNRETENTIVE" # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy. setup migrate.kasp -echo "$zone" >> zones +echo "$zone" >>zones ksktimes="-P now -A now -P sync now" zsktimes="-P now -A now" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 # Set up Single-Type Signing Scheme zones with auto-dnssec maintain to # migrate to dnssec-policy. This is a zone that has 'update-check-ksk no;' # configured, meaning the zone is signed with a single CSK. setup csk.kasp -echo "$zone" >> zones +echo "$zone" >>zones csktimes="-P now -A now -P sync now" -CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2> keygen.out.$zone.1) -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2>keygen.out.$zone.1) +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" +$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 setup csk-nosep.kasp -echo "$zone" >> zones +echo "$zone" >>zones csktimes="-P now -A now -P sync now" -CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2> keygen.out.$zone.1) -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2>keygen.out.$zone.1) +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" +$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this # time the existing keys do not match the policy. The existing keys are # RSASHA256 keys, and will be migrated to a dnssec-policy that dictates # ECDSAP256SHA256 keys. setup migrate-nomatch-algnum.kasp -echo "$zone" >> zones +echo "$zone" >>zones Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT Tkey="now-3900s" # DNSKEY TTL + propagation delay Tsig="now-12h" # Zone's maximum TTL + propagation delay ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" zsktimes="-P ${Tkey} -A ${Tsig}" -KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 5 "$KSK" >> "$infile" -private_type_record $zone 5 "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone 5 "$KSK" >>"$infile" +private_type_record $zone 5 "$ZSK" >>"$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this # time the existing keys do not match the policy. The existing keys are # 2048 bits RSASHA256 keys, and will be migrated to a dnssec-policy that # dictates 3072 bits RSASHA256 keys. setup migrate-nomatch-alglen.kasp -echo "$zone" >> zones +echo "$zone" >>zones Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT Tkey="now-3900s" # DNSKEY TTL + propagation delay Tsig="now-12h" # Zone's maximum TTL + propagation delay ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" zsktimes="-P ${Tkey} -A ${Tsig}" -KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone 5 "$KSK" >> "$infile" -private_type_record $zone 5 "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone 5 "$KSK" >>"$infile" +private_type_record $zone 5 "$ZSK" >>"$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 # # Set up zones to test time metadata correctly sets state. @@ -102,30 +102,30 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Key states expected to be rumoured after migration. setup rumoured.kasp -echo "$zone" >> zones +echo "$zone" >>zones Tds="now-2h" Tkey="now-300s" Tsig="now-11h" ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" zsktimes="-P ${Tkey} -A ${Tsig}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 # Key states expected to be omnipresent after migration. setup omnipresent.kasp -echo "$zone" >> zones +echo "$zone" >>zones Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT Tkey="now-3900s" # DNSKEY TTL + propagation delay Tsig="now-12h" # Zone's maximum TTL + propagation delay ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" zsktimes="-P ${Tkey} -A ${Tsig}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2) +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1 diff --git a/bin/tests/system/keymgr2kasp/ns4/setup.sh b/bin/tests/system/keymgr2kasp/ns4/setup.sh index 63121a0..d5a63e0 100644 --- a/bin/tests/system/keymgr2kasp/ns4/setup.sh +++ b/bin/tests/system/keymgr2kasp/ns4/setup.sh @@ -25,22 +25,22 @@ U="UNRETENTIVE" zone="view-rsasha256.kasp" algo="RSASHA256" num="8" -echo "$zone" >> zones +echo "$zone" >>zones # Set up zones in views with auto-dnssec maintain to migrate to dnssec-policy. # The keys for these zones are in use long enough that they should start a # rollover for the ZSK (P3M), but not long enough to initiate a KSK rollover (P1Y). ksktimes="-P -186d -A -186d -P sync -186d" zsktimes="-P -186d -A -186d" -KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $algo -L 300 -b 2048 $zsktimes $zone 2> keygen.out.$zone.2) +KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $algo -L 300 -b 2048 $zsktimes $zone 2>keygen.out.$zone.2) echo_i "setting up zone $zone (external)" view="ext" zonefile="${zone}.${view}.db" -cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile" +cat template.$view.db.in "${KSK}.key" "${ZSK}.key" >"$zonefile" echo_i "setting up zone $zone (internal)" view="int" zonefile="${zone}.${view}.db" -cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile" +cat template.$view.db.in "${KSK}.key" "${ZSK}.key" >"$zonefile" diff --git a/bin/tests/system/keymgr2kasp/setup.sh b/bin/tests/system/keymgr2kasp/setup.sh index e43f798..7c53890 100644 --- a/bin/tests/system/keymgr2kasp/setup.sh +++ b/bin/tests/system/keymgr2kasp/setup.sh @@ -25,10 +25,10 @@ copy_setports ns3/kasp.conf.in ns3/kasp.conf # Setup zones ( - cd ns3 - $SHELL setup.sh + cd ns3 + $SHELL setup.sh ) ( - cd ns4 - $SHELL setup.sh + cd ns4 + $SHELL setup.sh ) diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh index 62b58a7..9bad69c 100644 --- a/bin/tests/system/keymgr2kasp/tests.sh +++ b/bin/tests/system/keymgr2kasp/tests.sh @@ -27,17 +27,17 @@ n=0 # Call dig with default options. dig_with_opts() { - if [ -n "$TSIG" ]; then - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" - else - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" - fi + if [ -n "$TSIG" ]; then + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" + else + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + fi } # Log error and increment failure rate. log_error() { - echo_i "error: $1" - ret=$((ret+1)) + echo_i "error: $1" + ret=$((ret + 1)) } # Default next key event threshold. May be extended by wait periods. @@ -48,29 +48,29 @@ next_key_event_threshold=100 ############################################################################### set_retired_removed() { - _Lkey=$2 - _Iret=$3 + _Lkey=$2 + _Iret=$3 - _active=$(key_get $1 ACTIVE) - set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}" - _retired=$(key_get $1 RETIRED) - set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}" + _active=$(key_get $1 ACTIVE) + set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}" + _retired=$(key_get $1 RETIRED) + set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}" } rollover_predecessor_keytimes() { - _addtime=$1 + _addtime=$1 - _created=$(key_get KEY1 CREATED) + _created=$(key_get KEY1 CREATED) - set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" - [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" + set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" - _created=$(key_get KEY2 CREATED) - set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}" - set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}" - [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" + _created=$(key_get KEY2 CREATED) + set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" } # Policy parameters. @@ -79,7 +79,6 @@ rollover_predecessor_keytimes() { Lksk=0 Lzsk=0 - ################################################# # Test state before switching to dnssec-policy. # ################################################# @@ -88,38 +87,38 @@ Lzsk=0 # $1 $2: Algorithm number and string. # $3 $4: KSK and ZSK size. init_migration_keys() { - key_clear "KEY1" - key_set "KEY1" "LEGACY" "yes" - set_keyrole "KEY1" "ksk" - set_keylifetime "KEY1" "none" - set_keyalgorithm "KEY1" "$1" "$2" "$3" - set_keysigning "KEY1" "yes" - set_zonesigning "KEY1" "no" - - key_clear "KEY2" - key_set "KEY2" "LEGACY" "yes" - set_keyrole "KEY2" "zsk" - set_keylifetime "KEY2" "none" - set_keyalgorithm "KEY2" "$1" "$2" "$4" - set_keysigning "KEY2" "no" - set_zonesigning "KEY2" "yes" - - key_clear "KEY3" - key_clear "KEY4" + key_clear "KEY1" + key_set "KEY1" "LEGACY" "yes" + set_keyrole "KEY1" "ksk" + set_keylifetime "KEY1" "none" + set_keyalgorithm "KEY1" "$1" "$2" "$3" + set_keysigning "KEY1" "yes" + set_zonesigning "KEY1" "no" + + key_clear "KEY2" + key_set "KEY2" "LEGACY" "yes" + set_keyrole "KEY2" "zsk" + set_keylifetime "KEY2" "none" + set_keyalgorithm "KEY2" "$1" "$2" "$4" + set_keysigning "KEY2" "no" + set_zonesigning "KEY2" "yes" + + key_clear "KEY3" + key_clear "KEY4" } # Set expected key states for migration tests. # $1: Goal # $2: States init_migration_states() { - set_keystate "KEY1" "GOAL" "$1" - set_keystate "KEY1" "STATE_DNSKEY" "$2" - set_keystate "KEY1" "STATE_KRRSIG" "$2" - set_keystate "KEY1" "STATE_DS" "$2" - - set_keystate "KEY2" "GOAL" "$1" - set_keystate "KEY2" "STATE_DNSKEY" "$2" - set_keystate "KEY2" "STATE_ZRRSIG" "$2" + set_keystate "KEY1" "GOAL" "$1" + set_keystate "KEY1" "STATE_DNSKEY" "$2" + set_keystate "KEY1" "STATE_KRRSIG" "$2" + set_keystate "KEY1" "STATE_DS" "$2" + + set_keystate "KEY2" "GOAL" "$1" + set_keystate "KEY2" "STATE_DNSKEY" "$2" + set_keystate "KEY2" "STATE_ZRRSIG" "$2" } # @@ -152,21 +151,21 @@ set_zone "csk.kasp" set_policy "none" "1" "7200" set_server "ns3" "10.53.0.3" -key_clear "KEY1" -key_set "KEY1" "LEGACY" "yes" -set_keyrole "KEY1" "ksk" +key_clear "KEY1" +key_set "KEY1" "LEGACY" "yes" +set_keyrole "KEY1" "ksk" # This key also acts as a ZSK. -key_set "KEY1" "ZSK" "yes" -set_keylifetime "KEY1" "none" +key_set "KEY1" "ZSK" "yes" +set_keylifetime "KEY1" "none" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" key_clear "KEY2" key_clear "KEY3" @@ -177,9 +176,9 @@ check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The key is immediately published and activated. _created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${_created}" +set_keytime "KEY1" "PUBLISHED" "${_created}" set_keytime "KEY1" "SYNCPUBLISH" "${_created}" -set_keytime "KEY1" "ACTIVE" "${_created}" +set_keytime "KEY1" "ACTIVE" "${_created}" check_keytimes check_apex @@ -195,21 +194,21 @@ set_zone "csk-nosep.kasp" set_policy "none" "1" "7200" set_server "ns3" "10.53.0.3" -key_clear "KEY1" -key_set "KEY1" "LEGACY" "yes" -set_keyrole "KEY1" "zsk" +key_clear "KEY1" +key_set "KEY1" "LEGACY" "yes" +set_keyrole "KEY1" "zsk" # Despite the missing SEP bit, this key also acts as a KSK. -key_set "KEY1" "KSK" "yes" -set_keylifetime "KEY1" "none" +key_set "KEY1" "KSK" "yes" +set_keylifetime "KEY1" "none" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" key_clear "KEY2" key_clear "KEY3" @@ -220,9 +219,9 @@ check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The key is immediately published and activated. _created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${_created}" +set_keytime "KEY1" "PUBLISHED" "${_created}" set_keytime "KEY1" "SYNCPUBLISH" "${_created}" -set_keytime "KEY1" "ACTIVE" "${_created}" +set_keytime "KEY1" "ACTIVE" "${_created}" check_keytimes check_apex @@ -290,15 +289,15 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # -P sync: now-3h # -A : now-3900s created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 # The ZSK is immediately published and activated. # -P: now-3900s # -A: now-12h created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 check_keytimes check_apex check_subdomain @@ -328,15 +327,15 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # P sync: now-3h # A : now-3900s created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 # - The ZSK is immediately published and activated. # P: now-3900s # A: now-12h created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 check_keytimes check_apex check_subdomain @@ -346,7 +345,6 @@ dnssec_verify _migratenomatch_alglen_ksk=$(key_get KEY1 ID) _migratenomatch_alglen_zsk=$(key_get KEY2 ID) - ############# # Reconfig. # ############# @@ -356,47 +354,46 @@ rndc_reconfig ns3 10.53.0.3 # Calculate time passed to correctly check for next key events. now="$(TZ=UTC date +%s)" -time_passed=$((now-start_time)) +time_passed=$((now - start_time)) echo_i "${time_passed} seconds passed between start of tests and reconfig" # Wait until we have seen "zone_rekey done:" message for this key. _wait_for_done_signing() { - _zone=$1 - - _ksk=$(key_get $2 KSK) - _zsk=$(key_get $2 ZSK) - if [ "$_ksk" = "yes" ]; then - _role="KSK" - _expect_type=EXPECT_KRRSIG - elif [ "$_zsk" = "yes" ]; then - _role="ZSK" - _expect_type=EXPECT_ZRRSIG - fi - - if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then - _keyid=$(key_get $2 ID) - _keyalg=$(key_get $2 ALG_STR) - echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}" - grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1 - fi - - return 0 + _zone=$1 + + _ksk=$(key_get $2 KSK) + _zsk=$(key_get $2 ZSK) + if [ "$_ksk" = "yes" ]; then + _role="KSK" + _expect_type=EXPECT_KRRSIG + elif [ "$_zsk" = "yes" ]; then + _role="ZSK" + _expect_type=EXPECT_ZRRSIG + fi + + if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then + _keyid=$(key_get $2 ID) + _keyalg=$(key_get $2 ALG_STR) + echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}" + grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" >/dev/null || return 1 + fi + + return 0 } wait_for_done_signing() { - n=$((n+1)) - echo_i "wait for zone ${ZONE} is done signing ($n)" - ret=0 + n=$((n + 1)) + echo_i "wait for zone ${ZONE} is done signing ($n)" + ret=0 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1 - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } - ################################################ # Test state after switching to dnssec-policy. # ################################################ @@ -439,9 +436,9 @@ rollover_predecessor_keytimes 0 # retire-safety: 1h (3600 seconds) # IretZSK: 10d65m (867900 seconds) active=$(key_get KEY2 ACTIVE) -set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}" +set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}" retired=$(key_get KEY2 RETIRED) -set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" # Continue signing policy checks. check_keytimes @@ -450,13 +447,13 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)" ret=0 [ $_migrate_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" [ $_migrate_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Testing a good migration (CSK). @@ -465,19 +462,19 @@ set_zone "csk.kasp" set_policy "default" "1" "7200" set_server "ns3" "10.53.0.3" -key_clear "KEY1" -key_set "KEY1" "LEGACY" "no" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +key_set "KEY1" "LEGACY" "no" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" key_clear "KEY2" key_clear "KEY3" @@ -490,9 +487,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The key was immediately published and activated. _created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${_created}" +set_keytime "KEY1" "PUBLISHED" "${_created}" set_keytime "KEY1" "SYNCPUBLISH" "${_created}" -set_keytime "KEY1" "ACTIVE" "${_created}" +set_keytime "KEY1" "ACTIVE" "${_created}" # Continue signing policy checks. check_keytimes @@ -501,12 +498,12 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)" ret=0 [ $_migrate_csk = $(key_get KEY1 ID) ] || log_error "mismatch csk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Testing a good migration (CSK, no SEP). @@ -515,20 +512,20 @@ set_zone "csk-nosep.kasp" set_policy "default" "1" "7200" set_server "ns3" "10.53.0.3" -key_clear "KEY1" -key_set "KEY1" "LEGACY" "no" -set_keyrole "KEY1" "csk" -key_set "KEY1" "FLAGS" "256" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +key_set "KEY1" "LEGACY" "no" +set_keyrole "KEY1" "csk" +key_set "KEY1" "FLAGS" "256" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" key_clear "KEY2" key_clear "KEY3" @@ -541,9 +538,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The key was immediately published and activated. _created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${_created}" +set_keytime "KEY1" "PUBLISHED" "${_created}" set_keytime "KEY1" "SYNCPUBLISH" "${_created}" -set_keytime "KEY1" "ACTIVE" "${_created}" +set_keytime "KEY1" "ACTIVE" "${_created}" # Continue signing policy checks. check_keytimes @@ -552,12 +549,12 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)" ret=0 [ $_migrate_csk_nosep = $(key_get KEY1 ID) ] || log_error "mismatch csk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Test migration to dnssec-policy, existing keys do not match key algorithm. @@ -572,24 +569,24 @@ init_migration_states "hidden" "omnipresent" key_set "KEY1" "LEGACY" "no" key_set "KEY2" "LEGACY" "no" -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "0" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "0" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "5184000" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "5184000" set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY4" "no" -set_zonesigning "KEY4" "yes" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "yes" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY3" "STATE_DS" "hidden" -set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "rumoured" @@ -611,13 +608,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # IretKSK: 4h (14400 seconds) IretKSK=14400 created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 keyfile=$(key_get KEY1 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk -retired=$(awk '{print $3}' < retired.test${n}.ksk) -set_keytime "KEY1" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk +retired=$(awk '{print $3}' <retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" # - ZSK must be retired since it no longer matches the policy. # P: now-3900s @@ -632,17 +629,17 @@ set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" IretZSK=824400 Lzsk=5184000 created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 keyfile=$(key_get KEY2 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk -retired=$(awk '{print $3}' < retired.test${n}.zsk) -set_keytime "KEY2" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk +retired=$(awk '{print $3}' <retired.test${n}.zsk) +set_keytime "KEY2" "RETIRED" "${retired}" set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" # - The new KSK is immediately published and activated. created=$(key_get KEY3 CREATED) -set_keytime "KEY3" "PUBLISHED" "${created}" -set_keytime "KEY3" "ACTIVE" "${created}" +set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "ACTIVE" "${created}" # - It takes TTLsig + Dprp + publish-safety hours to propagate the zone. # TTLsig: 11h (39600 seconds) # Dprp: 1h (3600 seconds) @@ -652,12 +649,12 @@ Ipub=46800 set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" # - The ZSK is immediately published and activated. created=$(key_get KEY4 CREATED) -set_keytime "KEY4" "PUBLISHED" "${created}" -set_keytime "KEY4" "ACTIVE" "${created}" +set_keytime "KEY4" "PUBLISHED" "${created}" +set_keytime "KEY4" "ACTIVE" "${created}" active=$(key_get KEY4 ACTIVE) -set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" +set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" retired=$(key_get KEY4 RETIRED) -set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" +set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" # Continue signing policy checks. check_keytimes @@ -666,13 +663,13 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)" ret=0 [ $_migratenomatch_algnum_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" [ $_migratenomatch_algnum_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Test migration to dnssec-policy, existing keys do not match key length. @@ -688,25 +685,25 @@ init_migration_states "hidden" "omnipresent" key_set "KEY1" "LEGACY" "no" key_set "KEY2" "LEGACY" "no" -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "0" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "0" set_keyalgorithm "KEY3" "8" "RSASHA256" "3072" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "5184000" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "5184000" set_keyalgorithm "KEY4" "8" "RSASHA256" "3072" -set_keysigning "KEY4" "no" +set_keysigning "KEY4" "no" # This key is considered to be prepublished, so it is not yet signing. -set_zonesigning "KEY4" "no" +set_zonesigning "KEY4" "no" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY3" "STATE_DS" "hidden" -set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "hidden" @@ -728,13 +725,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # IretKSK: 4h (14400 seconds) IretKSK=14400 created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 keyfile=$(key_get KEY1 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk -retired=$(awk '{print $3}' < retired.test${n}.ksk) -set_keytime "KEY1" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk +retired=$(awk '{print $3}' <retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" # - ZSK must be retired since it no longer matches the policy. # P: now-3900s @@ -749,17 +746,17 @@ set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" IretZSK=824400 Lzsk=5184000 created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 keyfile=$(key_get KEY2 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk -retired=$(awk '{print $3}' < retired.test${n}.zsk) -set_keytime "KEY2" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk +retired=$(awk '{print $3}' <retired.test${n}.zsk) +set_keytime "KEY2" "RETIRED" "${retired}" set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" # - The new KSK is immediately published and activated. created=$(key_get KEY3 CREATED) -set_keytime "KEY3" "PUBLISHED" "${created}" -set_keytime "KEY3" "ACTIVE" "${created}" +set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "ACTIVE" "${created}" # - It takes TTLsig + Dprp + publish-safety hours to propagate the zone. # TTLsig: 11h (39600 seconds) # Dprp: 1h (3600 seconds) @@ -769,12 +766,12 @@ Ipub=46800 set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" # - The ZSK is immediately published and activated. created=$(key_get KEY4 CREATED) -set_keytime "KEY4" "PUBLISHED" "${created}" -set_keytime "KEY4" "ACTIVE" "${created}" +set_keytime "KEY4" "PUBLISHED" "${created}" +set_keytime "KEY4" "ACTIVE" "${created}" active=$(key_get KEY4 ACTIVE) -set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" +set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" retired=$(key_get KEY4 RETIRED) -set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" +set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" # Continue signing policy checks. check_keytimes @@ -783,13 +780,13 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)" ret=0 [ $_migratenomatch_alglen_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" [ $_migratenomatch_alglen_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) ######################################################## # Testing key states derived from key timing metadata. # @@ -833,13 +830,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Tkey="now-300s" (300) # Tsig="now-11h" (39600) created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -300 -set_addkeytime "KEY1" "ACTIVE" "${created}" -300 -set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -7200 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -300 +set_addkeytime "KEY1" "ACTIVE" "${created}" -300 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -7200 set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -300 -set_addkeytime "KEY2" "ACTIVE" "${created}" -39600 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -300 +set_addkeytime "KEY2" "ACTIVE" "${created}" -39600 set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" # Continue signing policy checks. @@ -849,13 +846,13 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)" ret=0 [ $_rumoured_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" [ $_rumoured_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Testing omnipresent state. @@ -883,13 +880,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Tkey="now-3900s" (3900) # Tsig="now-12h" (43200) created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 -set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 -set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" # Continue signing policy checks. @@ -899,55 +896,54 @@ check_subdomain dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)" ret=0 [ $_omnipresent_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" [ $_omnipresent_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - +status=$((status + ret)) ###################################### # Testing good migration with views. # ###################################### init_view_migration() { - key_clear "KEY1" - key_set "KEY1" "LEGACY" "yes" - set_keyrole "KEY1" "ksk" - set_keylifetime "KEY1" "0" - set_keysigning "KEY1" "yes" - set_zonesigning "KEY1" "no" - - key_clear "KEY2" - key_set "KEY2" "LEGACY" "yes" - set_keyrole "KEY2" "zsk" - set_keylifetime "KEY2" "0" - set_keysigning "KEY2" "no" - set_zonesigning "KEY2" "yes" - - key_clear "KEY3" - key_clear "KEY4" - - set_keystate "KEY1" "GOAL" "omnipresent" - set_keystate "KEY1" "STATE_DNSKEY" "rumoured" - set_keystate "KEY1" "STATE_KRRSIG" "rumoured" - set_keystate "KEY1" "STATE_DS" "rumoured" - - set_keystate "KEY2" "GOAL" "omnipresent" - set_keystate "KEY2" "STATE_DNSKEY" "rumoured" - set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" + key_clear "KEY1" + key_set "KEY1" "LEGACY" "yes" + set_keyrole "KEY1" "ksk" + set_keylifetime "KEY1" "0" + set_keysigning "KEY1" "yes" + set_zonesigning "KEY1" "no" + + key_clear "KEY2" + key_set "KEY2" "LEGACY" "yes" + set_keyrole "KEY2" "zsk" + set_keylifetime "KEY2" "0" + set_keysigning "KEY2" "no" + set_zonesigning "KEY2" "yes" + + key_clear "KEY3" + key_clear "KEY4" + + set_keystate "KEY1" "GOAL" "omnipresent" + set_keystate "KEY1" "STATE_DNSKEY" "rumoured" + set_keystate "KEY1" "STATE_KRRSIG" "rumoured" + set_keystate "KEY1" "STATE_DS" "rumoured" + + set_keystate "KEY2" "GOAL" "omnipresent" + set_keystate "KEY2" "STATE_DNSKEY" "rumoured" + set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" } set_keytimes_view_migration() { - # Key is six months in use. - created=$(key_get KEY1 CREATED) - set_addkeytime "KEY1" "PUBLISHED" "${created}" -16070400 - set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400 - set_addkeytime "KEY1" "ACTIVE" "${created}" -16070400 - created=$(key_get KEY2 CREATED) - set_addkeytime "KEY2" "PUBLISHED" "${created}" -16070400 - set_addkeytime "KEY2" "ACTIVE" "${created}" -16070400 + # Key is six months in use. + created=$(key_get KEY1 CREATED) + set_addkeytime "KEY1" "PUBLISHED" "${created}" -16070400 + set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400 + set_addkeytime "KEY1" "ACTIVE" "${created}" -16070400 + created=$(key_get KEY2 CREATED) + set_addkeytime "KEY2" "PUBLISHED" "${created}" -16070400 + set_addkeytime "KEY2" "ACTIVE" "${created}" -16070400 } # Zone view.rsasha256.kasp (external) @@ -965,16 +961,16 @@ set_keytimes_view_migration check_keytimes dnssec_verify -n=$((n+1)) +n=$((n + 1)) # check subdomain echo_i "check TXT $ZONE (view ext) rrset is signed correctly ($n)" ret=0 -dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" -grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" -grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response" check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Remember legacy key tags. _migrate_ext8_ksk=$(key_get KEY1 ID) @@ -995,16 +991,16 @@ set_keytimes_view_migration check_keytimes dnssec_verify -n=$((n+1)) +n=$((n + 1)) # check subdomain echo_i "check TXT $ZONE (view int) rrset is signed correctly ($n)" ret=0 -dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" -grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" -grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response" check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Remember legacy key tags. _migrate_int8_ksk=$(key_get KEY1 ID) @@ -1017,7 +1013,7 @@ rndc_reconfig ns4 10.53.0.4 # Calculate time passed to correctly check for next key events. now="$(TZ=UTC date +%s)" -time_passed=$((now-start_time)) +time_passed=$((now - start_time)) echo_i "${time_passed} seconds passed between start of tests and reconfig" # @@ -1030,26 +1026,26 @@ init_migration_keys "8" "RSASHA256" "2048" "2048" init_migration_states "omnipresent" "rumoured" # Key properties, timings and metadata should be the same as legacy keys above. # However, because the keys have a lifetime, kasp will set the retired time. -key_set "KEY1" "LEGACY" "no" -set_keylifetime "KEY1" "31536000" -set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" - -key_set "KEY2" "LEGACY" "no" -set_keylifetime "KEY2" "8035200" -set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" +key_set "KEY1" "LEGACY" "no" +set_keylifetime "KEY1" "31536000" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" + +key_set "KEY2" "LEGACY" "no" +set_keylifetime "KEY2" "8035200" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # The ZSK needs to be replaced. -set_keystate "KEY2" "GOAL" "hidden" -set_keystate "KEY3" "GOAL" "omnipresent" -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "8035200" +set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY3" "GOAL" "omnipresent" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "8035200" set_keyalgorithm "KEY3" "8" "RSASHA256" "2048" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "no" # not yet -set_keystate "KEY3" "STATE_DNSKEY" "rumoured" -set_keystate "KEY3" "STATE_ZRRSIG" "hidden" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "no" # not yet +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_ZRRSIG" "hidden" # Various signing policy checks (external). TSIG="$DEFAULT_HMAC:external:$VIEW1" @@ -1060,11 +1056,11 @@ set_keytimes_view_migration # Set expected key times: published=$(key_get KEY1 PUBLISHED) -set_keytime "KEY1" "ACTIVE" "${published}" +set_keytime "KEY1" "ACTIVE" "${published}" set_keytime "KEY1" "SYNCPUBLISH" "${published}" # Lifetime: 1 year (8035200 seconds) active=$(key_get KEY1 ACTIVE) -set_addkeytime "KEY1" "RETIRED" "${active}" "31536000" +set_addkeytime "KEY1" "RETIRED" "${active}" "31536000" # Retire interval: # DS TTL: 1d # Parent zone propagation: 3h @@ -1088,7 +1084,7 @@ retired=$(key_get KEY2 RETIRED) set_addkeytime "KEY2" "REMOVED" "${retired}" "867900" created=$(key_get KEY3 CREATED) -set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "PUBLISHED" "${created}" # Publication interval: # DNSKEY TTL: 300s # Publish safety: 1h @@ -1123,7 +1119,7 @@ check_apex dnssec_verify # Check key tags, should be the same. -n=$((n+1)) +n=$((n + 1)) echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)" ret=0 [ $_migrate_ext8_ksk = $_migrate_int8_ksk ] || log_error "mismatch ksk tag" @@ -1131,7 +1127,7 @@ ret=0 [ $_migrate_ext8_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" [ $_migrate_ext8_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 |