summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/keymgr2kasp
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 23:51:28 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 23:51:28 +0000
commit754c7de1e91eeb28c6d3766900ead0c3e44fdb85 (patch)
tree51433c0e38731dc9ecd342555a56f876980b1834 /bin/tests/system/keymgr2kasp
parentAdding debian version 1:9.16.44-1~deb11u1. (diff)
downloadbind9-754c7de1e91eeb28c6d3766900ead0c3e44fdb85.tar.xz
bind9-754c7de1e91eeb28c6d3766900ead0c3e44fdb85.zip
Merging upstream version 1:9.16.48.
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'bin/tests/system/keymgr2kasp')
-rw-r--r--bin/tests/system/keymgr2kasp/clean.sh1
-rw-r--r--bin/tests/system/keymgr2kasp/ns3/setup.sh98
-rw-r--r--bin/tests/system/keymgr2kasp/ns4/setup.sh10
-rw-r--r--bin/tests/system/keymgr2kasp/setup.sh8
-rw-r--r--bin/tests/system/keymgr2kasp/tests.sh558
5 files changed, 335 insertions, 340 deletions
diff --git a/bin/tests/system/keymgr2kasp/clean.sh b/bin/tests/system/keymgr2kasp/clean.sh
index 1fe2bb9..3f6a76f 100644
--- a/bin/tests/system/keymgr2kasp/clean.sh
+++ b/bin/tests/system/keymgr2kasp/clean.sh
@@ -31,4 +31,3 @@ rm -f ./retired.*
rm -f ./rndc.dnssec.*
rm -f ./unused.key*
rm -f ./verify.out.*
-
diff --git a/bin/tests/system/keymgr2kasp/ns3/setup.sh b/bin/tests/system/keymgr2kasp/ns3/setup.sh
index 6c1d0a5..bb71ad3 100644
--- a/bin/tests/system/keymgr2kasp/ns3/setup.sh
+++ b/bin/tests/system/keymgr2kasp/ns3/setup.sh
@@ -17,10 +17,10 @@
echo_i "ns3/setup.sh"
setup() {
- zone="$1"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- infile="${zone}.db.infile"
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
}
# Make lines shorter by storing key states in environment variables.
@@ -31,70 +31,70 @@ U="UNRETENTIVE"
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
setup migrate.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
ksktimes="-P now -A now -P sync now"
zsktimes="-P now -A now"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
# Set up Single-Type Signing Scheme zones with auto-dnssec maintain to
# migrate to dnssec-policy. This is a zone that has 'update-check-ksk no;'
# configured, meaning the zone is signed with a single CSK.
setup csk.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
csktimes="-P now -A now -P sync now"
-CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2> keygen.out.$zone.1)
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
-$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2>keygen.out.$zone.1)
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
setup csk-nosep.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
csktimes="-P now -A now -P sync now"
-CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2> keygen.out.$zone.1)
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
-$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2>keygen.out.$zone.1)
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# RSASHA256 keys, and will be migrated to a dnssec-policy that dictates
# ECDSAP256SHA256 keys.
setup migrate-nomatch-algnum.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
-KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone 5 "$KSK" >> "$infile"
-private_type_record $zone 5 "$ZSK" >> "$infile"
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone 5 "$KSK" >>"$infile"
+private_type_record $zone 5 "$ZSK" >>"$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# 2048 bits RSASHA256 keys, and will be migrated to a dnssec-policy that
# dictates 3072 bits RSASHA256 keys.
setup migrate-nomatch-alglen.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
-KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone 5 "$KSK" >> "$infile"
-private_type_record $zone 5 "$ZSK" >> "$infile"
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone 5 "$KSK" >>"$infile"
+private_type_record $zone 5 "$ZSK" >>"$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
#
# Set up zones to test time metadata correctly sets state.
@@ -102,30 +102,30 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
# Key states expected to be rumoured after migration.
setup rumoured.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
Tds="now-2h"
Tkey="now-300s"
Tsig="now-11h"
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
# Key states expected to be omnipresent after migration.
setup omnipresent.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile >signer.out.$zone.1 2>&1
diff --git a/bin/tests/system/keymgr2kasp/ns4/setup.sh b/bin/tests/system/keymgr2kasp/ns4/setup.sh
index 63121a0..d5a63e0 100644
--- a/bin/tests/system/keymgr2kasp/ns4/setup.sh
+++ b/bin/tests/system/keymgr2kasp/ns4/setup.sh
@@ -25,22 +25,22 @@ U="UNRETENTIVE"
zone="view-rsasha256.kasp"
algo="RSASHA256"
num="8"
-echo "$zone" >> zones
+echo "$zone" >>zones
# Set up zones in views with auto-dnssec maintain to migrate to dnssec-policy.
# The keys for these zones are in use long enough that they should start a
# rollover for the ZSK (P3M), but not long enough to initiate a KSK rollover (P1Y).
ksktimes="-P -186d -A -186d -P sync -186d"
zsktimes="-P -186d -A -186d"
-KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $algo -L 300 -b 2048 $zsktimes $zone 2> keygen.out.$zone.2)
+KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $algo -L 300 -b 2048 $zsktimes $zone 2>keygen.out.$zone.2)
echo_i "setting up zone $zone (external)"
view="ext"
zonefile="${zone}.${view}.db"
-cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile"
+cat template.$view.db.in "${KSK}.key" "${ZSK}.key" >"$zonefile"
echo_i "setting up zone $zone (internal)"
view="int"
zonefile="${zone}.${view}.db"
-cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile"
+cat template.$view.db.in "${KSK}.key" "${ZSK}.key" >"$zonefile"
diff --git a/bin/tests/system/keymgr2kasp/setup.sh b/bin/tests/system/keymgr2kasp/setup.sh
index e43f798..7c53890 100644
--- a/bin/tests/system/keymgr2kasp/setup.sh
+++ b/bin/tests/system/keymgr2kasp/setup.sh
@@ -25,10 +25,10 @@ copy_setports ns3/kasp.conf.in ns3/kasp.conf
# Setup zones
(
- cd ns3
- $SHELL setup.sh
+ cd ns3
+ $SHELL setup.sh
)
(
- cd ns4
- $SHELL setup.sh
+ cd ns4
+ $SHELL setup.sh
)
diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh
index 62b58a7..9bad69c 100644
--- a/bin/tests/system/keymgr2kasp/tests.sh
+++ b/bin/tests/system/keymgr2kasp/tests.sh
@@ -27,17 +27,17 @@ n=0
# Call dig with default options.
dig_with_opts() {
- if [ -n "$TSIG" ]; then
- "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@"
- else
- "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
- fi
+ if [ -n "$TSIG" ]; then
+ "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@"
+ else
+ "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+ fi
}
# Log error and increment failure rate.
log_error() {
- echo_i "error: $1"
- ret=$((ret+1))
+ echo_i "error: $1"
+ ret=$((ret + 1))
}
# Default next key event threshold. May be extended by wait periods.
@@ -48,29 +48,29 @@ next_key_event_threshold=100
###############################################################################
set_retired_removed() {
- _Lkey=$2
- _Iret=$3
+ _Lkey=$2
+ _Iret=$3
- _active=$(key_get $1 ACTIVE)
- set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}"
- _retired=$(key_get $1 RETIRED)
- set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
+ _active=$(key_get $1 ACTIVE)
+ set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}"
+ _retired=$(key_get $1 RETIRED)
+ set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
}
rollover_predecessor_keytimes() {
- _addtime=$1
+ _addtime=$1
- _created=$(key_get KEY1 CREATED)
+ _created=$(key_get KEY1 CREATED)
- set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
- set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
- set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
- [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+ set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
- _created=$(key_get KEY2 CREATED)
- set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
- set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
- [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+ _created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
}
# Policy parameters.
@@ -79,7 +79,6 @@ rollover_predecessor_keytimes() {
Lksk=0
Lzsk=0
-
#################################################
# Test state before switching to dnssec-policy. #
#################################################
@@ -88,38 +87,38 @@ Lzsk=0
# $1 $2: Algorithm number and string.
# $3 $4: KSK and ZSK size.
init_migration_keys() {
- key_clear "KEY1"
- key_set "KEY1" "LEGACY" "yes"
- set_keyrole "KEY1" "ksk"
- set_keylifetime "KEY1" "none"
- set_keyalgorithm "KEY1" "$1" "$2" "$3"
- set_keysigning "KEY1" "yes"
- set_zonesigning "KEY1" "no"
-
- key_clear "KEY2"
- key_set "KEY2" "LEGACY" "yes"
- set_keyrole "KEY2" "zsk"
- set_keylifetime "KEY2" "none"
- set_keyalgorithm "KEY2" "$1" "$2" "$4"
- set_keysigning "KEY2" "no"
- set_zonesigning "KEY2" "yes"
-
- key_clear "KEY3"
- key_clear "KEY4"
+ key_clear "KEY1"
+ key_set "KEY1" "LEGACY" "yes"
+ set_keyrole "KEY1" "ksk"
+ set_keylifetime "KEY1" "none"
+ set_keyalgorithm "KEY1" "$1" "$2" "$3"
+ set_keysigning "KEY1" "yes"
+ set_zonesigning "KEY1" "no"
+
+ key_clear "KEY2"
+ key_set "KEY2" "LEGACY" "yes"
+ set_keyrole "KEY2" "zsk"
+ set_keylifetime "KEY2" "none"
+ set_keyalgorithm "KEY2" "$1" "$2" "$4"
+ set_keysigning "KEY2" "no"
+ set_zonesigning "KEY2" "yes"
+
+ key_clear "KEY3"
+ key_clear "KEY4"
}
# Set expected key states for migration tests.
# $1: Goal
# $2: States
init_migration_states() {
- set_keystate "KEY1" "GOAL" "$1"
- set_keystate "KEY1" "STATE_DNSKEY" "$2"
- set_keystate "KEY1" "STATE_KRRSIG" "$2"
- set_keystate "KEY1" "STATE_DS" "$2"
-
- set_keystate "KEY2" "GOAL" "$1"
- set_keystate "KEY2" "STATE_DNSKEY" "$2"
- set_keystate "KEY2" "STATE_ZRRSIG" "$2"
+ set_keystate "KEY1" "GOAL" "$1"
+ set_keystate "KEY1" "STATE_DNSKEY" "$2"
+ set_keystate "KEY1" "STATE_KRRSIG" "$2"
+ set_keystate "KEY1" "STATE_DS" "$2"
+
+ set_keystate "KEY2" "GOAL" "$1"
+ set_keystate "KEY2" "STATE_DNSKEY" "$2"
+ set_keystate "KEY2" "STATE_ZRRSIG" "$2"
}
#
@@ -152,21 +151,21 @@ set_zone "csk.kasp"
set_policy "none" "1" "7200"
set_server "ns3" "10.53.0.3"
-key_clear "KEY1"
-key_set "KEY1" "LEGACY" "yes"
-set_keyrole "KEY1" "ksk"
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "yes"
+set_keyrole "KEY1" "ksk"
# This key also acts as a ZSK.
-key_set "KEY1" "ZSK" "yes"
-set_keylifetime "KEY1" "none"
+key_set "KEY1" "ZSK" "yes"
+set_keylifetime "KEY1" "none"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
key_clear "KEY2"
key_clear "KEY3"
@@ -177,9 +176,9 @@ check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The key is immediately published and activated.
_created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "PUBLISHED" "${_created}"
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
-set_keytime "KEY1" "ACTIVE" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
check_keytimes
check_apex
@@ -195,21 +194,21 @@ set_zone "csk-nosep.kasp"
set_policy "none" "1" "7200"
set_server "ns3" "10.53.0.3"
-key_clear "KEY1"
-key_set "KEY1" "LEGACY" "yes"
-set_keyrole "KEY1" "zsk"
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "yes"
+set_keyrole "KEY1" "zsk"
# Despite the missing SEP bit, this key also acts as a KSK.
-key_set "KEY1" "KSK" "yes"
-set_keylifetime "KEY1" "none"
+key_set "KEY1" "KSK" "yes"
+set_keylifetime "KEY1" "none"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
key_clear "KEY2"
key_clear "KEY3"
@@ -220,9 +219,9 @@ check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The key is immediately published and activated.
_created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "PUBLISHED" "${_created}"
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
-set_keytime "KEY1" "ACTIVE" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
check_keytimes
check_apex
@@ -290,15 +289,15 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# -P sync: now-3h
# -A : now-3900s
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
# The ZSK is immediately published and activated.
# -P: now-3900s
# -A: now-12h
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
check_keytimes
check_apex
check_subdomain
@@ -328,15 +327,15 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# P sync: now-3h
# A : now-3900s
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
# - The ZSK is immediately published and activated.
# P: now-3900s
# A: now-12h
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
check_keytimes
check_apex
check_subdomain
@@ -346,7 +345,6 @@ dnssec_verify
_migratenomatch_alglen_ksk=$(key_get KEY1 ID)
_migratenomatch_alglen_zsk=$(key_get KEY2 ID)
-
#############
# Reconfig. #
#############
@@ -356,47 +354,46 @@ rndc_reconfig ns3 10.53.0.3
# Calculate time passed to correctly check for next key events.
now="$(TZ=UTC date +%s)"
-time_passed=$((now-start_time))
+time_passed=$((now - start_time))
echo_i "${time_passed} seconds passed between start of tests and reconfig"
# Wait until we have seen "zone_rekey done:" message for this key.
_wait_for_done_signing() {
- _zone=$1
-
- _ksk=$(key_get $2 KSK)
- _zsk=$(key_get $2 ZSK)
- if [ "$_ksk" = "yes" ]; then
- _role="KSK"
- _expect_type=EXPECT_KRRSIG
- elif [ "$_zsk" = "yes" ]; then
- _role="ZSK"
- _expect_type=EXPECT_ZRRSIG
- fi
-
- if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then
- _keyid=$(key_get $2 ID)
- _keyalg=$(key_get $2 ALG_STR)
- echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
- grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1
- fi
-
- return 0
+ _zone=$1
+
+ _ksk=$(key_get $2 KSK)
+ _zsk=$(key_get $2 ZSK)
+ if [ "$_ksk" = "yes" ]; then
+ _role="KSK"
+ _expect_type=EXPECT_KRRSIG
+ elif [ "$_zsk" = "yes" ]; then
+ _role="ZSK"
+ _expect_type=EXPECT_ZRRSIG
+ fi
+
+ if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then
+ _keyid=$(key_get $2 ID)
+ _keyalg=$(key_get $2 ALG_STR)
+ echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
+ grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" >/dev/null || return 1
+ fi
+
+ return 0
}
wait_for_done_signing() {
- n=$((n+1))
- echo_i "wait for zone ${ZONE} is done signing ($n)"
- ret=0
+ n=$((n + 1))
+ echo_i "wait for zone ${ZONE} is done signing ($n)"
+ ret=0
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
}
-
################################################
# Test state after switching to dnssec-policy. #
################################################
@@ -439,9 +436,9 @@ rollover_predecessor_keytimes 0
# retire-safety: 1h (3600 seconds)
# IretZSK: 10d65m (867900 seconds)
active=$(key_get KEY2 ACTIVE)
-set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}"
+set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}"
retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# Continue signing policy checks.
check_keytimes
@@ -450,13 +447,13 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
[ $_migrate_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_migrate_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Testing a good migration (CSK).
@@ -465,19 +462,19 @@ set_zone "csk.kasp"
set_policy "default" "1" "7200"
set_server "ns3" "10.53.0.3"
-key_clear "KEY1"
-key_set "KEY1" "LEGACY" "no"
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "no"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
key_clear "KEY2"
key_clear "KEY3"
@@ -490,9 +487,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The key was immediately published and activated.
_created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "PUBLISHED" "${_created}"
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
-set_keytime "KEY1" "ACTIVE" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
# Continue signing policy checks.
check_keytimes
@@ -501,12 +498,12 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
ret=0
[ $_migrate_csk = $(key_get KEY1 ID) ] || log_error "mismatch csk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Testing a good migration (CSK, no SEP).
@@ -515,20 +512,20 @@ set_zone "csk-nosep.kasp"
set_policy "default" "1" "7200"
set_server "ns3" "10.53.0.3"
-key_clear "KEY1"
-key_set "KEY1" "LEGACY" "no"
-set_keyrole "KEY1" "csk"
-key_set "KEY1" "FLAGS" "256"
-set_keylifetime "KEY1" "0"
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "no"
+set_keyrole "KEY1" "csk"
+key_set "KEY1" "FLAGS" "256"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
key_clear "KEY2"
key_clear "KEY3"
@@ -541,9 +538,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The key was immediately published and activated.
_created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "PUBLISHED" "${_created}"
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
-set_keytime "KEY1" "ACTIVE" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
# Continue signing policy checks.
check_keytimes
@@ -552,12 +549,12 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
ret=0
[ $_migrate_csk_nosep = $(key_get KEY1 ID) ] || log_error "mismatch csk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Test migration to dnssec-policy, existing keys do not match key algorithm.
@@ -572,24 +569,24 @@ init_migration_states "hidden" "omnipresent"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"
-set_keyrole "KEY3" "ksk"
-set_keylifetime "KEY3" "0"
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY3" "yes"
-set_zonesigning "KEY3" "no"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
-set_keyrole "KEY4" "zsk"
-set_keylifetime "KEY4" "5184000"
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "5184000"
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY4" "no"
-set_zonesigning "KEY4" "yes"
+set_keysigning "KEY4" "no"
+set_zonesigning "KEY4" "yes"
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY3" "STATE_DS" "hidden"
+set_keystate "KEY3" "STATE_DS" "hidden"
-set_keystate "KEY4" "GOAL" "omnipresent"
+set_keystate "KEY4" "GOAL" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
@@ -611,13 +608,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# IretKSK: 4h (14400 seconds)
IretKSK=14400
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
keyfile=$(key_get KEY1 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
-retired=$(awk '{print $3}' < retired.test${n}.ksk)
-set_keytime "KEY1" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
+retired=$(awk '{print $3}' <retired.test${n}.ksk)
+set_keytime "KEY1" "RETIRED" "${retired}"
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
# P: now-3900s
@@ -632,17 +629,17 @@ set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
IretZSK=824400
Lzsk=5184000
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
keyfile=$(key_get KEY2 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
-retired=$(awk '{print $3}' < retired.test${n}.zsk)
-set_keytime "KEY2" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk
+retired=$(awk '{print $3}' <retired.test${n}.zsk)
+set_keytime "KEY2" "RETIRED" "${retired}"
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new KSK is immediately published and activated.
created=$(key_get KEY3 CREATED)
-set_keytime "KEY3" "PUBLISHED" "${created}"
-set_keytime "KEY3" "ACTIVE" "${created}"
+set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
# TTLsig: 11h (39600 seconds)
# Dprp: 1h (3600 seconds)
@@ -652,12 +649,12 @@ Ipub=46800
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
# - The ZSK is immediately published and activated.
created=$(key_get KEY4 CREATED)
-set_keytime "KEY4" "PUBLISHED" "${created}"
-set_keytime "KEY4" "ACTIVE" "${created}"
+set_keytime "KEY4" "PUBLISHED" "${created}"
+set_keytime "KEY4" "ACTIVE" "${created}"
active=$(key_get KEY4 ACTIVE)
-set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
+set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
retired=$(key_get KEY4 RETIRED)
-set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
# Continue signing policy checks.
check_keytimes
@@ -666,13 +663,13 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
ret=0
[ $_migratenomatch_algnum_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_migratenomatch_algnum_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Test migration to dnssec-policy, existing keys do not match key length.
@@ -688,25 +685,25 @@ init_migration_states "hidden" "omnipresent"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"
-set_keyrole "KEY3" "ksk"
-set_keylifetime "KEY3" "0"
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
-set_keysigning "KEY3" "yes"
-set_zonesigning "KEY3" "no"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
-set_keyrole "KEY4" "zsk"
-set_keylifetime "KEY4" "5184000"
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "5184000"
set_keyalgorithm "KEY4" "8" "RSASHA256" "3072"
-set_keysigning "KEY4" "no"
+set_keysigning "KEY4" "no"
# This key is considered to be prepublished, so it is not yet signing.
-set_zonesigning "KEY4" "no"
+set_zonesigning "KEY4" "no"
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY3" "STATE_DS" "hidden"
+set_keystate "KEY3" "STATE_DS" "hidden"
-set_keystate "KEY4" "GOAL" "omnipresent"
+set_keystate "KEY4" "GOAL" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
@@ -728,13 +725,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# IretKSK: 4h (14400 seconds)
IretKSK=14400
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
keyfile=$(key_get KEY1 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
-retired=$(awk '{print $3}' < retired.test${n}.ksk)
-set_keytime "KEY1" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
+retired=$(awk '{print $3}' <retired.test${n}.ksk)
+set_keytime "KEY1" "RETIRED" "${retired}"
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
# P: now-3900s
@@ -749,17 +746,17 @@ set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
IretZSK=824400
Lzsk=5184000
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
keyfile=$(key_get KEY2 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
-retired=$(awk '{print $3}' < retired.test${n}.zsk)
-set_keytime "KEY2" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk
+retired=$(awk '{print $3}' <retired.test${n}.zsk)
+set_keytime "KEY2" "RETIRED" "${retired}"
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new KSK is immediately published and activated.
created=$(key_get KEY3 CREATED)
-set_keytime "KEY3" "PUBLISHED" "${created}"
-set_keytime "KEY3" "ACTIVE" "${created}"
+set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
# TTLsig: 11h (39600 seconds)
# Dprp: 1h (3600 seconds)
@@ -769,12 +766,12 @@ Ipub=46800
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
# - The ZSK is immediately published and activated.
created=$(key_get KEY4 CREATED)
-set_keytime "KEY4" "PUBLISHED" "${created}"
-set_keytime "KEY4" "ACTIVE" "${created}"
+set_keytime "KEY4" "PUBLISHED" "${created}"
+set_keytime "KEY4" "ACTIVE" "${created}"
active=$(key_get KEY4 ACTIVE)
-set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
+set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
retired=$(key_get KEY4 RETIRED)
-set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
# Continue signing policy checks.
check_keytimes
@@ -783,13 +780,13 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
ret=0
[ $_migratenomatch_alglen_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_migratenomatch_alglen_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
########################################################
# Testing key states derived from key timing metadata. #
@@ -833,13 +830,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Tkey="now-300s" (300)
# Tsig="now-11h" (39600)
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -300
-set_addkeytime "KEY1" "ACTIVE" "${created}" -300
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -7200
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -300
+set_addkeytime "KEY1" "ACTIVE" "${created}" -300
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -7200
set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -300
-set_addkeytime "KEY2" "ACTIVE" "${created}" -39600
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -300
+set_addkeytime "KEY2" "ACTIVE" "${created}" -39600
set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
# Continue signing policy checks.
@@ -849,13 +846,13 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
[ $_rumoured_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_rumoured_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Testing omnipresent state.
@@ -883,13 +880,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Tkey="now-3900s" (3900)
# Tsig="now-12h" (43200)
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
# Continue signing policy checks.
@@ -899,55 +896,54 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
[ $_omnipresent_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_omnipresent_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
+status=$((status + ret))
######################################
# Testing good migration with views. #
######################################
init_view_migration() {
- key_clear "KEY1"
- key_set "KEY1" "LEGACY" "yes"
- set_keyrole "KEY1" "ksk"
- set_keylifetime "KEY1" "0"
- set_keysigning "KEY1" "yes"
- set_zonesigning "KEY1" "no"
-
- key_clear "KEY2"
- key_set "KEY2" "LEGACY" "yes"
- set_keyrole "KEY2" "zsk"
- set_keylifetime "KEY2" "0"
- set_keysigning "KEY2" "no"
- set_zonesigning "KEY2" "yes"
-
- key_clear "KEY3"
- key_clear "KEY4"
-
- set_keystate "KEY1" "GOAL" "omnipresent"
- set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
- set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
- set_keystate "KEY1" "STATE_DS" "rumoured"
-
- set_keystate "KEY2" "GOAL" "omnipresent"
- set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
- set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+ key_clear "KEY1"
+ key_set "KEY1" "LEGACY" "yes"
+ set_keyrole "KEY1" "ksk"
+ set_keylifetime "KEY1" "0"
+ set_keysigning "KEY1" "yes"
+ set_zonesigning "KEY1" "no"
+
+ key_clear "KEY2"
+ key_set "KEY2" "LEGACY" "yes"
+ set_keyrole "KEY2" "zsk"
+ set_keylifetime "KEY2" "0"
+ set_keysigning "KEY2" "no"
+ set_zonesigning "KEY2" "yes"
+
+ key_clear "KEY3"
+ key_clear "KEY4"
+
+ set_keystate "KEY1" "GOAL" "omnipresent"
+ set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+ set_keystate "KEY1" "STATE_DS" "rumoured"
+
+ set_keystate "KEY2" "GOAL" "omnipresent"
+ set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
}
set_keytimes_view_migration() {
- # Key is six months in use.
- created=$(key_get KEY1 CREATED)
- set_addkeytime "KEY1" "PUBLISHED" "${created}" -16070400
- set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400
- set_addkeytime "KEY1" "ACTIVE" "${created}" -16070400
- created=$(key_get KEY2 CREATED)
- set_addkeytime "KEY2" "PUBLISHED" "${created}" -16070400
- set_addkeytime "KEY2" "ACTIVE" "${created}" -16070400
+ # Key is six months in use.
+ created=$(key_get KEY1 CREATED)
+ set_addkeytime "KEY1" "PUBLISHED" "${created}" -16070400
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400
+ set_addkeytime "KEY1" "ACTIVE" "${created}" -16070400
+ created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${created}" -16070400
+ set_addkeytime "KEY2" "ACTIVE" "${created}" -16070400
}
# Zone view.rsasha256.kasp (external)
@@ -965,16 +961,16 @@ set_keytimes_view_migration
check_keytimes
dnssec_verify
-n=$((n+1))
+n=$((n + 1))
# check subdomain
echo_i "check TXT $ZONE (view ext) rrset is signed correctly ($n)"
ret=0
-dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
-grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
-grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Remember legacy key tags.
_migrate_ext8_ksk=$(key_get KEY1 ID)
@@ -995,16 +991,16 @@ set_keytimes_view_migration
check_keytimes
dnssec_verify
-n=$((n+1))
+n=$((n + 1))
# check subdomain
echo_i "check TXT $ZONE (view int) rrset is signed correctly ($n)"
ret=0
-dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
-grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
-grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Remember legacy key tags.
_migrate_int8_ksk=$(key_get KEY1 ID)
@@ -1017,7 +1013,7 @@ rndc_reconfig ns4 10.53.0.4
# Calculate time passed to correctly check for next key events.
now="$(TZ=UTC date +%s)"
-time_passed=$((now-start_time))
+time_passed=$((now - start_time))
echo_i "${time_passed} seconds passed between start of tests and reconfig"
#
@@ -1030,26 +1026,26 @@ init_migration_keys "8" "RSASHA256" "2048" "2048"
init_migration_states "omnipresent" "rumoured"
# Key properties, timings and metadata should be the same as legacy keys above.
# However, because the keys have a lifetime, kasp will set the retired time.
-key_set "KEY1" "LEGACY" "no"
-set_keylifetime "KEY1" "31536000"
-set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
-
-key_set "KEY2" "LEGACY" "no"
-set_keylifetime "KEY2" "8035200"
-set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+key_set "KEY1" "LEGACY" "no"
+set_keylifetime "KEY1" "31536000"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+key_set "KEY2" "LEGACY" "no"
+set_keylifetime "KEY2" "8035200"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# The ZSK needs to be replaced.
-set_keystate "KEY2" "GOAL" "hidden"
-set_keystate "KEY3" "GOAL" "omnipresent"
-set_keyrole "KEY3" "zsk"
-set_keylifetime "KEY3" "8035200"
+set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "8035200"
set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
-set_keysigning "KEY3" "no"
-set_zonesigning "KEY3" "no" # not yet
-set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "no" # not yet
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
# Various signing policy checks (external).
TSIG="$DEFAULT_HMAC:external:$VIEW1"
@@ -1060,11 +1056,11 @@ set_keytimes_view_migration
# Set expected key times:
published=$(key_get KEY1 PUBLISHED)
-set_keytime "KEY1" "ACTIVE" "${published}"
+set_keytime "KEY1" "ACTIVE" "${published}"
set_keytime "KEY1" "SYNCPUBLISH" "${published}"
# Lifetime: 1 year (8035200 seconds)
active=$(key_get KEY1 ACTIVE)
-set_addkeytime "KEY1" "RETIRED" "${active}" "31536000"
+set_addkeytime "KEY1" "RETIRED" "${active}" "31536000"
# Retire interval:
# DS TTL: 1d
# Parent zone propagation: 3h
@@ -1088,7 +1084,7 @@ retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "867900"
created=$(key_get KEY3 CREATED)
-set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "PUBLISHED" "${created}"
# Publication interval:
# DNSKEY TTL: 300s
# Publish safety: 1h
@@ -1123,7 +1119,7 @@ check_apex
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
[ $_migrate_ext8_ksk = $_migrate_int8_ksk ] || log_error "mismatch ksk tag"
@@ -1131,7 +1127,7 @@ ret=0
[ $_migrate_ext8_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_migrate_ext8_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1