author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 07:24:22 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-27 07:24:22 +0000 |
commit | 45d6379135504814ab723b57f0eb8be23393a51d (patch) | |
tree | d4f2ec4acca824a8446387a758b0ce4238a4dffa /bin/tests/system/keymgr | |
parent | Initial commit. (diff) | |
download | bind9-45d6379135504814ab723b57f0eb8be23393a51d.tar.xz bind9-45d6379135504814ab723b57f0eb8be23393a51d.zip |
Adding upstream version 1:9.16.44.upstream/1%9.16.44
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
62 files changed, 2927 insertions, 0 deletions
diff --git a/bin/tests/system/keymgr/01-ksk-inactive/README b/bin/tests/system/keymgr/01-ksk-inactive/README
new file mode 100644
index 0000000..a79314e
--- /dev/null
+++ b/bin/tests/system/keymgr/01-ksk-inactive/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one KSK rollover. The KSK is deactivated prior to
+its replacement being activated.
diff --git a/bin/tests/system/keymgr/01-ksk-inactive/expect b/bin/tests/system/keymgr/01-ksk-inactive/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/01-ksk-inactive/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/02-zsk-inactive/README b/bin/tests/system/keymgr/02-zsk-inactive/README
new file mode 100644
index 0000000..8997e0a
--- /dev/null
+++ b/bin/tests/system/keymgr/02-zsk-inactive/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one ZSK rollover. The first ZSK is deactivated
+prior to its replacement being activated.
diff --git a/bin/tests/system/keymgr/02-zsk-inactive/expect b/bin/tests/system/keymgr/02-zsk-inactive/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/02-zsk-inactive/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/03-ksk-unpublished/README b/bin/tests/system/keymgr/03-ksk-unpublished/README
new file mode 100644
index 0000000..4086a31
--- /dev/null
+++ b/bin/tests/system/keymgr/03-ksk-unpublished/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set contains one KSK rollover. The KSK is unpublished before its
+successor is published.
diff --git a/bin/tests/system/keymgr/03-ksk-unpublished/expect b/bin/tests/system/keymgr/03-ksk-unpublished/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/03-ksk-unpublished/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/04-zsk-unpublished/README b/bin/tests/system/keymgr/04-zsk-unpublished/README
new file mode 100644
index 0000000..a3bbe85
--- /dev/null
+++ b/bin/tests/system/keymgr/04-zsk-unpublished/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set contains one ZSK rollover. The ZSK is unpublished before its
+successor is published.
diff --git a/bin/tests/system/keymgr/04-zsk-unpublished/expect b/bin/tests/system/keymgr/04-zsk-unpublished/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/04-zsk-unpublished/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/05-ksk-unpub-active/README b/bin/tests/system/keymgr/05-ksk-unpub-active/README
new file mode 100644
index 0000000..5b47456
--- /dev/null
+++ b/bin/tests/system/keymgr/05-ksk-unpub-active/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one KSK rollover. The first KSK is deleted
+and its successor published prior to the first KSK being deactivated
+and its successor activated.
diff --git a/bin/tests/system/keymgr/05-ksk-unpub-active/expect b/bin/tests/system/keymgr/05-ksk-unpub-active/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/05-ksk-unpub-active/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/06-zsk-unpub-active/README b/bin/tests/system/keymgr/06-zsk-unpub-active/README
new file mode 100644
index 0000000..5b47456
--- /dev/null
+++ b/bin/tests/system/keymgr/06-zsk-unpub-active/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one KSK rollover. The first KSK is deleted
+and its successor published prior to the first KSK being deactivated
+and its successor activated.
diff --git a/bin/tests/system/keymgr/06-zsk-unpub-active/expect b/bin/tests/system/keymgr/06-zsk-unpub-active/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/06-zsk-unpub-active/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/07-ksk-ttl/README b/bin/tests/system/keymgr/07-ksk-ttl/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/07-ksk-ttl/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/07-ksk-ttl/expect b/bin/tests/system/keymgr/07-ksk-ttl/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/07-ksk-ttl/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/08-zsk-ttl/README b/bin/tests/system/keymgr/08-zsk-ttl/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/08-zsk-ttl/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/08-zsk-ttl/expect b/bin/tests/system/keymgr/08-zsk-ttl/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/08-zsk-ttl/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/09-no-keys/README b/bin/tests/system/keymgr/09-no-keys/README
new file mode 100644
index 0000000..7de6d40
--- /dev/null
+++ b/bin/tests/system/keymgr/09-no-keys/README
@@ -0,0 +1,5 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has no key set, but one will be initialized by dnssec-keymgr.
diff --git a/bin/tests/system/keymgr/09-no-keys/expect b/bin/tests/system/keymgr/09-no-keys/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/09-no-keys/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/10-change-roll/README b/bin/tests/system/keymgr/10-change-roll/README
new file mode 100644
index 0000000..c83de5f
--- /dev/null
+++ b/bin/tests/system/keymgr/10-change-roll/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has a key set which is valid, but has a ZSK rollover period
+of only three months. It will be updated to have a ZSK rollover period of
+one year.
diff --git a/bin/tests/system/keymgr/10-change-roll/expect b/bin/tests/system/keymgr/10-change-roll/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/10-change-roll/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/11-many-simul/README b/bin/tests/system/keymgr/11-many-simul/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/11-many-simul/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/11-many-simul/expect b/bin/tests/system/keymgr/11-many-simul/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/11-many-simul/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/12-many-active/README b/bin/tests/system/keymgr/12-many-active/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/12-many-active/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/12-many-active/expect b/bin/tests/system/keymgr/12-many-active/expect
new file mode 100644
index 0000000..67fc4e9
--- /dev/null
+++ b/bin/tests/system/keymgr/12-many-active/expect
@@ -0,0 +1,9 @@
+kargs="-f example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/13-noroll/README b/bin/tests/system/keymgr/13-noroll/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/13-noroll/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/13-noroll/expect b/bin/tests/system/keymgr/13-noroll/expect
new file mode 100644
index 0000000..67fc4e9
--- /dev/null
+++ b/bin/tests/system/keymgr/13-noroll/expect
@@ -0,0 +1,9 @@
+kargs="-f example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/14-wrongalg/README b/bin/tests/system/keymgr/14-wrongalg/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/14-wrongalg/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/14-wrongalg/expect b/bin/tests/system/keymgr/14-wrongalg/expect
new file mode 100644
index 0000000..bd5eadb
--- /dev/null
+++ b/bin/tests/system/keymgr/14-wrongalg/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=4
diff --git a/bin/tests/system/keymgr/15-unspec/README b/bin/tests/system/keymgr/15-unspec/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/15-unspec/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/15-unspec/expect b/bin/tests/system/keymgr/15-unspec/expect
new file mode 100644
index 0000000..ad300c4
--- /dev/null
+++ b/bin/tests/system/keymgr/15-unspec/expect
@@ -0,0 +1,9 @@
+kargs=""
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/16-wrongalg-unspec/README b/bin/tests/system/keymgr/16-wrongalg-unspec/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/16-wrongalg-unspec/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/16-wrongalg-unspec/expect b/bin/tests/system/keymgr/16-wrongalg-unspec/expect
new file mode 100644
index 0000000..c836535
--- /dev/null
+++ b/bin/tests/system/keymgr/16-wrongalg-unspec/expect
@@ -0,0 +1,9 @@
+kargs=""
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=4
diff --git a/bin/tests/system/keymgr/17-noforce/README b/bin/tests/system/keymgr/17-noforce/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/17-noforce/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/17-noforce/expect b/bin/tests/system/keymgr/17-noforce/expect
new file mode 100644
index 0000000..029a4e9
--- /dev/null
+++ b/bin/tests/system/keymgr/17-noforce/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=1
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/README b/bin/tests/system/keymgr/18-nonstd-prepub/README
new file mode 100644
index 0000000..4ee0a8a
--- /dev/null
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has a key set which is valid, but will expire within
+the rollover period. The prepublication interval in policy.conf is a
+nonstandard value.
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/expect b/bin/tests/system/keymgr/18-nonstd-prepub/expect
new file mode 100644
index 0000000..e8518d8
--- /dev/null
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 1d example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in b/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in
new file mode 100644
index 0000000..757311a
--- /dev/null
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy default {
+ policy global;
+ algorithm @DEFAULT_ALGORITHM@;
+ pre-publish zsk 2w;
+ roll-period zsk 6mo;
+ coverage 364d;
+};
diff --git a/bin/tests/system/keymgr/19-old-keys/README b/bin/tests/system/keymgr/19-old-keys/README
new file mode 100644
index 0000000..bd66ba8
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has a key set which is valid, but which was published
+and activated more than one rollover period ago. dnssec-keymgr should
+not mark the keys as already being inactive and deleted.
diff --git a/bin/tests/system/keymgr/19-old-keys/expect b/bin/tests/system/keymgr/19-old-keys/expect
new file mode 100644
index 0000000..ad73b53
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/expect
@@ -0,0 +1,12 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 1w example.com"
+cmatch="4,Publish
+4,Activate
+2,Inactive
+2,Delete"
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/19-old-keys/extra.sh b/bin/tests/system/keymgr/19-old-keys/extra.sh
new file mode 100644
index 0000000..502d951
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/extra.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+now=`$PERL -e 'print time()."\n";'`
+for keyfile in K*.key; do
+  inactive=`$SETTIME -upI $keyfile | awk '{print $2}'`
+  if [ "$inactive" = UNSET ]; then
+    continue
+  elif [ "$inactive" -lt "$now" ]; then
+    echo_d "inactive date is in the past"
+    ret=1
+  fi
+done
diff --git a/bin/tests/system/keymgr/19-old-keys/policy.conf.in b/bin/tests/system/keymgr/19-old-keys/policy.conf.in
new file mode 100644
index 0000000..757311a
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/policy.conf.in
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy default {
+ policy global;
+ algorithm @DEFAULT_ALGORITHM@;
+ pre-publish zsk 2w;
+ roll-period zsk 6mo;
+ coverage 364d;
+};
diff --git a/bin/tests/system/keymgr/clean.sh b/bin/tests/system/keymgr/clean.sh
new file mode 100644
index 0000000..d8cad32
--- /dev/null
+++ b/bin/tests/system/keymgr/clean.sh
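Review bot: In the `for keyfile in K*.key` loop, an empty `$inactive` (the glob matching nothing and passing the literal `K*.key` to `$SETTIME`, or `$SETTIME` failing) is neither `UNSET` nor a number, so `[ "$inactive" -lt "$now" ]` produces an "integer expression expected" error from `[` and the iteration ends without setting `ret`, leaving the failure unrecorded. Add an explicit branch before the numeric comparison: `elif [ -z "$inactive" ]; then` / `echo_d "no inactive time read for $keyfile"; ret=1`. The script references `ret` and `echo_d` without defining them, so it appears to be sourced by the test driver; if so, a short header comment stating that and naming the variables it expects would help the next reader.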
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f 18-nonstd-prepub/policy.conf
+rm -f 19-old-keys/policy.conf
+rm -f K*.key */K*.key
+rm -f K*.private */K*.private
+rm -f coverage.* keymgr.* settime.*
+rm -f ns*/managed-keys.bind*
+rm -f policy.conf
+rm -f policy.out
diff --git a/bin/tests/system/keymgr/policy.conf.in b/bin/tests/system/keymgr/policy.conf.in
new file mode 100644
index 0000000..d6bc925
--- /dev/null
+++ b/bin/tests/system/keymgr/policy.conf.in
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy default {
+ policy global;
+ algorithm @DEFAULT_ALGORITHM@;
+ key-size zsk 1024;
+ pre-publish zsk 6w;
+ post-publish zsk 6w;
+ roll-period zsk 6mo;
+ roll-period ksk 0;
+ coverage 364d;
+};
diff --git a/bin/tests/system/keymgr/policy.good b/bin/tests/system/keymgr/policy.good
new file mode 100644
index 0000000..eb23246
--- /dev/null
+++ b/bin/tests/system/keymgr/policy.good
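Review bot: `key-size zsk 1024;` in the top-level policy.conf.in pins a ZSK size that is below what current guidance recommends for RSA signing keys, and the file carries no explanation, so it reads like a template value rather than a test choice. Whether it has any effect depends on what `@DEFAULT_ALGORITHM@` is substituted with (key-size is presumably only meaningful for RSA algorithms — verify against the keymgr policy code), but either way a one-line comment would prevent it being copied into real deployments: `// test fixture only: a deliberately small RSA ZSK, not a production recommendation`. The same applies to `roll-period ksk 0;`, which disables KSK rollover and is worth a word on why the tests need that.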
@@ -0,0 +1,187 @@ +policy default: + inherits global + directory None + algorithm None + coverage None + ksk_keysize None + zsk_keysize None + ksk_rollperiod None + zsk_rollperiod None + ksk_prepublish None + ksk_postpublish None + zsk_prepublish None + zsk_postpublish None + ksk_standby None + zsk_standby None + keyttl None + +policy global: + inherits None + directory None + algorithm RSASHA256 + coverage 15552000 + ksk_keysize 2048 + zsk_keysize 2048 + ksk_rollperiod None + zsk_rollperiod 31536000 + ksk_prepublish 2592000 + ksk_postpublish 2592000 + zsk_prepublish 2592000 + zsk_postpublish 2592000 + ksk_standby None + zsk_standby None + keyttl 3600 + +constructed policy example.com: + inherits global + directory None + algorithm RSASHA256 + coverage 15552000 + ksk_keysize 2048 + zsk_keysize 2048 + ksk_rollperiod None + zsk_rollperiod 31536000 + ksk_prepublish 2592000 + ksk_postpublish 2592000 + zsk_prepublish 2592000 + zsk_postpublish 2592000 + ksk_standby None + zsk_standby None + keyttl 3600 + +policy default: + inherits None + directory "keydir" + algorithm RSASHA1 + coverage 31536000 + ksk_keysize None + zsk_keysize None + ksk_rollperiod None + zsk_rollperiod 15552000 + ksk_prepublish None + ksk_postpublish None + zsk_prepublish 3628800 + zsk_postpublish 3628800 + ksk_standby None + zsk_standby None + keyttl 3600 + +zone policy example.com: + inherits extra + directory "keydir" + algorithm NSEC3RSASHA1 + coverage 12960000 + ksk_keysize 2048 + zsk_keysize 2048 + ksk_rollperiod 31536000 + zsk_rollperiod 7776000 + ksk_prepublish 7776000 + ksk_postpublish None + zsk_prepublish 3628800 + zsk_postpublish 604800 + ksk_standby None + zsk_standby None + keyttl 7200 + +constructed policy example.org: + inherits None + directory "keydir" + algorithm RSASHA1 + coverage 31536000 + ksk_keysize 2048 + zsk_keysize 1024 + ksk_rollperiod None + zsk_rollperiod 15552000 + ksk_prepublish None + ksk_postpublish None + zsk_prepublish 3628800 + zsk_postpublish 3628800 + ksk_standby 
None + zsk_standby None + keyttl 3600 + +constructed policy example.net: + inherits None + directory "keydir" + algorithm RSASHA1 + coverage 31536000 + ksk_keysize 2048 + zsk_keysize 1024 + ksk_rollperiod None + zsk_rollperiod 15552000 + ksk_prepublish None + ksk_postpublish None + zsk_prepublish 3628800 + zsk_postpublish 3628800 + ksk_standby None + zsk_standby None + keyttl 3600 + +algorithm policy RSASHA1: + inherits None + directory None + algorithm None + coverage None + ksk_keysize 2048 + zsk_keysize 1024 + ksk_rollperiod None + zsk_rollperiod None + ksk_prepublish None + ksk_postpublish None + zsk_prepublish None + zsk_postpublish None + ksk_standby None + zsk_standby None + keyttl None + +algorithm policy RSASHA256: + inherits None + directory None + algorithm RSASHA256 + coverage None + ksk_keysize 2048 + zsk_keysize 2048 + ksk_rollperiod None + zsk_rollperiod None + ksk_prepublish None + ksk_postpublish None + zsk_prepublish None + zsk_postpublish None + ksk_standby None + zsk_standby None + keyttl None + +algorithm policy ECDSAP256SHA256: + inherits None + directory None + algorithm ECDSAP256SHA256 + coverage None + ksk_keysize None + zsk_keysize None + ksk_rollperiod None + zsk_rollperiod None + ksk_prepublish None + ksk_postpublish None + zsk_prepublish None + zsk_postpublish None + ksk_standby None + zsk_standby None + keyttl None + +policy extra: + inherits default + directory None + algorithm None + coverage 157680000 + ksk_keysize None + zsk_keysize None + ksk_rollperiod 31536000 + zsk_rollperiod 7776000 + ksk_prepublish 7776000 + ksk_postpublish None + zsk_prepublish None + zsk_postpublish 604800 + ksk_standby None + zsk_standby None + keyttl 7200 + diff --git a/bin/tests/system/keymgr/policy.sample b/bin/tests/system/keymgr/policy.sample new file mode 100644 index 0000000..8683e27 --- /dev/null +++ b/bin/tests/system/keymgr/policy.sample 
@@ -0,0 +1,60 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +# a comment which should be skipped + +algorithm-policy rsasha1 { + key-size ksk 2048; + key-size zsk 1024; // this too +}; + +// and this + +policy default { + directory "keydir"; + algorithm rsasha1; + coverage 1y; # another comment + roll-period zsk 6mo; // and yet another + pre-publish zsk 6w; + post-publish zsk 6w; + keyttl 1h; +}; + +policy extra { + policy default; + coverage 5y; + roll-period KSK 1 year; + roll-period zsk 3mo; + pre-publish ksk 3mo; + post-publish zsk 1w; + keyttl 2h; +}; + +/* + * and this is also a comment, + * and it should be ignored like + * the others. + */ + +zone example.com { + policy extra; + coverage 5 mon; + algorithm nsec3rsasha1; +}; + +/* + * This confirms that zones starting with digits are accepted. + */ +zone "99example.com" { + policy global; +}; diff --git a/bin/tests/system/keymgr/setup.sh b/bin/tests/system/keymgr/setup.sh new file mode 100644 index 0000000..d7cef0c --- /dev/null +++ b/bin/tests/system/keymgr/setup.sh 
@@ -0,0 +1,192 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +SYSTEMTESTTOP=.. +. $SYSTEMTESTTOP/conf.sh + +KEYGEN="$KEYGEN -q" + +# Test 1: KSK goes inactive before successor is active +dir=01-ksk-inactive +echo_i "set up $dir" +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=`$KEYGEN -K $dir -S $ksk1` +$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1 +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` + +# Test 2: ZSK goes inactive before successor is active +dir=02-zsk-inactive +echo_i "set up $dir" +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=`$KEYGEN -K $dir -S $zsk1` +$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1 +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` + +# Test 3: KSK is unpublished before its successor is published +dir=03-ksk-unpublished +echo_i "set up $dir" +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=`$KEYGEN -K $dir -S $ksk1` +$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1 +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` + +# Test 4: ZSK is unpublished before its successor is published +dir=04-zsk-unpublished +echo_i "set up $dir" +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=`$KEYGEN -K $dir -S $zsk1` +$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1 +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk 
example.com` + +# Test 5: KSK deleted and successor published before KSK is deactivated +# and successor activated. +dir=05-ksk-unpub-active +echo_i "set up $dir" +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` +$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1 +ksk2=`$KEYGEN -K $dir -S $ksk1` +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` + +# Test 6: ZSK deleted and successor published before ZSK is deactivated +# and successor activated. +dir=06-zsk-unpub-active +echo_i "set up $dir" +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` +$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1 +zsk2=`$KEYGEN -K $dir -S $zsk1` +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` + +# Test 7: KSK rolled with insufficient delay after prepublication. +dir=07-ksk-ttl +echo_i "set up $dir" +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` +$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1 +ksk2=`$KEYGEN -K $dir -S $ksk1` +$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1 +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` + +# Test 8: ZSK rolled with insufficient delay after prepublication. 
+dir=08-zsk-ttl +echo_i "set up $dir" +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` +$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1 +zsk2=`$KEYGEN -K $dir -S $zsk1` +# allow only 1 day between publication and activation +$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1 +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` + +# Test 9: No special preparation needed + +# Test 10: Valid key set, but rollover period has changed +dir=10-change-roll +echo_i "set up $dir" +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` +$SETTIME -K $dir -I +3mo -D +4mo $zsk1 > /dev/null 2>&1 +zsk2=`$KEYGEN -K $dir -S $zsk1` + +# Test 11: Many keys all simultaneously scheduled to be active in the future +dir=11-many-simul +echo_i "set up $dir" +k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk -P now+1mo -A now+1mo example.com` +z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com` +z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com` +z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com` +z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com` + +# Test 12: Many keys all simultaneously scheduled to be active in the past +dir=12-many-active +echo_i "set up $dir" +k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com` +z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` +z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` +z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` +z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` + +# Test 13: Multiple simultaneous keys with no configured roll period +dir=13-noroll +echo_i "set up $dir" +k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com` +k2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com` +k3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com` 
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` + +# Test 14: Keys exist but have the wrong algorithm +dir=14-wrongalg +echo_i "set up $dir" +k1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -qfk example.com` +z1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -q example.com` +$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null +z2=`$KEYGEN -K $dir -q -S ${z1}.key` +$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null +z3=`$KEYGEN -K $dir -q -S ${z2}.key` +$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null +z4=`$KEYGEN -K $dir -q -S ${z3}.key` + +# Test 15: No zones specified; just search the directory for keys +dir=15-unspec +echo_i "set up $dir" +k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com` +z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` +$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null +z2=`$KEYGEN -K $dir -q -S ${z1}.key` +$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null +z3=`$KEYGEN -K $dir -q -S ${z2}.key` +$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null +z4=`$KEYGEN -K $dir -q -S ${z3}.key` + +# Test 16: No zones specified; search the directory for keys; +# keys have the wrong algorithm for their policies +dir=16-wrongalg-unspec +echo_i "set up $dir" +k1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -qfk example.com` +z1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -q example.com` +$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null +z2=`$KEYGEN -K $dir -q -S ${z1}.key` +$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null +z3=`$KEYGEN -K $dir -q -S ${z2}.key` +$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null +z4=`$KEYGEN -K $dir -q -S ${z3}.key` + +# Test 17: Keys are simultaneously active but we run with no force +# flag (this should fail) +dir=17-noforce +echo_i "set up $dir" +k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com` +z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` +z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` 
+z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` +z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com` + +# Test 18: Prepublication interval is set to a nonstandard value +dir=18-nonstd-prepub +echo_i "set up $dir" +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` +$SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null + +# Test 19: Key has been published/active a long time +dir=19-old-keys +echo_i "set up $dir" +ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com` +zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com` +$SETTIME -K $dir -P now-2y -A now-2y $ksk1 > /dev/null +$SETTIME -K $dir -P now-2y -A now-2y $zsk1 > /dev/null + +copy_setports policy.conf.in policy.conf +copy_setports 18-nonstd-prepub/policy.conf.in 18-nonstd-prepub/policy.conf +copy_setports 19-old-keys/policy.conf.in 19-old-keys/policy.conf diff --git a/bin/tests/system/keymgr/testpolicy.py b/bin/tests/system/keymgr/testpolicy.py new file mode 100644 index 0000000..d63a079 --- /dev/null +++ b/bin/tests/system/keymgr/testpolicy.py 
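Review bot: None of the fixture-building commands in setup.sh checks its exit status, and in tests 1–8 `$SETTIME ... > /dev/null 2>&1` discards stderr as well, so a failed `dnssec-settime` or an empty `ksk1`/`zsk1` from a failed `$KEYGEN` backtick leaves a silently broken key set; the follow-on `$KEYGEN -K $dir -S $ksk1` then runs with no predecessor key and the later coverage checks fail in a test that has nothing to do with the real cause. Tests 14–19 redirect only stdout (`> /dev/null`), so the two halves of the script are also inconsistent about what they hide. I would drop `2>&1` throughout and make failures stop setup, e.g. `$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null || exit 1`, assuming the harness treats a non-zero exit from setup.sh as a failed test (verify against conf.sh / the run script).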
@@ -0,0 +1,39 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import sys
+from isc import policy
+
+PP = policy.dnssec_policy()
+# print the unmodified default and a generated zone policy
+print(PP.named_policy["default"])
+print(PP.named_policy["global"])
+print(PP.policy("example.com"))
+
+if len(sys.argv) > 0:
+ for policy_file in sys.argv[1:]:
+ PP.load(policy_file)
+
+ # now print the modified default and generated zone policies
+ print(PP.named_policy["default"])
+ print(PP.policy("example.com"))
+ print(PP.policy("example.org"))
+ print(PP.policy("example.net"))
+
+ # print algorithm policies
+ print(PP.alg_policy["RSASHA1"])
+ print(PP.alg_policy["RSASHA256"])
+ print(PP.alg_policy["ECDSAP256SHA256"])
+
+ # print another named policy
+ print(PP.named_policy["extra"])
+else:
+ print("ERROR: Please provide an input file")
diff --git a/bin/tests/system/keymgr/tests.sh b/bin/tests/system/keymgr/tests.sh
new file mode 100644
index 0000000..667277f
--- /dev/null
+++ b/bin/tests/system/keymgr/tests.sh
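Review bot: The guard `if len(sys.argv) > 0:` is always true because argv[0] is the script name, so the `else` branch printing `ERROR: Please provide an input file` is unreachable; run with no arguments, the loop body does nothing and the script instead dies later with a KeyError on `PP.named_policy["extra"]`. Change it to `if len(sys.argv) > 1:`. The error branch also exits 0 and prints to stdout, which keymgr/tests.sh redirects into policy.out for a `cmp` against policy.good; `print("ERROR: Please provide an input file", file=sys.stderr)` followed by `sys.exit(1)` would make the failure visible as a status rather than as a mismatched output file.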
@@ -0,0 +1,146 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=1
+
+matchall () {
+ match_result=ok
+ file=$1
+ while IFS="," read expect matchline; do
+ [ -z "$matchline" ] && continue
+ matches=`grep "$matchline" $file | wc -l`
+ [ "$matches" -ne "$expect" ] && {
+ echo "'$matchline': expected $expect found $matches"
+ return 1
+ }
+ done << EOF
+ $2
+EOF
+ return 0
+}
+
+echo_i "checking for DNSSEC key coverage issues"
+ret=0
+for dir in [0-9][0-9]-*; do
+ ret=0
+ echo_i "$dir ($n)"
+ kargs= cargs= kmatch= cmatch= kret= cret=0 warn= error= ok=
+ . $dir/expect
+
+ # use policy.conf if available
+ policy=""
+ if [ -e "$dir/policy.conf" ]; then
+ policy="-c $dir/policy.conf"
+ if grep -e "-c policy.conf" $dir/expect > /dev/null
+ then
+ echo_i "fix $dir/expect: multiple policy files"
+ ret=1
+ fi
+ else
+ policy="-c policy.conf"
+ fi
+
+ # run keymgr to update keys
+ if [ "$CYGWIN" ]; then
+ $KEYMGR $policy -K $dir -g `cygpath -w $KEYGEN` \
+ -s `cygpath -w $SETTIME` $kargs > keymgr.$n 2>&1
+ else
+ $KEYMGR $policy -K $dir -g $KEYGEN \
+ -s $SETTIME $kargs > keymgr.$n 2>&1
+ fi
+ # check that return code matches expectations
+ found=$?
+ if [ $found -ne $kret ]; then
+ echo "keymgr retcode was $found expected $kret"
+ ret=1
+ fi
+
+ # check for matches in keymgr output
+ matchall keymgr.$n "$kmatch" || ret=1
+
+ # now check coverage
+ $COVERAGE -K $dir $cargs > coverage.$n 2>&1
+ # check that return code matches expectations
+ found=$?
+ if [ $found -ne $cret ]; then
+ echo "coverage retcode was $found expected $cret"
+ ret=1
+ fi
+
+ # check for correct number of errors
+ found=`grep ERROR coverage.$n | wc -l`
+ if [ $found -ne $error ]; then
+ echo "error count was $found expected $error"
+ ret=1
+ fi
+
+ # check for correct number of warnings
+ found=`grep WARNING coverage.$n | wc -l`
+ if [ $found -ne $warn ]; then
+ echo "warning count was $found expected $warn"
+ ret=1
+ fi
+
+ # check for correct number of OKs
+ found=`grep "No errors found" coverage.$n | wc -l`
+ if [ $found -ne $ok ]; then
+ echo "good count was $found expected $ok"
+ ret=1
+ fi
+
+ # check for matches in coverage output
+ matchall coverage.$n "$cmatch" || ret=1
+
+ if [ -f $dir/extra.sh ]; then
+ cd $dir
+ . ./extra.sh
+ cd ..
+ fi
+
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+done
+
+echo_i "checking domains ending in . ($n)"
+ret=0
+$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.1.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.1.$n | wc -l`
+[ "$nkeys" -eq 2 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.2.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.2.$n | wc -l`
+[ "$nkeys" -eq 0 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.3.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.3.$n | wc -l`
+[ "$nkeys" -eq 2 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.4.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.4.$n | wc -l`
+[ "$nkeys" -eq 0 ] || ret=1
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "checking policy.conf parser ($n)"
+ret=0
+PYTHONPATH="../../../python:$PYTHONPATH" ${PYTHON} testpolicy.py policy.sample > policy.out
+$DOS2UNIX policy.out > /dev/null 2>&1
+cmp -s policy.good policy.out || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
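Review bot: The per-directory reset `kargs= cargs= kmatch= cmatch= kret= cret=0 warn= error= ok=` leaves kret, warn, error and ok empty, so an expect file that omits one of them turns `[ $found -ne $kret ]` and the three count checks into a `test` syntax error instead of a counted failure; initialise them to 0 like cret, `kret=0 cret=0 warn=0 error=0 ok=0`, or quote and default them, `[ "$found" -ne "${kret:-0}" ]`. The four `grep … | wc -l` pipelines (and the one inside matchall) can be `grep -c`, which also removes the unquoted `$file` and `coverage.$n` expansions from the pipe. The `. ./extra.sh` hook is sourced in the current shell after `cd $dir`, so an `exit` or a stray `cd` inside a hook ends the whole run or leaves later iterations in the wrong directory; a comment above that block stating what an extra.sh may and may not do would document the contract.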
diff --git a/bin/tests/system/keymgr2kasp/README b/bin/tests/system/keymgr2kasp/README new file mode 100644 index 0000000..f941209 --- /dev/null +++ b/bin/tests/system/keymgr2kasp/README @@ -0,0 +1,17 @@ +Copyright (C) Internet Systems Consortium, Inc. ("ISC") + +SPDX-License-Identifier: MPL-2.0 + +This Source Code Form is subject to the terms of the Mozilla Public +License, v. 2.0. If a copy of the MPL was not distributed with this +file, you can obtain one at https://mozilla.org/MPL/2.0/. + +See the COPYRIGHT file distributed with this work for additional +information regarding copyright ownership. + +The test setup for migrating to KASP tests. + +ns3 is an authoritative server for the various test domains. + +ns4 is an authoritative server that tests a specific case where zones +using views migrate to dnssec-policy. diff --git a/bin/tests/system/keymgr2kasp/clean.sh b/bin/tests/system/keymgr2kasp/clean.sh new file mode 100644 index 0000000..1fe2bb9 --- /dev/null +++ b/bin/tests/system/keymgr2kasp/clean.sh @@ -0,0 +1,34 @@ +#!/bin/sh + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +set -e + +rm -f ns*/K*.private ns*/K*.key ns*/K*.state +rm -f ns*/named.conf ns*/kasp.conf +rm -f ns*/named.memstats ns*/named.run +rm -f ns*/keygen.out* ns*/signer.out* +rm -f ns*/zones +rm -f ns*/dsset-* +rm -f ns*/*.db ns*/*.db.jnl ns*/*.db.jbk +rm -f ns*/*.db.signed* ns*/*.db.infile +rm -f ns*/managed-keys.bind* +rm -f ns*/*.mkeys* +rm -f ./*.created +rm -f ./created.key-* +rm -f ./dig.out* +rm -f ./python.out.* +rm -f ./retired.* +rm -f ./rndc.dnssec.* +rm -f ./unused.key* +rm -f ./verify.out.* + 
diff --git a/bin/tests/system/keymgr2kasp/ns3/kasp.conf.in b/bin/tests/system/keymgr2kasp/ns3/kasp.conf.in new file mode 100644 index 0000000..0dae201 --- /dev/null +++ b/bin/tests/system/keymgr2kasp/ns3/kasp.conf.in 
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "migrate" {
+ dnskey-ttl 7200;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "timing-metadata" {
+ dnskey-ttl 300;
+
+ signatures-refresh P1W;
+ signatures-validity P2W;
+ signatures-validity-dnskey P2W;
+
+ keys {
+ ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ // Together 12h
+ zone-propagation-delay 3600;
+ max-zone-ttl 11h;
+
+ // Together 3h
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
+
+/*
+ * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
+ * to ECDSAP256SHA256 keys.
+ */
+dnssec-policy "migrate-nomatch-algnum" {
+ dnskey-ttl 300;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm ecdsa256;
+ zsk key-directory lifetime P60D algorithm ecdsa256;
+ };
+
+ // Together 12h
+ zone-propagation-delay 3600;
+ max-zone-ttl 11h;
+
+ // Together 3h
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
+
+/*
+ * This policy tests migration from existing keys with 2048 bits RSASHA256 keys
+ * to 3072 bits RSASHA256 keys.
+ */
+dnssec-policy "migrate-nomatch-alglen" {
+ dnskey-ttl 300;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm rsasha256 3072;
+ zsk key-directory lifetime P60D algorithm rsasha256 3072;
+ };
+
+ // Together 12h
+ zone-propagation-delay 3600;
+ max-zone-ttl 11h;
+
+ // Together 3h
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
diff --git a/bin/tests/system/keymgr2kasp/ns3/named.conf.in b/bin/tests/system/keymgr2kasp/ns3/named.conf.in
new file mode 100644
index 0000000..5a71a87
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns3/named.conf.in
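Review bot: The comment above `migrate-nomatch-algnum` says the existing keys are 1024-bit RSASHA1, but ns3/setup.sh generates that zone's keys with `-a RSASHA256 -b 2048`, so the comment describes a fixture the test does not build; suggest `* This policy tests migration from existing keys with 2048 bits RSASHA256 keys` / `* to ECDSAP256SHA256 keys.` to match the sibling `migrate-nomatch-alglen` comment. The `migrate` and `timing-metadata` policies take `@DEFAULT_ALGORITHM@` while the two nomatch policies hard-code `ecdsa256` and `rsasha256 3072`; that looks deliberate, since the test depends on the policy not matching the keys, but a one-line comment saying so would keep a later templating pass from "fixing" them.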
@@ -0,0 +1,98 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + key-directory "."; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* These are zones that migrate to dnssec-policy. */ +zone "migrate.kasp" { + type primary; + file "migrate.kasp.db"; + auto-dnssec maintain; + allow-update { any; }; + dnssec-dnskey-kskonly yes; + update-check-ksk yes; +}; + +zone "csk.kasp" { + type primary; + file "csk.kasp.db"; + auto-dnssec maintain; + allow-update { any; }; + dnssec-dnskey-kskonly no; +}; + +zone "csk-nosep.kasp" { + type primary; + file "csk-nosep.kasp.db"; + auto-dnssec maintain; + allow-update { any; }; + dnssec-dnskey-kskonly no; +}; + +zone "rumoured.kasp" { + type primary; + file "rumoured.kasp.db"; + auto-dnssec maintain; + allow-update { any; }; + dnssec-dnskey-kskonly yes; + update-check-ksk yes; +}; + +zone "omnipresent.kasp" { + type primary; + file "omnipresent.kasp.db"; + auto-dnssec maintain; + allow-update { any; }; + dnssec-dnskey-kskonly yes; + update-check-ksk yes; +}; + +zone "migrate-nomatch-algnum.kasp" { + type primary; + file "migrate-nomatch-algnum.kasp.db"; + auto-dnssec maintain; + allow-update { any; }; + dnssec-dnskey-kskonly yes; + update-check-ksk yes; +}; + +zone 
"migrate-nomatch-alglen.kasp" { + type primary; + file "migrate-nomatch-alglen.kasp.db"; + auto-dnssec maintain; + allow-update { any; }; + dnssec-dnskey-kskonly yes; + update-check-ksk yes; +}; diff --git a/bin/tests/system/keymgr2kasp/ns3/named2.conf.in b/bin/tests/system/keymgr2kasp/ns3/named2.conf.in new file mode 100644 index 0000000..8d5aecb --- /dev/null +++ b/bin/tests/system/keymgr2kasp/ns3/named2.conf.in 
@@ -0,0 +1,87 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +include "kasp.conf"; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* These are zones that migrate to dnssec-policy. */ +zone "migrate.kasp" { + type primary; + file "migrate.kasp.db"; + allow-update { any; }; + dnssec-policy "migrate"; +}; + +zone "csk.kasp" { + type primary; + file "csk.kasp.db"; + allow-update { any; }; + dnssec-policy "default"; +}; + +zone "csk-nosep.kasp" { + type primary; + file "csk-nosep.kasp.db"; + allow-update { any; }; + dnssec-policy "default"; +}; + +zone "rumoured.kasp" { + type primary; + file "rumoured.kasp.db"; + allow-update { any; }; + dnssec-policy "timing-metadata"; +}; + +zone "omnipresent.kasp" { + type primary; + file "omnipresent.kasp.db"; + allow-update { any; }; + dnssec-policy "timing-metadata"; +}; + +zone "migrate-nomatch-algnum.kasp" { + type primary; + file "migrate-nomatch-algnum.kasp.db"; + allow-update { any; }; + dnssec-policy "migrate-nomatch-algnum"; +}; + +zone "migrate-nomatch-alglen.kasp" { + type primary; + file "migrate-nomatch-alglen.kasp.db"; + allow-update { any; }; + dnssec-policy "migrate-nomatch-alglen"; +}; 
diff --git a/bin/tests/system/keymgr2kasp/ns3/setup.sh b/bin/tests/system/keymgr2kasp/ns3/setup.sh new file mode 100644 index 0000000..6c1d0a5 --- /dev/null +++ b/bin/tests/system/keymgr2kasp/ns3/setup.sh 
@@ -0,0 +1,131 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns3/setup.sh"
+
+setup() {
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+}
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+
+# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
+setup migrate.kasp
+echo "$zone" >> zones
+ksktimes="-P now -A now -P sync now"
+zsktimes="-P now -A now"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Set up Single-Type Signing Scheme zones with auto-dnssec maintain to
+# migrate to dnssec-policy. This is a zone that has 'update-check-ksk no;'
+# configured, meaning the zone is signed with a single CSK.
+setup csk.kasp
+echo "$zone" >> zones
+csktimes="-P now -A now -P sync now"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2> keygen.out.$zone.1)
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+setup csk-nosep.kasp
+echo "$zone" >> zones
+csktimes="-P now -A now -P sync now"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2> keygen.out.$zone.1)
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
+# time the existing keys do not match the policy. The existing keys are
+# RSASHA256 keys, and will be migrated to a dnssec-policy that dictates
+# ECDSAP256SHA256 keys.
+setup migrate-nomatch-algnum.kasp
+echo "$zone" >> zones
+Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
+Tkey="now-3900s" # DNSKEY TTL + propagation delay
+Tsig="now-12h" # Zone's maximum TTL + propagation delay
+ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
+zsktimes="-P ${Tkey} -A ${Tsig}"
+KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone 5 "$KSK" >> "$infile"
+private_type_record $zone 5 "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
+# time the existing keys do not match the policy. The existing keys are
+# 2048 bits RSASHA256 keys, and will be migrated to a dnssec-policy that
+# dictates 3072 bits RSASHA256 keys.
+setup migrate-nomatch-alglen.kasp
+echo "$zone" >> zones
+Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
+Tkey="now-3900s" # DNSKEY TTL + propagation delay
+Tsig="now-12h" # Zone's maximum TTL + propagation delay
+ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
+zsktimes="-P ${Tkey} -A ${Tsig}"
+KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone 5 "$KSK" >> "$infile"
+private_type_record $zone 5 "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+#
+# Set up zones to test time metadata correctly sets state.
+#
+
+# Key states expected to be rumoured after migration.
+setup rumoured.kasp
+echo "$zone" >> zones
+Tds="now-2h"
+Tkey="now-300s"
+Tsig="now-11h"
+ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
+zsktimes="-P ${Tkey} -A ${Tsig}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Key states expected to be omnipresent after migration.
+setup omnipresent.kasp
+echo "$zone" >> zones
+Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
+Tkey="now-3900s" # DNSKEY TTL + propagation delay
+Tsig="now-12h" # Zone's maximum TTL + propagation delay
+ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
+zsktimes="-P ${Tkey} -A ${Tsig}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
diff --git a/bin/tests/system/keymgr2kasp/ns3/template.db.in b/bin/tests/system/keymgr2kasp/ns3/template.db.in
new file mode 100644
index 0000000..010b05b
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns3/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/keymgr2kasp/ns4/named.conf.in b/bin/tests/system/keymgr2kasp/ns4/named.conf.in
new file mode 100644
index 0000000..e478404
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/named.conf.in
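Review bot: The script relies on `#!/bin/sh -e` for error handling, but keymgr2kasp/setup.sh invokes it as `$SHELL setup.sh`, which ignores options on the shebang line, so a failing `$KEYGEN` leaves KSK/ZSK empty and the script carries on into `cat` and `$SIGNER` with missing key files instead of stopping; add an explicit `set -e` below the shebang (ns4/setup.sh has the same pattern). For the two `migrate-nomatch-*` zones the keys are generated with `-a RSASHA256` yet the zone gets `private_type_record $zone 5 "$KSK"`, i.e. algorithm number 5 (RSASHA1), whereas ns4/setup.sh uses 8 for RSASHA256 and every other zone here passes `$DEFAULT_ALGORITHM_NUMBER`; if the second argument is the key's algorithm number, as those calls suggest, these should read `private_type_record $zone 8 "$KSK"` and `private_type_record $zone 8 "$ZSK"`. `H`, `R`, `O` and `U` are assigned and never read in this file (likewise in ns4/setup.sh, together with `num`); drop them or annotate them with the shellcheck disable comment the other test scripts use for intentionally unused variables.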
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+ key-directory ".";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key "external" {
+ algorithm @DEFAULT_HMAC@;
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "internal" {
+ algorithm @DEFAULT_HMAC@;
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "ext" {
+ match-clients { key "external"; };
+
+ zone "view-rsasha256.kasp" {
+ type master;
+ file "view-rsasha256.kasp.ext.db";
+ auto-dnssec maintain;
+ inline-signing yes;
+ dnssec-dnskey-kskonly yes;
+ update-check-ksk yes;
+ };
+};
+
+view "int" {
+ match-clients { key "internal"; };
+
+ zone "view-rsasha256.kasp" {
+ type master;
+ file "view-rsasha256.kasp.int.db";
+ auto-dnssec maintain;
+ inline-signing yes;
+ dnssec-dnskey-kskonly yes;
+ update-check-ksk yes;
+ };
+};
diff --git a/bin/tests/system/keymgr2kasp/ns4/named2.conf.in b/bin/tests/system/keymgr2kasp/ns4/named2.conf.in
new file mode 100644
index 0000000..538aedc
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/named2.conf.in
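Review bot: Both view zones use `type master;` while every zone in ns3/named.conf.in and ns3/named2.conf.in in this same commit uses `type primary;`; switch these (and the two zones in ns4/named2.conf.in) to `type primary;` so the fixtures share one spelling. The two views serve the same zone name from different files, and ns4/setup.sh writes the same KSK/ZSK pair into both `view-rsasha256.kasp.ext.db` and `.int.db` while both views inherit the single `key-directory "."` from options; that sharing is presumably the point of the views-migration case, and a short comment on the first view saying so would spare the next reader from treating it as an accidental key reuse.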
@@ -0,0 +1,89 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS4 + +options { + query-source address 10.53.0.4; + notify-source 10.53.0.4; + transfer-source 10.53.0.4; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.4; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + key-directory "."; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +dnssec-policy "rsasha256" { + keys { + zsk key-directory lifetime P3M algorithm 8 2048; + ksk key-directory lifetime P1Y algorithm 8 2048; + }; + + dnskey-ttl 300; + publish-safety 1h; + retire-safety 1h; + + signatures-refresh 5d; + signatures-validity 14d; + signatures-validity-dnskey 14d; + + max-zone-ttl 1d; + zone-propagation-delay 300; + + parent-ds-ttl 86400; + parent-propagation-delay 3h; +}; + +key "external" { + algorithm @DEFAULT_HMAC@; + secret "YPfMoAk6h+3iN8MDRQC004iSNHY="; +}; + +key "internal" { + algorithm @DEFAULT_HMAC@; + secret "4xILSZQnuO1UKubXHkYUsvBRPu8="; +}; + +view "ext" { + match-clients { key "external"; }; + + zone "view-rsasha256.kasp" { + type master; + file "view-rsasha256.kasp.ext.db"; + inline-signing yes; + dnssec-policy "rsasha256"; + }; +}; + +view "int" { + match-clients { key "internal"; }; + + zone "view-rsasha256.kasp" { + type master; + file "view-rsasha256.kasp.int.db"; + inline-signing yes; + dnssec-policy "rsasha256"; + }; +}; 
diff --git a/bin/tests/system/keymgr2kasp/ns4/setup.sh b/bin/tests/system/keymgr2kasp/ns4/setup.sh
new file mode 100644
index 0000000..63121a0
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/setup.sh
@@ -0,0 +1,46 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns4/setup.sh"
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+
+zone="view-rsasha256.kasp"
+algo="RSASHA256"
+num="8"
+echo "$zone" >> zones
+
+# Set up zones in views with auto-dnssec maintain to migrate to dnssec-policy.
+# The keys for these zones are in use long enough that they should start a
+# rollover for the ZSK (P3M), but not long enough to initiate a KSK rollover (P1Y).
+ksktimes="-P -186d -A -186d -P sync -186d"
+zsktimes="-P -186d -A -186d"
+KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $algo -L 300 -b 2048 $zsktimes $zone 2> keygen.out.$zone.2)
+
+echo_i "setting up zone $zone (external)"
+view="ext"
+zonefile="${zone}.${view}.db"
+cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile"
+
+echo_i "setting up zone $zone (internal)"
+view="int"
+zonefile="${zone}.${view}.db"
+cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile"
diff --git a/bin/tests/system/keymgr2kasp/ns4/template.ext.db.in b/bin/tests/system/keymgr2kasp/ns4/template.ext.db.in
new file mode 100644
index 0000000..eecda2f
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/template.ext.db.in
@@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns4 +ns4 A 10.53.0.4 + +view TXT "external" diff --git a/bin/tests/system/keymgr2kasp/ns4/template.int.db.in b/bin/tests/system/keymgr2kasp/ns4/template.int.db.in new file mode 100644 index 0000000..3783d64 --- /dev/null +++ b/bin/tests/system/keymgr2kasp/ns4/template.int.db.in @@ -0,0 +1,24 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns4 +ns4 A 10.53.0.4 + +view TXT "internal" diff --git a/bin/tests/system/keymgr2kasp/setup.sh b/bin/tests/system/keymgr2kasp/setup.sh new file mode 100644 index 0000000..e43f798 --- /dev/null +++ b/bin/tests/system/keymgr2kasp/setup.sh 
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+copy_setports ns3/kasp.conf.in ns3/kasp.conf
+
+# Setup zones
+(
+ cd ns3
+ $SHELL setup.sh
+)
+(
+ cd ns4
+ $SHELL setup.sh
+)
diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh
new file mode 100644
index 0000000..62b58a7
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/tests.sh
@@ -0,0 +1,1137 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+# shellcheck source=kasp.sh
+. ../kasp.sh
+
+start_time="$(TZ=UTC date +%s)"
+status=0
+n=0
+
+###############################################################################
+# Utilities #
+###############################################################################
+
+# Call dig with default options.
+dig_with_opts() {
+
+ if [ -n "$TSIG" ]; then
+ "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@"
+ else
+ "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+ fi
+}
+
+# Log error and increment failure rate.
+log_error() {
+ echo_i "error: $1"
+ ret=$((ret+1))
+}
+
+# Default next key event threshold. May be extended by wait periods.
+next_key_event_threshold=100
+
+###############################################################################
+# Tests #
+###############################################################################
+
+set_retired_removed() {
+ _Lkey=$2
+ _Iret=$3
+
+ _active=$(key_get $1 ACTIVE)
+ set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}"
+ _retired=$(key_get $1 RETIRED)
+ set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
+}
+
+rollover_predecessor_keytimes() {
+ _addtime=$1
+
+ _created=$(key_get KEY1 CREATED)
+
+ set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+
+ _created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+}
+
+# Policy parameters.
+# Lksk: unlimited
+# Lzsk: unlimited
+Lksk=0
+Lzsk=0
+
+
+#################################################
+# Test state before switching to dnssec-policy. #
+#################################################
+
+# Set expected key properties for migration tests.
+# $1 $2: Algorithm number and string.
+# $3 $4: KSK and ZSK size.
+init_migration_keys() {
+ key_clear "KEY1"
+ key_set "KEY1" "LEGACY" "yes"
+ set_keyrole "KEY1" "ksk"
+ set_keylifetime "KEY1" "none"
+ set_keyalgorithm "KEY1" "$1" "$2" "$3"
+ set_keysigning "KEY1" "yes"
+ set_zonesigning "KEY1" "no"
+
+ key_clear "KEY2"
+ key_set "KEY2" "LEGACY" "yes"
+ set_keyrole "KEY2" "zsk"
+ set_keylifetime "KEY2" "none"
+ set_keyalgorithm "KEY2" "$1" "$2" "$4"
+ set_keysigning "KEY2" "no"
+ set_zonesigning "KEY2" "yes"
+
+ key_clear "KEY3"
+ key_clear "KEY4"
+}
+
+# Set expected key states for migration tests.
+# $1: Goal
+# $2: States
+init_migration_states() {
+ set_keystate "KEY1" "GOAL" "$1"
+ set_keystate "KEY1" "STATE_DNSKEY" "$2"
+ set_keystate "KEY1" "STATE_KRRSIG" "$2"
+ set_keystate "KEY1" "STATE_DS" "$2"
+
+ set_keystate "KEY2" "GOAL" "$1"
+ set_keystate "KEY2" "STATE_DNSKEY" "$2"
+ set_keystate "KEY2" "STATE_ZRRSIG" "$2"
+}
+
+#
+# Testing a good migration.
+#
+set_zone "migrate.kasp"
+set_policy "none" "2" "7200"
+set_server "ns3" "10.53.0.3"
+
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "rumoured"
+
+# Make sure the zone is signed with legacy keys.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# These keys are immediately published and activated.
+rollover_predecessor_keytimes 0
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_migrate_ksk=$(key_get KEY1 ID)
+_migrate_zsk=$(key_get KEY2 ID)
+
+#
+# Testing a good migration (CSK).
+#
+set_zone "csk.kasp"
+set_policy "none" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "yes"
+set_keyrole "KEY1" "ksk"
+# This key also acts as a ZSK.
+key_set "KEY1" "ZSK" "yes"
+set_keylifetime "KEY1" "none"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Make sure the zone is signed with legacy key.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# The key is immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
+
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_migrate_csk=$(key_get KEY1 ID)
+
+#
+# Testing a good migration (CSK, no SEP).
+#
+set_zone "csk-nosep.kasp"
+set_policy "none" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "yes"
+set_keyrole "KEY1" "zsk"
+# Despite the missing SEP bit, this key also acts as a KSK.
+key_set "KEY1" "KSK" "yes"
+set_keylifetime "KEY1" "none"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Make sure the zone is signed with legacy key.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# The key is immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
+
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_migrate_csk_nosep=$(key_get KEY1 ID)
+
+#
+# Testing key states derived from key timing metadata (rumoured).
+#
+set_zone "rumoured.kasp"
+set_policy "none" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "rumoured"
+
+# Make sure the zone is signed with legacy keys.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_rumoured_ksk=$(key_get KEY1 ID)
+_rumoured_zsk=$(key_get KEY2 ID)
+
+#
+# Testing key states derived from key timing metadata (omnipresent).
+#
+set_zone "omnipresent.kasp"
+set_policy "none" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "omnipresent"
+
+# Make sure the zone is signed with legacy keys.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_omnipresent_ksk=$(key_get KEY1 ID)
+_omnipresent_zsk=$(key_get KEY2 ID)
+
+#
+# Testing migration with unmatched existing keys (different algorithm).
+#
+set_zone "migrate-nomatch-algnum.kasp"
+set_policy "none" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+init_migration_keys "8" "RSASHA256" "2048" "2048"
+init_migration_states "omnipresent" "omnipresent"
+
+# Make sure the zone is signed with legacy keys.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The KSK is immediately published and activated.
+# -P : now-3900s
+# -P sync: now-3h
+# -A : now-3900s
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+# The ZSK is immediately published and activated.
+# -P: now-3900s
+# -A: now-12h
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Remember legacy key tags.
+_migratenomatch_algnum_ksk=$(key_get KEY1 ID)
+_migratenomatch_algnum_zsk=$(key_get KEY2 ID)
+
+#
+# Testing migration with unmatched existing keys (different length).
+#
+set_zone "migrate-nomatch-alglen.kasp"
+set_policy "none" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+init_migration_keys "8" "RSASHA256" "2048" "2048"
+init_migration_states "omnipresent" "omnipresent"
+
+# Make sure the zone is signed with legacy keys.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The KSK is immediately published and activated.
+# P : now-3900s
+# P sync: now-3h
+# A : now-3900s
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+# - The ZSK is immediately published and activated.
+# P: now-3900s
+# A: now-12h
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Remember legacy key tags.
+_migratenomatch_alglen_ksk=$(key_get KEY1 ID)
+_migratenomatch_alglen_zsk=$(key_get KEY2 ID)
+
+
+#############
+# Reconfig. #
+#############
+echo_i "reconfig (migration to dnssec-policy)"
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+
+# Calculate time passed to correctly check for next key events.
+now="$(TZ=UTC date +%s)"
+time_passed=$((now-start_time))
+echo_i "${time_passed} seconds passed between start of tests and reconfig"
+
+# Wait until we have seen "zone_rekey done:" message for this key.
+_wait_for_done_signing() {
+ _zone=$1
+
+ _ksk=$(key_get $2 KSK)
+ _zsk=$(key_get $2 ZSK)
+ if [ "$_ksk" = "yes" ]; then
+ _role="KSK"
+ _expect_type=EXPECT_KRRSIG
+ elif [ "$_zsk" = "yes" ]; then
+ _role="ZSK"
+ _expect_type=EXPECT_ZRRSIG
+ fi
+
+ if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then
+ _keyid=$(key_get $2 ID)
+ _keyalg=$(key_get $2 ALG_STR)
+ echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
+ grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1
+ fi
+
+ return 0
+}
+wait_for_done_signing() {
+ n=$((n+1))
+ echo_i "wait for zone ${ZONE} is done signing ($n)"
+ ret=0
+
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1
+
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+}
+
+
+################################################
+# Test state after switching to dnssec-policy. #
+################################################
+
+# Policy parameters.
+# ZSK now has lifetime of 60 days (5184000 seconds).
+# The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety.
+Lzsk=5184000
+IretZSK=867900
+
+#
+# Testing good migration.
+#
+set_zone "migrate.kasp"
+set_policy "migrate" "2" "7200"
+set_server "ns3" "10.53.0.3"
+
+# Key properties, timings and metadata should be the same as legacy keys above.
+# However, because the zsk has a lifetime, kasp will set the retired time.
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "rumoured"
+key_set "KEY1" "LEGACY" "no"
+key_set "KEY2" "LEGACY" "no"
+set_keylifetime "KEY1" "${Lksk}"
+set_keylifetime "KEY2" "${Lzsk}"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+rollover_predecessor_keytimes 0
+
+# - Key now has lifetime of 60 days (5184000 seconds).
+# The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety.
+# TTLsig: 1d (86400 seconds)
+# Dprp: 5m (300 seconds)
+# Dsgn: 9d (777600 seconds)
+# retire-safety: 1h (3600 seconds)
+# IretZSK: 10d65m (867900 seconds)
+active=$(key_get KEY2 ACTIVE)
+set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}"
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
+ret=0
+[ $_migrate_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migrate_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Testing a good migration (CSK).
+#
+set_zone "csk.kasp"
+set_policy "default" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "no"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The key was immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
+ret=0
+[ $_migrate_csk = $(key_get KEY1 ID) ] || log_error "mismatch csk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Testing a good migration (CSK, no SEP).
+#
+set_zone "csk-nosep.kasp"
+set_policy "default" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "no"
+set_keyrole "KEY1" "csk"
+key_set "KEY1" "FLAGS" "256"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The key was immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
+ret=0
+[ $_migrate_csk_nosep = $(key_get KEY1 ID) ] || log_error "mismatch csk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Test migration to dnssec-policy, existing keys do not match key algorithm.
+#
+set_zone "migrate-nomatch-algnum.kasp"
+set_policy "migrate-nomatch-algnum" "4" "300"
+set_server "ns3" "10.53.0.3"
+# The legacy keys need to be retired, but otherwise stay present until the
+# new keys are omnipresent, and can be used to construct a chain of trust.
+init_migration_keys "8" "RSASHA256" "2048" "2048"
+init_migration_states "hidden" "omnipresent"
+key_set "KEY1" "LEGACY" "no"
+key_set "KEY2" "LEGACY" "no"
+
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "0"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
+
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "5184000"
+set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY4" "no"
+set_zonesigning "KEY4" "yes"
+
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY3" "STATE_DS" "hidden"
+
+set_keystate "KEY4" "GOAL" "omnipresent"
+set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - KSK must be retired since it no longer matches the policy.
+# P : now-3900s
+# P sync: now-3h
+# A : now-3900s
+# - The key is removed after the retire interval:
+# IretKSK = TTLds + DprpP + retire_safety.
+# TTLds: 2h (7200 seconds)
+# Dprp: 1h (3600 seconds)
+# retire-safety: 1h (3600 seconds)
+# IretKSK: 4h (14400 seconds)
+IretKSK=14400
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+keyfile=$(key_get KEY1 BASEFILE)
+grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
+retired=$(awk '{print $3}' < retired.test${n}.ksk)
+set_keytime "KEY1" "RETIRED" "${retired}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+# - ZSK must be retired since it no longer matches the policy.
+# P: now-3900s
+# A: now-12h
+# - The key is removed after the retire interval:
+# IretZSK = TTLsig + Dprp + Dsgn + retire-safety.
+# TTLsig: 11h (39600 seconds)
+# Dprp: 1h (3600 seconds)
+# Dsgn: 9d (777600 seconds)
+# retire-safety: 1h (3600 seconds)
+# IretZSK: 9d13h (824400 seconds)
+IretZSK=824400
+Lzsk=5184000
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+keyfile=$(key_get KEY2 BASEFILE)
+grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
+retired=$(awk '{print $3}' < retired.test${n}.zsk)
+set_keytime "KEY2" "RETIRED" "${retired}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+# - The new KSK is immediately published and activated.
+created=$(key_get KEY3 CREATED)
+set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "ACTIVE" "${created}"
+# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
+# TTLsig: 11h (39600 seconds)
+# Dprp: 1h (3600 seconds)
+# publish-safety: 1h (3600 seconds)
+# Ipub: 13h (46800 seconds)
+Ipub=46800
+set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
+# - The ZSK is immediately published and activated.
+created=$(key_get KEY4 CREATED)
+set_keytime "KEY4" "PUBLISHED" "${created}"
+set_keytime "KEY4" "ACTIVE" "${created}"
+active=$(key_get KEY4 ACTIVE)
+set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
+retired=$(key_get KEY4 RETIRED)
+set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
+ret=0
+[ $_migratenomatch_algnum_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migratenomatch_algnum_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Test migration to dnssec-policy, existing keys do not match key length.
+#
+set_zone "migrate-nomatch-alglen.kasp"
+set_policy "migrate-nomatch-alglen" "4" "300"
+set_server "ns3" "10.53.0.3"
+
+# The legacy keys need to be retired, but otherwise stay present until the
+# new keys are omnipresent, and can be used to construct a chain of trust.
+init_migration_keys "8" "RSASHA256" "2048" "2048"
+init_migration_states "hidden" "omnipresent"
+key_set "KEY1" "LEGACY" "no"
+key_set "KEY2" "LEGACY" "no"
+
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "0"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
+
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "5184000"
+set_keyalgorithm "KEY4" "8" "RSASHA256" "3072"
+set_keysigning "KEY4" "no"
+# This key is considered to be prepublished, so it is not yet signing.
+set_zonesigning "KEY4" "no"
+
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY3" "STATE_DS" "hidden"
+
+set_keystate "KEY4" "GOAL" "omnipresent"
+set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - KSK must be retired since it no longer matches the policy.
+# P : now-3900s
+# P sync: now-3h
+# A : now-3900s
+# - The key is removed after the retire interval:
+# IretKSK = TTLds + DprpP + retire_safety.
+# TTLds: 2h (7200 seconds)
+# Dprp: 1h (3600 seconds)
+# retire-safety: 1h (3600 seconds)
+# IretKSK: 4h (14400 seconds)
+IretKSK=14400
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+keyfile=$(key_get KEY1 BASEFILE)
+grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
+retired=$(awk '{print $3}' < retired.test${n}.ksk)
+set_keytime "KEY1" "RETIRED" "${retired}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+# - ZSK must be retired since it no longer matches the policy.
+# P: now-3900s
+# A: now-12h
+# - The key is removed after the retire interval:
+# IretZSK = TTLsig + Dprp + Dsgn + retire-safety.
+# TTLsig: 11h (39600 seconds)
+# Dprp: 1h (3600 seconds)
+# Dsgn: 9d (777600 seconds)
+# publish-safety: 1h (3600 seconds)
+# IretZSK: 9d13h (824400 seconds)
+IretZSK=824400
+Lzsk=5184000
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+keyfile=$(key_get KEY2 BASEFILE)
+grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
+retired=$(awk '{print $3}' < retired.test${n}.zsk)
+set_keytime "KEY2" "RETIRED" "${retired}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+# - The new KSK is immediately published and activated.
+created=$(key_get KEY3 CREATED)
+set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "ACTIVE" "${created}"
+# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
+# TTLsig: 11h (39600 seconds)
+# Dprp: 1h (3600 seconds)
+# publish-safety: 1h (3600 seconds)
+# Ipub: 13h (46800 seconds)
+Ipub=46800
+set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
+# - The ZSK is immediately published and activated.
+created=$(key_get KEY4 CREATED)
+set_keytime "KEY4" "PUBLISHED" "${created}"
+set_keytime "KEY4" "ACTIVE" "${created}"
+active=$(key_get KEY4 ACTIVE)
+set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
+retired=$(key_get KEY4 RETIRED)
+set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
+ret=0
+[ $_migratenomatch_alglen_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migratenomatch_alglen_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+########################################################
+# Testing key states derived from key timing metadata. #
+########################################################
+
+# Policy parameters.
+# KSK has lifetime of 60 days (5184000 seconds).
+# The KSK is removed after Iret = DprpP + TTLds + retire-safety =
+# 4h = 14400 seconds.
+Lksk=5184000
+IretKSK=14400
+# ZSK has lifetime of 60 days (5184000 seconds).
+# The ZSK is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety =
+# 181h = 651600 seconds.
+Lzsk=5184000
+IretZSK=651600
+
+#
+# Testing rumoured state.
+#
+set_zone "rumoured.kasp"
+set_policy "timing-metadata" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+# Key properties, timings and metadata should be the same as legacy keys above.
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "rumoured"
+key_set "KEY1" "LEGACY" "no"
+key_set "KEY2" "LEGACY" "no"
+set_keylifetime "KEY1" "${Lksk}"
+set_keylifetime "KEY2" "${Lzsk}"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+#
+# Tds="now-2h" (7200)
+# Tkey="now-300s" (300)
+# Tsig="now-11h" (39600)
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -300
+set_addkeytime "KEY1" "ACTIVE" "${created}" -300
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -7200
+set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -300
+set_addkeytime "KEY2" "ACTIVE" "${created}" -39600
+set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
+ret=0
+[ $_rumoured_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_rumoured_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Testing omnipresent state.
+#
+set_zone "omnipresent.kasp"
+set_policy "timing-metadata" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+# Key properties, timings and metadata should be the same as legacy keys above.
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "omnipresent"
+key_set "KEY1" "LEGACY" "no"
+key_set "KEY2" "LEGACY" "no"
+set_keylifetime "KEY1" "${Lksk}"
+set_keylifetime "KEY2" "${Lzsk}"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+#
+# Tds="now-3h" (10800)
+# Tkey="now-3900s" (3900)
+# Tsig="now-12h" (43200)
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
+ret=0
+[ $_omnipresent_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_omnipresent_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+
+######################################
+# Testing good migration with views. #
+######################################
+init_view_migration() {
+ key_clear "KEY1"
+ key_set "KEY1" "LEGACY" "yes"
+ set_keyrole "KEY1" "ksk"
+ set_keylifetime "KEY1" "0"
+ set_keysigning "KEY1" "yes"
+ set_zonesigning "KEY1" "no"
+
+ key_clear "KEY2"
+ key_set "KEY2" "LEGACY" "yes"
+ set_keyrole "KEY2" "zsk"
+ set_keylifetime "KEY2" "0"
+ set_keysigning "KEY2" "no"
+ set_zonesigning "KEY2" "yes"
+
+ key_clear "KEY3"
+ key_clear "KEY4"
+
+ set_keystate "KEY1" "GOAL" "omnipresent"
+ set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+ set_keystate "KEY1" "STATE_DS" "rumoured"
+
+ set_keystate "KEY2" "GOAL" "omnipresent"
+ set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+}
+
+set_keytimes_view_migration() {
+ # Key is six months in use.
+ created=$(key_get KEY1 CREATED)
+ set_addkeytime "KEY1" "PUBLISHED" "${created}" -16070400
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400
+ set_addkeytime "KEY1" "ACTIVE" "${created}" -16070400
+ created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${created}" -16070400
+ set_addkeytime "KEY2" "ACTIVE" "${created}" -16070400
+}
+
+# Zone view.rsasha256.kasp (external)
+set_zone "view-rsasha256.kasp"
+set_policy "rsasha256" "2" "300"
+set_server "ns4" "10.53.0.4"
+init_view_migration
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+TSIG="$DEFAULT_HMAC:external:$VIEW1"
+wait_for_nsec
+# Make sure the zone is signed with legacy keys.
+check_keys
+set_keytimes_view_migration
+check_keytimes
+dnssec_verify
+
+n=$((n+1))
+# check subdomain
+echo_i "check TXT $ZONE (view ext) rrset is signed correctly ($n)"
+ret=0
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Remember legacy key tags.
+_migrate_ext8_ksk=$(key_get KEY1 ID)
+_migrate_ext8_zsk=$(key_get KEY2 ID)
+
+# Zone view.rsasha256.kasp (internal)
+set_zone "view-rsasha256.kasp"
+set_policy "rsasha256" "2" "300"
+set_server "ns4" "10.53.0.4"
+init_view_migration
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+TSIG="$DEFAULT_HMAC:internal:$VIEW2"
+wait_for_nsec
+# Make sure the zone is signed with legacy keys.
+check_keys
+set_keytimes_view_migration
+check_keytimes
+dnssec_verify
+
+n=$((n+1))
+# check subdomain
+echo_i "check TXT $ZONE (view int) rrset is signed correctly ($n)"
+ret=0
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Remember legacy key tags.
+_migrate_int8_ksk=$(key_get KEY1 ID)
+_migrate_int8_zsk=$(key_get KEY2 ID)
+
+# Reconfig dnssec-policy.
+echo_i "reconfig to switch to dnssec-policy"
+copy_setports ns4/named2.conf.in ns4/named.conf
+rndc_reconfig ns4 10.53.0.4
+
+# Calculate time passed to correctly check for next key events.
+now="$(TZ=UTC date +%s)"
+time_passed=$((now-start_time))
+echo_i "${time_passed} seconds passed between start of tests and reconfig"
+
+#
+# Testing migration (RSASHA256, views).
+#
+set_zone "view-rsasha256.kasp"
+set_policy "rsasha256" "3" "300"
+set_server "ns4" "10.53.0.4"
+init_migration_keys "8" "RSASHA256" "2048" "2048"
+init_migration_states "omnipresent" "rumoured"
+# Key properties, timings and metadata should be the same as legacy keys above.
+# However, because the keys have a lifetime, kasp will set the retired time.
+key_set "KEY1" "LEGACY" "no"
+set_keylifetime "KEY1" "31536000"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+key_set "KEY2" "LEGACY" "no"
+set_keylifetime "KEY2" "8035200"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+# The ZSK needs to be replaced.
+set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "8035200"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "no" # not yet
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
+
+# Various signing policy checks (external).
+TSIG="$DEFAULT_HMAC:external:$VIEW1"
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "ext"
+set_keytimes_view_migration
+
+# Set expected key times:
+published=$(key_get KEY1 PUBLISHED)
+set_keytime "KEY1" "ACTIVE" "${published}"
+set_keytime "KEY1" "SYNCPUBLISH" "${published}"
+# Lifetime: 1 year (8035200 seconds)
+active=$(key_get KEY1 ACTIVE)
+set_addkeytime "KEY1" "RETIRED" "${active}" "31536000"
+# Retire interval:
+# DS TTL: 1d
+# Parent zone propagation: 3h
+# Retire safety: 1h
+# Total: 100800 seconds
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED" "${retired}" "100800"
+
+published=$(key_get KEY2 PUBLISHED)
+set_keytime "KEY2" "ACTIVE" "${published}"
+# Lifetime: 3 months (8035200 seconds)
+active=$(key_get KEY2 ACTIVE)
+set_addkeytime "KEY2" "RETIRED" "${active}" "8035200"
+# Retire interval:
+# Sign delay: 9d (14-5)
+# Max zone TTL: 1d
+# Retire safety: 1h
+# Zone propagation delay: 300s
+# Total: 867900 seconds
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED" "${retired}" "867900"
+
+created=$(key_get KEY3 CREATED)
+set_keytime "KEY3" "PUBLISHED" "${created}"
+# Publication interval:
+# DNSKEY TTL: 300s
+# Publish safety: 1h
+# Zone propagation delay: 300s
+# Total: 4200 seconds
+set_addkeytime "KEY3" "ACTIVE" "${created}" "4200"
+# Lifetime: 3 months (8035200 seconds)
+active=$(key_get KEY3 ACTIVE)
+set_addkeytime "KEY3" "RETIRED" "${active}" "8035200"
+# Retire interval:
+# Sign delay: 9d (14-5)
+# Max zone TTL: 1d
+# Retire safety: 1h
+# Zone propagation delay: 300s
+# Total: 867900 seconds
+retired=$(key_get KEY3 RETIRED)
+set_addkeytime "KEY3" "REMOVED" "${retired}" "867900"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+dnssec_verify
+
+# Various signing policy checks (internal).
+TSIG="$DEFAULT_HMAC:internal:$VIEW2"
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "int"
+set_keytimes_view_migration
+check_keytimes
+check_apex
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
+ret=0
+[ $_migrate_ext8_ksk = $_migrate_int8_ksk ] || log_error "mismatch ksk tag"
+[ $_migrate_ext8_zsk = $_migrate_int8_zsk ] || log_error "mismatch zsk tag"
+[ $_migrate_ext8_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migrate_ext8_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1 |
