summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/keymgr
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 07:24:22 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-27 07:24:22 +0000
commit45d6379135504814ab723b57f0eb8be23393a51d (patch)
treed4f2ec4acca824a8446387a758b0ce4238a4dffa /bin/tests/system/keymgr
parentInitial commit. (diff)
downloadbind9-45d6379135504814ab723b57f0eb8be23393a51d.tar.xz
bind9-45d6379135504814ab723b57f0eb8be23393a51d.zip
Adding upstream version 1:9.16.44.upstream/1%9.16.44
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--bin/tests/system/keymgr/01-ksk-inactive/README6
-rw-r--r--bin/tests/system/keymgr/01-ksk-inactive/expect9
-rw-r--r--bin/tests/system/keymgr/02-zsk-inactive/README6
-rw-r--r--bin/tests/system/keymgr/02-zsk-inactive/expect9
-rw-r--r--bin/tests/system/keymgr/03-ksk-unpublished/README6
-rw-r--r--bin/tests/system/keymgr/03-ksk-unpublished/expect9
-rw-r--r--bin/tests/system/keymgr/04-zsk-unpublished/README6
-rw-r--r--bin/tests/system/keymgr/04-zsk-unpublished/expect9
-rw-r--r--bin/tests/system/keymgr/05-ksk-unpub-active/README7
-rw-r--r--bin/tests/system/keymgr/05-ksk-unpub-active/expect9
-rw-r--r--bin/tests/system/keymgr/06-zsk-unpub-active/README7
-rw-r--r--bin/tests/system/keymgr/06-zsk-unpub-active/expect9
-rw-r--r--bin/tests/system/keymgr/07-ksk-ttl/README6
-rw-r--r--bin/tests/system/keymgr/07-ksk-ttl/expect9
-rw-r--r--bin/tests/system/keymgr/08-zsk-ttl/README6
-rw-r--r--bin/tests/system/keymgr/08-zsk-ttl/expect9
-rw-r--r--bin/tests/system/keymgr/09-no-keys/README5
-rw-r--r--bin/tests/system/keymgr/09-no-keys/expect9
-rw-r--r--bin/tests/system/keymgr/10-change-roll/README7
-rw-r--r--bin/tests/system/keymgr/10-change-roll/expect9
-rw-r--r--bin/tests/system/keymgr/11-many-simul/README6
-rw-r--r--bin/tests/system/keymgr/11-many-simul/expect9
-rw-r--r--bin/tests/system/keymgr/12-many-active/README6
-rw-r--r--bin/tests/system/keymgr/12-many-active/expect9
-rw-r--r--bin/tests/system/keymgr/13-noroll/README6
-rw-r--r--bin/tests/system/keymgr/13-noroll/expect9
-rw-r--r--bin/tests/system/keymgr/14-wrongalg/README6
-rw-r--r--bin/tests/system/keymgr/14-wrongalg/expect9
-rw-r--r--bin/tests/system/keymgr/15-unspec/README6
-rw-r--r--bin/tests/system/keymgr/15-unspec/expect9
-rw-r--r--bin/tests/system/keymgr/16-wrongalg-unspec/README6
-rw-r--r--bin/tests/system/keymgr/16-wrongalg-unspec/expect9
-rw-r--r--bin/tests/system/keymgr/17-noforce/README6
-rw-r--r--bin/tests/system/keymgr/17-noforce/expect9
-rw-r--r--bin/tests/system/keymgr/18-nonstd-prepub/README7
-rw-r--r--bin/tests/system/keymgr/18-nonstd-prepub/expect9
-rw-r--r--bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in20
-rw-r--r--bin/tests/system/keymgr/19-old-keys/README7
-rw-r--r--bin/tests/system/keymgr/19-old-keys/expect12
-rw-r--r--bin/tests/system/keymgr/19-old-keys/extra.sh23
-rw-r--r--bin/tests/system/keymgr/19-old-keys/policy.conf.in20
-rw-r--r--bin/tests/system/keymgr/clean.sh21
-rw-r--r--bin/tests/system/keymgr/policy.conf.in23
-rw-r--r--bin/tests/system/keymgr/policy.good187
-rw-r--r--bin/tests/system/keymgr/policy.sample60
-rw-r--r--bin/tests/system/keymgr/setup.sh192
-rw-r--r--bin/tests/system/keymgr/testpolicy.py39
-rw-r--r--bin/tests/system/keymgr/tests.sh146
-rw-r--r--bin/tests/system/keymgr2kasp/README17
-rw-r--r--bin/tests/system/keymgr2kasp/clean.sh34
-rw-r--r--bin/tests/system/keymgr2kasp/ns3/kasp.conf.in84
-rw-r--r--bin/tests/system/keymgr2kasp/ns3/named.conf.in98
-rw-r--r--bin/tests/system/keymgr2kasp/ns3/named2.conf.in87
-rw-r--r--bin/tests/system/keymgr2kasp/ns3/setup.sh131
-rw-r--r--bin/tests/system/keymgr2kasp/ns3/template.db.in27
-rw-r--r--bin/tests/system/keymgr2kasp/ns4/named.conf.in72
-rw-r--r--bin/tests/system/keymgr2kasp/ns4/named2.conf.in89
-rw-r--r--bin/tests/system/keymgr2kasp/ns4/setup.sh46
-rw-r--r--bin/tests/system/keymgr2kasp/ns4/template.ext.db.in24
-rw-r--r--bin/tests/system/keymgr2kasp/ns4/template.int.db.in24
-rw-r--r--bin/tests/system/keymgr2kasp/setup.sh34
-rw-r--r--bin/tests/system/keymgr2kasp/tests.sh1137
62 files changed, 2927 insertions, 0 deletions
diff --git a/bin/tests/system/keymgr/01-ksk-inactive/README b/bin/tests/system/keymgr/01-ksk-inactive/README
new file mode 100644
index 0000000..a79314e
--- /dev/null
+++ b/bin/tests/system/keymgr/01-ksk-inactive/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one KSK rollover. The KSK is deactivated prior to
+its replacement being activated.
diff --git a/bin/tests/system/keymgr/01-ksk-inactive/expect b/bin/tests/system/keymgr/01-ksk-inactive/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/01-ksk-inactive/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/02-zsk-inactive/README b/bin/tests/system/keymgr/02-zsk-inactive/README
new file mode 100644
index 0000000..8997e0a
--- /dev/null
+++ b/bin/tests/system/keymgr/02-zsk-inactive/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one ZSK rollover. The first ZSK is deactivated
+prior to its replacement being activated.
diff --git a/bin/tests/system/keymgr/02-zsk-inactive/expect b/bin/tests/system/keymgr/02-zsk-inactive/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/02-zsk-inactive/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/03-ksk-unpublished/README b/bin/tests/system/keymgr/03-ksk-unpublished/README
new file mode 100644
index 0000000..4086a31
--- /dev/null
+++ b/bin/tests/system/keymgr/03-ksk-unpublished/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set contains one KSK rollover. The KSK is unpublished before its
+successor is published.
diff --git a/bin/tests/system/keymgr/03-ksk-unpublished/expect b/bin/tests/system/keymgr/03-ksk-unpublished/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/03-ksk-unpublished/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/04-zsk-unpublished/README b/bin/tests/system/keymgr/04-zsk-unpublished/README
new file mode 100644
index 0000000..a3bbe85
--- /dev/null
+++ b/bin/tests/system/keymgr/04-zsk-unpublished/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set contains one ZSK rollover. The ZSK is unpublished before its
+successor is published.
diff --git a/bin/tests/system/keymgr/04-zsk-unpublished/expect b/bin/tests/system/keymgr/04-zsk-unpublished/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/04-zsk-unpublished/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/05-ksk-unpub-active/README b/bin/tests/system/keymgr/05-ksk-unpub-active/README
new file mode 100644
index 0000000..5b47456
--- /dev/null
+++ b/bin/tests/system/keymgr/05-ksk-unpub-active/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one KSK rollover. The first KSK is deleted
+and its successor published prior to the first KSK being deactivated
+and its successor activated.
diff --git a/bin/tests/system/keymgr/05-ksk-unpub-active/expect b/bin/tests/system/keymgr/05-ksk-unpub-active/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/05-ksk-unpub-active/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/06-zsk-unpub-active/README b/bin/tests/system/keymgr/06-zsk-unpub-active/README
new file mode 100644
index 0000000..5b47456
--- /dev/null
+++ b/bin/tests/system/keymgr/06-zsk-unpub-active/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one KSK rollover. The first KSK is deleted
+and its successor published prior to the first KSK being deactivated
+and its successor activated.
diff --git a/bin/tests/system/keymgr/06-zsk-unpub-active/expect b/bin/tests/system/keymgr/06-zsk-unpub-active/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/06-zsk-unpub-active/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/07-ksk-ttl/README b/bin/tests/system/keymgr/07-ksk-ttl/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/07-ksk-ttl/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/07-ksk-ttl/expect b/bin/tests/system/keymgr/07-ksk-ttl/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/07-ksk-ttl/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/08-zsk-ttl/README b/bin/tests/system/keymgr/08-zsk-ttl/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/08-zsk-ttl/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/08-zsk-ttl/expect b/bin/tests/system/keymgr/08-zsk-ttl/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/08-zsk-ttl/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/09-no-keys/README b/bin/tests/system/keymgr/09-no-keys/README
new file mode 100644
index 0000000..7de6d40
--- /dev/null
+++ b/bin/tests/system/keymgr/09-no-keys/README
@@ -0,0 +1,5 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has no key set, but one will be initialized by dnssec-keymgr.
diff --git a/bin/tests/system/keymgr/09-no-keys/expect b/bin/tests/system/keymgr/09-no-keys/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/09-no-keys/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/10-change-roll/README b/bin/tests/system/keymgr/10-change-roll/README
new file mode 100644
index 0000000..c83de5f
--- /dev/null
+++ b/bin/tests/system/keymgr/10-change-roll/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has a key set which is valid, but has a ZSK rollover period
+of only three months. It will be updated to have a ZSK rollover period of
+one year.
diff --git a/bin/tests/system/keymgr/10-change-roll/expect b/bin/tests/system/keymgr/10-change-roll/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/10-change-roll/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/11-many-simul/README b/bin/tests/system/keymgr/11-many-simul/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/11-many-simul/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/11-many-simul/expect b/bin/tests/system/keymgr/11-many-simul/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/11-many-simul/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/12-many-active/README b/bin/tests/system/keymgr/12-many-active/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/12-many-active/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/12-many-active/expect b/bin/tests/system/keymgr/12-many-active/expect
new file mode 100644
index 0000000..67fc4e9
--- /dev/null
+++ b/bin/tests/system/keymgr/12-many-active/expect
@@ -0,0 +1,9 @@
+kargs="-f example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/13-noroll/README b/bin/tests/system/keymgr/13-noroll/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/13-noroll/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/13-noroll/expect b/bin/tests/system/keymgr/13-noroll/expect
new file mode 100644
index 0000000..67fc4e9
--- /dev/null
+++ b/bin/tests/system/keymgr/13-noroll/expect
@@ -0,0 +1,9 @@
+kargs="-f example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/14-wrongalg/README b/bin/tests/system/keymgr/14-wrongalg/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/14-wrongalg/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/14-wrongalg/expect b/bin/tests/system/keymgr/14-wrongalg/expect
new file mode 100644
index 0000000..bd5eadb
--- /dev/null
+++ b/bin/tests/system/keymgr/14-wrongalg/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=4
diff --git a/bin/tests/system/keymgr/15-unspec/README b/bin/tests/system/keymgr/15-unspec/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/15-unspec/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/15-unspec/expect b/bin/tests/system/keymgr/15-unspec/expect
new file mode 100644
index 0000000..ad300c4
--- /dev/null
+++ b/bin/tests/system/keymgr/15-unspec/expect
@@ -0,0 +1,9 @@
+kargs=""
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/16-wrongalg-unspec/README b/bin/tests/system/keymgr/16-wrongalg-unspec/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/16-wrongalg-unspec/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/16-wrongalg-unspec/expect b/bin/tests/system/keymgr/16-wrongalg-unspec/expect
new file mode 100644
index 0000000..c836535
--- /dev/null
+++ b/bin/tests/system/keymgr/16-wrongalg-unspec/expect
@@ -0,0 +1,9 @@
+kargs=""
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=4
diff --git a/bin/tests/system/keymgr/17-noforce/README b/bin/tests/system/keymgr/17-noforce/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/17-noforce/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/17-noforce/expect b/bin/tests/system/keymgr/17-noforce/expect
new file mode 100644
index 0000000..029a4e9
--- /dev/null
+++ b/bin/tests/system/keymgr/17-noforce/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=1
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/README b/bin/tests/system/keymgr/18-nonstd-prepub/README
new file mode 100644
index 0000000..4ee0a8a
--- /dev/null
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has a key set which is valid, but will expire within
+the rollover period. The prepublication interval in policy.conf is a
+nonstandard value.
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/expect b/bin/tests/system/keymgr/18-nonstd-prepub/expect
new file mode 100644
index 0000000..e8518d8
--- /dev/null
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 1d example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in b/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in
new file mode 100644
index 0000000..757311a
--- /dev/null
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy default {
+ policy global;
+ algorithm @DEFAULT_ALGORITHM@;
+ pre-publish zsk 2w;
+ roll-period zsk 6mo;
+ coverage 364d;
+};
diff --git a/bin/tests/system/keymgr/19-old-keys/README b/bin/tests/system/keymgr/19-old-keys/README
new file mode 100644
index 0000000..bd66ba8
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has a key set which is valid, but which was published
+and activated more than one rollover period ago. dnssec-keymgr should
+not mark the keys as already being inactive and deleted.
diff --git a/bin/tests/system/keymgr/19-old-keys/expect b/bin/tests/system/keymgr/19-old-keys/expect
new file mode 100644
index 0000000..ad73b53
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/expect
@@ -0,0 +1,12 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 1w example.com"
+cmatch="4,Publish
+4,Activate
+2,Inactive
+2,Delete"
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/19-old-keys/extra.sh b/bin/tests/system/keymgr/19-old-keys/extra.sh
new file mode 100644
index 0000000..502d951
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/extra.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+now=`$PERL -e 'print time()."\n";'`
+for keyfile in K*.key; do
+ inactive=`$SETTIME -upI $keyfile | awk '{print $2}'`
+ if [ "$inactive" = UNSET ]; then
+ continue
+ elif [ "$inactive" -lt "$now" ]; then
+ echo_d "inactive date is in the past"
+ ret=1
+ fi
+done
diff --git a/bin/tests/system/keymgr/19-old-keys/policy.conf.in b/bin/tests/system/keymgr/19-old-keys/policy.conf.in
new file mode 100644
index 0000000..757311a
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/policy.conf.in
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy default {
+ policy global;
+ algorithm @DEFAULT_ALGORITHM@;
+ pre-publish zsk 2w;
+ roll-period zsk 6mo;
+ coverage 364d;
+};
diff --git a/bin/tests/system/keymgr/clean.sh b/bin/tests/system/keymgr/clean.sh
new file mode 100644
index 0000000..d8cad32
--- /dev/null
+++ b/bin/tests/system/keymgr/clean.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f 18-nonstd-prepub/policy.conf
+rm -f 19-old-keys/policy.conf
+rm -f K*.key */K*.key
+rm -f K*.private */K*.private
+rm -f coverage.* keymgr.* settime.*
+rm -f ns*/managed-keys.bind*
+rm -f policy.conf
+rm -f policy.out
diff --git a/bin/tests/system/keymgr/policy.conf.in b/bin/tests/system/keymgr/policy.conf.in
new file mode 100644
index 0000000..d6bc925
--- /dev/null
+++ b/bin/tests/system/keymgr/policy.conf.in
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy default {
+ policy global;
+ algorithm @DEFAULT_ALGORITHM@;
+ key-size zsk 1024;
+ pre-publish zsk 6w;
+ post-publish zsk 6w;
+ roll-period zsk 6mo;
+ roll-period ksk 0;
+ coverage 364d;
+};
diff --git a/bin/tests/system/keymgr/policy.good b/bin/tests/system/keymgr/policy.good
new file mode 100644
index 0000000..eb23246
--- /dev/null
+++ b/bin/tests/system/keymgr/policy.good
@@ -0,0 +1,187 @@
+policy default:
+ inherits global
+ directory None
+ algorithm None
+ coverage None
+ ksk_keysize None
+ zsk_keysize None
+ ksk_rollperiod None
+ zsk_rollperiod None
+ ksk_prepublish None
+ ksk_postpublish None
+ zsk_prepublish None
+ zsk_postpublish None
+ ksk_standby None
+ zsk_standby None
+ keyttl None
+
+policy global:
+ inherits None
+ directory None
+ algorithm RSASHA256
+ coverage 15552000
+ ksk_keysize 2048
+ zsk_keysize 2048
+ ksk_rollperiod None
+ zsk_rollperiod 31536000
+ ksk_prepublish 2592000
+ ksk_postpublish 2592000
+ zsk_prepublish 2592000
+ zsk_postpublish 2592000
+ ksk_standby None
+ zsk_standby None
+ keyttl 3600
+
+constructed policy example.com:
+ inherits global
+ directory None
+ algorithm RSASHA256
+ coverage 15552000
+ ksk_keysize 2048
+ zsk_keysize 2048
+ ksk_rollperiod None
+ zsk_rollperiod 31536000
+ ksk_prepublish 2592000
+ ksk_postpublish 2592000
+ zsk_prepublish 2592000
+ zsk_postpublish 2592000
+ ksk_standby None
+ zsk_standby None
+ keyttl 3600
+
+policy default:
+ inherits None
+ directory "keydir"
+ algorithm RSASHA1
+ coverage 31536000
+ ksk_keysize None
+ zsk_keysize None
+ ksk_rollperiod None
+ zsk_rollperiod 15552000
+ ksk_prepublish None
+ ksk_postpublish None
+ zsk_prepublish 3628800
+ zsk_postpublish 3628800
+ ksk_standby None
+ zsk_standby None
+ keyttl 3600
+
+zone policy example.com:
+ inherits extra
+ directory "keydir"
+ algorithm NSEC3RSASHA1
+ coverage 12960000
+ ksk_keysize 2048
+ zsk_keysize 2048
+ ksk_rollperiod 31536000
+ zsk_rollperiod 7776000
+ ksk_prepublish 7776000
+ ksk_postpublish None
+ zsk_prepublish 3628800
+ zsk_postpublish 604800
+ ksk_standby None
+ zsk_standby None
+ keyttl 7200
+
+constructed policy example.org:
+ inherits None
+ directory "keydir"
+ algorithm RSASHA1
+ coverage 31536000
+ ksk_keysize 2048
+ zsk_keysize 1024
+ ksk_rollperiod None
+ zsk_rollperiod 15552000
+ ksk_prepublish None
+ ksk_postpublish None
+ zsk_prepublish 3628800
+ zsk_postpublish 3628800
+ ksk_standby None
+ zsk_standby None
+ keyttl 3600
+
+constructed policy example.net:
+ inherits None
+ directory "keydir"
+ algorithm RSASHA1
+ coverage 31536000
+ ksk_keysize 2048
+ zsk_keysize 1024
+ ksk_rollperiod None
+ zsk_rollperiod 15552000
+ ksk_prepublish None
+ ksk_postpublish None
+ zsk_prepublish 3628800
+ zsk_postpublish 3628800
+ ksk_standby None
+ zsk_standby None
+ keyttl 3600
+
+algorithm policy RSASHA1:
+ inherits None
+ directory None
+ algorithm None
+ coverage None
+ ksk_keysize 2048
+ zsk_keysize 1024
+ ksk_rollperiod None
+ zsk_rollperiod None
+ ksk_prepublish None
+ ksk_postpublish None
+ zsk_prepublish None
+ zsk_postpublish None
+ ksk_standby None
+ zsk_standby None
+ keyttl None
+
+algorithm policy RSASHA256:
+ inherits None
+ directory None
+ algorithm RSASHA256
+ coverage None
+ ksk_keysize 2048
+ zsk_keysize 2048
+ ksk_rollperiod None
+ zsk_rollperiod None
+ ksk_prepublish None
+ ksk_postpublish None
+ zsk_prepublish None
+ zsk_postpublish None
+ ksk_standby None
+ zsk_standby None
+ keyttl None
+
+algorithm policy ECDSAP256SHA256:
+ inherits None
+ directory None
+ algorithm ECDSAP256SHA256
+ coverage None
+ ksk_keysize None
+ zsk_keysize None
+ ksk_rollperiod None
+ zsk_rollperiod None
+ ksk_prepublish None
+ ksk_postpublish None
+ zsk_prepublish None
+ zsk_postpublish None
+ ksk_standby None
+ zsk_standby None
+ keyttl None
+
+policy extra:
+ inherits default
+ directory None
+ algorithm None
+ coverage 157680000
+ ksk_keysize None
+ zsk_keysize None
+ ksk_rollperiod 31536000
+ zsk_rollperiod 7776000
+ ksk_prepublish 7776000
+ ksk_postpublish None
+ zsk_prepublish None
+ zsk_postpublish 604800
+ ksk_standby None
+ zsk_standby None
+ keyttl 7200
+
diff --git a/bin/tests/system/keymgr/policy.sample b/bin/tests/system/keymgr/policy.sample
new file mode 100644
index 0000000..8683e27
--- /dev/null
+++ b/bin/tests/system/keymgr/policy.sample
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# a comment which should be skipped
+
+algorithm-policy rsasha1 {
+ key-size ksk 2048;
+ key-size zsk 1024; // this too
+};
+
+// and this
+
+policy default {
+ directory "keydir";
+ algorithm rsasha1;
+ coverage 1y; # another comment
+ roll-period zsk 6mo; // and yet another
+ pre-publish zsk 6w;
+ post-publish zsk 6w;
+ keyttl 1h;
+};
+
+policy extra {
+ policy default;
+ coverage 5y;
+ roll-period KSK 1 year;
+ roll-period zsk 3mo;
+ pre-publish ksk 3mo;
+ post-publish zsk 1w;
+ keyttl 2h;
+};
+
+/*
+ * and this is also a comment,
+ * and it should be ignored like
+ * the others.
+ */
+
+zone example.com {
+ policy extra;
+ coverage 5 mon;
+ algorithm nsec3rsasha1;
+};
+
+/*
+ * This confirms that zones starting with digits are accepted.
+ */
+zone "99example.com" {
+ policy global;
+};
diff --git a/bin/tests/system/keymgr/setup.sh b/bin/tests/system/keymgr/setup.sh
new file mode 100644
index 0000000..d7cef0c
--- /dev/null
+++ b/bin/tests/system/keymgr/setup.sh
@@ -0,0 +1,192 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+KEYGEN="$KEYGEN -q"
+
+# Test 1: KSK goes inactive before successor is active
+dir=01-ksk-inactive
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=`$KEYGEN -K $dir -S $ksk1`
+$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+
+# Test 2: ZSK goes inactive before successor is active
+dir=02-zsk-inactive
+echo_i "set up $dir"
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=`$KEYGEN -K $dir -S $zsk1`
+$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+
+# Test 3: KSK is unpublished before its successor is published
+dir=03-ksk-unpublished
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=`$KEYGEN -K $dir -S $ksk1`
+$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+
+# Test 4: ZSK is unpublished before its successor is published
+dir=04-zsk-unpublished
+echo_i "set up $dir"
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=`$KEYGEN -K $dir -S $zsk1`
+$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+
+# Test 5: KSK deleted and successor published before KSK is deactivated
+# and successor activated.
+dir=05-ksk-unpub-active
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
+ksk2=`$KEYGEN -K $dir -S $ksk1`
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+
+# Test 6: ZSK deleted and successor published before ZSK is deactivated
+# and successor activated.
+dir=06-zsk-unpub-active
+echo_i "set up $dir"
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
+zsk2=`$KEYGEN -K $dir -S $zsk1`
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+
+# Test 7: KSK rolled with insufficient delay after prepublication.
+dir=07-ksk-ttl
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=`$KEYGEN -K $dir -S $ksk1`
+$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+
+# Test 8: ZSK rolled with insufficient delay after prepublication.
+dir=08-zsk-ttl
+echo_i "set up $dir"
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=`$KEYGEN -K $dir -S $zsk1`
+# allow only 1 day between publication and activation
+$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+
+# Test 9: No special preparation needed
+
+# Test 10: Valid key set, but rollover period has changed
+dir=10-change-roll
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I +3mo -D +4mo $zsk1 > /dev/null 2>&1
+zsk2=`$KEYGEN -K $dir -S $zsk1`
+
+# Test 11: Many keys all simultaneously scheduled to be active in the future
+dir=11-many-simul
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk -P now+1mo -A now+1mo example.com`
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com`
+z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com`
+z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com`
+z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com`
+
+# Test 12: Many keys all simultaneously scheduled to be active in the past
+dir=12-many-active
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+
+# Test 13: Multiple simultaneous keys with no configured roll period
+dir=13-noroll
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+k2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+k3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+
+# Test 14: Keys exist but have the wrong algorithm
+dir=14-wrongalg
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -qfk example.com`
+z1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -q example.com`
+$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
+z2=`$KEYGEN -K $dir -q -S ${z1}.key`
+$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
+z3=`$KEYGEN -K $dir -q -S ${z2}.key`
+$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null
+z4=`$KEYGEN -K $dir -q -S ${z3}.key`
+
+# Test 15: No zones specified; just search the directory for keys
+dir=15-unspec
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
+z2=`$KEYGEN -K $dir -q -S ${z1}.key`
+$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
+z3=`$KEYGEN -K $dir -q -S ${z2}.key`
+$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null
+z4=`$KEYGEN -K $dir -q -S ${z3}.key`
+
+# Test 16: No zones specified; search the directory for keys;
+# keys have the wrong algorithm for their policies
+dir=16-wrongalg-unspec
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -qfk example.com`
+z1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -q example.com`
+$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
+z2=`$KEYGEN -K $dir -q -S ${z1}.key`
+$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
+z3=`$KEYGEN -K $dir -q -S ${z2}.key`
+$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null
+z4=`$KEYGEN -K $dir -q -S ${z3}.key`
+
+# Test 17: Keys are simultaneously active but we run with no force
+# flag (this should fail)
+dir=17-noforce
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+
+# Test 18: Prepublication interval is set to a nonstandard value
+dir=18-nonstd-prepub
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null
+
+# Test 19: Key has been published/active a long time
+dir=19-old-keys
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -P now-2y -A now-2y $ksk1 > /dev/null
+$SETTIME -K $dir -P now-2y -A now-2y $zsk1 > /dev/null
+
+copy_setports policy.conf.in policy.conf
+copy_setports 18-nonstd-prepub/policy.conf.in 18-nonstd-prepub/policy.conf
+copy_setports 19-old-keys/policy.conf.in 19-old-keys/policy.conf
diff --git a/bin/tests/system/keymgr/testpolicy.py b/bin/tests/system/keymgr/testpolicy.py
new file mode 100644
index 0000000..d63a079
--- /dev/null
+++ b/bin/tests/system/keymgr/testpolicy.py
@@ -0,0 +1,39 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import sys
+from isc import policy
+
+PP = policy.dnssec_policy()
+# print the unmodified default and a generated zone policy
+print(PP.named_policy["default"])
+print(PP.named_policy["global"])
+print(PP.policy("example.com"))
+
+if len(sys.argv) > 0:
+ for policy_file in sys.argv[1:]:
+ PP.load(policy_file)
+
+ # now print the modified default and generated zone policies
+ print(PP.named_policy["default"])
+ print(PP.policy("example.com"))
+ print(PP.policy("example.org"))
+ print(PP.policy("example.net"))
+
+ # print algorithm policies
+ print(PP.alg_policy["RSASHA1"])
+ print(PP.alg_policy["RSASHA256"])
+ print(PP.alg_policy["ECDSAP256SHA256"])
+
+ # print another named policy
+ print(PP.named_policy["extra"])
+else:
+ print("ERROR: Please provide an input file")
diff --git a/bin/tests/system/keymgr/tests.sh b/bin/tests/system/keymgr/tests.sh
new file mode 100644
index 0000000..667277f
--- /dev/null
+++ b/bin/tests/system/keymgr/tests.sh
@@ -0,0 +1,146 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=1
+
+matchall () {
+ match_result=ok
+ file=$1
+ while IFS="," read expect matchline; do
+ [ -z "$matchline" ] && continue
+ matches=`grep "$matchline" $file | wc -l`
+ [ "$matches" -ne "$expect" ] && {
+ echo "'$matchline': expected $expect found $matches"
+ return 1
+ }
+ done << EOF
+ $2
+EOF
+ return 0
+}
+
+echo_i "checking for DNSSEC key coverage issues"
+ret=0
+for dir in [0-9][0-9]-*; do
+ ret=0
+ echo_i "$dir ($n)"
+ kargs= cargs= kmatch= cmatch= kret= cret=0 warn= error= ok=
+ . $dir/expect
+
+ # use policy.conf if available
+ policy=""
+ if [ -e "$dir/policy.conf" ]; then
+ policy="-c $dir/policy.conf"
+ if grep -e "-c policy.conf" $dir/expect > /dev/null
+ then
+ echo_i "fix $dir/expect: multiple policy files"
+ ret=1
+ fi
+ else
+ policy="-c policy.conf"
+ fi
+
+ # run keymgr to update keys
+ if [ "$CYGWIN" ]; then
+ $KEYMGR $policy -K $dir -g `cygpath -w $KEYGEN` \
+ -s `cygpath -w $SETTIME` $kargs > keymgr.$n 2>&1
+ else
+ $KEYMGR $policy -K $dir -g $KEYGEN \
+ -s $SETTIME $kargs > keymgr.$n 2>&1
+ fi
+ # check that return code matches expectations
+ found=$?
+ if [ $found -ne $kret ]; then
+ echo "keymgr retcode was $found expected $kret"
+ ret=1
+ fi
+
+ # check for matches in keymgr output
+ matchall keymgr.$n "$kmatch" || ret=1
+
+ # now check coverage
+ $COVERAGE -K $dir $cargs > coverage.$n 2>&1
+ # check that return code matches expectations
+ found=$?
+ if [ $found -ne $cret ]; then
+ echo "coverage retcode was $found expected $cret"
+ ret=1
+ fi
+
+ # check for correct number of errors
+ found=`grep ERROR coverage.$n | wc -l`
+ if [ $found -ne $error ]; then
+ echo "error count was $found expected $error"
+ ret=1
+ fi
+
+ # check for correct number of warnings
+ found=`grep WARNING coverage.$n | wc -l`
+ if [ $found -ne $warn ]; then
+ echo "warning count was $found expected $warn"
+ ret=1
+ fi
+
+ # check for correct number of OKs
+ found=`grep "No errors found" coverage.$n | wc -l`
+ if [ $found -ne $ok ]; then
+ echo "good count was $found expected $ok"
+ ret=1
+ fi
+
+ # check for matches in coverage output
+ matchall coverage.$n "$cmatch" || ret=1
+
+ if [ -f $dir/extra.sh ]; then
+ cd $dir
+ . ./extra.sh
+ cd ..
+ fi
+
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+done
+
+echo_i "checking domains ending in . ($n)"
+ret=0
+$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.1.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.1.$n | wc -l`
+[ "$nkeys" -eq 2 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.2.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.2.$n | wc -l`
+[ "$nkeys" -eq 0 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.3.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.3.$n | wc -l`
+[ "$nkeys" -eq 2 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.4.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.4.$n | wc -l`
+[ "$nkeys" -eq 0 ] || ret=1
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "checking policy.conf parser ($n)"
+ret=0
+PYTHONPATH="../../../python:$PYTHONPATH" ${PYTHON} testpolicy.py policy.sample > policy.out
+$DOS2UNIX policy.out > /dev/null 2>&1
+cmp -s policy.good policy.out || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1
diff --git a/bin/tests/system/keymgr2kasp/README b/bin/tests/system/keymgr2kasp/README
new file mode 100644
index 0000000..f941209
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/README
@@ -0,0 +1,17 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+SPDX-License-Identifier: MPL-2.0
+
+This Source Code Form is subject to the terms of the Mozilla Public
+License, v. 2.0. If a copy of the MPL was not distributed with this
+file, you can obtain one at https://mozilla.org/MPL/2.0/.
+
+See the COPYRIGHT file distributed with this work for additional
+information regarding copyright ownership.
+
+The test setup for migrating to KASP tests.
+
+ns3 is an authoritative server for the various test domains.
+
+ns4 is an authoritative server that tests a specific case where zones
+using views migrate to dnssec-policy.
diff --git a/bin/tests/system/keymgr2kasp/clean.sh b/bin/tests/system/keymgr2kasp/clean.sh
new file mode 100644
index 0000000..1fe2bb9
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/clean.sh
@@ -0,0 +1,34 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/named.conf ns*/kasp.conf
+rm -f ns*/named.memstats ns*/named.run
+rm -f ns*/keygen.out* ns*/signer.out*
+rm -f ns*/zones
+rm -f ns*/dsset-*
+rm -f ns*/*.db ns*/*.db.jnl ns*/*.db.jbk
+rm -f ns*/*.db.signed* ns*/*.db.infile
+rm -f ns*/managed-keys.bind*
+rm -f ns*/*.mkeys*
+rm -f ./*.created
+rm -f ./created.key-*
+rm -f ./dig.out*
+rm -f ./python.out.*
+rm -f ./retired.*
+rm -f ./rndc.dnssec.*
+rm -f ./unused.key*
+rm -f ./verify.out.*
+
diff --git a/bin/tests/system/keymgr2kasp/ns3/kasp.conf.in b/bin/tests/system/keymgr2kasp/ns3/kasp.conf.in
new file mode 100644
index 0000000..0dae201
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns3/kasp.conf.in
@@ -0,0 +1,84 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "migrate" {
+ dnskey-ttl 7200;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "timing-metadata" {
+ dnskey-ttl 300;
+
+ signatures-refresh P1W;
+ signatures-validity P2W;
+ signatures-validity-dnskey P2W;
+
+ keys {
+ ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ // Together 12h
+ zone-propagation-delay 3600;
+ max-zone-ttl 11h;
+
+ // Together 3h
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
+
+/*
+ * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
+ * to ECDSAP256SHA256 keys.
+ */
+dnssec-policy "migrate-nomatch-algnum" {
+ dnskey-ttl 300;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm ecdsa256;
+ zsk key-directory lifetime P60D algorithm ecdsa256;
+ };
+
+ // Together 12h
+ zone-propagation-delay 3600;
+ max-zone-ttl 11h;
+
+ // Together 3h
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
+
+/*
+ * This policy tests migration from existing keys with 2048 bits RSASHA256 keys
+ * to 3072 bits RSASHA256 keys.
+ */
+dnssec-policy "migrate-nomatch-alglen" {
+ dnskey-ttl 300;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm rsasha256 3072;
+ zsk key-directory lifetime P60D algorithm rsasha256 3072;
+ };
+
+ // Together 12h
+ zone-propagation-delay 3600;
+ max-zone-ttl 11h;
+
+ // Together 3h
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
diff --git a/bin/tests/system/keymgr2kasp/ns3/named.conf.in b/bin/tests/system/keymgr2kasp/ns3/named.conf.in
new file mode 100644
index 0000000..5a71a87
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns3/named.conf.in
@@ -0,0 +1,98 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+ key-directory ".";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* These are zones that migrate to dnssec-policy. */
+zone "migrate.kasp" {
+ type primary;
+ file "migrate.kasp.db";
+ auto-dnssec maintain;
+ allow-update { any; };
+ dnssec-dnskey-kskonly yes;
+ update-check-ksk yes;
+};
+
+zone "csk.kasp" {
+ type primary;
+ file "csk.kasp.db";
+ auto-dnssec maintain;
+ allow-update { any; };
+ dnssec-dnskey-kskonly no;
+};
+
+zone "csk-nosep.kasp" {
+ type primary;
+ file "csk-nosep.kasp.db";
+ auto-dnssec maintain;
+ allow-update { any; };
+ dnssec-dnskey-kskonly no;
+};
+
+zone "rumoured.kasp" {
+ type primary;
+ file "rumoured.kasp.db";
+ auto-dnssec maintain;
+ allow-update { any; };
+ dnssec-dnskey-kskonly yes;
+ update-check-ksk yes;
+};
+
+zone "omnipresent.kasp" {
+ type primary;
+ file "omnipresent.kasp.db";
+ auto-dnssec maintain;
+ allow-update { any; };
+ dnssec-dnskey-kskonly yes;
+ update-check-ksk yes;
+};
+
+zone "migrate-nomatch-algnum.kasp" {
+ type primary;
+ file "migrate-nomatch-algnum.kasp.db";
+ auto-dnssec maintain;
+ allow-update { any; };
+ dnssec-dnskey-kskonly yes;
+ update-check-ksk yes;
+};
+
+zone "migrate-nomatch-alglen.kasp" {
+ type primary;
+ file "migrate-nomatch-alglen.kasp.db";
+ auto-dnssec maintain;
+ allow-update { any; };
+ dnssec-dnskey-kskonly yes;
+ update-check-ksk yes;
+};
diff --git a/bin/tests/system/keymgr2kasp/ns3/named2.conf.in b/bin/tests/system/keymgr2kasp/ns3/named2.conf.in
new file mode 100644
index 0000000..8d5aecb
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns3/named2.conf.in
@@ -0,0 +1,87 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+include "kasp.conf";
+
+options {
+ query-source address 10.53.0.3;
+ notify-source 10.53.0.3;
+ transfer-source 10.53.0.3;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.3; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* These are zones that migrate to dnssec-policy. */
+zone "migrate.kasp" {
+ type primary;
+ file "migrate.kasp.db";
+ allow-update { any; };
+ dnssec-policy "migrate";
+};
+
+zone "csk.kasp" {
+ type primary;
+ file "csk.kasp.db";
+ allow-update { any; };
+ dnssec-policy "default";
+};
+
+zone "csk-nosep.kasp" {
+ type primary;
+ file "csk-nosep.kasp.db";
+ allow-update { any; };
+ dnssec-policy "default";
+};
+
+zone "rumoured.kasp" {
+ type primary;
+ file "rumoured.kasp.db";
+ allow-update { any; };
+ dnssec-policy "timing-metadata";
+};
+
+zone "omnipresent.kasp" {
+ type primary;
+ file "omnipresent.kasp.db";
+ allow-update { any; };
+ dnssec-policy "timing-metadata";
+};
+
+zone "migrate-nomatch-algnum.kasp" {
+ type primary;
+ file "migrate-nomatch-algnum.kasp.db";
+ allow-update { any; };
+ dnssec-policy "migrate-nomatch-algnum";
+};
+
+zone "migrate-nomatch-alglen.kasp" {
+ type primary;
+ file "migrate-nomatch-alglen.kasp.db";
+ allow-update { any; };
+ dnssec-policy "migrate-nomatch-alglen";
+};
diff --git a/bin/tests/system/keymgr2kasp/ns3/setup.sh b/bin/tests/system/keymgr2kasp/ns3/setup.sh
new file mode 100644
index 0000000..6c1d0a5
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns3/setup.sh
@@ -0,0 +1,131 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns3/setup.sh"
+
+setup() {
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+}
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+
+# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
+setup migrate.kasp
+echo "$zone" >> zones
+ksktimes="-P now -A now -P sync now"
+zsktimes="-P now -A now"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Set up Single-Type Signing Scheme zones with auto-dnssec maintain to
+# migrate to dnssec-policy. This is a zone that has 'update-check-ksk no;'
+# configured, meaning the zone is signed with a single CSK.
+setup csk.kasp
+echo "$zone" >> zones
+csktimes="-P now -A now -P sync now"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2> keygen.out.$zone.1)
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+setup csk-nosep.kasp
+echo "$zone" >> zones
+csktimes="-P now -A now -P sync now"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $csktimes $zone 2> keygen.out.$zone.1)
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
+# time the existing keys do not match the policy. The existing keys are
+# RSASHA256 keys, and will be migrated to a dnssec-policy that dictates
+# ECDSAP256SHA256 keys.
+setup migrate-nomatch-algnum.kasp
+echo "$zone" >> zones
+Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
+Tkey="now-3900s" # DNSKEY TTL + propagation delay
+Tsig="now-12h" # Zone's maximum TTL + propagation delay
+ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
+zsktimes="-P ${Tkey} -A ${Tsig}"
+KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone 5 "$KSK" >> "$infile"
+private_type_record $zone 5 "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
+# time the existing keys do not match the policy. The existing keys are
+# 2048 bits RSASHA256 keys, and will be migrated to a dnssec-policy that
+# dictates 3072 bits RSASHA256 keys.
+setup migrate-nomatch-alglen.kasp
+echo "$zone" >> zones
+Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
+Tkey="now-3900s" # DNSKEY TTL + propagation delay
+Tsig="now-12h" # Zone's maximum TTL + propagation delay
+ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
+zsktimes="-P ${Tkey} -A ${Tsig}"
+KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone 5 "$KSK" >> "$infile"
+private_type_record $zone 5 "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+#
+# Set up zones to test time metadata correctly sets state.
+#
+
+# Key states expected to be rumoured after migration.
+setup rumoured.kasp
+echo "$zone" >> zones
+Tds="now-2h"
+Tkey="now-300s"
+Tsig="now-11h"
+ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
+zsktimes="-P ${Tkey} -A ${Tsig}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Key states expected to be omnipresent after migration.
+setup omnipresent.kasp
+echo "$zone" >> zones
+Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
+Tkey="now-3900s" # DNSKEY TTL + propagation delay
+Tsig="now-12h" # Zone's maximum TTL + propagation delay
+ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
+zsktimes="-P ${Tkey} -A ${Tsig}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
diff --git a/bin/tests/system/keymgr2kasp/ns3/template.db.in b/bin/tests/system/keymgr2kasp/ns3/template.db.in
new file mode 100644
index 0000000..010b05b
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns3/template.db.in
@@ -0,0 +1,27 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
diff --git a/bin/tests/system/keymgr2kasp/ns4/named.conf.in b/bin/tests/system/keymgr2kasp/ns4/named.conf.in
new file mode 100644
index 0000000..e478404
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/named.conf.in
@@ -0,0 +1,72 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+ key-directory ".";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+key "external" {
+ algorithm @DEFAULT_HMAC@;
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "internal" {
+ algorithm @DEFAULT_HMAC@;
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "ext" {
+ match-clients { key "external"; };
+
+ zone "view-rsasha256.kasp" {
+ type master;
+ file "view-rsasha256.kasp.ext.db";
+ auto-dnssec maintain;
+ inline-signing yes;
+ dnssec-dnskey-kskonly yes;
+ update-check-ksk yes;
+ };
+};
+
+view "int" {
+ match-clients { key "internal"; };
+
+ zone "view-rsasha256.kasp" {
+ type master;
+ file "view-rsasha256.kasp.int.db";
+ auto-dnssec maintain;
+ inline-signing yes;
+ dnssec-dnskey-kskonly yes;
+ update-check-ksk yes;
+ };
+};
diff --git a/bin/tests/system/keymgr2kasp/ns4/named2.conf.in b/bin/tests/system/keymgr2kasp/ns4/named2.conf.in
new file mode 100644
index 0000000..538aedc
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/named2.conf.in
@@ -0,0 +1,89 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS4
+
+options {
+ query-source address 10.53.0.4;
+ notify-source 10.53.0.4;
+ transfer-source 10.53.0.4;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.4; };
+ listen-on-v6 { none; };
+ allow-transfer { any; };
+ recursion no;
+ key-directory ".";
+};
+
+key rndc_key {
+ secret "1234abcd8765";
+ algorithm hmac-sha256;
+};
+
+controls {
+ inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+dnssec-policy "rsasha256" {
+ keys {
+ zsk key-directory lifetime P3M algorithm 8 2048;
+ ksk key-directory lifetime P1Y algorithm 8 2048;
+ };
+
+ dnskey-ttl 300;
+ publish-safety 1h;
+ retire-safety 1h;
+
+ signatures-refresh 5d;
+ signatures-validity 14d;
+ signatures-validity-dnskey 14d;
+
+ max-zone-ttl 1d;
+ zone-propagation-delay 300;
+
+ parent-ds-ttl 86400;
+ parent-propagation-delay 3h;
+};
+
+key "external" {
+ algorithm @DEFAULT_HMAC@;
+ secret "YPfMoAk6h+3iN8MDRQC004iSNHY=";
+};
+
+key "internal" {
+ algorithm @DEFAULT_HMAC@;
+ secret "4xILSZQnuO1UKubXHkYUsvBRPu8=";
+};
+
+view "ext" {
+ match-clients { key "external"; };
+
+ zone "view-rsasha256.kasp" {
+ type master;
+ file "view-rsasha256.kasp.ext.db";
+ inline-signing yes;
+ dnssec-policy "rsasha256";
+ };
+};
+
+view "int" {
+ match-clients { key "internal"; };
+
+ zone "view-rsasha256.kasp" {
+ type master;
+ file "view-rsasha256.kasp.int.db";
+ inline-signing yes;
+ dnssec-policy "rsasha256";
+ };
+};
diff --git a/bin/tests/system/keymgr2kasp/ns4/setup.sh b/bin/tests/system/keymgr2kasp/ns4/setup.sh
new file mode 100644
index 0000000..63121a0
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/setup.sh
@@ -0,0 +1,46 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns4/setup.sh"
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+
+zone="view-rsasha256.kasp"
+algo="RSASHA256"
+num="8"
+echo "$zone" >> zones
+
+# Set up zones in views with auto-dnssec maintain to migrate to dnssec-policy.
+# The keys for these zones are in use long enough that they should start a
+# rollover for the ZSK (P3M), but not long enough to initiate a KSK rollover (P1Y).
+ksktimes="-P -186d -A -186d -P sync -186d"
+zsktimes="-P -186d -A -186d"
+KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $algo -L 300 -b 2048 $zsktimes $zone 2> keygen.out.$zone.2)
+
+echo_i "setting up zone $zone (external)"
+view="ext"
+zonefile="${zone}.${view}.db"
+cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile"
+
+echo_i "setting up zone $zone (internal)"
+view="int"
+zonefile="${zone}.${view}.db"
+cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile"
diff --git a/bin/tests/system/keymgr2kasp/ns4/template.ext.db.in b/bin/tests/system/keymgr2kasp/ns4/template.ext.db.in
new file mode 100644
index 0000000..eecda2f
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/template.ext.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns4
+ns4 A 10.53.0.4
+
+view TXT "external"
diff --git a/bin/tests/system/keymgr2kasp/ns4/template.int.db.in b/bin/tests/system/keymgr2kasp/ns4/template.int.db.in
new file mode 100644
index 0000000..3783d64
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/ns4/template.int.db.in
@@ -0,0 +1,24 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns4
+ns4 A 10.53.0.4
+
+view TXT "internal"
diff --git a/bin/tests/system/keymgr2kasp/setup.sh b/bin/tests/system/keymgr2kasp/setup.sh
new file mode 100644
index 0000000..e43f798
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/setup.sh
@@ -0,0 +1,34 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+copy_setports ns3/kasp.conf.in ns3/kasp.conf
+
+# Setup zones
+(
+ cd ns3
+ $SHELL setup.sh
+)
+(
+ cd ns4
+ $SHELL setup.sh
+)
diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh
new file mode 100644
index 0000000..62b58a7
--- /dev/null
+++ b/bin/tests/system/keymgr2kasp/tests.sh
@@ -0,0 +1,1137 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+# shellcheck source=kasp.sh
+. ../kasp.sh
+
+start_time="$(TZ=UTC date +%s)"
+status=0
+n=0
+
+###############################################################################
+# Utilities #
+###############################################################################
+
+# Call dig with default options.
+dig_with_opts() {
+
+ if [ -n "$TSIG" ]; then
+ "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@"
+ else
+ "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+ fi
+}
+
+# Log error and increment failure rate.
+log_error() {
+ echo_i "error: $1"
+ ret=$((ret+1))
+}
+
+# Default next key event threshold. May be extended by wait periods.
+next_key_event_threshold=100
+
+###############################################################################
+# Tests #
+###############################################################################
+
+set_retired_removed() {
+ _Lkey=$2
+ _Iret=$3
+
+ _active=$(key_get $1 ACTIVE)
+ set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}"
+ _retired=$(key_get $1 RETIRED)
+ set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
+}
+
+rollover_predecessor_keytimes() {
+ _addtime=$1
+
+ _created=$(key_get KEY1 CREATED)
+
+ set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+
+ _created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+}
+
+# Policy parameters.
+# Lksk: unlimited
+# Lzsk: unlimited
+Lksk=0
+Lzsk=0
+
+
+#################################################
+# Test state before switching to dnssec-policy. #
+#################################################
+
+# Set expected key properties for migration tests.
+# $1 $2: Algorithm number and string.
+# $3 $4: KSK and ZSK size.
+init_migration_keys() {
+ key_clear "KEY1"
+ key_set "KEY1" "LEGACY" "yes"
+ set_keyrole "KEY1" "ksk"
+ set_keylifetime "KEY1" "none"
+ set_keyalgorithm "KEY1" "$1" "$2" "$3"
+ set_keysigning "KEY1" "yes"
+ set_zonesigning "KEY1" "no"
+
+ key_clear "KEY2"
+ key_set "KEY2" "LEGACY" "yes"
+ set_keyrole "KEY2" "zsk"
+ set_keylifetime "KEY2" "none"
+ set_keyalgorithm "KEY2" "$1" "$2" "$4"
+ set_keysigning "KEY2" "no"
+ set_zonesigning "KEY2" "yes"
+
+ key_clear "KEY3"
+ key_clear "KEY4"
+}
+
+# Set expected key states for migration tests.
+# $1: Goal
+# $2: States
+init_migration_states() {
+ set_keystate "KEY1" "GOAL" "$1"
+ set_keystate "KEY1" "STATE_DNSKEY" "$2"
+ set_keystate "KEY1" "STATE_KRRSIG" "$2"
+ set_keystate "KEY1" "STATE_DS" "$2"
+
+ set_keystate "KEY2" "GOAL" "$1"
+ set_keystate "KEY2" "STATE_DNSKEY" "$2"
+ set_keystate "KEY2" "STATE_ZRRSIG" "$2"
+}
+
+#
+# Testing a good migration.
+#
+set_zone "migrate.kasp"
+set_policy "none" "2" "7200"
+set_server "ns3" "10.53.0.3"
+
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "rumoured"
+
+# Make sure the zone is signed with legacy keys.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# These keys are immediately published and activated.
+rollover_predecessor_keytimes 0
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_migrate_ksk=$(key_get KEY1 ID)
+_migrate_zsk=$(key_get KEY2 ID)
+
+#
+# Testing a good migration (CSK).
+#
+set_zone "csk.kasp"
+set_policy "none" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "yes"
+set_keyrole "KEY1" "ksk"
+# This key also acts as a ZSK.
+key_set "KEY1" "ZSK" "yes"
+set_keylifetime "KEY1" "none"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Make sure the zone is signed with legacy key.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# The key is immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
+
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_migrate_csk=$(key_get KEY1 ID)
+
+#
+# Testing a good migration (CSK, no SEP).
+#
+set_zone "csk-nosep.kasp"
+set_policy "none" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "yes"
+set_keyrole "KEY1" "zsk"
+# Despite the missing SEP bit, this key also acts as a KSK.
+key_set "KEY1" "KSK" "yes"
+set_keylifetime "KEY1" "none"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Make sure the zone is signed with legacy key.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# The key is immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
+
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_migrate_csk_nosep=$(key_get KEY1 ID)
+
+#
+# Testing key states derived from key timing metadata (rumoured).
+#
+set_zone "rumoured.kasp"
+set_policy "none" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "rumoured"
+
+# Make sure the zone is signed with legacy keys.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_rumoured_ksk=$(key_get KEY1 ID)
+_rumoured_zsk=$(key_get KEY2 ID)
+
+#
+# Testing key states derived from key timing metadata (omnipresent).
+#
+set_zone "omnipresent.kasp"
+set_policy "none" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "omnipresent"
+
+# Make sure the zone is signed with legacy keys.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_omnipresent_ksk=$(key_get KEY1 ID)
+_omnipresent_zsk=$(key_get KEY2 ID)
+
+#
+# Testing migration with unmatched existing keys (different algorithm).
+#
+set_zone "migrate-nomatch-algnum.kasp"
+set_policy "none" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+init_migration_keys "8" "RSASHA256" "2048" "2048"
+init_migration_states "omnipresent" "omnipresent"
+
+# Make sure the zone is signed with legacy keys.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The KSK is immediately published and activated.
+# -P : now-3900s
+# -P sync: now-3h
+# -A : now-3900s
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+# The ZSK is immediately published and activated.
+# -P: now-3900s
+# -A: now-12h
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Remember legacy key tags.
+_migratenomatch_algnum_ksk=$(key_get KEY1 ID)
+_migratenomatch_algnum_zsk=$(key_get KEY2 ID)
+
+#
+# Testing migration with unmatched existing keys (different length).
+#
+set_zone "migrate-nomatch-alglen.kasp"
+set_policy "none" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+init_migration_keys "8" "RSASHA256" "2048" "2048"
+init_migration_states "omnipresent" "omnipresent"
+
+# Make sure the zone is signed with legacy keys.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - The KSK is immediately published and activated.
+# P : now-3900s
+# P sync: now-3h
+# A : now-3900s
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+# - The ZSK is immediately published and activated.
+# P: now-3900s
+# A: now-12h
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Remember legacy key tags.
+_migratenomatch_alglen_ksk=$(key_get KEY1 ID)
+_migratenomatch_alglen_zsk=$(key_get KEY2 ID)
+
+
+#############
+# Reconfig. #
+#############
+echo_i "reconfig (migration to dnssec-policy)"
+copy_setports ns3/named2.conf.in ns3/named.conf
+rndc_reconfig ns3 10.53.0.3
+
+# Calculate time passed to correctly check for next key events.
+now="$(TZ=UTC date +%s)"
+time_passed=$((now-start_time))
+echo_i "${time_passed} seconds passed between start of tests and reconfig"
+
+# Wait until we have seen "zone_rekey done:" message for this key.
+_wait_for_done_signing() {
+ _zone=$1
+
+ _ksk=$(key_get $2 KSK)
+ _zsk=$(key_get $2 ZSK)
+ if [ "$_ksk" = "yes" ]; then
+ _role="KSK"
+ _expect_type=EXPECT_KRRSIG
+ elif [ "$_zsk" = "yes" ]; then
+ _role="ZSK"
+ _expect_type=EXPECT_ZRRSIG
+ fi
+
+ if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then
+ _keyid=$(key_get $2 ID)
+ _keyalg=$(key_get $2 ALG_STR)
+ echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
+ grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1
+ fi
+
+ return 0
+}
+wait_for_done_signing() {
+ n=$((n+1))
+ echo_i "wait for zone ${ZONE} is done signing ($n)"
+ ret=0
+
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1
+
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+}
+
+
+################################################
+# Test state after switching to dnssec-policy. #
+################################################
+
+# Policy parameters.
+# ZSK now has lifetime of 60 days (5184000 seconds).
+# The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety.
+Lzsk=5184000
+IretZSK=867900
+
+#
+# Testing good migration.
+#
+set_zone "migrate.kasp"
+set_policy "migrate" "2" "7200"
+set_server "ns3" "10.53.0.3"
+
+# Key properties, timings and metadata should be the same as legacy keys above.
+# However, because the zsk has a lifetime, kasp will set the retired time.
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "rumoured"
+key_set "KEY1" "LEGACY" "no"
+key_set "KEY2" "LEGACY" "no"
+set_keylifetime "KEY1" "${Lksk}"
+set_keylifetime "KEY2" "${Lzsk}"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+rollover_predecessor_keytimes 0
+
+# - Key now has lifetime of 60 days (5184000 seconds).
+# The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety.
+# TTLsig: 1d (86400 seconds)
+# Dprp: 5m (300 seconds)
+# Dsgn: 9d (777600 seconds)
+# retire-safety: 1h (3600 seconds)
+# IretZSK: 10d65m (867900 seconds)
+active=$(key_get KEY2 ACTIVE)
+set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}"
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
+ret=0
+[ $_migrate_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migrate_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Testing a good migration (CSK).
+#
+set_zone "csk.kasp"
+set_policy "default" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "no"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The key was immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
+ret=0
+[ $_migrate_csk = $(key_get KEY1 ID) ] || log_error "mismatch csk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Testing a good migration (CSK, no SEP).
+#
+set_zone "csk-nosep.kasp"
+set_policy "default" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "no"
+set_keyrole "KEY1" "csk"
+key_set "KEY1" "FLAGS" "256"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The key was immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
+ret=0
+[ $_migrate_csk_nosep = $(key_get KEY1 ID) ] || log_error "mismatch csk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Test migration to dnssec-policy, existing keys do not match key algorithm.
+#
+set_zone "migrate-nomatch-algnum.kasp"
+set_policy "migrate-nomatch-algnum" "4" "300"
+set_server "ns3" "10.53.0.3"
+# The legacy keys need to be retired, but otherwise stay present until the
+# new keys are omnipresent, and can be used to construct a chain of trust.
+init_migration_keys "8" "RSASHA256" "2048" "2048"
+init_migration_states "hidden" "omnipresent"
+key_set "KEY1" "LEGACY" "no"
+key_set "KEY2" "LEGACY" "no"
+
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "0"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
+
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "5184000"
+set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY4" "no"
+set_zonesigning "KEY4" "yes"
+
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY3" "STATE_DS" "hidden"
+
+set_keystate "KEY4" "GOAL" "omnipresent"
+set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - KSK must be retired since it no longer matches the policy.
+# P : now-3900s
+# P sync: now-3h
+# A : now-3900s
+# - The key is removed after the retire interval:
+# IretKSK = TTLds + DprpP + retire_safety.
+# TTLds: 2h (7200 seconds)
+# Dprp: 1h (3600 seconds)
+# retire-safety: 1h (3600 seconds)
+# IretKSK: 4h (14400 seconds)
+IretKSK=14400
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+keyfile=$(key_get KEY1 BASEFILE)
+grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
+retired=$(awk '{print $3}' < retired.test${n}.ksk)
+set_keytime "KEY1" "RETIRED" "${retired}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+# - ZSK must be retired since it no longer matches the policy.
+# P: now-3900s
+# A: now-12h
+# - The key is removed after the retire interval:
+# IretZSK = TTLsig + Dprp + Dsgn + retire-safety.
+# TTLsig: 11h (39600 seconds)
+# Dprp: 1h (3600 seconds)
+# Dsgn: 9d (777600 seconds)
+# retire-safety: 1h (3600 seconds)
+# IretZSK: 9d13h (824400 seconds)
+IretZSK=824400
+Lzsk=5184000
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+keyfile=$(key_get KEY2 BASEFILE)
+grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
+retired=$(awk '{print $3}' < retired.test${n}.zsk)
+set_keytime "KEY2" "RETIRED" "${retired}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+# - The new KSK is immediately published and activated.
+created=$(key_get KEY3 CREATED)
+set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "ACTIVE" "${created}"
+# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
+# TTLsig: 11h (39600 seconds)
+# Dprp: 1h (3600 seconds)
+# publish-safety: 1h (3600 seconds)
+# Ipub: 13h (46800 seconds)
+Ipub=46800
+set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
+# - The ZSK is immediately published and activated.
+created=$(key_get KEY4 CREATED)
+set_keytime "KEY4" "PUBLISHED" "${created}"
+set_keytime "KEY4" "ACTIVE" "${created}"
+active=$(key_get KEY4 ACTIVE)
+set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
+retired=$(key_get KEY4 RETIRED)
+set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
+ret=0
+[ $_migratenomatch_algnum_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migratenomatch_algnum_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Test migration to dnssec-policy, existing keys do not match key length.
+#
+set_zone "migrate-nomatch-alglen.kasp"
+set_policy "migrate-nomatch-alglen" "4" "300"
+set_server "ns3" "10.53.0.3"
+
+# The legacy keys need to be retired, but otherwise stay present until the
+# new keys are omnipresent, and can be used to construct a chain of trust.
+init_migration_keys "8" "RSASHA256" "2048" "2048"
+init_migration_states "hidden" "omnipresent"
+key_set "KEY1" "LEGACY" "no"
+key_set "KEY2" "LEGACY" "no"
+
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "0"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
+
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "5184000"
+set_keyalgorithm "KEY4" "8" "RSASHA256" "3072"
+set_keysigning "KEY4" "no"
+# This key is considered to be prepublished, so it is not yet signing.
+set_zonesigning "KEY4" "no"
+
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY3" "STATE_DS" "hidden"
+
+set_keystate "KEY4" "GOAL" "omnipresent"
+set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+# - KSK must be retired since it no longer matches the policy.
+# P : now-3900s
+# P sync: now-3h
+# A : now-3900s
+# - The key is removed after the retire interval:
+# IretKSK = TTLds + DprpP + retire_safety.
+# TTLds: 2h (7200 seconds)
+# Dprp: 1h (3600 seconds)
+# retire-safety: 1h (3600 seconds)
+# IretKSK: 4h (14400 seconds)
+IretKSK=14400
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+keyfile=$(key_get KEY1 BASEFILE)
+grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
+retired=$(awk '{print $3}' < retired.test${n}.ksk)
+set_keytime "KEY1" "RETIRED" "${retired}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+# - ZSK must be retired since it no longer matches the policy.
+# P: now-3900s
+# A: now-12h
+# - The key is removed after the retire interval:
+# IretZSK = TTLsig + Dprp + Dsgn + retire-safety.
+# TTLsig: 11h (39600 seconds)
+# Dprp: 1h (3600 seconds)
+# Dsgn: 9d (777600 seconds)
+# publish-safety: 1h (3600 seconds)
+# IretZSK: 9d13h (824400 seconds)
+IretZSK=824400
+Lzsk=5184000
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+keyfile=$(key_get KEY2 BASEFILE)
+grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
+retired=$(awk '{print $3}' < retired.test${n}.zsk)
+set_keytime "KEY2" "RETIRED" "${retired}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+# - The new KSK is immediately published and activated.
+created=$(key_get KEY3 CREATED)
+set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "ACTIVE" "${created}"
+# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
+# TTLsig: 11h (39600 seconds)
+# Dprp: 1h (3600 seconds)
+# publish-safety: 1h (3600 seconds)
+# Ipub: 13h (46800 seconds)
+Ipub=46800
+set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
+# - The ZSK is immediately published and activated.
+created=$(key_get KEY4 CREATED)
+set_keytime "KEY4" "PUBLISHED" "${created}"
+set_keytime "KEY4" "ACTIVE" "${created}"
+active=$(key_get KEY4 ACTIVE)
+set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
+retired=$(key_get KEY4 RETIRED)
+set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
+ret=0
+[ $_migratenomatch_alglen_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migratenomatch_alglen_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+########################################################
+# Testing key states derived from key timing metadata. #
+########################################################
+
+# Policy parameters.
+# KSK has lifetime of 60 days (5184000 seconds).
+# The KSK is removed after Iret = DprpP + TTLds + retire-safety =
+# 4h = 14400 seconds.
+Lksk=5184000
+IretKSK=14400
+# ZSK has lifetime of 60 days (5184000 seconds).
+# The ZSK is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety =
+# 181h = 651600 seconds.
+Lzsk=5184000
+IretZSK=651600
+
+#
+# Testing rumoured state.
+#
+set_zone "rumoured.kasp"
+set_policy "timing-metadata" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+# Key properties, timings and metadata should be the same as legacy keys above.
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "rumoured"
+key_set "KEY1" "LEGACY" "no"
+key_set "KEY2" "LEGACY" "no"
+set_keylifetime "KEY1" "${Lksk}"
+set_keylifetime "KEY2" "${Lzsk}"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+#
+# Tds="now-2h" (7200)
+# Tkey="now-300s" (300)
+# Tsig="now-11h" (39600)
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -300
+set_addkeytime "KEY1" "ACTIVE" "${created}" -300
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -7200
+set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -300
+set_addkeytime "KEY2" "ACTIVE" "${created}" -39600
+set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
+ret=0
+[ $_rumoured_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_rumoured_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+#
+# Testing omnipresent state.
+#
+set_zone "omnipresent.kasp"
+set_policy "timing-metadata" "2" "300"
+set_server "ns3" "10.53.0.3"
+
+# Key properties, timings and metadata should be the same as legacy keys above.
+init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+init_migration_states "omnipresent" "omnipresent"
+key_set "KEY1" "LEGACY" "no"
+key_set "KEY2" "LEGACY" "no"
+set_keylifetime "KEY1" "${Lksk}"
+set_keylifetime "KEY2" "${Lzsk}"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# Set expected key times:
+#
+# Tds="now-3h" (10800)
+# Tkey="now-3900s" (3900)
+# Tsig="now-12h" (43200)
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
+ret=0
+[ $_omnipresent_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_omnipresent_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+
+######################################
+# Testing good migration with views. #
+######################################
+init_view_migration() {
+ key_clear "KEY1"
+ key_set "KEY1" "LEGACY" "yes"
+ set_keyrole "KEY1" "ksk"
+ set_keylifetime "KEY1" "0"
+ set_keysigning "KEY1" "yes"
+ set_zonesigning "KEY1" "no"
+
+ key_clear "KEY2"
+ key_set "KEY2" "LEGACY" "yes"
+ set_keyrole "KEY2" "zsk"
+ set_keylifetime "KEY2" "0"
+ set_keysigning "KEY2" "no"
+ set_zonesigning "KEY2" "yes"
+
+ key_clear "KEY3"
+ key_clear "KEY4"
+
+ set_keystate "KEY1" "GOAL" "omnipresent"
+ set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+ set_keystate "KEY1" "STATE_DS" "rumoured"
+
+ set_keystate "KEY2" "GOAL" "omnipresent"
+ set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+}
+
+set_keytimes_view_migration() {
+ # Key is six months in use.
+ created=$(key_get KEY1 CREATED)
+ set_addkeytime "KEY1" "PUBLISHED" "${created}" -16070400
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400
+ set_addkeytime "KEY1" "ACTIVE" "${created}" -16070400
+ created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${created}" -16070400
+ set_addkeytime "KEY2" "ACTIVE" "${created}" -16070400
+}
+
+# Zone view.rsasha256.kasp (external)
+set_zone "view-rsasha256.kasp"
+set_policy "rsasha256" "2" "300"
+set_server "ns4" "10.53.0.4"
+init_view_migration
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+TSIG="$DEFAULT_HMAC:external:$VIEW1"
+wait_for_nsec
+# Make sure the zone is signed with legacy keys.
+check_keys
+set_keytimes_view_migration
+check_keytimes
+dnssec_verify
+
+n=$((n+1))
+# check subdomain
+echo_i "check TXT $ZONE (view ext) rrset is signed correctly ($n)"
+ret=0
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Remember legacy key tags.
+_migrate_ext8_ksk=$(key_get KEY1 ID)
+_migrate_ext8_zsk=$(key_get KEY2 ID)
+
+# Zone view.rsasha256.kasp (internal)
+set_zone "view-rsasha256.kasp"
+set_policy "rsasha256" "2" "300"
+set_server "ns4" "10.53.0.4"
+init_view_migration
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+TSIG="$DEFAULT_HMAC:internal:$VIEW2"
+wait_for_nsec
+# Make sure the zone is signed with legacy keys.
+check_keys
+set_keytimes_view_migration
+check_keytimes
+dnssec_verify
+
+n=$((n+1))
+# check subdomain
+echo_i "check TXT $ZONE (view int) rrset is signed correctly ($n)"
+ret=0
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+# Remember legacy key tags.
+_migrate_int8_ksk=$(key_get KEY1 ID)
+_migrate_int8_zsk=$(key_get KEY2 ID)
+
+# Reconfig dnssec-policy.
+echo_i "reconfig to switch to dnssec-policy"
+copy_setports ns4/named2.conf.in ns4/named.conf
+rndc_reconfig ns4 10.53.0.4
+
+# Calculate time passed to correctly check for next key events.
+now="$(TZ=UTC date +%s)"
+time_passed=$((now-start_time))
+echo_i "${time_passed} seconds passed between start of tests and reconfig"
+
+#
+# Testing migration (RSASHA256, views).
+#
+set_zone "view-rsasha256.kasp"
+set_policy "rsasha256" "3" "300"
+set_server "ns4" "10.53.0.4"
+init_migration_keys "8" "RSASHA256" "2048" "2048"
+init_migration_states "omnipresent" "rumoured"
+# Key properties, timings and metadata should be the same as legacy keys above.
+# However, because the keys have a lifetime, kasp will set the retired time.
+key_set "KEY1" "LEGACY" "no"
+set_keylifetime "KEY1" "31536000"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+key_set "KEY2" "LEGACY" "no"
+set_keylifetime "KEY2" "8035200"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+# The ZSK needs to be replaced.
+set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "8035200"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "no" # not yet
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
+
+# Various signing policy checks (external).
+TSIG="$DEFAULT_HMAC:external:$VIEW1"
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "ext"
+set_keytimes_view_migration
+
+# Set expected key times:
+published=$(key_get KEY1 PUBLISHED)
+set_keytime "KEY1" "ACTIVE" "${published}"
+set_keytime "KEY1" "SYNCPUBLISH" "${published}"
+# Lifetime: 1 year (8035200 seconds)
+active=$(key_get KEY1 ACTIVE)
+set_addkeytime "KEY1" "RETIRED" "${active}" "31536000"
+# Retire interval:
+# DS TTL: 1d
+# Parent zone propagation: 3h
+# Retire safety: 1h
+# Total: 100800 seconds
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED" "${retired}" "100800"
+
+published=$(key_get KEY2 PUBLISHED)
+set_keytime "KEY2" "ACTIVE" "${published}"
+# Lifetime: 3 months (8035200 seconds)
+active=$(key_get KEY2 ACTIVE)
+set_addkeytime "KEY2" "RETIRED" "${active}" "8035200"
+# Retire interval:
+# Sign delay: 9d (14-5)
+# Max zone TTL: 1d
+# Retire safety: 1h
+# Zone propagation delay: 300s
+# Total: 867900 seconds
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED" "${retired}" "867900"
+
+created=$(key_get KEY3 CREATED)
+set_keytime "KEY3" "PUBLISHED" "${created}"
+# Publication interval:
+# DNSKEY TTL: 300s
+# Publish safety: 1h
+# Zone propagation delay: 300s
+# Total: 4200 seconds
+set_addkeytime "KEY3" "ACTIVE" "${created}" "4200"
+# Lifetime: 3 months (8035200 seconds)
+active=$(key_get KEY3 ACTIVE)
+set_addkeytime "KEY3" "RETIRED" "${active}" "8035200"
+# Retire interval:
+# Sign delay: 9d (14-5)
+# Max zone TTL: 1d
+# Retire safety: 1h
+# Zone propagation delay: 300s
+# Total: 867900 seconds
+retired=$(key_get KEY3 RETIRED)
+set_addkeytime "KEY3" "REMOVED" "${retired}" "867900"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+dnssec_verify
+
+# Various signing policy checks (internal).
+TSIG="$DEFAULT_HMAC:internal:$VIEW2"
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "int"
+set_keytimes_view_migration
+check_keytimes
+check_apex
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
+ret=0
+[ $_migrate_ext8_ksk = $_migrate_int8_ksk ] || log_error "mismatch ksk tag"
+[ $_migrate_ext8_zsk = $_migrate_int8_zsk ] || log_error "mismatch zsk tag"
+[ $_migrate_ext8_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migrate_ext8_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1