Diffstat (limited to 'bin/tests/system/keymgr')
48 files changed, 1023 insertions, 0 deletions
diff --git a/bin/tests/system/keymgr/01-ksk-inactive/README b/bin/tests/system/keymgr/01-ksk-inactive/README
new file mode 100644
index 0000000..a79314e
--- /dev/null
+++ b/bin/tests/system/keymgr/01-ksk-inactive/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one KSK rollover. The KSK is deactivated prior to
+its replacement being activated.
diff --git a/bin/tests/system/keymgr/01-ksk-inactive/expect b/bin/tests/system/keymgr/01-ksk-inactive/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/01-ksk-inactive/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/02-zsk-inactive/README b/bin/tests/system/keymgr/02-zsk-inactive/README
new file mode 100644
index 0000000..8997e0a
--- /dev/null
+++ b/bin/tests/system/keymgr/02-zsk-inactive/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one ZSK rollover. The first ZSK is deactivated
+prior to its replacement being activated.
diff --git a/bin/tests/system/keymgr/02-zsk-inactive/expect b/bin/tests/system/keymgr/02-zsk-inactive/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/02-zsk-inactive/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/03-ksk-unpublished/README b/bin/tests/system/keymgr/03-ksk-unpublished/README
new file mode 100644
index 0000000..4086a31
--- /dev/null
+++ b/bin/tests/system/keymgr/03-ksk-unpublished/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set contains one KSK rollover. The KSK is unpublished before its
+successor is published.
diff --git a/bin/tests/system/keymgr/03-ksk-unpublished/expect b/bin/tests/system/keymgr/03-ksk-unpublished/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/03-ksk-unpublished/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/04-zsk-unpublished/README b/bin/tests/system/keymgr/04-zsk-unpublished/README
new file mode 100644
index 0000000..a3bbe85
--- /dev/null
+++ b/bin/tests/system/keymgr/04-zsk-unpublished/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set contains one ZSK rollover. The ZSK is unpublished before its
+successor is published.
diff --git a/bin/tests/system/keymgr/04-zsk-unpublished/expect b/bin/tests/system/keymgr/04-zsk-unpublished/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/04-zsk-unpublished/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/05-ksk-unpub-active/README b/bin/tests/system/keymgr/05-ksk-unpub-active/README
new file mode 100644
index 0000000..5b47456
--- /dev/null
+++ b/bin/tests/system/keymgr/05-ksk-unpub-active/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one KSK rollover. The first KSK is deleted
+and its successor published prior to the first KSK being deactivated
+and its successor activated.
diff --git a/bin/tests/system/keymgr/05-ksk-unpub-active/expect b/bin/tests/system/keymgr/05-ksk-unpub-active/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/05-ksk-unpub-active/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/06-zsk-unpub-active/README b/bin/tests/system/keymgr/06-zsk-unpub-active/README
new file mode 100644
index 0000000..5b47456
--- /dev/null
+++ b/bin/tests/system/keymgr/06-zsk-unpub-active/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes one KSK rollover. The first KSK is deleted
+and its successor published prior to the first KSK being deactivated
+and its successor activated.
diff --git a/bin/tests/system/keymgr/06-zsk-unpub-active/expect b/bin/tests/system/keymgr/06-zsk-unpub-active/expect
new file mode 100644
index 0000000..bf908e7
--- /dev/null
+++ b/bin/tests/system/keymgr/06-zsk-unpub-active/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 2h example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/07-ksk-ttl/README b/bin/tests/system/keymgr/07-ksk-ttl/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/07-ksk-ttl/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/07-ksk-ttl/expect b/bin/tests/system/keymgr/07-ksk-ttl/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/07-ksk-ttl/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/08-zsk-ttl/README b/bin/tests/system/keymgr/08-zsk-ttl/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/08-zsk-ttl/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/08-zsk-ttl/expect b/bin/tests/system/keymgr/08-zsk-ttl/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/08-zsk-ttl/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/09-no-keys/README b/bin/tests/system/keymgr/09-no-keys/README
new file mode 100644
index 0000000..7de6d40
--- /dev/null
+++ b/bin/tests/system/keymgr/09-no-keys/README
@@ -0,0 +1,5 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has no key set, but one will be initialized by dnssec-keymgr.
diff --git a/bin/tests/system/keymgr/09-no-keys/expect b/bin/tests/system/keymgr/09-no-keys/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/09-no-keys/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/10-change-roll/README b/bin/tests/system/keymgr/10-change-roll/README
new file mode 100644
index 0000000..c83de5f
--- /dev/null
+++ b/bin/tests/system/keymgr/10-change-roll/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has a key set which is valid, but has a ZSK rollover period
+of only three months. It will be updated to have a ZSK rollover period of
+one year.
diff --git a/bin/tests/system/keymgr/10-change-roll/expect b/bin/tests/system/keymgr/10-change-roll/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/10-change-roll/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/11-many-simul/README b/bin/tests/system/keymgr/11-many-simul/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/11-many-simul/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/11-many-simul/expect b/bin/tests/system/keymgr/11-many-simul/expect
new file mode 100644
index 0000000..03d719c
--- /dev/null
+++ b/bin/tests/system/keymgr/11-many-simul/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/12-many-active/README b/bin/tests/system/keymgr/12-many-active/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/12-many-active/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/12-many-active/expect b/bin/tests/system/keymgr/12-many-active/expect
new file mode 100644
index 0000000..67fc4e9
--- /dev/null
+++ b/bin/tests/system/keymgr/12-many-active/expect
@@ -0,0 +1,9 @@
+kargs="-f example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/13-noroll/README b/bin/tests/system/keymgr/13-noroll/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/13-noroll/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/13-noroll/expect b/bin/tests/system/keymgr/13-noroll/expect
new file mode 100644
index 0000000..67fc4e9
--- /dev/null
+++ b/bin/tests/system/keymgr/13-noroll/expect
@@ -0,0 +1,9 @@
+kargs="-f example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/14-wrongalg/README b/bin/tests/system/keymgr/14-wrongalg/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/14-wrongalg/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/14-wrongalg/expect b/bin/tests/system/keymgr/14-wrongalg/expect
new file mode 100644
index 0000000..bd5eadb
--- /dev/null
+++ b/bin/tests/system/keymgr/14-wrongalg/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=4
diff --git a/bin/tests/system/keymgr/15-unspec/README b/bin/tests/system/keymgr/15-unspec/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/15-unspec/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/15-unspec/expect b/bin/tests/system/keymgr/15-unspec/expect
new file mode 100644
index 0000000..ad300c4
--- /dev/null
+++ b/bin/tests/system/keymgr/15-unspec/expect
@@ -0,0 +1,9 @@
+kargs=""
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/16-wrongalg-unspec/README b/bin/tests/system/keymgr/16-wrongalg-unspec/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/16-wrongalg-unspec/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/16-wrongalg-unspec/expect b/bin/tests/system/keymgr/16-wrongalg-unspec/expect
new file mode 100644
index 0000000..c836535
--- /dev/null
+++ b/bin/tests/system/keymgr/16-wrongalg-unspec/expect
@@ -0,0 +1,9 @@
+kargs=""
+kmatch=""
+kret=0
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=4
diff --git a/bin/tests/system/keymgr/17-noforce/README b/bin/tests/system/keymgr/17-noforce/README
new file mode 100644
index 0000000..0830ca3
--- /dev/null
+++ b/bin/tests/system/keymgr/17-noforce/README
@@ -0,0 +1,6 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This set includes a KSK rollover, with insufficient delay between
+prepublication and rollover.
diff --git a/bin/tests/system/keymgr/17-noforce/expect b/bin/tests/system/keymgr/17-noforce/expect
new file mode 100644
index 0000000..029a4e9
--- /dev/null
+++ b/bin/tests/system/keymgr/17-noforce/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=1
+cargs="-d 1w -m 2w example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/README b/bin/tests/system/keymgr/18-nonstd-prepub/README
new file mode 100644
index 0000000..4ee0a8a
--- /dev/null
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has a key set which is valid, but will expire within
+the rollover period. The prepublication interval in policy.conf is a
+nonstandard value.
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/expect b/bin/tests/system/keymgr/18-nonstd-prepub/expect
new file mode 100644
index 0000000..e8518d8
--- /dev/null
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/expect
@@ -0,0 +1,9 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 1d example.com"
+cmatch=""
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in b/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in
new file mode 100644
index 0000000..757311a
--- /dev/null
+++ b/bin/tests/system/keymgr/18-nonstd-prepub/policy.conf.in
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy default {
+ policy global;
+ algorithm @DEFAULT_ALGORITHM@;
+ pre-publish zsk 2w;
+ roll-period zsk 6mo;
+ coverage 364d;
+};
diff --git a/bin/tests/system/keymgr/19-old-keys/README b/bin/tests/system/keymgr/19-old-keys/README
new file mode 100644
index 0000000..bd66ba8
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/README
@@ -0,0 +1,7 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+This directory has a key set which is valid, but which was published
+and activated more than one rollover period ago. dnssec-keymgr should
+not mark the keys as already being inactive and deleted.
diff --git a/bin/tests/system/keymgr/19-old-keys/expect b/bin/tests/system/keymgr/19-old-keys/expect
new file mode 100644
index 0000000..ad73b53
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/expect
@@ -0,0 +1,12 @@
+kargs="example.com"
+kmatch=""
+kret=0
+cargs="-d 1h -m 1w example.com"
+cmatch="4,Publish
+4,Activate
+2,Inactive
+2,Delete"
+cret=0
+warn=0
+error=0
+ok=2
diff --git a/bin/tests/system/keymgr/19-old-keys/extra.sh b/bin/tests/system/keymgr/19-old-keys/extra.sh
new file mode 100644
index 0000000..502d951
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/extra.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+now=`$PERL -e 'print time()."\n";'`
+for keyfile in K*.key; do
+ inactive=`$SETTIME -upI $keyfile | awk '{print $2}'`
+ if [ "$inactive" = UNSET ]; then
+ continue
+ elif [ "$inactive" -lt "$now" ]; then
+ echo_d "inactive date is in the past"
+ ret=1
+ fi
+done
diff --git a/bin/tests/system/keymgr/19-old-keys/policy.conf.in b/bin/tests/system/keymgr/19-old-keys/policy.conf.in
new file mode 100644
index 0000000..757311a
--- /dev/null
+++ b/bin/tests/system/keymgr/19-old-keys/policy.conf.in
@@ -0,0 +1,20 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy default {
+ policy global;
+ algorithm @DEFAULT_ALGORITHM@;
+ pre-publish zsk 2w;
+ roll-period zsk 6mo;
+ coverage 364d;
+};
diff --git a/bin/tests/system/keymgr/clean.sh b/bin/tests/system/keymgr/clean.sh
new file mode 100644
index 0000000..d8cad32
--- /dev/null
+++ b/bin/tests/system/keymgr/clean.sh
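Review bot: In extra.sh the `elif [ "$inactive" -lt "$now" ]` test gets an empty `inactive` whenever `$SETTIME -upI` fails or prints something other than a number, and `[ "" -lt "$now" ]` is then a test error that the shell treats as false, so a key file that cannot be read passes the check silently; add `elif [ -z "$inactive" ]; then echo_d "cannot read inactive date for $keyfile"; ret=1` before the numeric comparison. `ret` is assigned but never initialised or returned in this file, so the result only reaches anything if the script is sourced by a caller that already defines `ret` — presumably tests.sh, whose relevant part is not visible here — and a comment stating that contract at the top would help. `$keyfile` is unquoted in the `$SETTIME` call, and when no `K*.key` exists the loop runs once on the literal pattern; `[ -f "$keyfile" ] || continue` as the first statement of the loop covers both.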
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+rm -f 18-nonstd-prepub/policy.conf
+rm -f 19-old-keys/policy.conf
+rm -f K*.key */K*.key
+rm -f K*.private */K*.private
+rm -f coverage.* keymgr.* settime.*
+rm -f ns*/managed-keys.bind*
+rm -f policy.conf
+rm -f policy.out
diff --git a/bin/tests/system/keymgr/policy.conf.in b/bin/tests/system/keymgr/policy.conf.in
new file mode 100644
index 0000000..d6bc925
--- /dev/null
+++ b/bin/tests/system/keymgr/policy.conf.in
@@ -0,0 +1,23 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+policy default {
+ policy global;
+ algorithm @DEFAULT_ALGORITHM@;
+ key-size zsk 1024;
+ pre-publish zsk 6w;
+ post-publish zsk 6w;
+ roll-period zsk 6mo;
+ roll-period ksk 0;
+ coverage 364d;
+};
diff --git a/bin/tests/system/keymgr/policy.good b/bin/tests/system/keymgr/policy.good
new file mode 100644
index 0000000..eb23246
--- /dev/null
+++ b/bin/tests/system/keymgr/policy.good
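Review bot: `key-size zsk 1024;` in the top-level policy.conf.in carries no comment explaining why it is smaller than the 2048-bit `zsk_keysize` that the `global` policy in policy.good shows, and a file named policy.conf.in is a natural thing to copy as a template; a line comment such as `// 1024-bit ZSK keeps test key generation fast; not a size to copy into production` makes the intent explicit. `roll-period ksk 0;` likewise deserves a one-line comment saying it disables KSK rollover for this test set, since nothing in the file says whether 0 means "never" or "immediately". The policy.sample file in this commit shows that `#`, `//` and `/* */` comments are all accepted by the parser, so either form works here.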
@@ -0,0 +1,187 @@ +policy default: + inherits global + directory None + algorithm None + coverage None + ksk_keysize None + zsk_keysize None + ksk_rollperiod None + zsk_rollperiod None + ksk_prepublish None + ksk_postpublish None + zsk_prepublish None + zsk_postpublish None + ksk_standby None + zsk_standby None + keyttl None + +policy global: + inherits None + directory None + algorithm RSASHA256 + coverage 15552000 + ksk_keysize 2048 + zsk_keysize 2048 + ksk_rollperiod None + zsk_rollperiod 31536000 + ksk_prepublish 2592000 + ksk_postpublish 2592000 + zsk_prepublish 2592000 + zsk_postpublish 2592000 + ksk_standby None + zsk_standby None + keyttl 3600 + +constructed policy example.com: + inherits global + directory None + algorithm RSASHA256 + coverage 15552000 + ksk_keysize 2048 + zsk_keysize 2048 + ksk_rollperiod None + zsk_rollperiod 31536000 + ksk_prepublish 2592000 + ksk_postpublish 2592000 + zsk_prepublish 2592000 + zsk_postpublish 2592000 + ksk_standby None + zsk_standby None + keyttl 3600 + +policy default: + inherits None + directory "keydir" + algorithm RSASHA1 + coverage 31536000 + ksk_keysize None + zsk_keysize None + ksk_rollperiod None + zsk_rollperiod 15552000 + ksk_prepublish None + ksk_postpublish None + zsk_prepublish 3628800 + zsk_postpublish 3628800 + ksk_standby None + zsk_standby None + keyttl 3600 + +zone policy example.com: + inherits extra + directory "keydir" + algorithm NSEC3RSASHA1 + coverage 12960000 + ksk_keysize 2048 + zsk_keysize 2048 + ksk_rollperiod 31536000 + zsk_rollperiod 7776000 + ksk_prepublish 7776000 + ksk_postpublish None + zsk_prepublish 3628800 + zsk_postpublish 604800 + ksk_standby None + zsk_standby None + keyttl 7200 + +constructed policy example.org: + inherits None + directory "keydir" + algorithm RSASHA1 + coverage 31536000 + ksk_keysize 2048 + zsk_keysize 1024 + ksk_rollperiod None + zsk_rollperiod 15552000 + ksk_prepublish None + ksk_postpublish None + zsk_prepublish 3628800 + zsk_postpublish 3628800 + ksk_standby 
None + zsk_standby None + keyttl 3600 + +constructed policy example.net: + inherits None + directory "keydir" + algorithm RSASHA1 + coverage 31536000 + ksk_keysize 2048 + zsk_keysize 1024 + ksk_rollperiod None + zsk_rollperiod 15552000 + ksk_prepublish None + ksk_postpublish None + zsk_prepublish 3628800 + zsk_postpublish 3628800 + ksk_standby None + zsk_standby None + keyttl 3600 + +algorithm policy RSASHA1: + inherits None + directory None + algorithm None + coverage None + ksk_keysize 2048 + zsk_keysize 1024 + ksk_rollperiod None + zsk_rollperiod None + ksk_prepublish None + ksk_postpublish None + zsk_prepublish None + zsk_postpublish None + ksk_standby None + zsk_standby None + keyttl None + +algorithm policy RSASHA256: + inherits None + directory None + algorithm RSASHA256 + coverage None + ksk_keysize 2048 + zsk_keysize 2048 + ksk_rollperiod None + zsk_rollperiod None + ksk_prepublish None + ksk_postpublish None + zsk_prepublish None + zsk_postpublish None + ksk_standby None + zsk_standby None + keyttl None + +algorithm policy ECDSAP256SHA256: + inherits None + directory None + algorithm ECDSAP256SHA256 + coverage None + ksk_keysize None + zsk_keysize None + ksk_rollperiod None + zsk_rollperiod None + ksk_prepublish None + ksk_postpublish None + zsk_prepublish None + zsk_postpublish None + ksk_standby None + zsk_standby None + keyttl None + +policy extra: + inherits default + directory None + algorithm None + coverage 157680000 + ksk_keysize None + zsk_keysize None + ksk_rollperiod 31536000 + zsk_rollperiod 7776000 + ksk_prepublish 7776000 + ksk_postpublish None + zsk_prepublish None + zsk_postpublish 604800 + ksk_standby None + zsk_standby None + keyttl 7200 + diff --git a/bin/tests/system/keymgr/policy.sample b/bin/tests/system/keymgr/policy.sample new file mode 100644 index 0000000..8683e27 --- /dev/null +++ b/bin/tests/system/keymgr/policy.sample 
@@ -0,0 +1,60 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+# a comment which should be skipped
+
+algorithm-policy rsasha1 {
+ key-size ksk 2048;
+ key-size zsk 1024; // this too
+};
+
+// and this
+
+policy default {
+ directory "keydir";
+ algorithm rsasha1;
+ coverage 1y; # another comment
+ roll-period zsk 6mo; // and yet another
+ pre-publish zsk 6w;
+ post-publish zsk 6w;
+ keyttl 1h;
+};
+
+policy extra {
+ policy default;
+ coverage 5y;
+ roll-period KSK 1 year;
+ roll-period zsk 3mo;
+ pre-publish ksk 3mo;
+ post-publish zsk 1w;
+ keyttl 2h;
+};
+
+/*
+ * and this is also a comment,
+ * and it should be ignored like
+ * the others.
+ */
+
+zone example.com {
+ policy extra;
+ coverage 5 mon;
+ algorithm nsec3rsasha1;
+};
+
+/*
+ * This confirms that zones starting with digits are accepted.
+ */
+zone "99example.com" {
+ policy global;
+};
diff --git a/bin/tests/system/keymgr/setup.sh b/bin/tests/system/keymgr/setup.sh
new file mode 100644
index 0000000..d7cef0c
--- /dev/null
+++ b/bin/tests/system/keymgr/setup.sh
@@ -0,0 +1,192 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+KEYGEN="$KEYGEN -q"
+
+# Test 1: KSK goes inactive before successor is active
+dir=01-ksk-inactive
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=`$KEYGEN -K $dir -S $ksk1`
+$SETTIME -K $dir -I +7mo $ksk1 > /dev/null 2>&1
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+
+# Test 2: ZSK goes inactive before successor is active
+dir=02-zsk-inactive
+echo_i "set up $dir"
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=`$KEYGEN -K $dir -S $zsk1`
+$SETTIME -K $dir -I +7mo $zsk1 > /dev/null 2>&1
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+
+# Test 3: KSK is unpublished before its successor is published
+dir=03-ksk-unpublished
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=`$KEYGEN -K $dir -S $ksk1`
+$SETTIME -K $dir -D +6mo $ksk1 > /dev/null 2>&1
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+
+# Test 4: ZSK is unpublished before its successor is published
+dir=04-zsk-unpublished
+echo_i "set up $dir"
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=`$KEYGEN -K $dir -S $zsk1`
+$SETTIME -K $dir -D +6mo $zsk1 > /dev/null 2>&1
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+
+# Test 5: KSK deleted and successor published before KSK is deactivated
+# and successor activated.
+dir=05-ksk-unpub-active
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+$SETTIME -K $dir -I +9mo -D +8mo $ksk1 > /dev/null 2>&1
+ksk2=`$KEYGEN -K $dir -S $ksk1`
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+
+# Test 6: ZSK deleted and successor published before ZSK is deactivated
+# and successor activated.
+dir=06-zsk-unpub-active
+echo_i "set up $dir"
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I +9mo -D +8mo $zsk1 > /dev/null 2>&1
+zsk2=`$KEYGEN -K $dir -S $zsk1`
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+
+# Test 7: KSK rolled with insufficient delay after prepublication.
+dir=07-ksk-ttl
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+$SETTIME -K $dir -I +9mo -D +1y $ksk1 > /dev/null 2>&1
+ksk2=`$KEYGEN -K $dir -S $ksk1`
+$SETTIME -K $dir -P +269d $ksk2 > /dev/null 2>&1
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+
+# Test 8: ZSK rolled with insufficient delay after prepublication.
+dir=08-zsk-ttl
+echo_i "set up $dir"
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I +9mo -D +1y $zsk1 > /dev/null 2>&1
+zsk2=`$KEYGEN -K $dir -S $zsk1`
+# allow only 1 day between publication and activation
+$SETTIME -K $dir -P +269d $zsk2 > /dev/null 2>&1
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+
+# Test 9: No special preparation needed
+
+# Test 10: Valid key set, but rollover period has changed
+dir=10-change-roll
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I +3mo -D +4mo $zsk1 > /dev/null 2>&1
+zsk2=`$KEYGEN -K $dir -S $zsk1`
+
+# Test 11: Many keys all simultaneously scheduled to be active in the future
+dir=11-many-simul
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk -P now+1mo -A now+1mo example.com`
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com`
+z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com`
+z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com`
+z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 -P now+1mo -A now+1mo example.com`
+
+# Test 12: Many keys all simultaneously scheduled to be active in the past
+dir=12-many-active
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+
+# Test 13: Multiple simultaneous keys with no configured roll period
+dir=13-noroll
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+k2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+k3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+
+# Test 14: Keys exist but have the wrong algorithm
+dir=14-wrongalg
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -qfk example.com`
+z1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -q example.com`
+$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
+z2=`$KEYGEN -K $dir -q -S ${z1}.key`
+$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
+z3=`$KEYGEN -K $dir -q -S ${z2}.key`
+$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null
+z4=`$KEYGEN -K $dir -q -S ${z3}.key`
+
+# Test 15: No zones specified; just search the directory for keys
+dir=15-unspec
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
+z2=`$KEYGEN -K $dir -q -S ${z1}.key`
+$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
+z3=`$KEYGEN -K $dir -q -S ${z2}.key`
+$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null
+z4=`$KEYGEN -K $dir -q -S ${z3}.key`
+
+# Test 16: No zones specified; search the directory for keys;
+# keys have the wrong algorithm for their policies
+dir=16-wrongalg-unspec
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -qfk example.com`
+z1=`$KEYGEN -K $dir -a ${ALTERNATIVE_ALGORITHM} -q example.com`
+$SETTIME -K $dir -I now+6mo -D now+8mo $z1 > /dev/null
+z2=`$KEYGEN -K $dir -q -S ${z1}.key`
+$SETTIME -K $dir -I now+1y -D now+14mo $z2 > /dev/null
+z3=`$KEYGEN -K $dir -q -S ${z2}.key`
+$SETTIME -K $dir -I now+18mo -D now+20mo $z3 > /dev/null
+z4=`$KEYGEN -K $dir -q -S ${z3}.key`
+
+# Test 17: Keys are simultaneously active but we run with no force
+# flag (this should fail)
+dir=17-noforce
+echo_i "set up $dir"
+k1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3fk example.com`
+z1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z2=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z3=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+z4=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -q3 example.com`
+
+# Test 18: Prepublication interval is set to a nonstandard value
+dir=18-nonstd-prepub
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null
+
+# Test 19: Key has been published/active a long time
+dir=19-old-keys
+echo_i "set up $dir"
+ksk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3fk example.com`
+zsk1=`$KEYGEN -K $dir -a ${DEFAULT_ALGORITHM} -3 example.com`
+$SETTIME -K $dir -P now-2y -A now-2y $ksk1 > /dev/null
+$SETTIME -K $dir -P now-2y -A now-2y $zsk1 > /dev/null
+
+copy_setports policy.conf.in policy.conf
+copy_setports 18-nonstd-prepub/policy.conf.in 18-nonstd-prepub/policy.conf
+copy_setports 19-old-keys/policy.conf.in 19-old-keys/policy.conf
diff --git a/bin/tests/system/keymgr/testpolicy.py b/bin/tests/system/keymgr/testpolicy.py
new file mode 100644
index 0000000..d63a079
--- /dev/null
+++ b/bin/tests/system/keymgr/testpolicy.py
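Review bot: None of the backtick `$KEYGEN` captures in setup.sh is checked and every `$SETTIME` call in Tests 1 through 13 discards stderr as well as stdout, so a failed key generation leaves e.g. `ksk1` empty, the following `$SETTIME -K $dir -I +9mo -D +1y $ksk1` then runs with no key name and fails invisibly, and the directory ends up mis-prepared with nothing in the log to explain the later coverage failures; this applies to every test block from Test 1 to Test 19. Adding `set -e` directly after `. $SYSTEMTESTTOP/conf.sh` would stop setup at the first failing command, and dropping the `2>&1` so that only stdout goes to `/dev/null` (as Tests 14 to 19 already do) would keep the dnssec-settime diagnostics visible. The `-q` inside the `-q3fk`/`-q3`/`-qfk` flag groups of Tests 11 to 17 is redundant with `KEYGEN="$KEYGEN -q"` near the top of the file. Separately, the README files added in this commit for 06-zsk-unpub-active, 08-zsk-ttl and 11-many-simul through 17-noforce repeat the text of the 05 or 07 README rather than the scenario the comment above each block in this hunk describes.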
@@ -0,0 +1,39 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+import sys
+from isc import policy
+
+PP = policy.dnssec_policy()
+# print the unmodified default and a generated zone policy
+print(PP.named_policy["default"])
+print(PP.named_policy["global"])
+print(PP.policy("example.com"))
+
+if len(sys.argv) > 0:
+ for policy_file in sys.argv[1:]:
+ PP.load(policy_file)
+
+ # now print the modified default and generated zone policies
+ print(PP.named_policy["default"])
+ print(PP.policy("example.com"))
+ print(PP.policy("example.org"))
+ print(PP.policy("example.net"))
+
+ # print algorithm policies
+ print(PP.alg_policy["RSASHA1"])
+ print(PP.alg_policy["RSASHA256"])
+ print(PP.alg_policy["ECDSAP256SHA256"])
+
+ # print another named policy
+ print(PP.named_policy["extra"])
+else:
+ print("ERROR: Please provide an input file")
diff --git a/bin/tests/system/keymgr/tests.sh b/bin/tests/system/keymgr/tests.sh
new file mode 100644
index 0000000..667277f
--- /dev/null
+++ b/bin/tests/system/keymgr/tests.sh
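Review bot: The `else` branch at the end of the file can never run: `sys.argv[0]` is always present, so `len(sys.argv) > 0` holds even when no policy file is passed, and the script then runs the loop zero times and reads `PP.named_policy["extra"]`, which presumably fails with a KeyError instead of printing the intended message. The guard should be `if len(sys.argv) > 1:`. The error path should also be visible to tests.sh, which only compares stdout against policy.good: `print("ERROR: Please provide an input file", file=sys.stderr)` followed by `sys.exit(1)`.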
@@ -0,0 +1,146 @@
+#!/bin/sh
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+SYSTEMTESTTOP=..
+. $SYSTEMTESTTOP/conf.sh
+
+status=0
+n=1
+
+matchall () {
+ match_result=ok
+ file=$1
+ while IFS="," read expect matchline; do
+ [ -z "$matchline" ] && continue
+ matches=`grep "$matchline" $file | wc -l`
+ [ "$matches" -ne "$expect" ] && {
+ echo "'$matchline': expected $expect found $matches"
+ return 1
+ }
+ done << EOF
+ $2
+EOF
+ return 0
+}
+
+echo_i "checking for DNSSEC key coverage issues"
+ret=0
+for dir in [0-9][0-9]-*; do
+ ret=0
+ echo_i "$dir ($n)"
+ kargs= cargs= kmatch= cmatch= kret= cret=0 warn= error= ok=
+ . $dir/expect
+
+ # use policy.conf if available
+ policy=""
+ if [ -e "$dir/policy.conf" ]; then
+ policy="-c $dir/policy.conf"
+ if grep -e "-c policy.conf" $dir/expect > /dev/null
+ then
+ echo_i "fix $dir/expect: multiple policy files"
+ ret=1
+ fi
+ else
+ policy="-c policy.conf"
+ fi
+
+ # run keymgr to update keys
+ if [ "$CYGWIN" ]; then
+ $KEYMGR $policy -K $dir -g `cygpath -w $KEYGEN` \
+ -s `cygpath -w $SETTIME` $kargs > keymgr.$n 2>&1
+ else
+ $KEYMGR $policy -K $dir -g $KEYGEN \
+ -s $SETTIME $kargs > keymgr.$n 2>&1
+ fi
+ # check that return code matches expectations
+ found=$?
+ if [ $found -ne $kret ]; then
+ echo "keymgr retcode was $found expected $kret"
+ ret=1
+ fi
+
+ # check for matches in keymgr output
+ matchall keymgr.$n "$kmatch" || ret=1
+
+ # now check coverage
+ $COVERAGE -K $dir $cargs > coverage.$n 2>&1
+ # check that return code matches expectations
+ found=$?
+ if [ $found -ne $cret ]; then
+ echo "coverage retcode was $found expected $cret"
+ ret=1
+ fi
+
+ # check for correct number of errors
+ found=`grep ERROR coverage.$n | wc -l`
+ if [ $found -ne $error ]; then
+ echo "error count was $found expected $error"
+ ret=1
+ fi
+
+ # check for correct number of warnings
+ found=`grep WARNING coverage.$n | wc -l`
+ if [ $found -ne $warn ]; then
+ echo "warning count was $found expected $warn"
+ ret=1
+ fi
+
+ # check for correct number of OKs
+ found=`grep "No errors found" coverage.$n | wc -l`
+ if [ $found -ne $ok ]; then
+ echo "good count was $found expected $ok"
+ ret=1
+ fi
+
+ # check for matches in coverage output
+ matchall coverage.$n "$cmatch" || ret=1
+
+ if [ -f $dir/extra.sh ]; then
+ cd $dir
+ . ./extra.sh
+ cd ..
+ fi
+
+ n=`expr $n + 1`
+ if [ $ret != 0 ]; then echo_i "failed"; fi
+ status=`expr $status + $ret`
+done
+
+echo_i "checking domains ending in . ($n)"
+ret=0
+$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.1.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.1.$n | wc -l`
+[ "$nkeys" -eq 2 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME . > keymgr.2.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.2.$n | wc -l`
+[ "$nkeys" -eq 0 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.3.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.3.$n | wc -l`
+[ "$nkeys" -eq 2 ] || ret=1
+$KEYMGR -g $KEYGEN -s $SETTIME example.com. > keymgr.4.$n 2>&1
+nkeys=`grep dnssec-keygen keymgr.4.$n | wc -l`
+[ "$nkeys" -eq 0 ] || ret=1
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "checking policy.conf parser ($n)"
+ret=0
+PYTHONPATH="../../../python:$PYTHONPATH" ${PYTHON} testpolicy.py policy.sample > policy.out
+$DOS2UNIX policy.out > /dev/null 2>&1
+cmp -s policy.good policy.out || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=`expr $status + $ret`
+n=`expr $n + 1`
+
+echo_i "exit status: $status"
+[ $status -eq 0 ] || exit 1 |
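Review bot: A fixture that omits one of the counters makes the per-directory loop pass silently rather than fail: `kret`, `warn`, `error` and `ok` are reset to empty before `. $dir/expect`, and the unquoted comparisons `[ $found -ne $kret ]`, `[ $found -ne $error ]`, `[ $found -ne $warn ]` and `[ $found -ne $ok ]` then become `[ 2 -ne ]`, which is a test(1) usage error (exit 2), so the `if` body that sets `ret=1` is skipped and the mismatch is never recorded. Validating the sourced values right after `. $dir/expect` closes that gap without changing how a well-formed expect file is handled. Separately, `cd $dir` before `. ./extra.sh` is unchecked; if it fails the sourced script runs from the wrong directory and the following `cd ..` moves the loop out of the test directory, so `cd $dir || { ret=1; continue; }` would be safer there.
```shell
	. $dir/expect
	# an unset counter would turn the [ ... -ne ... ] checks below into a
	# test(1) usage error (exit 2), and the mismatch would go unrecorded
	for v in "kret=$kret" "cret=$cret" "warn=$warn" "error=$error" "ok=$ok"; do
		case $v in
		*=) echo_i "fix $dir/expect: ${v%=} is not set"; ret=1 ;;
		esac
	done
	# … unchanged: policy.conf selection, keymgr/coverage runs and checks …
```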