summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/keymgr2kasp/tests.sh
diff options
context:
space:
mode:
Diffstat (limited to 'bin/tests/system/keymgr2kasp/tests.sh')
-rw-r--r--bin/tests/system/keymgr2kasp/tests.sh605
1 files changed, 301 insertions, 304 deletions
diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh
index 6f9caae..57c1445 100644
--- a/bin/tests/system/keymgr2kasp/tests.sh
+++ b/bin/tests/system/keymgr2kasp/tests.sh
@@ -29,17 +29,17 @@ n=0
# Call dig with default options.
dig_with_opts() {
- if [ -n "$TSIG" ]; then
- "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@"
- else
- "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
- fi
+ if [ -n "$TSIG" ]; then
+ "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@"
+ else
+ "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+ fi
}
# Log error and increment failure rate.
log_error() {
- echo_i "error: $1"
- ret=$((ret+1))
+ echo_i "error: $1"
+ ret=$((ret + 1))
}
# Default next key event threshold. May be extended by wait periods.
@@ -50,29 +50,29 @@ next_key_event_threshold=100
###############################################################################
set_retired_removed() {
- _Lkey=$2
- _Iret=$3
+ _Lkey=$2
+ _Iret=$3
- _active=$(key_get $1 ACTIVE)
- set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}"
- _retired=$(key_get $1 RETIRED)
- set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
+ _active=$(key_get $1 ACTIVE)
+ set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}"
+ _retired=$(key_get $1 RETIRED)
+ set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
}
rollover_predecessor_keytimes() {
- _addtime=$1
+ _addtime=$1
- _created=$(key_get KEY1 CREATED)
+ _created=$(key_get KEY1 CREATED)
- set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
- set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
- set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
- [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+ set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
- _created=$(key_get KEY2 CREATED)
- set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
- set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
- [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+ _created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
}
# Policy parameters.
@@ -81,7 +81,6 @@ rollover_predecessor_keytimes() {
Lksk=0
Lzsk=0
-
#################################################
# Test state before switching to dnssec-policy. #
#################################################
@@ -90,38 +89,38 @@ Lzsk=0
# $1 $2: Algorithm number and string.
# $3 $4: KSK and ZSK size.
init_migration_keys() {
- key_clear "KEY1"
- key_set "KEY1" "LEGACY" "yes"
- set_keyrole "KEY1" "ksk"
- set_keylifetime "KEY1" "none"
- set_keyalgorithm "KEY1" "$1" "$2" "$3"
- set_keysigning "KEY1" "yes"
- set_zonesigning "KEY1" "no"
-
- key_clear "KEY2"
- key_set "KEY2" "LEGACY" "yes"
- set_keyrole "KEY2" "zsk"
- set_keylifetime "KEY2" "none"
- set_keyalgorithm "KEY2" "$1" "$2" "$4"
- set_keysigning "KEY2" "no"
- set_zonesigning "KEY2" "yes"
-
- key_clear "KEY3"
- key_clear "KEY4"
+ key_clear "KEY1"
+ key_set "KEY1" "LEGACY" "yes"
+ set_keyrole "KEY1" "ksk"
+ set_keylifetime "KEY1" "none"
+ set_keyalgorithm "KEY1" "$1" "$2" "$3"
+ set_keysigning "KEY1" "yes"
+ set_zonesigning "KEY1" "no"
+
+ key_clear "KEY2"
+ key_set "KEY2" "LEGACY" "yes"
+ set_keyrole "KEY2" "zsk"
+ set_keylifetime "KEY2" "none"
+ set_keyalgorithm "KEY2" "$1" "$2" "$4"
+ set_keysigning "KEY2" "no"
+ set_zonesigning "KEY2" "yes"
+
+ key_clear "KEY3"
+ key_clear "KEY4"
}
# Set expected key states for migration tests.
# $1: Goal
# $2: States
init_migration_states() {
- set_keystate "KEY1" "GOAL" "$1"
- set_keystate "KEY1" "STATE_DNSKEY" "$2"
- set_keystate "KEY1" "STATE_KRRSIG" "$2"
- set_keystate "KEY1" "STATE_DS" "$2"
-
- set_keystate "KEY2" "GOAL" "$1"
- set_keystate "KEY2" "STATE_DNSKEY" "$2"
- set_keystate "KEY2" "STATE_ZRRSIG" "$2"
+ set_keystate "KEY1" "GOAL" "$1"
+ set_keystate "KEY1" "STATE_DNSKEY" "$2"
+ set_keystate "KEY1" "STATE_KRRSIG" "$2"
+ set_keystate "KEY1" "STATE_DS" "$2"
+
+ set_keystate "KEY2" "GOAL" "$1"
+ set_keystate "KEY2" "STATE_DNSKEY" "$2"
+ set_keystate "KEY2" "STATE_ZRRSIG" "$2"
}
#
@@ -154,21 +153,21 @@ set_zone "csk.kasp"
set_policy "none" "1" "7200"
set_server "ns3" "10.53.0.3"
-key_clear "KEY1"
-key_set "KEY1" "LEGACY" "yes"
-set_keyrole "KEY1" "ksk"
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "yes"
+set_keyrole "KEY1" "ksk"
# This key also acts as a ZSK.
-key_set "KEY1" "ZSK" "yes"
-set_keylifetime "KEY1" "none"
+key_set "KEY1" "ZSK" "yes"
+set_keylifetime "KEY1" "none"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
key_clear "KEY2"
key_clear "KEY3"
@@ -179,9 +178,9 @@ check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The key is immediately published and activated.
_created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "PUBLISHED" "${_created}"
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
-set_keytime "KEY1" "ACTIVE" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
check_keytimes
check_apex
@@ -197,21 +196,21 @@ set_zone "csk-nosep.kasp"
set_policy "none" "1" "7200"
set_server "ns3" "10.53.0.3"
-key_clear "KEY1"
-key_set "KEY1" "LEGACY" "yes"
-set_keyrole "KEY1" "zsk"
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "yes"
+set_keyrole "KEY1" "zsk"
# Despite the missing SEP bit, this key also acts as a KSK.
-key_set "KEY1" "KSK" "yes"
-set_keylifetime "KEY1" "none"
+key_set "KEY1" "KSK" "yes"
+set_keylifetime "KEY1" "none"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
key_clear "KEY2"
key_clear "KEY3"
@@ -222,9 +221,9 @@ check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The key is immediately published and activated.
_created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "PUBLISHED" "${_created}"
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
-set_keytime "KEY1" "ACTIVE" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
check_keytimes
check_apex
@@ -292,15 +291,15 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# -P sync: now-3h
# -A : now-3900s
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
# The ZSK is immediately published and activated.
# -P: now-3900s
# -A: now-12h
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
check_keytimes
check_apex
check_subdomain
@@ -330,15 +329,15 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# P sync: now-3h
# A : now-3900s
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
# - The ZSK is immediately published and activated.
# P: now-3900s
# A: now-12h
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
check_keytimes
check_apex
check_subdomain
@@ -368,15 +367,15 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# P sync: now-3h
# A : now-3900s
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
# - The ZSK is immediately published and activated.
# P: now-3900s
# A: now-12h
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
check_keytimes
check_apex
check_subdomain
@@ -395,47 +394,46 @@ rndc_reconfig ns3 10.53.0.3
# Calculate time passed to correctly check for next key events.
now="$(TZ=UTC date +%s)"
-time_passed=$((now-start_time))
+time_passed=$((now - start_time))
echo_i "${time_passed} seconds passed between start of tests and reconfig"
# Wait until we have seen "zone_rekey done:" message for this key.
_wait_for_done_signing() {
- _zone=$1
-
- _ksk=$(key_get $2 KSK)
- _zsk=$(key_get $2 ZSK)
- if [ "$_ksk" = "yes" ]; then
- _role="KSK"
- _expect_type=EXPECT_KRRSIG
- elif [ "$_zsk" = "yes" ]; then
- _role="ZSK"
- _expect_type=EXPECT_ZRRSIG
- fi
-
- if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then
- _keyid=$(key_get $2 ID)
- _keyalg=$(key_get $2 ALG_STR)
- echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
- grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1
- fi
-
- return 0
+ _zone=$1
+
+ _ksk=$(key_get $2 KSK)
+ _zsk=$(key_get $2 ZSK)
+ if [ "$_ksk" = "yes" ]; then
+ _role="KSK"
+ _expect_type=EXPECT_KRRSIG
+ elif [ "$_zsk" = "yes" ]; then
+ _role="ZSK"
+ _expect_type=EXPECT_ZRRSIG
+ fi
+
+ if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then
+ _keyid=$(key_get $2 ID)
+ _keyalg=$(key_get $2 ALG_STR)
+ echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
+ grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" >/dev/null || return 1
+ fi
+
+ return 0
}
wait_for_done_signing() {
- n=$((n+1))
- echo_i "wait for zone ${ZONE} is done signing ($n)"
- ret=0
+ n=$((n + 1))
+ echo_i "wait for zone ${ZONE} is done signing ($n)"
+ ret=0
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
}
-
################################################
# Test state after switching to dnssec-policy. #
################################################
@@ -478,9 +476,9 @@ rollover_predecessor_keytimes 0
# retire-safety: 1h (3600 seconds)
# IretZSK: 10d65m (867900 seconds)
active=$(key_get KEY2 ACTIVE)
-set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}"
+set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}"
retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# Continue signing policy checks.
check_keytimes
@@ -489,13 +487,13 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
[ $_migrate_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_migrate_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Testing a good migration (CSK).
@@ -504,19 +502,19 @@ set_zone "csk.kasp"
set_policy "default" "1" "7200"
set_server "ns3" "10.53.0.3"
-key_clear "KEY1"
-key_set "KEY1" "LEGACY" "no"
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "no"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
key_clear "KEY2"
key_clear "KEY3"
@@ -529,9 +527,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The key was immediately published and activated.
_created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "PUBLISHED" "${_created}"
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
-set_keytime "KEY1" "ACTIVE" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
# Continue signing policy checks.
check_keytimes
@@ -540,12 +538,12 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
ret=0
[ $_migrate_csk = $(key_get KEY1 ID) ] || log_error "mismatch csk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Testing a good migration (CSK, no SEP).
@@ -554,20 +552,20 @@ set_zone "csk-nosep.kasp"
set_policy "default" "1" "7200"
set_server "ns3" "10.53.0.3"
-key_clear "KEY1"
-key_set "KEY1" "LEGACY" "no"
-set_keyrole "KEY1" "csk"
-key_set "KEY1" "FLAGS" "256"
-set_keylifetime "KEY1" "0"
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "no"
+set_keyrole "KEY1" "csk"
+key_set "KEY1" "FLAGS" "256"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
key_clear "KEY2"
key_clear "KEY3"
@@ -580,9 +578,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The key was immediately published and activated.
_created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "PUBLISHED" "${_created}"
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
-set_keytime "KEY1" "ACTIVE" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
# Continue signing policy checks.
check_keytimes
@@ -591,12 +589,12 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
ret=0
[ $_migrate_csk_nosep = $(key_get KEY1 ID) ] || log_error "mismatch csk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Test migration to dnssec-policy, existing keys do not match key algorithm.
@@ -611,24 +609,24 @@ init_migration_states "hidden" "omnipresent"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"
-set_keyrole "KEY3" "ksk"
-set_keylifetime "KEY3" "0"
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY3" "yes"
-set_zonesigning "KEY3" "no"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
-set_keyrole "KEY4" "zsk"
-set_keylifetime "KEY4" "5184000"
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "5184000"
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY4" "no"
-set_zonesigning "KEY4" "yes"
+set_keysigning "KEY4" "no"
+set_zonesigning "KEY4" "yes"
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY3" "STATE_DS" "hidden"
+set_keystate "KEY3" "STATE_DS" "hidden"
-set_keystate "KEY4" "GOAL" "omnipresent"
+set_keystate "KEY4" "GOAL" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
@@ -650,13 +648,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# IretKSK: 4h (14400 seconds)
IretKSK=14400
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
keyfile=$(key_get KEY1 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
-retired=$(awk '{print $3}' < retired.test${n}.ksk)
-set_keytime "KEY1" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
+retired=$(awk '{print $3}' <retired.test${n}.ksk)
+set_keytime "KEY1" "RETIRED" "${retired}"
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
# P: now-3900s
@@ -671,17 +669,17 @@ set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
IretZSK=824400
Lzsk=5184000
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
keyfile=$(key_get KEY2 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
-retired=$(awk '{print $3}' < retired.test${n}.zsk)
-set_keytime "KEY2" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk
+retired=$(awk '{print $3}' <retired.test${n}.zsk)
+set_keytime "KEY2" "RETIRED" "${retired}"
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new KSK is immediately published and activated.
created=$(key_get KEY3 CREATED)
-set_keytime "KEY3" "PUBLISHED" "${created}"
-set_keytime "KEY3" "ACTIVE" "${created}"
+set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
# TTLsig: 11h (39600 seconds)
# Dprp: 1h (3600 seconds)
@@ -691,12 +689,12 @@ Ipub=46800
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
# - The ZSK is immediately published and activated.
created=$(key_get KEY4 CREATED)
-set_keytime "KEY4" "PUBLISHED" "${created}"
-set_keytime "KEY4" "ACTIVE" "${created}"
+set_keytime "KEY4" "PUBLISHED" "${created}"
+set_keytime "KEY4" "ACTIVE" "${created}"
active=$(key_get KEY4 ACTIVE)
-set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
+set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
retired=$(key_get KEY4 RETIRED)
-set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
# Continue signing policy checks.
check_keytimes
@@ -705,13 +703,13 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
ret=0
[ $_migratenomatch_algnum_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_migratenomatch_algnum_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Test migration to dnssec-policy, existing keys do not match key length.
@@ -727,25 +725,25 @@ init_migration_states "hidden" "omnipresent"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"
-set_keyrole "KEY3" "ksk"
-set_keylifetime "KEY3" "0"
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
-set_keysigning "KEY3" "yes"
-set_zonesigning "KEY3" "no"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
-set_keyrole "KEY4" "zsk"
-set_keylifetime "KEY4" "5184000"
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "5184000"
set_keyalgorithm "KEY4" "8" "RSASHA256" "3072"
-set_keysigning "KEY4" "no"
+set_keysigning "KEY4" "no"
# This key is considered to be prepublished, so it is not yet signing.
-set_zonesigning "KEY4" "no"
+set_zonesigning "KEY4" "no"
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY3" "STATE_DS" "hidden"
+set_keystate "KEY3" "STATE_DS" "hidden"
-set_keystate "KEY4" "GOAL" "omnipresent"
+set_keystate "KEY4" "GOAL" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
@@ -767,13 +765,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# IretKSK: 4h (14400 seconds)
IretKSK=14400
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
keyfile=$(key_get KEY1 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
-retired=$(awk '{print $3}' < retired.test${n}.ksk)
-set_keytime "KEY1" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
+retired=$(awk '{print $3}' <retired.test${n}.ksk)
+set_keytime "KEY1" "RETIRED" "${retired}"
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
# P: now-3900s
@@ -788,17 +786,17 @@ set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
IretZSK=824400
Lzsk=5184000
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
keyfile=$(key_get KEY2 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
-retired=$(awk '{print $3}' < retired.test${n}.zsk)
-set_keytime "KEY2" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk
+retired=$(awk '{print $3}' <retired.test${n}.zsk)
+set_keytime "KEY2" "RETIRED" "${retired}"
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new KSK is immediately published and activated.
created=$(key_get KEY3 CREATED)
-set_keytime "KEY3" "PUBLISHED" "${created}"
-set_keytime "KEY3" "ACTIVE" "${created}"
+set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
# TTLsig: 11h (39600 seconds)
# Dprp: 1h (3600 seconds)
@@ -808,12 +806,12 @@ Ipub=46800
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
# - The ZSK is immediately published and activated.
created=$(key_get KEY4 CREATED)
-set_keytime "KEY4" "PUBLISHED" "${created}"
-set_keytime "KEY4" "ACTIVE" "${created}"
+set_keytime "KEY4" "PUBLISHED" "${created}"
+set_keytime "KEY4" "ACTIVE" "${created}"
active=$(key_get KEY4 ACTIVE)
-set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
+set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
retired=$(key_get KEY4 RETIRED)
-set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
# Continue signing policy checks.
check_keytimes
@@ -822,13 +820,13 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
ret=0
[ $_migratenomatch_alglen_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_migratenomatch_alglen_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Test migration to dnssec-policy, existing keys do not match role (KSK/ZSK -> CSK).
@@ -844,18 +842,18 @@ init_migration_states "hidden" "omnipresent"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"
-set_keyrole "KEY3" "csk"
-set_keylifetime "KEY3" "0"
+set_keyrole "KEY3" "csk"
+set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY3" "yes"
-set_zonesigning "KEY3" "no"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
# This key is considered to be prepublished, so it is not yet signing.
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
-set_keystate "KEY3" "STATE_DS" "hidden"
+set_keystate "KEY3" "STATE_DS" "hidden"
# Various signing policy checks.
check_keys
@@ -875,13 +873,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# IretKSK: 4h (14400 seconds)
IretKSK=14400
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
keyfile=$(key_get KEY1 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
-retired=$(awk '{print $3}' < retired.test${n}.ksk)
-set_keytime "KEY1" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
+retired=$(awk '{print $3}' <retired.test${n}.ksk)
+set_keytime "KEY1" "RETIRED" "${retired}"
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
# P: now-3900s
@@ -896,17 +894,17 @@ set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
IretZSK=824400
Lzsk=5184000
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
keyfile=$(key_get KEY2 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
-retired=$(awk '{print $3}' < retired.test${n}.zsk)
-set_keytime "KEY2" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk
+retired=$(awk '{print $3}' <retired.test${n}.zsk)
+set_keytime "KEY2" "RETIRED" "${retired}"
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new KSK is immediately published and activated.
created=$(key_get KEY3 CREATED)
-set_keytime "KEY3" "PUBLISHED" "${created}"
-set_keytime "KEY3" "ACTIVE" "${created}"
+set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
# TTLsig: 11h (39600 seconds)
# Dprp: 1h (3600 seconds)
@@ -922,13 +920,13 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
ret=0
[ $_migratenomatch_kzc_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_migratenomatch_kzc_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
########################################################
# Testing key states derived from key timing metadata. #
@@ -972,13 +970,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Tkey="now-300s" (300)
# Tsig="now-11h" (39600)
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -300
-set_addkeytime "KEY1" "ACTIVE" "${created}" -300
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -7200
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -300
+set_addkeytime "KEY1" "ACTIVE" "${created}" -300
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -7200
set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -300
-set_addkeytime "KEY2" "ACTIVE" "${created}" -39600
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -300
+set_addkeytime "KEY2" "ACTIVE" "${created}" -39600
set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
# Continue signing policy checks.
@@ -988,13 +986,13 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
[ $_rumoured_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_rumoured_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Testing omnipresent state.
@@ -1022,13 +1020,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Tkey="now-3900s" (3900)
# Tsig="now-12h" (43200)
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
-set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
# Continue signing policy checks.
@@ -1038,55 +1036,54 @@ check_subdomain
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
[ $_omnipresent_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_omnipresent_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
+status=$((status + ret))
######################################
# Testing good migration with views. #
######################################
init_view_migration() {
- key_clear "KEY1"
- key_set "KEY1" "LEGACY" "yes"
- set_keyrole "KEY1" "ksk"
- set_keylifetime "KEY1" "0"
- set_keysigning "KEY1" "yes"
- set_zonesigning "KEY1" "no"
-
- key_clear "KEY2"
- key_set "KEY2" "LEGACY" "yes"
- set_keyrole "KEY2" "zsk"
- set_keylifetime "KEY2" "0"
- set_keysigning "KEY2" "no"
- set_zonesigning "KEY2" "yes"
-
- key_clear "KEY3"
- key_clear "KEY4"
-
- set_keystate "KEY1" "GOAL" "omnipresent"
- set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
- set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
- set_keystate "KEY1" "STATE_DS" "rumoured"
-
- set_keystate "KEY2" "GOAL" "omnipresent"
- set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
- set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+ key_clear "KEY1"
+ key_set "KEY1" "LEGACY" "yes"
+ set_keyrole "KEY1" "ksk"
+ set_keylifetime "KEY1" "0"
+ set_keysigning "KEY1" "yes"
+ set_zonesigning "KEY1" "no"
+
+ key_clear "KEY2"
+ key_set "KEY2" "LEGACY" "yes"
+ set_keyrole "KEY2" "zsk"
+ set_keylifetime "KEY2" "0"
+ set_keysigning "KEY2" "no"
+ set_zonesigning "KEY2" "yes"
+
+ key_clear "KEY3"
+ key_clear "KEY4"
+
+ set_keystate "KEY1" "GOAL" "omnipresent"
+ set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+ set_keystate "KEY1" "STATE_DS" "rumoured"
+
+ set_keystate "KEY2" "GOAL" "omnipresent"
+ set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
}
set_keytimes_view_migration() {
- # Key is six months in use.
- created=$(key_get KEY1 CREATED)
- set_addkeytime "KEY1" "PUBLISHED" "${created}" -16070400
- set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400
- set_addkeytime "KEY1" "ACTIVE" "${created}" -16070400
- created=$(key_get KEY2 CREATED)
- set_addkeytime "KEY2" "PUBLISHED" "${created}" -16070400
- set_addkeytime "KEY2" "ACTIVE" "${created}" -16070400
+ # Key is six months in use.
+ created=$(key_get KEY1 CREATED)
+ set_addkeytime "KEY1" "PUBLISHED" "${created}" -16070400
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400
+ set_addkeytime "KEY1" "ACTIVE" "${created}" -16070400
+ created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${created}" -16070400
+ set_addkeytime "KEY2" "ACTIVE" "${created}" -16070400
}
# Zone view.rsasha256.kasp (external)
@@ -1104,16 +1101,16 @@ set_keytimes_view_migration
check_keytimes
dnssec_verify
-n=$((n+1))
+n=$((n + 1))
# check subdomain
echo_i "check TXT $ZONE (view ext) rrset is signed correctly ($n)"
ret=0
-dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
-grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
-grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Remember legacy key tags.
_migrate_ext8_ksk=$(key_get KEY1 ID)
@@ -1134,16 +1131,16 @@ set_keytimes_view_migration
check_keytimes
dnssec_verify
-n=$((n+1))
+n=$((n + 1))
# check subdomain
echo_i "check TXT $ZONE (view int) rrset is signed correctly ($n)"
ret=0
-dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
-grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
-grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Remember legacy key tags.
_migrate_int8_ksk=$(key_get KEY1 ID)
@@ -1156,7 +1153,7 @@ rndc_reconfig ns4 10.53.0.4
# Calculate time passed to correctly check for next key events.
now="$(TZ=UTC date +%s)"
-time_passed=$((now-start_time))
+time_passed=$((now - start_time))
echo_i "${time_passed} seconds passed between start of tests and reconfig"
#
@@ -1169,26 +1166,26 @@ init_migration_keys "8" "RSASHA256" "2048" "2048"
init_migration_states "omnipresent" "rumoured"
# Key properties, timings and metadata should be the same as legacy keys above.
# However, because the keys have a lifetime, kasp will set the retired time.
-key_set "KEY1" "LEGACY" "no"
-set_keylifetime "KEY1" "31536000"
-set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
-
-key_set "KEY2" "LEGACY" "no"
-set_keylifetime "KEY2" "8035200"
-set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+key_set "KEY1" "LEGACY" "no"
+set_keylifetime "KEY1" "31536000"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+key_set "KEY2" "LEGACY" "no"
+set_keylifetime "KEY2" "8035200"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# The ZSK needs to be replaced.
-set_keystate "KEY2" "GOAL" "hidden"
-set_keystate "KEY3" "GOAL" "omnipresent"
-set_keyrole "KEY3" "zsk"
-set_keylifetime "KEY3" "8035200"
+set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "8035200"
set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
-set_keysigning "KEY3" "no"
-set_zonesigning "KEY3" "no" # not yet
-set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "no" # not yet
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
# Various signing policy checks (external).
TSIG="$DEFAULT_HMAC:external:$VIEW1"
@@ -1199,11 +1196,11 @@ set_keytimes_view_migration
# Set expected key times:
published=$(key_get KEY1 PUBLISHED)
-set_keytime "KEY1" "ACTIVE" "${published}"
+set_keytime "KEY1" "ACTIVE" "${published}"
set_keytime "KEY1" "SYNCPUBLISH" "${published}"
# Lifetime: 1 year (8035200 seconds)
active=$(key_get KEY1 ACTIVE)
-set_addkeytime "KEY1" "RETIRED" "${active}" "31536000"
+set_addkeytime "KEY1" "RETIRED" "${active}" "31536000"
# Retire interval:
# DS TTL: 1d
# Parent zone propagation: 3h
@@ -1227,7 +1224,7 @@ retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "867900"
created=$(key_get KEY3 CREATED)
-set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "PUBLISHED" "${created}"
# Publication interval:
# DNSKEY TTL: 300s
# Publish safety: 1h
@@ -1262,7 +1259,7 @@ check_apex
dnssec_verify
# Check key tags, should be the same.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
[ $_migrate_ext8_ksk = $_migrate_int8_ksk ] || log_error "mismatch ksk tag"
@@ -1270,7 +1267,7 @@ ret=0
[ $_migrate_ext8_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_migrate_ext8_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-07 02:06:34 +0000