// NS6
+{% set csk_roll = csk_roll | default(False) %}
+{% set _csk_file = "csk1.conf" if not csk_roll else "csk2.conf" %}
+
include "kasp.conf";
-include "csk1.conf";
+include "@_csk_file@";
options {
query-source address 10.53.0.6;
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
- key-directory ".";
+ key-directory "."; // TODO if csk_roll?
dnssec-validation no;
};
};
/* Lifetime changes. */
+{% set _policy = "short-lifetime" if not csk_roll else "long-lifetime" %}
zone longer-lifetime {
type primary;
file "longer-lifetime.db";
- dnssec-policy short-lifetime;
+ dnssec-policy @_policy@;
};
+{% set _policy = "long-lifetime" if not csk_roll else "short-lifetime" %}
zone shorter-lifetime {
type primary;
file "shorter-lifetime.db";
- dnssec-policy long-lifetime;
+ dnssec-policy @_policy@;
};
+{% set _policy = "unlimited-lifetime" if not csk_roll else "short-lifetime" %}
zone limit-lifetime {
type primary;
file "limit-lifetime.db";
- dnssec-policy unlimited-lifetime;
+ dnssec-policy @_policy@;
};
+{% set _policy = "short-lifetime" if not csk_roll else "unlimited-lifetime" %}
zone unlimit-lifetime {
type primary;
file "unlimit-lifetime.db";
- dnssec-policy short-lifetime;
+ dnssec-policy @_policy@;
};
-/* These zones are going insecure. */
+/* Zones for testing going insecure. */
+{% set _policy = "unsigning" if not csk_roll else "insecure" %}
zone "step1.going-insecure.kasp" {
type primary;
file "step1.going-insecure.kasp.db";
- dnssec-policy "unsigning";
+ dnssec-policy @_policy@;
+};
+
+{% if csk_roll %} // TODO maybe omit?
+zone "step2.going-insecure.kasp" {
+ type primary;
+ file "step2.going-insecure.kasp.db";
+ dnssec-policy "insecure";
};
+{% endif %}
+{% set _policy = "unsigning" if not csk_roll else "insecure" %}
zone "step1.going-insecure-dynamic.kasp" {
type primary;
file "step1.going-insecure-dynamic.kasp.db";
- dnssec-policy "unsigning";
+ dnssec-policy @_policy@;
+ inline-signing no;
+ allow-update { any; };
+};
+
+{% if csk_roll %} // TODO maybe omit?
+zone "step2.going-insecure-dynamic.kasp" {
+ type primary;
+ file "step2.going-insecure-dynamic.kasp.db";
+ dnssec-policy insecure;
inline-signing no;
allow-update { any; };
};
+{% endif %}
+{% set _policy = "default" if not csk_roll else "none" %}
zone "step1.going-straight-to-none.kasp" {
type primary;
file "step1.going-straight-to-none.kasp.db";
- dnssec-policy "default";
+ dnssec-policy @_policy@;
};
+{% set _policy = "default" if not csk_roll else "none" %}
zone "step1.going-straight-to-none-dynamic.kasp" {
type primary;
file "step1.going-straight-to-none-dynamic.kasp.db.signed";
inline-signing no;
- dnssec-policy "default";
+ dnssec-policy @_policy@;
allow-update { any; };
};
-/* These are alorithm rollover test zones. */
+/* Zones for testing KSK/ZSK algorithm roll. */
+{% set _policy = "rsasha256" if not csk_roll else "ecdsa256" %}
zone "step1.algorithm-roll.kasp" {
type primary;
file "step1.algorithm-roll.kasp.db";
- dnssec-policy "rsasha256";
+ dnssec-policy @_policy@;
+};
+
+{% if csk_roll %}
+zone "step2.algorithm-roll.kasp" {
+ type primary;
+ file "step2.algorithm-roll.kasp.db";
+ dnssec-policy "ecdsa256";
+};
+
+zone "step3.algorithm-roll.kasp" {
+ type primary;
+ file "step3.algorithm-roll.kasp.db";
+ dnssec-policy "ecdsa256";
+};
+
+zone "step4.algorithm-roll.kasp" {
+ type primary;
+ file "step4.algorithm-roll.kasp.db";
+ dnssec-policy "ecdsa256";
+};
+
+zone "step5.algorithm-roll.kasp" {
+ type primary;
+ file "step5.algorithm-roll.kasp.db";
+ dnssec-policy "ecdsa256";
};
+zone "step6.algorithm-roll.kasp" {
+ type primary;
+ file "step6.algorithm-roll.kasp.db";
+ dnssec-policy "ecdsa256";
+};
+{% endif %}
+
zone "step1.csk-algorithm-roll.kasp" {
type primary;
file "step1.csk-algorithm-roll.kasp.db";
dnssec-policy "csk-algoroll";
};
+
+{% if csk_roll %}
+zone "step2.csk-algorithm-roll.kasp" {
+ type primary;
+ file "step2.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
+
+zone "step3.csk-algorithm-roll.kasp" {
+ type primary;
+ file "step3.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
+
+zone "step4.csk-algorithm-roll.kasp" {
+ type primary;
+ file "step4.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
+
+zone "step5.csk-algorithm-roll.kasp" {
+ type primary;
+ file "step5.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
+
+zone "step6.csk-algorithm-roll.kasp" {
+ type primary;
+ file "step6.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
+{% endif %}
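Review bot: Three `// TODO` markers are left in the template and end up in every rendered config (`key-directory "."; // TODO if csk_roll?` in the options block, and `{% if csk_roll %} // TODO maybe omit?` before each of the two step2 going-insecure zones), so the open questions ship with the test fixture. The deleted ns6/named2.conf.in carried both step2 zones and set no key-directory at all, so the step2 blocks appear to be needed exactly as written and those two TODOs can go; if `"."` is the same directory named uses by default (it appears to be, but confirm against the original named.conf), the options line can simply read `key-directory ".";` with the comment dropped or replaced by `// unchanged across the csk_roll reconfig`. Two smaller consistency points: the policy is quoted as `dnssec-policy "insecure";` in step2.going-insecure.kasp but unquoted as `dnssec-policy insecure;` in step2.going-insecure-dynamic.kasp, and step6.algorithm-roll.kasp is the only zone not separated from the previous one by a blank line.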
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-// NS6
-
-include "kasp.conf";
-include "csk2.conf";
-
-options {
- query-source address 10.53.0.6;
- notify-source 10.53.0.6;
- transfer-source 10.53.0.6;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.6; };
- listen-on-v6 { none; };
- allow-transfer { any; };
- recursion no;
- dnssec-validation no;
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm @DEFAULT_HMAC@;
-};
-
-controls {
- inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-zone "." {
- type hint;
- file "../../_common/root.hint.blackhole";
-};
-
-/* This zone switch from dynamic to inline-signing. */
-zone "dynamic2inline.kasp" {
- type primary;
- file "dynamic2inline.kasp.db";
- allow-update { any; };
- dnssec-policy "default";
-};
-
-/* Lifetime changes. */
-zone longer-lifetime {
- type primary;
- file "longer-lifetime.db";
- dnssec-policy long-lifetime;
-};
-
-zone shorter-lifetime {
- type primary;
- file "shorter-lifetime.db";
- dnssec-policy short-lifetime;
-};
-
-zone limit-lifetime {
- type primary;
- file "limit-lifetime.db";
- dnssec-policy short-lifetime;
-};
-
-zone unlimit-lifetime {
- type primary;
- file "unlimit-lifetime.db";
- dnssec-policy unlimited-lifetime;
-};
-
-/* Zones for testing going insecure. */
-zone "step1.going-insecure.kasp" {
- type primary;
- file "step1.going-insecure.kasp.db";
- dnssec-policy "insecure";
-};
-
-zone "step2.going-insecure.kasp" {
- type primary;
- file "step2.going-insecure.kasp.db";
- dnssec-policy "insecure";
-};
-
-zone "step1.going-insecure-dynamic.kasp" {
- type primary;
- file "step1.going-insecure-dynamic.kasp.db";
- inline-signing no;
- dnssec-policy "insecure";
- allow-update { any; };
-};
-
-zone "step2.going-insecure-dynamic.kasp" {
- type primary;
- file "step2.going-insecure-dynamic.kasp.db";
- inline-signing no;
- dnssec-policy "insecure";
- allow-update { any; };
-};
-
-zone "step1.going-straight-to-none.kasp" {
- type primary;
- file "step1.going-straight-to-none.kasp.db";
- dnssec-policy "none";
-};
-
-zone "step1.going-straight-to-none-dynamic.kasp" {
- type primary;
- file "step1.going-straight-to-none-dynamic.kasp.db.signed";
- inline-signing no;
- dnssec-policy "none";
- allow-update { any; };
-};
-
-/*
- * Zones for testing KSK/ZSK algorithm roll.
- */
-zone "step1.algorithm-roll.kasp" {
- type primary;
- file "step1.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
-};
-
-zone "step2.algorithm-roll.kasp" {
- type primary;
- file "step2.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
-};
-
-zone "step3.algorithm-roll.kasp" {
- type primary;
- file "step3.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
-};
-
-zone "step4.algorithm-roll.kasp" {
- type primary;
- file "step4.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
-};
-
-zone "step5.algorithm-roll.kasp" {
- type primary;
- file "step5.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
-};
-
-zone "step6.algorithm-roll.kasp" {
- type primary;
- file "step6.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
-};
-
-/*
- * Zones for testing CSK algorithm roll.
- */
-zone "step1.csk-algorithm-roll.kasp" {
- type primary;
- file "step1.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
-};
-
-zone "step2.csk-algorithm-roll.kasp" {
- type primary;
- file "step2.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
-};
-
-zone "step3.csk-algorithm-roll.kasp" {
- type primary;
- file "step3.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
-};
-
-zone "step4.csk-algorithm-roll.kasp" {
- type primary;
- file "step4.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
-};
-
-zone "step5.csk-algorithm-roll.kasp" {
- type primary;
- file "step5.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
-};
-
-zone "step6.csk-algorithm-roll.kasp" {
- type primary;
- file "step6.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
-};
# information regarding copyright ownership.
import os
-import shutil
from datetime import timedelta
check_rollover_step(server, config, policy, step)
-def test_rollover_policy_changes(servers):
+def test_rollover_policy_changes(servers, templates):
server = servers["ns6"]
cdss = ["CDNSKEY", "CDS (SHA-256)"]
alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
# Reconfigure, changing DNSSEC policies and other configuration options,
# triggering algorithm rollovers and other dnssec-policy changes.
- shutil.copyfile("ns6/named2.conf", "ns6/named.conf")
+ templates.render("ns6/named.conf", {"csk_roll": True})
server.rndc("reconfig")
# Calculate time passed to correctly check for next key events.
now = KeyTimingMetadata.now()
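Review bot: The comment above the render call still reads as if a second prepared file were being copied in and no longer says where the changed policies come from; suggest `# Re-render ns6/named.conf with csk_roll=True: the template then includes csk2.conf and selects the post-change dnssec-policy for every zone.` so the coupling to the template flag is visible from the test. Whether templates.render raises on a render failure is not visible here; if it returns silently, the following `server.rndc("reconfig")` would reload the unchanged file and the later key-event checks would fail for a misleading reason, so confirm the helper's failure mode. test_rollover_policy_changes continues past the end of the hunk.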