// NSEC will be used;
};
+dnssec-policy "nsec-altalg" {
+ keys {
+ csk lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
+ };
+};
+
dnssec-policy "nsec3" {
nsec3param;
};
dnssec-policy "nsec3-other" {
nsec3param iterations 0 optout yes salt-length 8;
};
-
{% set reconfiged = reconfiged | default(False) %}
{% set nsec_to_nsec3 = "nsec" if not reconfiged else "nsec3" %}
{% set nsec3_to_nsec = "nsec3" if not reconfiged else "nsec" %}
+{% set nsec3_to_nsec_altalg = "nsec3" if not reconfiged else "nsec-altalg" %}
{% set nsec3_change = "nsec3" if not reconfiged else "nsec3-other" %}
{% set nsec3_from_optout = "optout" if not reconfiged else "nsec3" %}
{% set nsec3_to_optout = "nsec3" if not reconfiged else "optout" %}
};
{% endif %}{# nsec3-to-nsec.kasp #}
+{% if "nsec3-to-nsec-altalg.kasp" in zones %}
+/*
+ * The zone starts with NSEC3, but will be reconfigured to use NSEC while
+ * rolling to the alternative DNSSEC algorithm.
+ */
+zone "nsec3-to-nsec-altalg.kasp" {
+ type primary;
+ file "nsec3-to-nsec-altalg.kasp.db";
+ dnssec-policy "@nsec3_to_nsec_altalg@";
+};
+{% endif %}{# nsec3-to-nsec-altalg.kasp #}
+
{% if "nsec3-fails-to-load.kasp" in zones %}
/*
* The zone fails to load, this should not prevent shutdown.
setup "${zn}.kasp"
done
-if [ $RSASHA1_SUPPORTED = 1 ]; then
- longago="now-1y"
- keytimes="-P ${longago} -A ${longago} -P sync ${longago}"
- O="omnipresent"
+longago="now-1y"
+keytimes="-P ${longago} -A ${longago} -P sync ${longago}"
+O="omnipresent"
+
+setup "nsec3-to-nsec-altalg.kasp"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone)
+$SETTIME -s -g $O -k $O $longago -r $O $longago -z $O $longago -d $O $longago "$CSK" >settime.out.$zone 2>&1
+cat $CSK.key >>$zonefile
+if [ $RSASHA1_SUPPORTED = 1 ]; then
for zn in nsec3-to-rsasha1 nsec3-to-rsasha1-ds; do
setup "${zn}.kasp"
CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone)
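Review bot: L51 captures the generated key name without checking `$KEYGEN`'s exit status, and its stderr is redirected to `keygen.out.$zone`, so on a failure `CSK` is empty and L52–L53 go on to run `$SETTIME` on an empty name and append a nonexistent `.key` file, leaving the zone unsigned until the Python side reports it much later. Unless setup.sh runs under `set -e` (its header is outside this hunk), guard the capture, e.g. `CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone) || { cat keygen.out.$zone >&2; exit 1; }`. L51 is also byte-identical to the loop body line at L57, so a small helper taking the zone name would keep the two recipes in step if the settime flags ever change.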
"nsec3-dynamic-to-inline.kasp",
"nsec3-inline-to-dynamic.kasp",
"nsec3-to-nsec.kasp",
+ "nsec3-to-nsec-altalg.kasp",
"nsec3-to-optout.kasp",
"nsec3-from-optout.kasp",
"nsec3-other.kasp",
},
id="nsec3-to-nsec.kasp",
),
+ pytest.param(
+ {
+ "zone": "nsec3-to-nsec-altalg.kasp",
+ "policy": "nsec3",
+ "key-properties": [
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
+ ],
+ },
+ id="nsec3-to-nsec-altalg.kasp",
+ ),
pytest.param(
{
"zone": "nsec3-to-optout.kasp",
# include the following zones when rendering named configs
ZONES = {
"nsec3-to-nsec.kasp",
+ "nsec3-to-nsec-altalg.kasp",
"nsec-to-nsec3.kasp",
"nsec3.kasp",
"nsec3-dynamic.kasp",
)
+def _algorithm_from_env(prefix):
+ return Algorithm(
+ os.environ[f"{prefix}_ALGORITHM"],
+ int(os.environ[f"{prefix}_ALGORITHM_NUMBER"]),
+ int(os.environ[f"{prefix}_ALGORITHM_DST_NUMBER"]),
+ int(os.environ[f"{prefix}_BITS"]),
+ )
+
+
+ALTERNATIVE = _algorithm_from_env("ALTERNATIVE")
+
+
def bootstrap():
return {
"zones": ZONES,
zone = "rsasha1-to-nsec3-wait.kasp"
isctest.kasp.check_dnssec_verify(ns3, zone)
+ # Ensure the old NSEC3 chain and default-algorithm signatures are fully
+ # established before the NSEC plus algorithm rollover begins.
+ isctest.kasp.check_dnssec_verify(ns3, "nsec3-to-nsec-altalg.kasp")
+
# Reconfigure.
data = {
"reconfiged": True,
},
id="nsec3-to-nsec.kasp",
),
+ pytest.param(
+ {
+ "zone": "nsec3-to-nsec-altalg.kasp",
+ "policy": "nsec-altalg",
+ "key-properties": [
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
+ f"csk 0 {ALTERNATIVE.number} {ALTERNATIVE.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ ],
+ },
+ id="nsec3-to-nsec-altalg.kasp",
+ marks=isctest.mark.with_algorithm(ALTERNATIVE.name),
+ ),
],
)
def test_nsec_case(ns3, params):
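Review bot: The two expected-state strings at L121–L122 encode the entire rollover phase (old default-algorithm CSK with goal:hidden but still omnipresent everywhere; new ALTERNATIVE CSK with goal:omnipresent, DNSKEY/RRSIGs rumoured and DS hidden) without a comment, unlike the `check_dnssec_verify` call at L106–L108 which explains itself. A one-line comment above L120, `# right after reconfig: the old CSK is retiring but still fully published; the new CSK is being introduced and its DS is still hidden`, would tell a reader why both keys are expected at once. The enclosing parametrize list starts before L113 and `test_nsec_case` at L130 continues outside the hunk.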