set_addkeytime "KEY2" "REMOVED" "${retired}" 695100
}
-#
-# Test dnssec-policy inheritance.
-#
-
-# These zones should be unsigned:
-# ns2/unsigned.tld
-# ns4/none.inherit.signed
-# ns4/none.override.signed
-# ns4/inherit.none.signed
-# ns4/none.none.signed
-# ns5/inherit.inherit.unsigned
-# ns5/none.inherit.unsigned
-# ns5/none.override.unsigned
-# ns5/inherit.none.unsigned
-# ns5/none.none.unsigned
-key_clear "KEY1"
-key_clear "KEY2"
-key_clear "KEY3"
-key_clear "KEY4"
-
-set_zone "unsigned.tld"
-set_policy "none" "0" "0"
-set_server "ns2" "10.53.0.2"
-TSIG=""
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-
-set_zone "none.inherit.signed"
-set_policy "none" "0" "0"
-set_server "ns4" "10.53.0.4"
-TSIG="hmac-sha1:sha1:$SHA1"
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-
-set_zone "none.override.signed"
-set_policy "none" "0" "0"
-set_server "ns4" "10.53.0.4"
-TSIG="hmac-sha224:sha224:$SHA224"
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-
-set_zone "inherit.none.signed"
-set_policy "none" "0" "0"
-set_server "ns4" "10.53.0.4"
-TSIG="hmac-sha256:sha256:$SHA256"
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-
-set_zone "none.none.signed"
-set_policy "none" "0" "0"
-set_server "ns4" "10.53.0.4"
-TSIG="hmac-sha256:sha256:$SHA256"
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-
-set_zone "inherit.inherit.unsigned"
-set_policy "none" "0" "0"
-set_server "ns5" "10.53.0.5"
-TSIG="hmac-sha1:sha1:$SHA1"
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-
-set_zone "none.inherit.unsigned"
-set_policy "none" "0" "0"
-set_server "ns5" "10.53.0.5"
-TSIG="hmac-sha1:sha1:$SHA1"
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-
-set_zone "none.override.unsigned"
-set_policy "none" "0" "0"
-set_server "ns5" "10.53.0.5"
-TSIG="hmac-sha224:sha224:$SHA224"
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-
-set_zone "inherit.none.unsigned"
-set_policy "none" "0" "0"
-set_server "ns5" "10.53.0.5"
-TSIG="hmac-sha256:sha256:$SHA256"
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-
-set_zone "none.none.unsigned"
-set_policy "none" "0" "0"
-set_server "ns5" "10.53.0.5"
-TSIG="hmac-sha256:sha256:$SHA256"
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-check_apex
-check_subdomain
-
-# These zones should be signed with the default policy:
-# ns2/signed.tld
-# ns4/override.inherit.signed
-# ns4/inherit.override.signed
-# ns5/override.inherit.signed
-# ns5/inherit.override.signed
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
-
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
-
-set_zone "signed.tld"
-set_policy "default" "1" "3600"
-set_server "ns2" "10.53.0.2"
-TSIG=""
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_csk_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-set_zone "override.inherit.signed"
-set_policy "default" "1" "3600"
-set_server "ns4" "10.53.0.4"
-TSIG="hmac-sha1:sha1:$SHA1"
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_csk_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-set_zone "inherit.override.signed"
-set_policy "default" "1" "3600"
-set_server "ns4" "10.53.0.4"
-TSIG="hmac-sha224:sha224:$SHA224"
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_csk_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-set_zone "override.inherit.unsigned"
-set_policy "default" "1" "3600"
-set_server "ns5" "10.53.0.5"
-TSIG="hmac-sha1:sha1:$SHA1"
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_csk_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-set_zone "inherit.override.unsigned"
-set_policy "default" "1" "3600"
-set_server "ns5" "10.53.0.5"
-TSIG="hmac-sha224:sha224:$SHA224"
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_csk_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# These zones should be signed with the test policy:
-# ns4/inherit.inherit.signed
-# ns4/override.override.signed
-# ns4/override.none.signed
-# ns5/override.override.unsigned
-# ns5/override.none.unsigned
-# ns4/example.net (both views)
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
-
-set_zone "inherit.inherit.signed"
-set_policy "test" "1" "3600"
-set_server "ns4" "10.53.0.4"
-TSIG="hmac-sha1:sha1:$SHA1"
-wait_for_nsec
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_csk_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-set_zone "override.override.signed"
-set_policy "test" "1" "3600"
-set_server "ns4" "10.53.0.4"
-TSIG="hmac-sha224:sha224:$SHA224"
-wait_for_nsec
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_csk_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-set_zone "override.none.signed"
-set_policy "test" "1" "3600"
-set_server "ns4" "10.53.0.4"
-TSIG="hmac-sha256:sha256:$SHA256"
-wait_for_nsec
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_csk_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-set_zone "override.override.unsigned"
-set_policy "test" "1" "3600"
-set_server "ns5" "10.53.0.5"
-TSIG="hmac-sha224:sha224:$SHA224"
-wait_for_nsec
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_csk_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-set_zone "override.none.unsigned"
-set_policy "test" "1" "3600"
-set_server "ns5" "10.53.0.5"
-TSIG="hmac-sha256:sha256:$SHA256"
-wait_for_nsec
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_csk_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Test with views.
-set_zone "example.net"
-set_server "ns4" "10.53.0.4"
-TSIG="$DEFAULT_HMAC:keyforview1:$VIEW1"
-wait_for_nsec
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example1"
-set_keytimes_csk_policy
-check_keytimes
-check_apex
-dnssec_verify
-# check zonestatus
-n=$((n + 1))
-echo_i "check $ZONE (view example1) zonestatus ($n)"
-ret=0
-check_isdynamic "$SERVER" "$ZONE" "example1" || log_error "zone not dynamic"
-check_inlinesigning "$SERVER" "$ZONE" "example1" && log_error "inline-signing enabled, expected disabled"
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-# check subdomain
-n=$((n + 1))
-echo_i "check TXT example.net (view example1) rrset is signed correctly ($n)"
-ret=0
-dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
-grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
-grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view1" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
-check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-TSIG="$DEFAULT_HMAC:keyforview2:$VIEW2"
-wait_for_nsec
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
-check_apex
-dnssec_verify
-# check zonestatus
-n=$((n + 1))
-echo_i "check $ZONE (view example2) zonestatus ($n)"
-ret=0
-check_isdynamic "$SERVER" "$ZONE" "example2" && log_error "zone dynamic, but not expected"
-check_inlinesigning "$SERVER" "$ZONE" "example2" || log_error "inline-signing disabled, expected enabled"
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-# check subdomain
-n=$((n + 1))
-echo_i "check TXT example.net (view example2) rrset is signed correctly ($n)"
-ret=0
-dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
-grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
-grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
-check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-TSIG="$DEFAULT_HMAC:keyforview3:$VIEW3"
-wait_for_nsec
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example3"
-check_apex
-dnssec_verify
-# check zonestatus
-n=$((n + 1))
-echo_i "check $ZONE (view example3) zonestatus ($n)"
-ret=0
-check_isdynamic "$SERVER" "$ZONE" "example3" && log_error "zone dynamic, but not expected"
-check_inlinesigning "$SERVER" "$ZONE" "example3" || log_error "inline-signing disabled, expected enabled"
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-# check subdomain
-n=$((n + 1))
-echo_i "check TXT example.net (view example3) rrset is signed correctly ($n)"
-ret=0
-dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
-grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
-grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
-check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status + ret))
-
-# Clear TSIG.
-TSIG=""
-
#
# Testing RFC 8901 Multi-Signer Model 2.
#
KeyProperties,
KeyTimingMetadata,
)
+from isctest.vars.algorithms import ECDSAP256SHA256, ECDSAP384SHA384
pytestmark = pytest.mark.extra_artifacts(
[
"P6M": int(timedelta(days=31 * 6).total_seconds()),
}
+KASP_INHERIT_TSIG_SECRET = {
+ "sha1": "FrSt77yPTFx6hTs4i2tKLB9LmE0=",
+ "sha224": "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==",
+ "sha256": "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=",
+ "view1": "YPfMoAk6h+3iN8MDRQC004iSNHY=",
+ "view2": "4xILSZQnuO1UKubXHkYUsvBRPu8=",
+ "view3": "C1Azf+gGPMmxrUg/WQINP6eV9Y0=",
+}
+
+
+def param(*args, **kwargs):
+ if "id" not in kwargs:
+ kwargs["id"] = args[0] # use first argument as test ID
+ return pytest.param(*args, **kwargs)
+
def autosign_properties(alg, size):
return [
callback(*arguments, params=params, ksks=ksks, zsks=zsks)
+@pytest.mark.parametrize(
+ "zone, server_id, tsig_kind",
+ [
+ param("unsigned.tld", "ns2", None),
+ param("none.inherit.signed", "ns4", "sha1"),
+ param("none.override.signed", "ns4", "sha224"),
+ param("inherit.none.signed", "ns4", "sha256"),
+ param("none.none.signed", "ns4", "sha256"),
+ param("inherit.inherit.unsigned", "ns5", "sha1"),
+ param("none.inherit.unsigned", "ns5", "sha1"),
+ param("none.override.unsigned", "ns5", "sha224"),
+ param("inherit.none.unsigned", "ns5", "sha256"),
+ param("none.none.unsigned", "ns5", "sha256"),
+ ],
+)
+def test_kasp_inherit_unsigned(zone, server_id, tsig_kind, servers):
+ server = servers[server_id]
+ tsig = (
+ f"hmac-{tsig_kind}:{tsig_kind}:{KASP_INHERIT_TSIG_SECRET[tsig_kind]}"
+ if tsig_kind
+ else None
+ )
+
+ keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
+ isctest.kasp.check_keys(zone, keys, [])
+ isctest.kasp.check_dnssecstatus(server, zone, [])
+ isctest.kasp.check_apex(server, zone, [], [], tsig=tsig)
+ isctest.kasp.check_subdomain(server, zone, [], [], tsig=tsig)
+
+
+@pytest.mark.parametrize(
+ "zone, policy, server_id, alg, tsig_kind",
+ [
+ param("signed.tld", "default", "ns2", ECDSAP256SHA256, None),
+ param("override.inherit.signed", "default", "ns4", ECDSAP256SHA256, "sha1"),
+ param("inherit.override.signed", "default", "ns4", ECDSAP256SHA256, "sha224"),
+ param("override.inherit.unsigned", "default", "ns5", ECDSAP256SHA256, "sha1"),
+ param("inherit.override.unsigned", "default", "ns5", ECDSAP256SHA256, "sha224"),
+ param("inherit.inherit.signed", "test", "ns4", ECDSAP384SHA384, "sha1"),
+ param("override.override.signed", "test", "ns4", ECDSAP384SHA384, "sha224"),
+ param("override.none.signed", "test", "ns4", ECDSAP384SHA384, "sha256"),
+ param("override.override.unsigned", "test", "ns5", ECDSAP384SHA384, "sha224"),
+ param("override.none.unsigned", "test", "ns5", ECDSAP384SHA384, "sha256"),
+ ],
+)
+def test_kasp_inherit_signed(zone, policy, server_id, alg, tsig_kind, servers):
+ server = servers[server_id]
+ tsig = (
+ f"hmac-{tsig_kind}:{tsig_kind}:{KASP_INHERIT_TSIG_SECRET[tsig_kind]}"
+ if tsig_kind
+ else None
+ )
+
+ key1 = KeyProperties.default()
+ key1.metadata["Algorithm"] = alg.number
+ key1.metadata["Length"] = alg.bits
+ keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
+
+ isctest.kasp.check_zone_is_signed(server, zone, tsig=tsig)
+ isctest.kasp.check_keys(zone, keys, [key1])
+ set_keytimes_default_policy(key1)
+ isctest.kasp.check_keytimes(keys, [key1])
+ check_all(server, zone, policy, keys, [], tsig=tsig)
+
+
+@pytest.mark.parametrize(
+ "number, dynamic, inline_signing, txt_rdata",
+ [
+ param("1", "yes", "no", "view1"),
+ param("2", "no", "yes", "view2"),
+ param("3", "no", "yes", "view2"),
+ ],
+)
+def test_kasp_inherit_view(number, dynamic, inline_signing, txt_rdata, servers):
+ zone = "example.net"
+ policy = "test"
+ server = servers["ns4"]
+ view = f"example{number}"
+ tsig = f"{os.environ['DEFAULT_HMAC']}:keyforview{number}:{KASP_INHERIT_TSIG_SECRET[f'view{number}']}"
+
+ key1 = KeyProperties.default()
+ key1.metadata["Algorithm"] = ECDSAP384SHA384.number
+ key1.metadata["Length"] = ECDSAP384SHA384.bits
+ keys = isctest.kasp.keydir_to_keylist(zone, server.identifier)
+
+ isctest.kasp.check_zone_is_signed(server, zone, tsig=tsig)
+ isctest.kasp.check_keys(zone, keys, [key1])
+ set_keytimes_default_policy(key1)
+ isctest.kasp.check_keytimes(keys, [key1])
+ isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy, view=view)
+ isctest.kasp.check_apex(server, zone, keys, [], tsig=tsig)
+ # check zonestatus
+ response = server.rndc(f"zonestatus {zone} in {view}", log=False)
+ assert f"dynamic: {dynamic}" in response
+ assert f"inline signing: {inline_signing}" in response
+ # check subdomain
+ fqdn = f"{zone}."
+ qname = f"view.{zone}."
+ qtype = dns.rdatatype.TXT
+ rdata = txt_rdata
+ query = dns.message.make_query(qname, qtype, use_edns=True, want_dnssec=True)
+ tsigkey = tsig.split(":")
+ keyring = dns.tsig.Key(tsigkey[1], tsigkey[2], tsigkey[0])
+ query.use_tsig(keyring)
+ try:
+ response = isctest.query.tcp(query, server.ip, server.ports.dns, timeout=3)
+ except dns.exception.Timeout:
+ isctest.log.debug(f"query timeout for query {qname} {qtype} to {server.ip}")
+ response = None
+ assert response.rcode() == dns.rcode.NOERROR
+ match = f'{qname} 300 IN TXT "{rdata}"'
+ rrsigs = []
+ for rrset in response.answer:
+ if rrset.match(
+ dns.name.from_text(qname), dns.rdataclass.IN, dns.rdatatype.RRSIG, qtype
+ ):
+ rrsigs.append(rrset)
+ else:
+ assert match in rrset.to_text()
+ assert len(rrsigs) > 0
+ isctest.kasp.check_signatures(rrsigs, qtype, fqdn, keys, [])
+
+
def test_kasp_default(servers):
server = servers["ns3"]
projects / thirdparty / bind9.git / commitdiff
