set_addkeytime "KEY3" "REMOVED" "${retired}" 867900
}
-#
-# Zone: rsasha1.kasp.
-#
-if [ $RSASHA1_SUPPORTED = 1 ]; then
- set_zone "rsasha1.kasp"
- set_policy "rsasha1" "3" "1234"
- set_server "ns3" "10.53.0.3"
- # Key properties.
- key_clear "KEY1"
- set_keyrole "KEY1" "ksk"
- set_keylifetime "KEY1" "315360000"
- set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
- set_keysigning "KEY1" "yes"
- set_zonesigning "KEY1" "no"
-
- key_clear "KEY2"
- set_keyrole "KEY2" "zsk"
- set_keylifetime "KEY2" "157680000"
- set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
- set_keysigning "KEY2" "no"
- set_zonesigning "KEY2" "yes"
-
- key_clear "KEY3"
- set_keyrole "KEY3" "zsk"
- set_keylifetime "KEY3" "31536000"
- set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
- set_keysigning "KEY3" "no"
- set_zonesigning "KEY3" "yes"
-
- # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
- # ZSK: DNSKEY, RRSIG (zsk) published.
- set_keystate "KEY1" "GOAL" "omnipresent"
- set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
- set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
- set_keystate "KEY1" "STATE_DS" "hidden"
-
- set_keystate "KEY2" "GOAL" "omnipresent"
- set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
- set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-
- set_keystate "KEY3" "GOAL" "omnipresent"
- set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
- set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
- # Three keys only.
- key_clear "KEY4"
-
- check_keys
- check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
- set_keytimes_algorithm_policy
- check_keytimes
- check_apex
- check_subdomain
- dnssec_verify
-fi
-
-#
-# Zone: unlimited.kasp.
-#
-set_zone "unlimited.kasp"
-set_policy "unlimited" "1" "1234"
-set_server "ns3" "10.53.0.3"
-key_clear "KEY1"
-key_clear "KEY2"
-key_clear "KEY3"
-key_clear "KEY4"
-# Key properties.
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
-# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_csk_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
#
# Zone: keystore.kasp.
#
check_subdomain
dnssec_verify
-#
-# Zone: inherit.kasp.
-#
-set_zone "inherit.kasp"
-set_policy "rsasha256" "3" "1234"
-set_server "ns3" "10.53.0.3"
-
-# Key properties.
+# Key properties for tests below.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "315360000"
# Three keys only.
key_clear "KEY4"
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_algorithm_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-#
-# Zone: dnssec-keygen.kasp.
-#
-set_zone "dnssec-keygen.kasp"
-set_policy "rsasha256" "3" "1234"
-set_server "ns3" "10.53.0.3"
-# Key properties, timings and states same as above.
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_algorithm_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
#
# Zone: some-keys.kasp.
#
# - configuring a zone with too many active keys (should trigger retire).
# - configuring a zone with keys not matching the policy.
-#
-# Zone: rsasha1-nsec3.kasp.
-#
-if [ $RSASHA1_SUPPORTED = 1 ]; then
- set_zone "rsasha1-nsec3.kasp"
- set_policy "rsasha1-nsec3" "3" "1234"
- set_server "ns3" "10.53.0.3"
- # Key properties.
- set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
- set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048"
- set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000"
- # Key timings and states same as above.
-
- check_keys
- check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
- set_keytimes_algorithm_policy
- check_keytimes
- check_apex
- check_subdomain
- dnssec_verify
-fi
-
-#
-# Zone: rsasha256.kasp.
-#
-set_zone "rsasha256.kasp"
-set_policy "rsasha256" "3" "1234"
-set_server "ns3" "10.53.0.3"
-# Key properties.
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
-# Key timings and states same as above.
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_algorithm_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-#
-# Zone: rsasha512.kasp.
-#
-set_zone "rsasha512.kasp"
-set_policy "rsasha512" "3" "1234"
-set_server "ns3" "10.53.0.3"
-# Key properties.
-set_keyalgorithm "KEY1" "10" "RSASHA512" "2048"
-set_keyalgorithm "KEY2" "10" "RSASHA512" "2048"
-set_keyalgorithm "KEY3" "10" "RSASHA512" "3072"
-# Key timings and states same as above.
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_algorithm_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-#
-# Zone: ecdsa256.kasp.
-#
-set_zone "ecdsa256.kasp"
-set_policy "ecdsa256" "3" "1234"
-set_server "ns3" "10.53.0.3"
-# Key properties.
-set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
-set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
-# Key timings and states same as above.
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_algorithm_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-#
-# Zone: ecdsa512.kasp.
-#
-set_zone "ecdsa384.kasp"
-set_policy "ecdsa384" "3" "1234"
-set_server "ns3" "10.53.0.3"
-# Key properties.
-set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
-set_keyalgorithm "KEY2" "14" "ECDSAP384SHA384" "384"
-set_keyalgorithm "KEY3" "14" "ECDSAP384SHA384" "384"
-# Key timings and states same as above.
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_algorithm_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-#
-# Zone: ed25519.kasp.
-#
-if [ $ED25519_SUPPORTED = 1 ]; then
- set_zone "ed25519.kasp"
- set_policy "ed25519" "3" "1234"
- set_server "ns3" "10.53.0.3"
- # Key properties.
- set_keyalgorithm "KEY1" "15" "ED25519" "256"
- set_keyalgorithm "KEY2" "15" "ED25519" "256"
- set_keyalgorithm "KEY3" "15" "ED25519" "256"
- # Key timings and states same as above.
-
- check_keys
- check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
- set_keytimes_algorithm_policy
- check_keytimes
- check_apex
- check_subdomain
- dnssec_verify
-fi
-
-#
-# Zone: ed448.kasp.
-#
-if [ $ED448_SUPPORTED = 1 ]; then
- set_zone "ed448.kasp"
- set_policy "ed448" "3" "1234"
- set_server "ns3" "10.53.0.3"
- # Key properties.
- set_keyalgorithm "KEY1" "16" "ED448" "456"
- set_keyalgorithm "KEY2" "16" "ED448" "456"
- set_keyalgorithm "KEY3" "16" "ED448" "456"
- # Key timings and states same as above.
-
- check_keys
- check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
- set_keytimes_algorithm_policy
- check_keytimes
- check_apex
- check_subdomain
- dnssec_verify
-fi
-
# Set key times for 'autosign' policy.
set_keytimes_autosign_policy() {
# The KSK was published six months ago (with settime).
check_rrsig_refresh
-#
-# Zone: dnskey-ttl-mismatch.autosign
-#
-set_zone "dnskey-ttl-mismatch.autosign"
-set_policy "autosign" "2" "300"
-set_server "ns3" "10.53.0.3"
-# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "63072000"
-set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
-
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "31536000"
-set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
-
-# Both KSK and ZSK stay OMNIPRESENT.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
-
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
-# Expect only two keys.
-key_clear "KEY3"
-key_clear "KEY4"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_autosign_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
#
# Zone: fresh-sigs.autosign.
#
isctest.kasp.check_dnssecstatus(server, zone, ksks + zsks, policy=policy)
isctest.kasp.check_apex(server, zone, ksks, zsks, tsig=tsig)
isctest.kasp.check_subdomain(server, zone, ksks, zsks, tsig=tsig)
- isctest.kasp.check_dnssec_verify(server, zone)
+ isctest.kasp.check_dnssec_verify(server, zone, tsig=tsig)
def set_keytimes_default_policy(kp):
kp.timing["ZRRSIGChange"] = kp.timing["Active"]
+def test_kasp_cases(servers):
+ # Test many different configurations and expected keys and states after
+ # initial startup.
+ server = servers["ns3"]
+ keydir = server.identifier
+ alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
+ size = os.environ["DEFAULT_BITS"]
+
+ kasp_config = {
+ "dnskey-ttl": timedelta(seconds=1234),
+ "ds-ttl": timedelta(days=1),
+ "key-directory": keydir,
+ "max-zone-ttl": timedelta(days=1),
+ "parent-propagation-delay": timedelta(hours=1),
+ "publish-safety": timedelta(hours=1),
+ "retire-safety": timedelta(hours=1),
+ "signatures-refresh": timedelta(days=5),
+ "signatures-validity": timedelta(days=14),
+ "zone-propagation-delay": timedelta(minutes=5),
+ }
+
+ autosign_config = {
+ "dnskey-ttl": timedelta(seconds=300),
+ "ds-ttl": timedelta(days=1),
+ "key-directory": keydir,
+ "max-zone-ttl": timedelta(days=1),
+ "parent-propagation-delay": timedelta(hours=1),
+ "publish-safety": timedelta(hours=1),
+ "retire-safety": timedelta(hours=1),
+ "signatures-refresh": timedelta(days=7),
+ "signatures-validity": timedelta(days=14),
+ "zone-propagation-delay": timedelta(minutes=5),
+ }
+
+ lifetime = {
+ "P10Y": int(timedelta(days=10 * 365).total_seconds()),
+ "P5Y": int(timedelta(days=5 * 365).total_seconds()),
+ "P2Y": int(timedelta(days=2 * 365).total_seconds()),
+ "P1Y": int(timedelta(days=365).total_seconds()),
+ "P30D": int(timedelta(days=30).total_seconds()),
+ "P6M": int(timedelta(days=31 * 6).total_seconds()),
+ }
+
+ autosign_properties = [
+ f"ksk {lifetime['P2Y']} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
+ f"zsk {lifetime['P1Y']} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
+ ]
+
+ def rsa1_properties(alg):
+ return [
+ f"ksk {lifetime['P10Y']} {alg} 2048 goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
+ f"zsk {lifetime['P5Y']} {alg} 2048 goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+ f"zsk {lifetime['P1Y']} {alg} 2000 goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+ ]
+
+ def fips_properties(alg, bits=None):
+ sizes = [2048, 2048, 3072]
+ if bits is not None:
+ sizes = [bits, bits, bits]
+
+ return [
+ f"ksk {lifetime['P10Y']} {alg} {sizes[0]} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
+ f"zsk {lifetime['P5Y']} {alg} {sizes[1]} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+ f"zsk {lifetime['P1Y']} {alg} {sizes[2]} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+ ]
+
+ # Test case function.
+ def test_case():
+ zone = test["zone"]
+ policy = test["policy"]
+ ttl = int(test["config"]["dnskey-ttl"].total_seconds())
+
+ isctest.log.info(f"check test case zone {zone} policy {policy}")
+
+ # Key properties.
+ expected = isctest.kasp.policy_to_properties(
+ ttl=ttl, keys=test["key-properties"]
+ )
+ # Key files.
+ keys = isctest.kasp.keydir_to_keylist(zone, test["config"]["key-directory"])
+ ksks = [k for k in keys if k.is_ksk()]
+ zsks = [k for k in keys if not k.is_ksk()]
+
+ isctest.kasp.check_zone_is_signed(server, zone)
+ isctest.kasp.check_keys(zone, keys, expected)
+
+ offset = test["offset"] if "offset" in test else None
+
+ for kp in expected:
+ kp.set_expected_keytimes(test["config"], offset=offset)
+
+ isctest.kasp.check_keytimes(keys, expected)
+
+ check_all(server, zone, policy, ksks, zsks)
+
+ # Test cases.
+ rsa_cases = []
+ if os.environ["RSASHA1_SUPPORTED"] == 1:
+ rsa_cases = [
+ {
+ "zone": "rsasha1.kasp",
+ "policy": "rsasha1",
+ "config": kasp_config,
+ "key-properties": rsa1_properties(5),
+ },
+ {
+ "zone": "rsasha1-nsec3.kasp",
+ "policy": "rsasha1",
+ "config": kasp_config,
+ "key-properties": rsa1_properties(7),
+ },
+ ]
+
+ fips_cases = [
+ {
+ "zone": "dnskey-ttl-mismatch.autosign",
+ "policy": "autosign",
+ "config": autosign_config,
+ "offset": -timedelta(days=30 * 6),
+ "key-properties": autosign_properties,
+ },
+ {
+ "zone": "dnssec-keygen.kasp",
+ "policy": "rsasha256",
+ "config": kasp_config,
+ "key-properties": fips_properties(8),
+ },
+ {
+ "zone": "ecdsa256.kasp",
+ "policy": "ecdsa256",
+ "config": kasp_config,
+ "key-properties": fips_properties(13, bits=256),
+ },
+ {
+ "zone": "ecdsa384.kasp",
+ "policy": "ecdsa384",
+ "config": kasp_config,
+ "key-properties": fips_properties(14, bits=384),
+ },
+ {
+ "zone": "inherit.kasp",
+ "policy": "rsasha256",
+ "config": kasp_config,
+ "key-properties": fips_properties(8),
+ },
+ {
+ "zone": "rsasha256.kasp",
+ "policy": "rsasha256",
+ "config": kasp_config,
+ "key-properties": fips_properties(8),
+ },
+ {
+ "zone": "rsasha512.kasp",
+ "policy": "rsasha512",
+ "config": kasp_config,
+ "key-properties": fips_properties(10),
+ },
+ {
+ "zone": "unlimited.kasp",
+ "policy": "unlimited",
+ "config": kasp_config,
+ "key-properties": [
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ ],
+ },
+ ]
+
+ if os.environ["ED25519_SUPPORTED"] == 1:
+ fips_cases.append(
+ {
+ "zone": "ed25519.kasp",
+ "policy": "ed25519",
+ "config": kasp_config,
+ "key-properties": fips_properties(15, bits=256),
+ }
+ )
+
+ if os.environ["ED448_SUPPORTED"] == 1:
+ fips_cases.append(
+ {
+ "zone": "ed448.kasp",
+ "policy": "ed448",
+ "config": kasp_config,
+ "key-properties": fips_properties(16, bits=456),
+ }
+ )
+
+ test_cases = rsa_cases + fips_cases
+ for test in test_cases:
+ test_case()
+
+
def test_kasp_default(servers):
server = servers["ns3"]
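Review bot: The three guards `if os.environ["RSASHA1_SUPPORTED"] == 1:`, `if os.environ["ED25519_SUPPORTED"] == 1:` and `if os.environ["ED448_SUPPORTED"] == 1:` in test_kasp_cases compare an environment value to the integer 1, but `os.environ` values are always strings, so each condition is always False and the rsasha1.kasp, rsasha1-nsec3.kasp, ed25519.kasp and ed448.kasp zones are silently never checked, whereas the removed shell code (`[ $RSASHA1_SUPPORTED = 1 ]`) did run them. Compare against the string instead: `if os.environ["RSASHA1_SUPPORTED"] == "1":`, and likewise `== "1"` for the ED25519 and ED448 guards, so the algorithm-specific key states and sizes actually get verified. Separately, the rsasha1-nsec3.kasp case is given `"policy": "rsasha1"` while the removed shell case used `set_policy "rsasha1-nsec3"`; if the named.conf policy is still called rsasha1-nsec3, check_dnssecstatus will be comparing against the wrong policy name once the guard is fixed and the case runs — worth confirming. test_case() also reads `test` as a free variable bound by the `for test in test_cases` loop; passing it as a parameter (`def test_case(test):` / `test_case(test)`) would make that dependency explicit.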