# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
+from datetime import datetime, timedelta, timezone
from functools import total_ordering
import glob
import os
import time
from typing import Dict, List, Optional, Tuple, Union
-from datetime import datetime, timedelta, timezone
-
import dns
import dns.tsig
+
+from isctest.instance import NamedInstance
import isctest.log
import isctest.query
import isctest.util
proplist.append(keyprop)
return proplist
+
+
+def wait_keymgr_done(server: NamedInstance, zone: str, reconfig: bool = False) -> None:
+ """
+ Block and wait until the keymgr is done processing zone.
+ """
+ messages = []
+ if reconfig:
+ messages.append("received control channel command 'reconfig'")
+ messages.append("apply_configuration")
+ messages.append(f"keymgr: {zone} done")
+ with server.watch_log_from_start() as watcher:
+ watcher.wait_for_sequence(messages)
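Review bot: The docstring on `wait_keymgr_done` does not say what the wait actually observes: the watcher is opened with `watch_log_from_start()`, so matching runs over the whole log and the first `keymgr: {zone} done` line (preceded, when `reconfig` is set, by the first `received control channel command 'reconfig'` and `apply_configuration` lines) satisfies it, which matters whenever a zone has been processed more than once. Expand the docstring to state that `zone` must be spelled exactly as named prints it in that log line, that `reconfig=True` requires the three lines in that order, and that the scan starts at the beginning of the log rather than at the call. The three `append` calls can also collapse into a literal, e.g. `messages = ["received control channel command 'reconfig'", "apply_configuration"] if reconfig else []` followed by `messages.append(f"keymgr: {zone} done")`.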
zone = params["zone"]
policy = params["policy"]
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
params["config"]["key-directory"] = params["config"]["key-directory"].replace(
"{keydir}", keydir
)
else None
)
+ isctest.kasp.wait_keymgr_done(server, zone)
+
key1 = KeyProperties.default()
key1.metadata["Algorithm"] = alg.number
key1.metadata["Length"] = alg.bits
view = f"example{number}"
tsig = f"{os.environ['DEFAULT_HMAC']}:keyforview{number}:{KASP_INHERIT_TSIG_SECRET[f'view{number}']}"
+ isctest.kasp.wait_keymgr_done(ns4, zone)
+
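Review bot: On a multi-view server the `keymgr: {zone} done` pattern behind `wait_keymgr_done(ns4, zone)` does not distinguish which view's copy of the zone finished, so if the same zone name is served in `example1`, `example2`, … (as `view = f"example{number}"` suggests) the wait is satisfied by whichever view's keymgr run is logged first. I cannot tell from the hunk whether named qualifies the zone with its view in that line; if it does, the helper should take an optional view and match the qualified name, and the later `wait_keymgr_done(ns4, zone)` before the `tsig1`/`tsig2` verify calls needs the same treatment. The enclosing function starts outside the hunk.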
key1 = KeyProperties.default()
key1.metadata["Algorithm"] = ECDSAP384SHA384.number
key1.metadata["Length"] = ECDSAP384SHA384.bits
zone = "default.kasp"
policy = "default"
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
# Key properties.
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
keyprops = [
# A zone that uses inline-signing.
isctest.log.info("check an inline-signed zone with the default policy is signed")
zone = "inline-signing.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
# Key properties.
key1 = KeyProperties.default()
keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
isctest.log.info("check dynamic zone is updated and signed after update")
zone = "dynamic.kasp"
policy = "default"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
# Key properties.
key1 = KeyProperties.default()
expected = [key1]
# Dynamic, and inline-signing.
zone = "dynamic-inline-signing.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
# Key properties.
key1 = KeyProperties.default()
expected = [key1]
# Dynamic, signed, and inline-signing.
isctest.log.info("check dynamic signed, and inline-signed zone")
zone = "dynamic-signed-inline-signing.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
# Key properties.
key1 = KeyProperties.default()
# The ns3/setup.sh script sets all states to omnipresent.
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
]
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
expected = isctest.kasp.policy_to_properties(ttl=303, keys=policy_keys)
keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
ksks = [k for k in keys if k.is_ksk()]
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
]
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
expected = isctest.kasp.policy_to_properties(ttl=303, keys=policy_keys)
keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
ksks = [k for k in keys if k.is_ksk()]
policy_keys = [
f"csk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
]
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
expected = isctest.kasp.policy_to_properties(ttl=303, keys=policy_keys)
keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
isctest.kasp.check_dnssec_verify(ns3, zone)
# A zone with special characters.
isctest.log.info("check special characters")
- zone = r'i-am.":\;?&[]\@!\$*+,|=\.\(\)special.kasp'
+ zone = r"i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
# It is non-trivial to adapt the tests to deal with all possible different
# escaping characters, so we will just try to verify the zone.
isctest.kasp.check_dnssec_verify(ns3, zone)
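Review bot: The zone literal is respelled from `r'i-am.":…'` to `r"i-am.\":…"` (a raw string, so the backslash before the quote is kept), and the same variable now feeds both the log match in `wait_keymgr_done` and `check_dnssec_verify`; nothing records that this spelling is what named writes in its `keymgr: … done` line, nor that the verify helper still accepts it. A comment above the assignment such as `# Spelled the way named prints the zone name in its log, so the keymgr "done" line can be matched; check_dnssec_verify must accept the same form.` would keep the next editor from "fixing" the escape back. If the two helpers turn out to need different spellings, keep a separate variable for the verify call instead of sharing one.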
isctest.log.info("check insecure zones")
zone = "insecure.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
expected = []
keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
isctest.kasp.check_keys(zone, keys, expected)
# zsk successor
f"zsk 31536000 {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden",
]
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
expected = isctest.kasp.policy_to_properties(300, key_properties)
keys = isctest.kasp.keydir_to_keylist(zone, "ns3")
ksks = [k for k in keys if k.is_ksk()]
f"{os.environ['DEFAULT_HMAC']}:keyforview2:{KASP_INHERIT_TSIG_SECRET['view2']}"
)
+ isctest.kasp.wait_keymgr_done(ns4, zone)
+
isctest.kasp.check_dnssec_verify(ns4, zone, tsig=tsig1)
isctest.kasp.check_dnssec_verify(ns4, zone, tsig=tsig2)
def test_algoroll_csk_initial(ns6):
config = ALGOROLL_CONFIG
policy = "csk-algoroll"
+ zone = "step1.csk-algorithm-roll.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone)
step = {
- "zone": "step1.csk-algorithm-roll.kasp",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"csk 0 8 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P7D']}",
@pytest.fixture(scope="module", autouse=True)
def reconfigure(ns6, templates):
global TIME_PASSED # pylint: disable=global-statement
- start_time = KeyTimingMetadata.now()
+
+ isctest.kasp.wait_keymgr_done(ns6, "step1.csk-algorithm-roll.kasp")
templates.render("ns6/named.conf", {"csk_roll": True})
+ start_time = KeyTimingMetadata.now()
ns6.reconfigure()
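Review bot: The `wait_keymgr_done(ns6, zone, reconfig=True)` calls in the step tests that follow this fixture watch the log from its start, so the sequence reconfig → `apply_configuration` → `keymgr: <zone> done` is satisfied by the first reconfig recorded for ns6, not necessarily the one issued here by `ns6.reconfigure()`. If ns6 has already been reconfigured in the same run (the sibling `reconfigure` fixture for `alg_roll`, `test_dynamic2inline`, the two `reconfigure_policy` fixtures and `test_lifetime_reconfig` all reconfigure ns6 with different templates), the wait can return on stale lines and the assertions then run against the previous configuration; whether those modules share one ns6 process is not visible from the hunk. A more robust shape is to open the watcher from the current end of the log before calling `ns6.reconfigure()`, or to require the keymgr line after the last `apply_configuration` rather than the first. The fixture body continues past the hunk.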
# Calculate time passed to correctly check for next key events.
def test_algoroll_csk_reconfig_step1(ns6, alg, size):
+ zone = "step1.csk-algorithm-roll.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
+
step = {
- "zone": "step1.csk-algorithm-roll.kasp",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
# The RSASHA keys are outroducing.
def test_algoroll_csk_reconfig_step2(ns6, alg, size):
+ zone = "step2.csk-algorithm-roll.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
+
step = {
- "zone": "step2.csk-algorithm-roll.kasp",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
# The RSASHA keys are outroducing, but need to stay present
def test_algoroll_csk_reconfig_step3(ns6, alg, size):
+ zone = "step3.csk-algorithm-roll.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
+
step = {
- "zone": "step3.csk-algorithm-roll.kasp",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
# The DS can be swapped.
def test_algoroll_csk_reconfig_step4(ns6, alg, size):
+ zone = "step4.csk-algorithm-roll.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
+
step = {
- "zone": "step4.csk-algorithm-roll.kasp",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
# The old DS is HIDDEN, we can remove the old algorithm records.
def test_algoroll_csk_reconfig_step5(ns6, alg, size):
+ zone = "step5.csk-algorithm-roll.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
+
step = {
- "zone": "step5.csk-algorithm-roll.kasp",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
# The DNSKEY becomes HIDDEN.
def test_algoroll_csk_reconfig_step6(ns6, alg, size):
+ zone = "step6.csk-algorithm-roll.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
+
step = {
- "zone": "step6.csk-algorithm-roll.kasp",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
# The zone signatures are now HIDDEN.
def test_algoroll_ksk_zsk_initial(ns6):
config = ALGOROLL_CONFIG
policy = "rsasha256"
+ zone = "step1.algorithm-roll.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone)
step = {
- "zone": "step1.algorithm-roll.kasp",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"ksk 0 8 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{-DURATION['P7D']}",
@pytest.fixture(scope="module", autouse=True)
def reconfigure(ns6, templates):
global TIME_PASSED # pylint: disable=global-statement
- start_time = KeyTimingMetadata.now()
+
+ isctest.kasp.wait_keymgr_done(ns6, "step1.algorithm-roll.kasp")
templates.render("ns6/named.conf", {"alg_roll": True})
+ start_time = KeyTimingMetadata.now()
ns6.reconfigure()
# Calculate time passed to correctly check for next key events.
def test_algoroll_ksk_zsk_reconfig_step1(ns6, alg, size):
+ zone = "step1.algorithm-roll.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
+
step = {
- "zone": "step1.algorithm-roll.kasp",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
# The RSASHA keys are outroducing.
def test_algoroll_ksk_zsk_reconfig_step2(ns6, alg, size):
+ zone = "step2.algorithm-roll.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
+
step = {
- "zone": "step2.algorithm-roll.kasp",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
# The RSASHA keys are outroducing, but need to stay present
def test_algoroll_ksk_zsk_reconfig_step3(ns6, alg, size):
+ zone = "step3.algorithm-roll.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
+
step = {
- "zone": "step3.algorithm-roll.kasp",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
# The DS can be swapped.
def test_algoroll_ksk_zsk_reconfig_step4(ns6, alg, size):
+ zone = "step4.algorithm-roll.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
+
step = {
- "zone": "step4.algorithm-roll.kasp",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
# The old DS is HIDDEN, we can remove the old algorithm records.
def test_algoroll_ksk_zsk_reconfig_step5(ns6, alg, size):
+ zone = "step5.algorithm-roll.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
+
step = {
- "zone": "step5.algorithm-roll.kasp",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
# The DNSKEY becomes HIDDEN.
def test_algoroll_ksk_zsk_reconfig_step6(ns6, alg, size):
+ zone = "step6.algorithm-roll.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
+
step = {
- "zone": "step6.algorithm-roll.kasp",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
# The zone signatures are now HIDDEN.
def test_csk_roll1_step1(alg, size, ns3):
+ zone = "step1.csk-roll1.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# Introduce the first key. This will immediately be active.
- "zone": "step1.csk-roll1.autosign",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
def test_csk_roll1_step2(alg, size, ns3):
+ zone = "step2.csk-roll1.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# Successor CSK is prepublished (signs DNSKEY RRset, but not yet
# other RRsets).
# CSK2 goal: hidden -> omnipresent
# CSK2 dnskey: hidden -> rumoured
# CSK2 krrsig: hidden -> rumoured
- "zone": "step2.csk-roll1.autosign",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
def test_csk_roll1_step3(alg, size, ns3):
+ zone = "step3.csk-roll1.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# Successor CSK becomes omnipresent, meaning we can start signing
# the remainder of the zone with the successor CSK, and we can
# submit the DS.
- "zone": "step3.csk-roll1.autosign",
+ "zone": zone,
"cdss": CDSS,
# Predecessor CSK will be removed, so moving to UNRETENTIVE.
# CSK1 zrrsig: omnipresent -> unretentive
def test_csk_roll1_step4(alg, size, ns3):
+ zone = "step4.csk-roll1.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
- "zone": "step4.csk-roll1.autosign",
+ "zone": zone,
"cdss": CDSS,
# The predecessor CSK is no longer signing the DNSKEY RRset.
# CSK1 krrsig: omnipresent -> unretentive
def test_csk_roll1_step5(alg, size, ns3):
+ zone = "step5.csk-roll1.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
- "zone": "step5.csk-roll1.autosign",
+ "zone": zone,
"cdss": CDSS,
# The predecessor KRRSIG records are now all hidden.
# CSK1 krrsig: unretentive -> hidden
def test_csk_roll1_step6(alg, size, ns3):
+ zone = "step6.csk-roll1.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
- "zone": "step6.csk-roll1.autosign",
+ "zone": zone,
"cdss": CDSS,
# The predecessor ZRRSIG records are now all hidden (so the DNSKEY
# can be removed).
def test_csk_roll1_step7(alg, size, ns3):
+ zone = "step7.csk-roll1.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
- "zone": "step7.csk-roll1.autosign",
+ "zone": zone,
"cdss": CDSS,
# The predecessor CSK is now completely HIDDEN.
"keyprops": [
def test_csk_roll1_step8(alg, size, ns3):
+ zone = "step8.csk-roll1.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
- "zone": "step8.csk-roll1.autosign",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step8-s']}",
def test_csk_roll2_step1(alg, size, ns3):
+ zone = "step1.csk-roll2.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# Introduce the first key. This will immediately be active.
- "zone": "step1.csk-roll2.autosign",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
def test_csk_roll2_step2(alg, size, ns3):
+ zone = "step2.csk-roll2.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# Successor CSK is prepublished (signs DNSKEY RRset, but not yet
# other RRsets).
# CSK2 goal: hidden -> omnipresent
# CSK2 dnskey: hidden -> rumoured
# CSK2 krrsig: hidden -> rumoured
- "zone": "step2.csk-roll2.autosign",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
def test_csk_roll2_step3(alg, size, ns3):
+ zone = "step3.csk-roll2.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# Successor CSK becomes omnipresent, meaning we can start signing
# the remainder of the zone with the successor CSK, and we can
# submit the DS.
- "zone": "step3.csk-roll2.autosign",
+ "zone": zone,
"cdss": CDSS,
# Predecessor CSK will be removed, so moving to UNRETENTIVE.
# CSK1 zrrsig: omnipresent -> unretentive
def test_csk_roll2_step4(alg, size, ns3):
+ zone = "step4.csk-roll2.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
- "zone": "step4.csk-roll2.autosign",
+ "zone": zone,
"cdss": CDSS,
# The predecessor ZRRSIG is HIDDEN. The successor ZRRSIG is
# OMNIPRESENT.
def test_csk_roll2_step5(alg, size, ns3):
+ zone = "step5.csk-roll2.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
- "zone": "step5.csk-roll2.autosign",
+ "zone": zone,
"cdss": CDSS,
# The predecessor DNSKEY can be removed.
# CSK1 dnskey: omnipresent -> unretentive
def test_csk_roll2_step6(alg, size, ns3):
+ zone = "step6.csk-roll2.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
- "zone": "step6.csk-roll2.autosign",
+ "zone": zone,
"cdss": CDSS,
# The predecessor CSK is now completely HIDDEN.
# CSK1 dnskey: unretentive -> hidden
def test_csk_roll2_step7(alg, size, ns3):
+ zone = "step7.csk-roll2.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
- "zone": "step7.csk-roll2.autosign",
+ "zone": zone,
"cdss": CDSS,
# The predecessor CSK is now completely HIDDEN.
"keyprops": [
def test_dynamic2inline(alg, size, ns6, templates):
config = DEFAULT_CONFIG
policy = "default"
+ zone = "dynamic2inline.kasp"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone)
step = {
- "zone": "dynamic2inline.kasp",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"csk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
templates.render("ns6/named.conf", {"change_lifetime": True})
ns6.reconfigure()
+ isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
isctest.kasp.check_rollover_step(ns6, config, policy, step)
def test_rollover_enable_dnssec_step1(alg, size, ns3):
+ zone = "step1.enable-dnssec.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
- "zone": "step1.enable-dnssec.autosign",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"csk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden offset:{OFFSETS['step1']}",
def test_rollover_enable_dnssec_step2(alg, size, ns3):
+ zone = "step2.enable-dnssec.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
- "zone": "step2.enable-dnssec.autosign",
+ "zone": zone,
"cdss": CDSS,
# The DNSKEY is omnipresent, but the zone signatures not yet.
# Thus, the DS remains hidden.
def test_rollover_enable_dnssec_step3(alg, size, ns3):
+ zone = "step3.enable-dnssec.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
- "zone": "step3.enable-dnssec.autosign",
+ "zone": zone,
"cdss": CDSS,
# All signatures should be omnipresent, so the DS can be submitted.
# zrrsig: rumoured -> omnipresent
def test_rollover_enable_dnssec_step4(alg, size, ns3):
+ zone = "step4.enable-dnssec.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
- "zone": "step4.enable-dnssec.autosign",
+ "zone": zone,
"cdss": CDSS,
# DS has been published long enough.
# ds: rumoured -> omnipresent
def test_going_insecure_initial(zone, ns6, alg, size):
config = UNSIGNING_CONFIG
policy = "unsigning"
+ zone = f"step1.{zone}"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone)
+
step = {
- "zone": f"step1.{zone}",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
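Review bot: `zone = f"step1.{zone}"` rebinds the `zone` fixture parameter to a derived value, so from that line on the name no longer means what the signature and the parametrization id say it does, and a reader of a failure in the rollover check has to work out which of the two is being reported. A distinct local, e.g. `step_zone = f"step1.{zone}"` used in the `wait_keymgr_done` call and as the `"zone": step_zone` entry, keeps both values readable; the same applies to `test_going_insecure_reconfig_step1` and `test_going_insecure_reconfig_step2`. The function body continues past the hunk.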
def test_going_insecure_reconfig_step1(zone, alg, size, ns6):
config = DEFAULT_CONFIG
policy = "insecure"
+ zone = f"step1.{zone}"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
# Key goal states should be HIDDEN.
# The DS may be removed if we are going insecure.
step = {
- "zone": f"step1.{zone}",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"ksk 0 {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{-DURATION['P10D']}",
def test_going_insecure_reconfig_step2(zone, alg, size, ns6):
config = DEFAULT_CONFIG
policy = "insecure"
+ zone = f"step2.{zone}"
+
+ isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
# The DS is long enough removed from the zone to be considered
# HIDDEN. This means the DNSKEY and the KSK signatures can be
# removed.
step = {
- "zone": f"step2.{zone}",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"ksk 0 {alg} {size} goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{-DURATION['P10D']}",
"""Test #2375: Scheduled rollovers are happening faster than they can finish."""
zone = "three-is-a-crowd.kasp"
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
"zone": zone,
"cdss": CDSS,
def test_ksk_doubleksk_step1(alg, size, ns3):
+ zone = "step1.ksk-doubleksk.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# Introduce the first key. This will immediately be active.
- "zone": "step1.ksk-doubleksk.autosign",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step1-p']}",
def test_ksk_doubleksk_step2(alg, size, ns3):
+ zone = "step2.ksk-doubleksk.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# Successor KSK is prepublished (and signs DNSKEY RRset).
# KSK1 goal: omnipresent -> hidden
# KSK2 goal: hidden -> omnipresent
# KSK2 dnskey: hidden -> rumoured
# KSK2 krrsig: hidden -> rumoured
- "zone": "step2.ksk-doubleksk.autosign",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
def test_ksk_doubleksk_step3(alg, size, ns3):
+ zone = "step3.ksk-doubleksk.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# The successor DNSKEY RRset has become omnipresent. The
# predecessor DS can be withdrawn and the successor DS can be
# KSK2 dnskey: rumoured -> omnipresent
# KSK2 krrsig: rumoured -> omnipresent
# KSK2 ds: hidden -> rumoured
- "zone": "step3.ksk-doubleksk.autosign",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3-p']}",
def test_ksk_doubleksk_step4(alg, size, ns3):
+ zone = "step4.ksk-doubleksk.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# The predecessor DNSKEY may be removed, the successor DS is
# omnipresent.
# KSK1 krrsig: omnipresent -> unretentive
# KSK1 ds: unretentive -> hidden
# KSK2 ds: rumoured -> omnipresent
- "zone": "step4.ksk-doubleksk.autosign",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-p']}",
def test_ksk_doubleksk_step5(alg, size, ns3):
+ zone = "step5.ksk-doubleksk.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# The predecessor DNSKEY is long enough removed from the zone it
# has become hidden.
# KSK1 dnskey: unretentive -> hidden
# KSK1 krrsig: unretentive -> hidden
- "zone": "step5.ksk-doubleksk.autosign",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step5-p']}",
def test_ksk_doubleksk_step6(alg, size, ns3):
+ zone = "step6.ksk-doubleksk.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# Predecessor KSK is now purged.
- "zone": "step6.ksk-doubleksk.autosign",
+ "zone": zone,
"cdss": CDSS,
"keyprops": [
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6-p']}",
def test_lifetime_initial(zone, policy, lifetime, alg, size, ns6):
config = DEFAULT_CONFIG
+ isctest.kasp.wait_keymgr_done(ns6, zone)
+
step = {
"zone": zone,
"cdss": CDSS,
@pytest.fixture(scope="module", autouse=True)
def reconfigure_policy(ns6, templates):
+ isctest.kasp.wait_keymgr_done(ns6, "shorter-lifetime")
+ isctest.kasp.wait_keymgr_done(ns6, "longer-lifetime")
+ isctest.kasp.wait_keymgr_done(ns6, "limit-lifetime")
+ isctest.kasp.wait_keymgr_done(ns6, "unlimit-lifetime")
+
templates.render("ns6/named.conf", {"change_lifetime": True})
ns6.reconfigure()
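Review bot: The four zone names waited on in `reconfigure_policy` are spelled out by hand, while `test_lifetime_initial` and `test_lifetime_reconfig` receive `zone` from a parametrization that presumably lists the same zones, so the two lists will drift silently when a lifetime case is added or renamed. Prefer iterating the sequence the parametrization draws on (`for z in <that shared list>: isctest.kasp.wait_keymgr_done(ns6, z)`) so there is one source of truth; the `going-straight-to-none` pair in the later `reconfigure_policy` fixture has the same shape. The fixture body continues past the hunk.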
def test_lifetime_reconfig(zone, policy, lifetime, alg, size, ns6):
config = DEFAULT_CONFIG
+ isctest.kasp.wait_keymgr_done(ns6, zone, reconfig=True)
+
step = {
"zone": zone,
"cdss": CDSS,
zone = "multisigner-model2.kasp"
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
isctest.kasp.check_dnssec_verify(ns3, zone)
key_properties = [
# keys in the desired key range.
zone = "single-to-multisigner.kasp"
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
isctest.kasp.check_dnssec_verify(ns3, zone)
key_properties = [
config = DEFAULT_CONFIG
policy = "default"
+ isctest.kasp.wait_keymgr_done(ns6, zone)
+
step = {
"zone": zone,
"cdss": CDSS,
@pytest.fixture(scope="module", autouse=True)
def reconfigure_policy(ns6, templates):
+ isctest.kasp.wait_keymgr_done(ns6, "going-straight-to-none.kasp")
+ isctest.kasp.wait_keymgr_done(ns6, "going-straight-to-none-dynamic.kasp")
+
templates.render("ns6/named.conf", {"policy": "none"})
ns6.reconfigure()
def test_zsk_prepub_step1(alg, size, ns3):
+ zone = "step1.zsk-prepub.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# Introduce the first key. This will immediately be active.
- "zone": "step1.zsk-prepub.autosign",
+ "zone": zone,
"keyprops": [
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step1-p']}",
def test_zsk_prepub_step2(alg, size, ns3):
+ zone = "step2.zsk-prepub.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# it is time to pre-publish the successor zsk.
# zsk1 goal: omnipresent -> hidden
# zsk2 goal: hidden -> omnipresent
# zsk2 dnskey: hidden -> rumoured
- "zone": "step2.zsk-prepub.autosign",
+ "zone": zone,
"keyprops": [
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
def test_zsk_prepub_step3(alg, size, ns3):
+ zone = "step3.zsk-prepub.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# predecessor zsk is no longer actively signing. successor zsk is
# now actively signing.
# zsk1 zrrsig: omnipresent -> unretentive
# zsk2 dnskey: rumoured -> omnipresent
# zsk2 zrrsig: hidden -> rumoured
- "zone": "step3.zsk-prepub.autosign",
+ "zone": zone,
"keyprops": [
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:unretentive offset:{OFFSETS['step3-p']}",
def test_zsk_prepub_step4(alg, size, ns3):
+ zone = "step4.zsk-prepub.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# predecessor zsk is no longer needed. all rrsets are signed with
# the successor zsk.
# zsk1 dnskey: omnipresent -> unretentive
# zsk1 zrrsig: unretentive -> hidden
# zsk2 zrrsig: rumoured -> omnipresent
- "zone": "step4.zsk-prepub.autosign",
+ "zone": zone,
"keyprops": [
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-p']}",
f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:unretentive zrrsig:hidden offset:{OFFSETS['step4-p']}",
def test_zsk_prepub_step5(alg, size, ns3):
+ zone = "step5.zsk-prepub.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# predecessor zsk is now removed.
# zsk1 dnskey: unretentive -> hidden
- "zone": "step5.zsk-prepub.autosign",
+ "zone": zone,
"keyprops": [
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-p']}",
f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:hidden zrrsig:hidden offset:{OFFSETS['step5-p']}",
def test_zsk_prepub_step6(alg, size, ns3):
+ zone = "step6.zsk-prepub.autosign"
+
+ isctest.kasp.wait_keymgr_done(ns3, zone)
+
step = {
# predecessor zsk is now purged.
- "zone": "step6.zsk-prepub.autosign",
+ "zone": zone,
"keyprops": [
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-p']}",
f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6-s']}",
size = os.environ["DEFAULT_BITS"]
zone = "manual-rollover.kasp"
- with ns3.watch_log_from_start() as watcher:
- watcher.wait_for_line(f"keymgr: {zone} done")
+ isctest.kasp.wait_keymgr_done(ns3, zone)
isctest.kasp.check_dnssec_verify(ns3, zone)