--- /dev/null
+../rollover/common.py
\ No newline at end of file
--- /dev/null
+../../rollover-going-insecure/ns6/kasp.conf.j2
\ No newline at end of file
--- /dev/null
+../../rollover-dynamic2inline/ns6/named.common.conf.j2
\ No newline at end of file
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+{% set policy = policy | default("default") %}
+
+include "kasp.conf";
+include "named.common.conf";
+
+zone "going-straight-to-none.kasp" {
+ type primary;
+ file "going-straight-to-none.kasp.db";
+ dnssec-policy @policy@;
+};
+
+zone "going-straight-to-none-dynamic.kasp" {
+ type primary;
+ file "going-straight-to-none-dynamic.kasp.db.signed";
+ inline-signing no;
+ dnssec-policy @policy@;
+ allow-update { any; };
+};
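Review bot: The template gives no hint which values `policy` is expected to take, so a reader has to locate the test fixture that re-renders it with `none` to understand why the Jinja default is `default`; a comment above the `{% set %}` line such as `{# "default" at setup time; the reconfig test re-renders with "none" to exercise going straight to no policy #}` would document that contract in the file that implements it. The `allow-update { any; };` line is what makes the second zone the dynamic variant of the same scenario and is appropriate for this test network, but a one-line comment saying so would distinguish the two zones at a glance instead of leaving the reader to diff them.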
--- /dev/null
+../../rollover-dynamic2inline/ns6/template.db.in
\ No newline at end of file
--- /dev/null
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+cd "ns6"
+
+setup() {
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+}
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+
+# These zones are going straight to "none" policy. This is undefined behavior.
+T="now-10d"
+S="now-12955mi"
+csktimes="-P $T -A $T -P sync $S"
+
+setup going-straight-to-none.kasp
+echo "$zone" >>zones
+CSK=$($KEYGEN -k default $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+setup going-straight-to-none-dynamic.kasp
+echo "$zone" >>zones
+CSK=$($KEYGEN -k default $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O full -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
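Review bot: `$TactN` is expanded on both `$SETTIME` lines but is never assigned in this file, and none of the visible variables (`T`, `S`, `csktimes`, `H`/`R`/`O`/`U`) provides it; in the original rollover/setup.sh it was presumably set by an earlier section that this standalone script no longer carries. With `TactN` empty, `-k $O $TactN -z $O ...` leaves `-z` where dnssec-settime expects a date, so the script would most likely abort under `sh -e` (or set unintended times if ../conf.sh happens to export the name — worth confirming). Define it next to the other timing variables, e.g. `TactN="$T"` if the key states are meant to date from the activation time given by `-A $T`, and check the value against the section removed from rollover/setup.sh.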
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=redefined-outer-name,unused-import
+
+import pytest
+
+import isctest
+from common import (
+ pytestmark,
+ alg,
+ size,
+ CDSS,
+ DURATION,
+ DEFAULT_CONFIG,
+)
+
+
+@pytest.mark.parametrize(
+ "zone",
+ [
+ "going-straight-to-none.kasp",
+ "going-straight-to-none-dynamic.kasp",
+ ],
+)
+def test_straight2none_initial(zone, servers, alg, size):
+ config = DEFAULT_CONFIG
+ policy = "default"
+
+ step = {
+ "zone": zone,
+ "cdss": CDSS,
+ "keyprops": [
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
+ ],
+ "nextev": None,
+ }
+ isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
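Review bot: The `keyprops` entry in `test_straight2none_initial` is repeated verbatim in the sibling reconfig test (the same `csk 0 {alg} {size} ... offset:{-DURATION['P10D']}` string), so any change to the expected key state has to be made in two files; since both already import from `common`, a shared constant or small helper there would keep them in step. A docstring stating what the step asserts would also help, e.g. `"""Before the policy is switched to none, each zone has a single CSK with every state omnipresent and the 10-day offset."""`.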
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=redefined-outer-name,unused-import
+
+import pytest
+
+import isctest
+from common import (
+ pytestmark,
+ alg,
+ size,
+ CDSS,
+ DURATION,
+ DEFAULT_CONFIG,
+)
+
+
+@pytest.fixture(scope="module", autouse=True)
+def reconfigure_policy(servers, templates):
+ templates.render("ns6/named.conf", {"policy": "none"})
+ servers["ns6"].reconfigure()
+
+
+@pytest.mark.parametrize(
+ "zone",
+ [
+ "going-straight-to-none.kasp",
+ "going-straight-to-none-dynamic.kasp",
+ ],
+)
+def test_straight2none_reconfig(zone, servers, alg, size):
+ config = DEFAULT_CONFIG
+ policy = None
+
+ step = {
+ "zone": zone,
+ "cdss": CDSS,
+ # These zones will go bogus after signatures expire, but
+ # remain validly signed for now.
+ "keyprops": [
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
+ ],
+ "nextev": None,
+ }
+ isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
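Review bot: `reconfigure_policy` switches ns6 to `policy: none` for the whole module but has no teardown, so the server stays reconfigured for whatever runs afterwards, and the module that checks the initial state only sees the default policy because it happens to run first; the file names are not visible here, so I cannot confirm that ordering is guaranteed. If re-rendering is cheap, turning the fixture into a generator restores the prior state: after `servers["ns6"].reconfigure()` add `yield`, then `templates.render("ns6/named.conf", {"policy": "default"})` and `servers["ns6"].reconfigure()`. Otherwise a comment on the fixture stating that this module must run after the initial-state module would at least make the dependency explicit.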
include "named.common.conf";
-{% set _policy = "default" if not csk_roll else "none" %}
-zone "step1.going-straight-to-none.kasp" {
- type primary;
- file "step1.going-straight-to-none.kasp.db";
- dnssec-policy @_policy@;
-};
-
-{% set _policy = "default" if not csk_roll else "none" %}
-zone "step1.going-straight-to-none-dynamic.kasp" {
- type primary;
- file "step1.going-straight-to-none-dynamic.kasp.db.signed";
- inline-signing no;
- dnssec-policy @_policy@;
- allow-update { any; };
-};
-
/* Zones for testing KSK/ZSK algorithm roll. */
{% set _policy = "rsasha256" if not csk_roll else "ecdsa256" %}
zone "step1.algorithm-roll.kasp" {
O="OMNIPRESENT"
U="UNRETENTIVE"
-# These zones are going straight to "none" policy. This is undefined behavior.
-T="now-10d"
-S="now-12955mi"
-csktimes="-P $T -A $T -P sync $S"
-
-setup step1.going-straight-to-none.kasp
-echo "$zone" >>zones
-CSK=$($KEYGEN -k default $csktimes $zone 2>keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-setup step1.going-straight-to-none-dynamic.kasp
-echo "$zone" >>zones
-CSK=$($KEYGEN -k default $csktimes $zone 2>keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O full -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
#
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
# algorithm rollover.
start_time = KeyTimingMetadata.now()
- # Test going straight to none.
- isctest.log.info("check going straight to none")
- zones = [
- "step1.going-straight-to-none.kasp",
- "step1.going-straight-to-none-dynamic.kasp",
- ]
- for zone in zones:
- step = {
- "zone": zone,
- "cdss": cdss,
- "config": default_config,
- "policy": "default",
- "keyprops": [
- f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}",
- ],
- "nextev": None,
- }
- steps.append(step)
-
# Test algorithm rollover (KSK/ZSK split).
isctest.log.info("check algorithm rollover ksk/zsk split")
offset = -timedelta(days=7)
now = KeyTimingMetadata.now()
time_passed = now.value - start_time.value
- # Test going straight to none.
- isctest.log.info("check going straight to none (after reconfig)")
- zones = [
- "step1.going-straight-to-none.kasp",
- "step1.going-straight-to-none-dynamic.kasp",
- ]
- for zone in zones:
- step = {
- "zone": zone,
- "cdss": cdss,
- "config": default_config,
- "policy": None,
- # These zones will go bogus after signatures expire, but
- # remain validly signed for now.
- "keyprops": [
- f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}",
- ],
- "nextev": None,
- }
- steps.append(step)
-
# Test algorithm rollover (KSK/ZSK split) (after reconfig).
isctest.log.info("check algorithm rollover ksk/zsk split (after reconfig)")
offset = -timedelta(days=7)