Add a test for RFC 8901 signer model 2
authorMatthijs Mekking <matthijs@isc.org>
Mon, 26 Oct 2020 16:42:31 +0000 (17:42 +0100)
committerMatthijs Mekking <matthijs@isc.org>
Wed, 4 Nov 2020 11:40:04 +0000 (12:40 +0100)
The new 'dnssec-policy' was already compatible with multi-signer
model 2; now we also have a test for it.

bin/tests/system/kasp/clean.sh
bin/tests/system/kasp/ns3/named.conf.in
bin/tests/system/kasp/ns3/policies/kasp.conf.in
bin/tests/system/kasp/ns3/setup.sh
bin/tests/system/kasp/tests.sh

index 9ec8a91ee8a701999cb4dfc68bc2ce81c3599f16..ab5890da77f802da53db4337be338de9ecbd812c 100644 (file)
@@ -24,6 +24,7 @@ rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
 rm -f ns*/managed-keys.bind
 rm -f ns*/*.mkeys
 rm -f ns*/zones ns*/*.db.infile
+rm -f ns*/*.zsk1 ns*/*.zsk2
 rm -f *.created published.test* retired.test*
 rm -f rndc.dnssec.*.out.*
 rm -f python.out.*
index d6e5300e25444f1d1a8bac30c21073edbce1a2c6..3df661b4aed68a0dbdc4233c86da6b37ecf44aa1 100644 (file)
@@ -177,6 +177,14 @@ zone "rumoured.kasp" {
        dnssec-policy "rsasha1";
 };
 
+/* RFC 8901 Multi-signer Model 2. */
+zone "multisigner-model2.kasp" {
+       type primary;
+       file "multisigner-model2.kasp.db";
+       dnssec-policy "multisigner-model2";
+       allow-update { any; };
+};
+
 /*
  * Different algorithms.
  */
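Review bot: The `allow-update { any; };` line opens the new zone to unauthenticated dynamic updates from any source, and tests.sh sends the foreign ZSK through nsupdate with TSIG cleared, so the two files depend on each other without saying so. A short comment on the zone would make that intent explicit for anyone later tightening the test config, e.g. `/* Unauthenticated updates: tests.sh imports the other provider's ZSK via nsupdate. */`.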
index 65d57970798b0af1b206ed7325db88379ad712a9..823060630251ab5f516881f6f4b80627520d1421 100644 (file)
@@ -26,6 +26,15 @@ dnssec-policy "manual-rollover" {
        };
 };
 
+dnssec-policy "multisigner-model2" {
+       dnskey-ttl 3600;
+
+       keys {
+               ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+               zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+       };
+};
+
 dnssec-policy "rsasha1" {
        dnskey-ttl 1234;
 
index aefb0ca38d25f3187a99c4d252e714be6bc92eaf..521c1923290ab7485bd549336ceeda4e6988fa9a 100644 (file)
@@ -54,7 +54,7 @@ for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \
          rumoured rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 \
          dynamic dynamic-inline-signing inline-signing \
          checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
-         manual-rollover
+         manual-rollover multisigner-model2
 do
        setup "${zn}.kasp"
        cp template.db.in "$zonefile"
@@ -95,6 +95,18 @@ zone="pregenerated.kasp"
 $KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
 $KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
 
+zone="multisigner-model2.kasp"
+# Import the ZSK sets of the other providers into their DNSKEY RRset.
+ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.1)
+ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.2)
+# ZSK1 will be added to the unsigned zonefile.
+cat "../${ZSK1}.key" | grep -v ";.*" >> "${zone}.db"
+cat "../${ZSK1}.key" | grep -v ";.*" > "${zone}.zsk1"
+rm -f "../${ZSK1}.*"
+# ZSK2 will be used with a Dynamic Update.
+cat "../${ZSK2}.key" | grep -v ";.*" > "${zone}.zsk2"
+rm -f "../${ZSK2}.*"
+
 zone="rumoured.kasp"
 Tpub="now"
 Tact="now+1d"
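Review bot: The cleanup lines `rm -f "../${ZSK1}.*"` and `rm -f "../${ZSK2}.*"` never remove anything, because the `.*` glob sits inside the double quotes and reaches rm as a literal name, so the generated `.key`/`.private` files stay in the parent directory and `-f` hides the failure. Quote only the variable, `rm -f "../${ZSK1}".*` and `rm -f "../${ZSK2}".*`, and because the `$KEYGEN` output is captured without a status check, guard the glob against an empty name first, e.g. `test -n "$ZSK1" || exit 1`, since an expanded `../.*` would otherwise match the parent's dotfiles. The `cat ... | grep -v ";.*"` pipelines can be written as plain `grep -v ';' "../${ZSK1}.key"`.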
index e875e406c9dcdc4ee5884f47e6ac24057a47182c..ae7c315837fe31f6f2ad8046b1fee327f6fbec07 100644 (file)
@@ -1374,7 +1374,6 @@ retry_quiet 10 update_is_signed || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 
-
 #
 # Zone: dynamic-inline-signing.kasp
 #
@@ -2687,6 +2686,68 @@ status=$((status+ret))
 # Clear TSIG.
 TSIG=""
 
+#
+# Testing RFC 8901 Multi-Signer Model 2.
+#
+set_zone "multisigner-model2.kasp"
+set_policy "multisigner-model2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Key properties.
+set_keyrole      "KEY1" "ksk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "no"
+
+set_keyrole      "KEY2" "zsk"
+set_keylifetime  "KEY2" "0"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY2" "no"
+set_zonesigning  "KEY2" "yes"
+
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+set_keystate "KEY2" "GOAL"         "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check that the ZSKs from the other provider are published.
+zsks_are_published() {
+       dig_with_opts +short "$ZONE" "@${SERVER}" DNSKEY > "dig.out.$DIR.test$n" || return 1
+       # We should have three ZSKs.
+       lines=$(grep "256 3 13" dig.out.$DIR.test$n | wc -l)
+       test "$lines" -eq 3 || return 1
+       # And one KSK.
+       lines=$(grep "257 3 13" dig.out.$DIR.test$n | wc -l)
+       test "$lines" -eq 1 || return 1
+}
+
+n=$((n+1))
+echo_i "update zone with ZSK from another provider for zone ${ZONE} ($n)"
+ret=0
+(
+echo zone ${ZONE}
+echo server 10.53.0.3 "$PORT"
+echo update add $(cat "${DIR}/${ZONE}.zsk2")
+echo send
+) | $NSUPDATE
+retry_quiet 10 zsks_are_published || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 #
 # Testing manual rollover.
 #
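Review bot: After the nsupdate on the `) | $NSUPDATE` line the test only counts DNSKEY records in `zsks_are_published`; it does not run `dnssec_verify` again, so a DNSKEY RRset that now includes the foreign ZSK but whose RRSIG by KEY1 was not regenerated would still pass. Adding `dnssec_verify` after `retry_quiet 10 zsks_are_published || ret=1` closes that gap. Inside `zsks_are_published`, `grep ... | wc -l` can be `lines=$(grep -c "256 3 13" "dig.out.$DIR.test$n")`, which also quotes the file name the way the `dig_with_opts` line above it already does.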