dig_with_opts "$ZONE" "@${SERVER}" $_qtype > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
-
if [ "$(key_get KEY1 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" = "omnipresent" ]; then
grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*$(key_get KEY1 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY1 ID)"
check_signatures $_qtype "dig.out.$DIR.test$n" "KSK"
# Key lifetime is unlimited, so not setting RETIRED and REMOVED.
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keytime "KEY1" "SYNCPUBLISH" "${created}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -98400
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubZSK}"
set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keytime "KEY3" "ACTIVE" "${created}"
set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
check_keytimes
-
check_apex
# Subdomain still has good signatures of ZSK (KEY2).
# Set expected zone signing on for KEY2 and off for KEY3,
set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}"
set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}"
set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
# This key is immediately published and activated.
csk_rollover_predecessor_keytimes 0 0
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keytime "KEY2" "ACTIVE" "${created}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
check_keytimes
-
check_apex
# Subdomain still has good signatures of old CSK (KEY1).
# Set expected zone signing on for KEY1 and off for KEY2,
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
# This key is immediately published and activated.
csk_rollover_predecessor_keytimes 0 0
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keytime "KEY2" "ACTIVE" "${created}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
check_keytimes
-
check_apex
# Subdomain still has good signatures of old CSK (KEY1).
# Set expected zone signing on for KEY1 and off for KEY2,
set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
IretZSK=0
rollover_predecessor_keytimes 0
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
IretCSK=0
csk_rollover_predecessor_keytimes 0 0
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_addkeytime "KEY2" "PUBLISHED" "${created}" -43200
set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_addkeytime "KEY2" "PUBLISHED" "${created}" -43200
set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
time_passed=$((now-start_time))
echo_i "${time_passed} seconds passed between start of tests and reconfig"
-# The NSEC record at the apex of the zone and its RRSIG records are
-# added as part of the last step in signing a zone. We wait for the
-# NSEC records to appear before proceeding with a counter to prevent
-# infinite loops if there is a error. Make sure the zone is signed
-# with the new algorithm.
-_wait_for_done_reconfig() {
- while read -r zone
- do
- dig_with_opts "$zone" @10.53.0.6 nsec > "dig.out.ns6.test$n.$zone" || return 1
- grep "NS SOA" "dig.out.ns6.test$n.$zone" > /dev/null || return 1
- grep "$zone\..*IN.*RRSIG.*NSEC" "dig.out.ns6.test$n.$zone" > /dev/null || return 1
- done < ns6/zones.2
+# Wait until we have seen "zone_rekey done:" message for this key.
+_wait_for_done_signing() {
+ _zone=$1
+
+ _ksk=$(key_get $2 KSK)
+ _zsk=$(key_get $2 ZSK)
+ if [ "$_ksk" = "yes" ]; then
+ _role="KSK"
+ _expect_type=EXPECT_KRRSIG
+ elif [ "$_zsk" = "yes" ]; then
+ _role="ZSK"
+ _expect_type=EXPECT_ZRRSIG
+ fi
+
+ if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then
+ _keyid=$(key_get $2 ID)
+ _keyalg=$(key_get $2 ALG_STR)
+ echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
+ grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1
+ fi
+
+ return 0
}
-retry_quiet 30 _wait_for_done_reconfig || ret=1
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-next_key_event_threshold=$((next_key_event_threshold+i))
+wait_for_done_signing() {
+ n=$((n+1))
+ echo_i "wait for zone ${ZONE} is done signing ($n)"
+ ret=0
+
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1
+
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status+ret))
+}
#
# Testing migration.
key_set "KEY2" "LEGACY" "no"
check_keys
+wait_for_done_signing
rollover_predecessor_keytimes 0
# Key now has lifetime of 60 days (5184000 seconds).
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
check_keys
+wait_for_done_signing
# KSK must be retired since it no longer matches the policy.
# -P : now-3900s
retired=$(key_get KEY4 RETIRED)
set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
check_keys
+wait_for_done_signing
# KSK must be retired since it no longer matches the policy.
# -P : now-3900s
retired=$(key_get KEY4 RETIRED)
set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
check_keys
+wait_for_done_signing
# The old keys are published and activated.
rollover_predecessor_keytimes 0
set_keytime "KEY4" "ACTIVE" "${created}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keystate "KEY4" "STATE_DNSKEY" "omnipresent"
check_keys
+wait_for_done_signing
# The old keys were activated three hours ago (10800 seconds).
rollover_predecessor_keytimes -10800
set_addkeytime "KEY4" "ACTIVE" "${created}" -10800
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
check_keys
+wait_for_done_signing
# The old keys were activated 9 hours ago (32400 seconds)
# and retired 6 hours ago (21600 seconds).
set_addkeytime "KEY4" "ACTIVE" "${created}" -32400
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keystate "KEY3" "STATE_DS" "omnipresent"
check_keys
+wait_for_done_signing
# The old keys were activated 38 hours ago (136800 seconds)
# and retired 35 hours ago (126000 seconds).
set_addkeytime "KEY4" "ACTIVE" "${created}" -136800
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keystate "KEY2" "STATE_DNSKEY" "hidden"
check_keys
+wait_for_done_signing
# The old keys were activated 40 hours ago (144000 seconds)
# and retired 35 hours ago (133200 seconds).
set_addkeytime "KEY4" "ACTIVE" "${created}" -144000
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
check_keys
+wait_for_done_signing
# The old keys were activated 47 hours ago (169200 seconds)
# and retired 34 hours ago (158400 seconds).
set_addkeytime "KEY4" "ACTIVE" "${created}" -169200
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keystate "KEY2" "STATE_DS" "hidden"
check_keys
+wait_for_done_signing
# CSK must be retired since it no longer matches the policy.
csk_rollover_predecessor_keytimes 0 0
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
check_keys
+wait_for_done_signing
# The old key was activated three hours ago (10800 seconds).
csk_rollover_predecessor_keytimes -10800 -10800
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keystate "KEY2" "STATE_DS" "rumoured"
check_keys
+wait_for_done_signing
# The old key was activated 9 hours ago (10800 seconds)
# and retired 6 hours ago (21600 seconds).
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keystate "KEY2" "STATE_DS" "omnipresent"
check_keys
+wait_for_done_signing
# The old key was activated 38 hours ago (136800 seconds)
# and retired 35 hours ago (126000 seconds).
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keystate "KEY1" "STATE_KRRSIG" "hidden"
check_keys
+wait_for_done_signing
# The old key was activated 40 hours ago (144000 seconds)
# and retired 37 hours ago (133200 seconds).
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
check_keys
+wait_for_done_signing
# The old keys were activated 47 hours ago (169200 seconds)
# and retired 44 hours ago (158400 seconds).
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
check_keytimes
-
check_apex
check_subdomain
dnssec_verify
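Review bot: `_role` and `_expect_type` in the new `_wait_for_done_signing` are never reset, and since POSIX sh has no function-local variables, a call for a key that is neither KSK nor ZSK (neither branch of the `_ksk`/`_zsk` test fires) reuses whatever the previous call left in them, so the check on the `key_get ${2} $_expect_type` line inspects the wrong attribute for that key. Initialize both at the top, `_role=` and `_expect_type=`, and skip the check with `[ -n "$_role" ] || return 0` before the `if [ "$(key_get ${2} $_expect_type)" ...` line. Separately, the `grep "zone_rekey done: key ${_keyid}/${_keyalg}"` match does not use `_zone` at all, so a matching line logged for a different zone served by the same named (same key ID and algorithm) would satisfy the wait; if that log line carries the zone name, anchoring the pattern on it would make the wait zone-specific. `wait_for_done_signing` also waits on KEY1 through KEY4 unconditionally, which relies on `key_get` returning something other than "yes" for unused key slots; a one-line comment stating that assumption would help the next reader.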