--- /dev/null
+../rollover/common.py
\ No newline at end of file
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "unlimited-lifetime" {
+ keys {
+ csk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+dnssec-policy "short-lifetime" {
+ keys {
+ csk lifetime P6M algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "long-lifetime" {
+ keys {
+ csk lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
+ };
+};
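Review bot: The three policies are undocumented, and the spacing is inconsistent: "unlimited-lifetime" and "short-lifetime" are run together while a blank line separates "long-lifetime", so a reader cannot tell whether the first two are meant as a group. A header comment naming their role would help, e.g. `/* CSK policies differing only in key lifetime; the *-lifetime zones in named.conf.j2 are switched between them to exercise lifetime changes. */`, and a blank line before line L23's `dnssec-policy "short-lifetime"` would match the rest of the file. The role is inferred from the zone template and test modules in this diff, so confirm the wording.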
--- /dev/null
+../../rollover-dynamic2inline/ns6/template.db.in
\ No newline at end of file
--- /dev/null
+../../rollover-dynamic2inline/ns6/template.db.in
\ No newline at end of file
--- /dev/null
+../../rollover-dynamic2inline/ns6/named.common.conf.j2
\ No newline at end of file
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+{% set change_lifetime = change_lifetime | default(False) %}
+{% set longer = "short-lifetime" if not change_lifetime else "long-lifetime" %}
+{% set shorter = "long-lifetime" if not change_lifetime else "short-lifetime" %}
+{% set limit = "unlimited-lifetime" if not change_lifetime else "short-lifetime" %}
+{% set unlimit = "short-lifetime" if not change_lifetime else "unlimited-lifetime" %}
+
+include "kasp.conf";
+include "named.common.conf";
+
+zone longer-lifetime {
+ type primary;
+ file "longer-lifetime.db";
+ dnssec-policy @longer@;
+};
+
+zone shorter-lifetime {
+ type primary;
+ file "shorter-lifetime.db";
+ dnssec-policy @shorter@;
+};
+
+zone limit-lifetime {
+ type primary;
+ file "limit-lifetime.db";
+ dnssec-policy @limit@;
+};
+
+zone unlimit-lifetime {
+ type primary;
+ file "unlimit-lifetime.db";
+ dnssec-policy @unlimit@;
+};
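Review bot: The four `{% set %}` lines encode two mappings (before and after the reconfigure) that must stay in lockstep with the parametrize tables in tests_lifetime_initial.py and tests_lifetime_reconfig.py, but nothing in the template says so, and the naming is easy to misread because the zone name describes the transition while the policy name describes the lifetime (zone `longer-lifetime` starts on `short-lifetime` and moves to `long-lifetime`). A comment above the `{% set %}` block would prevent drift, e.g. `{# Zone names describe the lifetime transition; change_lifetime=False is the initial state, True the post-reconfigure state. Keep in sync with the lifetime test modules. #}`. The pairing with the two test modules is inferred from this diff, so adjust the comment if the files are named differently.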
--- /dev/null
+../../rollover-dynamic2inline/ns6/template.db.in
\ No newline at end of file
--- /dev/null
+../../rollover-dynamic2inline/ns6/template.db.in
\ No newline at end of file
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=redefined-outer-name,unused-import
+
+import pytest
+
+import isctest
+from isctest.util import param
+from common import (
+ pytestmark,
+ alg,
+ size,
+ CDSS,
+ DEFAULT_CONFIG,
+ DURATION,
+)
+
+
+@pytest.mark.parametrize(
+ "zone, policy, lifetime",
+ [
+ param("shorter-lifetime", "long-lifetime", "P1Y"),
+ param("longer-lifetime", "short-lifetime", "P6M"),
+ param("limit-lifetime", "unlimited-lifetime", 0),
+ param("unlimit-lifetime", "short-lifetime", "P6M"),
+ ],
+)
+def test_lifetime_initial(zone, policy, lifetime, alg, size, servers):
+ config = DEFAULT_CONFIG
+
+ step = {
+ "zone": zone,
+ "cdss": CDSS,
+ "keyprops": [
+ f"csk {DURATION[lifetime]} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ ],
+ "nextev": None,
+ }
+ isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
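Review bot: The `lifetime` parameter mixes two key types for `DURATION[lifetime]`: ISO 8601 strings for three cases and the int `0` for "unlimited" on line L128, and whether `DURATION` has a `0` entry is not visible here (the diff only shows `TIMEDELTA` gaining one on L204), so that case fails with a KeyError if the tables were not both updated; please confirm, and consider a comment on the param, `# 0 = lifetime unlimited, no rollover scheduled`. The function also lacks a docstring; something like `"""Check each *-lifetime zone has one CSK with the lifetime of its initial policy."""` would say what the `keyprops` line asserts. The `config = DEFAULT_CONFIG` alias on L133 adds nothing and `DEFAULT_CONFIG` can be passed directly to `check_rollover_step`.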
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=redefined-outer-name,unused-import
+
+import pytest
+
+import isctest
+from isctest.util import param
+from common import (
+ pytestmark,
+ alg,
+ size,
+ CDSS,
+ DEFAULT_CONFIG,
+ DURATION,
+)
+
+
+@pytest.fixture(scope="module", autouse=True)
+def reconfigure_policy(servers, templates):
+ templates.render("ns6/named.conf", {"change_lifetime": True})
+ servers["ns6"].reconfigure()
+
+
+@pytest.mark.parametrize(
+ "zone, policy, lifetime",
+ [
+ param("shorter-lifetime", "short-lifetime", "P6M"),
+ param("longer-lifetime", "long-lifetime", "P1Y"),
+ param(
+ "limit-lifetime",
+ "short-lifetime",
+ "P6M",
+ ),
+ param("unlimit-lifetime", "unlimited-lifetime", 0),
+ ],
+)
+def test_lifetime_reconfig(zone, policy, lifetime, alg, size, servers):
+ config = DEFAULT_CONFIG
+
+ step = {
+ "zone": zone,
+ "cdss": CDSS,
+ "keyprops": [
+ f"csk {DURATION[lifetime]} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ ],
+ "nextev": None,
+ }
+ isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
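Review bot: The `reconfigure_policy` fixture re-renders `ns6/named.conf` with `change_lifetime=True` and has no docstring and no teardown, so if the ns6 server instance outlives this module the altered configuration persists into later modules; if servers are per-module in this framework a docstring is enough, otherwise a `yield` followed by `templates.render("ns6/named.conf", {})` and a second `reconfigure()` would make the module self-contained. A docstring such as `"""Switch ns6 to the post-change policies (change_lifetime=True) before any test in this module runs."""` should be added either way. The `limit-lifetime` entry on L183-L187 is split across five lines while its siblings fit on one; `param("limit-lifetime", "short-lifetime", "P6M"),` would match them. The same missing docstring applies to `test_lifetime_reconfig`, mirroring the note on tests_lifetime_initial.py.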
TIMEDELTA = {
+ 0: timedelta(seconds=0),
"PT5M": timedelta(minutes=5),
"PT1H": timedelta(hours=1),
"PT2H": timedelta(hours=2),
* information regarding copyright ownership.
*/
-dnssec-policy "unlimited-lifetime" {
- keys {
- csk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
- };
-};
-dnssec-policy "short-lifetime" {
- keys {
- csk lifetime P6M algorithm @DEFAULT_ALGORITHM@;
- };
-};
-
-dnssec-policy "long-lifetime" {
- keys {
- csk lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
- };
-};
-
dnssec-policy "unsigning" {
dnskey-ttl 7200;
include "named.common.conf";
-/* Lifetime changes. */
-{% set _policy = "short-lifetime" if not csk_roll else "long-lifetime" %}
-zone longer-lifetime {
- type primary;
- file "longer-lifetime.db";
- dnssec-policy @_policy@;
-};
-
-{% set _policy = "long-lifetime" if not csk_roll else "short-lifetime" %}
-zone shorter-lifetime {
- type primary;
- file "shorter-lifetime.db";
- dnssec-policy @_policy@;
-};
-
-{% set _policy = "unlimited-lifetime" if not csk_roll else "short-lifetime" %}
-zone limit-lifetime {
- type primary;
- file "limit-lifetime.db";
- dnssec-policy @_policy@;
-};
-
-{% set _policy = "short-lifetime" if not csk_roll else "unlimited-lifetime" %}
-zone unlimit-lifetime {
- type primary;
- file "unlimit-lifetime.db";
- dnssec-policy @_policy@;
-};
-
{% set _policy = "default" if not csk_roll else "none" %}
zone "step1.going-straight-to-none.kasp" {
type primary;
O="OMNIPRESENT"
U="UNRETENTIVE"
-for zn in shorter-lifetime longer-lifetime limit-lifetime \
- unlimit-lifetime; do
- setup $zn
- cp template.db.in $zonefile
-done
-
# These zones are going straight to "none" policy. This is undefined behavior.
T="now-10d"
S="now-12955mi"
start_time = KeyTimingMetadata.now()
- # Test key lifetime changes.
- isctest.log.info("check key lifetime changes are updated correctly")
- lifetime = {
- "P1Y": int(timedelta(days=365).total_seconds()),
- "P6M": int(timedelta(days=31 * 6).total_seconds()),
- "P60D": int(timedelta(days=60).total_seconds()),
- }
- lifetime_update_tests = [
- {
- "zone": "shorter-lifetime",
- "policy": "long-lifetime",
- "lifetime": lifetime["P1Y"],
- },
- {
- "zone": "longer-lifetime",
- "policy": "short-lifetime",
- "lifetime": lifetime["P6M"],
- },
- {
- "zone": "limit-lifetime",
- "policy": "unlimited-lifetime",
- "lifetime": 0,
- },
- {
- "zone": "unlimit-lifetime",
- "policy": "short-lifetime",
- "lifetime": lifetime["P6M"],
- },
- ]
- for lut in lifetime_update_tests:
- step = {
- "zone": lut["zone"],
- "cdss": cdss,
- "config": default_config,
- "policy": lut["policy"],
- "keyprops": [
- f"csk {lut['lifetime']} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
- ],
- "nextev": None,
- }
- steps.append(step)
-
# Test going straight to none.
isctest.log.info("check going straight to none")
zones = [
now = KeyTimingMetadata.now()
time_passed = now.value - start_time.value
- # Test key lifetime changes (after reconfig).
- lifetime_update_tests = [
- {
- "zone": "shorter-lifetime",
- "policy": "short-lifetime",
- "lifetime": lifetime["P6M"],
- },
- {
- "zone": "longer-lifetime",
- "policy": "long-lifetime",
- "lifetime": lifetime["P1Y"],
- },
- {
- "zone": "limit-lifetime",
- "policy": "short-lifetime",
- "lifetime": lifetime["P6M"],
- },
- {
- "zone": "unlimit-lifetime",
- "policy": "unlimited-lifetime",
- "lifetime": 0,
- },
- ]
- for lut in lifetime_update_tests:
- step = {
- "zone": lut["zone"],
- "cdss": cdss,
- "config": default_config,
- "policy": lut["policy"],
- "keyprops": [
- f"csk {lut['lifetime']} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
- ],
- "nextev": None,
- }
- steps.append(step)
-
# Test going straight to none.
isctest.log.info("check going straight to none (after reconfig)")
zones = [