-../../rollover/ns3/template.db.in
\ No newline at end of file
+template.db.in
\ No newline at end of file
-../../rollover/ns3/template.db.in
\ No newline at end of file
+template.db.in
\ No newline at end of file
-../../rollover/ns3/template.db.in
\ No newline at end of file
+template.db.in
\ No newline at end of file
--- /dev/null
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; SPDX-License-Identifier: MPL-2.0
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, you can obtain one at https://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@ IN SOA mname1. . (
+ 1 ; serial
+ 20 ; refresh (20 seconds)
+ 20 ; retry (20 seconds)
+ 1814400 ; expire (3 weeks)
+ 3600 ; minimum (1 hour)
+ )
+
+ NS ns3
+ns3 A 10.53.0.3
+
+a A 10.0.0.1
+b A 10.0.0.2
+c A 10.0.0.3
+
-../../rollover/ns3/template.db.in
\ No newline at end of file
+template.db.in
\ No newline at end of file
--- /dev/null
+../../rollover/ns3/template.db.j2.manual
\ No newline at end of file
+++ /dev/null
-#!/bin/sh -e
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-# shellcheck source=conf.sh
-. ../conf.sh
-
-cd "ns3"
-
-setup() {
- zone="$1"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- infile="${zone}.db.infile"
- echo "$zone" >>zones
-}
-
-# Set in the key state files the Predecessor/Successor fields.
-# Key $1 is the predecessor of key $2.
-key_successor() {
- id1=$(keyfile_to_key_id "$1")
- id2=$(keyfile_to_key_id "$2")
- echo "Predecessor: ${id1}" >>"${2}.state"
- echo "Successor: ${id2}" >>"${1}.state"
-}
-
-# Make lines shorter by storing key states in environment variables.
-H="HIDDEN"
-R="RUMOURED"
-O="OMNIPRESENT"
-U="UNRETENTIVE"
-
-# Multi-signer zones.
-setup "multisigner-model2.kasp"
-cp template.db.in "$zonefile"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 -M 32768:65535 $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -M 32768:65535 $zone 2>keygen.out.$zone.2)
-cat "${KSK}.key" | grep -v ";.*" >>"${zone}.db"
-cat "${ZSK}.key" | grep -v ";.*" >>"${zone}.db"
-# Import a ZSK of another provider into the DNSKEY RRset.
-ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 -M 0:32767 $zone 2>keygen.out.$zone.3)
-cat "../${ZSK1}.key" | grep -v ";.*" >>"${zone}.db"
-
-# We are changing an existing single-signed zone to multi-signed
-# zone where the key tags do not match the dnssec-policy key tag range
-setup single-to-multisigner.kasp
-T="now-7d"
-S="now-8635mi" # T - 1d5m
-keytimes="-P $T -A $T"
-cdstimes="-P sync $S"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -M 0:32767 -L 3600 -f KSK $keytimes $cdstimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -M 0:32767 -L 3600 $keytimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
-$SIGNER -PS -z -x -s now-2w -e now-1mi -o $zone -f "${zonefile}" $infile >signer.out.$zone.1 2>&1
-echo "Lifetime: 0" >>"${KSK}".state
-echo "Lifetime: 0" >>"${ZSK}".state
alg,
size,
)
+from rollover.setup import CmdHelper, fake_lifetime, render_and_sign_zone
+
+
+def bootstrap():
+ templates = isctest.template.TemplateEngine(".")
+
+ # Multi-signer zones.
+ keygen = CmdHelper("KEYGEN", "-a ECDSA256 -L 3600")
+ settime = CmdHelper("SETTIME", "-s")
+
+ # Model 2.
+ zonename = "multisigner-model2.kasp"
+ isctest.log.info(f"setup {zonename}")
+ # Key generation.
+ ksk_name = keygen(f"-M 32768:65535 -f KSK {zonename}", cwd="ns3").strip()
+ zsk_name = keygen(f"-M 32768:65535 {zonename}", cwd="ns3").strip()
+ # Signing.
+ dnskeys = []
+ for key_name in [ksk_name, zsk_name]:
+ key = isctest.kasp.Key(key_name, keydir="ns3")
+ dnskeys.append(key.dnskey)
+ # Import a ZSK of another provider into the DNSKEY RRset.
+ zsk_extra = keygen(f"-M 0:32767 {zonename}").strip()
+ key = isctest.kasp.Key(zsk_extra)
+ dnskeys.append(key.dnskey)
+ # Render zone file.
+ outfile = f"{zonename}.db"
+ templates = isctest.template.TemplateEngine(".")
+ template = "template.db.j2.manual"
+ tdata = {
+ "fqdn": f"{zonename}.",
+ "dnskeys": dnskeys,
+ "privaterrs": [],
+ }
+ templates.render(f"ns3/{outfile}", tdata, template=f"ns3/{template}")
+
+ # We are changing an existing single-signed zone to multi-signed
+ # zone where the key tags do not match the dnssec-policy key tag range
+ zonename = "single-to-multisigner.kasp"
+ isctest.log.info(f"setup {zonename}")
+ # Timing metadata.
+ TpubN = "now-7d"
+ TsbmN = "now-8635mi" # T - 1d5m
+ keytimes = f"-P {TpubN} -A {TpubN}"
+ cdstimes = f"-P sync {TsbmN}"
+ # Key generation.
+ ksk_name = keygen(
+ f"-M 0:32767 -f KSK {keytimes} {cdstimes} {zonename}", cwd="ns3"
+ ).strip()
+ zsk_name = keygen(f"-M 0:32767 {keytimes} {zonename}", cwd="ns3").strip()
+ settime(
+ f"-g OMNIPRESENT -d OMNIPRESENT {TpubN} -k OMNIPRESENT {TpubN} -r OMNIPRESENT {TpubN} {ksk_name}",
+ cwd="ns3",
+ )
+ settime(
+ f"-g OMNIPRESENT -k OMNIPRESENT {TpubN} -z OMNIPRESENT {TpubN} {zsk_name}",
+ cwd="ns3",
+ )
+ # Signing.
+ fake_lifetime(ksk_name, 0)
+ fake_lifetime(zsk_name, 0)
+ render_and_sign_zone(zonename, [ksk_name, zsk_name])
+
+ return {}
def test_rollover_multisigner(ns3, alg, size):
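Review bot: `templates = isctest.template.TemplateEngine(".")` is assigned twice in bootstrap(), once at the top of the function and again immediately before the render call, with nothing using it in between; the first assignment is dead and one of the two should be dropped. The key generation also fixes the algorithm with `CmdHelper("KEYGEN", "-a ECDSA256 -L 3600")` where the shell setup this replaces used `$DEFAULT_ALGORITHM`, so if the suite is meant to be run under an alternative default algorithm this zone would no longer follow it; if that is intentional, a one-line comment saying so would stop the next reader from "fixing" it. The extra-provider ZSK is generated without `cwd="ns3"` and loaded without `keydir`, which mirrors the old `-K ../`, but the intent is no longer visible; a comment such as `# Generated outside ns3 on purpose: presumably so the key is not in ns3's key directory` (hedged until confirmed) would help. The local names `TpubN` and `TsbmN` are capitalised unlike every other local in the function; `t_pub_n` / `t_sbm_n` would match the file's style.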