Make cds-digest-type plural

Allow for configuring multiple CDS records with different digest
types (currently only SHA-256 and SHA-384 are allowed).

diff --git a/bin/named/config.c b/bin/named/config.c
index 7e6391b1b714fb1bce41f261037fadd732ff1315..9c1469abc6c55939fc8d747f841a1cff84273122 100644 (file)
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -294,7 +294,7 @@ dnssec-policy \"default\" {\n\
                csk key-directory lifetime unlimited algorithm 13;\n\
        };\n\
 \n\
-       cds-digest-type 2;\n\
+       cds-digest-types { 2; };\n\
        dnskey-ttl " DNS_KASP_KEY_TTL ";\n\
        publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
        retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\

diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 0a1b13ee402ab8f583bc98acd9f6fecc2eef5fe3..5ba6183599c14da4361551a4adde31f25c10aa17 100644 (file)
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1198,7 +1198,13 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
        if (ztype != dns_zone_stub && ztype != dns_zone_staticstub &&
            ztype != dns_zone_redirect)
        {
+               /* Make a reference to the default policy. */
+               result = dns_kasplist_find(kasplist, "default", &kasp);
+               INSIST(result == ISC_R_SUCCESS && kasp != NULL);
+               dns_zone_setdefaultkasp(zone, kasp);
+
                obj = NULL;
+               kasp = NULL;
                result = named_config_get(maps, "dnssec-policy", &obj);
                if (result == ISC_R_SUCCESS) {
                        kaspname = cfg_obj_asstring(obj);

diff --git a/bin/tests/system/checkconf/bad-kasp-digest-type.conf b/bin/tests/system/checkconf/bad-kasp-digest-type.conf
index d5a160e2f0e786caa7d7b674fde017c97304411e..f1bd4d3029f403424939243a9596d31ff97d3c28 100644 (file)
--- a/bin/tests/system/checkconf/bad-kasp-digest-type.conf
+++ b/bin/tests/system/checkconf/bad-kasp-digest-type.conf
@@ -12,7 +12,7 @@
  */
 
 dnssec-policy "bad-digesttype" {
-       cds-digest-type foobar;
+       cds-digest-types { foobar; 2; };
 };
 
 zone "example.net" {

diff --git a/bin/tests/system/checkconf/bad-kasp-digest-unsupported.conf b/bin/tests/system/checkconf/bad-kasp-digest-unsupported.conf
index e263a0031976788332e4a8309e1e4023a42c1cb5..bdb8c37a9d990762d693e66867d5ed01996799af 100644 (file)
--- a/bin/tests/system/checkconf/bad-kasp-digest-unsupported.conf
+++ b/bin/tests/system/checkconf/bad-kasp-digest-unsupported.conf
@@ -12,7 +12,7 @@
  */
 
 dnssec-policy "bad-digesttype" {
-       cds-digest-type GOST;
+       cds-digest-types { GOST; 2; };
 };
 
 zone "example.net" {

diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf
index 9e19e26cf5e609bd8707cd4ff88ee1bea21f2654..67f3d5d869c0a48c97b2abf2ef19e108e49ccc89 100644 (file)
--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
@@ -17,7 +17,9 @@
 
 /* cut here */
 dnssec-policy "test" {
-       cds-digest-type "sha-256";
+       cds-digest-types {
+               "sha-256";
+       };
        dnskey-ttl 3600;
        keys {
                ksk key-directory lifetime P1Y algorithm ecdsa256;

diff --git a/bin/tests/system/checkconf/good.conf.in b/bin/tests/system/checkconf/good.conf.in
index 374d111cb81d2a2f610fe9039c55d5691c10aded..a510bef0b253c2f10fcf37a245256894e1fce028 100644 (file)
--- a/bin/tests/system/checkconf/good.conf.in
+++ b/bin/tests/system/checkconf/good.conf.in
@@ -17,7 +17,9 @@
 
 /* cut here */
 dnssec-policy "test" {
-       cds-digest-type "sha-256";
+       cds-digest-types {
+               "sha-256";
+       };
        dnskey-ttl 3600;
        keys {
                ksk key-directory lifetime P1Y algorithm 13 256;

diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh
index ebe06aa8c5ace3fcb8da1c5d13881c2328fa5cf9..10511506cec9cc6175404757e9645c596118db6c 100644 (file)
--- a/bin/tests/system/kasp.sh
+++ b/bin/tests/system/kasp.sh
@@ -209,14 +209,14 @@ set_dynamic() {
        DYNAMIC="yes"
 }
 
-# Set policy settings (name $1, number of keys $2, dnskey ttl $3),
-# and digest type ($4) for testing keys.
+# Set policy settings (name $1, number of keys $2, dnskey ttl $3).
 set_policy() {
        POLICY=$1
        NUM_KEYS=$2
        DNSKEY_TTL=$3
-       DIGEST_TYPE=$4
        CDS_DELETE="no"
+       CDS_SHA256="yes"
+       CDS_SHA384="no"
 }
 # By default policies are considered to be secure.
 # If a zone sets its policy to "insecure", call 'set_cdsdelete' to tell the
@@ -941,18 +941,18 @@ check_signatures() {
        retry_quiet 3 _check_signatures $1 $2 $3 || _log_error "RRset $1 in zone $ZONE incorrectly signed"
 }
 
-response_has_cds_for_key() (
+response_has_cds_for_key() {
        awk -v zone="${ZONE%%.}." \
            -v ttl="${DNSKEY_TTL}" \
            -v qtype="CDS" \
-           -v keyid="$(key_get "${1}" ID)" \
-           -v keyalg="$(key_get "${1}" ALG_NUM)" \
-           -v hashalg="${DIGEST_TYPE}" \
+           -v keyid="$(key_get "${2}" ID)" \
+           -v keyalg="$(key_get "${2}" ALG_NUM)" \
+           -v hashalg="$1" \
            'BEGIN { ret=1; }
             $1 == zone && $2 == ttl && $4 == qtype && $5 == keyid && $6 == keyalg && $7 == hashalg { ret=0; exit; }
             END { exit ret; }' \
-           "$2"
-)
+           "$3"
+}
 
 response_has_cdnskey_for_key() (
 
@@ -967,6 +967,25 @@ response_has_cdnskey_for_key() (
            "$2"
 )
 
+check_cds_digests() {
+       if [ "$CDS_SHA256" = "yes" ]; then
+               response_has_cds_for_key 2 $1 $2 || _log_error "missing CDS 2 record in response for key $(key_get $1 ID)"
+       else
+               response_has_cds_for_key 2 $1 $2 && _log_error "unexpected CDS 2 record in response for key $(key_get $1 ID)"
+       fi
+
+       if [ "$CDS_SHA384" = "yes" ]; then
+               response_has_cds_for_key 4 $1 $2 || _log_error "missing CDS 4 record in response for key $(key_get $1 ID)"
+       else
+               response_has_cds_for_key 4 $1 $2 && _log_error "unexpected CDS 4 record in response for key $(key_get $1 ID)"
+       fi
+}
+
+check_cds_digests_invert() {
+       response_has_cds_for_key 2 $1 $2 && _log_error "unexpected CDS 2 record in response for key $(key_get $1 ID)"
+       response_has_cds_for_key 4 $1 $2 && _log_error "unexpected CDS 4 record in response for key $(key_get $1 ID)"
+}
+
 # Test CDS and CDNSKEY publication.
 check_cds() {
 
@@ -992,11 +1011,11 @@ check_cds() {
        fi
 
        if [ "$(key_get KEY1 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DS)" = "omnipresent" ]; then
-               response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY1 ID)"
+               check_cds_digests KEY1 "dig.out.$DIR.test$n.cds"
                response_has_cdnskey_for_key KEY1 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY1 ID)"
                _checksig=1
        elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
-               response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY1 ID)"
+               check_cds_digests_invert KEY1 "dig.out.$DIR.test$n.cds"
                # KEY1 should not have an associated CDNSKEY, but there may be
                # one for another key.  Since the CDNSKEY has no field for key
                # id, it is hard to check what key the CDNSKEY may belong to
@@ -1004,11 +1023,11 @@ check_cds() {
        fi
 
        if [ "$(key_get KEY2 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DS)" = "omnipresent" ]; then
-               response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY2 ID)"
+               check_cds_digests KEY2 "dig.out.$DIR.test$n.cds"
                response_has_cdnskey_for_key KEY2 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY2 ID)"
                _checksig=1
        elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
-               response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY2 ID)"
+               check_cds_digests_invert KEY2 "dig.out.$DIR.test$n.cds"
                # KEY2 should not have an associated CDNSKEY, but there may be
                # one for another key.  Since the CDNSKEY has no field for key
                # id, it is hard to check what key the CDNSKEY may belong to
@@ -1016,11 +1035,11 @@ check_cds() {
        fi
 
        if [ "$(key_get KEY3 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DS)" = "omnipresent" ]; then
-               response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY3 ID)"
+               check_cds_digests KEY3 "dig.out.$DIR.test$n.cds"
                response_has_cdnskey_for_key KEY3 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY3 ID)"
                _checksig=1
        elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
-               response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY3 ID)"
+               check_cds_digests_invert KEY3 "dig.out.$DIR.test$n.cds"
                # KEY3 should not have an associated CDNSKEY, but there may be
                # one for another key.  Since the CDNSKEY has no field for key
                # id, it is hard to check what key the CDNSKEY may belong to
@@ -1028,11 +1047,11 @@ check_cds() {
        fi
 
        if [ "$(key_get KEY4 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DS)" = "omnipresent" ]; then
-               response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY4 ID)"
+               check_cds_digests KEY4 "dig.out.$DIR.test$n.cds"
                response_has_cdnskey_for_key KEY4 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY4 ID)"
                _checksig=1
        elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
-               response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY4 ID)"
+               check_cds_digests_invert KEY4 "dig.out.$DIR.test$n.cds"
                # KEY4 should not have an associated CDNSKEY, but there may be
                # one for another key.  Since the CDNSKEY has no field for key
                # id, it is hard to check what key the CDNSKEY may belong to
@@ -1174,7 +1193,12 @@ check_cdslog() {
        echo_i "check CDS/CDNSKEY publication is logged in ${_dir}/named.run for key ${_zone}/${_alg}/${_id} ($n)"
        ret=0
 
-       grep "CDS for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+       if [ "$CDS_SHA256" = "yes" ]; then
+               grep "CDS (SHA-256) for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+       fi
+       if [ "$CDS_SHA384" = "yes" ]; then
+               grep "CDS (SHA-384) for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+       fi
        grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
 
        test "$ret" -eq 0 || echo_i "failed"

diff --git a/bin/tests/system/kasp/ns3/policies/autosign.conf.in b/bin/tests/system/kasp/ns3/policies/autosign.conf.in
index e90e88941a7e5c6a53a608dd6cc8e8ecc82b5d4d..d50fcd0bd7e37f8c7b077221752e5811e8673c21 100644 (file)
--- a/bin/tests/system/kasp/ns3/policies/autosign.conf.in
+++ b/bin/tests/system/kasp/ns3/policies/autosign.conf.in
@@ -99,6 +99,7 @@ dnssec-policy "csk-roll" {
        retire-safety 2h;
        purge-keys PT1H;
 
+       cds-digest-types { "sha-384"; }; // use a different digest type for testing purposes
        keys {
                csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
        };
@@ -121,7 +122,7 @@ dnssec-policy "csk-roll2" {
        retire-safety 1h;
        purge-keys 0;
 
-       cds-digest-type "sha-384"; // use a different digest type for testing purposes
+       cds-digest-types { "sha-256"; "sha-384"; }; // use two digest type for testing purposes
        keys {
                csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
        };

diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index c0111203c70dbdf7b72c63b6d417459461878d09..c4554185fcca110996b1504b4af5deb03176c9ff 100644 (file)
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -888,7 +888,7 @@ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > s
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 2:
 # It is time to introduce the new CSK.
@@ -916,7 +916,7 @@ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > s
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 3:
 # It is time to submit the DS and to roll signatures.
@@ -971,7 +971,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 4:
 # Some time later all the ZRRSIG records should be from the new CSK, and the
@@ -1018,7 +1018,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 5:
 # After the DS is swapped in step 4, also the KRRSIG records can be removed.
@@ -1054,7 +1054,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 6:
 # After the retire interval has passed the predecessor DNSKEY can be
@@ -1098,7 +1098,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 7:
 # Some time later the predecessor DNSKEY enters the HIDDEN state.
@@ -1133,7 +1133,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 8:
 # The predecessor DNSKEY can be purged.
@@ -1168,7 +1168,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 #
 # The zones at csk-roll2.autosign represent the various steps of a CSK rollover
@@ -1187,7 +1187,7 @@ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > s
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 2:
 # It is time to introduce the new CSK.
@@ -1215,7 +1215,7 @@ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > s
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 3:
 # It is time to submit the DS and to roll signatures.
@@ -1270,7 +1270,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 4:
 # Some time later all the ZRRSIG records should be from the new CSK, and the
@@ -1318,7 +1318,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 5:
 # Some time later the DS can be swapped and the old DNSKEY can be removed from
@@ -1355,7 +1355,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 6:
 # Some time later the predecessor DNSKEY enters the HIDDEN state.
@@ -1391,7 +1391,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 
 # Step 7:
 # The predecessor DNSKEY can be purged, but purge-keys is disabled.
@@ -1426,4 +1426,4 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1

diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index bb8620bdaebc5e8fa1248912d3957755c654ff1b..962277fa063cd28a632490a045020925aae8c6f7 100644 (file)
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -56,7 +56,7 @@ next_key_event_threshold=100
 # dnssec-keygen
 #
 set_zone "kasp"
-set_policy "kasp" "4" "200" "2"
+set_policy "kasp" "4" "200"
 set_server "keys" "10.53.0.1"
 
 n=$((n+1))
@@ -122,7 +122,7 @@ n=$((n+1))
 echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
 ret=0
 set_zone "kasp"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "." "10.53.0.1"
 # Key properties.
 set_keyrole      "KEY1" "csk"
@@ -277,7 +277,7 @@ set_keytimes_csk_policy() {
 
 # Check the zone with default kasp policy has loaded and is signed.
 set_zone "default.kasp"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyrole      "KEY1" "csk"
@@ -398,7 +398,7 @@ dnssec_verify
 #
 set_zone "dynamic.kasp"
 set_dynamic
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 check_keys
@@ -461,7 +461,7 @@ status=$((status+ret))
 #
 set_zone "dynamic-inline-signing.kasp"
 set_dynamic
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 check_keys
@@ -489,7 +489,7 @@ status=$((status+ret))
 # Zone: inline-signing.kasp
 #
 set_zone "inline-signing.kasp"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 check_keys
@@ -509,7 +509,7 @@ key_clear "KEY3"
 key_clear "KEY4"
 
 set_zone "checkds-ksk.kasp"
-set_policy "checkds-ksk" "2" "303" "2"
+set_policy "checkds-ksk" "2" "303"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyrole      "KEY1" "ksk"
@@ -579,7 +579,7 @@ key_clear "KEY3"
 key_clear "KEY4"
 
 set_zone "checkds-doubleksk.kasp"
-set_policy "checkds-doubleksk" "3" "303" "2"
+set_policy "checkds-doubleksk" "3" "303"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyrole      "KEY1" "ksk"
@@ -680,7 +680,7 @@ key_clear "KEY3"
 key_clear "KEY4"
 
 set_zone "checkds-csk.kasp"
-set_policy "checkds-csk" "1" "303" "2"
+set_policy "checkds-csk" "1" "303"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyrole      "KEY1" "csk"
@@ -796,7 +796,7 @@ set_keytimes_algorithm_policy() {
 if $SHELL ../testcrypto.sh -q RSASHA1
 then
        set_zone "rsasha1.kasp"
-       set_policy "rsasha1" "3" "1234" "2"
+       set_policy "rsasha1" "3" "1234"
        set_server "ns3" "10.53.0.3"
        # Key properties.
        key_clear        "KEY1"
@@ -850,7 +850,7 @@ fi
 # Zone: unsigned.kasp.
 #
 set_zone "unsigned.kasp"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns3" "10.53.0.3"
 
 key_clear "KEY1"
@@ -874,7 +874,7 @@ status=$((status+ret))
 # Zone: insecure.kasp.
 #
 set_zone "insecure.kasp"
-set_policy "insecure" "0" "0" "0"
+set_policy "insecure" "0" "0"
 set_server "ns3" "10.53.0.3"
 
 key_clear "KEY1"
@@ -891,7 +891,7 @@ check_subdomain
 # Zone: unlimited.kasp.
 #
 set_zone "unlimited.kasp"
-set_policy "unlimited" "1" "1234" "2"
+set_policy "unlimited" "1" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyrole      "KEY1" "csk"
@@ -918,7 +918,7 @@ dnssec_verify
 # Zone: inherit.kasp.
 #
 set_zone "inherit.kasp"
-set_policy "rsasha256" "3" "1234" "2"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 
 # Key properties.
@@ -971,7 +971,7 @@ dnssec_verify
 # Zone: dnssec-keygen.kasp.
 #
 set_zone "dnssec-keygen.kasp"
-set_policy "rsasha256" "3" "1234" "2"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 
@@ -987,7 +987,7 @@ dnssec_verify
 # Zone: some-keys.kasp.
 #
 set_zone "some-keys.kasp"
-set_policy "rsasha256" "3" "1234" "2"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 
@@ -1005,7 +1005,7 @@ dnssec_verify
 # There are more pregenerated keys than needed, hence the number of keys is
 # six, not three.
 set_zone "pregenerated.kasp"
-set_policy "rsasha256" "6" "1234" "2"
+set_policy "rsasha256" "6" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 
@@ -1022,7 +1022,7 @@ dnssec_verify
 #
 # There are three keys in rumoured state.
 set_zone "rumoured.kasp"
-set_policy "rsasha256" "3" "1234" "2"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 
@@ -1048,7 +1048,7 @@ dnssec_verify
 # Zone: secondary.kasp.
 #
 set_zone "secondary.kasp"
-set_policy "rsasha256" "3" "1234" "2"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 
@@ -1095,7 +1095,7 @@ status=$((status+ret))
 if $SHELL ../testcrypto.sh -q RSASHA1
 then
        set_zone "rsasha1-nsec3.kasp"
-       set_policy "rsasha1-nsec3" "3" "1234" "2"
+       set_policy "rsasha1-nsec3" "3" "1234"
        set_server "ns3" "10.53.0.3"
        # Key properties.
        set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
@@ -1116,7 +1116,7 @@ fi
 # Zone: rsasha256.kasp.
 #
 set_zone "rsasha256.kasp"
-set_policy "rsasha256" "3" "1234" "2"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
@@ -1136,7 +1136,7 @@ dnssec_verify
 # Zone: rsasha512.kasp.
 #
 set_zone "rsasha512.kasp"
-set_policy "rsasha512" "3" "1234" "2"
+set_policy "rsasha512" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyalgorithm "KEY1" "10" "RSASHA512" "2048"
@@ -1156,7 +1156,7 @@ dnssec_verify
 # Zone: ecdsa256.kasp.
 #
 set_zone "ecdsa256.kasp"
-set_policy "ecdsa256" "3" "1234" "2"
+set_policy "ecdsa256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
@@ -1176,7 +1176,7 @@ dnssec_verify
 # Zone: ecdsa512.kasp.
 #
 set_zone "ecdsa384.kasp"
-set_policy "ecdsa384" "3" "1234" "2"
+set_policy "ecdsa384" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
@@ -1197,7 +1197,7 @@ dnssec_verify
 #
 if [ -f ed25519-supported.file ]; then
        set_zone "ed25519.kasp"
-       set_policy "ed25519" "3" "1234" "2"
+       set_policy "ed25519" "3" "1234"
        set_server "ns3" "10.53.0.3"
        # Key properties.
        set_keyalgorithm "KEY1" "15" "ED25519" "256"
@@ -1219,7 +1219,7 @@ fi
 #
 if [ -f ed448-supported.file ]; then
        set_zone "ed448.kasp"
-       set_policy "ed448" "3" "1234" "2"
+       set_policy "ed448" "3" "1234"
        set_server "ns3" "10.53.0.3"
        # Key properties.
        set_keyalgorithm "KEY1" "16" "ED448" "456"
@@ -1273,7 +1273,7 @@ set_keytimes_autosign_policy() {
 # Zone: expired-sigs.autosign.
 #
 set_zone "expired-sigs.autosign"
-set_policy "autosign" "2" "300" "2"
+set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear        "KEY1"
@@ -1357,7 +1357,7 @@ check_rrsig_refresh
 # Zone: fresh-sigs.autosign.
 #
 set_zone "fresh-sigs.autosign"
-set_policy "autosign" "2" "300" "2"
+set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 
@@ -1418,7 +1418,7 @@ check_rrsig_reuse
 # Zone: unfresh-sigs.autosign.
 #
 set_zone "unfresh-sigs.autosign"
-set_policy "autosign" "2" "300" "2"
+set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 
@@ -1435,7 +1435,7 @@ check_rrsig_refresh
 # Zone: ksk-missing.autosign.
 #
 set_zone "ksk-missing.autosign"
-set_policy "autosign" "2" "300" "2"
+set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 # Skip checking the private file, because it is missing.
@@ -1454,7 +1454,7 @@ key_set "KEY1" "PRIVATE" "yes"
 # Zone: zsk-missing.autosign.
 #
 set_zone "zsk-missing.autosign"
-set_policy "autosign" "2" "300" "2"
+set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 # Skip checking the private file, because it is missing.
@@ -1481,7 +1481,7 @@ key_set "KEY2" "PRIVATE" "yes"
 # Zone: zsk-retired.autosign.
 #
 set_zone "zsk-retired.autosign"
-set_policy "autosign" "3" "300" "2"
+set_policy "autosign" "3" "300"
 set_server "ns3" "10.53.0.3"
 # The third key is not yet expected to be signing.
 set_keyrole      "KEY3" "zsk"
@@ -1537,7 +1537,7 @@ check_rrsig_refresh
 set_zone "legacy-keys.kasp"
 # This zone has two active keys and two old keys left in key directory, so
 # expect 4 key files.
-set_policy "migrate-to-dnssec-policy" "4" "1234" "2"
+set_policy "migrate-to-dnssec-policy" "4" "1234"
 set_server "ns3" "10.53.0.3"
 
 # Key properties.
@@ -1648,7 +1648,7 @@ key_clear "KEY3"
 key_clear "KEY4"
 
 set_zone "unsigned.tld"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns2" "10.53.0.2"
 TSIG=""
 check_keys
@@ -1657,7 +1657,7 @@ check_apex
 check_subdomain
 
 set_zone "none.inherit.signed"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha1:sha1:$SHA1"
 check_keys
@@ -1666,7 +1666,7 @@ check_apex
 check_subdomain
 
 set_zone "none.override.signed"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha224:sha224:$SHA224"
 check_keys
@@ -1675,7 +1675,7 @@ check_apex
 check_subdomain
 
 set_zone "inherit.none.signed"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha256:sha256:$SHA256"
 check_keys
@@ -1684,7 +1684,7 @@ check_apex
 check_subdomain
 
 set_zone "none.none.signed"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha256:sha256:$SHA256"
 check_keys
@@ -1693,7 +1693,7 @@ check_apex
 check_subdomain
 
 set_zone "inherit.inherit.unsigned"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha1:sha1:$SHA1"
 check_keys
@@ -1702,7 +1702,7 @@ check_apex
 check_subdomain
 
 set_zone "none.inherit.unsigned"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha1:sha1:$SHA1"
 check_keys
@@ -1711,7 +1711,7 @@ check_apex
 check_subdomain
 
 set_zone "none.override.unsigned"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha224:sha224:$SHA224"
 check_keys
@@ -1720,7 +1720,7 @@ check_apex
 check_subdomain
 
 set_zone "inherit.none.unsigned"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha256:sha256:$SHA256"
 check_keys
@@ -1729,7 +1729,7 @@ check_apex
 check_subdomain
 
 set_zone "none.none.unsigned"
-set_policy "none" "0" "0" "0"
+set_policy "none" "0" "0"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha256:sha256:$SHA256"
 check_keys
@@ -1756,7 +1756,7 @@ set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
 set_keystate "KEY1" "STATE_DS"     "hidden"
 
 set_zone "signed.tld"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns2" "10.53.0.2"
 TSIG=""
 check_keys
@@ -1768,7 +1768,7 @@ check_subdomain
 dnssec_verify
 
 set_zone "override.inherit.signed"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha1:sha1:$SHA1"
 check_keys
@@ -1780,7 +1780,7 @@ check_subdomain
 dnssec_verify
 
 set_zone "inherit.override.signed"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha224:sha224:$SHA224"
 check_keys
@@ -1792,7 +1792,7 @@ check_subdomain
 dnssec_verify
 
 set_zone "override.inherit.unsigned"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha1:sha1:$SHA1"
 check_keys
@@ -1804,7 +1804,7 @@ check_subdomain
 dnssec_verify
 
 set_zone "inherit.override.unsigned"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha224:sha224:$SHA224"
 check_keys
@@ -1829,7 +1829,7 @@ set_keysigning   "KEY1" "yes"
 set_zonesigning  "KEY1" "yes"
 
 set_zone "inherit.inherit.signed"
-set_policy "test" "1" "3600" "2"
+set_policy "test" "1" "3600"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha1:sha1:$SHA1"
 wait_for_nsec
@@ -1842,7 +1842,7 @@ check_subdomain
 dnssec_verify
 
 set_zone "override.override.signed"
-set_policy "test" "1" "3600" "2"
+set_policy "test" "1" "3600"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha224:sha224:$SHA224"
 wait_for_nsec
@@ -1855,7 +1855,7 @@ check_subdomain
 dnssec_verify
 
 set_zone "override.none.signed"
-set_policy "test" "1" "3600" "2"
+set_policy "test" "1" "3600"
 set_server "ns4" "10.53.0.4"
 TSIG="hmac-sha256:sha256:$SHA256"
 wait_for_nsec
@@ -1868,7 +1868,7 @@ check_subdomain
 dnssec_verify
 
 set_zone "override.override.unsigned"
-set_policy "test" "1" "3600" "2"
+set_policy "test" "1" "3600"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha224:sha224:$SHA224"
 wait_for_nsec
@@ -1881,7 +1881,7 @@ check_subdomain
 dnssec_verify
 
 set_zone "override.none.unsigned"
-set_policy "test" "1" "3600" "2"
+set_policy "test" "1" "3600"
 set_server "ns5" "10.53.0.5"
 TSIG="hmac-sha256:sha256:$SHA256"
 wait_for_nsec
@@ -1980,7 +1980,7 @@ TSIG=""
 # Testing RFC 8901 Multi-Signer Model 2.
 #
 set_zone "multisigner-model2.kasp"
-set_policy "multisigner-model2" "2" "3600" "2"
+set_policy "multisigner-model2" "2" "3600"
 set_server "ns3" "10.53.0.3"
 key_clear "KEY1"
 key_clear "KEY2"
@@ -2042,7 +2042,7 @@ status=$((status+ret))
 # Testing manual rollover.
 #
 set_zone "manual-rollover.kasp"
-set_policy "manual-rollover" "2" "3600" "2"
+set_policy "manual-rollover" "2" "3600"
 set_server "ns3" "10.53.0.3"
 key_clear "KEY1"
 key_clear "KEY2"
@@ -2108,7 +2108,7 @@ check_subdomain
 dnssec_verify
 
 # Schedule KSK rollover now.
-set_policy "manual-rollover" "3" "3600" "2"
+set_policy "manual-rollover" "3" "3600"
 set_keystate "KEY1" "GOAL" "hidden"
 # This key was activated one day ago, so lifetime is set to 1d plus
 # prepublication duration (7500 seconds) = 93900 seconds.
@@ -2135,7 +2135,7 @@ check_subdomain
 dnssec_verify
 
 # Schedule ZSK rollover now.
-set_policy "manual-rollover" "4" "3600" "2"
+set_policy "manual-rollover" "4" "3600"
 set_keystate "KEY2" "GOAL" "hidden"
 # This key was activated one day ago, so lifetime is set to 1d plus
 # prepublication duration (7500 seconds) = 93900 seconds.
@@ -2177,7 +2177,7 @@ status=$((status+ret))
 # Zone: step1.enable-dnssec.autosign.
 #
 set_zone "step1.enable-dnssec.autosign"
-set_policy "enable-dnssec" "1" "300" "2"
+set_policy "enable-dnssec" "1" "300"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear        "KEY1"
@@ -2261,7 +2261,7 @@ check_next_key_event 900
 # Zone: step2.enable-dnssec.autosign.
 #
 set_zone "step2.enable-dnssec.autosign"
-set_policy "enable-dnssec" "1" "300" "2"
+set_policy "enable-dnssec" "1" "300"
 set_server "ns3" "10.53.0.3"
 # The DNSKEY is omnipresent, but the zone signatures not yet.
 # Thus, the DS remains hidden.
@@ -2294,7 +2294,7 @@ check_next_key_event 43800
 # Zone: step3.enable-dnssec.autosign.
 #
 set_zone "step3.enable-dnssec.autosign"
-set_policy "enable-dnssec" "1" "300" "2"
+set_policy "enable-dnssec" "1" "300"
 set_server "ns3" "10.53.0.3"
 # All signatures should be omnipresent, so the DS can be submitted.
 set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
@@ -2331,7 +2331,7 @@ check_next_key_event 12000
 # Zone: step4.enable-dnssec.autosign.
 #
 set_zone "step4.enable-dnssec.autosign"
-set_policy "enable-dnssec" "1" "300" "2"
+set_policy "enable-dnssec" "1" "300"
 set_server "ns3" "10.53.0.3"
 # The DS is omnipresent.
 set_keystate "KEY1" "STATE_DS" "omnipresent"
@@ -2377,7 +2377,7 @@ IretZSK=867600
 # Zone: step1.zsk-prepub.autosign.
 #
 set_zone "step1.zsk-prepub.autosign"
-set_policy "zsk-prepub" "2" "3600" "2"
+set_policy "zsk-prepub" "2" "3600"
 set_server "ns3" "10.53.0.3"
 
 set_retired_removed() {
@@ -2452,7 +2452,7 @@ check_next_key_event 2498400
 # Zone: step2.zsk-prepub.autosign.
 #
 set_zone "step2.zsk-prepub.autosign"
-set_policy "zsk-prepub" "3" "3600" "2"
+set_policy "zsk-prepub" "3" "3600"
 set_server "ns3" "10.53.0.3"
 # New ZSK (KEY3) is prepublished, but not yet signing.
 key_clear        "KEY3"
@@ -2499,7 +2499,7 @@ check_next_key_event 93600
 # Zone: step3.zsk-prepub.autosign.
 #
 set_zone "step3.zsk-prepub.autosign"
-set_policy "zsk-prepub" "3" "3600" "2"
+set_policy "zsk-prepub" "3" "3600"
 set_server "ns3" "10.53.0.3"
 # ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE.
 # New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
@@ -2547,7 +2547,7 @@ check_next_key_event 867600
 # Zone: step4.zsk-prepub.autosign.
 #
 set_zone "step4.zsk-prepub.autosign"
-set_policy "zsk-prepub" "3" "3600" "2"
+set_policy "zsk-prepub" "3" "3600"
 set_server "ns3" "10.53.0.3"
 # ZSK (KEY2) DNSKEY is no longer needed.
 # ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
@@ -2584,7 +2584,7 @@ check_next_key_event 7200
 # Zone: step5.zsk-prepub.autosign.
 #
 set_zone "step5.zsk-prepub.autosign"
-set_policy "zsk-prepub" "3" "3600" "2"
+set_policy "zsk-prepub" "3" "3600"
 set_server "ns3" "10.53.0.3"
 # ZSK (KEY2) DNSKEY is now completely HIDDEN and removed.
 set_keystate "KEY2" "STATE_DNSKEY" "hidden"
@@ -2618,7 +2618,7 @@ check_next_key_event 1627200
 # Zone: step6.zsk-prepub.autosign.
 #
 set_zone "step6.zsk-prepub.autosign"
-set_policy "zsk-prepub" "2" "3600" "2"
+set_policy "zsk-prepub" "2" "3600"
 set_server "ns3" "10.53.0.3"
 # ZSK (KEY2) DNSKEY is purged.
 key_clear "KEY2"
@@ -2650,7 +2650,7 @@ IretZSK=867600
 # Zone: step1.ksk-doubleksk.autosign.
 #
 set_zone "step1.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "2" "7200" "2"
+set_policy "ksk-doubleksk" "2" "7200"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear        "KEY1"
@@ -2699,7 +2699,7 @@ check_next_key_event 5086800
 # Zone: step2.ksk-doubleksk.autosign.
 #
 set_zone "step2.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "3" "7200" "2"
+set_policy "ksk-doubleksk" "3" "7200"
 set_server "ns3" "10.53.0.3"
 # New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
 key_clear        "KEY3"
@@ -2750,7 +2750,7 @@ check_next_key_event 97200
 # Zone: step3.ksk-doubleksk.autosign.
 #
 set_zone "step3.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "3" "7200" "2"
+set_policy "ksk-doubleksk" "3" "7200"
 set_server "ns3" "10.53.0.3"
 
 # The DNSKEY RRset has become omnipresent.
@@ -2800,7 +2800,7 @@ check_next_key_event 180000
 # Zone: step4.ksk-doubleksk.autosign.
 #
 set_zone "step4.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "3" "7200" "2"
+set_policy "ksk-doubleksk" "3" "7200"
 set_server "ns3" "10.53.0.3"
 # KSK (KEY1) DNSKEY can be removed.
 set_keysigning "KEY1" "no"
@@ -2841,7 +2841,7 @@ check_next_key_event 10800
 # Zone: step5.ksk-doubleksk.autosign.
 #
 set_zone "step5.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "3" "7200" "2"
+set_policy "ksk-doubleksk" "3" "7200"
 set_server "ns3" "10.53.0.3"
 # KSK (KEY1) DNSKEY is now HIDDEN.
 set_keystate "KEY1" "STATE_DNSKEY" "hidden"
@@ -2879,7 +2879,7 @@ check_next_key_event 4899600
 # Zone: step6.ksk-doubleksk.autosign.
 #
 set_zone "step6.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "2" "7200" "2"
+set_policy "ksk-doubleksk" "2" "7200"
 set_server "ns3" "10.53.0.3"
 # KSK (KEY1) DNSKEY is purged.
 key_clear "KEY1"
@@ -2920,7 +2920,9 @@ csk_rollover_predecessor_keytimes() {
 # Zone: step1.csk-roll.autosign.
 #
 set_zone "step1.csk-roll.autosign"
-set_policy "csk-roll" "1" "3600" "2"
+set_policy "csk-roll" "1" "3600"
+CDS_SHA256="no"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear        "KEY1"
@@ -2960,7 +2962,9 @@ check_next_key_event 16059600
 # Zone: step2.csk-roll.autosign.
 #
 set_zone "step2.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600" "2"
+set_policy "csk-roll" "2" "3600"
+CDS_SHA256="no"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
 key_clear        "KEY2"
@@ -3009,7 +3013,9 @@ check_next_key_event 10800
 # Zone: step3.csk-roll.autosign.
 #
 set_zone "step3.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600" "2"
+set_policy "csk-roll" "2" "3600"
+CDS_SHA256="no"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # Swap zone signing role.
 set_zonesigning  "KEY1" "no"
@@ -3070,7 +3076,9 @@ check_next_key_event 14400
 # Zone: step4.csk-roll.autosign.
 #
 set_zone "step4.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600" "2"
+set_policy "csk-roll" "2" "3600"
+CDS_SHA256="no"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) is no longer signing the DNSKEY RRset.
 set_keysigning "KEY1" "no"
@@ -3111,7 +3119,9 @@ check_next_key_event 7200
 # Zone: step5.csk-roll.autosign.
 #
 set_zone "step5.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600" "2"
+set_policy "csk-roll" "2" "3600"
+CDS_SHA256="no"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) KRRSIG records are now all hidden.
 set_keystate "KEY1" "STATE_KRRSIG" "hidden"
@@ -3148,7 +3158,9 @@ check_next_key_event 2235600
 # Zone: step6.csk-roll.autosign.
 #
 set_zone "step6.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600" "2"
+set_policy "csk-roll" "2" "3600"
+CDS_SHA256="no"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) ZRRSIG records are now all hidden (so the DNSKEY can
 # be removed).
@@ -3187,7 +3199,9 @@ check_next_key_event 7200
 # Zone: step7.csk-roll.autosign.
 #
 set_zone "step7.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600" "2"
+set_policy "csk-roll" "2" "3600"
+CDS_SHA256="no"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) is now completely HIDDEN.
 set_keystate "KEY1" "STATE_DNSKEY" "hidden"
@@ -3225,7 +3239,9 @@ check_next_key_event 13795200
 # Zone: step8.csk-roll.autosign.
 #
 set_zone "step8.csk-roll.autosign"
-set_policy "csk-roll" "1" "3600" "2"
+set_policy "csk-roll" "1" "3600"
+CDS_SHA256="no"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) is purged.
 key_clear "KEY1"
@@ -3257,7 +3273,8 @@ IretCSK=$IretKSK
 # Zone: step1.csk-roll2.autosign.
 #
 set_zone "step1.csk-roll2.autosign"
-set_policy "csk-roll2" "1" "3600" "4"
+set_policy "csk-roll2" "1" "3600"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear        "KEY1"
@@ -3298,7 +3315,8 @@ check_next_key_event 16059600
 # Zone: step2.csk-roll2.autosign.
 #
 set_zone "step2.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600" "4"
+set_policy "csk-roll2" "2" "3600"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
 key_clear        "KEY2"
@@ -3346,7 +3364,8 @@ check_next_key_event 10800
 # Zone: step3.csk-roll2.autosign.
 #
 set_zone "step3.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600" "4"
+set_policy "csk-roll2" "2" "3600"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # CSK (KEY1) can be removed, so move to UNRETENTIVE.
 set_zonesigning  "KEY1" "no"
@@ -3412,7 +3431,8 @@ check_next_key_event $next_time
 # Zone: step4.csk-roll2.autosign.
 #
 set_zone "step4.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600" "4"
+set_policy "csk-roll2" "2" "3600"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) ZRRSIG is now HIDDEN.
 set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
@@ -3453,7 +3473,8 @@ check_next_key_event 475200
 # Zone: step5.csk-roll2.autosign.
 #
 set_zone "step5.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600" "4"
+set_policy "csk-roll2" "2" "3600"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) DNSKEY can be removed.
 set_keysigning   "KEY1" "no"
@@ -3493,7 +3514,8 @@ check_next_key_event 7200
 # Zone: step6.csk-roll2.autosign.
 #
 set_zone "step6.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600" "4"
+set_policy "csk-roll2" "2" "3600"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) is now completely HIDDEN.
 set_keystate "KEY1" "STATE_DNSKEY" "hidden"
@@ -3530,7 +3552,8 @@ check_next_key_event 15440400
 # Zone: step7.csk-roll2.autosign.
 #
 set_zone "step7.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600" "4"
+set_policy "csk-roll2" "2" "3600"
+CDS_SHA384="yes"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) could have been purged, but purge-keys is disabled.
 
@@ -3545,13 +3568,13 @@ dnssec_verify
 # Test #2375: Scheduled rollovers are happening faster than they can finish
 #
 set_zone "step1.three-is-a-crowd.kasp"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns3" "10.53.0.3"
 # TODO (GL #2471).
 
 # Test dynamic zones that switch to inline-signing.
 set_zone "dynamic2inline.kasp"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns6" "10.53.0.6"
 # Key properties.
 key_clear        "KEY1"
@@ -3589,7 +3612,7 @@ IretZSK=0
 # Zone: step1.algorithm-roll.kasp
 #
 set_zone "step1.algorithm-roll.kasp"
-set_policy "rsasha256" "2" "3600" "2"
+set_policy "rsasha256" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # Key properties.
 key_clear        "KEY1"
@@ -3637,7 +3660,7 @@ check_next_key_event 3600
 # Zone: step1.csk-algorithm-roll.kasp
 #
 set_zone "step1.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "1" "3600" "2"
+set_policy "csk-algoroll" "1" "3600"
 set_server "ns6" "10.53.0.6"
 # Key properties.
 key_clear        "KEY1"
@@ -3681,7 +3704,7 @@ check_next_key_event 3600
 # Zone step1.going-insecure.kasp
 #
 set_zone "step1.going-insecure.kasp"
-set_policy "unsigning" "2" "7200" "2"
+set_policy "unsigning" "2" "7200"
 set_server "ns6" "10.53.0.6"
 
 # Policy parameters.
@@ -3742,7 +3765,7 @@ dnssec_verify
 
 set_zone "step1.going-insecure-dynamic.kasp"
 set_dynamic
-set_policy "unsigning" "2" "7200" "2"
+set_policy "unsigning" "2" "7200"
 set_server "ns6" "10.53.0.6"
 init_migration_insecure
 
@@ -3761,7 +3784,7 @@ dnssec_verify
 # Zone step1.going-straight-to-none.kasp
 #
 set_zone "step1.going-straight-to-none.kasp"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns6" "10.53.0.6"
 # Key properties.
 set_keyrole      "KEY1" "csk"
@@ -3846,7 +3869,7 @@ wait_for_done_signing() {
 
 # Test dynamic zones that switch to inline-signing.
 set_zone "dynamic2inline.kasp"
-set_policy "default" "1" "3600" "2"
+set_policy "default" "1" "3600"
 set_server "ns6" "10.53.0.6"
 # Key properties.
 key_clear        "KEY1"
@@ -3880,7 +3903,7 @@ dnssec_verify
 # Zone: step1.going-insecure.kasp
 #
 set_zone "step1.going-insecure.kasp"
-set_policy "insecure" "2" "7200" "2"
+set_policy "insecure" "2" "7200"
 set_server "ns6" "10.53.0.6"
 # Expect a CDS/CDNSKEY Delete Record.
 set_cdsdelete
@@ -3917,7 +3940,7 @@ check_next_key_event 93600
 # Zone: step2.going-insecure.kasp
 #
 set_zone "step2.going-insecure.kasp"
-set_policy "insecure" "2" "7200" "2"
+set_policy "insecure" "2" "7200"
 set_server "ns6" "10.53.0.6"
 
 # The DS is long enough removed from the zone to be considered HIDDEN.
@@ -3947,7 +3970,7 @@ check_next_key_event 7500
 #
 set_zone "step1.going-insecure-dynamic.kasp"
 set_dynamic
-set_policy "insecure" "2" "7200" "2"
+set_policy "insecure" "2" "7200"
 set_server "ns6" "10.53.0.6"
 # Expect a CDS/CDNSKEY Delete Record.
 set_cdsdelete
@@ -3985,7 +4008,7 @@ check_next_key_event 93600
 #
 set_zone "step2.going-insecure-dynamic.kasp"
 set_dynamic
-set_policy "insecure" "2" "7200" "2"
+set_policy "insecure" "2" "7200"
 set_server "ns6" "10.53.0.6"
 
 # The DS is long enough removed from the zone to be considered HIDDEN.
@@ -4014,7 +4037,7 @@ check_next_key_event 7500
 # Zone: step1.going-straight-to-none.kasp
 #
 set_zone "step1.going-straight-to-none.kasp"
-set_policy "none" "1" "3600" "2"
+set_policy "none" "1" "3600"
 set_server "ns6" "10.53.0.6"
 
 # The zone will go bogus after signatures expire, but remains validly signed for now.
@@ -4055,7 +4078,7 @@ Lzsk=0
 # Zone: step1.algorithm-roll.kasp
 #
 set_zone "step1.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600" "2"
+set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
 # Old RSASHA1 keys.
 key_clear        "KEY1"
@@ -4168,7 +4191,7 @@ check_next_key_event 10800
 # Zone: step2.algorithm-roll.kasp
 #
 set_zone "step2.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600" "2"
+set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
 # The RSAHSHA1 keys are outroducing, but need to stay present until the new
 # algorithm chain of trust has been established. Thus the properties, timings
@@ -4227,7 +4250,7 @@ check_next_key_event $next_time
 # Zone: step3.algorithm-roll.kasp
 #
 set_zone "step3.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600" "2"
+set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
 # The ECDSAP256SHA256 keys are introducing.
 set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
@@ -4285,7 +4308,7 @@ check_next_key_event 18000
 # Zone: step4.algorithm-roll.kasp
 #
 set_zone "step4.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600" "2"
+set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
 # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
 set_keysigning   "KEY1" "no"
@@ -4344,7 +4367,7 @@ check_next_key_event 7200
 # Zone: step5.algorithm-roll.kasp
 #
 set_zone "step5.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600" "2"
+set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
 # The DNSKEY becomes HIDDEN.
 set_keystate "KEY1" "STATE_DNSKEY" "hidden"
@@ -4400,7 +4423,7 @@ check_next_key_event $next_time
 # Zone: step6.algorithm-roll.kasp
 #
 set_zone "step6.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600" "2"
+set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
 # The old zone signatures (KEY2) should now also be HIDDEN.
 set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
@@ -4457,7 +4480,7 @@ Lcksk=0
 # Zone: step1.csk-algorithm-roll.kasp
 #
 set_zone "step1.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600" "2"
+set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # Old RSASHA1 key.
 key_clear       "KEY1"
@@ -4536,7 +4559,7 @@ check_next_key_event 10800
 # Zone: step2.csk-algorithm-roll.kasp
 #
 set_zone "step2.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600" "2"
+set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # The RSAHSHA1 key is outroducing, but need to stay present until the new
 # algorithm chain of trust has been established. Thus the properties, timings
@@ -4586,7 +4609,7 @@ check_next_key_event $next_time
 # Zone: step3.csk-algorithm-roll.kasp
 #
 set_zone "step3.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600" "2"
+set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # The RSAHSHA1 key is outroducing, and it is time to swap the DS.
 # The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures
@@ -4636,7 +4659,7 @@ check_next_key_event 18000
 # Zone: step4.csk-algorithm-roll.kasp
 #
 set_zone "step4.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600" "2"
+set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
 set_keysigning   "KEY1" "no"
@@ -4682,7 +4705,7 @@ check_next_key_event 7200
 # Zone: step5.csk-algorithm-roll.kasp
 #
 set_zone "step5.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600" "2"
+set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # The DNSKEY becomes HIDDEN.
 set_keystate "KEY1" "STATE_DNSKEY" "hidden"
@@ -4727,7 +4750,7 @@ check_next_key_event $next_time
 # Zone: step6.csk-algorithm-roll.kasp
 #
 set_zone "step6.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600" "2"
+set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # The zone signatures should now also be HIDDEN.
 set_keystate "KEY1" "STATE_ZRRSIG" "hidden"

diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh
index 68844f4af8adf6ec4a1382708d743f1849a0d36b..62b58a7d781ce45e4ca4c56d30c6d2fe961193a2 100644 (file)
--- a/bin/tests/system/keymgr2kasp/tests.sh
+++ b/bin/tests/system/keymgr2kasp/tests.sh
@@ -126,7 +126,7 @@ init_migration_states() {
 # Testing a good migration.
 #
 set_zone "migrate.kasp"
-set_policy "none" "2" "7200" "2"
+set_policy "none" "2" "7200"
 set_server "ns3" "10.53.0.3"
 
 init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
@@ -149,7 +149,7 @@ _migrate_zsk=$(key_get KEY2 ID)
 # Testing a good migration (CSK).
 #
 set_zone "csk.kasp"
-set_policy "none" "1" "7200" "2"
+set_policy "none" "1" "7200"
 set_server "ns3" "10.53.0.3"
 
 key_clear        "KEY1"
@@ -192,7 +192,7 @@ _migrate_csk=$(key_get KEY1 ID)
 # Testing a good migration (CSK, no SEP).
 #
 set_zone "csk-nosep.kasp"
-set_policy "none" "1" "7200" "2"
+set_policy "none" "1" "7200"
 set_server "ns3" "10.53.0.3"
 
 key_clear        "KEY1"
@@ -235,7 +235,7 @@ _migrate_csk_nosep=$(key_get KEY1 ID)
 # Testing key states derived from key timing metadata (rumoured).
 #
 set_zone "rumoured.kasp"
-set_policy "none" "2" "300" "2"
+set_policy "none" "2" "300"
 set_server "ns3" "10.53.0.3"
 
 init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
@@ -255,7 +255,7 @@ _rumoured_zsk=$(key_get KEY2 ID)
 # Testing key states derived from key timing metadata (omnipresent).
 #
 set_zone "omnipresent.kasp"
-set_policy "none" "2" "300" "2"
+set_policy "none" "2" "300"
 set_server "ns3" "10.53.0.3"
 
 init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
@@ -275,7 +275,7 @@ _omnipresent_zsk=$(key_get KEY2 ID)
 # Testing migration with unmatched existing keys (different algorithm).
 #
 set_zone "migrate-nomatch-algnum.kasp"
-set_policy "none" "2" "300" "2"
+set_policy "none" "2" "300"
 set_server "ns3" "10.53.0.3"
 
 init_migration_keys "8" "RSASHA256" "2048" "2048"
@@ -312,7 +312,7 @@ _migratenomatch_algnum_zsk=$(key_get KEY2 ID)
 # Testing migration with unmatched existing keys (different length).
 #
 set_zone "migrate-nomatch-alglen.kasp"
-set_policy "none" "2" "300" "2"
+set_policy "none" "2" "300"
 set_server "ns3" "10.53.0.3"
 
 init_migration_keys "8" "RSASHA256" "2048" "2048"
@@ -411,7 +411,7 @@ IretZSK=867900
 # Testing good migration.
 #
 set_zone "migrate.kasp"
-set_policy "migrate" "2" "7200" "2"
+set_policy "migrate" "2" "7200"
 set_server "ns3" "10.53.0.3"
 
 # Key properties, timings and metadata should be the same as legacy keys above.
@@ -462,7 +462,7 @@ status=$((status+ret))
 # Testing a good migration (CSK).
 #
 set_zone "csk.kasp"
-set_policy "default" "1" "7200" "2"
+set_policy "default" "1" "7200"
 set_server "ns3" "10.53.0.3"
 
 key_clear        "KEY1"
@@ -512,7 +512,7 @@ status=$((status+ret))
 # Testing a good migration (CSK, no SEP).
 #
 set_zone "csk-nosep.kasp"
-set_policy "default" "1" "7200" "2"
+set_policy "default" "1" "7200"
 set_server "ns3" "10.53.0.3"
 
 key_clear        "KEY1"
@@ -563,7 +563,7 @@ status=$((status+ret))
 # Test migration to dnssec-policy, existing keys do not match key algorithm.
 #
 set_zone "migrate-nomatch-algnum.kasp"
-set_policy "migrate-nomatch-algnum" "4" "300" "2"
+set_policy "migrate-nomatch-algnum" "4" "300"
 set_server "ns3" "10.53.0.3"
 # The legacy keys need to be retired, but otherwise stay present until the
 # new keys are omnipresent, and can be used to construct a chain of trust.
@@ -678,7 +678,7 @@ status=$((status+ret))
 # Test migration to dnssec-policy, existing keys do not match key length.
 #
 set_zone "migrate-nomatch-alglen.kasp"
-set_policy "migrate-nomatch-alglen" "4" "300" "2"
+set_policy "migrate-nomatch-alglen" "4" "300"
 set_server "ns3" "10.53.0.3"
 
 # The legacy keys need to be retired, but otherwise stay present until the
@@ -811,7 +811,7 @@ IretZSK=651600
 # Testing rumoured state.
 #
 set_zone "rumoured.kasp"
-set_policy "timing-metadata" "2" "300" "2"
+set_policy "timing-metadata" "2" "300"
 set_server "ns3" "10.53.0.3"
 
 # Key properties, timings and metadata should be the same as legacy keys above.
@@ -861,7 +861,7 @@ status=$((status+ret))
 # Testing omnipresent state.
 #
 set_zone "omnipresent.kasp"
-set_policy "timing-metadata" "2" "300" "2"
+set_policy "timing-metadata" "2" "300"
 set_server "ns3" "10.53.0.3"
 
 # Key properties, timings and metadata should be the same as legacy keys above.
@@ -952,7 +952,7 @@ set_keytimes_view_migration() {
 
 # Zone view.rsasha256.kasp (external)
 set_zone "view-rsasha256.kasp"
-set_policy "rsasha256" "2" "300" "2"
+set_policy "rsasha256" "2" "300"
 set_server "ns4" "10.53.0.4"
 init_view_migration
 set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
@@ -982,7 +982,7 @@ _migrate_ext8_zsk=$(key_get KEY2 ID)
 
 # Zone view.rsasha256.kasp (internal)
 set_zone "view-rsasha256.kasp"
-set_policy "rsasha256" "2" "300" "2"
+set_policy "rsasha256" "2" "300"
 set_server "ns4" "10.53.0.4"
 init_view_migration
 set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
@@ -1024,7 +1024,7 @@ echo_i "${time_passed} seconds passed between start of tests and reconfig"
 # Testing migration (RSASHA256, views).
 #
 set_zone "view-rsasha256.kasp"
-set_policy "rsasha256" "3" "300" "2"
+set_policy "rsasha256" "3" "300"
 set_server "ns4" "10.53.0.4"
 init_migration_keys "8" "RSASHA256" "2048" "2048"
 init_migration_states "omnipresent" "rumoured"

diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
index a5661e6fbd020483a8466992337929ee90915f95..1646e89d6b4b543e5651d56fefa45fc247ed399e 100644 (file)
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -41,7 +41,8 @@ set_zone_policy() {
        DNSKEY_TTL=$4
        # The CDS digest type in these tests are all the default,
        # which is SHA-256 (2).
-       DIGEST_TYPE=2
+       CDS_SHA256="yes"
+       CDS_SHA384="no"
 }
 # Set expected NSEC3 parameters: flags ($1), iterations ($2), and
 # salt length ($3).

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 0cc405c1ebd0d4064399f13f1ae62472cbf69fa7..df9f042a447ca0e9aee2f95d72639fe558cc9739 100644 (file)
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -6257,12 +6257,12 @@ retired when the existing key's lifetime ends.
 
 The following options can be specified in a :any:`dnssec-policy` statement:
 
-.. namedconf:statement:: cds-digest-type
+.. namedconf:statement:: cds-digest-types
    :tags: dnssec
-   :short: Specifies the digest type to use for CDS resource records.
+   :short: Specifies the digest types to use for CDS resource records.
 
-    This indicates the digest type to use when generating CDS resource
-    records. The default is SHA-256.
+    This indicates the digest types to use when generating CDS resource
+    records. The default is SHA-256 only.
 
 .. namedconf:statement:: dnskey-ttl
    :tags: dnssec

diff --git a/doc/misc/dnssec-policy.default.conf b/doc/misc/dnssec-policy.default.conf
index 2cce43cca641342cb40dcb021c5bda428c4e3abc..e21bb36dc9e45376d7df9fa4491482ecacb5456d 100644 (file)
--- a/doc/misc/dnssec-policy.default.conf
+++ b/doc/misc/dnssec-policy.default.conf
@@ -18,7 +18,7 @@ dnssec-policy "default" {
        };
 
        // Key timings
-       cds-digest-type 2;
+       cds-digest-types { 2; };
        dnskey-ttl 3600;
        publish-safety 1h;
        retire-safety 1h;

diff --git a/doc/misc/options b/doc/misc/options
index eda2fec28711ca46ea0a8d17f45ddfcf7dc9593f..38c4e5c825e26fe0629e020b4cd75f9a557b0f49 100644 (file)
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -11,7 +11,7 @@ dlz <string> {
 }; // may occur multiple times
 
 dnssec-policy <string> {
-       cds-digest-type <string>;
+       cds-digest-types { <string>; ... };
        dnskey-ttl <duration>;
        keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
        max-zone-ttl <duration>;

diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c
index d3b0517bc7cf1dcc89e7ef645f313eaaab838670..6c6093d3dfc2d50e7f389a03b5ecbed95d54b860 100644 (file)
--- a/lib/dns/dnssec.c
+++ b/lib/dns/dnssec.c
@@ -1959,6 +1959,41 @@ exists(dns_rdataset_t *rdataset, dns_rdata_t *rdata) {
        return (false);
 }
 
+static isc_result_t
+add_cds(dns_dnsseckey_t *key, dns_rdata_t *keyrdata, const char *keystr,
+       dns_rdataset_t *cds, unsigned int digesttype, dns_ttl_t ttl,
+       dns_diff_t *diff, isc_mem_t *mctx) {
+       isc_result_t r = ISC_R_SUCCESS;
+       unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+       dns_rdata_t cdsrdata = DNS_RDATA_INIT;
+       dns_name_t *origin = dst_key_name(key->key);
+
+       r = dns_ds_buildrdata(origin, keyrdata, digesttype, dsbuf, &cdsrdata);
+       if (r != ISC_R_SUCCESS) {
+               char algbuf[DNS_DSDIGEST_FORMATSIZE];
+               dns_dsdigest_format(digesttype, algbuf,
+                                   DNS_DSDIGEST_FORMATSIZE);
+               isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+                             DNS_LOGMODULE_DNSSEC, ISC_LOG_ERROR,
+                             "build rdata CDS (%s) for key %s failed", algbuf,
+                             keystr);
+               return (r);
+       }
+
+       cdsrdata.type = dns_rdatatype_cds;
+       if (!dns_rdataset_isassociated(cds) || !exists(cds, &cdsrdata)) {
+               char algbuf[DNS_DSDIGEST_FORMATSIZE];
+               dns_dsdigest_format(digesttype, algbuf,
+                                   DNS_DSDIGEST_FORMATSIZE);
+               isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
+                             DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO,
+                             "CDS (%s) for key %s is now published", algbuf,
+                             keystr);
+               r = addrdata(&cdsrdata, diff, origin, ttl, mctx);
+       }
+       return (r);
+}
+
 static isc_result_t
 delete_cds(dns_dnsseckey_t *key, dns_rdata_t *keyrdata, const char *keystr,
           dns_rdataset_t *cds, unsigned int digesttype, dns_diff_t *diff,
@@ -1990,36 +2025,36 @@ delete_cds(dns_dnsseckey_t *key, dns_rdata_t *keyrdata, const char *keystr,
 isc_result_t
 dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
                      dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
-                     isc_stdtime_t now, unsigned int digesttype, dns_ttl_t ttl,
-                     dns_diff_t *diff, isc_mem_t *mctx) {
-       unsigned char dsbuf[DNS_DS_BUFFERSIZE];
+                     isc_stdtime_t now, dns_kasp_digestlist_t *digests,
+                     dns_ttl_t ttl, dns_diff_t *diff, isc_mem_t *mctx) {
        unsigned char keybuf[DST_KEY_MAXSIZE];
        isc_result_t result;
        dns_dnsseckey_t *key;
 
+       REQUIRE(digests != NULL);
+
        for (key = ISC_LIST_HEAD(*keys); key != NULL;
             key = ISC_LIST_NEXT(key, link))
        {
-               dns_rdata_t cdsrdata = DNS_RDATA_INIT;
                dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT;
                dns_name_t *origin = dst_key_name(key->key);
 
                RETERR(make_dnskey(key->key, keybuf, sizeof(keybuf),
                                   &cdnskeyrdata));
-               RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata, digesttype,
-                                        dsbuf, &cdsrdata));
-
-               /*
-                * Now that the we have created the DS records convert
-                * the rdata to CDNSKEY and CDS for comparison.
-                */
                cdnskeyrdata.type = dns_rdatatype_cdnskey;
-               cdsrdata.type = dns_rdatatype_cds;
 
                if (syncpublish(key->key, now)) {
                        char keystr[DST_KEY_FORMATSIZE];
                        dst_key_format(key->key, keystr, sizeof(keystr));
 
+                       for (dns_kasp_digest_t *alg = ISC_LIST_HEAD(*digests);
+                            alg != NULL; alg = ISC_LIST_NEXT(alg, link))
+                       {
+                               RETERR(add_cds(key, &cdnskeyrdata,
+                                              (const char *)keystr, cds,
+                                              alg->digest, ttl, diff, mctx));
+                       }
+
                        if (!dns_rdataset_isassociated(cdnskey) ||
                            !exists(cdnskey, &cdnskeyrdata))
                        {
@@ -2031,18 +2066,6 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
                                RETERR(addrdata(&cdnskeyrdata, diff, origin,
                                                ttl, mctx));
                        }
-
-                       if (!dns_rdataset_isassociated(cds) ||
-                           !exists(cds, &cdsrdata))
-                       {
-                               isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL,
-                                             DNS_LOGMODULE_DNSSEC,
-                                             ISC_LOG_INFO,
-                                             "CDS for key %s is now published",
-                                             keystr);
-                               RETERR(addrdata(&cdsrdata, diff, origin, ttl,
-                                               mctx));
-                       }
                }
 
                if (syncdelete(key->key, now)) {

diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h
index 85a1995528e81fc659d487887462231bb4388797..40a3c531efea133d8354f6e6d113387c6dbb7561 100644 (file)
--- a/lib/dns/include/dns/dnssec.h
+++ b/lib/dns/include/dns/dnssec.h
@@ -351,7 +351,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys,
 isc_result_t
 dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys,
                      dns_rdataset_t *cds, dns_rdataset_t *cdnskey,
-                     isc_stdtime_t now, unsigned int digesttype,
+                     isc_stdtime_t now, dns_kasp_digestlist_t *digests,
                      dns_ttl_t hint_ttl, dns_diff_t *diff, isc_mem_t *mctx);
 /*%<
  * Update the CDS and CDNSKEY RRsets, adding and removing keys as needed.

diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h
index fb0af46bca4fa9e246c3c311df4cd8b4f8e83159..4e14f400b0993eaffcf6abbefadea7a3c7c02906 100644 (file)
--- a/lib/dns/include/dns/kasp.h
+++ b/lib/dns/include/dns/kasp.h
@@ -34,6 +34,12 @@
 
 ISC_LANG_BEGINDECLS
 
+/* For storing a list of digest types */
+struct dns_kasp_digest {
+       dns_dsdigest_t digest;
+       ISC_LINK(dns_kasp_digest_t) link;
+};
+
 /* Stores a KASP key */
 struct dns_kasp_key {
        isc_mem_t *mctx;
@@ -80,9 +86,9 @@ struct dns_kasp {
        uint32_t signatures_validity_dnskey;
 
        /* Configuration: Keys */
-       dns_kasp_keylist_t keys;
-       dns_ttl_t          dnskey_ttl;
-       unsigned int       cds_digesttype;
+       dns_kasp_digestlist_t digests;
+       dns_kasp_keylist_t    keys;
+       dns_ttl_t             dnskey_ttl;
 
        /* Configuration: Denial of existence */
        bool                  nsec3;
@@ -310,31 +316,6 @@ dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl);
  *\li   'kasp' is a valid, thawed kasp.
  */
 
-unsigned int
-dns_kasp_cdsdigesttype(dns_kasp_t *kasp);
-/*%<
- * Get CDS digest-type.
- *
- * Requires:
- *
- *\li   'kasp' is a valid, frozen kasp.
- *
- * Returns:
- *
- *\li   CDS digest-type.
- */
-
-void
-dns_kasp_setcdsdigesttype(dns_kasp_t *kasp, unsigned int digesttype);
-/*%<
- * Set CDS digest-type.
- * If 'digesttype' is not supported, this will not change the digest-type.
- *
- * Requires:
- *
- *\li   'kasp' is a valid, thawed kasp.
- */
-
 uint32_t
 dns_kasp_purgekeys(dns_kasp_t *kasp);
 /*%<
@@ -737,4 +718,31 @@ dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout,
  *
  */
 
+dns_kasp_digestlist_t
+dns_kasp_digests(dns_kasp_t *kasp);
+/*%<
+ * Get the list of kasp CDS digest types.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li  #ISC_R_SUCCESS
+ *\li  #ISC_R_NOMEMORY
+ *
+ *\li  Other errors are possible.
+ */
+
+void
+dns_kasp_adddigest(dns_kasp_t *kasp, dns_dsdigest_t alg);
+/*%<
+ * Add a digest type.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
 ISC_LANG_ENDDECLS

diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h
index 363683bff124aa99e77e02697f54fcd63becf651..ce3e52bb732469aa2da1049112a8ca6eb6d3dce3 100644 (file)
--- a/lib/dns/include/dns/types.h
+++ b/lib/dns/include/dns/types.h
@@ -95,6 +95,8 @@ typedef struct dns_iptable       dns_iptable_t;
 typedef uint32_t                  dns_iterations_t;
 typedef struct dns_kasp                   dns_kasp_t;
 typedef ISC_LIST(dns_kasp_t) dns_kasplist_t;
+typedef struct dns_kasp_digest dns_kasp_digest_t;
+typedef ISC_LIST(dns_kasp_digest_t) dns_kasp_digestlist_t;
 typedef struct dns_kasp_key dns_kasp_key_t;
 typedef ISC_LIST(dns_kasp_key_t) dns_kasp_keylist_t;
 typedef struct dns_kasp_nsec3param dns_kasp_nsec3param_t;

diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h
index f9f2fb582b5f529cf63bb72d2e6987cd0b009b34..aa765ac21e5b56fe02c28b103d1608b717d55fc1 100644 (file)
--- a/lib/dns/include/dns/zone.h
+++ b/lib/dns/include/dns/zone.h
@@ -715,6 +715,8 @@ dns_zone_getkasp(dns_zone_t *zone);
 
 void
 dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp);
+void
+dns_zone_setdefaultkasp(dns_zone_t *zone, dns_kasp_t *kasp);
 /*%<
  *     Set kasp for zone.  If a kasp is already set, it will be detached.
  *

diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c
index c08297c8f258f3dfaf841675d1eaeb2f345e5bf1..5a9d907e7cf6b02c0de26a8e1983177ae2424f16 100644 (file)
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@@ -34,6 +34,9 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
        dns_kasp_t *kasp;
        dns_kasp_t k = {
                .magic = DNS_KASP_MAGIC,
+               .digests = ISC_LIST_INITIALIZER,
+               .keys = ISC_LIST_INITIALIZER,
+               .link = ISC_LINK_INITIALIZER,
        };
 
        REQUIRE(name != NULL);
@@ -48,9 +51,6 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
        isc_mutex_init(&kasp->lock);
        isc_refcount_init(&kasp->references, 1);
 
-       ISC_LINK_INIT(kasp, link);
-       ISC_LIST_INIT(kasp->keys);
-
        *kaspp = kasp;
        return (ISC_R_SUCCESS);
 }
@@ -66,8 +66,8 @@ dns_kasp_attach(dns_kasp_t *source, dns_kasp_t **targetp) {
 
 static void
 destroy(dns_kasp_t *kasp) {
-       dns_kasp_key_t *key;
-       dns_kasp_key_t *key_next;
+       dns_kasp_key_t *key, *key_next;
+       dns_kasp_digest_t *digest, *digest_next;
 
        REQUIRE(!ISC_LINK_LINKED(kasp, link));
 
@@ -78,6 +78,15 @@ destroy(dns_kasp_t *kasp) {
        }
        INSIST(ISC_LIST_EMPTY(kasp->keys));
 
+       for (digest = ISC_LIST_HEAD(kasp->digests); digest != NULL;
+            digest = digest_next)
+       {
+               digest_next = ISC_LIST_NEXT(digest, link);
+               ISC_LIST_UNLINK(kasp->digests, digest, link);
+               isc_mem_put(kasp->mctx, digest, sizeof(*digest));
+       }
+       INSIST(ISC_LIST_EMPTY(kasp->digests));
+
        isc_mutex_destroy(&kasp->lock);
        isc_mem_free(kasp->mctx, kasp->name);
        isc_mem_putanddetach(&kasp->mctx, kasp, sizeof(*kasp));
@@ -190,24 +199,6 @@ dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl) {
        kasp->dnskey_ttl = ttl;
 }
 
-unsigned int
-dns_kasp_cdsdigesttype(dns_kasp_t *kasp) {
-       REQUIRE(DNS_KASP_VALID(kasp));
-       REQUIRE(kasp->frozen);
-
-       return (kasp->cds_digesttype);
-}
-
-void
-dns_kasp_setcdsdigesttype(dns_kasp_t *kasp, unsigned int digesttype) {
-       REQUIRE(DNS_KASP_VALID(kasp));
-       REQUIRE(!kasp->frozen);
-
-       if (dst_ds_digest_supported(digesttype)) {
-               kasp->cds_digesttype = digesttype;
-       }
-}
-
 uint32_t
 dns_kasp_purgekeys(dns_kasp_t *kasp) {
        REQUIRE(DNS_KASP_VALID(kasp));
@@ -527,3 +518,25 @@ dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout,
        kasp->nsec3param.optout = optout;
        kasp->nsec3param.saltlen = saltlen;
 }
+
+dns_kasp_digestlist_t
+dns_kasp_digests(dns_kasp_t *kasp) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(kasp->frozen);
+
+       return (kasp->digests);
+}
+
+void
+dns_kasp_adddigest(dns_kasp_t *kasp, dns_dsdigest_t alg) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(!kasp->frozen);
+
+       if (dst_ds_digest_supported(alg)) {
+               dns_kasp_digest_t *digest = isc_mem_get(kasp->mctx,
+                                                       sizeof(*digest));
+               digest->digest = alg;
+               ISC_LINK_INIT(digest, link);
+               ISC_LIST_APPEND(kasp->digests, digest, link);
+       }
+}

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 3f3eb591ab0069d1700c8f9a5c3e096e561d87cb..18b7d187d7f73ce106c871bc15b94b83cf6b5075 100644 (file)
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -352,6 +352,7 @@ struct dns_zone {
        dns_view_t *view;
        dns_view_t *prev_view;
        dns_kasp_t *kasp;
+       dns_kasp_t *defaultkasp;
        dns_checkmxfunc_t checkmx;
        dns_checksrvfunc_t checksrv;
        dns_checknsfunc_t checkns;
@@ -1118,6 +1119,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx, unsigned int tid) {
        zone->primaries = r;
        zone->parentals = r;
        zone->notify = r;
+       zone->defaultkasp = NULL;
 
        result = isc_stats_create(mctx, &zone->gluecachestats,
                                  dns_gluecachestatscounter_max);
@@ -1230,6 +1232,9 @@ zone_free(dns_zone_t *zone) {
        if (zone->kasp != NULL) {
                dns_kasp_detach(&zone->kasp);
        }
+       if (zone->defaultkasp != NULL) {
+               dns_kasp_detach(&zone->defaultkasp);
+       }
        if (!ISC_LIST_EMPTY(zone->checkds_ok)) {
                clear_keylist(&zone->checkds_ok, zone->mctx);
        }
@@ -5714,6 +5719,20 @@ dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp) {
        UNLOCK_ZONE(zone);
 }
 
+void
+dns_zone_setdefaultkasp(dns_zone_t *zone, dns_kasp_t *kasp) {
+       REQUIRE(DNS_ZONE_VALID(zone));
+
+       LOCK_ZONE(zone);
+       if (zone->defaultkasp != NULL) {
+               dns_kasp_t *oldkasp = zone->defaultkasp;
+               zone->defaultkasp = NULL;
+               dns_kasp_detach(&oldkasp);
+       }
+       zone->defaultkasp = kasp;
+       UNLOCK_ZONE(zone);
+}
+
 dns_kasp_t *
 dns_zone_getkasp(dns_zone_t *zone) {
        REQUIRE(DNS_ZONE_VALID(zone));
@@ -20462,7 +20481,7 @@ zone_rekey(dns_zone_t *zone) {
        KASP_UNLOCK(kasp);
 
        if (result == ISC_R_SUCCESS) {
-               unsigned int cds_digesttype = DNS_DSDIGEST_SHA256;
+               dns_kasp_digestlist_t digests;
                bool cdsdel = false;
                bool cdnskeydel = false;
                bool sane_diff, sane_dnskey;
@@ -20477,7 +20496,7 @@ zone_rekey(dns_zone_t *zone) {
                                cdsdel = true;
                                cdnskeydel = true;
                        }
-                       cds_digesttype = dns_kasp_cdsdigesttype(kasp);
+                       digests = dns_kasp_digests(kasp);
                } else {
                        /* Check if there is a CDS DELETE record. */
                        if (dns_rdataset_isassociated(&cdsset)) {
@@ -20528,6 +20547,8 @@ zone_rekey(dns_zone_t *zone) {
                                        }
                                }
                        }
+
+                       digests = dns_kasp_digests(zone->defaultkasp);
                }
 
                /*
@@ -20555,8 +20576,8 @@ zone_rekey(dns_zone_t *zone) {
                 * Update CDS / CDNSKEY records.
                 */
                result = dns_dnssec_syncupdate(&dnskeys, &rmkeys, &cdsset,
-                                              &cdnskeyset, now, cds_digesttype,
-                                              ttl, &diff, mctx);
+                                              &cdnskeyset, now, &digests, ttl,
+                                              &diff, mctx);
                if (result != ISC_R_SUCCESS) {
                        dnssec_log(zone, ISC_LOG_ERROR,
                                   "zone_rekey:couldn't update CDS/CDNSKEY: %s",

diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index f7d5e31ee775578f9750fab6276bd0523c4c8ac2..abb18008d312f34d3cacea821e63eeec9d20af46 100644 (file)
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -298,6 +298,32 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp,
        return (ISC_R_SUCCESS);
 }
 
+static isc_result_t
+add_digest(dns_kasp_t *kasp, const cfg_obj_t *digest, isc_log_t *logctx) {
+       isc_result_t result = ISC_R_SUCCESS;
+       isc_textregion_t r;
+       dns_dsdigest_t alg;
+       const char *str = cfg_obj_asstring(digest);
+
+       DE_CONST(str, r.base);
+       r.length = strlen(str);
+       result = dns_dsdigest_fromtext(&alg, &r);
+       if (result != ISC_R_SUCCESS) {
+               cfg_obj_log(digest, logctx, ISC_LOG_ERROR,
+                           "dnssec-policy: bad cds digest-type %s", str);
+               result = DNS_R_BADALG;
+       } else if (!dst_ds_digest_supported(alg)) {
+               cfg_obj_log(digest, logctx, ISC_LOG_ERROR,
+                           "dnssec-policy: unsupported cds "
+                           "digest-type %s",
+                           str);
+               result = DST_R_UNSUPPORTEDALG;
+       } else {
+               dns_kasp_adddigest(kasp, alg);
+       }
+       return (result);
+}
+
 isc_result_t
 cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
                    isc_mem_t *mctx, isc_log_t *logctx,
@@ -312,7 +338,6 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
        const char *kaspname = NULL;
        dns_kasp_t *kasp = NULL;
        size_t i = 0;
-       unsigned int cds_digesttype = DNS_DSDIGEST_SHA256;
        uint32_t sigrefresh = 0, sigvalidity = 0;
        uint32_t dnskeyttl = 0, dsttl = 0, maxttl = 0;
        uint32_t publishsafety = 0, retiresafety = 0;
@@ -410,33 +435,20 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
        dns_kasp_setparentpropagationdelay(kasp, parentpropdelay);
 
        /* Configuration: Keys */
-       (void)confget(maps, "cds-digest-type", &obj);
+       (void)confget(maps, "cds-digest-types", &obj);
        if (obj != NULL) {
-               isc_textregion_t r;
-               dns_dsdigest_t alg;
-               const char *str = cfg_obj_asstring(obj);
-
-               DE_CONST(str, r.base);
-               r.length = strlen(str);
-               result = dns_dsdigest_fromtext(&alg, &r);
-               if (result != ISC_R_SUCCESS) {
-                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-                                   "dnssec-policy: bad cds digest-type %s",
-                                   str);
-                       result = DNS_R_BADALG;
-                       goto cleanup;
-               }
-               if (!dst_ds_digest_supported(alg)) {
-                       cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-                                   "dnssec-policy: unsupported cds "
-                                   "digest-type %s",
-                                   str);
-                       result = DST_R_UNSUPPORTEDALG;
-                       goto cleanup;
+               for (element = cfg_list_first(obj); element != NULL;
+                    element = cfg_list_next(element))
+               {
+                       result = add_digest(kasp, cfg_listelt_value(element),
+                                           logctx);
+                       if (result != ISC_R_SUCCESS) {
+                               goto cleanup;
+                       }
                }
-               cds_digesttype = (unsigned int)alg;
+       } else {
+               dns_kasp_adddigest(kasp, DNS_DSDIGEST_SHA256);
        }
-       dns_kasp_setcdsdigesttype(kasp, cds_digesttype);
 
        dnskeyttl = get_duration(maps, "dnskey-ttl", DNS_KASP_KEY_TTL);
        dns_kasp_setdnskeyttl(kasp, dnskeyttl);

diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index d246e04e8dd7cfc83681b38b1a975c3b308d10af..ff938f1fac3d2c1c2fc6c60ca9916b4700387b30 100644 (file)
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2193,7 +2193,7 @@ static cfg_type_t cfg_type_validityinterval = {
  * Clauses that can be found in a 'dnssec-policy' statement.
  */
 static cfg_clausedef_t dnssecpolicy_clauses[] = {
-       { "cds-digest-type", &cfg_type_astring, 0 },
+       { "cds-digest-types", &cfg_type_algorithmlist, 0 },
        { "dnskey-ttl", &cfg_type_duration, 0 },
        { "keys", &cfg_type_kaspkeys, 0 },
        { "max-zone-ttl", &cfg_type_duration, 0 },