set_addkeytime "KEY3" "REMOVED" "${retired}" 867900
}
-#
-# Zone: keystore.kasp.
-#
-set_zone "keystore.kasp"
-set_policy "keystore" "2" "303"
-set_server "ns3" "10.53.0.3"
-# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "0"
-set_keydir "KEY1" "ns3/ksk"
-set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
-
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "0"
-set_keydir "KEY2" "ns3/zsk"
-set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
-
-# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
-# ZSK: DNSKEY, RRSIG (zsk) published.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
-
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-# Two keys only.
-key_clear "KEY3"
-key_clear "KEY4"
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# Reuse set_keytimes_csk_policy to set the KEY1 keytimes.
-set_keytimes_csk_policy
-created=$(key_get KEY2 CREATED)
-set_keytime "KEY2" "PUBLISHED" "${created}"
-set_keytime "KEY2" "ACTIVE" "${created}"
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Key properties for tests below.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "315360000"
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
-
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "157680000"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
-
-key_clear "KEY3"
-set_keyrole "KEY3" "zsk"
-set_keylifetime "KEY3" "31536000"
-set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
-set_keysigning "KEY3" "no"
-set_zonesigning "KEY3" "yes"
-# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
-# ZSK: DNSKEY, RRSIG (zsk) published.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
-
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-
-set_keystate "KEY3" "GOAL" "omnipresent"
-set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
-# Three keys only.
-key_clear "KEY4"
-
-#
-# Zone: rumoured.kasp.
-#
-# There are three keys in rumoured state.
-set_zone "rumoured.kasp"
-set_policy "rsasha256" "3" "1234"
-set_server "ns3" "10.53.0.3"
-# Key properties, timings and states same as above.
-
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_algorithm_policy
-# Activation date is a day later.
-set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400
-set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400
-set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400
-set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400
-set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400
-set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400
-set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400
-set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400
-set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
# TODO: we might want to test:
# - configuring a zone with too many active keys (should trigger retire).
# - configuring a zone with keys not matching the policy.
ttl=ttl, keys=test["key-properties"]
)
# Key files.
- keys = isctest.kasp.keydir_to_keylist(
- zone, test["config"]["key-directory"], in_use=pregenerated
- )
- ksks = [k for k in keys if k.is_ksk()]
- zsks = [k for k in keys if not k.is_ksk()]
+ if "key-directories" in test:
+ kdir = test["key-directories"][0]
+ ksks = isctest.kasp.keydir_to_keylist(zone, kdir, in_use=pregenerated)
+ kdir = test["key-directories"][1]
+ zsks = isctest.kasp.keydir_to_keylist(zone, kdir, in_use=pregenerated)
+ keys = ksks + zsks
+ else:
+ keys = isctest.kasp.keydir_to_keylist(
+ zone, test["config"]["key-directory"], in_use=pregenerated
+ )
+ ksks = [k for k in keys if k.is_ksk()]
+ zsks = [k for k in keys if not k.is_ksk()]
isctest.kasp.check_zone_is_signed(server, zone)
isctest.kasp.check_keys(zone, keys, expected)
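Review bot: The new `key-directories` branch trusts list position (`test["key-directories"][0]` for KSKs, `[1]` for ZSKs) to classify keys, whereas the fallback branch classifies each key by `k.is_ksk()`; a key file that ends up in the wrong directory, which is exactly what a key-store test should catch, would be silently counted on the other side and passed on to checks that take `ksks` and `zsks` separately, such as `check_all` further down. Add `assert all(k.is_ksk() for k in ksks)` and `assert not any(k.is_ksk() for k in zsks)` before `keys = ksks + zsks`, and name the convention with a comment such as `# key-directories is [ksk_dir, zsk_dir]`, since the keystore test entry later in the diff relies on that order. The enclosing test function starts outside the hunk.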
test["config"], offset=offset, pregenerated=pregenerated
)
- isctest.kasp.check_keytimes(keys, expected)
+ if "rumoured" not in test:
+ isctest.kasp.check_keytimes(keys, expected)
check_all(server, zone, policy, ksks, zsks, zsk_missing=zsk_missing)
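Review bot: Guarding `check_keytimes` with `if "rumoured" not in test:` skips the key-time check entirely for rumoured.kasp, which loses coverage the removed shell version still had: it verified the key times after adding one day to the ACTIVE, RETIRED and REMOVED values. Consider shifting the expected times by that offset and keeping the call, or, if the current `expected` structure cannot express the shift, leave a comment such as `# TODO: rumoured.kasp key times are offset by one day; restore the check once expected times can carry that offset` so the gap stays visible. The enclosing function starts and ends outside the hunk.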
"config": kasp_config,
"key-properties": fips_properties(8),
},
+ {
+ "zone": "keystore.kasp",
+ "policy": "keystore",
+ "config": {
+ "dnskey-ttl": timedelta(seconds=303),
+ "ds-ttl": timedelta(days=1),
+ "key-directory": keydir,
+ "max-zone-ttl": timedelta(days=1),
+ "parent-propagation-delay": timedelta(hours=1),
+ "publish-safety": timedelta(hours=1),
+ "retire-safety": timedelta(hours=1),
+ "signatures-refresh": timedelta(days=5),
+ "signatures-validity": timedelta(days=14),
+ "zone-propagation-delay": timedelta(minutes=5),
+ },
+ "key-directories": [f"{keydir}/ksk", f"{keydir}/zsk"],
+ "key-properties": [
+ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
+ f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+ ],
+ },
{
"zone": "legacy-keys.kasp",
"policy": "migrate-to-dnssec-policy",
"config": kasp_config,
"key-properties": fips_properties(10),
},
+ {
+ "zone": "rumoured.kasp",
+ "policy": "rsasha256",
+ "config": kasp_config,
+ "rumoured": True,
+ "key-properties": fips_properties(8),
+ },
{
"zone": "secondary.kasp",
"policy": "rsasha256",