return int(os.environ["CONTROLPORT"])
+@pytest.fixture(scope="module")
+def default_algorithm():
+ return isctest.vars.algorithms.Algorithm.default()
+
+
@pytest.fixture(scope="module")
def system_test_name(request):
"""Name of the system test directory."""
assert sigs
-def test_apex_signing():
+def test_apex_signing(default_algorithm):
# check that DNAME at apex with NSEC3 is correctly signed
msg = isctest.query.create("dname-at-apex-nsec3.example.", "TXT")
res = isctest.query.tcp(msg, "10.53.0.3")
sigs = [str(a) for a in res.authority if a.rdtype == rdatatype.RRSIG]
- alg = os.environ.get("DEFAULT_ALGORITHM_NUMBER")
+ alg = default_algorithm.number
assert any(f"NSEC3 {alg} 3 600" in a for a in sigs)
isctest.check.rr_count_eq(res.answer, 4) # A+RRSIG, NSEC+RRSIG
-def test_update_signing():
+def test_update_signing(default_algorithm):
# minimal update test: add and delete a single record
up = update.UpdateMessage("dynamic.example.")
up.add("a.dynamic.example.", 300, "A", "73.80.65.49")
# check that the NSEC3 record for the apex is properly signed
# when a DNSKEY is added via UPDATE
key = keygen(
- "-Kns3", "-q3fk", "-a", os.environ["DEFAULT_ALGORITHM"], "update-nsec3.example."
+ "-Kns3", "-q3fk", "-a", default_algorithm.name, "update-nsec3.example."
)
with open(f"ns3/{key}.key", "r", encoding="utf-8") as f:
assert when < sigs[0].expiration
-def test_offline_ksk_signing(ns2):
+def test_offline_ksk_signing(ns2, default_algorithm):
def getfrom(file):
with open(file, encoding="utf-8") as f:
return f.read().strip()
"-Pnone",
"-Anone",
"-a",
- os.environ["DEFAULT_ALGORITHM"],
+ default_algorithm.name,
"-b",
- os.environ["DEFAULT_BITS"],
+ f"{default_algorithm.bits}",
zone,
)
zsk_2_id = getkeyid(zsk_2)
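Review bot: The `-b` argument is built as `f"{default_algorithm.bits}"`, here and again in the second key-generation call for `zsk_3`; an f-string that wraps a single value only hides the int-to-str conversion. `str(default_algorithm.bits)` says what is meant, since `bits` is declared as `int` on `Algorithm`. The enclosing call starts outside this hunk.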
"-Pnone",
"-Anone",
"-a",
- os.environ["DEFAULT_ALGORITHM"],
+ default_algorithm.name,
"-b",
- os.environ["DEFAULT_BITS"],
+ f"{default_algorithm.bits}",
zone,
)
zsk_3_id = getkeyid(zsk_3)
from re import compile as Re
-import os
import shutil
import time
isctest.check.noadflag(res2)
-def test_secure_root(ns4):
+def test_secure_root(ns4, default_algorithm):
# check that a query for a secure root validates
msg = isctest.query.create(".", "KEY")
res = isctest.query.tcp(msg, "10.53.0.4")
# check that "rndc secroots" dumps the trusted keys
key = int(getfrom("ns1/managed.key.id"))
- alg = os.environ["DEFAULT_ALGORITHM"]
response = ns4.rndc("secroots -")
- assert f"./{alg}/{key} ; static" in response.out
+ assert f"./{default_algorithm.name}/{key} ; static" in response.out
assert len(response.out.splitlines()) == 10
return f.read().strip()
-def test_secure_root_managed(ns4):
+def test_secure_root_managed(ns4, default_algorithm):
# check that a query for a secure root validates
msg = isctest.query.create(".", "KEY")
res = isctest.query.tcp(msg, "10.53.0.4")
# check that "rndc secroots" dumps the trusted keys
key = int(getfrom("ns1/managed.key.id"))
- alg = os.environ["DEFAULT_ALGORITHM"]
response = ns4.rndc("secroots -")
- assert f"./{alg}/{key} ; managed" in response.out
+ assert f"./{default_algorithm.name}/{key} ; managed" in response.out
assert len(response.out.splitlines()) == 10
from re import compile as Re
-import os
-
import isctest
watcher.wait_for_line(pattern)
-def test_secure_roots(ns4):
+def test_secure_roots(ns4, default_algorithm):
# check that "rndc secroots" dumps the trusted keys with multiple views
key = int(getfrom("ns1/managed.key.id"))
- alg = os.environ["DEFAULT_ALGORITHM"]
response = ns4.rndc("secroots -")
- assert f"./{alg}/{key} ; static" in response.out
+ assert f"./{default_algorithm.name}/{key} ; static" in response.out
assert len(response.out.splitlines()) == 17
dst: int
bits: int
+ @classmethod
+ def default(cls):
+ return cls(
+ os.environ["DEFAULT_ALGORITHM"],
+ int(os.environ["DEFAULT_ALGORITHM_NUMBER"]),
+ int(os.environ["DEFAULT_ALGORITHM_DST_NUMBER"]),
+ int(os.environ["DEFAULT_BITS"]),
+ )
+
class AlgorithmSet(NamedTuple):
"""Collection of DEFAULT, ALTERNATIVE and DISABLED algorithms"""
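Review bot: `Algorithm.default()` has no docstring and indexes `os.environ` directly, so a missing or non-numeric `DEFAULT_*` variable surfaces as a bare `KeyError` or `ValueError` at whichever caller runs first, which for the parametrize tables is test collection. A docstring such as `"""Build the default algorithm from the DEFAULT_ALGORITHM, DEFAULT_ALGORITHM_NUMBER, DEFAULT_ALGORITHM_DST_NUMBER and DEFAULT_BITS environment variables."""` would document that contract. The hunk does not show whether this module already imports `os`, so that is worth confirming. The new `default_algorithm` fixture in the conftest hunk also lacks a docstring, although its sibling `system_test_name` has one.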
from isctest.kasp import KeyProperties, KeyTimingMetadata, SettimeOptions
from isctest.util import param
-from isctest.vars.algorithms import ECDSAP256SHA256, ECDSAP384SHA384
+from isctest.vars.algorithms import ECDSAP256SHA256, ECDSAP384SHA384, Algorithm
import isctest
import isctest.mark
}
-def autosign_properties(alg, size):
+def autosign_properties(algorithm: Algorithm):
return [
- f"ksk {lifetime['P2Y']} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
- f"zsk {lifetime['P1Y']} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
+ f"ksk {lifetime['P2Y']} {algorithm.number} {algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
+ f"zsk {lifetime['P1Y']} {algorithm.number} {algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
]
"policy": "autosign",
"config": autosign_config,
"offset": -timedelta(days=30 * 6),
- "key-properties": autosign_properties(
- os.environ["DEFAULT_ALGORITHM_NUMBER"], os.environ["DEFAULT_BITS"]
- ),
+ "key-properties": autosign_properties(Algorithm.default()),
},
id="dnskey-ttl-mismatch.autosign",
),
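Review bot: `Algorithm.default()` is evaluated here while the parametrize table is being built, that is, at import/collection time. The later entries in this file (`ksk-missing.autosign`, `zsk-missing.autosign`, `keystore.kasp`, `unlimited.kasp`) and the tables in the other test modules call it twice per f-string. Each call re-reads and re-parses four environment variables, and the repeated `{Algorithm.default().number} {Algorithm.default().bits}` makes the property strings hard to scan. Binding it once near the top of each module, `DEFAULT_ALG = Algorithm.default()`, and interpolating `{DEFAULT_ALG.number} {DEFAULT_ALG.bits}` would keep the tables readable and make a missing variable fail at one obvious line.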
"policy": "autosign",
"config": autosign_config,
"offset": -timedelta(days=30 * 6),
- "key-properties": autosign_properties(
- os.environ["DEFAULT_ALGORITHM_NUMBER"], os.environ["DEFAULT_BITS"]
- ),
+ "key-properties": autosign_properties(Algorithm.default()),
"additional-tests": [
{
"callback": cb_rrsig_refresh,
"policy": "autosign",
"config": autosign_config,
"offset": -timedelta(days=30 * 6),
- "key-properties": autosign_properties(
- os.environ["DEFAULT_ALGORITHM_NUMBER"], os.environ["DEFAULT_BITS"]
- ),
+ "key-properties": autosign_properties(Algorithm.default()),
"additional-tests": [
{
"callback": cb_rrsig_reuse,
"policy": "autosign",
"config": autosign_config,
"offset": -timedelta(days=30 * 6),
- "key-properties": autosign_properties(
- os.environ["DEFAULT_ALGORITHM_NUMBER"], os.environ["DEFAULT_BITS"]
- ),
+ "key-properties": autosign_properties(Algorithm.default()),
"additional-tests": [
{
"callback": cb_rrsig_refresh,
"policy": "autosign",
"config": autosign_config,
"offset": -timedelta(days=30 * 6),
- "key-properties": autosign_properties(
- os.environ["DEFAULT_ALGORITHM_NUMBER"], os.environ["DEFAULT_BITS"]
- ),
+ "key-properties": autosign_properties(Algorithm.default()),
"additional-tests": [
{
"callback": cb_remove_keyfiles,
"config": autosign_config,
"offset": -timedelta(days=30 * 6),
"key-properties": [
- f"ksk 63072000 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent missing",
- f"zsk 31536000 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
+ f"ksk 63072000 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent missing",
+ f"zsk 31536000 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
],
},
id="ksk-missing.autosign",
"config": autosign_config,
"offset": -timedelta(days=30 * 6),
"key-properties": [
- f"ksk 63072000 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
- f"zsk 31536000 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent missing",
+ f"ksk 63072000 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
+ f"zsk 31536000 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent missing",
],
},
id="zsk-missing.autosign",
},
"key-directories": ["{keydir}/ksk", "{keydir}/zsk"],
"key-properties": [
- f"ksk unlimited {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
- f"zsk unlimited {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+ f"ksk unlimited {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
+ f"zsk unlimited {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
],
},
id="keystore.kasp",
"policy": "unlimited",
"config": kasp_config,
"key-properties": [
- f"csk 0 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="unlimited.kasp",
assert f"zone_resigninc: zone {zone}/IN (unsigned): enter" not in "ns3/named.run"
-def test_kasp_checkds(ns3):
+def test_kasp_checkds(ns3, default_algorithm):
def wait_for_metadata():
return isctest.util.file_contents_contain(ksk.statefile, metadata)
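Review bot: The context assertion at the top of this hunk, `assert f"zone_resigninc: zone {zone}/IN (unsigned): enter" not in "ns3/named.run"`, compares the message against the literal path string rather than the contents of the log, so it can never fail. It belongs to the test that precedes `test_kasp_checkds` and this commit does not touch it, but as written the check gives no assurance that the log line is absent. If `isctest.util.file_contents_contain` returns a boolean, as its use in `wait_for_metadata` suggests, then `assert not isctest.util.file_contents_contain("ns3/named.run", f"zone_resigninc: zone {zone}/IN (unsigned): enter")` would test what was intended.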
# Zone: checkds-ksk.kasp.
zone = "checkds-ksk.kasp"
policy = "checkds-ksk"
- alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
- size = os.environ["DEFAULT_BITS"]
policy_keys = [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
]
isctest.kasp.wait_keymgr_done(ns3, zone)
isctest.kasp.check_keys(zone, keys, expected)
-def test_kasp_checkds_doubleksk(ns3):
+def test_kasp_checkds_doubleksk(ns3, default_algorithm):
def wait_for_metadata():
return isctest.util.file_contents_contain(ksk.statefile, metadata)
# Zone: checkds-doubleksk.kasp.
zone = "checkds-doubleksk.kasp"
policy = "checkds-doubleksk"
- alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
- size = os.environ["DEFAULT_BITS"]
policy_keys = [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
]
isctest.kasp.wait_keymgr_done(ns3, zone)
isctest.kasp.check_keys(zone, keys, expected)
-def test_kasp_checkds_csk(ns3):
+def test_kasp_checkds_csk(ns3, default_algorithm):
def wait_for_metadata():
return isctest.util.file_contents_contain(ksk.statefile, metadata)
# Zone: checkds-csk.kasp.
zone = "checkds-csk.kasp"
policy = "checkds-csk"
- alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
- size = os.environ["DEFAULT_BITS"]
policy_keys = [
- f"csk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
]
isctest.kasp.wait_keymgr_done(ns3, zone)
isctest.kasp.check_keytimes(keys, expected)
-def test_kasp_zsk_retired(ns3):
+def test_kasp_zsk_retired(ns3, default_algorithm):
config = {
"dnskey-ttl": timedelta(seconds=300),
"ds-ttl": timedelta(days=1),
zone = "zsk-retired.autosign"
policy = "autosign"
- alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
- size = os.environ["DEFAULT_BITS"]
key_properties = [
- f"ksk 63072000 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
+ f"ksk 63072000 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
# zsk predecessor
- f"zsk 31536000 {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
+ f"zsk 31536000 {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
# zsk successor
- f"zsk 31536000 {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden",
+ f"zsk 31536000 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:hidden",
]
isctest.kasp.wait_keymgr_done(ns3, zone)
isctest.run.retry_with_timeout(check_soa_ttl, timeout=10)
-def test_kasp_manual_mode(ns3):
+def test_kasp_manual_mode(ns3, default_algorithm):
keydir = ns3.identifier
zone = "keyfiles-missing.manual"
policy = "manual"
ttl = int(autosign_config["dnskey-ttl"].total_seconds())
offset = -timedelta(days=30 * 6)
- alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
- size = os.environ["DEFAULT_BITS"]
keyprops = [
- f"ksk {lifetime['P2Y']} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
- f"zsk {lifetime['P2M']} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
+ f"ksk {lifetime['P2Y']} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
+ f"zsk {lifetime['P2M']} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
]
isctest.kasp.wait_keymgr_done(ns3, zone)
# Check keys again, make sure the rollover has started.
keyprops = [
- f"ksk {lifetime['P2Y']} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
- f"zsk {lifetime['P2M']} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
- f"zsk {lifetime['P2M']} {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden",
+ f"ksk {lifetime['P2Y']} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
+ f"zsk {lifetime['P2M']} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
+ f"zsk {lifetime['P2M']} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:hidden",
]
expected = isctest.kasp.policy_to_properties(ttl=ttl, keys=keyprops)
keys = isctest.kasp.keydir_to_keylist(zone, keydir)
import pytest
from isctest.kasp import KeyTimingMetadata
+from isctest.vars.algorithms import Algorithm
import isctest
def check_keys(
keys,
lifetime,
- alg=os.environ["DEFAULT_ALGORITHM_DST_NUMBER"],
- size=os.environ["DEFAULT_BITS"],
+ alg=None,
+ size=None,
offset=0,
with_state=False,
):
# Check keys that were created.
+ if alg is None:
+ alg = Algorithm.default().dst
+ if size is None:
+ size = Algorithm.default().bits
+
num = 0
now = KeyTimingMetadata.now()
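Review bot: The new defaults change `alg` and `size` from `str` (the old `os.environ[...]` values) to `int` (`Algorithm.default().dst` and `.bits`), so any string comparison or concatenation further down in `check_keys` would now behave differently. The rest of the body is outside this hunk, so this needs checking there and at callers that still pass strings. Resolving the defaults inside the function instead of in the signature is sound, but it calls `Algorithm.default()` twice; `default = Algorithm.default()` once, then `default.dst` and `default.bits`, is tidier. A short docstring stating that `None` selects the default algorithm's DST number and key size would make the new contract explicit.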
import pytest
+from isctest.vars.algorithms import Algorithm
+
import isctest
import isctest.mark
"config": standard_config,
"offset": 0,
"key-properties": [
- f"ksk 0 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:rumoured",
- f"zsk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+ f"ksk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:rumoured",
+ f"zsk {lifetime['P60D']} {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
],
},
id="migrate.kasp",
"config": default_config,
"offset": 0,
"key-properties": [
- f"csk 0 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:rumoured",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:rumoured",
],
},
id="csk.kasp",
"config": default_config,
"offset": 0,
"key-properties": [
- f"csk 0 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:rumoured",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:rumoured",
],
},
id="csk-nosep.kasp",
"config": timing_config,
"offset": -timedelta(seconds=300),
"key-properties": [
- f"ksk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:rumoured",
- f"zsk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+ f"ksk {lifetime['P60D']} {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:rumoured",
+ f"zsk {lifetime['P60D']} {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
],
},
id="rumoured.kasp",
"config": timing_config,
"offset": -timedelta(seconds=3900),
"key-properties": [
- f"ksk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
- f"zsk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
+ f"ksk {lifetime['P60D']} {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
+ f"zsk {lifetime['P60D']} {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
],
},
id="omnipresent.kasp",
"config": timing_config,
"offset": -timedelta(hours=12),
"key-properties": [
- f"ksk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured",
- f"zsk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
+ f"ksk {lifetime['P60D']} {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured",
+ f"zsk {lifetime['P60D']} {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
],
},
id="no-syncpublish.kasp",
"key-properties": [
"ksk - 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
"zsk - 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent",
- f"ksk 0 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
- f"zsk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+ f"ksk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
+ f"zsk {lifetime['P60D']} {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
],
},
id="migrate-nomatch-algnum.kasp",
"config": migrate_config,
"offset": -timedelta(seconds=3900),
"key-properties": [
- f"ksk - {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
- f"zsk - {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
+ f"ksk - {Algorithm.default().number} {Algorithm.default().bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
+ f"zsk - {Algorithm.default().number} {Algorithm.default().bits} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
# This key is considered to be prepublished, so it is not yet signing, nor is the DS introduced.
- f"csk 0 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:hidden ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:hidden ds:hidden",
],
},
id="migrate-nomatch-kzc.kasp",
]
)
-ALGORITHM = os.environ["DEFAULT_ALGORITHM_NUMBER"]
-SIZE = os.environ["DEFAULT_BITS"]
CONFIG = {
"dnskey-ttl": timedelta(hours=1),
"ds-ttl": timedelta(days=1),
check_dnssec(server, zone, keys, expected)
-def test_multisigner(ns2, ns3, ns4):
+def test_multisigner(ns2, ns3, ns4, default_algorithm):
zone = "model2.multisigner"
keyprops = [
- f"ksk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
- f"zsk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
+ f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
+ f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
]
# First make sure the zone is properly signed.
check_dnssec(ns4, zone, keys4, expected4)
# Add DNSKEY to RRset.
- newprops = [f"zsk unlimited {ALGORITHM} {SIZE}"]
+ newprops = [f"zsk unlimited {default_algorithm.number} {default_algorithm.bits}"]
extra = isctest.kasp.policy_to_properties(ttl=TTL, keys=newprops)
extra[0].private = False
extra[0].legacy = True
check_no_dnssec_in_journal(ns4, zone)
# Add CDNSKEY RRset.
- newprops = [f"ksk unlimited {ALGORITHM} {SIZE}"]
+ newprops = [f"ksk unlimited {default_algorithm.number} {default_algorithm.bits}"]
extra = isctest.kasp.policy_to_properties(ttl=TTL, keys=newprops)
extra[0].private = False
extra[0].legacy = True
)
-def test_multisigner_secondary(ns2, ns3, ns4, ns5):
+def test_multisigner_secondary(ns2, ns3, ns4, ns5, default_algorithm):
zone = "model2.secondary"
keyprops = [
- f"ksk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
- f"zsk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
+ f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
+ f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
]
# First make sure the zone is properly signed.
check_dnssec(ns4, zone, keys4, expected4)
# Add DNSKEY to RRset.
- newprops = [f"zsk unlimited {ALGORITHM} {SIZE}"]
+ newprops = [f"zsk unlimited {default_algorithm.number} {default_algorithm.bits}"]
extra = isctest.kasp.policy_to_properties(ttl=TTL, keys=newprops)
extra[0].private = False
extra[0].legacy = True
check_no_dnssec_in_journal(ns4, zone)
# Add CDNSKEY RRset.
- newprops = [f"ksk unlimited {ALGORITHM} {SIZE}"]
+ newprops = [f"ksk unlimited {default_algorithm.number} {default_algorithm.bits}"]
extra = isctest.kasp.policy_to_properties(ttl=TTL, keys=newprops)
extra[0].private = False
extra[0].legacy = True
from datetime import timedelta
-import os
-
import dns
import pytest
]
)
-ALGORITHM = os.environ["DEFAULT_ALGORITHM_NUMBER"]
-SIZE = os.environ["DEFAULT_BITS"]
-
default_config = {
"dnskey-ttl": timedelta(hours=1),
"ds-ttl": timedelta(days=1),
import dns.update
import pytest
-from isctest.vars.algorithms import RSASHA1
-from nsec3.common import ALGORITHM, SIZE, check_nsec3_case, default_config, pytestmark
+from isctest.vars.algorithms import RSASHA1, Algorithm
+from nsec3.common import check_nsec3_case, default_config, pytestmark
import isctest
import isctest.mark
"salt-length": 8,
},
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
}
zone = params["zone"]
import dns.update
import pytest
-from isctest.vars.algorithms import RSASHA1
-from nsec3.common import ALGORITHM, SIZE, check_nsec3_case, default_config, pytestmark
+from isctest.vars.algorithms import RSASHA1, Algorithm
+from nsec3.common import check_nsec3_case, default_config, pytestmark
import isctest
import isctest.mark
"zone": "nsec-to-nsec3.kasp",
"policy": "nsec",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec-to-nsec3.kasp",
"zone": "nsec3-xfr-inline.kasp",
"policy": "nsec",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
"external-keys": [
- f"csk 0 {ALGORITHM} {SIZE}",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits}",
],
"external-keydir": "ns2",
},
"zone": "nsec3-dynamic-update-inline.kasp",
"policy": "nsec",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-dynamic-update-inline.kasp",
"zone": "nsec3-to-rsasha1.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
],
},
id="nsec3-to-rsasha1.kasp",
"zone": "nsec3-to-rsasha1-ds.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
],
},
id="nsec3-to-rsasha1-ds.kasp",
"zone": "nsec3.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3.kasp",
"zone": "nsec3-dynamic.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-dynamic.kasp",
"zone": "nsec3-change.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-change.kasp",
"zone": "nsec3-dynamic-change.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-dynamic-change.kasp",
"zone": "nsec3-dynamic-to-inline.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-dynamic-to-inline.kasp",
"zone": "nsec3-inline-to-dynamic.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-inline-to-dynamic.kasp",
"zone": "nsec3-to-nsec.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-to-nsec.kasp",
"zone": "nsec3-to-optout.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-to-optout.kasp",
"salt-length": 0,
},
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-from-optout.kasp",
"salt-length": 8,
},
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-other.kasp",
import dns.update
import pytest
-from isctest.vars.algorithms import RSASHA1
-from nsec3.common import ALGORITHM, SIZE, check_nsec3_case, default_config, pytestmark
+from isctest.vars.algorithms import RSASHA1, Algorithm
+from nsec3.common import check_nsec3_case, default_config, pytestmark
import isctest
import isctest.mark
"policy": "nsec3",
"key-properties": [
f"csk 0 {RSASHA1.number} 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="rsasha1-to-nsec3.kasp",
"policy": "nsec3",
"key-properties": [
f"csk 0 {RSASHA1.number} 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="rsasha1-to-nsec3-wait.kasp",
"zone": "nsec3-to-rsasha1.kasp",
"policy": "rsasha1",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
f"csk 0 {RSASHA1.number} 2048 goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
"zone": "nsec3-to-rsasha1-ds.kasp",
"policy": "rsasha1",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
f"csk 0 {RSASHA1.number} 2048 goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
"zone": "nsec3-to-nsec.kasp",
"policy": "nsec",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-to-nsec.kasp",
"zone": "nsec-to-nsec3.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec-to-nsec3.kasp",
"zone": "nsec3.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3.kasp",
"zone": "nsec3-dynamic.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-dynamic.kasp",
"salt-length": 8,
},
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-dynamic-change.kasp",
"zone": "nsec3-dynamic-to-inline.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-dynamic-to-inline.kasp",
"zone": "nsec3-inline-to-dynamic.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-inline-to-dynamic.kasp",
# "salt-length": 0,
# },
# "key-properties": [
- # f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ # f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
# ],
# },
# id="nsec3-to-optout.kasp",
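Review bot: The edited line sits inside a commented-out parametrize entry, so the new expression is never evaluated and a typo in it would go unnoticed; the same applies to the `nsec3-from-optout.kasp` entry in the next hunk. If these cases are disabled on purpose, keeping them as live `pytest.param(..., marks=pytest.mark.skip(reason="<reason>"))` entries would let the interpreter check them and would record why they are off. Otherwise a one-line comment above the block, such as `# Disabled: <reason>`, would document it. The reason itself is not visible in this hunk.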
# "zone": "nsec3-from-optout.kasp",
# "policy": "optout",
# "key-properties": [
- # f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ # f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
# ],
# },
# id="nsec3-from-optout.kasp",
"salt-length": 8,
},
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-other.kasp",
"zone": "nsec3-ent.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
}
import dns
import pytest
-from nsec3.common import ALGORITHM, SIZE, check_nsec3_case
+from nsec3.common import check_nsec3_case
import isctest
}
-def test_nsec3_case(ns3):
+def test_nsec3_case(ns3, default_algorithm):
# Get test parameters.
params = {
"zone": "nsec3-fails-to-load.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
}
zone = params["zone"]
import dns.update
import pytest
-from nsec3.common import (
- ALGORITHM,
- SIZE,
- check_nsec3_case,
- check_nsec3param,
- default_config,
- pytestmark,
-)
+from isctest.vars.algorithms import Algorithm
+from nsec3.common import check_nsec3_case, check_nsec3param, default_config, pytestmark
import isctest
import isctest.mark
"zone": "nsec3.kasp",
"policy": "nsec3",
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3.kasp",
"salt-length": 8,
},
"key-properties": [
- f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
},
id="nsec3-other.kasp",
CDSS,
DURATION,
TIMEDELTA,
- alg,
pytestmark,
- size,
)
from rollover.setup import configure_algo_csk, configure_root, configure_tld
param("manual"),
],
)
-def test_algoroll_csk_reconfig_step1(tld, ns3, alg, size):
+def test_algoroll_csk_reconfig_step1(tld, ns3, default_algorithm):
zone = f"step1.csk-algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
# The RSASHA keys are outroducing.
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
# The ECDSAP256SHA256 keys are introducing.
- f"csk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
# Next key event is when the ecdsa256 keys have been propagated.
"nextev": ALGOROLL_IPUB,
param("manual"),
],
)
-def test_algoroll_csk_reconfig_step2(tld, ns3, alg, size):
+def test_algoroll_csk_reconfig_step2(tld, ns3, default_algorithm):
zone = f"step2.csk-algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is
# omnipresent, but the zone signatures are not.
- f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{ALGOROLL_OFFSETS['step2']}",
+ f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{ALGOROLL_OFFSETS['step2']}",
],
# Next key event is when all zone signatures are signed with the
# new algorithm. This is the child publication interval, minus
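Review bot: The comment above the changed line still names ECDSAP256SHA256, but the expected key line now takes its algorithm from `default_algorithm`, which may not be that algorithm (how it is selected is outside this hunk). The step1 hunk of this file has the same comment plus `# Next key event is when the ecdsa256 keys have been propagated.`, and the ksk/zsk reconfig file repeats both. Wording that does not name an algorithm, e.g. `# The new-algorithm keys are introducing. The DNSKEY RRset is` and `# Next key event is when the new keys have been propagated.`, would stay correct whichever algorithm the suite selects. The function body continues outside the hunk.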
param("manual"),
],
)
-def test_algoroll_csk_reconfig_step3(tld, ns3, alg, size):
+def test_algoroll_csk_reconfig_step3(tld, ns3, default_algorithm):
zone = f"step3.csk-algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
"cdss": CDSS,
"keyprops": [
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
- f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFSETS['step3']}",
+ f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFSETS['step3']}",
],
"manual-mode": True,
"nextev": None,
"keyprops": [
# The DS can be swapped.
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:unretentive offset:{ALGOROLL_OFFVAL}",
- f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{ALGOROLL_OFFSETS['step3']}",
+ f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{ALGOROLL_OFFSETS['step3']}",
],
# Next key event is when the DS becomes OMNIPRESENT. This happens
# after the publication interval of the parent side.
param("manual"),
],
)
-def test_algoroll_csk_reconfig_step4(tld, ns3, alg, size):
+def test_algoroll_csk_reconfig_step4(tld, ns3, default_algorithm):
zone = f"step4.csk-algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
"cdss": CDSS,
"keyprops": [
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFVAL}",
- f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
+ f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
],
"manual-mode": True,
"nextev": None,
"keyprops": [
# The old DS is HIDDEN, we can remove the old algorithm records.
f"csk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}",
- f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
+ f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
],
# Next key event is when the old DNSKEY becomes HIDDEN.
# This happens after the DNSKEY TTL plus zone propagation delay.
param("manual"),
],
)
-def test_algoroll_csk_reconfig_step5(tld, ns3, alg, size):
+def test_algoroll_csk_reconfig_step5(tld, ns3, default_algorithm):
zone = f"step5.csk-algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
"keyprops": [
# The DNSKEY becomes HIDDEN.
f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}",
- f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
+ f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
],
# Next key event is when the RSASHA signatures become HIDDEN.
# This happens after the max-zone-ttl plus zone propagation delay
param("manual"),
],
)
-def test_algoroll_csk_reconfig_step6(tld, ns3, alg, size):
+def test_algoroll_csk_reconfig_step6(tld, ns3, default_algorithm):
zone = f"step6.csk-algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
"keyprops": [
# The zone signatures are now HIDDEN.
f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}",
- f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
+ f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
],
# Next key event is never since we established the policy and the
# keys have an unlimited lifetime. Fallback to the default
CDSS,
DURATION,
TIMEDELTA,
- alg,
pytestmark,
- size,
)
from rollover.setup import configure_algo_ksk_zsk, configure_root, configure_tld
param("manual"),
],
)
-def test_algoroll_ksk_zsk_reconfig_step1(tld, ns3, alg, size):
+def test_algoroll_ksk_zsk_reconfig_step1(tld, ns3, default_algorithm):
zone = f"step1.algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}",
# The ECDSAP256SHA256 keys are introducing.
- f"ksk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
- f"zsk 0 {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+ f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
+ f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
],
# Next key event is when the ecdsa256 keys have been propagated.
"nextev": ALGOROLL_IPUB,
param("manual"),
],
)
-def test_algoroll_ksk_zsk_reconfig_step2(tld, ns3, alg, size):
+def test_algoroll_ksk_zsk_reconfig_step2(tld, ns3, default_algorithm):
zone = f"step2.algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}",
# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is
# omnipresent, but the zone signatures are not.
- f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFSETS['step2']}",
- f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{ALGOROLL_OFFSETS['step2']}",
+ f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFSETS['step2']}",
+ f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{ALGOROLL_OFFSETS['step2']}",
],
# Next key event is when all zone signatures are signed with the new
# algorithm. This is the max-zone-ttl plus zone propagation delay. But
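Review bot: The outgoing key lines are pinned to `8 2048` while the incoming keys use `default_algorithm.number` and `default_algorithm.bits`, and nothing in this hunk stops the default from also resolving to algorithm 8. In that case both sets of expected lines would describe the same algorithm and the test would no longer exercise an algorithm change; this applies to every step in both algorithm-roll files. A guard at the top of each test, e.g. `assert default_algorithm.number != 8, "algorithm roll needs a different target algorithm"`, or a skip, would make the precondition explicit. Using a named constant for the old algorithm, as the nsec3 tests do with `RSASHA1.number`, would also make the pair easier to read. The test body starts and ends outside the hunk.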
param("manual"),
],
)
-def test_algoroll_ksk_zsk_reconfig_step3(tld, ns3, alg, size):
+def test_algoroll_ksk_zsk_reconfig_step3(tld, ns3, default_algorithm):
zone = f"step3.algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
"keyprops": [
f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}",
- f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFSETS['step3']}",
- f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step3']}",
+ f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFSETS['step3']}",
+ f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step3']}",
],
"manual-mode": True,
"nextev": None,
# The DS can be swapped.
f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{ALGOROLL_OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}",
- f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{ALGOROLL_OFFSETS['step3']}",
- f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step3']}",
+ f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{ALGOROLL_OFFSETS['step3']}",
+ f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step3']}",
],
# Next key event is when the DS becomes OMNIPRESENT. This happens
# after the retire interval.
param("manual"),
],
)
-def test_algoroll_ksk_zsk_reconfig_step4(tld, ns3, alg, size):
+def test_algoroll_ksk_zsk_reconfig_step4(tld, ns3, default_algorithm):
zone = f"step4.algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
"keyprops": [
f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}",
- f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
- f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
+ f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
+ f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
],
"manual-mode": True,
"nextev": None,
# The old DS is HIDDEN, we can remove the old algorithm records.
f"ksk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:unretentive zrrsig:unretentive offset:{ALGOROLL_OFFVAL}",
- f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
- f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
+ f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
+ f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
],
# Next key event is when the old DNSKEY becomes HIDDEN.
# This happens after the DNSKEY TTL plus zone propagation delay.
param("manual"),
],
)
-def test_algoroll_ksk_zsk_reconfig_step5(tld, ns3, alg, size):
+def test_algoroll_ksk_zsk_reconfig_step5(tld, ns3, default_algorithm):
zone = f"step5.algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
# The DNSKEY becomes HIDDEN.
f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:unretentive offset:{ALGOROLL_OFFVAL}",
- f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
- f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
+ f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
+ f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
],
# Next key event is when the RSASHA signatures become HIDDEN.
# This happens after the max-zone-ttl plus zone propagation delay
param("manual"),
],
)
-def test_algoroll_ksk_zsk_reconfig_step6(tld, ns3, alg, size):
+def test_algoroll_ksk_zsk_reconfig_step6(tld, ns3, default_algorithm):
zone = f"step6.algorithm-roll.{tld}"
policy = f"{POLICY}-{tld}"
# The zone signatures are now HIDDEN.
f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:hidden offset:{ALGOROLL_OFFVAL}",
- f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
- f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
+ f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
+ f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
],
# Next key event is never since we established the policy and the
# keys have an unlimited lifetime. Fallback to the default
from isctest.kasp import Ipub, Iret
from isctest.util import param
-from rollover.common import TIMEDELTA, alg, pytestmark, size
+from rollover.common import TIMEDELTA, pytestmark
from rollover.setup import configure_cskroll1, configure_root, configure_tld
import isctest
param("manual"),
],
)
-def test_csk_roll1_step1(tld, ns3, alg, size):
+def test_csk_roll1_step1(tld, ns3, default_algorithm):
zone = f"step1.csk-roll1.{tld}"
policy = f"{POLICY}-{tld}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
],
# Next key event is when the successor CSK needs to be published
# minus time already elapsed. This is Lcsk - Ipub + Dreg (we ignore
param("manual"),
],
)
-def test_csk_roll1_step2(tld, alg, size, ns3):
+def test_csk_roll1_step2(tld, ns3, default_algorithm):
zone = f"step2.csk-roll1.{tld}"
policy = f"{POLICY}-{tld}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
],
"manual-mode": True,
"nextev": None,
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:hidden ds:hidden offset:{OFFSETS['step2-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:hidden ds:hidden offset:{OFFSETS['step2-s']}",
],
"keyrelationships": [0, 1],
# Next key event is when the successor CSK becomes OMNIPRESENT.
param("manual"),
],
)
-def test_csk_roll1_step3(tld, alg, size, ns3):
+def test_csk_roll1_step3(tld, ns3, default_algorithm):
zone = f"step3.csk-roll1.{tld}"
policy = f"{POLICY}-{tld}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:hidden offset:{OFFSETS['step3-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:hidden offset:{OFFSETS['step3-s']}",
],
"keyrelationships": [0, 1],
"manual-mode": True,
# CSK1 ds: omnipresent -> unretentive
# CSK2 ds: hidden -> rumoured
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:unretentive ds:unretentive offset:{OFFSETS['step3-p']}",
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:rumoured offset:{OFFSETS['step3-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:unretentive ds:unretentive offset:{OFFSETS['step3-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:rumoured offset:{OFFSETS['step3-s']}",
],
"keyrelationships": [0, 1],
# Next key event is when the predecessor DS has been replaced with
param("manual"),
],
)
-def test_csk_roll1_step4(tld, alg, size, ns3):
+def test_csk_roll1_step4(tld, ns3, default_algorithm):
zone = f"step4.csk-roll1.{tld}"
policy = f"{POLICY}-{tld}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:unretentive ds:hidden offset:{OFFSETS['step4-p']}",
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:omnipresent offset:{OFFSETS['step4-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:unretentive ds:hidden offset:{OFFSETS['step4-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:omnipresent offset:{OFFSETS['step4-s']}",
],
"keyrelationships": [0, 1],
"manual-mode": True,
# CSK1 ds: unretentive -> hidden
# CSK2 ds: rumoured -> omnipresent
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:unretentive zrrsig:unretentive ds:hidden offset:{OFFSETS['step4-p']}",
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:omnipresent offset:{OFFSETS['step4-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:unretentive zrrsig:unretentive ds:hidden offset:{OFFSETS['step4-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:omnipresent offset:{OFFSETS['step4-s']}",
],
"keyrelationships": [0, 1],
# Next key event is when the KRRSIG enters the HIDDEN state.
param("manual"),
],
)
-def test_csk_roll1_step5(tld, alg, size, ns3):
+def test_csk_roll1_step5(tld, ns3, default_algorithm):
zone = f"step5.csk-roll1.{tld}"
policy = f"{POLICY}-{tld}"
# The predecessor KRRSIG records are now all hidden.
# CSK1 krrsig: unretentive -> hidden
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:hidden zrrsig:unretentive ds:hidden offset:{OFFSETS['step5-p']}",
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:omnipresent offset:{OFFSETS['step5-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:hidden zrrsig:unretentive ds:hidden offset:{OFFSETS['step5-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:omnipresent offset:{OFFSETS['step5-s']}",
],
"keyrelationships": [0, 1],
# Next key event is when the DNSKEY can be removed. This is when
param("manual"),
],
)
-def test_csk_roll1_step6(tld, alg, size, ns3):
+def test_csk_roll1_step6(tld, ns3, default_algorithm):
zone = f"step6.csk-roll1.{tld}"
policy = f"{POLICY}-{tld}"
# CSK1 zrrsig: unretentive -> hidden
# CSK2 zrrsig: rumoured -> omnipresent
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:unretentive krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step6-p']}",
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:unretentive krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step6-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-s']}",
],
"keyrelationships": [0, 1],
# Next key event is when the DNSKEY enters the HIDDEN state.
param("manual"),
],
)
-def test_csk_roll1_step7(tld, alg, size, ns3):
+def test_csk_roll1_step7(tld, ns3, default_algorithm):
zone = f"step7.csk-roll1.{tld}"
policy = f"{POLICY}-{tld}"
"cdss": CDSS,
# The predecessor CSK is now completely HIDDEN.
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step7-p']}",
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step7-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step7-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step7-s']}",
],
"keyrelationships": [0, 1],
# Next key event is when the new successor needs to be published.
param("manual"),
],
)
-def test_csk_roll1_step8(tld, alg, size, ns3):
+def test_csk_roll1_step8(tld, ns3, default_algorithm):
zone = f"step8.csk-roll1.{tld}"
policy = f"{POLICY}-{tld}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step8-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step8-s']}",
],
"nextev": None,
}
from isctest.kasp import Ipub, Iret
from isctest.util import param
-from rollover.common import TIMEDELTA, alg, pytestmark, size
+from rollover.common import TIMEDELTA, pytestmark
from rollover.setup import configure_cskroll2, configure_root, configure_tld
import isctest
param("manual"),
],
)
-def test_csk_roll2_step1(tld, alg, size, ns3):
+def test_csk_roll2_step1(tld, ns3, default_algorithm):
zone = f"step1.csk-roll2.{tld}"
policy = f"{POLICY}-{tld}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
],
# Next key event is when the successor CSK needs to be published
# minus time already elapsed. This is Lcsk - Ipub + Dreg (we ignore
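Review bot: The added `keyprops` line spells out `{default_algorithm.number} {default_algorithm.bits}` inline, which lengthens an already long f-string, and the same substitution repeats in every `keyprops` hunk of the other rollover test files on this page. Binding the two values once at the top of each test, `alg, size = default_algorithm.number, default_algorithm.bits`, would leave the expected-state strings as they were and reduce the change to the signature plus one added line per test. The `def` for this test is in the previous hunk, so the binding would go there. This is a style suggestion only; the formatted strings come out the same either way.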
param("manual"),
],
)
-def test_csk_roll2_step2(tld, alg, size, ns3):
+def test_csk_roll2_step2(tld, ns3, default_algorithm):
zone = f"step2.csk-roll2.{tld}"
policy = f"{POLICY}-{tld}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
],
"manual-mode": True,
"nextev": None,
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:hidden ds:hidden offset:{OFFSETS['step2-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:hidden ds:hidden offset:{OFFSETS['step2-s']}",
],
"keyrelationships": [0, 1],
# Next key event is when the successor CSK becomes OMNIPRESENT.
param("manual"),
],
)
-def test_csk_roll2_step3(tld, alg, size, ns3):
+def test_csk_roll2_step3(tld, ns3, default_algorithm):
zone = f"step3.csk-roll2.{tld}"
policy = f"{POLICY}-{tld}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:hidden offset:{OFFSETS['step3-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:hidden offset:{OFFSETS['step3-s']}",
],
"keyrelationships": [0, 1],
"manual-mode": True,
# CSK1 ds: omnipresent -> unretentive
# CSK2 ds: hidden -> rumoured
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:unretentive ds:unretentive offset:{OFFSETS['step3-p']}",
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:rumoured offset:{OFFSETS['step3-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:unretentive ds:unretentive offset:{OFFSETS['step3-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:rumoured offset:{OFFSETS['step3-s']}",
],
"keyrelationships": [0, 1],
# Next key event is when the predecessor DS has been replaced with
param("manual"),
],
)
-def test_csk_roll2_step4(tld, alg, size, ns3):
+def test_csk_roll2_step4(tld, ns3, default_algorithm):
zone = f"step4.csk-roll2.{tld}"
policy = f"{POLICY}-{tld}"
# CSK1 zrrsig: unretentive -> hidden
# CSK2 zrrsig: rumoured -> omnipresent
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:unretentive offset:{OFFSETS['step4-p']}",
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{OFFSETS['step4-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:unretentive offset:{OFFSETS['step4-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{OFFSETS['step4-s']}",
],
"keyrelationships": [0, 1],
# Next key event is when the predecessor DS has been replaced with
param("manual"),
],
)
-def test_csk_roll2_step5(tld, alg, size, ns3):
+def test_csk_roll2_step5(tld, ns3, default_algorithm):
zone = f"step5.csk-roll2.{tld}"
policy = f"{POLICY}-{tld}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:hidden offset:{OFFSETS['step5-p']}",
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:hidden offset:{OFFSETS['step5-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-s']}",
],
"keyrelationships": [0, 1],
"manual-mode": True,
# The successor key is now fully OMNIPRESENT.
# CSK2 ds: rumoured -> omnipresent
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:hidden ds:hidden offset:{OFFSETS['step5-p']}",
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:hidden ds:hidden offset:{OFFSETS['step5-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-s']}",
],
"keyrelationships": [0, 1],
# Next key event is when the DNSKEY enters the HIDDEN state.
param("manual"),
],
)
-def test_csk_roll2_step6(tld, alg, size, ns3):
+def test_csk_roll2_step6(tld, ns3, default_algorithm):
zone = f"step6.csk-roll2.{tld}"
policy = f"{POLICY}-{tld}"
# CSK1 dnskey: unretentive -> hidden
# CSK1 krrsig: unretentive -> hidden
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step6-p']}",
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step6-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-s']}",
],
"keyrelationships": [0, 1],
# Next key event is when the new successor needs to be published.
param("manual"),
],
)
-def test_csk_roll2_step7(tld, alg, size, ns3):
+def test_csk_roll2_step7(tld, ns3, default_algorithm):
zone = f"step7.csk-roll2.{tld}"
policy = f"{POLICY}-{tld}"
"cdss": CDSS,
# The predecessor CSK is now completely HIDDEN.
"keyprops": [
- f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step7-p']}",
- f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step7-s']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step7-p']}",
+ f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step7-s']}",
],
"keyrelationships": [0, 1],
"nextev": None,
# pylint: disable=redefined-outer-name,unused-import
-from rollover.common import CDSS, DEFAULT_CONFIG, alg, pytestmark, size
+from rollover.common import CDSS, DEFAULT_CONFIG, pytestmark
import isctest
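Review bot: The `# pylint: disable=redefined-outer-name,unused-import` line above this import may now be wider than needed, because the import no longer brings in the `alg` and `size` fixtures that the test signature used to take as parameters. `pytestmark` is still imported without being referenced, so `unused-import` presumably has to stay, but the other suppression could likely be dropped: `# pylint: disable=unused-import`. This is inferred from the visible lines only, so confirm that no other imported or module-level fixture name is reused as a test parameter in this file. The sibling rollover test files may carry the same leftover.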
-def test_dynamic2inline(alg, size, ns3, templates):
+def test_dynamic2inline(ns3, default_algorithm, templates):
config = DEFAULT_CONFIG
policy = "default"
zone = "dynamic2inline.kasp"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"csk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
"nextev": None,
}
from isctest.kasp import Ipub, IpubC, Iret
from isctest.util import param
-from rollover.common import CDSS, TIMEDELTA, alg, pytestmark, size
+from rollover.common import CDSS, TIMEDELTA, pytestmark
from rollover.setup import configure_enable_dnssec, configure_root, configure_tld
import isctest
param("manual"),
],
)
-def test_rollover_enable_dnssec_step1(tld, alg, size, ns3):
+def test_rollover_enable_dnssec_step1(tld, default_algorithm, ns3):
zone = f"step1.enable-dnssec.{tld}"
policy = f"{POLICY}-{tld}"
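Review bot: The new signature puts `default_algorithm` before `ns3`, `(tld, default_algorithm, ns3)`, here and in steps 2 to 4 of this file, whereas the csk-roll and ksk-doubleksk tests changed on the same page use `(tld, ns3, default_algorithm)`. pytest resolves fixtures by name, so this should be cosmetic, but one order across the rollover tests makes the signatures easier to scan and search: `def test_rollover_enable_dnssec_step1(tld, ns3, default_algorithm):`. The function body continues past this hunk.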
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"csk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden offset:{OFFSETS['step1']}",
+ f"csk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden offset:{OFFSETS['step1']}",
],
# Next key event is when the DNSKEY RRset becomes OMNIPRESENT,
# after the publication interval.
param("manual"),
],
)
-def test_rollover_enable_dnssec_step2(tld, alg, size, ns3):
+def test_rollover_enable_dnssec_step2(tld, default_algorithm, ns3):
zone = f"step2.enable-dnssec.{tld}"
policy = f"{POLICY}-{tld}"
# dnskey: rumoured -> omnipresent
# krrsig: rumoured -> omnipresent
"keyprops": [
- f"csk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{OFFSETS['step2']}",
+ f"csk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{OFFSETS['step2']}",
],
# Next key event is when the zone signatures become OMNIPRESENT,
# Minus the time already elapsed.
param("manual"),
],
)
-def test_rollover_enable_dnssec_step3(tld, alg, size, ns3):
+def test_rollover_enable_dnssec_step3(tld, default_algorithm, ns3):
zone = f"step3.enable-dnssec.{tld}"
policy = f"{POLICY}-{tld}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"csk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:hidden offset:{OFFSETS['step3']}",
+ f"csk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:hidden offset:{OFFSETS['step3']}",
],
"manual-mode": True,
"nextev": None,
# zrrsig: rumoured -> omnipresent
# ds: hidden -> rumoured
"keyprops": [
- f"csk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{OFFSETS['step3']}",
+ f"csk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{OFFSETS['step3']}",
],
# Next key event is when the DS can move to the OMNIPRESENT state.
# This is after the retire interval.
param("manual"),
],
)
-def test_rollover_enable_dnssec_step4(tld, alg, size, ns3):
+def test_rollover_enable_dnssec_step4(tld, default_algorithm, ns3):
zone = f"step4.enable-dnssec.{tld}"
policy = f"{POLICY}-{tld}"
# DS has been published long enough.
# ds: rumoured -> omnipresent
"keyprops": [
- f"csk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4']}",
+ f"csk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4']}",
],
# Next key event is never, the zone dnssec-policy has been
# established. So we fall back to the default loadkeys interval.
import pytest
-from rollover.common import CDSS, DURATION, UNSIGNING_CONFIG, alg, pytestmark, size
+from rollover.common import CDSS, DURATION, UNSIGNING_CONFIG, pytestmark
from rollover.setup import configure_going_insecure, configure_root, configure_tld
import isctest
"going-insecure-dynamic.kasp",
],
)
-def test_going_insecure_initial(zone, ns3, alg, size):
+def test_going_insecure_initial(zone, ns3, default_algorithm):
config = UNSIGNING_CONFIG
policy = "unsigning"
zone = f"step1.{zone}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
- f"zsk {DURATION['P60D']} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{-DURATION['P10D']}",
+ f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
+ f"zsk {DURATION['P60D']} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{-DURATION['P10D']}",
],
"nextev": None,
}
import pytest
-from rollover.common import (
- CDSS,
- DEFAULT_CONFIG,
- DURATION,
- UNSIGNING_CONFIG,
- alg,
- pytestmark,
- size,
-)
+from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, UNSIGNING_CONFIG, pytestmark
from rollover.setup import configure_going_insecure, configure_root, configure_tld
import isctest
"going-insecure-dynamic.kasp",
],
)
-def test_going_insecure_reconfig_step1(zone, alg, size, ns3):
+def test_going_insecure_reconfig_step1(zone, ns3, default_algorithm):
config = DEFAULT_CONFIG
policy = "insecure"
szone = f"step1.{zone}"
"zone": szone,
"cdss": CDSS,
"keyprops": [
- f"ksk 0 {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{-DURATION['P10D']}",
- f"zsk {DURATION['P60D']} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{-DURATION['P10D']}",
+ f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{-DURATION['P10D']}",
+ f"zsk {DURATION['P60D']} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{-DURATION['P10D']}",
],
# Next key event is when the DS becomes HIDDEN. This
# happens after the# parent propagation delay plus DS TTL.
"going-insecure-dynamic.kasp",
],
)
-def test_going_insecure_reconfig_step2(zone, alg, size, ns3):
+def test_going_insecure_reconfig_step2(zone, ns3, default_algorithm):
config = DEFAULT_CONFIG
policy = "insecure"
zone = f"step2.{zone}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"ksk 0 {alg} {size} goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{-DURATION['P10D']}",
- f"zsk {DURATION['P60D']} {alg} {size} goal:hidden dnskey:unretentive zrrsig:unretentive offset:{-DURATION['P10D']}",
+ f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{-DURATION['P10D']}",
+ f"zsk {DURATION['P60D']} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:unretentive zrrsig:unretentive offset:{-DURATION['P10D']}",
],
# Next key event is when the DNSKEY becomes HIDDEN.
# This happens after the propagation delay, plus DNSKEY TTL.
KSK_IPUB,
KSK_IRET,
KSK_LIFETIME_POLICY,
- alg,
pytestmark,
- size,
)
from rollover.setup import configure_ksk_3crowd, configure_root, configure_tld
return data
-def test_rollover_ksk_three_is_a_crowd(alg, size, ns3):
+def test_rollover_ksk_three_is_a_crowd(ns3, default_algorithm):
"""Test #2375: Scheduled rollovers are happening faster than they can finish."""
zone = "three-is-a-crowd.kasp"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{OFFSET1}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{OFFSET2}",
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSET1}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{OFFSET1}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{OFFSET2}",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSET1}",
],
"keyrelationships": [0, 1],
}
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{OFFSET1}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{OFFSET2}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden offset:0",
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSET1}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{OFFSET1}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{OFFSET2}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden offset:0",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSET1}",
],
"check-keytimes": False, # checked manually with modified values
}
KSK_LIFETIME,
KSK_LIFETIME_POLICY,
TIMEDELTA,
- alg,
pytestmark,
- size,
)
from rollover.setup import configure_ksk_doubleksk, configure_root, configure_tld
param("manual"),
],
)
-def test_ksk_doubleksk_step1(tld, alg, size, ns3):
+def test_ksk_doubleksk_step1(tld, ns3, default_algorithm):
zone = f"step1.ksk-doubleksk.{tld}"
policy = f"{POLICY}-{tld}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step1-p']}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step1-p']}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
],
# Next key event is when the successor KSK needs to be published.
# That is the KSK lifetime - prepublication time (minus time
param("manual"),
],
)
-def test_ksk_doubleksk_step2(tld, alg, size, ns3):
+def test_ksk_doubleksk_step2(tld, ns3, default_algorithm):
zone = f"step2.ksk-doubleksk.{tld}"
policy = f"{POLICY}-{tld}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
],
"manual-mode": True,
"nextev": None,
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden offset:{OFFSETS['step2-s']}",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden offset:{OFFSETS['step2-s']}",
],
"keyrelationships": [1, 2],
# Next key event is when the successor KSK becomes OMNIPRESENT.
param("manual"),
],
)
-def test_ksk_doubleksk_step3(tld, alg, size, ns3):
+def test_ksk_doubleksk_step3(tld, ns3, default_algorithm):
zone = f"step3.ksk-doubleksk.{tld}"
policy = f"{POLICY}-{tld}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3-p']}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{OFFSETS['step3-s']}",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3-p']}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{OFFSETS['step3-s']}",
],
"keyrelationships": [1, 2],
"manual-mode": True,
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3-p']}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{OFFSETS['step3-p']}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{OFFSETS['step3-s']}",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3-p']}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{OFFSETS['step3-p']}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{OFFSETS['step3-s']}",
],
"keyrelationships": [1, 2],
# Next key event is when the predecessor DS has been replaced with
param("manual"),
],
)
-def test_ksk_doubleksk_step4(tld, alg, size, ns3):
+def test_ksk_doubleksk_step4(tld, ns3, default_algorithm):
zone = f"step4.ksk-doubleksk.{tld}"
policy = f"{POLICY}-{tld}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-p']}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{OFFSETS['step4-p']}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-s']}",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-p']}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{OFFSETS['step4-p']}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-s']}",
],
"keyrelationships": [1, 2],
"manual-mode": True,
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-p']}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{OFFSETS['step4-p']}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-s']}",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-p']}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{OFFSETS['step4-p']}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-s']}",
],
"keyrelationships": [1, 2],
# Next key event is when the DNSKEY enters the HIDDEN state.
param("manual"),
],
)
-def test_ksk_doubleksk_step5(tld, alg, size, ns3):
+def test_ksk_doubleksk_step5(tld, ns3, default_algorithm):
zone = f"step5.ksk-doubleksk.{tld}"
policy = f"{POLICY}-{tld}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step5-p']}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{OFFSETS['step5-p']}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-s']}",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step5-p']}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{OFFSETS['step5-p']}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-s']}",
],
"keyrelationships": [1, 2],
# Next key event is when the new successor needs to be published.
param("manual"),
],
)
-def test_ksk_doubleksk_step6(tld, alg, size, ns3):
+def test_ksk_doubleksk_step6(tld, ns3, default_algorithm):
zone = f"step6.ksk-doubleksk.{tld}"
policy = f"{POLICY}-{tld}"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6-p']}",
- f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-s']}",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6-p']}",
+ f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-s']}",
],
"nextev": None,
}
import pytest
from isctest.util import param
-from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, alg, pytestmark, size
+from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, pytestmark
import isctest
param("unlimit-lifetime", "short-lifetime", "P6M"),
],
)
-def test_lifetime_initial(zone, policy, lifetime, alg, size, ns3):
+def test_lifetime_initial(zone, policy, lifetime, ns3, default_algorithm):
config = DEFAULT_CONFIG
isctest.kasp.wait_keymgr_done(ns3, f"{zone}.kasp")
"zone": f"{zone}.kasp",
"cdss": CDSS,
"keyprops": [
- f"csk {DURATION[lifetime]} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk {DURATION[lifetime]} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
"nextev": None,
}
import pytest
from isctest.util import param
-from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, alg, pytestmark, size
+from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, pytestmark
import isctest
param("unlimit-lifetime", "unlimited-lifetime", 0),
],
)
-def test_lifetime_reconfig(zone, policy, lifetime, alg, size, ns3):
+def test_lifetime_reconfig(zone, policy, lifetime, ns3, default_algorithm):
config = DEFAULT_CONFIG
isctest.kasp.wait_keymgr_done(ns3, f"{zone}.kasp", reconfig=True)
"zone": f"{zone}.kasp",
"cdss": CDSS,
"keyprops": [
- f"csk {DURATION[lifetime]} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ f"csk {DURATION[lifetime]} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
"nextev": None,
}
from isctest.kasp import Iret, SettimeOptions
from isctest.run import EnvCmd
-from rollover.common import alg, pytestmark, size
+from rollover.common import pytestmark
from rollover.setup import fake_lifetime, render_and_sign_zone, setkeytimes
import isctest
return {}
-def test_rollover_multisigner(ns3, alg, size):
+def test_rollover_multisigner(ns3, default_algorithm):
policy = "multisigner-model2"
config = {
"dnskey-ttl": timedelta(hours=1),
keygen_command = [
os.environ.get("KEYGEN"),
"-a",
- alg,
+ default_algorithm.name,
"-L",
"3600",
"-M",
isctest.kasp.check_dnssec_verify(ns3, zone)
key_properties = [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden tag-range:32768-65535",
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured tag-range:32768-65535",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden tag-range:32768-65535",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:rumoured tag-range:32768-65535",
]
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
- newprops = [f"zsk unlimited {alg} {size} tag-range:0-32767"]
+ newprops = [
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} tag-range:0-32767"
+ ]
expected2 = isctest.kasp.policy_to_properties(ttl, newprops)
expected2[0].private = False
expected2[0].legacy = True
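Review bot: The expected key properties in this hunk replace `alg` with `default_algorithm.number`, while the `keygen_command` hunk just above replaces the same `alg` with `default_algorithm.name`, so the `-a` argument appears to change from the numeric form to the mnemonic with nothing in the code saying so. A one-line comment next to the `-a` value would make the pairing explicit, for example `# keygen gets the mnemonic; the expected properties use the number`. The three-line `newprops` list added at the end of this hunk is repeated verbatim in the next one; if both sit in the same scope it could be built once and reused. The enclosing test starts before this hunk and continues after it.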
# Update zone with ZSK from another provider for zone.
out = keygen(zone)
newkeys = isctest.kasp.keystr_to_keylist(out)
- newprops = [f"zsk unlimited {alg} {size} tag-range:0-32767"]
+ newprops = [
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} tag-range:0-32767"
+ ]
expected2 = isctest.kasp.policy_to_properties(ttl, newprops)
expected2[0].private = False
expected2[0].legacy = True
isctest.kasp.check_dnssec_verify(ns3, zone)
key_properties = [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden tag-range:32768-65535",
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden tag-range:32768-65535",
- f"ksk unlimited {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent tag-range:0-32767 offset:{offval}",
- f"zsk unlimited {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent tag-range:0-32767 offset:{offval}",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden tag-range:32768-65535",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:hidden tag-range:32768-65535",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent tag-range:0-32767 offset:{offval}",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:omnipresent tag-range:0-32767 offset:{offval}",
]
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
import pytest
-from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, alg, pytestmark, size
+from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, pytestmark
from rollover.setup import configure_root, configure_straight2none, configure_tld
import isctest
"going-straight-to-none-dynamic.kasp",
],
)
-def test_straight2none_initial(zone, ns3, alg, size):
+def test_straight2none_initial(zone, ns3, default_algorithm):
config = DEFAULT_CONFIG
policy = "default"
"zone": zone,
"cdss": CDSS,
"keyprops": [
- f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
+ f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
],
"nextev": None,
}
import pytest
-from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, alg, pytestmark, size
+from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, pytestmark
from rollover.setup import configure_root, configure_straight2none, configure_tld
import isctest
"going-straight-to-none-dynamic.kasp",
],
)
-def test_straight2none_reconfig(zone, ns3, alg, size):
+def test_straight2none_reconfig(zone, ns3, default_algorithm):
config = DEFAULT_CONFIG
policy = None
# These zones will go bogus after signatures expire, but
# remain validly signed for now.
"keyprops": [
- f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
+ f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
],
"nextev": None,
}
from isctest.kasp import Ipub, Iret
from isctest.util import param
-from rollover.common import TIMEDELTA, alg, pytestmark, size
+from rollover.common import TIMEDELTA, pytestmark
from rollover.setup import configure_root, configure_tld, configure_zsk_prepub
import isctest
param("manual"),
],
)
-def test_zsk_prepub_step1(tld, alg, size, ns3):
+def test_zsk_prepub_step1(tld, ns3, default_algorithm):
zone = f"step1.zsk-prepub.{tld}"
policy = f"{POLICY}-{tld}"
# Introduce the first key. This will immediately be active.
"zone": zone,
"keyprops": [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
- f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step1-p']}",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
+ f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step1-p']}",
],
# Next key event is when the successor ZSK needs to be published.
# That is the ZSK lifetime - prepublication time (minus time
param("manual"),
],
)
-def test_zsk_prepub_step2(tld, alg, size, ns3):
+def test_zsk_prepub_step2(tld, ns3, default_algorithm):
zone = f"step2.zsk-prepub.{tld}"
policy = f"{POLICY}-{tld}"
step = {
"zone": zone,
"keyprops": [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
- f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
+ f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
],
"manual-mode": True,
"nextev": None,
# zsk2 dnskey: hidden -> rumoured
"zone": zone,
"keyprops": [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
- f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
- f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden offset:{OFFSETS['step2-s']}",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
+ f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
+ f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:hidden offset:{OFFSETS['step2-s']}",
],
"keyrelationships": [1, 2],
# next key event is when the successor zsk becomes omnipresent.
param("manual"),
],
)
-def test_zsk_prepub_step3(tld, alg, size, ns3):
+def test_zsk_prepub_step3(tld, ns3, default_algorithm):
zone = f"step3.zsk-prepub.{tld}"
policy = f"{POLICY}-{tld}"
step = {
"zone": zone,
"keyprops": [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
- f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3-p']}",
- f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:hidden offset:{OFFSETS['step3-s']}",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
+ f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3-p']}",
+ f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:hidden offset:{OFFSETS['step3-s']}",
],
"keyrelationships": [1, 2],
"manual-mode": True,
# zsk2 zrrsig: hidden -> rumoured
"zone": zone,
"keyprops": [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
- f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:unretentive offset:{OFFSETS['step3-p']}",
- f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{OFFSETS['step3-s']}",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
+ f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:unretentive offset:{OFFSETS['step3-p']}",
+ f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{OFFSETS['step3-s']}",
],
"keyrelationships": [1, 2],
# next key event is when all the rrsig records have been replaced
param("manual"),
],
)
-def test_zsk_prepub_step4(tld, alg, size, ns3):
+def test_zsk_prepub_step4(tld, ns3, default_algorithm):
zone = f"step4.zsk-prepub.{tld}"
policy = f"{POLICY}-{tld}"
step = {
"zone": zone,
"keyprops": [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-p']}",
- f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:hidden offset:{OFFSETS['step4-p']}",
- f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-s']}",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-p']}",
+ f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:hidden offset:{OFFSETS['step4-p']}",
+ f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-s']}",
],
"keyrelationships": [1, 2],
"manual-mode": True,
# zsk2 zrrsig: rumoured -> omnipresent
"zone": zone,
"keyprops": [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-p']}",
- f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:unretentive zrrsig:hidden offset:{OFFSETS['step4-p']}",
- f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-s']}",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-p']}",
+ f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:unretentive zrrsig:hidden offset:{OFFSETS['step4-p']}",
+ f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-s']}",
],
"keyrelationships": [1, 2],
# next key event is when the dnskey enters the hidden state.
param("manual"),
],
)
-def test_zsk_prepub_step5(tld, alg, size, ns3):
+def test_zsk_prepub_step5(tld, ns3, default_algorithm):
zone = f"step5.zsk-prepub.{tld}"
policy = f"{POLICY}-{tld}"
# zsk1 dnskey: unretentive -> hidden
"zone": zone,
"keyprops": [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-p']}",
- f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:hidden zrrsig:hidden offset:{OFFSETS['step5-p']}",
- f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step5-s']}",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-p']}",
+ f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:hidden zrrsig:hidden offset:{OFFSETS['step5-p']}",
+ f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step5-s']}",
],
"keyrelationships": [1, 2],
# next key event is when the new successor needs to be published.
param("manual"),
],
)
-def test_zsk_prepub_step6(tld, alg, size, ns3):
+def test_zsk_prepub_step6(tld, ns3, default_algorithm):
zone = f"step6.zsk-prepub.{tld}"
policy = f"{POLICY}-{tld}"
# predecessor zsk is now purged.
"zone": zone,
"keyprops": [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-p']}",
- f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6-s']}",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-p']}",
+ f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6-s']}",
],
"nextev": None,
}
from datetime import timedelta
-import os
-
import pytest
from isctest.kasp import Ipub, IpubC, Iret
-from isctest.vars.algorithms import Algorithm
pytestmark = pytest.mark.extra_artifacts(
[
KSK_IPUBC = IpubC(KSK_CONFIG)
KSK_IRET = Iret(KSK_CONFIG, zsk=False, ksk=True)
KSK_KEYTTLPROP = KSK_CONFIG["dnskey-ttl"] + KSK_CONFIG["zone-propagation-delay"]
-
-
-@pytest.fixture
-def alg():
- return os.environ["DEFAULT_ALGORITHM_NUMBER"]
-
-
-@pytest.fixture
-def size():
- return os.environ["DEFAULT_BITS"]
-
-
-def default_algorithm():
- return Algorithm(
- os.environ["DEFAULT_ALGORITHM"],
- int(os.environ["DEFAULT_ALGORITHM_NUMBER"]),
- int(os.environ["DEFAULT_ALGORITHM_DST_NUMBER"]),
- int(os.environ["DEFAULT_BITS"]),
- )
from isctest.kasp import SettimeOptions, private_type_record
from isctest.run import EnvCmd
from isctest.template import Nameserver, TrustAnchor, Zone
-from rollover.common import default_algorithm
+from isctest.vars.algorithms import Algorithm
import isctest
def configure_tld(zonename: str, delegations: List[Zone]) -> Zone:
templates = isctest.template.TemplateEngine(".")
- alg = default_algorithm()
+ alg = Algorithm.default()
keygen = EnvCmd("KEYGEN", f"-q -a {alg.number} -b {alg.bits} -L 3600")
signer = EnvCmd("SIGNER", "-S -g")
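Review bot: `alg = Algorithm.default()` in configure_tld (and again in configure_root in the next hunk) resolves the algorithm independently of the module-scoped `default_algorithm` fixture the tests now take. The keys generated here therefore match the tests' expected `keyprops` only if both return the same value for the whole run. `Algorithm.default()` is not shown in this diff, whereas the helper it replaces indexed `os.environ[...]` directly and raised `KeyError` when a variable was unset. It is worth confirming the classmethod fails just as loudly, because a silent fallback would leave the suite exercising a different DNSSEC algorithm than the run was configured for. A short comment above the assignment, such as `# must resolve to the same algorithm as the default_algorithm fixture`, would record the coupling; both function bodies continue outside their hunks.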
def configure_root(delegations: List[Zone]) -> TrustAnchor:
templates = isctest.template.TemplateEngine(".")
- alg = default_algorithm()
+ alg = Algorithm.default()
keygen = EnvCmd("KEYGEN", f"-q -a {alg.number} -b {alg.bits} -L 3600")
signer = EnvCmd("SIGNER", "-S -g")
from datetime import timedelta
-import os
-
from isctest.kasp import (
Ipub,
Iret,
)
from isctest.run import EnvCmd
from isctest.template import Nameserver, Zone
-from rollover.common import default_algorithm
+from isctest.vars.algorithms import Algorithm
from rollover.setup import configure_root, configure_tld, setkeytimes
import isctest
def setup_zone(zone, ksk_time, ksk_timings, zsk_time, zsk_timings) -> Zone:
templates = isctest.template.TemplateEngine(".")
- alg = default_algorithm()
- keygen = EnvCmd("KEYGEN", f"-q -a {alg.number} -b {alg.bits} -L 3600")
+ default_algorithm = Algorithm.default()
+ keygen = EnvCmd(
+ "KEYGEN",
+ f"-q -a {default_algorithm.number} -b {default_algorithm.bits} -L 3600",
+ )
signer = EnvCmd("SIGNER", "-S -g")
isctest.log.info(f"setup {zone}")
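Review bot: The local in setup_zone is renamed to `default_algorithm`, which is also the name of the pytest fixture, while configure_tld and configure_root keep `alg` for the same `Algorithm.default()` value. A reader of this helper could take the local for the injected fixture, and the rename is the only reason the `keygen` line had to be reflowed over four lines. Keeping `alg = Algorithm.default()` would leave `keygen = EnvCmd("KEYGEN", f"-q -a {alg.number} -b {alg.bits} -L 3600")` unchanged and consistent with the other setup helpers. The body of setup_zone continues outside the hunk.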
POLICY = "manual-rollover"
-def test_rollover_manual(ns3):
+def test_rollover_manual(ns3, default_algorithm):
ttl = int(CONFIG["dnskey-ttl"].total_seconds())
- alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
- size = os.environ["DEFAULT_BITS"]
zone = "manual-rollover.kasp"
isctest.kasp.wait_keymgr_done(ns3, zone)
isctest.kasp.check_dnssec_verify(ns3, zone)
key_properties = [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
]
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
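Review bot: Every `key_properties` entry in test_rollover_manual now spells out `{default_algorithm.number} {default_algorithm.bits}`, which lengthens lines that were already long and turns each of them into a changed line. Replacing the two removed `os.environ` lookups with `alg = default_algorithm.number` and `size = default_algorithm.bits` would leave the property strings untouched and keep the change to the signature and those two lines. The same applies to test_rollover_manual_zrrsig_rumoured, the test_zsk_prepub_step* and test_straight2none_* hunks, and the `newprops` / `key_properties` hunks earlier on the page. The test body continues outside this hunk.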
isctest.kasp.check_dnssec_verify(ns3, zone)
key_properties = [
- f"ksk unlimited {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
]
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
isctest.kasp.check_dnssec_verify(ns3, zone)
key_properties = [
- f"ksk unlimited {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
- f"zsk unlimited {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:hidden",
]
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
assert "key is not actively signing" in response.out
-def test_rollover_manual_zrrsig_rumoured(ns3):
+def test_rollover_manual_zrrsig_rumoured(ns3, default_algorithm):
ttl = int(CONFIG["dnskey-ttl"].total_seconds())
- alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
- size = os.environ["DEFAULT_BITS"]
zone = "manual-rollover-zrrsig-rumoured.kasp"
isctest.kasp.wait_keymgr_done(ns3, zone)
koffset = -int(timedelta(days=7).total_seconds())
zoffset = -int(timedelta(hours=2).total_seconds())
key_properties = [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{koffset}",
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{zoffset}",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{koffset}",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{zoffset}",
]
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
isctest.kasp.check_dnssec_verify(ns3, zone)
key_properties = [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{koffset}",
+ f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{koffset}",
# Predecessor DNSKEY must stay until successor ZSK is fully omnipresent.
- f"zsk unlimited {alg} {size} goal:hidden dnskey:omnipresent zrrsig:rumoured offset:{zoffset}",
- f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden offset:0",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:rumoured offset:{zoffset}",
+ f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:hidden offset:0",
]
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)