--- /dev/null
+../rollover/common.py
\ No newline at end of file
--- /dev/null
+../../rollover-dynamic2inline/ns6/named.common.conf.j2
\ No newline at end of file
* information regarding copyright ownership.
*/
-// NS6
-
{% set csk_roll = csk_roll | default(False) %}
{% set _csk_file = "csk1.conf" if not csk_roll else "csk2.conf" %}
-include "kasp.conf";
include "@_csk_file@";
-
include "named.common.conf";
zone "step1.csk-algorithm-roll.kasp" {
--- /dev/null
+../../rollover-dynamic2inline/ns6/template.db.in
\ No newline at end of file
# information regarding copyright ownership.
# shellcheck source=conf.sh
-. ../../conf.sh
+. ../conf.sh
-echo_i "ns6/setup.sh"
+cd "ns6"
setup() {
zone="$1"
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=redefined-outer-name,unused-import
+
+import isctest
+from common import (
+ pytestmark,
+ CDSS,
+ DURATION,
+ TIMEDELTA,
+ ALGOROLL_CONFIG,
+)
+
+
+def test_algoroll_csk_initial(servers):
+ config = ALGOROLL_CONFIG
+ policy = "csk-algoroll"
+
+ step = {
+ "zone": "step1.csk-algorithm-roll.kasp",
+ "cdss": CDSS,
+ "keyprops": [
+ f"csk 0 8 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P7D']}",
+ ],
+ "nextev": TIMEDELTA["PT1H"],
+ }
+ isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
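Review bot: test_algoroll_csk_initial has no docstring, and its expectation (a single alg-8 CSK with every state omnipresent) only holds before the module-scoped autouse `reconfigure` fixture in the sibling module renders ns6/named.conf with csk_roll=True and reconfigures ns6; in the deleted single-function version that ordering was explicit, here it rests on pytest collecting this module first. Pytest's default order is by file name, so it seems worth a comment stating the dependency. Suggested docstring: `"""Check the csk-algoroll zone before the policy change: one RSASHA256 (alg 8) CSK, fully omnipresent, introduced P7D ago; must run before the reconfigure fixture of the reconfig module."""`.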
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=redefined-outer-name,unused-import
+
+import pytest
+
+import isctest
+from isctest.kasp import KeyTimingMetadata
+from common import (
+ pytestmark,
+ alg,
+ size,
+ CDSS,
+ ALGOROLL_CONFIG,
+ ALGOROLL_IPUB,
+ ALGOROLL_IPUBC,
+ ALGOROLL_IRET,
+ ALGOROLL_IRETKSK,
+ ALGOROLL_KEYTTLPROP,
+ ALGOROLL_OFFSETS,
+ ALGOROLL_OFFVAL,
+ TIMEDELTA,
+)
+
+CONFIG = ALGOROLL_CONFIG
+POLICY = "csk-algoroll"
+TIME_PASSED = 0 # set in reconfigure() fixture
+
+
+@pytest.fixture(scope="module", autouse=True)
+def reconfigure(servers, templates):
+ global TIME_PASSED # pylint: disable=global-statement
+ start_time = KeyTimingMetadata.now()
+
+ templates.render("ns6/named.conf", {"csk_roll": True})
+ servers["ns6"].reconfigure()
+
+ # Calculate time passed to correctly check for next key events.
+ TIME_PASSED = KeyTimingMetadata.now().value - start_time.value
+
+
+def test_algoroll_csk_reconfig_step1(servers, alg, size):
+ step = {
+ "zone": "step1.csk-algorithm-roll.kasp",
+ "cdss": CDSS,
+ "keyprops": [
+ # The RSASHA keys are outroducing.
+ f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
+ # The ECDSAP256SHA256 keys are introducing.
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ ],
+ # Next key event is when the ecdsa256 keys have been propagated.
+ "nextev": ALGOROLL_IPUB,
+ }
+ isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+
+
+def test_algoroll_csk_reconfig_step2(servers, alg, size):
+ step = {
+ "zone": "step2.csk-algorithm-roll.kasp",
+ "cdss": CDSS,
+ "keyprops": [
+ # The RSASHA keys are outroducing, but need to stay present
+ # until the new algorithm chain of trust has been established.
+ # Thus the expected key states of these keys stay the same.
+ f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
+ # The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is
+ # omnipresent, but the zone signatures are not.
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{ALGOROLL_OFFSETS['step2']}",
+ ],
+ # Next key event is when all zone signatures are signed with the
+ # new algorithm. This is the child publication interval, minus
+ # the publication interval has already passed. Also, prevent
+ # intermittent false positives on slow platforms by subtracting
+ # the time passed between key creation and invoking 'rndc reconfig'.
+ "nextev": ALGOROLL_IPUBC - ALGOROLL_IPUB - TIME_PASSED,
+ }
+ isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+
+
+def test_algoroll_csk_reconfig_step3(servers, alg, size):
+ step = {
+ "zone": "step3.csk-algorithm-roll.kasp",
+ "cdss": CDSS,
+ "keyprops": [
+ # The DS can be swapped.
+ f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:unretentive offset:{ALGOROLL_OFFVAL}",
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{ALGOROLL_OFFSETS['step3']}",
+ ],
+ # Next key event is when the DS becomes OMNIPRESENT. This happens
+ # after the publication interval of the parent side.
+ "nextev": ALGOROLL_IRETKSK - TIME_PASSED,
+ }
+ isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+
+
+def test_algoroll_csk_reconfig_step4(servers, alg, size):
+ step = {
+ "zone": "step4.csk-algorithm-roll.kasp",
+ "cdss": CDSS,
+ "keyprops": [
+ # The old DS is HIDDEN, we can remove the old algorithm records.
+ f"csk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}",
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
+ ],
+ # Next key event is when the old DNSKEY becomes HIDDEN.
+ # This happens after the DNSKEY TTL plus zone propagation delay.
+ "nextev": ALGOROLL_KEYTTLPROP,
+ }
+ isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+
+
+def test_algoroll_csk_reconfig_step5(servers, alg, size):
+ step = {
+ "zone": "step5.csk-algorithm-roll.kasp",
+ "cdss": CDSS,
+ "keyprops": [
+ # The DNSKEY becomes HIDDEN.
+ f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}",
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
+ ],
+ # Next key event is when the RSASHA signatures become HIDDEN.
+ # This happens after the max-zone-ttl plus zone propagation delay
+ # minus the time already passed since the UNRETENTIVE state has
+ # been reached. Prevent intermittent false positives on slow
+ # platforms by subtracting the number of seconds which passed
+ # between key creation and invoking 'rndc reconfig'.
+ "nextev": ALGOROLL_IRET - ALGOROLL_IRETKSK - ALGOROLL_KEYTTLPROP - TIME_PASSED,
+ }
+ isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
+
+
+def test_algoroll_csk_reconfig_step6(servers, alg, size):
+ step = {
+ "zone": "step6.csk-algorithm-roll.kasp",
+ "cdss": CDSS,
+ "keyprops": [
+ # The zone signatures are now HIDDEN.
+ f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}",
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
+ ],
+ # Next key event is never since we established the policy and the
+ # keys have an unlimited lifetime. Fallback to the default
+ # loadkeys interval.
+ "nextev": TIMEDELTA["PT1H"],
+ }
+ isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
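Review bot: `start_time` in `reconfigure` is captured when the fixture starts, so TIME_PASSED covers only the template render plus `servers["ns6"].reconfigure()`, while the comments on the step2 and step5 `nextev` lines describe it as the time between key creation and invoking 'rndc reconfig'; the keys are created by ns6/setup.sh before the session, so TIME_PASSED presumably underestimates that interval. If the intent is only to absorb the reconfigure latency (as the old `test_rollover_policy_changes` also did), the two comments should say so; otherwise the reference time has to come from key creation. The fixture also lacks a docstring; suggest `"""Render ns6/named.conf with csk_roll=True, reconfigure ns6 and store the elapsed time in TIME_PASSED for the nextev checks."""`.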
size,
CDSS,
ALGOROLL_CONFIG,
+ ALGOROLL_IPUB,
+ ALGOROLL_IPUBC,
+ ALGOROLL_IRET,
+ ALGOROLL_IRETKSK,
+ ALGOROLL_KEYTTLPROP,
+ ALGOROLL_OFFSETS,
+ ALGOROLL_OFFVAL,
TIMEDELTA,
)
-IPUB = Ipub(ALGOROLL_CONFIG)
-IPUBC = IpubC(ALGOROLL_CONFIG, rollover=False)
-IRET = Iret(ALGOROLL_CONFIG, rollover=False)
-IRETKSK = Iret(ALGOROLL_CONFIG, zsk=False, ksk=True, rollover=False)
-KEYTTLPROP = ALGOROLL_CONFIG["dnskey-ttl"] + ALGOROLL_CONFIG["zone-propagation-delay"]
-OFFSETS = {}
-OFFSETS["step2"] = -int(IPUB.total_seconds())
-OFFSETS["step3"] = -int(IRET.total_seconds())
-OFFSETS["step4"] = OFFSETS["step3"] - int(IRETKSK.total_seconds())
-OFFSETS["step5"] = OFFSETS["step4"] - int(KEYTTLPROP.total_seconds())
-OFFSETS["step6"] = OFFSETS["step5"] - int(IRET.total_seconds())
-OFFVAL = -DURATION["P7D"]
CONFIG = ALGOROLL_CONFIG
POLICY = "ecdsa256"
TIME_PASSED = 0 # set in reconfigure() fixture
"cdss": CDSS,
"keyprops": [
# The RSASHA keys are outroducing.
- f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFVAL}",
- f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFVAL}",
+ f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
+ f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}",
# The ECDSAP256SHA256 keys are introducing.
f"ksk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
f"zsk 0 {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
],
# Next key event is when the ecdsa256 keys have been propagated.
- "nextev": IPUB,
+ "nextev": ALGOROLL_IPUB,
}
isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
# The RSASHA keys are outroducing, but need to stay present
# until the new algorithm chain of trust has been established.
# Thus the expected key states of these keys stay the same.
- f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFVAL}",
- f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFVAL}",
+ f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
+ f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}",
# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is
# omnipresent, but the zone signatures are not.
- f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{OFFSETS['step2']}",
- f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{OFFSETS['step2']}",
+ f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFSETS['step2']}",
+ f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{ALGOROLL_OFFSETS['step2']}",
],
# Next key event is when all zone signatures are signed with the new
# algorithm. This is the max-zone-ttl plus zone propagation delay. But
# the publication interval has already passed. Also, prevent intermittent
# false positives on slow platforms by subtracting the time passed between
# key creation and invoking 'rndc reconfig'.
- "nextev": IPUBC - IPUB - TIME_PASSED,
+ "nextev": ALGOROLL_IPUBC - ALGOROLL_IPUB - TIME_PASSED,
}
isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
"cdss": CDSS,
"keyprops": [
# The DS can be swapped.
- f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{OFFVAL}",
- f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFVAL}",
- f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{OFFSETS['step3']}",
- f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3']}",
+ f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{ALGOROLL_OFFVAL}",
+ f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}",
+ f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{ALGOROLL_OFFSETS['step3']}",
+ f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step3']}",
],
# Next key event is when the DS becomes OMNIPRESENT. This happens
# after the retire interval.
- "nextev": IRETKSK - TIME_PASSED,
+ "nextev": ALGOROLL_IRETKSK - TIME_PASSED,
}
isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
"cdss": CDSS,
"keyprops": [
# The old DS is HIDDEN, we can remove the old algorithm records.
- f"ksk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{OFFVAL}",
- f"zsk 0 8 2048 goal:hidden dnskey:unretentive zrrsig:unretentive offset:{OFFVAL}",
- f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4']}",
- f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4']}",
+ f"ksk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}",
+ f"zsk 0 8 2048 goal:hidden dnskey:unretentive zrrsig:unretentive offset:{ALGOROLL_OFFVAL}",
+ f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
+ f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
],
# Next key event is when the old DNSKEY becomes HIDDEN.
# This happens after the DNSKEY TTL plus zone propagation delay.
- "nextev": KEYTTLPROP,
+ "nextev": ALGOROLL_KEYTTLPROP,
}
isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
"cdss": CDSS,
"keyprops": [
# The DNSKEY becomes HIDDEN.
- f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{OFFVAL}",
- f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:unretentive offset:{OFFVAL}",
- f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5']}",
- f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step5']}",
+ f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}",
+ f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:unretentive offset:{ALGOROLL_OFFVAL}",
+ f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
+ f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
],
# Next key event is when the RSASHA signatures become HIDDEN.
# This happens after the max-zone-ttl plus zone propagation delay
# been reached. Prevent intermittent false positives on slow
# platforms by subtracting the number of seconds which passed
# between key creation and invoking 'rndc reconfig'.
- "nextev": IRET - IRETKSK - KEYTTLPROP - TIME_PASSED,
+ "nextev": ALGOROLL_IRET - ALGOROLL_IRETKSK - ALGOROLL_KEYTTLPROP - TIME_PASSED,
}
isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
"cdss": CDSS,
"keyprops": [
# The zone signatures are now HIDDEN.
- f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{OFFVAL}",
- f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:hidden offset:{OFFVAL}",
- f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6']}",
- f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6']}",
+ f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}",
+ f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:hidden offset:{ALGOROLL_OFFVAL}",
+ f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
+ f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
],
# Next key event is never since we established the policy and the
# keys have an unlimited lifetime. Fallback to the default
import pytest
+from isctest.kasp import Ipub, IpubC, Iret
+
pytestmark = pytest.mark.extra_artifacts(
[
"*.axfr*",
"signatures-validity": TIMEDELTA["P30D"],
"zone-propagation-delay": TIMEDELTA["PT1H"],
}
+ALGOROLL_IPUB = Ipub(ALGOROLL_CONFIG)
+ALGOROLL_IPUBC = IpubC(ALGOROLL_CONFIG, rollover=False)
+ALGOROLL_IRET = Iret(ALGOROLL_CONFIG, rollover=False)
+ALGOROLL_IRETKSK = Iret(ALGOROLL_CONFIG, zsk=False, ksk=True, rollover=False)
+ALGOROLL_KEYTTLPROP = (
+ ALGOROLL_CONFIG["dnskey-ttl"] + ALGOROLL_CONFIG["zone-propagation-delay"]
+)
+ALGOROLL_OFFSETS = {}
+ALGOROLL_OFFSETS["step2"] = -int(ALGOROLL_IPUB.total_seconds())
+ALGOROLL_OFFSETS["step3"] = -int(ALGOROLL_IRET.total_seconds())
+ALGOROLL_OFFSETS["step4"] = ALGOROLL_OFFSETS["step3"] - int(
+ ALGOROLL_IRETKSK.total_seconds()
+)
+ALGOROLL_OFFSETS["step5"] = ALGOROLL_OFFSETS["step4"] - int(
+ ALGOROLL_KEYTTLPROP.total_seconds()
+)
+ALGOROLL_OFFSETS["step6"] = ALGOROLL_OFFSETS["step5"] - int(
+ ALGOROLL_IRET.total_seconds()
+)
+ALGOROLL_OFFVAL = -DURATION["P7D"]
@pytest.fixture
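Review bot: The ALGOROLL_* intervals and ALGOROLL_OFFSETS are undocumented although several test modules now import them, and the offsets' meaning is not obvious from the assignments: they are negative second counts, and steps 4–6 each subtract a further interval from the previous step's offset. Suggest a comment above `ALGOROLL_OFFSETS = {}`: `# Expected key offsets per rollover step, in seconds (negative = in the past); steps 4-6 accumulate the interval that separates them from the previous step.` ALGOROLL_OFFSETS is also a module-level mutable dict shared by every importer; wrapping the finished dict in `types.MappingProxyType` (or building it from local intermediates and exporting only the result) would prevent a test module from mutating it by accident.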
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-dnssec-policy "unsigning" {
- dnskey-ttl 7200;
-
- keys {
- ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
- zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
- };
-};
-
-dnssec-policy "rsasha256" {
- signatures-refresh P5D;
- signatures-validity 30d;
- signatures-validity-dnskey 30d;
-
- keys {
- ksk lifetime unlimited algorithm rsasha256;
- zsk lifetime unlimited algorithm rsasha256;
- };
-
- dnskey-ttl 1h;
- publish-safety PT1H;
- retire-safety 2h;
- zone-propagation-delay 3600;
- max-zone-ttl 6h;
- parent-propagation-delay pt1h;
- parent-ds-ttl 7200;
-};
-
-dnssec-policy "ecdsa256" {
- signatures-refresh P5D;
- signatures-validity 30d;
- signatures-validity-dnskey 30d;
-
- keys {
- ksk lifetime unlimited algorithm ecdsa256;
- zsk lifetime unlimited algorithm ecdsa256;
- };
-
- dnskey-ttl 1h;
- publish-safety PT1H;
- retire-safety 2h;
- zone-propagation-delay 3600;
- max-zone-ttl 6h;
- parent-propagation-delay pt1h;
- parent-ds-ttl 7200;
-};
-
-{% if RSASHA1_SUPPORTED == "1" %}
-dnssec-policy "rsasha1" {
- signatures-refresh P5D;
- signatures-validity 30d;
- signatures-validity-dnskey 30d;
-
- keys {
- ksk lifetime unlimited algorithm rsasha1;
- zsk lifetime unlimited algorithm rsasha1;
- };
-
- dnskey-ttl 1h;
- publish-safety PT1H;
- retire-safety 2h;
- zone-propagation-delay 3600;
- max-zone-ttl 6h;
- parent-propagation-delay pt1h;
- parent-ds-ttl 7200;
-};
-{% endif %}
+++ /dev/null
-/*
- * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
- *
- * SPDX-License-Identifier: MPL-2.0
- *
- * This Source Code Form is subject to the terms of the Mozilla Public
- * License, v. 2.0. If a copy of the MPL was not distributed with this
- * file, you can obtain one at https://mozilla.org/MPL/2.0/.
- *
- * See the COPYRIGHT file distributed with this work for additional
- * information regarding copyright ownership.
- */
-
-options {
- query-source address 10.53.0.6;
- notify-source 10.53.0.6;
- transfer-source 10.53.0.6;
- port @PORT@;
- pid-file "named.pid";
- listen-on { 10.53.0.6; };
- listen-on-v6 { none; };
- allow-transfer { any; };
- recursion no;
- key-directory ".";
- dnssec-validation no;
-};
-
-key rndc_key {
- secret "1234abcd8765";
- algorithm @DEFAULT_HMAC@;
-};
-
-controls {
- inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
+++ /dev/null
-; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-;
-; SPDX-License-Identifier: MPL-2.0
-;
-; This Source Code Form is subject to the terms of the Mozilla Public
-; License, v. 2.0. If a copy of the MPL was not distributed with this
-; file, you can obtain one at https://mozilla.org/MPL/2.0/.
-;
-; See the COPYRIGHT file distributed with this work for additional
-; information regarding copyright ownership.
-
-$TTL 300
-@ IN SOA mname1. . (
- 1 ; serial
- 20 ; refresh (20 seconds)
- 20 ; retry (20 seconds)
- 1814400 ; expire (3 weeks)
- 3600 ; minimum (1 hour)
- )
-
- NS ns6
-ns6 A 10.53.0.6
-
-a A 10.0.0.1
-b A 10.0.0.2
-c A 10.0.0.3
-
cd ns3
$SHELL setup.sh
)
-(
- cd ns6
- $SHELL setup.sh
-)
for step in steps:
isctest.kasp.check_rollover_step(server, config, policy, step)
-
-
-def test_rollover_policy_changes(servers, templates):
- server = servers["ns6"]
- cdss = ["CDNSKEY", "CDS (SHA-256)"]
- alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
- size = os.environ["DEFAULT_BITS"]
-
- default_config = {
- "dnskey-ttl": timedelta(hours=1),
- "ds-ttl": timedelta(days=1),
- "max-zone-ttl": timedelta(days=1),
- "parent-propagation-delay": timedelta(hours=1),
- "publish-safety": timedelta(hours=1),
- "purge-keys": timedelta(days=90),
- "retire-safety": timedelta(hours=1),
- "signatures-refresh": timedelta(days=5),
- "signatures-validity": timedelta(days=14),
- "zone-propagation-delay": timedelta(seconds=300),
- }
-
- unsigning_config = default_config.copy()
- unsigning_config["dnskey-ttl"] = timedelta(seconds=7200)
-
- algoroll_config = {
- "dnskey-ttl": timedelta(hours=1),
- "ds-ttl": timedelta(seconds=7200),
- "max-zone-ttl": timedelta(hours=6),
- "parent-propagation-delay": timedelta(hours=1),
- "publish-safety": timedelta(hours=1),
- "purge-keys": timedelta(days=90),
- "retire-safety": timedelta(hours=2),
- "signatures-refresh": timedelta(days=5),
- "signatures-validity": timedelta(days=30),
- "zone-propagation-delay": timedelta(seconds=3600),
- }
-
- start_time = KeyTimingMetadata.now()
-
- # Test algorithm rollover (CSK).
- isctest.log.info("check algorithm rollover csk")
- step = {
- "zone": "step1.csk-algorithm-roll.kasp",
- "cdss": cdss,
- "config": algoroll_config,
- "policy": "csk-algoroll",
- "keyprops": [
- f"csk 0 8 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}",
- ],
- "nextev": timedelta(hours=1),
- }
- steps.append(step)
-
- for step in steps:
- isctest.kasp.check_rollover_step(server, step["config"], step["policy"], step)
-
- # Reconfigure, changing DNSSEC policies and other configuration options,
- # triggering algorithm rollovers and other dnssec-policy changes.
- templates.render("ns6/named.conf", {"csk_roll": True})
- server.rndc("reconfig")
- # Calculate time passed to correctly check for next key events.
- now = KeyTimingMetadata.now()
- time_passed = now.value - start_time.value
-
- # Test algorithm rollover (CSK) (after reconfig).
- isctest.log.info("check algorithm rollover csk (after reconfig)")
- offsets = {}
- offsets["step2"] = -int(ipub.total_seconds())
- offsets["step3"] = -int(iret.total_seconds())
- offsets["step4"] = offsets["step3"] - int(iretKSK.total_seconds())
- offsets["step5"] = offsets["step4"] - int(keyttlprop.total_seconds())
- offsets["step6"] = offsets["step5"] - int(iret.total_seconds())
- algo_steps = [
- {
- # Step 1.
- "zone": "step1.csk-algorithm-roll.kasp",
- "cdss": cdss,
- "config": algoroll_config,
- "policy": "csk-algoroll",
- "keyprops": [
- # The RSASHA keys are outroducing.
- f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}",
- # The ECDSAP256SHA256 keys are introducing.
- f"csk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
- ],
- # Next key event is when the ecdsa256 keys have been propagated.
- "nextev": ipub,
- },
- {
- # Step 2.
- "zone": "step2.csk-algorithm-roll.kasp",
- "cdss": cdss,
- "config": algoroll_config,
- "policy": "csk-algoroll",
- "keyprops": [
- # The RSASHA keys are outroducing, but need to stay present
- # until the new algorithm chain of trust has been established.
- # Thus the expected key states of these keys stay the same.
- f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}",
- # The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is
- # omnipresent, but the zone signatures are not.
- f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{offsets['step2']}",
- ],
- # Next key event is when all zone signatures are signed with the
- # new algorithm. This is the child publication interval, minus
- # the publication interval has already passed. Also, prevent
- # intermittent false positives on slow platforms by subtracting
- # the time passed between key creation and invoking 'rndc reconfig'.
- "nextev": ipubc - ipub - time_passed,
- },
- {
- # Step 3.
- "zone": "step3.csk-algorithm-roll.kasp",
- "cdss": cdss,
- "config": algoroll_config,
- "policy": "csk-algoroll",
- "keyprops": [
- # The DS can be swapped.
- f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:unretentive offset:{offval}",
- f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{offsets['step3']}",
- ],
- # Next key event is when the DS becomes OMNIPRESENT. This happens
- # after the publication interval of the parent side.
- "nextev": iretKSK - time_passed,
- },
- {
- # Step 4.
- "zone": "step4.csk-algorithm-roll.kasp",
- "cdss": cdss,
- "config": algoroll_config,
- "policy": "csk-algoroll",
- "keyprops": [
- # The old DS is HIDDEN, we can remove the old algorithm records.
- f"csk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:unretentive ds:hidden offset:{offval}",
- f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step4']}",
- ],
- # Next key event is when the old DNSKEY becomes HIDDEN.
- # This happens after the DNSKEY TTL plus zone propagation delay.
- "nextev": keyttlprop,
- },
- {
- # Step 5.
- "zone": "step5.csk-algorithm-roll.kasp",
- "cdss": cdss,
- "config": algoroll_config,
- "policy": "csk-algoroll",
- "keyprops": [
- # The DNSKEY becomes HIDDEN.
- f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:unretentive ds:hidden offset:{offval}",
- f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step5']}",
- ],
- # Next key event is when the RSASHA signatures become HIDDEN.
- # This happens after the max-zone-ttl plus zone propagation delay
- # minus the time already passed since the UNRETENTIVE state has
- # been reached. Prevent intermittent false positives on slow
- # platforms by subtracting the number of seconds which passed
- # between key creation and invoking 'rndc reconfig'.
- "nextev": iret - iretKSK - keyttlprop - time_passed,
- },
- {
- # Step 6.
- "zone": "step6.csk-algorithm-roll.kasp",
- "cdss": cdss,
- "config": algoroll_config,
- "policy": "csk-algoroll",
- "keyprops": [
- # The zone signatures are now HIDDEN.
- f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{offval}",
- f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step6']}",
- ],
- # Next key event is never since we established the policy and the
- # keys have an unlimited lifetime. Fallback to the default
- # loadkeys interval.
- "nextev": timedelta(hours=1),
- },
- ]
- steps = steps + algo_steps
-
- for step in steps:
- isctest.kasp.check_rollover_step(server, step["config"], step["policy"], step)