From: Matthijs Mekking Date: Mon, 26 Oct 2020 16:42:31 +0000 (+0100) Subject: Add a test for RFC 8901 signer model 2 X-Git-Tag: v9.17.7~26^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e0ec9f62448b188972bebb96b720c66efe5a6f9;p=thirdparty%2Fbind9.git Add a test for RFC 8901 signer model 2 The new 'dnssec-policy' was already compatible with multi-signer model 2, now we also have a test for it. --- diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh index 9ec8a91ee8a..ab5890da77f 100644 --- a/bin/tests/system/kasp/clean.sh +++ b/bin/tests/system/kasp/clean.sh @@ -24,6 +24,7 @@ rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.* rm -f ns*/managed-keys.bind rm -f ns*/*.mkeys rm -f ns*/zones ns*/*.db.infile +rm -f ns*/*.zsk1 ns*/*.zsk2 rm -f *.created published.test* retired.test* rm -f rndc.dnssec.*.out.* rm -f python.out.* diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in index d6e5300e254..3df661b4aed 100644 --- a/bin/tests/system/kasp/ns3/named.conf.in +++ b/bin/tests/system/kasp/ns3/named.conf.in @@ -177,6 +177,14 @@ zone "rumoured.kasp" { dnssec-policy "rsasha1"; }; +/* RFC 8901 Multi-signer Model 2. */ +zone "multisigner-model2.kasp" { + type primary; + file "multisigner-model2.kasp.db"; + dnssec-policy "multisigner-model2"; + allow-update { any; }; +}; + /* * Different algorithms. */ diff --git a/bin/tests/system/kasp/ns3/policies/kasp.conf.in b/bin/tests/system/kasp/ns3/policies/kasp.conf.in index 65d57970798..82306063025 100644 --- a/bin/tests/system/kasp/ns3/policies/kasp.conf.in +++ b/bin/tests/system/kasp/ns3/policies/kasp.conf.in @@ -26,6 +26,15 @@ dnssec-policy "manual-rollover" { }; }; +dnssec-policy "multisigner-model2" { + dnskey-ttl 3600; + + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + dnssec-policy "rsasha1" { dnskey-ttl 1234; diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index aefb0ca38d2..521c1923290 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh @@ -54,7 +54,7 @@ for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \ rumoured rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 \ dynamic dynamic-inline-signing inline-signing \ checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \ - manual-rollover + manual-rollover multisigner-model2 do setup "${zn}.kasp" cp template.db.in "$zonefile" @@ -95,6 +95,18 @@ zone="pregenerated.kasp" $KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1 $KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1 +zone="multisigner-model2.kasp" +# Import the ZSK sets of the other providers into their DNSKEY RRset. +ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.1) +ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.2) +# ZSK1 will be added to the unsigned zonefile. +cat "../${ZSK1}.key" | grep -v ";.*" >> "${zone}.db" +cat "../${ZSK1}.key" | grep -v ";.*" > "${zone}.zsk1" +rm -f "../${ZSK1}.*" +# ZSK2 will be used with a Dynamic Update. +cat "../${ZSK2}.key" | grep -v ";.*" > "${zone}.zsk2" +rm -f "../${ZSK2}.*" + zone="rumoured.kasp" Tpub="now" Tact="now+1d" diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index e875e406c9d..ae7c315837f 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -1374,7 +1374,6 @@ retry_quiet 10 update_is_signed || ret=1 test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) - # # Zone: dynamic-inline-signing.kasp # @@ -2687,6 +2686,68 @@ status=$((status+ret)) # Clear TSIG. TSIG="" +# +# Testing RFC 8901 Multi-Signer Model 2. +# +set_zone "multisigner-model2.kasp" +set_policy "multisigner-model2" "2" "3600" +set_server "ns3" "10.53.0.3" +key_clear "KEY1" +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +# Key properties. +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" + +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" +set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" + +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "rumoured" +set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" + +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify + +# Check that the ZSKs from the other provider are published. +zsks_are_published() { + dig_with_opts +short "$ZONE" "@${SERVER}" DNSKEY > "dig.out.$DIR.test$n" || return 1 + # We should have three ZSKs. + lines=$(grep "256 3 13" dig.out.$DIR.test$n | wc -l) + test "$lines" -eq 3 || return 1 + # And one KSK. + lines=$(grep "257 3 13" dig.out.$DIR.test$n | wc -l) + test "$lines" -eq 1 || return 1 +} + +n=$((n+1)) +echo_i "update zone with ZSK from another provider for zone ${ZONE} ($n)" +ret=0 +( +echo zone ${ZONE} +echo server 10.53.0.3 "$PORT" +echo update add $(cat "${DIR}/${ZONE}.zsk2") +echo send +) | $NSUPDATE +retry_quiet 10 zsks_are_published || ret=1 +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + # # Testing manual rollover. #