From: Matthijs Mekking Date: Tue, 18 Feb 2020 15:36:31 +0000 (+0100) Subject: Add algorithm rollover test case X-Git-Tag: v9.17.1~69^2~7 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=88ebe9581b3d061b8fd3006a91976021ffb26fd5;p=thirdparty%2Fbind9.git Add algorithm rollover test case Add a test case for algorithm rollover. This is triggered by changing the dnssec-policy. A new nameserver ns6 is introduced for tests related to dnssec-policy changes. This requires a slight change in check_next_key_event to only check the last occurrence. Also, change the debug log message in lib/dns/zone.c to deal with checks when no next scheduled key event exists (and default to loadkeys interval 3600). --- diff --git a/bin/tests/system/kasp/README b/bin/tests/system/kasp/README index ceafd197721..61c0a2d0959 100644 --- a/bin/tests/system/kasp/README +++ b/bin/tests/system/kasp/README @@ -11,3 +11,5 @@ ns2 is running primary service for ns3. ns3 is an authoritative server for the various test domains. ns4 and ns5 are authoritative servers for various test domains related to views. + +ns6 is an authoritative server that tests changes in dnssec-policy. diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh index 803dd703cd6..98239093c5c 100644 --- a/bin/tests/system/kasp/clean.sh +++ b/bin/tests/system/kasp/clean.sh @@ -22,5 +22,4 @@ rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.* rm -f ns*/managed-keys.bind rm -f ns*/*.mkeys -# NS3 specific -rm -f ns3/zones ns3/*.db.infile +rm -f ns*/zones ns*/*.db.infile diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in new file mode 100644 index 00000000000..5bb8185e478 --- /dev/null +++ b/bin/tests/system/kasp/ns6/named.conf.in @@ -0,0 +1,41 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS6 + +include "policies/kasp.conf"; + +options { + query-source address 10.53.0.6; + notify-source 10.53.0.6; + transfer-source 10.53.0.6; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.6; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "step1.algorithm-roll.kasp" { + type master; + file "step1.algorithm-roll.kasp.db"; + dnssec-policy "rsasha1"; +}; diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in new file mode 100644 index 00000000000..b2810e1bb93 --- /dev/null +++ b/bin/tests/system/kasp/ns6/named2.conf.in @@ -0,0 +1,71 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS6 + +include "policies/kasp.conf"; + +options { + query-source address 10.53.0.6; + notify-source 10.53.0.6; + transfer-source 10.53.0.6; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.6; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "step1.algorithm-roll.kasp" { + type master; + file "step1.algorithm-roll.kasp.db"; + dnssec-policy "ecdsa256"; +}; + +zone "step2.algorithm-roll.kasp" { + type master; + file "step2.algorithm-roll.kasp.db"; + dnssec-policy "ecdsa256"; +}; + +zone "step3.algorithm-roll.kasp" { + type master; + file "step3.algorithm-roll.kasp.db"; + dnssec-policy "ecdsa256"; +}; + +zone "step4.algorithm-roll.kasp" { + type master; + file "step4.algorithm-roll.kasp.db"; + dnssec-policy "ecdsa256"; +}; + +zone "step5.algorithm-roll.kasp" { + type master; + file "step5.algorithm-roll.kasp.db"; + dnssec-policy "ecdsa256"; +}; + +zone "step6.algorithm-roll.kasp" { + type master; + file "step6.algorithm-roll.kasp.db"; + dnssec-policy "ecdsa256"; +}; diff --git a/bin/tests/system/kasp/ns6/policies/kasp.conf b/bin/tests/system/kasp/ns6/policies/kasp.conf new file mode 100644 index 00000000000..ad7028ed0cd --- /dev/null +++ b/bin/tests/system/kasp/ns6/policies/kasp.conf @@ -0,0 +1,50 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +dnssec-policy "rsasha1" { + signatures-refresh P5D; + signatures-validity 30d; + signatures-validity-dnskey 30d; + + keys { + ksk lifetime unlimited algorithm rsasha1; + zsk lifetime unlimited algorithm rsasha1; + }; + + dnskey-ttl 1h; + publish-safety PT1H; + retire-safety 2h; + zone-propagation-delay 3600; + max-zone-ttl 6h; + parent-registration-delay 1d; + parent-propagation-delay pt1h; + parent-ds-ttl 7200; +}; + +dnssec-policy "ecdsa256" { + signatures-refresh P5D; + signatures-validity 30d; + signatures-validity-dnskey 30d; + + keys { + ksk lifetime unlimited algorithm ecdsa256; + zsk lifetime unlimited algorithm ecdsa256; + }; + + dnskey-ttl 1h; + publish-safety PT1H; + retire-safety 2h; + zone-propagation-delay 3600; + max-zone-ttl 6h; + parent-registration-delay 1d; + parent-propagation-delay pt1h; + parent-ds-ttl 7200; +}; diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh new file mode 100644 index 00000000000..2616d8e952f --- /dev/null +++ b/bin/tests/system/kasp/ns6/setup.sh @@ -0,0 +1,185 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at http://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. "$SYSTEMTESTTOP/conf.sh" + +echo_i "ns6/setup.sh" + +setup() { + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" +} + +private_type_record() { + _zone=$1 + _algorithm=$2 + _keyfile=$3 + + _id=$(keyfile_to_key_id "$_keyfile") + + printf "%s. 0 IN TYPE65534 %s 5 %02x%04x0000\n" "$_zone" "\\#" "$_algorithm" "$_id" +} + + +# Make lines shorter by storing key states in environment variables. +H="HIDDEN" +R="RUMOURED" +O="OMNIPRESENT" +U="UNRETENTIVE" + +# +# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK +# algorithm rollover. +# + +# Step 1: +# Introduce the first key. This will immediately be active. +setup step1.algorithm-roll.kasp +echo "$zone" >> zones +KSK=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2) +TactN="now" +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" +private_type_record $zone 5 "$KSK" >> "$infile" +private_type_record $zone 5 "$ZSK" >> "$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + +# Step 2: +# After the publication interval has passed the DNSKEY is OMNIPRESENT. +setup step2.algorithm-roll.kasp +KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2) +KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) +# The time passed since the new algorithm keys have been introduced is 3 hours. +TactN="now-3h" +TpubN1="now-3h" +TactN1="now+6h" +$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 +# Fake lifetime of old algorithm keys. +echo "Lifetime: 0" >> "${KSK1}.state" +echo "Lifetime: 0" >> "${ZSK1}.state" +cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" +private_type_record $zone 5 "$KSK1" >> "$infile" +private_type_record $zone 5 "$ZSK1" >> "$infile" +private_type_record $zone 13 "$KSK2" >> "$infile" +private_type_record $zone 13 "$ZSK2" >> "$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + +# Step 3: +# The zone signatures are also OMNIPRESENT. +setup step3.algorithm-roll.kasp +KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2) +KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) +# The time passed since the new algorithm keys have been introduced is 9 hours. +TactN="now-9h" +TpubN1="now-9h" +TactN1="now" +$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 +# Fake lifetime of old algorithm keys. +echo "Lifetime: 0" >> "${KSK1}.state" +echo "Lifetime: 0" >> "${ZSK1}.state" +cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" +private_type_record $zone 5 "$KSK1" >> "$infile" +private_type_record $zone 5 "$ZSK1" >> "$infile" +private_type_record $zone 13 "$KSK2" >> "$infile" +private_type_record $zone 13 "$ZSK2" >> "$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + +# Step 4: +# The DS is swapped and can become OMNIPRESENT. +setup step4.algorithm-roll.kasp +KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2) +KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) +# The time passed since the DS has been swapped is 29 hours. +TactN="now-38h" +TpubN1="now-38h" +TactN1="now-29h" +$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 "$KSK2" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 +# Fake lifetime of old algorithm keys. +echo "Lifetime: 0" >> "${KSK1}.state" +echo "Lifetime: 0" >> "${ZSK1}.state" +cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" +private_type_record $zone 5 "$KSK1" >> "$infile" +private_type_record $zone 5 "$ZSK1" >> "$infile" +private_type_record $zone 13 "$KSK2" >> "$infile" +private_type_record $zone 13 "$ZSK2" >> "$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + +# Step 5: +# The DNSKEY is removed long enough to be HIDDEN. +setup step5.algorithm-roll.kasp +KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2) +KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) +# The time passed since the DNSKEY has been removed is 2 hours. +TactN="now-40h" +TpubN1="now-40h" +TactN1="now-31h" +TremN="now-2h" +$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -r $U $TremN -d $H $TremN "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TremN "$KSK2" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 +# Fake lifetime of old algorithm keys. +echo "Lifetime: 0" >> "${KSK1}.state" +echo "Lifetime: 0" >> "${ZSK1}.state" +cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" +private_type_record $zone 5 "$KSK1" >> "$infile" +private_type_record $zone 5 "$ZSK1" >> "$infile" +private_type_record $zone 13 "$KSK2" >> "$infile" +private_type_record $zone 13 "$ZSK2" >> "$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + +# Step 6: +# The RRSIGs have been removed long enough to be HIDDEN. +setup step6.algorithm-roll.kasp +KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2) +KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) +# Additional time passed: 7h. +TactN="now-47h" +TpubN1="now-47h" +TactN1="now-38h" +TremN="now-9h" +$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -r $U $TremN -d $H $TremN "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TremN "$KSK2" > settime.out.$zone.1 2>&1 +$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 +# Fake lifetime of old algorithm keys. +echo "Lifetime: 0" >> "${KSK1}.state" +echo "Lifetime: 0" >> "${ZSK1}.state" +cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile" +private_type_record $zone 5 "$KSK1" >> "$infile" +private_type_record $zone 5 "$ZSK1" >> "$infile" +private_type_record $zone 13 "$KSK2" >> "$infile" +private_type_record $zone 13 "$ZSK2" >> "$infile" +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 diff --git a/bin/tests/system/kasp/ns6/template.db.in b/bin/tests/system/kasp/ns6/template.db.in new file mode 100644 index 00000000000..051a312891a --- /dev/null +++ b/bin/tests/system/kasp/ns6/template.db.in @@ -0,0 +1,25 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns3 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 + diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh index 0d93046ae1f..a41b0ca946c 100644 --- a/bin/tests/system/kasp/setup.sh +++ b/bin/tests/system/kasp/setup.sh @@ -22,6 +22,7 @@ copy_setports ns2/named.conf.in ns2/named.conf copy_setports ns3/named.conf.in ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf +copy_setports ns6/named.conf.in ns6/named.conf # Setup zones ( @@ -40,3 +41,7 @@ copy_setports ns5/named.conf.in ns5/named.conf cd ns5 $SHELL setup.sh ) +( + cd ns6 + $SHELL setup.sh +) diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index e6c30289045..ddd15242321 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -1629,7 +1629,8 @@ check_next_key_event() { ret=0 grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" > "keyevent.out.$ZONE.test$n" || log_error "no next key event for zone ${ZONE}" - _time=$(awk '{print $10}' < "keyevent.out.$ZONE.test$n") + # Get the latest next key event. + _time=$(awk '{print $10}' < "keyevent.out.$ZONE.test$n" | tail -1) # The next key event time must within 60 seconds of the # expected time. @@ -2081,7 +2082,7 @@ dnssec_verify check_next_key_event 13708800 # -# Testing CSK key rollover (1). +# Testing CSK key rollover (2). # # @@ -2218,5 +2219,163 @@ dnssec_verify # Next key event is when the new successor needs to be published. check_next_key_event 14684400 +# +# Testing algorithm rollover. +# + +# +# Zone: step1.algorithm-roll.kasp +# +zone_properties "ns6" "step1.algorithm-roll.kasp" "rsasha1" "3600" "2" "10.53.0.6" +# The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. +key_properties "KEY1" "ksk" "0" "5" "RSASHA1" "2048" "no" "yes" +key_timings "KEY1" "published" "active" "none" "none" "none" +key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent" +key_properties "KEY2" "zsk" "0" "5" "RSASHA1" "2048" "yes" "no" +key_timings "KEY2" "published" "active" "none" "none" "none" +key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none" +key_clear "KEY3" +key_clear "KEY4" +check_keys +check_apex +check_subdomain +dnssec_verify + +# Next key event is when the successor keys need to be published. +# Since the lifetime of the keys are unlimited, so default to loadkeys +# interval. +check_next_key_event 3600 + +# Reconfig dnssec-policy (triggering algorithm roll). +echo_i "reconfig dnssec-policy to trigger algorithm rollover" +copy_setports ns6/named2.conf.in ns6/named.conf +rndc_reconfig ns6 10.53.0.6 + +zone_properties "ns6" "step1.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6" +# The RSAHSHA1 keys are outroducing. +key_timings "KEY1" "published" "active" "retired" "none" "none" +key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "omnipresent" +key_timings "KEY2" "published" "active" "retired" "none" "none" +key_states "KEY2" "hidden" "omnipresent" "omnipresent" "none" "none" +# The ECDSAP256SHA256 keys are introducing. +key_properties "KEY3" "ksk" "0" "13" "ECDSAP256SHA256" "256" "no" "yes" +key_timings "KEY3" "published" "active" "none" "none" "none" +key_states "KEY3" "omnipresent" "rumoured" "none" "rumoured" "hidden" +key_properties "KEY4" "zsk" "0" "13" "ECDSAP256SHA256" "256" "yes" "no" +key_timings "KEY4" "published" "active" "none" "none" "none" +key_states "KEY4" "omnipresent" "rumoured" "rumoured" "none" "none" + +check_keys +check_apex +check_subdomain +dnssec_verify + +# Next key event is when the ecdsa256 keys have been propagated. +# This is the DNSKEY TTL plus publish safety plus zone propagation delay: +# 3 times an hour: 10800 seconds. +check_next_key_event 10800 + +# +# Zone: step2.algorithm-roll.kasp +# +zone_properties "ns6" "step2.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6" +# The RSAHSHA1 keys are outroducing, but need to stay present until the new +# algorithm chain of trust has been established. Thus the properties, timings +# and states of the KEY1 and KEY2 are the same as above. +# +# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent, +# but the zone signatures are not. +key_states "KEY3" "omnipresent" "omnipresent" "none" "omnipresent" "hidden" +key_states "KEY4" "omnipresent" "omnipresent" "rumoured" "none" "none" + +check_keys +check_apex +check_subdomain +dnssec_verify + +# Next key event is when all zone signatures are signed with the new +# algorithm. This is the max-zone-ttl plus zone propagation delay +# plus retire safety: 6h + 1h + 2h. But three hours have already passed +# (the time it took to make the DNSKEY omnipresent), so the next event +# should be scheduled in 6 hour: 21600 seconds. +check_next_key_event 21600 + +# +# Zone: step3.algorithm-roll.kasp +# +zone_properties "ns6" "step3.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6" +# The RSAHSHA1 keys are outroducing, and it is time to swap the DS. +key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "unretentive" +# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset and all signatures +# are now omnipresent, so the DS can be introduced. +key_states "KEY3" "omnipresent" "omnipresent" "none" "omnipresent" "rumoured" +key_states "KEY4" "omnipresent" "omnipresent" "omnipresent" "none" "none" + +check_keys +check_apex +check_subdomain +dnssec_verify + +# Next key event is when the DS becomes OMNIPRESENT. This happens after the +# parent registration delay, parent propagation delay, retire safety delay, +# and DS TTL: 24h + 1h + 2h + 2h = 29h = 104400 seconds. +check_next_key_event 104400 + +# +# Zone: step4.algorithm-roll.kasp +# +zone_properties "ns6" "step4.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6" +# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records. +key_properties "KEY1" "ksk" "0" "5" "RSASHA1" "2048" "no" "no" +key_states "KEY1" "hidden" "unretentive" "none" "unretentive" "hidden" +key_properties "KEY2" "zsk" "0" "5" "RSASHA1" "2048" "no" "no" +key_states "KEY2" "hidden" "unretentive" "unretentive" "none" "none" +# The ECDSAP256SHA256 DS is now OMNIPRESENT. +key_states "KEY3" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent" + +check_keys +check_apex +check_subdomain +dnssec_verify + +# Next key event is when the old DNSKEY becomes HIDDEN. This happens after the +# DNSKEY TTL plus zone propagation delay (2h). +check_next_key_event 7200 + +# +# Zone: step5.algorithm-roll.kasp +# +zone_properties "ns6" "step5.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6" +# The DNSKEY becomes HIDDEN. +key_states "KEY1" "hidden" "hidden" "none" "hidden" "hidden" +key_states "KEY2" "hidden" "hidden" "unretentive" "none" "none" + +check_keys +check_apex +check_subdomain +dnssec_verify + +# Next key event is when the RSASHA1 signatures become HIDDEN. This happens +# after the max-zone-ttl plus zone propagation delay plus retire safety +# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has +# been reached (2h): 9h - 2h = 7h = 25200 +check_next_key_event 25200 + +# +# Zone: step6.algorithm-roll.kasp +# +zone_properties "ns6" "step6.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6" +# The zone signatures should now also be HIDDEN. +key_states "KEY2" "hidden" "hidden" "hidden" "none" "none" + +check_keys +check_apex +check_subdomain +dnssec_verify + +# Next key event is never since we established the policy and the keys have +# an unlimited lifetime. Fallback to the default loadkeys interval. +check_next_key_event 3600 + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 17cbdeff241..ff02549c78a 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -19657,17 +19657,28 @@ zone_rekey(dns_zone_t *zone) { /* * If keymgr provided a next time, use the calculated next rekey time. */ - if (kasp != NULL && nexttime > 0) { + if (kasp != NULL) { isc_time_t timenext; + uint32_t nexttime_seconds; - DNS_ZONE_TIME_ADD(&timenow, nexttime - now, &timenext); + /* + * Set the key refresh timer to the next scheduled key event + * or to 'dnssec-loadkeys-interval' seconds in the future + * if no next key event is scheduled (nexttime == 0). + */ + if (nexttime > 0) { + nexttime_seconds = nexttime - now; + } else { + nexttime_seconds = zone->refreshkeyinterval; + } + + DNS_ZONE_TIME_ADD(&timenow, nexttime_seconds, &timenext); zone->refreshkeytime = timenext; zone_settimer(zone, &timenow); isc_time_formattimestamp(&zone->refreshkeytime, timebuf, 80); dnssec_log(zone, ISC_LOG_DEBUG(3), - "next key event in %u seconds: %s", (nexttime - now), - timebuf); + "next key event in %u seconds", nexttime_seconds); dnssec_log(zone, ISC_LOG_INFO, "next key event: %s", timebuf); } /* diff --git a/util/copyrights b/util/copyrights index f5f9b4c02c3..65f2e15d5ae 100644 --- a/util/copyrights +++ b/util/copyrights @@ -697,6 +697,7 @@ ./bin/tests/system/kasp/ns3/setup.sh SH 2019,2020 ./bin/tests/system/kasp/ns4/setup.sh SH 2019,2020 ./bin/tests/system/kasp/ns5/setup.sh SH 2019,2020 +./bin/tests/system/kasp/ns6/setup.sh SH 2020 ./bin/tests/system/kasp/setup.sh SH 2019,2020 ./bin/tests/system/kasp/tests.sh SH 2019,2020 ./bin/tests/system/keepalive/clean.sh SH 2017,2018,2019,2020