From: Matthijs Mekking Date: Wed, 19 Feb 2020 11:28:36 +0000 (+0100) Subject: Add CSK algorithm rollover test X-Git-Tag: v9.17.1~69^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=917cf5f86fadb187c78a13823407eb858190c451;p=thirdparty%2Fbind9.git Add CSK algorithm rollover test
---
diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in
index 5bb8185e478..5a6ca042c42 100644
--- a/bin/tests/system/kasp/ns6/named.conf.in
+++ b/bin/tests/system/kasp/ns6/named.conf.in
@@ -12,6 +12,7 @@
 // NS6
 include "policies/kasp.conf";
+include "policies/csk1.conf";
 options {
 query-source address 10.53.0.6;
@@ -39,3 +40,9 @@ zone "step1.algorithm-roll.kasp" {
 file "step1.algorithm-roll.kasp.db";
 dnssec-policy "rsasha1";
 };
+
+zone "step1.csk-algorithm-roll.kasp" {
+ type master;
+ file "step1.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in
index b2810e1bb93..52660c60846 100644
--- a/bin/tests/system/kasp/ns6/named2.conf.in
+++ b/bin/tests/system/kasp/ns6/named2.conf.in
@@ -12,6 +12,7 @@
 // NS6
 include "policies/kasp.conf";
+include "policies/csk2.conf";
 options {
 query-source address 10.53.0.6;
@@ -69,3 +70,42 @@ zone "step6.algorithm-roll.kasp" {
 file "step6.algorithm-roll.kasp.db";
 dnssec-policy "ecdsa256";
 };
+
+/*
+ * Zones for testing CSK algorithm roll.
+ */
+zone "step1.csk-algorithm-roll.kasp" {
+ type master;
+ file "step1.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
+
+zone "step2.csk-algorithm-roll.kasp" {
+ type master;
+ file "step2.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
+
+zone "step3.csk-algorithm-roll.kasp" {
+ type master;
+ file "step3.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
+
+zone "step4.csk-algorithm-roll.kasp" {
+ type master;
+ file "step4.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
+
+zone "step5.csk-algorithm-roll.kasp" {
+ type master;
+ file "step5.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
+
+zone "step6.csk-algorithm-roll.kasp" {
+ type master;
+ file "step6.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
diff --git a/bin/tests/system/kasp/ns6/policies/csk1.conf b/bin/tests/system/kasp/ns6/policies/csk1.conf
new file mode 100644
index 00000000000..8f93444807c
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/policies/csk1.conf
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "csk-algoroll" {
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ keys {
+ csk lifetime unlimited algorithm rsasha1;
+ };
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ zone-propagation-delay 3600;
+ max-zone-ttl 6h;
+ parent-registration-delay 1d;
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
diff --git a/bin/tests/system/kasp/ns6/policies/csk2.conf b/bin/tests/system/kasp/ns6/policies/csk2.conf
new file mode 100644
index 00000000000..f379c0574f1
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/policies/csk2.conf
@@ -0,0 +1,29 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "csk-algoroll" {
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ keys {
+ csk lifetime unlimited algorithm 13;
+ };
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ zone-propagation-delay 3600;
+ max-zone-ttl 6h;
+ parent-registration-delay 1d;
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
index 2616d8e952f..09d8bd0d791 100644
--- a/bin/tests/system/kasp/ns6/setup.sh
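Review bot: csk2.conf redefines the policy under the same name `csk-algoroll` as csk1.conf, and nothing in either file records that the two must stay identical apart from `algorithm 13` versus `algorithm rsasha1`. The next-key-event values asserted in tests.sh in this same commit (10800, 21600, 104400, 7200, 25200) are derived from dnskey-ttl, publish-safety, zone-propagation-delay, max-zone-ttl, retire-safety and the parent-* values here, so a timing edit to one file that is not mirrored in the other would make the reconfig trigger more than an algorithm roll and break those expectations. I would add above the `dnssec-policy` block in each file a comment such as `/* Keep identical to csk1.conf apart from the key algorithm: named2.conf.in swaps this policy in to trigger the CSK algorithm rollover checked in tests.sh. */`. The mixed duration spellings (`P5D`, `30d`, `3600`, `pt1h`) look like deliberate parser coverage; if so, a one-line comment saying that would stop someone normalising them.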
+++ b/bin/tests/system/kasp/ns6/setup.sh 
@@ -183,3 +183,113 @@ private_type_record $zone 5 "$ZSK1" >> "$infile"
 private_type_record $zone 13 "$KSK2" >> "$infile"
 private_type_record $zone 13 "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+#
+# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
+# algorithm rollover.
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.csk-algorithm-roll.kasp
+echo "$zone" >> zones
+CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
+TactN="now"
+$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone 5 "$CSK" >> "$infile"
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 2:
+# After the publication interval has passed the DNSKEY is OMNIPRESENT.
+setup step2.csk-algorithm-roll.kasp
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1)
+# The time passed since the new algorithm keys have been introduced is 3 hours.
+TactN="now-3h"
+TpubN1="now-3h"
+$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >> "${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 5 "$CSK1" >> "$infile"
+private_type_record $zone 13 "$CSK2" >> "$infile"
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 3:
+# The zone signatures are also OMNIPRESENT.
+setup step3.csk-algorithm-roll.kasp
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1)
+# The time passed since the new algorithm keys have been introduced is 9 hours.
+TactN="now-9h"
+TpubN1="now-9h"
+TactN1="now-6h"
+$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >> "${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 5 "$CSK1" >> "$infile"
+private_type_record $zone 13 "$CSK2" >> "$infile"
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 4:
+# The DS is swapped and can become OMNIPRESENT.
+setup step4.csk-algorithm-roll.kasp
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1)
+# The time passed since the DS has been swapped is 29 hours.
+TactN="now-38h"
+TpubN1="now-38h"
+TactN1="now-35h"
+TsubN1="now-29h"
+$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 "$CSK2" > settime.out.$zone.1 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >> "${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 5 "$CSK1" >> "$infile"
+private_type_record $zone 13 "$CSK2" >> "$infile"
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 5:
+# The DNSKEY is removed long enough to be HIDDEN.
+setup step5.csk-algorithm-roll.kasp
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1)
+# The time passed since the DNSKEY has been removed is 2 hours.
+TactN="now-40h"
+TpubN1="now-40h"
+TactN1="now-37h"
+TsubN1="now-31h"
+TremN="now-2h"
+$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.1 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >> "${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 5 "$CSK1" >> "$infile"
+private_type_record $zone 13 "$CSK2" >> "$infile"
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 6:
+# The RRSIGs have been removed long enough to be HIDDEN.
+setup step6.csk-algorithm-roll.kasp
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1)
+# Additional time passed: 7h.
+TactN="now-47h"
+TpubN1="now-47h"
+TactN1="now-44h"
+TsubN1="now-38h"
+TremN="now-9h"
+$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.1 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >> "${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 5 "$CSK1" >> "$infile"
+private_type_record $zone 13 "$CSK2" >> "$infile"
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index ddd15242321..f1cef6cd528 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
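Review bot: In the step 4 fixture the outgoing DS is timestamped `-d $U $TactN1` (now-35h) while the incoming DS is `-d $R $TsubN1` (now-29h), although the comment just above says the DS was swapped 29 hours ago; steps 5 and 6 use one timestamp (`$TremN`) for both sides of the same transition, so `-d $U $TsubN1` looks like the intended value for CSK1 — or, if the six-hour skew is deliberate, a comment should say why. In steps 2 through 6 both `$KEYGEN` calls redirect stderr to the same `keygen.out.$zone.1` and both `$SETTIME` calls to `settime.out.$zone.1`, so the second invocation overwrites the first key's diagnostics; using `2> keygen.out.$zone.2` and `> settime.out.$zone.2 2>&1` for the CSK2 key keeps both available when a step fails. The outgoing algorithm is hard-coded as RSASHA1 (algorithm 5) in the policy, the private-type records and the expected key properties; on a build whose crypto provider refuses SHA-1 signing these steps would presumably fail inside `$KEYGEN`/`$SIGNER` rather than skip, so a capability check, if the harness offers one, would make that failure mode explicit.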
@@ -2246,15 +2246,45 @@ dnssec_verify
 # interval.
 check_next_key_event 3600
+#
+# Zone: step1.csk-algorithm-roll.kasp
+#
+zone_properties "ns6" "step1.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "1" "10.53.0.6"
+# The CSK (KEY1) starta in OMNIPRESENT.
+key_properties "KEY1" "csk" "0" "5" "RSASHA1" "2048" "yes" "yes"
+key_timings "KEY1" "published" "active" "none" "none" "none"
+key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor keys need to be published.
+# Since the lifetime of the keys are unlimited, so default to loadkeys
+# interval.
+check_next_key_event 3600
+
 # Reconfig dnssec-policy (triggering algorithm roll).
 echo_i "reconfig dnssec-policy to trigger algorithm rollover"
 copy_setports ns6/named2.conf.in ns6/named.conf
 rndc_reconfig ns6 10.53.0.6
+
+#
+# Testing KSK/ZSK algorithm rollover.
+#
+
+#
+# Zone: step1.algorithm-roll.kasp
+#
 zone_properties "ns6" "step1.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6"
 # The RSAHSHA1 keys are outroducing.
+key_properties "KEY1" "ksk" "0" "5" "RSASHA1" "2048" "no" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
 key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "omnipresent"
+key_properties "KEY2" "zsk" "0" "5" "RSASHA1" "2048" "yes" "no"
 key_timings "KEY2" "published" "active" "retired" "none" "none"
 key_states "KEY2" "hidden" "omnipresent" "omnipresent" "none" "none"
 # The ECDSAP256SHA256 keys are introducing.
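Review bot: The new comment `# The CSK (KEY1) starta in OMNIPRESENT.` has a typo, and the note under the check reads awkwardly; I would write `# The CSK (KEY1) starts in OMNIPRESENT.` and `# Next key event is when the successor key needs to be published. The key lifetime is unlimited, so fall back to the default loadkeys interval.`. The hunk also carries the pre-existing `# The RSAHSHA1 keys are outroducing.` as context, and the new CSK sections later in this commit copy the same misspelling; correcting it here would stop it propagating, since `RSASHA1` is what `key_properties` asserts.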
@@ -2377,5 +2407,131 @@ dnssec_verify
 # an unlimited lifetime. Fallback to the default loadkeys interval.
 check_next_key_event 3600
+
+#
+# Testing CSK algorithm rollover.
+#
+
+#
+# Zone: step1.csk-algorithm-roll.kasp
+#
+zone_properties "ns6" "step1.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+# The RSAHSHA1 key is outroducing.
+key_properties "KEY1" "csk" "0" "5" "RSASHA1" "2048" "yes" "yes"
+key_timings "KEY1" "published" "active" "retired" "none" "none"
+key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+# The ECDSAP256SHA256 key is introducing.
+key_properties "KEY2" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
+key_timings "KEY2" "published" "active" "none" "none" "none"
+key_states "KEY2" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden"
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the new key has been propagated.
+# This is the DNSKEY TTL plus publish safety plus zone propagation delay:
+# 3 times an hour: 10800 seconds.
+check_next_key_event 10800
+
+#
+# Zone: step2.csk-algorithm-roll.kasp
+#
+zone_properties "ns6" "step2.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+# The RSAHSHA1 key is outroducing, but need to stay present until the new
+# algorithm chain of trust has been established. Thus the properties, timings
+# and states of KEY1 is the same as above.
+#
+# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent,
+# but the zone signatures are not.
+key_states "KEY2" "omnipresent" "omnipresent" "rumoured" "omnipresent" "hidden"
+
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when all zone signatures are signed with the new
+# algorithm. This is the max-zone-ttl plus zone propagation delay
+# plus retire safety: 6h + 1h + 2h. But three hours have already passed
+# (the time it took to make the DNSKEY omnipresent), so the next event
+# should be scheduled in 6 hour: 21600 seconds.
+check_next_key_event 21600
+
+#
+# Zone: step3.csk-algorithm-roll.kasp
+#
+zone_properties "ns6" "step3.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+# The RSAHSHA1 key is outroducing, and it is time to swap the DS.
+key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "unretentive"
+# The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures
+# are now omnipresent, so the DS can be introduced.
+key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "rumoured"
+
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DS becomes OMNIPRESENT. This happens after the
+# parent registration delay, parent propagation delay, retire safety delay,
+# and DS TTL: 24h + 1h + 2h + 2h = 29h = 104400 seconds.
+check_next_key_event 104400
+
+#
+# Zone: step4.csk-algorithm-roll.kasp
+#
+zone_properties "ns6" "step4.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
+key_properties "KEY1" "csk" "0" "5" "RSASHA1" "2048" "no" "no"
+key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden"
+# The ECDSAP256SHA256 DS is now OMNIPRESENT.
+key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the old DNSKEY becomes HIDDEN. This happens after the
+# DNSKEY TTL plus zone propagation delay (2h).
+check_next_key_event 7200
+
+#
+# Zone: step5.csk-algorithm-roll.kasp
+#
+zone_properties "ns6" "step5.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+# The DNSKEY becomes HIDDEN.
+key_states "KEY1" "hidden" "hidden" "unretentive" "hidden" "hidden"
+
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the RSASHA1 signatures become HIDDEN. This happens
+# after the max-zone-ttl plus zone propagation delay plus retire safety
+# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
+# been reached (2h): 9h - 2h = 7h = 25200
+check_next_key_event 25200
+
+#
+# Zone: step6.csk-algorithm-roll.kasp
+#
+zone_properties "ns6" "step6.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+# The zone signatures should now also be HIDDEN.
+key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden"
+
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is never since we established the policy and the keys have
+# an unlimited lifetime. Fallback to the default loadkeys interval.
+check_next_key_event 3600
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
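Review bot: From step 2 onward each zone block restates only the `key_states` (and in step 4 the `key_properties`) that changed and relies on the `key_properties`/`key_timings` values left over from the previous zone's block — the step 2 comment says so explicitly — so running a step on its own, reordering the steps, or editing the step 1 expectations silently changes what steps 2–6 verify. Restating the full `key_properties`, `key_timings` and `key_states` for KEY1 and KEY2 in every step costs a few lines and makes each block self-contained; at minimum the step 3–6 blocks should carry a comment such as `# KEY1/KEY2 properties and timings are inherited from the previous step.`. The new comments in steps 1–3 also repeat the `RSAHSHA1` misspelling (`# The RSAHSHA1 key is outroducing.`) while `key_properties` asserts `RSASHA1`; fixing the comments keeps grep for the algorithm name reliable.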