From: Matthijs Mekking
Date: Tue, 31 Jan 2023 09:20:00 +0000 (+0100)
Subject: Add test case for different digest type
X-Git-Tag: v9.19.11~14^2~11
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9f3e3fcfc875b6e8f663de8a04b1c5952e8f7a89;p=thirdparty%2Fbind9.git

Add test case for different digest type

Change one of the test cases to use a different digest type (4). The system tests and kasp script need to be updated to take into account the new algorithm (instead of the hard coded 2).
---

diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh
index f0c83b19ab9..ebe06aa8c5a 100644
--- a/bin/tests/system/kasp.sh
+++ b/bin/tests/system/kasp.sh
@@ -209,11 +209,13 @@ set_dynamic() { DYNAMIC="yes" }
-# Set policy settings (name $1, number of keys $2, dnskey ttl $3) for testing keys.
+# Set policy settings (name $1, number of keys $2, dnskey ttl $3),
+# and digest type ($4) for testing keys.
 set_policy() { POLICY=$1 NUM_KEYS=$2 DNSKEY_TTL=$3
+ DIGEST_TYPE=$4
 CDS_DELETE="no" } # By default policies are considered to be secure.
@@ -945,7 +947,7 @@ response_has_cds_for_key() (
 -v qtype="CDS" \
 -v keyid="$(key_get "${1}" ID)" \
 -v keyalg="$(key_get "${1}" ALG_NUM)" \
- -v hashalg="2" \
+ -v hashalg="${DIGEST_TYPE}" \
 'BEGIN { ret=1; } $1 == zone && $2 == ttl && $4 == qtype && $5 == keyid && $6 == keyalg && $7 == hashalg { ret=0; exit; } END { exit ret; }' \
diff --git a/bin/tests/system/kasp/ns3/policies/autosign.conf.in b/bin/tests/system/kasp/ns3/policies/autosign.conf.in
index 5564ec52a77..e90e88941a7 100644
--- a/bin/tests/system/kasp/ns3/policies/autosign.conf.in
+++ b/bin/tests/system/kasp/ns3/policies/autosign.conf.in
@@ -121,6 +121,7 @@ dnssec-policy "csk-roll2" { retire-safety 1h; purge-keys 0;
+ cds-digest-type "sha-384"; // use a different digest type for testing purposes
 keys { csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@; };
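Review bot: `set_policy` in bin/tests/system/kasp.sh now assigns `DIGEST_TYPE=$4` with no default, so a caller that still passes three arguments leaves it empty. `response_has_cds_for_key` would then hand awk `hashalg=""`, which no CDS record can match, so a presence check fails for the wrong reason and any absence check passes without having looked for anything. Any script that sources kasp.sh and is not touched by this commit is exposed to that. Keeping the old value as the fallback, `DIGEST_TYPE=${4:-2}`, preserves the previous behaviour for such callers. The comment above the function could also say that `$4` is the numeric DS/CDS digest type (2 for SHA-256, 4 for SHA-384).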
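Review bot: With `-v hashalg="${DIGEST_TYPE}"` the awk match in `response_has_cds_for_key` only recognises a CDS whose digest type equals the expected one, so it cannot tell "no CDS for this key" from "a CDS for this key with a different digest type". For the csk-roll2 policy, which this commit configures with `cds-digest-type "sha-384"`, a CDS still published with digest type 2 would not fail the test. If callers also use the helper to assert absence (those call sites are outside this hunk), that assertion becomes narrower too. A companion check running the same awk program with `$5 == keyid && $6 == keyalg && $7 != hashalg` would flag an unexpected digest type. The function body starts and ends outside the hunk.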
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 2be9284cabb..bb8620bdaeb 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -56,7 +56,7 @@ next_key_event_threshold=100 # dnssec-keygen # set_zone "kasp"
-set_policy "kasp" "4" "200"
+set_policy "kasp" "4" "200" "2"
 set_server "keys" "10.53.0.1" n=$((n+1))
@@ -122,7 +122,7 @@ n=$((n+1)) echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)" ret=0 set_zone "kasp"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
 set_server "." "10.53.0.1" # Key properties. set_keyrole "KEY1" "csk"
@@ -277,7 +277,7 @@ set_keytimes_csk_policy() { # Check the zone with default kasp policy has loaded and is signed. set_zone "default.kasp"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
 set_server "ns3" "10.53.0.3" # Key properties. set_keyrole "KEY1" "csk"
@@ -398,7 +398,7 @@ dnssec_verify # set_zone "dynamic.kasp" set_dynamic
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
 set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys
@@ -461,7 +461,7 @@ status=$((status+ret)) # set_zone "dynamic-inline-signing.kasp" set_dynamic
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
 set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys
@@ -489,7 +489,7 @@ status=$((status+ret)) # Zone: inline-signing.kasp # set_zone "inline-signing.kasp"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
 set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys
@@ -509,7 +509,7 @@ key_clear "KEY3" key_clear "KEY4" set_zone "checkds-ksk.kasp"
-set_policy "checkds-ksk" "2" "303"
+set_policy "checkds-ksk" "2" "303" "2"
 set_server "ns3" "10.53.0.3" # Key properties. set_keyrole "KEY1" "ksk"
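Review bot: The fourth argument added in `set_policy "kasp" "4" "200" "2"` is a bare digest-type number sitting next to two other bare numbers, and here the key count `"4"` happens to equal the SHA-384 digest type, which makes the call easy to misread. The same literal is repeated in every `set_policy` hunk of this file and of keymgr2kasp/tests.sh, so the one policy that differs (`"4"` for csk-roll2) is easy to miss or mistype. Naming the values once, for example `DIGEST_SHA256=2` and `DIGEST_SHA384=4`, and passing `"$DIGEST_SHA256"` would make the intent visible at the call site. The `"0"` passed for the unsigned and `none` zones looks like a placeholder for "no CDS expected" rather than a real digest type. A short comment such as `# digest type 0: no CDS expected for this zone` would make that explicit.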
@@ -579,7 +579,7 @@ key_clear "KEY3" key_clear "KEY4" set_zone "checkds-doubleksk.kasp"
-set_policy "checkds-doubleksk" "3" "303"
+set_policy "checkds-doubleksk" "3" "303" "2"
 set_server "ns3" "10.53.0.3" # Key properties. set_keyrole "KEY1" "ksk"
@@ -680,7 +680,7 @@ key_clear "KEY3" key_clear "KEY4" set_zone "checkds-csk.kasp"
-set_policy "checkds-csk" "1" "303"
+set_policy "checkds-csk" "1" "303" "2"
 set_server "ns3" "10.53.0.3" # Key properties. set_keyrole "KEY1" "csk"
@@ -796,7 +796,7 @@ set_keytimes_algorithm_policy() { if $SHELL ../testcrypto.sh -q RSASHA1 then set_zone "rsasha1.kasp"
- set_policy "rsasha1" "3" "1234"
+ set_policy "rsasha1" "3" "1234" "2"
 set_server "ns3" "10.53.0.3" # Key properties. key_clear "KEY1"
@@ -850,7 +850,7 @@ fi # Zone: unsigned.kasp. # set_zone "unsigned.kasp"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
 set_server "ns3" "10.53.0.3" key_clear "KEY1"
@@ -874,7 +874,7 @@ status=$((status+ret)) # Zone: insecure.kasp. # set_zone "insecure.kasp"
-set_policy "insecure" "0" "0"
+set_policy "insecure" "0" "0" "0"
 set_server "ns3" "10.53.0.3" key_clear "KEY1"
@@ -891,7 +891,7 @@ check_subdomain # Zone: unlimited.kasp. # set_zone "unlimited.kasp"
-set_policy "unlimited" "1" "1234"
+set_policy "unlimited" "1" "1234" "2"
 set_server "ns3" "10.53.0.3" # Key properties. set_keyrole "KEY1" "csk"
@@ -918,7 +918,7 @@ dnssec_verify # Zone: inherit.kasp. # set_zone "inherit.kasp"
-set_policy "rsasha256" "3" "1234"
+set_policy "rsasha256" "3" "1234" "2"
 set_server "ns3" "10.53.0.3" # Key properties.
@@ -971,7 +971,7 @@ dnssec_verify # Zone: dnssec-keygen.kasp. # set_zone "dnssec-keygen.kasp"
-set_policy "rsasha256" "3" "1234"
+set_policy "rsasha256" "3" "1234" "2"
 set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above.
@@ -987,7 +987,7 @@ dnssec_verify # Zone: some-keys.kasp. # set_zone "some-keys.kasp"
-set_policy "rsasha256" "3" "1234"
+set_policy "rsasha256" "3" "1234" "2"
 set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above.
@@ -1005,7 +1005,7 @@ dnssec_verify # There are more pregenerated keys than needed, hence the number of keys is # six, not three. set_zone "pregenerated.kasp"
-set_policy "rsasha256" "6" "1234"
+set_policy "rsasha256" "6" "1234" "2"
 set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above.
@@ -1022,7 +1022,7 @@ dnssec_verify # # There are three keys in rumoured state. set_zone "rumoured.kasp"
-set_policy "rsasha256" "3" "1234"
+set_policy "rsasha256" "3" "1234" "2"
 set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above.
@@ -1048,7 +1048,7 @@ dnssec_verify # Zone: secondary.kasp. # set_zone "secondary.kasp"
-set_policy "rsasha256" "3" "1234"
+set_policy "rsasha256" "3" "1234" "2"
 set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above.
@@ -1095,7 +1095,7 @@ status=$((status+ret)) if $SHELL ../testcrypto.sh -q RSASHA1 then set_zone "rsasha1-nsec3.kasp"
- set_policy "rsasha1-nsec3" "3" "1234"
+ set_policy "rsasha1-nsec3" "3" "1234" "2"
 set_server "ns3" "10.53.0.3" # Key properties. set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
@@ -1116,7 +1116,7 @@ fi # Zone: rsasha256.kasp. # set_zone "rsasha256.kasp"
-set_policy "rsasha256" "3" "1234"
+set_policy "rsasha256" "3" "1234" "2"
 set_server "ns3" "10.53.0.3" # Key properties. set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
@@ -1136,7 +1136,7 @@ dnssec_verify # Zone: rsasha512.kasp. # set_zone "rsasha512.kasp"
-set_policy "rsasha512" "3" "1234"
+set_policy "rsasha512" "3" "1234" "2"
 set_server "ns3" "10.53.0.3" # Key properties. set_keyalgorithm "KEY1" "10" "RSASHA512" "2048"
@@ -1156,7 +1156,7 @@ dnssec_verify # Zone: ecdsa256.kasp. # set_zone "ecdsa256.kasp"
-set_policy "ecdsa256" "3" "1234"
+set_policy "ecdsa256" "3" "1234" "2"
 set_server "ns3" "10.53.0.3" # Key properties. set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
@@ -1176,7 +1176,7 @@ dnssec_verify # Zone: ecdsa512.kasp. # set_zone "ecdsa384.kasp"
-set_policy "ecdsa384" "3" "1234"
+set_policy "ecdsa384" "3" "1234" "2"
 set_server "ns3" "10.53.0.3" # Key properties. set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
@@ -1197,7 +1197,7 @@ dnssec_verify # if [ -f ed25519-supported.file ]; then set_zone "ed25519.kasp"
- set_policy "ed25519" "3" "1234"
+ set_policy "ed25519" "3" "1234" "2"
 set_server "ns3" "10.53.0.3" # Key properties. set_keyalgorithm "KEY1" "15" "ED25519" "256"
@@ -1219,7 +1219,7 @@ fi # if [ -f ed448-supported.file ]; then set_zone "ed448.kasp"
- set_policy "ed448" "3" "1234"
+ set_policy "ed448" "3" "1234" "2"
 set_server "ns3" "10.53.0.3" # Key properties. set_keyalgorithm "KEY1" "16" "ED448" "456"
@@ -1273,7 +1273,7 @@ set_keytimes_autosign_policy() { # Zone: expired-sigs.autosign. # set_zone "expired-sigs.autosign"
-set_policy "autosign" "2" "300"
+set_policy "autosign" "2" "300" "2"
 set_server "ns3" "10.53.0.3" # Key properties. key_clear "KEY1"
@@ -1357,7 +1357,7 @@ check_rrsig_refresh # Zone: fresh-sigs.autosign. # set_zone "fresh-sigs.autosign"
-set_policy "autosign" "2" "300"
+set_policy "autosign" "2" "300" "2"
 set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above.
@@ -1418,7 +1418,7 @@ check_rrsig_reuse # Zone: unfresh-sigs.autosign. # set_zone "unfresh-sigs.autosign"
-set_policy "autosign" "2" "300"
+set_policy "autosign" "2" "300" "2"
 set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above.
@@ -1435,7 +1435,7 @@ check_rrsig_refresh # Zone: ksk-missing.autosign. # set_zone "ksk-missing.autosign"
-set_policy "autosign" "2" "300"
+set_policy "autosign" "2" "300" "2"
 set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. # Skip checking the private file, because it is missing.
@@ -1454,7 +1454,7 @@ key_set "KEY1" "PRIVATE" "yes" # Zone: zsk-missing.autosign. # set_zone "zsk-missing.autosign"
-set_policy "autosign" "2" "300"
+set_policy "autosign" "2" "300" "2"
 set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. # Skip checking the private file, because it is missing.
@@ -1481,7 +1481,7 @@ key_set "KEY2" "PRIVATE" "yes" # Zone: zsk-retired.autosign. # set_zone "zsk-retired.autosign"
-set_policy "autosign" "3" "300"
+set_policy "autosign" "3" "300" "2"
 set_server "ns3" "10.53.0.3" # The third key is not yet expected to be signing. set_keyrole "KEY3" "zsk"
@@ -1537,7 +1537,7 @@ check_rrsig_refresh set_zone "legacy-keys.kasp" # This zone has two active keys and two old keys left in key directory, so # expect 4 key files.
-set_policy "migrate-to-dnssec-policy" "4" "1234"
+set_policy "migrate-to-dnssec-policy" "4" "1234" "2"
 set_server "ns3" "10.53.0.3" # Key properties.
@@ -1648,7 +1648,7 @@ key_clear "KEY3" key_clear "KEY4" set_zone "unsigned.tld"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
 set_server "ns2" "10.53.0.2" TSIG="" check_keys
@@ -1657,7 +1657,7 @@ check_apex check_subdomain set_zone "none.inherit.signed"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
 set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:sha1:$SHA1" check_keys
@@ -1666,7 +1666,7 @@ check_apex check_subdomain set_zone "none.override.signed"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
 set_server "ns4" "10.53.0.4" TSIG="hmac-sha224:sha224:$SHA224" check_keys
@@ -1675,7 +1675,7 @@ check_apex check_subdomain set_zone "inherit.none.signed"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
 set_server "ns4" "10.53.0.4" TSIG="hmac-sha256:sha256:$SHA256" check_keys
@@ -1684,7 +1684,7 @@ check_apex check_subdomain set_zone "none.none.signed"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
 set_server "ns4" "10.53.0.4" TSIG="hmac-sha256:sha256:$SHA256" check_keys
@@ -1693,7 +1693,7 @@ check_apex check_subdomain set_zone "inherit.inherit.unsigned"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
 set_server "ns5" "10.53.0.5" TSIG="hmac-sha1:sha1:$SHA1" check_keys
@@ -1702,7 +1702,7 @@ check_apex check_subdomain set_zone "none.inherit.unsigned"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
 set_server "ns5" "10.53.0.5" TSIG="hmac-sha1:sha1:$SHA1" check_keys
@@ -1711,7 +1711,7 @@ check_apex check_subdomain set_zone "none.override.unsigned"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
 set_server "ns5" "10.53.0.5" TSIG="hmac-sha224:sha224:$SHA224" check_keys
@@ -1720,7 +1720,7 @@ check_apex check_subdomain set_zone "inherit.none.unsigned"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
 set_server "ns5" "10.53.0.5" TSIG="hmac-sha256:sha256:$SHA256" check_keys
@@ -1729,7 +1729,7 @@ check_apex check_subdomain set_zone "none.none.unsigned"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
 set_server "ns5" "10.53.0.5" TSIG="hmac-sha256:sha256:$SHA256" check_keys
@@ -1756,7 +1756,7 @@ set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" set_keystate "KEY1" "STATE_DS" "hidden" set_zone "signed.tld"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
 set_server "ns2" "10.53.0.2" TSIG="" check_keys
@@ -1768,7 +1768,7 @@ check_subdomain dnssec_verify set_zone "override.inherit.signed"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
 set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:sha1:$SHA1" check_keys
@@ -1780,7 +1780,7 @@ check_subdomain dnssec_verify set_zone "inherit.override.signed"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
 set_server "ns4" "10.53.0.4" TSIG="hmac-sha224:sha224:$SHA224" check_keys
@@ -1792,7 +1792,7 @@ check_subdomain dnssec_verify set_zone "override.inherit.unsigned"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
 set_server "ns5" "10.53.0.5" TSIG="hmac-sha1:sha1:$SHA1" check_keys
@@ -1804,7 +1804,7 @@ check_subdomain dnssec_verify set_zone "inherit.override.unsigned"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
 set_server "ns5" "10.53.0.5" TSIG="hmac-sha224:sha224:$SHA224" check_keys
@@ -1829,7 +1829,7 @@ set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" set_zone "inherit.inherit.signed"
-set_policy "test" "1" "3600"
+set_policy "test" "1" "3600" "2"
 set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:sha1:$SHA1" wait_for_nsec
@@ -1842,7 +1842,7 @@ check_subdomain dnssec_verify set_zone "override.override.signed"
-set_policy "test" "1" "3600"
+set_policy "test" "1" "3600" "2"
 set_server "ns4" "10.53.0.4" TSIG="hmac-sha224:sha224:$SHA224" wait_for_nsec
@@ -1855,7 +1855,7 @@ check_subdomain dnssec_verify set_zone "override.none.signed"
-set_policy "test" "1" "3600"
+set_policy "test" "1" "3600" "2"
 set_server "ns4" "10.53.0.4" TSIG="hmac-sha256:sha256:$SHA256" wait_for_nsec
@@ -1868,7 +1868,7 @@ check_subdomain dnssec_verify set_zone "override.override.unsigned"
-set_policy "test" "1" "3600"
+set_policy "test" "1" "3600" "2"
 set_server "ns5" "10.53.0.5" TSIG="hmac-sha224:sha224:$SHA224" wait_for_nsec
@@ -1881,7 +1881,7 @@ check_subdomain dnssec_verify set_zone "override.none.unsigned"
-set_policy "test" "1" "3600"
+set_policy "test" "1" "3600" "2"
 set_server "ns5" "10.53.0.5" TSIG="hmac-sha256:sha256:$SHA256" wait_for_nsec
@@ -1980,7 +1980,7 @@ TSIG="" # Testing RFC 8901 Multi-Signer Model 2. # set_zone "multisigner-model2.kasp"
-set_policy "multisigner-model2" "2" "3600"
+set_policy "multisigner-model2" "2" "3600" "2"
 set_server "ns3" "10.53.0.3" key_clear "KEY1" key_clear "KEY2"
@@ -2042,7 +2042,7 @@ status=$((status+ret)) # Testing manual rollover. # set_zone "manual-rollover.kasp"
-set_policy "manual-rollover" "2" "3600"
+set_policy "manual-rollover" "2" "3600" "2"
 set_server "ns3" "10.53.0.3" key_clear "KEY1" key_clear "KEY2"
@@ -2108,7 +2108,7 @@ check_subdomain dnssec_verify # Schedule KSK rollover now.
-set_policy "manual-rollover" "3" "3600"
+set_policy "manual-rollover" "3" "3600" "2"
 set_keystate "KEY1" "GOAL" "hidden" # This key was activated one day ago, so lifetime is set to 1d plus # prepublication duration (7500 seconds) = 93900 seconds.
@@ -2135,7 +2135,7 @@ check_subdomain dnssec_verify # Schedule ZSK rollover now.
-set_policy "manual-rollover" "4" "3600"
+set_policy "manual-rollover" "4" "3600" "2"
 set_keystate "KEY2" "GOAL" "hidden" # This key was activated one day ago, so lifetime is set to 1d plus # prepublication duration (7500 seconds) = 93900 seconds.
@@ -2177,7 +2177,7 @@ status=$((status+ret)) # Zone: step1.enable-dnssec.autosign. # set_zone "step1.enable-dnssec.autosign"
-set_policy "enable-dnssec" "1" "300"
+set_policy "enable-dnssec" "1" "300" "2"
 set_server "ns3" "10.53.0.3" # Key properties. key_clear "KEY1"
@@ -2261,7 +2261,7 @@ check_next_key_event 900 # Zone: step2.enable-dnssec.autosign. # set_zone "step2.enable-dnssec.autosign"
-set_policy "enable-dnssec" "1" "300"
+set_policy "enable-dnssec" "1" "300" "2"
 set_server "ns3" "10.53.0.3" # The DNSKEY is omnipresent, but the zone signatures not yet. # Thus, the DS remains hidden.
@@ -2294,7 +2294,7 @@ check_next_key_event 43800 # Zone: step3.enable-dnssec.autosign. # set_zone "step3.enable-dnssec.autosign"
-set_policy "enable-dnssec" "1" "300"
+set_policy "enable-dnssec" "1" "300" "2"
 set_server "ns3" "10.53.0.3" # All signatures should be omnipresent, so the DS can be submitted. set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
@@ -2331,7 +2331,7 @@ check_next_key_event 12000 # Zone: step4.enable-dnssec.autosign. # set_zone "step4.enable-dnssec.autosign"
-set_policy "enable-dnssec" "1" "300"
+set_policy "enable-dnssec" "1" "300" "2"
 set_server "ns3" "10.53.0.3" # The DS is omnipresent. set_keystate "KEY1" "STATE_DS" "omnipresent"
@@ -2377,7 +2377,7 @@ IretZSK=867600 # Zone: step1.zsk-prepub.autosign. # set_zone "step1.zsk-prepub.autosign"
-set_policy "zsk-prepub" "2" "3600"
+set_policy "zsk-prepub" "2" "3600" "2"
 set_server "ns3" "10.53.0.3" set_retired_removed() {
@@ -2452,7 +2452,7 @@ check_next_key_event 2498400 # Zone: step2.zsk-prepub.autosign. # set_zone "step2.zsk-prepub.autosign"
-set_policy "zsk-prepub" "3" "3600"
+set_policy "zsk-prepub" "3" "3600" "2"
 set_server "ns3" "10.53.0.3" # New ZSK (KEY3) is prepublished, but not yet signing. key_clear "KEY3"
@@ -2499,7 +2499,7 @@ check_next_key_event 93600 # Zone: step3.zsk-prepub.autosign. # set_zone "step3.zsk-prepub.autosign"
-set_policy "zsk-prepub" "3" "3600"
+set_policy "zsk-prepub" "3" "3600" "2"
 set_server "ns3" "10.53.0.3" # ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE. # New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
@@ -2547,7 +2547,7 @@ check_next_key_event 867600 # Zone: step4.zsk-prepub.autosign. # set_zone "step4.zsk-prepub.autosign"
-set_policy "zsk-prepub" "3" "3600"
+set_policy "zsk-prepub" "3" "3600" "2"
 set_server "ns3" "10.53.0.3" # ZSK (KEY2) DNSKEY is no longer needed. # ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
@@ -2584,7 +2584,7 @@ check_next_key_event 7200 # Zone: step5.zsk-prepub.autosign. # set_zone "step5.zsk-prepub.autosign"
-set_policy "zsk-prepub" "3" "3600"
+set_policy "zsk-prepub" "3" "3600" "2"
 set_server "ns3" "10.53.0.3" # ZSK (KEY2) DNSKEY is now completely HIDDEN and removed. set_keystate "KEY2" "STATE_DNSKEY" "hidden"
@@ -2618,7 +2618,7 @@ check_next_key_event 1627200 # Zone: step6.zsk-prepub.autosign. # set_zone "step6.zsk-prepub.autosign"
-set_policy "zsk-prepub" "2" "3600"
+set_policy "zsk-prepub" "2" "3600" "2"
 set_server "ns3" "10.53.0.3" # ZSK (KEY2) DNSKEY is purged. key_clear "KEY2"
@@ -2650,7 +2650,7 @@ IretZSK=867600 # Zone: step1.ksk-doubleksk.autosign. # set_zone "step1.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "2" "7200"
+set_policy "ksk-doubleksk" "2" "7200" "2"
 set_server "ns3" "10.53.0.3" # Key properties. key_clear "KEY1"
@@ -2699,7 +2699,7 @@ check_next_key_event 5086800 # Zone: step2.ksk-doubleksk.autosign. # set_zone "step2.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "3" "7200"
+set_policy "ksk-doubleksk" "3" "7200" "2"
 set_server "ns3" "10.53.0.3" # New KSK (KEY3) is prepublished (and signs DNSKEY RRset). key_clear "KEY3"
@@ -2750,7 +2750,7 @@ check_next_key_event 97200 # Zone: step3.ksk-doubleksk.autosign. # set_zone "step3.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "3" "7200"
+set_policy "ksk-doubleksk" "3" "7200" "2"
 set_server "ns3" "10.53.0.3" # The DNSKEY RRset has become omnipresent.
@@ -2800,7 +2800,7 @@ check_next_key_event 180000 # Zone: step4.ksk-doubleksk.autosign. # set_zone "step4.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "3" "7200"
+set_policy "ksk-doubleksk" "3" "7200" "2"
 set_server "ns3" "10.53.0.3" # KSK (KEY1) DNSKEY can be removed. set_keysigning "KEY1" "no"
@@ -2841,7 +2841,7 @@ check_next_key_event 10800 # Zone: step5.ksk-doubleksk.autosign. # set_zone "step5.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "3" "7200"
+set_policy "ksk-doubleksk" "3" "7200" "2"
 set_server "ns3" "10.53.0.3" # KSK (KEY1) DNSKEY is now HIDDEN. set_keystate "KEY1" "STATE_DNSKEY" "hidden"
@@ -2879,7 +2879,7 @@ check_next_key_event 4899600 # Zone: step6.ksk-doubleksk.autosign. # set_zone "step6.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "2" "7200"
+set_policy "ksk-doubleksk" "2" "7200" "2"
 set_server "ns3" "10.53.0.3" # KSK (KEY1) DNSKEY is purged. key_clear "KEY1"
@@ -2920,7 +2920,7 @@ csk_rollover_predecessor_keytimes() { # Zone: step1.csk-roll.autosign. # set_zone "step1.csk-roll.autosign"
-set_policy "csk-roll" "1" "3600"
+set_policy "csk-roll" "1" "3600" "2"
 set_server "ns3" "10.53.0.3" # Key properties. key_clear "KEY1"
@@ -2960,7 +2960,7 @@ check_next_key_event 16059600 # Zone: step2.csk-roll.autosign. # set_zone "step2.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600"
+set_policy "csk-roll" "2" "3600" "2"
 set_server "ns3" "10.53.0.3" # New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets). key_clear "KEY2"
@@ -3009,7 +3009,7 @@ check_next_key_event 10800 # Zone: step3.csk-roll.autosign. # set_zone "step3.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600"
+set_policy "csk-roll" "2" "3600" "2"
 set_server "ns3" "10.53.0.3" # Swap zone signing role. set_zonesigning "KEY1" "no"
@@ -3070,7 +3070,7 @@ check_next_key_event 14400 # Zone: step4.csk-roll.autosign. # set_zone "step4.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600"
+set_policy "csk-roll" "2" "3600" "2"
 set_server "ns3" "10.53.0.3" # The old CSK (KEY1) is no longer signing the DNSKEY RRset. set_keysigning "KEY1" "no"
@@ -3111,7 +3111,7 @@ check_next_key_event 7200 # Zone: step5.csk-roll.autosign. # set_zone "step5.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600"
+set_policy "csk-roll" "2" "3600" "2"
 set_server "ns3" "10.53.0.3" # The old CSK (KEY1) KRRSIG records are now all hidden. set_keystate "KEY1" "STATE_KRRSIG" "hidden"
@@ -3148,7 +3148,7 @@ check_next_key_event 2235600 # Zone: step6.csk-roll.autosign. # set_zone "step6.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600"
+set_policy "csk-roll" "2" "3600" "2"
 set_server "ns3" "10.53.0.3" # The old CSK (KEY1) ZRRSIG records are now all hidden (so the DNSKEY can # be removed).
@@ -3187,7 +3187,7 @@ check_next_key_event 7200 # Zone: step7.csk-roll.autosign. # set_zone "step7.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600"
+set_policy "csk-roll" "2" "3600" "2"
 set_server "ns3" "10.53.0.3" # The old CSK (KEY1) is now completely HIDDEN. set_keystate "KEY1" "STATE_DNSKEY" "hidden"
@@ -3225,7 +3225,7 @@ check_next_key_event 13795200 # Zone: step8.csk-roll.autosign. # set_zone "step8.csk-roll.autosign"
-set_policy "csk-roll" "1" "3600"
+set_policy "csk-roll" "1" "3600" "2"
 set_server "ns3" "10.53.0.3" # The old CSK (KEY1) is purged. key_clear "KEY1"
@@ -3257,7 +3257,7 @@ IretCSK=$IretKSK # Zone: step1.csk-roll2.autosign. # set_zone "step1.csk-roll2.autosign"
-set_policy "csk-roll2" "1" "3600"
+set_policy "csk-roll2" "1" "3600" "4"
 set_server "ns3" "10.53.0.3" # Key properties. key_clear "KEY1"
@@ -3298,7 +3298,7 @@ check_next_key_event 16059600 # Zone: step2.csk-roll2.autosign. # set_zone "step2.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600"
+set_policy "csk-roll2" "2" "3600" "4"
 set_server "ns3" "10.53.0.3" # New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets). key_clear "KEY2"
@@ -3346,7 +3346,7 @@ check_next_key_event 10800 # Zone: step3.csk-roll2.autosign. # set_zone "step3.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600"
+set_policy "csk-roll2" "2" "3600" "4"
 set_server "ns3" "10.53.0.3" # CSK (KEY1) can be removed, so move to UNRETENTIVE. set_zonesigning "KEY1" "no"
@@ -3412,7 +3412,7 @@ check_next_key_event $next_time # Zone: step4.csk-roll2.autosign. # set_zone "step4.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600"
+set_policy "csk-roll2" "2" "3600" "4"
 set_server "ns3" "10.53.0.3" # The old CSK (KEY1) ZRRSIG is now HIDDEN. set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
@@ -3453,7 +3453,7 @@ check_next_key_event 475200 # Zone: step5.csk-roll2.autosign. # set_zone "step5.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600"
+set_policy "csk-roll2" "2" "3600" "4"
 set_server "ns3" "10.53.0.3" # The old CSK (KEY1) DNSKEY can be removed. set_keysigning "KEY1" "no"
@@ -3493,7 +3493,7 @@ check_next_key_event 7200 # Zone: step6.csk-roll2.autosign. # set_zone "step6.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600"
+set_policy "csk-roll2" "2" "3600" "4"
 set_server "ns3" "10.53.0.3" # The old CSK (KEY1) is now completely HIDDEN. set_keystate "KEY1" "STATE_DNSKEY" "hidden"
@@ -3530,7 +3530,7 @@ check_next_key_event 15440400 # Zone: step7.csk-roll2.autosign. # set_zone "step7.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600"
+set_policy "csk-roll2" "2" "3600" "4"
 set_server "ns3" "10.53.0.3" # The old CSK (KEY1) could have been purged, but purge-keys is disabled.
@@ -3545,13 +3545,13 @@ dnssec_verify # Test #2375: Scheduled rollovers are happening faster than they can finish # set_zone "step1.three-is-a-crowd.kasp"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
 set_server "ns3" "10.53.0.3" # TODO (GL #2471). # Test dynamic zones that switch to inline-signing. set_zone "dynamic2inline.kasp"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
 set_server "ns6" "10.53.0.6" # Key properties. key_clear "KEY1"
@@ -3589,7 +3589,7 @@ IretZSK=0 # Zone: step1.algorithm-roll.kasp # set_zone "step1.algorithm-roll.kasp"
-set_policy "rsasha256" "2" "3600"
+set_policy "rsasha256" "2" "3600" "2"
 set_server "ns6" "10.53.0.6" # Key properties. key_clear "KEY1"
@@ -3637,7 +3637,7 @@ check_next_key_event 3600 # Zone: step1.csk-algorithm-roll.kasp # set_zone "step1.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "1" "3600"
+set_policy "csk-algoroll" "1" "3600" "2"
 set_server "ns6" "10.53.0.6" # Key properties. key_clear "KEY1"
@@ -3681,7 +3681,7 @@ check_next_key_event 3600 # Zone step1.going-insecure.kasp # set_zone "step1.going-insecure.kasp"
-set_policy "unsigning" "2" "7200"
+set_policy "unsigning" "2" "7200" "2"
 set_server "ns6" "10.53.0.6" # Policy parameters.
@@ -3742,7 +3742,7 @@ dnssec_verify set_zone "step1.going-insecure-dynamic.kasp" set_dynamic
-set_policy "unsigning" "2" "7200"
+set_policy "unsigning" "2" "7200" "2"
 set_server "ns6" "10.53.0.6" init_migration_insecure
@@ -3761,7 +3761,7 @@ dnssec_verify # Zone step1.going-straight-to-none.kasp # set_zone "step1.going-straight-to-none.kasp"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
 set_server "ns6" "10.53.0.6" # Key properties. set_keyrole "KEY1" "csk"
@@ -3846,7 +3846,7 @@ wait_for_done_signing() { # Test dynamic zones that switch to inline-signing. set_zone "dynamic2inline.kasp"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
 set_server "ns6" "10.53.0.6" # Key properties. key_clear "KEY1"
@@ -3880,7 +3880,7 @@ dnssec_verify # Zone: step1.going-insecure.kasp # set_zone "step1.going-insecure.kasp"
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "7200" "2"
 set_server "ns6" "10.53.0.6" # Expect a CDS/CDNSKEY Delete Record. set_cdsdelete
@@ -3917,7 +3917,7 @@ check_next_key_event 93600 # Zone: step2.going-insecure.kasp # set_zone "step2.going-insecure.kasp"
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "7200" "2"
 set_server "ns6" "10.53.0.6" # The DS is long enough removed from the zone to be considered HIDDEN.
@@ -3947,7 +3947,7 @@ check_next_key_event 7500 # set_zone "step1.going-insecure-dynamic.kasp" set_dynamic
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "7200" "2"
 set_server "ns6" "10.53.0.6" # Expect a CDS/CDNSKEY Delete Record. set_cdsdelete
@@ -3985,7 +3985,7 @@ check_next_key_event 93600 # set_zone "step2.going-insecure-dynamic.kasp" set_dynamic
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "7200" "2"
 set_server "ns6" "10.53.0.6" # The DS is long enough removed from the zone to be considered HIDDEN.
@@ -4014,7 +4014,7 @@ check_next_key_event 7500 # Zone: step1.going-straight-to-none.kasp # set_zone "step1.going-straight-to-none.kasp"
-set_policy "none" "1" "3600"
+set_policy "none" "1" "3600" "2"
 set_server "ns6" "10.53.0.6" # The zone will go bogus after signatures expire, but remains validly signed for now.
@@ -4055,7 +4055,7 @@ Lzsk=0 # Zone: step1.algorithm-roll.kasp # set_zone "step1.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
+set_policy "ecdsa256" "4" "3600" "2"
 set_server "ns6" "10.53.0.6" # Old RSASHA1 keys. key_clear "KEY1"
@@ -4168,7 +4168,7 @@ check_next_key_event 10800 # Zone: step2.algorithm-roll.kasp # set_zone "step2.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
+set_policy "ecdsa256" "4" "3600" "2"
 set_server "ns6" "10.53.0.6" # The RSAHSHA1 keys are outroducing, but need to stay present until the new # algorithm chain of trust has been established. Thus the properties, timings
@@ -4227,7 +4227,7 @@ check_next_key_event $next_time # Zone: step3.algorithm-roll.kasp # set_zone "step3.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
+set_policy "ecdsa256" "4" "3600" "2"
 set_server "ns6" "10.53.0.6" # The ECDSAP256SHA256 keys are introducing. set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
@@ -4285,7 +4285,7 @@ check_next_key_event 18000 # Zone: step4.algorithm-roll.kasp # set_zone "step4.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
+set_policy "ecdsa256" "4" "3600" "2"
 set_server "ns6" "10.53.0.6" # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records. set_keysigning "KEY1" "no"
@@ -4344,7 +4344,7 @@ check_next_key_event 7200 # Zone: step5.algorithm-roll.kasp # set_zone "step5.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
+set_policy "ecdsa256" "4" "3600" "2"
 set_server "ns6" "10.53.0.6" # The DNSKEY becomes HIDDEN. set_keystate "KEY1" "STATE_DNSKEY" "hidden"
@@ -4400,7 +4400,7 @@ check_next_key_event $next_time # Zone: step6.algorithm-roll.kasp # set_zone "step6.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
+set_policy "ecdsa256" "4" "3600" "2"
 set_server "ns6" "10.53.0.6" # The old zone signatures (KEY2) should now also be HIDDEN. set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
@@ -4457,7 +4457,7 @@ Lcksk=0 # Zone: step1.csk-algorithm-roll.kasp # set_zone "step1.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
+set_policy "csk-algoroll" "2" "3600" "2"
 set_server "ns6" "10.53.0.6" # Old RSASHA1 key. key_clear "KEY1"
@@ -4536,7 +4536,7 @@ check_next_key_event 10800 # Zone: step2.csk-algorithm-roll.kasp # set_zone "step2.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
+set_policy "csk-algoroll" "2" "3600" "2"
 set_server "ns6" "10.53.0.6" # The RSAHSHA1 key is outroducing, but need to stay present until the new # algorithm chain of trust has been established. Thus the properties, timings
@@ -4586,7 +4586,7 @@ check_next_key_event $next_time # Zone: step3.csk-algorithm-roll.kasp # set_zone "step3.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
+set_policy "csk-algoroll" "2" "3600" "2"
 set_server "ns6" "10.53.0.6" # The RSAHSHA1 key is outroducing, and it is time to swap the DS. # The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures
@@ -4636,7 +4636,7 @@ check_next_key_event 18000 # Zone: step4.csk-algorithm-roll.kasp # set_zone "step4.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
+set_policy "csk-algoroll" "2" "3600" "2"
 set_server "ns6" "10.53.0.6" # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records. set_keysigning "KEY1" "no"
@@ -4682,7 +4682,7 @@ check_next_key_event 7200 # Zone: step5.csk-algorithm-roll.kasp # set_zone "step5.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
+set_policy "csk-algoroll" "2" "3600" "2"
 set_server "ns6" "10.53.0.6" # The DNSKEY becomes HIDDEN. set_keystate "KEY1" "STATE_DNSKEY" "hidden"
@@ -4727,7 +4727,7 @@ check_next_key_event $next_time # Zone: step6.csk-algorithm-roll.kasp # set_zone "step6.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
+set_policy "csk-algoroll" "2" "3600" "2"
 set_server "ns6" "10.53.0.6" # The zone signatures should now also be HIDDEN. set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh
index 62b58a7d781..68844f4af8a 100644
--- a/bin/tests/system/keymgr2kasp/tests.sh
+++ b/bin/tests/system/keymgr2kasp/tests.sh
@@ -126,7 +126,7 @@ init_migration_states() { # Testing a good migration. # set_zone "migrate.kasp" -set_policy "none" "2" "7200" +set_policy "none" "2" "7200" "2" set_server "ns3" "10.53.0.3" init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" @@ -149,7 +149,7 @@ _migrate_zsk=$(key_get KEY2 ID) # Testing a good migration (CSK). # set_zone "csk.kasp" -set_policy "none" "1" "7200" +set_policy "none" "1" "7200" "2" set_server "ns3" "10.53.0.3" key_clear "KEY1" @@ -192,7 +192,7 @@ _migrate_csk=$(key_get KEY1 ID) # Testing a good migration (CSK, no SEP). # set_zone "csk-nosep.kasp" -set_policy "none" "1" "7200" +set_policy "none" "1" "7200" "2" set_server "ns3" "10.53.0.3" key_clear "KEY1" @@ -235,7 +235,7 @@ _migrate_csk_nosep=$(key_get KEY1 ID) # Testing key states derived from key timing metadata (rumoured). # set_zone "rumoured.kasp" -set_policy "none" "2" "300" +set_policy "none" "2" "300" "2" set_server "ns3" "10.53.0.3" init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" @@ -255,7 +255,7 @@ _rumoured_zsk=$(key_get KEY2 ID) # Testing key states derived from key timing metadata (omnipresent). # set_zone "omnipresent.kasp" -set_policy "none" "2" "300" +set_policy "none" "2" "300" "2" set_server "ns3" "10.53.0.3" init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" @@ -275,7 +275,7 @@ _omnipresent_zsk=$(key_get KEY2 ID) # Testing migration with unmatched existing keys (different algorithm). # set_zone "migrate-nomatch-algnum.kasp" -set_policy "none" "2" "300" +set_policy "none" "2" "300" "2" set_server "ns3" "10.53.0.3" init_migration_keys "8" "RSASHA256" "2048" "2048" 
@@ -312,7 +312,7 @@ _migratenomatch_algnum_zsk=$(key_get KEY2 ID) # Testing migration with unmatched existing keys (different length). # set_zone "migrate-nomatch-alglen.kasp" -set_policy "none" "2" "300" +set_policy "none" "2" "300" "2" set_server "ns3" "10.53.0.3" init_migration_keys "8" "RSASHA256" "2048" "2048" @@ -411,7 +411,7 @@ IretZSK=867900 # Testing good migration. # set_zone "migrate.kasp" -set_policy "migrate" "2" "7200" +set_policy "migrate" "2" "7200" "2" set_server "ns3" "10.53.0.3" # Key properties, timings and metadata should be the same as legacy keys above. @@ -462,7 +462,7 @@ status=$((status+ret)) # Testing a good migration (CSK). # set_zone "csk.kasp" -set_policy "default" "1" "7200" +set_policy "default" "1" "7200" "2" set_server "ns3" "10.53.0.3" key_clear "KEY1" @@ -512,7 +512,7 @@ status=$((status+ret)) # Testing a good migration (CSK, no SEP). # set_zone "csk-nosep.kasp" -set_policy "default" "1" "7200" +set_policy "default" "1" "7200" "2" set_server "ns3" "10.53.0.3" key_clear "KEY1" @@ -563,7 +563,7 @@ status=$((status+ret)) # Test migration to dnssec-policy, existing keys do not match key algorithm. # set_zone "migrate-nomatch-algnum.kasp" -set_policy "migrate-nomatch-algnum" "4" "300" +set_policy "migrate-nomatch-algnum" "4" "300" "2" set_server "ns3" "10.53.0.3" # The legacy keys need to be retired, but otherwise stay present until the # new keys are omnipresent, and can be used to construct a chain of trust. @@ -678,7 +678,7 @@ status=$((status+ret)) # Test migration to dnssec-policy, existing keys do not match key length. # set_zone "migrate-nomatch-alglen.kasp" -set_policy "migrate-nomatch-alglen" "4" "300" +set_policy "migrate-nomatch-alglen" "4" "300" "2" set_server "ns3" "10.53.0.3" # The legacy keys need to be retired, but otherwise stay present until the 
@@ -811,7 +811,7 @@ IretZSK=651600 # Testing rumoured state. # set_zone "rumoured.kasp" -set_policy "timing-metadata" "2" "300" +set_policy "timing-metadata" "2" "300" "2" set_server "ns3" "10.53.0.3" # Key properties, timings and metadata should be the same as legacy keys above. @@ -861,7 +861,7 @@ status=$((status+ret)) # Testing omnipresent state. # set_zone "omnipresent.kasp" -set_policy "timing-metadata" "2" "300" +set_policy "timing-metadata" "2" "300" "2" set_server "ns3" "10.53.0.3" # Key properties, timings and metadata should be the same as legacy keys above. @@ -952,7 +952,7 @@ set_keytimes_view_migration() { # Zone view.rsasha256.kasp (external) set_zone "view-rsasha256.kasp" -set_policy "rsasha256" "2" "300" +set_policy "rsasha256" "2" "300" "2" set_server "ns4" "10.53.0.4" init_view_migration set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" @@ -982,7 +982,7 @@ _migrate_ext8_zsk=$(key_get KEY2 ID) # Zone view.rsasha256.kasp (internal) set_zone "view-rsasha256.kasp" -set_policy "rsasha256" "2" "300" +set_policy "rsasha256" "2" "300" "2" set_server "ns4" "10.53.0.4" init_view_migration set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" @@ -1024,7 +1024,7 @@ echo_i "${time_passed} seconds passed between start of tests and reconfig" # Testing migration (RSASHA256, views). # set_zone "view-rsasha256.kasp" -set_policy "rsasha256" "3" "300" +set_policy "rsasha256" "3" "300" "2" set_server "ns4" "10.53.0.4" init_migration_keys "8" "RSASHA256" "2048" "2048" init_migration_states "omnipresent" "rumoured" diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh index 0f21027046e..a5661e6fbd0 100644 --- a/bin/tests/system/nsec3/tests.sh +++ b/bin/tests/system/nsec3/tests.sh 
@@ -33,11 +33,15 @@ rndccmd() { } # Set zone name ($1) and policy ($2) for testing nsec3. +# Also set the expected number of keys ($3) and DNSKEY TTL ($4). set_zone_policy() { ZONE=$1 POLICY=$2 NUM_KEYS=$3 DNSKEY_TTL=$4 + # The CDS digest type in these tests are all the default, + # which is SHA-256 (2). + DIGEST_TYPE=2 } # Set expected NSEC3 parameters: flags ($1), iterations ($2), and # salt length ($3).
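Review bot: `DIGEST_TYPE=2` inside `set_zone_policy` is fixed, so an nsec3 test zone whose policy later sets a non-default `cds-digest-type` would have its CDS compared against the wrong digest type with no way for the caller to override it. Taking it as an optional fifth argument keeps the existing four-argument calls working and matches how the kasp tests in this commit pass the value: `DIGEST_TYPE=${5:-2}`. The header comment would then also mention `$5`, and the added comment reads better as `# The CDS digest type in these tests is always the default, SHA-256 (2).`. The helper that consumes `DIGEST_TYPE` is not part of this hunk, so how it treats an unexpected value should be confirmed there.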