From: Matthijs Mekking
Date: Fri, 10 Feb 2023 14:18:36 +0000 (+0100)
Subject: Make cds-digest-type plural
X-Git-Tag: v9.19.11~14^2~7
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c0b606885e880eb49721314dbd473977feb9af03;p=thirdparty%2Fbind9.git
Make cds-digest-type plural
Allow for configuring multiple CDS records with different digest types (currently only SHA-256 and SHA-384 are allowed).
---
diff --git a/bin/named/config.c b/bin/named/config.c
index 7e6391b1b71..9c1469abc6c 100644
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -294,7 +294,7 @@ dnssec-policy \"default\" {\n\
 csk key-directory lifetime unlimited algorithm 13;\n\
 };\n\
 \n\
- cds-digest-type 2;\n\
+ cds-digest-types { 2; };\n\
 dnskey-ttl " DNS_KASP_KEY_TTL ";\n\
 publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
 retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c
index 0a1b13ee402..5ba6183599c 100644
--- a/bin/named/zoneconf.c
+++ b/bin/named/zoneconf.c
@@ -1198,7 +1198,13 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 if (ztype != dns_zone_stub && ztype != dns_zone_staticstub &&
 ztype != dns_zone_redirect)
 {
+ /* Make a reference to the default policy. */
+ result = dns_kasplist_find(kasplist, "default", &kasp);
+ INSIST(result == ISC_R_SUCCESS && kasp != NULL);
+ dns_zone_setdefaultkasp(zone, kasp);
+ obj = NULL;
+ kasp = NULL;
 result = named_config_get(maps, "dnssec-policy", &obj);
 if (result == ISC_R_SUCCESS) {
 kaspname = cfg_obj_asstring(obj);
diff --git a/bin/tests/system/checkconf/bad-kasp-digest-type.conf b/bin/tests/system/checkconf/bad-kasp-digest-type.conf
index d5a160e2f0e..f1bd4d3029f 100644
--- a/bin/tests/system/checkconf/bad-kasp-digest-type.conf
+++ b/bin/tests/system/checkconf/bad-kasp-digest-type.conf
@@ -12,7 +12,7 @@
 */
 dnssec-policy "bad-digesttype" {
- cds-digest-type foobar;
+ cds-digest-types { foobar; 2; };
 };
 zone "example.net" {
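Review bot: The added `kasp = NULL;` drops the pointer obtained from `dns_kasplist_find(kasplist, "default", &kasp)` without releasing it; if that lookup attaches a reference to `*kaspp` on success (which the `&kasp` out-parameter convention in this codebase suggests), the default-policy reference is leaked on every zone (re)configuration, and any detach later in the function cannot see it because the variable is already NULL. Replacing that line with `dns_kasp_detach(&kasp);` releases the lookup's reference and still leaves `kasp` NULL for the `dnssec-policy` lookup that follows. The `INSIST(result == ISC_R_SUCCESS && kasp != NULL)` turns a missing "default" policy into an assertion abort rather than a configuration error, which is acceptable only because the built-in default policy from config.c is always present; a short comment stating that invariant next to the INSIST would make the intent clear. `named_zone_configure` starts and ends outside this hunk.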
diff --git a/bin/tests/system/checkconf/bad-kasp-digest-unsupported.conf b/bin/tests/system/checkconf/bad-kasp-digest-unsupported.conf
index e263a003197..bdb8c37a9d9 100644
--- a/bin/tests/system/checkconf/bad-kasp-digest-unsupported.conf
+++ b/bin/tests/system/checkconf/bad-kasp-digest-unsupported.conf
@@ -12,7 +12,7 @@
 */
 dnssec-policy "bad-digesttype" {
- cds-digest-type GOST;
+ cds-digest-types { GOST; 2; };
 };
 zone "example.net" {
diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf
index 9e19e26cf5e..67f3d5d869c 100644
--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
@@ -17,7 +17,9 @@
 /* cut here */
 dnssec-policy "test" {
- cds-digest-type "sha-256";
+ cds-digest-types {
+ "sha-256";
+ };
 dnskey-ttl 3600;
 keys {
 ksk key-directory lifetime P1Y algorithm ecdsa256;
diff --git a/bin/tests/system/checkconf/good.conf.in b/bin/tests/system/checkconf/good.conf.in
index 374d111cb81..a510bef0b25 100644
--- a/bin/tests/system/checkconf/good.conf.in
+++ b/bin/tests/system/checkconf/good.conf.in
@@ -17,7 +17,9 @@
 /* cut here */
 dnssec-policy "test" {
- cds-digest-type "sha-256";
+ cds-digest-types {
+ "sha-256";
+ };
 dnskey-ttl 3600;
 keys {
 ksk key-directory lifetime P1Y algorithm 13 256;
diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh
index ebe06aa8c5a..10511506cec 100644
--- a/bin/tests/system/kasp.sh
+++ b/bin/tests/system/kasp.sh
@@ -209,14 +209,14 @@ set_dynamic() {
 DYNAMIC="yes"
 }
-# Set policy settings (name $1, number of keys $2, dnskey ttl $3),
-# and digest type ($4) for testing keys.
+# Set policy settings (name $1, number of keys $2, dnskey ttl $3).
 set_policy() {
 POLICY=$1
 NUM_KEYS=$2
 DNSKEY_TTL=$3
- DIGEST_TYPE=$4
 CDS_DELETE="no"
+ CDS_SHA256="yes"
+ CDS_SHA384="no"
 }
 # By default policies are considered to be secure.
 # If a zone sets its policy to "insecure", call 'set_cdsdelete' to tell the
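Review bot: `set_policy` now unconditionally resets `CDS_SHA256="yes"` and `CDS_SHA384="no"`, but no helper to change them is added, so a test for a policy that publishes only SHA-384 (`csk-roll` in autosign.conf.in) or both digests (`csk-roll2`) has to assign the variables directly after `set_policy`; those call sites are not in this chunk, so I cannot tell whether they do. A setter alongside the existing `set_cdsdelete`, e.g. `set_cdsdigests() { CDS_SHA256=$1; CDS_SHA384=$2; }`, would keep that in one place and make the reset visible. The rewritten comment could also mention the new state, e.g. `# Set policy settings (name $1, number of keys $2, dnskey ttl $3) and reset the expected CDS digest types (CDS_SHA256, CDS_SHA384).`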
@@ -941,18 +941,18 @@ check_signatures() {
 retry_quiet 3 _check_signatures $1 $2 $3 || _log_error "RRset $1 in zone $ZONE incorrectly signed"
 }
-response_has_cds_for_key() (
+response_has_cds_for_key() {
 awk -v zone="${ZONE%%.}." \
 -v ttl="${DNSKEY_TTL}" \
 -v qtype="CDS" \
- -v keyid="$(key_get "${1}" ID)" \
- -v keyalg="$(key_get "${1}" ALG_NUM)" \
- -v hashalg="${DIGEST_TYPE}" \
+ -v keyid="$(key_get "${2}" ID)" \
+ -v keyalg="$(key_get "${2}" ALG_NUM)" \
+ -v hashalg="$1" \
 'BEGIN { ret=1; }
 $1 == zone && $2 == ttl && $4 == qtype && $5 == keyid && $6 == keyalg && $7 == hashalg { ret=0; exit; }
 END { exit ret; }' \
- "$2"
-)
+ "$3"
+}
 response_has_cdnskey_for_key() (
@@ -967,6 +967,25 @@ response_has_cdnskey_for_key() (
 "$2"
 )
+check_cds_digests() {
+ if [ "$CDS_SHA256" = "yes" ]; then
+ response_has_cds_for_key 2 $1 $2 || _log_error "missing CDS 2 record in response for key $(key_get $1 ID)"
+ else
+ response_has_cds_for_key 2 $1 $2 && _log_error "unexpected CDS 2 record in response for key $(key_get $1 ID)"
+ fi
+
+ if [ "$CDS_SHA384" = "yes" ]; then
+ response_has_cds_for_key 4 $1 $2 || _log_error "missing CDS 4 record in response for key $(key_get $1 ID)"
+ else
+ response_has_cds_for_key 4 $1 $2 && _log_error "unexpected CDS 4 record in response for key $(key_get $1 ID)"
+ fi
+}
+
+check_cds_digests_invert() {
+ response_has_cds_for_key 2 $1 $2 && _log_error "unexpected CDS 2 record in response for key $(key_get $1 ID)"
+ response_has_cds_for_key 4 $1 $2 && _log_error "unexpected CDS 4 record in response for key $(key_get $1 ID)"
+}
+
 # Test CDS and CDNSKEY publication.
 check_cds() {
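Review bot: In the new `check_cds_digests` and `check_cds_digests_invert` the positional parameters are expanded unquoted (`response_has_cds_for_key 2 $1 $2`, `$(key_get $1 ID)`), whereas `response_has_cds_for_key` itself quotes them as `"${2}"` and `"$3"`; writing `"$1" "$2"` keeps the helpers consistent and robust if a response file name ever contains IFS characters. Neither new function carries the one-line comment the neighbouring helpers have; I would add `# Check that the CDS records for key $1 in response $2 match the digest types enabled by CDS_SHA256/CDS_SHA384.` above the first and `# Check that response $2 contains no CDS record for key $1, for either digest type.` above the second. `check_cds_digests_invert` duplicates the two `else` branches of `check_cds_digests`, so it could be expressed as that function with both variables set to "no" rather than a second copy of the same greps. Also, `response_has_cds_for_key` switched from a subshell body `( )` to `{ }` while `response_has_cdnskey_for_key` keeps `( )`; harmless here, but worth aligning since the two are otherwise parallel.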
@@ -992,11 +1011,11 @@ check_cds() { fi if [ "$(key_get KEY1 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DS)" = "omnipresent" ]; then - response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY1 ID)" + check_cds_digests KEY1 "dig.out.$DIR.test$n.cds" response_has_cdnskey_for_key KEY1 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY1 ID)" _checksig=1 elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY1 ID)" + check_cds_digests_invert KEY1 "dig.out.$DIR.test$n.cds" # KEY1 should not have an associated CDNSKEY, but there may be # one for another key. Since the CDNSKEY has no field for key # id, it is hard to check what key the CDNSKEY may belong to @@ -1004,11 +1023,11 @@ check_cds() { fi if [ "$(key_get KEY2 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DS)" = "omnipresent" ]; then - response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY2 ID)" + check_cds_digests KEY2 "dig.out.$DIR.test$n.cds" response_has_cdnskey_for_key KEY2 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY2 ID)" _checksig=1 elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY2 ID)" + check_cds_digests_invert KEY2 "dig.out.$DIR.test$n.cds" # KEY2 should not have an associated CDNSKEY, but there may be # one for another key. Since the CDNSKEY has no field for key # id, it is hard to check what key the CDNSKEY may belong to 
@@ -1016,11 +1035,11 @@ check_cds() { fi if [ "$(key_get KEY3 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DS)" = "omnipresent" ]; then - response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY3 ID)" + check_cds_digests KEY3 "dig.out.$DIR.test$n.cds" response_has_cdnskey_for_key KEY3 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY3 ID)" _checksig=1 elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY3 ID)" + check_cds_digests_invert KEY3 "dig.out.$DIR.test$n.cds" # KEY3 should not have an associated CDNSKEY, but there may be # one for another key. Since the CDNSKEY has no field for key # id, it is hard to check what key the CDNSKEY may belong to @@ -1028,11 +1047,11 @@ check_cds() { fi if [ "$(key_get KEY4 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DS)" = "omnipresent" ]; then - response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY4 ID)" + check_cds_digests KEY4 "dig.out.$DIR.test$n.cds" response_has_cdnskey_for_key KEY4 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY4 ID)" _checksig=1 elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY4 ID)" + check_cds_digests_invert KEY4 "dig.out.$DIR.test$n.cds" # KEY4 should not have an associated CDNSKEY, but there may be # one for another key. Since the CDNSKEY has no field for key # id, it is hard to check what key the CDNSKEY may belong to 
@@ -1174,7 +1193,12 @@ check_cdslog() {
 echo_i "check CDS/CDNSKEY publication is logged in ${_dir}/named.run for key ${_zone}/${_alg}/${_id} ($n)"
 ret=0
- grep "CDS for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+ if [ "$CDS_SHA256" = "yes" ]; then
+ grep "CDS (SHA-256) for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+ fi
+ if [ "$CDS_SHA384" = "yes" ]; then
+ grep "CDS (SHA-384) for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+ fi
 grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
 test "$ret" -eq 0 || echo_i "failed"
diff --git a/bin/tests/system/kasp/ns3/policies/autosign.conf.in b/bin/tests/system/kasp/ns3/policies/autosign.conf.in
index e90e88941a7..d50fcd0bd7e 100644
--- a/bin/tests/system/kasp/ns3/policies/autosign.conf.in
+++ b/bin/tests/system/kasp/ns3/policies/autosign.conf.in
@@ -99,6 +99,7 @@ dnssec-policy "csk-roll" {
 retire-safety 2h;
 purge-keys PT1H;
+ cds-digest-types { "sha-384"; }; // use a different digest type for testing purposes
 keys {
 csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
 };
@@ -121,7 +122,7 @@ dnssec-policy "csk-roll2" {
 retire-safety 1h;
 purge-keys 0;
- cds-digest-type "sha-384"; // use a different digest type for testing purposes
+ cds-digest-types { "sha-256"; "sha-384"; }; // use two digest type for testing purposes
 keys {
 csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
 };
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index c0111203c70..c4554185fcc 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
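Review bot: When `CDS_SHA256` or `CDS_SHA384` is "no", `check_cdslog` merely skips the matching grep; it never asserts that the unconfigured digest type was *not* logged, and if both are "no" the CDS half of the check passes vacuously. `check_cds_digests` already makes that negative assertion for query responses, so the log check could mirror it with an `else` branch per digest, e.g. `else grep "CDS (SHA-384) for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null && ret=1` (and the SHA-256 counterpart). The `CDS (SHA-256) for key … is now published` message format is assumed to match the named-side logging change, which is not in this chunk. `check_cdslog` starts outside the hunk.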
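Review bot: The comment on the new `csk-roll2` line reads `// use two digest type for testing purposes`; it should be `// use two digest types for testing purposes`. With `csk-roll` now publishing SHA-384 only and `csk-roll2` both digests, whichever tests exercise these policies must set `CDS_SHA256`/`CDS_SHA384` to match after calling `set_policy` (which resets them to SHA-256 only); those callers are not visible in this chunk, so that is something to confirm.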
@@ -888,7 +888,7 @@ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > s
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 # Step 2:
 # It is time to introduce the new CSK.
@@ -916,7 +916,7 @@ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > s
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 # Step 3:
 # It is time to submit the DS and to roll signatures.
@@ -971,7 +971,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
 # Step 4:
 # Some time later all the ZRRSIG records should be from the new CSK, and the
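Review bot: Every `$SIGNER` invocation in this file gains a bare `-G` (this hunk and all the later `$SIGNER` hunks in setup.sh) with nothing in the script or the commit message saying what the flag does; since `-G` is immediately followed by `-s`, it is clearly used as an argument-less switch here, but a reader of the test cannot tell from the page whether it controls CDS/CDNSKEY generation or something else. A one-line comment at the first use explaining what `-G` enables for these rollover zones, or hoisting the now fourteen identical option strings into something like `SIGNER_OPTS="-S -z -x -G -s now-1h -e now+30d"`, would make the repetition self-explaining and keep future flag changes to one place.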
@@ -1018,7 +1018,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 5: # After the DS is swapped in step 4, also the KRRSIG records can be removed. @@ -1054,7 +1054,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 6: # After the retire interval has passed the predecessor DNSKEY can be @@ -1098,7 +1098,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 7: # Some time later the predecessor DNSKEY enters the HIDDEN state. 
@@ -1133,7 +1133,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 8: # The predecessor DNSKEY can be purged. @@ -1168,7 +1168,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # # The zones at csk-roll2.autosign represent the various steps of a CSK rollover @@ -1187,7 +1187,7 @@ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > s cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 2: # It is time to introduce the new CSK. 
@@ -1215,7 +1215,7 @@ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > s cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 3: # It is time to submit the DS and to roll signatures. @@ -1270,7 +1270,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 4: # Some time later all the ZRRSIG records should be from the new CSK, and the @@ -1318,7 +1318,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 5: # Some time later the DS can be swapped and the old DNSKEY can be removed from 
@@ -1355,7 +1355,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 6: # Some time later the predecessor DNSKEY enters the HIDDEN state. @@ -1391,7 +1391,7 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 7: # The predecessor DNSKEY can be purged, but purge-keys is disabled. @@ -1426,4 +1426,4 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -G -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index bb8620bdaeb..962277fa063 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -56,7 +56,7 @@ next_key_event_threshold=100 # dnssec-keygen # set_zone "kasp" -set_policy "kasp" "4" "200" "2" +set_policy "kasp" "4" "200" set_server "keys" "10.53.0.1" n=$((n+1)) 
@@ -122,7 +122,7 @@ n=$((n+1)) echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)" ret=0 set_zone "kasp" -set_policy "default" "1" "3600" "2" +set_policy "default" "1" "3600" set_server "." "10.53.0.1" # Key properties. set_keyrole "KEY1" "csk" @@ -277,7 +277,7 @@ set_keytimes_csk_policy() { # Check the zone with default kasp policy has loaded and is signed. set_zone "default.kasp" -set_policy "default" "1" "3600" "2" +set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties. set_keyrole "KEY1" "csk" @@ -398,7 +398,7 @@ dnssec_verify # set_zone "dynamic.kasp" set_dynamic -set_policy "default" "1" "3600" "2" +set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys @@ -461,7 +461,7 @@ status=$((status+ret)) # set_zone "dynamic-inline-signing.kasp" set_dynamic -set_policy "default" "1" "3600" "2" +set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys @@ -489,7 +489,7 @@ status=$((status+ret)) # Zone: inline-signing.kasp # set_zone "inline-signing.kasp" -set_policy "default" "1" "3600" "2" +set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys @@ -509,7 +509,7 @@ key_clear "KEY3" key_clear "KEY4" set_zone "checkds-ksk.kasp" -set_policy "checkds-ksk" "2" "303" "2" +set_policy "checkds-ksk" "2" "303" set_server "ns3" "10.53.0.3" # Key properties. set_keyrole "KEY1" "ksk" @@ -579,7 +579,7 @@ key_clear "KEY3" key_clear "KEY4" set_zone "checkds-doubleksk.kasp" -set_policy "checkds-doubleksk" "3" "303" "2" +set_policy "checkds-doubleksk" "3" "303" set_server "ns3" "10.53.0.3" # Key properties. set_keyrole "KEY1" "ksk" 
@@ -680,7 +680,7 @@ key_clear "KEY3" key_clear "KEY4" set_zone "checkds-csk.kasp" -set_policy "checkds-csk" "1" "303" "2" +set_policy "checkds-csk" "1" "303" set_server "ns3" "10.53.0.3" # Key properties. set_keyrole "KEY1" "csk" @@ -796,7 +796,7 @@ set_keytimes_algorithm_policy() { if $SHELL ../testcrypto.sh -q RSASHA1 then set_zone "rsasha1.kasp" - set_policy "rsasha1" "3" "1234" "2" + set_policy "rsasha1" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties. key_clear "KEY1" @@ -850,7 +850,7 @@ fi # Zone: unsigned.kasp. # set_zone "unsigned.kasp" -set_policy "none" "0" "0" "0" +set_policy "none" "0" "0" set_server "ns3" "10.53.0.3" key_clear "KEY1" @@ -874,7 +874,7 @@ status=$((status+ret)) # Zone: insecure.kasp. # set_zone "insecure.kasp" -set_policy "insecure" "0" "0" "0" +set_policy "insecure" "0" "0" set_server "ns3" "10.53.0.3" key_clear "KEY1" @@ -891,7 +891,7 @@ check_subdomain # Zone: unlimited.kasp. # set_zone "unlimited.kasp" -set_policy "unlimited" "1" "1234" "2" +set_policy "unlimited" "1" "1234" set_server "ns3" "10.53.0.3" # Key properties. set_keyrole "KEY1" "csk" @@ -918,7 +918,7 @@ dnssec_verify # Zone: inherit.kasp. # set_zone "inherit.kasp" -set_policy "rsasha256" "3" "1234" "2" +set_policy "rsasha256" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties. @@ -971,7 +971,7 @@ dnssec_verify # Zone: dnssec-keygen.kasp. # set_zone "dnssec-keygen.kasp" -set_policy "rsasha256" "3" "1234" "2" +set_policy "rsasha256" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. @@ -987,7 +987,7 @@ dnssec_verify # Zone: some-keys.kasp. # set_zone "some-keys.kasp" -set_policy "rsasha256" "3" "1234" "2" +set_policy "rsasha256" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. 
@@ -1005,7 +1005,7 @@ dnssec_verify # There are more pregenerated keys than needed, hence the number of keys is # six, not three. set_zone "pregenerated.kasp" -set_policy "rsasha256" "6" "1234" "2" +set_policy "rsasha256" "6" "1234" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. @@ -1022,7 +1022,7 @@ dnssec_verify # # There are three keys in rumoured state. set_zone "rumoured.kasp" -set_policy "rsasha256" "3" "1234" "2" +set_policy "rsasha256" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. @@ -1048,7 +1048,7 @@ dnssec_verify # Zone: secondary.kasp. # set_zone "secondary.kasp" -set_policy "rsasha256" "3" "1234" "2" +set_policy "rsasha256" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. @@ -1095,7 +1095,7 @@ status=$((status+ret)) if $SHELL ../testcrypto.sh -q RSASHA1 then set_zone "rsasha1-nsec3.kasp" - set_policy "rsasha1-nsec3" "3" "1234" "2" + set_policy "rsasha1-nsec3" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties. set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048" @@ -1116,7 +1116,7 @@ fi # Zone: rsasha256.kasp. # set_zone "rsasha256.kasp" -set_policy "rsasha256" "3" "1234" "2" +set_policy "rsasha256" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties. set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" @@ -1136,7 +1136,7 @@ dnssec_verify # Zone: rsasha512.kasp. # set_zone "rsasha512.kasp" -set_policy "rsasha512" "3" "1234" "2" +set_policy "rsasha512" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties. set_keyalgorithm "KEY1" "10" "RSASHA512" "2048" @@ -1156,7 +1156,7 @@ dnssec_verify # Zone: ecdsa256.kasp. # set_zone "ecdsa256.kasp" -set_policy "ecdsa256" "3" "1234" "2" +set_policy "ecdsa256" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties. set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 
@@ -1176,7 +1176,7 @@ dnssec_verify # Zone: ecdsa512.kasp. # set_zone "ecdsa384.kasp" -set_policy "ecdsa384" "3" "1234" "2" +set_policy "ecdsa384" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties. set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384" @@ -1197,7 +1197,7 @@ dnssec_verify # if [ -f ed25519-supported.file ]; then set_zone "ed25519.kasp" - set_policy "ed25519" "3" "1234" "2" + set_policy "ed25519" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties. set_keyalgorithm "KEY1" "15" "ED25519" "256" @@ -1219,7 +1219,7 @@ fi # if [ -f ed448-supported.file ]; then set_zone "ed448.kasp" - set_policy "ed448" "3" "1234" "2" + set_policy "ed448" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties. set_keyalgorithm "KEY1" "16" "ED448" "456" @@ -1273,7 +1273,7 @@ set_keytimes_autosign_policy() { # Zone: expired-sigs.autosign. # set_zone "expired-sigs.autosign" -set_policy "autosign" "2" "300" "2" +set_policy "autosign" "2" "300" set_server "ns3" "10.53.0.3" # Key properties. key_clear "KEY1" @@ -1357,7 +1357,7 @@ check_rrsig_refresh # Zone: fresh-sigs.autosign. # set_zone "fresh-sigs.autosign" -set_policy "autosign" "2" "300" "2" +set_policy "autosign" "2" "300" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. @@ -1418,7 +1418,7 @@ check_rrsig_reuse # Zone: unfresh-sigs.autosign. # set_zone "unfresh-sigs.autosign" -set_policy "autosign" "2" "300" "2" +set_policy "autosign" "2" "300" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. @@ -1435,7 +1435,7 @@ check_rrsig_refresh # Zone: ksk-missing.autosign. # set_zone "ksk-missing.autosign" -set_policy "autosign" "2" "300" "2" +set_policy "autosign" "2" "300" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. # Skip checking the private file, because it is missing. 
@@ -1454,7 +1454,7 @@ key_set "KEY1" "PRIVATE" "yes" # Zone: zsk-missing.autosign. # set_zone "zsk-missing.autosign" -set_policy "autosign" "2" "300" "2" +set_policy "autosign" "2" "300" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. # Skip checking the private file, because it is missing. @@ -1481,7 +1481,7 @@ key_set "KEY2" "PRIVATE" "yes" # Zone: zsk-retired.autosign. # set_zone "zsk-retired.autosign" -set_policy "autosign" "3" "300" "2" +set_policy "autosign" "3" "300" set_server "ns3" "10.53.0.3" # The third key is not yet expected to be signing. set_keyrole "KEY3" "zsk" @@ -1537,7 +1537,7 @@ check_rrsig_refresh set_zone "legacy-keys.kasp" # This zone has two active keys and two old keys left in key directory, so # expect 4 key files. -set_policy "migrate-to-dnssec-policy" "4" "1234" "2" +set_policy "migrate-to-dnssec-policy" "4" "1234" set_server "ns3" "10.53.0.3" # Key properties. @@ -1648,7 +1648,7 @@ key_clear "KEY3" key_clear "KEY4" set_zone "unsigned.tld" -set_policy "none" "0" "0" "0" +set_policy "none" "0" "0" set_server "ns2" "10.53.0.2" TSIG="" check_keys @@ -1657,7 +1657,7 @@ check_apex check_subdomain set_zone "none.inherit.signed" -set_policy "none" "0" "0" "0" +set_policy "none" "0" "0" set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:sha1:$SHA1" check_keys @@ -1666,7 +1666,7 @@ check_apex check_subdomain set_zone "none.override.signed" -set_policy "none" "0" "0" "0" +set_policy "none" "0" "0" set_server "ns4" "10.53.0.4" TSIG="hmac-sha224:sha224:$SHA224" check_keys @@ -1675,7 +1675,7 @@ check_apex check_subdomain set_zone "inherit.none.signed" -set_policy "none" "0" "0" "0" +set_policy "none" "0" "0" set_server "ns4" "10.53.0.4" TSIG="hmac-sha256:sha256:$SHA256" check_keys @@ -1684,7 +1684,7 @@ check_apex check_subdomain set_zone "none.none.signed" -set_policy "none" "0" "0" "0" +set_policy "none" "0" "0" set_server "ns4" "10.53.0.4" TSIG="hmac-sha256:sha256:$SHA256" check_keys 
@@ -1693,7 +1693,7 @@ check_apex check_subdomain set_zone "inherit.inherit.unsigned" -set_policy "none" "0" "0" "0" +set_policy "none" "0" "0" set_server "ns5" "10.53.0.5" TSIG="hmac-sha1:sha1:$SHA1" check_keys @@ -1702,7 +1702,7 @@ check_apex check_subdomain set_zone "none.inherit.unsigned" -set_policy "none" "0" "0" "0" +set_policy "none" "0" "0" set_server "ns5" "10.53.0.5" TSIG="hmac-sha1:sha1:$SHA1" check_keys @@ -1711,7 +1711,7 @@ check_apex check_subdomain set_zone "none.override.unsigned" -set_policy "none" "0" "0" "0" +set_policy "none" "0" "0" set_server "ns5" "10.53.0.5" TSIG="hmac-sha224:sha224:$SHA224" check_keys @@ -1720,7 +1720,7 @@ check_apex check_subdomain set_zone "inherit.none.unsigned" -set_policy "none" "0" "0" "0" +set_policy "none" "0" "0" set_server "ns5" "10.53.0.5" TSIG="hmac-sha256:sha256:$SHA256" check_keys @@ -1729,7 +1729,7 @@ check_apex check_subdomain set_zone "none.none.unsigned" -set_policy "none" "0" "0" "0" +set_policy "none" "0" "0" set_server "ns5" "10.53.0.5" TSIG="hmac-sha256:sha256:$SHA256" check_keys @@ -1756,7 +1756,7 @@ set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" set_keystate "KEY1" "STATE_DS" "hidden" set_zone "signed.tld" -set_policy "default" "1" "3600" "2" +set_policy "default" "1" "3600" set_server "ns2" "10.53.0.2" TSIG="" check_keys @@ -1768,7 +1768,7 @@ check_subdomain dnssec_verify set_zone "override.inherit.signed" -set_policy "default" "1" "3600" "2" +set_policy "default" "1" "3600" set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:sha1:$SHA1" check_keys @@ -1780,7 +1780,7 @@ check_subdomain dnssec_verify set_zone "inherit.override.signed" -set_policy "default" "1" "3600" "2" +set_policy "default" "1" "3600" set_server "ns4" "10.53.0.4" TSIG="hmac-sha224:sha224:$SHA224" check_keys @@ -1792,7 +1792,7 @@ check_subdomain dnssec_verify set_zone "override.inherit.unsigned" -set_policy "default" "1" "3600" "2" +set_policy "default" "1" "3600" set_server "ns5" "10.53.0.5" TSIG="hmac-sha1:sha1:$SHA1" check_keys 
@@ -1804,7 +1804,7 @@ check_subdomain dnssec_verify set_zone "inherit.override.unsigned" -set_policy "default" "1" "3600" "2" +set_policy "default" "1" "3600" set_server "ns5" "10.53.0.5" TSIG="hmac-sha224:sha224:$SHA224" check_keys @@ -1829,7 +1829,7 @@ set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" set_zone "inherit.inherit.signed" -set_policy "test" "1" "3600" "2" +set_policy "test" "1" "3600" set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:sha1:$SHA1" wait_for_nsec @@ -1842,7 +1842,7 @@ check_subdomain dnssec_verify set_zone "override.override.signed" -set_policy "test" "1" "3600" "2" +set_policy "test" "1" "3600" set_server "ns4" "10.53.0.4" TSIG="hmac-sha224:sha224:$SHA224" wait_for_nsec @@ -1855,7 +1855,7 @@ check_subdomain dnssec_verify set_zone "override.none.signed" -set_policy "test" "1" "3600" "2" +set_policy "test" "1" "3600" set_server "ns4" "10.53.0.4" TSIG="hmac-sha256:sha256:$SHA256" wait_for_nsec @@ -1868,7 +1868,7 @@ check_subdomain dnssec_verify set_zone "override.override.unsigned" -set_policy "test" "1" "3600" "2" +set_policy "test" "1" "3600" set_server "ns5" "10.53.0.5" TSIG="hmac-sha224:sha224:$SHA224" wait_for_nsec @@ -1881,7 +1881,7 @@ check_subdomain dnssec_verify set_zone "override.none.unsigned" -set_policy "test" "1" "3600" "2" +set_policy "test" "1" "3600" set_server "ns5" "10.53.0.5" TSIG="hmac-sha256:sha256:$SHA256" wait_for_nsec @@ -1980,7 +1980,7 @@ TSIG="" # Testing RFC 8901 Multi-Signer Model 2. # set_zone "multisigner-model2.kasp" -set_policy "multisigner-model2" "2" "3600" "2" +set_policy "multisigner-model2" "2" "3600" set_server "ns3" "10.53.0.3" key_clear "KEY1" key_clear "KEY2" @@ -2042,7 +2042,7 @@ status=$((status+ret)) # Testing manual rollover. # set_zone "manual-rollover.kasp" -set_policy "manual-rollover" "2" "3600" "2" +set_policy "manual-rollover" "2" "3600" set_server "ns3" "10.53.0.3" key_clear "KEY1" key_clear "KEY2" 
@@ -2108,7 +2108,7 @@ check_subdomain dnssec_verify # Schedule KSK rollover now. -set_policy "manual-rollover" "3" "3600" "2" +set_policy "manual-rollover" "3" "3600" set_keystate "KEY1" "GOAL" "hidden" # This key was activated one day ago, so lifetime is set to 1d plus # prepublication duration (7500 seconds) = 93900 seconds. @@ -2135,7 +2135,7 @@ check_subdomain dnssec_verify # Schedule ZSK rollover now. -set_policy "manual-rollover" "4" "3600" "2" +set_policy "manual-rollover" "4" "3600" set_keystate "KEY2" "GOAL" "hidden" # This key was activated one day ago, so lifetime is set to 1d plus # prepublication duration (7500 seconds) = 93900 seconds. @@ -2177,7 +2177,7 @@ status=$((status+ret)) # Zone: step1.enable-dnssec.autosign. # set_zone "step1.enable-dnssec.autosign" -set_policy "enable-dnssec" "1" "300" "2" +set_policy "enable-dnssec" "1" "300" set_server "ns3" "10.53.0.3" # Key properties. key_clear "KEY1" @@ -2261,7 +2261,7 @@ check_next_key_event 900 # Zone: step2.enable-dnssec.autosign. # set_zone "step2.enable-dnssec.autosign" -set_policy "enable-dnssec" "1" "300" "2" +set_policy "enable-dnssec" "1" "300" set_server "ns3" "10.53.0.3" # The DNSKEY is omnipresent, but the zone signatures not yet. # Thus, the DS remains hidden. @@ -2294,7 +2294,7 @@ check_next_key_event 43800 # Zone: step3.enable-dnssec.autosign. # set_zone "step3.enable-dnssec.autosign" -set_policy "enable-dnssec" "1" "300" "2" +set_policy "enable-dnssec" "1" "300" set_server "ns3" "10.53.0.3" # All signatures should be omnipresent, so the DS can be submitted. set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" @@ -2331,7 +2331,7 @@ check_next_key_event 12000 # Zone: step4.enable-dnssec.autosign. # set_zone "step4.enable-dnssec.autosign" -set_policy "enable-dnssec" "1" "300" "2" +set_policy "enable-dnssec" "1" "300" set_server "ns3" "10.53.0.3" # The DS is omnipresent. set_keystate "KEY1" "STATE_DS" "omnipresent" 
@@ -2377,7 +2377,7 @@ IretZSK=867600 # Zone: step1.zsk-prepub.autosign. # set_zone "step1.zsk-prepub.autosign" -set_policy "zsk-prepub" "2" "3600" "2" +set_policy "zsk-prepub" "2" "3600" set_server "ns3" "10.53.0.3" set_retired_removed() { @@ -2452,7 +2452,7 @@ check_next_key_event 2498400 # Zone: step2.zsk-prepub.autosign. # set_zone "step2.zsk-prepub.autosign" -set_policy "zsk-prepub" "3" "3600" "2" +set_policy "zsk-prepub" "3" "3600" set_server "ns3" "10.53.0.3" # New ZSK (KEY3) is prepublished, but not yet signing. key_clear "KEY3" @@ -2499,7 +2499,7 @@ check_next_key_event 93600 # Zone: step3.zsk-prepub.autosign. # set_zone "step3.zsk-prepub.autosign" -set_policy "zsk-prepub" "3" "3600" "2" +set_policy "zsk-prepub" "3" "3600" set_server "ns3" "10.53.0.3" # ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE. # New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED. @@ -2547,7 +2547,7 @@ check_next_key_event 867600 # Zone: step4.zsk-prepub.autosign. # set_zone "step4.zsk-prepub.autosign" -set_policy "zsk-prepub" "3" "3600" "2" +set_policy "zsk-prepub" "3" "3600" set_server "ns3" "10.53.0.3" # ZSK (KEY2) DNSKEY is no longer needed. # ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED. @@ -2584,7 +2584,7 @@ check_next_key_event 7200 # Zone: step5.zsk-prepub.autosign. # set_zone "step5.zsk-prepub.autosign" -set_policy "zsk-prepub" "3" "3600" "2" +set_policy "zsk-prepub" "3" "3600" set_server "ns3" "10.53.0.3" # ZSK (KEY2) DNSKEY is now completely HIDDEN and removed. set_keystate "KEY2" "STATE_DNSKEY" "hidden" @@ -2618,7 +2618,7 @@ check_next_key_event 1627200 # Zone: step6.zsk-prepub.autosign. # set_zone "step6.zsk-prepub.autosign" -set_policy "zsk-prepub" "2" "3600" "2" +set_policy "zsk-prepub" "2" "3600" set_server "ns3" "10.53.0.3" # ZSK (KEY2) DNSKEY is purged. key_clear "KEY2" 
@@ -2650,7 +2650,7 @@ IretZSK=867600 # Zone: step1.ksk-doubleksk.autosign. # set_zone "step1.ksk-doubleksk.autosign" -set_policy "ksk-doubleksk" "2" "7200" "2" +set_policy "ksk-doubleksk" "2" "7200" set_server "ns3" "10.53.0.3" # Key properties. key_clear "KEY1" @@ -2699,7 +2699,7 @@ check_next_key_event 5086800 # Zone: step2.ksk-doubleksk.autosign. # set_zone "step2.ksk-doubleksk.autosign" -set_policy "ksk-doubleksk" "3" "7200" "2" +set_policy "ksk-doubleksk" "3" "7200" set_server "ns3" "10.53.0.3" # New KSK (KEY3) is prepublished (and signs DNSKEY RRset). key_clear "KEY3" @@ -2750,7 +2750,7 @@ check_next_key_event 97200 # Zone: step3.ksk-doubleksk.autosign. # set_zone "step3.ksk-doubleksk.autosign" -set_policy "ksk-doubleksk" "3" "7200" "2" +set_policy "ksk-doubleksk" "3" "7200" set_server "ns3" "10.53.0.3" # The DNSKEY RRset has become omnipresent. @@ -2800,7 +2800,7 @@ check_next_key_event 180000 # Zone: step4.ksk-doubleksk.autosign. # set_zone "step4.ksk-doubleksk.autosign" -set_policy "ksk-doubleksk" "3" "7200" "2" +set_policy "ksk-doubleksk" "3" "7200" set_server "ns3" "10.53.0.3" # KSK (KEY1) DNSKEY can be removed. set_keysigning "KEY1" "no" @@ -2841,7 +2841,7 @@ check_next_key_event 10800 # Zone: step5.ksk-doubleksk.autosign. # set_zone "step5.ksk-doubleksk.autosign" -set_policy "ksk-doubleksk" "3" "7200" "2" +set_policy "ksk-doubleksk" "3" "7200" set_server "ns3" "10.53.0.3" # KSK (KEY1) DNSKEY is now HIDDEN. set_keystate "KEY1" "STATE_DNSKEY" "hidden" @@ -2879,7 +2879,7 @@ check_next_key_event 4899600 # Zone: step6.ksk-doubleksk.autosign. # set_zone "step6.ksk-doubleksk.autosign" -set_policy "ksk-doubleksk" "2" "7200" "2" +set_policy "ksk-doubleksk" "2" "7200" set_server "ns3" "10.53.0.3" # KSK (KEY1) DNSKEY is purged. key_clear "KEY1" 
@@ -2920,7 +2920,9 @@ csk_rollover_predecessor_keytimes() { # Zone: step1.csk-roll.autosign. # set_zone "step1.csk-roll.autosign" -set_policy "csk-roll" "1" "3600" "2" +set_policy "csk-roll" "1" "3600" +CDS_SHA256="no" +CDS_SHA384="yes" set_server "ns3" "10.53.0.3" # Key properties. key_clear "KEY1" @@ -2960,7 +2962,9 @@ check_next_key_event 16059600 # Zone: step2.csk-roll.autosign. # set_zone "step2.csk-roll.autosign" -set_policy "csk-roll" "2" "3600" "2" +set_policy "csk-roll" "2" "3600" +CDS_SHA256="no" +CDS_SHA384="yes" set_server "ns3" "10.53.0.3" # New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets). key_clear "KEY2" @@ -3009,7 +3013,9 @@ check_next_key_event 10800 # Zone: step3.csk-roll.autosign. # set_zone "step3.csk-roll.autosign" -set_policy "csk-roll" "2" "3600" "2" +set_policy "csk-roll" "2" "3600" +CDS_SHA256="no" +CDS_SHA384="yes" set_server "ns3" "10.53.0.3" # Swap zone signing role. set_zonesigning "KEY1" "no" @@ -3070,7 +3076,9 @@ check_next_key_event 14400 # Zone: step4.csk-roll.autosign. # set_zone "step4.csk-roll.autosign" -set_policy "csk-roll" "2" "3600" "2" +set_policy "csk-roll" "2" "3600" +CDS_SHA256="no" +CDS_SHA384="yes" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) is no longer signing the DNSKEY RRset. set_keysigning "KEY1" "no" @@ -3111,7 +3119,9 @@ check_next_key_event 7200 # Zone: step5.csk-roll.autosign. # set_zone "step5.csk-roll.autosign" -set_policy "csk-roll" "2" "3600" "2" +set_policy "csk-roll" "2" "3600" +CDS_SHA256="no" +CDS_SHA384="yes" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) KRRSIG records are now all hidden. set_keystate "KEY1" "STATE_KRRSIG" "hidden" 
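Review bot: Each csk-roll step in this hunk, and steps 6 through 8 in the next one, follows `set_policy "csk-roll" ...` with the same two overrides, `CDS_SHA256="no"` and `CDS_SHA384="yes"`, immediately undoing the defaults set_policy just assigned. A one-line helper next to set_policy, e.g. `set_cds_sha384_only() { CDS_SHA256="no"; CDS_SHA384="yes"; }`, called after set_policy would keep that expectation in one place, so a future digest type is added once instead of in eight copies. This is a style point only; the expected values themselves are not in question.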
@@ -3148,7 +3158,9 @@ check_next_key_event 2235600 # Zone: step6.csk-roll.autosign. # set_zone "step6.csk-roll.autosign" -set_policy "csk-roll" "2" "3600" "2" +set_policy "csk-roll" "2" "3600" +CDS_SHA256="no" +CDS_SHA384="yes" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) ZRRSIG records are now all hidden (so the DNSKEY can # be removed). @@ -3187,7 +3199,9 @@ check_next_key_event 7200 # Zone: step7.csk-roll.autosign. # set_zone "step7.csk-roll.autosign" -set_policy "csk-roll" "2" "3600" "2" +set_policy "csk-roll" "2" "3600" +CDS_SHA256="no" +CDS_SHA384="yes" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) is now completely HIDDEN. set_keystate "KEY1" "STATE_DNSKEY" "hidden" @@ -3225,7 +3239,9 @@ check_next_key_event 13795200 # Zone: step8.csk-roll.autosign. # set_zone "step8.csk-roll.autosign" -set_policy "csk-roll" "1" "3600" "2" +set_policy "csk-roll" "1" "3600" +CDS_SHA256="no" +CDS_SHA384="yes" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) is purged. key_clear "KEY1" @@ -3257,7 +3273,8 @@ IretCSK=$IretKSK # Zone: step1.csk-roll2.autosign. # set_zone "step1.csk-roll2.autosign" -set_policy "csk-roll2" "1" "3600" "4" +set_policy "csk-roll2" "1" "3600" +CDS_SHA384="yes" set_server "ns3" "10.53.0.3" # Key properties. key_clear "KEY1" @@ -3298,7 +3315,8 @@ check_next_key_event 16059600 # Zone: step2.csk-roll2.autosign. # set_zone "step2.csk-roll2.autosign" -set_policy "csk-roll2" "2" "3600" "4" +set_policy "csk-roll2" "2" "3600" +CDS_SHA384="yes" set_server "ns3" "10.53.0.3" # New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets). key_clear "KEY2" @@ -3346,7 +3364,8 @@ check_next_key_event 10800 # Zone: step3.csk-roll2.autosign. # set_zone "step3.csk-roll2.autosign" -set_policy "csk-roll2" "2" "3600" "4" +set_policy "csk-roll2" "2" "3600" +CDS_SHA384="yes" set_server "ns3" "10.53.0.3" # CSK (KEY1) can be removed, so move to UNRETENTIVE. set_zonesigning "KEY1" "no" 
@@ -3412,7 +3431,8 @@ check_next_key_event $next_time # Zone: step4.csk-roll2.autosign. # set_zone "step4.csk-roll2.autosign" -set_policy "csk-roll2" "2" "3600" "4" +set_policy "csk-roll2" "2" "3600" +CDS_SHA384="yes" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) ZRRSIG is now HIDDEN. set_keystate "KEY1" "STATE_ZRRSIG" "hidden" @@ -3453,7 +3473,8 @@ check_next_key_event 475200 # Zone: step5.csk-roll2.autosign. # set_zone "step5.csk-roll2.autosign" -set_policy "csk-roll2" "2" "3600" "4" +set_policy "csk-roll2" "2" "3600" +CDS_SHA384="yes" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) DNSKEY can be removed. set_keysigning "KEY1" "no" @@ -3493,7 +3514,8 @@ check_next_key_event 7200 # Zone: step6.csk-roll2.autosign. # set_zone "step6.csk-roll2.autosign" -set_policy "csk-roll2" "2" "3600" "4" +set_policy "csk-roll2" "2" "3600" +CDS_SHA384="yes" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) is now completely HIDDEN. set_keystate "KEY1" "STATE_DNSKEY" "hidden" @@ -3530,7 +3552,8 @@ check_next_key_event 15440400 # Zone: step7.csk-roll2.autosign. # set_zone "step7.csk-roll2.autosign" -set_policy "csk-roll2" "2" "3600" "4" +set_policy "csk-roll2" "2" "3600" +CDS_SHA384="yes" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) could have been purged, but purge-keys is disabled. @@ -3545,13 +3568,13 @@ dnssec_verify # Test #2375: Scheduled rollovers are happening faster than they can finish # set_zone "step1.three-is-a-crowd.kasp" -set_policy "default" "1" "3600" "2" +set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # TODO (GL #2471). # Test dynamic zones that switch to inline-signing. set_zone "dynamic2inline.kasp" -set_policy "default" "1" "3600" "2" +set_policy "default" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. key_clear "KEY1" 
@@ -3589,7 +3612,7 @@ IretZSK=0 # Zone: step1.algorithm-roll.kasp # set_zone "step1.algorithm-roll.kasp" -set_policy "rsasha256" "2" "3600" "2" +set_policy "rsasha256" "2" "3600" set_server "ns6" "10.53.0.6" # Key properties. key_clear "KEY1" @@ -3637,7 +3660,7 @@ check_next_key_event 3600 # Zone: step1.csk-algorithm-roll.kasp # set_zone "step1.csk-algorithm-roll.kasp" -set_policy "csk-algoroll" "1" "3600" "2" +set_policy "csk-algoroll" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. key_clear "KEY1" @@ -3681,7 +3704,7 @@ check_next_key_event 3600 # Zone step1.going-insecure.kasp # set_zone "step1.going-insecure.kasp" -set_policy "unsigning" "2" "7200" "2" +set_policy "unsigning" "2" "7200" set_server "ns6" "10.53.0.6" # Policy parameters. @@ -3742,7 +3765,7 @@ dnssec_verify set_zone "step1.going-insecure-dynamic.kasp" set_dynamic -set_policy "unsigning" "2" "7200" "2" +set_policy "unsigning" "2" "7200" set_server "ns6" "10.53.0.6" init_migration_insecure @@ -3761,7 +3784,7 @@ dnssec_verify # Zone step1.going-straight-to-none.kasp # set_zone "step1.going-straight-to-none.kasp" -set_policy "default" "1" "3600" "2" +set_policy "default" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. set_keyrole "KEY1" "csk" @@ -3846,7 +3869,7 @@ wait_for_done_signing() { # Test dynamic zones that switch to inline-signing. set_zone "dynamic2inline.kasp" -set_policy "default" "1" "3600" "2" +set_policy "default" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. key_clear "KEY1" @@ -3880,7 +3903,7 @@ dnssec_verify # Zone: step1.going-insecure.kasp # set_zone "step1.going-insecure.kasp" -set_policy "insecure" "2" "7200" "2" +set_policy "insecure" "2" "7200" set_server "ns6" "10.53.0.6" # Expect a CDS/CDNSKEY Delete Record. set_cdsdelete 
@@ -3917,7 +3940,7 @@ check_next_key_event 93600 # Zone: step2.going-insecure.kasp # set_zone "step2.going-insecure.kasp" -set_policy "insecure" "2" "7200" "2" +set_policy "insecure" "2" "7200" set_server "ns6" "10.53.0.6" # The DS is long enough removed from the zone to be considered HIDDEN. @@ -3947,7 +3970,7 @@ check_next_key_event 7500 # set_zone "step1.going-insecure-dynamic.kasp" set_dynamic -set_policy "insecure" "2" "7200" "2" +set_policy "insecure" "2" "7200" set_server "ns6" "10.53.0.6" # Expect a CDS/CDNSKEY Delete Record. set_cdsdelete @@ -3985,7 +4008,7 @@ check_next_key_event 93600 # set_zone "step2.going-insecure-dynamic.kasp" set_dynamic -set_policy "insecure" "2" "7200" "2" +set_policy "insecure" "2" "7200" set_server "ns6" "10.53.0.6" # The DS is long enough removed from the zone to be considered HIDDEN. @@ -4014,7 +4037,7 @@ check_next_key_event 7500 # Zone: step1.going-straight-to-none.kasp # set_zone "step1.going-straight-to-none.kasp" -set_policy "none" "1" "3600" "2" +set_policy "none" "1" "3600" set_server "ns6" "10.53.0.6" # The zone will go bogus after signatures expire, but remains validly signed for now. @@ -4055,7 +4078,7 @@ Lzsk=0 # Zone: step1.algorithm-roll.kasp # set_zone "step1.algorithm-roll.kasp" -set_policy "ecdsa256" "4" "3600" "2" +set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" # Old RSASHA1 keys. key_clear "KEY1" @@ -4168,7 +4191,7 @@ check_next_key_event 10800 # Zone: step2.algorithm-roll.kasp # set_zone "step2.algorithm-roll.kasp" -set_policy "ecdsa256" "4" "3600" "2" +set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" # The RSAHSHA1 keys are outroducing, but need to stay present until the new # algorithm chain of trust has been established. Thus the properties, timings 
@@ -4227,7 +4250,7 @@ check_next_key_event $next_time # Zone: step3.algorithm-roll.kasp # set_zone "step3.algorithm-roll.kasp" -set_policy "ecdsa256" "4" "3600" "2" +set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" # The ECDSAP256SHA256 keys are introducing. set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent" @@ -4285,7 +4308,7 @@ check_next_key_event 18000 # Zone: step4.algorithm-roll.kasp # set_zone "step4.algorithm-roll.kasp" -set_policy "ecdsa256" "4" "3600" "2" +set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records. set_keysigning "KEY1" "no" @@ -4344,7 +4367,7 @@ check_next_key_event 7200 # Zone: step5.algorithm-roll.kasp # set_zone "step5.algorithm-roll.kasp" -set_policy "ecdsa256" "4" "3600" "2" +set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" # The DNSKEY becomes HIDDEN. set_keystate "KEY1" "STATE_DNSKEY" "hidden" @@ -4400,7 +4423,7 @@ check_next_key_event $next_time # Zone: step6.algorithm-roll.kasp # set_zone "step6.algorithm-roll.kasp" -set_policy "ecdsa256" "4" "3600" "2" +set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" # The old zone signatures (KEY2) should now also be HIDDEN. set_keystate "KEY2" "STATE_ZRRSIG" "hidden" @@ -4457,7 +4480,7 @@ Lcksk=0 # Zone: step1.csk-algorithm-roll.kasp # set_zone "step1.csk-algorithm-roll.kasp" -set_policy "csk-algoroll" "2" "3600" "2" +set_policy "csk-algoroll" "2" "3600" set_server "ns6" "10.53.0.6" # Old RSASHA1 key. key_clear "KEY1" @@ -4536,7 +4559,7 @@ check_next_key_event 10800 # Zone: step2.csk-algorithm-roll.kasp # set_zone "step2.csk-algorithm-roll.kasp" -set_policy "csk-algoroll" "2" "3600" "2" +set_policy "csk-algoroll" "2" "3600" set_server "ns6" "10.53.0.6" # The RSAHSHA1 key is outroducing, but need to stay present until the new # algorithm chain of trust has been established. Thus the properties, timings 
@@ -4586,7 +4609,7 @@ check_next_key_event $next_time # Zone: step3.csk-algorithm-roll.kasp # set_zone "step3.csk-algorithm-roll.kasp" -set_policy "csk-algoroll" "2" "3600" "2" +set_policy "csk-algoroll" "2" "3600" set_server "ns6" "10.53.0.6" # The RSAHSHA1 key is outroducing, and it is time to swap the DS. # The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures @@ -4636,7 +4659,7 @@ check_next_key_event 18000 # Zone: step4.csk-algorithm-roll.kasp # set_zone "step4.csk-algorithm-roll.kasp" -set_policy "csk-algoroll" "2" "3600" "2" +set_policy "csk-algoroll" "2" "3600" set_server "ns6" "10.53.0.6" # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records. set_keysigning "KEY1" "no" @@ -4682,7 +4705,7 @@ check_next_key_event 7200 # Zone: step5.csk-algorithm-roll.kasp # set_zone "step5.csk-algorithm-roll.kasp" -set_policy "csk-algoroll" "2" "3600" "2" +set_policy "csk-algoroll" "2" "3600" set_server "ns6" "10.53.0.6" # The DNSKEY becomes HIDDEN. set_keystate "KEY1" "STATE_DNSKEY" "hidden" @@ -4727,7 +4750,7 @@ check_next_key_event $next_time # Zone: step6.csk-algorithm-roll.kasp # set_zone "step6.csk-algorithm-roll.kasp" -set_policy "csk-algoroll" "2" "3600" "2" +set_policy "csk-algoroll" "2" "3600" set_server "ns6" "10.53.0.6" # The zone signatures should now also be HIDDEN. set_keystate "KEY1" "STATE_ZRRSIG" "hidden" diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh index 68844f4af8a..62b58a7d781 100644 --- a/bin/tests/system/keymgr2kasp/tests.sh +++ b/bin/tests/system/keymgr2kasp/tests.sh @@ -126,7 +126,7 @@ init_migration_states() { # Testing a good migration. # set_zone "migrate.kasp" -set_policy "none" "2" "7200" "2" +set_policy "none" "2" "7200" set_server "ns3" "10.53.0.3" init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" 
@@ -149,7 +149,7 @@ _migrate_zsk=$(key_get KEY2 ID) # Testing a good migration (CSK). # set_zone "csk.kasp" -set_policy "none" "1" "7200" "2" +set_policy "none" "1" "7200" set_server "ns3" "10.53.0.3" key_clear "KEY1" @@ -192,7 +192,7 @@ _migrate_csk=$(key_get KEY1 ID) # Testing a good migration (CSK, no SEP). # set_zone "csk-nosep.kasp" -set_policy "none" "1" "7200" "2" +set_policy "none" "1" "7200" set_server "ns3" "10.53.0.3" key_clear "KEY1" @@ -235,7 +235,7 @@ _migrate_csk_nosep=$(key_get KEY1 ID) # Testing key states derived from key timing metadata (rumoured). # set_zone "rumoured.kasp" -set_policy "none" "2" "300" "2" +set_policy "none" "2" "300" set_server "ns3" "10.53.0.3" init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" @@ -255,7 +255,7 @@ _rumoured_zsk=$(key_get KEY2 ID) # Testing key states derived from key timing metadata (omnipresent). # set_zone "omnipresent.kasp" -set_policy "none" "2" "300" "2" +set_policy "none" "2" "300" set_server "ns3" "10.53.0.3" init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" @@ -275,7 +275,7 @@ _omnipresent_zsk=$(key_get KEY2 ID) # Testing migration with unmatched existing keys (different algorithm). # set_zone "migrate-nomatch-algnum.kasp" -set_policy "none" "2" "300" "2" +set_policy "none" "2" "300" set_server "ns3" "10.53.0.3" init_migration_keys "8" "RSASHA256" "2048" "2048" @@ -312,7 +312,7 @@ _migratenomatch_algnum_zsk=$(key_get KEY2 ID) # Testing migration with unmatched existing keys (different length). # set_zone "migrate-nomatch-alglen.kasp" -set_policy "none" "2" "300" "2" +set_policy "none" "2" "300" set_server "ns3" "10.53.0.3" init_migration_keys "8" "RSASHA256" "2048" "2048" 
@@ -411,7 +411,7 @@ IretZSK=867900 # Testing good migration. # set_zone "migrate.kasp" -set_policy "migrate" "2" "7200" "2" +set_policy "migrate" "2" "7200" set_server "ns3" "10.53.0.3" # Key properties, timings and metadata should be the same as legacy keys above. @@ -462,7 +462,7 @@ status=$((status+ret)) # Testing a good migration (CSK). # set_zone "csk.kasp" -set_policy "default" "1" "7200" "2" +set_policy "default" "1" "7200" set_server "ns3" "10.53.0.3" key_clear "KEY1" @@ -512,7 +512,7 @@ status=$((status+ret)) # Testing a good migration (CSK, no SEP). # set_zone "csk-nosep.kasp" -set_policy "default" "1" "7200" "2" +set_policy "default" "1" "7200" set_server "ns3" "10.53.0.3" key_clear "KEY1" @@ -563,7 +563,7 @@ status=$((status+ret)) # Test migration to dnssec-policy, existing keys do not match key algorithm. # set_zone "migrate-nomatch-algnum.kasp" -set_policy "migrate-nomatch-algnum" "4" "300" "2" +set_policy "migrate-nomatch-algnum" "4" "300" set_server "ns3" "10.53.0.3" # The legacy keys need to be retired, but otherwise stay present until the # new keys are omnipresent, and can be used to construct a chain of trust. @@ -678,7 +678,7 @@ status=$((status+ret)) # Test migration to dnssec-policy, existing keys do not match key length. # set_zone "migrate-nomatch-alglen.kasp" -set_policy "migrate-nomatch-alglen" "4" "300" "2" +set_policy "migrate-nomatch-alglen" "4" "300" set_server "ns3" "10.53.0.3" # The legacy keys need to be retired, but otherwise stay present until the @@ -811,7 +811,7 @@ IretZSK=651600 # Testing rumoured state. # set_zone "rumoured.kasp" -set_policy "timing-metadata" "2" "300" "2" +set_policy "timing-metadata" "2" "300" set_server "ns3" "10.53.0.3" # Key properties, timings and metadata should be the same as legacy keys above. 
@@ -861,7 +861,7 @@ status=$((status+ret)) # Testing omnipresent state. # set_zone "omnipresent.kasp" -set_policy "timing-metadata" "2" "300" "2" +set_policy "timing-metadata" "2" "300" set_server "ns3" "10.53.0.3" # Key properties, timings and metadata should be the same as legacy keys above. @@ -952,7 +952,7 @@ set_keytimes_view_migration() { # Zone view.rsasha256.kasp (external) set_zone "view-rsasha256.kasp" -set_policy "rsasha256" "2" "300" "2" +set_policy "rsasha256" "2" "300" set_server "ns4" "10.53.0.4" init_view_migration set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" @@ -982,7 +982,7 @@ _migrate_ext8_zsk=$(key_get KEY2 ID) # Zone view.rsasha256.kasp (internal) set_zone "view-rsasha256.kasp" -set_policy "rsasha256" "2" "300" "2" +set_policy "rsasha256" "2" "300" set_server "ns4" "10.53.0.4" init_view_migration set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" @@ -1024,7 +1024,7 @@ echo_i "${time_passed} seconds passed between start of tests and reconfig" # Testing migration (RSASHA256, views). # set_zone "view-rsasha256.kasp" -set_policy "rsasha256" "3" "300" "2" +set_policy "rsasha256" "3" "300" set_server "ns4" "10.53.0.4" init_migration_keys "8" "RSASHA256" "2048" "2048" init_migration_states "omnipresent" "rumoured" diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh index a5661e6fbd0..1646e89d6b4 100644 --- a/bin/tests/system/nsec3/tests.sh +++ b/bin/tests/system/nsec3/tests.sh @@ -41,7 +41,8 @@ set_zone_policy() { DNSKEY_TTL=$4 # The CDS digest type in these tests are all the default, # which is SHA-256 (2). - DIGEST_TYPE=2 + CDS_SHA256="yes" + CDS_SHA384="no" } # Set expected NSEC3 parameters: flags ($1), iterations ($2), and # salt length ($3). diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 0cc405c1ebd..df9f042a447 100644 --- a/doc/arm/reference.rst +++ b/doc/arm/reference.rst 
@@ -6257,12 +6257,12 @@ retired when the existing key's lifetime ends. The following options can be specified in a :any:`dnssec-policy` statement: -.. namedconf:statement:: cds-digest-type +.. namedconf:statement:: cds-digest-types :tags: dnssec - :short: Specifies the digest type to use for CDS resource records. + :short: Specifies the digest types to use for CDS resource records. - This indicates the digest type to use when generating CDS resource - records. The default is SHA-256. + This indicates the digest types to use when generating CDS resource + records. The default is SHA-256 only. .. namedconf:statement:: dnskey-ttl :tags: dnssec diff --git a/doc/misc/dnssec-policy.default.conf b/doc/misc/dnssec-policy.default.conf index 2cce43cca64..e21bb36dc9e 100644 --- a/doc/misc/dnssec-policy.default.conf +++ b/doc/misc/dnssec-policy.default.conf @@ -18,7 +18,7 @@ dnssec-policy "default" { }; // Key timings - cds-digest-type 2; + cds-digest-types { 2; }; dnskey-ttl 3600; publish-safety 1h; retire-safety 1h; diff --git a/doc/misc/options b/doc/misc/options index eda2fec2871..38c4e5c825e 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -11,7 +11,7 @@ dlz { }; // may occur multiple times dnssec-policy { - cds-digest-type ; + cds-digest-types { ; ... }; dnskey-ttl ; keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime algorithm [ ]; ... }; max-zone-ttl ; diff --git a/lib/dns/dnssec.c b/lib/dns/dnssec.c index d3b0517bc7c..6c6093d3dfc 100644 --- a/lib/dns/dnssec.c +++ b/lib/dns/dnssec.c 
@@ -1959,6 +1959,41 @@ exists(dns_rdataset_t *rdataset, dns_rdata_t *rdata) { return (false); } +static isc_result_t +add_cds(dns_dnsseckey_t *key, dns_rdata_t *keyrdata, const char *keystr, + dns_rdataset_t *cds, unsigned int digesttype, dns_ttl_t ttl, + dns_diff_t *diff, isc_mem_t *mctx) { + isc_result_t r = ISC_R_SUCCESS; + unsigned char dsbuf[DNS_DS_BUFFERSIZE]; + dns_rdata_t cdsrdata = DNS_RDATA_INIT; + dns_name_t *origin = dst_key_name(key->key); + + r = dns_ds_buildrdata(origin, keyrdata, digesttype, dsbuf, &cdsrdata); + if (r != ISC_R_SUCCESS) { + char algbuf[DNS_DSDIGEST_FORMATSIZE]; + dns_dsdigest_format(digesttype, algbuf, + DNS_DSDIGEST_FORMATSIZE); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_DNSSEC, ISC_LOG_ERROR, + "build rdata CDS (%s) for key %s failed", algbuf, + keystr); + return (r); + } + + cdsrdata.type = dns_rdatatype_cds; + if (!dns_rdataset_isassociated(cds) || !exists(cds, &cdsrdata)) { + char algbuf[DNS_DSDIGEST_FORMATSIZE]; + dns_dsdigest_format(digesttype, algbuf, + DNS_DSDIGEST_FORMATSIZE); + isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, + DNS_LOGMODULE_DNSSEC, ISC_LOG_INFO, + "CDS (%s) for key %s is now published", algbuf, + keystr); + r = addrdata(&cdsrdata, diff, origin, ttl, mctx); + } + return (r); +} + static isc_result_t delete_cds(dns_dnsseckey_t *key, dns_rdata_t *keyrdata, const char *keystr, dns_rdataset_t *cds, unsigned int digesttype, dns_diff_t *diff, 
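Review bot: add_cds has no header comment, and its "already present" check is against the zone's current `cds` rdataset rather than the pending `diff`, which a reader will want stated since the caller invokes it once per configured digest. A comment above the function along the lines of `/* Build the CDS record of 'key' for 'digesttype' and add it to 'diff' unless 'cds' already contains it; a build failure is logged and returned. */` would capture both. The digest-name formatting for the log message is repeated in both branches; formatting `algbuf` once before the `dns_ds_buildrdata` call would halve that, at the cost of formatting on the success path too.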
@@ -1990,36 +2025,36 @@ delete_cds(dns_dnsseckey_t *key, dns_rdata_t *keyrdata, const char *keystr, isc_result_t dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys, dns_rdataset_t *cds, dns_rdataset_t *cdnskey, - isc_stdtime_t now, unsigned int digesttype, dns_ttl_t ttl, - dns_diff_t *diff, isc_mem_t *mctx) { - unsigned char dsbuf[DNS_DS_BUFFERSIZE]; + isc_stdtime_t now, dns_kasp_digestlist_t *digests, + dns_ttl_t ttl, dns_diff_t *diff, isc_mem_t *mctx) { unsigned char keybuf[DST_KEY_MAXSIZE]; isc_result_t result; dns_dnsseckey_t *key; + REQUIRE(digests != NULL); + for (key = ISC_LIST_HEAD(*keys); key != NULL; key = ISC_LIST_NEXT(key, link)) { - dns_rdata_t cdsrdata = DNS_RDATA_INIT; dns_rdata_t cdnskeyrdata = DNS_RDATA_INIT; dns_name_t *origin = dst_key_name(key->key); RETERR(make_dnskey(key->key, keybuf, sizeof(keybuf), &cdnskeyrdata)); - RETERR(dns_ds_buildrdata(origin, &cdnskeyrdata, digesttype, - dsbuf, &cdsrdata)); - - /* - * Now that the we have created the DS records convert - * the rdata to CDNSKEY and CDS for comparison. - */ cdnskeyrdata.type = dns_rdatatype_cdnskey; - cdsrdata.type = dns_rdatatype_cds; if (syncpublish(key->key, now)) { char keystr[DST_KEY_FORMATSIZE]; dst_key_format(key->key, keystr, sizeof(keystr)); + for (dns_kasp_digest_t *alg = ISC_LIST_HEAD(*digests); + alg != NULL; alg = ISC_LIST_NEXT(alg, link)) + { + RETERR(add_cds(key, &cdnskeyrdata, + (const char *)keystr, cds, + alg->digest, ttl, diff, mctx)); + } + if (!dns_rdataset_isassociated(cdnskey) || !exists(cdnskey, &cdnskeyrdata)) { 
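Review bot: The new `REQUIRE(digests != NULL)` accepts an empty list, in which case the loop publishes no CDS at all while the CDNSKEY below is still published; whether that is a valid state should be made explicit. If an empty list is never legitimate, `REQUIRE(!ISC_LIST_EMPTY(*digests));` pins it; if it is (a policy that deliberately publishes only CDNSKEY), a comment above the loop saying so would stop the next reader from treating it as a bug. Separately, the `(const char *)keystr` cast in the add_cds call is redundant, since the `char` array converts implicitly; plain `keystr` reads better. dns_dnssec_syncupdate's body continues past the end of this hunk.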
@@ -2031,18 +2066,6 @@ dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys, RETERR(addrdata(&cdnskeyrdata, diff, origin, ttl, mctx)); } - - if (!dns_rdataset_isassociated(cds) || - !exists(cds, &cdsrdata)) - { - isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, - DNS_LOGMODULE_DNSSEC, - ISC_LOG_INFO, - "CDS for key %s is now published", - keystr); - RETERR(addrdata(&cdsrdata, diff, origin, ttl, - mctx)); - } } if (syncdelete(key->key, now)) { diff --git a/lib/dns/include/dns/dnssec.h b/lib/dns/include/dns/dnssec.h index 85a1995528e..40a3c531efe 100644 --- a/lib/dns/include/dns/dnssec.h +++ b/lib/dns/include/dns/dnssec.h @@ -351,7 +351,7 @@ dns_dnssec_updatekeys(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *newkeys, isc_result_t dns_dnssec_syncupdate(dns_dnsseckeylist_t *keys, dns_dnsseckeylist_t *rmkeys, dns_rdataset_t *cds, dns_rdataset_t *cdnskey, - isc_stdtime_t now, unsigned int digesttype, + isc_stdtime_t now, dns_kasp_digestlist_t *digests, dns_ttl_t hint_ttl, dns_diff_t *diff, isc_mem_t *mctx); /*%< * Update the CDS and CDNSKEY RRsets, adding and removing keys as needed. diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h index fb0af46bca4..4e14f400b09 100644 --- a/lib/dns/include/dns/kasp.h +++ b/lib/dns/include/dns/kasp.h @@ -34,6 +34,12 @@ ISC_LANG_BEGINDECLS +/* For storing a list of digest types */ +struct dns_kasp_digest { + dns_dsdigest_t digest; + ISC_LINK(dns_kasp_digest_t) link; +}; + /* Stores a KASP key */ struct dns_kasp_key { isc_mem_t *mctx; @@ -80,9 +86,9 @@ struct dns_kasp { uint32_t signatures_validity_dnskey; /* Configuration: Keys */ - dns_kasp_keylist_t keys; - dns_ttl_t dnskey_ttl; - unsigned int cds_digesttype; + dns_kasp_digestlist_t digests; + dns_kasp_keylist_t keys; + dns_ttl_t dnskey_ttl; /* Configuration: Denial of existence */ bool nsec3; 
@@ -310,31 +316,6 @@ dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl); *\li 'kasp' is a valid, thawed kasp. */ -unsigned int -dns_kasp_cdsdigesttype(dns_kasp_t *kasp); -/*%< - * Get CDS digest-type. - * - * Requires: - * - *\li 'kasp' is a valid, frozen kasp. - * - * Returns: - * - *\li CDS digest-type. - */ - -void -dns_kasp_setcdsdigesttype(dns_kasp_t *kasp, unsigned int digesttype); -/*%< - * Set CDS digest-type. - * If 'digesttype' is not supported, this will not change the digest-type. - * - * Requires: - * - *\li 'kasp' is a valid, thawed kasp. - */ - uint32_t dns_kasp_purgekeys(dns_kasp_t *kasp); /*%< @@ -737,4 +718,31 @@ dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout, * */ +dns_kasp_digestlist_t +dns_kasp_digests(dns_kasp_t *kasp); +/*%< + * Get the list of kasp CDS digest types. + * + * Requires: + * + *\li 'kasp' is a valid, frozen kasp. + * + * Returns: + * + *\li #ISC_R_SUCCESS + *\li #ISC_R_NOMEMORY + * + *\li Other errors are possible. + */ + +void +dns_kasp_adddigest(dns_kasp_t *kasp, dns_dsdigest_t alg); +/*%< + * Add a digest type. + * + * Requires: + * + *\li 'kasp' is a valid, thawed kasp. + */ + ISC_LANG_ENDDECLS diff --git a/lib/dns/include/dns/types.h b/lib/dns/include/dns/types.h index 363683bff12..ce3e52bb732 100644 --- a/lib/dns/include/dns/types.h +++ b/lib/dns/include/dns/types.h @@ -95,6 +95,8 @@ typedef struct dns_iptable dns_iptable_t; typedef uint32_t dns_iterations_t; typedef struct dns_kasp dns_kasp_t; typedef ISC_LIST(dns_kasp_t) dns_kasplist_t; +typedef struct dns_kasp_digest dns_kasp_digest_t; +typedef ISC_LIST(dns_kasp_digest_t) dns_kasp_digestlist_t; typedef struct dns_kasp_key dns_kasp_key_t; typedef ISC_LIST(dns_kasp_key_t) dns_kasp_keylist_t; typedef struct dns_kasp_nsec3param dns_kasp_nsec3param_t; diff --git a/lib/dns/include/dns/zone.h b/lib/dns/include/dns/zone.h index f9f2fb582b5..aa765ac21e5 100644 --- a/lib/dns/include/dns/zone.h +++ b/lib/dns/include/dns/zone.h 
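Review bot: The "Returns" section of the new dns_kasp_digests comment lists `#ISC_R_SUCCESS`, `#ISC_R_NOMEMORY` and "other errors", but the prototype returns a `dns_kasp_digestlist_t` by value, not an `isc_result_t`; the text looks copied from another declaration. Replace that section with something like `*\li The list of CDS digest types, valid for as long as 'kasp' is.`. The dns_kasp_adddigest comment should also carry over the caveat that the removed dns_kasp_setcdsdigesttype comment had, e.g. `* If 'alg' is not a supported digest type, the list is left unchanged.`, since the implementation in kasp.c still silently skips unsupported values.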
@@ -715,6 +715,8 @@ dns_zone_getkasp(dns_zone_t *zone); void dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp); +void +dns_zone_setdefaultkasp(dns_zone_t *zone, dns_kasp_t *kasp); /*%< * Set kasp for zone. If a kasp is already set, it will be detached. * diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c index c08297c8f25..5a9d907e7cf 100644 --- a/lib/dns/kasp.c +++ b/lib/dns/kasp.c @@ -34,6 +34,9 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) { dns_kasp_t *kasp; dns_kasp_t k = { .magic = DNS_KASP_MAGIC, + .digests = ISC_LIST_INITIALIZER, + .keys = ISC_LIST_INITIALIZER, + .link = ISC_LINK_INITIALIZER, }; REQUIRE(name != NULL); @@ -48,9 +51,6 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) { isc_mutex_init(&kasp->lock); isc_refcount_init(&kasp->references, 1); - ISC_LINK_INIT(kasp, link); - ISC_LIST_INIT(kasp->keys); - *kaspp = kasp; return (ISC_R_SUCCESS); } @@ -66,8 +66,8 @@ dns_kasp_attach(dns_kasp_t *source, dns_kasp_t **targetp) { static void destroy(dns_kasp_t *kasp) { - dns_kasp_key_t *key; - dns_kasp_key_t *key_next; + dns_kasp_key_t *key, *key_next; + dns_kasp_digest_t *digest, *digest_next; REQUIRE(!ISC_LINK_LINKED(kasp, link)); @@ -78,6 +78,15 @@ destroy(dns_kasp_t *kasp) { } INSIST(ISC_LIST_EMPTY(kasp->keys)); + for (digest = ISC_LIST_HEAD(kasp->digests); digest != NULL; + digest = digest_next) + { + digest_next = ISC_LIST_NEXT(digest, link); + ISC_LIST_UNLINK(kasp->digests, digest, link); + isc_mem_put(kasp->mctx, digest, sizeof(*digest)); + } + INSIST(ISC_LIST_EMPTY(kasp->digests)); + isc_mutex_destroy(&kasp->lock); isc_mem_free(kasp->mctx, kasp->name); isc_mem_putanddetach(&kasp->mctx, kasp, sizeof(*kasp)); 
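Review bot: The new `dns_zone_setdefaultkasp` prototype in zone.h is inserted between `dns_zone_setkasp` and the `/*%<` block that documents it, so the existing sentence "Set kasp for zone. If a kasp is already set, it will be detached." now reads as documenting only the new function, and neither function states who owns the reference. Give the new declaration its own block, placed so the original comment still follows dns_zone_setkasp: `/*%< * Set the default kasp for 'zone', used for zones without a dnssec-policy of their own. The zone takes over the caller's reference; a previously set default kasp is detached. */`. That wording matches the zone.c implementation, which stores the pointer without attaching and detaches it in zone_free, and the zoneconf.c caller, which obtains the reference from dns_kasplist_find and then clears its local; confirm that transfer is intended.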
@@ -190,24 +199,6 @@ dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl) { kasp->dnskey_ttl = ttl; } -unsigned int -dns_kasp_cdsdigesttype(dns_kasp_t *kasp) { - REQUIRE(DNS_KASP_VALID(kasp)); - REQUIRE(kasp->frozen); - - return (kasp->cds_digesttype); -} - -void -dns_kasp_setcdsdigesttype(dns_kasp_t *kasp, unsigned int digesttype) { - REQUIRE(DNS_KASP_VALID(kasp)); - REQUIRE(!kasp->frozen); - - if (dst_ds_digest_supported(digesttype)) { - kasp->cds_digesttype = digesttype; - } -} - uint32_t dns_kasp_purgekeys(dns_kasp_t *kasp) { REQUIRE(DNS_KASP_VALID(kasp)); @@ -527,3 +518,25 @@ dns_kasp_setnsec3param(dns_kasp_t *kasp, uint8_t iter, bool optout, kasp->nsec3param.optout = optout; kasp->nsec3param.saltlen = saltlen; } + +dns_kasp_digestlist_t +dns_kasp_digests(dns_kasp_t *kasp) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(kasp->frozen); + + return (kasp->digests); +} + +void +dns_kasp_adddigest(dns_kasp_t *kasp, dns_dsdigest_t alg) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(!kasp->frozen); + + if (dst_ds_digest_supported(alg)) { + dns_kasp_digest_t *digest = isc_mem_get(kasp->mctx, + sizeof(*digest)); + digest->digest = alg; + ISC_LINK_INIT(digest, link); + ISC_LIST_APPEND(kasp->digests, digest, link); + } +} diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 3f3eb591ab0..18b7d187d7f 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -352,6 +352,7 @@ struct dns_zone { dns_view_t *view; dns_view_t *prev_view; dns_kasp_t *kasp; + dns_kasp_t *defaultkasp; dns_checkmxfunc_t checkmx; dns_checksrvfunc_t checksrv; dns_checknsfunc_t checkns; @@ -1118,6 +1119,7 @@ dns_zone_create(dns_zone_t **zonep, isc_mem_t *mctx, unsigned int tid) { zone->primaries = r; zone->parentals = r; zone->notify = r; + zone->defaultkasp = NULL; result = isc_stats_create(mctx, &zone->gluecachestats, dns_gluecachestatscounter_max); 
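Review bot: `dns_kasp_adddigest` in kasp.c appends unconditionally, so a policy such as `cds-digest-types { 2; 2; };` (or the same type given once by number and once by name) produces two list entries with the same digest, and every consumer of dns_kasp_digests then handles that type twice; whether this ends in duplicate CDS tuples in the diff depends on the dns_dnssec_syncupdate changes, which are outside this view. Skip repeats before the allocation: `for (dns_kasp_digest_t *d = ISC_LIST_HEAD(kasp->digests); d != NULL; d = ISC_LIST_NEXT(d, link)) { if (d->digest == alg) { return; } }`. Silently dropping an unsupported `alg` mirrors the removed setter, but the only configuration caller already rejects unsupported types with an error before calling in, so the remaining silent case is a programming error that a REQUIRE would surface earlier.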
@@ -1230,6 +1232,9 @@ zone_free(dns_zone_t *zone) { if (zone->kasp != NULL) { dns_kasp_detach(&zone->kasp); } + if (zone->defaultkasp != NULL) { + dns_kasp_detach(&zone->defaultkasp); + } if (!ISC_LIST_EMPTY(zone->checkds_ok)) { clear_keylist(&zone->checkds_ok, zone->mctx); } @@ -5714,6 +5719,20 @@ dns_zone_setkasp(dns_zone_t *zone, dns_kasp_t *kasp) { UNLOCK_ZONE(zone); } +void +dns_zone_setdefaultkasp(dns_zone_t *zone, dns_kasp_t *kasp) { + REQUIRE(DNS_ZONE_VALID(zone)); + + LOCK_ZONE(zone); + if (zone->defaultkasp != NULL) { + dns_kasp_t *oldkasp = zone->defaultkasp; + zone->defaultkasp = NULL; + dns_kasp_detach(&oldkasp); + } + zone->defaultkasp = kasp; + UNLOCK_ZONE(zone); +} + dns_kasp_t * dns_zone_getkasp(dns_zone_t *zone) { REQUIRE(DNS_ZONE_VALID(zone)); @@ -20462,7 +20481,7 @@ zone_rekey(dns_zone_t *zone) { KASP_UNLOCK(kasp); if (result == ISC_R_SUCCESS) { - unsigned int cds_digesttype = DNS_DSDIGEST_SHA256; + dns_kasp_digestlist_t digests; bool cdsdel = false; bool cdnskeydel = false; bool sane_diff, sane_dnskey; @@ -20477,7 +20496,7 @@ zone_rekey(dns_zone_t *zone) { cdsdel = true; cdnskeydel = true; } - cds_digesttype = dns_kasp_cdsdigesttype(kasp); + digests = dns_kasp_digests(kasp); } else { /* Check if there is a CDS DELETE record. */ if (dns_rdataset_isassociated(&cdsset)) { @@ -20528,6 +20547,8 @@ zone_rekey(dns_zone_t *zone) { } } } + + digests = dns_kasp_digests(zone->defaultkasp); } /* @@ -20555,8 +20576,8 @@ zone_rekey(dns_zone_t *zone) { * Update CDS / CDNSKEY records. */ result = dns_dnssec_syncupdate(&dnskeys, &rmkeys, &cdsset, - &cdnskeyset, now, cds_digesttype, - ttl, &diff, mctx); + &cdnskeyset, now, &digests, ttl, + &diff, mctx); if (result != ISC_R_SUCCESS) { dnssec_log(zone, ISC_LOG_ERROR, "zone_rekey:couldn't update CDS/CDNSKEY: %s", diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index f7d5e31ee77..abb18008d31 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c 
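Review bot: `digests = dns_kasp_digests(zone->defaultkasp);` in the no-policy branch of zone_rekey passes `zone->defaultkasp` without a NULL check, and dns_kasp_digests begins with REQUIRE(DNS_KASP_VALID(kasp)), so a zone that reaches rekeying without a default kasp attached aborts named on that assertion instead of failing the rekey; the attach happens only in named_zone_configure for non-stub/static-stub/redirect zones, and dns_zone_create initialises the field to NULL, so any other creation path is exposed. Guard it before the assignment, e.g. `if (zone->defaultkasp == NULL) { dnssec_log(zone, ISC_LOG_ERROR, "zone_rekey:no default dnssec-policy for CDS digest types"); }` and take the function's error path, or document on dns_zone_setdefaultkasp that every zone that may be rekeyed must have one. dns_kasp_digests also REQUIREs the kasp to be frozen; I assume the default policy is frozen at configuration time, but that is not visible here. zone_rekey begins and ends outside these hunks.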
@@ -298,6 +298,32 @@ cfg_nsec3param_fromconfig(const cfg_obj_t *config, dns_kasp_t *kasp, return (ISC_R_SUCCESS); } +static isc_result_t +add_digest(dns_kasp_t *kasp, const cfg_obj_t *digest, isc_log_t *logctx) { + isc_result_t result = ISC_R_SUCCESS; + isc_textregion_t r; + dns_dsdigest_t alg; + const char *str = cfg_obj_asstring(digest); + + DE_CONST(str, r.base); + r.length = strlen(str); + result = dns_dsdigest_fromtext(&alg, &r); + if (result != ISC_R_SUCCESS) { + cfg_obj_log(digest, logctx, ISC_LOG_ERROR, + "dnssec-policy: bad cds digest-type %s", str); + result = DNS_R_BADALG; + } else if (!dst_ds_digest_supported(alg)) { + cfg_obj_log(digest, logctx, ISC_LOG_ERROR, + "dnssec-policy: unsupported cds " + "digest-type %s", + str); + result = DST_R_UNSUPPORTEDALG; + } else { + dns_kasp_adddigest(kasp, alg); + } + return (result); +} + isc_result_t cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp, isc_mem_t *mctx, isc_log_t *logctx, @@ -312,7 +338,6 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp, const char *kaspname = NULL; dns_kasp_t *kasp = NULL; size_t i = 0; - unsigned int cds_digesttype = DNS_DSDIGEST_SHA256; uint32_t sigrefresh = 0, sigvalidity = 0; uint32_t dnskeyttl = 0, dsttl = 0, maxttl = 0; uint32_t publishsafety = 0, retiresafety = 0; 
@@ -410,33 +435,20 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp, dns_kasp_setparentpropagationdelay(kasp, parentpropdelay); /* Configuration: Keys */ - (void)confget(maps, "cds-digest-type", &obj); + (void)confget(maps, "cds-digest-types", &obj); if (obj != NULL) { - isc_textregion_t r; - dns_dsdigest_t alg; - const char *str = cfg_obj_asstring(obj); - - DE_CONST(str, r.base); - r.length = strlen(str); - result = dns_dsdigest_fromtext(&alg, &r); - if (result != ISC_R_SUCCESS) { - cfg_obj_log(obj, logctx, ISC_LOG_ERROR, - "dnssec-policy: bad cds digest-type %s", - str); - result = DNS_R_BADALG; - goto cleanup; - } - if (!dst_ds_digest_supported(alg)) { - cfg_obj_log(obj, logctx, ISC_LOG_ERROR, - "dnssec-policy: unsupported cds " - "digest-type %s", - str); - result = DST_R_UNSUPPORTEDALG; - goto cleanup; + for (element = cfg_list_first(obj); element != NULL; + element = cfg_list_next(element)) + { + result = add_digest(kasp, cfg_listelt_value(element), + logctx); + if (result != ISC_R_SUCCESS) { + goto cleanup; + } } - cds_digesttype = (unsigned int)alg; + } else { + dns_kasp_adddigest(kasp, DNS_DSDIGEST_SHA256); } - dns_kasp_setcdsdigesttype(kasp, cds_digesttype); dnskeyttl = get_duration(maps, "dnskey-ttl", DNS_KASP_KEY_TTL); dns_kasp_setdnskeyttl(kasp, dnskeyttl); diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index d246e04e8dd..ff938f1fac3 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -2193,7 +2193,7 @@ static cfg_type_t cfg_type_validityinterval = { * Clauses that can be found in a 'dnssec-policy' statement. */ static cfg_clausedef_t dnssecpolicy_clauses[] = { - { "cds-digest-type", &cfg_type_astring, 0 }, + { "cds-digest-types", &cfg_type_algorithmlist, 0 }, { "dnskey-ttl", &cfg_type_duration, 0 }, { "keys", &cfg_type_kaspkeys, 0 }, { "max-zone-ttl", &cfg_type_duration, 0 },
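Review bot: The new loop in cfg_kasp_fromconfig only falls back to SHA-256 when `cds-digest-types` is absent; if cfg_type_algorithmlist (outside this view) admits an empty list, `cds-digest-types { };` leaves the policy with no digest types, and presumably no CDS record is then published for any key, which silently breaks DS automation. Either treat an empty list like an absent clause, or reject it after the loop when nothing was added: `cfg_obj_log(obj, logctx, ISC_LOG_ERROR, "dnssec-policy: cds-digest-types must list at least one digest type"); result = ISC_R_FAILURE; goto cleanup;`. The messages in add_digest still say "cds digest-type", which is accurate per element, but naming the clause `cds-digest-types` would make them easier to trace back to the configuration.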