From: Nicki Křížek Date: Wed, 11 Jun 2025 14:26:37 +0000 (+0200) Subject: Isolate rollover-enable-dnssec test case X-Git-Tag: v9.21.11~38^2~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e29417731204f7d7e8d5ca5ffe0c149d4c041028;p=thirdparty%2Fbind9.git Isolate rollover-enable-dnssec test case --- diff --git a/bin/tests/system/rollover-enable-dnssec/common.py b/bin/tests/system/rollover-enable-dnssec/common.py new file mode 120000 index 00000000000..64b8084c5ac --- /dev/null +++ b/bin/tests/system/rollover-enable-dnssec/common.py @@ -0,0 +1 @@ +../rollover/common.py \ No newline at end of file diff --git a/bin/tests/system/rollover-enable-dnssec/ns3/kasp.conf.j2 b/bin/tests/system/rollover-enable-dnssec/ns3/kasp.conf.j2 new file mode 100644 index 00000000000..5e3e0a3ac23 --- /dev/null +++ b/bin/tests/system/rollover-enable-dnssec/ns3/kasp.conf.j2 @@ -0,0 +1,31 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +dnssec-policy "enable-dnssec" { + signatures-refresh P1W; + signatures-validity P2W; + signatures-validity-dnskey P2W; + + dnskey-ttl 300; + max-zone-ttl PT12H; + zone-propagation-delay PT5M; + retire-safety PT20M; + publish-safety PT5M; + + parent-propagation-delay 1h; + parent-ds-ttl 2h; + + keys { + csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@; + }; +}; diff --git a/bin/tests/system/rollover-enable-dnssec/ns3/named.common.conf.j2 b/bin/tests/system/rollover-enable-dnssec/ns3/named.common.conf.j2 new file mode 120000 index 00000000000..5dc26178cb1 --- /dev/null +++ b/bin/tests/system/rollover-enable-dnssec/ns3/named.common.conf.j2 @@ -0,0 +1 @@ +../../rollover/ns3/named.common.conf.j2 \ No newline at end of file diff --git a/bin/tests/system/rollover-enable-dnssec/ns3/named.conf.j2 b/bin/tests/system/rollover-enable-dnssec/ns3/named.conf.j2 new file mode 100644 index 00000000000..988790a20c2 --- /dev/null +++ b/bin/tests/system/rollover-enable-dnssec/ns3/named.conf.j2 @@ -0,0 +1,36 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "kasp.conf"; +include "named.common.conf"; + +zone "step1.enable-dnssec.autosign" { + type primary; + file "step1.enable-dnssec.autosign.db"; + dnssec-policy "enable-dnssec"; +}; +zone "step2.enable-dnssec.autosign" { + type primary; + file "step2.enable-dnssec.autosign.db"; + dnssec-policy "enable-dnssec"; +}; +zone "step3.enable-dnssec.autosign" { + type primary; + file "step3.enable-dnssec.autosign.db"; + dnssec-policy "enable-dnssec"; +}; +zone "step4.enable-dnssec.autosign" { + type primary; + file "step4.enable-dnssec.autosign.db"; + dnssec-policy "enable-dnssec"; +}; diff --git a/bin/tests/system/rollover-enable-dnssec/ns3/template.db.in b/bin/tests/system/rollover-enable-dnssec/ns3/template.db.in new file mode 120000 index 00000000000..ce6d526285a --- /dev/null +++ b/bin/tests/system/rollover-enable-dnssec/ns3/template.db.in @@ -0,0 +1 @@ +../../rollover/ns3/template.db.in \ No newline at end of file diff --git a/bin/tests/system/rollover-enable-dnssec/setup.sh b/bin/tests/system/rollover-enable-dnssec/setup.sh new file mode 100644 index 00000000000..0761de2dc4f --- /dev/null +++ b/bin/tests/system/rollover-enable-dnssec/setup.sh @@ -0,0 +1,100 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../conf.sh + +cd "ns3" + +setup() { + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" + echo "$zone" >>zones +} + +# Set in the key state files the Predecessor/Successor fields. +# Key $1 is the predecessor of key $2. +key_successor() { + id1=$(keyfile_to_key_id "$1") + id2=$(keyfile_to_key_id "$2") + echo "Predecessor: ${id1}" >>"${2}.state" + echo "Successor: ${id2}" >>"${1}.state" +} + +# Make lines shorter by storing key states in environment variables. +H="HIDDEN" +R="RUMOURED" +O="OMNIPRESENT" +U="UNRETENTIVE" + +# +# The zones at enable-dnssec.autosign represent the various steps of the +# initial signing of a zone. +# + +# Step 1: +# This is an unsigned zone and named should perform the initial steps of +# introducing the DNSSEC records in the right order. +setup step1.enable-dnssec.autosign +cp template.db.in $zonefile + +# Step 2: +# The DNSKEY has been published long enough to become OMNIPRESENT. +setup step2.enable-dnssec.autosign +# DNSKEY TTL: 300 seconds +# zone-propagation-delay: 5 minutes (300 seconds) +# publish-safety: 5 minutes (300 seconds) +# Total: 900 seconds +TpubN="now-900s" +keytimes="-P ${TpubN} -A ${TpubN}" +CSK=$($KEYGEN -k enable-dnssec -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 + +# Step 3: +# The zone signatures have been published long enough to become OMNIPRESENT. +setup step3.enable-dnssec.autosign +# Passed time since publication: +# max-zone-ttl: 12 hours (43200 seconds) +# zone-propagation-delay: 5 minutes (300 seconds) +TpubN="now-43500s" +# We can submit the DS now. +keytimes="-P ${TpubN} -A ${TpubN}" +CSK=$($KEYGEN -k enable-dnssec -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TpubN -r $O $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 + +# Step 4: +# The DS has been submitted long enough ago to become OMNIPRESENT. +setup step4.enable-dnssec.autosign +# DS TTL: 2 hour (7200 seconds) +# parent-propagation-delay: 1 hour (3600 seconds) +# Total aditional time: 10800 seconds +# 43500 + 10800 = 54300 +TpubN="now-54300s" +TsbmN="now-10800s" +keytimes="-P ${TpubN} -A ${TpubN} -P sync ${TsbmN}" +CSK=$($KEYGEN -k enable-dnssec -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -P ds $TsbmN -k $O $TpubN -r $O $TpubN -d $R $TpubN -z $O $TsbmN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 diff --git a/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py b/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py new file mode 100644 index 00000000000..a41f699af8b --- /dev/null +++ b/bin/tests/system/rollover-enable-dnssec/tests_rollover_enable_dnssec.py @@ -0,0 +1,109 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# pylint: disable=redefined-outer-name,unused-import + +import isctest +from isctest.kasp import Ipub, IpubC, Iret +from common import ( + pytestmark, + alg, + size, + CDSS, + TIMEDELTA, +) + +CONFIG = { + "dnskey-ttl": TIMEDELTA["PT5M"], + "ds-ttl": TIMEDELTA["PT2H"], + "max-zone-ttl": TIMEDELTA["PT12H"], + "parent-propagation-delay": TIMEDELTA["PT1H"], + "publish-safety": TIMEDELTA["PT5M"], + "retire-safety": TIMEDELTA["PT20M"], + "signatures-refresh": TIMEDELTA["P7D"], + "signatures-validity": TIMEDELTA["P14D"], + "zone-propagation-delay": TIMEDELTA["PT5M"], +} +POLICY = "enable-dnssec" +IPUB = Ipub(CONFIG) +IPUBC = IpubC(CONFIG, rollover=False) +IRETZSK = Iret(CONFIG, rollover=False) +IRETKSK = Iret(CONFIG, zsk=False, ksk=True, rollover=False) +OFFSETS = {} +OFFSETS["step1"] = 0 +OFFSETS["step2"] = -int(IPUB.total_seconds()) +OFFSETS["step3"] = -int(IRETZSK.total_seconds()) +OFFSETS["step4"] = -int(IPUBC.total_seconds() + IRETKSK.total_seconds()) + + +def test_rollover_enable_dnssec_step1(alg, size, servers): + step = { + "zone": "step1.enable-dnssec.autosign", + "cdss": CDSS, + "keyprops": [ + f"csk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden offset:{OFFSETS['step1']}", + ], + # Next key event is when the DNSKEY RRset becomes OMNIPRESENT, + # after the publication interval. + "nextev": IPUB, + } + isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + + +def test_rollover_enable_dnssec_step2(alg, size, servers): + step = { + "zone": "step2.enable-dnssec.autosign", + "cdss": CDSS, + # The DNSKEY is omnipresent, but the zone signatures not yet. + # Thus, the DS remains hidden. + # dnskey: rumoured -> omnipresent + # krrsig: rumoured -> omnipresent + "keyprops": [ + f"csk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{OFFSETS['step2']}", + ], + # Next key event is when the zone signatures become OMNIPRESENT, + # Minus the time already elapsed. + "nextev": IRETZSK - IPUB, + } + isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + + +def test_rollover_enable_dnssec_step3(alg, size, servers): + step = { + "zone": "step3.enable-dnssec.autosign", + "cdss": CDSS, + # All signatures should be omnipresent, so the DS can be submitted. + # zrrsig: rumoured -> omnipresent + # ds: hidden -> rumoured + "keyprops": [ + f"csk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{OFFSETS['step3']}", + ], + # Next key event is when the DS can move to the OMNIPRESENT state. + # This is after the retire interval. + "nextev": IRETKSK, + } + isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + + +def test_rollover_enable_dnssec_step4(alg, size, servers): + step = { + "zone": "step4.enable-dnssec.autosign", + "cdss": CDSS, + # DS has been published long enough. + # ds: rumoured -> omnipresent + "keyprops": [ + f"csk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4']}", + ], + # Next key event is never, the zone dnssec-policy has been + # established. So we fall back to the default loadkeys interval. + "nextev": TIMEDELTA["PT1H"], + } + isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) diff --git a/bin/tests/system/rollover/common.py b/bin/tests/system/rollover/common.py index 1e3ab1585a8..ff2cf2b7810 100644 --- a/bin/tests/system/rollover/common.py +++ b/bin/tests/system/rollover/common.py @@ -44,6 +44,7 @@ pytestmark = pytest.mark.extra_artifacts( TIMEDELTA = { 0: timedelta(seconds=0), "PT5M": timedelta(minutes=5), + "PT20M": timedelta(minutes=20), "PT1H": timedelta(hours=1), "PT2H": timedelta(hours=2), "PT6H": timedelta(hours=6), diff --git a/bin/tests/system/rollover/ns3/kasp.conf.j2 b/bin/tests/system/rollover/ns3/kasp.conf.j2 index f432cfc6c01..2ab26877f0e 100644 --- a/bin/tests/system/rollover/ns3/kasp.conf.j2 +++ b/bin/tests/system/rollover/ns3/kasp.conf.j2 @@ -29,22 +29,3 @@ dnssec-policy "multisigner-model2" { zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@ tag-range 32768 65535; }; }; - -dnssec-policy "enable-dnssec" { - signatures-refresh P1W; - signatures-validity P2W; - signatures-validity-dnskey P2W; - - dnskey-ttl 300; - max-zone-ttl PT12H; - zone-propagation-delay PT5M; - retire-safety PT20M; - publish-safety PT5M; - - parent-propagation-delay 1h; - parent-ds-ttl 2h; - - keys { - csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@; - }; -}; diff --git a/bin/tests/system/rollover/ns3/named.conf.j2 b/bin/tests/system/rollover/ns3/named.conf.j2 index ba7df3434c5..63a6909144a 100644 --- a/bin/tests/system/rollover/ns3/named.conf.j2 +++ b/bin/tests/system/rollover/ns3/named.conf.j2 @@ -42,27 +42,3 @@ zone "single-to-multisigner.kasp" { dnssec-policy "multisigner-model2"; allow-update { any; }; }; - -/* - * Zones for testing enabling DNSSEC. - */ -zone "step1.enable-dnssec.autosign" { - type primary; - file "step1.enable-dnssec.autosign.db"; - dnssec-policy "enable-dnssec"; -}; -zone "step2.enable-dnssec.autosign" { - type primary; - file "step2.enable-dnssec.autosign.db"; - dnssec-policy "enable-dnssec"; -}; -zone "step3.enable-dnssec.autosign" { - type primary; - file "step3.enable-dnssec.autosign.db"; - dnssec-policy "enable-dnssec"; -}; -zone "step4.enable-dnssec.autosign" { - type primary; - file "step4.enable-dnssec.autosign.db"; - dnssec-policy "enable-dnssec"; -}; diff --git a/bin/tests/system/rollover/ns3/setup.sh b/bin/tests/system/rollover/ns3/setup.sh index d7f854e880b..969b6a7e6c1 100644 --- a/bin/tests/system/rollover/ns3/setup.sh +++ b/bin/tests/system/rollover/ns3/setup.sh @@ -79,63 +79,3 @@ cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" $SIGNER -PS -z -x -s now-2w -e now-1mi -o $zone -f "${zonefile}" $infile >signer.out.$zone.1 2>&1 echo "Lifetime: 0" >>"${KSK}".state echo "Lifetime: 0" >>"${ZSK}".state - -# -# The zones at enable-dnssec.autosign represent the various steps of the -# initial signing of a zone. -# - -# Step 1: -# This is an unsigned zone and named should perform the initial steps of -# introducing the DNSSEC records in the right order. -setup step1.enable-dnssec.autosign -cp template.db.in $zonefile - -# Step 2: -# The DNSKEY has been published long enough to become OMNIPRESENT. -setup step2.enable-dnssec.autosign -# DNSKEY TTL: 300 seconds -# zone-propagation-delay: 5 minutes (300 seconds) -# publish-safety: 5 minutes (300 seconds) -# Total: 900 seconds -TpubN="now-900s" -keytimes="-P ${TpubN} -A ${TpubN}" -CSK=$($KEYGEN -k enable-dnssec -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1) -$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" >"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" -cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 - -# Step 3: -# The zone signatures have been published long enough to become OMNIPRESENT. -setup step3.enable-dnssec.autosign -# Passed time since publication: -# max-zone-ttl: 12 hours (43200 seconds) -# zone-propagation-delay: 5 minutes (300 seconds) -TpubN="now-43500s" -# We can submit the DS now. -keytimes="-P ${TpubN} -A ${TpubN}" -CSK=$($KEYGEN -k enable-dnssec -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TpubN -r $O $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" >"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" -cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 - -# Step 4: -# The DS has been submitted long enough ago to become OMNIPRESENT. -setup step4.enable-dnssec.autosign -# DS TTL: 2 hour (7200 seconds) -# parent-propagation-delay: 1 hour (3600 seconds) -# Total aditional time: 10800 seconds -# 43500 + 10800 = 54300 -TpubN="now-54300s" -TsbmN="now-10800s" -keytimes="-P ${TpubN} -A ${TpubN} -P sync ${TsbmN}" -CSK=$($KEYGEN -k enable-dnssec -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1) -$SETTIME -s -g $O -P ds $TsbmN -k $O $TpubN -r $O $TpubN -d $R $TpubN -z $O $TsbmN "$CSK" >settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" >"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" -cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 diff --git a/bin/tests/system/rollover/tests_rollover.py b/bin/tests/system/rollover/tests_rollover.py index 1f06007aa4d..025bbb0d7c4 100644 --- a/bin/tests/system/rollover/tests_rollover.py +++ b/bin/tests/system/rollover/tests_rollover.py @@ -308,92 +308,3 @@ def test_rollover_multisigner(servers): isctest.kasp.check_dnssecstatus(server, zone, keys, policy=policy) isctest.kasp.check_apex(server, zone, ksks, zsks) isctest.kasp.check_subdomain(server, zone, ksks, zsks) - - -def test_rollover_enable_dnssec(servers): - server = servers["ns3"] - policy = "enable-dnssec" - cdss = ["CDNSKEY", "CDS (SHA-256)"] - config = { - "dnskey-ttl": timedelta(seconds=300), - "ds-ttl": timedelta(hours=2), - "max-zone-ttl": timedelta(hours=12), - "parent-propagation-delay": timedelta(hours=1), - "publish-safety": timedelta(minutes=5), - "retire-safety": timedelta(minutes=20), - "signatures-refresh": timedelta(days=7), - "signatures-validity": timedelta(days=14), - "zone-propagation-delay": timedelta(minutes=5), - } - alg = os.environ["DEFAULT_ALGORITHM_NUMBER"] - size = os.environ["DEFAULT_BITS"] - - ipub = Ipub(config) - ipubC = IpubC(config, rollover=False) - iretZSK = Iret(config, rollover=False) - iretKSK = Iret(config, zsk=False, ksk=True, rollover=False) - offsets = { - "step1": 0, - "step2": -int(ipub.total_seconds()), - "step3": -int(iretZSK.total_seconds()), - "step4": -int(ipubC.total_seconds() + iretKSK.total_seconds()), - } - - steps = [ - { - # Step 1. - "zone": "step1.enable-dnssec.autosign", - "cdss": cdss, - "keyprops": [ - f"csk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden offset:{offsets['step1']}", - ], - # Next key event is when the DNSKEY RRset becomes OMNIPRESENT, - # after the publication interval. - "nextev": ipub, - }, - { - # Step 2. - "zone": "step2.enable-dnssec.autosign", - "cdss": cdss, - # The DNSKEY is omnipresent, but the zone signatures not yet. - # Thus, the DS remains hidden. - # dnskey: rumoured -> omnipresent - # krrsig: rumoured -> omnipresent - "keyprops": [ - f"csk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{offsets['step2']}", - ], - # Next key event is when the zone signatures become OMNIPRESENT, - # Minus the time already elapsed. - "nextev": iretZSK - ipub, - }, - { - # Step 3. - "zone": "step3.enable-dnssec.autosign", - "cdss": cdss, - # All signatures should be omnipresent, so the DS can be submitted. - # zrrsig: rumoured -> omnipresent - # ds: hidden -> rumoured - "keyprops": [ - f"csk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{offsets['step3']}", - ], - # Next key event is when the DS can move to the OMNIPRESENT state. - # This is after the retire interval. - "nextev": iretKSK, - }, - { - # Step 4. - "zone": "step4.enable-dnssec.autosign", - "cdss": cdss, - # DS has been published long enough. - # ds: rumoured -> omnipresent - "keyprops": [ - f"csk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step4']}", - ], - # Next key event is never, the zone dnssec-policy has been - # established. So we fall back to the default loadkeys interval. - "nextev": timedelta(hours=1), - }, - ] - - for step in steps: - isctest.kasp.check_rollover_step(server, config, policy, step)