From: Matthijs Mekking Date: Mon, 17 Mar 2025 14:32:43 +0000 (+0100) Subject: Convert keystore and rumoured kasp test cases X-Git-Tag: v9.21.8~13^2~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ee7120eb34c889d571cca15ec1a3fb068e6e7545;p=thirdparty%2Fbind9.git Convert keystore and rumoured kasp test cases For 'keystore.kasp', a setting 'key-directories' is used. If set, this will expect a list of two directories, the first one is where the KSKs will be stored, the second in the list is the ZSK key directory. This may be expanded in the future to test more complex key storage cases. The 'rumoured.kasp' zone is weird, the key timings can never match those key states. But it is a regression test for an early day bug, so we convert it, but skip the expected key times check. --- diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 7429b869dfd..d8497a40fdb 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -400,120 +400,6 @@ set_keytimes_algorithm_policy() { set_addkeytime "KEY3" "REMOVED" "${retired}" 867900 } -# -# Zone: keystore.kasp. -# -set_zone "keystore.kasp" -set_policy "keystore" "2" "303" -set_server "ns3" "10.53.0.3" -# Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" -set_keydir "KEY1" "ns3/ksk" -set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" - -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "0" -set_keydir "KEY2" "ns3/zsk" -set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" - -# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. -# ZSK: DNSKEY, RRSIG (zsk) published. -set_keystate "KEY1" "GOAL" "omnipresent" -set_keystate "KEY1" "STATE_DNSKEY" "rumoured" -set_keystate "KEY1" "STATE_KRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" - -set_keystate "KEY2" "GOAL" "omnipresent" -set_keystate "KEY2" "STATE_DNSKEY" "rumoured" -set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" -# Two keys only. -key_clear "KEY3" -key_clear "KEY4" - -check_keys -check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -# Reuse set_keytimes_csk_policy to set the KEY1 keytimes. -set_keytimes_csk_policy -created=$(key_get KEY2 CREATED) -set_keytime "KEY2" "PUBLISHED" "${created}" -set_keytime "KEY2" "ACTIVE" "${created}" -check_keytimes -check_apex -check_subdomain -dnssec_verify - -# Key properties for tests below. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "315360000" -set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" - -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "157680000" -set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" - -key_clear "KEY3" -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "31536000" -set_keyalgorithm "KEY3" "8" "RSASHA256" "3072" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "yes" -# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. -# ZSK: DNSKEY, RRSIG (zsk) published. -set_keystate "KEY1" "GOAL" "omnipresent" -set_keystate "KEY1" "STATE_DNSKEY" "rumoured" -set_keystate "KEY1" "STATE_KRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" - -set_keystate "KEY2" "GOAL" "omnipresent" -set_keystate "KEY2" "STATE_DNSKEY" "rumoured" -set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" - -set_keystate "KEY3" "GOAL" "omnipresent" -set_keystate "KEY3" "STATE_DNSKEY" "rumoured" -set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" -# Three keys only. -key_clear "KEY4" - -# -# Zone: rumoured.kasp. -# -# There are three keys in rumoured state. -set_zone "rumoured.kasp" -set_policy "rsasha256" "3" "1234" -set_server "ns3" "10.53.0.3" -# Key properties, timings and states same as above. - -check_keys -check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -set_keytimes_algorithm_policy -# Activation date is a day later. -set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400 -set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400 -set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400 -set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400 -set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400 -set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400 -set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400 -set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400 -set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400 -check_keytimes -check_apex -check_subdomain -dnssec_verify - # TODO: we might want to test: # - configuring a zone with too many active keys (should trigger retire). # - configuring a zone with keys not matching the policy. diff --git a/bin/tests/system/kasp/tests_kasp.py b/bin/tests/system/kasp/tests_kasp.py index eba8e732772..05f4e4254b1 100644 --- a/bin/tests/system/kasp/tests_kasp.py +++ b/bin/tests/system/kasp/tests_kasp.py @@ -310,11 +310,18 @@ def test_kasp_cases(servers): ttl=ttl, keys=test["key-properties"] ) # Key files. - keys = isctest.kasp.keydir_to_keylist( - zone, test["config"]["key-directory"], in_use=pregenerated - ) - ksks = [k for k in keys if k.is_ksk()] - zsks = [k for k in keys if not k.is_ksk()] + if "key-directories" in test: + kdir = test["key-directories"][0] + ksks = isctest.kasp.keydir_to_keylist(zone, kdir, in_use=pregenerated) + kdir = test["key-directories"][1] + zsks = isctest.kasp.keydir_to_keylist(zone, kdir, in_use=pregenerated) + keys = ksks + zsks + else: + keys = isctest.kasp.keydir_to_keylist( + zone, test["config"]["key-directory"], in_use=pregenerated + ) + ksks = [k for k in keys if k.is_ksk()] + zsks = [k for k in keys if not k.is_ksk()] isctest.kasp.check_zone_is_signed(server, zone) isctest.kasp.check_keys(zone, keys, expected) @@ -326,7 +333,8 @@ def test_kasp_cases(servers): test["config"], offset=offset, pregenerated=pregenerated ) - isctest.kasp.check_keytimes(keys, expected) + if "rumoured" not in test: + isctest.kasp.check_keytimes(keys, expected) check_all(server, zone, policy, ksks, zsks, zsk_missing=zsk_missing) @@ -458,6 +466,27 @@ def test_kasp_cases(servers): "config": kasp_config, "key-properties": fips_properties(8), }, + { + "zone": "keystore.kasp", + "policy": "keystore", + "config": { + "dnskey-ttl": timedelta(seconds=303), + "ds-ttl": timedelta(days=1), + "key-directory": keydir, + "max-zone-ttl": timedelta(days=1), + "parent-propagation-delay": timedelta(hours=1), + "publish-safety": timedelta(hours=1), + "retire-safety": timedelta(hours=1), + "signatures-refresh": timedelta(days=5), + "signatures-validity": timedelta(days=14), + "zone-propagation-delay": timedelta(minutes=5), + }, + "key-directories": [f"{keydir}/ksk", f"{keydir}/zsk"], + "key-properties": [ + f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden", + f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured", + ], + }, { "zone": "legacy-keys.kasp", "policy": "migrate-to-dnssec-policy", @@ -493,6 +522,13 @@ def test_kasp_cases(servers): "config": kasp_config, "key-properties": fips_properties(10), }, + { + "zone": "rumoured.kasp", + "policy": "rsasha256", + "config": kasp_config, + "rumoured": True, + "key-properties": fips_properties(8), + }, { "zone": "secondary.kasp", "policy": "rsasha256",