From: Matthijs Mekking
Date: Tue, 18 Feb 2020 15:33:41 +0000 (+0100)
Subject: Introduce enable dnssec test case
X-Git-Tag: v9.17.1~69^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fdb3f6f40019e0010cb320a8425399d3026c29a2;p=thirdparty%2Fbind9.git

Introduce enable dnssec test case
---
diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in
index 38a656b0d34..84451742bfb 100644
--- a/bin/tests/system/kasp/ns3/named.conf.in
+++ b/bin/tests/system/kasp/ns3/named.conf.in
@@ -202,6 +202,30 @@ zone "zsk-retired.autosign" {
 dnssec-policy "autosign";
 };
+/*
+ * Zones for testing enabling DNSSEC.
+ */
+zone "step1.enable-dnssec.autosign" {
+ type master;
+ file "step1.enable-dnssec.autosign.db";
+ dnssec-policy "enable-dnssec";
+};
+zone "step2.enable-dnssec.autosign" {
+ type master;
+ file "step2.enable-dnssec.autosign.db";
+ dnssec-policy "enable-dnssec";
+};
+zone "step3.enable-dnssec.autosign" {
+ type master;
+ file "step3.enable-dnssec.autosign.db";
+ dnssec-policy "enable-dnssec";
+};
+zone "step4.enable-dnssec.autosign" {
+ type master;
+ file "step4.enable-dnssec.autosign.db";
+ dnssec-policy "enable-dnssec";
+};
+
 /*
 * Zones for testing ZSK Pre-Publication steps.
 */
diff --git a/bin/tests/system/kasp/ns3/policies/autosign.conf b/bin/tests/system/kasp/ns3/policies/autosign.conf
index 751783ee0e1..bafbe859ef4 100644
--- a/bin/tests/system/kasp/ns3/policies/autosign.conf
+++ b/bin/tests/system/kasp/ns3/policies/autosign.conf
@@ -23,6 +23,27 @@ dnssec-policy "autosign" {
 };
 };
+dnssec-policy "enable-dnssec" {
+
+ signatures-refresh P1W;
+ signatures-validity P2W;
+ signatures-validity-dnskey P2W;
+
+ dnskey-ttl 300;
+ max-zone-ttl PT12H;
+ zone-propagation-delay PT5M;
+ retire-safety PT20M;
+ publish-safety PT5M;
+
+ parent-propagation-delay 1h;
+ parent-registration-delay P1D;
+ parent-ds-ttl 2h;
+
+ keys {
+ csk lifetime unlimited algorithm 13;
+ };
+};
+
 dnssec-policy "zsk-prepub" {
 signatures-refresh P1W;
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index e1f065dce2b..5be0f0b0c04 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
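Review bot: The new `enable-dnssec` policy mixes ISO 8601 durations (`P1W`, `PT12H`, `PT5M`, `PT20M`, `P1D`) with BIND TTL-style values (`dnskey-ttl 300;`, `parent-propagation-delay 1h;`, `parent-ds-ttl 2h;`) inside one block, which makes the second-count arithmetic that tests.sh relies on (900, 43800 and 98400 seconds) harder to verify by eye. Writing every interval in one notation, e.g. `parent-propagation-delay PT1H;` and `parent-ds-ttl PT2H;`, would keep the block self-consistent with its `PT…` neighbours. A short comment above the block naming the derived values the test expects would also tie the policy to its consumers, since those constants are computed directly from these fields.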
@@ -149,6 +149,53 @@ private_type_record $zone 13 "$ZSK" >> "$infile"
 $SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 $SETTIME -s -I now -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1
+#
+# The zones at enable-dnssec.autosign represent the various steps of the
+# initial signing of a zone.
+#
+
+# Step 1:
+# This is an unsigned zone and named should perform the initial steps of
+# introducing the DNSSEC records in the right order.
+setup step1.enable-dnssec.autosign
+cp template.db.in $zonefile
+
+# Step 2:
+# The DNSKEY has been published long enough to become OMNIPRESENT.
+setup step2.enable-dnssec.autosign
+CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
+TpubN="now-900s"
+$SETTIME -s -P $TpubN -A $TpubN -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone 13 "$CSK" >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 3:
+# The zone signatures have been published long enough to become OMNIPRESENT.
+setup step3.enable-dnssec.autosign
+CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
+TpubN="now-44700s"
+TactN="now-43800s"
+$SETTIME -s -P $TpubN -A $TpubN -g $O -k $O $TactN -r $O $TactN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone 13 "$CSK" >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+setup step3.enable-dnssec.autosign
+
+# Step 4:
+# The DS has been submitted long enough ago to become OMNIPRESENT.
+# Add 27 hour plus retire safety of 20 minutes (98400 seconds) to the times.
+setup step4.enable-dnssec.autosign
+CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
+TpubN="now-143100s"
+TactN="now-142200s"
+TomnN="now-98400s"
+$SETTIME -s -P $TpubN -A $TpubN -g $O -k $O $TactN -r $O $TactN -d $R $TomnN -z $O $TomnN "$CSK" > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone 13 "$CSK" >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+setup step3.enable-dnssec.autosign
+
 #
 # The zones at zsk-prepub.autosign represent the various steps of a ZSK
 # Pre-Publication rollover.
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 6988613d6e0..e6c30289045 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
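Review bot: The Step 4 block ends with `setup step3.enable-dnssec.autosign` after its `$SIGNER` call, and the Step 3 block likewise ends with a second `setup step3.enable-dnssec.autosign`; both read as copy-paste residue, since no command follows either call in this section. `setup` is defined outside the hunk, but from its use here it appears to select `$zone`, `$zonefile` and `$infile` for the commands that follow, so a trailing call for step3 at the end of step4 is at best a no-op and at worst disturbs the step3 artifacts just produced. Drop both trailing `setup step3.enable-dnssec.autosign` lines. It would also help to annotate the hard-coded offsets in Step 2 and Step 3 the way Step 4 already does, e.g. `# 900s = dnskey-ttl + publish-safety + zone-propagation-delay` above `TpubN="now-900s"`, so they can be checked against the enable-dnssec policy.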
@@ -1603,21 +1603,18 @@ dnssec_verify
 TSIG=""
 #
-# Testing ZSK Pre-Publication rollover.
+# Testing DNSSEC introduction.
 #
 #
-# Zone: step1.zsk-prepub.autosign.
+# Zone: step1.enable-dnssec.autosign.
 #
-zone_properties "ns3" "step1.zsk-prepub.autosign" "zsk-prepub" "3600" "2" "10.53.0.3"
-# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
-key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
-key_timings "KEY1" "published" "active" "retired" "none" "none"
-key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
-key_properties "KEY2" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "yes" "no"
-key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none"
-key_timings "KEY2" "published" "active" "retired" "none" "none"
-# Initially only two keys.
+zone_properties "ns3" "step1.enable-dnssec.autosign" "enable-dnssec" "300" "1" "10.53.0.3"
+# The DNSKEY and signatures are introduced first, the DS remains hidden.
+key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
+key_timings "KEY1" "published" "active" "none" "none" "none"
+key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden"
+key_clear "KEY2"
 key_clear "KEY3"
 check_keys
 check_apex
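Review bot: The lifetime argument `"0"` in `key_properties "KEY1" "csk" "0" …` is only meaningful if the reader knows that the enable-dnssec policy declares `csk lifetime unlimited`; the removed lines used concrete lifetimes (`"63072000"`, `"2592000"`), so the mapping from unlimited to 0 is not obvious at this call site. A one-line comment above it, `# Lifetime 0: the enable-dnssec policy sets "csk lifetime unlimited".`, would make the expectation self-explanatory, and the same reasoning explains why `key_timings` now passes `"none"` for the retired time. These are top-level script lines, not part of a function.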
@@ -1646,11 +1643,85 @@ check_next_key_event() {
 status=$((status+ret))
 }
+# Next key event is when the DNSKEY RRset becomes OMNIPRESENT: DNSKEY TTL plus
+# publish safety plus the zone propagation delay: 900 seconds.
+check_next_key_event 900
+
+#
+# Zone: step2.enable-dnssec.autosign.
+#
+zone_properties "ns3" "step2.enable-dnssec.autosign" "enable-dnssec" "300" "1" "10.53.0.3"
+# The DNSKEY and signatures are introduced first, the DS remains hidden.
+key_states "KEY1" "omnipresent" "omnipresent" "rumoured" "omnipresent" "hidden"
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the zone signatures become OMNIPRESENT: max-zone-ttl
+# plus zone propagation delay plus retire safety minus the already elapsed
+# 900 seconds: 12h + 300s + 20m - 900 = 44700 - 900 = 43800 seconds
+check_next_key_event 43800
+
+#
+# Zone: step3.enable-dnssec.autosign.
+#
+zone_properties "ns3" "step3.enable-dnssec.autosign" "enable-dnssec" "300" "1" "10.53.0.3"
+# The DS can be introduced.
+key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "rumoured"
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DS can move to the OMNIPRESENT state. This occurs
+# when the parent registration and propagation delay have passed, plus the
+# DS TTL and retire safety delay: 1d + 1h + 2h + 20m = 27h20m = 98400 seconds
+check_next_key_event 98400
+
+#
+# Zone: step4.enable-dnssec.autosign.
+#
+zone_properties "ns3" "step4.enable-dnssec.autosign" "enable-dnssec" "300" "1" "10.53.0.3"
+# The DS is omnipresent.
+key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is never, the zone dnssec-policy has been established. So we
+# fall back to the default loadkeys interval.
+check_next_key_event 3600
+
+#
+# Testing ZSK Pre-Publication rollover.
+#
+
+#
+# Zone: step1.zsk-prepub.autosign.
+#
+zone_properties "ns3" "step1.zsk-prepub.autosign" "zsk-prepub" "3600" "2" "10.53.0.3"
+# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
+key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
+key_timings "KEY1" "published" "active" "retired" "none" "none"
+key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
+key_properties "KEY2" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "yes" "no"
+key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none"
+key_timings "KEY2" "published" "active" "retired" "none" "none"
+# Initially only two keys.
+key_clear "KEY3"
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
 # Next key event is when the successor ZSK needs to be published. That is
 # the ZSK lifetime - prepublication time. The prepublication time is DNSKEY
 # TTL plus publish safety plus the zone propagation delay. For the
 # zsk-prepub policy that means: 30d - 3600s + 1d + 1h = 2498400 seconds.
 check_next_key_event 2498400
+
 #
 # Zone: step2.zsk-prepub.autosign.
 #
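Review bot: The comment above the step2.enable-dnssec `key_states` line, `# The DNSKEY and signatures are introduced first, the DS remains hidden.`, is copied verbatim from step1 but no longer matches the asserted states: two columns that were `rumoured` in step1 are now `omnipresent`, and only one remains `rumoured` with the DS still `hidden`. Reword it to describe what step 2 actually checks, e.g. `# The DNSKEY is now OMNIPRESENT; signatures are still being introduced, the DS remains hidden.` (exact column meaning is defined by key_states elsewhere in the file, so confirm which signature state is the remaining rumoured one). The step3 and step4 comments do track their state lines, so only step2 needs the fix. These lines sit after the closing brace of check_next_key_event() at script top level, not inside a function.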