From: Nicki Křížek
Date: Fri, 6 Jun 2025 14:49:14 +0000 (+0200)
Subject: Isolate rollover-algo-csk test
X-Git-Tag: v9.21.11~38^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fdecef5378654204295bbee0410657b337e49c43;p=thirdparty%2Fbind9.git
Isolate rollover-algo-csk test
---
diff --git a/bin/tests/system/rollover-algo-csk/common.py b/bin/tests/system/rollover-algo-csk/common.py
new file mode 120000
index 00000000000..64b8084c5ac
--- /dev/null
+++ b/bin/tests/system/rollover-algo-csk/common.py
@@ -0,0 +1 @@
+../rollover/common.py
\ No newline at end of file
diff --git a/bin/tests/system/rollover/ns6/csk1.conf.j2 b/bin/tests/system/rollover-algo-csk/ns6/csk1.conf.j2
similarity index 100%
rename from bin/tests/system/rollover/ns6/csk1.conf.j2
rename to bin/tests/system/rollover-algo-csk/ns6/csk1.conf.j2
diff --git a/bin/tests/system/rollover/ns6/csk2.conf.j2 b/bin/tests/system/rollover-algo-csk/ns6/csk2.conf.j2
similarity index 100%
rename from bin/tests/system/rollover/ns6/csk2.conf.j2
rename to bin/tests/system/rollover-algo-csk/ns6/csk2.conf.j2
diff --git a/bin/tests/system/rollover-algo-csk/ns6/named.common.conf.j2 b/bin/tests/system/rollover-algo-csk/ns6/named.common.conf.j2
new file mode 120000
index 00000000000..6b841ab2ad3
--- /dev/null
+++ b/bin/tests/system/rollover-algo-csk/ns6/named.common.conf.j2
@@ -0,0 +1 @@
+../../rollover-dynamic2inline/ns6/named.common.conf.j2
\ No newline at end of file
diff --git a/bin/tests/system/rollover/ns6/named.conf.j2 b/bin/tests/system/rollover-algo-csk/ns6/named.conf.j2
similarity index 97%
rename from bin/tests/system/rollover/ns6/named.conf.j2
rename to bin/tests/system/rollover-algo-csk/ns6/named.conf.j2
index 2d08069a709..d5e785bb27e 100644
--- a/bin/tests/system/rollover/ns6/named.conf.j2
+++ b/bin/tests/system/rollover-algo-csk/ns6/named.conf.j2
@@ -11,14 +11,10 @@ * information regarding copyright ownership. */ -// NS6 - {% set csk_roll = csk_roll | default(False) %} {% set _csk_file = "csk1.conf" if not csk_roll else "csk2.conf" %} -include "kasp.conf"; include "@_csk_file@"; - include "named.common.conf"; zone "step1.csk-algorithm-roll.kasp" { diff --git a/bin/tests/system/rollover-algo-csk/ns6/template.db.in b/bin/tests/system/rollover-algo-csk/ns6/template.db.in new file mode 120000 index 00000000000..21598660d1e --- /dev/null +++ b/bin/tests/system/rollover-algo-csk/ns6/template.db.in @@ -0,0 +1 @@ +../../rollover-dynamic2inline/ns6/template.db.in \ No newline at end of file diff --git a/bin/tests/system/rollover/ns6/setup.sh b/bin/tests/system/rollover-algo-csk/setup.sh similarity index 99% rename from bin/tests/system/rollover/ns6/setup.sh rename to bin/tests/system/rollover-algo-csk/setup.sh index f0963108d7c..65318e6b948 100644 --- a/bin/tests/system/rollover/ns6/setup.sh +++ b/bin/tests/system/rollover-algo-csk/setup.sh @@ -12,9 +12,9 @@ # information regarding copyright ownership. # shellcheck source=conf.sh -. ../../conf.sh +. ../conf.sh -echo_i "ns6/setup.sh" +cd "ns6" setup() { zone="$1" diff --git a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py new file mode 100644 index 00000000000..e3b1053c39a --- /dev/null +++ b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_initial.py 
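Review bot: In the setup.sh hunk the new `cd "ns6"` is unguarded; unless `set -e` is in effect earlier in the script (not visible here), a failed cd would leave the rest of the setup running in the directory above, so `cd "ns6" || exit 1` is the safer form. The `echo_i "ns6/setup.sh"` progress line is dropped rather than moved; if the other per-test setup.sh scripts in the suite still print such a marker, keeping `echo_i "setup.sh"` after the cd keeps the logs uniform. The `setup()` function continues past the end of the hunk.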
@@ -0,0 +1,36 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# pylint: disable=redefined-outer-name,unused-import + +import isctest +from common import ( + pytestmark, + CDSS, + DURATION, + TIMEDELTA, + ALGOROLL_CONFIG, +) + + +def test_algoroll_csk_initial(servers): + config = ALGOROLL_CONFIG + policy = "csk-algoroll" + + step = { + "zone": "step1.csk-algorithm-roll.kasp", + "cdss": CDSS, + "keyprops": [ + f"csk 0 8 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P7D']}", + ], + "nextev": TIMEDELTA["PT1H"], + } + isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step) diff --git a/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py new file mode 100644 index 00000000000..7037238db80 --- /dev/null +++ b/bin/tests/system/rollover-algo-csk/tests_rollover_algo_csk_reconfig.py 
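Review bot: The keyprops line re-derives the offset as `offset:{-DURATION['P7D']}` although common.py now exports `ALGOROLL_OFFVAL = -DURATION["P7D"]` in this same commit and the sibling reconfig test uses it; importing `ALGOROLL_OFFVAL` instead of `DURATION` keeps the two files in step if that value ever changes. The locals `config = ALGOROLL_CONFIG` and `policy = "csk-algoroll"` are module constants `CONFIG`/`POLICY` in the reconfig file, and the same shape here would read consistently. A one-line docstring such as `"""Check the step1 CSK key state before the csk_roll reconfigure is applied."""` would also make the test's role next to the reconfig module obvious.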
@@ -0,0 +1,156 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# pylint: disable=redefined-outer-name,unused-import + +import pytest + +import isctest +from isctest.kasp import KeyTimingMetadata +from common import ( + pytestmark, + alg, + size, + CDSS, + ALGOROLL_CONFIG, + ALGOROLL_IPUB, + ALGOROLL_IPUBC, + ALGOROLL_IRET, + ALGOROLL_IRETKSK, + ALGOROLL_KEYTTLPROP, + ALGOROLL_OFFSETS, + ALGOROLL_OFFVAL, + TIMEDELTA, +) + +CONFIG = ALGOROLL_CONFIG +POLICY = "csk-algoroll" +TIME_PASSED = 0 # set in reconfigure() fixture + + +@pytest.fixture(scope="module", autouse=True) +def reconfigure(servers, templates): + global TIME_PASSED # pylint: disable=global-statement + start_time = KeyTimingMetadata.now() + + templates.render("ns6/named.conf", {"csk_roll": True}) + servers["ns6"].reconfigure() + + # Calculate time passed to correctly check for next key events. + TIME_PASSED = KeyTimingMetadata.now().value - start_time.value + + +def test_algoroll_csk_reconfig_step1(servers, alg, size): + step = { + "zone": "step1.csk-algorithm-roll.kasp", + "cdss": CDSS, + "keyprops": [ + # The RSASHA keys are outroducing. + f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}", + # The ECDSAP256SHA256 keys are introducing. + f"csk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden", + ], + # Next key event is when the ecdsa256 keys have been propagated. 
+ "nextev": ALGOROLL_IPUB, + } + isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + + +def test_algoroll_csk_reconfig_step2(servers, alg, size): + step = { + "zone": "step2.csk-algorithm-roll.kasp", + "cdss": CDSS, + "keyprops": [ + # The RSASHA keys are outroducing, but need to stay present + # until the new algorithm chain of trust has been established. + # Thus the expected key states of these keys stay the same. + f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}", + # The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is + # omnipresent, but the zone signatures are not. + f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{ALGOROLL_OFFSETS['step2']}", + ], + # Next key event is when all zone signatures are signed with the + # new algorithm. This is the child publication interval, minus + # the publication interval has already passed. Also, prevent + # intermittent false positives on slow platforms by subtracting + # the time passed between key creation and invoking 'rndc reconfig'. + "nextev": ALGOROLL_IPUBC - ALGOROLL_IPUB - TIME_PASSED, + } + isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + + +def test_algoroll_csk_reconfig_step3(servers, alg, size): + step = { + "zone": "step3.csk-algorithm-roll.kasp", + "cdss": CDSS, + "keyprops": [ + # The DS can be swapped. + f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:unretentive offset:{ALGOROLL_OFFVAL}", + f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{ALGOROLL_OFFSETS['step3']}", + ], + # Next key event is when the DS becomes OMNIPRESENT. This happens + # after the publication interval of the parent side. 
+ "nextev": ALGOROLL_IRETKSK - TIME_PASSED, + } + isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + + +def test_algoroll_csk_reconfig_step4(servers, alg, size): + step = { + "zone": "step4.csk-algorithm-roll.kasp", + "cdss": CDSS, + "keyprops": [ + # The old DS is HIDDEN, we can remove the old algorithm records. + f"csk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}", + f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}", + ], + # Next key event is when the old DNSKEY becomes HIDDEN. + # This happens after the DNSKEY TTL plus zone propagation delay. + "nextev": ALGOROLL_KEYTTLPROP, + } + isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + + +def test_algoroll_csk_reconfig_step5(servers, alg, size): + step = { + "zone": "step5.csk-algorithm-roll.kasp", + "cdss": CDSS, + "keyprops": [ + # The DNSKEY becomes HIDDEN. + f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}", + f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step5']}", + ], + # Next key event is when the RSASHA signatures become HIDDEN. + # This happens after the max-zone-ttl plus zone propagation delay + # minus the time already passed since the UNRETENTIVE state has + # been reached. Prevent intermittent false positives on slow + # platforms by subtracting the number of seconds which passed + # between key creation and invoking 'rndc reconfig'. 
+ "nextev": ALGOROLL_IRET - ALGOROLL_IRETKSK - ALGOROLL_KEYTTLPROP - TIME_PASSED, + } + isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) + + +def test_algoroll_csk_reconfig_step6(servers, alg, size): + step = { + "zone": "step6.csk-algorithm-roll.kasp", + "cdss": CDSS, + "keyprops": [ + # The zone signatures are now HIDDEN. + f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}", + f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step6']}", + ], + # Next key event is never since we established the policy and the + # keys have an unlimited lifetime. Fallback to the default + # loadkeys interval. + "nextev": TIMEDELTA["PT1H"], + } + isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) diff --git a/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py b/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py index 929557822ef..c23eb018750 100644 --- a/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py +++ b/bin/tests/system/rollover-algo-ksk-zsk/tests_rollover_algo_ksk_zsk_reconfig.py 
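Review bot: The `reconfigure` fixture sets the module global `TIME_PASSED` through `global` and carries no docstring, so the reason every `nextev` subtracts it is only implied by the `# set in reconfigure() fixture` comment; a docstring such as `"""Render ns6/named.conf with csk_roll=True and reconfigure ns6, recording the elapsed time so the step tests can subtract it from their nextev expectations."""` would state the contract. Alternatively the module-scoped fixture could return the elapsed value and the step tests take `reconfigure` as a parameter, which removes the `global` and the `TIME_PASSED = 0` placeholder. The step2 comment `minus the publication interval has already passed` is hard to parse; the ksk-zsk module's wording `But the publication interval has already passed.` is clearer.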
@@ -21,21 +21,16 @@ from common import ( size, CDSS, ALGOROLL_CONFIG, + ALGOROLL_IPUB, + ALGOROLL_IPUBC, + ALGOROLL_IRET, + ALGOROLL_IRETKSK, + ALGOROLL_KEYTTLPROP, + ALGOROLL_OFFSETS, + ALGOROLL_OFFVAL, TIMEDELTA, ) -IPUB = Ipub(ALGOROLL_CONFIG) -IPUBC = IpubC(ALGOROLL_CONFIG, rollover=False) -IRET = Iret(ALGOROLL_CONFIG, rollover=False) -IRETKSK = Iret(ALGOROLL_CONFIG, zsk=False, ksk=True, rollover=False) -KEYTTLPROP = ALGOROLL_CONFIG["dnskey-ttl"] + ALGOROLL_CONFIG["zone-propagation-delay"] -OFFSETS = {} -OFFSETS["step2"] = -int(IPUB.total_seconds()) -OFFSETS["step3"] = -int(IRET.total_seconds()) -OFFSETS["step4"] = OFFSETS["step3"] - int(IRETKSK.total_seconds()) -OFFSETS["step5"] = OFFSETS["step4"] - int(KEYTTLPROP.total_seconds()) -OFFSETS["step6"] = OFFSETS["step5"] - int(IRET.total_seconds()) -OFFVAL = -DURATION["P7D"] CONFIG = ALGOROLL_CONFIG POLICY = "ecdsa256" TIME_PASSED = 0 # set in reconfigure() fixture @@ -59,14 +54,14 @@ def test_algoroll_ksk_zsk_reconfig_step1(servers, alg, size): "cdss": CDSS, "keyprops": [ # The RSASHA keys are outroducing. - f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFVAL}", - f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFVAL}", + f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}", + f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}", # The ECDSAP256SHA256 keys are introducing. f"ksk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden", f"zsk 0 {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured", ], # Next key event is when the ecdsa256 keys have been propagated. - "nextev": IPUB, + "nextev": ALGOROLL_IPUB, } isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) 
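Review bot: With the local `IPUB`, `IPUBC`, `IRET`, `IRETKSK`, `KEYTTLPROP`, `OFFSETS` and `OFFVAL` definitions removed, the imports of `Ipub`, `IpubC`, `Iret` and `DURATION` that this file presumably still carries above the hunk become unused; if the file shares the new csk module's `# pylint: disable=redefined-outer-name,unused-import` header, lint will not report them, so they should be dropped by hand in this commit. The remaining hunks in this file (steps 1 to 6) are the matching identifier renames and raise nothing further.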
@@ -79,19 +74,19 @@ def test_algoroll_ksk_zsk_reconfig_step2(servers, alg, size): # The RSASHA keys are outroducing, but need to stay present # until the new algorithm chain of trust has been established. # Thus the expected key states of these keys stay the same. - f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFVAL}", - f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFVAL}", + f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}", + f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}", # The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is # omnipresent, but the zone signatures are not. - f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{OFFSETS['step2']}", - f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{OFFSETS['step2']}", + f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFSETS['step2']}", + f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{ALGOROLL_OFFSETS['step2']}", ], # Next key event is when all zone signatures are signed with the new # algorithm. This is the max-zone-ttl plus zone propagation delay. But # the publication interval has already passed. Also, prevent intermittent # false positives on slow platforms by subtracting the time passed between # key creation and invoking 'rndc reconfig'. - "nextev": IPUBC - IPUB - TIME_PASSED, + "nextev": ALGOROLL_IPUBC - ALGOROLL_IPUB - TIME_PASSED, } isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) 
@@ -102,14 +97,14 @@ def test_algoroll_ksk_zsk_reconfig_step3(servers, alg, size): "cdss": CDSS, "keyprops": [ # The DS can be swapped. - f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{OFFVAL}", - f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFVAL}", - f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{OFFSETS['step3']}", - f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3']}", + f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{ALGOROLL_OFFVAL}", + f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}", + f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{ALGOROLL_OFFSETS['step3']}", + f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step3']}", ], # Next key event is when the DS becomes OMNIPRESENT. This happens # after the retire interval. - "nextev": IRETKSK - TIME_PASSED, + "nextev": ALGOROLL_IRETKSK - TIME_PASSED, } isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) 
@@ -120,14 +115,14 @@ def test_algoroll_ksk_zsk_reconfig_step4(servers, alg, size): "cdss": CDSS, "keyprops": [ # The old DS is HIDDEN, we can remove the old algorithm records. - f"ksk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{OFFVAL}", - f"zsk 0 8 2048 goal:hidden dnskey:unretentive zrrsig:unretentive offset:{OFFVAL}", - f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4']}", - f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4']}", + f"ksk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}", + f"zsk 0 8 2048 goal:hidden dnskey:unretentive zrrsig:unretentive offset:{ALGOROLL_OFFVAL}", + f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}", + f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step4']}", ], # Next key event is when the old DNSKEY becomes HIDDEN. # This happens after the DNSKEY TTL plus zone propagation delay. - "nextev": KEYTTLPROP, + "nextev": ALGOROLL_KEYTTLPROP, } isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) 
@@ -138,10 +133,10 @@ def test_algoroll_ksk_zsk_reconfig_step5(servers, alg, size): "cdss": CDSS, "keyprops": [ # The DNSKEY becomes HIDDEN. - f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{OFFVAL}", - f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:unretentive offset:{OFFVAL}", - f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5']}", - f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step5']}", + f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}", + f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:unretentive offset:{ALGOROLL_OFFVAL}", + f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step5']}", + f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step5']}", ], # Next key event is when the RSASHA signatures become HIDDEN. # This happens after the max-zone-ttl plus zone propagation delay @@ -149,7 +144,7 @@ def test_algoroll_ksk_zsk_reconfig_step5(servers, alg, size): # been reached. Prevent intermittent false positives on slow # platforms by subtracting the number of seconds which passed # between key creation and invoking 'rndc reconfig'. - "nextev": IRET - IRETKSK - KEYTTLPROP - TIME_PASSED, + "nextev": ALGOROLL_IRET - ALGOROLL_IRETKSK - ALGOROLL_KEYTTLPROP - TIME_PASSED, } isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step) 
@@ -160,10 +155,10 @@ def test_algoroll_ksk_zsk_reconfig_step6(servers, alg, size): "cdss": CDSS, "keyprops": [ # The zone signatures are now HIDDEN. - f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{OFFVAL}", - f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:hidden offset:{OFFVAL}", - f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6']}", - f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6']}", + f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}", + f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:hidden offset:{ALGOROLL_OFFVAL}", + f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step6']}", + f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step6']}", ], # Next key event is never since we established the policy and the # keys have an unlimited lifetime. Fallback to the default diff --git a/bin/tests/system/rollover/common.py b/bin/tests/system/rollover/common.py index d2d75dcce5a..a597b8d49f1 100644 --- a/bin/tests/system/rollover/common.py +++ b/bin/tests/system/rollover/common.py @@ -14,6 +14,8 @@ import os import pytest +from isctest.kasp import Ipub, IpubC, Iret + pytestmark = pytest.mark.extra_artifacts( [ "*.axfr*", 
@@ -84,6 +86,26 @@ ALGOROLL_CONFIG = { "signatures-validity": TIMEDELTA["P30D"], "zone-propagation-delay": TIMEDELTA["PT1H"], } +ALGOROLL_IPUB = Ipub(ALGOROLL_CONFIG) +ALGOROLL_IPUBC = IpubC(ALGOROLL_CONFIG, rollover=False) +ALGOROLL_IRET = Iret(ALGOROLL_CONFIG, rollover=False) +ALGOROLL_IRETKSK = Iret(ALGOROLL_CONFIG, zsk=False, ksk=True, rollover=False) +ALGOROLL_KEYTTLPROP = ( + ALGOROLL_CONFIG["dnskey-ttl"] + ALGOROLL_CONFIG["zone-propagation-delay"] +) +ALGOROLL_OFFSETS = {} +ALGOROLL_OFFSETS["step2"] = -int(ALGOROLL_IPUB.total_seconds()) +ALGOROLL_OFFSETS["step3"] = -int(ALGOROLL_IRET.total_seconds()) +ALGOROLL_OFFSETS["step4"] = ALGOROLL_OFFSETS["step3"] - int( + ALGOROLL_IRETKSK.total_seconds() +) +ALGOROLL_OFFSETS["step5"] = ALGOROLL_OFFSETS["step4"] - int( + ALGOROLL_KEYTTLPROP.total_seconds() +) +ALGOROLL_OFFSETS["step6"] = ALGOROLL_OFFSETS["step5"] - int( + ALGOROLL_IRET.total_seconds() +) +ALGOROLL_OFFVAL = -DURATION["P7D"] @pytest.fixture diff --git a/bin/tests/system/rollover/ns6/kasp.conf.j2 b/bin/tests/system/rollover/ns6/kasp.conf.j2 deleted file mode 100644 index bb00e853112..00000000000 --- a/bin/tests/system/rollover/ns6/kasp.conf.j2 +++ /dev/null 
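Review bot: `ALGOROLL_OFFSETS` is assembled by five item assignments onto an empty dict, which hides that each step's offset is the previous one minus one further interval, and the result stays a mutable module global shared by every test module that imports `common` through the symlinks this commit adds. Building it as a literal from the four interval lengths in seconds shows the derivation directly and gives a natural place for the comment the new constants currently lack. The values below are the same as the chained assignments produce, so the importing tests are unaffected.
```python
# … unchanged: ALGOROLL_IPUB, ALGOROLL_IPUBC, ALGOROLL_IRET, ALGOROLL_IRETKSK, ALGOROLL_KEYTTLPROP …
_IPUB_SECS = int(ALGOROLL_IPUB.total_seconds())
_IRET_SECS = int(ALGOROLL_IRET.total_seconds())
_IRETKSK_SECS = int(ALGOROLL_IRETKSK.total_seconds())
_KEYTTLPROP_SECS = int(ALGOROLL_KEYTTLPROP.total_seconds())
# Negative `offset:` values (seconds) expected for the new-algorithm key at
# each rollover step; every step subtracts the interval that separates it
# from the previous step.
ALGOROLL_OFFSETS = {
    "step2": -_IPUB_SECS,
    "step3": -_IRET_SECS,
    "step4": -_IRET_SECS - _IRETKSK_SECS,
    "step5": -_IRET_SECS - _IRETKSK_SECS - _KEYTTLPROP_SECS,
    "step6": -_IRET_SECS - _IRETKSK_SECS - _KEYTTLPROP_SECS - _IRET_SECS,
}
ALGOROLL_OFFVAL = -DURATION["P7D"]
```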
@@ -1,80 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -dnssec-policy "unsigning" { - dnskey-ttl 7200; - - keys { - ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@; - }; -}; - -dnssec-policy "rsasha256" { - signatures-refresh P5D; - signatures-validity 30d; - signatures-validity-dnskey 30d; - - keys { - ksk lifetime unlimited algorithm rsasha256; - zsk lifetime unlimited algorithm rsasha256; - }; - - dnskey-ttl 1h; - publish-safety PT1H; - retire-safety 2h; - zone-propagation-delay 3600; - max-zone-ttl 6h; - parent-propagation-delay pt1h; - parent-ds-ttl 7200; -}; - -dnssec-policy "ecdsa256" { - signatures-refresh P5D; - signatures-validity 30d; - signatures-validity-dnskey 30d; - - keys { - ksk lifetime unlimited algorithm ecdsa256; - zsk lifetime unlimited algorithm ecdsa256; - }; - - dnskey-ttl 1h; - publish-safety PT1H; - retire-safety 2h; - zone-propagation-delay 3600; - max-zone-ttl 6h; - parent-propagation-delay pt1h; - parent-ds-ttl 7200; -}; - -{% if RSASHA1_SUPPORTED == "1" %} -dnssec-policy "rsasha1" { - signatures-refresh P5D; - signatures-validity 30d; - signatures-validity-dnskey 30d; - - keys { - ksk lifetime unlimited algorithm rsasha1; - zsk lifetime unlimited algorithm rsasha1; - }; - - dnskey-ttl 1h; - publish-safety PT1H; - retire-safety 2h; - zone-propagation-delay 3600; - max-zone-ttl 6h; - parent-propagation-delay pt1h; - parent-ds-ttl 7200; -}; -{% endif %} 
diff --git a/bin/tests/system/rollover/ns6/named.common.conf.j2 b/bin/tests/system/rollover/ns6/named.common.conf.j2 deleted file mode 100644 index 9299c978461..00000000000 --- a/bin/tests/system/rollover/ns6/named.common.conf.j2 +++ /dev/null @@ -1,35 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - query-source address 10.53.0.6; - notify-source 10.53.0.6; - transfer-source 10.53.0.6; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.6; }; - listen-on-v6 { none; }; - allow-transfer { any; }; - recursion no; - key-directory "."; - dnssec-validation no; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm @DEFAULT_HMAC@; -}; - -controls { - inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; diff --git a/bin/tests/system/rollover/ns6/template.db.in b/bin/tests/system/rollover/ns6/template.db.in deleted file mode 100644 index f1d8b94e5a6..00000000000 --- a/bin/tests/system/rollover/ns6/template.db.in +++ /dev/null 
@@ -1,27 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 -@ IN SOA mname1. . ( - 1 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - - NS ns6 -ns6 A 10.53.0.6 - -a A 10.0.0.1 -b A 10.0.0.2 -c A 10.0.0.3 - diff --git a/bin/tests/system/rollover/setup.sh b/bin/tests/system/rollover/setup.sh index 56a89798556..c72052cf48b 100644 --- a/bin/tests/system/rollover/setup.sh +++ b/bin/tests/system/rollover/setup.sh @@ -20,7 +20,3 @@ set -e cd ns3 $SHELL setup.sh ) -( - cd ns6 - $SHELL setup.sh -) diff --git a/bin/tests/system/rollover/tests_rollover.py b/bin/tests/system/rollover/tests_rollover.py index 5b9c4398051..100e8121cfb 100644 --- a/bin/tests/system/rollover/tests_rollover.py +++ b/bin/tests/system/rollover/tests_rollover.py 
@@ -1122,183 +1122,3 @@ def test_rollover_csk_roll2(servers): for step in steps: isctest.kasp.check_rollover_step(server, config, policy, step) - - -def test_rollover_policy_changes(servers, templates): - server = servers["ns6"] - cdss = ["CDNSKEY", "CDS (SHA-256)"] - alg = os.environ["DEFAULT_ALGORITHM_NUMBER"] - size = os.environ["DEFAULT_BITS"] - - default_config = { - "dnskey-ttl": timedelta(hours=1), - "ds-ttl": timedelta(days=1), - "max-zone-ttl": timedelta(days=1), - "parent-propagation-delay": timedelta(hours=1), - "publish-safety": timedelta(hours=1), - "purge-keys": timedelta(days=90), - "retire-safety": timedelta(hours=1), - "signatures-refresh": timedelta(days=5), - "signatures-validity": timedelta(days=14), - "zone-propagation-delay": timedelta(seconds=300), - } - - unsigning_config = default_config.copy() - unsigning_config["dnskey-ttl"] = timedelta(seconds=7200) - - algoroll_config = { - "dnskey-ttl": timedelta(hours=1), - "ds-ttl": timedelta(seconds=7200), - "max-zone-ttl": timedelta(hours=6), - "parent-propagation-delay": timedelta(hours=1), - "publish-safety": timedelta(hours=1), - "purge-keys": timedelta(days=90), - "retire-safety": timedelta(hours=2), - "signatures-refresh": timedelta(days=5), - "signatures-validity": timedelta(days=30), - "zone-propagation-delay": timedelta(seconds=3600), - } - - start_time = KeyTimingMetadata.now() - - # Test algorithm rollover (CSK). 
- isctest.log.info("check algorithm rollover csk") - step = { - "zone": "step1.csk-algorithm-roll.kasp", - "cdss": cdss, - "config": algoroll_config, - "policy": "csk-algoroll", - "keyprops": [ - f"csk 0 8 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}", - ], - "nextev": timedelta(hours=1), - } - steps.append(step) - - for step in steps: - isctest.kasp.check_rollover_step(server, step["config"], step["policy"], step) - - # Reconfigure, changing DNSSEC policies and other configuration options, - # triggering algorithm rollovers and other dnssec-policy changes. - templates.render("ns6/named.conf", {"csk_roll": True}) - server.rndc("reconfig") - # Calculate time passed to correctly check for next key events. - now = KeyTimingMetadata.now() - time_passed = now.value - start_time.value - - # Test algorithm rollover (CSK) (after reconfig). - isctest.log.info("check algorithm rollover csk (after reconfig)") - offsets = {} - offsets["step2"] = -int(ipub.total_seconds()) - offsets["step3"] = -int(iret.total_seconds()) - offsets["step4"] = offsets["step3"] - int(iretKSK.total_seconds()) - offsets["step5"] = offsets["step4"] - int(keyttlprop.total_seconds()) - offsets["step6"] = offsets["step5"] - int(iret.total_seconds()) - algo_steps = [ - { - # Step 1. - "zone": "step1.csk-algorithm-roll.kasp", - "cdss": cdss, - "config": algoroll_config, - "policy": "csk-algoroll", - "keyprops": [ - # The RSASHA keys are outroducing. - f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}", - # The ECDSAP256SHA256 keys are introducing. - f"csk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden", - ], - # Next key event is when the ecdsa256 keys have been propagated. - "nextev": ipub, - }, - { - # Step 2. 
- "zone": "step2.csk-algorithm-roll.kasp", - "cdss": cdss, - "config": algoroll_config, - "policy": "csk-algoroll", - "keyprops": [ - # The RSASHA keys are outroducing, but need to stay present - # until the new algorithm chain of trust has been established. - # Thus the expected key states of these keys stay the same. - f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}", - # The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is - # omnipresent, but the zone signatures are not. - f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{offsets['step2']}", - ], - # Next key event is when all zone signatures are signed with the - # new algorithm. This is the child publication interval, minus - # the publication interval has already passed. Also, prevent - # intermittent false positives on slow platforms by subtracting - # the time passed between key creation and invoking 'rndc reconfig'. - "nextev": ipubc - ipub - time_passed, - }, - { - # Step 3. - "zone": "step3.csk-algorithm-roll.kasp", - "cdss": cdss, - "config": algoroll_config, - "policy": "csk-algoroll", - "keyprops": [ - # The DS can be swapped. - f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:unretentive offset:{offval}", - f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{offsets['step3']}", - ], - # Next key event is when the DS becomes OMNIPRESENT. This happens - # after the publication interval of the parent side. - "nextev": iretKSK - time_passed, - }, - { - # Step 4. - "zone": "step4.csk-algorithm-roll.kasp", - "cdss": cdss, - "config": algoroll_config, - "policy": "csk-algoroll", - "keyprops": [ - # The old DS is HIDDEN, we can remove the old algorithm records. 
- f"csk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:unretentive ds:hidden offset:{offval}", - f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step4']}", - ], - # Next key event is when the old DNSKEY becomes HIDDEN. - # This happens after the DNSKEY TTL plus zone propagation delay. - "nextev": keyttlprop, - }, - { - # Step 5. - "zone": "step5.csk-algorithm-roll.kasp", - "cdss": cdss, - "config": algoroll_config, - "policy": "csk-algoroll", - "keyprops": [ - # The DNSKEY becomes HIDDEN. - f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:unretentive ds:hidden offset:{offval}", - f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step5']}", - ], - # Next key event is when the RSASHA signatures become HIDDEN. - # This happens after the max-zone-ttl plus zone propagation delay - # minus the time already passed since the UNRETENTIVE state has - # been reached. Prevent intermittent false positives on slow - # platforms by subtracting the number of seconds which passed - # between key creation and invoking 'rndc reconfig'. - "nextev": iret - iretKSK - keyttlprop - time_passed, - }, - { - # Step 6. - "zone": "step6.csk-algorithm-roll.kasp", - "cdss": cdss, - "config": algoroll_config, - "policy": "csk-algoroll", - "keyprops": [ - # The zone signatures are now HIDDEN. - f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{offval}", - f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step6']}", - ], - # Next key event is never since we established the policy and the - # keys have an unlimited lifetime. Fallback to the default - # loadkeys interval. 
- "nextev": timedelta(hours=1), - }, - ] - steps = steps + algo_steps - - for step in steps: - isctest.kasp.check_rollover_step(server, step["config"], step["policy"], step)