Test updating dnssec-policy key lifetime
authorMatthijs Mekking <matthijs@isc.org>
Mon, 24 Jun 2024 09:18:40 +0000 (11:18 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Tue, 30 Jul 2024 08:57:14 +0000 (10:57 +0200)
Check if the key lifetime is updated in the key files. Make sure the
inactive and removed timing metadata are adjusted accordingly.

bin/tests/system/kasp/ns6/named.conf.in
bin/tests/system/kasp/ns6/named2.conf.in
bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
bin/tests/system/kasp/ns6/setup.sh
bin/tests/system/kasp/tests.sh

index dfb2433c7364898d991d62fcec449cbe3b34c2bf..b8d36dc6e42298cdb4430868ddd704c026a9ab9d 100644 (file)
@@ -99,3 +99,27 @@ zone example {
        file "example.db";
        dnssec-policy modified;
 };
+
+zone longer-lifetime {
+       type primary;
+       file "longer-lifetime.db";
+       dnssec-policy short-lifetime;
+};
+
+zone shorter-lifetime {
+       type primary;
+       file "shorter-lifetime.db";
+       dnssec-policy long-lifetime;
+};
+
+zone limit-lifetime {
+       type primary;
+       file "limit-lifetime.db";
+       dnssec-policy unlimited-lifetime;
+};
+
+zone unlimit-lifetime {
+       type primary;
+       file "unlimit-lifetime.db";
+       dnssec-policy short-lifetime;
+};
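Review bot: The four new zones encode a policy transition in their names (the `longer-lifetime` zone starts on `short-lifetime` here and moves to `long-lifetime` in named2.conf.in), but nothing in the file says that the second config is the post-reconfigure state, so a reader of either file alone cannot tell which side of the change they are looking at. A one-line comment above the block would make the intent explicit, e.g. `// Zones for testing dnssec-policy key lifetime changes; named2.conf.in switches each zone to the other policy.` The same comment, worded for the "after" side, applies to the matching hunk in named2.conf.in.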
index be35286369421e753636e3ed59a624f671bd6d19..0c9d6b0a89aa83913caf594eecae45db74036994 100644 (file)
@@ -177,3 +177,27 @@ zone example {
        file "example.db";
        dnssec-policy modified;
 };
+
+zone longer-lifetime {
+       type primary;
+       file "longer-lifetime.db";
+       dnssec-policy long-lifetime;
+};
+
+zone shorter-lifetime {
+       type primary;
+       file "shorter-lifetime.db";
+       dnssec-policy short-lifetime;
+};
+
+zone limit-lifetime {
+       type primary;
+       file "limit-lifetime.db";
+       dnssec-policy short-lifetime;
+};
+
+zone unlimit-lifetime {
+       type primary;
+       file "unlimit-lifetime.db";
+       dnssec-policy unlimited-lifetime;
+};
index dc234d0c21bd835d5da81625e9cb526d3333bd01..51c4d88488975e18a44d48acde799b049b0955d6 100644 (file)
@@ -30,6 +30,23 @@ dnssec-policy "modified" {
        };
 };
 
+dnssec-policy "unlimited-lifetime" {
+       keys {
+               csk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+       };
+};
+dnssec-policy "short-lifetime" {
+       keys {
+               csk lifetime P6M algorithm @DEFAULT_ALGORITHM@;
+       };
+};
+
+dnssec-policy "long-lifetime" {
+       keys {
+               csk lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
+       };
+};
+
 dnssec-policy "rsasha256" {
        signatures-refresh P5D;
        signatures-validity 30d;
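Review bot: The `unlimited-lifetime` policy closes and `short-lifetime` opens on consecutive lines, while every other policy in this file (including the two new ones that follow) is separated by a blank line; this is a style inconsistency in the added block. Inserting a blank line after the first `};` keeps the three new policies visually consistent with `long-lifetime` and `rsasha256`. A short comment naming what the trio is for would also help, e.g. `// Policies used by the key lifetime update test (tests.sh: check_key_lifetime).`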
index e0ce46040fbe853fe87e7f42f4d74b8070285789..312a70518b87f6e341342f0c1821c2f55504a60c 100644 (file)
@@ -29,6 +29,11 @@ R="RUMOURED"
 O="OMNIPRESENT"
 U="UNRETENTIVE"
 
+for zn in shorter-lifetime longer-lifetime limit-lifetime unlimit-lifetime; do
+  setup $zn
+  cp template.db.in $zonefile
+done
+
 # The child zones (step1, step2) beneath these zones represent the various
 # steps of unsigning a zone.
 for zn in going-insecure.kasp going-insecure-dynamic.kasp; do
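Review bot: Both expansions in the new loop are unquoted, so `setup $zn` and `cp template.db.in $zonefile` would word-split if a zone name or the path `setup` assigns to `$zonefile` ever contained whitespace or glob characters; the fix is `setup "$zn"` and `cp template.db.in "$zonefile"`. `$zonefile` appears to be set as a side effect of `setup`, which is defined outside this hunk, so a one-line comment such as `# setup() sets $zonefile for the zone just configured.` would save the next reader a lookup. The loop also lacks the explanatory comment that the neighbouring going-insecure loop has; `# Zones used to test dnssec-policy key lifetime changes.` would match that style.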
index c95c607a5fa577f3f91a753bdf7bc305a4d1c8c9..2131d8cc5401f9d8f9d6dfedeaa7f813ac95597f 100644 (file)
@@ -3793,6 +3793,65 @@ check_apex
 check_subdomain
 dnssec_verify
 
+# Test key lifetime changes
+set_keytimes_lifetime_update() {
+  if [ $1 -eq 0 ]; then
+    set_keytime "KEY1" "RETIRED" "none"
+    set_keytime "KEY1" "REMOVED" "none"
+  else
+    active=$(key_get KEY1 ACTIVE)
+    set_addkeytime "KEY1" "RETIRED" "${active}" $1
+    # The key is removed after the retire time plus max-zone-ttl (1d),
+    # sign delay (9d), zone propagation delay (5m), retire safety (1h) =
+    # 777600 + 86400 + 300 + 3600 = 867900
+    retired=$(key_get KEY1 RETIRED)
+    set_addkeytime "KEY1" "REMOVED" "${retired}" 867900
+  fi
+}
+
+check_key_lifetime() {
+  zone=$1
+  policy=$2
+  lifetime=$3
+
+  set_zone "$zone"
+  set_policy "$policy" "1" "3600"
+  set_server "ns6" "10.53.0.6"
+  # Key properties.
+  key_clear "KEY1"
+  set_keyrole "KEY1" "csk"
+  set_keylifetime "KEY1" "$lifetime"
+  set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+  set_keysigning "KEY1" "yes"
+  set_zonesigning "KEY1" "yes"
+  key_clear "KEY2"
+  key_clear "KEY3"
+  key_clear "KEY4"
+
+  # The CSK is rumoured.
+  set_keystate "KEY1" "GOAL" "omnipresent"
+  set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+  set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+  set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+  set_keystate "KEY1" "STATE_DS" "hidden"
+  check_keys
+
+  # Key timings.
+  set_keytimes_csk_policy
+  set_keytimes_lifetime_update $lifetime
+
+  # Variuous checks.
+  check_keytimes
+  check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+  check_apex
+  check_subdomain
+  dnssec_verify
+}
+check_key_lifetime "shorter-lifetime" "long-lifetime" "31536000"
+check_key_lifetime "longer-lifetime" "short-lifetime" "16070400"
+check_key_lifetime "limit-lifetime" "unlimited-lifetime" "0"
+check_key_lifetime "unlimit-lifetime" "short-lifetime" "16070400"
+
 #
 # Testing algorithm rollover.
 #
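Review bot: `check_key_lifetime` hard-codes `set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"`, while the three policies it checks are declared with `csk lifetime ... algorithm @DEFAULT_ALGORITHM@` in kasp-fips.conf.in; if the harness lets the default algorithm vary between builds, the expected key metadata will no longer match the key files, so the check should presumably use the same `$DEFAULT_ALGORITHM`-derived variables the rest of the test uses instead of literal values. In `set_keytimes_lifetime_update` the test `[ $1 -eq 0 ]` breaks with a syntax error rather than a clear failure if the lifetime argument is empty; `[ "$1" -eq 0 ]` and `set_keytimes_lifetime_update "$lifetime"` at the call site avoid that. The comment on the removal delay lists max-zone-ttl (1d) first but the arithmetic starts with 777600 (the 9d sign delay); reordering the list to match the sum, `sign delay (9d), max-zone-ttl (1d), zone propagation delay (5m), retire safety (1h)`, removes the ambiguity, and `# Variuous checks.` has a typo (`# Various checks.`).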
@@ -4126,6 +4185,12 @@ check_apex
 check_subdomain
 dnssec_verify
 
+# Test key lifetime updates.
+check_key_lifetime "shorter-lifetime" "short-lifetime" "16070400"
+check_key_lifetime "longer-lifetime" "long-lifetime" "31536000"
+check_key_lifetime "limit-lifetime" "short-lifetime" "16070400"
+check_key_lifetime "unlimit-lifetime" "unlimited-lifetime" "0"
+
 #
 # Testing going insecure.
 #