CDS_DELETE="no"
CDS_SHA256="yes"
CDS_SHA384="no"
+ CDNSKEY="yes"
}
# By default policies are considered to be secure.
# If a zone sets its policy to "insecure", call 'set_cdsdelete' to tell the
check_cds_digests() {
if [ "$CDS_SHA256" = "yes" ]; then
- response_has_cds_for_key 2 $1 $2 || _log_error "missing CDS 2 record in response for key $(key_get $1 ID)"
+ response_has_cds_for_key 2 $1 "${2}.cds" || _log_error "missing CDS 2 record in response for key $(key_get $1 ID)"
else
- response_has_cds_for_key 2 $1 $2 && _log_error "unexpected CDS 2 record in response for key $(key_get $1 ID)"
+ response_has_cds_for_key 2 $1 "${2}.cds" && _log_error "unexpected CDS 2 record in response for key $(key_get $1 ID)"
fi
if [ "$CDS_SHA384" = "yes" ]; then
- response_has_cds_for_key 4 $1 $2 || _log_error "missing CDS 4 record in response for key $(key_get $1 ID)"
+ response_has_cds_for_key 4 $1 "${2}.cds" || _log_error "missing CDS 4 record in response for key $(key_get $1 ID)"
else
- response_has_cds_for_key 4 $1 $2 && _log_error "unexpected CDS 4 record in response for key $(key_get $1 ID)"
+ response_has_cds_for_key 4 $1 "${2}.cds" && _log_error "unexpected CDS 4 record in response for key $(key_get $1 ID)"
+ fi
+
+ if [ "$CDNSKEY" = "yes" ]; then
+ response_has_cdnskey_for_key $1 "${2}.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get $1 ID)"
+ else
+ response_has_cdnskey_for_key $1 "${2}.cdnskey" && _log_error "unexpected CDNSKEY record in response for key $(key_get $1 ID)"
fi
}
check_cds_digests_invert() {
- response_has_cds_for_key 2 $1 $2 && _log_error "unexpected CDS 2 record in response for key $(key_get $1 ID)"
- response_has_cds_for_key 4 $1 $2 && _log_error "unexpected CDS 4 record in response for key $(key_get $1 ID)"
+ response_has_cds_for_key 2 $1 "${2}.cds" && _log_error "unexpected CDS 2 record in response for key $(key_get $1 ID)"
+ response_has_cds_for_key 4 $1 "${2}.cds" && _log_error "unexpected CDS 4 record in response for key $(key_get $1 ID)"
+ # The key should not have an associated CDNSKEY, but there may be
+ # one for another key. Since the CDNSKEY has no field for key
+ # id, it is hard to check what key the CDNSKEY may belong to
+ # so let's skip this check for now.
}
# Test CDS and CDNSKEY publication.
fi
if [ "$(key_get KEY1 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DS)" = "omnipresent" ]; then
- check_cds_digests KEY1 "dig.out.$DIR.test$n.cds"
- response_has_cdnskey_for_key KEY1 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY1 ID)"
+ check_cds_digests KEY1 "dig.out.$DIR.test$n"
_checksig=1
elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
- check_cds_digests_invert KEY1 "dig.out.$DIR.test$n.cds"
- # KEY1 should not have an associated CDNSKEY, but there may be
- # one for another key. Since the CDNSKEY has no field for key
- # id, it is hard to check what key the CDNSKEY may belong to
- # so let's skip this check for now.
+ check_cds_digests_invert KEY1 "dig.out.$DIR.test$n"
fi
if [ "$(key_get KEY2 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DS)" = "omnipresent" ]; then
- check_cds_digests KEY2 "dig.out.$DIR.test$n.cds"
- response_has_cdnskey_for_key KEY2 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY2 ID)"
+ check_cds_digests KEY2 "dig.out.$DIR.test$n"
_checksig=1
elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
- check_cds_digests_invert KEY2 "dig.out.$DIR.test$n.cds"
- # KEY2 should not have an associated CDNSKEY, but there may be
- # one for another key. Since the CDNSKEY has no field for key
- # id, it is hard to check what key the CDNSKEY may belong to
- # so let's skip this check for now.
+ check_cds_digests_invert KEY2 "dig.out.$DIR.test$n"
fi
if [ "$(key_get KEY3 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DS)" = "omnipresent" ]; then
- check_cds_digests KEY3 "dig.out.$DIR.test$n.cds"
- response_has_cdnskey_for_key KEY3 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY3 ID)"
+ check_cds_digests KEY3 "dig.out.$DIR.test$n"
_checksig=1
elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
- check_cds_digests_invert KEY3 "dig.out.$DIR.test$n.cds"
- # KEY3 should not have an associated CDNSKEY, but there may be
- # one for another key. Since the CDNSKEY has no field for key
- # id, it is hard to check what key the CDNSKEY may belong to
- # so let's skip this check for now.
+ check_cds_digests_invert KEY3 "dig.out.$DIR.test$n"
fi
if [ "$(key_get KEY4 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DS)" = "omnipresent" ]; then
- check_cds_digests KEY4 "dig.out.$DIR.test$n.cds"
- response_has_cdnskey_for_key KEY4 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY4 ID)"
+ check_cds_digests KEY4 "dig.out.$DIR.test$n"
_checksig=1
elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
- check_cds_digests_invert KEY4 "dig.out.$DIR.test$n.cds"
- # KEY4 should not have an associated CDNSKEY, but there may be
- # one for another key. Since the CDNSKEY has no field for key
- # id, it is hard to check what key the CDNSKEY may belong to
- # so let's skip this check for now.
+ check_cds_digests_invert KEY4 "dig.out.$DIR.test$n"
fi
test "$_checksig" -eq 0 || check_signatures "CDS" "dig.out.$DIR.test$n.cds" "KSK"
- test "$_checksig" -eq 0 || check_signatures "CDNSKEY" "dig.out.$DIR.test$n.cdnskey" "KSK"
+
+ if [ "$CDNSKEY" = "yes" ]; then
+ test "$_checksig" -eq 0 || check_signatures "CDNSKEY" "dig.out.$DIR.test$n.cdnskey" "KSK"
+ fi
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
if [ "$CDS_SHA384" = "yes" ]; then
grep "CDS (SHA-384) for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
fi
- grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+ if [ "$CDNSKEY" = "yes" ]; then
+ grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+ fi
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
# Step 2:
# It is time to submit the introduce the new KSK.
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
# Step 3:
# It is time to submit the DS.
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
# Step 4:
# The DS should be swapped now.
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
# Step 5:
# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
# Step 6:
# The predecessor DNSKEY can be purged.
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
#
# The zones at csk-roll.autosign represent the various steps of a CSK rollover
#
set_zone "step1.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "2" "7200"
+CDNSKEY="no"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
#
set_zone "step2.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "3" "7200"
+CDNSKEY="no"
set_server "ns3" "10.53.0.3"
# New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
key_clear "KEY3"
#
set_zone "step3.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "3" "7200"
+CDNSKEY="no"
set_server "ns3" "10.53.0.3"
# The DNSKEY RRset has become omnipresent.
#
set_zone "step4.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "3" "7200"
+CDNSKEY="no"
set_server "ns3" "10.53.0.3"
# KSK (KEY1) DNSKEY can be removed.
set_keysigning "KEY1" "no"
#
set_zone "step5.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "3" "7200"
+CDNSKEY="no"
set_server "ns3" "10.53.0.3"
# KSK (KEY1) DNSKEY is now HIDDEN.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
#
set_zone "step6.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "2" "7200"
+CDNSKEY="no"
set_server "ns3" "10.53.0.3"
# KSK (KEY1) DNSKEY is purged.
key_clear "KEY1"
projects / thirdparty / bind9.git / commitdiff
