From: Matthijs Mekking Date: Wed, 4 Sep 2024 13:57:55 +0000 (+0200) Subject: Add KSK roll test case X-Git-Tag: v9.21.3~49^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=8cf5f972f4e92b732d34a7715a789c64cdf997e4;p=thirdparty%2Fbind9.git Add KSK roll test case Add a test case for Offline KSK where during the lifespan of the Signed Key Response a KSK rollover happens. Ensure that the correct DNSKEY, CDNSKEY, and CDS records are published at the right times.
---
diff --git a/bin/tests/system/ksr/ns1/named.conf.in b/bin/tests/system/ksr/ns1/named.conf.in
index 75710b42dc6..72830693215 100644
--- a/bin/tests/system/ksr/ns1/named.conf.in
+++ b/bin/tests/system/ksr/ns1/named.conf.in
@@ -85,3 +85,11 @@ dnssec-policy "two-tone" {
 zsk lifetime P3M algorithm @DEFAULT_ALGORITHM@;
 };
 };
+
+dnssec-policy "ksk-roll" {
+ offline-ksk yes;
+ keys {
+ ksk lifetime P6M algorithm @DEFAULT_ALGORITHM@;
+ zsk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
diff --git a/bin/tests/system/ksr/ns1/setup.sh b/bin/tests/system/ksr/ns1/setup.sh
index a04b01a23e8..2179ab251d3 100644
--- a/bin/tests/system/ksr/ns1/setup.sh
+++ b/bin/tests/system/ksr/ns1/setup.sh
@@ -26,3 +26,4 @@ cp template.db.in last-bundle.test.db
 cp template.db.in in-the-middle.test.db
 cp template.db.in unlimited.test.db
 cp template.db.in two-tone.test.db
+cp template.db.in ksk-roll.test.db
diff --git a/bin/tests/system/ksr/tests_ksr.py b/bin/tests/system/ksr/tests_ksr.py
index 3c9f4ee85e1..8fcdbdb7d85 100644
--- a/bin/tests/system/ksr/tests_ksr.py
+++ b/bin/tests/system/ksr/tests_ksr.py
@@ -1103,3 +1103,77 @@ def test_ksr_twotone(servers):
 isctest.kasp.check_apex(ns1, zone, ksks, zsks)
 # - check subdomain
 isctest.kasp.check_subdomain(ns1, zone, ksks, zsks)
+
+
+def test_ksr_kskroll(servers):
+ zone = "ksk-roll.test"
+ policy = "ksk-roll"
+ n = 1
+
+ # create ksk
+ kskdir = "ns1/offline"
+ out, _ = ksr(zone, policy, "keygen", options=f"-K {kskdir} -i now -e +1y -o")
+ ksks = keystr_to_keylist(out, kskdir)
+ assert len(ksks) == 2
+
+ lifetime = timedelta(days=31 * 6)
+ check_keys(ksks, lifetime)
+
+ # check that 'dnssec-ksr keygen' pregenerates right amount of keys
+ zskdir = "ns1"
+ out, _ = ksr(zone, policy, "keygen", options=f"-K {zskdir} -i now -e +1y")
+ zsks = keystr_to_keylist(out, zskdir)
+ assert len(zsks) == 1
+
+ check_keys(zsks, None)
+
+ # check that 'dnssec-ksr request' creates correct ksr
+ now = zsks[0].get_timing("Created")
+ until = now + timedelta(days=365)
+ out, _ = ksr(zone, policy, "request", options=f"-K {zskdir} -i {now} -e +1y")
+
+ fname = f"{zone}.ksr.{n}"
+ with open(fname, "w", encoding="utf-8") as file:
+ file.write(out)
+
+ check_keysigningrequest(out, zsks, now, until)
+
+ # check that 'dnssec-ksr sign' creates correct skr
+ out, _ = ksr(
+ zone, policy, "sign", options=f"-K {kskdir} -f {fname} -i {now} -e +1y"
+ )
+
+ skrfile = f"{zone}.skr.{n}"
+ with open(skrfile, "w", encoding="utf-8") as file:
+ file.write(out)
+
+ refresh = -432000 # 5 days
+ check_signedkeyresponse(out, zone, ksks, zsks, now, until, refresh)
+
+ # add zone
+ ns1 = servers["ns1"]
+ ns1.rndc(
+ f"addzone {zone} "
+ + "{ type primary; file "
+ + f'"{zone}.db"; dnssec-policy {policy}; '
+ + "};",
+ log=False,
+ )
+
+ # import skr
+ shutil.copyfile(skrfile, f"ns1/{skrfile}")
+ ns1.rndc(f"skr -import {skrfile} {zone}", log=False)
+
+ # test zone is correctly signed
+ # - check rndc dnssec -status output
+ isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy)
+ # - zone is signed
+ isctest.kasp.check_zone_is_signed(ns1, zone)
+ # - dnssec_verify
+ isctest.kasp.check_dnssec_verify(ns1, zone)
+ # - check keys
+ check_keys(zsks, None, with_state=True)
+ # - check apex
+ isctest.kasp.check_apex(ns1, zone, ksks, zsks)
+ # - check subdomain
+ isctest.kasp.check_subdomain(ns1, zone, ksks, zsks)
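Review bot: The new test_ksr_kskroll inspects the live zone only once, at the start of the SKR period (`isctest.kasp.check_apex(ns1, zone, ksks, zsks)` at the end of the hunk), whereas the commit message promises that DNSKEY, CDNSKEY and CDS are correct "at the right times" across a KSK rollover; unless check_signedkeyresponse already walks every bundle of the one-year response, nothing here exercises the moment the second KSK (`assert len(ksks) == 2`) takes over, so a wrong CDS/CDNSKEY in the rollover bundles would pass this test. The test would also be easier to read with a docstring stating the scenario, e.g. `"""Offline KSK with a P6M KSK lifetime: one KSK rollover falls inside the 1y SKR; verify the keys, KSR, SKR and the signed zone."""`, and a comment on the expected count, e.g. `# P6M lifetime over a 1y period: the successor KSK is pregenerated as well`. The hunk's leading context lines belong to test_ksr_twotone, which starts outside the hunk; test_ksr_kskroll itself is complete within it.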