From: Matthijs Mekking Date: Thu, 30 Apr 2020 11:48:07 +0000 (+0200) Subject: Test keytimes on enable-dnssec case X-Git-Tag: v9.17.2~39^2~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cf51c87fadc7182a96b1b1d5870a7a2fc2a2513b;p=thirdparty%2Fbind9.git Test keytimes on enable-dnssec case This improves keytime testing for enabling DNSSEC. It now tests for specific times, and also tests for SyncPublish. --- diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index 9aec5642ec5..fc8ca76354b 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh @@ -183,8 +183,18 @@ cp template.db.in $zonefile # Step 2: # The DNSKEY has been published long enough to become OMNIPRESENT. setup step2.enable-dnssec.autosign +# DNSKEY TTL: 300 seconds +# zone-propagation-delay: 5 minutes (300 seconds) +# publish-safety: 5 minutes (300 seconds) +# Total: 900 seconds TpubN="now-900s" -keytimes="-P ${TpubN} -A ${TpubN}" +# RRSIG TTL: 12 hour (43200 seconds) +# zone-propagation-delay: 5 minutes (300 seconds) +# retire-safety: 20 minutes (1200 seconds) +# Already passed time: -900 seconds +# Total: 43800 seconds +TsbmN="now+43800s" +keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) $SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" @@ -194,11 +204,15 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Step 3: # The zone signatures have been published long enough to become OMNIPRESENT. setup step3.enable-dnssec.autosign +# Passed time since publications: 43800 + 900 = 44700 seconds. TpubN="now-44700s" -TactN="now-43800s" -keytimes="-P ${TpubN} -A ${TpubN}" +# The key is secure for using in chain of trust when the DNSKEY is OMNIPRESENT. +TcotN="now-43800s" +# We can submit the DS now. +TsbmN="now" +keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone 13 "$CSK" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 @@ -206,14 +220,20 @@ setup step3.enable-dnssec.autosign # Step 4: # The DS has been submitted long enough ago to become OMNIPRESENT. -# Add 27 hour plus retire safety of 20 minutes (98400 seconds) to the times. setup step4.enable-dnssec.autosign +# DS TTL: 1 day (86400 seconds) +# parent-registration-delay: 1 day (86400 seconds) +# parent-propagation-delay: 1 hour (3600 seconds) +# retire-safety: 20 minutes (1200 seconds) +# Total aditional time: 98400 seconds +# 44700 + 98400 = 143100 TpubN="now-143100s" -TactN="now-142200s" -TomnN="now-98400s" -keytimes="-P ${TpubN} -A ${TpubN}" +# 43800 + 98400 = 142200 +TcotN="now-142200s" +TsbmN="now-98400s" +keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $R $TomnN -z $O $TomnN "$CSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone 13 "$CSK" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index dd6ef564a80..ab1e5c58e65 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -2281,9 +2281,6 @@ set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" -# Key timings. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" # The DNSKEY and signatures are introduced first, the DS remains hidden. set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" @@ -2296,6 +2293,20 @@ key_clear "KEY3" key_clear "KEY4" check_keys + +# The first key is immediately published and activated. +created=$(key_get KEY1 CREATED) +set_keytime "KEY1" "PUBLISHED" "${created}" +set_keytime "KEY1" "ACTIVE" "${created}" +# The DS can be published if the DNSKEY and RRSIG records are +# OMNIPRESENT. This happens after max-zone-ttl (12h) plus +# publish-safety (5m) plus zone-propagation-delay (5m) = +# 43200 + 300 + 300 = 43800. +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 +# Key lifetime is unlimited, so not setting RETIRED and REMOVED. + +check_keytimes + check_apex check_subdomain dnssec_verify @@ -2339,6 +2350,15 @@ set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" check_keys + +# The key was published and activated 900 seconds ago (with settime). +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 + +check_keytimes + check_apex check_subdomain dnssec_verify @@ -2359,6 +2379,15 @@ set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" set_keystate "KEY1" "STATE_DS" "rumoured" check_keys + +# The key was published and activated 44700 seconds ago (with settime). +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700 +set_addkeytime "KEY1" "ACTIVE" "${created}" -44700 +set_keytime "KEY1" "SYNCPUBLISH" "${created}" + +check_keytimes + check_apex check_subdomain dnssec_verify @@ -2378,6 +2407,15 @@ set_server "ns3" "10.53.0.3" set_keystate "KEY1" "STATE_DS" "omnipresent" check_keys + +# The key was published and activated 143100 seconds ago (with settime). +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -143100 +set_addkeytime "KEY1" "ACTIVE" "${created}" -143100 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -98400 + +check_keytimes + check_apex check_subdomain dnssec_verify