git.ipfire.org Git - thirdparty/bind9.git/commit

author	Matthijs Mekking <matthijs@isc.org>
	Mon, 17 Mar 2025 10:52:18 +0000 (11:52 +0100)
committer	Matthijs Mekking <matthijs@isc.org>
	Wed, 23 Apr 2025 15:22:04 +0000 (15:22 +0000)
commit	fddf9f778b49f454e68cbefea8c897ac3bd0ea44
tree	db141776fa7b4693c633f783e167636c2925f020	tree \| snapshot
parent	43ded45ae9af1b5ad93a68444ac289574ae703a2	commit \| diff

Update kasp check_signatures for dnssec-policy

The check_signatures code was initially created to be suitable for
the ksr system test, to test the Offline KSK feature. For that, a
key is expected to be signing if the current time is between
the timing metadata Active and Retired.

With dnssec-policy, the key timing metadata is indicative, the key
states determine the actual signing behavior.

Update the check_signatures function so that by default the signing
is derived from the key states (ksigning and zsigning). Add an
argument 'offline_ksk', if set the make sure that the zsigning is set
if the current time is between the Active and Retired timing metadata,
and for ksigning we just use the timing metadata (as the key is offline,
we cannot check the key states).

Another (upcoming) test case is where key files are missing. When the
ZSK private key file is missing, the KSK takes over. Add an argument
'zsk_missing', when set to True the expected zone signing (zsigning)
is reversed.

bin/tests/system/isctest/kasp.py		diff \| blob \| blame \| history
bin/tests/system/ksr/tests_ksr.py		diff \| blob \| blame \| history