$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
-# time the existing keys do not match the policy.
-setup migrate-nomatch.kasp
+# time the existing keys do not match the policy. The existing keys are
+# 1024 bits RSASHA1 keys, and will be migrated to a dnssec-policy that
+# dictates 2048 bits RSASHA1 keys.
+setup migrate-nomatch-alglen.kasp
echo "$zone" >> zones
KSK=$($KEYGEN -a RSASHA1 -b 1024 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zone 2> keygen.out.$zone.2)
#
# Testing migration with unmatched existing keys.
#
-set_zone "migrate-nomatch.kasp"
+set_zone "migrate-nomatch-alglen.kasp"
set_policy "none" "2" "300"
set_server "ns6" "10.53.0.6"
-init_migration_nomatch() {
+init_migration_nomatch_alglen() {
key_clear "KEY1"
key_set "KEY1" "LEGACY" "yes"
set_keyrole "KEY1" "ksk"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
}
-init_migration_nomatch
+init_migration_nomatch_alglen
# Make sure the zone is signed with legacy keys.
check_keys
dnssec_verify
# Remember legacy key tags.
-_migratenomatch_ksk=$(key_get KEY1 ID)
-_migratenomatch_zsk=$(key_get KEY2 ID)
+_migratenomatch_alglen_ksk=$(key_get KEY1 ID)
+_migratenomatch_alglen_zsk=$(key_get KEY2 ID)
# Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy
# changes).
status=$((status+ret))
# Test migration to dnssec-policy, existing keys do not match.
-set_zone "migrate-nomatch.kasp"
-set_policy "migrate-nomatch" "4" "300"
+set_zone "migrate-nomatch-alglen.kasp"
+set_policy "migrate-nomatch-alglen" "4" "300"
set_server "ns6" "10.53.0.6"
# The legacy keys need to be retired, but otherwise stay present until the
# new keys are omnipresent, and can be used to construct a chain of trust.
-init_migration_nomatch
+init_migration_nomatch_alglen
key_set "KEY1" "LEGACY" "no"
set_keytime "KEY1" "RETIRED" "yes"
set_keylifetime "KEY4" "5184000"
set_keyalgorithm "KEY4" "5" "RSASHA1" "2048"
set_keysigning "KEY4" "no"
-# This key is not active yet, first the DNSKEY needs to be omnipresent.
+# This key is considered to be prepublished, so it is not yet signing.
set_zonesigning "KEY4" "no"
set_keytime "KEY3" "PUBLISHED" "yes"
n=$((n+1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
ret=0
-[ $_migratenomatch_ksk == $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
-[ $_migratenomatch_zsk == $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+[ $_migratenomatch_alglen_ksk == $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migratenomatch_alglen_zsk == $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
status=$((status+ret))
#
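Review bot: The renamed tag comparisons `[ $_migratenomatch_alglen_ksk == $(key_get KEY1 ID) ]` and the zsk line below it keep both expansions unquoted and use `==`, which is not a POSIX `test` operator; if `key_get` ever returns an empty string (for instance when the expected key file is not there after the reconfig), `test` reports a usage error and the resulting `log_error` message says "mismatch" for what is really a missing key, and under a strict `sh` the `==` form may itself be rejected, which would make every run of this check log a mismatch. Suggest `[ "$_migratenomatch_alglen_ksk" = "$(key_get KEY1 ID)" ] || log_error "mismatch ksk tag"` and the same shape for the zsk line, so the assertion stays a plain string comparison whatever `key_get` yields. The check block from `n=$((n+1))` to `status=$((status+ret))` is inside the hunk, but the larger test section it belongs to continues outside it.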
keystr, keymgr_keyrole(dkey->key),
dns_kasp_getname(kasp));
- /* Initialize lifetime and goal, if not set. */
+ /* Initialize lifetime if not set. */
uint32_t l;
if (dst_key_getnum(dkey->key, DST_NUM_LIFETIME,
&l) != ISC_R_SUCCESS) {
lifetime);
}
- dst_key_state_t goal;
- if (dst_key_getstate(dkey->key, DST_KEY_GOAL,
- &goal) != ISC_R_SUCCESS) {
- dst_key_setstate(dkey->key,
- DST_KEY_GOAL,
- OMNIPRESENT);
- }
-
if (active_key) {
/* We already have an active key that
* matches the kasp policy.
continue;
}
+ /*
+ * This is possibly an active key created
+ * outside dnssec-policy. Initialize goal,
+ * if not set.
+ */
+ dst_key_state_t goal;
+ if (dst_key_getstate(dkey->key, DST_KEY_GOAL,
+ &goal) != ISC_R_SUCCESS) {
+ dst_key_setstate(dkey->key,
+ DST_KEY_GOAL,
+ OMNIPRESENT);
+ }
+
/*
* Save the matched key only if it is active
* or desires to be active.