Similar to rollover-ksk-doubleksk.
--- /dev/null
+../rollover/ns1
\ No newline at end of file
--- /dev/null
+../rollover/ns2
\ No newline at end of file
-../../rollover-ksk-doubleksk/ns3/kasp.conf.j2
\ No newline at end of file
+../../rollover-ksk-doubleksk/ns3/kasp.conf
\ No newline at end of file
--- /dev/null
+../../rollover/ns3/template.db.j2.manual
\ No newline at end of file
--- /dev/null
+../../_common/trusted.conf.j2
\ No newline at end of file
+++ /dev/null
-#!/bin/sh -e
-
-# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
-#
-# SPDX-License-Identifier: MPL-2.0
-#
-# This Source Code Form is subject to the terms of the Mozilla Public
-# License, v. 2.0. If a copy of the MPL was not distributed with this
-# file, you can obtain one at https://mozilla.org/MPL/2.0/.
-#
-# See the COPYRIGHT file distributed with this work for additional
-# information regarding copyright ownership.
-
-# shellcheck source=conf.sh
-. ../conf.sh
-
-cd "ns3"
-
-setup() {
- zone="$1"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- infile="${zone}.db.infile"
- echo "$zone" >>zones
-}
-
-# Set in the key state files the Predecessor/Successor fields.
-# Key $1 is the predecessor of key $2.
-key_successor() {
- id1=$(keyfile_to_key_id "$1")
- id2=$(keyfile_to_key_id "$2")
- echo "Predecessor: ${id1}" >>"${2}.state"
- echo "Successor: ${id2}" >>"${1}.state"
-}
-
-# Make lines shorter by storing key states in environment variables.
-H="HIDDEN"
-R="RUMOURED"
-O="OMNIPRESENT"
-U="UNRETENTIVE"
-
-# Test #2375, the "three is a crowd" bug, where a new key is introduced but the
-# previous rollover has not finished yet. In other words, we have a key KEY2
-# that is the successor of key KEY1, and we introduce a new key KEY3 that is
-# the successor of key KEY2:
-#
-# KEY1 < KEY2 < KEY3.
-#
-# The expected behavior is that all three keys remain in the zone, and not
-# the bug behavior where KEY2 is removed and immediately replaced with KEY3.
-#
-# Set up a zone that has a KSK (KEY1) and have the successor key (KEY2)
-# published as well.
-setup three-is-a-crowd.kasp
-# These times are the same as step3.ksk-doubleksk.autosign.
-TpubN="now-60d"
-TactN="now-1413h"
-TretN="now"
-TremN="now+50h"
-TpubN1="now-27h"
-TsbmN1="now"
-TactN1="${TretN}"
-TretN1="now+60d"
-TremN1="now+1490h"
-ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
-zsktimes="-P ${TpubN} -A ${TpubN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
-# Set key rollover relationship.
-key_successor $KSK1 $KSK2
-# Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
KSK_IPUB,
KSK_IRET,
)
+from rollover.setup import (
+ configure_root,
+ configure_tld,
+ configure_ksk_3crowd,
+)
CDSS = ["CDS (SHA-256)"]
TTL = int(KSK_CONFIG["dnskey-ttl"].total_seconds())
+def bootstrap():
+ data = {
+ "tlds": [],
+ "trust_anchors": [],
+ }
+
+ tlds = []
+ tld_name = "kasp"
+ delegations = configure_ksk_3crowd(tld_name)
+ tld = configure_tld(tld_name, delegations)
+ tlds.append(tld)
+ data["tlds"].append(tld_name)
+ ta = configure_root(tlds)
+ data["trust_anchors"].append(ta)
+ return data
+
+
def test_rollover_ksk_three_is_a_crowd(alg, size, ns3):
"""Test #2375: Scheduled rollovers are happening faster than they can finish."""
zone = "three-is-a-crowd.kasp"
)
return zones
+
+
+def configure_ksk_3crowd(tld: str) -> List[Zone]:
+ # Test #2375, the "three is a crowd" bug, where a new key is introduced but the
+ # previous rollover has not finished yet. In other words, we have a key KEY2
+ # that is the successor of key KEY1, and we introduce a new key KEY3 that is
+ # the successor of key KEY2:
+ #
+ # KEY1 < KEY2 < KEY3.
+ #
+ # The expected behavior is that all three keys remain in the zone, and not
+ # the bug behavior where KEY2 is removed and immediately replaced with KEY3.
+ #
+ zones = []
+ cds = "cds:sha-256"
+ keygen = CmdHelper("KEYGEN", "-a ECDSAP256SHA256 -L 7200")
+ settime = CmdHelper("SETTIME", "-s")
+
+ # Set up a zone that has a KSK (KEY1) and have the successor key (KEY2)
+ # published as well.
+ zonename = f"three-is-a-crowd.{tld}"
+ zones.append(Zone(zonename, f"{zonename}.db", Nameserver("ns3", "10.53.0.3")))
+ isctest.log.info(f"setup {zonename}")
+ # These times are the same as step3.ksk-doubleksk.autosign.
+ TpubN = "now-60d"
+ TactN = "now-1413h"
+ TretN = "now"
+ TremN = "now+50h"
+ TpubN1 = "now-27h"
+ TactN1 = TretN
+ TretN1 = "now+60d"
+ TremN1 = "now+1490h"
+ ksktimes = (
+ f"-P {TpubN} -A {TpubN} -P sync {TactN} -I {TretN} -D {TremN} -D sync {TactN1}"
+ )
+ newtimes = f"-P {TpubN1} -A {TactN1} -P sync {TactN1} -I {TretN1} -D {TremN1}"
+ zsktimes = f"-P {TpubN} -A {TpubN}"
+ # Key generation.
+ ksk1_name = keygen(f"-f KSK {ksktimes} {zonename}", cwd="ns3").strip()
+ ksk2_name = keygen(f"-f KSK {newtimes} {zonename}", cwd="ns3").strip()
+ zsk_name = keygen(f"{zsktimes} {zonename}", cwd="ns3").strip()
+ settime(
+ f"-g HIDDEN -k OMNIPRESENT {TactN} -r OMNIPRESENT {TactN} -d OMNIPRESENT {TactN} {ksk1_name}",
+ cwd="ns3",
+ )
+ settime(
+ f"-g OMNIPRESENT -k RUMOURED {TpubN1} -r RUMOURED {TpubN1} -d HIDDEN {TpubN1} {ksk2_name}",
+ cwd="ns3",
+ )
+ settime(
+ f"-g OMNIPRESENT -k OMNIPRESENT {TpubN} -z OMNIPRESENT {TpubN} {zsk_name}",
+ cwd="ns3",
+ )
+ # Set key rollover relationship.
+ set_key_relationship(ksk1_name, ksk2_name)
+ # Signing.
+ render_and_sign_zone(
+ zonename, [ksk1_name, ksk2_name, zsk_name], extra_options=f"-G {cds}"
+ )
+
+ return zones
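Review bot: configure_ksk_3crowd has no docstring; the explanatory comment block at the top of its body (the "three is a crowd" description ending with "KEY1 < KEY2 < KEY3") is exactly what the docstring should say, so move it into a `"""..."""` right under the `def` line and keep only the short step comments (`# Key generation.`, `# Set key rollover relationship.`, `# Signing.`) inline. Separately, `keygen = CmdHelper("KEYGEN", "-a ECDSAP256SHA256 -L 7200")` pins the algorithm, whereas the replaced setup.sh used `$DEFAULT_ALGORITHM` and the caller `test_rollover_ksk_three_is_a_crowd(alg, size, ns3)` takes `alg`/`size` fixtures; if those fixtures are meant to vary the algorithm the generated keys will not match, so this looks worth confirming against how `alg` is used in the test. A one-line comment such as `# Algorithm is fixed here; the test's alg/size fixtures do not reach zone setup.` would make the choice explicit either way. The hunk appears to end at `return zones`, but the file may continue past it.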