Test changing from dynamic to inline-signing
authorMatthijs Mekking <matthijs@isc.org>
Mon, 10 Oct 2022 11:26:47 +0000 (13:26 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Thu, 3 Nov 2022 10:42:38 +0000 (11:42 +0100)
Add a kasp system test that reconfigures a dnssec-policy zone from
maintaining DNSSEC records directly in the zone to using inline-signing.

Add a similar test case to the nsec3 system test, testing the same
thing but now with NSEC3 in use.

(cherry picked from commit 9018fbb205608229a8e92c3e4a8ec93695ef6e92)

bin/tests/system/kasp/ns6/named.conf.in
bin/tests/system/kasp/ns6/named2.conf.in
bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
bin/tests/system/kasp/ns6/setup.sh
bin/tests/system/kasp/tests.sh
bin/tests/system/nsec3/ns3/named.conf.in
bin/tests/system/nsec3/ns3/named2.conf.in
bin/tests/system/nsec3/ns3/setup.sh
bin/tests/system/nsec3/tests.sh

index 7e62fa9dd59f447e275d2aa09fd0993d55d53d11..f00594b784dd9af6a293c608b5af7acaad798d1b 100644 (file)
@@ -38,6 +38,14 @@ controls {
        inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+/* This zone switch from dynamic to inline-signing. */
+zone "dynamic2inline.kasp" {
+       type primary;
+       file "dynamic2inline.kasp.db";
+       allow-update { any; };
+       dnssec-policy "default";
+};
+
 /* These zones are going insecure. */
 zone "step1.going-insecure.kasp" {
        type primary;
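Review bot: The comment added above the new zone block, `/* This zone switch from dynamic to inline-signing. */`, has a subject/verb mismatch and should read `/* This zone switches from dynamic to inline-signing. */`. The same comment is repeated verbatim in the named2.conf.in hunk for ns6 and needs the same correction there. The nsec3 ns3 configs in this commit already use the correct form, so fixing both files keeps the four zone blocks consistent.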
index 79fc7768e7cb452d976cad47a37385e66a1ce3d2..1bb6242b6d2db3179a423b48d7b2f9024e6bfb29 100644 (file)
@@ -37,6 +37,15 @@ controls {
        inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
+/* This zone switch from dynamic to inline-signing. */
+zone "dynamic2inline.kasp" {
+       type primary;
+       file "dynamic2inline.kasp.db";
+       allow-update { any; };
+       inline-signing yes;
+       dnssec-policy "default";
+};
+
 /* Zones for testing going insecure. */
 zone "step1.going-insecure.kasp" {
         type primary;
index 683c9ef500947a4572a0b50fad3ae09f201ff90a..810b91d6ada2bbcc77e6a5bb2b39dee3b78a5b83 100644 (file)
@@ -20,6 +20,10 @@ dnssec-policy "unsigning" {
        };
 };
 
+dnssec-policy "nsec3" {
+       nsec3param iterations 0 optout no salt-length 0;
+};
+
 dnssec-policy "rsasha256" {
        signatures-refresh P5D;
        signatures-validity 30d;
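Review bot: The new `dnssec-policy "nsec3"` in kasp-fips.conf.in is not referenced by the zone this commit adds to the ns6 configs, which uses `dnssec-policy "default"`, so its purpose is not evident from the diff. If it is there to keep the FIPS policy file in step with the non-FIPS policies file, as I would guess, a one-line comment above the block such as `/* Kept in step with the non-FIPS policies file. */` would spare the next reader the search. If it is instead meant for a zone, that zone is missing from the ns6 configs in this commit.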
index 3f3f193a66fab52690aa12d5bb4d68fdd10b5fda..94fc9067c0a9c2545342d9d8d491a698bf55d078 100644 (file)
@@ -389,3 +389,6 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig
 #
 echo "example" >> zones
 cp example.db.in example.db
+
+setup "dynamic2inline.kasp"
+cp template.db.in $zonefile
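Review bot: `cp template.db.in $zonefile` relies on `setup` having just assigned `$zonefile` for "dynamic2inline.kasp"; `setup` is defined earlier in the file, outside this hunk, so the diff does not show that. If it does not set it, the copy silently overwrites the file of the previously processed zone, the same `$zonefile` the `$SIGNER` invocation in the hunk header writes. A one-line comment, `# setup sets $zonefile; the zone starts from the unsigned template`, would make the dependency explicit for anyone reordering this file.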
index eefe12e541da82f040aea4aefcc23a15b9ea3d7b..834c725c671b0fbf095fe07102b3b476a117e5e9 100644 (file)
@@ -3540,6 +3540,34 @@ set_policy "default" "1" "3600"
 set_server "ns3" "10.53.0.3"
 # TODO (GL #2471).
 
+# Test dynamic zones that switch to inline-signing.
+set_zone "dynamic2inline.kasp"
+set_policy "default" "1" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# The CSK is rumoured.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
 #
 # Testing algorithm rollover.
 #
@@ -3807,6 +3835,34 @@ wait_for_done_signing() {
        status=$((status+ret))
 }
 
+# Test dynamic zones that switch to inline-signing.
+set_zone "dynamic2inline.kasp"
+set_policy "default" "1" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# The CSK is rumoured.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
 #
 # Testing going insecure.
 #
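Review bot: The block added in the second hunk (after `wait_for_done_signing`) is a line-for-line copy of the first, including the comment `# Test dynamic zones that switch to inline-signing.`, so nothing in the text says the second run is the post-reconfig check; the nsec3/tests.sh hunks in this commit mark this with `(reconfigured)`, and the second comment here should do the same, e.g. `# Test dynamic zones that switch to inline-signing (after reconfig with inline-signing yes).`. Because the expected key states and the checks are identical in both blocks, the second one would also pass if the reconfig had not taken effect for this zone; a check that inline signing is now active, such as grepping `inline signing: yes` from `rndc zonestatus` output for the zone, would tie the assertion to the change under test, and the same applies to the reconfigured hunk in nsec3/tests.sh. Whether the reconfig has already happened at the second hunk's position cannot be seen from the diff; if it has not, the block belongs after it. If a third copy is ever needed, the key-property and key-state lines could move into a small helper, but that is optional.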
index c94fa5d67915e73b79d38d85183672da16600cef..dc885f0066856c4df798544fec675e8aa70b2b9e 100644 (file)
@@ -184,3 +184,11 @@ zone "nsec3-fails-to-load.kasp" {
        dnssec-policy "nsec3";
        allow-update { any; };
 };
+
+/* The zone switches from dynamic to inline-signing. */
+zone "nsec3-dynamic-to-inline.kasp" {
+       type primary;
+       file "nsec3-dynamic-to-inline.kasp.db";
+       dnssec-policy "nsec3";
+       allow-update { any; };
+};
index d9764abcad6dea54341f189d806e3e002c41788a..26b49ea109e1acc6429b87a0677084e26fd53f96 100644 (file)
@@ -193,3 +193,12 @@ zone "nsec3-fails-to-load.kasp" {
        dnssec-policy "nsec3";
        allow-update { any; };
 };
+
+/* The zone switches from dynamic to inline-signing. */
+zone "nsec3-dynamic-to-inline.kasp" {
+       type primary;
+       file "nsec3-dynamic-to-inline.kasp.db";
+       inline-signing yes;
+       dnssec-policy "nsec3";
+       allow-update { any; };
+};
index e2478ac3df171fec4f2c1975491b904a2b394aa4..a0dd7932362921c4dd532f525828aa0ebca3066e 100644 (file)
@@ -25,7 +25,8 @@ setup() {
 }
 
 for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
-         nsec3-to-optout nsec3-from-optout nsec3-dynamic nsec3-dynamic-change
+         nsec3-to-optout nsec3-from-optout nsec3-dynamic \
+         nsec3-dynamic-change nsec3-dynamic-to-inline
 do
        setup "${zn}.kasp"
 done
index 1d9adbc3a229bf6729b483a568fc9254b51b7db6..7317d7906098ff3fda10b92efddcc295a2466f65 100644 (file)
@@ -297,6 +297,13 @@ set_key_default_values "KEY1"
 echo_i "initial check zone ${ZONE}"
 check_nsec3
 
+# Zone: nsec3-dynamic-to-inline.kasp.
+set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
 # Zone: nsec3-to-nsec.kasp.
 set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600
 set_nsec3param "0" "0" "0"
@@ -419,6 +426,13 @@ set_key_default_values "KEY1"
 echo_i "check zone ${ZONE} after reconfig"
 check_nsec3
 
+# Zone: nsec3-dynamic-to-inline.kasp. (reconfigured)
+set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
+set_nsec3param "0" "0" "0"
+set_key_default_values "KEY1"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+
 # Zone: nsec3-to-nsec.kasp. (reconfigured)
 set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600
 set_nsec3param "1" "11" "8"