Test migration to dnssec-policy, change algorithm
authorMatthijs Mekking <matthijs@isc.org>
Thu, 2 Apr 2020 07:05:12 +0000 (09:05 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Fri, 3 Apr 2020 06:29:22 +0000 (08:29 +0200)
Add a test to ensure migration from 'auto-dnssec maintain;' to
dnssec-policy works even if the algorithm is changed.  The existing
keys should not be removed immediately, but their goal should be
changed to become hidden, and the new keys with the different
algorithm should be introduced immediately.

bin/tests/system/kasp/ns6/named.conf.in
bin/tests/system/kasp/ns6/named2.conf.in
bin/tests/system/kasp/ns6/policies/kasp.conf
bin/tests/system/kasp/ns6/setup.sh
bin/tests/system/kasp/tests.sh

index f9aa284ef4715ad8abe87730e0a8c0aad7940f06..943c95f12061de285a432125bc81bc223a16dc2e 100644 (file)
@@ -46,6 +46,15 @@ zone "migrate.kasp" {
        update-check-ksk yes;
 };
 
+zone "migrate-nomatch-algnum.kasp" {
+       type master;
+       file "migrate-nomatch-algnum.kasp.db";
+       auto-dnssec maintain;
+       allow-update { any; };
+       dnssec-dnskey-kskonly yes;
+       update-check-ksk yes;
+};
+
 zone "migrate-nomatch-alglen.kasp" {
        type master;
        file "migrate-nomatch-alglen.kasp.db";
index d63318c6ac0411d85711db21c0a8bcdeaf0d5203..44059393218316cf30c749b7add179c84d8e7a77 100644 (file)
@@ -43,6 +43,13 @@ zone "migrate.kasp" {
        dnssec-policy "migrate";
 };
 
+zone "migrate-nomatch-algnum.kasp" {
+       type master;
+       file "migrate-nomatch-algnum.kasp.db";
+       allow-update { any; };
+       dnssec-policy "migrate-nomatch-algnum";
+};
+
 zone "migrate-nomatch-alglen.kasp" {
        type master;
        file "migrate-nomatch-alglen.kasp.db";
index ae36e0934f70cbf635307f6e218310b2cad347f1..6b58eaf82509bf460e5629bc90dd6b7e8c94d863 100644 (file)
@@ -58,6 +58,28 @@ dnssec-policy "migrate" {
        };
 };
 
+/*
+ * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
+ * to ECDSAP256SHA256 keys.
+ */
+dnssec-policy "migrate-nomatch-algnum" {
+       dnskey-ttl 300;
+
+       keys {
+               ksk key-directory lifetime unlimited algorithm ecdsa256;
+               zsk key-directory lifetime P60D algorithm ecdsa256;
+       };
+
+       // Together 12h
+       zone-propagation-delay 3600;
+       max-zone-ttl 11h;
+
+       // Together 24h
+       parent-registration-delay 21h;
+       parent-propagation-delay pt1h;
+       parent-ds-ttl 7200;
+};
+
 /*
  * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
  * to 2048 bits RSASHA1 keys.
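Review bot: The header comment on the new "migrate-nomatch-algnum" policy says the existing keys are 1024-bit RSASHA1 keys, but the matching setup in ns6/setup.sh generates the KSK with `-b 2048` and only the ZSK with `-b 1024`, and tests.sh expects `"5" "RSASHA1" "2048"` for KEY1. Since this policy exists to exercise an algorithm change rather than a length change, the comment should say so: `* This policy tests migration from existing RSASHA1 keys (2048-bit KSK, 1024-bit ZSK) to ECDSAP256SHA256 keys; only the algorithm differs.` The timing comments `// Together 12h` and `// Together 24h` would also be easier to cross-check against the `Tsig`/`Tds` values in setup.sh if they named what they feed, e.g. `// Together 12h: zone-propagation-delay + max-zone-ttl (Tsig in setup.sh)`.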
index 7a9ed929c1c7a130f5bd0670deb05af920af5fc4..430e1c9e3e38a7819043e8f521d6c7a69c654142 100644 (file)
@@ -51,6 +51,24 @@ private_type_record $zone 5 "$KSK" >> "$infile"
 private_type_record $zone 5 "$ZSK" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
+# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
+# time the existing keys do not match the policy.  The existing keys are
+# RSASHA1 keys, and will be migrated to a dnssec-policy that dictates
+# ECDSAP256SHA256 keys.
+setup migrate-nomatch-algnum.kasp
+echo "$zone" >> zones
+KSK=$($KEYGEN -a RSASHA1 -b 2048 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zone 2> keygen.out.$zone.2)
+Tds="now-24h"    # Time according to dnssec-policy that DS will be OMNIPRESENT
+Tkey="now-3900s" # DNSKEY TTL + propagation delay
+Tsig="now-12h"   # Zone's maximum TTL + propagation delay
+$SETTIME -P $Tkey -P sync $Tds -A $Tkey "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -P $Tsig -A $Tsig "$ZSK" > settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone 5 "$KSK" >> "$infile"
+private_type_record $zone 5 "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
 # time the existing keys do not match the policy.  The existing keys are
 # 1024 bits RSASHA1 keys, and will be migrated to a dnssec-policy that
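Review bot: The new `KSK=$(...)` / `ZSK=$(...)` lines never check that `$KEYGEN` or `$SETTIME` succeeded; only stderr is captured into keygen.out.*, so if key generation fails `$KSK` is empty, `"${KSK}.key"` resolves to `.key`, and the problem only surfaces later as a confusing signer error for this zone. This mirrors the existing blocks in the file, so it may be the accepted convention here, but a guard right after generation localises the failure: `[ -n "$KSK" ] && [ -n "$ZSK" ] || { echo "keygen failed for $zone"; exit 1; }`. The block comment above the new zone also says only "RSASHA1 keys"; naming the sizes (`2048-bit KSK, 1024-bit ZSK`) would make it obvious that this case differs from the alglen case below by algorithm alone.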
index 50de840ad6b5dbb0b7bf962c562a618bd97ffdbf..cda9d87241502b21f45ae5ccc52e13aa20e0eba0 100644 (file)
@@ -2918,7 +2918,59 @@ _migrate_ksk=$(key_get KEY1 ID)
 _migrate_zsk=$(key_get KEY2 ID)
 
 #
-# Testing migration with unmatched existing keys.
+# Testing migration with unmatched existing keys (different algorithm).
+#
+set_zone "migrate-nomatch-algnum.kasp"
+set_policy "none" "2" "300"
+set_server "ns6" "10.53.0.6"
+
+init_migration_nomatch_algnum() {
+       key_clear        "KEY1"
+       key_set          "KEY1" "LEGACY" "yes"
+       set_keyrole      "KEY1" "ksk"
+       set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+       set_keysigning   "KEY1" "yes"
+       set_zonesigning  "KEY1" "no"
+
+       key_clear        "KEY2"
+       key_set          "KEY2" "LEGACY" "yes"
+       set_keyrole      "KEY2" "zsk"
+       set_keyalgorithm "KEY2" "5" "RSASHA1" "1024"
+       set_keysigning   "KEY2" "no"
+       set_zonesigning  "KEY2" "yes"
+
+       key_clear        "KEY3"
+       key_clear        "KEY4"
+
+       set_keytime  "KEY1" "PUBLISHED"    "yes"
+       set_keytime  "KEY1" "ACTIVE"       "yes"
+       set_keytime  "KEY1" "RETIRED"      "none"
+       set_keystate "KEY1" "GOAL"         "omnipresent"
+       set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+       set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+       set_keystate "KEY1" "STATE_DS"     "omnipresent"
+
+       set_keytime  "KEY2" "PUBLISHED"    "yes"
+       set_keytime  "KEY2" "ACTIVE"       "yes"
+       set_keytime  "KEY2" "RETIRED"      "none"
+       set_keystate "KEY2" "GOAL"         "omnipresent"
+       set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+       set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+}
+init_migration_nomatch_algnum
+
+# Make sure the zone is signed with legacy keys.
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Remember legacy key tags.
+_migratenomatch_algnum_ksk=$(key_get KEY1 ID)
+_migratenomatch_algnum_zsk=$(key_get KEY2 ID)
+
+#
+# Testing migration with unmatched existing keys (different length).
 #
 set_zone "migrate-nomatch-alglen.kasp"
 set_policy "none" "2" "300"
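Review bot: `init_migration_nomatch_algnum` hard-codes the legacy key properties (`"5" "RSASHA1" "2048"` for KEY1, `"5" "RSASHA1" "1024"` for KEY2) that must agree with the keys generated for this zone in ns6/setup.sh, but nothing in the function says so, so a change to either file silently breaks the other. A one-line comment above the function would make the coupling visible: `# Legacy key properties below must match the keys generated for this zone in ns6/setup.sh.` The function name and the tag variables also use two spellings of the same thing (`init_migration_nomatch_algnum` vs `_migratenomatch_algnum_ksk`); picking one makes the test easier to grep.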
@@ -3032,7 +3084,64 @@ ret=0
 [ $_migrate_zsk == $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
 status=$((status+ret))
 
-# Test migration to dnssec-policy, existing keys do not match.
+# Test migration to dnssec-policy, existing keys do not match key algorithm.
+set_zone "migrate-nomatch-algnum.kasp"
+set_policy "migrate-nomatch-algnum" "4" "300"
+set_server "ns6" "10.53.0.6"
+
+# The legacy keys need to be retired, but otherwise stay present until the
+# new keys are omnipresent, and can be used to construct a chain of trust.
+init_migration_nomatch_algnum
+
+key_set      "KEY1" "LEGACY"  "no"
+set_keytime  "KEY1" "RETIRED" "yes"
+set_keystate "KEY1" "GOAL"    "hidden"
+
+key_set      "KEY2" "LEGACY"  "no"
+set_keytime  "KEY2" "RETIRED" "yes"
+set_keystate "KEY2" "GOAL"    "hidden"
+
+set_keyrole      "KEY3" "ksk"
+set_keylifetime  "KEY3" "0"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY3" "yes"
+set_zonesigning  "KEY3" "no"
+
+set_keyrole      "KEY4" "zsk"
+set_keylifetime  "KEY4" "5184000"
+set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY4" "no"
+set_zonesigning  "KEY4" "yes"
+
+set_keytime  "KEY3" "PUBLISHED"    "yes"
+set_keytime  "KEY3" "ACTIVE"       "yes"
+set_keytime  "KEY3" "RETIRED"      "none"
+set_keystate "KEY3" "GOAL"         "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY3" "STATE_DS"     "hidden"
+
+set_keytime  "KEY4" "PUBLISHED"    "yes"
+set_keytime  "KEY4" "ACTIVE"       "yes"
+set_keytime  "KEY4" "RETIRED"      "yes"
+set_keystate "KEY4" "GOAL"         "omnipresent"
+set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
+
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
+ret=0
+[ $_migratenomatch_algnum_ksk == $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
+[ $_migratenomatch_algnum_zsk == $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
+status=$((status+ret))
+
+# Test migration to dnssec-policy, existing keys do not match key length.
 set_zone "migrate-nomatch-alglen.kasp"
 set_policy "migrate-nomatch-alglen" "4" "300"
 set_server "ns6" "10.53.0.6"
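Review bot: The tag comparison `[ $_migratenomatch_algnum_ksk == $(key_get KEY1 ID) ]` relies on bash's `==` inside `[ ]` and leaves both operands unquoted; if `key_get` returns an empty string the test also trips a `[` usage error instead of reporting only the intended mismatch. The `_migrate_zsk` line above already does this, so it may be house style, but `[ "$_migratenomatch_algnum_ksk" = "$(key_get KEY1 ID)" ] || log_error "mismatch ksk tag"` (and likewise for the zsk line) is POSIX and fails cleanly. The log line `"check that of zone ${ZONE} migration ..."` also reads awkwardly; `"check that migration of zone ${ZONE} to dnssec-policy keeps existing keys ($n)"` is clearer. The invariant the hunk asserts — legacy keys move to `GOAL hidden` with `RETIRED yes` while their DNSKEY/RRSIG/DS states stay omnipresent, and the new ECDSAP256SHA256 KSK starts with `STATE_DS hidden` — is the right one for a conservative algorithm rollover, and a short comment saying that the DS must not be swapped before the new algorithm's signatures are omnipresent would explain why those expected states were chosen.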