Create a test scenario where a signed zone is in multiple views and
then a key may be purged. This is a bug case where the key files are
removed by one view and then the other view starts complaining.
Note: This commit was manually modified because 9.18 does not have
pytest based kasp system tests. The test was translated to a shell
script style test case.
(cherry picked from commit
752d8617f558130cc552cae0e903aca318a3ef02)
// NS4
+include "purgekeys.conf";
+
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
type primary;
file "example1.db";
};
+
+ zone "purgekeys.kasp" {
+ type primary;
+ file "purgekeys.kasp.example1.db";
+ dnssec-policy "purgekeys";
+ inline-signing yes;
+ };
};
view "example2" {
file "example2.db";
inline-signing yes;
};
+
+ zone "purgekeys.kasp" {
+ type primary;
+ file "purgekeys.kasp.example2.db";
+ dnssec-policy "purgekeys";
+ inline-signing yes;
+ };
};
view "example3" {
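Review bot: Nothing in the two new `zone "purgekeys.kasp"` blocks records that the regression depends on both views resolving to the same key directory, which is the only way one view's purge can remove files the other view still references. Neither zone sets `key-directory`, and the included policy (shown later on this page) uses `key-directory` for both ksk and zsk, so both views presumably read the server's working directory; that is the intended setup but a reader of named.conf.in cannot tell it from an oversight. A one-line comment above the first zone block would pin it: `// Same zone in two views, sharing the default key-directory (GL #5315).`. The enclosing `view "example1"` block starts outside the hunk.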
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "purgekeys" {
+ keys {
+ ksk key-directory lifetime 0 algorithm 13;
+ zsk key-directory lifetime P30D algorithm 13;
+ };
+ /*
+ * Initially set to 0, so no keys are purged. Keys that are no longer
+ * in use will still be in the zone's keyring, one per view. After
+ * reconfig the purge-keys value is set to 7 days, at least one key
+ * will be eligible for purging, and should be purged from both
+ * keyrings without issues.
+ */
+ purge-keys 0;
+ //purge-keys P7D;
+};
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "purgekeys" {
+ keys {
+ ksk key-directory lifetime 0 algorithm 13;
+ zsk key-directory lifetime P30D algorithm 13;
+ };
+ //purge-keys 0;
+ purge-keys P7D;
+};
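Review bot: This second policy file carries none of the explanation that purgekeys1.conf has, so someone opening it on its own sees only a `purge-keys P7D` with a commented-out `purge-keys 0` and has to find the companion file to learn why two near-identical policies exist. The two files differ only in the `purge-keys` value and which of the two lines is commented out, so a short header comment is enough: `/* Second stage of the GL #5315 test: swapped in over purgekeys.conf by tests.sh before reconfig, so that purge-keys becomes 7 days and the hidden ZSK is purged; see purgekeys1.conf for the full description. */`. The file is otherwise a straight copy of purgekeys1.conf, which is fine for a fixture.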
cp example1.db.in example1.db
cp example2.db.in example2.db
+
+# Regression test for GL #5315
+cp purgekeys1.conf purgekeys.conf
+cp example1.db.in purgekeys.kasp.example1.db
+cp example2.db.in purgekeys.kasp.example2.db
+
+zone="purgekeys.kasp"
+H="HIDDEN"
+O="OMNIPRESENT"
+T="now-9mo"
+# KSK omnipresent
+KSK=$($KEYGEN -fk -a 13 -L 3600 $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+# ZSK omnipresent
+ZSK1=$($KEYGEN -a 13 -L 3600 $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK1" >settime.out.$zone.2 2>&1
+# ZSK hidden (may be purged)
+ZSK2=$($KEYGEN -a 13 -L 3600 $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $H $T -z $H $T "$ZSK2" >settime.out.$zone.2 2>&1
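Review bot: The ZSK2 lines reuse the `.2` suffix on their output files, so `keygen.out.$zone.2` and `settime.out.$zone.2` written for ZSK1 on the two lines above are overwritten and the ZSK1 keygen/settime output is lost when a failure has to be debugged. The other key in this hunk already follows a one-suffix-per-key scheme (`.1` for the KSK, `.2` for ZSK1), so ZSK2 should use `.3`: `ZSK2=$($KEYGEN -a 13 -L 3600 $zone 2>keygen.out.$zone.3)` and `$SETTIME -s -g $H -k $H $T -z $H $T "$ZSK2" >settime.out.$zone.3 2>&1`. The `cp example1.db.in example1.db` context suggests the script is already inside ns4 at this point, but the `cd` is outside the hunk.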
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
+#
+# Test purge-keys in combination with views [GL #5315].
+#
+set_zone "purgekeys.kasp"
+set_policy "purgekeys" "2" "3600"
+set_server "ns4" "10.53.0.4"
+
+TSIG="$DEFAULT_HMAC:keyforview1:$VIEW1"
+wait_for_nsec
+dnssec_verify
+
+TSIG="$DEFAULT_HMAC:keyforview2:$VIEW2"
+wait_for_nsec
+dnssec_verify
+
+# Reconfig, make sure the purged key is not an issue when verifying keys.
+cp ns4/purgekeys2.conf ns4/purgekeys.conf || ret=1
+nextpart ns4/named.run >/dev/null
+rndccmd 10.53.0.4 reconfig || ret=1
+wait_for_log 3 "keymgr: $ZONE done" ns4/named.run || ret=1
+
+grep "zone $ZONE/IN/example1 (signed): zone_rekey:zone_verifykeys failed: some key files are missing" ns4/named.run && ret=1
+grep "zone $ZONE/IN/example2 (signed): zone_rekey:zone_verifykeys failed: some key files are missing" ns4/named.run && ret=1
+
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
# Clear TSIG.
TSIG=""
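Review bot: The reconfig check that starts at `cp ns4/purgekeys2.conf ns4/purgekeys.conf || ret=1` never resets `ret` and has no numbered `echo_i` header, unlike the surrounding tests: the last visible assignment is the previous test's `status=$((status + ret))`, so unless `wait_for_nsec` or `dnssec_verify` happens to reset it (not visible here) a failure in the preceding verification is counted a second time, and a genuine failure of this check prints a bare "failed" that cannot be matched to a test number in the log. Adding the usual preamble before the `cp` fixes both: `n=$((n + 1))`, `echo_i "check purge-keys with the zone in two views after reconfig ($n)"`, `ret=0`. The two `grep ... && ret=1` lines scan the whole of ns4/named.run rather than the part after `nextpart`, which is acceptable here since the message must never appear, but worth a short comment so nobody later "fixes" it to `nextpart`.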
"ns*/*.zsk2",
"ns3/legacy-keys.*",
"ns3/dynamic-signed-inline-signing.kasp.db.signed.signed",
+ "ns4/purgekeys.conf",
+ "ns4/purgekeys2.conf",
]
)
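Review bot: The cleanup list adds `ns4/purgekeys.conf` and `ns4/purgekeys2.conf` but not `ns4/purgekeys1.conf`, which is inconsistent with how the two stage files are used: setup.sh copies purgekeys1.conf and tests.sh copies purgekeys2.conf, so the two should have the same provenance and the same cleanup treatment. This page shows two new files created with `--- /dev/null` headers but their paths are not visible; if those are the committed purgekeys1.conf and purgekeys2.conf, then listing purgekeys2.conf here would delete a tracked fixture on every clean, and if they are `.in` templates that the framework expands, then purgekeys1.conf is a generated file that is being left behind. Either way the entry pair should be `"ns4/purgekeys.conf",` plus whichever of the two stage files is actually generated, or both of them, and a comment such as `# purgekeys.conf is produced by setup.sh/tests.sh from the stage files` would make the intent clear.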