Add KSK roll test case
authorMatthijs Mekking <matthijs@isc.org>
Wed, 4 Sep 2024 13:57:55 +0000 (15:57 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Fri, 1 Nov 2024 14:50:16 +0000 (15:50 +0100)
Add a test case for Offline KSK in which a KSK rollover happens during the
lifespan of the Signed Key Response. Ensure that the correct DNSKEY,
CDNSKEY, and CDS records are published at the right times.

bin/tests/system/ksr/ns1/named.conf.in
bin/tests/system/ksr/ns1/setup.sh
bin/tests/system/ksr/tests_ksr.py

index 75710b42dc6290685b51e9a2667543b08356c463..72830693215ed9022feaf1b6c1eef0f6b62b0bb7 100644 (file)
@@ -85,3 +85,11 @@ dnssec-policy "two-tone" {
                zsk lifetime P3M algorithm @DEFAULT_ALGORITHM@;
        };
 };
+
+dnssec-policy "ksk-roll" {
+       offline-ksk yes;
+       keys {
+               ksk lifetime P6M algorithm @DEFAULT_ALGORITHM@;
+               zsk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+       };
+};
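Review bot: The new `ksk-roll` policy carries no comment explaining why its KSK lifetime is P6M while the ZSK lifetime is unlimited, and nothing in named.conf.in tells a reader that the test drives a one-year Signed Key Response. A comment above the policy such as `// KSK lifetime deliberately shorter than the one-year SKR used by test_ksr_kskroll, so a KSK rollover falls inside the response` would tie the value to its purpose; the one-year span is only visible in tests_ksr.py (`-e +1y`). The neighbouring policies are outside the hunk, so whether they follow a commenting convention cannot be seen here.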
index a04b01a23e8e53a2451cef9d09127fb0f0f4bc3d..2179ab251d39abf8874d28957d4c9916f0007af1 100644 (file)
@@ -26,3 +26,4 @@ cp template.db.in last-bundle.test.db
 cp template.db.in in-the-middle.test.db
 cp template.db.in unlimited.test.db
 cp template.db.in two-tone.test.db
+cp template.db.in ksk-roll.test.db
index 3c9f4ee85e13672b5468eae6794e2fb421171cef..8fcdbdb7d8550a1c20a4391a6352c370a706ba03 100644 (file)
@@ -1103,3 +1103,77 @@ def test_ksr_twotone(servers):
     isctest.kasp.check_apex(ns1, zone, ksks, zsks)
     # - check subdomain
     isctest.kasp.check_subdomain(ns1, zone, ksks, zsks)
+
+
+def test_ksr_kskroll(servers):
+    zone = "ksk-roll.test"
+    policy = "ksk-roll"
+    n = 1
+
+    # create ksk
+    kskdir = "ns1/offline"
+    out, _ = ksr(zone, policy, "keygen", options=f"-K {kskdir} -i now -e +1y -o")
+    ksks = keystr_to_keylist(out, kskdir)
+    assert len(ksks) == 2
+
+    lifetime = timedelta(days=31 * 6)
+    check_keys(ksks, lifetime)
+
+    # check that 'dnssec-ksr keygen' pregenerates right amount of keys
+    zskdir = "ns1"
+    out, _ = ksr(zone, policy, "keygen", options=f"-K {zskdir} -i now -e +1y")
+    zsks = keystr_to_keylist(out, zskdir)
+    assert len(zsks) == 1
+
+    check_keys(zsks, None)
+
+    # check that 'dnssec-ksr request' creates correct ksr
+    now = zsks[0].get_timing("Created")
+    until = now + timedelta(days=365)
+    out, _ = ksr(zone, policy, "request", options=f"-K {zskdir} -i {now} -e +1y")
+
+    fname = f"{zone}.ksr.{n}"
+    with open(fname, "w", encoding="utf-8") as file:
+        file.write(out)
+
+    check_keysigningrequest(out, zsks, now, until)
+
+    # check that 'dnssec-ksr sign' creates correct skr
+    out, _ = ksr(
+        zone, policy, "sign", options=f"-K {kskdir} -f {fname} -i {now} -e +1y"
+    )
+
+    skrfile = f"{zone}.skr.{n}"
+    with open(skrfile, "w", encoding="utf-8") as file:
+        file.write(out)
+
+    refresh = -432000  # 5 days
+    check_signedkeyresponse(out, zone, ksks, zsks, now, until, refresh)
+
+    # add zone
+    ns1 = servers["ns1"]
+    ns1.rndc(
+        f"addzone {zone} "
+        + "{ type primary; file "
+        + f'"{zone}.db"; dnssec-policy {policy}; '
+        + "};",
+        log=False,
+    )
+
+    # import skr
+    shutil.copyfile(skrfile, f"ns1/{skrfile}")
+    ns1.rndc(f"skr -import {skrfile} {zone}", log=False)
+
+    # test zone is correctly signed
+    # - check rndc dnssec -status output
+    isctest.kasp.check_dnssecstatus(ns1, zone, zsks, policy=policy)
+    # - zone is signed
+    isctest.kasp.check_zone_is_signed(ns1, zone)
+    # - dnssec_verify
+    isctest.kasp.check_dnssec_verify(ns1, zone)
+    # - check keys
+    check_keys(zsks, None, with_state=True)
+    # - check apex
+    isctest.kasp.check_apex(ns1, zone, ksks, zsks)
+    # - check subdomain
+    isctest.kasp.check_subdomain(ns1, zone, ksks, zsks)
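Review bot: `test_ksr_kskroll` has no docstring, so what distinguishes it from `test_ksr_twotone` — a KSK rollover that falls inside the one-year SKR (KSK lifetime P6M in the policy, `-e +1y` on the keygen and request calls) — is stated only in the commit message. I would add `"""Offline KSK with a KSK rollover during the lifespan of the SKR: two KSKs are pregenerated and the SKR must switch DNSKEY/CDNSKEY/CDS between them at the right bundles."""` as the first line of the function. As far as the hunk shows, the per-bundle publication of DNSKEY, CDNSKEY and CDS across the rollover is exercised only by the `check_signedkeyresponse` call with both KSKs; after the `skr -import` the apex is checked once with no time advance, so if that helper does not cover the rollover timing the test does not verify what the message claims — worth confirming. From the `addzone` call onward the body repeats the tail of `test_ksr_twotone` visible in the hunk's context lines; a shared helper would keep the two tests in step.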