Test changing from dynamic to inline-signing

author Matthijs Mekking <matthijs@isc.org>

Mon, 10 Oct 2022 11:26:47 +0000 (13:26 +0200)

committer Matthijs Mekking <matthijs@isc.org>

Thu, 3 Nov 2022 13:39:23 +0000 (14:39 +0100)
author Matthijs Mekking <matthijs@isc.org>
Mon, 10 Oct 2022 11:26:47 +0000 (13:26 +0200)
committer Matthijs Mekking <matthijs@isc.org>
Thu, 3 Nov 2022 13:39:23 +0000 (14:39 +0100)
diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in

index 7b919d4ee121aed35e3aa67a81cc6592e0505162..cb9bd27b299d644802d8b253bcdeb5eb5ebe3742 100644 (file)
--- a/bin/tests/system/kasp/ns6/named.conf.in
+++ b/bin/tests/system/kasp/ns6/named.conf.in
@@ -38,6 +38,14 @@ controls {
         inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
  };
  
+/* This zone switch from dynamic to inline-signing. */
+zone "dynamic2inline.kasp" {
+       type primary;
+       file "dynamic2inline.kasp.db";
+       allow-update { any; };
+       dnssec-policy "default";
+};
+
  /* These zones are going insecure. */
  zone "step1.going-insecure.kasp" {
         type master;
diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in

index 03079f34999ef3d13eadb90020fbc37ccb0246ab..5f4097ebd057bf470835d3a5e8d7c58fe2e7fb9b 100644 (file)
--- a/bin/tests/system/kasp/ns6/named2.conf.in
+++ b/bin/tests/system/kasp/ns6/named2.conf.in
@@ -37,6 +37,15 @@ controls {
         inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
  };
  
+/* This zone switch from dynamic to inline-signing. */
+zone "dynamic2inline.kasp" {
+       type primary;
+       file "dynamic2inline.kasp.db";
+       allow-update { any; };
+       inline-signing yes;
+       dnssec-policy "default";
+};
+
  /* Zones for testing going insecure. */
  zone "step1.going-insecure.kasp" {
          type master;
diff --git a/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in

index 683c9ef500947a4572a0b50fad3ae09f201ff90a..810b91d6ada2bbcc77e6a5bb2b39dee3b78a5b83 100644 (file)
--- a/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
+++ b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
@@ -20,6 +20,10 @@ dnssec-policy "unsigning" {
         };
  };
  
+dnssec-policy "nsec3" {
+       nsec3param iterations 0 optout no salt-length 0;
+};
+
  dnssec-policy "rsasha256" {
         signatures-refresh P5D;
         signatures-validity 30d;
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh

index 27686ee3f94f7a6825207ad5c720fb12d01e8577..723fc56a55d542afc466478b29a4daacb3356bb7 100644 (file)
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@@ -389,3 +389,6 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig
  #
  echo "example" >> zones
  cp example.db.in example.db
+
+setup "dynamic2inline.kasp"
+cp template.db.in $zonefile
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh

index 81a4bf2ad90802e0b9a71c5d5cb41df5bab21801..482e22021924f4012a0f0c6d79056a65b373165b 100644 (file)
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -3541,6 +3541,34 @@ set_policy "default" "1" "3600"
  set_server "ns3" "10.53.0.3"
  # TODO (GL #2471).
  
+# Test dynamic zones that switch to inline-signing.
+set_zone "dynamic2inline.kasp"
+set_policy "default" "1" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# The CSK is rumoured.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
  #
  # Testing algorithm rollover.
  #
@@ -3808,6 +3836,34 @@ wait_for_done_signing() {
         status=$((status+ret))
  }
  
+# Test dynamic zones that switch to inline-signing.
+set_zone "dynamic2inline.kasp"
+set_policy "default" "1" "3600"
+set_server "ns6" "10.53.0.6"
+# Key properties.
+key_clear        "KEY1"
+set_keyrole      "KEY1" "csk"
+set_keylifetime  "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning   "KEY1" "yes"
+set_zonesigning  "KEY1" "yes"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# The CSK is rumoured.
+set_keystate "KEY1" "GOAL"         "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS"     "hidden"
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
  #
  # Testing going insecure.
  #
diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in

index 85bc591b075bc91e4bca25b961a6c823baa4f17a..c99dc3335fae6c1ff943d66f604c68f4a545106e 100644 (file)
--- a/bin/tests/system/nsec3/ns3/named.conf.in
+++ b/bin/tests/system/nsec3/ns3/named.conf.in
@@ -128,3 +128,11 @@ zone "nsec3-fails-to-load.kasp" {
         dnssec-policy "nsec3";
         allow-update { any; };
  };
+
+/* The zone switches from dynamic to inline-signing. */
+zone "nsec3-dynamic-to-inline.kasp" {
+       type primary;
+       file "nsec3-dynamic-to-inline.kasp.db";
+       dnssec-policy "nsec3";
+       allow-update { any; };
+};
diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in

index c593e60db13e5f987c4aedbf1fe1cf2a5dec6399..1b8cbec20c71c73c5320703a1569e81f7681f6d6 100644 (file)
--- a/bin/tests/system/nsec3/ns3/named2.conf.in
+++ b/bin/tests/system/nsec3/ns3/named2.conf.in
@@ -134,3 +134,12 @@ zone "nsec3-fails-to-load.kasp" {
         dnssec-policy "nsec3";
         allow-update { any; };
  };
+
+/* The zone switches from dynamic to inline-signing. */
+zone "nsec3-dynamic-to-inline.kasp" {
+       type primary;
+       file "nsec3-dynamic-to-inline.kasp.db";
+       inline-signing yes;
+       dnssec-policy "nsec3";
+       allow-update { any; };
+};
diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh

index cbaf84ce8d456c331e18b735bdecb39fdfbffcf0..b4c744ac26e77f0bf164892828e8d0d41d3cdbdd 100644 (file)
--- a/bin/tests/system/nsec3/ns3/setup.sh
+++ b/bin/tests/system/nsec3/ns3/setup.sh
@@ -25,7 +25,8 @@ setup() {
  }
  
  for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \
-         nsec3-to-optout nsec3-from-optout nsec3-dynamic nsec3-dynamic-change
+         nsec3-to-optout nsec3-from-optout nsec3-dynamic \
+         nsec3-dynamic-change nsec3-dynamic-to-inline
  do
         setup "${zn}.kasp"
  done
diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh

index 1cd6ff175009f6aa7fc8c84ed05a99c27edf72d2..f8863527399ff5eb49622c0fa40c7c0c69622071 100644 (file)
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -187,6 +187,12 @@ echo_i "initial check zone ${ZONE}"
  check_nsec3
  dnssec_verify
  
+# Zone: nsec3-dynamic-to-inline.kasp.
+set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
+set_nsec3param "0" "5" "8"
+echo_i "initial check zone ${ZONE}"
+check_nsec3
+
  # Zone: nsec3-to-nsec.kasp.
  set_zone_policy "nsec3-to-nsec.kasp" "nsec3"
  set_nsec3param "0" "5" "8"
@@ -255,6 +261,12 @@ echo_i "check zone ${ZONE} after reconfig"
  check_nsec3
  dnssec_verify
  
+# Zone: nsec3-dynamic-to-inline.kasp. (reconfigured)
+set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600
+set_nsec3param "0" "5" "8"
+echo_i "check zone ${ZONE} after reconfig"
+check_nsec3
+
  # Zone: nsec3-to-nsec.kasp. (reconfigured)
  set_zone_policy "nsec3-to-nsec.kasp" "nsec"
  set_nsec3param "1" "11" "0"
author	Matthijs Mekking <matthijs@isc.org>
	Mon, 10 Oct 2022 11:26:47 +0000 (13:26 +0200)
committer	Matthijs Mekking <matthijs@isc.org>
	Thu, 3 Nov 2022 13:39:23 +0000 (14:39 +0100)
bin/tests/system/kasp/ns6/named.conf.in		patch \| blob \| blame \| history
bin/tests/system/kasp/ns6/named2.conf.in		patch \| blob \| blame \| history
bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in		patch \| blob \| blame \| history
bin/tests/system/kasp/ns6/setup.sh		patch \| blob \| blame \| history
bin/tests/system/kasp/tests.sh		patch \| blob \| blame \| history
bin/tests/system/nsec3/ns3/named.conf.in		patch \| blob \| blame \| history
bin/tests/system/nsec3/ns3/named2.conf.in		patch \| blob \| blame \| history
bin/tests/system/nsec3/ns3/setup.sh		patch \| blob \| blame \| history
bin/tests/system/nsec3/tests.sh		patch \| blob \| blame \| history