POLICY=$1
NUM_KEYS=$2
DNSKEY_TTL=$3
+ KEYFILE_TTL=${4:-$3}
CDS_DELETE="no"
CDS_SHA256="yes"
CDS_SHA384="no"
_alg_numpad=$(printf "%03d" "$_alg_num")
_alg_string=$(key_get "$1" ALG_STR)
_length=$(key_get "$1" "ALG_LEN")
- _dnskey_ttl="$DNSKEY_TTL"
+ _dnskey_ttl="$KEYFILE_TTL"
_lifetime=$(key_get "$1" LIFETIME)
_legacy=$(key_get "$1" LEGACY)
_private=$(key_get "$1" PRIVATE)
_flags="$(key_get $1 FLAGS)"
_key_file="$(key_get $1 BASEFILE).key"
- awk '$1 == "'"$_owner"'" && $2 == "'"$DNSKEY_TTL"'" && $3 == "IN" && $4 == "DNSKEY" && $5 == "'"$_flags"'" && $6 == "3" && $7 == "'"$_alg"'" { print $8 }' <"$_key_file"
+ awk '$1 == "'"$_owner"'" && $2 == "'"$KEYFILE_TTL"'" && $3 == "IN" && $4 == "DNSKEY" && $5 == "'"$_flags"'" && $6 == "3" && $7 == "'"$_alg"'" { print $8 }' <"$_key_file"
}
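Review bot: The rewritten awk call on the last `+` line still builds the awk program by splicing `$_owner`, `$KEYFILE_TTL`, `$_flags` and `$_alg` into the source text, so a value containing a quote or backslash alters the program instead of the comparison; passing them with `-v` keeps the program constant: `awk -v owner="$_owner" -v ttl="$KEYFILE_TTL" -v flags="$_flags" -v alg="$_alg" '$1 == owner && $2 == ttl && $3 == "IN" && $4 == "DNSKEY" && $5 == flags && $6 == "3" && $7 == alg { print $8 }' <"$_key_file"`. The values come from key_get and the test's own arguments, so this is a robustness and style point rather than a live injection. The `key_get $1 FLAGS` and `key_get $1 BASEFILE` lines above also leave `$1` unquoted, unlike the neighbouring `key_get "$1" …` calls. The function closed by this `}` starts outside the hunk.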
# Test DNSKEY query.
dnssec-policy "autosign";
};
+/*
+ * Zone that has DNSKEY TTL mismatch with the dnssec-policy.
+ */
+zone "dnskey-ttl-mismatch.autosign" {
+ type primary;
+ file "dnskey-ttl-mismatch.autosign.db";
+ dnssec-policy "autosign";
+};
+
/*
* Zone that has valid, fresh signatures.
*/
cp $infile $zonefile
$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+# The DNSKEY's TTLs do not match the policy.
+setup dnskey-ttl-mismatch.autosign
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 30 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 30 $zsktimes $zone 2>keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+cp $infile $zonefile
+$SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
# These signatures are still good, and can be reused.
setup fresh-sigs.autosign
T="now-6mo"
check_rrsig_refresh
+#
+# Zone: dnskey-ttl-mismatch.autosign
+#
+set_zone "dnskey-ttl-mismatch.autosign"
+set_policy "autosign" "2" "300" "30"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "63072000"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "31536000"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
+
+# Both KSK and ZSK stay OMNIPRESENT.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+# Expect only two keys.
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_autosign_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
#
# Zone: fresh-sigs.autosign.
#
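Review bot: The fourth argument on the `set_policy "autosign" "2" "300" "30"` line is the only place this hunk records that the key files carry a TTL different from the policy's 300, and nothing says where 30 comes from; a comment such as `# Policy DNSKEY TTL is 300, but the key files were generated with TTL 30 (keygen -L 30).` would save the next reader a trip to setup.sh. The `# Both KSK and ZSK stay OMNIPRESENT.` comment could likewise state that the TTL mismatch is expected to leave the key states untouched, which appears to be what check_keys and check_apex below verify. The other callers of set_policy presumably still pass three arguments and rely on the new `${4:-$3}` default, so that fallback is worth a one-line mention in the function's own header, which is outside this hunk.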
POLICY=$2
NUM_KEYS=$3
DNSKEY_TTL=$4
+ KEYFILE_TTL=${5:-$4}
# The CDS digest type in these tests are all the default,
# which is SHA-256 (2).
CDS_SHA256="yes"