From: Mark Andrews
Date: Wed, 22 Dec 2021 00:14:57 +0000 (+1100)
Subject: kasp: stop using RSASHA1 unless necessary for the test
X-Git-Tag: v9.16.34~8^2~4
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=42727aab9a0fe69f56acc77c0b3b83ff5967bcae;p=thirdparty%2Fbind9.git

kasp: stop using RSASHA1 unless necessary for the test

Moves tests from being RSASHA1 based to RSASHA256 based where possible and split out the remaining RSASHA1 based tests so that they are not run on OS's that don't support RSASHA1.

(cherry picked from commit db028684e50c58100ea5eeadd5aa340981d83151)
---
diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh
index 637e5e0ce78..1ed1c80f0d7 100644
--- a/bin/tests/system/kasp/clean.sh
+++ b/bin/tests/system/kasp/clean.sh
@@ -18,6 +18,7 @@ rm -f ./K*.private ./K*.key ./K*.state ./K*.cmp
 rm -rf ./keys/
 rm -f dig.out* rrsig.out.* keyevent.out.*
 rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
+rm -f ns*/named-fips.conf
 rm -f ns*/policies/*.conf
 rm -f ns*/*.jnl ns*/*.jbk
 rm -f ns*/K*.private ns*/K*.key ns*/K*.state
diff --git a/bin/tests/system/kasp/kasp.conf b/bin/tests/system/kasp/kasp.conf
index b706558f7f6..e7a2eab9665 100644
--- a/bin/tests/system/kasp/kasp.conf
+++ b/bin/tests/system/kasp/kasp.conf
@@ -21,7 +21,7 @@ dnssec-policy "kasp" {
 keys {
 csk key-directory lifetime P1Y algorithm 13;
 ksk key-directory lifetime P1Y algorithm 8;
- zsk key-directory lifetime P30D algorithm 8 1024;
- zsk key-directory lifetime P6M algorithm 8 2000;
+ zsk key-directory lifetime P30D algorithm 8 2048;
+ zsk key-directory lifetime P6M algorithm 8 3072;
 };
 };
diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in
new file mode 100644
index 00000000000..6199b0496b5
--- /dev/null
+++ b/bin/tests/system/kasp/ns3/named-fips.conf.in
@@ -0,0 +1,508 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS3 + +include "policies/kasp.conf"; +include "policies/autosign.conf"; + +options { + query-source address 10.53.0.3; + notify-source 10.53.0.3; + transfer-source 10.53.0.3; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.3; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + dnssec-policy "rsasha256"; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +/* Zones that are getting initially signed */ + +/* The default case: No keys created, using default policy. */ +zone "default.kasp" { + type primary; + file "default.kasp.db"; + inline-signing yes; + dnssec-policy "default"; +}; + +/* checkds: Zone with one KSK. */ +zone "checkds-ksk.kasp" { + type primary; + file "checkds-ksk.kasp.db"; + inline-signing yes; + dnssec-policy "checkds-ksk"; +}; + +/* checkds: Zone with two KSKs. */ +zone "checkds-doubleksk.kasp" { + type primary; + file "checkds-doubleksk.kasp.db"; + inline-signing yes; + dnssec-policy "checkds-doubleksk"; +}; + +/* checkds: Zone with one CSK. */ +zone "checkds-csk.kasp" { + type primary; + file "checkds-csk.kasp.db"; + inline-signing yes; + dnssec-policy "checkds-csk"; +}; + +/* Key lifetime unlimited. */ +zone "unlimited.kasp" { + type primary; + file "unlimited.kasp.db"; + inline-signing yes; + dnssec-policy "unlimited"; +}; + +/* Manual rollover. 
*/ +zone "manual-rollover.kasp" { + type primary; + file "manual-rollover.kasp.db"; + inline-signing yes; + dnssec-policy "manual-rollover"; +}; + +/* A zone that inherits dnssec-policy. */ +zone "inherit.kasp" { + type primary; + inline-signing yes; + file "inherit.kasp.db"; +}; + +/* A zone that overrides dnssec-policy. */ +zone "unsigned.kasp" { + type primary; + file "unsigned.kasp.db"; + inline-signing yes; + dnssec-policy "none"; +}; + +/* A zone that is initially set to insecure. */ +zone "insecure.kasp" { + type primary; + file "insecure.kasp.db"; + inline-signing yes; + dnssec-policy "insecure"; +}; + +/* A primary zone with dnssec-policy but keys already created. */ +zone "dnssec-keygen.kasp" { + type primary; + file "dnssec-keygen.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; + +/* A secondary zone with dnssec-policy. */ +zone "secondary.kasp" { + type secondary; + primaries { 10.53.0.2; }; + file "secondary.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; + +/* A dynamic zone with dnssec-policy. */ +zone "dynamic.kasp" { + type primary; + file "dynamic.kasp.db"; + dnssec-policy "default"; + allow-update { any; }; +}; + +/* A dynamic inline-signed zone with dnssec-policy. */ +zone "dynamic-inline-signing.kasp" { + type primary; + file "dynamic-inline-signing.kasp.db"; + dnssec-policy "default"; + allow-update { any; }; + inline-signing yes; +}; + +/* An inline-signed zone with dnssec-policy. */ +zone "inline-signing.kasp" { + type primary; + file "inline-signing.kasp.db"; + dnssec-policy "default"; + inline-signing yes; +}; + +/* + * A configured dnssec-policy but some keys already created. + */ +zone "some-keys.kasp" { + type primary; + file "some-keys.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; + +/* + * A configured dnssec-policy but some keys already in use. 
+ */ +zone "legacy-keys.kasp" { + type primary; + file "legacy-keys.kasp.db"; + inline-signing yes; + dnssec-policy "migrate-to-dnssec-policy"; +}; + +/* + * A configured dnssec-policy with (too) many keys pregenerated. + */ +zone "pregenerated.kasp" { + type primary; + file "pregenerated.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; + +/* + * A configured dnssec-policy with one rumoured key. + * Bugfix case for GL #1593. + */ +zone "rumoured.kasp" { + type primary; + file "rumoured.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; + +/* RFC 8901 Multi-signer Model 2. */ +zone "multisigner-model2.kasp" { + type primary; + file "multisigner-model2.kasp.db"; + dnssec-policy "multisigner-model2"; + allow-update { any; }; +}; + +/* + * Different algorithms. + */ +zone "rsasha256.kasp" { + type primary; + file "rsasha256.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha256"; +}; +zone "rsasha512.kasp" { + type primary; + file "rsasha512.kasp.db"; + inline-signing yes; + dnssec-policy "rsasha512"; +}; +zone "ecdsa256.kasp" { + type primary; + file "ecdsa256.kasp.db"; + inline-signing yes; + dnssec-policy "ecdsa256"; +}; +zone "ecdsa384.kasp" { + type primary; + file "ecdsa384.kasp.db"; + inline-signing yes; + dnssec-policy "ecdsa384"; +}; + +/* + * Zone with too high TTL. + */ +zone "max-zone-ttl.kasp" { + type primary; + file "max-zone-ttl.kasp.db"; + inline-signing yes; + dnssec-policy "ttl"; +}; + +/* + * Zones in different signing states. + */ + +/* + * Zone that has expired signatures. + */ +zone "expired-sigs.autosign" { + type primary; + file "expired-sigs.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zone that has valid, fresh signatures. + */ +zone "fresh-sigs.autosign" { + type primary; + file "fresh-sigs.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zone that has unfresh signatures. 
+ */ +zone "unfresh-sigs.autosign" { + type primary; + file "unfresh-sigs.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zone that has missing private KSK. + */ +zone "ksk-missing.autosign" { + type primary; + file "ksk-missing.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zone that has missing private ZSK. + */ +zone "zsk-missing.autosign" { + type primary; + file "zsk-missing.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zone that has inactive ZSK. + */ +zone "zsk-retired.autosign" { + type primary; + file "zsk-retired.autosign.db"; + inline-signing yes; + dnssec-policy "autosign"; +}; + +/* + * Zones for testing enabling DNSSEC. + */ +zone "step1.enable-dnssec.autosign" { + type primary; + file "step1.enable-dnssec.autosign.db"; + inline-signing yes; + dnssec-policy "enable-dnssec"; +}; +zone "step2.enable-dnssec.autosign" { + type primary; + file "step2.enable-dnssec.autosign.db"; + inline-signing yes; + dnssec-policy "enable-dnssec"; +}; +zone "step3.enable-dnssec.autosign" { + type primary; + file "step3.enable-dnssec.autosign.db"; + inline-signing yes; + dnssec-policy "enable-dnssec"; +}; +zone "step4.enable-dnssec.autosign" { + type primary; + file "step4.enable-dnssec.autosign.db"; + inline-signing yes; + dnssec-policy "enable-dnssec"; +}; + +/* + * Zones for testing ZSK Pre-Publication steps. 
+ */ +zone "step1.zsk-prepub.autosign" { + type primary; + file "step1.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; +zone "step2.zsk-prepub.autosign" { + type primary; + file "step2.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; +zone "step3.zsk-prepub.autosign" { + type primary; + file "step3.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; +zone "step4.zsk-prepub.autosign" { + type primary; + file "step4.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; +zone "step5.zsk-prepub.autosign" { + type primary; + file "step5.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; +zone "step6.zsk-prepub.autosign" { + type primary; + file "step6.zsk-prepub.autosign.db"; + inline-signing yes; + dnssec-policy "zsk-prepub"; +}; + +/* + * Zones for testing KSK Double-KSK steps. + */ +zone "step1.ksk-doubleksk.autosign" { + type primary; + file "step1.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; +zone "step2.ksk-doubleksk.autosign" { + type primary; + file "step2.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; +zone "step3.ksk-doubleksk.autosign" { + type primary; + file "step3.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; +zone "step4.ksk-doubleksk.autosign" { + type primary; + file "step4.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; +zone "step5.ksk-doubleksk.autosign" { + type primary; + file "step5.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; +zone "step6.ksk-doubleksk.autosign" { + type primary; + file "step6.ksk-doubleksk.autosign.db"; + inline-signing yes; + dnssec-policy "ksk-doubleksk"; +}; + +/* + * Zones for testing CSK rollover steps. 
+ */ +zone "step1.csk-roll.autosign" { + type primary; + file "step1.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step2.csk-roll.autosign" { + type primary; + file "step2.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step3.csk-roll.autosign" { + type primary; + file "step3.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step4.csk-roll.autosign" { + type primary; + file "step4.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step5.csk-roll.autosign" { + type primary; + file "step5.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step6.csk-roll.autosign" { + type primary; + file "step6.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step7.csk-roll.autosign" { + type primary; + file "step7.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; +zone "step8.csk-roll.autosign" { + type primary; + file "step8.csk-roll.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll"; +}; + +zone "step1.csk-roll2.autosign" { + type primary; + file "step1.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; +zone "step2.csk-roll2.autosign" { + type primary; + file "step2.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; +zone "step3.csk-roll2.autosign" { + type primary; + file "step3.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; +zone "step4.csk-roll2.autosign" { + type primary; + file "step4.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; +zone "step5.csk-roll2.autosign" { + type primary; + file "step5.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; +zone "step6.csk-roll2.autosign" { + type primary; + file "step6.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; 
+zone "step7.csk-roll2.autosign" { + type primary; + file "step7.csk-roll2.autosign.db"; + inline-signing yes; + dnssec-policy "csk-roll2"; +}; diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in index aa3bef12031..92e007d1e73 100644 --- a/bin/tests/system/kasp/ns3/named.conf.in +++ b/bin/tests/system/kasp/ns3/named.conf.in 
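Review bot: Nothing in the new file says why it exists next to named.conf.in, and the name alone suggests a FIPS-only variant rather than the non-RSASHA1 part of the NS3 configuration; after the `// NS3` line I would add `// Zones and options that do not depend on RSASHA1. named.conf.in includes this file and adds the RSASHA1-only zones, so the rest of the suite still loads on builds whose crypto provider rejects SHA-1 signing.` The `rndc_key` block also changes from the `hmac-sha256` the removed named.conf.in used to `algorithm @DEFAULT_HMAC@`, which the commit message does not mention and which only works if the harness applies the same placeholder substitution to this file as it does to named.conf.in. The `options` block makes `rsasha256` the server-wide default, so `inherit.kasp`, which declares no `dnssec-policy` of its own, now signs with RSASHA256 where the removed options block gave it `rsasha1`; the tests.sh expectations for that zone are outside this excerpt.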
@@ -13,82 +13,8 @@ // NS3 -include "policies/kasp.conf"; -include "policies/autosign.conf"; +include "named-fips.conf"; -options { - query-source address 10.53.0.3; - notify-source 10.53.0.3; - transfer-source 10.53.0.3; - port @PORT@; - pid-file "named.pid"; - listen-on { 10.53.0.3; }; - listen-on-v6 { none; }; - allow-transfer { any; }; - recursion no; - dnssec-policy "rsasha1"; -}; - -key rndc_key { - secret "1234abcd8765"; - algorithm hmac-sha256; -}; - -controls { - inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; -}; - -/* Zones that are getting initially signed */ - -/* The default case: No keys created, using default policy. */ -zone "default.kasp" { - type primary; - file "default.kasp.db"; - inline-signing yes; - dnssec-policy "default"; -}; - -/* checkds: Zone with one KSK. */ -zone "checkds-ksk.kasp" { - type primary; - file "checkds-ksk.kasp.db"; - inline-signing yes; - dnssec-policy "checkds-ksk"; -}; - -/* checkds: Zone with two KSKs. */ -zone "checkds-doubleksk.kasp" { - type primary; - file "checkds-doubleksk.kasp.db"; - inline-signing yes; - dnssec-policy "checkds-doubleksk"; -}; - -/* checkds: Zone with one CSK. */ -zone "checkds-csk.kasp" { - type primary; - file "checkds-csk.kasp.db"; - inline-signing yes; - dnssec-policy "checkds-csk"; -}; - -/* Key lifetime unlimited. */ -zone "unlimited.kasp" { - type primary; - file "unlimited.kasp.db"; - inline-signing yes; - dnssec-policy "unlimited"; -}; - -/* Manual rollover. */ -zone "manual-rollover.kasp" { - type primary; - file "manual-rollover.kasp.db"; - inline-signing yes; - dnssec-policy "manual-rollover"; -}; - -/* A master zone with dnssec-policy, no keys created. */ zone "rsasha1.kasp" { type primary; file "rsasha1.kasp.db"; 
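Review bot: `include "named-fips.conf";` points at a generated file, and the step that renders ns3/named-fips.conf.in into it (presumably the top-level kasp setup.sh that runs copy_setports over the templates) is not in the part of the diff shown, which ends at the ns6 files; if that step was not added, named on ns3 fails to start with a missing-include error instead of merely skipping the RSASHA1 zones. clean.sh now removes `ns*/named-fips.conf`, which suggests the rendering exists, so treat this as a confirm rather than a defect. A one-line comment above the include, `// All zones and options not tied to RSASHA1 live in named-fips.conf; only the RSASHA1 zones are declared below.`, would make the split obvious to the next reader, and the same applies to the `include "policies/kasp-fips.conf";` that the policies/kasp.conf.in hunk adds.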
@@ -96,427 +22,9 @@ zone "rsasha1.kasp" { dnssec-policy "rsasha1"; }; -/* A zone that inherits dnssec-policy. */ -zone "inherit.kasp" { - type primary; - inline-signing yes; - file "inherit.kasp.db"; -}; - -/* A zone that overrides dnssec-policy. */ -zone "unsigned.kasp" { - type primary; - file "unsigned.kasp.db"; - inline-signing yes; - dnssec-policy "none"; -}; - -/* A zone that is initially set to insecure. */ -zone "insecure.kasp" { - type primary; - file "insecure.kasp.db"; - inline-signing yes; - dnssec-policy "insecure"; -}; - -/* A master zone with dnssec-policy but keys already created. */ -zone "dnssec-keygen.kasp" { - type primary; - file "dnssec-keygen.kasp.db"; - inline-signing yes; - dnssec-policy "rsasha1"; -}; - -/* A secondary zone with dnssec-policy. */ -zone "secondary.kasp" { - type secondary; - primaries { 10.53.0.2; }; - file "secondary.kasp.db"; - inline-signing yes; - dnssec-policy "rsasha1"; -}; - -/* A dynamic zone with dnssec-policy. */ -zone "dynamic.kasp" { - type primary; - file "dynamic.kasp.db"; - dnssec-policy "default"; - allow-update { any; }; -}; - -/* A dynamic inline-signed zone with dnssec-policy. */ -zone "dynamic-inline-signing.kasp" { - type primary; - file "dynamic-inline-signing.kasp.db"; - dnssec-policy "default"; - allow-update { any; }; - inline-signing yes; -}; - -/* An inline-signed zone with dnssec-policy. */ -zone "inline-signing.kasp" { - type primary; - file "inline-signing.kasp.db"; - dnssec-policy "default"; - inline-signing yes; -}; - -/* - * A configured dnssec-policy but some keys already created. - */ -zone "some-keys.kasp" { - type primary; - file "some-keys.kasp.db"; - inline-signing yes; - dnssec-policy "rsasha1"; -}; - -/* - * A configured dnssec-policy but some keys already in use. - */ -zone "legacy-keys.kasp" { - type primary; - file "legacy-keys.kasp.db"; - inline-signing yes; - dnssec-policy "migrate-to-dnssec-policy"; -}; - -/* - * A configured dnssec-policy with (too) many keys pregenerated. 
- */ -zone "pregenerated.kasp" { - type primary; - file "pregenerated.kasp.db"; - inline-signing yes; - dnssec-policy "rsasha1"; -}; - -/* - * A configured dnssec-policy with one rumoured key. - * Bugfix case for GL #1593. - */ -zone "rumoured.kasp" { - type primary; - file "rumoured.kasp.db"; - inline-signing yes; - dnssec-policy "rsasha1"; -}; - -/* RFC 8901 Multi-signer Model 2. */ -zone "multisigner-model2.kasp" { - type primary; - file "multisigner-model2.kasp.db"; - dnssec-policy "multisigner-model2"; - allow-update { any; }; -}; - -/* - * Different algorithms. - */ zone "rsasha1-nsec3.kasp" { type primary; file "rsasha1-nsec3.kasp.db"; inline-signing yes; dnssec-policy "rsasha1-nsec3"; }; -zone "rsasha256.kasp" { - type primary; - file "rsasha256.kasp.db"; - inline-signing yes; - dnssec-policy "rsasha256"; -}; -zone "rsasha512.kasp" { - type primary; - file "rsasha512.kasp.db"; - inline-signing yes; - dnssec-policy "rsasha512"; -}; -zone "ecdsa256.kasp" { - type primary; - file "ecdsa256.kasp.db"; - inline-signing yes; - dnssec-policy "ecdsa256"; -}; -zone "ecdsa384.kasp" { - type primary; - file "ecdsa384.kasp.db"; - inline-signing yes; - dnssec-policy "ecdsa384"; -}; - -/* - * Zone with too high TTL. - */ -zone "max-zone-ttl.kasp" { - type primary; - file "max-zone-ttl.kasp.db"; - inline-signing yes; - dnssec-policy "ttl"; -}; - -/* - * Zones in different signing states. - */ - -/* - * Zone that has expired signatures. - */ -zone "expired-sigs.autosign" { - type primary; - file "expired-sigs.autosign.db"; - inline-signing yes; - dnssec-policy "autosign"; -}; - -/* - * Zone that has valid, fresh signatures. - */ -zone "fresh-sigs.autosign" { - type primary; - file "fresh-sigs.autosign.db"; - inline-signing yes; - dnssec-policy "autosign"; -}; - -/* - * Zone that has unfresh signatures. 
- */ -zone "unfresh-sigs.autosign" { - type primary; - file "unfresh-sigs.autosign.db"; - inline-signing yes; - dnssec-policy "autosign"; -}; - -/* - * Zone that has missing private KSK. - */ -zone "ksk-missing.autosign" { - type primary; - file "ksk-missing.autosign.db"; - inline-signing yes; - dnssec-policy "autosign"; -}; - -/* - * Zone that has missing private ZSK. - */ -zone "zsk-missing.autosign" { - type primary; - file "zsk-missing.autosign.db"; - inline-signing yes; - dnssec-policy "autosign"; -}; - -/* - * Zone that has inactive ZSK. - */ -zone "zsk-retired.autosign" { - type primary; - file "zsk-retired.autosign.db"; - inline-signing yes; - dnssec-policy "autosign"; -}; - -/* - * Zones for testing enabling DNSSEC. - */ -zone "step1.enable-dnssec.autosign" { - type primary; - file "step1.enable-dnssec.autosign.db"; - inline-signing yes; - dnssec-policy "enable-dnssec"; -}; -zone "step2.enable-dnssec.autosign" { - type primary; - file "step2.enable-dnssec.autosign.db"; - inline-signing yes; - dnssec-policy "enable-dnssec"; -}; -zone "step3.enable-dnssec.autosign" { - type primary; - file "step3.enable-dnssec.autosign.db"; - inline-signing yes; - dnssec-policy "enable-dnssec"; -}; -zone "step4.enable-dnssec.autosign" { - type primary; - file "step4.enable-dnssec.autosign.db"; - inline-signing yes; - dnssec-policy "enable-dnssec"; -}; - -/* - * Zones for testing ZSK Pre-Publication steps. 
- */ -zone "step1.zsk-prepub.autosign" { - type primary; - file "step1.zsk-prepub.autosign.db"; - inline-signing yes; - dnssec-policy "zsk-prepub"; -}; -zone "step2.zsk-prepub.autosign" { - type primary; - file "step2.zsk-prepub.autosign.db"; - inline-signing yes; - dnssec-policy "zsk-prepub"; -}; -zone "step3.zsk-prepub.autosign" { - type primary; - file "step3.zsk-prepub.autosign.db"; - inline-signing yes; - dnssec-policy "zsk-prepub"; -}; -zone "step4.zsk-prepub.autosign" { - type primary; - file "step4.zsk-prepub.autosign.db"; - inline-signing yes; - dnssec-policy "zsk-prepub"; -}; -zone "step5.zsk-prepub.autosign" { - type primary; - file "step5.zsk-prepub.autosign.db"; - inline-signing yes; - dnssec-policy "zsk-prepub"; -}; -zone "step6.zsk-prepub.autosign" { - type primary; - file "step6.zsk-prepub.autosign.db"; - inline-signing yes; - dnssec-policy "zsk-prepub"; -}; - -/* - * Zones for testing KSK Double-KSK steps. - */ -zone "step1.ksk-doubleksk.autosign" { - type primary; - file "step1.ksk-doubleksk.autosign.db"; - inline-signing yes; - dnssec-policy "ksk-doubleksk"; -}; -zone "step2.ksk-doubleksk.autosign" { - type primary; - file "step2.ksk-doubleksk.autosign.db"; - inline-signing yes; - dnssec-policy "ksk-doubleksk"; -}; -zone "step3.ksk-doubleksk.autosign" { - type primary; - file "step3.ksk-doubleksk.autosign.db"; - inline-signing yes; - dnssec-policy "ksk-doubleksk"; -}; -zone "step4.ksk-doubleksk.autosign" { - type primary; - file "step4.ksk-doubleksk.autosign.db"; - inline-signing yes; - dnssec-policy "ksk-doubleksk"; -}; -zone "step5.ksk-doubleksk.autosign" { - type primary; - file "step5.ksk-doubleksk.autosign.db"; - inline-signing yes; - dnssec-policy "ksk-doubleksk"; -}; -zone "step6.ksk-doubleksk.autosign" { - type primary; - file "step6.ksk-doubleksk.autosign.db"; - inline-signing yes; - dnssec-policy "ksk-doubleksk"; -}; - -/* - * Zones for testing CSK rollover steps. 
- */ -zone "step1.csk-roll.autosign" { - type primary; - file "step1.csk-roll.autosign.db"; - inline-signing yes; - dnssec-policy "csk-roll"; -}; -zone "step2.csk-roll.autosign" { - type primary; - file "step2.csk-roll.autosign.db"; - inline-signing yes; - dnssec-policy "csk-roll"; -}; -zone "step3.csk-roll.autosign" { - type primary; - file "step3.csk-roll.autosign.db"; - inline-signing yes; - dnssec-policy "csk-roll"; -}; -zone "step4.csk-roll.autosign" { - type primary; - file "step4.csk-roll.autosign.db"; - inline-signing yes; - dnssec-policy "csk-roll"; -}; -zone "step5.csk-roll.autosign" { - type primary; - file "step5.csk-roll.autosign.db"; - inline-signing yes; - dnssec-policy "csk-roll"; -}; -zone "step6.csk-roll.autosign" { - type primary; - file "step6.csk-roll.autosign.db"; - inline-signing yes; - dnssec-policy "csk-roll"; -}; -zone "step7.csk-roll.autosign" { - type primary; - file "step7.csk-roll.autosign.db"; - inline-signing yes; - dnssec-policy "csk-roll"; -}; -zone "step8.csk-roll.autosign" { - type primary; - file "step8.csk-roll.autosign.db"; - inline-signing yes; - dnssec-policy "csk-roll"; -}; - -zone "step1.csk-roll2.autosign" { - type primary; - file "step1.csk-roll2.autosign.db"; - inline-signing yes; - dnssec-policy "csk-roll2"; -}; -zone "step2.csk-roll2.autosign" { - type primary; - file "step2.csk-roll2.autosign.db"; - inline-signing yes; - dnssec-policy "csk-roll2"; -}; -zone "step3.csk-roll2.autosign" { - type primary; - file "step3.csk-roll2.autosign.db"; - inline-signing yes; - dnssec-policy "csk-roll2"; -}; -zone "step4.csk-roll2.autosign" { - type primary; - file "step4.csk-roll2.autosign.db"; - inline-signing yes; - dnssec-policy "csk-roll2"; -}; -zone "step5.csk-roll2.autosign" { - type primary; - file "step5.csk-roll2.autosign.db"; - inline-signing yes; - dnssec-policy "csk-roll2"; -}; -zone "step6.csk-roll2.autosign" { - type primary; - file "step6.csk-roll2.autosign.db"; - inline-signing yes; - dnssec-policy "csk-roll2"; -}; 
-zone "step7.csk-roll2.autosign" { - type primary; - file "step7.csk-roll2.autosign.db"; - inline-signing yes; - dnssec-policy "csk-roll2"; -}; diff --git a/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in new file mode 100644 index 00000000000..90a92a223c6 --- /dev/null +++ b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in 
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "unlimited" {
+ dnskey-ttl 1234;
+
+ keys {
+ csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "manual-rollover" {
+ dnskey-ttl 3600;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "multisigner-model2" {
+ dnskey-ttl 3600;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "migrate-to-dnssec-policy" {
+ dnskey-ttl 1234;
+
+ keys {
+ ksk key-directory lifetime P6M algorithm 8;
+ zsk key-directory lifetime P6M algorithm 8;
+ };
+};
+
+dnssec-policy "rsasha256" {
+ dnskey-ttl 1234;
+
+ keys {
+ ksk key-directory lifetime P10Y algorithm 8;
+ zsk key-directory lifetime P5Y algorithm 8;
+ zsk key-directory lifetime P1Y algorithm 8 3072;
+ };
+};
+
+dnssec-policy "rsasha512" {
+ dnskey-ttl 1234;
+
+ keys {
+ ksk key-directory lifetime P10Y algorithm 10;
+ zsk key-directory lifetime P5Y algorithm 10;
+ zsk key-directory lifetime P1Y algorithm 10 3072;
+ };
+};
+
+dnssec-policy "ecdsa256" {
+ dnskey-ttl 1234;
+
+ keys {
+ ksk key-directory lifetime P10Y algorithm 13;
+ zsk key-directory lifetime P5Y algorithm 13;
+ zsk key-directory lifetime P1Y algorithm 13 256;
+ };
+};
+
+dnssec-policy "ecdsa384" {
+ dnskey-ttl 1234;
+
+ keys {
+ ksk key-directory lifetime P10Y algorithm 14;
+ zsk key-directory lifetime P5Y algorithm 14;
+ zsk key-directory lifetime P1Y algorithm 14 384;
+ };
+};
+
+dnssec-policy "checkds-ksk" {
+ dnskey-ttl 303;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "checkds-doubleksk" {
+ dnskey-ttl 303;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "checkds-csk" {
+ dnskey-ttl 303;
+
+ keys {
+ csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "ttl" {
+ max-zone-ttl 299;
+};
diff --git a/bin/tests/system/kasp/ns3/policies/kasp.conf.in b/bin/tests/system/kasp/ns3/policies/kasp.conf.in
index 17b900c7b37..cb045bcb07a 100644
--- a/bin/tests/system/kasp/ns3/policies/kasp.conf.in
+++ b/bin/tests/system/kasp/ns3/policies/kasp.conf.in
@@ -11,31 +11,7 @@
  * information regarding copyright ownership.
  */
-dnssec-policy "unlimited" {
- dnskey-ttl 1234;
-
- keys {
- csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
- };
-};
-
-dnssec-policy "manual-rollover" {
- dnskey-ttl 3600;
-
- keys {
- ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
- zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
- };
-};
-
-dnssec-policy "multisigner-model2" {
- dnskey-ttl 3600;
-
- keys {
- ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
- zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
- };
-};
+include "policies/kasp-fips.conf";
 dnssec-policy "rsasha1" {
 dnskey-ttl 1234;
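Review bot: `migrate-to-dnssec-policy` goes from `algorithm 5` (the definition removed from kasp.conf.in in the next hunk) to `algorithm 8` here, and the RSA ZSK entries in `rsasha256` and `rsasha512` go from 2000 to 3072 bits; both change what the legacy-keys and rsasha* tests exercise, which the commit message's "move where possible" does not convey, so they deserve a sentence in the message or a comment next to the policies. Generating 3072-bit RSA keys is noticeably slower than 2048-bit, so the test wall clock may grow; the timing is not visible here, so this is only a caution. A header comment after the license block, `/* Policies that do not require RSASHA1; kept separate so kasp.conf can still be loaded on builds whose crypto provider rejects SHA-1 signing. */`, would explain why the file was split off from kasp.conf.in.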
@@ -47,15 +23,6 @@ dnssec-policy "rsasha1" { }; }; -dnssec-policy "migrate-to-dnssec-policy" { - dnskey-ttl 1234; - - keys { - ksk key-directory lifetime P6M algorithm 5; - zsk key-directory lifetime P6M algorithm 5; - }; -}; - dnssec-policy "rsasha1-nsec3" { dnskey-ttl 1234; @@ -65,74 +32,3 @@ dnssec-policy "rsasha1-nsec3" { zsk key-directory lifetime P1Y algorithm 7 2000; }; }; - -dnssec-policy "rsasha256" { - dnskey-ttl 1234; - - keys { - ksk key-directory lifetime P10Y algorithm 8; - zsk key-directory lifetime P5Y algorithm 8; - zsk key-directory lifetime P1Y algorithm 8 2000; - }; -}; - -dnssec-policy "rsasha512" { - dnskey-ttl 1234; - - keys { - ksk key-directory lifetime P10Y algorithm 10; - zsk key-directory lifetime P5Y algorithm 10; - zsk key-directory lifetime P1Y algorithm 10 2000; - }; -}; - -dnssec-policy "ecdsa256" { - dnskey-ttl 1234; - - keys { - ksk key-directory lifetime P10Y algorithm 13; - zsk key-directory lifetime P5Y algorithm 13; - zsk key-directory lifetime P1Y algorithm 13 256; - }; -}; - -dnssec-policy "ecdsa384" { - dnskey-ttl 1234; - - keys { - ksk key-directory lifetime P10Y algorithm 14; - zsk key-directory lifetime P5Y algorithm 14; - zsk key-directory lifetime P1Y algorithm 14 384; - }; -}; - -dnssec-policy "checkds-ksk" { - dnskey-ttl 303; - - keys { - ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - }; -}; - -dnssec-policy "checkds-doubleksk" { - dnskey-ttl 303; - - keys { - ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - }; -}; - -dnssec-policy "checkds-csk" { - dnskey-ttl 303; - - keys { - csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - }; -}; - -dnssec-policy "ttl" { - max-zone-ttl 299; -}; 
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index bc4a0fc11d6..cc702d13f6e 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -42,8 +42,8 @@ U="UNRETENTIVE"
 #
 # Set up zones that will be initially signed.
 #
-for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \
- rumoured rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 \
+for zn in default dnssec-keygen some-keys legacy-keys pregenerated \
+ rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \
 dynamic dynamic-inline-signing inline-signing \
 checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
 manual-rollover multisigner-model2
@@ -52,6 +52,22 @@ do
 cp template.db.in "$zonefile"
 done
+#
+# Set up RSASHA1 based zones
+#
+for zn in rsasha1 rsasha1-nsec3
+do
+ if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1)
+ then
+ setup "${zn}.kasp"
+ cp template.db.in "$zonefile"
+ else
+ # don't add to zones.
+ echo_i "setting up zone: ${zn}.kasp"
+ cp template.db.in "${zn}.kasp.db"
+ fi
+done
+
 if [ -f ../ed25519-supported.file ]; then
 setup "ed25519.kasp"
 cp template.db.in "$zonefile"
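Review bot: The RSASHA1 capability probe `(cd ..; $SHELL ../testcrypto.sh -q RSASHA1)` is re-run on every iteration of the new `for zn in rsasha1 rsasha1-nsec3` loop although its result cannot change between iterations; run it once before the loop, e.g. `if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1); then rsasha1_ok=yes; else rsasha1_ok=no; fi`, and test `[ "$rsasha1_ok" = yes ]` inside. The `# don't add to zones.` comment is too terse to explain the else branch; `# RSASHA1 unavailable: create the zone file so named can still load the zone, but keep it out of the list of zones the tests expect to be signed` says what it is for, assuming `setup` (defined outside the hunk) is what appends to that list. The else branch also logs the same `setting up zone:` message as the supported path, so the run log does not show that the zone was skipped; `echo_i "setting up zone (RSASHA1 unsupported, left unsigned): ${zn}.kasp"` would make a later failure easier to read.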
@@ -78,31 +94,31 @@ done
 # Some of these zones already have keys.
 zone="dnssec-keygen.kasp"
 echo_i "setting up zone: $zone"
-$KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
 zone="some-keys.kasp"
 echo_i "setting up zone: $zone"
-$KEYGEN -G -a RSASHA1 -b 2000 -L 1234 $zone > keygen.out.$zone.1 2>&1
-$KEYGEN -G -a RSASHA1 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1
+$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -G -a RSASHA256 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1
 zone="legacy-keys.kasp"
 echo_i "setting up zone: $zone"
-ZSK=$($KEYGEN -a RSASHA1 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1)
-KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1)
+KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.2)
 echo $ZSK > legacy-keys.kasp.zsk
 echo $KSK > legacy-keys.kasp.ksk
 # Predecessor keys:
 Tact="now-9mo"
 Tret="now-3mo"
-ZSK=$($KEYGEN -a RSASHA1 -b 2048 -L 1234 $zone 2> keygen.out.$zone.3)
-KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $zone 2> keygen.out.$zone.4)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.3)
+KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.4)
 $SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK" > settime.out.$zone.1 2>&1
 $SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK" > settime.out.$zone.2 2>&1
 zone="pregenerated.kasp"
 echo_i "setting up zone: $zone"
-$KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
-$KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
+$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
 zone="multisigner-model2.kasp"
 echo_i "setting up zone: $zone"
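Review bot: `$KEYGEN -k rsasha256 -l policies/kasp.conf` (dnssec-keygen.kasp and pregenerated.kasp) now finds the `rsasha256` policy only through the `include "policies/kasp-fips.conf";` that this commit adds to kasp.conf.in; that relative path is resolved from the directory setup.sh runs in, and the rendering of kasp-fips.conf.in into kasp-fips.conf is outside this excerpt, so a missing or mis-located include makes keygen fail with an unknown-policy error rather than taking the RSASHA1 skip path. The pregenerated key sizes are now implicit: the some-keys ZSK is `-b 2048` (named's default RSA size, matching the policy's first `zsk ... algorithm 8` entry) where the old `-b 2000` matched the 2000-bit entries the old policies carried; a short comment per zone such as `# sizes mirror the ksk/zsk entries of the rsasha256 policy in policies/kasp-fips.conf` would keep the two files from drifting apart silently.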
@@ -122,9 +138,9 @@ echo_i "setting up zone: $zone"
 Tpub="now"
 Tact="now+1d"
 keytimes="-P ${Tpub} -A ${Tact}"
-KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $keytimes $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1 -b 2000 -L 1234 $keytimes $zone 2> keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a RSASHA1 -L 1234 $keytimes $zone 2> keygen.out.$zone.3)
+KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $keytimes $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes $zone 2> keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a RSASHA256 -L 1234 $keytimes $zone 2> keygen.out.$zone.3)
 $SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" > settime.out.$zone.2 2>&1
 $SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.2 2>&1
diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in
index cf9900ff00c..7b919d4ee12 100644
--- a/bin/tests/system/kasp/ns6/named.conf.in
+++ b/bin/tests/system/kasp/ns6/named.conf.in
@@ -65,7 +65,7 @@ zone "step1.algorithm-roll.kasp" {
 type primary;
 file "step1.algorithm-roll.kasp.db";
 inline-signing yes;
- dnssec-policy "rsasha1";
+ dnssec-policy "rsasha256";
 };
 
 zone "step1.csk-algorithm-roll.kasp" {
diff --git a/bin/tests/system/kasp/ns6/policies/csk1.conf.in b/bin/tests/system/kasp/ns6/policies/csk1.conf.in
index ebaca8835b4..a5ff042db80 100644
--- a/bin/tests/system/kasp/ns6/policies/csk1.conf.in
+++ b/bin/tests/system/kasp/ns6/policies/csk1.conf.in
@@ -17,7 +17,7 @@ dnssec-policy "csk-algoroll" {
 signatures-validity-dnskey 30d;
 
 keys {
- csk lifetime unlimited algorithm rsasha1;
+ csk lifetime unlimited algorithm rsasha256;
 };
 
 dnskey-ttl 1h;
diff --git a/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
new file mode 100644
index 00000000000..683c9ef5009
--- /dev/null
+++ b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
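Review bot: In the unchanged tail of the multisigner-model2.kasp hunk both the `"$ZSK1"` and the `"$ZSK2"` settime calls redirect to `settime.out.$zone.2`, so the second run overwrites the first and the ZSK1 settime output is gone when a failure needs diagnosing. The last line should write `> settime.out.$zone.3 2>&1`, matching the per-key numbering used for `keygen.out.$zone.3` on the line that this commit does touch. This is pre-existing context rather than part of the algorithm switch, but the hunk is the natural place to correct it.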
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "unsigning" {
+ dnskey-ttl 7200;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+ };
+};
+
+dnssec-policy "rsasha256" {
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ keys {
+ ksk lifetime unlimited algorithm rsasha256;
+ zsk lifetime unlimited algorithm rsasha256;
+ };
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ zone-propagation-delay 3600;
+ max-zone-ttl 6h;
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
+
+dnssec-policy "ecdsa256" {
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ keys {
+ ksk lifetime unlimited algorithm ecdsa256;
+ zsk lifetime unlimited algorithm ecdsa256;
+ };
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ zone-propagation-delay 3600;
+ max-zone-ttl 6h;
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
diff --git a/bin/tests/system/kasp/ns6/policies/kasp.conf.in b/bin/tests/system/kasp/ns6/policies/kasp.conf.in
index 2caae022d2c..d634b76ffe7 100644
--- a/bin/tests/system/kasp/ns6/policies/kasp.conf.in
+++ b/bin/tests/system/kasp/ns6/policies/kasp.conf.in
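Review bot: The new policy file carries only the license header, so nothing in it says why `unsigning`, `rsasha256` and `ecdsa256` were moved here while `rsasha1` stays in kasp.conf.in, and a reader of either file has to find in the setup.sh hunk of this commit that this file is copied over kasp.conf on builds without RSASHA1. A one-line comment after the license block would record that contract where it is read: `// Policies that do not depend on RSASHA1. kasp.conf.in includes this file; on builds without RSASHA1, setup.sh installs it as kasp.conf instead.` The same note belongs above the new `include "policies/kasp-fips.conf";` line in kasp.conf.in.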
@@ -11,14 +11,7 @@
 * information regarding copyright ownership.
 */
 
-dnssec-policy "unsigning" {
- dnskey-ttl 7200;
-
- keys {
- ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
- zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
- };
-};
+include "policies/kasp-fips.conf";
 
 dnssec-policy "rsasha1" {
 signatures-refresh P5D;
@@ -38,22 +31,3 @@ dnssec-policy "rsasha1" {
 parent-propagation-delay pt1h;
 parent-ds-ttl 7200;
 };
-
-dnssec-policy "ecdsa256" {
- signatures-refresh P5D;
- signatures-validity 30d;
- signatures-validity-dnskey 30d;
-
- keys {
- ksk lifetime unlimited algorithm ecdsa256;
- zsk lifetime unlimited algorithm ecdsa256;
- };
-
- dnskey-ttl 1h;
- publish-safety PT1H;
- retire-safety 2h;
- zone-propagation-delay 3600;
- max-zone-ttl 6h;
- parent-propagation-delay pt1h;
- parent-ds-ttl 7200;
-};
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
index e53c72a9e60..27686ee3f94 100644
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@@ -92,13 +92,13 @@ echo "$zone" >> zones
 TactN="now"
 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
 zsktimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
+KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
 $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone 5 "$KSK" >> "$infile"
-private_type_record $zone 5 "$ZSK" >> "$infile"
+private_type_record $zone 8 "$KSK" >> "$infile"
+private_type_record $zone 8 "$ZSK" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
 # Step 2:
@@ -114,8 +114,8 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
 zsk1times="-P ${TactN} -A ${TactN} -I now"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
 KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
 ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
 $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
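Review bot: The algorithm number in `private_type_record $zone 8 "$KSK"` is a bare literal that has to agree with the `-a RSASHA256` on the keygen lines a few lines above, and the same mnemonic/number pair is repeated by hand in every later step of this file (the hunks at `@@ -126`, `@@ -144`, `@@ -156`, `@@ -175`, `@@ -187`, `@@ -207`, `@@ -219`, `@@ -240` and `@@ -252`), whereas the replacement keys already use the paired `$DEFAULT_ALGORITHM` and `$DEFAULT_ALGORITHM_NUMBER`. Defining the pre-roll algorithm the same way once near the top of ns6/setup.sh (outside this hunk), e.g. `OLD_ALGORITHM=RSASHA256` and `OLD_ALGORITHM_NUMBER=8`, and using them in both the keygen and the private_type_record lines keeps the name and the number from drifting apart on the next change, which is exactly the mismatch this commit had to chase through nine hunks.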
@@ -126,8 +126,8 @@ $SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.ou
 echo "Lifetime: 0" >> "${KSK1}.state"
 echo "Lifetime: 0" >> "${ZSK1}.state"
 cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 5 "$KSK1" >> "$infile"
-private_type_record $zone 5 "$ZSK1" >> "$infile"
+private_type_record $zone 8 "$KSK1" >> "$infile"
+private_type_record $zone 8 "$ZSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -144,8 +144,8 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
 zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
 KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
 ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
 $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
@@ -156,8 +156,8 @@ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.ou
 echo "Lifetime: 0" >> "${KSK1}.state"
 echo "Lifetime: 0" >> "${ZSK1}.state"
 cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 5 "$KSK1" >> "$infile"
-private_type_record $zone 5 "$ZSK1" >> "$infile"
+private_type_record $zone 8 "$KSK1" >> "$infile"
+private_type_record $zone 8 "$ZSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -175,8 +175,8 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
 zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
 KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
 ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
 $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
@@ -187,8 +187,8 @@ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2
 echo "Lifetime: 0" >> "${KSK1}.state"
 echo "Lifetime: 0" >> "${ZSK1}.state"
 cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 5 "$KSK1" >> "$infile"
-private_type_record $zone 5 "$ZSK1" >> "$infile"
+private_type_record $zone 8 "$KSK1" >> "$infile"
+private_type_record $zone 8 "$ZSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -207,8 +207,8 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
 zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
 KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
 ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
 $SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
@@ -219,8 +219,8 @@ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.ou
 echo "Lifetime: 0" >> "${KSK1}.state"
 echo "Lifetime: 0" >> "${ZSK1}.state"
 cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 5 "$KSK1" >> "$infile"
-private_type_record $zone 5 "$ZSK1" >> "$infile"
+private_type_record $zone 8 "$KSK1" >> "$infile"
+private_type_record $zone 8 "$ZSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -240,8 +240,8 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
 zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
 KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
 ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
 $SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
@@ -252,8 +252,8 @@ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.ou
 echo "Lifetime: 0" >> "${KSK1}.state"
 echo "Lifetime: 0" >> "${ZSK1}.state"
 cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 5 "$KSK1" >> "$infile"
-private_type_record $zone 5 "$ZSK1" >> "$infile"
+private_type_record $zone 8 "$KSK1" >> "$infile"
+private_type_record $zone 8 "$ZSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh
index 3b4b26a4a70..d3f4329ac7f 100644
--- a/bin/tests/system/kasp/setup.sh
+++ b/bin/tests/system/kasp/setup.sh
@@ -21,7 +21,13 @@ $SHELL clean.sh
 mkdir keys
 
 copy_setports ns2/named.conf.in ns2/named.conf
-copy_setports ns3/named.conf.in ns3/named.conf
+if ! $SHELL ../testcrypto.sh -q RSASHA1
+then
+ copy_setports ns3/named-fips.conf.in ns3/named.conf
+else
+ copy_setports ns3/named-fips.conf.in ns3/named-fips.conf
+ copy_setports ns3/named.conf.in ns3/named.conf
+fi
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
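Review bot: `$SHELL ../testcrypto.sh -q RSASHA1` is spawned three times in setup.sh (here for ns3/named.conf and twice in the next hunk for ns3/policies and ns6/policies), so which configuration ends up installed rests on three independent probes. Running it once, `if $SHELL ../testcrypto.sh -q RSASHA1; then HAVE_RSASHA1=yes; else HAVE_RSASHA1=no; fi`, and testing `[ "$HAVE_RSASHA1" = no ]` at each of the three sites ties every file choice to the same answer and makes the intent readable at a glance. The else branch also renders ns3/named-fips.conf alongside ns3/named.conf, but nothing in the visible hunks reads that file on an RSASHA1-capable build; a short comment naming its consumer would stop the next maintainer from treating it as a leftover.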
@@ -35,11 +41,21 @@ if $SHELL ../testcrypto.sh ed448; then
 fi
 
 copy_setports ns3/policies/autosign.conf.in ns3/policies/autosign.conf
+copy_setports ns3/policies/kasp-fips.conf.in ns3/policies/kasp-fips.conf
 copy_setports ns3/policies/kasp.conf.in ns3/policies/kasp.conf
+if ! $SHELL ../testcrypto.sh -q RSASHA1
+then
+ cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf
+fi
 
 copy_setports ns6/policies/csk1.conf.in ns6/policies/csk1.conf
 copy_setports ns6/policies/csk2.conf.in ns6/policies/csk2.conf
+copy_setports ns6/policies/kasp-fips.conf.in ns6/policies/kasp-fips.conf
 copy_setports ns6/policies/kasp.conf.in ns6/policies/kasp.conf
+if ! $SHELL ../testcrypto.sh -q RSASHA1
+then
+ cp ns6/policies/kasp-fips.conf ns6/policies/kasp.conf
+fi
 
 # Setup zones
 (
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 4a62dbc47fd..81a4bf2ad90 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -84,13 +84,13 @@ set_zonesigning "KEY2" "no"
 
 set_keyrole "KEY3" "zsk"
 set_keylifetime "KEY3" "2592000"
-set_keyalgorithm "KEY3" "8" "RSASHA256" "1024"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
 set_keysigning "KEY3" "no"
 set_zonesigning "KEY3" "yes"
 
 set_keyrole "KEY4" "zsk"
 set_keylifetime "KEY4" "16070400"
-set_keyalgorithm "KEY4" "8" "RSASHA256" "2000"
+set_keyalgorithm "KEY4" "8" "RSASHA256" "3072"
 set_keysigning "KEY4" "no"
 set_zonesigning "KEY4" "yes"
 
@@ -788,55 +788,58 @@ set_keytimes_algorithm_policy() {
 #
 # Zone: rsasha1.kasp.
 #
-set_zone "rsasha1.kasp"
-set_policy "rsasha1" "3" "1234"
-set_server "ns3" "10.53.0.3"
-# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "315360000"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
+if $SHELL ../testcrypto.sh -q RSASHA1
+then
+ set_zone "rsasha1.kasp"
+ set_policy "rsasha1" "3" "1234"
+ set_server "ns3" "10.53.0.3"
+ # Key properties.
+ key_clear "KEY1"
+ set_keyrole "KEY1" "ksk"
+ set_keylifetime "KEY1" "315360000"
+ set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+ set_keysigning "KEY1" "yes"
+ set_zonesigning "KEY1" "no"
 
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "157680000"
-set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
+ key_clear "KEY2"
+ set_keyrole "KEY2" "zsk"
+ set_keylifetime "KEY2" "157680000"
+ set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+ set_keysigning "KEY2" "no"
+ set_zonesigning "KEY2" "yes"
 
-key_clear "KEY3"
-set_keyrole "KEY3" "zsk"
-set_keylifetime "KEY3" "31536000"
-set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
-set_keysigning "KEY3" "no"
-set_zonesigning "KEY3" "yes"
+ key_clear "KEY3"
+ set_keyrole "KEY3" "zsk"
+ set_keylifetime "KEY3" "31536000"
+ set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
+ set_keysigning "KEY3" "no"
+ set_zonesigning "KEY3" "yes"
 
-# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
-# ZSK: DNSKEY, RRSIG (zsk) published.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
+ # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
+ # ZSK: DNSKEY, RRSIG (zsk) published.
+ set_keystate "KEY1" "GOAL" "omnipresent"
+ set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+ set_keystate "KEY1" "STATE_DS" "hidden"
 
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+ set_keystate "KEY2" "GOAL" "omnipresent"
+ set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
 
-set_keystate "KEY3" "GOAL" "omnipresent"
-set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
-# Three keys only.
-key_clear "KEY4"
+ set_keystate "KEY3" "GOAL" "omnipresent"
+ set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
+ # Three keys only.
+ key_clear "KEY4"
 
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_algorithm_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
+ check_keys
+ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+ set_keytimes_algorithm_policy
+ check_keytimes
+ check_apex
+ check_subdomain
+ dnssec_verify
+fi
 
 #
 # Zone: unsigned.kasp.
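Review bot: When `$SHELL ../testcrypto.sh -q RSASHA1` fails, the whole rsasha1.kasp block that this hunk wraps is skipped without a single line of output, so a test log from a build without RSASHA1 is indistinguishable from one in which the zone checks ran and passed. An else branch that records the decision, `else` / `echo_i "skipping rsasha1.kasp checks: RSASHA1 not supported"` / `fi`, makes the reduced coverage visible in the log and lets a later reader tell a deliberate skip from a silently dropped test. The rsasha1-nsec3.kasp block in the `@@ -1084` hunk has the same gap and would take the same three lines. This hunk's wrapper also re-runs the probe that setup.sh already ran; if testcrypto.sh could leave a marker file the way the ed25519 setup does (`../ed25519-supported.file` in ns3/setup.sh), both scripts could test for that file instead of spawning the probe again.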
@@ -910,28 +913,28 @@ dnssec_verify
 # Zone: inherit.kasp.
 #
 set_zone "inherit.kasp"
-set_policy "rsasha1" "3" "1234"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear "KEY1"
 set_keyrole "KEY1" "ksk"
 set_keylifetime "KEY1" "315360000"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "no"
 
 key_clear "KEY2"
 set_keyrole "KEY2" "zsk"
 set_keylifetime "KEY2" "157680000"
-set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
 set_keysigning "KEY2" "no"
 set_zonesigning "KEY2" "yes"
 
 key_clear "KEY3"
 set_keyrole "KEY3" "zsk"
 set_keylifetime "KEY3" "31536000"
-set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
 set_keysigning "KEY3" "no"
 set_zonesigning "KEY3" "yes"
 # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
@@ -963,7 +966,7 @@ dnssec_verify
 # Zone: dnssec-keygen.kasp.
 #
 set_zone "dnssec-keygen.kasp"
-set_policy "rsasha1" "3" "1234"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 
 # Key properties, timings and states same as above.
@@ -979,7 +982,7 @@ dnssec_verify
 # Zone: some-keys.kasp.
 #
 set_zone "some-keys.kasp"
-set_policy "rsasha1" "3" "1234"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 
 # Key properties, timings and states same as above.
@@ -997,7 +1000,7 @@ dnssec_verify
 # There are more pregenerated keys than needed, hence the number of keys is
 # six, not three.
 set_zone "pregenerated.kasp"
-set_policy "rsasha1" "6" "1234"
+set_policy "rsasha256" "6" "1234"
 set_server "ns3" "10.53.0.3"
 
 # Key properties, timings and states same as above.
@@ -1014,7 +1017,7 @@ dnssec_verify
 #
 # There are three keys in rumoured state.
 set_zone "rumoured.kasp"
-set_policy "rsasha1" "3" "1234"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 
 # Key properties, timings and states same as above.
@@ -1040,7 +1043,7 @@ dnssec_verify
 # Zone: secondary.kasp.
 #
 set_zone "secondary.kasp"
-set_policy "rsasha1" "3" "1234"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 
 # Key properties, timings and states same as above.
@@ -1084,22 +1087,25 @@ status=$((status+ret))
 #
 # Zone: rsasha1-nsec3.kasp.
 #
-set_zone "rsasha1-nsec3.kasp"
-set_policy "rsasha1-nsec3" "3" "1234"
-set_server "ns3" "10.53.0.3"
-# Key properties.
-set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
-set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048"
-set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000"
-# Key timings and states same as above.
+if $SHELL ../testcrypto.sh -q RSASHA1
+then
+ set_zone "rsasha1-nsec3.kasp"
+ set_policy "rsasha1-nsec3" "3" "1234"
+ set_server "ns3" "10.53.0.3"
+ # Key properties.
+ set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
+ set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048"
+ set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000"
+ # Key timings and states same as above.
 
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_algorithm_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
+ check_keys
+ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+ set_keytimes_algorithm_policy
+ check_keytimes
+ check_apex
+ check_subdomain
+ dnssec_verify
+fi
 
 #
 # Zone: rsasha256.kasp.
@@ -1110,7 +1116,7 @@ set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keyalgorithm "KEY3" "8" "RSASHA256" "2000"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
 # Key timings and states same as above.
 
 check_keys
@@ -1130,7 +1136,7 @@ set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyalgorithm "KEY1" "10" "RSASHA512" "2048"
 set_keyalgorithm "KEY2" "10" "RSASHA512" "2048"
-set_keyalgorithm "KEY3" "10" "RSASHA512" "2000"
+set_keyalgorithm "KEY3" "10" "RSASHA512" "3072"
 # Key timings and states same as above.
 
 check_keys
@@ -1530,14 +1536,14 @@ set_server "ns3" "10.53.0.3"
 key_clear "KEY1"
 set_keyrole "KEY1" "ksk"
 set_keylifetime "KEY1" "16070400"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "no"
 
 key_clear "KEY2"
 set_keyrole "KEY2" "zsk"
 set_keylifetime "KEY2" "16070400"
-set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
 set_keysigning "KEY2" "no"
 set_zonesigning "KEY2" "yes"
 # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
@@ -3547,20 +3553,20 @@ IretZSK=0
 # Zone: step1.algorithm-roll.kasp
 #
 set_zone "step1.algorithm-roll.kasp"
-set_policy "rsasha1" "2" "3600"
+set_policy "rsasha256" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # Key properties.
 key_clear "KEY1"
 set_keyrole "KEY1" "ksk"
 set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "no"
 
 key_clear "KEY2"
 set_keyrole "KEY2" "zsk"
 set_keylifetime "KEY2" "0"
-set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
 set_keysigning "KEY2" "no"
 set_zonesigning "KEY2" "yes"
 key_clear "KEY3"
@@ -3601,7 +3607,7 @@ set_server "ns6" "10.53.0.6"
 key_clear "KEY1"
 set_keyrole "KEY1" "csk"
 set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "yes"
 key_clear "KEY2"
@@ -3993,14 +3999,14 @@ set_server "ns6" "10.53.0.6"
 key_clear "KEY1"
 set_keyrole "KEY1" "ksk"
 set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "no"
 
 key_clear "KEY2"
 set_keyrole "KEY2" "zsk"
 set_keylifetime "KEY2" "0"
-set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
 set_keysigning "KEY2" "no"
 set_zonesigning "KEY2" "yes"
 # New ECDSAP256SHA256 keys.
@@ -4395,7 +4401,7 @@ set_server "ns6" "10.53.0.6"
 key_clear "KEY1"
 set_keyrole "KEY1" "csk"
 set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "yes"
 # New ECDSAP256SHA256 key.