From: Matthijs Mekking Date: Mon, 16 Aug 2021 09:09:25 +0000 (+0200) Subject: Test migrating CSK to dnssec-policy X-Git-Tag: v9.17.18~27^2~4 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=96ee323622491fd2a11e5b2f70906ccdf76ab2d4;p=thirdparty%2Fbind9.git Test migrating CSK to dnssec-policy Add a test case for migrating CSK to dnssec-policy. The keymgr has no way of telling that the key is used as a CSK, but if there is only one key to migrate it is going to assume it must be a CSK.
---
diff --git a/bin/tests/system/keymgr2kasp/ns3/named.conf.in b/bin/tests/system/keymgr2kasp/ns3/named.conf.in
index 13652fde5d3..d6fa2e755ce 100644
--- a/bin/tests/system/keymgr2kasp/ns3/named.conf.in
+++ b/bin/tests/system/keymgr2kasp/ns3/named.conf.in
@@ -43,6 +43,14 @@ zone "migrate.kasp" {
 update-check-ksk yes;
 };
+zone "csk.kasp" {
+ type primary;
+ file "csk.kasp.db";
+ auto-dnssec maintain;
+ allow-update { any; };
+ dnssec-dnskey-kskonly no;
+};
+
 zone "rumoured.kasp" {
 type primary;
 file "rumoured.kasp.db";
diff --git a/bin/tests/system/keymgr2kasp/ns3/named2.conf.in b/bin/tests/system/keymgr2kasp/ns3/named2.conf.in
index 6a7953ae69d..770345055ab 100644
--- a/bin/tests/system/keymgr2kasp/ns3/named2.conf.in
+++ b/bin/tests/system/keymgr2kasp/ns3/named2.conf.in
@@ -42,6 +42,13 @@ zone "migrate.kasp" {
 dnssec-policy "migrate";
 };
+zone "csk.kasp" {
+ type primary;
+ file "csk.kasp.db";
+ allow-update { any; };
+ dnssec-policy "default";
+};
+
 zone "rumoured.kasp" {
 type primary;
 file "rumoured.kasp.db";
diff --git a/bin/tests/system/keymgr2kasp/ns3/setup.sh b/bin/tests/system/keymgr2kasp/ns3/setup.sh
index f2d8c3bab60..4f2e670ddfe 100644
--- a/bin/tests/system/keymgr2kasp/ns3/setup.sh
+++ b/bin/tests/system/keymgr2kasp/ns3/setup.sh
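Review bot: The new `csk.kasp` zone in named.conf.in is configured with `dnssec-dnskey-kskonly no;`, but the setup.sh hunk in this same commit documents that zone as having `'update-check-ksk no;'` configured and signs it with `-z`, so the config and its description disagree and one of them should change. `update-check-ksk no;` is the option that makes named ignore the KSK flag and use the single KSK-flagged key for all RRsets, which is what a CSK scenario needs; `dnssec-dnskey-kskonly` only governs whether ZSKs co-sign the apex DNSKEY RRset, and `no` is already its default, so the line as written is a no-op. If named already falls back to the KSK for an algorithm that has no ZSK, the test may pass either way, which is presumably why this went unnoticed, but reconciling the zone to `update-check-ksk no;` (or correcting the setup.sh comment) makes the test exercise the configuration it claims to.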
@@ -39,6 +39,17 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+# Set up a Single-Type Signing Scheme zone with auto-dnssec maintain to
+# migrate to dnssec-policy. This is a zone that has 'update-check-ksk no;'
+# configured, meaning the zone is signed with a single CSK.
+setup csk.kasp
+echo "$zone" >> zones
+csktimes="-P now -A now -P sync now"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2> keygen.out.$zone.1)
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
 # time the existing keys do not match the policy. The existing keys are
 # RSASHA1 keys, and will be migrated to a dnssec-policy that dictates
diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh
index 342b000bdf6..7bb02bc47ed 100644
--- a/bin/tests/system/keymgr2kasp/tests.sh
+++ b/bin/tests/system/keymgr2kasp/tests.sh
@@ -143,6 +143,47 @@ dnssec_verify
 _migrate_ksk=$(key_get KEY1 ID)
 _migrate_zsk=$(key_get KEY2 ID)
+#
+# Testing a good migration (CSK).
+#
+set_zone "csk.kasp"
+set_policy "none" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "yes"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "none"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Make sure the zone is signed with legacy key.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# The key is immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
+
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+# Remember legacy key tags.
+_migrate_csk=$(key_get KEY1 ID)
+
 #
 # Testing key states derived from key timing metadata (rumoured).
 #
@@ -370,6 +411,56 @@ ret=0
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
+#
+# Testing a good migration (CSK).
+#
+set_zone "csk.kasp"
+set_policy "default" "1" "7200"
+set_server "ns3" "10.53.0.3"
+
+key_clear "KEY1"
+key_set "KEY1" "LEGACY" "no"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
+
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Various signing policy checks.
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The key was immediately published and activated.
+_created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "PUBLISHED" "${_created}"
+set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
+set_keytime "KEY1" "ACTIVE" "${_created}"
+
+# Continue signing policy checks.
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
+# Check key tags, should be the same.
+n=$((n+1))
+echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
+ret=0
+[ $_migrate_csk = $(key_get KEY1 ID) ] || log_error "mismatch csk tag"
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status+ret))
+
 #
 # Test migration to dnssec-policy, existing keys do not match key algorithm.
 #
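Review bot: The tag comparison `[ $_migrate_csk = $(key_get KEY1 ID) ]` near the end of the hunk leaves both operands unquoted, so if `_migrate_csk` (set in the earlier tests.sh hunk) or the `key_get` output is ever empty, `[` reports a syntax error instead of a clean mismatch and the diagnostic points at the wrong cause; it should be `[ "$_migrate_csk" = "$(key_get KEY1 ID)" ] || log_error "mismatch csk tag"`. The ksk/zsk comparisons for the migrate.kasp zone sit above this hunk and may use the same pattern; if so, quoting them together keeps the three checks consistent. The `echo_i` message `check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)` reads like a copy-paste slip; `check that migration of zone ${ZONE} to dnssec-policy uses the same key ($n)` says what is meant. I assume `log_error` sets `ret`, since `ret=0` is initialised two lines earlier and nothing else in the hunk touches it.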