From: Matthijs Mekking Date: Tue, 7 Apr 2020 13:51:43 +0000 (+0200) Subject: Increase migrate.kasp DNSKEY TTL X-Git-Tag: v9.17.1~9^2 X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=04e67110290dd0fa1157a32dfca04af4f8f8f4c0;p=thirdparty%2Fbind9.git Increase migrate.kasp DNSKEY TTL Increate the DNSKEY TTL of the migrate.kasp zone for the following reason: The key states are initialized depending on the timing metadata. If a key is present long enough in the zone it will be initialized to OMNIPRESENT. Long enough here is the time when it was published (when the setup script was run) plus DNSKEY TTL. Otherwise it is set to RUMOURED, or to HIDDEN if no timing metadata is set or the time is still in the future. Since the TTL is "only" 5 minutes, the DNSKEY state may be initialized to OMNIPRESENT if the test is slow, but we expect it to be in RUMOURED state. If we increase the TTL to a couple of hours it is very unlikely that it will be initialized to something else than RUMOURED.
---
diff --git a/bin/tests/system/kasp/ns6/policies/kasp.conf b/bin/tests/system/kasp/ns6/policies/kasp.conf
index 6b58eaf8250..a02d6816a7e 100644
--- a/bin/tests/system/kasp/ns6/policies/kasp.conf
+++ b/bin/tests/system/kasp/ns6/policies/kasp.conf
@@ -50,7 +50,7 @@ dnssec-policy "ecdsa256" {
 };
 dnssec-policy "migrate" {
- dnskey-ttl 300;
+ dnskey-ttl 7200;
 keys {
 ksk key-directory lifetime unlimited algorithm ECDSAP256SHA256;
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
index 8d01bd23b9d..16c92ce0f0f 100644
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
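Review bot: The new `dnskey-ttl 7200;` carries no hint of why the "migrate" policy needs a TTL of two hours, and the reason (a short TTL lets the keys generated by ns6/setup.sh be initialized to OMNIPRESENT on a slow run, while the test expects RUMOURED) lives only in the commit message. The value is also coupled to the `-L 7200` passed to `$KEYGEN` in ns6/setup.sh and to the `set_policy` arguments in tests.sh in the same commit, so a reader changing one will not know about the others. A one-line comment above the directive, `// 2h: must match -L in ns6/setup.sh; long enough that the migrated keys start in RUMOURED, not OMNIPRESENT, even on a slow run`, would record both points where the next maintainer looks.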
@@ -42,8 +42,8 @@ U="UNRETENTIVE"
 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
 setup migrate.kasp
 echo "$zone" >> zones
-KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2)
+KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.2)
 $SETTIME -P now -P sync now -A now "$KSK" > settime.out.$zone.1 2>&1
 $SETTIME -P now -A now "$ZSK" > settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 95c4e2392a2..da770695cb7 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -2893,7 +2893,7 @@ check_next_key_event 3600
 # Testing good migration.
 #
 set_zone "migrate.kasp"
-set_policy "none" "2" "300"
+set_policy "none" "2" "7200"
 set_server "ns6" "10.53.0.6"
 init_migration_match() {
@@ -3090,7 +3090,7 @@ next_key_event_threshold=$((next_key_event_threshold+i))
 # Testing migration.
 #
 set_zone "migrate.kasp"
-set_policy "migrate" "2" "300"
+set_policy "migrate" "2" "7200"
 set_server "ns6" "10.53.0.6"
 # Key properties, timings and metadata should be the same as legacy keys above.
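Review bot: The TTL is now a bare `7200` repeated on both `$KEYGEN` lines, and the same number must agree with `dnskey-ttl` in ns6/policies/kasp.conf and with the `set_policy` calls in tests.sh touched by this commit, so a later adjustment has four places to miss with no name tying them together. Hoisting it once above the two commands, `ttl=7200  # DNSKEY TTL; must match ns6/policies/kasp.conf and the tests.sh expectations`, and passing `-L "$ttl"` on both lines would at least keep this file self-consistent and give the literal a meaning; the comment can also carry the reason from the commit message (with 300 the keys could be initialized to OMNIPRESENT on a slow run). While these lines are being rewritten anyway, `$zone` is left unquoted in both changed commands, unlike the quoted `"$KSK"`/`"$ZSK"` on the `$SETTIME` lines just below; `"$zone"` would match the rest of the hunk and is harmless for a plain zone name.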
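Review bot: Neither `set_policy "none" "2" "7200"` here nor `set_policy "migrate" "2" "7200"` in the hunk at -3090 says what the third argument is or why it had to leave 300; judging from the values it is presumably the DNSKEY TTL and has to track the `-L 7200` in ns6/setup.sh and `dnskey-ttl 7200` in ns6/policies/kasp.conf from the same commit, and the test will silently diverge if either of those moves without it. A one-line comment above each call, `# DNSKEY TTL: must match -L in ns6/setup.sh and dnskey-ttl in ns6/policies/kasp.conf; kept large so the keys start RUMOURED, not OMNIPRESENT`, would pin the coupling at the point where it is asserted. The same note applies to the -3090 hunk and is not repeated there.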