# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# pylint: disable=redefined-outer-name,unused-import
import pytest
import isctest
from isctest.kasp import KeyTimingMetadata
from common import (
pytestmark,
alg,
size,
CDSS,
ALGOROLL_CONFIG,
ALGOROLL_IPUB,
ALGOROLL_IPUBC,
ALGOROLL_IRET,
ALGOROLL_IRETKSK,
ALGOROLL_KEYTTLPROP,
ALGOROLL_OFFSETS,
ALGOROLL_OFFVAL,
TIMEDELTA,
)
# Name of the dnssec-policy exercised by every step below, and the shared
# rollover configuration handed to isctest.kasp.check_rollover_step().
POLICY = "csk-algoroll"
CONFIG = ALGOROLL_CONFIG

# Elapsed time between taking the start timestamp and finishing
# 'rndc reconfig' in the module-scoped reconfigure() fixture. The step
# tests subtract it from their expected next-event intervals so that a
# slow platform does not produce intermittent false positives.
TIME_PASSED = 0  # overwritten by the reconfigure() fixture
@pytest.fixture(scope="module", autouse=True)
def reconfigure(servers, templates):
    """Switch ns6 to the CSK algorithm-rollover configuration.

    Renders ``ns6/named.conf`` with ``csk_roll`` enabled, reconfigures the
    server and records how long that took in the module global
    ``TIME_PASSED`` (the difference of the two ``KeyTimingMetadata``
    values; the step tests treat it as seconds). Later steps subtract it
    from their expected "next key event" intervals.
    """
    global TIME_PASSED  # pylint: disable=global-statement
    started = KeyTimingMetadata.now()
    templates.render("ns6/named.conf", {"csk_roll": True})
    servers["ns6"].reconfigure()
    finished = KeyTimingMetadata.now()
    # Key timing metadata is fixed at key creation, so any time spent before
    # the reconfigure completes shifts the expected next events accordingly.
    TIME_PASSED = finished.value - started.value
def test_algoroll_csk_reconfig_step1(servers, alg, size):
    """Step 1: the new-algorithm CSK is introduced next to the old one.

    The RSASHA CSK is outroducing but still fully published (DNSKEY,
    signatures and DS omnipresent); the ``alg``/``size`` CSK has just been
    created, so its records are only rumoured and no DS exists yet.
    """
    # Old algorithm: goal hidden, but everything still present.
    old_csk = f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}"
    # New algorithm: being introduced, nothing propagated yet.
    new_csk = f"csk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden"
    step = dict(
        zone="step1.csk-algorithm-roll.kasp",
        cdss=CDSS,
        keyprops=[old_csk, new_csk],
        # Next key event: the new-algorithm keys have been propagated.
        nextev=ALGOROLL_IPUB,
    )
    isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
def test_algoroll_csk_reconfig_step2(servers, alg, size):
    """Step 2: the new DNSKEY is omnipresent, the new signatures are not.

    The RSASHA CSK keeps its previous states: during an algorithm roll the
    old algorithm must stay fully published until the chain of trust for
    the new algorithm has been established, otherwise validators that only
    see the old DS would find a zone they cannot validate.
    """
    ns6 = servers["ns6"]
    keyprops = [
        # Old algorithm: unchanged from step 1 on purpose.
        f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
        # New algorithm: DNSKEY/KRRSIG propagated, zone signatures still rumoured.
        f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{ALGOROLL_OFFSETS['step2']}",
    ]
    # Next key event: all zone signatures are made with the new algorithm.
    # That is the child publication interval, less the publication interval
    # that already elapsed, less the time the reconfigure itself took
    # (guards against false positives on slow platforms).
    nextev = ALGOROLL_IPUBC - ALGOROLL_IPUB - TIME_PASSED
    step = {
        "zone": "step2.csk-algorithm-roll.kasp",
        "cdss": CDSS,
        "keyprops": keyprops,
        "nextev": nextev,
    }
    isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step)
def test_algoroll_csk_reconfig_step3(servers, alg, size):
    """Step 3: the zone is fully signed with both algorithms, so the DS swaps.

    The old DS becomes unretentive and the new DS rumoured; all DNSKEY and
    signature records of both algorithms remain omnipresent meanwhile.
    """
    old_csk = f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:unretentive offset:{ALGOROLL_OFFVAL}"
    new_csk = f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{ALGOROLL_OFFSETS['step3']}"
    step = dict(
        zone="step3.csk-algorithm-roll.kasp",
        cdss=CDSS,
        keyprops=[old_csk, new_csk],
        # Next key event: the new DS becomes OMNIPRESENT, i.e. after the
        # parent-side publication interval, corrected for reconfigure time.
        nextev=ALGOROLL_IRETKSK - TIME_PASSED,
    )
    isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
def test_algoroll_csk_reconfig_step4(servers, alg, size):
    """Step 4: the old DS is HIDDEN, so the old algorithm's records withdraw.

    Only once the old DS is gone everywhere is it safe to start removing
    the RSASHA DNSKEY and signatures; they move to unretentive here.
    """
    ns6 = servers["ns6"]
    keyprops = [
        # Old algorithm: DS hidden, DNSKEY and signatures being withdrawn.
        f"csk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}",
        # New algorithm: fully established, including the DS.
        f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
    ]
    step = {
        "zone": "step4.csk-algorithm-roll.kasp",
        "cdss": CDSS,
        "keyprops": keyprops,
        # Next key event: the old DNSKEY becomes HIDDEN, after the DNSKEY
        # TTL plus zone propagation delay.
        "nextev": ALGOROLL_KEYTTLPROP,
    }
    isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step)
def test_algoroll_csk_reconfig_step5(servers, alg, size):
    """Step 5: the old DNSKEY (and KRRSIG) are HIDDEN; zone signatures linger.

    The RSASHA zone signatures stay unretentive until cached copies signed
    with the old algorithm have expired.
    """
    old_csk = f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}"
    new_csk = f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step5']}"
    # Next key event: the RSASHA signatures become HIDDEN. That is the
    # max-zone-ttl plus zone propagation delay, minus the time already spent
    # since the UNRETENTIVE state was reached, minus the reconfigure time
    # (guards against false positives on slow platforms).
    nextev = ALGOROLL_IRET - ALGOROLL_IRETKSK - ALGOROLL_KEYTTLPROP - TIME_PASSED
    step = dict(
        zone="step5.csk-algorithm-roll.kasp",
        cdss=CDSS,
        keyprops=[old_csk, new_csk],
        nextev=nextev,
    )
    isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
def test_algoroll_csk_reconfig_step6(servers, alg, size):
    """Step 6: the roll is complete; every old-algorithm record is HIDDEN.

    Only the ``alg``/``size`` CSK remains active. With unlimited key
    lifetimes there is no further scheduled key event, so the expected
    next event falls back to the default loadkeys interval.
    """
    ns6 = servers["ns6"]
    keyprops = [
        # Old algorithm: zone signatures now hidden as well.
        f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}",
        # New algorithm: steady state.
        f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
    ]
    step = {
        "zone": "step6.csk-algorithm-roll.kasp",
        "cdss": CDSS,
        "keyprops": keyprops,
        # No further key event: fall back to the default loadkeys interval.
        "nextev": TIMEDELTA["PT1H"],
    }
    isctest.kasp.check_rollover_step(ns6, CONFIG, POLICY, step)