
Increase migrate.kasp DNSKEY TTL

Increase the DNSKEY TTL of the migrate.kasp zone for the following
reason:  The key states are initialized depending on the timing
metadata. If a key is present long enough in the zone it will be
initialized to OMNIPRESENT.  Long enough here is the time when it
was published (when the setup script was run) plus DNSKEY TTL.
Otherwise it is set to RUMOURED, or to HIDDEN if no timing metadata
is set or the time is still in the future.

Since the TTL is "only" 5 minutes, the DNSKEY state may be
initialized to OMNIPRESENT if the test is slow, but we expect it
to be in RUMOURED state.  If we increase the TTL to a couple of
hours it is very unlikely that it will be initialized to something
else than RUMOURED.
Matthijs Mekking 2020-04-07 15:51:43 +02:00
parent 8d3c0156f4
commit 04e6711029
3 changed files with 5 additions and 5 deletions


@ -50,7 +50,7 @@ dnssec-policy "ecdsa256" {
};
dnssec-policy "migrate" {
dnskey-ttl 300;
dnskey-ttl 7200;
keys {
ksk key-directory lifetime unlimited algorithm ECDSAP256SHA256;


@ -42,8 +42,8 @@ U="UNRETENTIVE"
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
setup migrate.kasp
echo "$zone" >> zones
KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2)
KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.2)
$SETTIME -P now -P sync now -A now "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -P now -A now "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
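Review bot: The `-L 7200` on the two `$KEYGEN` lines is a magic number whose reason lives only in the commit message; a comment above them would keep it with the code, e.g. `# DNSKEY TTL: long enough that the keys are still within one TTL of their publication time when the test runs, so their state initializes to RUMOURED rather than OMNIPRESENT.` The value also has to agree with the `dnskey-ttl` of the "migrate" policy in the named.conf change and with the TTL handed to set_policy in the test script, which the comment could state so that a future edit changes all three. The check remains wall-clock dependent: a run in which more than two hours pass between this setup and the state check would presumably still initialize to OMNIPRESENT, so the larger TTL makes the flake very unlikely rather than impossible, which is worth saying in the comment.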


@ -2893,7 +2893,7 @@ check_next_key_event 3600
# Testing good migration.
#
set_zone "migrate.kasp"
set_policy "none" "2" "300"
set_policy "none" "2" "7200"
set_server "ns6" "10.53.0.6"
init_migration_match() {
@ -3090,7 +3090,7 @@ next_key_event_threshold=$((next_key_event_threshold+i))
# Testing migration.
#
set_zone "migrate.kasp"
set_policy "migrate" "2" "300"
set_policy "migrate" "2" "7200"
set_server "ns6" "10.53.0.6"
# Key properties, timings and metadata should be the same as legacy keys above.
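Review bot: The `7200` passed to `set_policy` in both hunks is an unexplained constant that must match the `-L` used by dnssec-keygen in the ns6 setup script and the `dnskey-ttl` of the "migrate" policy, and nothing in this file says so. A one-line comment before the first `set_zone "migrate.kasp"`, e.g. `# DNSKEY TTL (7200) must match the -L used in the ns6 setup script and the "migrate" policy's dnskey-ttl.`, or a single `migrate_dnskey_ttl=7200` variable used in both calls, would make the coupling visible. `init_migration_match()` begins at the end of the first hunk and its body is outside this view, so I cannot tell whether it also hard-codes the TTL.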