From 04e67110290dd0fa1157a32dfca04af4f8f8f4c0 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 7 Apr 2020 15:51:43 +0200
Subject: [PATCH] Increase migrate.kasp DNSKEY TTL

Increate the DNSKEY TTL of the migrate.kasp zone for the following reason: The key states are initialized depending on the timing metadata. If a key is present long enough in the zone it will be initialized to OMNIPRESENT. Long enough here is the time when it was published (when the setup script was run) plus DNSKEY TTL. Otherwise it is set to RUMOURED, or to HIDDEN if no timing metadata is set or the time is still in the future. Since the TTL is "only" 5 minutes, the DNSKEY state may be initialized to OMNIPRESENT if the test is slow, but we expect it to be in RUMOURED state. If we increase the TTL to a couple of hours it is very unlikely that it will be initialized to something else than RUMOURED.
---
 bin/tests/system/kasp/ns6/policies/kasp.conf | 2 +-
 bin/tests/system/kasp/ns6/setup.sh | 4 ++--
 bin/tests/system/kasp/tests.sh | 4 ++--
 3 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/bin/tests/system/kasp/ns6/policies/kasp.conf b/bin/tests/system/kasp/ns6/policies/kasp.conf
index 6b58eaf825..a02d6816a7 100644
--- a/bin/tests/system/kasp/ns6/policies/kasp.conf
+++ b/bin/tests/system/kasp/ns6/policies/kasp.conf
@@ -50,7 +50,7 @@ dnssec-policy "ecdsa256" {
 };
 dnssec-policy "migrate" {
- dnskey-ttl 300;
+ dnskey-ttl 7200;
 keys {
 ksk key-directory lifetime unlimited algorithm ECDSAP256SHA256;
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
index 8d01bd23b9..16c92ce0f0 100644
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@@ -42,8 +42,8 @@ U="UNRETENTIVE"
 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
 setup migrate.kasp
 echo "$zone" >> zones
-KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2)
+KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.2)
 $SETTIME -P now -P sync now -A now "$KSK" > settime.out.$zone.1 2>&1
 $SETTIME -P now -A now "$ZSK" > settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 95c4e2392a..da770695cb 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -2893,7 +2893,7 @@ check_next_key_event 3600
 # Testing good migration.
 #
 set_zone "migrate.kasp"
-set_policy "none" "2" "300"
+set_policy "none" "2" "7200"
 set_server "ns6" "10.53.0.6"
 init_migration_match() {
@@ -3090,7 +3090,7 @@ next_key_event_threshold=$((next_key_event_threshold+i))
 # Testing migration.
 #
 set_zone "migrate.kasp"
-set_policy "migrate" "2" "300"
+set_policy "migrate" "2" "7200"
 set_server "ns6" "10.53.0.6"
 # Key properties, timings and metadata should be the same as legacy keys above.
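Review bot: The `-L 7200` on the two `$KEYGEN` lines in ns6/setup.sh has no comment explaining why the TTL is this long, so a later clean-up could lower it and bring back the intermittent OMNIPRESENT initialisation that the commit message describes. I would add above the `KSK=` line: `# DNSKEY TTL is deliberately long: keys are published "now", and publish time + TTL must not elapse during a slow run, or the DNSKEY state starts OMNIPRESENT instead of RUMOURED.` The same value is repeated by hand in `dnskey-ttl 7200;` in ns6/policies/kasp.conf and in both `set_policy ... "7200"` calls in tests.sh (the hunks at -2893 and -3090). The comment should also say that these three places have to change together, since nothing visible in the hunks ties them to one definition. The migrate.kasp setup block appears to continue past the end of this hunk.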