From 672b07a5038cd083757510590062642f7bf52cb2 Mon Sep 17 00:00:00 2001
From: Tom Krizek
Date: Fri, 19 Jan 2024 16:00:46 +0100
Subject: [PATCH 1/6] Re-enable accidentally disabled dnssec checks

Remove the premature exit statement which made the rest of the checks unreachable.
---
 bin/tests/system/dnssec/tests.sh | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 4e957486d6..e519b97b6d 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -3734,9 +3734,6 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
-echo_i "status: $status"
-exit $status
-
 echo_i "checking initialization with a revoked managed key ($n)"
 ret=0
 copy_setports ns5/named2.conf.in ns5/named.conf

From 2e26eac31ca9e3978369b4d44a394a3a0507e861 Mon Sep 17 00:00:00 2001
From: Tom Krizek
Date: Fri, 19 Jan 2024 16:01:47 +0100
Subject: [PATCH 2/6] Ensure dnssec test doesn't leak queries to root servers

The config was recently modified to ensure ns4 won't leak any queries to root servers. However, the test wasn't executed and it turns out the way this was handled actually broke the test case. Add our custom root hint to both of the views to ensure the test can still pass without leaking any queries.
---
 bin/tests/system/dnssec/ns4/named4.conf.in | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/bin/tests/system/dnssec/ns4/named4.conf.in b/bin/tests/system/dnssec/ns4/named4.conf.in
index 7d9d6e7ba3..941211993d 100644
--- a/bin/tests/system/dnssec/ns4/named4.conf.in
+++ b/bin/tests/system/dnssec/ns4/named4.conf.in
@@ -39,11 +39,6 @@ key auth {
 
 include "trusted.conf";
 
-zone "." {
- type hint;
- file "../../_common/root.hint";
-};
-
 view rec {
 match-recursive-only yes;
 recursion yes;
@@ -51,6 +46,11 @@ view rec {
 dnssec-accept-expired yes;
 minimal-responses no;
 
+ zone "." {
+ type hint;
+ file "../../_common/root.hint";
+ };
+
 zone secure.example {
 type static-stub;
 server-addresses { 10.53.0.4; };
@@ -66,6 +66,11 @@ view auth {
 recursion no;
 allow-recursion { none; };
 
+ zone "." {
+ type hint;
+ file "../../_common/root.hint";
+ };
+
 zone secure.example {
 type secondary;
 primaries { 10.53.0.3; };

From ebb90ba77f96c740d630cc52d51e07719f945a06 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 30 Jan 2024 16:16:47 +0100
Subject: [PATCH 3/6] Fix ZSK rollovers in dnssec system test

1. When generating keys, don't set timing metadata. Otherwise keys are considered to be in use and won't be selected when dnssec-policy starts a new key rollover.
2. Add an extra check to make sure the new ZSK (zsk2) is prepublished. Also add a check to make sure it has become active.
3. When using dnssec-settime, add -s to also write to key state files.
---
 bin/tests/system/dnssec/tests.sh | 52 +++++++++++++++++++++++++-------
 1 file changed, 41 insertions(+), 11 deletions(-)

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index e519b97b6d..30e4b80095 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -4080,6 +4080,10 @@ ZSK_ID=$(cat ns2/${zone}.zsk.id)
 SECTIONS="+answer +noauthority +noadditional"
 echo_i "testing zone $zone KSK=$KSK_ID ZSK=$ZSK_ID"
 
+# Set key state for KSK. The ZSK rollovers below assume that there is a chain
+# of trust established, so we tell named that the DS is in omnipresent state.
+$SETTIME -s -d OMNIPRESENT now -K ns2 $KSK >/dev/null
+
 # Print IDs of keys used for generating RRSIG records for RRsets of type $1
 # found in dig output file $2.
 get_keys_which_signed() {
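Review bot: The hint zone added to the `auth` view lives next to `recursion no;` and `allow-recursion { none; };`, so nothing in the file tells a later reader why a non-recursive view needs a root hint, and the identical block in the `rec` view (the @@ -51 hunk) carries no comment linking the two copies. The commit message gives the reason — keeping ns4 from sending any query to the real root servers — and that belongs in the config, e.g. `// local root hint kept in every view so ns4 never queries the real root servers` above each `zone "." {` block. Without it, a future cleanup that drops one of the duplicated blocks would silently reintroduce the leak this commit is fixing.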
@@ -4115,7 +4119,7 @@ test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
 # Roll the ZSK.
-zsk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
+zsk2=$("$KEYGEN" -q -P none -A none -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
 keyfile_to_key_id "$zsk2" >ns2/$zone.zsk.id2
 ZSK_ID2=$(cat ns2/$zone.zsk.id2)
 ret=0
@@ -4125,16 +4129,43 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+zsk_count_equals() {
+ expectedzsks=$1
+ dig_with_opts @10.53.0.2 DNSKEY $zone >dig.out.test$n
+ lines=$(cat dig.out.test$n | grep "DNSKEY.*256 3 13" | wc -l)
+ test "$lines" -eq $expectedzsks || return 1
+}
+echo_i "check DNSKEY RRset has successor ZSK $ZSK_ID2 ($n)"
+ret=0
+# The expected number of ZSKs is 2.
+retry_quiet 5 zsk_count_equals 2 || ret=1
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 # Make new ZSK active.
 echo_i "make ZSK $ZSK_ID inactive and make new ZSK $ZSK_ID2 active for zone $zone ($n)"
 ret=0
-$SETTIME -I now -K ns2 $ZSK >/dev/null
+$SETTIME -s -I now -K ns2 $ZSK >/dev/null
 $SETTIME -s -k OMNIPRESENT now -A now -K ns2 $zsk2 >/dev/null
 dnssec_loadkeys_on 2 $zone || ret=1
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+# Wait for newest ZSK to become active.
+echo_i "wait until new ZSK $ZSK_ID2 active and ZSK $ZSK_ID inactive"
+for i in 1 2 3 4 5 6 7 8 9 10; do
+ ret=0
+ grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID2 (ZSK) is now active" ns2/named.run >/dev/null || ret=1
+ grep "DNSKEY $zone/$DEFAULT_ALGORITHM/$ZSK_ID (ZSK) is now inactive" ns2/named.run >/dev/null || ret=1
+ [ "$ret" -eq 0 ] && break
+ sleep 1
+done
+n=$((n + 1))
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 # Remove the KSK from disk.
 echo_i "remove the KSK $KSK_ID for zone $zone from disk"
 mv ns2/$KSK.key ns2/$KSK.key.bak
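Review bot: The new `$SETTIME -s -d OMNIPRESENT now -K ns2 $KSK >/dev/null` in the @@ -4080 hunk runs outside any numbered check and its exit status is never looked at, so if dnssec-settime fails (missing key file, rejected option) the only symptom is a string of unrelated-looking failures in the ZSK rollover checks that follow. The same pattern recurs in the @@ -4125, @@ -4184 and @@ -4245 hunks, where the `-s` state writes sit inside a numbered check that already tracks `ret` but are not followed by `|| ret=1`. Here the minimal change is `$SETTIME -s -d OMNIPRESENT now -K ns2 $KSK >/dev/null || echo_i "failed to set DS state for KSK $KSK_ID"`, and `|| ret=1` on the settime lines inside the numbered checks so the failure is attributed to the step that caused it.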
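Review bot: `zsk_count_equals` hard-codes algorithm number 13 in `grep "DNSKEY.*256 3 13"`, while the wait loop later in the same hunk keys on `$DEFAULT_ALGORITHM`; if the suite is ever run with a different default algorithm the count is always 0 and the prepublication check fails for a reason that has nothing to do with the rollover. Matching on flags and protocol only keeps the check algorithm-agnostic and also drops the needless `cat`: `lines=$(grep "DNSKEY.*256 3 [0-9]" dig.out.test$n | wc -l)` (the `| wc -l` tail is kept so a zero count does not turn into a non-zero exit under a strict-mode harness; if the harness exports the numeric algorithm next to `$DEFAULT_ALGORITHM`, substituting that is better still). The helper also assigns `expectedzsks` and `lines` as globals; since the file appears to run under plain sh, a distinctive prefix on those names is the cheap way to avoid a clash with the outer script's variables. The `i` loop variable in the wait loop is never read, which is fine but worth a `_`-style name to signal intent.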
@@ -4184,15 +4215,14 @@ mv ns2/$KSK.key.bak ns2/$KSK.key
 mv ns2/$KSK.private.bak ns2/$KSK.private
 
 # Roll the ZSK again.
-zsk3=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
+echo_i "delete old ZSK $ZSK_ID, schedule ZSK $ZSK_ID2 inactive, and new ZSK $ZSK_ID3 active for zone $zone ($n)"
+zsk3=$("$KEYGEN" -q -P none -A none -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone")
+ret=0
 keyfile_to_key_id "$zsk3" >ns2/$zone.zsk.id3
 ZSK_ID3=$(cat ns2/$zone.zsk.id3)
-
-# Schedule the new ZSK (ZSK3) to become active.
-echo_i "delete old ZSK $ZSK_ID schedule ZSK $ZSK_ID2 inactive and new ZSK $ZSK_ID3 active for zone $zone ($n)"
-$SETTIME -s -k UNRETENTIVE -z HIDDEN -D now -K ns2 $ZSK >/dev/null
-$SETTIME -I +3600 -K ns2 $zsk2 >/dev/null
-$SETTIME -A +3600 -K ns2 $zsk3 >/dev/null
+$SETTIME -s -k HIDDEN now -z HIDDEN now -D now -K ns2 $ZSK >/dev/null
+$SETTIME -s -k OMNIPRESENT now -z OMNIPRESENT now -K ns2 $zsk2 >/dev/null
+dnssec_loadkeys_on 2 $zone || ret=1
 rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID2 $zone 2>&1 | sed 's/^/ns2 /' | cat_i
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
@@ -4245,9 +4275,9 @@ done
 
 # Make the new ZSK (ZSK3) active.
 echo_i "make new ZSK $ZSK_ID3 active for zone $zone ($n)"
-$SETTIME -I now -K ns2 $zsk2 >/dev/null
+ret=0
+$SETTIME -s -I now -K ns2 $zsk2 >/dev/null
 $SETTIME -s -k OMNIPRESENT now -A now -K ns2 $zsk3 >/dev/null
-
 dnssec_loadkeys_on 2 $zone || ret=1
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"

From fc5eb493c9920e06351b0b30c48acd5497e8322b Mon Sep 17 00:00:00 2001
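Review bot: The new `echo_i "delete old ZSK $ZSK_ID, schedule ZSK $ZSK_ID2 inactive, and new ZSK $ZSK_ID3 active for zone $zone ($n)"` expands `$ZSK_ID3` two lines before `ZSK_ID3=$(cat ns2/$zone.zsk.id3)` assigns it, so the log line reports an empty ID for the new key (or a stale one, if this block is ever executed more than once per run); the removed version of the same message sat after the assignment. Move the `echo_i` to just after `ZSK_ID3=$(cat ns2/$zone.zsk.id3)`. While there, `ret=0` is set after the keygen, so a failed `$KEYGEN` (empty `$zsk3`) cannot be attributed to this check; set `ret=0` first and use `zsk3=$("$KEYGEN" -q -P none -A none -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone") || ret=1`. The check's `status=` line lies past the end of the hunk.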
From: Matthijs Mekking
Date: Tue, 30 Jan 2024 17:10:28 +0100
Subject: [PATCH 4/6] Offline KSK and dnssec-policy not yet supported

If the key is offline and the keymgr runs, it will treat it as a missing key, and generate a new key (according to the policy). Fix the test by putting back the KSK temporarily when we run 'rndc loadkeys'.
---
 bin/tests/system/dnssec/tests.sh | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 30e4b80095..1bd0386b7a 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -4273,6 +4273,11 @@ for qtype in "SOA" "TXT"; do
 status=$((status + ret))
 done
 
+# Put back the KSK.
+echo_i "put back the KSK $KSK_ID for zone $zone from disk"
+mv ns2/$KSK.key.bak ns2/$KSK.key
+mv ns2/$KSK.private.bak ns2/$KSK.private
+
 # Make the new ZSK (ZSK3) active.
 echo_i "make new ZSK $ZSK_ID3 active for zone $zone ($n)"
 ret=0
@@ -4296,6 +4301,11 @@ n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+# Remove the KSK from disk.
+echo_i "remove the KSK $KSK_ID for zone $zone from disk"
+mv ns2/$KSK.key ns2/$KSK.key.bak
+mv ns2/$KSK.private ns2/$KSK.private.bak
+
 # Update the zone that requires a resign of the SOA RRset.
 echo_i "update the zone with $zone IN TXT nsupdate added me one more time"
 (

From a68f8c7cf0f5b0cd3cd2e210a11d06156c47fcf8 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 30 Jan 2024 17:21:34 +0100
Subject: [PATCH 5/6] Fix dnssec system test iterations too high

After we have changed the maximum allowed iterations to 51 for signing, the NSEC3 chain has changed and requires one more NSEC to be returned in the answer (plus corresponding RRSIG). So the expected number or records in the authority section is now 8.
---
 bin/tests/system/dnssec/tests.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
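Review bot: The `# Put back the KSK.` comment does not say why the key must be restored at this exact point, and that reason is the whole substance of the commit: with dnssec-policy, a KSK that is absent from disk when `rndc loadkeys` runs is treated by the keymgr as a missing key and a replacement is generated under the policy. Put that in the comment, e.g. `# Offline KSK is not yet supported with dnssec-policy: if the key is missing when loadkeys runs, the keymgr generates a replacement, so restore it around the loadkeys call.` (split over two or three `#` lines in the file's style), and mirror it at the `# Remove the KSK from disk.` block in the @@ -4296 hunk so the pairing is visible. The log text `"put back the KSK $KSK_ID for zone $zone from disk"` says the opposite of what the `mv` does; `"put back the KSK $KSK_ID for zone $zone on disk"` matches. Both `mv` pairs also run unchecked, so a failed rename would only surface as a confusing later check; `mv ns2/$KSK.key.bak ns2/$KSK.key || echo_i "failed to restore KSK $KSK_ID"` makes it visible where it happens.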
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index 1bd0386b7a..db91fae310 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -4396,7 +4396,7 @@ dig_with_opts @10.53.0.4 does-not-exist.too-many-iterations >dig.out.ns4.test$n
 digcomp dig.out.ns2.test$n dig.out.ns4.test$n || ret=1
 grep "flags: qr rd ra;" dig.out.ns4.test$n >/dev/null || ret=1
 grep "status: NXDOMAIN" dig.out.ns4.test$n >/dev/null || ret=1
-grep "ANSWER: 0, AUTHORITY: 6" dig.out.ns4.test$n >/dev/null || ret=1
+grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n >/dev/null || ret=1
 n=$((n + 1))
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))

From 02f5d82333dfc1ee032fd1382bdf39b04d4f5df3 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 31 Jan 2024 13:55:29 +0100
Subject: [PATCH 6/6] Update hours-vs-days test

This test is outdated because it tested the 'sig-validity-interval' option that has been replaced by dnssec-policy's 'signatures-validity', 'signatures-refresh', and 'signatures-jitter' options. Nevertheless, it tests if the jitter is spread correctly. Update the test to make use of 'signatures-jitter', set the value to 1 day (meaning resign in 499 days since 'signatures-validity' is set to 500 days). Note that this previously changed erroneously the refresh value to 449 days (should have been 499 days, but that is not allowed by checkconf, since it is above 90% of 'signatures-validity').
---
 bin/tests/system/dnssec/ns2/named.conf.in | 4 ++--
 bin/tests/system/dnssec/tests.sh | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in
index 78d43c7208..6a3e6ca4a7 100644
--- a/bin/tests/system/dnssec/ns2/named.conf.in
+++ b/bin/tests/system/dnssec/ns2/named.conf.in
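Review bot: The expected count changes from 6 to 8 on `grep "ANSWER: 0, AUTHORITY: 8" dig.out.ns4.test$n` with no in-script explanation, and that grep is the only line a reader will look at when the number drifts again. The commit message has the reasoning — with the maximum signing iterations changed to 51 the NSEC3 chain changed and one more NSEC (plus its RRSIG) is returned — so carry it into the script as a comment above the grep, e.g. `# with the 51-iteration signing limit the NSEC3 chain returns one more NSEC + RRSIG: 8 authority records`. The check this line belongs to starts before the hunk.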
@@ -60,10 +60,10 @@ dnssec-policy "not-enough-hours-in-day" {
 zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 };
 
- /* validity 500 days, resign in 449 days */
+ /* validity 500 days, with one 1 day jitter (resign in 499 days) */
+ signatures-jitter 1d;
 signatures-validity-dnskey 500d;
 signatures-validity 500d;
- signatures-refresh 449d;
 };
 
 zone "." {
diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh
index db91fae310..ffbba1b033 100644
--- a/bin/tests/system/dnssec/tests.sh
+++ b/bin/tests/system/dnssec/tests.sh
@@ -4360,7 +4360,7 @@ status=$((status + ret))
 
 echo_i "checking signatures-validity second field hours vs days ($n)"
 ret=0
-# zone configured with 'signatures-validity 500 499;'
+# zone configured with 'signatures-validity 500d; signatures-refresh 1d'
 # 499 days in the future w/ a 20 minute runtime to now allowance
 min=$(TZ=UTC $PERL -e '@lt=localtime(time() + 499*3600*24 - 20*60); printf "%.4d%0.2d%0.2d%0.2d%0.2d%0.2d\n",$lt[5]+1900,$lt[4]+1,$lt[3],$lt[2],$lt[1],$lt[0];')
 dig_with_opts @10.53.0.2 hours-vs-days AXFR >dig.out.ns2.test$n
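Review bot: The replacement comment `/* validity 500 days, with one 1 day jitter (resign in 499 days) */` stumbles on "one 1 day"; `/* validity 500 days, 1 day jitter (resign in 499 days) */` says the same thing. The non-obvious part of this change is the dropped `signatures-refresh` line: per the commit message a 499d refresh is rejected by checkconf because it exceeds 90% of `signatures-validity`, which is exactly what a future editor will trip over when trying to "restore" the line, so it is worth a second comment line such as `/* signatures-refresh is left at its default: 499d would exceed 90% of signatures-validity and fail checkconf */`.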
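Review bot: The updated comment `# zone configured with 'signatures-validity 500d; signatures-refresh 1d'` does not match the configuration this same patch writes to `ns2/named.conf.in`, which sets `signatures-jitter 1d;` and removes `signatures-refresh` entirely; the 499-day expectation in the `min=` line below is still right, so only the comment is wrong, but it now points at the wrong option. Use `# zone configured with 'signatures-validity 500d; signatures-jitter 1d;'`. The `echo_i` text `"checking signatures-validity second field hours vs days"` likewise describes the old two-field syntax the commit message says is gone, so consider renaming it to say what is now tested (jitter spread). The check's remaining lines run past the end of the hunk.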