Test updating dnssec-policy key lifetime

Check if the key lifetime is updated in the key files. Make sure the inactive and removed timing metadata are adjusted accordingly.
2025-08-29 13:38:26 +00:00 · 2024-06-24 11:18:40 +02:00 · 2024-06-24 11:18:40 +02:00 · 2237895bb4
commit 2237895bb4
parent 93326e3e18
5 changed files with 135 additions and 0 deletions
--- a/bin/tests/system/kasp/ns6/named.conf.in
+++ b/bin/tests/system/kasp/ns6/named.conf.in
@ -99,3 +99,27 @@ zone example {
 	file "example.db";
 	dnssec-policy modified;
 };
+
+zone longer-lifetime {
+	type primary;
+	file "longer-lifetime.db";
+	dnssec-policy short-lifetime;
+};
+
+zone shorter-lifetime {
+	type primary;
+	file "shorter-lifetime.db";
+	dnssec-policy long-lifetime;
+};
+
+zone limit-lifetime {
+	type primary;
+	file "limit-lifetime.db";
+	dnssec-policy unlimited-lifetime;
+};
+
+zone unlimit-lifetime {
+	type primary;
+	file "unlimit-lifetime.db";
+	dnssec-policy short-lifetime;
+};
--- a/bin/tests/system/kasp/ns6/named2.conf.in
+++ b/bin/tests/system/kasp/ns6/named2.conf.in
@ -177,3 +177,27 @@ zone example {
 	file "example.db";
 	dnssec-policy modified;
 };
+
+zone longer-lifetime {
+	type primary;
+	file "longer-lifetime.db";
+	dnssec-policy long-lifetime;
+};
+
+zone shorter-lifetime {
+	type primary;
+	file "shorter-lifetime.db";
+	dnssec-policy short-lifetime;
+};
+
+zone limit-lifetime {
+	type primary;
+	file "limit-lifetime.db";
+	dnssec-policy short-lifetime;
+};
+
+zone unlimit-lifetime {
+	type primary;
+	file "unlimit-lifetime.db";
+	dnssec-policy unlimited-lifetime;
+};
--- a/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
+++ b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
@ -30,6 +30,23 @@ dnssec-policy "modified" {
 	};
 };

+dnssec-policy "unlimited-lifetime" {
+	keys {
+		csk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+dnssec-policy "short-lifetime" {
+	keys {
+		csk lifetime P6M algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
+dnssec-policy "long-lifetime" {
+	keys {
+		csk lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
 dnssec-policy "rsasha256" {
 	signatures-refresh P5D;
 	signatures-validity 30d;
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@ -29,6 +29,11 @@ R="RUMOURED"
 O="OMNIPRESENT"
 U="UNRETENTIVE"

+for zn in shorter-lifetime longer-lifetime limit-lifetime unlimit-lifetime; do
+  setup $zn
+  cp template.db.in $zonefile
+done
+
 # The child zones (step1, step2) beneath these zones represent the various
 # steps of unsigning a zone.
 for zn in going-insecure.kasp going-insecure-dynamic.kasp; do
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@ -3793,6 +3793,65 @@ check_apex
 check_subdomain
 dnssec_verify

+# Test key lifetime changes
+set_keytimes_lifetime_update() {
+  if [ $1 -eq 0 ]; then
+    set_keytime "KEY1" "RETIRED" "none"
+    set_keytime "KEY1" "REMOVED" "none"
+  else
+    active=$(key_get KEY1 ACTIVE)
+    set_addkeytime "KEY1" "RETIRED" "${active}" $1
+    # The key is removed after the retire time plus max-zone-ttl (1d),
+    # sign delay (9d), zone propagation delay (5m), retire safety (1h) =
+    # 777600 + 86400 + 300 + 3600 = 867900
+    retired=$(key_get KEY1 RETIRED)
+    set_addkeytime "KEY1" "REMOVED" "${retired}" 867900
+  fi
+}
+
+check_key_lifetime() {
+  zone=$1
+  policy=$2
+  lifetime=$3
+
+  set_zone "$zone"
+  set_policy "$policy" "1" "3600"
+  set_server "ns6" "10.53.0.6"
+  # Key properties.
+  key_clear "KEY1"
+  set_keyrole "KEY1" "csk"
+  set_keylifetime "KEY1" "$lifetime"
+  set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+  set_keysigning "KEY1" "yes"
+  set_zonesigning "KEY1" "yes"
+  key_clear "KEY2"
+  key_clear "KEY3"
+  key_clear "KEY4"
+
+  # The CSK is rumoured.
+  set_keystate "KEY1" "GOAL" "omnipresent"
+  set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+  set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+  set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+  set_keystate "KEY1" "STATE_DS" "hidden"
+  check_keys
+
+  # Key timings.
+  set_keytimes_csk_policy
+  set_keytimes_lifetime_update $lifetime
+
+  # Variuous checks.
+  check_keytimes
+  check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+  check_apex
+  check_subdomain
+  dnssec_verify
+}
+check_key_lifetime "shorter-lifetime" "long-lifetime" "31536000"
+check_key_lifetime "longer-lifetime" "short-lifetime" "16070400"
+check_key_lifetime "limit-lifetime" "unlimited-lifetime" "0"
+check_key_lifetime "unlimit-lifetime" "short-lifetime" "16070400"
+
 #
 # Testing algorithm rollover.
 #
@ -4126,6 +4185,12 @@ check_apex
 check_subdomain
 dnssec_verify

+# Test key lifetime updates.
+check_key_lifetime "shorter-lifetime" "short-lifetime" "16070400"
+check_key_lifetime "longer-lifetime" "long-lifetime" "31536000"
+check_key_lifetime "limit-lifetime" "short-lifetime" "16070400"
+check_key_lifetime "unlimit-lifetime" "unlimited-lifetime" "0"
+
 #
 # Testing going insecure.
 #