Move kasp migration tests to different directory

The kasp system test was getting pretty large, and more tests are on
the way. Time to split up. Move tests that are related to migrating
to dnssec-policy to a separate directory 'keymgr2kasp'.

bin/tests/system/Makefile.am

@@ -198,7 +198,7 @@ endif HAVE_PERLMOD_NET_DNS_NAMESERVER
 endif HAVE_PERLMOD_NET_DNS
 
 if HAVE_PYTHON
-TESTS += kasp tcp pipelined
+TESTS += kasp keymgr2kasp tcp pipelined
 
 if HAVE_PYMOD_DNS
 TESTS += qmin cookie timeouts

bin/tests/system/conf.sh.in

@@ -87,6 +87,7 @@ dnssec
 dyndb
 filter-aaaa
 kasp
+keymgr2kasp
 legacy
 logfileconfig
 nzd2nzf

bin/tests/system/kasp/README

@@ -12,7 +12,5 @@ ns3 is an authoritative server for the various test domains.
 
 ns4 and ns5 are authoritative servers for various test domains related to views.
 
-ns6 is an authoritative server that tests changes in dnssec-policy.
-
-ns7 is an authoritative server that tests a specific case where zones
-using views migrate to dnssec-policy.
+ns6 is an authoritative server that tests changes in dnssec-policy (algorithm
+rollover).

bin/tests/system/kasp/ns6/named.conf.in

@@ -36,45 +36,17 @@ controls {
 	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
-/* These are zones that migrate to dnssec-policy. */
-zone "migrate.kasp" {
-	type primary;
-	file "migrate.kasp.db";
-	auto-dnssec maintain;
-	allow-update { any; };
-	dnssec-dnskey-kskonly yes;
-	update-check-ksk yes;
-};
-
-zone "migrate-nomatch-algnum.kasp" {
-	type primary;
-	file "migrate-nomatch-algnum.kasp.db";
-	auto-dnssec maintain;
-	allow-update { any; };
-	dnssec-dnskey-kskonly yes;
-	update-check-ksk yes;
-};
-
-zone "migrate-nomatch-alglen.kasp" {
-	type primary;
-	file "migrate-nomatch-alglen.kasp.db";
-	auto-dnssec maintain;
-	allow-update { any; };
-	dnssec-dnskey-kskonly yes;
-	update-check-ksk yes;
-};
-
 /* These zones are going insecure. */
 zone "step1.going-insecure.kasp" {
 	type master;
 	file "step1.going-insecure.kasp.db";
-	dnssec-policy "migrate";
+	dnssec-policy "unsigning";
 };
 
 zone "step1.going-insecure-dynamic.kasp" {
 	type master;
 	file "step1.going-insecure-dynamic.kasp.db";
-	dnssec-policy "migrate";
+	dnssec-policy "unsigning";
 	allow-update { any; };
 };
 

bin/tests/system/kasp/ns6/named2.conf.in

@@ -35,28 +35,6 @@ controls {
 	inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
-/* These are zones that migrate to dnssec-policy. */
-zone "migrate.kasp" {
-	type primary;
-	file "migrate.kasp.db";
-	allow-update { any; };
-	dnssec-policy "migrate";
-};
-
-zone "migrate-nomatch-algnum.kasp" {
-	type primary;
-	file "migrate-nomatch-algnum.kasp.db";
-	allow-update { any; };
-	dnssec-policy "migrate-nomatch-algnum";
-};
-
-zone "migrate-nomatch-alglen.kasp" {
-	type primary;
-	file "migrate-nomatch-alglen.kasp.db";
-	allow-update { any; };
-	dnssec-policy "migrate-nomatch-alglen";
-};
-
 /* Zones for testing going insecure. */
 zone "step1.going-insecure.kasp" {
         type master;

bin/tests/system/kasp/ns6/policies/kasp.conf.in

@@ -9,6 +9,15 @@
  * information regarding copyright ownership.
  */
 
+dnssec-policy "unsigning" {
+	dnskey-ttl 7200;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
 dnssec-policy "rsasha1" {
 	signatures-refresh P5D;
 	signatures-validity 30d;
@@ -46,54 +55,3 @@ dnssec-policy "ecdsa256" {
 	parent-propagation-delay pt1h;
 	parent-ds-ttl 7200;
 };
-
-dnssec-policy "migrate" {
-	dnskey-ttl 7200;
-
-	keys {
-		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
-		zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
-	};
-};
-
-/*
- * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
- * to ECDSAP256SHA256 keys.
- */
-dnssec-policy "migrate-nomatch-algnum" {
-	dnskey-ttl 300;
-
-	keys {
-		ksk key-directory lifetime unlimited algorithm ecdsa256;
-		zsk key-directory lifetime P60D algorithm ecdsa256;
-	};
-
-	// Together 12h
-	zone-propagation-delay 3600;
-	max-zone-ttl 11h;
-
-	// Together 3h
-	parent-propagation-delay pt1h;
-	parent-ds-ttl 7200;
-};
-
-/*
- * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
- * to 2048 bits RSASHA1 keys.
- */
-dnssec-policy "migrate-nomatch-alglen" {
-	dnskey-ttl 300;
-
-	keys {
-		ksk key-directory lifetime unlimited algorithm rsasha1 2048;
-		zsk key-directory lifetime P60D algorithm rsasha1 2048;
-	};
-
-	// Together 12h
-	zone-propagation-delay 3600;
-	max-zone-ttl 11h;
-
-	// Together 3h
-	parent-propagation-delay pt1h;
-	parent-ds-ttl 7200;
-};

bin/tests/system/kasp/ns6/setup.sh

@@ -38,54 +38,6 @@ R="RUMOURED"
 O="OMNIPRESENT"
 U="UNRETENTIVE"
 
-# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
-setup migrate.kasp
-echo "$zone" >> zones
-ksktimes="-P now -A now -P sync now"
-zsktimes="-P now -A now"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200        $zsktimes $zone 2> keygen.out.$zone.2)
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
-
-# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
-# time the existing keys do not match the policy.  The existing keys are
-# RSASHA1 keys, and will be migrated to a dnssec-policy that dictates
-# ECDSAP256SHA256 keys.
-setup migrate-nomatch-algnum.kasp
-echo "$zone" >> zones
-Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
-Tkey="now-3900s" # DNSKEY TTL + propagation delay
-Tsig="now-12h"   # Zone's maximum TTL + propagation delay
-ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
-zsktimes="-P ${Tsig} -A ${Tsig}"
-KSK=$($KEYGEN -a RSASHA1 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone 5 "$KSK" >> "$infile"
-private_type_record $zone 5 "$ZSK" >> "$infile"
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
-
-# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
-# time the existing keys do not match the policy.  The existing keys are
-# 1024 bits RSASHA1 keys, and will be migrated to a dnssec-policy that
-# dictates 2048 bits RSASHA1 keys.
-setup migrate-nomatch-alglen.kasp
-echo "$zone" >> zones
-Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
-Tkey="now-3900s" # DNSKEY TTL + propagation delay
-Tsig="now-12h"   # Zone's maximum TTL + propagation delay
-ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
-zsktimes="-P ${Tsig} -A ${Tsig}"
-KSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone 5 "$KSK" >> "$infile"
-private_type_record $zone 5 "$ZSK" >> "$infile"
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
-
 # The child zones (step1, step2) beneath these zones represent the various
 # steps of unsigning a zone.
 for zn in going-insecure.kasp going-insecure-dynamic.kasp

bin/tests/system/kasp/setup.sh

@@ -23,7 +23,6 @@ copy_setports ns3/named.conf.in ns3/named.conf
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
-copy_setports ns7/named.conf.in ns7/named.conf
 
 if $SHELL ../testcrypto.sh ed25519; then
 	echo "yes" > ed25519-supported.file
@@ -61,7 +60,3 @@ copy_setports ns6/policies/kasp.conf.in ns6/policies/kasp.conf
 	cd ns6
 	$SHELL setup.sh
 )
-(
-	cd ns7
-	$SHELL setup.sh
-)

bin/tests/system/kasp/tests.sh

@@ -4501,186 +4501,6 @@ dnssec_verify
 # interval.
 check_next_key_event 3600
 
-#
-# Testing good migration.
-#
-set_zone "migrate.kasp"
-set_policy "none" "2" "7200"
-set_server "ns6" "10.53.0.6"
-
-init_migration_match() {
-	key_clear        "KEY1"
-	key_set          "KEY1" "LEGACY" "yes"
-	set_keyrole      "KEY1" "ksk"
-	set_keylifetime  "KEY1" "0"
-	set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-	set_keysigning   "KEY1" "yes"
-	set_zonesigning  "KEY1" "no"
-
-	key_clear        "KEY2"
-	key_set          "KEY2" "LEGACY" "yes"
-	set_keyrole      "KEY2" "zsk"
-	set_keylifetime  "KEY2" "5184000"
-	set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-	set_keysigning   "KEY2" "no"
-	set_zonesigning  "KEY2" "yes"
-
-	key_clear        "KEY3"
-	key_clear        "KEY4"
-
-	set_keystate "KEY1" "GOAL"         "omnipresent"
-	set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
-	set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-	set_keystate "KEY1" "STATE_DS"     "rumoured"
-
-	set_keystate "KEY2" "GOAL"         "omnipresent"
-	set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
-	set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-}
-init_migration_match
-
-# Make sure the zone is signed with legacy keys.
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# These keys are immediately published and activated.
-rollover_predecessor_keytimes 0
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Remember legacy key tags.
-_migrate_ksk=$(key_get KEY1 ID)
-_migrate_zsk=$(key_get KEY2 ID)
-
-#
-# Testing migration with unmatched existing keys (different algorithm).
-#
-set_zone "migrate-nomatch-algnum.kasp"
-set_policy "none" "2" "300"
-set_server "ns6" "10.53.0.6"
-
-init_migration_nomatch_algnum() {
-	key_clear        "KEY1"
-	key_set          "KEY1" "LEGACY" "yes"
-	set_keyrole      "KEY1" "ksk"
-	set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
-	set_keysigning   "KEY1" "yes"
-	set_zonesigning  "KEY1" "no"
-
-	key_clear        "KEY2"
-	key_set          "KEY2" "LEGACY" "yes"
-	set_keyrole      "KEY2" "zsk"
-	set_keyalgorithm "KEY2" "5" "RSASHA1" "1024"
-	set_keysigning   "KEY2" "no"
-	set_zonesigning  "KEY2" "yes"
-
-	key_clear        "KEY3"
-	key_clear        "KEY4"
-
-	set_keystate "KEY1" "GOAL"         "omnipresent"
-	set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-	set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-	set_keystate "KEY1" "STATE_DS"     "omnipresent"
-
-	set_keystate "KEY2" "GOAL"         "omnipresent"
-	set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
-	set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
-}
-init_migration_nomatch_algnum
-
-# Make sure the zone is signed with legacy keys.
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# The KSK is immediately published and activated.
-# -P     : now-3900s
-# -P sync: now-3h
-# -A     : now-3900s
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED"   "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE"      "${created}" -3900
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
-# The ZSK is immediately published and activated.
-# -P: now-12h
-# -A: now-12h
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED"   "${created}" -43200
-set_addkeytime "KEY2" "ACTIVE"      "${created}" -43200
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Remember legacy key tags.
-_migratenomatch_algnum_ksk=$(key_get KEY1 ID)
-_migratenomatch_algnum_zsk=$(key_get KEY2 ID)
-
-#
-# Testing migration with unmatched existing keys (different length).
-#
-set_zone "migrate-nomatch-alglen.kasp"
-set_policy "none" "2" "300"
-set_server "ns6" "10.53.0.6"
-
-init_migration_nomatch_alglen() {
-	key_clear        "KEY1"
-	key_set          "KEY1" "LEGACY" "yes"
-	set_keyrole      "KEY1" "ksk"
-	set_keyalgorithm "KEY1" "5" "RSASHA1" "1024"
-	set_keysigning   "KEY1" "yes"
-	set_zonesigning  "KEY1" "no"
-
-	key_clear        "KEY2"
-	key_set          "KEY2" "LEGACY" "yes"
-	set_keyrole      "KEY2" "zsk"
-	set_keyalgorithm "KEY2" "5" "RSASHA1" "1024"
-	set_keysigning   "KEY2" "no"
-	set_zonesigning  "KEY2" "yes"
-
-	key_clear        "KEY3"
-	key_clear        "KEY4"
-
-	set_keystate "KEY1" "GOAL"         "omnipresent"
-	set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-	set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-	set_keystate "KEY1" "STATE_DS"     "omnipresent"
-
-	set_keystate "KEY2" "GOAL"         "omnipresent"
-	set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
-	set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
-}
-init_migration_nomatch_alglen
-
-# Make sure the zone is signed with legacy keys.
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The KSK is immediately published and activated.
-#   P     : now-3900s
-#   P sync: now-3h
-#   A     : now-3900s
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED"   "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE"      "${created}" -3900
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
-# - The ZSK is immediately published and activated.
-#   P: now-12h
-#   A: now-12h
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED"   "${created}" -43200
-set_addkeytime "KEY2" "ACTIVE"      "${created}" -43200
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Remember legacy key tags.
-_migratenomatch_alglen_ksk=$(key_get KEY1 ID)
-_migratenomatch_alglen_zsk=$(key_get KEY2 ID)
-
 #
 # Testing going insecure.
 #
@@ -4689,7 +4509,7 @@ _migratenomatch_alglen_zsk=$(key_get KEY2 ID)
 # Zone step1.going-insecure.kasp
 #
 set_zone "step1.going-insecure.kasp"
-set_policy "migrate" "2" "7200"
+set_policy "unsigning" "2" "7200"
 set_server "ns6" "10.53.0.6"
 
 # Policy parameters.
@@ -4750,7 +4570,7 @@ dnssec_verify
 
 set_zone "step1.going-insecure-dynamic.kasp"
 set_dynamic
-set_policy "migrate" "2" "7200"
+set_policy "unsigning" "2" "7200"
 set_server "ns6" "10.53.0.6"
 init_migration_insecure
 
@@ -4956,287 +4776,6 @@ check_subdomain
 # 5m + 2h = 125m =  7500 seconds.
 check_next_key_event 7500
 
-#
-# Testing migration.
-#
-set_zone "migrate.kasp"
-set_policy "migrate" "2" "7200"
-set_server "ns6" "10.53.0.6"
-
-# Key properties, timings and metadata should be the same as legacy keys above.
-# However, because the zsk has a lifetime, kasp will set the retired time.
-init_migration_match
-key_set     "KEY1" "LEGACY"  "no"
-key_set     "KEY2" "LEGACY"  "no"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-rollover_predecessor_keytimes 0
-# - Key now has lifetime of 60 days (5184000 seconds).
-#   The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety.
-#   TTLsig:        1d (86400 seconds)
-#   Dprp:          5m (300 seconds)
-#   Dsgn:          9d (777600 seconds)
-#   retire-safety: 1h (3600 seconds)
-#   IretZSK:       10d65m (867900 seconds)
-IretZSK=867900
-Lzsk=5184000
-active=$(key_get KEY2 ACTIVE)
-set_addkeytime "KEY2" "RETIRED"     "${active}"  "${Lzsk}"
-retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED"     "${retired}" "${IretZSK}"
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Check key tags, should be the same.
-n=$((n+1))
-echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
-ret=0
-[ $_migrate_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
-[ $_migrate_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
-status=$((status+ret))
-
-# Test migration to dnssec-policy, existing keys do not match key algorithm.
-set_zone "migrate-nomatch-algnum.kasp"
-set_policy "migrate-nomatch-algnum" "4" "300"
-set_server "ns6" "10.53.0.6"
-
-# The legacy keys need to be retired, but otherwise stay present until the
-# new keys are omnipresent, and can be used to construct a chain of trust.
-init_migration_nomatch_algnum
-
-key_set      "KEY1" "LEGACY"  "no"
-set_keystate "KEY1" "GOAL"    "hidden"
-
-key_set      "KEY2" "LEGACY"  "no"
-set_keystate "KEY2" "GOAL"    "hidden"
-
-set_keyrole      "KEY3" "ksk"
-set_keylifetime  "KEY3" "0"
-set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
-set_keysigning   "KEY3" "yes"
-set_zonesigning  "KEY3" "no"
-
-set_keyrole      "KEY4" "zsk"
-set_keylifetime  "KEY4" "5184000"
-set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
-set_keysigning   "KEY4" "no"
-set_zonesigning  "KEY4" "yes"
-
-set_keystate "KEY3" "GOAL"         "omnipresent"
-set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY3" "STATE_DS"     "hidden"
-
-set_keystate "KEY4" "GOAL"         "omnipresent"
-set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - KSK must be retired since it no longer matches the policy.
-#   P     : now-3900s
-#   P sync: now-3h
-#   A     : now-3900s
-# - The key is removed after the retire interval:
-#   IretKSK = TTLds + DprpP + retire_safety.
-#   TTLds:         2h (7200 seconds)
-#   Dprp:          1h (3600 seconds)
-#   retire-safety: 1h (3600 seconds)
-#   IretKSK:       4h (14400 seconds)
-IretKSK=14400
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED"   "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE"      "${created}" -3900
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
-keyfile=$(key_get KEY1 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
-retired=$(awk '{print $3}' < retired.test${n}.ksk)
-set_keytime    "KEY1" "RETIRED" "${retired}"
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
-# - ZSK must be retired since it no longer matches the policy.
-#   P: now-12h
-#   A: now-12h
-# - The key is removed after the retire interval:
-#   IretZSK = TTLsig + Dprp + Dsgn + retire-safety.
-#   TTLsig:        11h (39600 seconds)
-#   Dprp:          1h (3600 seconds)
-#   Dsgn:          9d (777600 seconds)
-#   retire-safety: 1h (3600 seconds)
-#   IretZSK:       9d13h (824400 seconds)
-IretZSK=824400
-Lzsk=5184000
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED"   "${created}" -43200
-set_addkeytime "KEY2" "ACTIVE"      "${created}" -43200
-keyfile=$(key_get KEY2 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
-retired=$(awk '{print $3}' < retired.test${n}.zsk)
-set_keytime    "KEY2" "RETIRED" "${retired}"
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
-# - The new KSK is immediately published and activated.
-created=$(key_get KEY3 CREATED)
-set_keytime    "KEY3" "PUBLISHED"   "${created}"
-set_keytime    "KEY3" "ACTIVE"      "${created}"
-# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
-#   TTLsig:         11h (39600 seconds)
-#   Dprp:           1h (3600 seconds)
-#   publish-safety: 1h (3600 seconds)
-#   Ipub:           13h (46800 seconds)
-Ipub=46800
-set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
-# - The ZSK is immediately published and activated.
-created=$(key_get KEY4 CREATED)
-set_keytime    "KEY4" "PUBLISHED"   "${created}"
-set_keytime    "KEY4" "ACTIVE"      "${created}"
-active=$(key_get KEY4 ACTIVE)
-set_addkeytime "KEY4" "RETIRED"     "${active}"  "${Lzsk}"
-retired=$(key_get KEY4 RETIRED)
-set_addkeytime "KEY4" "REMOVED"     "${retired}" "${IretZSK}"
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Check key tags, should be the same.
-n=$((n+1))
-echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
-ret=0
-[ $_migratenomatch_algnum_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
-[ $_migratenomatch_algnum_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
-status=$((status+ret))
-
-# Test migration to dnssec-policy, existing keys do not match key length.
-set_zone "migrate-nomatch-alglen.kasp"
-set_policy "migrate-nomatch-alglen" "4" "300"
-set_server "ns6" "10.53.0.6"
-
-# The legacy keys need to be retired, but otherwise stay present until the
-# new keys are omnipresent, and can be used to construct a chain of trust.
-init_migration_nomatch_alglen
-
-key_set      "KEY1" "LEGACY"  "no"
-set_keystate "KEY1" "GOAL"    "hidden"
-
-key_set      "KEY2" "LEGACY"  "no"
-set_keystate "KEY2" "GOAL"    "hidden"
-
-set_keyrole      "KEY3" "ksk"
-set_keylifetime  "KEY3" "0"
-set_keyalgorithm "KEY3" "5" "RSASHA1" "2048"
-set_keysigning   "KEY3" "yes"
-set_zonesigning  "KEY3" "no"
-
-set_keyrole      "KEY4" "zsk"
-set_keylifetime  "KEY4" "5184000"
-set_keyalgorithm "KEY4" "5" "RSASHA1" "2048"
-set_keysigning   "KEY4" "no"
-# This key is considered to be prepublished, so it is not yet signing.
-set_zonesigning  "KEY4" "no"
-
-set_keystate "KEY3" "GOAL"         "omnipresent"
-set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY3" "STATE_DS"     "hidden"
-
-set_keystate "KEY4" "GOAL"         "omnipresent"
-set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - KSK must be retired since it no longer matches the policy.
-#   P     : now-3900s
-#   P sync: now-3h
-#   A     : now-3900s
-# - The key is removed after the retire interval:
-#   IretKSK = TTLds + DprpP + retire_safety.
-#   TTLds:         2h (7200 seconds)
-#   Dprp:          1h (3600 seconds)
-#   retire-safety: 1h (3600 seconds)
-#   IretKSK:       4h (14400 seconds)
-IretKSK=14400
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED"   "${created}" -3900
-set_addkeytime "KEY1" "ACTIVE"      "${created}" -3900
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
-keyfile=$(key_get KEY1 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
-retired=$(awk '{print $3}' < retired.test${n}.ksk)
-set_keytime    "KEY1" "RETIRED" "${retired}"
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
-# - ZSK must be retired since it no longer matches the policy.
-#   P: now-12h
-#   A: now-12h
-# - The key is removed after the retire interval:
-#   IretZSK = TTLsig + Dprp + Dsgn + retire-safety.
-#   TTLsig:         11h (39600 seconds)
-#   Dprp:           1h (3600 seconds)
-#   Dsgn:           9d (777600 seconds)
-#   publish-safety: 1h (3600 seconds)
-#   IretZSK:        9d13h (824400 seconds)
-IretZSK=824400
-Lzsk=5184000
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED"   "${created}" -43200
-set_addkeytime "KEY2" "ACTIVE"      "${created}" -43200
-keyfile=$(key_get KEY2 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
-retired=$(awk '{print $3}' < retired.test${n}.zsk)
-set_keytime    "KEY2" "RETIRED" "${retired}"
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
-# - The new KSK is immediately published and activated.
-created=$(key_get KEY3 CREATED)
-set_keytime    "KEY3" "PUBLISHED"   "${created}"
-set_keytime    "KEY3" "ACTIVE"      "${created}"
-# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
-#   TTLsig:         11h (39600 seconds)
-#   Dprp:           1h (3600 seconds)
-#   publish-safety: 1h (3600 seconds)
-#   Ipub:           13h (46800 seconds)
-Ipub=46800
-set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
-# - The ZSK is immediately published and activated.
-created=$(key_get KEY4 CREATED)
-set_keytime    "KEY4" "PUBLISHED"   "${created}"
-set_keytime    "KEY4" "ACTIVE"      "${created}"
-active=$(key_get KEY4 ACTIVE)
-set_addkeytime "KEY4" "RETIRED"     "${active}"  "${Lzsk}"
-retired=$(key_get KEY4 RETIRED)
-set_addkeytime "KEY4" "REMOVED"     "${retired}" "${IretZSK}"
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Check key tags, should be the same.
-n=$((n+1))
-echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
-ret=0
-[ $_migratenomatch_alglen_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
-[ $_migratenomatch_alglen_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
-status=$((status+ret))
-
 #
 # Testing KSK/ZSK algorithm rollover.
 #
@@ -5958,230 +5497,5 @@ dnssec_verify
 # an unlimited lifetime.  Fallback to the default loadkeys interval.
 check_next_key_event 3600
 
-#
-# Testing good migration with views.
-#
-init_view_migration() {
-	key_clear        "KEY1"
-	key_set          "KEY1" "LEGACY" "yes"
-	set_keyrole      "KEY1" "ksk"
-	set_keylifetime  "KEY1" "0"
-	set_keysigning   "KEY1" "yes"
-	set_zonesigning  "KEY1" "no"
-
-	key_clear        "KEY2"
-	key_set          "KEY2" "LEGACY" "yes"
-	set_keyrole      "KEY2" "zsk"
-	set_keylifetime  "KEY2" "0"
-	set_keysigning   "KEY2" "no"
-	set_zonesigning  "KEY2" "yes"
-
-	key_clear        "KEY3"
-	key_clear        "KEY4"
-
-	set_keystate "KEY1" "GOAL"         "omnipresent"
-	set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
-	set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-	set_keystate "KEY1" "STATE_DS"     "rumoured"
-
-	set_keystate "KEY2" "GOAL"         "omnipresent"
-	set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
-	set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-}
-
-set_keytimes_view_migration() {
-	# Key is six months in use.
-	created=$(key_get KEY1 CREATED)
-	set_addkeytime "KEY1" "PUBLISHED"   "${created}" -16070400
-	set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400
-	set_addkeytime "KEY1" "ACTIVE"      "${created}" -16070400
-	created=$(key_get KEY2 CREATED)
-	set_addkeytime "KEY2" "PUBLISHED"   "${created}" -16070400
-	set_addkeytime "KEY2" "ACTIVE"      "${created}" -16070400
-}
-
-# Zone view.rsasha256.kasp (external)
-set_zone "view-rsasha256.kasp"
-set_policy "rsasha256" "2" "21600"
-set_server "ns7" "10.53.0.7"
-init_view_migration
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "1024"
-TSIG="hmac-sha1:external:$VIEW1"
-wait_for_nsec
-# Make sure the zone is signed with legacy keys.
-check_keys
-set_keytimes_view_migration
-check_keytimes
-dnssec_verify
-
-n=$((n+1))
-# check subdomain
-echo_i "check TXT $ZONE (view ext) rrset is signed correctly ($n)"
-ret=0
-dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
-grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
-grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
-check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-# Remember legacy key tags.
-_migrate_ext8_ksk=$(key_get KEY1 ID)
-_migrate_ext8_zsk=$(key_get KEY2 ID)
-
-# Zone view.rsasha256.kasp (internal)
-set_zone "view-rsasha256.kasp"
-set_policy "rsasha256" "2" "21600"
-set_server "ns7" "10.53.0.7"
-init_view_migration
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "1024"
-TSIG="hmac-sha1:internal:$VIEW2"
-wait_for_nsec
-# Make sure the zone is signed with legacy keys.
-check_keys
-set_keytimes_view_migration
-check_keytimes
-dnssec_verify
-
-n=$((n+1))
-# check subdomain
-echo_i "check TXT $ZONE (view int) rrset is signed correctly ($n)"
-ret=0
-dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
-grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
-grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
-check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
-
-# Remember legacy key tags.
-_migrate_int8_ksk=$(key_get KEY1 ID)
-_migrate_int8_zsk=$(key_get KEY2 ID)
-
-# Reconfig dnssec-policy.
-echo_i "reconfig to switch to dnssec-policy"
-copy_setports ns7/named2.conf.in ns7/named.conf
-rndc_reconfig ns7 10.53.0.7
-
-# Calculate time passed to correctly check for next key events.
-now="$(TZ=UTC date +%s)"
-time_passed=$((now-start_time))
-echo_i "${time_passed} seconds passed between start of tests and reconfig"
-
-#
-# Testing migration (RSASHA256, views).
-#
-set_zone "view-rsasha256.kasp"
-set_policy "rsasha256" "3" "21600"
-set_server "ns7" "10.53.0.7"
-init_migration_match
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "1024"
-# Key properties, timings and metadata should be the same as legacy keys above.
-# However, because the keys have a lifetime, kasp will set the retired time.
-key_set          "KEY1" "LEGACY" "no"
-set_keylifetime  "KEY1" "31536000"
-set_keystate     "KEY1" "STATE_DNSKEY" "omnipresent"
-set_keystate     "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate     "KEY1" "STATE_DS"     "omnipresent"
-
-key_set          "KEY2" "LEGACY" "no"
-set_keylifetime  "KEY2" "8035200"
-set_keystate     "KEY2" "STATE_DNSKEY" "omnipresent"
-set_keystate     "KEY2" "STATE_ZRRSIG" "omnipresent"
-# The ZSK needs to be replaced.
-set_keystate     "KEY2" "GOAL" "hidden"
-set_keystate     "KEY3" "GOAL" "omnipresent"
-set_keyrole      "KEY3" "zsk"
-set_keylifetime  "KEY3" "8035200"
-set_keyalgorithm "KEY3" "8" "RSASHA256" "1024"
-set_keysigning   "KEY3" "no"
-set_zonesigning  "KEY3" "no" # not yet
-set_keystate     "KEY3" "STATE_DNSKEY" "rumoured"
-set_keystate     "KEY3" "STATE_ZRRSIG" "hidden"
-
-# Various signing policy checks (external).
-TSIG="hmac-sha1:external:$VIEW1"
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "external-view"
-set_keytimes_view_migration
-
-# Set expected key times:
-published=$(key_get KEY1 PUBLISHED)
-set_keytime "KEY1" "ACTIVE"      "${published}"
-set_keytime "KEY1" "SYNCPUBLISH" "${published}"
-# Lifetime: 1 year (8035200 seconds)
-active=$(key_get KEY1 ACTIVE)
-set_addkeytime "KEY1" "RETIRED" "${active}"  "31536000"
-# Retire interval:
-# DS TTL:                  1d
-# Parent zone propagation: 3h
-# Retire safety:           1h
-# Total:                   100800 seconds
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "100800"
-
-published=$(key_get KEY2 PUBLISHED)
-set_keytime "KEY2" "ACTIVE" "${published}"
-# Lifetime: 3 months (8035200 seconds)
-active=$(key_get KEY2 ACTIVE)
-set_addkeytime "KEY2" "RETIRED" "${active}" "8035200"
-# Retire interval:
-# Sign delay:             9d (14-5)
-# Max zone TTL:           1d
-# Retire safety:          1h
-# Zone propagation delay: 300s
-# Total:                  867900 seconds
-retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "867900"
-
-created=$(key_get KEY3 CREATED)
-set_keytime    "KEY3" "PUBLISHED" "${created}"
-# Publication interval:
-# DNSKEY TTL:             6h
-# Publish safety:         1h
-# Zone propagation delay: 300s
-# Total:                  25500 seconds
-set_addkeytime "KEY3" "ACTIVE" "${created}" "25500"
-# Lifetime: 3 months (8035200 seconds)
-active=$(key_get KEY3 ACTIVE)
-set_addkeytime "KEY3" "RETIRED" "${active}" "8035200"
-# Retire interval:
-# Sign delay:             9d (14-5)
-# Max zone TTL:           1d
-# Retire safety:          1h
-# Zone propagation delay: 300s
-# Total:                  867900 seconds
-retired=$(key_get KEY3 RETIRED)
-set_addkeytime "KEY3" "REMOVED" "${retired}" "867900"
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-dnssec_verify
-
-# Various signing policy checks (external).
-TSIG="hmac-sha1:internal:$VIEW2"
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "internal-view"
-set_keytimes_view_migration
-check_keytimes
-check_apex
-dnssec_verify
-
-# Check key tags, should be the same.
-n=$((n+1))
-echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
-ret=0
-[ $_migrate_ext8_ksk = $_migrate_int8_ksk ] || log_error "mismatch ksk tag"
-[ $_migrate_ext8_zsk = $_migrate_int8_zsk ] || log_error "mismatch zsk tag"
-[ $_migrate_ext8_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
-[ $_migrate_ext8_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
-status=$((status+ret))
-
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

bin/tests/system/keymgr2kasp/README

@@ -0,0 +1,10 @@
+Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+
+See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
+
+The test setup for migrating to KASP tests.
+
+ns3 is an authoritative server for the various test domains.
+
+ns4 is an authoritative server that tests a specific case where zones
+using views migrate to dnssec-policy.

bin/tests/system/keymgr2kasp/clean.sh

@@ -0,0 +1,31 @@
+#!/bin/sh
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+set -e
+
+rm -f ns*/K*.private ns*/K*.key ns*/K*.state
+rm -f ns*/named.conf ns*/kasp.conf
+rm -f ns*/named.memstats ns*/named.run
+rm -f ns*/keygen.out* ns*/signer.out*
+rm -f ns*/zones
+rm -f ns*/dsset-*
+rm -f ns*/*.db ns*/*.db.jnl ns*/*.db.jbk
+rm -f ns*/*.db.signed* ns*/*.db.infile
+rm -f ns*/managed-keys.bind*
+rm -f ns*/*.mkeys*
+rm -f ./*.created
+rm -f ./created.key-*
+rm -f ./dig.out*
+rm -f ./python.out.*
+rm -f ./retired.*
+rm -f ./rndc.dnssec.*
+rm -f ./unused.key*
+

bin/tests/system/keymgr2kasp/ns3/kasp.conf.in

@@ -0,0 +1,61 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "migrate" {
+	dnskey-ttl 7200;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
+/*
+ * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
+ * to ECDSAP256SHA256 keys.
+ */
+dnssec-policy "migrate-nomatch-algnum" {
+	dnskey-ttl 300;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm ecdsa256;
+		zsk key-directory lifetime P60D algorithm ecdsa256;
+	};
+
+	// Together 12h
+	zone-propagation-delay 3600;
+	max-zone-ttl 11h;
+
+	// Together 3h
+	parent-propagation-delay pt1h;
+	parent-ds-ttl 7200;
+};
+
+/*
+ * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
+ * to 2048 bits RSASHA1 keys.
+ */
+dnssec-policy "migrate-nomatch-alglen" {
+	dnskey-ttl 300;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm rsasha1 2048;
+		zsk key-directory lifetime P60D algorithm rsasha1 2048;
+	};
+
+	// Together 12h
+	zone-propagation-delay 3600;
+	max-zone-ttl 11h;
+
+	// Together 3h
+	parent-propagation-delay pt1h;
+	parent-ds-ttl 7200;
+};

bin/tests/system/keymgr2kasp/ns3/named.conf.in

@@ -0,0 +1,62 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+	key-directory ".";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* These are zones that migrate to dnssec-policy. */
+zone "migrate.kasp" {
+	type primary;
+	file "migrate.kasp.db";
+	auto-dnssec maintain;
+	allow-update { any; };
+	dnssec-dnskey-kskonly yes;
+	update-check-ksk yes;
+};
+
+zone "migrate-nomatch-algnum.kasp" {
+	type primary;
+	file "migrate-nomatch-algnum.kasp.db";
+	auto-dnssec maintain;
+	allow-update { any; };
+	dnssec-dnskey-kskonly yes;
+	update-check-ksk yes;
+};
+
+zone "migrate-nomatch-alglen.kasp" {
+	type primary;
+	file "migrate-nomatch-alglen.kasp.db";
+	auto-dnssec maintain;
+	allow-update { any; };
+	dnssec-dnskey-kskonly yes;
+	update-check-ksk yes;
+};

bin/tests/system/keymgr2kasp/ns3/named2.conf.in

@@ -0,0 +1,57 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+include "kasp.conf";
+
+options {
+	query-source address 10.53.0.3;
+	notify-source 10.53.0.3;
+	transfer-source 10.53.0.3;
+	port @PORT@;
+	pid-file "named.pid";
+	listen-on { 10.53.0.3; };
+	listen-on-v6 { none; };
+	allow-transfer { any; };
+	recursion no;
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* These are zones that migrate to dnssec-policy. */
+zone "migrate.kasp" {
+	type primary;
+	file "migrate.kasp.db";
+	allow-update { any; };
+	dnssec-policy "migrate";
+};
+
+zone "migrate-nomatch-algnum.kasp" {
+	type primary;
+	file "migrate-nomatch-algnum.kasp.db";
+	allow-update { any; };
+	dnssec-policy "migrate-nomatch-algnum";
+};
+
+zone "migrate-nomatch-alglen.kasp" {
+	type primary;
+	file "migrate-nomatch-alglen.kasp.db";
+	allow-update { any; };
+	dnssec-policy "migrate-nomatch-alglen";
+};

bin/tests/system/keymgr2kasp/ns3/setup.sh

@@ -0,0 +1,87 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns3/setup.sh"
+
+setup() {
+	zone="$1"
+	echo_i "setting up zone: $zone"
+	zonefile="${zone}.db"
+	infile="${zone}.db.infile"
+}
+
+private_type_record() {
+	_zone=$1
+	_algorithm=$2
+	_keyfile=$3
+
+	_id=$(keyfile_to_key_id "$_keyfile")
+
+	printf "%s. 0 IN TYPE65534 %s 5 %02x%04x0000\n" "$_zone" "\\#" "$_algorithm" "$_id"
+}
+
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+
+# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
+setup migrate.kasp
+echo "$zone" >> zones
+ksktimes="-P now -A now -P sync now"
+zsktimes="-P now -A now"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200        $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
+# time the existing keys do not match the policy.  The existing keys are
+# RSASHA1 keys, and will be migrated to a dnssec-policy that dictates
+# ECDSAP256SHA256 keys.
+setup migrate-nomatch-algnum.kasp
+echo "$zone" >> zones
+Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
+Tkey="now-3900s" # DNSKEY TTL + propagation delay
+Tsig="now-12h"   # Zone's maximum TTL + propagation delay
+ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
+zsktimes="-P ${Tsig} -A ${Tsig}"
+KSK=$($KEYGEN -a RSASHA1 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone 5 "$KSK" >> "$infile"
+private_type_record $zone 5 "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
+# time the existing keys do not match the policy.  The existing keys are
+# 1024 bits RSASHA1 keys, and will be migrated to a dnssec-policy that
+# dictates 2048 bits RSASHA1 keys.
+setup migrate-nomatch-alglen.kasp
+echo "$zone" >> zones
+Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
+Tkey="now-3900s" # DNSKEY TTL + propagation delay
+Tsig="now-12h"   # Zone's maximum TTL + propagation delay
+ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
+zsktimes="-P ${Tsig} -A ${Tsig}"
+KSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone 5 "$KSK" >> "$infile"
+private_type_record $zone 5 "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

bin/tests/system/keymgr2kasp/ns3/template.db.in

@@ -0,0 +1,25 @@
+; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+;
+; This Source Code Form is subject to the terms of the Mozilla Public
+; License, v. 2.0. If a copy of the MPL was not distributed with this
+; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;
+; See the COPYRIGHT file distributed with this work for additional
+; information regarding copyright ownership.
+
+$TTL 300
+@		IN	SOA  mname1. . (
+			1       ; serial
+			20      ; refresh (20 seconds)
+			20      ; retry (20 seconds)
+			1814400 ; expire (3 weeks)
+			3600    ; minimum (1 hour)
+			)
+
+			NS	ns3
+ns3			A	10.53.0.3
+
+a			A	10.0.0.1
+b			A	10.0.0.2
+c			A	10.0.0.3
+

bin/tests/system/keymgr2kasp/ns4/named.conf.in

@@ -9,15 +9,15 @@
  * information regarding copyright ownership.
  */
 
-// NS7
+// NS4
 
 options {
-	query-source address 10.53.0.7;
-	notify-source 10.53.0.7;
-	transfer-source 10.53.0.7;
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
 	port @PORT@;
 	pid-file "named.pid";
-	listen-on { 10.53.0.7; };
+	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
@@ -30,7 +30,7 @@ key rndc_key {
 };
 
 controls {
-	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
 key "external" {

bin/tests/system/keymgr2kasp/ns4/named2.conf.in

@@ -9,15 +9,15 @@
  * information regarding copyright ownership.
  */
 
-// NS7
+// NS4
 
 options {
-	query-source address 10.53.0.7;
-	notify-source 10.53.0.7;
-	transfer-source 10.53.0.7;
+	query-source address 10.53.0.4;
+	notify-source 10.53.0.4;
+	transfer-source 10.53.0.4;
 	port @PORT@;
 	pid-file "named.pid";
-	listen-on { 10.53.0.7; };
+	listen-on { 10.53.0.4; };
 	listen-on-v6 { none; };
 	allow-transfer { any; };
 	recursion no;
@@ -30,7 +30,7 @@ key rndc_key {
 };
 
 controls {
-	inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+	inet 10.53.0.4 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
 };
 
 key "external" {
@@ -49,7 +49,7 @@ dnssec-policy "rsasha256" {
 		ksk key-directory lifetime P1Y algorithm 8 2048;
 	};
 
-	dnskey-ttl 6h;
+	dnskey-ttl 300;
 	publish-safety 1h;
 	retire-safety 1h;
 

bin/tests/system/keymgr2kasp/ns4/setup.sh

@@ -12,7 +12,7 @@
 # shellcheck source=conf.sh
 . ../../conf.sh
 
-echo_i "ns7/setup.sh"
+echo_i "ns4/setup.sh"
 
 private_type_record() {
 	_zone=$1
@@ -40,8 +40,8 @@ echo "$zone" >> zones
 # rollover for the ZSK (P3M), but not long enough to initiate a KSK rollover (P1Y).
 ksktimes="-P -186d -A -186d -P sync -186d"
 zsktimes="-P -186d -A -186d"
-KSK=$($KEYGEN -a $algo -L 21600 -b 2048 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $algo -L 21600 -b 1024        $zsktimes $zone 2> keygen.out.$zone.2)
+KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $algo -L 300 -b 1024        $zsktimes $zone 2> keygen.out.$zone.2)
 
 echo_i "setting up zone $zone (external)"
 view="ext"

bin/tests/system/keymgr2kasp/ns4/template.ext.db.in

@@ -16,7 +16,7 @@ $TTL 300
 			3600    ; minimum (1 hour)
 			)
 
-			NS	ns7
-ns7			A	10.53.0.7
+			NS	ns4
+ns4			A	10.53.0.4
 
 view			TXT	"external"

bin/tests/system/keymgr2kasp/ns4/template.int.db.in

@@ -16,7 +16,7 @@ $TTL 300
 			3600    ; minimum (1 hour)
 			)
 
-			NS	ns7
-ns7			A	10.53.0.7
+			NS	ns4
+ns4			A	10.53.0.4
 
 view			TXT	"internal"

bin/tests/system/keymgr2kasp/setup.sh

@@ -0,0 +1,32 @@
+#!/bin/sh -e
+#
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+set -e
+
+$SHELL clean.sh
+
+copy_setports ns3/named.conf.in ns3/named.conf
+copy_setports ns4/named.conf.in ns4/named.conf
+
+copy_setports ns3/kasp.conf.in ns3/kasp.conf
+
+# Setup zones
+(
+	cd ns3
+	$SHELL setup.sh
+)
+(
+	cd ns4
+	$SHELL setup.sh
+)