
kasp: stop using RSASHA1 unless necessary for the test

Moves tests from being RSASHA1-based to RSASHA256-based where possible
and splits out the remaining RSASHA1-based tests so that they are not
run on OSes that don't support RSASHA1.
This commit is contained in:
Mark Andrews
2021-12-22 11:14:57 +11:00
committed by Michal Nowak
parent 4fd6d09330
commit 5830aa9dc6
14 changed files with 793 additions and 691 deletions


@@ -18,6 +18,7 @@ rm -f ./K*.private ./K*.key ./K*.state ./K*.cmp
rm -rf ./keys/
rm -f dig.out* rrsig.out.* keyevent.out.*
rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
rm -f ns*/named-fips.conf
rm -f ns*/policies/*.conf
rm -f ns*/*.jnl ns*/*.jbk
rm -f ns*/K*.private ns*/K*.key ns*/K*.state


@@ -21,7 +21,7 @@ dnssec-policy "kasp" {
keys {
csk key-directory lifetime P1Y algorithm 13;
ksk key-directory lifetime P1Y algorithm 8;
zsk key-directory lifetime P30D algorithm 8 1024;
zsk key-directory lifetime P6M algorithm 8 2000;
zsk key-directory lifetime P30D algorithm 8 2048;
zsk key-directory lifetime P6M algorithm 8 3072;
};
};
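Review bot: The two zsk lines of dnssec-policy "kasp" do not only move from algorithm 5 to 8; the RSA sizes also change, presumably 1024 → 2048 and 2000 → 3072 judging by the hunk counts, which is more than the RSASHA1-to-RSASHA256 move the commit message describes and is easy to miss. If the intent is to use only RSA sizes that are accepted on every platform the test now runs on (the new named-fips.conf name hints at a FIPS-related constraint), record that on the keys block, e.g. `// 2048 and 3072 only: RSA sizes accepted on every platform this test runs on`. Any test step that asserts the key lengths produced by this policy is not in this section and would need the same update.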


@@ -0,0 +1,451 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS3
include "policies/kasp.conf";
include "policies/autosign.conf";
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
dnssec-policy "rsasha256";
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
/* Zones that are getting initially signed */
/* The default case: No keys created, using default policy. */
zone "default.kasp" {
type primary;
file "default.kasp.db";
dnssec-policy "default";
};
/* checkds: Zone with one KSK. */
zone "checkds-ksk.kasp" {
type primary;
file "checkds-ksk.kasp.db";
dnssec-policy "checkds-ksk";
};
/* checkds: Zone with two KSKs. */
zone "checkds-doubleksk.kasp" {
type primary;
file "checkds-doubleksk.kasp.db";
dnssec-policy "checkds-doubleksk";
};
/* checkds: Zone with one CSK. */
zone "checkds-csk.kasp" {
type primary;
file "checkds-csk.kasp.db";
dnssec-policy "checkds-csk";
};
/* Key lifetime unlimited. */
zone "unlimited.kasp" {
type primary;
file "unlimited.kasp.db";
dnssec-policy "unlimited";
};
/* Manual rollover. */
zone "manual-rollover.kasp" {
type primary;
file "manual-rollover.kasp.db";
dnssec-policy "manual-rollover";
};
/* A zone that inherits dnssec-policy. */
zone "inherit.kasp" {
type primary;
file "inherit.kasp.db";
};
/* A zone that overrides dnssec-policy. */
zone "unsigned.kasp" {
type primary;
file "unsigned.kasp.db";
dnssec-policy "none";
};
/* A zone that is initially set to insecure. */
zone "insecure.kasp" {
type primary;
file "insecure.kasp.db";
dnssec-policy "insecure";
};
/* A primary zone with dnssec-policy but keys already created. */
zone "dnssec-keygen.kasp" {
type primary;
file "dnssec-keygen.kasp.db";
dnssec-policy "rsasha256";
};
/* A secondary zone with dnssec-policy. */
zone "secondary.kasp" {
type secondary;
primaries { 10.53.0.2; };
file "secondary.kasp.db";
dnssec-policy "rsasha256";
};
/* A dynamic zone with dnssec-policy. */
zone "dynamic.kasp" {
type primary;
file "dynamic.kasp.db";
dnssec-policy "default";
allow-update { any; };
};
/* A dynamic inline-signed zone with dnssec-policy. */
zone "dynamic-inline-signing.kasp" {
type primary;
file "dynamic-inline-signing.kasp.db";
dnssec-policy "default";
allow-update { any; };
inline-signing yes;
};
/* An inline-signed zone with dnssec-policy. */
zone "inline-signing.kasp" {
type primary;
file "inline-signing.kasp.db";
dnssec-policy "default";
inline-signing yes;
};
/*
* A configured dnssec-policy but some keys already created.
*/
zone "some-keys.kasp" {
type primary;
file "some-keys.kasp.db";
dnssec-policy "rsasha256";
};
/*
* A configured dnssec-policy but some keys already in use.
*/
zone "legacy-keys.kasp" {
type primary;
file "legacy-keys.kasp.db";
dnssec-policy "migrate-to-dnssec-policy";
};
/*
* A configured dnssec-policy with (too) many keys pregenerated.
*/
zone "pregenerated.kasp" {
type primary;
file "pregenerated.kasp.db";
dnssec-policy "rsasha256";
};
/*
* A configured dnssec-policy with one rumoured key.
* Bugfix case for GL #1593.
*/
zone "rumoured.kasp" {
type primary;
file "rumoured.kasp.db";
dnssec-policy "rsasha256";
};
/* RFC 8901 Multi-signer Model 2. */
zone "multisigner-model2.kasp" {
type primary;
file "multisigner-model2.kasp.db";
dnssec-policy "multisigner-model2";
allow-update { any; };
};
/*
* Different algorithms.
*/
zone "rsasha256.kasp" {
type primary;
file "rsasha256.kasp.db";
dnssec-policy "rsasha256";
};
zone "rsasha512.kasp" {
type primary;
file "rsasha512.kasp.db";
dnssec-policy "rsasha512";
};
zone "ecdsa256.kasp" {
type primary;
file "ecdsa256.kasp.db";
dnssec-policy "ecdsa256";
};
zone "ecdsa384.kasp" {
type primary;
file "ecdsa384.kasp.db";
dnssec-policy "ecdsa384";
};
/*
* Zone with too high TTL.
*/
zone "max-zone-ttl.kasp" {
type primary;
file "max-zone-ttl.kasp.db";
dnssec-policy "ttl";
};
/*
* Zones in different signing states.
*/
/*
* Zone that has expired signatures.
*/
zone "expired-sigs.autosign" {
type primary;
file "expired-sigs.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has valid, fresh signatures.
*/
zone "fresh-sigs.autosign" {
type primary;
file "fresh-sigs.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has unfresh signatures.
*/
zone "unfresh-sigs.autosign" {
type primary;
file "unfresh-sigs.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has missing private KSK.
*/
zone "ksk-missing.autosign" {
type primary;
file "ksk-missing.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has missing private ZSK.
*/
zone "zsk-missing.autosign" {
type primary;
file "zsk-missing.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has inactive ZSK.
*/
zone "zsk-retired.autosign" {
type primary;
file "zsk-retired.autosign.db";
dnssec-policy "autosign";
};
/*
* Zones for testing enabling DNSSEC.
*/
zone "step1.enable-dnssec.autosign" {
type primary;
file "step1.enable-dnssec.autosign.db";
dnssec-policy "enable-dnssec";
};
zone "step2.enable-dnssec.autosign" {
type primary;
file "step2.enable-dnssec.autosign.db";
dnssec-policy "enable-dnssec";
};
zone "step3.enable-dnssec.autosign" {
type primary;
file "step3.enable-dnssec.autosign.db";
dnssec-policy "enable-dnssec";
};
zone "step4.enable-dnssec.autosign" {
type primary;
file "step4.enable-dnssec.autosign.db";
dnssec-policy "enable-dnssec";
};
/*
* Zones for testing ZSK Pre-Publication steps.
*/
zone "step1.zsk-prepub.autosign" {
type primary;
file "step1.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
zone "step2.zsk-prepub.autosign" {
type primary;
file "step2.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
zone "step3.zsk-prepub.autosign" {
type primary;
file "step3.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
zone "step4.zsk-prepub.autosign" {
type primary;
file "step4.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
zone "step5.zsk-prepub.autosign" {
type primary;
file "step5.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
zone "step6.zsk-prepub.autosign" {
type primary;
file "step6.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
/*
* Zones for testing KSK Double-KSK steps.
*/
zone "step1.ksk-doubleksk.autosign" {
type primary;
file "step1.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
zone "step2.ksk-doubleksk.autosign" {
type primary;
file "step2.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
zone "step3.ksk-doubleksk.autosign" {
type primary;
file "step3.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
zone "step4.ksk-doubleksk.autosign" {
type primary;
file "step4.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
zone "step5.ksk-doubleksk.autosign" {
type primary;
file "step5.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
zone "step6.ksk-doubleksk.autosign" {
type primary;
file "step6.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
/*
* Zones for testing CSK rollover steps.
*/
zone "step1.csk-roll.autosign" {
type primary;
file "step1.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step2.csk-roll.autosign" {
type primary;
file "step2.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step3.csk-roll.autosign" {
type primary;
file "step3.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step4.csk-roll.autosign" {
type primary;
file "step4.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step5.csk-roll.autosign" {
type primary;
file "step5.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step6.csk-roll.autosign" {
type primary;
file "step6.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step7.csk-roll.autosign" {
type primary;
file "step7.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step8.csk-roll.autosign" {
type primary;
file "step8.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step1.csk-roll2.autosign" {
type primary;
file "step1.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step2.csk-roll2.autosign" {
type primary;
file "step2.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step3.csk-roll2.autosign" {
type primary;
file "step3.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step4.csk-roll2.autosign" {
type primary;
file "step4.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step5.csk-roll2.autosign" {
type primary;
file "step5.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step6.csk-roll2.autosign" {
type primary;
file "step6.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step7.csk-roll2.autosign" {
type primary;
file "step7.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
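Review bot: The only header of the new file is the `// NS3` comment, so nothing records why this configuration exists next to named.conf or when it is loaded on its own. If it is meant to be the RSASHA1-free part of the ns3 configuration, included by named.conf where RSASHA1 is available and used as the whole configuration where it is not, say so right after the license block, e.g. `// RSASHA1-free part of the ns3 configuration; named.conf includes it and adds the RSASHA1 zones.` Note that the file still includes policies/kasp.conf, which after this commit defines the algorithm-5 "rsasha1" and "rsasha1-nsec3" policies in addition to including kasp-fips.conf, so loading this file stand-alone on a system without RSASHA1 depends on a matching policies/kasp.conf being generated; how named.conf and policies/kasp.conf are selected at setup time is not part of this diff and is worth confirming.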


@@ -13,451 +13,16 @@
// NS3
include "policies/kasp.conf";
include "policies/autosign.conf";
include "named-fips.conf";
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
dnssec-policy "rsasha1";
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
/* Zones that are getting initially signed */
/* The default case: No keys created, using default policy. */
zone "default.kasp" {
type primary;
file "default.kasp.db";
dnssec-policy "default";
};
/* checkds: Zone with one KSK. */
zone "checkds-ksk.kasp" {
type primary;
file "checkds-ksk.kasp.db";
dnssec-policy "checkds-ksk";
};
/* checkds: Zone with two KSKs. */
zone "checkds-doubleksk.kasp" {
type primary;
file "checkds-doubleksk.kasp.db";
dnssec-policy "checkds-doubleksk";
};
/* checkds: Zone with one CSK. */
zone "checkds-csk.kasp" {
type primary;
file "checkds-csk.kasp.db";
dnssec-policy "checkds-csk";
};
/* Key lifetime unlimited. */
zone "unlimited.kasp" {
type primary;
file "unlimited.kasp.db";
dnssec-policy "unlimited";
};
/* Manual rollover. */
zone "manual-rollover.kasp" {
type primary;
file "manual-rollover.kasp.db";
dnssec-policy "manual-rollover";
};
/* A primary zone with dnssec-policy, no keys created. */
zone "rsasha1.kasp" {
type primary;
file "rsasha1.kasp.db";
dnssec-policy "rsasha1";
};
/* A zone that inherits dnssec-policy. */
zone "inherit.kasp" {
type primary;
file "inherit.kasp.db";
};
/* A zone that overrides dnssec-policy. */
zone "unsigned.kasp" {
type primary;
file "unsigned.kasp.db";
dnssec-policy "none";
};
/* A zone that is initially set to insecure. */
zone "insecure.kasp" {
type primary;
file "insecure.kasp.db";
dnssec-policy "insecure";
};
/* A primary zone with dnssec-policy but keys already created. */
zone "dnssec-keygen.kasp" {
type primary;
file "dnssec-keygen.kasp.db";
dnssec-policy "rsasha1";
};
/* A secondary zone with dnssec-policy. */
zone "secondary.kasp" {
type secondary;
primaries { 10.53.0.2; };
file "secondary.kasp.db";
dnssec-policy "rsasha1";
};
/* A dynamic zone with dnssec-policy. */
zone "dynamic.kasp" {
type primary;
file "dynamic.kasp.db";
dnssec-policy "default";
allow-update { any; };
};
/* A dynamic inline-signed zone with dnssec-policy. */
zone "dynamic-inline-signing.kasp" {
type primary;
file "dynamic-inline-signing.kasp.db";
dnssec-policy "default";
allow-update { any; };
inline-signing yes;
};
/* An inline-signed zone with dnssec-policy. */
zone "inline-signing.kasp" {
type primary;
file "inline-signing.kasp.db";
dnssec-policy "default";
inline-signing yes;
};
/*
* A configured dnssec-policy but some keys already created.
*/
zone "some-keys.kasp" {
type primary;
file "some-keys.kasp.db";
dnssec-policy "rsasha1";
};
/*
* A configured dnssec-policy but some keys already in use.
*/
zone "legacy-keys.kasp" {
type primary;
file "legacy-keys.kasp.db";
dnssec-policy "migrate-to-dnssec-policy";
};
/*
* A configured dnssec-policy with (too) many keys pregenerated.
*/
zone "pregenerated.kasp" {
type primary;
file "pregenerated.kasp.db";
dnssec-policy "rsasha1";
};
/*
* A configured dnssec-policy with one rumoured key.
* Bugfix case for GL #1593.
*/
zone "rumoured.kasp" {
type primary;
file "rumoured.kasp.db";
dnssec-policy "rsasha1";
};
/* RFC 8901 Multi-signer Model 2. */
zone "multisigner-model2.kasp" {
type primary;
file "multisigner-model2.kasp.db";
dnssec-policy "multisigner-model2";
allow-update { any; };
};
/*
* Different algorithms.
*/
zone "rsasha1-nsec3.kasp" {
type primary;
file "rsasha1-nsec3.kasp.db";
dnssec-policy "rsasha1-nsec3";
};
zone "rsasha256.kasp" {
type primary;
file "rsasha256.kasp.db";
dnssec-policy "rsasha256";
};
zone "rsasha512.kasp" {
type primary;
file "rsasha512.kasp.db";
dnssec-policy "rsasha512";
};
zone "ecdsa256.kasp" {
type primary;
file "ecdsa256.kasp.db";
dnssec-policy "ecdsa256";
};
zone "ecdsa384.kasp" {
type primary;
file "ecdsa384.kasp.db";
dnssec-policy "ecdsa384";
};
/*
* Zone with too high TTL.
*/
zone "max-zone-ttl.kasp" {
type primary;
file "max-zone-ttl.kasp.db";
dnssec-policy "ttl";
};
/*
* Zones in different signing states.
*/
/*
* Zone that has expired signatures.
*/
zone "expired-sigs.autosign" {
type primary;
file "expired-sigs.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has valid, fresh signatures.
*/
zone "fresh-sigs.autosign" {
type primary;
file "fresh-sigs.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has unfresh signatures.
*/
zone "unfresh-sigs.autosign" {
type primary;
file "unfresh-sigs.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has missing private KSK.
*/
zone "ksk-missing.autosign" {
type primary;
file "ksk-missing.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has missing private ZSK.
*/
zone "zsk-missing.autosign" {
type primary;
file "zsk-missing.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has inactive ZSK.
*/
zone "zsk-retired.autosign" {
type primary;
file "zsk-retired.autosign.db";
dnssec-policy "autosign";
};
/*
* Zones for testing enabling DNSSEC.
*/
zone "step1.enable-dnssec.autosign" {
type primary;
file "step1.enable-dnssec.autosign.db";
dnssec-policy "enable-dnssec";
};
zone "step2.enable-dnssec.autosign" {
type primary;
file "step2.enable-dnssec.autosign.db";
dnssec-policy "enable-dnssec";
};
zone "step3.enable-dnssec.autosign" {
type primary;
file "step3.enable-dnssec.autosign.db";
dnssec-policy "enable-dnssec";
};
zone "step4.enable-dnssec.autosign" {
type primary;
file "step4.enable-dnssec.autosign.db";
dnssec-policy "enable-dnssec";
};
/*
* Zones for testing ZSK Pre-Publication steps.
*/
zone "step1.zsk-prepub.autosign" {
type primary;
file "step1.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
zone "step2.zsk-prepub.autosign" {
type primary;
file "step2.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
zone "step3.zsk-prepub.autosign" {
type primary;
file "step3.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
zone "step4.zsk-prepub.autosign" {
type primary;
file "step4.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
zone "step5.zsk-prepub.autosign" {
type primary;
file "step5.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
zone "step6.zsk-prepub.autosign" {
type primary;
file "step6.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
/*
* Zones for testing KSK Double-KSK steps.
*/
zone "step1.ksk-doubleksk.autosign" {
type primary;
file "step1.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
zone "step2.ksk-doubleksk.autosign" {
type primary;
file "step2.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
zone "step3.ksk-doubleksk.autosign" {
type primary;
file "step3.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
zone "step4.ksk-doubleksk.autosign" {
type primary;
file "step4.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
zone "step5.ksk-doubleksk.autosign" {
type primary;
file "step5.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
zone "step6.ksk-doubleksk.autosign" {
type primary;
file "step6.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
/*
* Zones for testing CSK rollover steps.
*/
zone "step1.csk-roll.autosign" {
type primary;
file "step1.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step2.csk-roll.autosign" {
type primary;
file "step2.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step3.csk-roll.autosign" {
type primary;
file "step3.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step4.csk-roll.autosign" {
type primary;
file "step4.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step5.csk-roll.autosign" {
type primary;
file "step5.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step6.csk-roll.autosign" {
type primary;
file "step6.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step7.csk-roll.autosign" {
type primary;
file "step7.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step8.csk-roll.autosign" {
type primary;
file "step8.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step1.csk-roll2.autosign" {
type primary;
file "step1.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step2.csk-roll2.autosign" {
type primary;
file "step2.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step3.csk-roll2.autosign" {
type primary;
file "step3.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step4.csk-roll2.autosign" {
type primary;
file "step4.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step5.csk-roll2.autosign" {
type primary;
file "step5.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step6.csk-roll2.autosign" {
type primary;
file "step6.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step7.csk-roll2.autosign" {
type primary;
file "step7.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};


@@ -0,0 +1,118 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "unlimited" {
dnskey-ttl 1234;
keys {
csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "manual-rollover" {
dnskey-ttl 3600;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "multisigner-model2" {
dnskey-ttl 3600;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "migrate-to-dnssec-policy" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P6M algorithm 8;
zsk key-directory lifetime P6M algorithm 8;
};
};
dnssec-policy "rsasha256" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 8;
zsk key-directory lifetime P5Y algorithm 8;
zsk key-directory lifetime P1Y algorithm 8 3072;
};
};
dnssec-policy "rsasha512" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 10;
zsk key-directory lifetime P5Y algorithm 10;
zsk key-directory lifetime P1Y algorithm 10 3072;
};
};
dnssec-policy "ecdsa256" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 13;
zsk key-directory lifetime P5Y algorithm 13;
zsk key-directory lifetime P1Y algorithm 13 256;
};
};
dnssec-policy "ecdsa384" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 14;
zsk key-directory lifetime P5Y algorithm 14;
zsk key-directory lifetime P1Y algorithm 14 384;
};
};
dnssec-policy "checkds-ksk" {
dnskey-ttl 303;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "checkds-doubleksk" {
dnskey-ttl 303;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "checkds-csk" {
dnskey-ttl 303;
keys {
csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "ttl" {
max-zone-ttl 299;
};


@@ -11,31 +11,7 @@
* information regarding copyright ownership.
*/
dnssec-policy "unlimited" {
dnskey-ttl 1234;
keys {
csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "manual-rollover" {
dnskey-ttl 3600;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "multisigner-model2" {
dnskey-ttl 3600;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
include "policies/kasp-fips.conf";
dnssec-policy "rsasha1" {
dnskey-ttl 1234;
@@ -47,15 +23,6 @@ dnssec-policy "rsasha1" {
};
};
dnssec-policy "migrate-to-dnssec-policy" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P6M algorithm 5;
zsk key-directory lifetime P6M algorithm 5;
};
};
dnssec-policy "rsasha1-nsec3" {
dnskey-ttl 1234;
@@ -65,74 +32,3 @@ dnssec-policy "rsasha1-nsec3" {
zsk key-directory lifetime P1Y algorithm 7 2000;
};
};
dnssec-policy "rsasha256" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 8;
zsk key-directory lifetime P5Y algorithm 8;
zsk key-directory lifetime P1Y algorithm 8 2000;
};
};
dnssec-policy "rsasha512" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 10;
zsk key-directory lifetime P5Y algorithm 10;
zsk key-directory lifetime P1Y algorithm 10 2000;
};
};
dnssec-policy "ecdsa256" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 13;
zsk key-directory lifetime P5Y algorithm 13;
zsk key-directory lifetime P1Y algorithm 13 256;
};
};
dnssec-policy "ecdsa384" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 14;
zsk key-directory lifetime P5Y algorithm 14;
zsk key-directory lifetime P1Y algorithm 14 384;
};
};
dnssec-policy "checkds-ksk" {
dnskey-ttl 303;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "checkds-doubleksk" {
dnskey-ttl 303;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "checkds-csk" {
dnskey-ttl 303;
keys {
csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "ttl" {
max-zone-ttl 299;
};
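Review bot: The new `include "policies/kasp-fips.conf";` is resolved relative to the working directory of the program that loads the file, not relative to kasp.conf itself. named presumably reads it from ns3, but setup.sh also hands this file to dnssec-keygen as `-l policies/kasp.conf` from the test directory, so a policies/kasp-fips.conf now has to exist next to that copy as well; if the step that produces policies/kasp.conf from its .in template does not also produce kasp-fips.conf there, the `-k rsasha256` key generation for dnssec-keygen.kasp and pregenerated.kasp will not find its policy. That step is not visible in this diff. The same applies to the second policies file further down, which adds the identical include ahead of its "rsasha1" policy.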


@@ -42,8 +42,8 @@ U="UNRETENTIVE"
#
# Set up zones that will be initially signed.
#
for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \
rumoured rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 \
for zn in default dnssec-keygen some-keys legacy-keys pregenerated \
rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \
dynamic dynamic-inline-signing inline-signing \
checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
manual-rollover multisigner-model2
@@ -52,6 +52,22 @@ do
cp template.db.in "$zonefile"
done
#
# Set up RSASHA1 based zones
#
for zn in rsasha1 rsasha1-nsec3
do
if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1)
then
setup "${zn}.kasp"
cp template.db.in "$zonefile"
else
# don't add to zones.
echo_i "setting up zone: ${zn}.kasp"
cp template.db.in "${zn}.kasp.db"
fi
done
if [ -f ../ed25519-supported.file ]; then
setup "ed25519.kasp"
cp template.db.in "$zonefile"
@@ -78,31 +94,31 @@ done
# Some of these zones already have keys.
zone="dnssec-keygen.kasp"
echo_i "setting up zone: $zone"
$KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
$KEYGEN -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
zone="some-keys.kasp"
echo_i "setting up zone: $zone"
$KEYGEN -G -a RSASHA1 -b 2000 -L 1234 $zone > keygen.out.$zone.1 2>&1
$KEYGEN -G -a RSASHA1 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1
$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 $zone > keygen.out.$zone.1 2>&1
$KEYGEN -G -a RSASHA256 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1
zone="legacy-keys.kasp"
echo_i "setting up zone: $zone"
ZSK=$($KEYGEN -a RSASHA1 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1)
KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $zone 2> keygen.out.$zone.2)
ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1)
KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.2)
echo $ZSK > legacy-keys.kasp.zsk
echo $KSK > legacy-keys.kasp.ksk
# Predecessor keys:
Tact="now-9mo"
Tret="now-3mo"
ZSK=$($KEYGEN -a RSASHA1 -b 2048 -L 1234 $zone 2> keygen.out.$zone.3)
KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $zone 2> keygen.out.$zone.4)
ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.3)
KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.4)
$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK" > settime.out.$zone.1 2>&1
$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK" > settime.out.$zone.2 2>&1
zone="pregenerated.kasp"
echo_i "setting up zone: $zone"
$KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
$KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
zone="multisigner-model2.kasp"
echo_i "setting up zone: $zone"
@@ -122,9 +138,9 @@ echo_i "setting up zone: $zone"
Tpub="now"
Tact="now+1d"
keytimes="-P ${Tpub} -A ${Tact}"
KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $keytimes $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -b 2000 -L 1234 $keytimes $zone 2> keygen.out.$zone.2)
ZSK2=$($KEYGEN -a RSASHA1 -L 1234 $keytimes $zone 2> keygen.out.$zone.3)
KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $keytimes $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes $zone 2> keygen.out.$zone.2)
ZSK2=$($KEYGEN -a RSASHA256 -L 1234 $keytimes $zone 2> keygen.out.$zone.3)
$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.2 2>&1
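Review bot: In the new RSASHA1 loop, `(cd ..; $SHELL ../testcrypto.sh -q RSASHA1)` is re-run on every iteration although its outcome does not depend on the zone; run it once before the loop, keep the result in a variable, and test `[ "$have_rsasha1" = yes ]` inside the loop instead. The else branch's `# don't add to zones.` says what is skipped but not why the zone file is still created; a comment such as `# unsupported here: create the zone file only, so later steps find it, but do not configure the zone` would make the intent clear. If the same check decides which named.conf template ns3 gets, sharing one variable keeps the two decisions in step; that part of setup.sh is outside the shown hunks.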


@@ -62,7 +62,7 @@ zone "step1.going-straight-to-none.kasp" {
zone "step1.algorithm-roll.kasp" {
type primary;
file "step1.algorithm-roll.kasp.db";
dnssec-policy "rsasha1";
dnssec-policy "rsasha256";
};
zone "step1.csk-algorithm-roll.kasp" {


@@ -17,7 +17,7 @@ dnssec-policy "csk-algoroll" {
signatures-validity-dnskey 30d;
keys {
csk lifetime unlimited algorithm rsasha1;
csk lifetime unlimited algorithm rsasha256;
};
dnskey-ttl 1h;
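Review bot: The csk-algoroll policy now starts its rollover from rsasha256 instead of rsasha1, and the algorithm the zone rolls to is not in this hunk; the test only exercises a real algorithm roll while the starting algorithm differs from the target, which is less obviously guaranteed now that the start is a commonly chosen algorithm. A comment on the keys block such as `// starting algorithm for the CSK algorithm-roll steps; must differ from the algorithm of the policy the zone rolls to` would make that constraint visible to whoever changes either side next. The enclosing dnssec-policy block starts and ends outside the hunk.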


@@ -0,0 +1,59 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "unsigning" {
dnskey-ttl 7200;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "rsasha256" {
signatures-refresh P5D;
signatures-validity 30d;
signatures-validity-dnskey 30d;
keys {
ksk lifetime unlimited algorithm rsasha256;
zsk lifetime unlimited algorithm rsasha256;
};
dnskey-ttl 1h;
publish-safety PT1H;
retire-safety 2h;
zone-propagation-delay 3600;
max-zone-ttl 6h;
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};
dnssec-policy "ecdsa256" {
signatures-refresh P5D;
signatures-validity 30d;
signatures-validity-dnskey 30d;
keys {
ksk lifetime unlimited algorithm ecdsa256;
zsk lifetime unlimited algorithm ecdsa256;
};
dnskey-ttl 1h;
publish-safety PT1H;
retire-safety 2h;
zone-propagation-delay 3600;
max-zone-ttl 6h;
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};


@@ -11,14 +11,7 @@
* information regarding copyright ownership.
*/
dnssec-policy "unsigning" {
dnskey-ttl 7200;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
};
};
include "policies/kasp-fips.conf";
dnssec-policy "rsasha1" {
signatures-refresh P5D;
@@ -38,22 +31,3 @@ dnssec-policy "rsasha1" {
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};
dnssec-policy "ecdsa256" {
signatures-refresh P5D;
signatures-validity 30d;
signatures-validity-dnskey 30d;
keys {
ksk lifetime unlimited algorithm ecdsa256;
zsk lifetime unlimited algorithm ecdsa256;
};
dnskey-ttl 1h;
publish-safety PT1H;
retire-safety 2h;
zone-propagation-delay 3600;
max-zone-ttl 6h;
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};


@@ -92,13 +92,13 @@ echo "$zone" >> zones
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 5 "$KSK" >> "$infile"
private_type_record $zone 5 "$ZSK" >> "$infile"
private_type_record $zone 8 "$KSK" >> "$infile"
private_type_record $zone 8 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Step 2:
@@ -114,8 +114,8 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
zsk1times="-P ${TactN} -A ${TactN} -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
@@ -126,8 +126,8 @@ $SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.ou
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone 8 "$KSK1" >> "$infile"
private_type_record $zone 8 "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -144,8 +144,8 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
@@ -156,8 +156,8 @@ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.ou
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone 8 "$KSK1" >> "$infile"
private_type_record $zone 8 "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -175,8 +175,8 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
@@ -187,8 +187,8 @@ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone 8 "$KSK1" >> "$infile"
private_type_record $zone 8 "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -207,8 +207,8 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
@@ -219,8 +219,8 @@ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.ou
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone 8 "$KSK1" >> "$infile"
private_type_record $zone 8 "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -240,8 +240,8 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
@@ -252,8 +252,8 @@ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.ou
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone 8 "$KSK1" >> "$infile"
private_type_record $zone 8 "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
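Review bot: The RSASHA256 algorithm number is hard-coded as a literal `8` in every private_type_record call that follows the rewritten `$KEYGEN -a RSASHA256` lines (this hunk and each of the later hunks in the file), while the second key pair consistently uses `$DEFAULT_ALGORITHM` / `$DEFAULT_ALGORITHM_NUMBER`, so the algorithm name and its number can drift apart on the next edit. Defining the pair once near the top of the script, `ALG1=RSASHA256` and `ALG1_NUM=8`, and using them in both the keygen and private_type_record lines keeps them in sync and reads like the existing DEFAULT_ALGORITHM pair. These zones exercise a rollover from RSASHA256 to `$DEFAULT_ALGORITHM`, which presumably only makes sense while DEFAULT_ALGORITHM is not itself RSASHA256; a one-line comment stating that assumption would help. No `-b` size is passed to `$KEYGEN`, so the 2048-bit expectation in tests.sh relies on dnssec-keygen's default RSA key size.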


@@ -21,7 +21,13 @@ $SHELL clean.sh
mkdir keys
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
if ! $SHELL ../testcrypto.sh -q RSASHA1
then
copy_setports ns3/named-fips.conf.in ns3/named.conf
else
copy_setports ns3/named-fips.conf.in ns3/named-fips.conf
copy_setports ns3/named.conf.in ns3/named.conf
fi
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
@@ -35,11 +41,21 @@ if $SHELL ../testcrypto.sh ed448; then
fi
copy_setports ns3/policies/autosign.conf.in ns3/policies/autosign.conf
copy_setports ns3/policies/kasp-fips.conf.in ns3/policies/kasp-fips.conf
copy_setports ns3/policies/kasp.conf.in ns3/policies/kasp.conf
if ! $SHELL ../testcrypto.sh -q RSASHA1
then
cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf
fi
copy_setports ns6/policies/csk1.conf.in ns6/policies/csk1.conf
copy_setports ns6/policies/csk2.conf.in ns6/policies/csk2.conf
copy_setports ns6/policies/kasp-fips.conf.in ns6/policies/kasp-fips.conf
copy_setports ns6/policies/kasp.conf.in ns6/policies/kasp.conf
if ! $SHELL ../testcrypto.sh -q RSASHA1
then
cp ns6/policies/kasp-fips.conf ns6/policies/kasp.conf
fi
# Setup zones
(
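Review bot: The capability probe `$SHELL ../testcrypto.sh -q RSASHA1` is run three times in this script (the ns3/named.conf selection and the two kasp.conf copies) and is repeated again in tests.sh, so the branches can drift apart if one probe is later edited. Evaluating it once, e.g. `if $SHELL ../testcrypto.sh -q RSASHA1; then HAVE_RSASHA1=yes; else HAVE_RSASHA1=no; fi`, and testing `[ "$HAVE_RSASHA1" = no ]` at each site keeps the three decisions tied to a single result. The `cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf` (and the ns6 counterpart) silently overwrites the file copy_setports generated on the line just above it; a short comment such as `# RSASHA1 unavailable: use only the FIPS-safe policies` above each cp would tell the reader the overwrite is deliberate.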


@@ -83,13 +83,13 @@ set_zonesigning "KEY2" "no"
set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "2592000"
set_keyalgorithm "KEY3" "8" "RSASHA256" "1024"
set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "yes"
set_keyrole "KEY4" "zsk"
set_keylifetime "KEY4" "16070400"
set_keyalgorithm "KEY4" "8" "RSASHA256" "2000"
set_keyalgorithm "KEY4" "8" "RSASHA256" "3072"
set_keysigning "KEY4" "no"
set_zonesigning "KEY4" "yes"
@@ -787,55 +787,58 @@ set_keytimes_algorithm_policy() {
#
# Zone: rsasha1.kasp.
#
set_zone "rsasha1.kasp"
set_policy "rsasha1" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "315360000"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"
if $SHELL ../testcrypto.sh -q RSASHA1
then
set_zone "rsasha1.kasp"
set_policy "rsasha1" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "315360000"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"
key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "157680000"
set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "157680000"
set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
key_clear "KEY3"
set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "31536000"
set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "yes"
key_clear "KEY3"
set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "31536000"
set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "yes"
# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
# ZSK: DNSKEY, RRSIG (zsk) published.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"
# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
# ZSK: DNSKEY, RRSIG (zsk) published.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
# Three keys only.
key_clear "KEY4"
set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
# Three keys only.
key_clear "KEY4"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify
fi
#
# Zone: unsigned.kasp.
@@ -909,28 +912,28 @@ dnssec_verify
# Zone: inherit.kasp.
#
set_zone "inherit.kasp"
set_policy "rsasha1" "3" "1234"
set_policy "rsasha256" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "315360000"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"
key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "157680000"
set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
key_clear "KEY3"
set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "31536000"
set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "yes"
# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
@@ -962,7 +965,7 @@ dnssec_verify
# Zone: dnssec-keygen.kasp.
#
set_zone "dnssec-keygen.kasp"
set_policy "rsasha1" "3" "1234"
set_policy "rsasha256" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
@@ -978,7 +981,7 @@ dnssec_verify
# Zone: some-keys.kasp.
#
set_zone "some-keys.kasp"
set_policy "rsasha1" "3" "1234"
set_policy "rsasha256" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
@@ -996,7 +999,7 @@ dnssec_verify
# There are more pregenerated keys than needed, hence the number of keys is
# six, not three.
set_zone "pregenerated.kasp"
set_policy "rsasha1" "6" "1234"
set_policy "rsasha256" "6" "1234"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
@@ -1013,7 +1016,7 @@ dnssec_verify
#
# There are three keys in rumoured state.
set_zone "rumoured.kasp"
set_policy "rsasha1" "3" "1234"
set_policy "rsasha256" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
@@ -1039,7 +1042,7 @@ dnssec_verify
# Zone: secondary.kasp.
#
set_zone "secondary.kasp"
set_policy "rsasha1" "3" "1234"
set_policy "rsasha256" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
@@ -1083,22 +1086,25 @@ status=$((status+ret))
#
# Zone: rsasha1-nsec3.kasp.
#
set_zone "rsasha1-nsec3.kasp"
set_policy "rsasha1-nsec3" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048"
set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000"
# Key timings and states same as above.
if $SHELL ../testcrypto.sh -q RSASHA1
then
set_zone "rsasha1-nsec3.kasp"
set_policy "rsasha1-nsec3" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048"
set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000"
# Key timings and states same as above.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify
fi
#
# Zone: rsasha256.kasp.
@@ -1109,7 +1115,7 @@ set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
set_keyalgorithm "KEY3" "8" "RSASHA256" "2000"
set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
# Key timings and states same as above.
check_keys
@@ -1129,7 +1135,7 @@ set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "10" "RSASHA512" "2048"
set_keyalgorithm "KEY2" "10" "RSASHA512" "2048"
set_keyalgorithm "KEY3" "10" "RSASHA512" "2000"
set_keyalgorithm "KEY3" "10" "RSASHA512" "3072"
# Key timings and states same as above.
check_keys
@@ -1529,14 +1535,14 @@ set_server "ns3" "10.53.0.3"
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "16070400"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"
key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "16070400"
set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
@@ -3546,20 +3552,20 @@ IretZSK=0
# Zone: step1.algorithm-roll.kasp
#
set_zone "step1.algorithm-roll.kasp"
set_policy "rsasha1" "2" "3600"
set_policy "rsasha256" "2" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"
key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
key_clear "KEY3"
@@ -3600,7 +3606,7 @@ set_server "ns6" "10.53.0.6"
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
key_clear "KEY2"
@@ -3992,14 +3998,14 @@ set_server "ns6" "10.53.0.6"
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"
key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# New ECDSAP256SHA256 keys.
@@ -4394,7 +4400,7 @@ set_server "ns6" "10.53.0.6"
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# New ECDSAP256SHA256 key.
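Review bot: When the `if $SHELL ../testcrypto.sh -q RSASHA1` guard is false, the rsasha1.kasp and rsasha1-nsec3.kasp checks are skipped with no trace in the log, so a run on a platform without RSASHA1 looks identical to one that exercised them. Adding an `else` branch with `echo_i "skipping rsasha1.kasp checks: RSASHA1 not supported"` (and the equivalent for rsasha1-nsec3.kasp) to each guard records the skip in the test output. The probe is also evaluated separately in both guards and in setup.sh; caching it once at the top of the script would keep them in step. The RSASHA1 expectations keep the 2000-bit KEY3 while the RSASHA256 and RSASHA512 ones move to 3072, which is presumably intentional since the RSASHA1 zones now run only where RSASHA1 is available, but a comment next to the remaining `"2000"` would save the next reader the question.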