mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 14:35:26 +00:00
Code Issues Releases Wiki Activity

dnssec-policy inheritance from options/view

Browse Source 
'dnssec-policy' can now also be set on the options and view level and
a zone that does not set 'dnssec-policy' explicitly will inherit it
from the view or options level.

This requires a new keyword to be introduced: 'none'.  If set to
'none' the zone will not be DNSSEC maintained, in other words it will
stay unsigned.  You can use this to break the inheritance.  Of course
you can also break the inheritance by referring to a different
policy.

The keywords 'default' and 'none' are not allowed when configuring
your own dnssec-policy statement.

Add appropriate tests for checking the configuration (checkconf)
and add tests to the kasp system test to verify the inheritance
works.

Edit the kasp system test such that it can deal with unsigned zones
and views (so setting a TSIG on the query).
This commit is contained in:
Matthijs Mekking
2019-11-05 17:22:35 +01:00
parent ce1c1631b3
commit 5f464d15a0
27 changed files with 895 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
bin/tests/system/checkconf/bad-kasp1.conf
View File

@@ -9,12 +9,14 @@
* information regarding copyright ownership.
*/
options {
dnssec-policy "notatzonelevel";
// Using the keyword 'default' is not allowed.
dnssec-policy "default" {
signatures-refresh P5D;
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "default";
};

22
bin/tests/system/checkconf/bad-kasp5.conf Normal file
View File

@@ -0,0 +1,22 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// Using the keyword 'none' is not allowed.
dnssec-policy "none" {
signatures-refresh P5D;
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "none";
};

16
bin/tests/system/checkconf/good-kasp.conf
View File

@@ -35,13 +35,25 @@ dnssec-policy "test" {
options {
dnssec-policy "default";
};
options {
dnssec-policy "default";
};
zone "example1" {
type master;
dnssec-policy "test";
file "example1.db";
};
zone "example2" {
type master;
dnssec-policy "default";
file "example2.db";
dnssec-policy "test";
};
zone "example3" {
type master;
file "example3.db";
dnssec-policy "default";
};
zone "example4" {
type master;
file "example4.db";
dnssec-policy "none";
};

41
bin/tests/system/checkconf/good.conf
View File

@@ -14,6 +14,24 @@
*/
/* cut here */
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
ksk key-directory lifetime P1Y algorithm 13 256;
zsk key-directory lifetime P30D algorithm 13;
csk key-directory lifetime P30D algorithm 8 2048;
};
publish-safety PT3600S;
retire-safety PT3600S;
signatures-refresh P3D;
signatures-validity P2W;
signatures-validity-dnskey P14D;
zone-max-ttl 86400;
zone-propagation-delay PT5M;
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
parent-registration-delay P1D;
};
options {
avoid-v4-udp-ports {
100;
@@ -60,6 +78,7 @@ options {
validate-except {
"corp";
};
dnssec-policy "test";
transfer-source 0.0.0.0 dscp 63;
zone-statistics none;
};
@@ -140,6 +159,28 @@ view "third" {
};
};
};
view "fourth" {
zone "dnssec-test" {
type master;
file "dnssec-test.db";
dnssec-policy "test";
};
zone "dnssec-default" {
type master;
file "dnssec-default.db";
dnssec-policy "default";
};
zone "dnssec-inherit" {
type master;
file "dnssec-inherit.db";
};
zone "dnssec-none" {
type master;
file "dnssec-none.db";
dnssec-policy "none";
};
dnssec-policy "default";
};
view "chaos" chaos {
zone "hostname.bind" chaos {
type master;

4
bin/tests/system/checkconf/good.zonelist
View File

@@ -8,4 +8,8 @@ clone IN third in-view first
dnssec IN third master
p IN third primary
s IN third secondary
dnssec-test IN fourth master
dnssec-default IN fourth master
dnssec-inherit IN fourth master
dnssec-none IN fourth master
hostname.bind chaos chaos master

2
bin/tests/system/kasp/README
View File

@@ -9,3 +9,5 @@ ns1 is reserved for the root server.
ns2 is running primary service for ns3.
ns3 is an authoritative server for the various test domains.
ns4 and ns5 are authoritative servers for various test domains related to views.

1
bin/tests/system/kasp/clean.sh
View File

@@ -21,5 +21,6 @@ rm -f ns*/K*.private ns*/K*.key ns*/K*.state
rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
rm -f ns*/managed-keys.bind
rm -f ns*/*.mkeys
# NS3 specific
rm -f ns3/zones ns3/*.db.infile

16
bin/tests/system/kasp/ns2/named.conf.in
View File

@@ -21,6 +21,7 @@ options {
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
dnssec-policy "none";
};
key rndc_key {
@@ -32,6 +33,21 @@ controls {
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
/* Inherit dnssec-policy (which is none) */
zone "unsigned.tld" {
type master;
file "unsigned.tld.db";
};
/* Override dnssec-policy */
zone "signed.tld" {
type master;
dnssec-policy "default";
file "signed.tld.db";
};
/* Primary service for ns3 */
zone "secondary.kasp" {

14
bin/tests/system/kasp/ns2/setup.sh
View File

@@ -14,8 +14,20 @@
echo_i "ns2/setup.sh"
echo_i "setting up zone: $zone"
zone="secondary.kasp"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zonefile}.in"
cp $infile $zonefile
zone="signed.tld"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="template.tld.db.in"
cp $infile $zonefile
zone="unsigned.tld"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="template.tld.db.in"
cp $infile $zonefile

25
bin/tests/system/kasp/ns2/template.tld.db.in Normal file
View File

@@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA secondary.kasp. hostmaster.kasp. (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
ns2 A 10.53.0.2
a A 10.0.0.1
b A 10.0.0.2
c A 10.0.0.3

20
bin/tests/system/kasp/ns3/named.conf.in
View File

@@ -11,6 +11,9 @@
// NS3
include "policies/kasp.conf";
include "policies/autosign.conf";
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
@@ -21,6 +24,7 @@ options {
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
dnssec-policy "rsasha1";
};
key rndc_key {
@@ -32,9 +36,6 @@ controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
include "policies/kasp.conf";
include "policies/autosign.conf";
/* Zones that are getting initially signed */
/* The default case: No keys created, using default policy. */
@@ -51,6 +52,19 @@ zone "rsasha1.kasp" {
dnssec-policy "rsasha1";
};
/* A zone that inherits dnssec-policy. */
zone "inherit.kasp" {
type master;
file "inherit.kasp.db";
};
/* A zone that overrides dnssec-policy. */
zone "unsigned.kasp" {
type master;
file "unsigned.kasp.db";
dnssec-policy "none";
};
/* A master zone with dnssec-policy but keys already created. */
zone "dnssec-keygen.kasp" {
type master;

9
bin/tests/system/kasp/ns3/setup.sh
View File

@@ -43,12 +43,19 @@ U="UNRETENTIVE"
# Set up zones that will be initially signed.
#
for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \
rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384
rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 inherit
do
setup "${zn}.kasp"
cp template.db.in $zonefile
done
# Set up zone that stays unsigned.
zone="unsigned.kasp"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zone}.db.infile"
cp template.db.in $zonefile
# Some of these zones already have keys.
zone="dnssec-keygen.kasp"
$KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1

117
bin/tests/system/kasp/ns4/named.conf.in Normal file
View File

@@ -0,0 +1,117 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS4
key "sha1" {
algorithm "hmac-sha1";
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
};
key "sha224" {
algorithm "hmac-sha224";
secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
};
key "sha256" {
algorithm "hmac-sha256";
secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
};
dnssec-policy "test" {
keys {
csk key-directory lifetime 0 algorithm 14;
};
};
options {
query-source address 10.53.0.4;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion no;
dnssec-policy "test";
};
view "inherit" {
match-clients { key "sha1"; };
/* Inherit dnssec-policy 'test' */
zone "inherit.inherit.signed" {
type master;
file "inherit.inherit.signed.db";
};
/* Override dnssec-policy */
zone "override.inherit.signed" {
type master;
dnssec-policy "default";
file "override.inherit.signed.db";
};
/* Unset dnssec-policy */
zone "none.inherit.signed" {
type master;
dnssec-policy "none";
file "none.inherit.signed.db";
};
};
view "override" {
match-clients { key "sha224"; };
dnssec-policy "default";
/* Inherit dnssec-policy 'test' */
zone "inherit.override.signed" {
type master;
file "inherit.override.signed.db";
};
/* Override dnssec-policy */
zone "override.override.signed" {
type master;
dnssec-policy "test";
file "override.override.signed.db";
};
/* Unset dnssec-policy */
zone "none.override.signed" {
type master;
dnssec-policy "none";
file "none.override.signed.db";
};
};
view "none" {
match-clients { key "sha256"; };
dnssec-policy "none";
/* Inherit dnssec-policy 'none' */
zone "inherit.none.signed" {
type master;
file "inherit.none.signed.db";
};
/* Override dnssec-policy */
zone "override.none.signed" {
type master;
dnssec-policy "test";
file "override.none.signed.db";
};
/* Unset dnssec-policy */
zone "none.none.signed" {
type master;
dnssec-policy "none";
file "none.none.signed.db";
};
};

28
bin/tests/system/kasp/ns4/setup.sh Normal file
View File

@@ -0,0 +1,28 @@
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
echo_i "ns4/setup.sh"
#
# Set up zones that potentially will be initially signed.
#
for zn in inherit.inherit override.inherit none.inherit \
inherit.override override.override none.override \
inherit.none override.none none.none
do
zone="$zn.signed"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
cp template.db.in $zonefile
done

25
bin/tests/system/kasp/ns4/template.db.in Normal file
View File

@@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns4
ns4 A 10.53.0.4
a A 10.0.0.1
b A 10.0.0.2
c A 10.0.0.3

117
bin/tests/system/kasp/ns5/named.conf.in Normal file
View File

@@ -0,0 +1,117 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS5
key "sha1" {
algorithm "hmac-sha1";
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
};
key "sha224" {
algorithm "hmac-sha224";
secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
};
key "sha256" {
algorithm "hmac-sha256";
secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
};
dnssec-policy "test" {
keys {
csk key-directory lifetime 0 algorithm 14;
};
};
options {
query-source address 10.53.0.5;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion no;
dnssec-policy "none";
};
view "inherit" {
match-clients { key "sha1"; };
/* Inherit dnssec-policy 'none' */
zone "inherit.inherit.unsigned" {
type master;
file "inherit.inherit.unsigned.db";
};
/* Override dnssec-policy */
zone "override.inherit.unsigned" {
type master;
dnssec-policy "default";
file "override.inherit.unsigned.db";
};
/* Unset dnssec-policy */
zone "none.inherit.unsigned" {
type master;
dnssec-policy "none";
file "none.inherit.unsigned.db";
};
};
view "override" {
match-clients { key "sha224"; };
dnssec-policy "default";
/* Inherit dnssec-policy 'default' */
zone "inherit.override.unsigned" {
type master;
file "inherit.override.unsigned.db";
};
/* Override dnssec-policy */
zone "override.override.unsigned" {
type master;
dnssec-policy "test";
file "override.override.unsigned.db";
};
/* Unset dnssec-policy */
zone "none.override.unsigned" {
type master;
dnssec-policy "none";
file "none.override.unsigned.db";
};
};
view "none" {
match-clients { key "sha256"; };
dnssec-policy "none";
/* Inherit dnssec-policy 'none' */
zone "inherit.none.unsigned" {
type master;
file "inherit.none.unsigned.db";
};
/* Override dnssec-policy */
zone "override.none.unsigned" {
type master;
dnssec-policy "test";
file "override.none.unsigned.db";
};
/* Unset dnssec-policy */
zone "none.none.unsigned" {
type master;
dnssec-policy "none";
file "none.none.unsigned.db";
};
};

28
bin/tests/system/kasp/ns5/setup.sh Normal file
View File

@@ -0,0 +1,28 @@
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
echo_i "ns5/setup.sh"
#
# Set up zones that potentially will be initially signed.
#
for zn in inherit.inherit override.inherit none.inherit \
inherit.override override.override none.override \
inherit.none override.none none.none
do
zone="$zn.unsigned"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
cp template.db.in $zonefile
done

25
bin/tests/system/kasp/ns5/template.db.in Normal file
View File

@@ -0,0 +1,25 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns5
ns5 A 10.53.0.5
a A 10.0.0.1
b A 10.0.0.2
c A 10.0.0.3

13
bin/tests/system/kasp/setup.sh
View File

@@ -20,14 +20,23 @@ mkdir keys
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
# ns2: Setup zones
# Setup zones
(
cd ns2
$SHELL setup.sh
)
# ns3: Setup zones
(
cd ns3
$SHELL setup.sh
)
(
cd ns4
$SHELL setup.sh
)
(
cd ns5
$SHELL setup.sh
)

370
bin/tests/system/kasp/tests.sh
View File

@@ -21,6 +21,14 @@ n=0
###############################################################################
DEFAULT_TTL=300
###############################################################################
# Query properties #
###############################################################################
TSIG=""
SHA1="FrSt77yPTFx6hTs4i2tKLB9LmE0="
SHA224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA=="
SHA256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY="
###############################################################################
# Key properties #
###############################################################################
@@ -82,7 +90,12 @@ key_clear "KEY3"
# Call dig with default options.
dig_with_opts() {
"$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
_tsig=""
if [ -n "$TSIG" ]; then
_tsig="-y $TSIG"
fi
"$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p $PORT $_tsig "$@"
}
# RNDC.
@@ -108,7 +121,9 @@ get_keyids() {
_start="${_dir}/K${_zone}.+${_algorithm}+"
_end=".key"
ls ${_start}*${_end} | sed "s/$_dir\/K${_zone}.+${_algorithm}+\([0-9]\{5\}\)${_end}/\1/"
if [ $_algorithm -ne 0 ]; then
ls ${_start}*${_end} | sed "s/$_dir\/K${_zone}.+${_algorithm}+\([0-9]\{5\}\)${_end}/\1/"
fi
}
# By default log errors and don't quit immediately.
@@ -124,15 +139,17 @@ log_error() {
# $3: Policy name
# $4: DNSKEY TTL
# $5: Number of keys
# $6: Name server
#
# This will set the following environment variables for testing:
# DIR, ZONE, POLICY, DNSKEY_TTL, NUM_KEYS
# DIR, ZONE, POLICY, DNSKEY_TTL, NUM_KEYS, SERVER
zone_properties() {
DIR=$1
ZONE=$2
POLICY=$3
DNSKEY_TTL=$4
NUM_KEYS=$5
SERVER=$6
}
# Set key properties for testing keys.
@@ -492,7 +509,7 @@ dnssec_verify()
n=$((n+1))
echo_i "dnssec-verify zone ${ZONE} ($n)"
ret=0
dig_with_opts $ZONE @10.53.0.3 AXFR > dig.out.axfr.test$n || log_error "dig ${ZONE} AXFR failed"
dig_with_opts $ZONE @${SERVER} AXFR > dig.out.axfr.test$n || log_error "dig ${ZONE} AXFR failed"
$VERIFY -z -o $ZONE dig.out.axfr.test$n > /dev/null || log_error "dnssec verify zone $ZONE failed"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
@@ -505,7 +522,7 @@ dnssec_verify()
#
# dnssec-keygen
#
zone_properties "keys" "kasp" "kasp" "200"
zone_properties "keys" "kasp" "kasp" "200" "10.53.0.1"
n=$((n+1))
echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)"
@@ -557,7 +574,7 @@ _log=1
n=$((n+1))
echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
ret=0
zone_properties "." "kasp" "default" "3600"
zone_properties "." "kasp" "default" "3600" "10.53.0.1"
key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
key_timings "KEY1" "none" "none" "none" "none" "none"
key_states "KEY1" "none" "none" "none" "none" "none"
@@ -572,7 +589,7 @@ status=$((status+ret))
n=$((n+1))
echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
ret=0
zone_properties "." "kasp" "default" "3600"
zone_properties "." "kasp" "default" "3600" "10.53.0.1"
key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
key_timings "KEY1" "none" "none" "none" "none" "none"
key_states "KEY1" "none" "none" "none" "none" "none"
@@ -672,7 +689,7 @@ status=$((status+ret))
#
# Check the zone with default kasp policy has loaded and is signed.
zone_properties "ns3" "default.kasp" "_default" "3600"
zone_properties "ns3" "default.kasp" "default" "3600" "1" "10.53.0.3"
key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
# The first key is immediately published and activated.
key_timings "KEY1" "published" "active" "none" "none" "none" "none"
@@ -695,7 +712,7 @@ qtype="DNSKEY"
n=$((n+1))
echo_i "check ${qtype} rrset is signed correctly for zone ${ZONE} ($n)"
ret=0
dig_with_opts $ZONE @10.53.0.3 $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed"
dig_with_opts $ZONE @${SERVER} $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed"
grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${qtype}.*257.*.3.*${KEY1[$ALG_NUM]}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${qtype} record in response"
lines=$(get_keys_which_signed $qtype dig.out.$DIR.test$n | wc -l)
@@ -709,7 +726,7 @@ qtype="SOA"
n=$((n+1))
echo_i "check ${qtype} rrset is signed correctly for zone ${ZONE} ($n)"
ret=0
dig_with_opts $ZONE @10.53.0.3 $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed"
dig_with_opts $ZONE @${SERVER} $qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${qtype} failed"
grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*${qtype}.*mname1\..*\." dig.out.$DIR.test$n > /dev/null || log_error "missing ${qtype} record in response"
lines=$(get_keys_which_signed $qtype dig.out.$DIR.test$n | wc -l)
@@ -730,14 +747,14 @@ while [ $i -lt 5 ]
do
ret=0
dig_with_opts "a.${ZONE}" @10.53.0.3 A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed"
dig_with_opts "a.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed"
grep "status: NOERROR" dig.out.$DIR.test$n.a > /dev/null || log_error "mismatch status in DNS response"
grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" dig.out.$DIR.test$n.a > /dev/null || log_error "missing a.${ZONE} A record in response"
lines=$(get_keys_which_signed A dig.out.$DIR.test$n.a | wc -l)
test "$lines" -eq 1 || log_error "bad number ($lines) of RRSIG records in DNS response"
get_keys_which_signed A dig.out.$DIR.test$n.a | grep "^${KEY_ID}$" > /dev/null || log_error "A RRset not signed with key ${KEY_ID}"
dig_with_opts "d.${ZONE}" @10.53.0.3 A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed"
dig_with_opts "d.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed"
grep "status: NOERROR" dig.out.$DIR.test$n.d > /dev/null || log_error "mismatch status in DNS response"
grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" dig.out.$DIR.test$n.d > /dev/null || log_error "missing d.${ZONE} A record in response"
lines=$(get_keys_which_signed A dig.out.$DIR.test$n.d | wc -l)
@@ -756,7 +773,7 @@ status=$((status+ret))
#
# Zone: rsasha1.kasp.
#
zone_properties "ns3" "rsasha1.kasp" "rsasha1" "1234" "3"
zone_properties "ns3" "rsasha1.kasp" "rsasha1" "1234" "3" "10.53.0.3"
key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes"
key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "1024" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no"
@@ -895,7 +912,7 @@ check_cds() {
n=$((n+1))
echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)"
ret=0
dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
if [ "${KEY1[$STATE_DS]}" == "rumoured" ] || [ "${KEY1[$STATE_DS]}" == "omnipresent" ]; then
@@ -933,9 +950,33 @@ check_apex() {
n=$((n+1))
echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)"
ret=0
dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response"
if [ "${KEY1[$STATE_DNSKEY]}" == "rumoured" ] || [ "${KEY1[$STATE_DNSKEY]}" == "omnipresent" ]; then
grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key ${KEY1[$ID]}"
check_signatures $_qtype dig.out.$DIR.test$n $KSK
numkeys=$((numkeys+1))
elif [ "${KEY1[$EXPECT]}" == "yes" ]; then
grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key ${KEY1[$ID]}"
fi
if [ "${KEY2[$STATE_DNSKEY]}" == "rumoured" ] || [ "${KEY2[$STATE_DNSKEY]}" == "omnipresent" ]; then
grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key ${KEY2[$ID]}"
check_signatures $_qtype dig.out.$DIR.test$n $KSK
numkeys=$((numkeys+1))
elif [ "${KEY2[$EXPECT]}" == "yes" ]; then
grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key ${KEY2[$ID]}"
fi
if [ "${KEY3[$STATE_DNSKEY]}" == "rumoured" ] || [ "${KEY3[$STATE_DNSKEY]}" == "omnipresent" ]; then
grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response for key ${KEY3[$ID]}"
check_signatures $_qtype dig.out.$DIR.test$n $KSK
numkeys=$((numkeys+1))
elif [ "${KEY3[$EXPECT]}" == "yes" ]; then
grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*${_key_algnum}" dig.out.$DIR.test$n > /dev/null && log_error "unexpected ${_qtype} record in response for key ${KEY3[$ID]}"
fi
lines=$(get_keys_which_signed $_qtype dig.out.$DIR.test$n | wc -l)
check_signatures $_qtype dig.out.$DIR.test$n $KSK
test "$ret" -eq 0 || echo_i "failed"
@@ -946,7 +987,7 @@ check_apex() {
n=$((n+1))
echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)"
ret=0
dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*" dig.out.$DIR.test$n > /dev/null || log_error "missing ${_qtype} record in response"
lines=$(get_keys_which_signed $_qtype dig.out.$DIR.test$n | wc -l)
@@ -964,7 +1005,7 @@ check_subdomain() {
n=$((n+1))
echo_i "check ${_qtype} a.${ZONE} rrset is signed correctly for zone ${ZONE} ($n)"
ret=0
dig_with_opts a.$ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig a.${ZONE} ${_qtype} failed"
dig_with_opts a.$ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig a.${ZONE} ${_qtype} failed"
grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*10\.0\.0\.1" dig.out.$DIR.test$n > /dev/null || log_error "missing a.${ZONE} ${_qtype} record in response"
lines=$(get_keys_which_signed $_qtype dig.out.$DIR.test$n | wc -l)
@@ -978,10 +1019,43 @@ check_apex
check_subdomain
dnssec_verify
#
# Zone: unsigned.kasp.
#
zone_properties "ns3" "unsigned.kasp" "none" "0" "0" "10.53.0.3"
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
check_keys
check_apex
check_subdomain
#
# Zone: inherit.kasp.
#
zone_properties "ns3" "inherit.kasp" "rsasha1" "1234" "3" "10.53.0.3"
key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes"
key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "1024" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no"
# The first keys are immediately published and activated.
# Because lifetime > 0, retired timing is also set.
key_timings "KEY1" "published" "active" "retired" "none" "none"
key_timings "KEY2" "published" "active" "retired" "none" "none"
key_timings "KEY3" "published" "active" "retired" "none" "none"
# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
# ZSK: DNSKEY, RRSIG (zsk) published.
key_states "KEY1" "omnipresent" "rumoured" "none" "rumoured" "hidden"
key_states "KEY2" "omnipresent" "rumoured" "rumoured" "none" "none"
key_states "KEY3" "omnipresent" "rumoured" "rumoured" "none" "none"
check_keys
check_apex
check_subdomain
dnssec_verify
#
# Zone: dnssec-keygen.kasp.
#
zone_properties "ns3" "dnssec-keygen.kasp" "rsasha1" "1234" "3"
zone_properties "ns3" "dnssec-keygen.kasp" "rsasha1" "1234" "3" "10.53.0.3"
# key_properties, key_timings and key_states same as above.
check_keys
check_apex
@@ -991,7 +1065,7 @@ dnssec_verify
#
# Zone: some-keys.kasp.
#
zone_properties "ns3" "some-keys.kasp" "rsasha1" "1234" "3"
zone_properties "ns3" "some-keys.kasp" "rsasha1" "1234" "3" "10.53.0.3"
# key_properties, key_timings and key_states same as above.
check_keys
check_apex
@@ -1001,7 +1075,7 @@ dnssec_verify
#
# Zone: legacy-keys.kasp.
#
zone_properties "ns3" "legacy-keys.kasp" "rsasha1" "1234" "3"
zone_properties "ns3" "legacy-keys.kasp" "rsasha1" "1234" "3" "10.53.0.3"
# key_properties, key_timings and key_states same as above.
check_keys
check_apex
@@ -1013,7 +1087,7 @@ dnssec_verify
#
# There are more pregenerated keys than needed, hence the number of keys is
# six, not three.
zone_properties "ns3" "pregenerated.kasp" "rsasha1" "1234" "6"
zone_properties "ns3" "pregenerated.kasp" "rsasha1" "1234" "6" "10.53.0.3"
# key_properties, key_timings and key_states same as above.
check_keys
check_apex
@@ -1023,7 +1097,7 @@ dnssec_verify
#
# Zone: secondary.kasp.
#
zone_properties "ns3" "secondary.kasp" "rsasha1" "1234" "3"
zone_properties "ns3" "secondary.kasp" "rsasha1" "1234" "3" "10.53.0.3"
# KSK properties, timings and states same as above.
check_keys
check_apex
@@ -1042,12 +1116,12 @@ while [ $i -lt 5 ]
do
ret=0
dig_with_opts "a.${ZONE}" @10.53.0.3 A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed"
dig_with_opts "a.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.a || log_error "dig a.${ZONE} A failed"
grep "status: NOERROR" dig.out.$DIR.test$n.a > /dev/null || log_error "mismatch status in DNS response"
grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" dig.out.$DIR.test$n.a > /dev/null || log_error "missing a.${ZONE} A record in response"
check_signatures $_qtype dig.out.$DIR.test$n.a $ZSK
dig_with_opts "d.${ZONE}" @10.53.0.3 A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed"
dig_with_opts "d.${ZONE}" @${SERVER} A > dig.out.$DIR.test$n.d || log_error "dig d.${ZONE} A failed"
grep "status: NOERROR" dig.out.$DIR.test$n.d > /dev/null || log_error "mismatch status in DNS response"
grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" dig.out.$DIR.test$n.d > /dev/null || log_error "missing d.${ZONE} A record in response"
lines=$(get_keys_which_signed A dig.out.$DIR.test$n.d | wc -l)
@@ -1069,7 +1143,7 @@ status=$((status+ret))
#
# Zone: rsasha1-nsec3.kasp.
#
zone_properties "ns3" "rsasha1-nsec3.kasp" "rsasha1-nsec3" "1234" "3"
zone_properties "ns3" "rsasha1-nsec3.kasp" "rsasha1-nsec3" "1234" "3" "10.53.0.3"
key_properties "KEY1" "ksk" "315360000" "7" "NSEC3RSASHA1" "2048" "no" "yes"
key_properties "KEY2" "zsk" "157680000" "7" "NSEC3RSASHA1" "1024" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "7" "NSEC3RSASHA1" "2000" "yes" "no"
@@ -1082,7 +1156,7 @@ dnssec_verify
#
# Zone: rsasha256.kasp.
#
zone_properties "ns3" "rsasha256.kasp" "rsasha256" "1234" "3"
zone_properties "ns3" "rsasha256.kasp" "rsasha256" "1234" "3" "10.53.0.3"
key_properties "KEY1" "ksk" "315360000" "8" "RSASHA256" "2048" "no" "yes"
key_properties "KEY2" "zsk" "157680000" "8" "RSASHA256" "1024" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "8" "RSASHA256" "2000" "yes" "no"
@@ -1095,7 +1169,7 @@ dnssec_verify
#
# Zone: rsasha512.kasp.
#
zone_properties "ns3" "rsasha512.kasp" "rsasha512" "1234" "3"
zone_properties "ns3" "rsasha512.kasp" "rsasha512" "1234" "3" "10.53.0.3"
key_properties "KEY1" "ksk" "315360000" "10" "RSASHA512" "2048" "no" "yes"
key_properties "KEY2" "zsk" "157680000" "10" "RSASHA512" "1024" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "10" "RSASHA512" "2000" "yes" "no"
@@ -1108,7 +1182,7 @@ dnssec_verify
#
# Zone: ecdsa256.kasp.
#
zone_properties "ns3" "ecdsa256.kasp" "ecdsa256" "1234" "3"
zone_properties "ns3" "ecdsa256.kasp" "ecdsa256" "1234" "3" "10.53.0.3"
key_properties "KEY1" "ksk" "315360000" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_properties "KEY2" "zsk" "157680000" "13" "ECDSAP256SHA256" "256" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "no"
@@ -1121,7 +1195,7 @@ dnssec_verify
#
# Zone: ecdsa512.kasp.
#
zone_properties "ns3" "ecdsa384.kasp" "ecdsa384" "1234" "3"
zone_properties "ns3" "ecdsa384.kasp" "ecdsa384" "1234" "3" "10.53.0.3"
key_properties "KEY1" "ksk" "315360000" "14" "ECDSAP384SHA384" "384" "no" "yes"
key_properties "KEY2" "zsk" "157680000" "14" "ECDSAP384SHA384" "384" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "14" "ECDSAP384SHA384" "384" "yes" "no"
@@ -1136,7 +1210,7 @@ dnssec_verify
#
# Zone: expired-sigs.autosign.
#
zone_properties "ns3" "expired-sigs.autosign" "autosign" "300" "2"
zone_properties "ns3" "expired-sigs.autosign" "autosign" "300" "2" "10.53.0.3"
# Both KSK and ZSK stay OMNIPRESENT.
key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
@@ -1161,7 +1235,7 @@ check_rrsig_refresh() {
n=$((n+1))
echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
ret=0
dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response"
# If this exact RRSIG is also in the zone file it is not refreshed.
@@ -1181,7 +1255,7 @@ check_rrsig_refresh() {
n=$((n+1))
echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
ret=0
dig_with_opts "${_label}.${ZONE}" @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
dig_with_opts "${_label}.${ZONE}" @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response"
_rrsig=`cat rrsig.out.$ZONE.$_qtype`
@@ -1197,7 +1271,7 @@ check_rrsig_refresh
#
# Zone: fresh-sigs.autosign.
#
zone_properties "ns3" "fresh-sigs.autosign" "autosign" "300" "2"
zone_properties "ns3" "fresh-sigs.autosign" "autosign" "300" "2" "10.53.0.3"
# key_properties, key_timings and key_states same as above.
check_keys
check_apex
@@ -1213,7 +1287,7 @@ check_rrsig_reuse() {
n=$((n+1))
echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
ret=0
dig_with_opts $ZONE @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
dig_with_opts $ZONE @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${ZONE} ${_qtype} failed"
grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response"
# If this exact RRSIG is also in the zone file it is not refreshed.
@@ -1233,7 +1307,7 @@ check_rrsig_reuse() {
n=$((n+1))
echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
ret=0
dig_with_opts "${_label}.${ZONE}" @10.53.0.3 $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
dig_with_opts "${_label}.${ZONE}" @${SERVER} $_qtype > dig.out.$DIR.test$n || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
grep "status: NOERROR" dig.out.$DIR.test$n > /dev/null || log_error "mismatch status in DNS response"
grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" dig.out.$DIR.test$n > rrsig.out.$ZONE.$_qtype || log_error "missing RRSIG (${_qtype}) record in response"
_rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < rrsig.out.$ZONE.$_qtype)
@@ -1249,7 +1323,7 @@ check_rrsig_reuse
#
# Zone: unfresh-sigs.autosign.
#
zone_properties "ns3" "unfresh-sigs.autosign" "autosign" "300" "2"
zone_properties "ns3" "unfresh-sigs.autosign" "autosign" "300" "2" "10.53.0.3"
# key_properties, key_timings and key_states same as above.
check_keys
check_apex
@@ -1260,7 +1334,7 @@ check_rrsig_refresh
#
# Zone: zsk-missing.autosign.
#
zone_properties "ns3" "zsk-missing.autosign" "autosign" "300" "2"
zone_properties "ns3" "zsk-missing.autosign" "autosign" "300" "2" "10.53.0.3"
# KSK stays OMNIPRESENT.
key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
@@ -1271,7 +1345,7 @@ key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
#
# Zone: zsk-retired.autosign.
#
zone_properties "ns3" "zsk-retired.autosign" "autosign" "300" "3"
zone_properties "ns3" "zsk-retired.autosign" "autosign" "300" "3" "10.53.0.3"
# KSK properties, timings and states same as above.
# The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK
# is active.
@@ -1284,6 +1358,178 @@ key_properties "KEY3" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "no" "no"
key_timings "KEY3" "published" "active" "retired" "none" "none"
key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none"
#
# Test dnssec-policy inheritance.
#
# These zones should be unsigned:
# ns2/unsigned.tld
# ns4/none.inherit.signed
# ns4/none.override.signed
# ns4/inherit.none.signed
# ns4/none.none.signed
# ns5/inherit.inherit.unsigned
# ns5/none.inherit.unsigned
# ns5/none.override.unsigned
# ns5/inherit.none.unsigned
# ns5/none.none.unsigned
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
zone_properties "ns2" "unsigned.tld" "none" "0" "0" "10.53.0.2"
TSIG=""
check_keys
check_apex
check_subdomain
zone_properties "ns4" "none.inherit.signed" "none" "0" "0" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_apex
check_subdomain
zone_properties "ns4" "none.override.signed" "none" "0" "0" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_apex
check_subdomain
zone_properties "ns4" "inherit.none.signed" "none" "0" "0" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_apex
check_subdomain
zone_properties "ns4" "none.none.signed" "none" "0" "0" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_apex
check_subdomain
zone_properties "ns5" "inherit.inherit.unsigned" "none" "0" "0" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_apex
check_subdomain
zone_properties "ns5" "none.inherit.unsigned" "none" "0" "0" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_apex
check_subdomain
zone_properties "ns5" "none.override.unsigned" "none" "0" "0" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_apex
check_subdomain
zone_properties "ns5" "inherit.none.unsigned" "none" "0" "0" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_apex
check_subdomain
zone_properties "ns5" "none.none.unsigned" "none" "0" "0" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_apex
check_subdomain
# These zones should be signed with the default policy:
# ns2/signed.tld
# ns4/override.inherit.signed
# ns4/inherit.override.signed
# ns5/override.inherit.signed
# ns5/inherit.override.signed
key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
key_timings "KEY1" "published" "active" "none" "none" "none" "none"
key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden"
zone_properties "ns2" "signed.tld" "default" "3600" "1" "10.53.0.2"
TSIG=""
check_keys
check_apex
check_subdomain
dnssec_verify
zone_properties "ns4" "override.inherit.signed" "default" "3600" "1" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_apex
check_subdomain
dnssec_verify
zone_properties "ns4" "inherit.override.signed" "default" "3600" "1" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_apex
check_subdomain
dnssec_verify
zone_properties "ns5" "override.inherit.unsigned" "default" "3600" "1" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_apex
check_subdomain
dnssec_verify
zone_properties "ns5" "inherit.override.unsigned" "default" "3600" "1" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_apex
check_subdomain
dnssec_verify
# These zones should be signed with the test policy:
# ns4/inherit.inherit.signed
# ns4/override.override.signed
# ns4/override.none.signed
# ns5/override.override.unsigned
# ns5/override.none.unsigned
key_properties "KEY1" "csk" "0" "14" "ECDSAP384SHA384" "384" "yes" "yes"
key_timings "KEY1" "published" "active" "none" "none" "none" "none"
key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden"
zone_properties "ns4" "inherit.inherit.signed" "test" "3600" "1" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_apex
check_subdomain
dnssec_verify
zone_properties "ns4" "override.override.signed" "test" "3600" "1" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_apex
check_subdomain
dnssec_verify
zone_properties "ns4" "override.none.signed" "test" "3600" "1" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_apex
check_subdomain
dnssec_verify
zone_properties "ns5" "override.override.unsigned" "test" "3600" "1" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_apex
check_subdomain
dnssec_verify
zone_properties "ns5" "override.none.unsigned" "test" "3600" "1" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_apex
check_subdomain
dnssec_verify
# Clear TSIG.
TSIG=""
#
# Testing ZSK Pre-Publication rollover.
#
@@ -1291,7 +1537,7 @@ key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none"
#
# Zone: step1.zsk-prepub.autosign.
#
zone_properties "ns3" "step1.zsk-prepub.autosign" "zsk-prepub" "3600" "2"
zone_properties "ns3" "step1.zsk-prepub.autosign" "zsk-prepub" "3600" "2" "10.53.0.3"
# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
@@ -1337,7 +1583,7 @@ check_next_key_event 2498400
#
# Zone: step2.zsk-prepub.autosign.
#
zone_properties "ns3" "step2.zsk-prepub.autosign" "zsk-prepub" "3600" "3"
zone_properties "ns3" "step2.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3"
# KSK (KEY1) doesn't change.
# ZSK (KEY2) remains active, no change in properties/timings/states.
# New ZSK (KEY3) is prepublished.
@@ -1357,7 +1603,7 @@ check_next_key_event 93600
#
# Zone: step3.zsk-prepub.autosign.
#
zone_properties "ns3" "step3.zsk-prepub.autosign" "zsk-prepub" "3600" "3"
zone_properties "ns3" "step3.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3"
# KSK (KEY1) doesn't change.
# ZSK (KEY2) properties and timing metadata same as above.
# ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE.
@@ -1385,7 +1631,7 @@ check_next_key_event 867600
#
# Zone: step4.zsk-prepub.autosign.
#
zone_properties "ns3" "step4.zsk-prepub.autosign" "zsk-prepub" "3600" "3"
zone_properties "ns3" "step4.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3"
# KSK (KEY1) doesn't change.
# ZSK (KEY2) properties and timing metadata same as above.
# ZSK (KEY2) DNSKEY is no longer needed.
@@ -1407,7 +1653,7 @@ check_next_key_event 7200
#
# Zone: step5.zsk-prepub.autosign.
#
zone_properties "ns3" "step5.zsk-prepub.autosign" "zsk-prepub" "3600" "3"
zone_properties "ns3" "step5.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3"
# KSK (KEY1) doesn't change.
# ZSK (KEY2) properties and timing metadata same as above.
# ZSK (KEY3) DNSKEY is now completely HIDDEN and removed.
@@ -1431,7 +1677,7 @@ check_next_key_event 1627200
#
# Zone: step1.ksk-doubleksk.autosign.
#
zone_properties "ns3" "step1.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "2"
zone_properties "ns3" "step1.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "2" "10.53.0.3"
# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
@@ -1456,7 +1702,7 @@ check_next_key_event 5000400
#
# Zone: step2.ksk-doubleksk.autosign.
#
zone_properties "ns3" "step2.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3"
zone_properties "ns3" "step2.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3"
# ZSK (KEY2) doesn't change.
# KSK (KEY1) remains active, no change in properties/timings/states.
# New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
@@ -1476,7 +1722,7 @@ check_next_key_event 97200
#
# Zone: step3.ksk-doubleksk.autosign.
#
zone_properties "ns3" "step3.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3"
zone_properties "ns3" "step3.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3"
# ZSK (KEY2) doesn't change.
# KSK (KEY1) DS will be removed, so it is UNRETENTIVE.
key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "unretentive"
@@ -1499,7 +1745,7 @@ check_next_key_event 266400
#
# Zone: step4.ksk-doubleksk.autosign.
#
zone_properties "ns3" "step4.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3"
zone_properties "ns3" "step4.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3"
# ZSK (KEY2) doesn't change.
# KSK (KEY1) DNSKEY can be removed.
key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "no"
@@ -1519,7 +1765,7 @@ check_next_key_event 10800
#
# Zone: step5.ksk-doubleksk.autosign.
#
zone_properties "ns3" "step5.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3"
zone_properties "ns3" "step5.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3"
# ZSK (KEY2) doesn't change.
# KSK (KEY1) DNSKEY is now HIDDEN.
key_states "KEY1" "hidden" "hidden" "none" "hidden" "hidden"
@@ -1542,7 +1788,7 @@ check_next_key_event 4813200
#
# Zone: step1.csk-roll.autosign.
#
zone_properties "ns3" "step1.csk-roll.autosign" "csk-roll" "3600" "1"
zone_properties "ns3" "step1.csk-roll.autosign" "csk-roll" "3600" "1" "10.53.0.3"
# The CSK (KEY1) starts in OMNIPRESENT.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
@@ -1566,7 +1812,7 @@ check_next_key_event 15973200
# Zone: step2.csk-roll.autosign.
#
# Set key properties for testing keys.
zone_properties "ns3" "step2.csk-roll.autosign" "csk-roll" "3600" "2"
zone_properties "ns3" "step2.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
# CSK (KEY1) remains active, no change in properties/timings/states.
# New CSK (KEY2) is prepublished (and signs DNSKEY RRset).
key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
@@ -1586,7 +1832,7 @@ check_next_key_event 10800
# Zone: step3.csk-roll.autosign.
#
# Set key properties for testing keys.
zone_properties "ns3" "step3.csk-roll.autosign" "csk-roll" "3600" "2"
zone_properties "ns3" "step3.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
# CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive"
@@ -1613,7 +1859,7 @@ check_next_key_event 100800
#
# Zone: step4.csk-roll.autosign.
#
zone_properties "ns3" "step4.csk-roll.autosign" "csk-roll" "3600" "2"
zone_properties "ns3" "step4.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
# The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public
# but can remove the KRRSIG records.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
@@ -1634,7 +1880,7 @@ check_next_key_event 7200
#
# Zone: step5.csk-roll.autosign.
#
zone_properties "ns3" "step5.csk-roll.autosign" "csk-roll" "3600" "2"
zone_properties "ns3" "step5.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
# The old CSK (KEY1) KRRSIG records are now all hidden.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
key_states "KEY1" "hidden" "omnipresent" "unretentive" "hidden" "hidden"
@@ -1654,7 +1900,7 @@ check_next_key_event 2149200
#
# Zone: step6.csk-roll.autosign.
#
zone_properties "ns3" "step6.csk-roll.autosign" "csk-roll" "3600" "2"
zone_properties "ns3" "step6.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
# The old CSK (KEY1) DNSKEY can be removed.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
key_states "KEY1" "hidden" "unretentive" "hidden" "hidden" "hidden"
@@ -1674,7 +1920,7 @@ check_next_key_event 7200
#
# Zone: step7.csk-roll.autosign.
#
zone_properties "ns3" "step7.csk-roll.autosign" "csk-roll" "3600" "2"
zone_properties "ns3" "step7.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
# The old CSK (KEY1) is now completely HIDDEN.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden"
@@ -1699,7 +1945,7 @@ check_next_key_event 13708800
#
# Zone: step1.csk-roll2.autosign.
#
zone_properties "ns3" "step1.csk-roll2.autosign" "csk-roll2" "3600" "1"
zone_properties "ns3" "step1.csk-roll2.autosign" "csk-roll2" "3600" "1" "10.53.0.3"
# The CSK (KEY1) starts in OMNIPRESENT.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
@@ -1723,7 +1969,7 @@ check_next_key_event 15454800
# Zone: step2.csk-roll2.autosign.
#
# Set key properties for testing keys.
zone_properties "ns3" "step2.csk-roll2.autosign" "csk-roll2" "3600" "2"
zone_properties "ns3" "step2.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3"
# CSK (KEY1) remains active, no change in properties/timings/states.
# New CSK (KEY2) is prepublished (and signs DNSKEY RRset).
key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
@@ -1743,7 +1989,7 @@ check_next_key_event 10800
# Zone: step3.csk-roll2.autosign.
#
# Set key properties for testing keys.
zone_properties "ns3" "step3.csk-roll2.autosign" "csk-roll2" "3600" "2"
zone_properties "ns3" "step3.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3"
# CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive"
@@ -1771,7 +2017,7 @@ check_next_key_event 136800
#
# Zone: step4.csk-roll2.autosign.
#
zone_properties "ns3" "step4.csk-roll2.autosign" "csk-roll2" "3600" "2"
zone_properties "ns3" "step4.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3"
# The old CSK (KEY1) ZRRSIG is now HIDDEN.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_states "KEY1" "hidden" "omnipresent" "hidden" "omnipresent" "unretentive"
@@ -1795,7 +2041,7 @@ check_next_key_event 478800
#
# Zone: step5.csk-roll2.autosign.
#
zone_properties "ns3" "step5.csk-roll2.autosign" "csk-roll2" "3600" "2"
zone_properties "ns3" "step5.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3"
# The old CSK (KEY1) DNSKEY can be removed.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
key_states "KEY1" "hidden" "unretentive" "hidden" "unretentive" "hidden"
@@ -1815,7 +2061,7 @@ check_next_key_event 7200
#
# Zone: step6.csk-roll2.autosign.
#
zone_properties "ns3" "step6.csk-roll2.autosign" "csk-roll" "3600" "2"
zone_properties "ns3" "step6.csk-roll2.autosign" "csk-roll" "3600" "2" "10.53.0.3"
# The old CSK (KEY1) is now completely HIDDEN.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden"