mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-22 10:10:06 +00:00
Add test for missing key files, don't roll
In this specific case the key files are temporary unavailable, for example because of an operator error, or a mount failure). In such cases, BIND should not try to roll over these keys.
This commit is contained in:
Matthijs Mekking
parent
0699cb9726
commit
a3afbd9d6f
@ -314,6 +314,15 @@ zone "unfresh-sigs.autosign" {
|
||||
dnssec-policy "autosign";
|
||||
};
|
||||
|
||||
/*
|
||||
* Zone that has missing key files.
|
||||
*/
|
||||
zone "keyfiles-missing.autosign" {
|
||||
type primary;
|
||||
file "keyfiles-missing.autosign.db";
|
||||
dnssec-policy "autosign";
|
||||
};
|
||||
|
||||
/*
|
||||
* Zone that has missing private KSK.
|
||||
*/
|
||||
|
||||
@ -286,6 +286,22 @@ echo "ZSK: yes" >>"${ZSK}".state
|
||||
echo "Lifetime: 31536000" >>"${ZSK}".state # PT1Y
|
||||
rm -f "${ZSK}".private
|
||||
|
||||
# These signatures are still good, but the key files will be removed
|
||||
# before a second run of reconfiguring keys.
|
||||
setup keyfiles-missing.autosign
|
||||
T="now-6mo"
|
||||
ksktimes="-P $T -A $T -P sync $T"
|
||||
zsktimes="-P $T -A $T"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
|
||||
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# These signatures are already expired, and the private ZSK is retired.
|
||||
setup zsk-retired.autosign
|
||||
T="now-6mo"
|
||||
|
||||
@ -385,7 +385,7 @@ echo_i "test that if private key files are inaccessible this doesn't trigger a r
|
||||
basefile=$(key_get KEY1 BASEFILE)
|
||||
mv "${basefile}.private" "${basefile}.offline"
|
||||
rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
|
||||
wait_for_log 3 "offline, policy default" $DIR/named.run || ret=1
|
||||
wait_for_log 3 "zone $ZONE/IN (signed): zone_rekey:verify keys failed: some key files are missing" $DIR/named.run || ret=1
|
||||
mv "${basefile}.offline" "${basefile}.private"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status + ret))
|
||||
@ -1743,6 +1743,68 @@ check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
#
|
||||
# Zone: keyfiles-missing.autosign.
|
||||
#
|
||||
set_zone "keyfiles-missing.autosign"
|
||||
set_policy "autosign" "2" "300"
|
||||
set_server "ns3" "10.53.0.3"
|
||||
# Key properties.
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "ksk"
|
||||
set_keylifetime "KEY1" "63072000"
|
||||
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "no"
|
||||
|
||||
key_clear "KEY2"
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keylifetime "KEY2" "31536000"
|
||||
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY2" "no"
|
||||
set_zonesigning "KEY2" "yes"
|
||||
|
||||
# Both KSK and ZSK stay OMNIPRESENT.
|
||||
set_keystate "KEY1" "GOAL" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DS" "omnipresent"
|
||||
|
||||
set_keystate "KEY2" "GOAL" "omnipresent"
|
||||
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
|
||||
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
|
||||
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
set_keytimes_autosign_policy
|
||||
check_keytimes
|
||||
check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
# All good, now remove key files and reload keys.
|
||||
rm_keyfiles() {
|
||||
_basefile=$(key_get "$1" BASEFILE)
|
||||
echo_i "remove key files $_basefile"
|
||||
_keyfile="${_basefile}.key"
|
||||
_privatefile="${_basefile}.private"
|
||||
_statefile="${_basefile}.state"
|
||||
rm -f $_keyfile
|
||||
rm -f $_privatefile
|
||||
rm -f $_statefile
|
||||
}
|
||||
rm_keyfiles "KEY1"
|
||||
rm_keyfiles "KEY2"
|
||||
|
||||
rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
|
||||
wait_for_log 3 "zone $ZONE/IN (signed): zone_rekey:verify keys failed: some key files are missing" $DIR/named.run || ret=1
|
||||
# Check keys again, make sure no new keys are created.
|
||||
set_policy "autosign" "0" "300"
|
||||
key_clear "KEY1"
|
||||
key_clear "KEY2"
|
||||
check_keys
|
||||
# Zone is still signed correctly.
|
||||
dnssec_verify
|
||||
|
||||
#
|
||||
# Test dnssec-policy inheritance.
|
||||
#
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user