mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-28 13:08:06 +00:00
Code Issues Releases Wiki Activity

Add test for missing key files, don't roll

Browse Source 
In this specific case the key files are temporary unavailable, for
example because of an operator error, or a mount failure). In such
cases, BIND should not try to roll over these keys.
This commit is contained in:
Matthijs Mekking 2024-07-03 11:32:11 +02:00
parent 0699cb9726
commit a3afbd9d6f
3 changed files with 88 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
bin/tests/system/kasp/ns3/named-fips.conf.in
View File

@ -314,6 +314,15 @@ zone "unfresh-sigs.autosign" {
dnssec-policy "autosign"; dnssec-policy "autosign";
}; };
/*
* Zone that has missing key files.
*/
zone "keyfiles-missing.autosign" {
type primary;
file "keyfiles-missing.autosign.db";
dnssec-policy "autosign";
};
/* /*
* Zone that has missing private KSK. * Zone that has missing private KSK.
*/ */

16
bin/tests/system/kasp/ns3/setup.sh
View File

@ -286,6 +286,22 @@ echo "ZSK: yes" >>"${ZSK}".state
echo "Lifetime: 31536000" >>"${ZSK}".state # PT1Y echo "Lifetime: 31536000" >>"${ZSK}".state # PT1Y
rm -f "${ZSK}".private rm -f "${ZSK}".private
# These signatures are still good, but the key files will be removed
# before a second run of reconfiguring keys.
setup keyfiles-missing.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# These signatures are already expired, and the private ZSK is retired. # These signatures are already expired, and the private ZSK is retired.
setup zsk-retired.autosign setup zsk-retired.autosign
T="now-6mo" T="now-6mo"

64
bin/tests/system/kasp/tests.sh
View File

@ -385,7 +385,7 @@ echo_i "test that if private key files are inaccessible this doesn't trigger a r
basefile=$(key_get KEY1 BASEFILE) basefile=$(key_get KEY1 BASEFILE)
mv "${basefile}.private" "${basefile}.offline" mv "${basefile}.private" "${basefile}.offline"
rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed" rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
wait_for_log 3 "offline, policy default" $DIR/named.run || ret=1 wait_for_log 3 "zone $ZONE/IN (signed): zone_rekey:verify keys failed: some key files are missing" $DIR/named.run || ret=1
mv "${basefile}.offline" "${basefile}.private" mv "${basefile}.offline" "${basefile}.private"
test "$ret" -eq 0 || echo_i "failed" test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret)) status=$((status + ret))
@ -1743,6 +1743,68 @@ check_apex
check_subdomain check_subdomain
dnssec_verify dnssec_verify
#
# Zone: keyfiles-missing.autosign.
#
set_zone "keyfiles-missing.autosign"
set_policy "autosign" "2" "300"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "63072000"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"
key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "31536000"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# Both KSK and ZSK stay OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_autosign_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify
# All good, now remove key files and reload keys.
rm_keyfiles() {
_basefile=$(key_get "$1" BASEFILE)
echo_i "remove key files $_basefile"
_keyfile="${_basefile}.key"
_privatefile="${_basefile}.private"
_statefile="${_basefile}.state"
rm -f $_keyfile
rm -f $_privatefile
rm -f $_statefile
}
rm_keyfiles "KEY1"
rm_keyfiles "KEY2"
rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
wait_for_log 3 "zone $ZONE/IN (signed): zone_rekey:verify keys failed: some key files are missing" $DIR/named.run || ret=1
# Check keys again, make sure no new keys are created.
set_policy "autosign" "0" "300"
key_clear "KEY1"
key_clear "KEY2"
check_keys
# Zone is still signed correctly.
dnssec_verify
# #
# Test dnssec-policy inheritance. # Test dnssec-policy inheritance.
# #