diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index 1610bd9504..0aca834267 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -13,7 +13,7 @@ set -e -rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/signedkey-* ./*/*.signed +rm -f ./K* ./*/K* ./*/keyset-* ./*/dsset-* ./*/signedkey-* ./*/*.signed rm -f ./*/example.bk rm -f ./*/named.conf rm -f ./*/named.memstats @@ -40,18 +40,17 @@ rm -f ./ns1/root.db ./ns2/example.db ./ns2/managed.db ./ns2/trusted.db rm -f ./ns1/trusted.keys rm -f ./ns2/algroll.db rm -f ./ns2/badparam.db ./ns2/badparam.db.bad -rm -f ./ns2/cdnskey-kskonly.secure.db -rm -f ./ns2/cdnskey-kskonly.secure.id rm -f ./ns2/cdnskey-update.secure.db +rm -f ./ns2/cdnskey-update.secure.id rm -f ./ns2/cdnskey-x.secure.db rm -f ./ns2/cdnskey.secure.db rm -f ./ns2/cds-auto.secure.db ./ns2/cds-auto.secure.db.jnl -rm -f ./ns2/cds-kskonly.secure.db -rm -f ./ns2/cds-kskonly.secure.id rm -f ./ns2/cds-update.secure.db ./ns2/cds-update.secure.db.jnl +rm -f ./ns2/cds-update.secure.id rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db rm -f ./ns2/in-addr.arpa.db rm -f ./ns2/nsec3chain-test.db +rm -f ./ns2/settime.out.* rm -f ./ns2/single-nsec3.db rm -f ./ns2/too-many-iterations.db rm -f ./ns2/updatecheck-kskonly.secure.* @@ -82,7 +81,6 @@ rm -f ./ns3/occluded.example.db rm -f ./ns3/optout-unknown.example.db ./ns3/optout.example.db rm -f ./ns3/optout.nsec3.example.db rm -f ./ns3/optout.optout.example.db -rm -f ./ns3/publish-inactive.example.db rm -f ./ns3/revkey.example.db rm -f ./ns3/rsasha1-1024.example.tmp rm -f ./ns3/rsasha1.example.tmp diff --git a/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in deleted file mode 100644 index aa3aaabfaf..0000000000 --- a/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in +++ /dev/null 
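Review bot: The new top-level `./K*` glob in the first hunk is the only pattern that reaches outside the ns*/ directories and nothing says why it is needed; presumably it covers the key that tests.sh now generates in the test directory itself once the `cd ns3` in the update-nsec3.example check is dropped. A short comment on that line, `# key files that tests.sh generates in the test directory itself (update-nsec3.example)`, would stop the next maintainer from removing it as redundant. The `./ns2/settime.out.*` addition matches the files ns2/sign.sh now writes.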
@@ -1,14 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -@ SOA ns2.example. . 1 3600 1200 86400 1200 -@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in b/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in deleted file mode 100644 index aa3aaabfaf..0000000000 --- a/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in +++ /dev/null @@ -1,14 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -@ SOA ns2.example. . 1 3600 1200 86400 1200 -@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in index 94928c1f1d..92cc03d8fc 100644 --- a/bin/tests/system/dnssec/ns2/named.conf.in +++ b/bin/tests/system/dnssec/ns2/named.conf.in 
@@ -37,6 +37,35 @@ controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +dnssec-policy "dnssec" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +dnssec-policy "kskonly" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + signatures-validity 10d; + signatures-validity-dnskey 40d; +}; + +dnssec-policy "not-enough-hours-in-day" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + /* validity 500 days, resign in 449 days */ + signatures-validity-dnskey 500d; + signatures-validity 500d; + signatures-refresh 449d; +}; + zone "." { type hint; file "../../common/root.hint"; @@ -119,23 +148,14 @@ zone "cds-x.secure" { zone "cds-update.secure" { type primary; - dnssec-dnskey-kskonly no; file "cds-update.secure.db.signed"; allow-update { any; }; }; -zone "cds-kskonly.secure" { - type primary; - dnssec-dnskey-kskonly yes; - file "cds-kskonly.secure.db.signed"; - allow-update { any; }; -}; - zone "cds-auto.secure" { type primary; - dnssec-dnskey-kskonly no; file "cds-auto.secure.db.signed"; - auto-dnssec maintain; + dnssec-policy dnssec; allow-update { any; }; }; 
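Review bot: The comment `/* validity 500 days, resign in 449 days */` in the `not-enough-hours-in-day` policy reads as if re-signing happens 449 days after signing, but `signatures-refresh` is measured before expiry, so with a 500d validity the zone would be re-signed roughly 51 days after signing; the `sig-validity-interval 500 499` it replaces in the last hunk of this file used 499, so the timing also shifts. I'd reword it to `/* validity 500 days, refresh 449 days before expiry (about 51 days after signing) */` and, if 499 could not be kept because of a constraint on how close refresh may sit to validity, say so there. The `kskonly` policy name no longer describes anything key-specific — its key set is identical to `dnssec` and only the validity values differ — so a comment noting that it replaces the former `dnssec-dnskey-kskonly`/`update-check-ksk` zone options (or a name like `validity-10d-40d`) would help.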
@@ -151,35 +171,21 @@ zone "cdnskey-x.secure" { zone "cdnskey-update.secure" { type primary; - dnssec-dnskey-kskonly no; file "cdnskey-update.secure.db.signed"; allow-update { any; }; }; -zone "cdnskey-kskonly.secure" { - type primary; - dnssec-dnskey-kskonly yes; - file "cdnskey-kskonly.secure.db.signed"; - allow-update { any; }; -}; - zone "cdnskey-auto.secure" { type primary; - dnssec-dnskey-kskonly no; file "cdnskey-auto.secure.db.signed"; - auto-dnssec maintain; + dnssec-policy dnssec; allow-update { any; }; }; zone "updatecheck-kskonly.secure" { type primary; - auto-dnssec maintain; - key-directory "."; - dnssec-dnskey-kskonly yes; - update-check-ksk yes; - sig-validity-interval 10; - dnskey-sig-validity 40; file "updatecheck-kskonly.secure.db.signed"; + dnssec-policy kskonly; allow-update { any; }; }; @@ -191,9 +197,7 @@ zone "corp" { zone "hours-vs-days" { type primary; file "hours-vs-days.db.signed"; - auto-dnssec maintain; - /* validity 500 days, resign in 499 days */ - sig-validity-interval 500 499; + dnssec-policy not-enough-hours-in-day; allow-update { any; }; }; diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index 87a5896d76..70203db01c 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh 
@@ -233,15 +233,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$key1.key" "$key2.key" > "$zonefile" "$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 - -zone=cds-kskonly.secure -infile=cds-kskonly.secure.db.in -zonefile=cds-kskonly.secure.db -key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") -key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 -keyfile_to_key_id "$key1" > cds-kskonly.secure.id +keyfile_to_key_id "$key1" > cds-update.secure.id zone=cds-auto.secure infile=cds-auto.secure.db.in @@ -277,15 +269,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$key1.key" "$key2.key" > "$zonefile" "$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 - -zone=cdnskey-kskonly.secure -infile=cdnskey-kskonly.secure.db.in -zonefile=cdnskey-kskonly.secure.db -key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") -key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 -keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id +keyfile_to_key_id "$key1" > cdnskey-update.secure.id zone=cdnskey-auto.secure infile=cdnskey-auto.secure.db.in 
@@ -305,11 +289,11 @@ keyfile_to_key_id "$key1" > $zone.ksk.id keyfile_to_key_id "$key2" > $zone.zsk.id echo "${key1}" > $zone.ksk.key echo "${key2}" > $zone.zsk.key -# Add CDS and CDNSKEY records -sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey" -"$DSFROMKEY" -C "$key1.key" > "$key1.cds" -cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile" -# Don't sign, let auto-dnssec maintain do it. +# Make sure dnssec-policy adds CDS and CDNSKEY records +$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -r OMNIPRESENT now -d RUMOURED now $key1 > settime.out.$zone.ksk 2>&1 +$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -z OMNIPRESENT now $key2 > settime.out.$zone.zsk 2>&1 +# Don't sign, let dnssec-policy maintain do it. +cat "$infile" "$key1.key" "$key2.key" > "$zonefile" mv $zonefile "$zonefile.signed" zone=hours-vs-days diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in index fbcb8d865f..85105085b7 100644 --- a/bin/tests/system/dnssec/ns3/named.conf.in +++ b/bin/tests/system/dnssec/ns3/named.conf.in 
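Review bot: The two new `$SETTIME` lines leave `$SETTIME`, `$key1`, `$key2` and `$zone` unquoted while the new `cat` line in the same hunk quotes `"$infile"`, `"$key1.key"` and `"$zonefile"`; quoting them consistently, e.g. `"$SETTIME" -s -g OMNIPRESENT -k OMNIPRESENT now -r OMNIPRESENT now -d RUMOURED now "$key1" > "settime.out.$zone.ksk" 2>&1`, avoids surprises if a path ever contains whitespace. Their exit status is also discarded: stdout and stderr go to the settime.out file and nothing tests the result, so a rejected state change would only surface later as a confusing test failure; `|| exit 1` on each line (or `set -e` if the script does not already have it — its head is outside this hunk) would fail fast. The comment `# Don't sign, let dnssec-policy maintain do it.` keeps the `maintain` keyword from the removed `auto-dnssec maintain`; `# Don't sign, let dnssec-policy do it.` reads correctly.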
@@ -37,6 +37,42 @@ controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +dnssec-policy "dnssec" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +dnssec-policy "nsec3" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + nsec3param iterations 0 optout no salt-length 0; +}; + +dnssec-policy "autonsec" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + ksk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@; + }; +}; + +dnssec-policy "autonsec3" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + ksk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@; + }; + + nsec3param iterations 0 optout no salt-length 0; +}; + zone "." { type hint; file "../../common/root.hint"; @@ -209,21 +245,21 @@ zone "expired.example" { zone "update-nsec3.example" { type primary; - auto-dnssec maintain; + dnssec-policy nsec3; allow-update { any; }; file "update-nsec3.example.db.signed"; }; zone "auto-nsec.example" { type primary; - auto-dnssec maintain; + dnssec-policy autonsec; allow-update { !0.0.0.0; }; file "auto-nsec.example.db.signed"; }; zone "auto-nsec3.example" { type primary; - auto-dnssec maintain; + dnssec-policy autonsec3; allow-update { !0.0.0.0; }; file "auto-nsec3.example.db.signed"; }; 
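Review bot: The four new policies (`dnssec`, `nsec3`, `autonsec`, `autonsec3`) differ only in the `nsec3param` line and in the extra `@ALTERNATIVE_ALGORITHM@` key pair, and nothing in the file says why the `autonsec*` policies carry two algorithms. A one-line comment above each, for instance `/* two algorithms: ns3/sign.sh pre-generates @ALTERNATIVE_ALGORITHM@ keys that are not in the signed zone file */`, ties the policy to the sign.sh step it depends on. The zone assignments in the second hunk are consistent with those policies.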
@@ -286,15 +322,7 @@ zone "inline.example" { type primary; file "inline.example.db"; inline-signing yes; - auto-dnssec maintain; -}; - -zone "publish-inactive.example" { - type primary; - file "publish-inactive.example.db"; - auto-dnssec maintain; - dnssec-dnskey-kskonly no; - update-policy local; + dnssec-policy dnssec; }; zone "future.example" { @@ -389,6 +417,28 @@ zone "rsasha1-1024.example" { file "rsasha1-1024.example.db"; }; +dnssec-policy "siginterval1" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + signatures-validity 1d; + signatures-refresh 21h; + signatures-validity-dnskey 90d; +}; + +dnssec-policy "siginterval2" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + signatures-validity 35d; + signatures-refresh 28d; + signatures-validity-dnskey 90d; +}; + include "siginterval.conf"; include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns3/siginterval1.conf b/bin/tests/system/dnssec/ns3/siginterval1.conf index 4674cf381f..1d82f680d1 100644 --- a/bin/tests/system/dnssec/ns3/siginterval1.conf +++ b/bin/tests/system/dnssec/ns3/siginterval1.conf @@ -14,8 +14,6 @@ zone "siginterval.example" { type primary; allow-update { any; }; - sig-validity-interval 1 23; - dnskey-sig-validity 90; - auto-dnssec maintain; + dnssec-policy siginterval1; file "siginterval.example.db"; }; diff --git a/bin/tests/system/dnssec/ns3/siginterval2.conf b/bin/tests/system/dnssec/ns3/siginterval2.conf index 46a20077d8..fa9c6267fe 100644 --- a/bin/tests/system/dnssec/ns3/siginterval2.conf +++ b/bin/tests/system/dnssec/ns3/siginterval2.conf @@ -14,8 +14,6 @@ zone "siginterval.example" { type primary; allow-update { any; }; - sig-validity-interval 35 28; - dnskey-sig-validity 90; - auto-dnssec maintain; + dnssec-policy siginterval2; file "siginterval.example.db"; }; 
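Review bot: The `siginterval1` policy added in the `@@ -389` hunk of ns3/named.conf.in sets `signatures-refresh 21h`, but the `sig-validity-interval 1 23` it replaces in siginterval1.conf meant a 1-day validity with re-signing 23 hours before expiry, so the refresh point moves by two hours with no explanation. If 23h could not be kept (presumably a limit on how close refresh may sit to validity), a comment on the policy, `/* replaces sig-validity-interval 1 23; refresh shortened to 21h to satisfy the refresh/validity constraint */`, would record that. `siginterval2` (35d/28d) matches its old values exactly, so only the first policy needs the note.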
diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index 701cd97ba3..2d3b56a1ba 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -419,7 +419,7 @@ cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" "$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null # -# A NSEC signed zone that will have auto-dnssec enabled and +# A NSEC signed zone that will have dnssec-policy enabled and # extra keys not in the initial signed zone. # zone=auto-nsec.example. @@ -428,13 +428,13 @@ zonefile=auto-nsec.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") -zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null +"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" > /dev/null cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" "$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # -# A NSEC3 signed zone that will have auto-dnssec enabled and +# A NSEC3 signed zone that will have dnssec-policy enabled and # extra keys not in the initial signed zone. # zone=auto-nsec3.example. 
@@ -443,8 +443,8 @@ zonefile=auto-nsec3.example.db kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") -zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null +"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" > /dev/null cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" "$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null @@ -569,20 +569,6 @@ zone=inline.example. kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -# -# publish a new key while deactivating another key at the same time. -# -zone=publish-inactive.example -infile=publish-inactive.example.db.in -zonefile=publish-inactive.example.db -now=$(date -u +%Y%m%d%H%M%S) -kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") -kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") -kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") -zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cp "$infile" "$zonefile" -"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null - # # A zone which will change its sig-validity-interval # diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 33f9a4c490..cba1089a14 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh 
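Review bot: For auto-nsec3.example the new `$ALTERNATIVE_ALGORITHM` keys are generated without the `-3` flag that the `$DEFAULT_ALGORITHM` keys on the two lines above still carry, whereas the NSEC zone in the previous hunk uses no `-3` on either pair; for an algorithm with separate NSEC and NSEC3 variants `-3` selects the NSEC3-capable one, so if `ALTERNATIVE_ALGORITHM` can ever be such an algorithm the `autonsec3` policy would receive NSEC-only keys. Adding `-3` to both new lines, `"$KEYGEN" -q -3 -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null`, keeps the pairs consistent regardless of which algorithm the harness picks. The publish-inactive removal in the next hunk is a pure deletion.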
@@ -2763,7 +2763,6 @@ status=$((status+ret)) echo_i "checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)" ret=0 ( -cd ns3 || exit 1 kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example) ( echo zone update-nsec3.example @@ -2780,7 +2779,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)" +echo_i "checking that the NSEC record is properly generated when DNSKEY are added by dnssec-policy ($n)" ret=0 dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 @@ -2790,7 +2789,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)" +echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added by dnssec-policy ($n)" ret=0 dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 
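Review bot: Dropping `cd ns3 || exit 1` means the `$KEYGEN` call now writes the update-nsec3.example key files into the test's top-level directory instead of ns3 (presumably why clean.sh gained `rm -f ./K*`), and nothing in the test says this is deliberate; the subshell that opens here closes outside the hunk. A comment above the keygen line, `# Generate the key outside ns3's key-directory so named only learns of it via UPDATE, not from disk`, would keep the cd from being reinstated, assuming that is the intent. The `$KEYGEN` and `$DEFAULT_ALGORITHM` expansions on that line remain unquoted, unlike the `"$KEYGEN"` style used elsewhere in this diff.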
@@ -2842,121 +2841,6 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "check that 'rndc signing -nsec3param' without additional arguments is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param none' without zone is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param none > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param' works with salt ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 
|| ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - if [ "$salt" = "FFFF" ]; then - break; - fi - echo_i "sleeping ...." - sleep 1 -done; -[ "$salt" = "FFFF" ] || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param' works without salt ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - if [ "$salt" = "-" ]; then - break; - fi - echo_i "sleeping ...." - sleep 1 -done; -[ "$salt" = "-" ] || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - [ -n "$salt" ] && [ "$salt" != "-" ] && break - echo_i "sleeping ...." - sleep 1 -done; -[ "$salt" != "-" ] || ret=1 -[ "${#salt}" -eq 16 ] || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)" -ret=0 -oldsalt=$salt -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - [ -n "$salt" ] && [ "$salt" != "$oldsalt" ] && break - echo_i "sleeping ...." 
- sleep 1 -done; -[ "$salt" != "$oldsalt" ] || ret=1 -[ "${#salt}" -eq 16 ] || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - echo_i "check rndc signing -list output ($n)" ret=0 { rndccmd 10.53.0.3 signing -list dynamic.example > signing.out.dynamic.example; } 2>&1 @@ -3398,26 +3282,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)" -ret=0 -cnt=0 -while : -do -dig_with_opts publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n -keys=$(awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l) -test "$keys" -gt 2 && break -cnt=$((cnt+1)) -test "$cnt" -gt 120 && break -sleep 1 -done -test "$keys" -gt 2 || ret=1 -sigs=$(grep -c RRSIG dig.out.ns3.test$n || true) -n=$((n+1)) -test "$sigs" -eq 2 || ret=1 -if test "$ret" -ne 0 ; then echo_i "failed"; fi -status=$((status+ret)) - -echo_i "check that increasing the sig-validity-interval resigning triggers re-signing ($n)" +echo_i "check that increasing the signatures-validity resigning triggers re-signing ($n)" ret=0 before=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA) cp ns3/siginterval2.conf ns3/siginterval.conf @@ -3434,7 +3299,7 @@ if test "$before" = "$after" ; then echo_i "failed"; ret=1; fi status=$((status+ret)) if [ -x "$PYTHON" ]; then - echo_i "check dnskey-sig-validity sets longer expiry for DNSKEY ($n)" + echo_i "check signatures-validity-dnskey sets longer expiry for DNSKEY ($n)" ret=0 rndccmd 10.53.0.3 sign siginterval.example 2>&1 | sed 's/^/ns3 /' | cat_i # convert expiry date to a comma-separated list of integers python can 
@@ -3641,11 +3506,11 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "check that CDS records are signed using KSK by with dnssec-auto ($n)" +echo_i "check that CDS records are signed using KSK by with dnssec-policy ($n)" ret=0 dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 +test "$lines" -eq 1 || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -3668,8 +3533,9 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "check that CDS records are signed using KSK when added by nsupdate ($n)" +echo_i "check that CDS records are signed only using KSK when added by nsupdate ($n)" ret=0 +keyid=$(cat ns2/cds-update.secure.id) ( echo zone cds-update.secure echo server 10.53.0.2 "$PORT" 
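Review bot: The updated message `check that CDS records are signed using KSK by with dnssec-policy ($n)` keeps the garbled `by with` from the old text; `check that CDS records are signed using KSK with dnssec-policy ($n)` is what is meant. The `-eq 2` to `-eq 1` change in the same hunk is consistent with CDS now being signed by the KSK alone, but it only counts RRSIGs and does not confirm which key made the one signature; cds-auto.secure has no `.id` file written by ns2/sign.sh, so a `$11 == id` filter like the one in the nsupdate test would need one. The `keyid=$(cat ns2/cds-update.secure.id)` line in the second hunk relies on the `.id` file ns2/sign.sh now produces.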
@@ -3683,30 +3549,6 @@ echo send ) | $NSUPDATE dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 -lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that CDS records are signed only using KSK when added by" -echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" -ret=0 -keyid=$(cat ns2/cds-kskonly.secure.id) -( -echo zone cds-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-kskonly.secure CDS -echo send -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure | -grep "DNSKEY.257" | -$DSFROMKEY -12 -C -f - -T 1 cds-kskonly.secure | -sed "s/^/update add /" -echo send -) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 
@@ -3716,18 +3558,17 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "check that CDS deletion records are signed only using KSK when added by" -echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" +echo_i "check that CDS deletion records are signed only using KSK when added by nsupdate ($n)" ret=0 -keyid=$(cat ns2/cds-kskonly.secure.id) +keyid=$(cat ns2/cds-update.secure.id) ( -echo zone cds-kskonly.secure +echo zone cds-update.secure echo server 10.53.0.2 "$PORT" -echo update delete cds-kskonly.secure CDS -echo update add cds-kskonly.secure 0 CDS 0 0 0 00 +echo update delete cds-update.secure CDS +echo update add cds-update.secure 0 CDS 0 0 0 00 echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) @@ -3771,7 +3612,7 @@ echo send ) | $NSUPDATE dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 +test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 4 || ret=1 n=$((n+1)) @@ -3820,7 +3661,7 @@ echo_i "check that CDNSKEY records are signed using KSK by with dnssec-auto ($n) ret=0 dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 +test "$lines" -eq 1 || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) 
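Review bot: The two hunks that change `test "$lines" -eq 2` to `-eq 1` (`@@ -3771` for cds-update.secure and `@@ -3820` for cdnskey-auto.secure) now assert a single CDS/CDNSKEY RRSIG without checking which key produced it, unlike the nsupdate tests above that add the `awk -v id="${keyid}" ... $11 == id` filter; for the cds-update.secure case `keyid` is already loaded from `ns2/cds-update.secure.id`, so `lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l)` followed by `test "$lines" -eq 1 || ret=1` would pin the KSK. The line shown in the `@@ -3820` hunk header still reads `signed using KSK by with dnssec-auto`, while its CDS twin was rewritten to say dnssec-policy; it sits just outside the hunk but belongs in the same commit.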
@@ -3892,8 +3733,9 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "check that CDNSKEY records are signed using KSK when added by nsupdate ($n)" +echo_i "check that CDNSKEY records are signed using KSK only when added by nsupdate ($n)" ret=0 +keyid=$(cat ns2/cdnskey-update.secure.id) ( echo zone cdnskey-update.secure echo server 10.53.0.2 "$PORT" @@ -3904,27 +3746,6 @@ echo send ) | $NSUPDATE dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 -lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that CDNSKEY records are signed only using KSK when added by" -echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" -ret=0 -keyid=$(cat ns2/cdnskey-kskonly.secure.id) -( -echo zone cdnskey-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-kskonly.secure CDNSKEY -dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure | -sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' -echo send -) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 
@@ -3934,29 +3755,8 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "check that CDNSKEY deletion records are signed only using KSK when added by" -echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" -ret=0 -keyid=$(cat ns2/cdnskey-kskonly.secure.id) -( -echo zone cdnskey-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-kskonly.secure CDNSKEY -echo update add cdnskey-kskonly.secure 0 CDNSKEY 0 3 0 AA== -echo send -) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' dig.out.test$n | wc -l) -test "${lines:-10}" -eq 1 || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +echo_i "status: $status" +exit $status echo_i "checking initialization with a revoked managed key ($n)" ret=0 @@ -3983,7 +3783,7 @@ echo send ) | $NSUPDATE dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 +test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 n=$((n+1)) 
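Review bot: The added `echo_i "status: $status"` / `exit $status` pair ends the script in the middle of the test sequence: everything after it — the revoked managed key check that follows in this hunk, the cdnskey-update.secure check whose expected count is changed in the next hunk (`@@ -3983`), and the whole KSK-offline/ZSK-rollover section in the later hunks — can no longer run, and the printed status will not include them. This looks like a debugging shortcut left in; the two lines should be deleted so the script falls through to its normal ending. If the remaining tests are knowingly disabled, that should be a commented-out block with a reason rather than an unconditional exit.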
@@ -4312,7 +4112,7 @@ get_keys_which_signed() { # Basic checks to make sure everything is fine before the KSK is made offline. for qtype in "DNSKEY" "CDNSKEY" "CDS" do - echo_i "checking $qtype RRset is signed with KSK only (update-check-ksk, dnssec-ksk-only) ($n)" + echo_i "checking $qtype RRset is signed with KSK only ($n)" ret=0 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) @@ -4324,7 +4124,7 @@ do status=$((status+ret)) done -echo_i "checking SOA RRset is signed with ZSK only (update-check-ksk and dnssec-ksk-only) ($n)" +echo_i "checking SOA RRset is signed with ZSK only ($n)" ret=0 dig_with_opts $SECTIONS @10.53.0.2 soa $zone > dig.out.test$n lines=$(get_keys_which_signed "SOA" dig.out.test$n | wc -l) @@ -4339,10 +4139,9 @@ status=$((status+ret)) zsk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone") keyfile_to_key_id "$zsk2" > ns2/$zone.zsk.id2 ZSK_ID2=$(cat ns2/$zone.zsk.id2) - -echo_i "load new ZSK $ZSK_ID2 for $zone ($n)" ret=0 -dnssec_loadkeys_on 2 $zone || ret=1 +echo_i "prepublish new ZSK $ZSK_ID2 for $zone ($n)" +rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID $zone 2>&1 | sed 's/^/ns2 /' | cat_i n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -4351,7 +4150,7 @@ status=$((status+ret)) echo_i "make ZSK $ZSK_ID inactive and make new ZSK $ZSK_ID2 active for zone $zone ($n)" ret=0 $SETTIME -I now -K ns2 $ZSK > /dev/null -$SETTIME -A now -K ns2 $zsk2 > /dev/null +$SETTIME -s -k OMNIPRESENT now -A now -K ns2 $zsk2 > /dev/null dnssec_loadkeys_on 2 $zone || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" 
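Review bot: In the `@@ -4339` hunk `ret` is initialised and then nothing can set it: `rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID $zone 2>&1 | sed 's/^/ns2 /' | cat_i` feeds its status into the pipeline, so a failed rollover command still reports success and the removed `dnssec_loadkeys_on 2 $zone || ret=1` check has no replacement; the `@@ -4414` hunk on the next line has the same pattern with `$ZSK_ID2`. Capturing the output first keeps the status visible: `rndccmd 10.53.0.2 dnssec -rollover -key "$ZSK_ID" "$zone" > rndc.out.test$n 2>&1 || ret=1` followed by `sed 's/^/ns2 /' rndc.out.test$n | cat_i` (file name constructed after the `dig.out.test$n` convention). The `echo_i` for the step was also moved below `ret=0`; keeping `ret=0` directly under the `echo_i` matches the rest of the file.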
@@ -4374,7 +4173,7 @@ echo send # Redo the tests now that the zone is updated and the KSK is offline. for qtype in "DNSKEY" "CDNSKEY" "CDS" do - echo_i "checking $qtype RRset is signed with KSK only, KSK offline (update-check-ksk, dnssec-ksk-only) ($n)" + echo_i "checking $qtype RRset is signed with KSK only, KSK offline ($n)" ret=0 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) @@ -4389,7 +4188,7 @@ done for qtype in "SOA" "TXT" do - echo_i "checking $qtype RRset is signed with ZSK only, KSK offline (update-check-ksk and dnssec-ksk-only) ($n)" + echo_i "checking $qtype RRset is signed with new ZSK $ZSK_ID2 only, KSK offline ($n)" ret=0 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) @@ -4414,10 +4213,10 @@ ZSK_ID3=$(cat ns2/$zone.zsk.id3) # Schedule the new ZSK (ZSK3) to become active. echo_i "delete old ZSK $ZSK_ID schedule ZSK $ZSK_ID2 inactive and new ZSK $ZSK_ID3 active for zone $zone ($n)" -$SETTIME -D now -K ns2 $ZSK > /dev/null +$SETTIME -s -k UNRETENTIVE -z HIDDEN -D now -K ns2 $ZSK > /dev/null $SETTIME -I +3600 -K ns2 $zsk2 > /dev/null $SETTIME -A +3600 -K ns2 $zsk3 > /dev/null -dnssec_loadkeys_on 2 $zone || ret=1 +rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID2 $zone 2>&1 | sed 's/^/ns2 /' | cat_i n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -4439,7 +4238,7 @@ echo send # Redo the tests now that the ZSK roll has deleted the old key. for qtype in "DNSKEY" "CDNSKEY" "CDS" do - echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted (update-check-ksk, dnssec-ksk-only) ($n)" + echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted ($n)" ret=0 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) 
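Review bot: `$SETTIME -s -k UNRETENTIVE -z HIDDEN -D now -K ns2 $ZSK` hand-edits the old ZSK's state file, and the `-s -k OMNIPRESENT now` forms in the `@@ -4351` hunk (previous line) and `@@ -4471` hunk (next line) do the same for the new ZSKs, with nothing explaining why the policy's own state machine is being bypassed. A comment before each, e.g. `# Force the key states so dnssec-policy treats the old ZSK as withdrawn and the new ZSK as fully published now, instead of waiting out the rollover timings`, would make the intent explicit — presumably this is what lets the following checks expect the new ZSK immediately. As before, these settime calls send output to /dev/null and do not touch `ret`, so a rejected state change goes unnoticed until a later dig check.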
@@ -4455,7 +4254,7 @@ done for qtype in "SOA" "TXT" do - echo_i "checking $qtype RRset is signed with ZSK only, old ZSK deleted (update-check-ksk and dnssec-ksk-only) ($n)" + echo_i "checking $qtype RRset is signed with ZSK $ZSK_ID2 only, old ZSK deleted ($n)" ret=0 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) @@ -4471,8 +4270,9 @@ done # Make the new ZSK (ZSK3) active. echo_i "make new ZSK $ZSK_ID3 active for zone $zone ($n)" -$SETTIME -I +1 -K ns2 $zsk2 > /dev/null -$SETTIME -A +1 -K ns2 $zsk3 > /dev/null +$SETTIME -I now -K ns2 $zsk2 > /dev/null +$SETTIME -s -k OMNIPRESENT now -A now -K ns2 $zsk3 > /dev/null + dnssec_loadkeys_on 2 $zone || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" @@ -4506,7 +4306,7 @@ status=$((status+ret)) # Redo the tests one more time. for qtype in "DNSKEY" "CDNSKEY" "CDS" do - echo_i "checking $qtype RRset is signed with KSK only, new ZSK active (update-check-ksk, dnssec-ksk-only) ($n)" + echo_i "checking $qtype RRset is signed with KSK only, new ZSK active ($n)" ret=0 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) @@ -4522,7 +4322,7 @@ done for qtype in "SOA" "TXT" do - echo_i "checking $qtype RRset is signed with ZSK only, new ZSK active (update-check-ksk and dnssec-ksk-only) ($n)" + echo_i "checking $qtype RRset is signed with new ZSK $ZSK_ID3 only, new ZSK active ($n)" ret=0 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l)