From e90f93fc68ae511af5496cc17cbb204c003b38b6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nicki=20K=C5=99=C3=AD=C5=BEek?= Date: Wed, 11 Jun 2025 16:10:53 +0200 Subject: [PATCH] Isolate rollover-zsk-prepub test case (cherry picked from commit 64199e062d6579e5a63bcaa67a9fab7008e916fa) --- bin/tests/system/Makefile.am | 1 + .../system/rollover-zsk-prepub/common.py | 1 + .../rollover-zsk-prepub/ns3/kasp.conf.j2 | 31 +++ .../ns3/named.common.conf.j2 | 1 + .../rollover-zsk-prepub/ns3/named.conf.j2 | 46 ++++ .../rollover-zsk-prepub/ns3/template.db.in | 1 + bin/tests/system/rollover-zsk-prepub/setup.sh | 216 ++++++++++++++++++ .../tests_rollover_zsk_prepublication.py | 168 ++++++++++++++ bin/tests/system/rollover/ns3/kasp.conf.j2 | 19 -- bin/tests/system/rollover/ns3/named.conf.j2 | 34 --- bin/tests/system/rollover/ns3/setup.sh | 176 -------------- bin/tests/system/rollover/tests_rollover.py | 139 ----------- 12 files changed, 465 insertions(+), 368 deletions(-) create mode 120000 bin/tests/system/rollover-zsk-prepub/common.py create mode 100644 bin/tests/system/rollover-zsk-prepub/ns3/kasp.conf.j2 create mode 120000 bin/tests/system/rollover-zsk-prepub/ns3/named.common.conf.j2 create mode 100644 bin/tests/system/rollover-zsk-prepub/ns3/named.conf.j2 create mode 120000 bin/tests/system/rollover-zsk-prepub/ns3/template.db.in create mode 100644 bin/tests/system/rollover-zsk-prepub/setup.sh create mode 100644 bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am index 5d50fca896..1809694989 100644 --- a/bin/tests/system/Makefile.am +++ b/bin/tests/system/Makefile.am @@ -167,6 +167,7 @@ TESTS = \ rollover-ksk-doubleksk \ rollover-lifetime \ rollover-straight2none \ + rollover-zsk-prepub \ rootkeysentinel \ rpzextra \ rrchecker \ diff --git a/bin/tests/system/rollover-zsk-prepub/common.py b/bin/tests/system/rollover-zsk-prepub/common.py new file mode 120000 index 0000000000..64b8084c5a --- /dev/null +++ b/bin/tests/system/rollover-zsk-prepub/common.py @@ -0,0 +1 @@ +../rollover/common.py \ No newline at end of file diff --git a/bin/tests/system/rollover-zsk-prepub/ns3/kasp.conf.j2 b/bin/tests/system/rollover-zsk-prepub/ns3/kasp.conf.j2 new file mode 100644 index 0000000000..7b92bc1632 --- /dev/null +++ b/bin/tests/system/rollover-zsk-prepub/ns3/kasp.conf.j2 @@ -0,0 +1,31 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +dnssec-policy "zsk-prepub" { + signatures-refresh P1W; + signatures-validity P2W; + signatures-validity-dnskey P2W; + + dnskey-ttl 3600; + publish-safety P1D; + retire-safety P2D; + purge-keys PT1H; + + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@; + }; + + zone-propagation-delay PT1H; + max-zone-ttl 1d; +}; diff --git a/bin/tests/system/rollover-zsk-prepub/ns3/named.common.conf.j2 b/bin/tests/system/rollover-zsk-prepub/ns3/named.common.conf.j2 new file mode 120000 index 0000000000..5dc26178cb --- /dev/null +++ b/bin/tests/system/rollover-zsk-prepub/ns3/named.common.conf.j2 @@ -0,0 +1 @@ +../../rollover/ns3/named.common.conf.j2 \ No newline at end of file diff --git a/bin/tests/system/rollover-zsk-prepub/ns3/named.conf.j2 b/bin/tests/system/rollover-zsk-prepub/ns3/named.conf.j2 new file mode 100644 index 0000000000..2e7137762b --- /dev/null +++ b/bin/tests/system/rollover-zsk-prepub/ns3/named.conf.j2 @@ -0,0 +1,46 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +include "kasp.conf"; +include "named.common.conf"; + +zone "step1.zsk-prepub.autosign" { + type primary; + file "step1.zsk-prepub.autosign.db"; + dnssec-policy "zsk-prepub"; +}; +zone "step2.zsk-prepub.autosign" { + type primary; + file "step2.zsk-prepub.autosign.db"; + dnssec-policy "zsk-prepub"; +}; +zone "step3.zsk-prepub.autosign" { + type primary; + file "step3.zsk-prepub.autosign.db"; + dnssec-policy "zsk-prepub"; +}; +zone "step4.zsk-prepub.autosign" { + type primary; + file "step4.zsk-prepub.autosign.db"; + dnssec-policy "zsk-prepub"; +}; +zone "step5.zsk-prepub.autosign" { + type primary; + file "step5.zsk-prepub.autosign.db"; + dnssec-policy "zsk-prepub"; +}; +zone "step6.zsk-prepub.autosign" { + type primary; + file "step6.zsk-prepub.autosign.db"; + dnssec-policy "zsk-prepub"; +}; diff --git a/bin/tests/system/rollover-zsk-prepub/ns3/template.db.in b/bin/tests/system/rollover-zsk-prepub/ns3/template.db.in new file mode 120000 index 0000000000..ce6d526285 --- /dev/null +++ b/bin/tests/system/rollover-zsk-prepub/ns3/template.db.in @@ -0,0 +1 @@ +../../rollover/ns3/template.db.in \ No newline at end of file diff --git a/bin/tests/system/rollover-zsk-prepub/setup.sh b/bin/tests/system/rollover-zsk-prepub/setup.sh new file mode 100644 index 0000000000..d9555f6e2c --- /dev/null +++ b/bin/tests/system/rollover-zsk-prepub/setup.sh @@ -0,0 +1,216 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../conf.sh + +cd "ns3" + +setup() { + zone="$1" + echo_i "setting up zone: $zone" + zonefile="${zone}.db" + infile="${zone}.db.infile" + echo "$zone" >>zones +} + +# Set in the key state files the Predecessor/Successor fields. +# Key $1 is the predecessor of key $2. +key_successor() { + id1=$(keyfile_to_key_id "$1") + id2=$(keyfile_to_key_id "$2") + echo "Predecessor: ${id1}" >>"${2}.state" + echo "Successor: ${id2}" >>"${1}.state" +} + +# Make lines shorter by storing key states in environment variables. +H="HIDDEN" +R="RUMOURED" +O="OMNIPRESENT" +U="UNRETENTIVE" + +# +# The zones at zsk-prepub.autosign represent the various steps of a ZSK +# Pre-Publication rollover. +# + +# Step 1: +# Introduce the first key. This will immediately be active. +setup step1.zsk-prepub.autosign +TactN="now-7d" +keytimes="-P ${TactN} -A ${TactN}" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $keytimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 + +# Step 2: +# It is time to pre-publish the successor ZSK. +setup step2.zsk-prepub.autosign +# According to RFC 7583: +# Tact(N) = now + Ipub - Lzsk = now + 26h - 30d +# = now + 26h - 30d = now − 694h +TactN="now-694h" +keytimes="-P ${TactN} -A ${TactN}" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $keytimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 + +# Step 3: +# After the publication interval has passed the DNSKEY of the successor ZSK +# is OMNIPRESENT and the zone can thus be signed with the successor ZSK. +setup step3.zsk-prepub.autosign +# According to RFC 7583: +# Tpub(N+1) <= Tact(N) + Lzsk - Ipub +# Tact(N+1) = Tact(N) + Lzsk +# +# Tact(N) = now - Lzsk = now - 30d +# Tpub(N+1) = now - Ipub = now - 26h +# Tact(N+1) = now +# Tret(N) = now +# Trem(N) = now + Iret = now + Dsign + Dprp + TTLsig + retire-safety = 8d1h = now + 241h +TactN="now-30d" +TpubN1="now-26h" +TactN1="now" +TremN="now+241h" +keytimes="-P ${TactN} -A ${TactN}" +oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}" +newtimes="-P ${TpubN1} -A ${TactN1}" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" >settime.out.$zone.3 2>&1 +# Set key rollover relationship. +key_successor $ZSK1 $ZSK2 +# Sign zone. +cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 + +# Step 4: +# After the retire interval has passed the predecessor DNSKEY can be +# removed from the zone. +setup step4.zsk-prepub.autosign +# Lzsk: 30d +# Ipub: 26h +# Dsgn: 1w +# Dprp: 1h +# TTLsig: 1d +# retire-safety: 2d +# +# According to RFC 7583: +# Iret = Dsgn + Dprp + TTLsig (+retire-safety) +# Iret = 1w + 1h + 1d + 2d = 10d1h = 241h +# +# Tact(N) = now - Iret - Lzsk +# = now - 241h - 30d = now - 241h - 720h +# = now - 961h +# Tpub(N+1) = now - Iret - Ipub +# = now - 241h - 26h +# = now - 267h +# Tact(N+1) = now - Iret = now - 241h +TactN="now-961h" +TpubN1="now-267h" +TactN1="now-241h" +TremN="now" +keytimes="-P ${TactN} -A ${TactN}" +oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}" +newtimes="-P ${TpubN1} -A ${TactN1}" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $U $TactN1 "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" >settime.out.$zone.3 2>&1 +# Set key rollover relationship. +key_successor $ZSK1 $ZSK2 +# Sign zone. +cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile" +cp $infile $zonefile +$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 + +# Step 5: +# The predecessor DNSKEY is removed long enough that is has become HIDDEN. +setup step5.zsk-prepub.autosign +# Subtract DNSKEY TTL + zone-propagation-delay from all the times (2h). +# Tact(N) = now - 961h - 2h = now - 963h +# Tpub(N+1) = now - 267h - 2h = now - 269h +# Tact(N+1) = now - 241h - 2h = now - 243h +# Trem(N) = Tact(N+1) + Iret = now -2h +TactN="now-963h" +TremN="now-2h" +TpubN1="now-269h" +TactN1="now-243h" +TremN="now-2h" +keytimes="-P ${TactN} -A ${TactN}" +oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}" +newtimes="-P ${TpubN1} -A ${TactN1}" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $U $TremN -z $H $TremN "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -z $O $TremN "$ZSK2" >settime.out.$zone.3 2>&1 +# Set key rollover relationship. +key_successor $ZSK1 $ZSK2 +# Sign zone. +cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 + +# Step 6: +# The predecessor DNSKEY can be purged. +setup step6.zsk-prepub.autosign +# Subtract purge-keys interval from all the times (1h). +TactN="now-964h" +TremN="now-3h" +TpubN1="now-270h" +TactN1="now-244h" +TremN="now-3h" +keytimes="-P ${TactN} -A ${TactN}" +oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}" +newtimes="-P ${TpubN1} -A ${TactN1}" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $H $TremN -z $H $TremN "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -z $O $TremN "$ZSK2" >settime.out.$zone.3 2>&1 +# Set key rollover relationship. +key_successor $ZSK1 $ZSK2 +# Sign zone. +cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 diff --git a/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py b/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py new file mode 100644 index 0000000000..24cb04fd8b --- /dev/null +++ b/bin/tests/system/rollover-zsk-prepub/tests_rollover_zsk_prepublication.py @@ -0,0 +1,168 @@ +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# pylint: disable=redefined-outer-name,unused-import + +from datetime import timedelta + +import isctest +from isctest.kasp import Ipub, Iret +from common import ( + pytestmark, + alg, + size, + TIMEDELTA, +) + +CONFIG = { + "dnskey-ttl": TIMEDELTA["PT1H"], + "ds-ttl": TIMEDELTA["P1D"], + "max-zone-ttl": TIMEDELTA["P1D"], + "parent-propagation-delay": TIMEDELTA["PT1H"], + "publish-safety": TIMEDELTA["P1D"], + "purge-keys": TIMEDELTA["PT1H"], + "retire-safety": TIMEDELTA["P2D"], + "signatures-refresh": TIMEDELTA["P7D"], + "signatures-validity": TIMEDELTA["P14D"], + "zone-propagation-delay": TIMEDELTA["PT1H"], +} +POLICY = "zsk-prepub" +ZSK_LIFETIME = TIMEDELTA["P30D"] +LIFETIME_POLICY = int(ZSK_LIFETIME.total_seconds()) +IPUB = Ipub(CONFIG) +IRET = Iret(CONFIG, rollover=True) +KEYTTLPROP = CONFIG["dnskey-ttl"] + CONFIG["zone-propagation-delay"] +OFFSETS = {} +OFFSETS["step1-p"] = -int(TIMEDELTA["P7D"].total_seconds()) +OFFSETS["step2-p"] = -int(ZSK_LIFETIME.total_seconds() - IPUB.total_seconds()) +OFFSETS["step2-s"] = 0 +OFFSETS["step3-p"] = -int(ZSK_LIFETIME.total_seconds()) +OFFSETS["step3-s"] = -int(IPUB.total_seconds()) +OFFSETS["step4-p"] = OFFSETS["step3-p"] - int(IRET.total_seconds()) +OFFSETS["step4-s"] = OFFSETS["step3-s"] - int(IRET.total_seconds()) +OFFSETS["step5-p"] = OFFSETS["step4-p"] - int(KEYTTLPROP.total_seconds()) +OFFSETS["step5-s"] = OFFSETS["step4-s"] - int(KEYTTLPROP.total_seconds()) +OFFSETS["step6-p"] = OFFSETS["step5-p"] - int(CONFIG["purge-keys"].total_seconds()) +OFFSETS["step6-s"] = OFFSETS["step5-s"] - int(CONFIG["purge-keys"].total_seconds()) + + +def test_zsk_prepub_step1(alg, size, servers): + step = { + # Introduce the first key. This will immediately be active. + "zone": "step1.zsk-prepub.autosign", + "keyprops": [ + f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}", + f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step1-p']}", + ], + # Next key event is when the successor ZSK needs to be published. + # That is the ZSK lifetime - prepublication time (minus time + # already passed). + "nextev": ZSK_LIFETIME - IPUB - timedelta(days=7), + } + isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + + +def test_zsk_prepub_step2(alg, size, servers): + step = { + # it is time to pre-publish the successor zsk. + # zsk1 goal: omnipresent -> hidden + # zsk2 goal: hidden -> omnipresent + # zsk2 dnskey: hidden -> rumoured + "zone": "step2.zsk-prepub.autosign", + "keyprops": [ + f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}", + f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}", + f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden offset:{OFFSETS['step2-s']}", + ], + "keyrelationships": [1, 2], + # next key event is when the successor zsk becomes omnipresent. + # that is the dnskey ttl plus the zone propagation delay + "nextev": IPUB, + } + isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + + +def test_zsk_prepub_step3(alg, size, servers): + step = { + # predecessor zsk is no longer actively signing. successor zsk is + # now actively signing. + # zsk1 zrrsig: omnipresent -> unretentive + # zsk2 dnskey: rumoured -> omnipresent + # zsk2 zrrsig: hidden -> rumoured + "zone": "step3.zsk-prepub.autosign", + "keyprops": [ + f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}", + f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:unretentive offset:{OFFSETS['step3-p']}", + f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{OFFSETS['step3-s']}", + ], + "keyrelationships": [1, 2], + # next key event is when all the rrsig records have been replaced + # with signatures of the new zsk, in other words when zrrsig + # becomes omnipresent. + "nextev": IRET, + # set 'smooth' to true so expected signatures of subdomain are + # from the predecessor zsk. + "smooth": True, + } + isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + + +def test_zsk_prepub_step4(alg, size, servers): + step = { + # predecessor zsk is no longer needed. all rrsets are signed with + # the successor zsk. + # zsk1 dnskey: omnipresent -> unretentive + # zsk1 zrrsig: unretentive -> hidden + # zsk2 zrrsig: rumoured -> omnipresent + "zone": "step4.zsk-prepub.autosign", + "keyprops": [ + f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-p']}", + f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:unretentive zrrsig:hidden offset:{OFFSETS['step4-p']}", + f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-s']}", + ], + "keyrelationships": [1, 2], + # next key event is when the dnskey enters the hidden state. + # this is the dnskey ttl plus zone propagation delay. + "nextev": KEYTTLPROP, + } + isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + + +def test_zsk_prepub_step5(alg, size, servers): + step = { + # predecessor zsk is now removed. + # zsk1 dnskey: unretentive -> hidden + "zone": "step5.zsk-prepub.autosign", + "keyprops": [ + f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-p']}", + f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:hidden zrrsig:hidden offset:{OFFSETS['step5-p']}", + f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step5-s']}", + ], + "keyrelationships": [1, 2], + # next key event is when the new successor needs to be published. + # this is the zsk lifetime minus IRET minus IPUB minus time + # elapsed. + "nextev": ZSK_LIFETIME - IRET - IPUB - KEYTTLPROP, + } + isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) + + +def test_zsk_prepub_step6(alg, size, servers): + step = { + # predecessor zsk is now purged. + "zone": "step6.zsk-prepub.autosign", + "keyprops": [ + f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-p']}", + f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6-s']}", + ], + "nextev": None, + } + isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step) diff --git a/bin/tests/system/rollover/ns3/kasp.conf.j2 b/bin/tests/system/rollover/ns3/kasp.conf.j2 index 209d72cb09..f432cfc6c0 100644 --- a/bin/tests/system/rollover/ns3/kasp.conf.j2 +++ b/bin/tests/system/rollover/ns3/kasp.conf.j2 @@ -48,22 +48,3 @@ dnssec-policy "enable-dnssec" { csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@; }; }; - -dnssec-policy "zsk-prepub" { - signatures-refresh P1W; - signatures-validity P2W; - signatures-validity-dnskey P2W; - - dnskey-ttl 3600; - publish-safety P1D; - retire-safety P2D; - purge-keys PT1H; - - keys { - ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; - zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@; - }; - - zone-propagation-delay PT1H; - max-zone-ttl 1d; -}; diff --git a/bin/tests/system/rollover/ns3/named.conf.j2 b/bin/tests/system/rollover/ns3/named.conf.j2 index 25e7e9b6ee..ba7df3434c 100644 --- a/bin/tests/system/rollover/ns3/named.conf.j2 +++ b/bin/tests/system/rollover/ns3/named.conf.j2 @@ -66,37 +66,3 @@ zone "step4.enable-dnssec.autosign" { file "step4.enable-dnssec.autosign.db"; dnssec-policy "enable-dnssec"; }; - -/* - * Zones for testing ZSK Pre-Publication steps. - */ -zone "step1.zsk-prepub.autosign" { - type primary; - file "step1.zsk-prepub.autosign.db"; - dnssec-policy "zsk-prepub"; -}; -zone "step2.zsk-prepub.autosign" { - type primary; - file "step2.zsk-prepub.autosign.db"; - dnssec-policy "zsk-prepub"; -}; -zone "step3.zsk-prepub.autosign" { - type primary; - file "step3.zsk-prepub.autosign.db"; - dnssec-policy "zsk-prepub"; -}; -zone "step4.zsk-prepub.autosign" { - type primary; - file "step4.zsk-prepub.autosign.db"; - dnssec-policy "zsk-prepub"; -}; -zone "step5.zsk-prepub.autosign" { - type primary; - file "step5.zsk-prepub.autosign.db"; - dnssec-policy "zsk-prepub"; -}; -zone "step6.zsk-prepub.autosign" { - type primary; - file "step6.zsk-prepub.autosign.db"; - dnssec-policy "zsk-prepub"; -}; diff --git a/bin/tests/system/rollover/ns3/setup.sh b/bin/tests/system/rollover/ns3/setup.sh index 82271ff007..d7f854e880 100644 --- a/bin/tests/system/rollover/ns3/setup.sh +++ b/bin/tests/system/rollover/ns3/setup.sh @@ -139,179 +139,3 @@ cat template.db.in "${CSK}.key" >"$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" cp $infile $zonefile $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 - -# -# The zones at zsk-prepub.autosign represent the various steps of a ZSK -# Pre-Publication rollover. -# - -# Step 1: -# Introduce the first key. This will immediately be active. -setup step1.zsk-prepub.autosign -TactN="now-7d" -keytimes="-P ${TactN} -A ${TactN}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $keytimes $zone 2>keygen.out.$zone.2) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" -cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 - -# Step 2: -# It is time to pre-publish the successor ZSK. -setup step2.zsk-prepub.autosign -# According to RFC 7583: -# Tact(N) = now + Ipub - Lzsk = now + 26h - 30d -# = now + 26h - 30d = now − 694h -TactN="now-694h" -keytimes="-P ${TactN} -A ${TactN}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $keytimes $zone 2>keygen.out.$zone.2) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" -cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 - -# Step 3: -# After the publication interval has passed the DNSKEY of the successor ZSK -# is OMNIPRESENT and the zone can thus be signed with the successor ZSK. -setup step3.zsk-prepub.autosign -# According to RFC 7583: -# Tpub(N+1) <= Tact(N) + Lzsk - Ipub -# Tact(N+1) = Tact(N) + Lzsk -# -# Tact(N) = now - Lzsk = now - 30d -# Tpub(N+1) = now - Ipub = now - 26h -# Tact(N+1) = now -# Tret(N) = now -# Trem(N) = now + Iret = now + Dsign + Dprp + TTLsig + retire-safety = 8d1h = now + 241h -TactN="now-30d" -TpubN1="now-26h" -TactN1="now" -TremN="now+241h" -keytimes="-P ${TactN} -A ${TactN}" -oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}" -newtimes="-P ${TpubN1} -A ${TactN1}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1) -ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" >settime.out.$zone.3 2>&1 -# Set key rollover relationship. -key_successor $ZSK1 $ZSK2 -# Sign zone. -cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" -cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 - -# Step 4: -# After the retire interval has passed the predecessor DNSKEY can be -# removed from the zone. -setup step4.zsk-prepub.autosign -# Lzsk: 30d -# Ipub: 26h -# Dsgn: 1w -# Dprp: 1h -# TTLsig: 1d -# retire-safety: 2d -# -# According to RFC 7583: -# Iret = Dsgn + Dprp + TTLsig (+retire-safety) -# Iret = 1w + 1h + 1d + 2d = 10d1h = 241h -# -# Tact(N) = now - Iret - Lzsk -# = now - 241h - 30d = now - 241h - 720h -# = now - 961h -# Tpub(N+1) = now - Iret - Ipub -# = now - 241h - 26h -# = now - 267h -# Tact(N+1) = now - Iret = now - 241h -TactN="now-961h" -TpubN1="now-267h" -TactN1="now-241h" -TremN="now" -keytimes="-P ${TactN} -A ${TactN}" -oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}" -newtimes="-P ${TpubN1} -A ${TactN1}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1) -ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $O $TactN -z $U $TactN1 "$ZSK1" >settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" >settime.out.$zone.3 2>&1 -# Set key rollover relationship. -key_successor $ZSK1 $ZSK2 -# Sign zone. -cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile" -cp $infile $zonefile -$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 - -# Step 5: -# The predecessor DNSKEY is removed long enough that is has become HIDDEN. -setup step5.zsk-prepub.autosign -# Subtract DNSKEY TTL + zone-propagation-delay from all the times (2h). -# Tact(N) = now - 961h - 2h = now - 963h -# Tpub(N+1) = now - 267h - 2h = now - 269h -# Tact(N+1) = now - 241h - 2h = now - 243h -# Trem(N) = Tact(N+1) + Iret = now -2h -TactN="now-963h" -TremN="now-2h" -TpubN1="now-269h" -TactN1="now-243h" -TremN="now-2h" -keytimes="-P ${TactN} -A ${TactN}" -oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}" -newtimes="-P ${TpubN1} -A ${TactN1}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1) -ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $U $TremN -z $H $TremN "$ZSK1" >settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -z $O $TremN "$ZSK2" >settime.out.$zone.3 2>&1 -# Set key rollover relationship. -key_successor $ZSK1 $ZSK2 -# Sign zone. -cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" -cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 - -# Step 6: -# The predecessor DNSKEY can be purged. -setup step6.zsk-prepub.autosign -# Subtract purge-keys interval from all the times (1h). -TactN="now-964h" -TremN="now-3h" -TpubN1="now-270h" -TactN1="now-244h" -TremN="now-3h" -keytimes="-P ${TactN} -A ${TactN}" -oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}" -newtimes="-P ${TpubN1} -A ${TactN1}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1) -ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $H $TremN -z $H $TremN "$ZSK1" >settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -z $O $TremN "$ZSK2" >settime.out.$zone.3 2>&1 -# Set key rollover relationship. -key_successor $ZSK1 $ZSK2 -# Sign zone. -cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" -cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 diff --git a/bin/tests/system/rollover/tests_rollover.py b/bin/tests/system/rollover/tests_rollover.py index 5b176aae67..1f06007aa4 100644 --- a/bin/tests/system/rollover/tests_rollover.py +++ b/bin/tests/system/rollover/tests_rollover.py @@ -397,142 +397,3 @@ def test_rollover_enable_dnssec(servers): for step in steps: isctest.kasp.check_rollover_step(server, config, policy, step) - - -def test_rollover_zsk_prepublication(servers): - server = servers["ns3"] - policy = "zsk-prepub" - config = { - "dnskey-ttl": timedelta(seconds=3600), - "ds-ttl": timedelta(days=1), - "max-zone-ttl": timedelta(days=1), - "parent-propagation-delay": timedelta(hours=1), - "publish-safety": timedelta(days=1), - "purge-keys": timedelta(hours=1), - "retire-safety": timedelta(days=2), - "signatures-refresh": timedelta(days=7), - "signatures-validity": timedelta(days=14), - "zone-propagation-delay": timedelta(hours=1), - } - alg = os.environ["DEFAULT_ALGORITHM_NUMBER"] - size = os.environ["DEFAULT_BITS"] - zsk_lifetime = timedelta(days=30) - lifetime_policy = int(zsk_lifetime.total_seconds()) - - ipub = Ipub(config) - iret = Iret(config, rollover=True) - keyttlprop = config["dnskey-ttl"] + config["zone-propagation-delay"] - offsets = {} - offsets["step1-p"] = -int(timedelta(days=7).total_seconds()) - offsets["step2-p"] = -int(zsk_lifetime.total_seconds() - ipub.total_seconds()) - offsets["step2-s"] = 0 - offsets["step3-p"] = -int(zsk_lifetime.total_seconds()) - offsets["step3-s"] = -int(ipub.total_seconds()) - offsets["step4-p"] = offsets["step3-p"] - int(iret.total_seconds()) - offsets["step4-s"] = offsets["step3-s"] - int(iret.total_seconds()) - offsets["step5-p"] = offsets["step4-p"] - int(keyttlprop.total_seconds()) - offsets["step5-s"] = offsets["step4-s"] - int(keyttlprop.total_seconds()) - offsets["step6-p"] = offsets["step5-p"] - int(config["purge-keys"].total_seconds()) - offsets["step6-s"] = offsets["step5-s"] - int(config["purge-keys"].total_seconds()) - - steps = [ - { - # Step 1. - # Introduce the first key. This will immediately be active. - "zone": "step1.zsk-prepub.autosign", - "keyprops": [ - f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step1-p']}", - f"zsk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step1-p']}", - ], - # Next key event is when the successor ZSK needs to be published. - # That is the ZSK lifetime - prepublication time (minus time - # already passed). - "nextev": zsk_lifetime - ipub - timedelta(days=7), - }, - { - # Step 2. - # It is time to pre-publish the successor ZSK. - # ZSK1 goal: omnipresent -> hidden - # ZSK2 goal: hidden -> omnipresent - # ZSK2 dnskey: hidden -> rumoured - "zone": "step2.zsk-prepub.autosign", - "keyprops": [ - f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step2-p']}", - f"zsk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step2-p']}", - f"zsk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden offset:{offsets['step2-s']}", - ], - "keyrelationships": [1, 2], - # Next key event is when the successor ZSK becomes OMNIPRESENT. - # That is the DNSKEY TTL plus the zone propagation delay - "nextev": ipub, - }, - { - # Step 3. - # Predecessor ZSK is no longer actively signing. Successor ZSK is - # now actively signing. - # ZSK1 zrrsig: omnipresent -> unretentive - # ZSK2 dnskey: rumoured -> omnipresent - # ZSK2 zrrsig: hidden -> rumoured - "zone": "step3.zsk-prepub.autosign", - "keyprops": [ - f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step3-p']}", - f"zsk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:unretentive offset:{offsets['step3-p']}", - f"zsk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{offsets['step3-s']}", - ], - "keyrelationships": [1, 2], - # Next key event is when all the RRSIG records have been replaced - # with signatures of the new ZSK, in other words when ZRRSIG - # becomes OMNIPRESENT. - "nextev": iret, - # Set 'smooth' to true so expected signatures of subdomain are - # from the predecessor ZSK. - "smooth": True, - }, - { - # Step 4. - # Predecessor ZSK is no longer needed. All RRsets are signed with - # the successor ZSK. - # ZSK1 dnskey: omnipresent -> unretentive - # ZSK1 zrrsig: unretentive -> hidden - # ZSK2 zrrsig: rumoured -> omnipresent - "zone": "step4.zsk-prepub.autosign", - "keyprops": [ - f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step4-p']}", - f"zsk {lifetime_policy} {alg} {size} goal:hidden dnskey:unretentive zrrsig:hidden offset:{offsets['step4-p']}", - f"zsk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step4-s']}", - ], - "keyrelationships": [1, 2], - # Next key event is when the DNSKEY enters the HIDDEN state. - # This is the DNSKEY TTL plus zone propagation delay. - "nextev": keyttlprop, - }, - { - # Step 5. - # Predecessor ZSK is now removed. - # ZSK1 dnskey: unretentive -> hidden - "zone": "step5.zsk-prepub.autosign", - "keyprops": [ - f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step5-p']}", - f"zsk {lifetime_policy} {alg} {size} goal:hidden dnskey:hidden zrrsig:hidden offset:{offsets['step5-p']}", - f"zsk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step5-s']}", - ], - "keyrelationships": [1, 2], - # Next key event is when the new successor needs to be published. - # This is the ZSK lifetime minus Iret minus Ipub minus time - # elapsed. - "nextev": zsk_lifetime - iret - ipub - keyttlprop, - }, - { - # Step 6. - # Predecessor ZSK is now purged. - "zone": "step6.zsk-prepub.autosign", - "keyprops": [ - f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step6-p']}", - f"zsk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step6-s']}", - ], - "nextev": None, - }, - ] - - for step in steps: - isctest.kasp.check_rollover_step(server, config, policy, step)