Convert keystore and rumoured kasp test cases
For 'keystore.kasp', a setting 'key-directories' is used. If set, it expects a list of two directories: the first is where the KSKs will be stored, the second is the ZSK key directory. This may be expanded in the future to test more complex key storage cases. The 'rumoured.kasp' zone is unusual: the key timings can never match those key states. But it is a regression test for an early-day bug, so we convert it but skip the expected key times check.
@@ -400,120 +400,6 @@ set_keytimes_algorithm_policy() {
|
|||||||
set_addkeytime "KEY3" "REMOVED" "${retired}" 867900
|
set_addkeytime "KEY3" "REMOVED" "${retired}" 867900
|
||||||
}
|
}
|
||||||
|
|
||||||
#
|
|
||||||
# Zone: keystore.kasp.
|
|
||||||
#
|
|
||||||
set_zone "keystore.kasp"
|
|
||||||
set_policy "keystore" "2" "303"
|
|
||||||
set_server "ns3" "10.53.0.3"
|
|
||||||
# Key properties.
|
|
||||||
key_clear "KEY1"
|
|
||||||
set_keyrole "KEY1" "ksk"
|
|
||||||
set_keylifetime "KEY1" "0"
|
|
||||||
set_keydir "KEY1" "ns3/ksk"
|
|
||||||
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
|
||||||
set_keysigning "KEY1" "yes"
|
|
||||||
set_zonesigning "KEY1" "no"
|
|
||||||
|
|
||||||
key_clear "KEY2"
|
|
||||||
set_keyrole "KEY2" "zsk"
|
|
||||||
set_keylifetime "KEY2" "0"
|
|
||||||
set_keydir "KEY2" "ns3/zsk"
|
|
||||||
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
|
||||||
set_keysigning "KEY2" "no"
|
|
||||||
set_zonesigning "KEY2" "yes"
|
|
||||||
|
|
||||||
# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
|
|
||||||
# ZSK: DNSKEY, RRSIG (zsk) published.
|
|
||||||
set_keystate "KEY1" "GOAL" "omnipresent"
|
|
||||||
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
|
|
||||||
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
|
|
||||||
set_keystate "KEY1" "STATE_DS" "hidden"
|
|
||||||
|
|
||||||
set_keystate "KEY2" "GOAL" "omnipresent"
|
|
||||||
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
|
|
||||||
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
|
|
||||||
# Two keys only.
|
|
||||||
key_clear "KEY3"
|
|
||||||
key_clear "KEY4"
|
|
||||||
|
|
||||||
check_keys
|
|
||||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
|
||||||
# Reuse set_keytimes_csk_policy to set the KEY1 keytimes.
|
|
||||||
set_keytimes_csk_policy
|
|
||||||
created=$(key_get KEY2 CREATED)
|
|
||||||
set_keytime "KEY2" "PUBLISHED" "${created}"
|
|
||||||
set_keytime "KEY2" "ACTIVE" "${created}"
|
|
||||||
check_keytimes
|
|
||||||
check_apex
|
|
||||||
check_subdomain
|
|
||||||
dnssec_verify
|
|
||||||
|
|
||||||
# Key properties for tests below.
|
|
||||||
key_clear "KEY1"
|
|
||||||
set_keyrole "KEY1" "ksk"
|
|
||||||
set_keylifetime "KEY1" "315360000"
|
|
||||||
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
|
|
||||||
set_keysigning "KEY1" "yes"
|
|
||||||
set_zonesigning "KEY1" "no"
|
|
||||||
|
|
||||||
key_clear "KEY2"
|
|
||||||
set_keyrole "KEY2" "zsk"
|
|
||||||
set_keylifetime "KEY2" "157680000"
|
|
||||||
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
|
|
||||||
set_keysigning "KEY2" "no"
|
|
||||||
set_zonesigning "KEY2" "yes"
|
|
||||||
|
|
||||||
key_clear "KEY3"
|
|
||||||
set_keyrole "KEY3" "zsk"
|
|
||||||
set_keylifetime "KEY3" "31536000"
|
|
||||||
set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
|
|
||||||
set_keysigning "KEY3" "no"
|
|
||||||
set_zonesigning "KEY3" "yes"
|
|
||||||
# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
|
|
||||||
# ZSK: DNSKEY, RRSIG (zsk) published.
|
|
||||||
set_keystate "KEY1" "GOAL" "omnipresent"
|
|
||||||
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
|
|
||||||
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
|
|
||||||
set_keystate "KEY1" "STATE_DS" "hidden"
|
|
||||||
|
|
||||||
set_keystate "KEY2" "GOAL" "omnipresent"
|
|
||||||
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
|
|
||||||
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
|
|
||||||
|
|
||||||
set_keystate "KEY3" "GOAL" "omnipresent"
|
|
||||||
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
|
|
||||||
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
|
|
||||||
# Three keys only.
|
|
||||||
key_clear "KEY4"
|
|
||||||
|
|
||||||
#
|
|
||||||
# Zone: rumoured.kasp.
|
|
||||||
#
|
|
||||||
# There are three keys in rumoured state.
|
|
||||||
set_zone "rumoured.kasp"
|
|
||||||
set_policy "rsasha256" "3" "1234"
|
|
||||||
set_server "ns3" "10.53.0.3"
|
|
||||||
# Key properties, timings and states same as above.
|
|
||||||
|
|
||||||
check_keys
|
|
||||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
|
||||||
set_keytimes_algorithm_policy
|
|
||||||
# Activation date is a day later.
|
|
||||||
set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400
|
|
||||||
set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400
|
|
||||||
set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400
|
|
||||||
set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400
|
|
||||||
set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400
|
|
||||||
set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400
|
|
||||||
set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400
|
|
||||||
set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400
|
|
||||||
set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400
|
|
||||||
check_keytimes
|
|
||||||
check_apex
|
|
||||||
check_subdomain
|
|
||||||
dnssec_verify
|
|
||||||
|
|
||||||
# TODO: we might want to test:
|
# TODO: we might want to test:
|
||||||
# - configuring a zone with too many active keys (should trigger retire).
|
# - configuring a zone with too many active keys (should trigger retire).
|
||||||
# - configuring a zone with keys not matching the policy.
|
# - configuring a zone with keys not matching the policy.
|
||||||
|
@@ -310,11 +310,18 @@ def test_kasp_cases(servers):
|
|||||||
ttl=ttl, keys=test["key-properties"]
|
ttl=ttl, keys=test["key-properties"]
|
||||||
)
|
)
|
||||||
# Key files.
|
# Key files.
|
||||||
keys = isctest.kasp.keydir_to_keylist(
|
if "key-directories" in test:
|
||||||
zone, test["config"]["key-directory"], in_use=pregenerated
|
kdir = test["key-directories"][0]
|
||||||
)
|
ksks = isctest.kasp.keydir_to_keylist(zone, kdir, in_use=pregenerated)
|
||||||
ksks = [k for k in keys if k.is_ksk()]
|
kdir = test["key-directories"][1]
|
||||||
zsks = [k for k in keys if not k.is_ksk()]
|
zsks = isctest.kasp.keydir_to_keylist(zone, kdir, in_use=pregenerated)
|
||||||
|
keys = ksks + zsks
|
||||||
|
else:
|
||||||
|
keys = isctest.kasp.keydir_to_keylist(
|
||||||
|
zone, test["config"]["key-directory"], in_use=pregenerated
|
||||||
|
)
|
||||||
|
ksks = [k for k in keys if k.is_ksk()]
|
||||||
|
zsks = [k for k in keys if not k.is_ksk()]
|
||||||
|
|
||||||
isctest.kasp.check_zone_is_signed(server, zone)
|
isctest.kasp.check_zone_is_signed(server, zone)
|
||||||
isctest.kasp.check_keys(zone, keys, expected)
|
isctest.kasp.check_keys(zone, keys, expected)
|
||||||
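Review bot: The two `test["key-directories"][0]` / `[1]` reads in the new `if "key-directories" in test:` branch assume exactly two entries, which the commit message promises but the code never checks; `ksk_dir, zsk_dir = test["key-directories"]` fails loudly on any other length and names the roles. The branch also drops the `is_ksk()` split the old code applied, so unless keydir_to_keylist filters by role (not visible here) a key written to the wrong directory would be classified by its location rather than its flags; `assert all(k.is_ksk() for k in ksks) and not any(k.is_ksk() for k in zsks)` would keep that check, which is what a key-directory test is meant to prove. test_kasp_cases starts and ends outside this hunk.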
@@ -326,7 +333,8 @@ def test_kasp_cases(servers):
|
|||||||
test["config"], offset=offset, pregenerated=pregenerated
|
test["config"], offset=offset, pregenerated=pregenerated
|
||||||
)
|
)
|
||||||
|
|
||||||
isctest.kasp.check_keytimes(keys, expected)
|
if "rumoured" not in test:
|
||||||
|
isctest.kasp.check_keytimes(keys, expected)
|
||||||
|
|
||||||
check_all(server, zone, policy, ksks, zsks, zsk_missing=zsk_missing)
|
check_all(server, zone, policy, ksks, zsks, zsk_missing=zsk_missing)
|
||||||
|
|
||||||
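Review bot: `if "rumoured" not in test:` keys the check_keytimes skip on the presence of the `rumoured` key rather than its value, so an entry with `"rumoured": False` would silently skip the key-times check as well; `if not test.get("rumoured", False):` matches the boolean the rumoured.kasp entry sets in the later hunk. A one-line comment above it, `# rumoured.kasp: key times cannot match the forced rumoured states, so only the states are checked`, would record why this zone is exempt. test_kasp_cases starts and ends outside this hunk.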
@@ -458,6 +466,27 @@ def test_kasp_cases(servers):
|
|||||||
"config": kasp_config,
|
"config": kasp_config,
|
||||||
"key-properties": fips_properties(8),
|
"key-properties": fips_properties(8),
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"zone": "keystore.kasp",
|
||||||
|
"policy": "keystore",
|
||||||
|
"config": {
|
||||||
|
"dnskey-ttl": timedelta(seconds=303),
|
||||||
|
"ds-ttl": timedelta(days=1),
|
||||||
|
"key-directory": keydir,
|
||||||
|
"max-zone-ttl": timedelta(days=1),
|
||||||
|
"parent-propagation-delay": timedelta(hours=1),
|
||||||
|
"publish-safety": timedelta(hours=1),
|
||||||
|
"retire-safety": timedelta(hours=1),
|
||||||
|
"signatures-refresh": timedelta(days=5),
|
||||||
|
"signatures-validity": timedelta(days=14),
|
||||||
|
"zone-propagation-delay": timedelta(minutes=5),
|
||||||
|
},
|
||||||
|
"key-directories": [f"{keydir}/ksk", f"{keydir}/zsk"],
|
||||||
|
"key-properties": [
|
||||||
|
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||||
|
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
|
||||||
|
],
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"zone": "legacy-keys.kasp",
|
"zone": "legacy-keys.kasp",
|
||||||
"policy": "migrate-to-dnssec-policy",
|
"policy": "migrate-to-dnssec-policy",
|
||||||
@@ -493,6 +522,13 @@ def test_kasp_cases(servers):
|
|||||||
"config": kasp_config,
|
"config": kasp_config,
|
||||||
"key-properties": fips_properties(10),
|
"key-properties": fips_properties(10),
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"zone": "rumoured.kasp",
|
||||||
|
"policy": "rsasha256",
|
||||||
|
"config": kasp_config,
|
||||||
|
"rumoured": True,
|
||||||
|
"key-properties": fips_properties(8),
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"zone": "secondary.kasp",
|
"zone": "secondary.kasp",
|
||||||
"policy": "rsasha256",
|
"policy": "rsasha256",
|
||||||
|