#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# shellcheck source=conf.sh
# shellcheck source=kasp.sh
SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"
. "$SYSTEMTESTTOP/kasp.sh"

# Wall-clock start of this run, UTC epoch seconds.
start_time="$(TZ=UTC date +%s)"
# Sum of all failures seen so far; reported at the end of the run.
status=0
# Running test number, bumped before each test and printed with it.
n=0

###############################################################################
# Utilities                                                                   #
###############################################################################

# Query with the option set shared by every dig call in this test: TCP,
# DNSSEC records requested, the harness port, and the TSIG key in $TSIG when
# one is set. All arguments are passed through to dig unchanged.
# NOTE(review): "-y" places the TSIG secret on the command line where it is
# visible in process listings; acceptable for a throw-away test key, but a
# real deployment should hand dig a key file ("-k") instead.
dig_with_opts() {
  if [ -n "$TSIG" ]; then
    set -- -y "$TSIG" "$@"
  fi
  "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}

# Run rndc with the shared test control key and port. The first argument is
# the server address (it follows "-s"); the rest form the rndc command.
rndccmd() {
  "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@"
}

# Report an error for the test in progress and bump its failure counter $ret
# (a global that every test resets to 0 before its first check).
log_error() {
  echo_i "error: $1"
  ret=$((ret + 1))
}

# Default next key event threshold. May be extended by wait periods.
next_key_event_threshold=100

###############################################################################
# Tests                                                                       #
###############################################################################

#
# dnssec-keygen
#
set_zone "kasp"
set_policy "kasp" "4" "200"
set_server "keys" "10.53.0.1"

n=$((n + 1))
echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)"
ret=0
# Generate the keys of the "kasp" policy from kasp.conf into keys/. keygen
# prints one key name per line, so the line count of its output is the number
# of keys created; diagnostics are silenced and a failure only shows through
# the exit status.
$KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1
lines=$(wc -l < "keygen.out.$POLICY.test$n")
[ "$lines" -eq "$NUM_KEYS" ] || log_error "wrong number of keys created for policy kasp: $lines"
# Each key id is tried against several candidate descriptions below, so a
# single mismatch is not an error: keep log_error quiet until there is a verdict.
disable_logerror

# Expected properties of the four keys described by the policy.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "31536000"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"

set_keyrole "KEY2" "ksk"
set_keylifetime "KEY2" "31536000"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
set_keysigning "KEY2" "yes"
set_zonesigning "KEY2" "no"

set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "2592000"
set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "yes"

set_keyrole "KEY4" "zsk"
set_keylifetime "KEY4" "16070400"
set_keyalgorithm "KEY4" "8" "RSASHA256" "3072"
set_keysigning "KEY4" "no"
set_zonesigning "KEY4" "yes"

lines=$(get_keyids "$DIR" "$ZONE" | wc -l)
[ "$lines" -eq "$NUM_KEYS" ] || log_error "bad number of key ids"

ids=$(get_keyids "$DIR" "$ZONE")
for id in $ids; do
  # Several keys share an algorithm, so the id alone does not tell which
  # description a key file belongs to: try each and stop at the first match.
  for candidate in KEY1 KEY2 KEY3 KEY4; do
    ret=0
    check_key "$candidate" "$id"
    [ "$ret" -eq 0 ] && break
  done
  # ret is still non-zero here only if none of the four descriptions matched.
  [ "$ret" -eq 0 ] || echo_i "failed"
  status=$((status + ret))
done
# Turn error logs on again.
enable_logerror

n=$((n + 1))
echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
ret=0
set_zone "kasp"
set_policy "default" "1" "3600"
set_server "." "10.53.0.1"
# The built-in default policy is expected to yield one CSK with an unlimited
# lifetime; the other slots are cleared so stale expectations cannot match.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"

key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# No policy file is needed for the built-in policy (compare the -l above).
$KEYGEN -G -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1
lines=$(wc -l < "keygen.out.$POLICY.test$n")
[ "$lines" -eq "$NUM_KEYS" ] || log_error "wrong number of keys created for policy default: $lines"
ids=$(get_keyids "$DIR" "$ZONE")
for id in $ids; do
  check_key "KEY1" "$id"
  # Remember the matching key; the dnssec-settime tests below operate on it.
  [ "$ret" -eq 0 ] && key_save KEY1
  check_keytimes
done
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

#
# dnssec-settime
#

# These tests build upon the key created last by dnssec-keygen and use the
# variables BASE_FILE, KEY_FILE, PRIVATE_FILE and STATE_FILE (presumably
# exported by key_save above) to reach its files.
CMP_FILE="${BASE_FILE}.cmp"
n=$((n + 1))
echo_i "check that 'dnssec-settime' by default does not edit key state file ($n)"
ret=0
# Snapshot the state file: without -s, settime may only touch the timing
# metadata in the .key and .private files and must leave the state file as is.
cp "$STATE_FILE" "$CMP_FILE"
$SETTIME -P +3600 "$BASE_FILE" > /dev/null || log_error "settime failed"
grep "; Publish: " "$KEY_FILE" > /dev/null || log_error "mismatch published in $KEY_FILE"
grep "Publish: " "$PRIVATE_FILE" > /dev/null || log_error "mismatch published in $PRIVATE_FILE"
$DIFF "$CMP_FILE" "$STATE_FILE" || log_error "unexpected file change in $STATE_FILE"
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'dnssec-settime -s' also sets publish time metadata and states in key state file ($n)"
ret=0
cp "$STATE_FILE" "$CMP_FILE"
now=$(date +%Y%m%d%H%M%S)
# With -s the state file is editable: -g sets the goal, -k/-z/-r/-d the
# DNSKEY, ZRRSIG, KRRSIG and DS states, each stamped with $now.
$SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "hidden"
# $id is the key id left over from the keygen loop above.
check_key "KEY1" "$id"
[ "$ret" -eq 0 ] && key_save KEY1
set_keytime "KEY1" "PUBLISHED" "${now}"
check_keytimes
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'dnssec-settime -s' also unsets publish time metadata and states in key state file ($n)"
ret=0
cp "$STATE_FILE" "$CMP_FILE"
# "none" clears the publish time and every state set in the previous test.
$SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
set_keystate "KEY1" "GOAL" "none"
set_keystate "KEY1" "STATE_DNSKEY" "none"
set_keystate "KEY1" "STATE_KRRSIG" "none"
set_keystate "KEY1" "STATE_ZRRSIG" "none"
set_keystate "KEY1" "STATE_DS" "none"
check_key "KEY1" "$id"
[ "$ret" -eq 0 ] && key_save KEY1
set_keytime "KEY1" "PUBLISHED" "none"
check_keytimes
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "check that 'dnssec-settime -s' also sets active time metadata and states in key state file (uppercase) ($n)"
ret=0
cp "$STATE_FILE" "$CMP_FILE"
now=$(date +%Y%m%d%H%M%S)
# State names given in upper case are expected to be accepted and to show
# up in their canonical lower-case form.
$SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
set_keystate "KEY1" "STATE_DS" "omnipresent"
check_key "KEY1" "$id"
[ "$ret" -eq 0 ] && key_save KEY1
set_keytime "KEY1" "ACTIVE" "${now}"
check_keytimes
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

#
# named
#

# The NSEC record at the apex of the zone and its RRSIG records are
# added as part of the last step in signing a zone. We wait for the
# NSEC records to appear before proceeding with a counter to prevent
# infinite loops if there is an error.
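n=$((n + 1))
echo_i "waiting for kasp signing changes to take effect ($n)"
# Reset the per-test failure counter. The previous test already folded its
# result into $status; without this reset a failure there would be counted
# again here and reported as this test's failure.
ret=0

# For every zone listed in $1/zones, query the apex NSEC at server $2 and
# require an NSEC covering NS and SOA plus an RRSIG over the apex, i.e. the
# last signing step has completed. Output goes to dig.out.$1.test$n.<zone>.
_apex_nsec_signed() {
  _ns=$1
  _addr=$2
  while read -r zone; do
    dig_with_opts "$zone" "@${_addr}" nsec > "dig.out.${_ns}.test$n.$zone" || return 1
    grep "NS SOA" "dig.out.${_ns}.test$n.$zone" > /dev/null || return 1
    grep "$zone\..*IN.*RRSIG" "dig.out.${_ns}.test$n.$zone" > /dev/null || return 1
  done < "${_ns}/zones"
  return 0
}

# Succeed once both ns3 and ns6 serve a signed apex for all their zones.
_wait_for_done_apexnsec() {
  _apex_nsec_signed ns3 10.53.0.3 || return 1
  _apex_nsec_signed ns6 10.53.0.6 || return 1
  return 0
}
retry_quiet 30 _wait_for_done_apexnsec || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Test max-zone-ttl rejects zones with too high TTL.
n=$((n + 1))
echo_i "check that max-zone-ttl rejects zones with too high TTL ($n)"
ret=0
set_zone "max-zone-ttl.kasp"
# The zone must have been refused at load time; look for the load error.
grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" > /dev/null || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

#
# Zone: default.kasp.
#
# Expected key times for a zone under the default (single CSK) policy.
set_keytimes_csk_policy() {
  # The first key is immediately published and activated.
  created=$(key_get KEY1 CREATED)
  set_keytime "KEY1" "PUBLISHED" "${created}"
  set_keytime "KEY1" "ACTIVE" "${created}"
  # The DS can be published if the DNSKEY and RRSIG records are
  # OMNIPRESENT. This happens after max-zone-ttl (1d) plus
  # publish-safety (1h) plus zone-propagation-delay (300s) =
  # 86400 + 3600 + 300 = 90300.
  set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300
  # Key lifetime is unlimited, so not setting RETIRED and REMOVED.
}

# Check the zone with default kasp policy has loaded and is signed.
set_zone "default.kasp"
set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties.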
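set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

# Full check of a zone under the default (single CSK) policy: key files,
# dnssec status, expected key times, apex and subdomain records, and a
# dnssec-verify of the served zone.
_check_default_csk_zone() {
  check_keys
  check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
  set_keytimes_csk_policy
  check_keytimes
  check_apex
  check_subdomain
  dnssec_verify
}

_check_default_csk_zone

# Compare the current stat of the .private, .key and .state files under
# $basefile with the values recorded before the keymgr run ($privkey_stat,
# $pubkey_stat, $state_stat); every difference is logged as an error.
_check_keyfiles_untouched() {
  privkey_stat2=$(key_stat "${basefile}.private")
  pubkey_stat2=$(key_stat "${basefile}.key")
  state_stat2=$(key_stat "${basefile}.state")
  [ "$privkey_stat" = "$privkey_stat2" ] || log_error "wrong private key file stat (expected $privkey_stat got $privkey_stat2)"
  [ "$pubkey_stat" = "$pubkey_stat2" ] || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)"
  [ "$state_stat" = "$state_stat2" ] || log_error "wrong state file stat (expected $state_stat got $state_stat2)"
}

# Trigger a keymgr run. Make sure the key files are not touched if there are
# no modifications to the key metadata: rewriting an unchanged .private file
# is a needless write of key material.
n=$((n + 1))
echo_i "make sure key files are untouched if metadata does not change ($n)"
ret=0
basefile=$(key_get KEY1 BASEFILE)
privkey_stat=$(key_get KEY1 PRIVKEY_STAT)
pubkey_stat=$(key_get KEY1 PUBKEY_STAT)
state_stat=$(key_get KEY1 STATE_STAT)

nextpart "$DIR/named.run" > /dev/null
rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
# The stat comparison only means something after the keymgr run actually
# happened, so a timeout waiting for its log line is an error, not a skip.
wait_for_log 3 "keymgr: $ZONE done" "$DIR/named.run" || log_error "keymgr run for zone ${ZONE} not logged"
_check_keyfiles_untouched
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "again ($n)"
ret=0

nextpart "$DIR/named.run" > /dev/null
rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
# Wait on the same zone-specific log line as the first run (the bare
# "keymgr: done" pattern used before was inconsistent with it).
wait_for_log 3 "keymgr: $ZONE done" "$DIR/named.run" || log_error "keymgr run for zone ${ZONE} not logged"
_check_keyfiles_untouched
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Update zone.
n=$((n + 1))
echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)"
ret=0
cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db"
rndccmd 10.53.0.3 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed"

# Check one A record: $1 is the owner name, $2 the expected address and $3 the
# dig output file. The answer must be NOERROR, carry the record with the
# default TTL and that address, and be signed by exactly one key, the one
# whose id is in $KEY_ID. Returns 1 at the first failing check.
_a_record_is_signed() {
  _owner=$1
  _addr=$2
  _out=$3
  dig_with_opts "$_owner" "@${SERVER}" A > "$_out" || return 1
  grep "status: NOERROR" "$_out" > /dev/null || return 1
  grep "${_owner}\..*${DEFAULT_TTL}.*IN.*A.*${_addr}" "$_out" > /dev/null || return 1
  _nsigs=$(get_keys_which_signed A "$_out" | wc -l)
  [ "$_nsigs" -eq 1 ] || return 1
  get_keys_which_signed A "$_out" | grep "^${KEY_ID}$" > /dev/null || return 1
  return 0
}

# Check that a.${ZONE} resolves to $1 and d.${ZONE} to $2, each signed as
# described in _a_record_is_signed. An argument of "-" skips that name.
update_is_signed() {
  ip_a=$1
  ip_d=$2

  if [ "$ip_a" != "-" ]; then
    _a_record_is_signed "a.${ZONE}" "$ip_a" "dig.out.$DIR.test$n.a" || return 1
  fi
  if [ "$ip_d" != "-" ]; then
    _a_record_is_signed "d.${ZONE}" "$ip_d" "dig.out.$DIR.test$n.d" || return 1
  fi
  return 0
}

retry_quiet 10 update_is_signed "10.0.0.11" "10.0.0.44" || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Move the private key file aside: a rekey event must not treat an offline
# (inaccessible) private key as lost and introduce replacement keys.
# Numbered like every other test so its log lines are unambiguous.
n=$((n + 1))
ret=0
echo_i "test that if private key files are inaccessible this doesn't trigger a rollover ($n)"
basefile=$(key_get KEY1 BASEFILE)
mv "${basefile}.private" "${basefile}.offline"
rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
wait_for_log 3 "offline, policy default" "$DIR/named.run" || ret=1
# Restore the private key regardless of the outcome so later tests see the
# complete key pair.
mv "${basefile}.offline" "${basefile}.private"
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Nothing has changed.
_check_default_csk_zone

#
# Zone: dynamic.kasp
#
set_zone "dynamic.kasp"
set_dynamic
set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
_check_default_csk_zone

# Update zone with nsupdate.
n=$((n + 1))
echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)"
ret=0
# No TSIG key is passed; this relies on ns3's update policy for the test
# network accepting the update.
$NSUPDATE <<EOF
zone ${ZONE}
server 10.53.0.3 $PORT
update del a.${ZONE} 300 A 10.0.0.1
update add a.${ZONE} 300 A 10.0.0.101
update add d.${ZONE} 300 A 10.0.0.4
send
EOF

retry_quiet 10 update_is_signed "10.0.0.101" "10.0.0.4" || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Update zone with nsupdate (reverting the above change).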
n=$((n + 1))
echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)"
ret=0
# Undo the previous dynamic update so the zone holds its original data again.
$NSUPDATE <<EOF
zone ${ZONE}
server 10.53.0.3 $PORT
update add a.${ZONE} 300 A 10.0.0.1
update del a.${ZONE} 300 A 10.0.0.101
update del d.${ZONE} 300 A 10.0.0.4
send
EOF

# d.${ZONE} is gone again, so only a.${ZONE} is checked ("-" skips d).
retry_quiet 10 update_is_signed "10.0.0.1" "-" || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Update zone with freeze/thaw.
n=$((n + 1))
echo_i "modify zone file and check that new record is signed for zone ${ZONE} ($n)"
ret=0
# Freeze the dynamic zone so its file can be edited on disk, append a record,
# then thaw to have named pick the edited file up.
rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed"
sleep 1
printf '%s\n' "d.${ZONE}. 300 A 10.0.0.44" >> "${DIR}/${ZONE}.db"
rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed"

retry_quiet 10 update_is_signed "10.0.0.1" "10.0.0.44" || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

#
# Zone: dynamic-inline-signing.kasp
#
set_zone "dynamic-inline-signing.kasp"
set_dynamic
set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states are those of the default CSK policy
# configured for default.kasp above.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Update zone with freeze/thaw.
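n=$((n + 1))
echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)"
ret=0
rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed"
sleep 1
cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db"
rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed"

# template2.db.in carries a.${ZONE} 10.0.0.11 and d.${ZONE} 10.0.0.44 (the
# same template is checked with these addresses in the default.kasp reload
# test). Pass them explicitly: without arguments update_is_signed would
# accept any A record at those names and not verify the new data at all.
retry_quiet 10 update_is_signed "10.0.0.11" "10.0.0.44" || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

#
# Zone: inline-signing.kasp
#
set_zone "inline-signing.kasp"
set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: checkds-ksk.kasp.
#
# Drop the CSK expectations before describing a split KSK/ZSK key set.
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

set_zone "checkds-ksk.kasp"
set_policy "checkds-ksk" "2" "303"
set_server "ns3" "10.53.0.3"
# Key properties: one KSK (signs the key set only) and one ZSK (signs the
# zone data only), both with unlimited lifetime.
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.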
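set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

basefile=$(key_get KEY1 BASEFILE)

# Succeed when file $2 contains the pattern $1. Used with retry_quiet to
# wait for named to write key metadata to a state file.
_wait_for_metadata() {
  _expr=$1
  _file=$2
  grep "$_expr" "$_file" > /dev/null || return 1
  return 0
}

n=$((n + 1))
echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
# Reset the failure counter like every other test does; the checks above may
# have left a non-zero value that would otherwise be charged to this test.
ret=0
now=$(date +%Y%m%d%H%M%S)
# Tell named the DS has been seen in the parent: the time is recorded as
# DSPublish in the KSK's state file and the DS state is forced to RUMOURED.
rndc_checkds "$SERVER" "$DIR" "-" "$now" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: $now" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
set_keystate "KEY1" "STATE_DS" "rumoured"
check_keys
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
ret=0
now=$(date +%Y%m%d%H%M%S)
# The withdrawn counterpart: DSRemoved is recorded and the DS state is
# forced to UNRETENTIVE.
rndc_checkds "$SERVER" "$DIR" "-" "$now" "withdrawn" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSRemoved: $now" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
set_keystate "KEY1" "STATE_DS" "unretentive"
check_keys
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

#
# Zone: checkds-doubleksk.kasp.
#
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

set_zone "checkds-doubleksk.kasp"
set_policy "checkds-doubleksk" "3" "303"
set_server "ns3" "10.53.0.3"
# Key properties.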
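set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

set_keyrole "KEY2" "ksk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY2" "yes"
set_zonesigning "KEY2" "no"

set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
set_keystate "KEY2" "STATE_DS" "hidden"

set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

basefile1=$(key_get KEY1 BASEFILE)
basefile2=$(key_get KEY2 BASEFILE)

# Log an error for every key base name in $2.. whose state file carries the
# DS metadata line $1 ("DSPublish" or "DSRemoved"). The message names the
# metadata actually checked.
_expect_no_dsmeta() {
  _meta=$1
  shift
  for _base in "$@"; do
    grep "${_meta}:" "${_base}.state" > /dev/null && log_error "${_meta} incorrectly set in ${_base}"
  done
}

# With two KSKs a checkds without -key is ambiguous and must not record a DS
# time on either key.
n=$((n + 1))
echo_i "checkds published does not set DSPublish for zone $ZONE (multiple KSK) ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "published" "$ZONE"
_expect_no_dsmeta DSPublish "$basefile1" "$basefile2"
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (multiple KSK) ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "withdrawn" "$ZONE"
_expect_no_dsmeta DSRemoved "$basefile1" "$basefile2"
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# A -key that exists but with the wrong algorithm (8/RSASHA256 instead of
# 13) must not select a key either.
n=$((n + 1))
echo_i "checkds published does not set DSPublish for zone $ZONE (wrong algorithm) ($n)"
ret=0
rndccmd "$SERVER" dnssec -checkds -key "$(key_get KEY1 ID)" -alg 8 "published" "$ZONE" > "rndc.dnssec.checkds.out.$ZONE.$n"
_expect_no_dsmeta DSPublish "$basefile1" "$basefile2"
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (wrong algorithm) ($n)"
ret=0
rndccmd "$SERVER" dnssec -checkds -key "$(key_get KEY1 ID)" -alg RSASHA256 "withdrawn" "$ZONE" > "rndc.dnssec.checkds.out.$ZONE.$n"
_expect_no_dsmeta DSRemoved "$basefile1" "$basefile2"
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

# Naming the key makes checkds unambiguous: only that key's state file
# gets the metadata, the other KSK stays untouched.
n=$((n + 1))
echo_i "checkds published -key correctly sets DSPublish for key $(key_get KEY1 ID) zone $ZONE (multiple KSK) ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" KEY1 "20190102121314" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile1}.state" || log_error "bad DSPublish in ${basefile1}.state"
_expect_no_dsmeta DSPublish "$basefile2"
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checkds withdrawn -key correctly sets DSRemoved for key $(key_get KEY2 ID) zone $ZONE (multiple KSK) ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" KEY2 "20200102121314" "withdrawn" "$ZONE"
# The error message used to say "DSPublish" here although DSRemoved is what
# is checked; _expect_no_dsmeta reports the metadata it actually looks for.
_expect_no_dsmeta DSRemoved "$basefile1"
retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile2}.state" || log_error "bad DSRemoved in ${basefile2}.state"
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

#
# Zone: checkds-csk.kasp.
#
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

set_zone "checkds-csk.kasp"
set_policy "checkds-csk" "1" "303"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

basefile=$(key_get KEY1 BASEFILE)

# A single CSK is unambiguous, so checkds without -key applies to it.
n=$((n + 1))
echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

n=$((n + 1))
echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))
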
# Set keytimes for dnssec-policy with various algorithms.
# These all use the same time values.

# Set PUBLISHED and ACTIVE of key $1 to its creation time or, when $3 is
# "pregenerated", to the Publish time recorded in its .key file (extracted
# via the scratch file published.test${n}.$2). Leaves the publish time in the
# global $published for the caller.
_set_keytimes_published() {
  _key=$1
  _tag=$2
  created=$(key_get "$_key" CREATED)
  set_keytime "$_key" "PUBLISHED" "${created}"
  set_keytime "$_key" "ACTIVE" "${created}"
  if [ "$3" = "pregenerated" ]; then
    keyfile=$(key_get "$_key" BASEFILE)
    grep "; Publish:" "${keyfile}.key" > "published.test${n}.${_tag}"
    published=$(awk '{print $3}' < "published.test${n}.${_tag}")
    set_keytime "$_key" "PUBLISHED" "${published}"
    set_keytime "$_key" "ACTIVE" "${published}"
  fi
  published=$(key_get "$_key" PUBLISHED)
}

# Set RETIRED of key $1 to $published plus the lifetime $2 (seconds) and
# REMOVED to RETIRED plus the removal delay $3 (seconds).
_set_keytimes_retired() {
  _key=$1
  set_addkeytime "$_key" "RETIRED" "${published}" "$2"
  retired=$(key_get "$_key" RETIRED)
  set_addkeytime "$_key" "REMOVED" "${retired}" "$3"
}

# Expected key times for the KSK (KEY1) and two ZSKs (KEY2, KEY3) of the
# algorithm policies; pass "pregenerated" as $1 when the keys pre-existed.
set_keytimes_algorithm_policy() {
  # The first KSK is immediately published and activated.
  _set_keytimes_published "KEY1" "key1" "$1"
  # The DS can be published if the DNSKEY and RRSIG records are
  # OMNIPRESENT. This happens after max-zone-ttl (1d) plus
  # publish-safety (1h) plus zone-propagation-delay (300s) =
  # 86400 + 3600 + 300 = 90300.
  set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
  # KSK lifetime is 10 years, 315360000 seconds. The key is removed after
  # the retire time plus DS TTL (1d), parent propagation delay (1h), and
  # retire safety (1h) = 86400 + 3600 + 3600 = 93600.
  _set_keytimes_retired "KEY1" 315360000 93600

  # The first ZSK (KEY2) is immediately published and activated as well.
  _set_keytimes_published "KEY2" "key2" "$1"
  # Lifetime of ZSK KEY2 is 5 years, 157680000 seconds. The key is removed
  # after the retire time plus max zone ttl (1d), zone propagation delay
  # (300s), retire safety (1h), and sign delay (signature validity minus
  # refresh, 9d) = 86400 + 300 + 3600 + 777600 = 867900.
  _set_keytimes_retired "KEY2" 157680000 867900

  # Second ZSK (KEY3): lifetime 1 year, 31536000 seconds, same removal
  # delay as KEY2.
  _set_keytimes_published "KEY3" "key3" "$1"
  _set_keytimes_retired "KEY3" 31536000 867900
}

#
# Zone: rsasha1.kasp.
#
# RSASHA1 is deprecated for signing and may be unavailable in the crypto
# provider, so this zone is only checked when testcrypto.sh reports support.
if $SHELL ../testcrypto.sh -q RSASHA1; then
  set_zone "rsasha1.kasp"
  set_policy "rsasha1" "3" "1234"
  set_server "ns3" "10.53.0.3"
  # Key properties: one KSK and two ZSKs, the second ZSK with a 2000-bit key.
  key_clear "KEY1"
  set_keyrole "KEY1" "ksk"
  set_keylifetime "KEY1" "315360000"
  set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
  set_keysigning "KEY1" "yes"
  set_zonesigning "KEY1" "no"

  key_clear "KEY2"
  set_keyrole "KEY2" "zsk"
  set_keylifetime "KEY2" "157680000"
  set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
  set_keysigning "KEY2" "no"
  set_zonesigning "KEY2" "yes"

  key_clear "KEY3"
  set_keyrole "KEY3" "zsk"
  set_keylifetime "KEY3" "31536000"
  set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
  set_keysigning "KEY3" "no"
  set_zonesigning "KEY3" "yes"

  # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
  # ZSK: DNSKEY, RRSIG (zsk) published.
  set_keystate "KEY1" "GOAL" "omnipresent"
  set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
  set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
  set_keystate "KEY1" "STATE_DS" "hidden"

  set_keystate "KEY2" "GOAL" "omnipresent"
  set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
  set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"

  set_keystate "KEY3" "GOAL" "omnipresent"
  set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
  set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
  # Three keys only.
  key_clear "KEY4"

  check_keys
  check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
  set_keytimes_algorithm_policy
  check_keytimes
  check_apex
  check_subdomain
  dnssec_verify
fi

#
# Zone: unsigned.kasp.
#
# No policy: no keys at all are expected for this zone.
set_zone "unsigned.kasp"
set_policy "none" "0" "0"
set_server "ns3" "10.53.0.3"

key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
# Make sure the zone file is untouched.
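n=$((n + 1))
echo_i "Make sure the zonefile for zone ${ZONE} is not edited ($n)"
ret=0
# A zone without a policy must be served from its file as is. Use the
# harness diff ($DIFF) like the other file comparisons in this test instead
# of a bare diff.
$DIFF "${DIR}/${ZONE}.db.infile" "${DIR}/${ZONE}.db" || ret=1
[ "$ret" -eq 0 ] || echo_i "failed"
status=$((status + ret))

#
# Zone: insecure.kasp.
#
# The built-in "insecure" policy: no keys are expected either.
set_zone "insecure.kasp"
set_policy "insecure" "0" "0"
set_server "ns3" "10.53.0.3"

key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

#
# Zone: unlimited.kasp.
#
set_zone "unlimited.kasp"
set_policy "unlimited" "1" "1234"
set_server "ns3" "10.53.0.3"
# Key properties: a single CSK with unlimited lifetime.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: inherit.kasp.
#
set_zone "inherit.kasp"
set_policy "rsasha256" "3" "1234"
set_server "ns3" "10.53.0.3"

# Key properties.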
# Key properties and expected states, grouped per key.
#
# KEY1: RSASHA256/2048 KSK, lifetime 315360000s (10 years); it signs the
# DNSKEY RRset only.  DNSKEY and KSK signature are RUMOURED, the DS is still
# HIDDEN (it needs to wait).
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "315360000"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

# KEY2: RSASHA256/2048 ZSK, lifetime 157680000s (5 years); DNSKEY and zone
# signatures are RUMOURED.
key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "157680000"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"

# KEY3: RSASHA256/3072 ZSK, lifetime 31536000s (1 year); same states as KEY2.
key_clear "KEY3"
set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "31536000"
set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "yes"
set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"

# Three keys only.
key_clear "KEY4"

check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: dnssec-keygen.kasp.
#
# Same "rsasha256" policy; the key properties, timings and states set above
# are reused unchanged.
set_zone "dnssec-keygen.kasp"
set_policy "rsasha256" "3" "1234"
set_server "ns3" "10.53.0.3"

check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: some-keys.kasp.
#
# Same "rsasha256" policy; key properties, timings and states same as above.
set_zone "some-keys.kasp"
set_policy "rsasha256" "3" "1234"
set_server "ns3" "10.53.0.3"
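check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy "pregenerated"
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: pregenerated.kasp.
#
# There are more pregenerated keys than needed, hence the number of keys is
# six, not three.
set_zone "pregenerated.kasp"
set_policy "rsasha256" "6" "1234"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy "pregenerated"
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: rumoured.kasp.
#
# There are three keys in rumoured state.
set_zone "rumoured.kasp"
set_policy "rsasha256" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
# Activation date is a day (86400s) later than what the algorithm policy
# computed; RETIRED and REMOVED are shifted by the same amount for every key
# (presumably because they are derived from ACTIVE).  The key_get result is
# quoted so that an empty value cannot silently shift the 86400 into the
# time argument.
for _key in KEY1 KEY2 KEY3; do
	for _time in ACTIVE RETIRED REMOVED; do
		set_addkeytime "${_key}" "${_time}" "$(key_get "${_key}" "${_time}")" 86400
	done
done
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: secondary.kasp.
#
set_zone "secondary.kasp"
set_policy "rsasha256" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.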
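check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Update zone: install a second version of the zone file on the primary (ns2),
# reload it there, and wait until SERVER serves the new records with valid
# ZSK signatures.  Note that the poll helper below resets ret on every
# attempt, so a failed cp/reload only shows up in the log; the test itself
# fails through the retry timing out.
n=$((n+1))
echo_i "check that we correctly sign the zone after IXFR for zone ${ZONE} ($n)"
ret=0
cp ns2/secondary.kasp.db.in2 ns2/secondary.kasp.db || log_error "installing updated zone file for ${ZONE} on ns2 failed"
rndccmd 10.53.0.2 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed"

# Poll helper for retry_quiet: returns non-zero until both a.ZONE and d.ZONE
# answer NOERROR with the updated A records and check_signatures is happy
# with the ZSK signatures.  Reads ZONE, SERVER, DIR, DEFAULT_TTL and n;
# resets ret and returns it (check_signatures is expected to count its
# failures there).
_wait_for_done_subdomains() {
	ret=0
	dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1
	grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1
	grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" > /dev/null || return 1
	# The query type is A; pass it explicitly rather than via the _qtype
	# variable, which nothing in this function sets.
	check_signatures "A" "dig.out.$DIR.test$n.a" "ZSK"
	if [ "$ret" -gt 0 ]; then return "$ret"; fi

	dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.d" || return 1
	grep "status: NOERROR" "dig.out.$DIR.test$n.d" > /dev/null || return 1
	grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" > /dev/null || return 1
	check_signatures "A" "dig.out.$DIR.test$n.d" "ZSK"
	return "$ret"
}
retry_quiet 5 _wait_for_done_subdomains || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# TODO: we might want to test:
# - configuring a zone with too many active keys (should trigger retire).
# - configuring a zone with keys not matching the policy.

#
# Zone: rsasha1-nsec3.kasp.
#
# Only run when the crypto provider still supports RSASHA1.
if $SHELL ../testcrypto.sh -q RSASHA1
then
	set_zone "rsasha1-nsec3.kasp"
	set_policy "rsasha1-nsec3" "3" "1234"
	set_server "ns3" "10.53.0.3"
	# Key properties: NSEC3RSASHA1 (algorithm 7); the third key uses an
	# unusual 2000-bit size.
	set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
	set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048"
	set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000"
	# Key timings and states same as above.

	check_keys
	check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
	set_keytimes_algorithm_policy
	check_keytimes
	check_apex
	check_subdomain
	dnssec_verify
fi

#
# Zone: rsasha256.kasp.
#
set_zone "rsasha256.kasp"
set_policy "rsasha256" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties: RSASHA256 (algorithm 8).
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
# Key timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: rsasha512.kasp.
#
set_zone "rsasha512.kasp"
set_policy "rsasha512" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties: RSASHA512 (algorithm 10).
set_keyalgorithm "KEY1" "10" "RSASHA512" "2048"
set_keyalgorithm "KEY2" "10" "RSASHA512" "2048"
set_keyalgorithm "KEY3" "10" "RSASHA512" "3072"
# Key timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: ecdsa256.kasp.
#
set_zone "ecdsa256.kasp"
set_policy "ecdsa256" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties: ECDSAP256SHA256 (algorithm 13).
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
# Key timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: ecdsa384.kasp.
#
set_zone "ecdsa384.kasp"
set_policy "ecdsa384" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.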
# Key properties: all three keys use ECDSAP384SHA384 (algorithm 14).
set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
set_keyalgorithm "KEY2" "14" "ECDSAP384SHA384" "384"
set_keyalgorithm "KEY3" "14" "ECDSAP384SHA384" "384"
# Key timings and states same as above.

check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: ed25519.kasp.
#
# Only run when ED25519 is available (marker file presumably written by the
# test setup).
if [ -f ed25519-supported.file ]
then
	set_zone "ed25519.kasp"
	set_policy "ed25519" "3" "1234"
	set_server "ns3" "10.53.0.3"
	# Key properties: ED25519 (algorithm 15).
	set_keyalgorithm "KEY1" "15" "ED25519" "256"
	set_keyalgorithm "KEY2" "15" "ED25519" "256"
	set_keyalgorithm "KEY3" "15" "ED25519" "256"
	# Key timings and states same as above.

	check_keys
	check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
	set_keytimes_algorithm_policy
	check_keytimes
	check_apex
	check_subdomain
	dnssec_verify
fi

#
# Zone: ed448.kasp.
#
# Only run when ED448 is available (marker file presumably written by the
# test setup).
if [ -f ed448-supported.file ]
then
	set_zone "ed448.kasp"
	set_policy "ed448" "3" "1234"
	set_server "ns3" "10.53.0.3"
	# Key properties: ED448 (algorithm 16, 456-bit keys).
	set_keyalgorithm "KEY1" "16" "ED448" "456"
	set_keyalgorithm "KEY2" "16" "ED448" "456"
	set_keyalgorithm "KEY3" "16" "ED448" "456"
	# Key timings and states same as above.

	check_keys
	check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
	set_keytimes_algorithm_policy
	check_keytimes
	check_apex
	check_subdomain
	dnssec_verify
fi

# Set the expected key times for the 'autosign' policy zones.
# Reads the CREATED time of KEY1 (KSK) and KEY2 (ZSK) with key_get and derives
# PUBLISHED/ACTIVE/SYNCPUBLISH/RETIRED/REMOVED from it with set_addkeytime.
# The globals created/active/retired are left holding the last values read.
set_keytimes_autosign_policy() {
	# KSK (KEY1): settime dated it six months (15552000s) back, so
	# publication, activation and DS publication all lie that far in the past.
	created=$(key_get KEY1 CREATED)
	set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000
	set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000
	set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000
	# Retired after the 2-year (63072000s) lifetime ...
	active=$(key_get KEY1 ACTIVE)
	set_addkeytime "KEY1" "RETIRED" "${active}" 63072000
	# ... and removed Iret later: DS TTL (1d) + parent propagation delay (1h)
	# + retire safety (1h) = 86400 + 3600 + 3600 = 93600s.
	retired=$(key_get KEY1 RETIRED)
	set_addkeytime "KEY1" "REMOVED" "${retired}" 93600

	# ZSK (KEY2): likewise published and activated six months ago.
	created=$(key_get KEY2 CREATED)
	set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000
	set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000
	# The ZSK (KEY2) lifetime is 1 year, 31536000s.
	active=$(key_get KEY2 ACTIVE)
	set_addkeytime "KEY2" "RETIRED" "${active}" 31536000
	# Removed Iret after retirement:
	#   TTLsig (RRSIG TTL):        1 day   (86400s)
	#   Dprp (propagation delay):  5 min   (300s)
	#   retire-safety:             1 hour  (3600s)
	#   Dsgn (sign delay):         7 days  (604800s)
	#   Iret = 86400 + 300 + 3600 + 604800 = 695100s.
	retired=$(key_get KEY2 RETIRED)
	set_addkeytime "KEY2" "REMOVED" "${retired}" 695100
}

#
# Zone: expired-sigs.autosign.
#
# Policy "autosign": a KSK and a ZSK, two keys in total.
set_zone "expired-sigs.autosign"
set_policy "autosign" "2" "300"
set_server "ns3" "10.53.0.3"
# KEY1: KSK with the default algorithm, lifetime 63072000s (2 years).
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "63072000"
set_keyalgorithm "KEY1" "${DEFAULT_ALGORITHM_NUMBER}" "${DEFAULT_ALGORITHM}" "${DEFAULT_BITS}"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

# KEY2: ZSK with the default algorithm, lifetime 31536000s (1 year).
key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "31536000"
set_keyalgorithm "KEY2" "${DEFAULT_ALGORITHM_NUMBER}" "${DEFAULT_ALGORITHM}" "${DEFAULT_BITS}"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"

# Both KSK and ZSK stay OMNIPRESENT.
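# Both KSK and ZSK stay OMNIPRESENT: the zone is already fully signed and
# published; these tests are about signature maintenance, not key rollover.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# Expect only two keys.
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_autosign_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# One numbered test: query name $1 for type $2, save the RRSIG(s) of that type
# from the answer and fail if the identical RRSIG text is still present in
# the unsigned zone file "${DIR}/${ZONE}.db" (which would mean named did not
# refresh it).  $3 describes the RRset in the log line.
# Reads ZONE, SERVER, DIR; advances n and adds this test's failures to status,
# exactly like the inline tests elsewhere in this file.
_check_rrsig_refreshed() {
	_name=$1
	_qtype=$2
	_desc=$3
	n=$((n+1))
	echo_i "check ${_desc} rrsig is refreshed correctly for zone ${ZONE} ($n)"
	ret=0
	dig_with_opts "${_name}" "@${SERVER}" "${_qtype}" > "dig.out.$DIR.test$n" || log_error "dig ${_name} ${_qtype} failed"
	grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
	grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
	# If this exact RRSIG is also in the zone file it was not refreshed.
	# The RRSIG text is data, not a pattern: match it literally (-F) and
	# stop option parsing (--) in case it starts with '-'.
	_rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
	grep -F -- "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
	test "$ret" -eq 0 || echo_i "failed"
	status=$((status+ret))
}

# Verify all signatures have been refreshed, at the apex and below it.
check_rrsig_refresh() {
	# Apex.
	_qtypes="DNSKEY SOA NS NSEC"
	for _qtype in $_qtypes
	do
		_check_rrsig_refreshed "$ZONE" "$_qtype" "${_qtype}"
	done

	# Below apex.
	_labels="a b c ns3"
	for _label in $_labels
	do
		_qtypes="A NSEC"
		for _qtype in $_qtypes
		do
			_check_rrsig_refreshed "${_label}.${ZONE}" "$_qtype" "${_label} ${_qtype}"
		done
	done
}

check_rrsig_refresh

#
# Zone: fresh-sigs.autosign.
#
set_zone "fresh-sigs.autosign"
set_policy "autosign" "2" "300"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_autosign_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# One numbered test: query name $1 for type $2, take the RRSIG RDATA (fields
# 5..14 of the dig output line) and require that it appears verbatim in the
# signed zone file "${DIR}/${ZONE}.db.signed", dumped through named-checkzone
# in full text form.  That proves the still-fresh signature was kept instead
# of being regenerated.  $3 describes the RRset in the log line.
# Reads ZONE, SERVER, DIR, CHECKZONE; advances n and adds failures to status.
_check_rrsig_reused() {
	_name=$1
	_qtype=$2
	_desc=$3
	n=$((n+1))
	echo_i "check ${_desc} rrsig is reused correctly for zone ${ZONE} ($n)"
	ret=0
	dig_with_opts "${_name}" "@${SERVER}" "${_qtype}" > "dig.out.$DIR.test$n" || log_error "dig ${_name} ${_qtype} failed"
	grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
	grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
	# If this exact RRSIG is also in the signed zone file it is not refreshed.
	_rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype")
	$CHECKZONE -f raw -F text -s full -o "zone.out.${ZONE}.test$n" "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null
	# Literal match (-F): the RDATA contains base64 and dots that must not be
	# interpreted as a regular expression.
	grep -F -- "${_rrsig}" "zone.out.${ZONE}.test$n" > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
	test "$ret" -eq 0 || echo_i "failed"
	status=$((status+ret))
}

# Verify signature reuse, at the apex (NS, NSEC only) and below it.
check_rrsig_reuse() {
	# Apex.
	_qtypes="NS NSEC"
	for _qtype in $_qtypes
	do
		_check_rrsig_reused "$ZONE" "$_qtype" "${_qtype}"
	done

	# Below apex.
	_labels="a b c ns3"
	for _label in $_labels
	do
		_qtypes="A NSEC"
		for _qtype in $_qtypes
		do
			_check_rrsig_reused "${_label}.${ZONE}" "$_qtype" "${_label} ${_qtype}"
		done
	done
}

check_rrsig_reuse

#
# Zone: unfresh-sigs.autosign.
#
set_zone "unfresh-sigs.autosign"
set_policy "autosign" "2" "300"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_autosign_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify
check_rrsig_refresh

#
# Zone: ksk-missing.autosign.
#
set_zone "ksk-missing.autosign"
set_policy "autosign" "2" "300"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
# Skip checking the private file, because it is missing.
key_set "KEY1" "PRIVATE" "no"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Restore the PRIVATE variable.
key_set "KEY1" "PRIVATE" "yes"

#
# Zone: zsk-missing.autosign.
#
set_zone "zsk-missing.autosign"
set_policy "autosign" "2" "300"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
# Skip checking the private file, because it is missing.
key_set "KEY2" "PRIVATE" "no"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# For the apex, we expect the SOA to be signed with the KSK because the ZSK is
# offline. Temporary treat KEY1 as a zone signing key too.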
# The ZSK private key is missing (see the zsk-missing.autosign section above),
# so the apex is expected to be signed by the KSK: present KEY1 as a CSK and
# take zone signing away from KEY2 for the apex check only.
set_keyrole "KEY1" "csk"
set_zonesigning "KEY1" "yes"
set_zonesigning "KEY2" "no"
check_apex
# Back to the real roles for the remaining checks.
set_keyrole "KEY1" "ksk"
set_zonesigning "KEY1" "no"
set_zonesigning "KEY2" "yes"
check_subdomain
dnssec_verify

# Restore the PRIVATE variable.
key_set "KEY2" "PRIVATE" "yes"

#
# Zone: zsk-retired.autosign.
#
# Policy "autosign" with a retired ZSK: three keys are expected.
set_zone "zsk-retired.autosign"
set_policy "autosign" "3" "300"
set_server "ns3" "10.53.0.3"
# KEY3 is the successor ZSK; it is not yet expected to be signing.
set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "31536000"
set_keyalgorithm "KEY3" "${DEFAULT_ALGORITHM_NUMBER}" "${DEFAULT_ALGORITHM}" "${DEFAULT_BITS}"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "no"
# The old ZSK (KEY2) has goal HIDDEN, but its DNSKEY and signatures stay
# OMNIPRESENT until the new ZSK is active.
set_keystate "KEY2" "GOAL" "hidden"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# The new ZSK (KEY3) wants to be OMNIPRESENT: its DNSKEY is being introduced
# (RUMOURED) while its signatures are still HIDDEN.
set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"

check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
set_keytimes_autosign_policy

# The old ZSK is retired at its creation time and removed Iret (695100s)
# after that.
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "RETIRED" "${created}"
set_addkeytime "KEY2" "REMOVED" "${created}" 695100
# The new ZSK is immediately published.
# The new ZSK (KEY3) is published as soon as it is created ...
created=$(key_get KEY3 CREATED)
set_keytime "KEY3" "PUBLISHED" "${created}"
# ... and becomes active after Ipub:
#   DNSKEY TTL:              300s
#   zone-propagation-delay:  5 min  (300s)
#   publish-safety:          1 hour (3600s)
#   Ipub = 300 + 300 + 3600 = 4200s
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "ACTIVE" "${published}" 4200
# Lzsk: 1 year (31536000s) after activation it is retired ...
active=$(key_get KEY3 ACTIVE)
set_addkeytime "KEY3" "RETIRED" "${active}" 31536000
# ... and removed Iret (695100s) after that.
retired=$(key_get KEY3 RETIRED)
set_addkeytime "KEY3" "REMOVED" "${retired}" 695100

check_keytimes
check_apex
check_subdomain
dnssec_verify
check_rrsig_refresh

#
# Zone: legacy-keys.kasp.
#
set_zone "legacy-keys.kasp"
# This zone has two active keys and two old keys left in the key directory,
# so expect 4 key files.
set_policy "migrate-to-dnssec-policy" "4" "1234"
set_server "ns3" "10.53.0.3"

# Key properties and expected states, grouped per key.
#
# KEY1: RSASHA256/2048 KSK, lifetime 16070400s (186 days).  DNSKEY and KSK
# signature are RUMOURED, the DS is still HIDDEN (it needs to wait).
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "16070400"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

# KEY2: RSASHA256/2048 ZSK, lifetime 16070400s (186 days).  DNSKEY and zone
# signatures are RUMOURED.
key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "16070400"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
# Two keys only.
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"

# Make sure the correct legacy keys were used (and not the removed predecessor
# keys): the expected base file names were recorded by setup in
# ns3/legacy-keys.kasp.ksk and ns3/legacy-keys.kasp.zsk.
n=$((n+1))
echo_i "check correct keys were used when migrating zone ${ZONE} to dnssec-policy ($n)"
ret=0
kskfile=$(cat ns3/legacy-keys.kasp.ksk)
basefile=$(key_get KEY1 BASEFILE)
echo_i "filename: ${basefile} (expect ${kskfile})"
[ "${DIR}/${kskfile}" = "${basefile}" ] || ret=1
zskfile=$(cat ns3/legacy-keys.kasp.zsk)
basefile=$(key_get KEY2 BASEFILE)
echo_i "filename: ${basefile} (expect ${zskfile})"
[ "${DIR}/${zskfile}" = "${basefile}" ] || ret=1
[ "${ret}" -eq 0 ] || echo_i "failed"
status=$((status+ret))

# KSK times.  The publish time is taken from the "; Publish:" line of the
# legacy .key file (third field), and doubles as the activation time.
created=$(key_get KEY1 CREATED)
keyfile=$(key_get KEY1 BASEFILE)
grep "; Publish:" "${keyfile}.key" > "published.test${n}.key1"
published=$(awk '{print $3}' < "published.test${n}.key1")
set_keytime "KEY1" "PUBLISHED" "${published}"
set_keytime "KEY1" "ACTIVE" "${published}"
published=$(key_get KEY1 PUBLISHED)
# The DS can be published once the DNSKEY and RRSIG records are OMNIPRESENT.
# This happens after max-zone-ttl (1d) plus publish-safety (1h) plus
# zone-propagation-delay (300s) = 86400 + 3600 + 300 = 90300.
set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
# Key lifetime is 6 months (186 days), 16070400 seconds.
set_addkeytime "KEY1" "RETIRED" "${published}" 16070400
# The key is removed after the retire time plus DS TTL (1d), parent
# propagation delay (1h), and retire safety (1h) = 86400 + 3600 + 3600 = 93600.
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" 93600

# ZSK times.
# As for the KSK, publish and activation time come from the "; Publish:" line
# of the legacy .key file.
created=$(key_get KEY2 CREATED)
keyfile=$(key_get KEY2 BASEFILE)
grep "; Publish:" "${keyfile}.key" > "published.test${n}.key2"
published=$(awk '{print $3}' < "published.test${n}.key2")
set_keytime "KEY2" "PUBLISHED" "${published}"
set_keytime "KEY2" "ACTIVE" "${published}"
published=$(key_get KEY2 PUBLISHED)
# Key lifetime is 6 months (186 days), 16070400 seconds.
set_addkeytime "KEY2" "RETIRED" "${published}" 16070400
# The key is removed after the retire time plus max zone ttl (1d), zone
# propagation delay (300s), retire safety (1h), and sign delay (signature
# validity minus refresh, 9d) = 86400 + 300 + 3600 + 777600 = 867900.
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" 867900

check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Test dnssec-policy inheritance.
#
# The zone names encode what the view and the zone configure: the first
# label is the zone-level setting, the second the view-level one.  The TSIG
# key set before each zone is presumably what ns4/ns5 use to select the view
# (dig_with_opts passes it with -y).

# These zones should be unsigned:
# ns2/unsigned.tld
# ns4/none.inherit.signed
# ns4/none.override.signed
# ns4/inherit.none.signed
# ns4/none.none.signed
# ns5/inherit.inherit.unsigned
# ns5/none.inherit.unsigned
# ns5/none.override.unsigned
# ns5/inherit.none.unsigned
# ns5/none.none.unsigned
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

set_zone "unsigned.tld"
set_policy "none" "0" "0"
set_server "ns2" "10.53.0.2"
TSIG=""
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
check_apex
check_subdomain

set_zone "none.inherit.signed"
set_policy "none" "0" "0"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
check_apex
check_subdomain

set_zone "none.override.signed"
set_policy "none" "0" "0"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
check_apex
check_subdomain

set_zone "inherit.none.signed"
set_policy "none" "0" "0"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
check_apex
check_subdomain

set_zone "none.none.signed"
set_policy "none" "0" "0"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
check_apex
check_subdomain

# Same matrix on ns5, whose zones are named *.unsigned.
set_zone "inherit.inherit.unsigned"
set_policy "none" "0" "0"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
check_apex
check_subdomain

set_zone "none.inherit.unsigned"
set_policy "none" "0" "0"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
check_apex
check_subdomain

set_zone "none.override.unsigned"
set_policy "none" "0" "0"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
check_apex
check_subdomain

set_zone "inherit.none.unsigned"
set_policy "none" "0" "0"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
check_apex
check_subdomain

set_zone "none.none.unsigned"
set_policy "none" "0" "0"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
check_apex
check_subdomain

# These zones should be signed with the default policy:
# ns2/signed.tld
# ns4/override.inherit.signed
# ns4/inherit.override.signed
# ns5/override.inherit.unsigned
# ns5/inherit.override.unsigned
# The default policy uses a single CSK that is never rolled (lifetime 0).
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
# Default-policy CSK: ECDSAP256SHA256, signs both the DNSKEY RRset and the
# zone data.
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"

# Freshly introduced: goal OMNIPRESENT, DNSKEY and both RRSIG kinds RUMOURED,
# DS still HIDDEN.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

set_zone "signed.tld"
set_policy "default" "1" "3600"
set_server "ns2" "10.53.0.2"
TSIG=""
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.inherit.signed"
set_policy "default" "1" "3600"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "inherit.override.signed"
set_policy "default" "1" "3600"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.inherit.unsigned"
set_policy "default" "1" "3600"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "inherit.override.unsigned"
set_policy "default" "1" "3600"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# These zones should be signed with the test policy:
# ns4/inherit.inherit.signed
# ns4/override.override.signed
# ns4/override.none.signed
# ns5/override.override.unsigned
# ns5/override.none.unsigned
# ns4/example.net (both views)
#
# The test policy uses a single ECDSAP384SHA384 CSK that is never rolled
# (lifetime 0); the expected key states carry over from the default-policy
# zones above.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"

set_zone "inherit.inherit.signed"
set_policy "test" "1" "3600"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
wait_for_nsec
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.override.signed"
set_policy "test" "1" "3600"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
wait_for_nsec
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.none.signed"
set_policy "test" "1" "3600"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
wait_for_nsec
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.override.unsigned"
set_policy "test" "1" "3600"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
wait_for_nsec
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.none.unsigned"
set_policy "test" "1" "3600"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
wait_for_nsec
check_keys
check_dnssecstatus "${SERVER}" "${POLICY}" "${ZONE}"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
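dnssec_verify

# One numbered test: query view.ZONE for TXT in view $1 (selected by the
# TSIG key set by the caller) and require a NOERROR answer whose TXT payload
# matches $2, signed by the zone-signing key.
# Reads ZONE, SERVER, DIR, DEFAULT_TTL; advances n and adds failures to status.
_check_view_txt_signed() {
	n=$((n+1))
	echo_i "check TXT example.net (view $1) rrset is signed correctly ($n)"
	ret=0
	dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
	grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
	grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*$2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
	check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
	test "$ret" -eq 0 || echo_i "failed"
	status=$((status+ret))
}

# Test with views.  The policy and key expectations are the ones of the test
# policy set up above; no set_policy is done here.
set_zone "example.net"
set_server "ns4" "10.53.0.4"

# View example1: dynamic zone, no inline-signing.
TSIG="$DEFAULT_HMAC:keyforview1:$VIEW1"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example1"
set_keytimes_csk_policy
check_keytimes
check_apex
dnssec_verify
# check zonestatus
n=$((n+1))
echo_i "check $ZONE (view example1) zonestatus ($n)"
ret=0
check_isdynamic "$SERVER" "$ZONE" "example1" || log_error "zone not dynamic"
check_inlinesigning "$SERVER" "$ZONE" "example1" && log_error "inline-signing enabled, expected disabled"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
# check subdomain
_check_view_txt_signed "example1" "view1"

# View example2: not dynamic, inline-signing enabled.
TSIG="$DEFAULT_HMAC:keyforview2:$VIEW2"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
check_apex
dnssec_verify
# check zonestatus
n=$((n+1))
echo_i "check $ZONE (view example2) zonestatus ($n)"
ret=0
check_isdynamic "$SERVER" "$ZONE" "example2" && log_error "zone dynamic, but not expected"
check_inlinesigning "$SERVER" "$ZONE" "example2" || log_error "inline-signing disabled, expected enabled"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
# check subdomain
_check_view_txt_signed "example2" "view2"

# View example3: same expectations as example2, including the "view2" TXT
# payload.  NOTE(review): this presumably means example3 shares its zone data
# with example2 in the ns4 configuration — confirm there before changing it.
TSIG="$DEFAULT_HMAC:keyforview3:$VIEW3"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example3"
check_apex
dnssec_verify
# check zonestatus
n=$((n+1))
echo_i "check $ZONE (view example3) zonestatus ($n)"
ret=0
check_isdynamic "$SERVER" "$ZONE" "example3" && log_error "zone dynamic, but not expected"
check_inlinesigning "$SERVER" "$ZONE" "example3" || log_error "inline-signing disabled, expected enabled"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
# check subdomain
_check_view_txt_signed "example3" "view2"

# Clear TSIG.
TSIG=""

#
# Testing RFC 8901 Multi-Signer Model 2.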
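#
set_zone "multisigner-model2.kasp"
set_policy "multisigner-model2" "2" "3600"
set_server "ns3" "10.53.0.3"
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Key properties.
# This policy has one KSK (KEY1) and one ZSK (KEY2), both with unlimited
# lifetime ("0").
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"

# Both keys have just been introduced: DNSKEY and RRSIGs are still
# RUMOURED and the DS has not been submitted yet.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Check that the ZSKs from the other provider are published.
#
# Queries the DNSKEY RRset of $ZONE at $SERVER and counts the keys by
# flags field.  Uses the globals ZONE, SERVER, DIR and n, and writes the
# dig output to dig.out.$DIR.test$n.  Returns 0 when exactly three ZSKs
# (flags 256) and one KSK (flags 257) are present, 1 otherwise; it is
# meant to be polled via retry_quiet.
# NOTE(review): the patterns hard-code algorithm number 13 whereas the
# keys above are configured with $DEFAULT_ALGORITHM_NUMBER — this only
# works while that default is 13; confirm before changing the default.
zsks_are_published() {
	_dnskeys="dig.out.$DIR.test$n"
	dig_with_opts +short "$ZONE" "@${SERVER}" DNSKEY > "${_dnskeys}" || return 1
	# We should have three ZSKs.
	lines=$(grep -c "256 3 13" "${_dnskeys}")
	test "$lines" -eq 3 || return 1
	# And one KSK.
	lines=$(grep -c "257 3 13" "${_dnskeys}")
	test "$lines" -eq 1 || return 1
	return 0
}

n=$((n+1))
echo_i "update zone with ZSK from another provider for zone ${ZONE} ($n)"
ret=0
# Feed a dynamic update adding the other provider's ZSK (the DNSKEY record
# stored in ${DIR}/${ZONE}.zsk2) to named.  The command substitution is
# deliberately unquoted so the record is split into words for nsupdate.
# The nsupdate exit status is not checked directly; success is observed
# through zsks_are_published below.
(
echo zone ${ZONE}
echo server 10.53.0.3 "$PORT"
echo update add $(cat "${DIR}/${ZONE}.zsk2")
echo send
) | $NSUPDATE
retry_quiet 10 zsks_are_published || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# Testing manual rollover.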
#
# The manual-rollover policy starts with an established KSK (KEY1) and ZSK
# (KEY2); the test then schedules rollovers by hand via rndc.
set_zone "manual-rollover.kasp"
set_policy "manual-rollover" "2" "3600"
set_server "ns3" "10.53.0.3"
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"
# Key properties.
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# During set up everything was set to OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# The first keys were published and activated a day ago.
# Expected times are derived from each key's CREATED time minus 86400s.
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -86400
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400
set_addkeytime "KEY1" "ACTIVE" "${created}" -86400
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -86400
set_addkeytime "KEY2" "ACTIVE" "${created}" -86400
# Key lifetimes are unlimited, so not setting RETIRED and REMOVED.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Schedule KSK rollover in six months (15552000 seconds).
# Ask named (via rndc) to retire KEY1 at ACTIVE + 6 months, then adjust
# the expected key metadata to what named is expected to compute.
active=$(key_get KEY1 ACTIVE)
set_addkeytime "KEY1" "RETIRED" "${active}" 15552000
retired=$(key_get KEY1 RETIRED)
rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${retired}" "$ZONE"
# Rollover starts in six months, but lifetime is set to six months plus
# prepublication duration = 15552000 + 7500 = 15559500 seconds.
set_keylifetime "KEY1" "15559500"
set_addkeytime "KEY1" "RETIRED" "${active}" 15559500
retired=$(key_get KEY1 RETIRED)
# Retire interval of this policy is 26h (93600 seconds).
set_addkeytime "KEY1" "REMOVED" "${retired}" 93600

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Schedule KSK rollover now.
# Policy view "3": a third key (KEY3) is expected to appear as successor.
set_policy "manual-rollover" "3" "3600"
set_keystate "KEY1" "GOAL" "hidden"
# This key was activated one day ago, so lifetime is set to 1d plus
# prepublication duration (7500 seconds) = 93900 seconds.
set_keylifetime "KEY1" "93900"
created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "RETIRED" "${created}"
rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "$ZONE"
# New key is introduced.
# NOTE(review): the successor is described with a literal algorithm
# (13/ECDSAP256SHA256/256) while KEY1/KEY2 use $DEFAULT_ALGORITHM_*;
# presumably the manual-rollover policy pins the algorithm — confirm.
set_keyrole "KEY3" "ksk"
set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY3" "yes"
set_zonesigning "KEY3" "no"

set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
set_keystate "KEY3" "STATE_DS" "hidden"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Schedule ZSK rollover now.
# Policy view "4": a fourth key (KEY4) is expected as ZSK successor.
set_policy "manual-rollover" "4" "3600"
set_keystate "KEY2" "GOAL" "hidden"
# This key was activated one day ago, so lifetime is set to 1d plus
# prepublication duration (7500 seconds) = 93900 seconds.
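set_keylifetime "KEY2" "93900"
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "RETIRED" "${created}"
rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE"
# New key is introduced.
set_keyrole "KEY4" "zsk"
set_keylifetime "KEY4" "0"
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY4" "no"
set_zonesigning "KEY4" "no" # not yet, first prepublish DNSKEY.

set_keystate "KEY4" "GOAL" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
set_keystate "KEY4" "STATE_ZRRSIG" "hidden"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Try to schedule a ZSK rollover for an inactive key (should fail).
# KEY4 is prepublished but not yet signing, so named must refuse the
# request; the check is on the error text rndc prints, not on its exit
# status.
n=$((n+1))
echo_i "check that rndc dnssec -rollover fails if key is inactive ($n)"
ret=0
_rndcout="rndc.dnssec.rollover.out.$ZONE.$n"
rndccmd "$SERVER" dnssec -rollover -key "$(key_get KEY4 ID)" "$ZONE" > "${_rndcout}"
grep "key is not actively signing" "${_rndcout}" > /dev/null || log_error "bad error message"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# Testing DNSSEC introduction.
#
# The enable-dnssec policy has a single CSK; the step*.enable-dnssec.autosign
# zones capture the zone at successive points of the introduction.

#
# Zone: step1.enable-dnssec.autosign.
#
set_zone "step1.enable-dnssec.autosign"
set_policy "enable-dnssec" "1" "300"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# The DNSKEY and signatures are introduced first, the DS remains hidden.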
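set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"
# This policy lists only one key (CSK).
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The first key is immediately published and activated.
created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "PUBLISHED" "${created}"
set_keytime "KEY1" "ACTIVE" "${created}"
# - The DS can be published if the DNSKEY and RRSIG records are
#   OMNIPRESENT.  This happens after max-zone-ttl (12h) plus
#   publish-safety (5m) plus zone-propagation-delay (5m) =
#   43200 + 300 + 300 = 43800.
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
# - Key lifetime is unlimited, so not setting RETIRED and REMOVED.

# Various signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Check the most recent "next key event" named logged for $ZONE.
#
# Arguments: $1 - expected number of seconds until the next key event.
# Globals:   ZONE, DIR, DYNAMIC, n (read); next_key_event_threshold (read).
# Outputs:   the matching log lines go to keyevent.out.$ZONE.test$n.
# Returns:   0 when the latest logged value is within
#            next_key_event_threshold seconds of $1, 1 otherwise.
# Intended to be polled through retry_quiet.
_check_next_key_event() {
	_expect=$1
	_keyevent="keyevent.out.$ZONE.test$n"

	grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" > "${_keyevent}" || return 1

	# Get the latest next key event.  The awk field index depends on the
	# log line layout: an inline-signing zone adds "(signed)" to the zone
	# name, shifting the number one field to the right.
	if [ "${DYNAMIC}" = "yes" ]; then
		_time=$(awk '{print $9}' < "${_keyevent}" | tail -1)
	else
		_time=$(awk '{print $10}' < "${_keyevent}" | tail -1)
	fi
	# An empty or non-numeric field would make 'test -le' print an error
	# on stderr; treat it as "no usable event yet" so retry_quiet polls on.
	case "${_time}" in
	''|*[!0-9]*) return 1 ;;
	esac

	# The next key event time must be within threshold of the
	# expected time.
	_expectmin=$((_expect-next_key_event_threshold))
	_expectmax=$((_expect+next_key_event_threshold))

	test "${_expectmin}" -le "${_time}" || return 1
	test "${_expectmax}" -ge "${_time}" || return 1

	return 0
}

# Numbered test: poll _check_next_key_event up to 3 times and record the
# result in the global status counters.
#
# Arguments: $1 - expected number of seconds until the next key event.
# Globals:   n, ret, status (written); ZONE (read).
# _expect is set here as well so the log_error message shows the expected
# value even if the polled function never ran in this shell.
check_next_key_event() {
	_expect=$1
	n=$((n+1))
	echo_i "check next key event for zone ${ZONE} ($n)"
	ret=0

	retry_quiet 3 _check_next_key_event "${_expect}" || log_error "bad next key event time for zone ${ZONE} (expect ${_expect})"
	test "$ret" -eq 0 || echo_i "failed"
	status=$((status+ret))
}

# Next key event is when the DNSKEY RRset becomes OMNIPRESENT: DNSKEY TTL plus
# publish safety plus the zone propagation delay: 900 seconds.
check_next_key_event 900

#
# Zone: step2.enable-dnssec.autosign.
#
set_zone "step2.enable-dnssec.autosign"
set_policy "enable-dnssec" "1" "300"
set_server "ns3" "10.53.0.3"
# The DNSKEY is omnipresent, but the zone signatures not yet.
# Thus, the DS remains hidden.
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The key was published and activated 900 seconds ago (with settime).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -900
set_addkeytime "KEY1" "ACTIVE" "${created}" -900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the zone signatures become OMNIPRESENT: max-zone-ttl
# plus zone propagation delay plus retire safety minus the already elapsed
# 900 seconds: 12h + 300s + 20m - 900 = 44700 - 900 = 43800 seconds
check_next_key_event 43800

#
# Zone: step3.enable-dnssec.autosign.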
#
set_zone "step3.enable-dnssec.autosign"
set_policy "enable-dnssec" "1" "300"
set_server "ns3" "10.53.0.3"
# All signatures should be omnipresent, so the DS can be submitted.
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "rumoured"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The key was published and activated 44700 seconds ago (with settime).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700
set_addkeytime "KEY1" "ACTIVE" "${created}" -44700
# - SYNCPUBLISH (CDS/CDNSKEY publication) is now.
set_keytime "KEY1" "SYNCPUBLISH" "${created}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify
# Check that CDS publication is logged.
check_cdslog "$DIR" "$ZONE" KEY1

# The DS can be introduced. We ignore any parent registration delay, so set
# the DS publish time to now.
# (rndc dnssec -checkds tells named the DS was seen at the parent; named does
# not poll the parent itself.)
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "published" "$ZONE"
# Next key event is when the DS can move to the OMNIPRESENT state. This occurs
# when the parent propagation delay has passed, plus the DS TTL and retire
# safety delay: 1h + 2h + 20m = 3h20m = 12000 seconds
check_next_key_event 12000

#
# Zone: step4.enable-dnssec.autosign.
#
set_zone "step4.enable-dnssec.autosign"
set_policy "enable-dnssec" "1" "300"
set_server "ns3" "10.53.0.3"
# The DS is omnipresent.
set_keystate "KEY1" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The key was published and activated 56700 seconds ago (with settime).
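created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -56700
set_addkeytime "KEY1" "ACTIVE" "${created}" -56700
# - The CDS was published 12000 seconds ago (DS is now omnipresent).
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -12000

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is never, the zone dnssec-policy has been established. So we
# fall back to the default loadkeys interval.
check_next_key_event 3600

#
# Testing ZSK Pre-Publication rollover.
#

# Policy parameters.
# Lksk: 2 years (63072000 seconds)
# Lzsk: 30 days (2592000 seconds)
# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (2d)
# Iret(KSK): 3d1h (262800 seconds)
# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d)
# Iret(ZSK): 10d1h (867600 seconds)
# These globals are read by set_retired_removed/rollover_predecessor_keytimes
# and are re-assigned per policy section further down.
Lksk=63072000
Lzsk=2592000
IretKSK=262800
IretZSK=867600

#
# Zone: step1.zsk-prepub.autosign.
#
set_zone "step1.zsk-prepub.autosign"
set_policy "zsk-prepub" "2" "3600"
set_server "ns3" "10.53.0.3"

# Set the expected RETIRED and REMOVED times of a key from its ACTIVE time.
#
# Arguments: $1 - key name (e.g. KEY1)
#            $2 - key lifetime in seconds (RETIRED = ACTIVE + $2)
#            $3 - retire interval in seconds (REMOVED = RETIRED + $3)
set_retired_removed() {
	_key=$1
	_Lkey=$2
	_Iret=$3

	_active=$(key_get "${_key}" ACTIVE)
	set_addkeytime "${_key}" "RETIRED" "${_active}" "${_Lkey}"
	_retired=$(key_get "${_key}" RETIRED)
	set_addkeytime "${_key}" "REMOVED" "${_retired}" "${_Iret}"
}

# Set the expected key times of the predecessor KSK (KEY1) and ZSK (KEY2).
#
# Arguments: $1 - offset in seconds added to each key's CREATED time to
#                 obtain PUBLISHED/SYNCPUBLISH/ACTIVE (negative = in the past)
# Globals:   Lksk, Lzsk, IretKSK, IretZSK (read).  A lifetime of 0 means
#            "unlimited" and leaves RETIRED/REMOVED unset.
rollover_predecessor_keytimes() {
	_addtime=$1

	_created=$(key_get KEY1 CREATED)
	set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
	set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
	set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
	[ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"

	_created=$(key_get KEY2 CREATED)
	set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
	set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
	[ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
}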
key_clear "KEY3"
set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "${Lzsk}"
set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "no"
# Key states.
# The old ZSK now aims for HIDDEN; the new ZSK's DNSKEY is being introduced
# but it does not sign anything yet.
set_keystate "KEY2" "GOAL" "hidden"
set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated 694 hours ago (2498400 seconds).
rollover_predecessor_keytimes -2498400
# - The new ZSK is published now.
created=$(key_get KEY3 CREATED)
set_keytime "KEY3" "PUBLISHED" "${created}"
# - The new ZSK becomes active when the DNSKEY is OMNIPRESENT.
#   Ipub: TTLkey (1h) + Dprp (1h) + publish-safety (1d)
#   Ipub: 26 hour (93600 seconds).
# IpubZSK is reused by the later zsk-prepub steps.
IpubZSK=93600
set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubZSK}"
set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor ZSK becomes OMNIPRESENT. That is the
# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
# the zsk-prepub policy, this means: 3600s + 1h + 1d = 93600 seconds.
check_next_key_event 93600

#
# Zone: step3.zsk-prepub.autosign.
#
set_zone "step3.zsk-prepub.autosign"
set_policy "zsk-prepub" "3" "3600"
set_server "ns3" "10.53.0.3"
# ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE.
# New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
set_zonesigning "KEY2" "no"
set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
set_zonesigning "KEY3" "yes"
set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys are activated 30 days ago (2592000 seconds).
rollover_predecessor_keytimes -2592000
# - The new ZSK is published 26 hours ago (93600 seconds).
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600
# - ... and becomes active now.
set_keytime "KEY3" "ACTIVE" "${created}"
set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"

# Continue signing policy checks.
check_keytimes
check_apex
# Subdomain still has good signatures of ZSK (KEY2).
# Set expected zone signing on for KEY2 and off for KEY3,
# testing whether signatures which are still valid are being reused.
# (The expectation flags are flipped only for check_subdomain and restored
# right after, so the later checks see the real policy state.)
set_zonesigning "KEY2" "yes"
set_zonesigning "KEY3" "no"
check_subdomain
# Restore the expected zone signing properties.
set_zonesigning "KEY2" "no"
set_zonesigning "KEY3" "yes"
dnssec_verify

# Next key event is when all the RRSIG records have been replaced with
# signatures of the new ZSK, in other words when ZRRSIG becomes OMNIPRESENT.
# That is Dsgn plus the maximum zone TTL plus the zone propagation delay plus
# retire-safety. For the zsk-prepub policy that means: 1w (because 2w validity
# and refresh within a week) + 1d + 1h + 2d = 10d1h = 867600 seconds.
check_next_key_event 867600

#
# Zone: step4.zsk-prepub.autosign.
#
set_zone "step4.zsk-prepub.autosign"
set_policy "zsk-prepub" "3" "3600"
set_server "ns3" "10.53.0.3"
# ZSK (KEY2) DNSKEY is no longer needed.
# ZSK (KEY3) is now actively signing, RRSIG state in OMNIPRESENT.
set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
set_keystate "KEY3" "STATE_ZRRSIG" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys are activated 961 hours ago (3459600 seconds).
rollover_predecessor_keytimes -3459600
# - The new ZSK is published 267 hours ago (961200 seconds).
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -961200
# - ACTIVE is derived from PUBLISHED plus the prepublication interval.
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}"
set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DNSKEY enters the HIDDEN state. This is the
# DNSKEY TTL plus zone propagation delay. For the zsk-prepub policy this is:
# 3600s + 1h = 7200s
check_next_key_event 7200

#
# Zone: step5.zsk-prepub.autosign.
#
set_zone "step5.zsk-prepub.autosign"
set_policy "zsk-prepub" "3" "3600"
set_server "ns3" "10.53.0.3"
# ZSK (KEY2) DNSKEY is now completely HIDDEN and removed.
set_keystate "KEY2" "STATE_DNSKEY" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys are activated 962 hours ago (3463200 seconds).
rollover_predecessor_keytimes -3463200
# - The new ZSK is published 268 hours ago (964800 seconds).
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -964800
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}"
set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the new successor needs to be published. This is the
# ZSK lifetime minus Iret minus Ipub minus DNSKEY TTL. For the zsk-prepub
# policy this is: 30d - 867600s - 93600s - 3600s = 1627200 seconds.
check_next_key_event 1627200

#
# Zone: step6.zsk-prepub.autosign.
#
set_zone "step6.zsk-prepub.autosign"
set_policy "zsk-prepub" "2" "3600"
set_server "ns3" "10.53.0.3"
# ZSK (KEY2) DNSKEY is purged.
# Back to two expected keys (policy view "2"): KEY1 and KEY3.
key_clear "KEY2"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

#
# Testing KSK Double-KSK rollover.
#

# Policy parameters.
# Lksk: 60 days (5184000 seconds)
# Lzsk: 1 year (31536000 seconds)
# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2d)
# Iret(KSK): 50h (180000 seconds)
# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d)
# Iret(ZSK): 10d1h (867600 seconds)
# Re-assign the globals read by rollover_predecessor_keytimes for this policy.
Lksk=5184000
Lzsk=31536000
IretKSK=180000
IretZSK=867600

#
# Zone: step1.ksk-doubleksk.autosign.
#
set_zone "step1.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "2" "7200"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "${Lksk}"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "${Lzsk}"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# Initially only two keys.
key_clear "KEY3"
key_clear "KEY4"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor KSK needs to be published. That is
# the KSK lifetime - prepublication time. The prepublication time is
# DNSKEY TTL plus publish safety plus the zone propagation delay.
# For the ksk-doubleksk policy that means: 60d - (1d3h) = 5086800 seconds.
check_next_key_event 5086800

#
# Zone: step2.ksk-doubleksk.autosign.
#
set_zone "step2.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "3" "7200"
set_server "ns3" "10.53.0.3"
# New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
key_clear "KEY3"
set_keyrole "KEY3" "ksk"
set_keylifetime "KEY3" "${Lksk}"
set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY3" "yes"
set_zonesigning "KEY3" "no"
# Key states.
# Double-KSK: the successor signs the DNSKEY RRset from the start
# (KRRSIG rumoured), while its DS is not yet at the parent.
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
set_keystate "KEY3" "STATE_DS" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated 1413 hours ago (5086800 seconds).
rollover_predecessor_keytimes -5086800
# - The new KSK is published now.
created=$(key_get KEY3 CREATED)
set_keytime "KEY3" "PUBLISHED" "${created}"
# The new KSK should publish the CDS after the prepublication time.
# TTLkey: 2h
# DprpC: 1h
# publish-safety: 1d
# IpubC: 27h (97200 seconds)
# IpubC is reused by the later ksk-doubleksk steps.
IpubC=97200
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${IpubC}"
set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubC}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor KSK becomes OMNIPRESENT. That is the
# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
# the ksk-doubleksk policy, this means: 7200s + 1h + 1d = 97200 seconds.
check_next_key_event 97200

#
# Zone: step3.ksk-doubleksk.autosign.
#
set_zone "step3.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "3" "7200"
set_server "ns3" "10.53.0.3"

# The DNSKEY RRset has become omnipresent.
# Check keys before we tell named that we saw the DS has been replaced.
set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
# The old DS (KEY1) can be withdrawn and the new DS (KEY3) can be introduced.
set_keystate "KEY1" "STATE_DS" "unretentive"
set_keystate "KEY3" "STATE_DS" "rumoured"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Check that CDS publication is logged.
check_cdslog "$DIR" "$ZONE" KEY3

# Set expected key times:
# - The old keys were activated 60 days ago (5184000 seconds).
rollover_predecessor_keytimes -5184000
# - The new KSK is published 27 hours ago (97200 seconds).
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200
# - The new KSK CDS is published now.
set_keytime "KEY3" "SYNCPUBLISH" "${created}"
# - For a KSK, ACTIVE coincides with SYNCPUBLISH (it starts signing the
#   DNSKEY RRset when its CDS goes out).
syncpub=$(key_get KEY3 SYNCPUBLISH)
set_keytime "KEY3" "ACTIVE" "${syncpub}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# We ignore any parent registration delay, so set the DS publish time to now.
# Tell named that the old DS was seen withdrawn and the new DS seen published.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
# Next key event is when the predecessor DS has been replaced with the
# successor DS and enough time has passed such that all validators that
# have this DS RRset cached only know about the successor DS. This is the
# retire interval, which is the parent propagation delay plus the DS TTL
# plus the retire-safety. For the ksk-doubleksk policy this means:
# 1h + 3600s + 2d = 2d2h = 180000 seconds.
check_next_key_event 180000

#
# Zone: step4.ksk-doubleksk.autosign.
#
set_zone "step4.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "3" "7200"
set_server "ns3" "10.53.0.3"
# KSK (KEY1) DNSKEY can be removed.
set_keysigning "KEY1" "no"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keystate "KEY1" "STATE_DS" "hidden"
# New KSK (KEY3) DS is now OMNIPRESENT.
set_keystate "KEY3" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated 1490 hours ago (5364000 seconds).
rollover_predecessor_keytimes -5364000
# - The new KSK is published 77 hours ago (277200 seconds).
2822created=$(key_get KEY3 CREATED) 2823set_addkeytime "KEY3" "PUBLISHED" "${created}" -277200 2824published=$(key_get KEY3 PUBLISHED) 2825set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}" 2826syncpub=$(key_get KEY3 SYNCPUBLISH) 2827set_keytime "KEY3" "ACTIVE" "${syncpub}" 2828set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" 2829 2830# Continue signing policy checks. 2831check_keytimes 2832check_apex 2833check_subdomain 2834dnssec_verify 2835 2836# Next key event is when the DNSKEY enters the HIDDEN state. This is the 2837# DNSKEY TTL plus zone propagation delay. For the ksk-doubleksk policy this is: 2838# 7200s + 1h = 10800s 2839check_next_key_event 10800 2840 2841# 2842# Zone: step5.ksk-doubleksk.autosign. 2843# 2844set_zone "step5.ksk-doubleksk.autosign" 2845set_policy "ksk-doubleksk" "3" "7200" 2846set_server "ns3" "10.53.0.3" 2847# KSK (KEY1) DNSKEY is now HIDDEN. 2848set_keystate "KEY1" "STATE_DNSKEY" "hidden" 2849set_keystate "KEY1" "STATE_KRRSIG" "hidden" 2850 2851# Various signing policy checks. 2852check_keys 2853check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2854 2855# Set expected key times: 2856# - The old KSK is activated 1492 hours ago (5371200 seconds). 2857rollover_predecessor_keytimes -5371200 2858# - The new KSK is published 79 hours ago (284400 seconds). 2859created=$(key_get KEY3 CREATED) 2860set_addkeytime "KEY3" "PUBLISHED" "${created}" -284400 2861published=$(key_get KEY3 PUBLISHED) 2862set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}" 2863syncpub=$(key_get KEY3 SYNCPUBLISH) 2864set_keytime "KEY3" "ACTIVE" "${syncpub}" 2865set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" 2866 2867# Various signing policy checks. 2868check_keytimes 2869check_apex 2870check_subdomain 2871dnssec_verify 2872 2873# Next key event is when the new successor needs to be published. This is the 2874# KSK lifetime minus Ipub minus Iret minus DNSKEY TTL. 
For the 2875# ksk-doubleksk this is: 60d - 1d3h - 1d - 2d2h - 2h = 2876# 5184000 - 97200 - 180000 - 7200 = 4813200 seconds. 2877check_next_key_event 4899600 2878 2879# 2880# Zone: step6.ksk-doubleksk.autosign. 2881# 2882set_zone "step6.ksk-doubleksk.autosign" 2883set_policy "ksk-doubleksk" "2" "7200" 2884set_server "ns3" "10.53.0.3" 2885# KSK (KEY1) DNSKEY is purged. 2886key_clear "KEY1" 2887 2888# Various signing policy checks. 2889check_keys 2890check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2891check_apex 2892check_subdomain 2893dnssec_verify 2894 2895# 2896# Testing CSK key rollover (1). 2897# 2898 2899# Policy parameters. 2900# Lcsk: 186 days (5184000 seconds) 2901# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2h) 2902# Iret(KSK): 4h (14400 seconds) 2903# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (25d) + retire-safety (2h) 2904# Iret(ZSK): 26d3h (2257200 seconds) 2905Lcsk=16070400 2906IretKSK=14400 2907IretZSK=2257200 2908IretCSK=$IretZSK 2909 2910csk_rollover_predecessor_keytimes() { 2911 _addtime=$1 2912 2913 _created=$(key_get KEY1 CREATED) 2914 set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" 2915 set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" 2916 set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" 2917 [ "$Lcsk" = 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}" 2918} 2919 2920# 2921# Zone: step1.csk-roll.autosign. 2922# 2923set_zone "step1.csk-roll.autosign" 2924set_policy "csk-roll" "1" "3600" 2925set_server "ns3" "10.53.0.3" 2926# Key properties. 2927key_clear "KEY1" 2928set_keyrole "KEY1" "csk" 2929set_keylifetime "KEY1" "${Lcsk}" 2930set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" 2931set_keysigning "KEY1" "yes" 2932set_zonesigning "KEY1" "yes" 2933# The CSK (KEY1) starts in OMNIPRESENT. 
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
# Initially only one key.
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# This key is immediately published and activated.
csk_rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor CSK needs to be published.
# This is Lcsk - Ipub - Dreg.
# Lcsk: 186d (16070400 seconds)
# Ipub: 3h (10800 seconds)
check_next_key_event 16059600

#
# Zone: step2.csk-roll.autosign.
#
set_zone "step2.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
key_clear "KEY2"
set_keyrole "KEY2" "csk"
set_keylifetime "KEY2" "16070400"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "yes"
set_zonesigning "KEY2" "no"
# Key states.
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
set_keystate "KEY2" "STATE_DS" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4461 hours ago (16059600 seconds).
csk_rollover_predecessor_keytimes -16059600
# - The new CSK is published now.
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "PUBLISHED" "${created}"
# - The new CSK should publish the CDS after the prepublication time.
# Ipub: 3 hours (10800 seconds). Ipub is reused by the later csk-roll steps.
Ipub="10800"
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor CSK becomes OMNIPRESENT. That is the
# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
# the csk-roll policy, this means 3 hours = 10800 seconds.
check_next_key_event 10800

#
# Zone: step3.csk-roll.autosign.
#
set_zone "step3.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# Swap zone signing role.
set_zonesigning "KEY1" "no"
set_zonesigning "KEY2" "yes"
# CSK (KEY1) will be removed, so moving to UNRETENTIVE.
set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
# New CSK (KEY2) DNSKEY is OMNIPRESENT, so moving ZRRSIG to RUMOURED.
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
set_keystate "KEY1" "STATE_DS" "unretentive"
set_keystate "KEY2" "STATE_DS" "rumoured"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Check that CDS publication is logged.
check_cdslog "$DIR" "$ZONE" KEY2

# Set expected key times:
# - This key was activated 186 days ago (16070400 seconds).
csk_rollover_predecessor_keytimes -16070400
# - The new CSK was published three hours ago; the CDS must be published now.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}"
set_keytime "KEY2" "SYNCPUBLISH" "${created}"
# - Also signatures are being introduced now.
set_keytime "KEY2" "ACTIVE" "${created}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
# Subdomain still has good signatures of old CSK (KEY1).
# Set expected zone signing on for KEY1 and off for KEY2,
# testing whether signatures which are still valid are being reused.
set_zonesigning "KEY1" "yes"
set_zonesigning "KEY2" "no"
check_subdomain
# Restore the expected zone signing properties.
set_zonesigning "KEY1" "no"
set_zonesigning "KEY2" "yes"
dnssec_verify

# We ignore any parent registration delay, so set the DS publish time to now.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
# Next key event is when the predecessor DS has been replaced with the
# successor DS and enough time has passed such that all validators that
# have this DS RRset cached only know about the successor DS. This is the
# retire interval, which is the parent propagation delay plus the DS TTL
# plus the retire-safety. For the csk-roll policy this means:
# 1h + 1h + 2h = 4h = 14400 seconds.
check_next_key_event 14400

#
# Zone: step4.csk-roll.autosign.
#
set_zone "step4.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) is no longer signing the DNSKEY RRset.
set_keysigning "KEY1" "no"
# The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public
# but can remove the KRRSIG records.
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keystate "KEY1" "STATE_DS" "hidden"
# The new CSK (KEY2) DS is now OMNIPRESENT.
set_keystate "KEY2" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4468 hours ago (16084800 seconds).
csk_rollover_predecessor_keytimes -16084800
# - The new CSK started signing 4h ago (14400 seconds).
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "ACTIVE" "${created}" -14400
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -14400
# - It was published Ipub before it started signing.
syncpub=$(key_get KEY2 SYNCPUBLISH)
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the KRRSIG enters the HIDDEN state. This is the
# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is:
# 1h + 1h = 7200 seconds.
check_next_key_event 7200

#
# Zone: step5.csk-roll.autosign.
#
set_zone "step5.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) KRRSIG records are now all hidden.
set_keystate "KEY1" "STATE_KRRSIG" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4470 hours ago (16092000 seconds).
csk_rollover_predecessor_keytimes -16092000
# - The new CSK started signing 6h ago (21600 seconds).
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "ACTIVE" "${created}" -21600
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -21600
syncpub=$(key_get KEY2 SYNCPUBLISH)
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DNSKEY can be removed. This is when all ZRRSIG
# records have been replaced with signatures of the new CSK. We have
# calculated the interval to be 26d3h of which 4h (Iret(KSK)) plus
# 2h (DNSKEY TTL + Dprp) have already passed. So next key event is in
# 26d3h - 4h - 2h = 621h = 2235600 seconds.
check_next_key_event 2235600

#
# Zone: step6.csk-roll.autosign.
#
set_zone "step6.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) ZRRSIG records are now all hidden (so the DNSKEY can
# be removed).
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
# The new CSK (KEY2) is now fully OMNIPRESENT.
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 5091 hours ago (18327600 seconds).
csk_rollover_predecessor_keytimes -18327600
# - The new CSK was activated 627 hours ago (2257200 seconds).
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2257200
syncpub=$(key_get KEY2 SYNCPUBLISH)
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DNSKEY enters the HIDDEN state. This is the
# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is:
# 1h + 1h = 7200 seconds.
check_next_key_event 7200

#
# Zone: step7.csk-roll.autosign.
#
set_zone "step7.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) is now completely HIDDEN.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 5093 hours ago (18334800 seconds).
csk_rollover_predecessor_keytimes -18334800
# - The new CSK was activated 629 hours ago (2264400 seconds).
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2264400
syncpub=$(key_get KEY2 SYNCPUBLISH)
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the new successor needs to be published.
# This is the Lcsk, minus time passed since the key started signing,
# minus the prepublication time.
# Lcsk: 186d (16070400 seconds)
# Time passed: 629h (2264400 seconds)
# Ipub: 3h (10800 seconds)
# 16070400 - 2264400 - 10800 = 13795200 seconds.
check_next_key_event 13795200

#
# Zone: step8.csk-roll.autosign.
#
set_zone "step8.csk-roll.autosign"
set_policy "csk-roll" "1" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) is purged.
key_clear "KEY1"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

#
# Testing CSK key rollover (2).
#

# Policy parameters.
# Lcsk: 186 days (16070400 seconds)
# Dreg: N/A
# Iret(KSK): DS TTL (1h) + DprpP (1w) + retire-safety (1h)
# Iret(KSK): 170h (612000 seconds)
# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (12h) + retire-safety (1h)
# Iret(ZSK): 38h (136800 seconds)
Lcsk=16070400
IretKSK=612000
IretZSK=136800
# For this policy the CSK retire interval used below is the KSK one.
IretCSK=$IretKSK

#
# Zone: step1.csk-roll2.autosign.
#
set_zone "step1.csk-roll2.autosign"
set_policy "csk-roll2" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "16070400"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# The CSK (KEY1) starts in OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
# Initially only one key.
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# This key is immediately published and activated.
csk_rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor CSK needs to be published.
# This is Lcsk - Ipub.
# Lcsk: 186d (16070400 seconds)
# Ipub: 3h (10800 seconds)
# Total: 185d21h (16059600 seconds)
check_next_key_event 16059600

#
# Zone: step2.csk-roll2.autosign.
#
set_zone "step2.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
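key_clear "KEY2"
set_keyrole "KEY2" "csk"
set_keylifetime "KEY2" "16070400"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "yes"
set_zonesigning "KEY2" "no"
# Key states.
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
set_keystate "KEY2" "STATE_DS" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4461 hours ago (16059600 seconds).
csk_rollover_predecessor_keytimes -16059600
# - The new CSK is published now.
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "PUBLISHED" "${created}"
# - The new CSK should publish the CDS after the prepublication time.
# - Ipub: 3 hours (10800 seconds). Ipub is reused by the later csk-roll2 steps.
Ipub="10800"
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
# The expected key times set above are verified here, as in every other
# rollover step; without this call they would be set but never checked.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor CSK becomes OMNIPRESENT. That is the
# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
# the csk-roll2 policy, this means 3 hours = 10800 seconds.
check_next_key_event 10800

#
# Zone: step3.csk-roll2.autosign.
#
set_zone "step3.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# CSK (KEY1) can be removed, so move to UNRETENTIVE.
set_zonesigning "KEY1" "no"
set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
# New CSK (KEY2) DNSKEY is OMNIPRESENT, so move ZRRSIG to RUMOURED state.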
set_zonesigning "KEY2" "yes"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
set_keystate "KEY1" "STATE_DS" "unretentive"
set_keystate "KEY2" "STATE_DS" "rumoured"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Check that CDS publication is logged.
check_cdslog "$DIR" "$ZONE" KEY2

# Set expected key times:
# - This key was activated 186 days ago (16070400 seconds).
csk_rollover_predecessor_keytimes -16070400
# - The new CSK was published three hours ago; the CDS must be published now.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}"
set_keytime "KEY2" "SYNCPUBLISH" "${created}"
# - Also signatures are being introduced now.
set_keytime "KEY2" "ACTIVE" "${created}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
# Subdomain still has good signatures of old CSK (KEY1).
# Set expected zone signing on for KEY1 and off for KEY2,
# testing whether signatures which are still valid are being reused.
set_zonesigning "KEY1" "yes"
set_zonesigning "KEY2" "no"
check_subdomain
# Restore the expected zone signing properties.
set_zonesigning "KEY1" "no"
set_zonesigning "KEY2" "yes"
dnssec_verify

# We ignore any parent registration delay, so set the DS publish time to now.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
# Next key event is when the predecessor ZRRSIG records have been replaced
# with those of the successor and enough time has passed such that all
# validators that have such signed RRsets in cache only know about the
# successor signatures. This is the retire interval: Dsgn plus the
# maximum zone TTL plus the zone propagation delay plus retire-safety. For the
# csk-roll2 policy that means: 12h (because 1d validity and refresh within
# 12 hours) + 1d + 1h + 1h = 38h = 136800 seconds. Prevent intermittent false
# positives on slow platforms by subtracting the number of seconds which
# passed between key creation and invoking 'rndc dnssec -checkds'.
# (start_time is taken at the top of this script.)
now="$(TZ=UTC date +%s)"
time_passed=$((now-start_time))
next_time=$((136800-time_passed))
check_next_key_event $next_time

#
# Zone: step4.csk-roll2.autosign.
#
set_zone "step4.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) ZRRSIG is now HIDDEN.
set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
# The new CSK (KEY2) ZRRSIG is now OMNIPRESENT.
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4502 hours ago (16207200 seconds).
csk_rollover_predecessor_keytimes -16207200
# - The new CSK was published 41 hours (147600 seconds) ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600
# - SYNCPUBLISH and ACTIVE follow PUBLISHED by Ipub.
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the predecessor DS has been replaced with the
# successor DS and enough time has passed such that all validators that
# have this DS RRset cached only know about the successor DS. This is the
# registration delay plus the retire interval, which is the parent
# propagation delay plus the DS TTL plus the retire-safety. For the
# csk-roll2 policy this means: 1w + 1h + 1h = 170h = 612000 seconds.
# However, 136800 seconds have passed already, so 475200 seconds are left.
check_next_key_event 475200

#
# Zone: step5.csk-roll2.autosign.
#
set_zone "step5.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) DNSKEY can be removed.
set_keysigning "KEY1" "no"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keystate "KEY1" "STATE_DS" "hidden"
# The new CSK (KEY2) is now fully OMNIPRESENT.
set_keystate "KEY2" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4634 hours ago (16682400 seconds).
csk_rollover_predecessor_keytimes -16682400
# - The new CSK was published 173 hours (622800 seconds) ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -622800
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DNSKEY enters the HIDDEN state. This is the
# DNSKEY TTL plus zone propagation delay. For the csk-roll2 policy this is:
# 1h + 1h = 7200 seconds.
check_next_key_event 7200

#
# Zone: step6.csk-roll2.autosign.
#
set_zone "step6.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) is now completely HIDDEN.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
set_keystate "KEY1" "STATE_KRRSIG" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4636 hours ago (16689600 seconds).
csk_rollover_predecessor_keytimes -16689600
# - The new CSK was published 175 hours (630000 seconds) ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -630000
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the new successor needs to be published.
# This is the Lcsk, minus time passed since the key was published.
# Lcsk: 186d (16070400 seconds)
# Time passed: 175h (630000 seconds)
# 16070400 - 630000 = 15440400 seconds.
check_next_key_event 15440400

#
# Zone: step7.csk-roll2.autosign.
#
set_zone "step7.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) could have been purged, but purge-keys is disabled,
# so the key expectations carried over from step6 are checked unchanged.

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

#
# Test #2375: Scheduled rollovers are happening faster than they can finish
#
set_zone "step1.three-is-a-crowd.kasp"
set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3"
# TODO (GL #2471): no checks are run for this zone yet.

# Test dynamic zones that switch to inline-signing.
set_zone "dynamic2inline.kasp"
set_policy "default" "1" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# The CSK is rumoured.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"
# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

#
# Testing algorithm rollover.
#
# Unlimited lifetimes: no RETIRED/REMOVED times are expected.
Lksk=0
Lzsk=0
IretKSK=0
IretZSK=0

#
# Zone: step1.algorithm-roll.kasp
#
set_zone "step1.algorithm-roll.kasp"
set_policy "rsasha256" "2" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
key_clear "KEY3"
key_clear "KEY4"

# The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor keys need to be published.
# Since the lifetime of the keys is unlimited, this defaults to the
# loadkeys interval.
check_next_key_event 3600

#
# Zone: step1.csk-algorithm-roll.kasp
#
set_zone "step1.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "1" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"
# The CSK (KEY1) starts in OMNIPRESENT.
3654set_keystate "KEY1" "GOAL" "omnipresent" 3655set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 3656set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 3657set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" 3658set_keystate "KEY1" "STATE_DS" "omnipresent" 3659 3660# Various signing policy checks. 3661check_keys 3662check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 3663# This key is immediately published and activated. 3664Lcsk=0 3665IretCSK=0 3666csk_rollover_predecessor_keytimes 0 3667check_keytimes 3668check_apex 3669check_subdomain 3670dnssec_verify 3671 3672# Next key event is when the successor keys need to be published. 3673# Since the lifetime of the keys are unlimited, so default to loadkeys 3674# interval. 3675check_next_key_event 3600 3676 3677# 3678# Testing going insecure. 3679# 3680 3681# 3682# Zone step1.going-insecure.kasp 3683# 3684set_zone "step1.going-insecure.kasp" 3685set_policy "unsigning" "2" "7200" 3686set_server "ns6" "10.53.0.6" 3687 3688# Policy parameters. 3689# Lksk: 0 3690# Lzsk: 60 days (5184000 seconds) 3691# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (1h) 3692# Iret(KSK): 1d2h (93600 seconds) 3693# Iret(ZSK): RRSIG TTL (1d) + Dprp (5m) + Dsgn (9d) + retire-safety (1h) 3694# Iret(ZSK): 10d1h5m (867900 seconds) 3695Lksk=0 3696Lzsk=5184000 3697IretKSK=93600 3698IretZSK=867900 3699 3700init_migration_insecure() { 3701 key_clear "KEY1" 3702 set_keyrole "KEY1" "ksk" 3703 set_keylifetime "KEY1" "${Lksk}" 3704 set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" 3705 set_keysigning "KEY1" "yes" 3706 set_zonesigning "KEY1" "no" 3707 3708 set_keystate "KEY1" "GOAL" "omnipresent" 3709 set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 3710 set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 3711 set_keystate "KEY1" "STATE_DS" "omnipresent" 3712 3713 key_clear "KEY2" 3714 set_keyrole "KEY2" "zsk" 3715 set_keylifetime "KEY2" "${Lzsk}" 3716 set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" 
"$DEFAULT_BITS" 3717 set_keysigning "KEY2" "no" 3718 set_zonesigning "KEY2" "yes" 3719 3720 set_keystate "KEY2" "GOAL" "omnipresent" 3721 set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" 3722 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 3723 3724 key_clear "KEY3" 3725 key_clear "KEY4" 3726} 3727init_migration_insecure 3728 3729# Various signing policy checks. 3730check_keys 3731check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 3732 3733# We have set the timing metadata to now - 10 days (864000 seconds). 3734rollover_predecessor_keytimes -864000 3735check_keytimes 3736check_apex 3737check_subdomain 3738dnssec_verify 3739 3740# 3741# Zone step1.going-insecure-dynamic.kasp 3742# 3743 3744set_zone "step1.going-insecure-dynamic.kasp" 3745set_dynamic 3746set_policy "unsigning" "2" "7200" 3747set_server "ns6" "10.53.0.6" 3748init_migration_insecure 3749 3750# Various signing policy checks. 3751check_keys 3752check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 3753 3754# We have set the timing metadata to now - 10 days (864000 seconds). 3755rollover_predecessor_keytimes -864000 3756check_keytimes 3757check_apex 3758check_subdomain 3759dnssec_verify 3760 3761# 3762# Zone step1.going-straight-to-none.kasp 3763# 3764set_zone "step1.going-straight-to-none.kasp" 3765set_policy "default" "1" "3600" 3766set_server "ns6" "10.53.0.6" 3767# Key properties. 3768set_keyrole "KEY1" "csk" 3769set_keylifetime "KEY1" "0" 3770set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 3771set_keysigning "KEY1" "yes" 3772set_zonesigning "KEY1" "yes" 3773# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. 3774set_keystate "KEY1" "GOAL" "omnipresent" 3775set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 3776set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 3777set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" 3778set_keystate "KEY1" "STATE_DS" "omnipresent" 3779# This policy only has one key. 
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# The first key is immediately published and activated.
created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "PUBLISHED" "${created}"
set_keytime "KEY1" "ACTIVE" "${created}"
set_keytime "KEY1" "SYNCPUBLISH" "${created}"
# Key lifetime is unlimited, so not setting RETIRED and REMOVED.
check_keytimes

check_apex
check_subdomain
dnssec_verify

# Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy
# changes). Everything below tests how named reacts to a policy change on
# zones that are already signed; named2.conf.in holds the new policies.
echo_i "reconfig dnssec-policy to trigger algorithm rollover"
copy_setports ns6/named2.conf.in ns6/named.conf
rndc_reconfig ns6 10.53.0.6

# Calculate time passed to correctly check for next key events.
# The key timing metadata was created at start_time, but named only learns of
# the new policies now, so some later next-key-event expectations subtract
# time_passed to stay accurate on slow platforms.
now="$(TZ=UTC date +%s)"
time_passed=$((now-start_time))
echo_i "${time_passed} seconds passed between start of tests and reconfig"

# Wait until we have seen "zone_rekey done:" message for this key.
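# _wait_for_done_signing ZONE KEYN
#
# Helper for retry_quiet: returns 0 once "${DIR}/named.run" contains a
# "zone_rekey done: key ID/ALG" line for the key described by KEYN
# (KEY1..KEY4), or immediately when KEYN is not expected to sign at all (no
# KSK/ZSK role, or the role's RRSIG expectation is not "yes"); returns 1 while
# the log line is still absent so that retry_quiet keeps polling.
# Reads the key expectations through key_get and the global DIR.
_wait_for_done_signing() {
  _zone=$1
  _key=$2

  # Reset per call: these are plain globals in POSIX sh, so a key without any
  # signing role (e.g. a cleared slot) would otherwise inherit the previous
  # key's role and expectation lookup.
  _role=
  _expect_type=

  _ksk=$(key_get "$_key" KSK)
  _zsk=$(key_get "$_key" ZSK)
  if [ "$_ksk" = "yes" ]; then
    _role="KSK"
    _expect_type=EXPECT_KRRSIG
  elif [ "$_zsk" = "yes" ]; then
    _role="ZSK"
    _expect_type=EXPECT_ZRRSIG
  else
    # No signing role: nothing to wait for.
    return 0
  fi

  if [ "$(key_get "$_key" "$_expect_type")" = "yes" ] && [ "$(key_get "$_key" "$_role")" = "yes" ]; then
    _keyid=$(key_get "$_key" ID)
    _keyalg=$(key_get "$_key" ALG_STR)
    echo_i "wait for zone ${_zone} is done signing with ${_key} ${_zone}/${_keyalg}/${_keyid}"
    # Fixed-string match: the key id and algorithm mnemonic are data, not a
    # pattern. The zone name is not part of the log line being matched, so
    # this relies on key ids being unique across the zones on this server.
    grep -F "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1
  fi

  return 0
}

# Wait until named has finished signing ${ZONE} with each expected key
# KEY1..KEY4 (retry_quiet 30, presumably up to 30 attempts per key), and count
# a key that never shows up as a test failure.
# Globals: increments the test counter n, sets ret, and adds ret to status.
wait_for_done_signing() {
  n=$((n+1))
  echo_i "wait for zone ${ZONE} is done signing ($n)"
  ret=0

  retry_quiet 30 _wait_for_done_signing "${ZONE}" KEY1 || ret=1
  retry_quiet 30 _wait_for_done_signing "${ZONE}" KEY2 || ret=1
  retry_quiet 30 _wait_for_done_signing "${ZONE}" KEY3 || ret=1
  retry_quiet 30 _wait_for_done_signing "${ZONE}" KEY4 || ret=1

  test "$ret" -eq 0 || echo_i "failed"
  status=$((status+ret))
}

# Test dynamic zones that switch to inline-signing.
set_zone "dynamic2inline.kasp"
set_policy "default" "1" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# The CSK is rumoured: the zone has just been signed, so DNSKEY and signatures
# are published but not yet propagated, and no DS has been submitted yet.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"
# Various signing policy checks.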
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

#
# Testing going insecure.
#

#
# Zone: step1.going-insecure.kasp
#
set_zone "step1.going-insecure.kasp"
set_policy "insecure" "2" "7200"
set_server "ns6" "10.53.0.6"
# Expect a CDS/CDNSKEY Delete Record (RFC 8078), signalling the parent to
# remove the DS.
set_cdsdelete

# Key goal states should be HIDDEN.
init_migration_insecure
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY2" "GOAL" "hidden"
# The DS may be removed if we are going insecure.
set_keystate "KEY1" "STATE_DS" "unretentive"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Tell named that the DS has been removed.
rndc_checkds "$SERVER" "$DIR" "KEY1" "now" "withdrawn" "$ZONE"
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DS becomes HIDDEN. This happens after the
# parent propagation delay, retire safety delay, and DS TTL:
# 1h + 1h + 1d = 26h = 93600 seconds.
check_next_key_event 93600

#
# Zone: step2.going-insecure.kasp
#
set_zone "step2.going-insecure.kasp"
set_policy "insecure" "2" "7200"
set_server "ns6" "10.53.0.6"

# The DS is long enough removed from the zone to be considered HIDDEN.
# This means the DNSKEY and the KSK signatures can be removed.
# The order matters: only once the DS is HIDDEN can the DNSKEY be withdrawn,
# otherwise validators still holding the cached DS would find no matching
# key and treat the zone as bogus.
set_keystate "KEY1" "STATE_DS" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keysigning "KEY1" "no"

set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
set_zonesigning "KEY2" "no"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

# Next key event is when the DNSKEY becomes HIDDEN. This happens after the
# propagation delay, plus DNSKEY TTL:
# 5m + 2h = 125m = 7500 seconds.
check_next_key_event 7500

#
# Zone: step1.going-insecure-dynamic.kasp
#
# Same scenario as step1.going-insecure.kasp, for a dynamic zone.
set_zone "step1.going-insecure-dynamic.kasp"
set_dynamic
set_policy "insecure" "2" "7200"
set_server "ns6" "10.53.0.6"
# Expect a CDS/CDNSKEY Delete Record (RFC 8078).
set_cdsdelete

# Key goal states should be HIDDEN.
init_migration_insecure
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY2" "GOAL" "hidden"
# The DS may be removed if we are going insecure.
set_keystate "KEY1" "STATE_DS" "unretentive"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Tell named that the DS has been removed.
rndc_checkds "$SERVER" "$DIR" "KEY1" "now" "withdrawn" "$ZONE"
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DS becomes HIDDEN. This happens after the
# parent propagation delay, retire safety delay, and DS TTL:
# 1h + 1h + 1d = 26h = 93600 seconds.
check_next_key_event 93600

#
# Zone: step2.going-insecure-dynamic.kasp
#
# Same scenario as step2.going-insecure.kasp, for a dynamic zone.
set_zone "step2.going-insecure-dynamic.kasp"
set_dynamic
set_policy "insecure" "2" "7200"
set_server "ns6" "10.53.0.6"

# The DS is long enough removed from the zone to be considered HIDDEN.
# This means the DNSKEY and the KSK signatures can be removed.
set_keystate "KEY1" "STATE_DS" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keysigning "KEY1" "no"

set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
set_zonesigning "KEY2" "no"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

# Next key event is when the DNSKEY becomes HIDDEN. This happens after the
# propagation delay, plus DNSKEY TTL:
# 5m + 2h = 125m = 7500 seconds.
check_next_key_event 7500

#
# Zone: step1.going-straight-to-none.kasp
#
set_zone "step1.going-straight-to-none.kasp"
set_policy "none" "1" "3600"
set_server "ns6" "10.53.0.6"

# The zone will go bogus after signatures expire, but remains validly signed
# for now. Switching straight to dnssec-policy "none" skips the unsigning
# steps tested above: the DS stays in the parent while the signatures are no
# longer refreshed, which is exactly why operators should use the "insecure"
# policy instead. The check here only covers the still-valid state.

# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) and DS are all expected to be OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
# This policy only has one key.
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
dnssec_verify

#
# Testing KSK/ZSK algorithm rollover.
#

# Policy parameters.
# Lksk: unlimited
# Lzsk: unlimited
Lksk=0
Lzsk=0

#
# Zone: step1.algorithm-roll.kasp
#
# The zone was signed with RSASHA256 (algorithm 8) and the policy now
# requires ECDSAP256SHA256 (algorithm 13). The old keys are KEY1/KEY2, the
# new ones KEY3/KEY4.
set_zone "step1.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# Old RSASHA256 (algorithm 8) keys.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# New ECDSAP256SHA256 keys.
key_clear "KEY3"
set_keyrole "KEY3" "ksk"
set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY3" "yes"
set_zonesigning "KEY3" "no"

key_clear "KEY4"
set_keyrole "KEY4" "zsk"
set_keylifetime "KEY4" "0"
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY4" "no"
set_zonesigning "KEY4" "yes"
# The RSASHA256 keys are outroducing: their goal is HIDDEN, but everything
# they publish stays OMNIPRESENT until the new algorithm is fully established.
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
set_keystate "KEY2" "GOAL" "hidden"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# The ECDSAP256SHA256 keys are introducing: DNSKEY and signatures are
# published (RUMOURED) at once, the DS is not submitted yet (HIDDEN).
set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
set_keystate "KEY3" "STATE_DS" "hidden"
set_keystate "KEY4" "GOAL" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys are published and activated.
rollover_predecessor_keytimes 0
# - KSK must be retired since it no longer matches the policy.
# The retire time is taken from the "; Inactive:" line named wrote to the
# public key file (third field of that line).
keyfile=$(key_get KEY1 BASEFILE)
grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
retired=$(awk '{print $3}' < retired.test${n}.ksk)
set_keytime "KEY1" "RETIRED" "${retired}"
# - The key is removed after the retire interval:
# IretKSK = TTLds + DprpP + retire-safety
# TTLds: 2h (7200 seconds)
# DprpP: 1h (3600 seconds)
# retire-safety: 2h (7200 seconds)
# IretKSK: 5h (18000 seconds)
IretKSK=18000
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
keyfile=$(key_get KEY2 BASEFILE)
grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
retired=$(awk '{print $3}' < retired.test${n}.zsk)
set_keytime "KEY2" "RETIRED" "${retired}"
# - The key is removed after the retire interval:
# IretZSK = TTLsig + Dprp + Dsgn + retire-safety
# TTLsig: 6h (21600 seconds)
# Dprp: 1h (3600 seconds)
# Dsgn: 25d (2160000 seconds)
# retire-safety: 2h (7200 seconds)
# IretZSK: 25d9h (2192400 seconds)
IretZSK=2192400
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new KSK is published and activated.
created=$(key_get KEY3 CREATED)
set_keytime "KEY3" "PUBLISHED" "${created}"
set_keytime "KEY3" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
# TTLsig: 6h (21600 seconds)
# Dprp: 1h (3600 seconds)
# publish-safety: 1h (3600 seconds)
# Ipub: 8h (28800 seconds)
Ipub=28800
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
# - The new ZSK is published and activated.
created=$(key_get KEY4 CREATED)
set_keytime "KEY4" "PUBLISHED" "${created}"
set_keytime "KEY4" "ACTIVE" "${created}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the ecdsa256 keys have been propagated.
# This is the DNSKEY TTL plus publish safety plus zone propagation delay:
# 3 times an hour: 10800 seconds.
check_next_key_event 10800

#
# Zone: step2.algorithm-roll.kasp
#
set_zone "step2.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# The RSASHA256 keys are outroducing, but need to stay present until the new
# algorithm chain of trust has been established. Thus the properties, timings
# and states of the KEY1 and KEY2 are the same as above.

# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent,
# but the zone signatures are not.
set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "omnipresent"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated three hours ago (10800 seconds).
rollover_predecessor_keytimes -10800
# - KSK must be retired since it no longer matches the policy.
created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "RETIRED" "${created}"
set_addkeytime "KEY1" "REMOVED" "${created}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "RETIRED" "${created}"
set_addkeytime "KEY2" "REMOVED" "${created}" "${IretZSK}"
# - The new keys are published 3 hours ago.
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -10800
set_addkeytime "KEY3" "ACTIVE" "${created}" -10800
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${Ipub}"

created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -10800
set_addkeytime "KEY4" "ACTIVE" "${created}" -10800

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when all zone signatures are signed with the new
# algorithm. This is the max-zone-ttl plus zone propagation delay
# plus retire safety: 6h + 1h + 2h. But three hours have already passed
# (the time it took to make the DNSKEY omnipresent), so the next event
# should be scheduled in 6 hour: 21600 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
next_time=$((21600-time_passed))
check_next_key_event $next_time

#
# Zone: step3.algorithm-roll.kasp
#
set_zone "step3.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# The ECDSAP256SHA256 keys are introducing: all zone signatures are now also
# OMNIPRESENT, so the whole zone validates under the new algorithm.
set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
# The DS can be swapped. Only now is it safe: a validator following the new
# DS must find both the new DNSKEY and new-algorithm signatures everywhere.
set_keystate "KEY1" "STATE_DS" "unretentive"
set_keystate "KEY3" "STATE_DS" "rumoured"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Check that CDS publication is logged.
check_cdslog "$DIR" "$ZONE" KEY3

# Set expected key times:
# - The old keys were activated 9 hours ago (32400 seconds).
rollover_predecessor_keytimes -32400
# - And retired 6 hours ago (21600 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -21600
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"

created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "RETIRED" "${created}" -21600
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new keys are published 9 hours ago.
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400
set_addkeytime "KEY3" "ACTIVE" "${created}" -32400
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}

created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400
set_addkeytime "KEY4" "ACTIVE" "${created}" -32400

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Tell named we "saw" the parent swap the DS and see if the next key event is
# scheduled at the correct time.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
# Next key event is when the DS becomes OMNIPRESENT. This happens after the
# parent propagation delay, retire safety delay, and DS TTL:
# 1h + 2h + 2h = 5h = 18000 seconds.
check_next_key_event 18000

#
# Zone: step4.algorithm-roll.kasp
#
set_zone "step4.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
# (Removing them any earlier would break validators still caching the old DS.)
set_keysigning "KEY1" "no"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keystate "KEY1" "STATE_DS" "hidden"

set_zonesigning "KEY2" "no"
set_keystate "KEY2" "GOAL" "hidden"
set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
# The ECDSAP256SHA256 DS is now OMNIPRESENT.
set_keystate "KEY3" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated 38 hours ago (136800 seconds).
rollover_predecessor_keytimes -136800
# - And retired 35 hours ago (126000 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -126000
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"

created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "RETIRED" "${created}" -126000
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"

# - The new keys are published 38 hours ago.
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}

created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
set_addkeytime "KEY4" "ACTIVE" "${created}" -136800

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the old DNSKEY becomes HIDDEN. This happens after the
# DNSKEY TTL plus zone propagation delay (2h).
check_next_key_event 7200

#
# Zone: step5.algorithm-roll.kasp
#
set_zone "step5.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# The old DNSKEYs and the KSK signatures become HIDDEN; the old ZSK
# signatures (KEY2 ZRRSIG) are still UNRETENTIVE at this point.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
set_keystate "KEY1" "STATE_KRRSIG" "hidden"
set_keystate "KEY2" "STATE_DNSKEY" "hidden"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated 40 hours ago (144000 seconds)
rollover_predecessor_keytimes -144000
# - And retired 37 hours ago (133200 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -133200
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"

created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "RETIRED" "${created}" -133200
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"

# The new keys are published 40 hours ago.
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000
set_addkeytime "KEY3" "ACTIVE" "${created}" -144000
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}

created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000
set_addkeytime "KEY4" "ACTIVE" "${created}" -144000

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the RSASHA256 signatures become HIDDEN. This happens
# after the max-zone-ttl plus zone propagation delay plus retire safety
# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
next_time=$((25200-time_passed))
check_next_key_event $next_time

#
# Zone: step6.algorithm-roll.kasp
#
set_zone "step6.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# The old zone signatures (KEY2) should now also be HIDDEN: nothing from the
# old algorithm is left in the zone.
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated 47 hours ago (169200 seconds)
rollover_predecessor_keytimes -169200
# - And retired 44 hours ago (158400 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -158400
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"

created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "RETIRED" "${created}" -158400
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"

# The new keys are published 47 hours ago.
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200
set_addkeytime "KEY3" "ACTIVE" "${created}" -169200
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}

created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200
set_addkeytime "KEY4" "ACTIVE" "${created}" -169200

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is never since we established the policy and the keys have
# an unlimited lifetime. Fallback to the default loadkeys interval.
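check_next_key_event 3600

#
# Testing CSK algorithm rollover.
#
# Same rollover as above, but with a single combined signing key per
# algorithm: KEY1 is the old RSASHA256 CSK, KEY2 the new CSK.
#

# Policy parameters.
# Lcsk: unlimited
# (Previously assigned to the misspelt name Lcksk; the CSK helpers read Lcsk,
# which was still 0 from the earlier CSK test, so behaviour is unchanged.)
Lcsk=0

#
# Zone: step1.csk-algorithm-roll.kasp
#
set_zone "step1.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# Old RSASHA256 (algorithm 8) key.
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# New key using the default algorithm (DEFAULT_ALGORITHM; presumably
# ECDSAP256SHA256 for this policy).
key_clear "KEY2"
set_keyrole "KEY2" "csk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "yes"
set_zonesigning "KEY2" "yes"
key_clear "KEY3"
key_clear "KEY4"
# The RSASHA256 key is outroducing: goal HIDDEN, everything it publishes
# still OMNIPRESENT.
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
# The new key is introducing: DNSKEY and signatures RUMOURED, DS not yet
# submitted (HIDDEN).
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY2" "STATE_DS" "hidden"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - CSK must be retired since it no longer matches the policy.
csk_rollover_predecessor_keytimes 0
# The retire time is taken from the "; Inactive:" line named wrote to the
# public key file (third field of that line).
keyfile=$(key_get KEY1 BASEFILE)
grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
retired=$(awk '{print $3}' < retired.test${n}.ksk)
set_keytime "KEY1" "RETIRED" "${retired}"
# - The key is removed after the retire interval (same as the ZSK interval,
#   since a CSK also signs the zone data):
# IretCSK = TTLsig + Dprp + Dsgn + retire-safety
# TTLsig: 6h (21600 seconds)
# Dprp: 1h (3600 seconds)
# Dsgn: 25d (2160000 seconds)
# retire-safety: 2h (7200 seconds)
# IretCSK: 25d9h (2192400 seconds)
IretCSK=2192400
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new CSK is published and activated.
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "PUBLISHED" "${created}"
set_keytime "KEY2" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
# TTLsig: 6h (21600 seconds)
# Dprp: 1h (3600 seconds)
# publish-safety: 1h (3600 seconds)
# Ipub: 8h (28800 seconds)
Ipub=28800
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the new key has been propagated.
# This is the DNSKEY TTL plus publish safety plus zone propagation delay:
# 3 times an hour: 10800 seconds.
check_next_key_event 10800

#
# Zone: step2.csk-algorithm-roll.kasp
#
set_zone "step2.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# The RSASHA256 key is outroducing, but needs to stay present until the new
# algorithm chain of trust has been established. Thus the properties, timings
# and states of KEY1 are the same as above.
#
# The new key is introducing. The DNSKEY RRset is omnipresent, but the zone
# signatures are not.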
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old key was activated three hours ago (10800 seconds).
csk_rollover_predecessor_keytimes -10800
# - CSK must be retired since it no longer matches the policy.
created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "RETIRED" "${created}"
set_addkeytime "KEY1" "REMOVED" "${created}" "${IretCSK}"
# - The new key was published 3 hours ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -10800
set_addkeytime "KEY2" "ACTIVE" "${created}" -10800
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when all zone signatures are signed with the new
# algorithm. This is the max-zone-ttl plus zone propagation delay
# plus retire safety: 6h + 1h + 2h. But three hours have already passed
# (the time it took to make the DNSKEY omnipresent), so the next event
# should be scheduled in 6 hour: 21600 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
next_time=$((21600-time_passed))
check_next_key_event $next_time

#
# Zone: step3.csk-algorithm-roll.kasp
#
set_zone "step3.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# The RSASHA256 key is outroducing, and it is time to swap the DS.
# The new key is introducing. The DNSKEY RRset and all signatures
# are now omnipresent, so the DS can be introduced.
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
set_keystate "KEY1" "STATE_DS" "unretentive"
set_keystate "KEY2" "STATE_DS" "rumoured"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Check that CDS publication is logged.
check_cdslog "$DIR" "$ZONE" KEY2

# Set expected key times:
# - The old key was activated 9 hours ago (32400 seconds).
csk_rollover_predecessor_keytimes -32400
# - And was retired 6 hours ago (21600 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -21600
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 9 hours ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400
set_addkeytime "KEY2" "ACTIVE" "${created}" -32400
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# We ignore any parent registration delay, so set the DS publish time to now.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
# Next key event is when the DS becomes OMNIPRESENT. This happens after the
# parent propagation delay, retire safety delay, and DS TTL:
# 1h + 2h + 2h = 5h = 18000 seconds.
check_next_key_event 18000

#
# Zone: step4.csk-algorithm-roll.kasp
#
set_zone "step4.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
# (Removing them any earlier would break validators still caching the old DS.)
4643set_keysigning "KEY1" "no" 4644set_zonesigning "KEY1" "no" 4645set_keystate "KEY1" "STATE_DNSKEY" "unretentive" 4646set_keystate "KEY1" "STATE_KRRSIG" "unretentive" 4647set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" 4648set_keystate "KEY1" "STATE_DS" "hidden" 4649# The ECDSAP256SHA256 DS is now OMNIPRESENT. 4650set_keystate "KEY2" "STATE_DS" "omnipresent" 4651 4652# Various signing policy checks. 4653check_keys 4654wait_for_done_signing 4655check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 4656 4657# Set expected key times: 4658# - The old key was activated 38 hours ago (136800 seconds) 4659csk_rollover_predecessor_keytimes -136800 4660# - And retired 35 hours ago (126000 seconds). 4661created=$(key_get KEY1 CREATED) 4662set_addkeytime "KEY1" "RETIRED" "${created}" -126000 4663retired=$(key_get KEY1 RETIRED) 4664set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" 4665# - The new key was published 38 hours ago. 4666created=$(key_get KEY2 CREATED) 4667set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800 4668set_addkeytime "KEY2" "ACTIVE" "${created}" -136800 4669published=$(key_get KEY2 PUBLISHED) 4670set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} 4671 4672# Continue signing policy checks. 4673check_keytimes 4674check_apex 4675check_subdomain 4676dnssec_verify 4677 4678# Next key event is when the old DNSKEY becomes HIDDEN. This happens after the 4679# DNSKEY TTL plus zone propagation delay (2h). 4680check_next_key_event 7200 4681 4682# 4683# Zone: step5.csk-algorithm-roll.kasp 4684# 4685set_zone "step5.csk-algorithm-roll.kasp" 4686set_policy "csk-algoroll" "2" "3600" 4687set_server "ns6" "10.53.0.6" 4688# The DNSKEY becomes HIDDEN. 4689set_keystate "KEY1" "STATE_DNSKEY" "hidden" 4690set_keystate "KEY1" "STATE_KRRSIG" "hidden" 4691 4692# Various signing policy checks. 
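check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old key was activated 40 hours ago (144000 seconds)
csk_rollover_predecessor_keytimes -144000
# - And retired 37 hours ago (133200 seconds); REMOVED follows RETIRED by IretCSK.
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -133200
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 40 hours ago; SYNCPUBLISH follows PUBLISHED by Ipub.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000
set_addkeytime "KEY2" "ACTIVE" "${created}" -144000
published=$(key_get KEY2 PUBLISHED)
# Ipub is quoted like in the other steps: unquoted, an empty value would drop
# the argument entirely instead of passing an empty string.
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the RSASHA1 signatures become HIDDEN. This happens
# after the max-zone-ttl plus zone propagation delay plus retire safety
# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
# time_passed is presumably computed earlier in the script (not in this step).
next_time=$((25200-time_passed))
check_next_key_event "$next_time"

#
# Zone: step6.csk-algorithm-roll.kasp
#
set_zone "step6.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# The zone signatures should now also be HIDDEN.
set_keystate "KEY1" "STATE_ZRRSIG" "hidden"

# Various signing policy checks.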
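check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated 47 hours ago (169200 seconds)
csk_rollover_predecessor_keytimes -169200
# - And retired 44 hours ago (158400 seconds); REMOVED follows RETIRED by IretCSK.
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -158400
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 47 hours ago; SYNCPUBLISH follows PUBLISHED by Ipub.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200
set_addkeytime "KEY2" "ACTIVE" "${created}" -169200
published=$(key_get KEY2 PUBLISHED)
# Ipub is quoted like in the other steps: unquoted, an empty value would drop
# the argument entirely instead of passing an empty string.
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is never since we established the policy and the keys have
# an unlimited lifetime. Fallback to the default loadkeys interval.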
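check_next_key_event 3600

# Fetch the current SOA from ns6 and compare it with the snapshot the caller
# took before the reload/restart (dig.out.ns6.test$n.soa1).
# Arguments: $1 - TTL expected in the pre-change snapshot
#            $2 - TTL expected in the fresh response
# Returns:   0 when the serial increased and both TTLs match, 1 otherwise
#            (non-zero makes retry_quiet try again).
# Note: the file names use the global test counter $n at call time.
_check_soa_ttl() {
  dig_with_opts @10.53.0.6 example SOA > "dig.out.ns6.test$n.soa2" || return 1
  # On an SOA line column 7 is the serial and column 2 the TTL.
  soa1=$(awk '$4 == "SOA" { print $7 }' "dig.out.ns6.test$n.soa1")
  soa2=$(awk '$4 == "SOA" { print $7 }' "dig.out.ns6.test$n.soa2")
  ttl1=$(awk '$4 == "SOA" { print $2 }' "dig.out.ns6.test$n.soa1")
  ttl2=$(awk '$4 == "SOA" { print $2 }' "dig.out.ns6.test$n.soa2")
  # Quoted so an empty or multi-line awk result fails the check instead of
  # being word-split into extra test operands.
  test "${soa1:-1000}" -lt "${soa2:-0}" || return 1
  test "${ttl1:-0}" -eq "$1" || return 1
  test "${ttl2:-0}" -eq "$2" || return 1
}

n=$((n+1))
echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)"
# Clear TSIG: dig_with_opts then queries ns6 without a -y key.
TSIG=
ret=0
dig_with_opts @10.53.0.6 example SOA > "dig.out.ns6.test$n.soa1" || ret=1
cp ns6/example2.db.in ns6/example.db || ret=1
nextpart ns6/named.run > /dev/null
rndccmd 10.53.0.6 reload || ret=1
wait_for_log 3 "all zones loaded" ns6/named.run
# Check that the SOA SERIAL increases and check the TTLs (should be 300 as
# defined in ns6/example2.db.in).
retry_quiet 10 _check_soa_ttl 300 300 || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "Check that restart with zone changes and deleted journal works ($n)"
# Clear TSIG: dig_with_opts then queries ns6 without a -y key.
TSIG=
ret=0
dig_with_opts @10.53.0.6 example SOA > "dig.out.ns6.test$n.soa1" || ret=1
stop_server --use-rndc --port "${CONTROLPORT}" ns6
# TTL of all records change from 300 to 400
cp ns6/example3.db.in ns6/example.db || ret=1
# The journal is dropped on purpose; a failure of this rm is not folded into ret.
rm ns6/example.db.jnl
nextpart ns6/named.run > /dev/null
start_server --noclean --restart --port "${PORT}" ns6
wait_for_log 3 "all zones loaded" ns6/named.run
# Check that the SOA SERIAL increases and check the TTLs (should be changed
# from 300 to 400 as defined in ns6/example3.db.in).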
retry_quiet 10 _check_soa_ttl 300 400 || ret=1
if test "$ret" -ne 0; then
  echo_i "failed"
fi
status=$((status+ret))

# Overall result: any failed check above makes the script exit non-zero.
echo_i "exit status: $status"
test "$status" -eq 0 || exit 1