#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# shellcheck source=conf.sh
# shellcheck source=kasp.sh
SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"
. "$SYSTEMTESTTOP/kasp.sh"

# Start of the run as UTC epoch seconds.
start_time="$(TZ=UTC date +%s)"
# Failure count accumulated over all checks; "ret" is the per-check counter.
status=0
# Running check number, printed by every echo_i line and used in output names.
n=0

###############################################################################
# Utilities                                                                   #
###############################################################################

# Run dig against the test port with the standard option set.
# When TSIG is non-empty its value is passed with -y in front of the caller's
# arguments; DIG and PORT come from the sourced conf.sh.
dig_with_opts() {
  if [ -n "$TSIG" ]; then
    set -- -y "$TSIG" "$@"
  fi
  "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}

# Run rndc with the shared test configuration; $1 is the server address and
# the remaining arguments form the rndc command.
rndccmd() {
  "$RNDC" -c "${SYSTEMTESTTOP}/common/rndc.conf" -p "${CONTROLPORT}" -s "$@"
}

# Report an error for the current check and bump its failure counter.
log_error() {
  echo_i "error: $1"
  ret=$((ret + 1))
}

# Default next key event threshold. May be extended by wait periods.
next_key_event_threshold=100

###############################################################################
# Tests                                                                       #
###############################################################################

#
# dnssec-keygen
#
set_zone "kasp"
set_policy "kasp" "4" "200"
set_server "keys" "10.53.0.1"

n=$((n+1))
echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)"
ret=0
# Keys go into the "keys" directory; one line of keygen output per key.
$KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1
lines=$(wc -l < "keygen.out.$POLICY.test$n")
test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy kasp: $lines"
# Temporarily don't log errors because we are searching multiple files.
disable_logerror

# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "31536000"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"

set_keyrole "KEY2" "ksk"
set_keylifetime "KEY2" "31536000"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
set_keysigning "KEY2" "yes"
set_zonesigning "KEY2" "no"

set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "2592000"
set_keyalgorithm "KEY3" "8" "RSASHA256" "1024"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "yes"

set_keyrole "KEY4" "zsk"
set_keylifetime "KEY4" "16070400"
set_keyalgorithm "KEY4" "8" "RSASHA256" "2000"
set_keysigning "KEY4" "no"
set_zonesigning "KEY4" "yes"

lines=$(get_keyids "$DIR" "$ZONE" | wc -l)
test "$lines" -eq $NUM_KEYS || log_error "bad number of key ids"

# Match every generated key id against one of the four expected key profiles.
# The order of the ids is not known, so each profile is tried in turn and the
# first match wins; "ret" is reset before each attempt.
ids=$(get_keyids "$DIR" "$ZONE")
for id in $ids; do
  # There are four key files with the same algorithm.
  # Check them until a match is found.
  ret=0 && check_key "KEY1" "$id"
  test "$ret" -eq 0 && continue

  ret=0 && check_key "KEY2" "$id"
  test "$ret" -eq 0 && continue

  ret=0 && check_key "KEY3" "$id"
  test "$ret" -eq 0 && continue

  ret=0 && check_key "KEY4" "$id"

  # If ret is still non-zero, none of the files matched.
  test "$ret" -eq 0 || echo_i "failed"
  status=$((status+ret))
done
# Turn error logs on again.
enable_logerror

n=$((n+1))
echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
ret=0
set_zone "kasp"
set_policy "default" "1" "3600"
set_server "." "10.53.0.1"
# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"

# Only one key is expected for the default policy.
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# No -K here: the key files land in the current directory (DIR is ".").
$KEYGEN -G -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1
lines=$(wc -l < "keygen.out.$POLICY.test$n")
test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy default: $lines"
ids=$(get_keyids "$DIR" "$ZONE")
for id in $ids; do
  check_key "KEY1" "$id"
  # Remember the key so the settime checks below can reuse its files.
  test "$ret" -eq 0 && key_save KEY1
  check_keytimes
done
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# dnssec-settime
#

# These tests build upon the latest created key with dnssec-keygen and use the
# environment variables BASE_FILE, KEY_FILE, PRIVATE_FILE and STATE_FILE.
# Scratch copy of the key state file, compared back to detect unwanted edits.
CMP_FILE="${BASE_FILE}.cmp"
n=$((n+1))
echo_i "check that 'dnssec-settime' by default does not edit key state file ($n)"
ret=0
cp "$STATE_FILE" "$CMP_FILE"
# Without -s, settime must touch only the .key and .private files.
$SETTIME -P +3600 "$BASE_FILE" > /dev/null || log_error "settime failed"
grep "; Publish: " "$KEY_FILE" > /dev/null || log_error "mismatch published in $KEY_FILE"
grep "Publish: " "$PRIVATE_FILE" > /dev/null || log_error "mismatch published in $PRIVATE_FILE"
$DIFF "$CMP_FILE" "$STATE_FILE" || log_error "unexpected file change in $STATE_FILE"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "check that 'dnssec-settime -s' also sets publish time metadata and states in key state file ($n)"
ret=0
# NOTE(review): this copy (and the two below) is never compared afterwards.
cp "$STATE_FILE" "$CMP_FILE"
# NOTE(review): local time, unlike start_time above which forces TZ=UTC; the
# value is only compared back as the same string, so this is harmless as long
# as settime writes it unchanged — confirm.
now=$(date +%Y%m%d%H%M%S)
$SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
# Expected state-file contents after the command above.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "hidden"
# "id" is the last key id left over from the keygen loop above.
check_key "KEY1" "$id"
test "$ret" -eq 0 && key_save KEY1
set_keytime "KEY1" "PUBLISHED" "${now}"
check_keytimes
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "check that 'dnssec-settime -s' also unsets publish time metadata and states in key state file ($n)"
ret=0
cp "$STATE_FILE" "$CMP_FILE"
# "none" clears the publish time and every state set in the previous check.
$SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
set_keystate "KEY1" "GOAL" "none"
set_keystate "KEY1" "STATE_DNSKEY" "none"
set_keystate "KEY1" "STATE_KRRSIG" "none"
set_keystate "KEY1" "STATE_ZRRSIG" "none"
set_keystate "KEY1" "STATE_DS" "none"
check_key "KEY1" "$id"
test "$ret" -eq 0 && key_save KEY1
set_keytime "KEY1" "PUBLISHED" "none"
check_keytimes
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "check that 'dnssec-settime -s' also sets active time metadata and states in key state file (uppercase) ($n)"
ret=0
cp "$STATE_FILE" "$CMP_FILE"
now=$(date +%Y%m%d%H%M%S)
# States are given in uppercase on the command line; the expected values
# below are lowercase, so this also checks case-insensitive parsing.
$SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
set_keystate "KEY1" "STATE_DS" "omnipresent"
check_key "KEY1" "$id"
test "$ret" -eq 0 && key_save KEY1
set_keytime "KEY1" "ACTIVE" "${now}"
check_keytimes
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# named
#

# The NSEC record at the apex of the zone and its RRSIG records are
# added as part of the last step in signing a zone. We wait for the
# NSEC records to appear before proceeding with a counter to prevent
# infinite loops if there is an error.
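n=$((n+1))
echo_i "waiting for kasp signing changes to take effect ($n)"
ret=0

# Query the apex NSEC of every zone listed in $1/zones at address $2 and
# require the answer to hold the NSEC (its "NS SOA" type bitmap) plus an
# RRSIG for the apex name. Each answer is kept in dig.out.$1.test$n.<zone>.
# Returns 1 at the first zone that is not there yet, 0 once all are.
_apex_nsec_signed() {
  _ns=$1
  _addr=$2
  while read -r zone
  do
    dig_with_opts "$zone" "@${_addr}" nsec > "dig.out.${_ns}.test$n.$zone" || return 1
    grep "NS SOA" "dig.out.${_ns}.test$n.$zone" > /dev/null || return 1
    grep "$zone\..*IN.*RRSIG" "dig.out.${_ns}.test$n.$zone" > /dev/null || return 1
  done < "${_ns}/zones"
  return 0
}

# Succeeds once both ns3 and ns6 serve a signed apex NSEC for all their zones.
_wait_for_done_apexnsec() {
  _apex_nsec_signed ns3 10.53.0.3 || return 1
  _apex_nsec_signed ns6 10.53.0.6 || return 1
  return 0
}
retry_quiet 30 _wait_for_done_apexnsec || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# Extend the key event threshold by the wait period above.
# NOTE(review): "i" is not assigned anywhere in this file; it looks like a
# leftover from an explicit retry counter, or it may come from a sourced
# helper — confirm. Defaulting it to 0 keeps an unset value from aborting
# the script with an arithmetic syntax error.
next_key_event_threshold=$((next_key_event_threshold+${i:-0}))

# Test max-zone-ttl rejects zones with too high TTL.
n=$((n+1))
echo_i "check that max-zone-ttl rejects zones with too high TTL ($n)"
ret=0
set_zone "max-zone-ttl.kasp"
# The zone must have been refused at load time; look for the log line.
grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" > /dev/null || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# Zone: default.kasp.
#
# Expected key timing metadata for a zone under a single-CSK policy: the key
# is published and active at creation and SYNCPUBLISH follows once the
# DNSKEY/RRSIG records are expected to be omnipresent.
set_keytimes_csk_policy() {
  # The first key is immediately published and activated.
  created=$(key_get KEY1 CREATED)
  set_keytime "KEY1" "PUBLISHED" "${created}"
  set_keytime "KEY1" "ACTIVE" "${created}"
  # The DS can be published if the DNSKEY and RRSIG records are
  # OMNIPRESENT. This happens after max-zone-ttl (1d) plus
  # publish-safety (1h) plus zone-propagation-delay (300s) =
  # 86400 + 3600 + 300 = 90300.
  set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300
  # Key lifetime is unlimited, so not setting RETIRED and REMOVED.
}

# Check the zone with default kasp policy has loaded and is signed.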
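set_zone "default.kasp"
set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Trigger a keymgr run for $ZONE on ns3 and verify that the private, public
# and state files of KEY1 still carry the stat values captured beforehand in
# privkey_stat, pubkey_stat and state_stat. $1 is the named.run line that
# marks the end of the keymgr run. Failures are counted through log_error.
# NOTE(review): the exit status of wait_for_log is not checked, so a timeout
# leaves the comparison running against files keymgr may not have visited;
# consider `|| log_error ...` as the offline-key check further down does.
_check_keyfiles_untouched() {
  nextpart "$DIR/named.run" > /dev/null
  rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
  wait_for_log 3 "$1" "$DIR/named.run"
  privkey_stat2=$(key_stat "${basefile}.private")
  pubkey_stat2=$(key_stat "${basefile}.key")
  state_stat2=$(key_stat "${basefile}.state")
  test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file stat (expected $privkey_stat got $privkey_stat2)"
  test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)"
  test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)"
}

# Trigger a keymgr run. Make sure the key files are not touched if there are
# no modifications to the key metadata.
n=$((n+1))
echo_i "make sure key files are untouched if metadata does not change ($n)"
ret=0
basefile=$(key_get KEY1 BASEFILE)
privkey_stat=$(key_get KEY1 PRIVKEY_STAT)
pubkey_stat=$(key_get KEY1 PUBKEY_STAT)
state_stat=$(key_get KEY1 STATE_STAT)

# NOTE(review): this waits for "keymgr: $ZONE done" while the repeat below
# waits for "keymgr: done"; only one of the two can match what named logs —
# confirm which, since a non-matching pattern merely times out silently.
_check_keyfiles_untouched "keymgr: $ZONE done"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "again ($n)"
ret=0

_check_keyfiles_untouched "keymgr: done"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# Update zone.
n=$((n+1))
echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)"
ret=0
cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db"
rndccmd 10.53.0.3 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed"

# Check that $1.${ZONE} answers NOERROR from $SERVER with an A record for
# address $2 at DEFAULT_TTL, signed by exactly one key, which must be KEY_ID.
# The response is kept in dig.out.$DIR.test$n.$1. Returns 1 on any mismatch.
# $2 is used as a grep pattern, so its dots match any character.
_check_record_signed() {
  _label=$1
  _ip=$2
  _out="dig.out.$DIR.test$n.$_label"

  dig_with_opts "${_label}.${ZONE}" "@${SERVER}" A > "$_out" || return 1
  grep "status: NOERROR" "$_out" > /dev/null || return 1
  grep "${_label}.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${_ip}" "$_out" > /dev/null || return 1
  lines=$(get_keys_which_signed A "$_out" | wc -l)
  test "$lines" -eq 1 || return 1
  get_keys_which_signed A "$_out" | grep "^${KEY_ID}$" > /dev/null || return 1
  return 0
}

# Check that the records of the last zone update are served and signed.
# $1 is the address expected for a.${ZONE}, $2 the one for d.${ZONE}; "-"
# skips that name. Returns non-zero while the update is not fully signed,
# so it can be polled with retry_quiet.
update_is_signed() {
  ip_a=$1
  ip_d=$2

  if [ "$ip_a" != "-" ]; then
    _check_record_signed "a" "$ip_a" || return 1
  fi

  if [ "$ip_d" != "-" ]; then
    _check_record_signed "d" "$ip_d" || return 1
  fi
  return 0
}

retry_quiet 10 update_is_signed "10.0.0.11" "10.0.0.44" || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# Move the private key file, a rekey event should not introduce replacement
# keys.
n=$((n+1))
echo_i "test that if private key files are inaccessible this doesn't trigger a rollover ($n)"
ret=0
basefile=$(key_get KEY1 BASEFILE)
mv "${basefile}.private" "${basefile}.offline"
rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
wait_for_log 3 "offline, policy default" "$DIR/named.run" || ret=1
# Put the private key back whether or not the wait succeeded.
mv "${basefile}.offline" "${basefile}.private"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# Nothing has changed.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: dynamic.kasp
#
set_zone "dynamic.kasp"
set_dynamic
set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Update zone with nsupdate.
n=$((n+1))
echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)"
ret=0
(
echo zone ${ZONE}
echo server 10.53.0.3 "$PORT"
echo update del "a.${ZONE}" 300 A 10.0.0.1
echo update add "a.${ZONE}" 300 A 10.0.0.101
echo update add "d.${ZONE}" 300 A 10.0.0.4
echo send
) | $NSUPDATE

retry_quiet 10 update_is_signed "10.0.0.101" "10.0.0.4" || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# Update zone with nsupdate (reverting the above change).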
n=$((n+1))
echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)"
ret=0
# Undo the previous update: a.${ZONE} goes back to 10.0.0.1, d.${ZONE} is dropped.
$NSUPDATE <<EOF
zone ${ZONE}
server 10.53.0.3 $PORT
update add a.${ZONE} 300 A 10.0.0.1
update del a.${ZONE} 300 A 10.0.0.101
update del d.${ZONE} 300 A 10.0.0.4
send
EOF

# d.${ZONE} no longer exists, so only a.${ZONE} is checked.
retry_quiet 10 update_is_signed "10.0.0.1" "-" || ret=1
if [ "$ret" -ne 0 ]; then
  echo_i "failed"
fi
status=$((status + ret))

# Update zone with freeze/thaw.
n=$((n+1))
echo_i "modify zone file and check that new record is signed for zone ${ZONE} ($n)"
ret=0
rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed"
# Presumably gives named a moment to finish the freeze before the file is edited.
sleep 1
printf '%s\n' "d.${ZONE}. 300 A 10.0.0.44" >> "${DIR}/${ZONE}.db"
rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed"

retry_quiet 10 update_is_signed "10.0.0.1" "10.0.0.44" || ret=1
if [ "$ret" -ne 0 ]; then
  echo_i "failed"
fi
status=$((status + ret))

#
# Zone: dynamic-inline-signing.kasp
#
set_zone "dynamic-inline-signing.kasp"
set_dynamic
set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Update zone with freeze/thaw.
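n=$((n+1))
echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)"
ret=0
rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed"
sleep 1
cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db"
rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed"

# The same template was checked against 10.0.0.11/10.0.0.44 after the reload
# of default.kasp above; pass the addresses explicitly, because without them
# update_is_signed matches any A record for those names.
retry_quiet 10 update_is_signed "10.0.0.11" "10.0.0.44" || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# Zone: inline-signing.kasp
#
set_zone "inline-signing.kasp"
set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: checkds-ksk.kasp.
#
# Start from a clean key set: this policy has a KSK and a ZSK, not a CSK.
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

set_zone "checkds-ksk.kasp"
set_policy "checkds-ksk" "2" "303"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.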
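set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"

check_keys
check_dnssecstatus "$SERVER"  "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

basefile=$(key_get KEY1 BASEFILE)

# Succeeds when file $2 contains a line matching pattern $1; meant to be
# polled with retry_quiet while named writes updated key metadata.
_wait_for_metadata() {
  _expr=$1
  _file=$2
  grep "$_expr" "$_file" > /dev/null || return 1
  return 0
}

n=$((n+1))
echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
# Reset the per-check counter like every other check does, so a failure of
# the previous check is not counted twice.
ret=0
rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# Zone: checkds-doubleksk.kasp.
#
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

set_zone "checkds-doubleksk.kasp"
set_policy "checkds-doubleksk" "3" "303"
set_server "ns3" "10.53.0.3"
# Key properties.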
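set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

set_keyrole "KEY2" "ksk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY2" "yes"
set_zonesigning "KEY2" "no"

set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
set_keystate "KEY2" "STATE_DS" "hidden"

set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

basefile1=$(key_get KEY1 BASEFILE)
basefile2=$(key_get KEY2 BASEFILE)

# With two KSKs, checkds without -key must not guess and leave both state
# files alone. "ret" is reset before each check so failures are counted once.
n=$((n+1))
echo_i "checkds published does not set DSPublish for zone $ZONE (multiple KSK) ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "published" "$ZONE"
grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (multiple KSK) ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "withdrawn" "$ZONE"
grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}"
grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# A key id combined with a non-matching algorithm selects no key.
# NOTE(review): unlike rndc_checkds, the exit status of rndc is not checked
# here; presumably the command is expected to be rejected — confirm.
n=$((n+1))
echo_i "checkds published does not set DSPublish for zone $ZONE (wrong algorithm) ($n)"
ret=0
rndccmd "$SERVER" dnssec -checkds -key "$(key_get KEY1 ID)" -alg 8 "published" "$ZONE" > "rndc.dnssec.checkds.out.$ZONE.$n"
grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (wrong algorithm) ($n)"
ret=0
rndccmd "$SERVER" dnssec -checkds -key "$(key_get KEY1 ID)" -alg RSASHA256 "withdrawn" "$ZONE" > "rndc.dnssec.checkds.out.$ZONE.$n"
grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}"
grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# Selecting a key explicitly updates that key's state file and no other.
n=$((n+1))
echo_i "checkds published -key correctly sets DSPublish for key $(key_get KEY1 ID) zone $ZONE (multiple KSK) ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" KEY1 "20190102121314" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile1}.state" || log_error "bad DSPublish in ${basefile1}.state"
grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "checkds withdrawn -key correctly sets DSRemoved for key $(key_get KEY2 ID) zone $ZONE (multiple KSK) ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" KEY2 "20200102121314" "withdrawn" "$ZONE"
# The message names the metadata actually checked (DSRemoved, not DSPublish).
grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}"
retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile2}.state" || log_error "bad DSRemoved in ${basefile2}.state"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# Zone: checkds-csk.kasp.
#
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

set_zone "checkds-csk.kasp"
set_policy "checkds-csk" "1" "303"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

basefile=$(key_get KEY1 BASEFILE)

n=$((n+1))
echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
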
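# Set keytimes for dnssec-policy with various algorithms.
# These all use the same time values.
#
# Expected timing metadata for one KSK (KEY1) and two ZSKs (KEY2, KEY3) with
# lifetimes of 10, 5 and 1 years. With $1 set to "pregenerated" the
# PUBLISHED/ACTIVE times are read back from each key's .key file instead of
# being derived from its CREATED time.

# Take the PUBLISHED and ACTIVE time of key $1 from the "; Publish:" line of
# its pregenerated .key file; the grep output is kept in published.test$n.$2.
_set_pregenerated_times() {
  keyfile=$(key_get "$1" BASEFILE)
  grep "; Publish:" "${keyfile}.key" > "published.test${n}.$2"
  published=$(awk '{print $3}' < "published.test${n}.$2")
  set_keytime "$1" "PUBLISHED" "${published}"
  set_keytime "$1" "ACTIVE" "${published}"
}

set_keytimes_algorithm_policy() {
  # The first KSK is immediately published and activated.
  created=$(key_get KEY1 CREATED)
  set_keytime "KEY1" "PUBLISHED" "${created}"
  set_keytime "KEY1" "ACTIVE" "${created}"
  # Key was pregenerated.
  if [ "$1" = "pregenerated" ]; then
    _set_pregenerated_times KEY1 key1
  fi
  published=$(key_get KEY1 PUBLISHED)

  # The DS can be published if the DNSKEY and RRSIG records are
  # OMNIPRESENT. This happens after max-zone-ttl (1d) plus
  # publish-safety (1h) plus zone-propagation-delay (300s) =
  # 86400 + 3600 + 300 = 90300.
  set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
  # Key lifetime is 10 years, 315360000 seconds.
  set_addkeytime "KEY1" "RETIRED" "${published}" 315360000
  # The key is removed after the retire time plus DS TTL (1d),
  # parent propagation delay (1h), and retire safety (1h) =
  # 86400 + 3600 + 3600 = 93600.
  retired=$(key_get KEY1 RETIRED)
  set_addkeytime "KEY1" "REMOVED" "${retired}" 93600

  # The first ZSKs are immediately published and activated.
  created=$(key_get KEY2 CREATED)
  set_keytime "KEY2" "PUBLISHED" "${created}"
  set_keytime "KEY2" "ACTIVE" "${created}"
  # Key was pregenerated.
  if [ "$1" = "pregenerated" ]; then
    _set_pregenerated_times KEY2 key2
  fi
  published=$(key_get KEY2 PUBLISHED)

  # Key lifetime for ZSK KEY2 is 5 years, 157680000 seconds.
  set_addkeytime "KEY2" "RETIRED" "${published}" 157680000
  # The key is removed after the retire time plus max zone ttl (1d), zone
  # propagation delay (300s), retire safety (1h), and sign delay
  # (signature validity minus refresh, 9d) =
  # 86400 + 300 + 3600 + 777600 = 867900.
  retired=$(key_get KEY2 RETIRED)
  set_addkeytime "KEY2" "REMOVED" "${retired}" 867900

  # Second ZSK (KEY3).
  created=$(key_get KEY3 CREATED)
  set_keytime "KEY3" "PUBLISHED" "${created}"
  set_keytime "KEY3" "ACTIVE" "${created}"
  # Key was pregenerated.
  if [ "$1" = "pregenerated" ]; then
    _set_pregenerated_times KEY3 key3
  fi
  published=$(key_get KEY3 PUBLISHED)

  # Key lifetime for ZSK KEY3 is 1 year, 31536000 seconds.
  set_addkeytime "KEY3" "RETIRED" "${published}" 31536000
  # Removed after the same delay as KEY2 (867900 seconds).
  retired=$(key_get KEY3 RETIRED)
  set_addkeytime "KEY3" "REMOVED" "${retired}" 867900
}

#
# Zone: rsasha1.kasp.
#
set_zone "rsasha1.kasp"
set_policy "rsasha1" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "315360000"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "157680000"
set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"

key_clear "KEY3"
set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "31536000"
set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "yes"

# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
# ZSK: DNSKEY, RRSIG (zsk) published.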
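set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"

set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
# Three keys only.
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: unsigned.kasp.
#
# No policy, so no keys at all are expected.
set_zone "unsigned.kasp"
set_policy "none" "0" "0"
set_server "ns3" "10.53.0.3"

key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
# Make sure the zone file is untouched.
n=$((n+1))
echo_i "Make sure the zonefile for zone ${ZONE} is not edited ($n)"
ret=0
# Use the configured $DIFF, as the settime checks do, rather than a bare
# "diff" from PATH.
$DIFF "${DIR}/${ZONE}.db.infile" "${DIR}/${ZONE}.db" || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# Zone: insecure.kasp.
#
set_zone "insecure.kasp"
set_policy "insecure" "0" "0"
set_server "ns3" "10.53.0.3"

key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

#
# Zone: unlimited.kasp.
#
set_zone "unlimited.kasp"
set_policy "unlimited" "1" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.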
895set_keystate "KEY1" "GOAL" "omnipresent" 896set_keystate "KEY1" "STATE_DNSKEY" "rumoured" 897set_keystate "KEY1" "STATE_KRRSIG" "rumoured" 898set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" 899set_keystate "KEY1" "STATE_DS" "hidden" 900 901check_keys 902check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 903set_keytimes_csk_policy 904check_keytimes 905check_apex 906check_subdomain 907dnssec_verify 908 909# 910# Zone: inherit.kasp. 911# 912set_zone "inherit.kasp" 913set_policy "rsasha1" "3" "1234" 914set_server "ns3" "10.53.0.3" 915 916# Key properties. 917key_clear "KEY1" 918set_keyrole "KEY1" "ksk" 919set_keylifetime "KEY1" "315360000" 920set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" 921set_keysigning "KEY1" "yes" 922set_zonesigning "KEY1" "no" 923 924key_clear "KEY2" 925set_keyrole "KEY2" "zsk" 926set_keylifetime "KEY2" "157680000" 927set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" 928set_keysigning "KEY2" "no" 929set_zonesigning "KEY2" "yes" 930 931key_clear "KEY3" 932set_keyrole "KEY3" "zsk" 933set_keylifetime "KEY3" "31536000" 934set_keyalgorithm "KEY3" "5" "RSASHA1" "2000" 935set_keysigning "KEY3" "no" 936set_zonesigning "KEY3" "yes" 937# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. 938# ZSK: DNSKEY, RRSIG (zsk) published. 939set_keystate "KEY1" "GOAL" "omnipresent" 940set_keystate "KEY1" "STATE_DNSKEY" "rumoured" 941set_keystate "KEY1" "STATE_KRRSIG" "rumoured" 942set_keystate "KEY1" "STATE_DS" "hidden" 943 944set_keystate "KEY2" "GOAL" "omnipresent" 945set_keystate "KEY2" "STATE_DNSKEY" "rumoured" 946set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" 947 948set_keystate "KEY3" "GOAL" "omnipresent" 949set_keystate "KEY3" "STATE_DNSKEY" "rumoured" 950set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" 951# Three keys only. 952key_clear "KEY4" 953 954check_keys 955check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 956set_keytimes_algorithm_policy 957check_keytimes 958check_apex 959check_subdomain 960dnssec_verify 961 962# 963# Zone: dnssec-keygen.kasp. 
964# 965set_zone "dnssec-keygen.kasp" 966set_policy "rsasha1" "3" "1234" 967set_server "ns3" "10.53.0.3" 968# Key properties, timings and states same as above. 969 970check_keys 971check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 972set_keytimes_algorithm_policy 973check_keytimes 974check_apex 975check_subdomain 976dnssec_verify 977 978# 979# Zone: some-keys.kasp. 980# 981set_zone "some-keys.kasp" 982set_policy "rsasha1" "3" "1234" 983set_server "ns3" "10.53.0.3" 984# Key properties, timings and states same as above. 985 986check_keys 987check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 988set_keytimes_algorithm_policy "pregenerated" 989check_keytimes 990check_apex 991check_subdomain 992dnssec_verify 993 994# 995# Zone: pregenerated.kasp. 996# 997# There are more pregenerated keys than needed, hence the number of keys is 998# six, not three. 999set_zone "pregenerated.kasp" 1000set_policy "rsasha1" "6" "1234" 1001set_server "ns3" "10.53.0.3" 1002# Key properties, timings and states same as above. 1003 1004check_keys 1005check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1006set_keytimes_algorithm_policy "pregenerated" 1007check_keytimes 1008check_apex 1009check_subdomain 1010dnssec_verify 1011 1012# 1013# Zone: rumoured.kasp. 1014# 1015# There are three keys in rumoured state. 1016set_zone "rumoured.kasp" 1017set_policy "rsasha1" "3" "1234" 1018set_server "ns3" "10.53.0.3" 1019# Key properties, timings and states same as above. 1020 1021check_keys 1022check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1023set_keytimes_algorithm_policy 1024# Activation date is a day later. 
1025set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400 1026set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400 1027set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400 1028set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400 1029set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400 1030set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400 1031set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400 1032set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400 1033set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400 1034check_keytimes 1035check_apex 1036check_subdomain 1037dnssec_verify 1038 1039# 1040# Zone: secondary.kasp. 1041# 1042set_zone "secondary.kasp" 1043set_policy "rsasha1" "3" "1234" 1044set_server "ns3" "10.53.0.3" 1045# Key properties, timings and states same as above. 1046 1047check_keys 1048check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1049set_keytimes_algorithm_policy 1050check_keytimes 1051check_apex 1052check_subdomain 1053dnssec_verify 1054 1055# Update zone. 
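n=$((n+1))
echo_i "check that we correctly sign the zone after IXFR for zone ${ZONE} ($n)"
ret=0
# Replace the primary's zone file (ns2, 10.53.0.2) and reload it; the
# secondary under test (SERVER, ns3) is expected to pick the change up via
# IXFR and re-sign it. A failed copy would make the reload check meaningless,
# so it is reported through log_error like the reload itself.
cp ns2/secondary.kasp.db.in2 ns2/secondary.kasp.db || log_error "cp of ns2/secondary.kasp.db.in2 failed"
rndccmd 10.53.0.2 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed"

# Poll helper for retry_quiet: succeeds once both updated names (a. and d.)
# are served with the expected A records and ZSK signatures.
# Returns 1 while the data is not there yet; otherwise returns the global
# ret, which check_signatures presumably bumps via log_error on a bad
# signature. The query type is passed explicitly as "A" (both queries below
# are for A) instead of relying on whatever $_qtype a previous helper left
# behind.
_wait_for_done_subdomains() {
  ret=0
  dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1
  grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1
  grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" > /dev/null || return 1
  check_signatures "A" "dig.out.$DIR.test$n.a" "ZSK"
  if [ "$ret" -gt 0 ]; then return "$ret"; fi

  dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.d" || return 1
  grep "status: NOERROR" "dig.out.$DIR.test$n.d" > /dev/null || return 1
  grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" > /dev/null || return 1
  check_signatures "A" "dig.out.$DIR.test$n.d" "ZSK"
  return "$ret"
}
# Up to 5 attempts (retry_quiet comes from the sourced test helpers).
retry_quiet 5 _wait_for_done_subdomains || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# TODO: we might want to test:
# - configuring a zone with too many active keys (should trigger retire).
# - configuring a zone with keys not matching the policy.

#
# Zone: rsasha1-nsec3.kasp.
#
# Same layout as rsasha1.kasp but with algorithm 7 (NSEC3RSASHA1); only the
# algorithm of the three keys changes, timings and states are reused.
set_zone "rsasha1-nsec3.kasp"
set_policy "rsasha1-nsec3" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048"
set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000"
# Key timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: rsasha256.kasp.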
1106# 1107set_zone "rsasha256.kasp" 1108set_policy "rsasha256" "3" "1234" 1109set_server "ns3" "10.53.0.3" 1110# Key properties. 1111set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" 1112set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" 1113set_keyalgorithm "KEY3" "8" "RSASHA256" "2000" 1114# Key timings and states same as above. 1115 1116check_keys 1117check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1118set_keytimes_algorithm_policy 1119check_keytimes 1120check_apex 1121check_subdomain 1122dnssec_verify 1123 1124# 1125# Zone: rsasha512.kasp. 1126# 1127set_zone "rsasha512.kasp" 1128set_policy "rsasha512" "3" "1234" 1129set_server "ns3" "10.53.0.3" 1130# Key properties. 1131set_keyalgorithm "KEY1" "10" "RSASHA512" "2048" 1132set_keyalgorithm "KEY2" "10" "RSASHA512" "2048" 1133set_keyalgorithm "KEY3" "10" "RSASHA512" "2000" 1134# Key timings and states same as above. 1135 1136check_keys 1137check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1138set_keytimes_algorithm_policy 1139check_keytimes 1140check_apex 1141check_subdomain 1142dnssec_verify 1143 1144# 1145# Zone: ecdsa256.kasp. 1146# 1147set_zone "ecdsa256.kasp" 1148set_policy "ecdsa256" "3" "1234" 1149set_server "ns3" "10.53.0.3" 1150# Key properties. 1151set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 1152set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" 1153set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" 1154# Key timings and states same as above. 1155 1156check_keys 1157check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1158set_keytimes_algorithm_policy 1159check_keytimes 1160check_apex 1161check_subdomain 1162dnssec_verify 1163 1164# 1165# Zone: ecdsa512.kasp. 1166# 1167set_zone "ecdsa384.kasp" 1168set_policy "ecdsa384" "3" "1234" 1169set_server "ns3" "10.53.0.3" 1170# Key properties. 1171set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384" 1172set_keyalgorithm "KEY2" "14" "ECDSAP384SHA384" "384" 1173set_keyalgorithm "KEY3" "14" "ECDSAP384SHA384" "384" 1174# Key timings and states same as above. 

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: ed25519.kasp.
#
# Only run when the build advertises EdDSA support through the marker file
# (created elsewhere in the test setup).
if [ -f ed25519-supported.file ]; then
  set_zone "ed25519.kasp"
  set_policy "ed25519" "3" "1234"
  set_server "ns3" "10.53.0.3"
  # Key properties.
  set_keyalgorithm "KEY1" "15" "ED25519" "256"
  set_keyalgorithm "KEY2" "15" "ED25519" "256"
  set_keyalgorithm "KEY3" "15" "ED25519" "256"
  # Key timings and states same as above.

  check_keys
  check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
  set_keytimes_algorithm_policy
  check_keytimes
  check_apex
  check_subdomain
  dnssec_verify
fi

#
# Zone: ed448.kasp.
#
if [ -f ed448-supported.file ]; then
  set_zone "ed448.kasp"
  set_policy "ed448" "3" "1234"
  set_server "ns3" "10.53.0.3"
  # Key properties.
  set_keyalgorithm "KEY1" "16" "ED448" "456"
  set_keyalgorithm "KEY2" "16" "ED448" "456"
  set_keyalgorithm "KEY3" "16" "ED448" "456"
  # Key timings and states same as above.

  check_keys
  check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
  set_keytimes_algorithm_policy
  check_keytimes
  check_apex
  check_subdomain
  dnssec_verify
fi

# Set key times for 'autosign' policy.
# Expects KEY1 (KSK) and KEY2 (ZSK) to have been populated by check_keys;
# derives every other timestamp from CREATED and the policy's intervals.
set_keytimes_autosign_policy() {
  # The KSK was published six months ago (with settime).
  created=$(key_get KEY1 CREATED)
  set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000
  set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000
  set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000
  # Key lifetime is 2 years, 63072000 seconds.
  active=$(key_get KEY1 ACTIVE)
  set_addkeytime "KEY1" "RETIRED" "${active}" 63072000
  # The key is removed after the retire time plus DS TTL (1d),
  # parent propagation delay (1h), retire safety (1h) =
  # 86400 + 3600 + 3600 = 93600
  retired=$(key_get KEY1 RETIRED)
  set_addkeytime "KEY1" "REMOVED" "${retired}" 93600

  # The ZSK was published six months ago (with settime).
  created=$(key_get KEY2 CREATED)
  set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000
  set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000
  # Key lifetime for the ZSK (KEY2) is 1 year, 31536000 seconds.
  active=$(key_get KEY2 ACTIVE)
  set_addkeytime "KEY2" "RETIRED" "${active}" 31536000
  # The key is removed after the retire time plus:
  # TTLsig (RRSIG TTL): 1 day (86400 seconds)
  # Dprp (propagation delay): 5 minutes (300 seconds)
  # retire-safety: 1 hour (3600 seconds)
  # Dsgn (sign delay): 7 days (604800 seconds)
  # Iret: 695100 seconds.
  retired=$(key_get KEY2 RETIRED)
  set_addkeytime "KEY2" "REMOVED" "${retired}" 695100
}

#
# Zone: expired-sigs.autosign.
#
# Zone loaded with already-expired signatures; named must re-sign it. The
# keys are pre-existing (published six months ago), so everything is
# OMNIPRESENT from the start.
set_zone "expired-sigs.autosign"
set_policy "autosign" "2" "300"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "63072000"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "31536000"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"

# Both KSK and ZSK stay OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# Expect only two keys.
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_autosign_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Verify all signatures have been refreshed.
# For each RRSIG served by SERVER (apex types, then a few names below the
# apex) the served record must NOT appear verbatim in the on-disk zone
# file ${DIR}/${ZONE}.db: if it does, named is still serving the old
# signature. Uses the globals ZONE, SERVER, DIR; increments n and status.
check_rrsig_refresh() {
  # Apex.
  _qtypes="DNSKEY SOA NS NSEC"
  for _qtype in $_qtypes
  do
    n=$((n+1))
    echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
    ret=0
    dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
    grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
    grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
    # If this exact RRSIG is also in the zone file it is not refreshed.
    # The whole dig output line is used as a (basic) regex pattern here, so
    # '.' in it matches any character; a match is a failure.
    _rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
    grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
    test "$ret" -eq 0 || echo_i "failed"
    status=$((status+ret))
  done

  # Below apex.
  _labels="a b c ns3"
  for _label in $_labels;
  do
    _qtypes="A NSEC"
    for _qtype in $_qtypes
    do
      n=$((n+1))
      echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
      ret=0
      dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
      grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
      # Note the pattern anchors on ${ZONE}, not ${_label}.${ZONE}, so it
      # would also accept an RRSIG for another name in the zone.
      grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
      _rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
      grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
      test "$ret" -eq 0 || echo_i "failed"
      status=$((status+ret))
    done
  done
}

check_rrsig_refresh

#
# Zone: fresh-sigs.autosign.
#
# Zone loaded with signatures that are still fresh; named must keep them.
set_zone "fresh-sigs.autosign"
set_policy "autosign" "2" "300"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_autosign_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Verify signature reuse.
# Mirror image of check_rrsig_refresh: the served RRSIG RDATA MUST still be
# present in the on-disk zone file, otherwise named needlessly re-signed.
# Only columns 5 onward of the dig output are compared (presumably the RDATA
# without owner name, TTL, class and type), which tolerates formatting
# differences in the first columns. Same globals and side effects as
# check_rrsig_refresh.
check_rrsig_reuse() {
  # Apex.
  _qtypes="NS NSEC"
  for _qtype in $_qtypes
  do
    n=$((n+1))
    echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
    ret=0
    dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
    grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
    grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
    # If this exact RRSIG is also in the zone file it is reused.
    _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype")
    grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
    test "$ret" -eq 0 || echo_i "failed"
    status=$((status+ret))
  done

  # Below apex.
  _labels="a b c ns3"
  for _label in $_labels;
  do
    _qtypes="A NSEC"
    for _qtype in $_qtypes
    do
      n=$((n+1))
      echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
      ret=0
      dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
      grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
      grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
      _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype")
      grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
      test "$ret" -eq 0 || echo_i "failed"
      status=$((status+ret))
    done
  done
}

check_rrsig_reuse

#
# Zone: unfresh-sigs.autosign.
1405# 1406set_zone "unfresh-sigs.autosign" 1407set_policy "autosign" "2" "300" 1408set_server "ns3" "10.53.0.3" 1409# Key properties, timings and states same as above. 1410 1411check_keys 1412check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1413set_keytimes_autosign_policy 1414check_keytimes 1415check_apex 1416check_subdomain 1417dnssec_verify 1418check_rrsig_refresh 1419 1420# 1421# Zone: ksk-missing.autosign. 1422# 1423set_zone "ksk-missing.autosign" 1424set_policy "autosign" "2" "300" 1425set_server "ns3" "10.53.0.3" 1426# Key properties, timings and states same as above. 1427# Skip checking the private file, because it is missing. 1428key_set "KEY1" "PRIVATE" "no" 1429 1430check_keys 1431check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1432check_apex 1433check_subdomain 1434dnssec_verify 1435 1436# Restore the PRIVATE variable. 1437key_set "KEY1" "PRIVATE" "yes" 1438 1439# 1440# Zone: zsk-missing.autosign. 1441# 1442set_zone "zsk-missing.autosign" 1443set_policy "autosign" "2" "300" 1444set_server "ns3" "10.53.0.3" 1445# Key properties, timings and states same as above. 1446# Skip checking the private file, because it is missing. 1447key_set "KEY2" "PRIVATE" "no" 1448 1449check_keys 1450check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1451# For the apex, we expect the SOA to be signed with the KSK because the ZSK is 1452# offline. Temporary treat KEY1 as a zone signing key too. 1453set_keyrole "KEY1" "csk" 1454set_zonesigning "KEY1" "yes" 1455set_zonesigning "KEY2" "no" 1456check_apex 1457set_keyrole "KEY1" "ksk" 1458set_zonesigning "KEY1" "no" 1459set_zonesigning "KEY2" "yes" 1460check_subdomain 1461dnssec_verify 1462 1463# Restore the PRIVATE variable. 1464key_set "KEY2" "PRIVATE" "yes" 1465 1466# 1467# Zone: zsk-retired.autosign. 1468# 1469set_zone "zsk-retired.autosign" 1470set_policy "autosign" "3" "300" 1471set_server "ns3" "10.53.0.3" 1472# The third key is not yet expected to be signing. 
1473set_keyrole "KEY3" "zsk" 1474set_keylifetime "KEY3" "31536000" 1475set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" 1476set_keysigning "KEY3" "no" 1477set_zonesigning "KEY3" "no" 1478# The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK 1479# is active. 1480set_keystate "KEY2" "GOAL" "hidden" 1481set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" 1482set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 1483# A new ZSK should be introduced, so expect a key with goal OMNIPRESENT, 1484# the DNSKEY introduced (RUMOURED) and the signatures HIDDEN. 1485set_keystate "KEY3" "GOAL" "omnipresent" 1486set_keystate "KEY3" "STATE_DNSKEY" "rumoured" 1487set_keystate "KEY3" "STATE_ZRRSIG" "hidden" 1488 1489check_keys 1490check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1491set_keytimes_autosign_policy 1492 1493# The old ZSK is retired. 1494created=$(key_get KEY2 CREATED) 1495set_keytime "KEY2" "RETIRED" "${created}" 1496set_addkeytime "KEY2" "REMOVED" "${created}" 695100 1497# The new ZSK is immediately published. 1498created=$(key_get KEY3 CREATED) 1499set_keytime "KEY3" "PUBLISHED" "${created}" 1500# And becomes active after Ipub: 1501# DNSKEY TTL: 300 seconds 1502# zone-propagation-delay 5 minutes (300 seconds) 1503# publish-safety: 1 hour (3600 seconds) 1504# Ipub: 4200 seconds 1505published=$(key_get KEY3 PUBLISHED) 1506set_addkeytime "KEY3" "ACTIVE" "${published}" 4200 1507# Lzsk: 1 year (31536000 seconds) 1508active=$(key_get KEY3 ACTIVE) 1509set_addkeytime "KEY3" "RETIRED" "${active}" 31536000 1510# Iret: 695100 seconds. 1511retired=$(key_get KEY3 RETIRED) 1512set_addkeytime "KEY3" "REMOVED" "${retired}" 695100 1513 1514check_keytimes 1515check_apex 1516check_subdomain 1517dnssec_verify 1518check_rrsig_refresh 1519 1520# 1521# Zone: legacy-keys.kasp. 1522# 1523set_zone "legacy-keys.kasp" 1524# This zone has two active keys and two old keys left in key directory, so 1525# expect 4 key files. 
set_policy "migrate-to-dnssec-policy" "4" "1234"
set_server "ns3" "10.53.0.3"

# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "16070400"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "16070400"
set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
# ZSK: DNSKEY, RRSIG (zsk) published.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
# Two keys only.
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Make sure the correct legacy keys were used (and not the removed predecessor
# keys).
# ns3/legacy-keys.kasp.ksk and .zsk hold the base file names of the keys the
# test setup expects named to adopt; compare them with what check_keys found.
n=$((n+1))
echo_i "check correct keys were used when migrating zone ${ZONE} to dnssec-policy ($n)"
ret=0
kskfile=$(cat ns3/legacy-keys.kasp.ksk)
basefile=$(key_get KEY1 BASEFILE)
echo_i "filename: $basefile (expect $kskfile)"
test "$DIR/$kskfile" = "$basefile" || ret=1
zskfile=$(cat ns3/legacy-keys.kasp.zsk)
basefile=$(key_get KEY2 BASEFILE)
echo_i "filename: $basefile (expect $zskfile)"
test "$DIR/$zskfile" = "$basefile" || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# KSK times.
# Legacy keys carry their own Publish time in the .key file, so read it from
# there instead of deriving it from CREATED.
created=$(key_get KEY1 CREATED)
keyfile=$(key_get KEY1 BASEFILE)
grep "; Publish:" "${keyfile}.key" > published.test${n}.key1
published=$(awk '{print $3}' < published.test${n}.key1)
set_keytime "KEY1" "PUBLISHED" "${published}"
set_keytime "KEY1" "ACTIVE" "${published}"
published=$(key_get KEY1 PUBLISHED)
# The DS can be published if the DNSKEY and RRSIG records are OMNIPRESENT.
# This happens after max-zone-ttl (1d) plus publish-safety (1h) plus
# zone-propagation-delay (300s) = 86400 + 3600 + 300 = 90300.
set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
# Key lifetime is 6 months, 16070400 seconds (matches set_keylifetime above).
set_addkeytime "KEY1" "RETIRED" "${published}" 16070400
# The key is removed after the retire time plus DS TTL (1d), parent
# propagation delay (1h), and retire safety (1h) = 86400 + 3600 + 3600 = 93600.
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" 93600

# ZSK times.
created=$(key_get KEY2 CREATED)
keyfile=$(key_get KEY2 BASEFILE)
grep "; Publish:" "${keyfile}.key" > published.test${n}.key2
published=$(awk '{print $3}' < published.test${n}.key2)
set_keytime "KEY2" "PUBLISHED" "${published}"
set_keytime "KEY2" "ACTIVE" "${published}"
published=$(key_get KEY2 PUBLISHED)
# Key lifetime is 6 months, 16070400 seconds (matches set_keylifetime above).
set_addkeytime "KEY2" "RETIRED" "${published}" 16070400
# The key is removed after the retire time plus max zone ttl (1d), zone
# propagation delay (300s), retire safety (1h), and sign delay (signature
# validity minus refresh, 9d) = 86400 + 300 + 3600 + 777600 = 867900.
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" 867900

check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Test dnssec-policy inheritance.
1618# 1619 1620# These zones should be unsigned: 1621# ns2/unsigned.tld 1622# ns4/none.inherit.signed 1623# ns4/none.override.signed 1624# ns4/inherit.none.signed 1625# ns4/none.none.signed 1626# ns5/inherit.inherit.unsigned 1627# ns5/none.inherit.unsigned 1628# ns5/none.override.unsigned 1629# ns5/inherit.none.unsigned 1630# ns5/none.none.unsigned 1631key_clear "KEY1" 1632key_clear "KEY2" 1633key_clear "KEY3" 1634key_clear "KEY4" 1635 1636set_zone "unsigned.tld" 1637set_policy "none" "0" "0" 1638set_server "ns2" "10.53.0.2" 1639TSIG="" 1640check_keys 1641check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1642check_apex 1643check_subdomain 1644 1645set_zone "none.inherit.signed" 1646set_policy "none" "0" "0" 1647set_server "ns4" "10.53.0.4" 1648TSIG="hmac-sha1:sha1:$SHA1" 1649check_keys 1650check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1651check_apex 1652check_subdomain 1653 1654set_zone "none.override.signed" 1655set_policy "none" "0" "0" 1656set_server "ns4" "10.53.0.4" 1657TSIG="hmac-sha224:sha224:$SHA224" 1658check_keys 1659check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1660check_apex 1661check_subdomain 1662 1663set_zone "inherit.none.signed" 1664set_policy "none" "0" "0" 1665set_server "ns4" "10.53.0.4" 1666TSIG="hmac-sha256:sha256:$SHA256" 1667check_keys 1668check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1669check_apex 1670check_subdomain 1671 1672set_zone "none.none.signed" 1673set_policy "none" "0" "0" 1674set_server "ns4" "10.53.0.4" 1675TSIG="hmac-sha256:sha256:$SHA256" 1676check_keys 1677check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1678check_apex 1679check_subdomain 1680 1681set_zone "inherit.inherit.unsigned" 1682set_policy "none" "0" "0" 1683set_server "ns5" "10.53.0.5" 1684TSIG="hmac-sha1:sha1:$SHA1" 1685check_keys 1686check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1687check_apex 1688check_subdomain 1689 1690set_zone "none.inherit.unsigned" 1691set_policy "none" "0" "0" 1692set_server "ns5" "10.53.0.5" 1693TSIG="hmac-sha1:sha1:$SHA1" 1694check_keys 
1695check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1696check_apex 1697check_subdomain 1698 1699set_zone "none.override.unsigned" 1700set_policy "none" "0" "0" 1701set_server "ns5" "10.53.0.5" 1702TSIG="hmac-sha224:sha224:$SHA224" 1703check_keys 1704check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1705check_apex 1706check_subdomain 1707 1708set_zone "inherit.none.unsigned" 1709set_policy "none" "0" "0" 1710set_server "ns5" "10.53.0.5" 1711TSIG="hmac-sha256:sha256:$SHA256" 1712check_keys 1713check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1714check_apex 1715check_subdomain 1716 1717set_zone "none.none.unsigned" 1718set_policy "none" "0" "0" 1719set_server "ns5" "10.53.0.5" 1720TSIG="hmac-sha256:sha256:$SHA256" 1721check_keys 1722check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1723check_apex 1724check_subdomain 1725 1726# These zones should be signed with the default policy: 1727# ns2/signed.tld 1728# ns4/override.inherit.signed 1729# ns4/inherit.override.signed 1730# ns5/override.inherit.signed 1731# ns5/inherit.override.signed 1732set_keyrole "KEY1" "csk" 1733set_keylifetime "KEY1" "0" 1734set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 1735set_keysigning "KEY1" "yes" 1736set_zonesigning "KEY1" "yes" 1737 1738set_keystate "KEY1" "GOAL" "omnipresent" 1739set_keystate "KEY1" "STATE_DNSKEY" "rumoured" 1740set_keystate "KEY1" "STATE_KRRSIG" "rumoured" 1741set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" 1742set_keystate "KEY1" "STATE_DS" "hidden" 1743 1744set_zone "signed.tld" 1745set_policy "default" "1" "3600" 1746set_server "ns2" "10.53.0.2" 1747TSIG="" 1748check_keys 1749check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1750set_keytimes_csk_policy 1751check_keytimes 1752check_apex 1753check_subdomain 1754dnssec_verify 1755 1756set_zone "override.inherit.signed" 1757set_policy "default" "1" "3600" 1758set_server "ns4" "10.53.0.4" 1759TSIG="hmac-sha1:sha1:$SHA1" 1760check_keys 1761check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1762set_keytimes_csk_policy 1763check_keytimes 
check_apex
check_subdomain
dnssec_verify

set_zone "inherit.override.signed"
set_policy "default" "1" "3600"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.inherit.unsigned"
set_policy "default" "1" "3600"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "inherit.override.unsigned"
set_policy "default" "1" "3600"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# These zones should be signed with the test policy:
# ns4/inherit.inherit.signed
# ns4/override.override.signed
# ns4/override.none.signed
# ns5/override.override.unsigned
# ns5/override.none.unsigned
# ns4/example.net (both views)
# The test policy differs from the default only in the algorithm
# (ECDSAP384SHA384); the key states set for the default policy above are
# reused.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"

# wait_for_nsec (sourced helper) blocks until the zone is served with NSEC,
# i.e. until signing has completed, before the checks run.
set_zone "inherit.inherit.signed"
set_policy "test" "1" "3600"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.override.signed"
set_policy "test" "1" "3600"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.none.signed"
set_policy "test" "1" "3600"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.override.unsigned"
set_policy "test" "1" "3600"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.none.unsigned"
set_policy "test" "1" "3600"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Test with views.
# Views: example.net is served by three views on ns4. POLICY is carried over
# from the preceding "test" policy setup; only the zone and server change.
set_zone "example.net"
set_server "ns4" "10.53.0.4"
# NOTE(review): each view is selected by a distinct TSIG key (VIEW1/VIEW2/VIEW3
# come from conf.sh) — presumably the view's match-clients is keyed on it;
# confirm against ns4/named.conf.
TSIG="hmac-sha1:keyforview1:$VIEW1"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example1"
set_keytimes_csk_policy
check_keytimes
check_apex
dnssec_verify
# check zonestatus: view example1 is expected to be a dynamic zone without
# inline-signing.
n=$((n+1))
echo_i "check $ZONE (view example1) zonestatus ($n)"
ret=0
check_isdynamic "$SERVER" "$ZONE" "example1" || log_error "zone not dynamic"
check_inlinesigning "$SERVER" "$ZONE" "example1" && log_error "inline-signing enabled, expected disabled"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
# check subdomain: the view-specific TXT record must be present and signed
# by a ZSK.
n=$((n+1))
echo_i "check TXT example.net (view example1) rrset is signed correctly ($n)"
ret=0
dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view1" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

TSIG="hmac-sha1:keyforview2:$VIEW2"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
check_apex
dnssec_verify
# check zonestatus: view example2 is expected to be a static, inline-signed
# zone (the inverse of example1).
n=$((n+1))
echo_i "check $ZONE (view example2) zonestatus ($n)"
ret=0
check_isdynamic "$SERVER" "$ZONE" "example2" && log_error "zone dynamic, but not expected"
check_inlinesigning "$SERVER" "$ZONE" "example2" || log_error "inline-signing disabled, expected enabled"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
# check subdomain
n=$((n+1))
echo_i "check TXT example.net (view example2) rrset is signed correctly ($n)"
ret=0
dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

TSIG="hmac-sha1:keyforview3:$VIEW3"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example3"
check_apex
dnssec_verify
# check zonestatus: same expectations as example2.
n=$((n+1))
echo_i "check $ZONE (view example3) zonestatus ($n)"
ret=0
check_isdynamic "$SERVER" "$ZONE" "example3" && log_error "zone dynamic, but not expected"
check_inlinesigning "$SERVER" "$ZONE" "example3" || log_error "inline-signing disabled, expected enabled"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
# check subdomain
n=$((n+1))
echo_i "check TXT example.net (view example3) rrset is signed correctly ($n)"
ret=0
dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
# NOTE(review): view example3 is deliberately checked for the "view2" TXT
# content, not "view3" — presumably example3 shares example2's zone
# (in-view); confirm against ns4/named.conf before "fixing" this.
grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# Clear TSIG, so that dig_with_opts stops sending a key for the zones below.
TSIG=""

#
# Testing RFC 8901 Multi-Signer Model 2.
#
set_zone "multisigner-model2.kasp"
set_policy "multisigner-model2" "2" "3600"
set_server "ns3" "10.53.0.3"
# Reset all expected key slots before describing this zone's keys.
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Key properties.
1977set_keyrole "KEY1" "ksk" 1978set_keylifetime "KEY1" "0" 1979set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" 1980set_keysigning "KEY1" "yes" 1981set_zonesigning "KEY1" "no" 1982 1983set_keyrole "KEY2" "zsk" 1984set_keylifetime "KEY2" "0" 1985set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" 1986set_keysigning "KEY2" "no" 1987set_zonesigning "KEY2" "yes" 1988 1989set_keystate "KEY1" "GOAL" "omnipresent" 1990set_keystate "KEY1" "STATE_DNSKEY" "rumoured" 1991set_keystate "KEY1" "STATE_KRRSIG" "rumoured" 1992set_keystate "KEY1" "STATE_DS" "hidden" 1993set_keystate "KEY2" "GOAL" "omnipresent" 1994set_keystate "KEY2" "STATE_DNSKEY" "rumoured" 1995set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" 1996 1997check_keys 1998check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1999check_apex 2000check_subdomain 2001dnssec_verify 2002 2003# Check that the ZSKs from the other provider are published. 2004zsks_are_published() { 2005 dig_with_opts +short "$ZONE" "@${SERVER}" DNSKEY > "dig.out.$DIR.test$n" || return 1 2006 # We should have three ZSKs. 2007 lines=$(grep "256 3 13" dig.out.$DIR.test$n | wc -l) 2008 test "$lines" -eq 3 || return 1 2009 # And one KSK. 2010 lines=$(grep "257 3 13" dig.out.$DIR.test$n | wc -l) 2011 test "$lines" -eq 1 || return 1 2012} 2013 2014n=$((n+1)) 2015echo_i "update zone with ZSK from another provider for zone ${ZONE} ($n)" 2016ret=0 2017( 2018echo zone ${ZONE} 2019echo server 10.53.0.3 "$PORT" 2020echo update add $(cat "${DIR}/${ZONE}.zsk2") 2021echo send 2022) | $NSUPDATE 2023retry_quiet 10 zsks_are_published || ret=1 2024test "$ret" -eq 0 || echo_i "failed" 2025status=$((status+ret)) 2026 2027# 2028# Testing manual rollover. 2029# 2030set_zone "manual-rollover.kasp" 2031set_policy "manual-rollover" "2" "3600" 2032set_server "ns3" "10.53.0.3" 2033key_clear "KEY1" 2034key_clear "KEY2" 2035key_clear "KEY3" 2036key_clear "KEY4" 2037# Key properties. 
2038set_keyrole "KEY1" "ksk" 2039set_keylifetime "KEY1" "0" 2040set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" 2041set_keysigning "KEY1" "yes" 2042set_zonesigning "KEY1" "no" 2043 2044set_keyrole "KEY2" "zsk" 2045set_keylifetime "KEY2" "0" 2046set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" 2047set_keysigning "KEY2" "no" 2048set_zonesigning "KEY2" "yes" 2049# During set up everything was set to OMNIPRESENT. 2050set_keystate "KEY1" "GOAL" "omnipresent" 2051set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 2052set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 2053set_keystate "KEY1" "STATE_DS" "omnipresent" 2054 2055set_keystate "KEY2" "GOAL" "omnipresent" 2056set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" 2057set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 2058 2059check_keys 2060check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2061 2062# The first keys were published and activated a day ago. 2063created=$(key_get KEY1 CREATED) 2064set_addkeytime "KEY1" "PUBLISHED" "${created}" -86400 2065set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400 2066set_addkeytime "KEY1" "ACTIVE" "${created}" -86400 2067created=$(key_get KEY2 CREATED) 2068set_addkeytime "KEY2" "PUBLISHED" "${created}" -86400 2069set_addkeytime "KEY2" "ACTIVE" "${created}" -86400 2070# Key lifetimes are unlimited, so not setting RETIRED and REMOVED. 2071check_keytimes 2072check_apex 2073check_subdomain 2074dnssec_verify 2075 2076# Schedule KSK rollover in six months (15552000 seconds). 2077active=$(key_get KEY1 ACTIVE) 2078set_addkeytime "KEY1" "RETIRED" "${active}" 15552000 2079retired=$(key_get KEY1 RETIRED) 2080rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${retired}" "$ZONE" 2081# Rollover starts in six months, but lifetime is set to six months plus 2082# prepublication duration = 15552000 + 7500 = 15559500 seconds. 
2083set_keylifetime "KEY1" "15559500" 2084set_addkeytime "KEY1" "RETIRED" "${active}" 15559500 2085retired=$(key_get KEY1 RETIRED) 2086# Retire interval of this policy is 26h (93600 seconds). 2087set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 2088 2089check_keys 2090check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2091check_keytimes 2092check_apex 2093check_subdomain 2094dnssec_verify 2095 2096# Schedule KSK rollover now. 2097set_policy "manual-rollover" "3" "3600" 2098set_keystate "KEY1" "GOAL" "hidden" 2099# This key was activated one day ago, so lifetime is set to 1d plus 2100# prepublication duration (7500 seconds) = 93900 seconds. 2101set_keylifetime "KEY1" "93900" 2102created=$(key_get KEY1 CREATED) 2103set_keytime "KEY1" "RETIRED" "${created}" 2104rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "$ZONE" 2105# New key is introduced. 2106set_keyrole "KEY3" "ksk" 2107set_keylifetime "KEY3" "0" 2108set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" 2109set_keysigning "KEY3" "yes" 2110set_zonesigning "KEY3" "no" 2111 2112set_keystate "KEY3" "GOAL" "omnipresent" 2113set_keystate "KEY3" "STATE_DNSKEY" "rumoured" 2114set_keystate "KEY3" "STATE_KRRSIG" "rumoured" 2115set_keystate "KEY3" "STATE_DS" "hidden" 2116 2117check_keys 2118check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2119check_apex 2120check_subdomain 2121dnssec_verify 2122 2123# Schedule ZSK rollover now. 2124set_policy "manual-rollover" "4" "3600" 2125set_keystate "KEY2" "GOAL" "hidden" 2126# This key was activated one day ago, so lifetime is set to 1d plus 2127# prepublication duration (7500 seconds) = 93900 seconds. 2128set_keylifetime "KEY2" "93900" 2129created=$(key_get KEY2 CREATED) 2130set_keytime "KEY2" "RETIRED" "${created}" 2131rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE" 2132# New key is introduced. 
2133set_keyrole "KEY4" "zsk" 2134set_keylifetime "KEY4" "0" 2135set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" 2136set_keysigning "KEY4" "no" 2137set_zonesigning "KEY4" "no" # not yet, first prepublish DNSKEY. 2138 2139set_keystate "KEY4" "GOAL" "omnipresent" 2140set_keystate "KEY4" "STATE_DNSKEY" "rumoured" 2141set_keystate "KEY4" "STATE_ZRRSIG" "hidden" 2142 2143check_keys 2144check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2145check_apex 2146check_subdomain 2147dnssec_verify 2148 2149# Try to schedule a ZSK rollover for an inactive key (should fail). 2150n=$((n+1)) 2151echo_i "check that rndc dnssec -rollover fails if key is inactive ($n)" 2152ret=0 2153rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" > rndc.dnssec.rollover.out.$ZONE.$n 2154grep "key is not actively signing" rndc.dnssec.rollover.out.$ZONE.$n > /dev/null || log_error "bad error message" 2155test "$ret" -eq 0 || echo_i "failed" 2156status=$((status+ret)) 2157 2158# 2159# Testing DNSSEC introduction. 2160# 2161 2162# 2163# Zone: step1.enable-dnssec.autosign. 2164# 2165set_zone "step1.enable-dnssec.autosign" 2166set_policy "enable-dnssec" "1" "300" 2167set_server "ns3" "10.53.0.3" 2168# Key properties. 2169key_clear "KEY1" 2170set_keyrole "KEY1" "csk" 2171set_keylifetime "KEY1" "0" 2172set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" 2173set_keysigning "KEY1" "yes" 2174set_zonesigning "KEY1" "yes" 2175# The DNSKEY and signatures are introduced first, the DS remains hidden. 2176set_keystate "KEY1" "GOAL" "omnipresent" 2177set_keystate "KEY1" "STATE_DNSKEY" "rumoured" 2178set_keystate "KEY1" "STATE_KRRSIG" "rumoured" 2179set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" 2180set_keystate "KEY1" "STATE_DS" "hidden" 2181# This policy lists only one key (CSK). 
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The first key is immediately published and activated.
created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "PUBLISHED" "${created}"
set_keytime "KEY1" "ACTIVE" "${created}"
# - The DS can be published if the DNSKEY and RRSIG records are
#   OMNIPRESENT. This happens after max-zone-ttl (12h) plus
#   publish-safety (5m) plus zone-propagation-delay (5m) =
#   43200 + 300 + 300 = 43800.
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
# - Key lifetime is unlimited, so not setting RETIRED and REMOVED.

# Various signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Check that the most recent "next key event" logged by named for $ZONE
# is within next_key_event_threshold seconds of the expected value.
#
# Arguments:
#   $1 - expected number of seconds until the next key event
# Globals read: ZONE, DIR, DYNAMIC, n, next_key_event_threshold
# Globals written: _expect, _time, _expectmin, _expectmax (no local scope
#   in POSIX sh; check_next_key_event relies on _expect surviving).
# Outputs: matching log lines to keyevent.out.$ZONE.test$n
# Returns: 0 if the logged time is within the threshold, 1 otherwise
#   (including when no matching log line exists yet).
_check_next_key_event() {
	_expect=$1

	grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" > "keyevent.out.$ZONE.test$n" || return 1

	# Get the latest next key event.
	# The field position of the seconds value depends on the log
	# line layout, which differs for inline-signing zones.
	if [ "${DYNAMIC}" = "yes" ]; then
		_time=$(awk '{print $9}' < "keyevent.out.$ZONE.test$n" | tail -1)
	else
		# inline-signing zone adds "(signed)"
		_time=$(awk '{print $10}' < "keyevent.out.$ZONE.test$n" | tail -1)
	fi

	# The next key event time must within threshold of the
	# expected time.
	_expectmin=$((_expect-next_key_event_threshold))
	_expectmax=$((_expect+next_key_event_threshold))

	test $_expectmin -le "$_time" || return 1
	test $_expectmax -ge "$_time" || return 1

	return 0
}

# Test step: verify the next key event time for $ZONE, retrying a few
# times because the log line may not have been written yet.
#
# Arguments:
#   $1 - expected number of seconds until the next key event
# Globals written: n, ret, status; _expect (via _check_next_key_event)
check_next_key_event() {
	n=$((n+1))
	echo_i "check next key event for zone ${ZONE} ($n)"
	ret=0

	retry_quiet 3 _check_next_key_event $1 || log_error "bad next key event time for zone ${ZONE} (expect ${_expect})"
	test "$ret" -eq 0 || echo_i "failed"
	status=$((status+ret))

}

# Next key event is when the DNSKEY RRset becomes OMNIPRESENT: DNSKEY TTL plus
# publish safety plus the zone propagation delay: 900 seconds.
check_next_key_event 900

#
# Zone: step2.enable-dnssec.autosign.
#
set_zone "step2.enable-dnssec.autosign"
set_policy "enable-dnssec" "1" "300"
set_server "ns3" "10.53.0.3"
# The DNSKEY is omnipresent, but the zone signatures not yet.
# Thus, the DS remains hidden.
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The key was published and activated 900 seconds ago (with settime).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -900
set_addkeytime "KEY1" "ACTIVE" "${created}" -900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the zone signatures become OMNIPRESENT: max-zone-ttl
# plus zone propagation delay plus retire safety minus the already elapsed
# 900 seconds: 12h + 300s + 20m - 900 = 44700 - 900 = 43800 seconds
check_next_key_event 43800

#
# Zone: step3.enable-dnssec.autosign.
2281# 2282set_zone "step3.enable-dnssec.autosign" 2283set_policy "enable-dnssec" "1" "300" 2284set_server "ns3" "10.53.0.3" 2285# All signatures should be omnipresent, so the DS can be submitted. 2286set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" 2287set_keystate "KEY1" "STATE_DS" "rumoured" 2288 2289# Various signing policy checks. 2290check_keys 2291check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2292 2293# Set expected key times: 2294# - The key was published and activated 44700 seconds ago (with settime). 2295created=$(key_get KEY1 CREATED) 2296set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700 2297set_addkeytime "KEY1" "ACTIVE" "${created}" -44700 2298set_keytime "KEY1" "SYNCPUBLISH" "${created}" 2299 2300# Continue signing policy checks. 2301check_keytimes 2302check_apex 2303check_subdomain 2304dnssec_verify 2305# Check that CDS publication is logged. 2306check_cdslog "$DIR" "$ZONE" KEY1 2307 2308# The DS can be introduced. We ignore any parent registration delay, so set 2309# the DS publish time to now. 2310rndc_checkds "$SERVER" "$DIR" KEY1 "now" "published" "$ZONE" 2311# Next key event is when the DS can move to the OMNIPRESENT state. This occurs 2312# when the parent propagation delay have passed, plus the DS TTL and retire 2313# safety delay: 1h + 2h + 20m = 3h20m = 12000 seconds 2314check_next_key_event 12000 2315 2316# 2317# Zone: step4.enable-dnssec.autosign. 2318# 2319set_zone "step4.enable-dnssec.autosign" 2320set_policy "enable-dnssec" "1" "300" 2321set_server "ns3" "10.53.0.3" 2322# The DS is omnipresent. 2323set_keystate "KEY1" "STATE_DS" "omnipresent" 2324 2325# Various signing policy checks. 2326check_keys 2327check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2328 2329# Set expected key times: 2330# - The key was published and activated 56700 seconds ago (with settime). 
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -56700
set_addkeytime "KEY1" "ACTIVE" "${created}" -56700
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -12000

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is never, the zone dnssec-policy has been established. So we
# fall back to the default loadkeys interval.
check_next_key_event 3600

#
# Testing ZSK Pre-Publication rollover.
#

# Policy parameters.
# Lksk: 2 years (63072000 seconds)
# Lzsk: 30 days (2592000 seconds)
# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (2d)
# Iret(KSK): 3d1h (262800 seconds)
# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d)
# Iret(ZSK): 10d1h (867600 seconds)
# These globals are read by set_retired_removed and
# rollover_predecessor_keytimes below and are reassigned per policy section.
Lksk=63072000
Lzsk=2592000
IretKSK=262800
IretZSK=867600

#
# Zone: step1.zsk-prepub.autosign.
#
set_zone "step1.zsk-prepub.autosign"
set_policy "zsk-prepub" "2" "3600"
set_server "ns3" "10.53.0.3"

# Derive the expected RETIRED and REMOVED times of a key from its ACTIVE
# time: RETIRED = ACTIVE + lifetime, REMOVED = RETIRED + retire interval.
#
# Arguments:
#   $1 - key slot name (e.g. KEY1)
#   $2 - key lifetime in seconds
#   $3 - retire interval (Iret) in seconds
# Globals written: _Lkey, _Iret, _active, _retired (no local scope in sh)
set_retired_removed() {
	_Lkey=$2
	_Iret=$3

	_active=$(key_get $1 ACTIVE)
	set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}"
	_retired=$(key_get $1 RETIRED)
	set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
}

# Set the expected key times of the predecessor KSK (KEY1) and ZSK (KEY2)
# relative to their CREATED time, shifted by $1 seconds (negative values
# place publication/activation in the past).  RETIRED/REMOVED are only set
# when the corresponding lifetime (Lksk/Lzsk) is non-zero, i.e. limited.
#
# Arguments:
#   $1 - offset in seconds applied to PUBLISHED/SYNCPUBLISH/ACTIVE
# Globals read: Lksk, Lzsk, IretKSK, IretZSK
# Globals written: _addtime, _created
rollover_predecessor_keytimes() {
	_addtime=$1

	_created=$(key_get KEY1 CREATED)
	set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
	set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
	set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
	[ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"

	_created=$(key_get KEY2 CREATED)
	set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
	set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
	[ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
}

# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "${Lksk}"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "${Lzsk}"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# Initially only two keys.
key_clear "KEY3"
key_clear "KEY4"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor ZSK needs to be published. That is
# the ZSK lifetime - prepublication time. The prepublication time is DNSKEY
# TTL plus publish safety plus the zone propagation delay. For the
# zsk-prepub policy that means: 30d - (3600s + 1d + 1h) = 2498400 seconds.
check_next_key_event 2498400

#
# Zone: step2.zsk-prepub.autosign.
#
set_zone "step2.zsk-prepub.autosign"
set_policy "zsk-prepub" "3" "3600"
set_server "ns3" "10.53.0.3"
# New ZSK (KEY3) is prepublished, but not yet signing.
2444key_clear "KEY3" 2445set_keyrole "KEY3" "zsk" 2446set_keylifetime "KEY3" "${Lzsk}" 2447set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" 2448set_keysigning "KEY3" "no" 2449set_zonesigning "KEY3" "no" 2450# Key states. 2451set_keystate "KEY2" "GOAL" "hidden" 2452set_keystate "KEY3" "GOAL" "omnipresent" 2453set_keystate "KEY3" "STATE_DNSKEY" "rumoured" 2454set_keystate "KEY3" "STATE_ZRRSIG" "hidden" 2455 2456# Various signing policy checks. 2457check_keys 2458check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2459 2460# Set expected key times: 2461# - The old keys were activated 694 hours ago (2498400 seconds). 2462rollover_predecessor_keytimes -2498400 2463# - The new ZSK is published now. 2464created=$(key_get KEY3 CREATED) 2465set_keytime "KEY3" "PUBLISHED" "${created}" 2466# - The new ZSK becomes active when the DNSKEY is OMNIPRESENT. 2467# Ipub: TTLkey (1h) + Dprp (1h) + publish-safety (1d) 2468# Ipub: 26 hour (93600 seconds). 2469IpubZSK=93600 2470set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubZSK}" 2471set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" 2472 2473# Continue signing policy checks. 2474check_keytimes 2475check_apex 2476check_subdomain 2477dnssec_verify 2478 2479# Next key event is when the successor ZSK becomes OMNIPRESENT. That is the 2480# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For 2481# the zsk-prepub policy, this means: 3600s + 1h + 1d = 93600 seconds. 2482check_next_key_event 93600 2483 2484# 2485# Zone: step3.zsk-prepub.autosign. 2486# 2487set_zone "step3.zsk-prepub.autosign" 2488set_policy "zsk-prepub" "3" "3600" 2489set_server "ns3" "10.53.0.3" 2490# ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE. 2491# New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED. 
2492set_zonesigning "KEY2" "no" 2493set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" 2494set_zonesigning "KEY3" "yes" 2495set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" 2496set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" 2497 2498# Various signing policy checks. 2499check_keys 2500check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2501 2502# Set expected key times: 2503# - The old keys are activated 30 days ago (2592000 seconds). 2504rollover_predecessor_keytimes -2592000 2505# - The new ZSK is published 26 hours ago (93600 seconds). 2506created=$(key_get KEY3 CREATED) 2507set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600 2508set_keytime "KEY3" "ACTIVE" "${created}" 2509set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" 2510 2511# Continue signing policy checks. 2512check_keytimes 2513check_apex 2514# Subdomain still has good signatures of ZSK (KEY2). 2515# Set expected zone signing on for KEY2 and off for KEY3, 2516# testing whether signatures which are still valid are being reused. 2517set_zonesigning "KEY2" "yes" 2518set_zonesigning "KEY3" "no" 2519check_subdomain 2520# Restore the expected zone signing properties. 2521set_zonesigning "KEY2" "no" 2522set_zonesigning "KEY3" "yes" 2523dnssec_verify 2524 2525# Next key event is when all the RRSIG records have been replaced with 2526# signatures of the new ZSK, in other words when ZRRSIG becomes OMNIPRESENT. 2527# That is Dsgn plus the maximum zone TTL plus the zone propagation delay plus 2528# retire-safety. For the zsk-prepub policy that means: 1w (because 2w validity 2529# and refresh within a week) + 1d + 1h + 2d = 10d1h = 867600 seconds. 2530check_next_key_event 867600 2531 2532# 2533# Zone: step4.zsk-prepub.autosign. 2534# 2535set_zone "step4.zsk-prepub.autosign" 2536set_policy "zsk-prepub" "3" "3600" 2537set_server "ns3" "10.53.0.3" 2538# ZSK (KEY2) DNSKEY is no longer needed. 2539# ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED. 
2540set_keystate "KEY2" "STATE_DNSKEY" "unretentive" 2541set_keystate "KEY2" "STATE_ZRRSIG" "hidden" 2542set_keystate "KEY3" "STATE_ZRRSIG" "omnipresent" 2543 2544# Various signing policy checks. 2545check_keys 2546check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2547 2548# Set expected key times: 2549# - The old keys are activated 961 hours ago (3459600 seconds). 2550rollover_predecessor_keytimes -3459600 2551# - The new ZSK is published 267 hours ago (961200 seconds). 2552created=$(key_get KEY3 CREATED) 2553set_addkeytime "KEY3" "PUBLISHED" "${created}" -961200 2554published=$(key_get KEY3 PUBLISHED) 2555set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" 2556set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" 2557 2558# Continue signing policy checks. 2559check_keytimes 2560check_apex 2561check_subdomain 2562dnssec_verify 2563 2564# Next key event is when the DNSKEY enters the HIDDEN state. This is the 2565# DNSKEY TTL plus zone propagation delay. For the zsk-prepub policy this is: 2566# 3600s + 1h = 7200s 2567check_next_key_event 7200 2568 2569# 2570# Zone: step5.zsk-prepub.autosign. 2571# 2572set_zone "step5.zsk-prepub.autosign" 2573set_policy "zsk-prepub" "3" "3600" 2574set_server "ns3" "10.53.0.3" 2575# ZSK (KEY2) DNSKEY is now completely HIDDEN and removed. 2576set_keystate "KEY2" "STATE_DNSKEY" "hidden" 2577 2578# Various signing policy checks. 2579check_keys 2580check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2581 2582# Set expected key times: 2583# - The old keys are activated 962 hours ago (3463200 seconds). 2584rollover_predecessor_keytimes -3463200 2585# - The new ZSK is published 268 hours ago (964800 seconds). 2586created=$(key_get KEY3 CREATED) 2587set_addkeytime "KEY3" "PUBLISHED" "${created}" -964800 2588published=$(key_get KEY3 PUBLISHED) 2589set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" 2590set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" 2591 2592# Continue signing policy checks. 
2593check_keytimes 2594check_apex 2595check_subdomain 2596dnssec_verify 2597 2598# Next key event is when the new successor needs to be published. This is the 2599# ZSK lifetime minus Iret minus Ipub minus DNSKEY TTL. For the zsk-prepub 2600# policy this is: 30d - 867600s - 93600s - 3600s = 1627200 seconds. 2601check_next_key_event 1627200 2602 2603# 2604# Zone: step6.zsk-prepub.autosign. 2605# 2606set_zone "step6.zsk-prepub.autosign" 2607set_policy "zsk-prepub" "2" "3600" 2608set_server "ns3" "10.53.0.3" 2609# ZSK (KEY2) DNSKEY is purged. 2610key_clear "KEY2" 2611 2612# Various signing policy checks. 2613check_keys 2614check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2615check_apex 2616check_subdomain 2617dnssec_verify 2618 2619# 2620# Testing KSK Double-KSK rollover. 2621# 2622 2623# Policy parameters. 2624# Lksk: 60 days (16070400 seconds) 2625# Lzsk: 1 year (31536000 seconds) 2626# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2d) 2627# Iret(KSK): 50h (180000 seconds) 2628# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d) 2629# Iret(ZSK): 10d1h (867600 seconds) 2630Lksk=5184000 2631Lzsk=31536000 2632IretKSK=180000 2633IretZSK=867600 2634 2635# 2636# Zone: step1.ksk-doubleksk.autosign. 2637# 2638set_zone "step1.ksk-doubleksk.autosign" 2639set_policy "ksk-doubleksk" "2" "7200" 2640set_server "ns3" "10.53.0.3" 2641# Key properties. 2642key_clear "KEY1" 2643set_keyrole "KEY1" "ksk" 2644set_keylifetime "KEY1" "${Lksk}" 2645set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" 2646set_keysigning "KEY1" "yes" 2647set_zonesigning "KEY1" "no" 2648 2649key_clear "KEY2" 2650set_keyrole "KEY2" "zsk" 2651set_keylifetime "KEY2" "${Lzsk}" 2652set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" 2653set_keysigning "KEY2" "no" 2654set_zonesigning "KEY2" "yes" 2655# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. 
2656set_keystate "KEY1" "GOAL" "omnipresent" 2657set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 2658set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 2659set_keystate "KEY1" "STATE_DS" "omnipresent" 2660 2661set_keystate "KEY2" "GOAL" "omnipresent" 2662set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" 2663set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 2664# Initially only two keys. 2665key_clear "KEY3" 2666key_clear "KEY4" 2667 2668# Various signing policy checks. 2669check_keys 2670check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2671# These keys are immediately published and activated. 2672rollover_predecessor_keytimes 0 2673check_keytimes 2674check_apex 2675check_subdomain 2676dnssec_verify 2677 2678# Next key event is when the successor KSK needs to be published. That is 2679# the KSK lifetime - prepublication time. The prepublication time is 2680# DNSKEY TTL plus publish safety plus the zone propagation delay. 2681# For the ksk-doubleksk policy that means: 60d - (1d3h) = 5086800 seconds. 2682check_next_key_event 5086800 2683 2684# 2685# Zone: step2.ksk-doubleksk.autosign. 2686# 2687set_zone "step2.ksk-doubleksk.autosign" 2688set_policy "ksk-doubleksk" "3" "7200" 2689set_server "ns3" "10.53.0.3" 2690# New KSK (KEY3) is prepublished (and signs DNSKEY RRset). 2691key_clear "KEY3" 2692set_keyrole "KEY3" "ksk" 2693set_keylifetime "KEY3" "${Lksk}" 2694set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" 2695set_keysigning "KEY3" "yes" 2696set_zonesigning "KEY3" "no" 2697# Key states. 2698set_keystate "KEY1" "GOAL" "hidden" 2699set_keystate "KEY3" "GOAL" "omnipresent" 2700set_keystate "KEY3" "STATE_DNSKEY" "rumoured" 2701set_keystate "KEY3" "STATE_KRRSIG" "rumoured" 2702set_keystate "KEY3" "STATE_DS" "hidden" 2703 2704# Various signing policy checks. 2705check_keys 2706check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2707 2708# Set expected key times: 2709# - The old keys were activated 1413 hours ago (5086800 seconds). 
2710rollover_predecessor_keytimes -5086800 2711# - The new KSK is published now. 2712created=$(key_get KEY3 CREATED) 2713set_keytime "KEY3" "PUBLISHED" "${created}" 2714# The new KSK should publish the CDS after the prepublication time. 2715# TTLkey: 2h 2716# DprpC: 1h 2717# publish-safety: 1d 2718# IpubC: 27h (97200 seconds) 2719IpubC=97200 2720set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${IpubC}" 2721set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubC}" 2722set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" 2723 2724# Continue signing policy checks. 2725check_keytimes 2726check_apex 2727check_subdomain 2728dnssec_verify 2729 2730# Next key event is when the successor KSK becomes OMNIPRESENT. That is the 2731# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For 2732# the ksk-doubleksk policy, this means: 7200s + 1h + 1d = 97200 seconds. 2733check_next_key_event 97200 2734 2735# 2736# Zone: step3.ksk-doubleksk.autosign. 2737# 2738set_zone "step3.ksk-doubleksk.autosign" 2739set_policy "ksk-doubleksk" "3" "7200" 2740set_server "ns3" "10.53.0.3" 2741 2742# The DNSKEY RRset has become omnipresent. 2743# Check keys before we tell named that we saw the DS has been replaced. 2744set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" 2745set_keystate "KEY3" "STATE_KRRSIG" "omnipresent" 2746# The old DS (KEY1) can be withdrawn and the new DS (KEY3) can be introduced. 2747set_keystate "KEY1" "STATE_DS" "unretentive" 2748set_keystate "KEY3" "STATE_DS" "rumoured" 2749 2750# Various signing policy checks. 2751check_keys 2752check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2753# Check that CDS publication is logged. 2754check_cdslog "$DIR" "$ZONE" KEY3 2755 2756# Set expected key times: 2757# - The old keys were activated 60 days ago (5184000 seconds). 2758rollover_predecessor_keytimes -5184000 2759# - The new KSK is published 27 hours ago (97200 seconds). 
2760created=$(key_get KEY3 CREATED) 2761set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200 2762# - The new KSK CDS is published now. 2763set_keytime "KEY3" "SYNCPUBLISH" "${created}" 2764syncpub=$(key_get KEY3 SYNCPUBLISH) 2765set_keytime "KEY3" "ACTIVE" "${syncpub}" 2766set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" 2767 2768# Continue signing policy checks. 2769check_keytimes 2770check_apex 2771check_subdomain 2772dnssec_verify 2773 2774# We ignore any parent registration delay, so set the DS publish time to now. 2775rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE" 2776rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE" 2777# Next key event is when the predecessor DS has been replaced with the 2778# successor DS and enough time has passed such that the all validators that 2779# have this DS RRset cached only know about the successor DS. This is the 2780# the retire interval, which is the parent propagation delay plus the DS TTL 2781# plus the retire-safety. For the ksk-double-ksk policy this means: 2782# 1h + 3600s + 2d = 2d2h = 180000 seconds. 2783check_next_key_event 180000 2784 2785# 2786# Zone: step4.ksk-doubleksk.autosign. 2787# 2788set_zone "step4.ksk-doubleksk.autosign" 2789set_policy "ksk-doubleksk" "3" "7200" 2790set_server "ns3" "10.53.0.3" 2791# KSK (KEY1) DNSKEY can be removed. 2792set_keysigning "KEY1" "no" 2793set_keystate "KEY1" "STATE_DNSKEY" "unretentive" 2794set_keystate "KEY1" "STATE_KRRSIG" "unretentive" 2795set_keystate "KEY1" "STATE_DS" "hidden" 2796# New KSK (KEY3) DS is now OMNIPRESENT. 2797set_keystate "KEY3" "STATE_DS" "omnipresent" 2798 2799# Various signing policy checks. 2800check_keys 2801check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 2802 2803# Set expected key times: 2804# - The old keys were activated 1490 hours ago (5364000 seconds). 2805rollover_predecessor_keytimes -5364000 2806# - The new KSK is published 77 hours ago (277200 seconds). 
# (continued) step4.ksk-doubleksk.autosign: expected times for the new KSK.
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -277200
# SYNCPUBLISH/ACTIVE follow PUBLISHED by the prepublication interval IpubC.
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}"
syncpub=$(key_get KEY3 SYNCPUBLISH)
set_keytime "KEY3" "ACTIVE" "${syncpub}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DNSKEY enters the HIDDEN state. This is the
# DNSKEY TTL plus zone propagation delay. For the ksk-doubleksk policy this is:
# 7200s + 1h = 10800s
check_next_key_event 10800

#
# Zone: step5.ksk-doubleksk.autosign.
#
set_zone "step5.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "3" "7200"
set_server "ns3" "10.53.0.3"
# KSK (KEY1) DNSKEY is now HIDDEN.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
set_keystate "KEY1" "STATE_KRRSIG" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old KSK is activated 1492 hours ago (5371200 seconds).
rollover_predecessor_keytimes -5371200
# - The new KSK is published 79 hours ago (284400 seconds).
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -284400
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}"
syncpub=$(key_get KEY3 SYNCPUBLISH)
set_keytime "KEY3" "ACTIVE" "${syncpub}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"

# Various signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the new successor needs to be published. This is the
# KSK lifetime minus Ipub minus Iret minus DNSKEY TTL. For the
# ksk-doubleksk policy this is: 60d - 1d3h - 2d2h - 2h =
# 5184000 - 97200 - 180000 - 7200 = 4899600 seconds.
check_next_key_event 4899600

#
# Zone: step6.ksk-doubleksk.autosign.
#
set_zone "step6.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "2" "7200"
set_server "ns3" "10.53.0.3"
# KSK (KEY1) DNSKEY is purged.
key_clear "KEY1"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

#
# Testing CSK key rollover (1).
#

# Policy parameters.
# Lcsk: 186 days (16070400 seconds)
# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2h)
# Iret(KSK): 4h (14400 seconds)
# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (25d) + retire-safety (2h)
# Iret(ZSK): 26d3h (2257200 seconds)
Lcsk=16070400
IretKSK=14400
IretZSK=2257200
# A CSK is retired only once both its KSK and ZSK roles are safe to drop,
# so its retire interval is the longer of the two (here the ZSK one).
IretCSK=$IretZSK

# Set the expected PUBLISHED/SYNCPUBLISH/ACTIVE times of the predecessor
# CSK (KEY1) relative to its CREATED time.
#   $1 - offset in seconds from CREATED (negative means "in the past").
# Reads the globals Lcsk and IretCSK. RETIRED/REMOVED are only set when the
# key has a finite lifetime (Lcsk != 0); an unlimited-lifetime key never
# retires, so those times are left unset.
csk_rollover_predecessor_keytimes() {
	_addtime=$1

	_created=$(key_get KEY1 CREATED)
	set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
	set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
	set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
	[ "$Lcsk" = 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}"
}

#
# Zone: step1.csk-roll.autosign.
#
set_zone "step1.csk-roll.autosign"
set_policy "csk-roll" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "${Lcsk}"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# The CSK (KEY1) starts in OMNIPRESENT.
# (continued) step1.csk-roll.autosign: KEY1 is fully OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
# Initially only one key.
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# This key is immediately published and activated.
csk_rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor CSK needs to be published.
# This is Lcsk - Ipub - Dreg; Dreg contributes nothing here, since
# 16070400 - 10800 = 16059600 exactly.
# Lcsk: 186d (16070400 seconds)
# Ipub: 3h (10800 seconds)
check_next_key_event 16059600

#
# Zone: step2.csk-roll.autosign.
#
set_zone "step2.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
key_clear "KEY2"
set_keyrole "KEY2" "csk"
set_keylifetime "KEY2" "16070400"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "yes"
set_zonesigning "KEY2" "no"
# Key states.
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
set_keystate "KEY2" "STATE_DS" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4461 hours ago (16059600 seconds).
csk_rollover_predecessor_keytimes -16059600
# - The new CSK is published now.
# (continued) step2.csk-roll.autosign: expected times for the new CSK.
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "PUBLISHED" "${created}"
# - The new CSK should publish the CDS after the prepublication time.
# Ipub: 3 hour (10800 seconds)
# Ipub is reused by the later csk-roll steps to derive PUBLISHED from
# SYNCPUBLISH.
Ipub="10800"
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor CSK becomes OMNIPRESENT. That is the
# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
# the csk-roll policy, this means 3 hours = 10800 seconds.
check_next_key_event 10800

#
# Zone: step3.csk-roll.autosign.
#
set_zone "step3.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# Swap zone signing role.
set_zonesigning "KEY1" "no"
set_zonesigning "KEY2" "yes"
# CSK (KEY1) will be removed, so moving to UNRETENTIVE.
set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
# New CSK (KEY2) DNSKEY is OMNIPRESENT, so moving ZRRSIG to RUMOURED.
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
set_keystate "KEY1" "STATE_DS" "unretentive"
set_keystate "KEY2" "STATE_DS" "rumoured"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Check that CDS publication is logged.
check_cdslog "$DIR" "$ZONE" KEY2

# Set expected key times:
# - This key was activated 186 days ago (16070400 seconds).
csk_rollover_predecessor_keytimes -16070400
# - The new CSK is published three hours ago, CDS must be published now.
# (continued) step3.csk-roll.autosign: expected times for the new CSK.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}"
set_keytime "KEY2" "SYNCPUBLISH" "${created}"
# - Also signatures are being introduced now.
set_keytime "KEY2" "ACTIVE" "${created}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
# Subdomain still has good signatures of old CSK (KEY1).
# Set expected zone signing on for KEY1 and off for KEY2,
# testing whether signatures which are still valid are being reused.
set_zonesigning "KEY1" "yes"
set_zonesigning "KEY2" "no"
check_subdomain
# Restore the expected zone signing properties.
set_zonesigning "KEY1" "no"
set_zonesigning "KEY2" "yes"
dnssec_verify

# We ignore any parent registration delay, so set the DS publish time to now.
# NOTE(review): in a real deployment, tell named the DS was swapped only
# after confirming the parent serves the new DS; signalling it early
# retires the old key before validators can follow the new chain of trust.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
# Next key event is when the predecessor DS has been replaced with the
# successor DS and enough time has passed such that all validators that
# have this DS RRset cached only know about the successor DS. This is the
# retire interval, which is the parent propagation delay plus the DS TTL
# plus the retire-safety. For the csk-roll policy this means:
# 1h + 1h + 2h = 4h = 14400 seconds.
check_next_key_event 14400

#
# Zone: step4.csk-roll.autosign.
#
set_zone "step4.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) is no longer signing the DNSKEY RRset.
set_keysigning "KEY1" "no"
# The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public
# (its zone signatures are still in caches) but can remove the KRRSIG records.
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keystate "KEY1" "STATE_DS" "hidden"
# The new CSK (KEY2) DS is now OMNIPRESENT.
# (continued) step4.csk-roll.autosign.
set_keystate "KEY2" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4468 hours ago (16084800 seconds).
csk_rollover_predecessor_keytimes -16084800
# - The new CSK started signing 4h ago (14400 seconds).
# Times are derived backwards from ACTIVE: SYNCPUBLISH equals ACTIVE, and
# PUBLISHED precedes it by the prepublication interval Ipub.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "ACTIVE" "${created}" -14400
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -14400
syncpub=$(key_get KEY2 SYNCPUBLISH)
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the KRRSIG enters the HIDDEN state. This is the
# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is:
# 1h + 1h = 7200 seconds.
check_next_key_event 7200

#
# Zone: step5.csk-roll.autosign.
#
set_zone "step5.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) KRRSIG records are now all hidden.
set_keystate "KEY1" "STATE_KRRSIG" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4470 hours ago (16092000 seconds).
csk_rollover_predecessor_keytimes -16092000
# - The new CSK started signing 6h ago (21600 seconds).
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "ACTIVE" "${created}" -21600
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -21600
syncpub=$(key_get KEY2 SYNCPUBLISH)
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
# (continued) step5.csk-roll.autosign.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DNSKEY can be removed. This is when all ZRRSIG
# records have been replaced with signatures of the new CSK. We have
# calculated the interval to be 26d3h of which 4h (Iret(KSK)) plus
# 2h (DNSKEY TTL + Dprp) have already passed. So next key event is in
# 26d3h - 4h - 2h = 621h = 2235600 seconds.
check_next_key_event 2235600

#
# Zone: step6.csk-roll.autosign.
#
set_zone "step6.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) ZRRSIG records are now all hidden (so the DNSKEY can
# be removed).
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
# The new CSK (KEY2) is now fully OMNIPRESENT.
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 5091 hours ago (18327600 seconds).
csk_rollover_predecessor_keytimes -18327600
# - The new CSK is activated 627 hours ago (2257200 seconds).
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2257200
syncpub=$(key_get KEY2 SYNCPUBLISH)
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DNSKEY enters the HIDDEN state. This is the
# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is:
# 1h + 1h = 7200 seconds.
check_next_key_event 7200

#
# Zone: step7.csk-roll.autosign.
#
set_zone "step7.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) is now completely HIDDEN.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 5093 hours ago (18334800 seconds).
csk_rollover_predecessor_keytimes -18334800
# - The new CSK is activated 629 hours ago (2264400 seconds).
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2264400
syncpub=$(key_get KEY2 SYNCPUBLISH)
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the new successor needs to be published.
# This is the Lcsk, minus time passed since the key started signing,
# minus the prepublication time.
# Lcsk: 186d (16070400 seconds)
# Time passed: 629h (2264400 seconds)
# Ipub: 3h (10800 seconds)
# 16070400 - 2264400 - 10800 = 13795200 seconds.
check_next_key_event 13795200

#
# Zone: step8.csk-roll.autosign.
#
set_zone "step8.csk-roll.autosign"
# Only one key is left once the old CSK has been purged.
set_policy "csk-roll" "1" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) is purged.
key_clear "KEY1"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

#
# Testing CSK key rollover (2).
#

# Policy parameters.
# Lcsk: 186 days (16070400 seconds)
# Dreg: N/A
# Iret(KSK): DS TTL (1h) + DprpP (1w) + retire-safety (1h)
# Iret(KSK): 170h (612000 seconds)
# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (12h) + retire-safety (1h)
# Iret(ZSK): 38h (136800 seconds)
Lcsk=16070400
IretKSK=612000
IretZSK=136800
# As in the first CSK rollover, the CSK retire interval is the longer of
# the KSK and ZSK intervals; with a one week parent propagation delay that
# is the KSK one this time.
IretCSK=$IretKSK

#
# Zone: step1.csk-roll2.autosign.
#
set_zone "step1.csk-roll2.autosign"
set_policy "csk-roll2" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "16070400"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# The CSK (KEY1) starts in OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
# Initially only one key.
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# This key is immediately published and activated.
csk_rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor CSK needs to be published.
# This is Lcsk - Ipub.
# Lcsk: 186d (16070400 seconds)
# Ipub: 3h (10800 seconds)
# Total: 185d21h (16059600 seconds)
check_next_key_event 16059600

#
# Zone: step2.csk-roll2.autosign.
#
set_zone "step2.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
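# (continued) step2.csk-roll2.autosign: properties of the prepublished CSK.
key_clear "KEY2"
set_keyrole "KEY2" "csk"
set_keylifetime "KEY2" "16070400"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "yes"
set_zonesigning "KEY2" "no"
# Key states.
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
set_keystate "KEY2" "STATE_DS" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4461 hours ago (16059600 seconds).
csk_rollover_predecessor_keytimes -16059600
# - The new CSK is published now.
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "PUBLISHED" "${created}"
# - The new CSK should publish the CDS after the prepublication time.
# - Ipub: 3 hour (10800 seconds)
Ipub="10800"
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
# The expected times set above are verified here, as every other step of
# this rollover (and step2 of the first CSK rollover) does; without this
# call the SYNCPUBLISH/ACTIVE/RETIRED/REMOVED expectations above are never
# compared against the key files.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor CSK becomes OMNIPRESENT. That is the
# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
# the csk-roll2 policy, this means 3 hours = 10800 seconds.
check_next_key_event 10800

#
# Zone: step3.csk-roll2.autosign.
#
set_zone "step3.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# CSK (KEY1) can be removed, so move to UNRETENTIVE.
set_zonesigning "KEY1" "no"
set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
# New CSK (KEY2) DNSKEY is OMNIPRESENT, so move ZRRSIG to RUMOURED state.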
# (continued) step3.csk-roll2.autosign: the new CSK takes over zone signing.
set_zonesigning "KEY2" "yes"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
set_keystate "KEY1" "STATE_DS" "unretentive"
set_keystate "KEY2" "STATE_DS" "rumoured"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Check that CDS publication is logged.
check_cdslog "$DIR" "$ZONE" KEY2

# Set expected key times:
# - This key was activated 186 days ago (16070400 seconds).
csk_rollover_predecessor_keytimes -16070400
# - The new CSK is published three hours ago, CDS must be published now.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}"
set_keytime "KEY2" "SYNCPUBLISH" "${created}"
# - Also signatures are being introduced now.
set_keytime "KEY2" "ACTIVE" "${created}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
# Subdomain still has good signatures of old CSK (KEY1).
# Set expected zone signing on for KEY1 and off for KEY2,
# testing whether signatures which are still valid are being reused.
set_zonesigning "KEY1" "yes"
set_zonesigning "KEY2" "no"
check_subdomain
# Restore the expected zone signing properties.
set_zonesigning "KEY1" "no"
set_zonesigning "KEY2" "yes"
dnssec_verify

# We ignore any parent registration delay, so set the DS publish time to now.
# (continued) step3.csk-roll2.autosign: simulate the parent's DS swap.
# NOTE(review): in production only signal 'rndc dnssec -checkds' after the
# parent has been verified to serve the new DS.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
# Next key event is when the predecessor ZRRSIG records have been replaced
# with that of the successor and enough time has passed such that all
# validators that have such signed RRsets in cache only know about the
# successor signatures. This is the retire interval: Dsgn plus the
# maximum zone TTL plus the zone propagation delay plus retire-safety. For the
# csk-roll2 policy that means: 12h (because 1d validity and refresh within
# 12 hours) + 1d + 1h + 1h = 38h = 136800 seconds. Prevent intermittent false
# positives on slow platforms by subtracting the number of seconds which
# passed between key creation and invoking 'rndc dnssec -checkds'.
# start_time is recorded at the very top of this script.
now="$(TZ=UTC date +%s)"
time_passed=$((now-start_time))
next_time=$((136800-time_passed))
check_next_key_event $next_time

#
# Zone: step4.csk-roll2.autosign.
#
set_zone "step4.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) ZRRSIG is now HIDDEN.
set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
# The new CSK (KEY2) ZRRSIG is now OMNIPRESENT.
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4502 hours ago (16207200 seconds).
csk_rollover_predecessor_keytimes -16207200
# - The new CSK was published 41 hours (147600 seconds) ago.
# (continued) step4.csk-roll2.autosign: expected times for the new CSK.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600
# SYNCPUBLISH and ACTIVE follow PUBLISHED by the prepublication interval.
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the predecessor DS has been replaced with the
# successor DS and enough time has passed such that all validators that
# have this DS RRset cached only know about the successor DS. This is the
# registration delay plus the retire interval, which is the parent
# propagation delay plus the DS TTL plus the retire-safety. For the
# csk-roll2 policy this means: 1w + 1h + 1h = 170h = 612000 seconds.
# However, 136800 seconds have passed already, so 475200 seconds (132h)
# are left.
check_next_key_event 475200

#
# Zone: step5.csk-roll2.autosign.
#
set_zone "step5.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) DNSKEY can be removed.
set_keysigning "KEY1" "no"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keystate "KEY1" "STATE_DS" "hidden"
# The new CSK (KEY2) is now fully OMNIPRESENT.
set_keystate "KEY2" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4634 hours ago (16682400 seconds).
csk_rollover_predecessor_keytimes -16682400
# - The new CSK was published 173 hours (622800 seconds) ago.
# (continued) step5.csk-roll2.autosign: expected times for the new CSK.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -622800
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DNSKEY enters the HIDDEN state. This is the
# DNSKEY TTL plus zone propagation delay. For the csk-roll2 policy this is:
# 1h + 1h = 7200 seconds.
check_next_key_event 7200

#
# Zone: step6.csk-roll2.autosign.
#
set_zone "step6.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) is now completely HIDDEN.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
set_keystate "KEY1" "STATE_KRRSIG" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4636 hours ago (16689600 seconds).
csk_rollover_predecessor_keytimes -16689600
# - The new CSK was published 175 hours (630000 seconds) ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -630000
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the new successor needs to be published.
# This is the Lcsk, minus time passed since the key was published.
# Lcsk: 186d (16070400 seconds)
# Time passed: 175h (630000 seconds)
# 16070400 - 630000 = 15440400 seconds.
check_next_key_event 15440400

#
# Zone: step7.csk-roll2.autosign.
#
set_zone "step7.csk-roll2.autosign"
# Still two keys: the retired CSK stays on disk because purge-keys is off.
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) could have been purged, but purge-keys is disabled.

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

#
# Test #2375: Scheduled rollovers are happening faster than they can finish
#
set_zone "step1.three-is-a-crowd.kasp"
set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3"
# TODO (GL #2471).

#
# Testing algorithm rollover.
#
# Unlimited lifetimes: these keys are never retired on a schedule, only
# replaced by the algorithm rollover triggered by the reconfig below.
Lksk=0
Lzsk=0
IretKSK=0
IretZSK=0

#
# Zone: step1.algorithm-roll.kasp
#
set_zone "step1.algorithm-roll.kasp"
set_policy "rsasha1" "2" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
# NOTE(review): RSASHA1 (algorithm 5) is a legacy algorithm that is no
# longer recommended for signing; it is presumably used here only as the
# predecessor algorithm that the later reconfig rolls away from.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
key_clear "KEY3"
key_clear "KEY4"

# The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"

# Various signing policy checks.
# (continued) step1.algorithm-roll.kasp.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor keys need to be published.
# Since the lifetime of the keys is unlimited, default to the loadkeys
# interval.
check_next_key_event 3600

#
# Zone: step1.csk-algorithm-roll.kasp
#
set_zone "step1.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "1" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
# NOTE(review): RSASHA1 is legacy; presumably only the starting point of
# the algorithm rollover exercised after the reconfig below.
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"
# The CSK (KEY1) starts in OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# This key is immediately published and activated.
# Lcsk=0 makes csk_rollover_predecessor_keytimes skip RETIRED/REMOVED.
Lcsk=0
IretCSK=0
csk_rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor keys need to be published.
# Since the lifetime of the keys is unlimited, default to the loadkeys
# interval.
check_next_key_event 3600

#
# Testing going insecure.
#

#
# Zone step1.going-insecure.kasp
#
set_zone "step1.going-insecure.kasp"
set_policy "unsigning" "2" "7200"
set_server "ns6" "10.53.0.6"

# Policy parameters.
# Lksk: 0
# Lzsk: 60 days (5184000 seconds)
# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (1h)
# Iret(KSK): 1d2h (93600 seconds)
# Iret(ZSK): RRSIG TTL (1d) + Dprp (5m) + Dsgn (9d) + retire-safety (1h)
# Iret(ZSK): 10d1h5m (867900 seconds)
Lksk=0
Lzsk=5184000
IretKSK=93600
IretZSK=867900

# Set up the expected key state for the going-insecure zones before the
# "unsigning" -> "insecure" policy switch: KEY1 is an OMNIPRESENT KSK with
# unlimited lifetime (Lksk), KEY2 an OMNIPRESENT ZSK with lifetime Lzsk,
# both using the default algorithm; KEY3/KEY4 are not expected to exist.
# Reads the globals Lksk, Lzsk and DEFAULT_ALGORITHM{_NUMBER}/DEFAULT_BITS.
# Takes no arguments. Called once per zone (static and dynamic variant).
init_migration_insecure() {
	key_clear "KEY1"
	set_keyrole "KEY1" "ksk"
	set_keylifetime "KEY1" "${Lksk}"
	set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
	set_keysigning "KEY1" "yes"
	set_zonesigning "KEY1" "no"

	set_keystate "KEY1" "GOAL" "omnipresent"
	set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
	set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
	set_keystate "KEY1" "STATE_DS" "omnipresent"

	key_clear "KEY2"
	set_keyrole "KEY2" "zsk"
	set_keylifetime "KEY2" "${Lzsk}"
	set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
	set_keysigning "KEY2" "no"
	set_zonesigning "KEY2" "yes"

	set_keystate "KEY2" "GOAL" "omnipresent"
	set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
	set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"

	key_clear "KEY3"
	key_clear "KEY4"
}
init_migration_insecure

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# We have set the timing metadata to now - 10 days (864000 seconds).
rollover_predecessor_keytimes -864000
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone step1.going-insecure-dynamic.kasp
#

# Same expectations as the static zone, but for a dynamically updated zone.
set_zone "step1.going-insecure-dynamic.kasp"
set_dynamic
set_policy "unsigning" "2" "7200"
set_server "ns6" "10.53.0.6"
init_migration_insecure

# Various signing policy checks.
# (continued) step1.going-insecure-dynamic.kasp.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# We have set the timing metadata to now - 10 days (864000 seconds).
rollover_predecessor_keytimes -864000
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone step1.going-straight-to-none.kasp
#
set_zone "step1.going-straight-to-none.kasp"
set_policy "default" "1" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
# Note: KEY1 is not cleared first; every property checked below is
# overwritten explicitly, so the KSK settings left by init_migration_insecure
# do not leak into this zone's expectations.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# This is an already-secure zone: DNSKEY, RRSIG (ksk), RRSIG (zsk) and the
# DS are all expected to be OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
# This policy only has one key.
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# The first key is immediately published and activated.
created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "PUBLISHED" "${created}"
set_keytime "KEY1" "ACTIVE" "${created}"
set_keytime "KEY1" "SYNCPUBLISH" "${created}"
# Key lifetime is unlimited, so not setting RETIRED and REMOVED.
check_keytimes

check_apex
check_subdomain
dnssec_verify

# Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy
# changes). named2.conf.in switches the ns6 zones to their new policies
# (algorithm rollover away from RSASHA1, going insecure, going to 'none').
echo_i "reconfig dnssec-policy to trigger algorithm rollover"
copy_setports ns6/named2.conf.in ns6/named.conf
rndc_reconfig ns6 10.53.0.6

# Calculate time passed to correctly check for next key events.
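now="$(TZ=UTC date +%s)"
# Seconds between the start of this test run and the reconfig; later
# check_next_key_event calls subtract it to avoid false positives on slow hosts.
time_passed=$((now-start_time))
echo_i "${time_passed} seconds passed between start of tests and reconfig"

# Wait until we have seen "zone_rekey done:" message for this key.
# Arguments: $1 - zone name
#            $2 - key label (KEY1..KEY4)
# Globals:   DIR (read); _zone, _key, _role, _expect_type, _ksk, _zsk,
#            _keyid, _keyalg (written; POSIX sh has no 'local')
# Returns:   0 when the key is not expected to sign (nothing to wait for) or
#            the "zone_rekey done" line for it is in named.run, 1 otherwise
_wait_for_done_signing() {
  _zone=$1
  _key=$2
  # Reset on every call: without this, the role of the previously checked key
  # would be reused for a label that has been key_clear'ed.
  _role=
  _expect_type=

  _ksk=$(key_get "$_key" KSK)
  _zsk=$(key_get "$_key" ZSK)
  if [ "$_ksk" = "yes" ]; then
    _role="KSK"
    _expect_type=EXPECT_KRRSIG
  elif [ "$_zsk" = "yes" ]; then
    _role="ZSK"
    _expect_type=EXPECT_ZRRSIG
  fi
  # Neither role is set (cleared label): there is no signing to wait for.
  [ -n "$_role" ] || return 0

  if [ "$(key_get "$_key" "$_expect_type")" = "yes" ] && [ "$(key_get "$_key" "$_role")" = "yes" ]; then
    _keyid=$(key_get "$_key" ID)
    _keyalg=$(key_get "$_key" ALG_STR)
    echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
    grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1
  fi

  return 0
}

# Wait (up to 30 retries each) until all four key labels of the current zone
# have finished signing, and count a timeout as a test failure.
# Globals:   ZONE (read); n, ret, status (written)
# Arguments: none
wait_for_done_signing() {
  n=$((n+1))
  echo_i "wait for zone ${ZONE} is done signing ($n)"
  ret=0

  retry_quiet 30 _wait_for_done_signing "${ZONE}" KEY1 || ret=1
  retry_quiet 30 _wait_for_done_signing "${ZONE}" KEY2 || ret=1
  retry_quiet 30 _wait_for_done_signing "${ZONE}" KEY3 || ret=1
  retry_quiet 30 _wait_for_done_signing "${ZONE}" KEY4 || ret=1

  test "$ret" -eq 0 || echo_i "failed"
  status=$((status+ret))
}

#
# Testing going insecure.
#

#
# Zone: step1.going-insecure.kasp
#
set_zone "step1.going-insecure.kasp"
set_policy "insecure" "2" "7200"
set_server "ns6" "10.53.0.6"
# Expect a CDS/CDNSKEY Delete Record.
set_cdsdelete

# Key goal states should be HIDDEN.
init_migration_insecure
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY2" "GOAL" "hidden"
# The DS may be removed if we are going insecure.
set_keystate "KEY1" "STATE_DS" "unretentive"

# Various signing policy checks.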
# Remaining checks for step1.going-insecure.kasp (set up just above).
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Tell named that the DS has been removed.
rndc_checkds "$SERVER" "$DIR" "KEY1" "now" "withdrawn" "$ZONE"
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DS becomes HIDDEN. This happens after the
# parent propagation delay, retire safety delay, and DS TTL:
# 1h + 1h + 1d = 26h = 93600 seconds.
check_next_key_event 93600

#
# Zone: step2.going-insecure.kasp
#
# No init_migration_insecure here: the KEY1/KEY2 expectations from step1
# carry over and only the states that moved on are adjusted.
set_zone "step2.going-insecure.kasp"
set_policy "insecure" "2" "7200"
set_server "ns6" "10.53.0.6"

# The DS is long enough removed from the zone to be considered HIDDEN.
# This means the DNSKEY and the KSK signatures can be removed.
set_keystate "KEY1" "STATE_DS" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keysigning "KEY1" "no"

set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
set_zonesigning "KEY2" "no"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

# Next key event is when the DNSKEY becomes HIDDEN. This happens after the
# propagation delay, plus DNSKEY TTL:
# 5m + 2h = 125m = 7500 seconds.
check_next_key_event 7500

#
# Zone: step1.going-insecure-dynamic.kasp
#
# Same scenario as step1.going-insecure.kasp, for a dynamic zone.
set_zone "step1.going-insecure-dynamic.kasp"
set_dynamic
set_policy "insecure" "2" "7200"
set_server "ns6" "10.53.0.6"
# Expect a CDS/CDNSKEY Delete Record.
set_cdsdelete

# Key goal states should be HIDDEN.
# Expectations for step1.going-insecure-dynamic.kasp (zone set up just above).
init_migration_insecure
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY2" "GOAL" "hidden"
# The DS may be removed if we are going insecure.
set_keystate "KEY1" "STATE_DS" "unretentive"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Tell named that the DS has been removed.
rndc_checkds "$SERVER" "$DIR" "KEY1" "now" "withdrawn" "$ZONE"
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DS becomes HIDDEN. This happens after the
# parent propagation delay, retire safety delay, and DS TTL:
# 1h + 1h + 1d = 26h = 93600 seconds.
check_next_key_event 93600

#
# Zone: step2.going-insecure-dynamic.kasp
#
# As with step2.going-insecure.kasp, the step1 expectations carry over.
set_zone "step2.going-insecure-dynamic.kasp"
set_dynamic
set_policy "insecure" "2" "7200"
set_server "ns6" "10.53.0.6"

# The DS is long enough removed from the zone to be considered HIDDEN.
# This means the DNSKEY and the KSK signatures can be removed.
set_keystate "KEY1" "STATE_DS" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keysigning "KEY1" "no"

set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
set_zonesigning "KEY2" "no"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

# Next key event is when the DNSKEY becomes HIDDEN. This happens after the
# propagation delay, plus DNSKEY TTL:
# 5m + 2h = 125m = 7500 seconds.
check_next_key_event 7500

#
# Zone: step1.going-straight-to-none.kasp
#
# After the reconfig this zone has dnssec-policy "none"; the existing CSK is
# left in place and must keep signing until its signatures expire.
set_zone "step1.going-straight-to-none.kasp"
set_policy "none" "1" "3600"
set_server "ns6" "10.53.0.6"

# The zone will go bogus after signatures expire, but remains validly signed for now.

# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
# This policy only has one key.
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

#
# Testing KSK/ZSK algorithm rollover.
#
# The rollover migrates the zone from RSASHA1 (algorithm 5) key pairs to
# ECDSAP256SHA256 (algorithm 13); the old keys must stay published until the
# new chain of trust is complete.

# Policy parameters.
# Lksk: unlimited
# Lzsk: unlimited
Lksk=0
Lzsk=0

#
# Zone: step1.algorithm-roll.kasp
#
set_zone "step1.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# Old RSASHA1 keys.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# New ECDSAP256SHA256 keys.
# New ECDSAP256SHA256 keys for step1.algorithm-roll.kasp (continued).
key_clear "KEY3"
set_keyrole "KEY3" "ksk"
set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY3" "yes"
set_zonesigning "KEY3" "no"

key_clear "KEY4"
set_keyrole "KEY4" "zsk"
set_keylifetime "KEY4" "0"
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY4" "no"
set_zonesigning "KEY4" "yes"
# The RSASHA1 keys are outroducing.
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
set_keystate "KEY2" "GOAL" "hidden"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# The ECDSAP256SHA256 keys are introducing.
set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
set_keystate "KEY3" "STATE_DS" "hidden"
set_keystate "KEY4" "GOAL" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys are published and activated.
rollover_predecessor_keytimes 0
# - KSK must be retired since it no longer matches the policy.
# Expected key times for step1.algorithm-roll.kasp (continued). The RETIRED
# time of the old keys is taken from the "; Inactive:" line of their .key
# files, since named wrote it at reconfig time.
keyfile=$(key_get KEY1 BASEFILE)
grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
retired=$(awk '{print $3}' < retired.test${n}.ksk)
set_keytime "KEY1" "RETIRED" "${retired}"
# - The key is removed after the retire interval:
#   IretKSK = TTLds + DprpP + retire-safety
#   TTLds: 2h (7200 seconds)
#   DprpP: 1h (3600 seconds)
#   retire-safety: 2h (7200 seconds)
#   IretKSK: 5h (18000 seconds)
IretKSK=18000
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
keyfile=$(key_get KEY2 BASEFILE)
grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
retired=$(awk '{print $3}' < retired.test${n}.zsk)
set_keytime "KEY2" "RETIRED" "${retired}"
# - The key is removed after the retire interval:
#   IretZSK = TTLsig + Dprp + Dsgn + retire-safety
#   TTLsig: 6h (21600 seconds)
#   Dprp: 1h (3600 seconds)
#   Dsgn: 25d (2160000 seconds)
#   retire-safety: 2h (7200 seconds)
#   IretZSK: 25d9h (2192400 seconds)
IretZSK=2192400
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new KSK is published and activated.
created=$(key_get KEY3 CREATED)
set_keytime "KEY3" "PUBLISHED" "${created}"
set_keytime "KEY3" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
#   TTLsig: 6h (21600 seconds)
#   Dprp: 1h (3600 seconds)
#   publish-safety: 1h (3600 seconds)
#   Ipub: 8h (28800 seconds)
Ipub=28800
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
# - The new ZSK is published and activated.
created=$(key_get KEY4 CREATED)
set_keytime "KEY4" "PUBLISHED" "${created}"
set_keytime "KEY4" "ACTIVE" "${created}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the ecdsa256 keys have been propagated.
# This is the DNSKEY TTL plus publish safety plus zone propagation delay:
# 3 times an hour: 10800 seconds.
check_next_key_event 10800

#
# Zone: step2.algorithm-roll.kasp
#
set_zone "step2.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# The RSASHA1 keys are outroducing, but need to stay present until the new
# algorithm chain of trust has been established. Thus the properties, timings
# and states of the KEY1 and KEY2 are the same as above.

# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent,
# but the zone signatures are not.
set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "omnipresent"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated three hours ago (10800 seconds).
rollover_predecessor_keytimes -10800
# - KSK must be retired since it no longer matches the policy.
#   (In this step the key files carry a CREATED time, so RETIRED is derived
#   from it rather than from the "; Inactive:" line.)
created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "RETIRED" "${created}"
set_addkeytime "KEY1" "REMOVED" "${created}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "RETIRED" "${created}"
set_addkeytime "KEY2" "REMOVED" "${created}" "${IretZSK}"
# - The new keys are published 3 hours ago.
# New-key times for step2.algorithm-roll.kasp (continued).
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -10800
set_addkeytime "KEY3" "ACTIVE" "${created}" -10800
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${Ipub}"

created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -10800
set_addkeytime "KEY4" "ACTIVE" "${created}" -10800

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when all zone signatures are signed with the new
# algorithm. This is the max-zone-ttl plus zone propagation delay
# plus retire safety: 6h + 1h + 2h. But three hours have already passed
# (the time it took to make the DNSKEY omnipresent), so the next event
# should be scheduled in 6 hours: 21600 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
next_time=$((21600-time_passed))
check_next_key_event $next_time

#
# Zone: step3.algorithm-roll.kasp
#
set_zone "step3.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# The ECDSAP256SHA256 keys are introducing.
set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
# The DS can be swapped.
set_keystate "KEY1" "STATE_DS" "unretentive"
set_keystate "KEY3" "STATE_DS" "rumoured"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Check that CDS publication is logged.
check_cdslog "$DIR" "$ZONE" KEY3

# Set expected key times:
# - The old keys were activated 9 hours ago (32400 seconds).
rollover_predecessor_keytimes -32400
# - And retired 6 hours ago (21600 seconds).
# Key times for step3.algorithm-roll.kasp (continued).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -21600
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"

created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "RETIRED" "${created}" -21600
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new keys are published 9 hours ago.
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400
set_addkeytime "KEY3" "ACTIVE" "${created}" -32400
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}

created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400
set_addkeytime "KEY4" "ACTIVE" "${created}" -32400

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Tell named we "saw" the parent swap the DS and see if the next key event is
# scheduled at the correct time.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
# Next key event is when the DS becomes OMNIPRESENT. This happens after the
# parent propagation delay, retire safety delay, and DS TTL:
# 1h + 2h + 2h = 5h = 18000 seconds.
check_next_key_event 18000

#
# Zone: step4.algorithm-roll.kasp
#
set_zone "step4.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
# Expectations for step4.algorithm-roll.kasp (zone set up just above).
set_keysigning "KEY1" "no"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keystate "KEY1" "STATE_DS" "hidden"

set_zonesigning "KEY2" "no"
set_keystate "KEY2" "GOAL" "hidden"
set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
# The ECDSAP256SHA256 DS is now OMNIPRESENT.
set_keystate "KEY3" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated 38 hours ago (136800 seconds).
rollover_predecessor_keytimes -136800
# - And retired 35 hours ago (126000 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -126000
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"

created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "RETIRED" "${created}" -126000
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"

# - The new keys are published 38 hours ago.
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}

created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
set_addkeytime "KEY4" "ACTIVE" "${created}" -136800

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the old DNSKEY becomes HIDDEN. This happens after the
# DNSKEY TTL plus zone propagation delay (2h).
check_next_key_event 7200

#
# Zone: step5.algorithm-roll.kasp
#
set_zone "step5.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# The DNSKEY becomes HIDDEN.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
set_keystate "KEY1" "STATE_KRRSIG" "hidden"
set_keystate "KEY2" "STATE_DNSKEY" "hidden"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated 40 hours ago (144000 seconds)
rollover_predecessor_keytimes -144000
# - And retired 37 hours ago (133200 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -133200
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"

created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "RETIRED" "${created}" -133200
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"

# The new keys are published 40 hours ago.
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000
set_addkeytime "KEY3" "ACTIVE" "${created}" -144000
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}

created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000
set_addkeytime "KEY4" "ACTIVE" "${created}" -144000

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the RSASHA1 signatures become HIDDEN. This happens
# after the max-zone-ttl plus zone propagation delay plus retire safety
# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
# been reached (2h): 9h - 2h = 7h = 25200 seconds.
# Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
next_time=$((25200-time_passed))
check_next_key_event $next_time

#
# Zone: step6.algorithm-roll.kasp
#
set_zone "step6.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# The old zone signatures (KEY2) should now also be HIDDEN.
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated 47 hours ago (169200 seconds)
rollover_predecessor_keytimes -169200
# - And retired 44 hours ago (158400 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -158400
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"

created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "RETIRED" "${created}" -158400
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"

# The new keys are published 47 hours ago.
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200
set_addkeytime "KEY3" "ACTIVE" "${created}" -169200
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}

created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200
set_addkeytime "KEY4" "ACTIVE" "${created}" -169200

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is never since we established the policy and the keys have
# an unlimited lifetime. Fallback to the default loadkeys interval.
check_next_key_event 3600

#
# Testing CSK algorithm rollover.
#
# Same RSASHA1 -> ECDSAP256SHA256 migration as above, with a single CSK on
# each side instead of a KSK/ZSK pair.

# Policy parameters.
# Lcsk: unlimited
# NOTE(review): the variable is spelled Lcksk while the comment says Lcsk; it
# is not referenced in the visible part of this file, so the spelling is left
# as is.
Lcksk=0

#
# Zone: step1.csk-algorithm-roll.kasp
#
set_zone "step1.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# Old RSASHA1 key.
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# New ECDSAP256SHA256 key.
key_clear "KEY2"
set_keyrole "KEY2" "csk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "yes"
set_zonesigning "KEY2" "yes"
key_clear "KEY3"
key_clear "KEY4"
# The RSASHA1 key is outroducing.
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
# The ECDSAP256SHA256 key is introducing.
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY2" "STATE_DS" "hidden"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - CSK must be retired since it no longer matches the policy.
# Expected key times for step1.csk-algorithm-roll.kasp (continued). As in the
# KSK/ZSK case, RETIRED comes from the "; Inactive:" line of the key file.
csk_rollover_predecessor_keytimes 0
keyfile=$(key_get KEY1 BASEFILE)
grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
retired=$(awk '{print $3}' < retired.test${n}.ksk)
set_keytime "KEY1" "RETIRED" "${retired}"
# - The key is removed after the retire interval:
#   IretCSK = TTLsig + Dprp + Dsgn + retire-safety
#   TTLsig: 6h (21600 seconds)
#   Dprp: 1h (3600 seconds)
#   Dsgn: 25d (2160000 seconds)
#   retire-safety: 2h (7200 seconds)
#   IretCSK: 25d9h (2192400 seconds)
IretCSK=2192400
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new CSK is published and activated.
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "PUBLISHED" "${created}"
set_keytime "KEY2" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
#   TTLsig: 6h (21600 seconds)
#   Dprp: 1h (3600 seconds)
#   publish-safety: 1h (3600 seconds)
#   Ipub: 8h (28800 seconds)
Ipub=28800
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the new key has been propagated.
# This is the DNSKEY TTL plus publish safety plus zone propagation delay:
# 3 times an hour: 10800 seconds.
check_next_key_event 10800

#
# Zone: step2.csk-algorithm-roll.kasp
#
set_zone "step2.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# The RSASHA1 key is outroducing, but needs to stay present until the new
# algorithm chain of trust has been established. Thus the properties, timings
# and states of KEY1 are the same as above.
#
# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent,
# but the zone signatures are not.
# Expectations for step2.csk-algorithm-roll.kasp (zone set up just above).
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old key was activated three hours ago (10800 seconds).
csk_rollover_predecessor_keytimes -10800
# - CSK must be retired since it no longer matches the policy.
created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "RETIRED" "${created}"
set_addkeytime "KEY1" "REMOVED" "${created}" "${IretCSK}"
# - The new key was published 3 hours ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -10800
set_addkeytime "KEY2" "ACTIVE" "${created}" -10800
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when all zone signatures are signed with the new
# algorithm. This is the max-zone-ttl plus zone propagation delay
# plus retire safety: 6h + 1h + 2h. But three hours have already passed
# (the time it took to make the DNSKEY omnipresent), so the next event
# should be scheduled in 6 hours: 21600 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
next_time=$((21600-time_passed))
check_next_key_event $next_time

#
# Zone: step3.csk-algorithm-roll.kasp
#
set_zone "step3.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# The RSASHA1 key is outroducing, and it is time to swap the DS.
# The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures
# are now omnipresent, so the DS can be introduced.
# Expectations for step3.csk-algorithm-roll.kasp (zone set up just above).
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
set_keystate "KEY1" "STATE_DS" "unretentive"
set_keystate "KEY2" "STATE_DS" "rumoured"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Check that CDS publication is logged.
check_cdslog "$DIR" "$ZONE" KEY2

# Set expected key times:
# - The old key was activated 9 hours ago (32400 seconds).
csk_rollover_predecessor_keytimes -32400
# - And was retired 6 hours ago (21600 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -21600
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 9 hours ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400
set_addkeytime "KEY2" "ACTIVE" "${created}" -32400
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# We ignore any parent registration delay, so set the DS publish time to now.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
# Next key event is when the DS becomes OMNIPRESENT. This happens after the
# parent propagation delay, retire safety delay, and DS TTL:
# 1h + 2h + 2h = 5h = 18000 seconds.
check_next_key_event 18000

#
# Zone: step4.csk-algorithm-roll.kasp
#
set_zone "step4.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
# Expectations for step4.csk-algorithm-roll.kasp (zone set up just above).
set_keysigning "KEY1" "no"
set_zonesigning "KEY1" "no"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
set_keystate "KEY1" "STATE_DS" "hidden"
# The ECDSAP256SHA256 DS is now OMNIPRESENT.
set_keystate "KEY2" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old key was activated 38 hours ago (136800 seconds)
csk_rollover_predecessor_keytimes -136800
# - And retired 35 hours ago (126000 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -126000
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 38 hours ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the old DNSKEY becomes HIDDEN. This happens after the
# DNSKEY TTL plus zone propagation delay (2h).
check_next_key_event 7200

#
# Zone: step5.csk-algorithm-roll.kasp
#
set_zone "step5.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# The DNSKEY becomes HIDDEN.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
set_keystate "KEY1" "STATE_KRRSIG" "hidden"

# Various signing policy checks.
# Remaining checks for step5.csk-algorithm-roll.kasp (set up just above).
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old key was activated 40 hours ago (144000 seconds)
csk_rollover_predecessor_keytimes -144000
# - And retired 37 hours ago (133200 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -133200
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 40 hours ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000
set_addkeytime "KEY2" "ACTIVE" "${created}" -144000
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the RSASHA1 signatures become HIDDEN. This happens
# after the max-zone-ttl plus zone propagation delay plus retire safety
# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
next_time=$((25200-time_passed))
check_next_key_event $next_time

#
# Zone: step6.csk-algorithm-roll.kasp
#
set_zone "step6.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# The zone signatures should now also be HIDDEN.
set_keystate "KEY1" "STATE_ZRRSIG" "hidden"

# Various signing policy checks.
4668check_keys 4669wait_for_done_signing 4670check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 4671 4672# Set expected key times: 4673# - The old keys were activated 47 hours ago (169200 seconds) 4674csk_rollover_predecessor_keytimes -169200 4675# - And retired 44 hours ago (158400 seconds). 4676created=$(key_get KEY1 CREATED) 4677set_addkeytime "KEY1" "RETIRED" "${created}" -158400 4678retired=$(key_get KEY1 RETIRED) 4679set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" 4680# - The new key was published 47 hours ago. 4681created=$(key_get KEY2 CREATED) 4682set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200 4683set_addkeytime "KEY2" "ACTIVE" "${created}" -169200 4684published=$(key_get KEY2 PUBLISHED) 4685set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} 4686 4687# Continue signing policy checks. 4688check_keytimes 4689check_apex 4690check_subdomain 4691dnssec_verify 4692 4693# Next key event is never since we established the policy and the keys have 4694# an unlimited lifetime. Fallback to the default loadkeys interval. 
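check_next_key_event 3600

#######################################
# Compare a fresh SOA lookup of zone "example" on ns6 with the snapshot taken
# before the zone change (dig.out.ns6.test$n.soa1): the serial must have
# increased and both TTLs must match the expected values. Meant to be run
# under retry_quiet, so every failure path returns 1 instead of exiting.
# Globals:   n (read), soa1 soa2 ttl1 ttl2 (written)
# Arguments: $1 - expected SOA TTL in the earlier snapshot
#            $2 - expected SOA TTL in the fresh answer
# Outputs:   writes the fresh answer to dig.out.ns6.test$n.soa2
# Returns:   0 when the serial increased and both TTLs match, 1 otherwise
#######################################
_check_soa_ttl() {
  dig_with_opts @10.53.0.6 example SOA > "dig.out.ns6.test$n.soa2" || return 1
  # Assumes dig's default answer layout "<owner> <ttl> IN SOA <mname> <rname>
  # <serial> ...": column 2 is the TTL, column 7 the serial.
  soa1=$(awk '$4 == "SOA" { print $7 }' "dig.out.ns6.test$n.soa1")
  soa2=$(awk '$4 == "SOA" { print $7 }' "dig.out.ns6.test$n.soa2")
  ttl1=$(awk '$4 == "SOA" { print $2 }' "dig.out.ns6.test$n.soa1")
  ttl2=$(awk '$4 == "SOA" { print $2 }' "dig.out.ns6.test$n.soa2")
  # A missing SOA (empty file, SERVFAIL) falls back to values that make the
  # comparison fail rather than feeding an empty word to 'test'. Expansions
  # are quoted so a multi-line or empty value cannot reshuffle the operands.
  test "${soa1:-1000}" -lt "${soa2:-0}" || return 1
  test "${ttl1:-0}" -eq "$1" || return 1
  test "${ttl2:-0}" -eq "$2" || return 1
}

n=$((n+1))
echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)"
# Query without TSIG: dig_with_opts only adds -y when TSIG is non-empty.
TSIG=
ret=0
dig_with_opts @10.53.0.6 example SOA > "dig.out.ns6.test$n.soa1" || ret=1
cp ns6/example2.db.in ns6/example.db || ret=1
# Presumably advances the named.run read position so wait_for_log below only
# matches lines logged by this reload.
nextpart ns6/named.run > /dev/null
rndccmd 10.53.0.6 reload || ret=1
wait_for_log 3 "all zones loaded" ns6/named.run
# Check that the SOA SERIAL increases and check the TTLs (should be 300 as
# defined in ns6/example2.db.in).
retry_quiet 10 _check_soa_ttl 300 300 || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "Check that restart with zone changes and deleted journal works ($n)"
TSIG=
ret=0
dig_with_opts @10.53.0.6 example SOA > "dig.out.ns6.test$n.soa1" || ret=1
stop_server --use-rndc --port "${CONTROLPORT}" kasp ns6
# TTL of all records change from 300 to 400
cp ns6/example3.db.in ns6/example.db || ret=1
# The journal must actually be gone for this test to exercise the "deleted
# journal" path, so a failed removal is counted as a test failure instead of
# being silently ignored.
rm -- ns6/example.db.jnl || ret=1
nextpart ns6/named.run > /dev/null
start_server --noclean --restart --port "${PORT}" kasp ns6
wait_for_log 3 "all zones loaded" ns6/named.run
# Check that the SOA SERIAL increases and check the TTLs (should be changed
# from 300 to 400 as defined in ns6/example3.db.in).
retry_quiet 10 _check_soa_ttl 300 400 || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1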