Add kasp test policy goes straight to "none"
Add a test case for a dnssec-policy that is reconfigured to "none" without first being set to "insecure". This is unsupported behavior, but we want to make sure the resulting behavior is still predictable. The zone should remain signed (but will go bogus once the signatures expire).
This commit is contained in:
parent
75024736a4
commit
287428e0aa
4 changed files with 97 additions and 0 deletions
|
|
@ -50,6 +50,12 @@ zone "step1.going-insecure-dynamic.kasp" {
|
|||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "step1.going-straight-to-none.kasp" {
|
||||
type master;
|
||||
file "step1.going-straight-to-none.kasp.db";
|
||||
dnssec-policy "default";
|
||||
};
|
||||
|
||||
/* These are alorithm rollover test zones. */
|
||||
zone "step1.algorithm-roll.kasp" {
|
||||
type primary;
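Review bot: The added `step1.going-straight-to-none.kasp` zone declares `type master;` while the neighbouring `step1.algorithm-roll.kasp` zone in the same hunk uses `type primary;`, so the new block is written in the older synonym next to the newer one; change it to `type primary;` for consistency. The same applies to the second config hunk for this zone (the one that switches it to `dnssec-policy "none";`). The `allow-update { any; };` line above is pre-existing context for another zone and is not part of this change.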
|
||||
|
|
|
|||
|
|
@ -62,6 +62,12 @@ zone "step2.going-insecure-dynamic.kasp" {
|
|||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "step1.going-straight-to-none.kasp" {
|
||||
type master;
|
||||
file "step1.going-straight-to-none.kasp.db";
|
||||
dnssec-policy "none";
|
||||
};
|
||||
|
||||
/*
|
||||
* Zones for testing KSK/ZSK algorithm roll.
|
||||
*/
|
||||
|
|
|
|||
|
|
@ -78,6 +78,17 @@ do
|
|||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
|
||||
done
|
||||
|
||||
# This zone is going straight to "none" policy. This is undefined behavior.
|
||||
setup step1.going-straight-to-none.kasp
|
||||
echo "$zone" >> zones
|
||||
TactN="now"
|
||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
|
||||
CSK=$($KEYGEN -k default $csktimes $zone 2> keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" > "$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
|
||||
$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
|
||||
|
||||
#
|
||||
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
|
||||
# algorithm rollover.
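Review bot: The comment `# This zone is going straight to "none" policy. This is undefined behavior.` calls the transition undefined, while the commit message calls it unsupported and states the expected outcome (the zone stays signed until its signatures expire); the comment should say the latter so a reader knows what the test guards, e.g. `# This zone goes straight from "default" to "none" policy in step 2. That transition is unsupported, but the zone must stay signed until its signatures expire.` Separately, `CSK=$($KEYGEN -k default $csktimes $zone 2> keygen.out.$zone.1)` is not checked, so a failed keygen leaves `CSK` empty and the later `cat template.db.in "${CSK}.key"` fails with a misleading error; this mirrors the existing style in the file, but a `[ -n "$CSK" ] || exit 1` after the assignment would make the failure point obvious. The `setup` helper and `$O` are defined outside this hunk, so their behaviour is assumed here.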
|
||||
|
|
|
|||
|
|
@ -3558,6 +3558,44 @@ check_apex
|
|||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
#
|
||||
# Zone step1.going-straight-to-none.kasp
|
||||
#
|
||||
set_zone "step1.going-straight-to-none.kasp"
|
||||
set_policy "default" "1" "3600"
|
||||
set_server "ns6" "10.53.0.6"
|
||||
# Key properties.
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "yes"
|
||||
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
|
||||
set_keystate "KEY1" "GOAL" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DS" "omnipresent"
|
||||
# This policy only has one key.
|
||||
key_clear "KEY2"
|
||||
key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
|
||||
# The first key is immediately published and activated.
|
||||
created=$(key_get KEY1 CREATED)
|
||||
set_keytime "KEY1" "PUBLISHED" "${created}"
|
||||
set_keytime "KEY1" "ACTIVE" "${created}"
|
||||
set_keytime "KEY1" "SYNCPUBLISH" "${created}"
|
||||
# Key lifetime is unlimited, so not setting RETIRED and REMOVED.
|
||||
check_keytimes
|
||||
|
||||
check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
# Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy
|
||||
# changes).
|
||||
echo_i "reconfig dnssec-policy to trigger algorithm rollover"
|
||||
|
|
@ -3745,6 +3783,42 @@ check_subdomain
|
|||
# 5m + 2h = 125m = 7500 seconds.
|
||||
check_next_key_event 7500
|
||||
|
||||
#
|
||||
# Zone: step1.going-straight-to-none.kasp
|
||||
#
|
||||
set_zone "step1.going-straight-to-none.kasp"
|
||||
set_policy "none" "1" "3600"
|
||||
set_server "ns6" "10.53.0.6"
|
||||
|
||||
# The zone will go bogus after signatures expire, but remains validly signed for now.
|
||||
|
||||
# Key properties.
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "yes"
|
||||
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
|
||||
set_keystate "KEY1" "GOAL" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DS" "omnipresent"
|
||||
# This policy only has one key.
|
||||
key_clear "KEY2"
|
||||
key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
|
||||
# Various signing policy checks.
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
echo_i "status: $status"
|
||||
exit $status
|
||||
|
||||
#
|
||||
# Testing KSK/ZSK algorithm rollover.
|
||||
#
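Review bot: The comment `# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.` contradicts the `set_keystate "KEY1" "STATE_DS" "omnipresent"` line that follows it, in both the `default` block added at +3558 and the `none` block added at +3783. The setup.sh hunk in this commit pre-sets every state including DS with `$SETTIME ... -d $O $TactN`, so the comment should reflect that, e.g. `# All key states, including DS, were pre-set to omnipresent in setup.sh.` In the `none` block the comment `# The zone will go bogus after signatures expire, but remains validly signed for now.` describes behaviour the checks below do not exercise: they only assert the current key state and a valid signature; if the intent is to pin the "signatures are no longer maintained" outcome, a follow-up check of the RRSIG expiry would be worth adding, though that may be out of scope for this commit. The surrounding test flow (`set_zone`, `check_keys`, `check_apex`) is defined outside these hunks.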
|
||||
|
|
|
|||