From 8a4787d58519150cc5ecafc9e34546f7d3f04759 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Thu, 27 Feb 2020 18:15:07 +0100 Subject: [PATCH 1/6] Replace zone_properties --- bin/tests/system/kasp/tests.sh | 443 +++++++++++++++++++++++++-------- 1 file changed, 334 insertions(+), 109 deletions(-) diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index d5f6b1808a..c6e49d99d3 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -99,6 +99,7 @@ key_clear() { key_clear "KEY1" key_clear "KEY2" key_clear "KEY3" +key_clear "KEY4" ############################################################################### # Utilities # @@ -142,24 +143,20 @@ log_error() { test $_log -eq 1 && echo_i "error: $1" ret=$((ret+1)) } - -# Set zone properties for testing keys. -# $1: Key directory -# $2: Zone name -# $3: Policy name -# $4: DNSKEY TTL -# $5: Number of keys -# $6: Name server -# -# This will set the following environment variables for testing: -# DIR, ZONE, POLICY, DNSKEY_TTL, NUM_KEYS, SERVER -zone_properties() { +# Set server key-directory ($1) and address ($2) for testing keys. +set_server() { DIR=$1 - ZONE=$2 - POLICY=$3 - DNSKEY_TTL=$4 - NUM_KEYS=$5 - SERVER=$6 + SERVER=$2 +} +# Set zone name for testing keys. +set_zone() { + ZONE=$1 +} +# Set policy settings (name $1, number of keys $2, dnskey ttl $3) for testing keys. +set_policy() { + POLICY=$1 + NUM_KEYS=$2 + DNSKEY_TTL=$3 } # Set key properties for testing keys. @@ -229,8 +226,7 @@ key_states() { } # Check the key $1 with id $2. -# This requires environment variables to be set with 'zone_properties', -# 'key_properties', 'key_timings', and 'key_states'. +# This requires environment variables to be set. # # This will set the following environment variables for testing: # BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" 
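Review bot: The three new setters in the @@ -142 hunk drop the documentation the replaced zone_properties carried, so a reader of check_key no longer finds where DIR, SERVER, ZONE, POLICY, NUM_KEYS and DNSKEY_TTL come from. A header on each would restore that, e.g. above set_policy: `# Sets POLICY ($1), NUM_KEYS ($2) and DNSKEY_TTL ($3); note the argument order differs from the old zone_properties (ttl, count).` and above set_server: `# Sets DIR ($1) and SERVER ($2); call set_zone, set_policy and set_server before check_keys.` Naming the order explicitly matters because every call site below was transposed by hand.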
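Review bot: The rewritten comment in the @@ -229 hunk, "This requires environment variables to be set.", is vaguer than the text it replaces and no longer tells the reader which helpers populate them. Suggested wording: `# This requires environment variables to be set with 'set_zone', 'set_policy', 'set_server', 'key_properties', 'key_timings', and 'key_states'.` The same replacement applies to the identical comment in the @@ -404 hunk (there only set_zone/set_policy/set_server and key_properties).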
@@ -404,8 +400,7 @@ check_key() { } # Check the key with key id $1 and see if it is unused. -# This requires environment variables to be set with 'zone_properties', -# and 'key_properties'. +# This requires environment variables to be set. # # This will set the following environment variables for testing: # BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" @@ -475,14 +470,16 @@ next_key_event_threshold=100 # # dnssec-keygen # -zone_properties "keys" "kasp" "kasp" "200" "10.53.0.1" +set_zone "kasp" +set_policy "kasp" "4" "200" +set_server "keys" "10.53.0.1" n=$((n+1)) echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)" ret=0 $KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 lines=$(wc -l < "keygen.out.$POLICY.test$n") -test "$lines" -eq 4 || log_error "wrong number of keys created for policy kasp: $lines" +test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy kasp: $lines" # Temporarily don't log errors because we are searching multiple files. _log=0 @@ -503,7 +500,7 @@ key_timings "KEY4" "none" "none" "none" "none" "none" key_states "KEY4" "none" "none" "none" "none" "none" lines=$(get_keyids "$DIR" "$ZONE" | wc -l) -test "$lines" -eq 4 || log_error "bad number of key ids" +test "$lines" -eq $NUM_KEYS || log_error "bad number of key ids" ids=$(get_keyids "$DIR" "$ZONE") for id in $ids; do @@ -530,7 +527,10 @@ _log=1 n=$((n+1)) echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)" ret=0 -zone_properties "." "kasp" "default" "3600" "10.53.0.1" +set_zone "kasp" +set_policy "default" "1" "3600" +set_server "." "10.53.0.1" + key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY1" "none" "none" "none" "none" "none" key_states "KEY1" "none" "none" "none" "none" "none" 
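Review bot: In the @@ -475 hunk the new comparison leaves `$NUM_KEYS` unquoted: `test "$lines" -eq $NUM_KEYS`. If set_policy was not called (or was called with an empty count) this degrades to `test N -eq` and reports a usage error instead of the intended log_error; `test "$lines" -eq "$NUM_KEYS" || log_error "..."` keeps the failure on the test's own path. The same pattern appears in the @@ -503 hunk and the @@ -547 hunk. Since the expected count now comes from `$POLICY`'s settings, the hardcoded "policy kasp"/"policy default" in those messages could also read `"wrong number of keys created for policy $POLICY: $lines"`.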
@@ -547,13 +547,12 @@ status=$((status+ret)) n=$((n+1)) echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)" ret=0 -zone_properties "." "kasp" "default" "3600" "10.53.0.1" key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY1" "none" "none" "none" "none" "none" key_states "KEY1" "none" "none" "none" "none" "none" $KEYGEN -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 lines=$(wc -l < "keygen.out.$POLICY.test$n") -test "$lines" -eq 1 || log_error "wrong number of keys created for policy default: $lines" +test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy default: $lines" ids=$(get_keyids "$DIR" "$ZONE") for id in $ids; do check_key "KEY1" "$id" @@ -658,7 +657,10 @@ next_key_event_threshold=$((next_key_event_threshold+i)) # # Check the zone with default kasp policy has loaded and is signed. -zone_properties "ns3" "default.kasp" "default" "3600" "1" "10.53.0.3" +set_zone "default.kasp" +set_policy "default" "1" "3600" +set_server "ns3" "10.53.0.3" + key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes" # The first key is immediately published and activated. key_timings "KEY1" "published" "active" "none" "none" "none" "none" @@ -744,7 +746,10 @@ status=$((status+ret)) # # Zone: rsasha1.kasp. # -zone_properties "ns3" "rsasha1.kasp" "rsasha1" "1234" "3" "10.53.0.3" +set_zone "rsasha1.kasp" +set_policy "rsasha1" "3" "1234" +set_server "ns3" "10.53.0.3" + key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes" key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "2048" "yes" "no" key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no" @@ -1067,7 +1072,10 @@ dnssec_verify # # Zone: unsigned.kasp. # -zone_properties "ns3" "unsigned.kasp" "none" "0" "0" "10.53.0.3" +set_zone "unsigned.kasp" +set_policy "none" "0" "0" +set_server "ns3" "10.53.0.3" + key_clear "KEY1" key_clear "KEY2" key_clear "KEY3" 
@@ -1079,7 +1087,10 @@ check_subdomain
 #
 # Zone: unlimited.kasp.
 #
-zone_properties "ns3" "unlimited.kasp" "unlimited" "1234" "1" "10.53.0.3"
+set_zone "unlimited.kasp"
+set_policy "unlimited" "1" "1234"
+set_server "ns3" "10.53.0.3"
+
 key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
 key_clear "KEY2"
 key_clear "KEY3"
@@ -1096,7 +1107,10 @@ dnssec_verify
 #
 # Zone: inherit.kasp.
 #
-zone_properties "ns3" "inherit.kasp" "rsasha1" "1234" "3" "10.53.0.3"
+set_zone "inherit.kasp"
+set_policy "rsasha1" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
 key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes"
 key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "2048" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no"
@@ -1119,7 +1133,10 @@ dnssec_verify
 #
 # Zone: dnssec-keygen.kasp.
 #
-zone_properties "ns3" "dnssec-keygen.kasp" "rsasha1" "1234" "3" "10.53.0.3"
+set_zone "dnssec-keygen.kasp"
+set_policy "rsasha1" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
 # key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
@@ -1129,7 +1146,10 @@ dnssec_verify
 #
 # Zone: some-keys.kasp.
 #
-zone_properties "ns3" "some-keys.kasp" "rsasha1" "1234" "3" "10.53.0.3"
+set_zone "some-keys.kasp"
+set_policy "rsasha1" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
 # key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
@@ -1139,7 +1159,10 @@ dnssec_verify
 #
 # Zone: legacy-keys.kasp.
 #
-zone_properties "ns3" "legacy-keys.kasp" "rsasha1" "1234" "3" "10.53.0.3"
+set_zone "legacy-keys.kasp"
+set_policy "rsasha1" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
 # key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
@@ -1151,7 +1174,10 @@ dnssec_verify
 #
 # There are more pregenerated keys than needed, hence the number of keys is
 # six, not three.
-zone_properties "ns3" "pregenerated.kasp" "rsasha1" "1234" "6" "10.53.0.3"
+set_zone "pregenerated.kasp"
+set_policy "rsasha1" "6" "1234"
+set_server "ns3" "10.53.0.3"
+
 # key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
@@ -1162,7 +1188,10 @@ dnssec_verify
 # Zone: rumoured.kasp.
 #
 # There are three keys in rumoured state.
-zone_properties "ns3" "rumoured.kasp" "rsasha1" "1234" "3" "10.53.0.3"
+set_zone "rumoured.kasp"
+set_policy "rsasha1" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
 # key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
@@ -1172,7 +1201,10 @@ dnssec_verify
 #
 # Zone: secondary.kasp.
 #
-zone_properties "ns3" "secondary.kasp" "rsasha1" "1234" "3" "10.53.0.3"
+set_zone "secondary.kasp"
+set_policy "rsasha1" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
 # KSK properties, timings and states same as above.
 check_keys
 check_apex
@@ -1218,7 +1250,10 @@ status=$((status+ret))
 #
 # Zone: rsasha1-nsec3.kasp.
 #
-zone_properties "ns3" "rsasha1-nsec3.kasp" "rsasha1-nsec3" "1234" "3" "10.53.0.3"
+set_zone "rsasha1-nsec3.kasp"
+set_policy "rsasha1-nsec3" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
 key_properties "KEY1" "ksk" "315360000" "7" "NSEC3RSASHA1" "2048" "no" "yes"
 key_properties "KEY2" "zsk" "157680000" "7" "NSEC3RSASHA1" "2048" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "7" "NSEC3RSASHA1" "2000" "yes" "no"
@@ -1231,7 +1266,10 @@ dnssec_verify
 #
 # Zone: rsasha256.kasp.
 #
-zone_properties "ns3" "rsasha256.kasp" "rsasha256" "1234" "3" "10.53.0.3"
+set_zone "rsasha256.kasp"
+set_policy "rsasha256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
 key_properties "KEY1" "ksk" "315360000" "8" "RSASHA256" "2048" "no" "yes"
 key_properties "KEY2" "zsk" "157680000" "8" "RSASHA256" "2048" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "8" "RSASHA256" "2000" "yes" "no"
@@ -1244,7 +1282,10 @@ dnssec_verify
 #
 # Zone: rsasha512.kasp.
 #
-zone_properties "ns3" "rsasha512.kasp" "rsasha512" "1234" "3" "10.53.0.3"
+set_zone "rsasha512.kasp"
+set_policy "rsasha512" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
 key_properties "KEY1" "ksk" "315360000" "10" "RSASHA512" "2048" "no" "yes"
 key_properties "KEY2" "zsk" "157680000" "10" "RSASHA512" "2048" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "10" "RSASHA512" "2000" "yes" "no"
@@ -1257,7 +1298,10 @@ dnssec_verify
 #
 # Zone: ecdsa256.kasp.
 #
-zone_properties "ns3" "ecdsa256.kasp" "ecdsa256" "1234" "3" "10.53.0.3"
+set_zone "ecdsa256.kasp"
+set_policy "ecdsa256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
 key_properties "KEY1" "ksk" "315360000" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_properties "KEY2" "zsk" "157680000" "13" "ECDSAP256SHA256" "256" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "no"
@@ -1270,7 +1314,10 @@ dnssec_verify
 #
 # Zone: ecdsa512.kasp.
 #
-zone_properties "ns3" "ecdsa384.kasp" "ecdsa384" "1234" "3" "10.53.0.3"
+set_zone "ecdsa384.kasp"
+set_policy "ecdsa384" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
 key_properties "KEY1" "ksk" "315360000" "14" "ECDSAP384SHA384" "384" "no" "yes"
 key_properties "KEY2" "zsk" "157680000" "14" "ECDSAP384SHA384" "384" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "14" "ECDSAP384SHA384" "384" "yes" "no"
@@ -1285,7 +1332,10 @@ dnssec_verify
 #
 # Zone: expired-sigs.autosign.
 #
-zone_properties "ns3" "expired-sigs.autosign" "autosign" "300" "2" "10.53.0.3"
+set_zone "expired-sigs.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+
 # Both KSK and ZSK stay OMNIPRESENT.
 key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
@@ -1347,7 +1397,10 @@ check_rrsig_refresh
 #
 # Zone: fresh-sigs.autosign.
 #
-zone_properties "ns3" "fresh-sigs.autosign" "autosign" "300" "2" "10.53.0.3"
+set_zone "fresh-sigs.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+
 # key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
@@ -1399,7 +1452,10 @@ check_rrsig_reuse
 #
 # Zone: unfresh-sigs.autosign.
 #
-zone_properties "ns3" "unfresh-sigs.autosign" "autosign" "300" "2" "10.53.0.3"
+set_zone "unfresh-sigs.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+
 # key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
@@ -1410,7 +1466,10 @@ check_rrsig_refresh
 #
 # Zone: zsk-missing.autosign.
 #
-zone_properties "ns3" "zsk-missing.autosign" "autosign" "300" "2" "10.53.0.3"
+set_zone "zsk-missing.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+
 # KSK stays OMNIPRESENT.
 key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
@@ -1421,7 +1480,10 @@ key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
 #
 # Zone: zsk-retired.autosign.
 #
-zone_properties "ns3" "zsk-retired.autosign" "autosign" "300" "3" "10.53.0.3"
+set_zone "zsk-retired.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+
 # KSK properties, timings and states same as above.
 # The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK
 # is active.
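Review bot: In the @@ -1421 hunk (zone zsk-retired.autosign) the key count changes from the replaced call's "3" to `set_policy "autosign" "2" "300"`, while every other hunk carries the old count over unchanged. The following comment says a new ZSK is being introduced next to the retiring one, which reads as three keys on disk, so this looks like a transposition slip rather than an intended change; if NUM_KEYS is what check_keys compares against, the expectation for this zone is now different. If the "2" is deliberate, the commit message should say why, otherwise restore `set_policy "autosign" "3" "300"`.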
@@ -1453,61 +1515,81 @@ key_clear "KEY1" key_clear "KEY2" key_clear "KEY3" -zone_properties "ns2" "unsigned.tld" "none" "0" "0" "10.53.0.2" +set_zone "unsigned.tld" +set_policy "none" "0" "0" +set_server "ns2" "10.53.0.2" TSIG="" check_keys check_apex check_subdomain -zone_properties "ns4" "none.inherit.signed" "none" "0" "0" "10.53.0.4" +set_zone "none.inherit.signed" +set_policy "none" "0" "0" +set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:sha1:$SHA1" check_keys check_apex check_subdomain -zone_properties "ns4" "none.override.signed" "none" "0" "0" "10.53.0.4" +set_zone "none.override.signed" +set_policy "none" "0" "0" +set_server "ns4" "10.53.0.4" TSIG="hmac-sha224:sha224:$SHA224" check_keys check_apex check_subdomain -zone_properties "ns4" "inherit.none.signed" "none" "0" "0" "10.53.0.4" +set_zone "inherit.none.signed" +set_policy "none" "0" "0" +set_server "ns4" "10.53.0.4" TSIG="hmac-sha256:sha256:$SHA256" check_keys check_apex check_subdomain -zone_properties "ns4" "none.none.signed" "none" "0" "0" "10.53.0.4" +set_zone "none.none.signed" +set_policy "none" "0" "0" +set_server "ns4" "10.53.0.4" TSIG="hmac-sha256:sha256:$SHA256" check_keys check_apex check_subdomain -zone_properties "ns5" "inherit.inherit.unsigned" "none" "0" "0" "10.53.0.5" +set_zone "inherit.inherit.unsigned" +set_policy "none" "0" "0" +set_server "ns5" "10.53.0.5" TSIG="hmac-sha1:sha1:$SHA1" check_keys check_apex check_subdomain -zone_properties "ns5" "none.inherit.unsigned" "none" "0" "0" "10.53.0.5" +set_zone "none.inherit.unsigned" +set_policy "none" "0" "0" +set_server "ns5" "10.53.0.5" TSIG="hmac-sha1:sha1:$SHA1" check_keys check_apex check_subdomain -zone_properties "ns5" "none.override.unsigned" "none" "0" "0" "10.53.0.5" +set_zone "none.override.unsigned" +set_policy "none" "0" "0" +set_server "ns5" "10.53.0.5" TSIG="hmac-sha224:sha224:$SHA224" check_keys check_apex check_subdomain -zone_properties "ns5" "inherit.none.unsigned" "none" "0" "0" "10.53.0.5" +set_zone 
"inherit.none.unsigned" +set_policy "none" "0" "0" +set_server "ns5" "10.53.0.5" TSIG="hmac-sha256:sha256:$SHA256" check_keys check_apex check_subdomain -zone_properties "ns5" "none.none.unsigned" "none" "0" "0" "10.53.0.5" +set_zone "none.none.unsigned" +set_policy "none" "0" "0" +set_server "ns5" "10.53.0.5" TSIG="hmac-sha256:sha256:$SHA256" check_keys check_apex @@ -1523,35 +1605,45 @@ key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY1" "published" "active" "none" "none" "none" key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden" -zone_properties "ns2" "signed.tld" "default" "3600" "1" "10.53.0.2" +set_zone "signed.tld" +set_policy "default" "1" "3600" +set_server "ns2" "10.53.0.2" TSIG="" check_keys check_apex check_subdomain dnssec_verify -zone_properties "ns4" "override.inherit.signed" "default" "3600" "1" "10.53.0.4" +set_zone "override.inherit.signed" +set_policy "default" "1" "3600" +set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:sha1:$SHA1" check_keys check_apex check_subdomain dnssec_verify -zone_properties "ns4" "inherit.override.signed" "default" "3600" "1" "10.53.0.4" +set_zone "inherit.override.signed" +set_policy "default" "1" "3600" +set_server "ns4" "10.53.0.4" TSIG="hmac-sha224:sha224:$SHA224" check_keys check_apex check_subdomain dnssec_verify -zone_properties "ns5" "override.inherit.unsigned" "default" "3600" "1" "10.53.0.5" +set_zone "override.inherit.unsigned" +set_policy "default" "1" "3600" +set_server "ns5" "10.53.0.5" TSIG="hmac-sha1:sha1:$SHA1" check_keys check_apex check_subdomain dnssec_verify -zone_properties "ns5" "inherit.override.unsigned" "default" "3600" "1" "10.53.0.5" +set_zone "inherit.override.unsigned" +set_policy "default" "1" "3600" +set_server "ns5" "10.53.0.5" TSIG="hmac-sha224:sha224:$SHA224" check_keys check_apex 
@@ -1568,35 +1660,45 @@ key_properties "KEY1" "csk" "0" "14" "ECDSAP384SHA384" "384" "yes" "yes" key_timings "KEY1" "published" "active" "none" "none" "none" key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden" -zone_properties "ns4" "inherit.inherit.signed" "test" "3600" "1" "10.53.0.4" +set_zone "inherit.inherit.signed" +set_policy "test" "1" "3600" +set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:sha1:$SHA1" check_keys check_apex check_subdomain dnssec_verify -zone_properties "ns4" "override.override.signed" "test" "3600" "1" "10.53.0.4" +set_zone "override.override.signed" +set_policy "test" "1" "3600" +set_server "ns4" "10.53.0.4" TSIG="hmac-sha224:sha224:$SHA224" check_keys check_apex check_subdomain dnssec_verify -zone_properties "ns4" "override.none.signed" "test" "3600" "1" "10.53.0.4" +set_zone "override.none.signed" +set_policy "test" "1" "3600" +set_server "ns4" "10.53.0.4" TSIG="hmac-sha256:sha256:$SHA256" check_keys check_apex check_subdomain dnssec_verify -zone_properties "ns5" "override.override.unsigned" "test" "3600" "1" "10.53.0.5" +set_zone "override.override.unsigned" +set_policy "test" "1" "3600" +set_server "ns5" "10.53.0.5" TSIG="hmac-sha224:sha224:$SHA224" check_keys check_apex check_subdomain dnssec_verify -zone_properties "ns5" "override.none.unsigned" "test" "3600" "1" "10.53.0.5" +set_zone "override.none.unsigned" +set_policy "test" "1" "3600" +set_server "ns5" "10.53.0.5" TSIG="hmac-sha256:sha256:$SHA256" check_keys check_apex @@ -1613,7 +1715,10 @@ TSIG="" # # Zone: step1.enable-dnssec.autosign. # -zone_properties "ns3" "step1.enable-dnssec.autosign" "enable-dnssec" "300" "1" "10.53.0.3" +set_zone "step1.enable-dnssec.autosign" +set_policy "enable-dnssec" "1" "300" +set_server "ns3" "10.53.0.3" + # The DNSKEY and signatures are introduced first, the DS remains hidden. key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY1" "published" "active" "none" "none" "none" 
@@ -1655,7 +1760,10 @@ check_next_key_event 900
 #
 # Zone: step2.enable-dnssec.autosign.
 #
-zone_properties "ns3" "step2.enable-dnssec.autosign" "enable-dnssec" "300" "1" "10.53.0.3"
+set_zone "step2.enable-dnssec.autosign"
+set_policy "enable-dnssec" "1" "300"
+set_server "ns3" "10.53.0.3"
+
 # The DNSKEY and signatures are introduced first, the DS remains hidden.
 key_states "KEY1" "omnipresent" "omnipresent" "rumoured" "omnipresent" "hidden"
 check_keys
@@ -1671,7 +1779,10 @@ check_next_key_event 43800
 #
 # Zone: step3.enable-dnssec.autosign.
 #
-zone_properties "ns3" "step3.enable-dnssec.autosign" "enable-dnssec" "300" "1" "10.53.0.3"
+set_zone "step3.enable-dnssec.autosign"
+set_policy "enable-dnssec" "1" "300"
+set_server "ns3" "10.53.0.3"
+
 # The DS can be introduced.
 key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "rumoured"
 check_keys
@@ -1687,7 +1798,10 @@ check_next_key_event 98400
 #
 # Zone: step4.enable-dnssec.autosign.
 #
-zone_properties "ns3" "step4.enable-dnssec.autosign" "enable-dnssec" "300" "1" "10.53.0.3"
+set_zone "step4.enable-dnssec.autosign"
+set_policy "enable-dnssec" "1" "300"
+set_server "ns3" "10.53.0.3"
+
 # The DS is omnipresent.
 key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
 check_keys
@@ -1706,7 +1820,10 @@ check_next_key_event 3600
 #
 # Zone: step1.zsk-prepub.autosign.
 #
-zone_properties "ns3" "step1.zsk-prepub.autosign" "zsk-prepub" "3600" "2" "10.53.0.3"
+set_zone "step1.zsk-prepub.autosign"
+set_policy "zsk-prepub" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
 # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
 key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
@@ -1730,7 +1847,10 @@ check_next_key_event 2498400
 #
 # Zone: step2.zsk-prepub.autosign.
 #
-zone_properties "ns3" "step2.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3"
+set_zone "step2.zsk-prepub.autosign"
+set_policy "zsk-prepub" "3" "3600"
+set_server "ns3" "10.53.0.3"
+
 # KSK (KEY1) doesn't change.
 # ZSK (KEY2) remains active, no change in properties/timings/states.
 # New ZSK (KEY3) is prepublished.
@@ -1750,7 +1870,10 @@ check_next_key_event 93600
 #
 # Zone: step3.zsk-prepub.autosign.
 #
-zone_properties "ns3" "step3.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3"
+set_zone "step3.zsk-prepub.autosign"
+set_policy "zsk-prepub" "3" "3600"
+set_server "ns3" "10.53.0.3"
+
 # KSK (KEY1) doesn't change.
 # ZSK (KEY2) properties and timing metadata same as above.
 # ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE.
@@ -1778,7 +1901,10 @@ check_next_key_event 867600
 #
 # Zone: step4.zsk-prepub.autosign.
 #
-zone_properties "ns3" "step4.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3"
+set_zone "step4.zsk-prepub.autosign"
+set_policy "zsk-prepub" "3" "3600"
+set_server "ns3" "10.53.0.3"
+
 # KSK (KEY1) doesn't change.
 # ZSK (KEY2) properties and timing metadata same as above.
 # ZSK (KEY2) DNSKEY is no longer needed.
@@ -1800,7 +1926,10 @@ check_next_key_event 7200
 #
 # Zone: step5.zsk-prepub.autosign.
 #
-zone_properties "ns3" "step5.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3"
+set_zone "step5.zsk-prepub.autosign"
+set_policy "zsk-prepub" "3" "3600"
+set_server "ns3" "10.53.0.3"
+
 # KSK (KEY1) doesn't change.
 # ZSK (KEY2) properties and timing metadata same as above.
 # ZSK (KEY3) DNSKEY is now completely HIDDEN and removed.
@@ -1824,7 +1953,10 @@ check_next_key_event 1627200
 #
 # Zone: step1.ksk-doubleksk.autosign.
 #
-zone_properties "ns3" "step1.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "2" "10.53.0.3"
+set_zone "step1.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "2" "7200"
+set_server "ns3" "10.53.0.3"
+
 # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
 key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
@@ -1849,7 +1981,10 @@ check_next_key_event 5000400
 #
 # Zone: step2.ksk-doubleksk.autosign.
 #
-zone_properties "ns3" "step2.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3"
+set_zone "step2.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+
 # ZSK (KEY2) doesn't change.
 # KSK (KEY1) remains active, no change in properties/timings/states.
 # New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
@@ -1869,7 +2004,10 @@ check_next_key_event 97200
 #
 # Zone: step3.ksk-doubleksk.autosign.
 #
-zone_properties "ns3" "step3.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3"
+set_zone "step3.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+
 # ZSK (KEY2) doesn't change.
 # KSK (KEY1) DS will be removed, so it is UNRETENTIVE.
 key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "unretentive"
@@ -1892,7 +2030,10 @@ check_next_key_event 266400
 #
 # Zone: step4.ksk-doubleksk.autosign.
 #
-zone_properties "ns3" "step4.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3"
+set_zone "step4.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+
 # ZSK (KEY2) doesn't change.
 # KSK (KEY1) DNSKEY can be removed.
 key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "no"
@@ -1912,7 +2053,10 @@ check_next_key_event 10800
 #
 # Zone: step5.ksk-doubleksk.autosign.
 #
-zone_properties "ns3" "step5.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3"
+set_zone "step5.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+
 # ZSK (KEY2) doesn't change.
 # KSK (KEY1) DNSKEY is now HIDDEN.
 key_states "KEY1" "hidden" "hidden" "none" "hidden" "hidden"
@@ -1935,7 +2079,10 @@ check_next_key_event 4813200
 #
 # Zone: step1.csk-roll.autosign.
 #
-zone_properties "ns3" "step1.csk-roll.autosign" "csk-roll" "3600" "1" "10.53.0.3"
+set_zone "step1.csk-roll.autosign"
+set_policy "csk-roll" "1" "3600"
+set_server "ns3" "10.53.0.3"
+
 # The CSK (KEY1) starts in OMNIPRESENT.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
@@ -1958,8 +2105,11 @@ check_next_key_event 15973200
 #
 # Zone: step2.csk-roll.autosign.
 #
+set_zone "step2.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
 # Set key properties for testing keys.
-zone_properties "ns3" "step2.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
 # CSK (KEY1) remains active, no change in properties/timings/states.
 # New CSK (KEY2) is prepublished (and signs DNSKEY RRset).
 key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
@@ -1978,8 +2128,11 @@ check_next_key_event 10800
 #
 # Zone: step3.csk-roll.autosign.
 #
+set_zone "step3.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
 # Set key properties for testing keys.
-zone_properties "ns3" "step3.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
 # CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive"
@@ -2006,7 +2159,10 @@ check_next_key_event 100800
 #
 # Zone: step4.csk-roll.autosign.
 #
-zone_properties "ns3" "step4.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
+set_zone "step4.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
 # The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public
 # but can remove the KRRSIG records.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
@@ -2027,7 +2183,10 @@ check_next_key_event 7200
 #
 # Zone: step5.csk-roll.autosign.
 #
-zone_properties "ns3" "step5.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
+set_zone "step5.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
 # The old CSK (KEY1) KRRSIG records are now all hidden.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
 key_states "KEY1" "hidden" "omnipresent" "unretentive" "hidden" "hidden"
@@ -2047,7 +2206,10 @@ check_next_key_event 2149200
 #
 # Zone: step6.csk-roll.autosign.
 #
-zone_properties "ns3" "step6.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
+set_zone "step6.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
 # The old CSK (KEY1) DNSKEY can be removed.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
 key_states "KEY1" "hidden" "unretentive" "hidden" "hidden" "hidden"
@@ -2067,7 +2229,10 @@ check_next_key_event 7200
 #
 # Zone: step7.csk-roll.autosign.
 #
-zone_properties "ns3" "step7.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
+set_zone "step7.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
 # The old CSK (KEY1) is now completely HIDDEN.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
 key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden"
@@ -2092,7 +2257,10 @@ check_next_key_event 13708800
 #
 # Zone: step1.csk-roll2.autosign.
 #
-zone_properties "ns3" "step1.csk-roll2.autosign" "csk-roll2" "3600" "1" "10.53.0.3"
+set_zone "step1.csk-roll2.autosign"
+set_policy "csk-roll2" "1" "3600"
+set_server "ns3" "10.53.0.3"
+
 # The CSK (KEY1) starts in OMNIPRESENT.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
@@ -2115,8 +2283,11 @@ check_next_key_event 15454800
 #
 # Zone: step2.csk-roll2.autosign.
 #
+set_zone "step2.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
 # Set key properties for testing keys.
-zone_properties "ns3" "step2.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3"
 # CSK (KEY1) remains active, no change in properties/timings/states.
 # New CSK (KEY2) is prepublished (and signs DNSKEY RRset).
 key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
@@ -2135,8 +2306,11 @@ check_next_key_event 10800
 #
 # Zone: step3.csk-roll2.autosign.
 #
+set_zone "step3.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
 # Set key properties for testing keys.
-zone_properties "ns3" "step3.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3"
 # CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive"
@@ -2164,7 +2338,10 @@ check_next_key_event 136800
 #
 # Zone: step4.csk-roll2.autosign.
 #
-zone_properties "ns3" "step4.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3"
+set_zone "step4.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
 # The old CSK (KEY1) ZRRSIG is now HIDDEN.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_states "KEY1" "hidden" "omnipresent" "hidden" "omnipresent" "unretentive"
@@ -2188,7 +2365,10 @@ check_next_key_event 478800
 #
 # Zone: step5.csk-roll2.autosign.
 #
-zone_properties "ns3" "step5.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3"
+set_zone "step5.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
 # The old CSK (KEY1) DNSKEY can be removed.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
 key_states "KEY1" "hidden" "unretentive" "hidden" "unretentive" "hidden"
@@ -2208,7 +2388,10 @@ check_next_key_event 7200
 #
 # Zone: step6.csk-roll2.autosign.
 #
-zone_properties "ns3" "step6.csk-roll2.autosign" "csk-roll" "3600" "2" "10.53.0.3"
+set_zone "step6.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
 # The old CSK (KEY1) is now completely HIDDEN.
 key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
 key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden"
@@ -2230,7 +2413,10 @@ check_next_key_event 14684400
 #
 # Zone: step1.algorithm-roll.kasp
 #
-zone_properties "ns6" "step1.algorithm-roll.kasp" "rsasha1" "3600" "2" "10.53.0.6"
+set_zone "step1.algorithm-roll.kasp"
+set_policy "rsasha1" "2" "3600"
+set_server "ns6" "10.53.0.6"
+
 # The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
 key_properties "KEY1" "ksk" "0" "5" "RSASHA1" "2048" "no" "yes"
 key_timings "KEY1" "published" "active" "none" "none" "none"
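Review bot: In the @@ -2208 hunk (zone step6.csk-roll2.autosign) the policy name changes from the replaced call's "csk-roll" to `set_policy "csk-roll2" "2" "3600"`, which is the only hunk in the series where the policy argument is not carried over verbatim. Judging by the zone name this corrects an earlier copy-paste slip, but it is a behavioural change hidden inside a mechanical refactor titled "Replace zone_properties". It deserves a sentence in the commit message, or its own commit, so a bisect later can tell the two apart.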
@@ -2253,7 +2439,10 @@ check_next_key_event 3600
 #
 # Zone: step1.csk-algorithm-roll.kasp
 #
-zone_properties "ns6" "step1.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "1" "10.53.0.6"
+set_zone "step1.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "1" "3600"
+set_server "ns6" "10.53.0.6"
+
 # The CSK (KEY1) starta in OMNIPRESENT.
 key_properties "KEY1" "csk" "0" "5" "RSASHA1" "2048" "yes" "yes"
 key_timings "KEY1" "published" "active" "none" "none" "none"
@@ -2311,7 +2500,10 @@ next_key_event_threshold=$((next_key_event_threshold+i))
 #
 # Zone: step1.algorithm-roll.kasp
 #
-zone_properties "ns6" "step1.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6"
+set_zone "step1.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+
 # The RSAHSHA1 keys are outroducing.
 key_properties "KEY1" "ksk" "0" "5" "RSASHA1" "2048" "no" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
@@ -2340,7 +2532,10 @@ check_next_key_event 10800
 #
 # Zone: step2.algorithm-roll.kasp
 #
-zone_properties "ns6" "step2.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6"
+set_zone "step2.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+
 # The RSAHSHA1 keys are outroducing, but need to stay present until the new
 # algorithm chain of trust has been established. Thus the properties, timings
 # and states of the KEY1 and KEY2 are the same as above.
@@ -2365,7 +2560,10 @@ check_next_key_event 21600
 #
 # Zone: step3.algorithm-roll.kasp
 #
-zone_properties "ns6" "step3.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6"
+set_zone "step3.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+
 # The RSAHSHA1 keys are outroducing, and it is time to swap the DS.
 key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "unretentive"
 # The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset and all signatures
@@ -2386,7 +2584,10 @@ check_next_key_event 104400
 #
 # Zone: step4.algorithm-roll.kasp
 #
-zone_properties "ns6" "step4.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6"
+set_zone "step4.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+
 # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
 key_properties "KEY1" "ksk" "0" "5" "RSASHA1" "2048" "no" "no"
 key_states "KEY1" "hidden" "unretentive" "none" "unretentive" "hidden"
@@ -2407,7 +2608,10 @@ check_next_key_event 7200
 #
 # Zone: step5.algorithm-roll.kasp
 #
-zone_properties "ns6" "step5.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6"
+set_zone "step5.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+
 # The DNSKEY becomes HIDDEN.
 key_states "KEY1" "hidden" "hidden" "none" "hidden" "hidden"
 key_states "KEY2" "hidden" "hidden" "unretentive" "none" "none"
@@ -2426,7 +2630,10 @@ check_next_key_event 25200
 #
 # Zone: step6.algorithm-roll.kasp
 #
-zone_properties "ns6" "step6.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6"
+set_zone "step6.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+
 # The zone signatures should now also be HIDDEN.
 key_states "KEY2" "hidden" "hidden" "hidden" "none" "none"
 
@@ -2446,7 +2653,10 @@ check_next_key_event 3600
 #
 # Zone: step1.csk-algorithm-roll.kasp
 #
-zone_properties "ns6" "step1.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+set_zone "step1.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+
 # The RSAHSHA1 key is outroducing.
 key_properties "KEY1" "csk" "0" "5" "RSASHA1" "2048" "yes" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
@@ -2471,7 +2681,10 @@ check_next_key_event 10800
 #
 # Zone: step2.csk-algorithm-roll.kasp
 #
-zone_properties "ns6" "step2.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+set_zone "step2.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+
 # The RSAHSHA1 key is outroducing, but need to stay present until the new
 # algorithm chain of trust has been established. Thus the properties, timings
 # and states of KEY1 is the same as above.
@@ -2495,7 +2708,10 @@ check_next_key_event 21600
 #
 # Zone: step3.csk-algorithm-roll.kasp
 #
-zone_properties "ns6" "step3.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+set_zone "step3.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+
 # The RSAHSHA1 key is outroducing, and it is time to swap the DS.
 key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "unretentive"
 # The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures
@@ -2515,7 +2731,10 @@ check_next_key_event 104400
 #
 # Zone: step4.csk-algorithm-roll.kasp
 #
-zone_properties "ns6" "step4.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+set_zone "step4.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+
 # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
 key_properties "KEY1" "csk" "0" "5" "RSASHA1" "2048" "no" "no"
 key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden"
@@ -2534,7 +2753,10 @@ check_next_key_event 7200
 #
 # Zone: step5.csk-algorithm-roll.kasp
 #
-zone_properties "ns6" "step5.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+set_zone "step5.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+
 # The DNSKEY becomes HIDDEN.
 key_states "KEY1" "hidden" "hidden" "unretentive" "hidden" "hidden"
 
@@ -2552,7 +2774,10 @@ check_next_key_event 25200
 #
 # Zone: step6.csk-algorithm-roll.kasp
 #
-zone_properties "ns6" "step6.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+set_zone "step6.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+
 # The zone signatures should now also be HIDDEN.
 key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden"
 
From 628e09a4231941737729d72361d30ac5eeae2af9 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Fri, 28 Feb 2020 12:02:51 +0100
Subject: [PATCH 2/6] Replace key_properties
---
 bin/tests/system/kasp/tests.sh | 602 +++++++++++++++++++++------------
 1 file changed, 383 insertions(+), 219 deletions(-)
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index c6e49d99d3..8c133d0ec8 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -160,17 +160,9 @@ set_policy() {
 }
 
 # Set key properties for testing keys.
-# $1: Key to update
-# $2: Role
-# $3: Lifetime
-# $4: Algorithm (number)
-# $5: Algorithm (string-format)
-# $6: Algorithm length
-# $7: Is zone signing
-# $8: Is key signing
-#
-# This will update either the KEY1, KEY2 or KEY3 array.
-key_properties() {
+# $1: Key to update (KEY1, KEY2, ...)
+# $2: Value
+set_keyrole() {
 key_set "$1" "EXPECT" "yes"
 key_set "$1" "ROLE" "$2"
 key_set "$1" "KSK" "no"
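Review bot: `set_keyrole` accepts any value for `$2` but only recognises ksk, zsk and csk (the `test "$2" = ...` lines in the next hunk), so a misspelled role silently leaves both KSK and ZSK at "no" and the later key checks fail for a reason that is hard to trace back; a guard such as `case "$2" in ksk|zsk|csk) ;; *) log_error "unknown key role: $2" ;; esac` after the assignments would surface it at the call site. The header comment `# $2: Value` should also name the accepted values, e.g. `# $2: Role (ksk, zsk or csk)`. The body of `set_keyrole` continues past this hunk.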
@@ -179,12 +171,28 @@ key_properties() {
 test "$2" = "zsk" && key_set "$1" "ZSK" "yes"
 test "$2" = "csk" && key_set "$1" "KSK" "yes"
 test "$2" = "csk" && key_set "$1" "ZSK" "yes"
- key_set "$1" "LIFETIME" "$3"
- key_set "$1" "ALG_NUM" "$4"
- key_set "$1" "ALG_STR" "$5"
- key_set "$1" "ALG_LEN" "$6"
- key_set "$1" "EXPECT_ZRRSIG" "$7"
- key_set "$1" "EXPECT_KRRSIG" "$8"
+}
+set_keylifetime() {
+ key_set "$1" "EXPECT" "yes"
+ key_set "$1" "LIFETIME" "$2"
+}
+# The algorithm value consists of three parts:
+# $2: Algorithm (number)
+# $3: Algorithm (string-format)
+# $4: Algorithm length
+set_keyalgorithm() {
+ key_set "$1" "EXPECT" "yes"
+ key_set "$1" "ALG_NUM" "$2"
+ key_set "$1" "ALG_STR" "$3"
+ key_set "$1" "ALG_LEN" "$4"
+}
+set_keysigning() {
+ key_set "$1" "EXPECT" "yes"
+ key_set "$1" "EXPECT_KRRSIG" "$2"
+}
+set_zonesigning() {
+ key_set "$1" "EXPECT" "yes"
+ key_set "$1" "EXPECT_ZRRSIG" "$2"
 }
 
 # Set key timing metadata. Set to "none" to unset.
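Review bot: The new `set_keylifetime`, `set_keysigning` and `set_zonesigning` have no header comment and `set_keyalgorithm` only documents `$2`-`$4`, and none of them says that every call also sets `EXPECT` to "yes" — the side effect a caller must know about before using one of them on a key it did not mean to expect (the algorithm-only hunks later in this patch do exactly that). Suggest a one-line header per function in the file's existing style, e.g. `# Set the lifetime ($2) of key $1; also marks the key as expected.`, `# $2: "yes" if key $1 is expected to sign the DNSKEY RRset (KRRSIG).` and `# $2: "yes" if key $1 is expected to sign the zone data (ZRRSIG).`, and `# $1: Key to update (KEY1, KEY2, ...)` on `set_keyalgorithm` as `set_keyrole` has.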
@@ -483,19 +491,40 @@ test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for polic
 # Temporarily don't log errors because we are searching multiple files.
 _log=0
 
-key_properties "KEY1" "csk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "yes"
+# Key properties.
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "31536000"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+
 key_timings "KEY1" "none" "none" "none" "none" "none"
 key_states "KEY1" "none" "none" "none" "none" "none"
 
-key_properties "KEY2" "ksk" "31536000" "8" "RSASHA256" "2048" "no" "yes"
+set_keyrole "KEY2" "ksk"
+set_keylifetime "KEY2" "31536000"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "no"
+
 key_timings "KEY2" "none" "none" "none" "none" "none"
 key_states "KEY2" "none" "none" "none" "none" "none"
 
-key_properties "KEY3" "zsk" "2592000" "8" "RSASHA256" "1024" "yes" "no"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "2592000"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "1024"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "yes"
+
 key_timings "KEY3" "none" "none" "none" "none" "none"
 key_states "KEY3" "none" "none" "none" "none" "none"
 
-key_properties "KEY4" "zsk" "16070400" "8" "RSASHA256" "2000" "yes" "no"
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "16070400"
+set_keyalgorithm "KEY4" "8" "RSASHA256" "2000"
+set_keysigning "KEY4" "no"
+set_zonesigning "KEY4" "yes"
+
 key_timings "KEY4" "none" "none" "none" "none" "none"
 key_states "KEY4" "none" "none" "none" "none" "none"
 
@@ -530,26 +559,20 @@ ret=0
 set_zone "kasp"
 set_policy "default" "1" "3600"
 set_server "." "10.53.0.1"
+# Key properties.
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
 
-key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
 key_timings "KEY1" "none" "none" "none" "none" "none"
 key_states "KEY1" "none" "none" "none" "none" "none"
-$KEYGEN -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1
-lines=$(wc -l < "keygen.out.default.test$n")
-test "$lines" -eq 1 || log_error "wrong number of keys created for policy default: $lines"
-ids=$(get_keyids "$DIR" "$ZONE")
-for id in $ids; do
- check_key "KEY1" "$id"
-done
-test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
 
-n=$((n+1))
-echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
-ret=0
-key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
-key_timings "KEY1" "none" "none" "none" "none" "none"
-key_states "KEY1" "none" "none" "none" "none" "none"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
 $KEYGEN -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1
 lines=$(wc -l < "keygen.out.$POLICY.test$n")
 test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy default: $lines"
@@ -660,8 +683,13 @@ next_key_event_threshold=$((next_key_event_threshold+i))
 set_zone "default.kasp"
 set_policy "default" "1" "3600"
 set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
 
-key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
 # The first key is immediately published and activated.
 key_timings "KEY1" "published" "active" "none" "none" "none" "none"
 # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
@@ -749,10 +777,27 @@ status=$((status+ret))
 set_zone "rsasha1.kasp"
 set_policy "rsasha1" "3" "1234"
 set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "315360000"
+set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "157680000"
+set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
+
+key_clear "KEY3"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "31536000"
+set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "yes"
 
-key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "2048" "yes" "no"
-key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no"
 # The first keys are immediately published and activated.
 # Because lifetime > 0, retired timing is also set.
 key_timings "KEY1" "published" "active" "retired" "none" "none"
@@ -1080,6 +1125,7 @@ key_clear "KEY1"
 key_clear "KEY2"
 key_clear "KEY3"
 key_clear "KEY4"
+
 check_keys
 check_apex
 check_subdomain
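Review bot: In the rsasha1.kasp hunk `key_clear` is called before the KEY2 and KEY3 setters but not before KEY1, which reads as though KEY1 deliberately inherits something from the preceding default.kasp block, where KEY1 was a CSK. Presumably `key_clear` resets fields the setters do not touch; if so, KEY1 needs it just as much, and if not, the two clears are redundant — either clear all three keys or add a comment explaining why KEY1 is treated differently, e.g. `# KEY1 is fully respecified below; KEY2 and KEY3 are cleared because ...`. The same asymmetry appears in the inherit.kasp, expired-sigs.autosign, step1.zsk-prepub.autosign and step1.ksk-doubleksk.autosign hunks.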
@@ -1090,15 +1136,18 @@ check_subdomain
 set_zone "unlimited.kasp"
 set_policy "unlimited" "1" "1234"
 set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
 
-key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
-key_clear "KEY2"
-key_clear "KEY3"
-key_clear "KEY4"
 # The first key is immediately published and activated.
 key_timings "KEY1" "published" "active" "none" "none" "none"
 # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
 key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden"
+
 check_keys
 check_apex
 check_subdomain
@@ -1111,9 +1160,26 @@ set_zone "inherit.kasp"
 set_policy "rsasha1" "3" "1234"
 set_server "ns3" "10.53.0.3"
 
-key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "2048" "yes" "no"
-key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no"
+# Key properties.
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "315360000"
+set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "157680000"
+set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
+
+key_clear "KEY3"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "31536000"
+set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "yes"
 # The first keys are immediately published and activated.
 # Because lifetime > 0, retired timing is also set.
 key_timings "KEY1" "published" "active" "retired" "none" "none"
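Review bot: Dropping `key_clear "KEY2"`, `key_clear "KEY3"` and `key_clear "KEY4"` from the unlimited.kasp block makes it depend on the preceding block having cleared those keys (the `@@ -1080` hunk shows it does today), so `check_keys` would start expecting stale keys as soon as a test is inserted between them or the blocks are reordered. The KEY1 setters are explicit, so the block is one step from being self-contained: keep the three clears, or at least add `# Only one key (CSK) is expected; KEY2-KEY4 were cleared by the previous test.` after `set_zonesigning "KEY1" "yes"`. The zsk-retired.autosign hunk later in this patch appears to rely on the same carry-over for KEY3.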
@@ -1125,6 +1191,7 @@ key_states "KEY1" "omnipresent" "rumoured" "none" "rumoured" "hidden"
 key_states "KEY2" "omnipresent" "rumoured" "rumoured" "none" "none"
 key_states "KEY3" "omnipresent" "rumoured" "rumoured" "none" "none"
 key_clear "KEY4"
+
 check_keys
 check_apex
 check_subdomain
@@ -1136,8 +1203,8 @@ dnssec_verify
 set_zone "dnssec-keygen.kasp"
 set_policy "rsasha1" "3" "1234"
 set_server "ns3" "10.53.0.3"
+# key properties, timings and states same as above.
 
-# key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
 check_subdomain
@@ -1149,8 +1216,8 @@ dnssec_verify
 set_zone "some-keys.kasp"
 set_policy "rsasha1" "3" "1234"
 set_server "ns3" "10.53.0.3"
+# key properties, timings and states same as above.
 
-# key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
 check_subdomain
@@ -1162,8 +1229,8 @@ dnssec_verify
 set_zone "legacy-keys.kasp"
 set_policy "rsasha1" "3" "1234"
 set_server "ns3" "10.53.0.3"
+# key properties, timings and states same as above.
 
-# key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
 check_subdomain
@@ -1177,8 +1244,8 @@ dnssec_verify
 set_zone "pregenerated.kasp"
 set_policy "rsasha1" "6" "1234"
 set_server "ns3" "10.53.0.3"
+# key properties, timings and states same as above.
 
-# key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
 check_subdomain
@@ -1191,8 +1258,8 @@ dnssec_verify
 set_z one "rumoured.kasp"
 set_policy "rsasha1" "3" "1234"
 set_server "ns3" "10.53.0.3"
+# key properties, timings and states same as above.
 
-# key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
 check_subdomain
@@ -1204,8 +1271,8 @@ dnssec_verify
 set_zone "secondary.kasp"
 set_policy "rsasha1" "3" "1234"
 set_server "ns3" "10.53.0.3"
+# key properties, timings and states same as above.
 
-# KSK properties, timings and states same as above.
 check_keys
 check_apex
 check_subdomain
@@ -1253,11 +1320,12 @@ status=$((status+ret))
 set_zone "rsasha1-nsec3.kasp"
 set_policy "rsasha1-nsec3" "3" "1234"
 set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
+set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048"
+set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000"
+# Key timings and states same as above.
 
-key_properties "KEY1" "ksk" "315360000" "7" "NSEC3RSASHA1" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "7" "NSEC3RSASHA1" "2048" "yes" "no"
-key_properties "KEY3" "zsk" "31536000" "7" "NSEC3RSASHA1" "2000" "yes" "no"
-# key_timings and key_states same as above.
 check_keys
 check_apex
 check_subdomain
@@ -1269,11 +1337,12 @@ dnssec_verify
 set_zone "rsasha256.kasp"
 set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "2000"
+# Key timings and states same as above.
 
-key_properties "KEY1" "ksk" "315360000" "8" "RSASHA256" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "8" "RSASHA256" "2048" "yes" "no"
-key_properties "KEY3" "zsk" "31536000" "8" "RSASHA256" "2000" "yes" "no"
-# key_timings and key_states same as above.
 check_keys
 check_apex
 check_subdomain
@@ -1285,11 +1354,12 @@ dnssec_verify
 set_zone "rsasha512.kasp"
 set_policy "rsasha512" "3" "1234"
 set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyalgorithm "KEY1" "10" "RSASHA512" "2048"
+set_keyalgorithm "KEY2" "10" "RSASHA512" "2048"
+set_keyalgorithm "KEY3" "10" "RSASHA512" "2000"
+# Key timings and states same as above.
 
-key_properties "KEY1" "ksk" "315360000" "10" "RSASHA512" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "10" "RSASHA512" "2048" "yes" "no"
-key_properties "KEY3" "zsk" "31536000" "10" "RSASHA512" "2000" "yes" "no"
-# key_timings and key_states same as above.
 check_keys
 check_apex
 check_subdomain
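Review bot: The new `# Key properties.` header in the rsasha1-nsec3.kasp hunk is followed only by `set_keyalgorithm` calls, while the role, lifetime and signing expectations for KEY1-KEY3 are inherited from the rsasha1.kasp block above — the removed `key_properties` lines used to state all of them explicitly. A reader scanning this block will take the header as a complete specification and miss that the key roles come from elsewhere. Suggest `# Key properties same as above, except for the algorithm.` here and in the rsasha256.kasp, rsasha512.kasp, ecdsa256.kasp and ecdsa384.kasp hunks.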
@@ -1301,11 +1371,12 @@ dnssec_verify
 set_zone "ecdsa256.kasp"
 set_policy "ecdsa256" "3" "1234"
 set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+# Key timings and states same as above.
 
-key_properties "KEY1" "ksk" "315360000" "13" "ECDSAP256SHA256" "256" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "13" "ECDSAP256SHA256" "256" "yes" "no"
-key_properties "KEY3" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "no"
-# key_timings and key_states same as above.
 check_keys
 check_apex
 check_subdomain
@@ -1317,11 +1388,12 @@ dnssec_verify
 set_zone "ecdsa384.kasp"
 set_policy "ecdsa384" "3" "1234"
 set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
+set_keyalgorithm "KEY2" "14" "ECDSAP384SHA384" "384"
+set_keyalgorithm "KEY3" "14" "ECDSAP384SHA384" "384"
+# Key timings and states same as above.
 
-key_properties "KEY1" "ksk" "315360000" "14" "ECDSAP384SHA384" "384" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "14" "ECDSAP384SHA384" "384" "yes" "no"
-key_properties "KEY3" "zsk" "31536000" "14" "ECDSAP384SHA384" "384" "yes" "no"
-# key_timings and key_states same as above.
 check_keys
 check_apex
 check_subdomain
@@ -1335,12 +1407,23 @@ dnssec_verify
 set_zone "expired-sigs.autosign"
 set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "63072000"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "31536000"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
 
 # Both KSK and ZSK stay OMNIPRESENT.
-key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
 key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
-key_properties "KEY2" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "no"
 key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none"
 key_timings "KEY2" "published" "active" "retired" "none" "none"
 # Expect only two keys.
@@ -1400,8 +1483,8 @@ check_rrsig_refresh
 set_zone "fresh-sigs.autosign"
 set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
 
-# key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
 check_subdomain
@@ -1455,8 +1538,8 @@ check_rrsig_reuse
 set_zone "unfresh-sigs.autosign"
 set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
+# Key properties, timings and states same as above.
 
-# key_properties, key_timings and key_states same as above.
 check_keys
 check_apex
 check_subdomain
@@ -1469,13 +1552,8 @@ check_rrsig_refresh
 set_zone "zsk-missing.autosign"
 set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
-
-# KSK stays OMNIPRESENT.
-key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
-key_timings "KEY1" "published" "active" "retired" "none" "none"
-key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
-# key_properties, key_timings and key_states same as above.
-# TODO
+# Key properties, timings and states same as above.
+# TODO.
 
 #
 # Zone: zsk-retired.autosign.
@@ -1483,16 +1561,18 @@ key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
 set_zone "zsk-retired.autosign"
 set_policy "autosign" "2" "300"
 set_server "ns3" "10.53.0.3"
-
-# KSK properties, timings and states same as above.
+# The third key is not yet expected to be signing.
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "31536000"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "no"
 # The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new
 # ZSK is active.
-key_properties "KEY2" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "no"
 key_timings "KEY2" "published" "active" "retired" "none" "none"
 key_states "KEY2" "hidden" "omnipresent" "omnipresent" "none" "none"
 # A new ZSK should be introduced, so expect a key with goal OMNIPRESENT,
 # the DNSKEY introduced (RUMOURED) and the signatures HIDDEN.
-key_properties "KEY3" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "no" "no"
 key_timings "KEY3" "published" "active" "retired" "none" "none"
 key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none"
 
@@ -1514,6 +1594,7 @@ key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none"
 key_clear "KEY1"
 key_clear "KEY2"
 key_clear "KEY3"
+key_clear "KEY4"
 
 set_zone "unsigned.tld"
 set_policy "none" "0" "0"
@@ -1601,7 +1682,12 @@ check_subdomain
 # ns4/inherit.override.signed
 # ns5/override.inherit.signed
 # ns5/inherit.override.signed
-key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+
 key_timings "KEY1" "published" "active" "none" "none" "none"
 key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden"
 
@@ -1656,9 +1742,11 @@ dnssec_verify
 # ns4/override.none.signed
 # ns5/override.override.unsigned
 # ns5/override.none.unsigned
-key_properties "KEY1" "csk" "0" "14" "ECDSAP384SHA384" "384" "yes" "yes"
-key_timings "KEY1" "published" "active" "none" "none" "none"
-key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
 
 set_zone "inherit.inherit.signed"
 set_policy "test" "1" "3600"
@@ -1718,13 +1806,20 @@ TSIG=""
 set_zone "step1.enable-dnssec.autosign"
 set_policy "enable-dnssec" "1" "300"
 set_server "ns3" "10.53.0.3"
-
+# Key properties.
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
 # The DNSKEY and signatures are introduced first, the DS remains hidden.
-key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
 key_timings "KEY1" "published" "active" "none" "none" "none"
 key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden"
+# This policy lists only one key (CSK).
 key_clear "KEY2"
 key_clear "KEY3"
+key_clear "KEY4"
+
 check_keys
 check_apex
 check_subdomain
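Review bot: In the `@@ -1656` hunk the `key_timings "KEY1"` and `key_states "KEY1"` lines are removed together with `key_properties`, but only the property setters are re-added, so the override/none zone group now relies on the timings and states left behind by the previous group — which happen to be identical (see the `@@ -1601` hunk) but nothing in this block says so. That is invisible to the next person editing either group. Suggest restoring the two removed lines, or at least adding `# Key timings and states same as above.` after `set_zonesigning "KEY1" "yes"`.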
@@ -1763,9 +1858,9 @@ check_next_key_event 900
 set_zone "step2.enable-dnssec.autosign"
 set_policy "enable-dnssec" "1" "300"
 set_server "ns3" "10.53.0.3"
-
 # The DNSKEY and signatures are introduced first, the DS remains hidden.
 key_states "KEY1" "omnipresent" "omnipresent" "rumoured" "omnipresent" "hidden"
+
 check_keys
 check_apex
 check_subdomain
@@ -1782,9 +1877,9 @@ check_next_key_event 43800
 set_zone "step3.enable-dnssec.autosign"
 set_policy "enable-dnssec" "1" "300"
 set_server "ns3" "10.53.0.3"
-
 # The DS can be introduced.
 key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "rumoured"
+
 check_keys
 check_apex
 check_subdomain
@@ -1801,9 +1896,9 @@ check_next_key_event 98400
 set_zone "step4.enable-dnssec.autosign"
 set_policy "enable-dnssec" "1" "300"
 set_server "ns3" "10.53.0.3"
-
 # The DS is omnipresent.
 key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+
 check_keys
 check_apex
 check_subdomain
@@ -1823,16 +1918,28 @@ check_next_key_event 3600
 set_zone "step1.zsk-prepub.autosign"
 set_policy "zsk-prepub" "2" "3600"
 set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "63072000"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "2592000"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
 
 # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
-key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
 key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
-key_properties "KEY2" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "yes" "no"
 key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none"
 key_timings "KEY2" "published" "active" "retired" "none" "none"
 # Initially only two keys.
 key_clear "KEY3"
+key_clear "KEY4"
+
 check_keys
 check_apex
 check_subdomain
@@ -1850,13 +1957,17 @@ check_next_key_event 2498400
 set_zone "step2.zsk-prepub.autosign"
 set_policy "zsk-prepub" "3" "3600"
 set_server "ns3" "10.53.0.3"
-
+# New ZSK (KEY3) is prepublished, but not yet signing.
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "2592000"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "no"
 # KSK (KEY1) doesn't change.
 # ZSK (KEY2) remains active, no change in properties/timings/states.
-# New ZSK (KEY3) is prepublished.
-key_properties "KEY3" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "no" "no"
 key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none"
 key_timings "KEY3" "published" "active" "retired" "none" "none"
+
 check_keys
 check_apex
 check_subdomain
@@ -1873,22 +1984,24 @@ check_next_key_event 93600
 set_zone "step3.zsk-prepub.autosign"
 set_policy "zsk-prepub" "3" "3600"
 set_server "ns3" "10.53.0.3"
-
-# KSK (KEY1) doesn't change.
-# ZSK (KEY2) properties and timing metadata same as above.
 # ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE.
 # New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
-key_properties "KEY2" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "no" "no"
+set_zonesigning "KEY2" "no"
+set_zonesigning "KEY3" "yes"
 key_states "KEY2" "hidden" "omnipresent" "unretentive" "none" "none"
-
-key_properties "KEY3" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "yes" "no"
 key_states "KEY3" "omnipresent" "omnipresent" "rumoured" "none" "none"
+
 check_keys
 check_apex
-# Subdomain still has good signatures of ZSK (KEY2)
-key_properties "KEY2" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "yes" "no"
-key_properties "KEY3" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "no" "no"
+# Subdomain still has good signatures of ZSK (KEY2).
+# Set expected zone signing on for KEY2 and off for KEY3,
+# testing whether signatures which are still valid are being reused.
+set_zonesigning "KEY2" "yes"
+set_zonesigning "KEY3" "no"
 check_subdomain
+# Restore the expected zone signing properties.
+set_zonesigning "KEY2" "no"
+set_zonesigning "KEY3" "yes"
 dnssec_verify
 
 # Next key event is when all the RRSIG records have been replaced with
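Review bot: The swap-check-restore sequence around `check_subdomain` (zone signing on for KEY2 and off for KEY3, check, then the reverse) has to be kept in sync by hand with the expectations set above `check_keys`, and the same sequence is duplicated with KEY1/KEY2 in the step3.csk-roll.autosign hunk. A restore that drifts from the setup leaves the wrong key marked as zone-signing for every later step, since step4 and step5 of this roll only call `key_states` and inherit the signing expectations. A small helper taking the predecessor and successor keys makes the restore automatic and states the intent once.
```shell
# Check the subdomain expecting zone signatures from the predecessor key ($1)
# rather than its successor ($2) - still-valid signatures are reused - and
# restore the signing expectations afterwards.
check_subdomain_with_predecessor() {
	set_zonesigning "$1" "yes"
	set_zonesigning "$2" "no"
	check_subdomain
	set_zonesigning "$1" "no"
	set_zonesigning "$2" "yes"
}

# … unchanged: step3.zsk-prepub.autosign setup, check_keys, check_apex …
check_subdomain_with_predecessor "KEY2" "KEY3"
dnssec_verify
```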
@@ -1904,15 +2017,11 @@ check_next_key_event 867600
 set_zone "step4.zsk-prepub.autosign"
 set_policy "zsk-prepub" "3" "3600"
 set_server "ns3" "10.53.0.3"
-
-# KSK (KEY1) doesn't change.
-# ZSK (KEY2) properties and timing metadata same as above.
 # ZSK (KEY2) DNSKEY is no longer needed.
 # ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
-key_properties "KEY2" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "no" "no"
 key_states "KEY2" "hidden" "unretentive" "hidden" "none" "none"
-key_properties "KEY3" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "yes" "no"
 key_states "KEY3" "omnipresent" "omnipresent" "omnipresent" "none" "none"
+
 check_keys
 check_apex
 check_subdomain
@@ -1929,12 +2038,10 @@ check_next_key_event 7200
 set_zone "step5.zsk-prepub.autosign"
 set_policy "zsk-prepub" "3" "3600"
 set_server "ns3" "10.53.0.3"
-
-# KSK (KEY1) doesn't change.
-# ZSK (KEY2) properties and timing metadata same as above.
 # ZSK (KEY3) DNSKEY is now completely HIDDEN and removed.
 key_timings "KEY2" "published" "active" "retired" "none" "removed"
 key_states "KEY2" "hidden" "hidden" "hidden" "none" "none"
+
 # ZSK (KEY3) remains actively signing, staying in OMNIPRESENT.
 check_keys
 check_apex
@@ -1956,16 +2063,28 @@ check_next_key_event 1627200
 set_zone "step1.ksk-doubleksk.autosign"
 set_policy "ksk-doubleksk" "2" "7200"
 set_server "ns3" "10.53.0.3"
+# Key properties.
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "5184000"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "31536000"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
 
 # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
-key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
 key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
-key_properties "KEY2" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "no"
 key_timings "KEY2" "published" "active" "retired" "none" "none"
 key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none"
 # Initially only two keys.
 key_clear "KEY3"
+key_clear "KEY4"
+
 check_keys
 check_apex
 check_subdomain
@@ -1984,13 +2103,15 @@ check_next_key_event 5000400
 set_zone "step2.ksk-doubleksk.autosign"
 set_policy "ksk-doubleksk" "3" "7200"
 set_server "ns3" "10.53.0.3"
-
-# ZSK (KEY2) doesn't change.
-# KSK (KEY1) remains active, no change in properties/timings/states.
 # New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
-key_properties "KEY3" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "yes"
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "5184000"
+set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
 key_states "KEY3" "omnipresent" "rumoured" "none" "rumoured" "hidden"
 key_timings "KEY3" "published" "active" "retired" "none" "none"
+
 check_keys
 check_apex
 check_subdomain
@@ -2007,8 +2128,6 @@ check_next_key_event 97200
 set_zone "step3.ksk-doubleksk.autosign"
 set_policy "ksk-doubleksk" "3" "7200"
 set_server "ns3" "10.53.0.3"
-
-# ZSK (KEY2) doesn't change.
 # KSK (KEY1) DS will be removed, so it is UNRETENTIVE.
 key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "unretentive"
 # New KSK (KEY3) has its DS submitted.
@@ -2033,13 +2152,12 @@ check_next_key_event 266400
 set_zone "step4.ksk-doubleksk.autosign"
 set_policy "ksk-doubleksk" "3" "7200"
 set_server "ns3" "10.53.0.3"
-
-# ZSK (KEY2) doesn't change.
 # KSK (KEY1) DNSKEY can be removed.
-key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "no"
+set_keysigning "KEY1" "no"
 key_states "KEY1" "hidden" "unretentive" "none" "unretentive" "hidden"
 # New KSK (KEY3) DS is now OMNIPRESENT.
 key_states "KEY3" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
+
 check_keys
 check_apex
 check_subdomain
@@ -2056,11 +2174,9 @@ check_next_key_event 10800
 set_zone "step5.ksk-doubleksk.autosign"
 set_policy "ksk-doubleksk" "3" "7200"
 set_server "ns3" "10.53.0.3"
-
-# ZSK (KEY2) doesn't change.
 # KSK (KEY1) DNSKEY is now HIDDEN.
 key_states "KEY1" "hidden" "hidden" "none" "hidden" "hidden"
-# New KSK (KEY3) stays OMNIPRESENT.
+
 check_keys
 check_apex
 check_subdomain
@@ -2082,14 +2198,20 @@ check_next_key_event 4813200
 set_zone "step1.csk-roll.autosign"
 set_policy "csk-roll" "1" "3600"
 set_server "ns3" "10.53.0.3"
-
+# Key properties.
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "16070400"
+set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
 # The CSK (KEY1) starts in OMNIPRESENT.
-key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
 key_timings "KEY1" "published" "active" "retired" "none" "none"
 key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
 # Initially only one key.
 key_clear "KEY2"
 key_clear "KEY3"
+key_clear "KEY4"
+
 check_keys
 check_apex
 check_subdomain
@@ -2108,13 +2230,15 @@ check_next_key_event 15973200
 set_zone "step2.csk-roll.autosign"
 set_policy "csk-roll" "2" "3600"
 set_server "ns3" "10.53.0.3"
-
-# Set key properties for testing keys.
-# CSK (KEY1) remains active, no change in properties/timings/states.
-# New CSK (KEY2) is prepublished (and signs DNSKEY RRset).
-key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
+# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
+set_keyrole "KEY2" "csk"
+set_keylifetime "KEY2" "16070400"
+set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "no"
 key_states "KEY2" "omnipresent" "rumoured" "hidden" "rumoured" "hidden"
 key_timings "KEY2" "published" "active" "retired" "none" "none"
+
 check_keys
 check_apex
 check_subdomain
@@ -2131,21 +2255,26 @@ check_next_key_event 10800
 set_zone "step3.csk-roll.autosign"
 set_policy "csk-roll" "2" "3600"
 set_server "ns3" "10.53.0.3"
-
-# Set key properties for testing keys.
+# Swap zone signing role.
+set_zonesigning "KEY1" "no"
+set_zonesigning "KEY2" "yes"
 # CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE.
-key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
 key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive"
 # New CSK (KEY2) has its DS submitted, and is signing, so the DS and ZRRSIG
 # are in RUMOURED state.
-key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
 key_states "KEY2" "omnipresent" "omnipresent" "rumoured" "omnipresent" "rumoured"
+
 check_keys
 check_apex
-# Subdomain still has good signatures of old CSK (KEY1)
-key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
-key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
+# Subdomain still has good signatures of old CSK (KEY1).
+# Set expected zone signing on for KEY1 and off for KEY2,
+# testing whether signatures which are still valid are being reused.
+set_zonesigning "KEY1" "yes"
+set_zonesigning "KEY2" "no"
 check_subdomain
+# Restore the expected zone signing properties.
+set_zonesigning "KEY1" "no"
+set_zonesigning "KEY2" "yes"
 dnssec_verify
 
 # Next key event is when the predecessor DS has been replaced with the
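Review bot: The temporary flip of the expected zone-signing values around check_subdomain, followed by the manual restore, is spelled out by hand here and again, identically, in the step3.csk-roll2 hunk (`@@ -2309,21 +2440,26 @@`); the two copies have to be kept in sync, and a slip in either restore would silently change what every later step asserts about KEY1 and KEY2. A small helper that takes the two expected values, runs check_subdomain and restores the previous expectations itself, called as `check_subdomain_with_zonesigning "yes" "no"` from both places, would make the intent visible at the call site and remove the duplicated restore lines. The comment explaining why the expectation is reversed is useful; it could also state, if that is how check_subdomain works, that the check compares against the KEY arrays rather than the server's current state, which is what makes the flip necessary.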
@@ -2162,14 +2291,14 @@ check_next_key_event 100800 set_zone "step4.csk-roll.autosign" set_policy "csk-roll" "2" "3600" set_server "ns3" "10.53.0.3" - +# The old CSK (KEY1) is no longer signing the DNSKEY RRset. +set_keysigning "KEY1" "no" # The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public # but can remove the KRRSIG records. -key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" key_states "KEY1" "hidden" "omnipresent" "unretentive" "unretentive" "hidden" # The new CSK (KEY2) DS is now OMNIPRESENT. -key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_states "KEY2" "omnipresent" "omnipresent" "rumoured" "omnipresent" "omnipresent" + check_keys check_apex check_subdomain @@ -2186,11 +2315,9 @@ check_next_key_event 7200 set_zone "step5.csk-roll.autosign" set_policy "csk-roll" "2" "3600" set_server "ns3" "10.53.0.3" - # The old CSK (KEY1) KRRSIG records are now all hidden. -key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" key_states "KEY1" "hidden" "omnipresent" "unretentive" "hidden" "hidden" -# The new CSK (KEY2) state does not change. + check_keys check_apex check_subdomain @@ -2209,13 +2336,11 @@ check_next_key_event 2149200 set_zone "step6.csk-roll.autosign" set_policy "csk-roll" "2" "3600" set_server "ns3" "10.53.0.3" - -# The old CSK (KEY1) DNSKEY can be removed. -key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" +# The old CSK (KEY1) ZRRSIG records are now all hidden. key_states "KEY1" "hidden" "unretentive" "hidden" "hidden" "hidden" # The new CSK (KEY2) is now fully OMNIPRESENT. -key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + check_keys check_apex check_subdomain 
@@ -2232,13 +2357,11 @@ check_next_key_event 7200 set_zone "step7.csk-roll.autosign" set_policy "csk-roll" "2" "3600" set_server "ns3" "10.53.0.3" - # The old CSK (KEY1) is now completely HIDDEN. -key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden" # The new CSK (KEY2) is now fully OMNIPRESENT. -key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + check_keys check_apex check_subdomain @@ -2260,14 +2383,20 @@ check_next_key_event 13708800 set_zone "step1.csk-roll2.autosign" set_policy "csk-roll2" "1" "3600" set_server "ns3" "10.53.0.3" - +# Key properties. +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "16070400" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # The CSK (KEY1) starts in OMNIPRESENT. -key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY1" "published" "active" "retired" "none" "none" key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" # Initially only one key. key_clear "KEY2" key_clear "KEY3" +key_clear "KEY4" + check_keys check_apex check_subdomain 
@@ -2286,13 +2415,15 @@ check_next_key_event 15454800 set_zone "step2.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" - -# Set key properties for testing keys. -# CSK (KEY1) remains active, no change in properties/timings/states. -# New CSK (KEY2) is prepublished (and signs DNSKEY RRset). -key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes" +# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets). +set_keyrole "KEY2" "csk" +set_keylifetime "KEY2" "16070400" +set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" key_states "KEY2" "omnipresent" "rumoured" "hidden" "rumoured" "hidden" key_timings "KEY2" "published" "active" "retired" "none" "none" + check_keys check_apex check_subdomain 
@@ -2309,21 +2440,26 @@ check_next_key_event 10800 set_zone "step3.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" - -# Set key properties for testing keys. +# Swap zone signing role. +set_zonesigning "KEY1" "no" +set_zonesigning "KEY2" "yes" # CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE. -key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes" key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive" # New CSK (KEY2) has its DS submitted, and is signing, so the DS and ZRRSIG # are in RUMOURED state. -key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_states "KEY2" "omnipresent" "omnipresent" "rumoured" "omnipresent" "rumoured" + check_keys check_apex -# Subdomain still has good signatures of old CSK (KEY1) -key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes" -key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes" +# Subdomain still has good signatures of old CSK (KEY1). +# Set expected zone signing on for KEY1 and off for KEY2, +# testing whether signatures which are still valid are being reused. +set_zonesigning "KEY1" "yes" +set_zonesigning "KEY2" "no" check_subdomain +# Restore the expected zone signing properties. +set_zonesigning "KEY1" "no" +set_zonesigning "KEY2" "yes" dnssec_verify # Next key event is when the predecessor ZRRSIG records have been replaced 
@@ -2341,12 +2477,9 @@ check_next_key_event 136800 set_zone "step4.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" - # The old CSK (KEY1) ZRRSIG is now HIDDEN. -key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes" key_states "KEY1" "hidden" "omnipresent" "hidden" "omnipresent" "unretentive" # The new CSK (KEY2) ZRRSIG is now OMNIPRESENT. -key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "rumoured" check_keys check_apex @@ -2368,13 +2501,12 @@ check_next_key_event 478800 set_zone "step5.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" - # The old CSK (KEY1) DNSKEY can be removed. -key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" +set_keysigning "KEY1" "no" key_states "KEY1" "hidden" "unretentive" "hidden" "unretentive" "hidden" # The new CSK (KEY2) is now fully OMNIPRESENT. -key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + check_keys check_apex check_subdomain @@ -2391,13 +2523,11 @@ check_next_key_event 7200 set_zone "step6.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" - # The old CSK (KEY1) is now completely HIDDEN. -key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no" key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden" # The new CSK (KEY2) is now fully OMNIPRESENT. -key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + check_keys check_apex check_subdomain 
@@ -2416,16 +2546,27 @@ check_next_key_event 14684400 set_zone "step1.algorithm-roll.kasp" set_policy "rsasha1" "2" "3600" set_server "ns6" "10.53.0.6" +# Key properties. +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -# The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. -key_properties "KEY1" "ksk" "0" "5" "RSASHA1" "2048" "no" "yes" -key_timings "KEY1" "published" "active" "none" "none" "none" -key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent" -key_properties "KEY2" "zsk" "0" "5" "RSASHA1" "2048" "yes" "no" -key_timings "KEY2" "published" "active" "none" "none" "none" -key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" +set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" key_clear "KEY3" key_clear "KEY4" +# The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. +key_timings "KEY1" "published" "active" "none" "none" "none" +key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent" +key_timings "KEY2" "published" "active" "none" "none" "none" +key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none" + check_keys check_apex check_subdomain 
@@ -2442,14 +2583,19 @@ check_next_key_event 3600 set_zone "step1.csk-algorithm-roll.kasp" set_policy "csk-algoroll" "1" "3600" set_server "ns6" "10.53.0.6" - -# The CSK (KEY1) starta in OMNIPRESENT. -key_properties "KEY1" "csk" "0" "5" "RSASHA1" "2048" "yes" "yes" -key_timings "KEY1" "published" "active" "none" "none" "none" -key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" +# Key properties. +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" +# The CSK (KEY1) starts in OMNIPRESENT. +key_timings "KEY1" "published" "active" "none" "none" "none" +key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" + check_keys check_apex check_subdomain 
@@ -2503,19 +2649,36 @@ next_key_event_threshold=$((next_key_event_threshold+i)) set_zone "step1.algorithm-roll.kasp" set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" - +# Old RSASHA1 keys. +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" +set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" +# New ECDSAP256SHA256 keys. +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "0" +set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "0" +set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "yes" # The RSAHSHA1 keys are outroducing. -key_properties "KEY1" "ksk" "0" "5" "RSASHA1" "2048" "no" "yes" key_timings "KEY1" "published" "active" "retired" "none" "none" key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "omnipresent" -key_properties "KEY2" "zsk" "0" "5" "RSASHA1" "2048" "yes" "no" key_timings "KEY2" "published" "active" "retired" "none" "none" key_states "KEY2" "hidden" "omnipresent" "omnipresent" "none" "none" # The ECDSAP256SHA256 keys are introducing. -key_properties "KEY3" "ksk" "0" "13" "ECDSAP256SHA256" "256" "no" "yes" key_timings "KEY3" "published" "active" "none" "none" "none" key_states "KEY3" "omnipresent" "rumoured" "none" "rumoured" "hidden" -key_properties "KEY4" "zsk" "0" "13" "ECDSAP256SHA256" "256" "yes" "no" key_timings "KEY4" "published" "active" "none" "none" "none" key_states "KEY4" "omnipresent" "rumoured" "rumoured" "none" "none" 
@@ -2535,7 +2698,6 @@ check_next_key_event 10800 set_zone "step2.algorithm-roll.kasp" set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" - # The RSAHSHA1 keys are outroducing, but need to stay present until the new # algorithm chain of trust has been established. Thus the properties, timings # and states of the KEY1 and KEY2 are the same as above. @@ -2563,7 +2725,6 @@ check_next_key_event 21600 set_zone "step3.algorithm-roll.kasp" set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" - # The RSAHSHA1 keys are outroducing, and it is time to swap the DS. key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "unretentive" # The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset and all signatures @@ -2587,11 +2748,10 @@ check_next_key_event 104400 set_zone "step4.algorithm-roll.kasp" set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" - # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records. -key_properties "KEY1" "ksk" "0" "5" "RSASHA1" "2048" "no" "no" +set_keysigning "KEY1" "no" key_states "KEY1" "hidden" "unretentive" "none" "unretentive" "hidden" -key_properties "KEY2" "zsk" "0" "5" "RSASHA1" "2048" "no" "no" +set_zonesigning "KEY2" "no" key_states "KEY2" "hidden" "unretentive" "unretentive" "none" "none" # The ECDSAP256SHA256 DS is now OMNIPRESENT. key_states "KEY3" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent" @@ -2611,7 +2771,6 @@ check_next_key_event 7200 set_zone "step5.algorithm-roll.kasp" set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" - # The DNSKEY becomes HIDDEN. key_states "KEY1" "hidden" "hidden" "none" "hidden" "hidden" key_states "KEY2" "hidden" "hidden" "unretentive" "none" "none" @@ -2633,7 +2792,6 @@ check_next_key_event 25200 set_zone "step6.algorithm-roll.kasp" set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" - # The zone signatures should now also be HIDDEN. key_states "KEY2" "hidden" "hidden" "hidden" "none" "none" 
@@ -2656,17 +2814,27 @@ check_next_key_event 3600 set_zone "step1.csk-algorithm-roll.kasp" set_policy "csk-algoroll" "2" "3600" set_server "ns6" "10.53.0.6" - +# Old RSASHA1 key. +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" +# New ECDSAP256SHA256 key. +set_keyrole "KEY2" "csk" +set_keylifetime "KEY2" "0" +set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "yes" +key_clear "KEY3" +key_clear "KEY4" # The RSAHSHA1 key is outroducing. -key_properties "KEY1" "csk" "0" "5" "RSASHA1" "2048" "yes" "yes" key_timings "KEY1" "published" "active" "retired" "none" "none" key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent" # The ECDSAP256SHA256 key is introducing. -key_properties "KEY2" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes" key_timings "KEY2" "published" "active" "none" "none" "none" key_states "KEY2" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden" -key_clear "KEY3" -key_clear "KEY4" check_keys check_apex @@ -2684,7 +2852,6 @@ check_next_key_event 10800 set_zone "step2.csk-algorithm-roll.kasp" set_policy "csk-algoroll" "2" "3600" set_server "ns6" "10.53.0.6" - # The RSAHSHA1 key is outroducing, but need to stay present until the new # algorithm chain of trust has been established. Thus the properties, timings # and states of KEY1 is the same as above. @@ -2711,7 +2878,6 @@ check_next_key_event 21600 set_zone "step3.csk-algorithm-roll.kasp" set_policy "csk-algoroll" "2" "3600" set_server "ns6" "10.53.0.6" - # The RSAHSHA1 key is outroducing, and it is time to swap the DS. key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "unretentive" # The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures 
@@ -2734,9 +2900,9 @@ check_next_key_event 104400
 set_zone "step4.csk-algorithm-roll.kasp"
 set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
-
 # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
-key_properties "KEY1" "csk" "0" "5" "RSASHA1" "2048" "no" "no"
+set_keysigning "KEY1" "no"
+set_zonesigning "KEY1" "no"
 key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden"
 # The ECDSAP256SHA256 DS is now OMNIPRESENT.
 key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
@@ -2756,7 +2922,6 @@ check_next_key_event 7200
 set_zone "step5.csk-algorithm-roll.kasp"
 set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
-
 # The DNSKEY becomes HIDDEN.
 key_states "KEY1" "hidden" "hidden" "unretentive" "hidden" "hidden"
 
@@ -2777,7 +2942,6 @@ check_next_key_event 25200
 set_zone "step6.csk-algorithm-roll.kasp"
 set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
-
 # The zone signatures should now also be HIDDEN.
 key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden"
 
From 32e4916c59a50916b941a4a540cdb515db5b1f08 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Fri, 28 Feb 2020 12:27:41 +0100
Subject: [PATCH 3/6] Replace key_timings
---
 bin/tests/system/kasp/tests.sh | 207 ++++++++++++++++++++++-----------
 1 file changed, 138 insertions(+), 69 deletions(-)
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 8c133d0ec8..87ee019699 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -198,21 +198,12 @@ set_zonesigning() {
 # Set key timing metadata. Set to "none" to unset.
 # These times are hard to test, so it is just an indication that we expect the
 # respective timing metadata in the key files.
-# $1: Key to update
-# $2: Published
-# $3: Active
-# $4: Retired
-# $5: Revoked
-# $6: Removed
-#
-# This will update either the KEY1, KEY2 or KEY3 array.
-key_timings() {
+# $1: Key to update (KEY1, KEY2, ...)
+# $2: Time to update (PUBLISHED, ACTIVE, RETIRED, REVOKED, or REMOVED).
+# $3: Value
+set_keytime() {
 	key_set "$1" "EXPECT" "yes"
-	key_set "$1" "PUBLISHED" "$2"
-	key_set "$1" "ACTIVE" "$3"
-	key_set "$1" "RETIRED" "$4"
-	key_set "$1" "REVOKED" "$5"
-	key_set "$1" "REMOVED" "$6"
+	key_set "$1" "$2" "$3"
 }
 
 # Set key state metadata. Set to "none" to unset.
@@ -498,36 +489,24 @@ set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "yes"
 
-key_timings "KEY1" "none" "none" "none" "none" "none"
-key_states "KEY1" "none" "none" "none" "none" "none"
-
 set_keyrole "KEY2" "ksk"
 set_keylifetime "KEY2" "31536000"
 set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
 set_keysigning "KEY2" "yes"
 set_zonesigning "KEY2" "no"
 
-key_timings "KEY2" "none" "none" "none" "none" "none"
-key_states "KEY2" "none" "none" "none" "none" "none"
-
 set_keyrole "KEY3" "zsk"
 set_keylifetime "KEY3" "2592000"
 set_keyalgorithm "KEY3" "8" "RSASHA256" "1024"
 set_keysigning "KEY3" "no"
 set_zonesigning "KEY3" "yes"
 
-key_timings "KEY3" "none" "none" "none" "none" "none"
-key_states "KEY3" "none" "none" "none" "none" "none"
-
 set_keyrole "KEY4" "zsk"
 set_keylifetime "KEY4" "16070400"
 set_keyalgorithm "KEY4" "8" "RSASHA256" "2000"
 set_keysigning "KEY4" "no"
 set_zonesigning "KEY4" "yes"
 
-key_timings "KEY4" "none" "none" "none" "none" "none"
-key_states "KEY4" "none" "none" "none" "none" "none"
-
 lines=$(get_keyids "$DIR" "$ZONE" | wc -l)
 test "$lines" -eq $NUM_KEYS || log_error "bad number of key ids"
 
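Review bot: set_keytime passes `$2` straight through to key_set without checking it against the names its own comment lists, so a misspelled time (say `"PUBLISED"`) silently stores an entry that no check ever reads, and the expectation the test author meant to add simply disappears instead of failing. The old key_timings could not be misused this way because it set all five fields positionally, and every call site in this patch now spells the field name by hand, which makes a guard worthwhile. A case statement that rejects anything outside PUBLISHED/ACTIVE/RETIRED/REVOKED/REMOVED and aborts through echo_i turns the typo into an immediate harness error rather than a weakened test. The same argument applies to `$1`, but the KEY array names are also used by key_clear and the set_* helpers, so a check there belongs in key_set.

```shell
set_keytime() {
	case "$2" in
		PUBLISHED|ACTIVE|RETIRED|REVOKED|REMOVED) ;;
		*) echo_i "error: set_keytime: unknown key time '$2' for $1"; exit 1 ;;
	esac
	key_set "$1" "EXPECT" "yes"
	key_set "$1" "$2" "$3"
}
```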
@@ -566,9 +545,6 @@ set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "yes"
 
-key_timings "KEY1" "none" "none" "none" "none" "none"
-key_states "KEY1" "none" "none" "none" "none" "none"
-
 key_clear "KEY2"
 key_clear "KEY3"
 key_clear "KEY4"
@@ -607,7 +583,7 @@ ret=0
 cp "$STATE_FILE" "$CMP_FILE"
 now=$(date +%Y%m%d%H%M%S)
 $SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
-key_timings "KEY1" "published" "none" "none" "none" "none"
+set_keytime "KEY1" "PUBLISHED" "yes"
 key_states "KEY1" "omnipresent" "rumoured" "omnipresent" "rumoured" "hidden"
 check_key "KEY1" "$id"
 test "$ret" -eq 0 || echo_i "failed"
@@ -618,7 +594,7 @@ echo_i "check that 'dnssec-settime -s' also unsets publish time metadata and sta
 ret=0
 cp "$STATE_FILE" "$CMP_FILE"
 $SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
-key_timings "KEY1" "none" "none" "none" "none" "none"
+set_keytime "KEY1" "PUBLISHED" "none"
 key_states "KEY1" "none" "none" "none" "none" "none"
 check_key "KEY1" "$id"
 test "$ret" -eq 0 || echo_i "failed"
@@ -630,7 +606,7 @@ ret=0
 cp "$STATE_FILE" "$CMP_FILE"
 now=$(date +%Y%m%d%H%M%S)
 $SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
-key_timings "KEY1" "none" "active" "none" "none" "none"
+set_keytime "KEY1" "ACTIVE" "yes"
 key_states "KEY1" "hidden" "unretentive" "unretentive" "omnipresent" "omnipresent"
 check_key "KEY1" "$id"
 test "$ret" -eq 0 || echo_i "failed"
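Review bot: In the `@@ -607,7 +583,7 @@` hunk, replacing `key_timings "KEY1" "published" "none" "none" "none" "none"` with `set_keytime "KEY1" "PUBLISHED" "yes"` drops the explicit expectation that ACTIVE, RETIRED, REVOKED and REMOVED are unset after `dnssec-settime -s -P`; those entries now keep whatever the KEY1 array held before this check, and the `key_timings "KEY1" "none" …` calls that used to initialise them are removed in the `@@ -498` and `@@ -566` hunks. If key_clear resets the timing fields to "none" this is harmless, but key_clear's body is not visible here and the settime checks should not depend on the keygen tests that precede them. A `key_clear "KEY1"` before the first settime check, or an explicit `set_keytime "KEY1" "ACTIVE" "none"` alongside the PUBLISHED line, would keep the assertion as strong as before and make the check self-contained. The following `@@ -618` and `@@ -630` hunks set a single field each and inherit the same dependency on earlier state.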
@@ -691,7 +667,8 @@ set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "yes"
 
 # The first key is immediately published and activated.
-key_timings "KEY1" "published" "active" "none" "none" "none" "none"
+set_keytime "KEY1" "PUBLISHED" "yes"
+set_keytime "KEY1" "ACTIVE" "yes"
 # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
 key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden"
 
@@ -797,12 +774,19 @@ set_keylifetime "KEY3" "31536000"
 set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
 set_keysigning "KEY3" "no"
 set_zonesigning "KEY3" "yes"
-
 # The first keys are immediately published and activated.
 # Because lifetime > 0, retired timing is also set.
-key_timings "KEY1" "published" "active" "retired" "none" "none"
-key_timings "KEY2" "published" "active" "retired" "none" "none"
-key_timings "KEY3" "published" "active" "retired" "none" "none"
+set_keytime "KEY1" "PUBLISHED" "yes"
+set_keytime "KEY1" "ACTIVE" "yes"
+set_keytime "KEY1" "RETIRED" "yes"
+
+set_keytime "KEY2" "PUBLISHED" "yes"
+set_keytime "KEY2" "ACTIVE" "yes"
+set_keytime "KEY2" "RETIRED" "yes"
+
+set_keytime "KEY3" "PUBLISHED" "yes"
+set_keytime "KEY3" "ACTIVE" "yes"
+set_keytime "KEY3" "RETIRED" "yes"
 # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
 # ZSK: DNSKEY, RRSIG (zsk) published.
 key_states "KEY1" "omnipresent" "rumoured" "none" "rumoured" "hidden"
@@ -1144,7 +1128,9 @@ set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "yes"
 
 # The first key is immediately published and activated.
-key_timings "KEY1" "published" "active" "none" "none" "none"
+set_keytime "KEY1" "PUBLISHED" "yes"
+set_keytime "KEY1" "ACTIVE" "yes"
+set_keytime "KEY1" "RETIRED" "none"
 # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
 key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden"
 
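Review bot: The `@@ -691,7 +667,8 @@` hunk sets only PUBLISHED and ACTIVE for KEY1, although the removed key_timings call also asserted that RETIRED was unset, while the parallel `@@ -1144,7 +1128,9 @@` hunk for the same "immediately published and activated" scenario adds an explicit `set_keytime "KEY1" "RETIRED" "none"`. Unless key_clear is known to reset RETIRED before this point (its body is outside this patch), the first hunk should carry the same line, `set_keytime "KEY1" "RETIRED" "none"` after `set_keytime "KEY1" "ACTIVE" "yes"`, so both checks assert the same thing and a stale RETIRED value from an earlier scenario cannot slip through. Making that explicit in both places also documents at the call site that a lifetime of 0 is expected to leave RETIRED unset.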
@@ -1182,9 +1168,17 @@ set_keysigning "KEY3" "no" set_zonesigning "KEY3" "yes" # The first keys are immediately published and activated. # Because lifetime > 0, retired timing is also set. -key_timings "KEY1" "published" "active" "retired" "none" "none" -key_timings "KEY2" "published" "active" "retired" "none" "none" -key_timings "KEY3" "published" "active" "retired" "none" "none" +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" +set_keytime "KEY1" "RETIRED" "yes" + +set_keytime "KEY2" "PUBLISHED" "yes" +set_keytime "KEY2" "ACTIVE" "yes" +set_keytime "KEY2" "RETIRED" "yes" + +set_keytime "KEY3" "PUBLISHED" "yes" +set_keytime "KEY3" "ACTIVE" "yes" +set_keytime "KEY3" "RETIRED" "yes" # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. # ZSK: DNSKEY, RRSIG (zsk) published. key_states "KEY1" "omnipresent" "rumoured" "none" "rumoured" "hidden" @@ -1420,12 +1414,17 @@ set_keylifetime "KEY2" "31536000" set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY2" "no" set_zonesigning "KEY2" "yes" +# Key timings. +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" +set_keytime "KEY1" "RETIRED" "yes" +set_keytime "KEY2" "PUBLISHED" "yes" +set_keytime "KEY2" "ACTIVE" "yes" +set_keytime "KEY2" "RETIRED" "yes" # Both KSK and ZSK stay OMNIPRESENT. -key_timings "KEY1" "published" "active" "retired" "none" "none" key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent" key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none" -key_timings "KEY2" "published" "active" "retired" "none" "none" # Expect only two keys. key_clear "KEY3" key_clear "KEY4" 
@@ -1567,13 +1566,15 @@ set_keylifetime "KEY3" "31536000" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY3" "no" set_zonesigning "KEY3" "no" +# Key timings. +set_keytime "KEY3" "PUBLISHED" "yes" +set_keytime "KEY3" "ACTIVE" "yes" +set_keytime "KEY3" "RETIRED" "yes" # The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK # is active. -key_timings "KEY2" "published" "active" "retired" "none" "none" key_states "KEY2" "hidden" "omnipresent" "omnipresent" "none" "none" # A new ZSK should be introduced, so expect a key with goal OMNIPRESENT, # the DNSKEY introduced (RUMOURED) and the signatures HIDDEN. -key_timings "KEY3" "published" "active" "retired" "none" "none" key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none" # @@ -1688,7 +1689,10 @@ set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" -key_timings "KEY1" "published" "active" "none" "none" "none" +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" +set_keytime "KEY1" "RETIRED" "none" + key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden" set_zone "signed.tld" @@ -1807,13 +1811,16 @@ set_zone "step1.enable-dnssec.autosign" set_policy "enable-dnssec" "1" "300" set_server "ns3" "10.53.0.3" # Key properties. +key_clear "KEY1" set_keyrole "KEY1" "csk" set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" +# Key timings. +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" # The DNSKEY and signatures are introduced first, the DS remains hidden. -key_timings "KEY1" "published" "active" "none" "none" "none" key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden" # This policy lists only one key (CSK). key_clear "KEY2" 
@@ -1919,6 +1926,7 @@ set_zone "step1.zsk-prepub.autosign" set_policy "zsk-prepub" "2" "3600" set_server "ns3" "10.53.0.3" # Key properties. +key_clear "KEY1" set_keyrole "KEY1" "ksk" set_keylifetime "KEY1" "63072000" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" @@ -1931,11 +1939,17 @@ set_keylifetime "KEY2" "2592000" set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY2" "no" set_zonesigning "KEY2" "yes" +# Key timings. +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" +set_keytime "KEY1" "RETIRED" "yes" + +set_keytime "KEY2" "PUBLISHED" "yes" +set_keytime "KEY2" "ACTIVE" "yes" +set_keytime "KEY2" "RETIRED" "yes" # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. -key_timings "KEY1" "published" "active" "retired" "none" "none" key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent" key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none" -key_timings "KEY2" "published" "active" "retired" "none" "none" # Initially only two keys. key_clear "KEY3" key_clear "KEY4" @@ -1958,15 +1972,18 @@ set_zone "step2.zsk-prepub.autosign" set_policy "zsk-prepub" "3" "3600" set_server "ns3" "10.53.0.3" # New ZSK (KEY3) is prepublished, but not yet signing. +key_clear "KEY3" set_keyrole "KEY3" "zsk" set_keylifetime "KEY3" "2592000" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY3" "no" set_zonesigning "KEY3" "no" -# KSK (KEY1) doesn't change. -# ZSK (KEY2) remains active, no change in properties/timings/states. +# Key timings. +set_keytime "KEY3" "PUBLISHED" "yes" +set_keytime "KEY3" "ACTIVE" "yes" +set_keytime "KEY3" "RETIRED" "yes" +# Key states. key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none" -key_timings "KEY3" "published" "active" "retired" "none" "none" check_keys check_apex 
@@ -2039,7 +2056,7 @@ set_zone "step5.zsk-prepub.autosign" set_policy "zsk-prepub" "3" "3600" set_server "ns3" "10.53.0.3" # ZSK (KEY3) DNSKEY is now completely HIDDEN and removed. -key_timings "KEY2" "published" "active" "retired" "none" "removed" +set_keytime "KEY2" "REMOVED" "yes" key_states "KEY2" "hidden" "hidden" "hidden" "none" "none" # ZSK (KEY3) remains actively signing, staying in OMNIPRESENT. @@ -2064,6 +2081,7 @@ set_zone "step1.ksk-doubleksk.autosign" set_policy "ksk-doubleksk" "2" "7200" set_server "ns3" "10.53.0.3" # Key properties. +key_clear "KEY1" set_keyrole "KEY1" "ksk" set_keylifetime "KEY1" "5184000" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" @@ -2076,10 +2094,16 @@ set_keylifetime "KEY2" "31536000" set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY2" "no" set_zonesigning "KEY2" "yes" +# Key timings. +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" +set_keytime "KEY1" "RETIRED" "yes" + +set_keytime "KEY2" "PUBLISHED" "yes" +set_keytime "KEY2" "ACTIVE" "yes" +set_keytime "KEY2" "RETIRED" "yes" # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. -key_timings "KEY1" "published" "active" "retired" "none" "none" key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent" -key_timings "KEY2" "published" "active" "retired" "none" "none" key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none" # Initially only two keys. key_clear "KEY3" 
@@ -2104,13 +2128,18 @@ set_zone "step2.ksk-doubleksk.autosign" set_policy "ksk-doubleksk" "3" "7200" set_server "ns3" "10.53.0.3" # New KSK (KEY3) is prepublished (and signs DNSKEY RRset). +key_clear "KEY3" set_keyrole "KEY3" "ksk" set_keylifetime "KEY3" "5184000" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY3" "yes" set_zonesigning "KEY3" "no" +# Key timings. +set_keytime "KEY3" "PUBLISHED" "yes" +set_keytime "KEY3" "ACTIVE" "yes" +set_keytime "KEY3" "RETIRED" "yes" +# Key states. key_states "KEY3" "omnipresent" "rumoured" "none" "rumoured" "hidden" -key_timings "KEY3" "published" "active" "retired" "none" "none" check_keys check_apex @@ -2199,13 +2228,17 @@ set_zone "step1.csk-roll.autosign" set_policy "csk-roll" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties. +key_clear "KEY1" set_keyrole "KEY1" "csk" set_keylifetime "KEY1" "16070400" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" +# Key timings. +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" +set_keytime "KEY1" "RETIRED" "yes" # The CSK (KEY1) starts in OMNIPRESENT. -key_timings "KEY1" "published" "active" "retired" "none" "none" key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" # Initially only one key. key_clear "KEY2" 
@@ -2231,13 +2264,18 @@ set_zone "step2.csk-roll.autosign" set_policy "csk-roll" "2" "3600" set_server "ns3" "10.53.0.3" # New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets). +key_clear "KEY2" set_keyrole "KEY2" "csk" set_keylifetime "KEY2" "16070400" set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY2" "yes" set_zonesigning "KEY2" "no" +# Key timings. +set_keytime "KEY2" "PUBLISHED" "yes" +set_keytime "KEY2" "ACTIVE" "yes" +set_keytime "KEY2" "RETIRED" "yes" +# Key states. key_states "KEY2" "omnipresent" "rumoured" "hidden" "rumoured" "hidden" -key_timings "KEY2" "published" "active" "retired" "none" "none" check_keys check_apex @@ -2384,13 +2422,17 @@ set_zone "step1.csk-roll2.autosign" set_policy "csk-roll2" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties. +key_clear "KEY1" set_keyrole "KEY1" "csk" set_keylifetime "KEY1" "16070400" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" +# Key timings. +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" +set_keytime "KEY1" "RETIRED" "yes" # The CSK (KEY1) starts in OMNIPRESENT. -key_timings "KEY1" "published" "active" "retired" "none" "none" key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" # Initially only one key. key_clear "KEY2" 
@@ -2416,13 +2458,18 @@ set_zone "step2.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" # New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets). +key_clear "KEY2" set_keyrole "KEY2" "csk" set_keylifetime "KEY2" "16070400" set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY2" "yes" set_zonesigning "KEY2" "no" +# Key timings. +set_keytime "KEY2" "PUBLISHED" "yes" +set_keytime "KEY2" "ACTIVE" "yes" +set_keytime "KEY2" "RETIRED" "yes" +# Key states. key_states "KEY2" "omnipresent" "rumoured" "hidden" "rumoured" "hidden" -key_timings "KEY2" "published" "active" "retired" "none" "none" check_keys check_apex @@ -2547,6 +2594,7 @@ set_zone "step1.algorithm-roll.kasp" set_policy "rsasha1" "2" "3600" set_server "ns6" "10.53.0.6" # Key properties. +key_clear "KEY1" set_keyrole "KEY1" "ksk" set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" @@ -2561,10 +2609,14 @@ set_keysigning "KEY2" "no" set_zonesigning "KEY2" "yes" key_clear "KEY3" key_clear "KEY4" +# Key timings. +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" + +set_keytime "KEY2" "PUBLISHED" "yes" +set_keytime "KEY2" "ACTIVE" "yes" # The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. -key_timings "KEY1" "published" "active" "none" "none" "none" key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent" -key_timings "KEY2" "published" "active" "none" "none" "none" key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none" check_keys @@ -2584,6 +2636,7 @@ set_zone "step1.csk-algorithm-roll.kasp" set_policy "csk-algoroll" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. +key_clear "KEY1" set_keyrole "KEY1" "csk" set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" 
@@ -2592,8 +2645,10 @@ set_zonesigning "KEY1" "yes" key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" +# Key timings. +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" # The CSK (KEY1) starts in OMNIPRESENT. -key_timings "KEY1" "published" "active" "none" "none" "none" key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" check_keys 
@@ -2650,36 +2705,46 @@ set_zone "step1.algorithm-roll.kasp" set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" # Old RSASHA1 keys. +key_clear "KEY1" set_keyrole "KEY1" "ksk" set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "no" +key_clear "KEY2" set_keyrole "KEY2" "zsk" set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" set_keysigning "KEY2" "no" set_zonesigning "KEY2" "yes" # New ECDSAP256SHA256 keys. +key_clear "KEY3" set_keyrole "KEY3" "ksk" set_keylifetime "KEY3" "0" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY3" "yes" set_zonesigning "KEY3" "no" +key_clear "KEY4" set_keyrole "KEY4" "zsk" set_keylifetime "KEY4" "0" set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY4" "no" set_zonesigning "KEY4" "yes" # The RSAHSHA1 keys are outroducing. -key_timings "KEY1" "published" "active" "retired" "none" "none" +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" +set_keytime "KEY1" "RETIRED" "yes" +set_keytime "KEY2" "PUBLISHED" "yes" +set_keytime "KEY2" "ACTIVE" "yes" +set_keytime "KEY2" "RETIRED" "yes" key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "omnipresent" -key_timings "KEY2" "published" "active" "retired" "none" "none" key_states "KEY2" "hidden" "omnipresent" "omnipresent" "none" "none" # The ECDSAP256SHA256 keys are introducing. -key_timings "KEY3" "published" "active" "none" "none" "none" +set_keytime "KEY3" "PUBLISHED" "yes" +set_keytime "KEY3" "ACTIVE" "yes" +set_keytime "KEY4" "PUBLISHED" "yes" +set_keytime "KEY4" "ACTIVE" "yes" key_states "KEY3" "omnipresent" "rumoured" "none" "rumoured" "hidden" -key_timings "KEY4" "published" "active" "none" "none" "none" key_states "KEY4" "omnipresent" "rumoured" "rumoured" "none" "none" check_keys 
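Review bot: The context comment `# The RSAHSHA1 keys are outroducing.` misspells the algorithm name; the same typo appears in the hunk at `@@ -2830,10 +2896,13 @@` (`# The RSAHSHA1 key is outroducing.`) and survives unchanged into PATCH 4/6. Since this hunk already rewrites the lines directly below it, `# The RSASHA1 keys are outroducing.` would be a cheap fix here. Separately, unlike the other hunks in this commit, the `set_keytime` calls for KEY1 and KEY2 are added as a single block before both `key_states` lines rather than grouped per key; grouping them per key, as the ksk-doubleksk hunk earlier in this file does, would keep the layout consistent across steps.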
@@ -2822,6 +2887,7 @@ set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" # New ECDSAP256SHA256 key. +key_clear "KEY2" set_keyrole "KEY2" "csk" set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" @@ -2830,10 +2896,13 @@ set_zonesigning "KEY2" "yes" key_clear "KEY3" key_clear "KEY4" # The RSAHSHA1 key is outroducing. -key_timings "KEY1" "published" "active" "retired" "none" "none" +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" +set_keytime "KEY1" "RETIRED" "yes" key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent" # The ECDSAP256SHA256 key is introducing. -key_timings "KEY2" "published" "active" "none" "none" "none" +set_keytime "KEY2" "PUBLISHED" "yes" +set_keytime "KEY2" "ACTIVE" "yes" key_states "KEY2" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden" check_keys From f500b16f83ad70c13a1eaa9bfcca051995b2e0ce Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 2 Mar 2020 11:50:55 +0100 Subject: [PATCH 4/6] Replace key_states --- bin/tests/system/kasp/tests.sh | 471 ++++++++++++++++++++++----------- 1 file changed, 313 insertions(+), 158 deletions(-) diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 87ee019699..dd28ddc77c 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh 
@@ -207,21 +207,12 @@ set_keytime() { } # Set key state metadata. Set to "none" to unset. -# $1: Key to update -# $2: Goal state -# $3: DNSKEY state -# $4: RRSIG state (zsk) -# $5: RRSIG state (ksk) -# $6: DS state -# -# This will update either the KEY1, KEY2, OR KEY3 array. -key_states() { +# $1: Key to update (KEY1, KEY2, ...) +# $2: Key state to update (GOAL, STATE_DNSKEY, STATE_ZRRSIG, STATE_KRRSIG, or STATE_DS) +# $3: Value +set_keystate() { key_set "$1" "EXPECT" "yes" - key_set "$1" "GOAL" "$2" - key_set "$1" "STATE_DNSKEY" "$3" - key_set "$1" "STATE_ZRRSIG" "$4" - key_set "$1" "STATE_KRRSIG" "$5" - key_set "$1" "STATE_DS" "$6" + key_set "$1" "$2" "$3" } # Check the key $1 with id $2. @@ -583,8 +574,12 @@ ret=0 cp "$STATE_FILE" "$CMP_FILE" now=$(date +%Y%m%d%H%M%S) $SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keytime "KEY1" "PUBLISHED" "yes" -key_states "KEY1" "omnipresent" "rumoured" "omnipresent" "rumoured" "hidden" +set_keytime "KEY1" "PUBLISHED" "yes" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "hidden" check_key "KEY1" "$id" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) 
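Review bot: `set_keystate` passes `$2` straight through to `key_set`, so a misspelled state name (say `STATE_ZRSIG`) would not touch the field it was meant to and, depending on how `key_set` and `check_key` treat unknown keys (both outside this hunk), the expectation would presumably disappear silently rather than fail the test. Because the function's comment already enumerates the five accepted names, the function can reject anything else up front; the rewrite below does that with a `case` and aborts, since a bad name is a harness bug rather than a test failure. The same argument applies to `set_keytime`, whose body is outside this hunk, and could be extended to the value in `$3`, which the rest of the file only ever sets to one of hidden, rumoured, omnipresent, unretentive or none.
```shell
set_keystate() {
	case "$2" in
		GOAL|STATE_DNSKEY|STATE_ZRRSIG|STATE_KRRSIG|STATE_DS) ;;
		*) echo_i "error: set_keystate: unknown key state '$2'"; exit 1 ;;
	esac
	key_set "$1" "EXPECT" "yes"
	key_set "$1" "$2" "$3"
}
```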
@@ -594,8 +589,12 @@ echo_i "check that 'dnssec-settime -s' also unsets publish time metadata and sta ret=0 cp "$STATE_FILE" "$CMP_FILE" $SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keytime "KEY1" "PUBLISHED" "none" -key_states "KEY1" "none" "none" "none" "none" "none" +set_keytime "KEY1" "PUBLISHED" "none" +set_keystate "KEY1" "GOAL" "none" +set_keystate "KEY1" "STATE_DNSKEY" "none" +set_keystate "KEY1" "STATE_KRRSIG" "none" +set_keystate "KEY1" "STATE_ZRRSIG" "none" +set_keystate "KEY1" "STATE_DS" "none" check_key "KEY1" "$id" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -606,8 +605,12 @@ ret=0 cp "$STATE_FILE" "$CMP_FILE" now=$(date +%Y%m%d%H%M%S) $SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keytime "KEY1" "ACTIVE" "yes" -key_states "KEY1" "hidden" "unretentive" "unretentive" "omnipresent" "omnipresent" +set_keytime "KEY1" "ACTIVE" "yes" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "omnipresent" check_key "KEY1" "$id" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) 
@@ -667,10 +670,14 @@ set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" # The first key is immediately published and activated. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" n=$((n+1)) echo_i "check key is created for zone ${ZONE} ($n)" @@ -755,6 +762,7 @@ set_zone "rsasha1.kasp" set_policy "rsasha1" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties. +key_clear "KEY1" set_keyrole "KEY1" "ksk" set_keylifetime "KEY1" "315360000" set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" @@ -789,9 +797,19 @@ set_keytime "KEY3" "ACTIVE" "yes" set_keytime "KEY3" "RETIRED" "yes" # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. # ZSK: DNSKEY, RRSIG (zsk) published. -key_states "KEY1" "omnipresent" "rumoured" "none" "rumoured" "hidden" -key_states "KEY2" "omnipresent" "rumoured" "rumoured" "none" "none" -key_states "KEY3" "omnipresent" "rumoured" "rumoured" "none" "none" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" + +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "rumoured" +set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" + +set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" +# Three keys only. key_clear "KEY4" # Check keys for a configured zone. This verifies: 
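Review bot: The two `set_keytime "KEY1" ...` lines in this hunk are removed and re-added with identical visible text, so the change there is presumably whitespace-only (indentation or trailing blanks); the same pattern recurs in the hunks at `@@ -1128,11 +1146,15 @@`, `@@ -1567,15 +1607,19 @@`, `@@ -1689,11 +1733,15 @@`, `@@ -1818,10 +1866,14 @@`, `@@ -1979,11 +2040,13 @@` and several later ones in this commit. Mixing that with the `key_states` to `set_keystate` replacement inflates the diff and hides the semantic change behind noise. A separate whitespace-only commit, or at least reviewing this one with whitespace changes ignored, would make the expectation rewrites much easier to verify line by line.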
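Review bot: The removed `key_states` lines asserted `"none"` for the fields that do not apply to a key's role (STATE_ZRRSIG for the KSK KEY1, STATE_KRRSIG and STATE_DS for the ZSKs KEY2 and KEY3), whereas the replacement in the `@@ -789,9 +797,19 @@` hunk sets only the applicable fields and says nothing about the others. Whether the check stays as strict depends on `key_clear` resetting those fields to `"none"`: `key_clear "KEY1"` is added in the hunk just above, but the corresponding calls for KEY2 and KEY3 and the body of `key_clear` are outside this hunk. If `key_clear` leaves them unset, the old explicit "none" expectation is lost; the same applies to the hunks at `@@ -1181,9 +1204,19 @@`, `@@ -1423,8 +1457,14 @@`, `@@ -1948,8 +2003,14 @@`, `@@ -2103,8 +2169,14 @@` and `@@ -2616,8 +2726,14 @@`. A one-line comment above the first such block, e.g. `# Fields not set here are expected to be "none" (reset by key_clear).`, would record the assumption the new layout relies on.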
@@ -1128,11 +1146,15 @@ set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" # The first key is immediately published and activated. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "none" +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" +set_keytime "KEY1" "RETIRED" "none" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" check_keys check_apex @@ -1147,6 +1169,7 @@ set_policy "rsasha1" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties. +key_clear "KEY1" set_keyrole "KEY1" "ksk" set_keylifetime "KEY1" "315360000" set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" @@ -1181,9 +1204,19 @@ set_keytime "KEY3" "ACTIVE" "yes" set_keytime "KEY3" "RETIRED" "yes" # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. # ZSK: DNSKEY, RRSIG (zsk) published. -key_states "KEY1" "omnipresent" "rumoured" "none" "rumoured" "hidden" -key_states "KEY2" "omnipresent" "rumoured" "rumoured" "none" "none" -key_states "KEY3" "omnipresent" "rumoured" "rumoured" "none" "none" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" + +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "rumoured" +set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" + +set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" +# Three keys only. key_clear "KEY4" check_keys 
@@ -1402,6 +1435,7 @@ set_zone "expired-sigs.autosign" set_policy "autosign" "2" "300" set_server "ns3" "10.53.0.3" # Key properties. +key_clear "KEY1" set_keyrole "KEY1" "ksk" set_keylifetime "KEY1" "63072000" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" @@ -1423,8 +1457,14 @@ set_keytime "KEY2" "PUBLISHED" "yes" set_keytime "KEY2" "ACTIVE" "yes" set_keytime "KEY2" "RETIRED" "yes" # Both KSK and ZSK stay OMNIPRESENT. -key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent" -key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" + +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # Expect only two keys. key_clear "KEY3" key_clear "KEY4" 
@@ -1567,15 +1607,19 @@ set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY3" "no" set_zonesigning "KEY3" "no" # Key timings. -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" -set_keytime "KEY3" "RETIRED" "yes" +set_keytime "KEY3" "PUBLISHED" "yes" +set_keytime "KEY3" "ACTIVE" "yes" +set_keytime "KEY3" "RETIRED" "yes" # The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK # is active. -key_states "KEY2" "hidden" "omnipresent" "omnipresent" "none" "none" +set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # A new ZSK should be introduced, so expect a key with goal OMNIPRESENT, # the DNSKEY introduced (RUMOURED) and the signatures HIDDEN. -key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none" +set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_ZRRSIG" "hidden" # # Test dnssec-policy inheritance. @@ -1689,11 +1733,15 @@ set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "none" +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" +set_keytime "KEY1" "RETIRED" "none" -key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" set_zone "signed.tld" set_policy "default" "1" "3600" 
@@ -1818,10 +1866,14 @@ set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" # Key timings. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" # The DNSKEY and signatures are introduced first, the DS remains hidden. -key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" # This policy lists only one key (CSK). key_clear "KEY2" key_clear "KEY3" @@ -1865,8 +1917,10 @@ check_next_key_event 900 set_zone "step2.enable-dnssec.autosign" set_policy "enable-dnssec" "1" "300" set_server "ns3" "10.53.0.3" -# The DNSKEY and signatures are introduced first, the DS remains hidden. -key_states "KEY1" "omnipresent" "omnipresent" "rumoured" "omnipresent" "hidden" +# The DNSKEY is omnipresent, but the zone signatures not yet. +# Thus, the DS remains hidden. +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" check_keys check_apex @@ -1885,7 +1939,8 @@ set_zone "step3.enable-dnssec.autosign" set_policy "enable-dnssec" "1" "300" set_server "ns3" "10.53.0.3" # The DS can be introduced. -key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "rumoured" check_keys check_apex @@ -1904,7 +1959,7 @@ set_zone "step4.enable-dnssec.autosign" set_policy "enable-dnssec" "1" "300" set_server "ns3" "10.53.0.3" # The DS is omnipresent. -key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" check_keys check_apex 
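Review bot: The rewritten comment in the `@@ -1865,8 +1917,10 @@` hunk reads `# The DNSKEY is omnipresent, but the zone signatures not yet.`, which is missing its verb; `# The DNSKEY is omnipresent, but the zone signatures are not yet.` reads cleanly and still fits on one line with the follow-up `# Thus, the DS remains hidden.`. The expectations themselves are consistent with step1 in the hunk above, which left STATE_ZRRSIG rumoured and STATE_DS hidden, so only the two fields that change are set here.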
@@ -1948,8 +2003,14 @@ set_keytime "KEY2" "PUBLISHED" "yes" set_keytime "KEY2" "ACTIVE" "yes" set_keytime "KEY2" "RETIRED" "yes" # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. -key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent" -key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" + +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # Initially only two keys. key_clear "KEY3" key_clear "KEY4" @@ -1979,11 +2040,13 @@ set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY3" "no" set_zonesigning "KEY3" "no" # Key timings. -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" -set_keytime "KEY3" "RETIRED" "yes" +set_keytime "KEY3" "PUBLISHED" "yes" +set_keytime "KEY3" "ACTIVE" "yes" +set_keytime "KEY3" "RETIRED" "yes" # Key states. -key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none" +set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_ZRRSIG" "hidden" check_keys check_apex @@ -2004,9 +2067,11 @@ set_server "ns3" "10.53.0.3" # ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE. # New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED. set_zonesigning "KEY2" "no" +set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" set_zonesigning "KEY3" "yes" -key_states "KEY2" "hidden" "omnipresent" "unretentive" "none" "none" -key_states "KEY3" "omnipresent" "omnipresent" "rumoured" "none" "none" +set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" check_keys check_apex 
@@ -2036,8 +2101,9 @@ set_policy "zsk-prepub" "3" "3600" set_server "ns3" "10.53.0.3" # ZSK (KEY2) DNSKEY is no longer needed. # ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED. -key_states "KEY2" "hidden" "unretentive" "hidden" "none" "none" -key_states "KEY3" "omnipresent" "omnipresent" "omnipresent" "none" "none" +set_keystate "KEY2" "STATE_DNSKEY" "unretentive" +set_keystate "KEY2" "STATE_ZRRSIG" "hidden" +set_keystate "KEY3" "STATE_ZRRSIG" "omnipresent" check_keys check_apex @@ -2056,8 +2122,8 @@ set_zone "step5.zsk-prepub.autosign" set_policy "zsk-prepub" "3" "3600" set_server "ns3" "10.53.0.3" # ZSK (KEY3) DNSKEY is now completely HIDDEN and removed. -set_keytime "KEY2" "REMOVED" "yes" -key_states "KEY2" "hidden" "hidden" "hidden" "none" "none" +set_keytime "KEY2" "REMOVED" "yes" +set_keystate "KEY2" "STATE_DNSKEY" "hidden" # ZSK (KEY3) remains actively signing, staying in OMNIPRESENT. check_keys @@ -2103,8 +2169,14 @@ set_keytime "KEY2" "PUBLISHED" "yes" set_keytime "KEY2" "ACTIVE" "yes" set_keytime "KEY2" "RETIRED" "yes" # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. -key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent" -key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" + +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # Initially only two keys. key_clear "KEY3" key_clear "KEY4" 
@@ -2135,11 +2207,14 @@ set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY3" "yes" set_zonesigning "KEY3" "no" # Key timings. -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" -set_keytime "KEY3" "RETIRED" "yes" +set_keytime "KEY3" "PUBLISHED" "yes" +set_keytime "KEY3" "ACTIVE" "yes" +set_keytime "KEY3" "RETIRED" "yes" # Key states. -key_states "KEY3" "omnipresent" "rumoured" "none" "rumoured" "hidden" +set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_KRRSIG" "rumoured" +set_keystate "KEY3" "STATE_DS" "hidden" check_keys check_apex @@ -2158,9 +2233,13 @@ set_zone "step3.ksk-doubleksk.autosign" set_policy "ksk-doubleksk" "3" "7200" set_server "ns3" "10.53.0.3" # KSK (KEY1) DS will be removed, so it is UNRETENTIVE. -key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "unretentive" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY1" "STATE_DS" "unretentive" # New KSK (KEY3) has its DS submitted. -key_states "KEY3" "omnipresent" "omnipresent" "none" "omnipresent" "rumoured" +set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY3" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY3" "STATE_DS" "rumoured" + check_keys check_apex check_subdomain @@ -2183,9 +2262,11 @@ set_policy "ksk-doubleksk" "3" "7200" set_server "ns3" "10.53.0.3" # KSK (KEY1) DNSKEY can be removed. set_keysigning "KEY1" "no" -key_states "KEY1" "hidden" "unretentive" "none" "unretentive" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "hidden" # New KSK (KEY3) DS is now OMNIPRESENT. -key_states "KEY3" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent" +set_keystate "KEY3" "STATE_DS" "omnipresent" check_keys check_apex 
@@ -2204,7 +2285,8 @@ set_zone "step5.ksk-doubleksk.autosign" set_policy "ksk-doubleksk" "3" "7200" set_server "ns3" "10.53.0.3" # KSK (KEY1) DNSKEY is now HIDDEN. -key_states "KEY1" "hidden" "hidden" "none" "hidden" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "hidden" +set_keystate "KEY1" "STATE_KRRSIG" "hidden" check_keys check_apex @@ -2235,11 +2317,15 @@ set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" # Key timings. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "yes" +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" +set_keytime "KEY1" "RETIRED" "yes" # The CSK (KEY1) starts in OMNIPRESENT. -key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # Initially only one key. key_clear "KEY2" key_clear "KEY3" @@ -2271,11 +2357,15 @@ set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY2" "yes" set_zonesigning "KEY2" "no" # Key timings. -set_keytime "KEY2" "PUBLISHED" "yes" -set_keytime "KEY2" "ACTIVE" "yes" -set_keytime "KEY2" "RETIRED" "yes" +set_keytime "KEY2" "PUBLISHED" "yes" +set_keytime "KEY2" "ACTIVE" "yes" +set_keytime "KEY2" "RETIRED" "yes" # Key states. -key_states "KEY2" "omnipresent" "rumoured" "hidden" "rumoured" "hidden" +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "rumoured" +set_keystate "KEY2" "STATE_KRRSIG" "rumoured" +set_keystate "KEY2" "STATE_ZRRSIG" "hidden" +set_keystate "KEY2" "STATE_DS" "hidden" check_keys check_apex 
@@ -2297,10 +2387,15 @@ set_server "ns3" "10.53.0.3" set_zonesigning "KEY1" "no" set_zonesigning "KEY2" "yes" # CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE. -key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "unretentive" # New CSK (KEY2) has its DS submitted, and is signing, so the DS and ZRRSIG # are in RUMOURED state. -key_states "KEY2" "omnipresent" "omnipresent" "rumoured" "omnipresent" "rumoured" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY2" "STATE_DS" "rumoured" check_keys check_apex @@ -2333,9 +2428,10 @@ set_server "ns3" "10.53.0.3" set_keysigning "KEY1" "no" # The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public # but can remove the KRRSIG records. -key_states "KEY1" "hidden" "omnipresent" "unretentive" "unretentive" "hidden" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "hidden" # The new CSK (KEY2) DS is now OMNIPRESENT. -key_states "KEY2" "omnipresent" "omnipresent" "rumoured" "omnipresent" "omnipresent" +set_keystate "KEY2" "STATE_DS" "omnipresent" check_keys check_apex @@ -2354,7 +2450,7 @@ set_zone "step5.csk-roll.autosign" set_policy "csk-roll" "2" "3600" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) KRRSIG records are now all hidden. -key_states "KEY1" "hidden" "omnipresent" "unretentive" "hidden" "hidden" +set_keystate "KEY1" "STATE_KRRSIG" "hidden" check_keys check_apex 
@@ -2374,10 +2470,12 @@ check_next_key_event 2149200 set_zone "step6.csk-roll.autosign" set_policy "csk-roll" "2" "3600" set_server "ns3" "10.53.0.3" -# The old CSK (KEY1) ZRRSIG records are now all hidden. -key_states "KEY1" "hidden" "unretentive" "hidden" "hidden" "hidden" +# The old CSK (KEY1) ZRRSIG records are now all hidden (so the DNSKEY can +# be removed). +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_ZRRSIG" "hidden" # The new CSK (KEY2) is now fully OMNIPRESENT. -key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" +set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" check_keys check_apex @@ -2396,9 +2494,7 @@ set_zone "step7.csk-roll.autosign" set_policy "csk-roll" "2" "3600" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) is now completely HIDDEN. -key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden" -# The new CSK (KEY2) is now fully OMNIPRESENT. -key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "hidden" check_keys check_apex @@ -2429,11 +2525,15 @@ set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" # Key timings. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "yes" +set_keytime "KEY1" "PUBLISHED" "yes" +set_keytime "KEY1" "ACTIVE" "yes" +set_keytime "KEY1" "RETIRED" "yes" # The CSK (KEY1) starts in OMNIPRESENT. -key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # Initially only one key. key_clear "KEY2" key_clear "KEY3" 
@@ -2465,11 +2565,15 @@ set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY2" "yes" set_zonesigning "KEY2" "no" # Key timings. -set_keytime "KEY2" "PUBLISHED" "yes" -set_keytime "KEY2" "ACTIVE" "yes" -set_keytime "KEY2" "RETIRED" "yes" +set_keytime "KEY2" "PUBLISHED" "yes" +set_keytime "KEY2" "ACTIVE" "yes" +set_keytime "KEY2" "RETIRED" "yes" # Key states. -key_states "KEY2" "omnipresent" "rumoured" "hidden" "rumoured" "hidden" +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "rumoured" +set_keystate "KEY2" "STATE_KRRSIG" "rumoured" +set_keystate "KEY2" "STATE_ZRRSIG" "hidden" +set_keystate "KEY2" "STATE_DS" "hidden" check_keys check_apex @@ -2487,14 +2591,18 @@ check_next_key_event 10800 set_zone "step3.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" -# Swap zone signing role. -set_zonesigning "KEY1" "no" -set_zonesigning "KEY2" "yes" # CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE. -key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive" +set_zonesigning "KEY1" "no" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "unretentive" # New CSK (KEY2) has its DS submitted, and is signing, so the DS and ZRRSIG # are in RUMOURED state. -key_states "KEY2" "omnipresent" "omnipresent" "rumoured" "omnipresent" "rumoured" +set_zonesigning "KEY2" "yes" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY2" "STATE_DS" "rumoured" check_keys check_apex 
@@ -2525,9 +2633,10 @@ set_zone "step4.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) ZRRSIG is now HIDDEN. -key_states "KEY1" "hidden" "omnipresent" "hidden" "omnipresent" "unretentive" +set_keystate "KEY1" "STATE_ZRRSIG" "hidden" # The new CSK (KEY2) ZRRSIG is now OMNIPRESENT. -key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "rumoured" +set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" + check_keys check_apex check_subdomain @@ -2550,9 +2659,11 @@ set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) DNSKEY can be removed. set_keysigning "KEY1" "no" -key_states "KEY1" "hidden" "unretentive" "hidden" "unretentive" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "hidden" # The new CSK (KEY2) is now fully OMNIPRESENT. -key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" +set_keystate "KEY2" "STATE_DS" "omnipresent" check_keys check_apex @@ -2571,9 +2682,8 @@ set_zone "step6.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) is now completely HIDDEN. -key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden" -# The new CSK (KEY2) is now fully OMNIPRESENT. -key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "hidden" +set_keystate "KEY1" "STATE_KRRSIG" "hidden" check_keys check_apex 
@@ -2616,8 +2726,14 @@ set_keytime "KEY1" "ACTIVE" "yes"
 set_keytime "KEY2" "PUBLISHED" "yes"
 set_keytime "KEY2" "ACTIVE" "yes"
 # The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
-key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
-key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none"
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
 check_keys
 check_apex
@@ -2646,10 +2762,14 @@ key_clear "KEY2"
 key_clear "KEY3"
 key_clear "KEY4"
 # Key timings.
-set_keytime "KEY1" "PUBLISHED" "yes"
-set_keytime "KEY1" "ACTIVE" "yes"
+set_keytime "KEY1" "PUBLISHED" "yes"
+set_keytime "KEY1" "ACTIVE" "yes"
 # The CSK (KEY1) starts in OMNIPRESENT.
-key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
 check_keys
 check_apex
@@ -2711,6 +2831,7 @@ set_keylifetime "KEY1" "0"
 set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "no"
+
 key_clear "KEY2"
 set_keyrole "KEY2" "zsk"
 set_keylifetime "KEY2" "0"
@@ -2724,6 +2845,7 @@ set_keylifetime "KEY3" "0"
 set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
 set_keysigning "KEY3" "yes"
 set_zonesigning "KEY3" "no"
+
 key_clear "KEY4"
 set_keyrole "KEY4" "zsk"
 set_keylifetime "KEY4" "0"
@@ -2731,21 +2853,33 @@ set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
 set_keysigning "KEY4" "no"
 set_zonesigning "KEY4" "yes"
 # The RSAHSHA1 keys are outroducing.
-set_keytime "KEY1" "PUBLISHED" "yes"
-set_keytime "KEY1" "ACTIVE" "yes"
-set_keytime "KEY1" "RETIRED" "yes"
-set_keytime "KEY2" "PUBLISHED" "yes"
-set_keytime "KEY2" "ACTIVE" "yes"
-set_keytime "KEY2" "RETIRED" "yes"
-key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "omnipresent"
-key_states "KEY2" "hidden" "omnipresent" "omnipresent" "none" "none"
+set_keytime "KEY1" "PUBLISHED" "yes"
+set_keytime "KEY1" "ACTIVE" "yes"
+set_keytime "KEY1" "RETIRED" "yes"
+set_keystate "KEY1" "GOAL" "hidden"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+set_keytime "KEY2" "PUBLISHED" "yes"
+set_keytime "KEY2" "ACTIVE" "yes"
+set_keytime "KEY2" "RETIRED" "yes"
+set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
 # The ECDSAP256SHA256 keys are introducing.
-set_keytime "KEY3" "PUBLISHED" "yes"
-set_keytime "KEY3" "ACTIVE" "yes"
-set_keytime "KEY4" "PUBLISHED" "yes"
-set_keytime "KEY4" "ACTIVE" "yes"
-key_states "KEY3" "omnipresent" "rumoured" "none" "rumoured" "hidden"
-key_states "KEY4" "omnipresent" "rumoured" "rumoured" "none" "none"
+set_keytime "KEY3" "PUBLISHED" "yes"
+set_keytime "KEY3" "ACTIVE" "yes"
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY3" "STATE_DS" "hidden"
+
+set_keytime "KEY4" "PUBLISHED" "yes"
+set_keytime "KEY4" "ACTIVE" "yes"
+set_keystate "KEY4" "GOAL" "omnipresent"
+set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
 check_keys
 check_apex
@@ -2769,8 +2903,9 @@ set_server "ns6" "10.53.0.6"
 #
 # The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent,
 # but the zone signatures are not.
-key_states "KEY3" "omnipresent" "omnipresent" "none" "omnipresent" "hidden"
-key_states "KEY4" "omnipresent" "omnipresent" "rumoured" "none" "none"
+set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY4" "STATE_DNSKEY" "omnipresent"
 check_keys
 check_apex
@@ -2791,11 +2926,11 @@ set_zone "step3.algorithm-roll.kasp"
 set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
 # The RSAHSHA1 keys are outroducing, and it is time to swap the DS.
-key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "unretentive"
+set_keystate "KEY1" "STATE_DS" "unretentive"
 # The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset and all signatures
 # are now omnipresent, so the DS can be introduced.
-key_states "KEY3" "omnipresent" "omnipresent" "none" "omnipresent" "rumoured"
-key_states "KEY4" "omnipresent" "omnipresent" "omnipresent" "none" "none"
+set_keystate "KEY3" "STATE_DS" "rumoured"
+set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
 check_keys
 check_apex
@@ -2815,11 +2950,16 @@ set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
 # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
 set_keysigning "KEY1" "no"
-key_states "KEY1" "hidden" "unretentive" "none" "unretentive" "hidden"
+set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
+set_keystate "KEY1" "STATE_DS" "hidden"
+
 set_zonesigning "KEY2" "no"
-key_states "KEY2" "hidden" "unretentive" "unretentive" "none" "none"
+set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
 # The ECDSAP256SHA256 DS is now OMNIPRESENT.
-key_states "KEY3" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
+set_keystate "KEY3" "STATE_DS" "omnipresent"
 check_keys
 check_apex
@@ -2837,8 +2977,9 @@ set_zone "step5.algorithm-roll.kasp"
 set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
 # The DNSKEY becomes HIDDEN.
-key_states "KEY1" "hidden" "hidden" "none" "hidden" "hidden"
-key_states "KEY2" "hidden" "hidden" "unretentive" "none" "none"
+set_keystate "KEY1" "STATE_DNSKEY" "hidden"
+set_keystate "KEY1" "STATE_KRRSIG" "hidden"
+set_keystate "KEY2" "STATE_DNSKEY" "hidden"
 check_keys
 check_apex
@@ -2857,8 +2998,8 @@ check_next_key_event 25200
 set_zone "step6.algorithm-roll.kasp"
 set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
-# The zone signatures should now also be HIDDEN.
-key_states "KEY2" "hidden" "hidden" "hidden" "none" "none"
+# The old zone signatures (KEY2) should now also be HIDDEN.
+set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
 check_keys
 check_apex
@@ -2896,14 +3037,22 @@ set_zonesigning "KEY2" "yes"
 key_clear "KEY3"
 key_clear "KEY4"
 # The RSAHSHA1 key is outroducing.
-set_keytime "KEY1" "PUBLISHED" "yes"
-set_keytime "KEY1" "ACTIVE" "yes"
-set_keytime "KEY1" "RETIRED" "yes"
-key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+set_keytime "KEY1" "PUBLISHED" "yes"
+set_keytime "KEY1" "ACTIVE" "yes"
+set_keytime "KEY1" "RETIRED" "yes"
+set_keystate "KEY1" "GOAL" "hidden"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
 # The ECDSAP256SHA256 key is introducing.
-set_keytime "KEY2" "PUBLISHED" "yes"
-set_keytime "KEY2" "ACTIVE" "yes"
-key_states "KEY2" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden"
+set_keytime "KEY2" "PUBLISHED" "yes"
+set_keytime "KEY2" "ACTIVE" "yes"
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+set_keystate "KEY2" "STATE_DS" "hidden"
 check_keys
 check_apex
@@ -2927,7 +3076,8 @@ set_server "ns6" "10.53.0.6"
 #
 # The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent,
 # but the zone signatures are not.
-key_states "KEY2" "omnipresent" "omnipresent" "rumoured" "omnipresent" "hidden"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
 check_keys
 check_apex
@@ -2948,10 +3098,11 @@ set_zone "step3.csk-algorithm-roll.kasp"
 set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # The RSAHSHA1 key is outroducing, and it is time to swap the DS.
-key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "unretentive"
+set_keystate "KEY1" "STATE_DS" "unretentive"
 # The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures
 # are now omnipresent, so the DS can be introduced.
-key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+set_keystate "KEY2" "STATE_DS" "rumoured"
 check_keys
 check_apex
@@ -2972,9 +3123,12 @@ set_server "ns6" "10.53.0.6"
 # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
 set_keysigning "KEY1" "no"
 set_zonesigning "KEY1" "no"
-key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden"
+set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
+set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
+set_keystate "KEY1" "STATE_DS" "hidden"
 # The ECDSAP256SHA256 DS is now OMNIPRESENT.
-key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+set_keystate "KEY2" "STATE_DS" "omnipresent"
 check_keys
 check_apex
@@ -2992,7 +3146,8 @@ set_zone "step5.csk-algorithm-roll.kasp"
 set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # The DNSKEY becomes HIDDEN.
-key_states "KEY1" "hidden" "hidden" "unretentive" "hidden" "hidden"
+set_keystate "KEY1" "STATE_DNSKEY" "hidden"
+set_keystate "KEY1" "STATE_KRRSIG" "hidden"
 check_keys
 check_apex
@@ -3012,7 +3167,7 @@ set_zone "step6.csk-algorithm-roll.kasp"
 set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # The zone signatures should now also be HIDDEN.
-key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden"
+set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
 check_keys
 check_apex
From 7e54dd74f9af3cdd42cc37d550e339e81eeaf001 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Mon, 9 Mar 2020 10:37:35 +0100
Subject: [PATCH 5/6] More consistent spacing and comments
Some comments started with a lowercased letter. Capitalized them to be more consistent with the rest of the comments. Add some newlines between `set_*` calls and check calls, also to be more consistent with the other test cases.
---
 bin/tests/system/kasp/tests.sh | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index dd28ddc77c..0b5c8d0dfe 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -1144,7 +1144,6 @@ set_keylifetime "KEY1" "0"
 set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "yes"
-
 # The first key is immediately published and activated.
 set_keytime "KEY1" "PUBLISHED" "yes"
 set_keytime "KEY1" "ACTIVE" "yes"
@@ -1230,7 +1229,7 @@ dnssec_verify
 set_zone "dnssec-keygen.kasp"
 set_policy "rsasha1" "3" "1234"
 set_server "ns3" "10.53.0.3"
-# key properties, timings and states same as above.
+# Key properties, timings and states same as above.
 check_keys
 check_apex
@@ -1243,7 +1242,7 @@ dnssec_verify
 set_zone "some-keys.kasp"
 set_policy "rsasha1" "3" "1234"
 set_server "ns3" "10.53.0.3"
-# key properties, timings and states same as above.
+# Key properties, timings and states same as above.
 check_keys
 check_apex
@@ -1256,7 +1255,7 @@ dnssec_verify
 set_zone "legacy-keys.kasp"
 set_policy "rsasha1" "3" "1234"
 set_server "ns3" "10.53.0.3"
-# key properties, timings and states same as above.
+# Key properties, timings and states same as above.
 check_keys
 check_apex
@@ -1271,7 +1270,7 @@ dnssec_verify
 set_zone "pregenerated.kasp"
 set_policy "rsasha1" "6" "1234"
 set_server "ns3" "10.53.0.3"
-# key properties, timings and states same as above.
+# Key properties, timings and states same as above.
 check_keys
 check_apex
@@ -1285,7 +1284,7 @@ dnssec_verify
 set_zone "rumoured.kasp"
 set_policy "rsasha1" "3" "1234"
 set_server "ns3" "10.53.0.3"
-# key properties, timings and states same as above.
+# Key properties, timings and states same as above.
 check_keys
 check_apex
@@ -1298,7 +1297,7 @@ dnssec_verify
 set_zone "secondary.kasp"
 set_policy "rsasha1" "3" "1234"
 set_server "ns3" "10.53.0.3"
-# key properties, timings and states same as above.
+# Key properties, timings and states same as above.
 check_keys
 check_apex
From 2e4b55de858a38c420b369d737c040d75db1b2e2 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Mon, 9 Mar 2020 10:38:58 +0100
Subject: [PATCH 6/6] Add check calls to kasp zsk-retired test
The test case for zsk-retired was missing the actual checks. Add them and fix the set_policy call to expect three keys.
---
 bin/tests/system/kasp/tests.sh | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 0b5c8d0dfe..30b82679a3 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -1597,7 +1597,7 @@ set_server "ns3" "10.53.0.3"
 # Zone: zsk-retired.autosign.
 #
 set_zone "zsk-retired.autosign"
-set_policy "autosign" "2" "300"
+set_policy "autosign" "3" "300"
 set_server "ns3" "10.53.0.3"
 # The third key is not yet expected to be signing.
 set_keyrole "KEY3" "zsk"
@@ -1620,6 +1620,12 @@ set_keystate "KEY3" "GOAL" "omnipresent"
 set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
 set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+check_rrsig_refresh
+
 #
 # Test dnssec-policy inheritance.
 #
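Review bot: The checks added for zsk-retired.autosign in the last hunk end at `check_rrsig_refresh`, whereas the other rollover zones in this file also assert the schedule with `check_next_key_event` (it appears as hunk context for csk-roll2.autosign and algorithm-roll.kasp earlier in the series); if a next-event value is well defined for a zone whose ZSK has been retired it should be asserted here too, otherwise a comment such as `# No check_next_key_event: <reason>` would document why this zone is exempt. Both hunks are complete, but the zsk-retired test block begins before the second hunk, so the KEY1/KEY2 expectations that `check_keys` will now actually enforce, together with the key count raised to 3 in `set_policy` in the first hunk, cannot be confirmed to match from what is visible here.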