Test updating dnssec-policy key lifetime

Check if the key lifetime is updated in the key files. Make sure the inactive and removed timing metadata are adjusted accordingly. (cherry picked from commit 2237895bb4)
2026-05-28 04:34:54 -04:00 · 2024-06-24 11:18:40 +02:00 · 2024-06-24 11:18:40 +02:00 · 55f79b34b6
commit 55f79b34b6
parent 6c0380db8a
5 changed files with 135 additions and 0 deletions
--- a/bin/tests/system/kasp/ns6/named.conf.in
+++ b/bin/tests/system/kasp/ns6/named.conf.in
@ -95,3 +95,27 @@ zone example {
 	inline-signing yes;
 	dnssec-policy modified;
 };
+
+zone longer-lifetime {
+	type primary;
+	file "longer-lifetime.db";
+	dnssec-policy short-lifetime;
+};
+
+zone shorter-lifetime {
+	type primary;
+	file "shorter-lifetime.db";
+	dnssec-policy long-lifetime;
+};
+
+zone limit-lifetime {
+	type primary;
+	file "limit-lifetime.db";
+	dnssec-policy unlimited-lifetime;
+};
+
+zone unlimit-lifetime {
+	type primary;
+	file "unlimit-lifetime.db";
+	dnssec-policy short-lifetime;
+};
--- a/bin/tests/system/kasp/ns6/named2.conf.in
+++ b/bin/tests/system/kasp/ns6/named2.conf.in
@ -183,3 +183,27 @@ zone example {
 	inline-signing yes;
 	dnssec-policy modified;
 };
+
+zone longer-lifetime {
+	type primary;
+	file "longer-lifetime.db";
+	dnssec-policy long-lifetime;
+};
+
+zone shorter-lifetime {
+	type primary;
+	file "shorter-lifetime.db";
+	dnssec-policy short-lifetime;
+};
+
+zone limit-lifetime {
+	type primary;
+	file "limit-lifetime.db";
+	dnssec-policy short-lifetime;
+};
+
+zone unlimit-lifetime {
+	type primary;
+	file "unlimit-lifetime.db";
+	dnssec-policy unlimited-lifetime;
+};
--- a/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
+++ b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
@ -30,6 +30,23 @@ dnssec-policy "modified" {
 	};
 };

+dnssec-policy "unlimited-lifetime" {
+	keys {
+		csk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+dnssec-policy "short-lifetime" {
+	keys {
+		csk lifetime P6M algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
+dnssec-policy "long-lifetime" {
+	keys {
+		csk lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
 dnssec-policy "rsasha256" {
 	signatures-refresh P5D;
 	signatures-validity 30d;
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@ -29,6 +29,11 @@ R="RUMOURED"
 O="OMNIPRESENT"
 U="UNRETENTIVE"

+for zn in shorter-lifetime longer-lifetime limit-lifetime unlimit-lifetime; do
+  setup $zn
+  cp template.db.in $zonefile
+done
+
 # The child zones (step1, step2) beneath these zones represent the various
 # steps of unsigning a zone.
 for zn in going-insecure.kasp going-insecure-dynamic.kasp; do
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@ -3709,6 +3709,65 @@ check_apex
 check_subdomain
 dnssec_verify

+# Test key lifetime changes
+set_keytimes_lifetime_update() {
+  if [ $1 -eq 0 ]; then
+    set_keytime "KEY1" "RETIRED" "none"
+    set_keytime "KEY1" "REMOVED" "none"
+  else
+    active=$(key_get KEY1 ACTIVE)
+    set_addkeytime "KEY1" "RETIRED" "${active}" $1
+    # The key is removed after the retire time plus max-zone-ttl (1d),
+    # sign delay (9d), zone propagation delay (5m), retire safety (1h) =
+    # 777600 + 86400 + 300 + 3600 = 867900
+    retired=$(key_get KEY1 RETIRED)
+    set_addkeytime "KEY1" "REMOVED" "${retired}" 867900
+  fi
+}
+
+check_key_lifetime() {
+  zone=$1
+  policy=$2
+  lifetime=$3
+
+  set_zone "$zone"
+  set_policy "$policy" "1" "3600"
+  set_server "ns6" "10.53.0.6"
+  # Key properties.
+  key_clear "KEY1"
+  set_keyrole "KEY1" "csk"
+  set_keylifetime "KEY1" "$lifetime"
+  set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
+  set_keysigning "KEY1" "yes"
+  set_zonesigning "KEY1" "yes"
+  key_clear "KEY2"
+  key_clear "KEY3"
+  key_clear "KEY4"
+
+  # The CSK is rumoured.
+  set_keystate "KEY1" "GOAL" "omnipresent"
+  set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+  set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+  set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
+  set_keystate "KEY1" "STATE_DS" "hidden"
+  check_keys
+
+  # Key timings.
+  set_keytimes_csk_policy
+  set_keytimes_lifetime_update $lifetime
+
+  # Variuous checks.
+  check_keytimes
+  check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+  check_apex
+  check_subdomain
+  dnssec_verify
+}
+check_key_lifetime "shorter-lifetime" "long-lifetime" "31536000"
+check_key_lifetime "longer-lifetime" "short-lifetime" "16070400"
+check_key_lifetime "limit-lifetime" "unlimited-lifetime" "0"
+check_key_lifetime "unlimit-lifetime" "short-lifetime" "16070400"
+
 #
 # Testing algorithm rollover.
 #
@ -4004,6 +4063,12 @@ check_apex
 check_subdomain
 dnssec_verify

+# Test key lifetime updates.
+check_key_lifetime "shorter-lifetime" "short-lifetime" "16070400"
+check_key_lifetime "longer-lifetime" "long-lifetime" "31536000"
+check_key_lifetime "limit-lifetime" "short-lifetime" "16070400"
+check_key_lifetime "unlimit-lifetime" "unlimited-lifetime" "0"
+
 #
 # Testing going insecure.
 #