diff --git a/bin/tests/system/kasp/ns1/named.conf.j2 b/bin/tests/system/kasp/ns1/named.conf.j2
new file mode 100644
index 0000000000..4280a2829c
--- /dev/null
+++ b/bin/tests/system/kasp/ns1/named.conf.j2
@@ -0,0 +1,21 @@
+// NS1
+
+options {
+ query-source address 10.53.0.1;
+ notify-source 10.53.0.1;
+ transfer-source 10.53.0.1;
+ port @PORT@;
+ pid-file "named.pid";
+ listen-on { 10.53.0.1; };
+ listen-on-v6 { none; };
+ recursion no;
+ notify yes;
+ allow-transfer { any; };
+};
+
+zone "." {
+ type primary;
+ file "root.db";
+ dnssec-policy default;
+ checkds yes;
+};
diff --git a/bin/tests/system/kasp/ns1/root.db.j2 b/bin/tests/system/kasp/ns1/root.db.j2
new file mode 100644
index 0000000000..709558ab2b
--- /dev/null
+++ b/bin/tests/system/kasp/ns1/root.db.j2
@@ -0,0 +1,10 @@
+$TTL 300
+. IN SOA . a.root.servers.nil. (
+ 2000042100 ; serial
+ 600 ; refresh
+ 600 ; retry
+ 1200 ; expire
+ 600 ; minimum
+ )
+. NS a.root-servers.nil.
+a.root-servers.nil. A 10.53.0.1
diff --git a/bin/tests/system/kasp/ns1/setup.sh b/bin/tests/system/kasp/ns1/setup.sh
new file mode 100644
index 0000000000..f1b8eaa5bb
--- /dev/null
+++ b/bin/tests/system/kasp/ns1/setup.sh
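Review bot: `checkds yes;` combined with `dnssec-policy default;` on zone "." needs a comment in the config, because the root has no parent where a DS could ever be published and the accompanying test_root_case asserts that the key stays at `ds:rumoured`; without that context the setting reads like a mistake. A line such as `// the root has no parent for checkds to query; the test expects the DS to remain rumoured` above `checkds yes;` would make the intent explicit. The `allow-transfer { any; };` is appropriate for the isolated 10.53.0.x test listener but deserves the same one-line note so this template is not reused as a production starting point.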
@@ -0,0 +1,31 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../../conf.sh
+
+echo_i "ns1/setup.sh"
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+O="OMNIPRESENT"
+
+zone="."
+echo_i "setting up zone: $zone"
+Tpub="now-30d"
+Tact="now-1d"
+keytimes="-P ${Tpub} -A ${Tact}"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 $keytimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $Tpub -r $O $Tpub -d $H $Tact -z $O $Tpub "$CSK" >settime.out.$zone.1 2>&1
+echo "KSK: yes" >>"${CSK}".state
+echo "ZSK: yes" >>"${CSK}".state
diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh
index 2b8cf6b4d8..acf6052a89 100644
--- a/bin/tests/system/kasp/setup.sh
+++ b/bin/tests/system/kasp/setup.sh
@@ -20,6 +20,10 @@ mkdir keys
 mkdir ns3/keys
 # Setup zones
+(
+ cd ns1
+ $SHELL setup.sh
+)
 (
 cd ns2
 $SHELL setup.sh
diff --git a/bin/tests/system/kasp/tests_kasp.py b/bin/tests/system/kasp/tests_kasp.py
index fdc80adc01..7abfed33b2 100644
--- a/bin/tests/system/kasp/tests_kasp.py
+++ b/bin/tests/system/kasp/tests_kasp.py
@@ -80,6 +80,7 @@ pytestmark = pytest.mark.extra_artifacts(
 "ns*/signer.out.*",
 "ns*/zones",
 "ns*/policies/*.conf",
+ "ns1/managed-keys.*",
 "ns3/legacy-keys.*",
 "ns3/dynamic-signed-inline-signing.kasp.db.signed.signed",
 "ns4/purgekeys.conf",
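Review bot: The `-e` in the `#!/bin/sh -e` shebang is not in effect for this script, because the kasp/setup.sh hunk in the same diff invokes it as `$SHELL setup.sh` inside a subshell rather than executing it directly; a failing `$KEYGEN` then leaves `CSK` empty, `$SETTIME` runs against an empty key name, and the two `>>"${CSK}".state` appends write to a file literally named `.state`, leaving a half-initialised ns1 that only surfaces later in test_root_case. Adding `set -e` immediately after `. ../../conf.sh` makes the failure stop the setup at the point it happens. The other ns*/setup.sh scripts are outside this diff and may share the pattern, in which case the same line belongs in each of them.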
@@ -87,6 +88,18 @@ pytestmark = pytest.mark.extra_artifacts(
 ]
 )
+default_config = {
+ "dnskey-ttl": timedelta(hours=1),
+ "ds-ttl": timedelta(days=1),
+ "max-zone-ttl": timedelta(days=1),
+ "parent-propagation-delay": timedelta(hours=1),
+ "publish-safety": timedelta(hours=1),
+ "purge-keys": timedelta(days=90),
+ "retire-safety": timedelta(hours=1),
+ "signatures-refresh": timedelta(days=5),
+ "signatures-validity": timedelta(days=14),
+ "zone-propagation-delay": timedelta(minutes=5),
+}
 kasp_config = {
 "dnskey-ttl": timedelta(seconds=1234),
@@ -1768,3 +1781,28 @@ def test_kasp_manual_mode(ns3, default_algorithm):
 isctest.kasp.check_keys(zone, keys, expected)
 check_all(ns3, zone, policy, ksks, zsks, manual_mode=True)
 isctest.kasp.check_dnssec_verify(ns3, zone)
+
+
+def test_root_case(ns1):
+ keydir = ns1.identifier
+
+ # Get test parameters.
+ zone = ""
+ policy = "default"
+ ttl = 3600
+
+ isctest.kasp.wait_keymgr_done(ns1, ".")
+
+ # Test case.
+ isctest.log.info(f"check root zone with policy {policy}")
+
+ # First make sure the zone is signed.
+ isctest.kasp.check_dnssec_verify(ns1, zone)
+
+ # Check key properties. DS is expected to go to rumoured, so checkds kicks in.
+ keyprops = [
+ "csk 0 13 256 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured",
+ ]
+ expected = isctest.kasp.policy_to_properties(ttl=ttl, keys=keyprops)
+ keys = isctest.kasp.keydir_to_keylist(zone, keydir)
+ isctest.kasp.check_keys(zone, keys, expected)
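Review bot: `default_config` is added but nothing in this diff reads it — test_root_case below hard-codes `ttl = 3600` instead of taking it from the table — so unless code outside the shown hunks references it, the dictionary is dead weight that will drift silently from the policy it is meant to describe. Either drop it or wire it into the new test, e.g. `ttl = int(default_config["dnskey-ttl"].total_seconds())`, so the expected DNSKEY TTL and the one-hour `dnskey-ttl` entry cannot disagree. A one-line comment above the dict naming the built-in policy these values are intended to mirror would also make its purpose explicit.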
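Review bot: The expected key string in `keyprops` hard-codes algorithm `13` and key size `256` while ns1/setup.sh generates the key with `$DEFAULT_ALGORITHM`, so this test breaks the moment the default algorithm in conf.sh changes; `test_kasp_manual_mode` in the context lines takes the `default_algorithm` fixture, and test_root_case should do the same and interpolate the fixture's algorithm number and key size into the string instead of the literals. The zone is passed as `""` to check_dnssec_verify and keydir_to_keylist but as `"."` to wait_keymgr_done; if the empty string is what the key-directory helpers expect for the root apex, a comment saying so next to `zone = ""` would keep the next reader from "fixing" it the wrong way. The `# Test case.` comment adds nothing and can be dropped.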