diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh
index 26487cdbc8..d1bf51a79a 100644
--- a/bin/tests/system/kasp.sh
+++ b/bin/tests/system/kasp.sh
@@ -213,6 +213,7 @@ set_policy() {
 POLICY=$1
 NUM_KEYS=$2
 DNSKEY_TTL=$3
+ KEYFILE_TTL=${4:-$3}
 CDS_DELETE="no"
 }
 # By default policies are considered to be secure.
@@ -329,7 +330,7 @@ check_key() {
 _alg_numpad=$(printf "%03d" "$_alg_num")
 _alg_string=$(key_get "$1" ALG_STR)
 _length=$(key_get "$1" "ALG_LEN")
- _dnskey_ttl="$DNSKEY_TTL"
+ _dnskey_ttl="$KEYFILE_TTL"
 _lifetime=$(key_get "$1" LIFETIME)
 _legacy=$(key_get "$1" LEGACY)
 _private=$(key_get "$1" PRIVATE)
@@ -1055,7 +1056,7 @@ _find_dnskey() {
 _flags="$(key_get $1 FLAGS)"
 _key_file="$(key_get $1 BASEFILE).key"
- awk '$1 == "'"$_owner"'" && $2 == "'"$DNSKEY_TTL"'" && $3 == "IN" && $4 == "DNSKEY" && $5 == "'"$_flags"'" && $6 == "3" && $7 == "'"$_alg"'" { print $8 }' <"$_key_file"
+ awk '$1 == "'"$_owner"'" && $2 == "'"$KEYFILE_TTL"'" && $3 == "IN" && $4 == "DNSKEY" && $5 == "'"$_flags"'" && $6 == "3" && $7 == "'"$_alg"'" { print $8 }' <"$_key_file"
 }
 # Test DNSKEY query.
diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in
index 8debcd2b51..54ce749d8e 100644
--- a/bin/tests/system/kasp/ns3/named-fips.conf.in
+++ b/bin/tests/system/kasp/ns3/named-fips.conf.in
@@ -287,6 +287,16 @@ zone "expired-sigs.autosign" {
 dnssec-policy "autosign";
 };
+/*
+ * Zone that has DNSKEY TTL mismatch with the dnssec-policy.
+ */
+zone "dnskey-ttl-mismatch.autosign" {
+ type primary;
+ file "dnskey-ttl-mismatch.autosign.db";
+ inline-signing yes;
+ dnssec-policy "autosign";
+};
+
 /*
 * Zone that has valid, fresh signatures.
 */
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 41cf379734..3ab2f0da2f 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
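Review bot: The new optional fourth argument of set_policy is undocumented; the only hint of its meaning is the default in `KEYFILE_TTL=${4:-$3}`. Add a comment above that assignment such as `# $4 (optional): DNSKEY TTL written in the generated key files; defaults to the policy DNSKEY TTL ($3) when the two agree.` The same applies to the `KEYFILE_TTL=${5:-$4}` added to set_zone_policy in nsec3/tests.sh. set_policy's opening line is outside the hunk, so if the function already has a header comment listing its parameters, that is the better place for it.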
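Review bot: `_dnskey_ttl="$KEYFILE_TTL"` in check_key, and the awk comparison in _find_dnskey, now depend on KEYFILE_TTL having been set, which in this diff only happens inside set_policy (and set_zone_policy in nsec3/tests.sh). Any test script that sources kasp.sh and assigns DNSKEY_TTL directly instead of calling set_policy would leave KEYFILE_TTL empty, so the key-file check compares the TTL field against `""` and fails; if such callers exist, `_dnskey_ttl="${KEYFILE_TTL:-$DNSKEY_TTL}"` (and the same expansion in the awk line) keeps them working. The local is still called `_dnskey_ttl` although it now holds the key-file TTL; renaming it `_keyfile_ttl` at its uses in check_key, which lie outside the hunk, would avoid confusing it with DNSKEY_TTL. Both check_key and _find_dnskey begin and end outside their hunks.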
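Review bot: The rewritten awk line in _find_dnskey still splices `$_owner`, `$KEYFILE_TTL`, `$_flags` and `$_alg` into the awk program text through quote juggling, so a value containing a double quote would break the program rather than simply fail the match, and the line is hard to read. Passing the values as awk variables keeps data out of the program: `awk -v owner="$_owner" -v ttl="$KEYFILE_TTL" -v flags="$_flags" -v alg="$_alg" '$1 == owner && $2 == ttl && $3 == "IN" && $4 == "DNSKEY" && $5 == flags && $6 == "3" && $7 == alg { print $8 }' <"$_key_file"`. The values come from the test harness itself, so this is a robustness and readability point rather than an exposure.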
@@ -198,6 +198,14 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
 $SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+# The DNSKEY's TTLs do not match the policy.
+setup dnskey-ttl-mismatch.autosign
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 30 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 30 $zsktimes $zone 2>keygen.out.$zone.2)
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+cp $infile $zonefile
+$SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
 # These signatures are still good, and can be reused.
 setup fresh-sigs.autosign
 T="now-6mo"
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 611c7177aa..c3153f8744 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
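Review bot: The comment `# The DNSKEY's TTLs do not match the policy.` does not say which value differs from what; the mismatch is only visible from the `-L 30` on the two `$KEYGEN` lines against the 300 the test in kasp/tests.sh expects for the policy. Suggest `# Key files are generated with DNSKEY TTL 30 (-L 30), deliberately different from the DNSKEY TTL of the "autosign" dnssec-policy.` The signer is run without the `-s now-2mo -e now-1mo` window used for the expired-sigs zone just above; if that is deliberate (fresh signatures for this zone), a word in the comment saying so would help the next reader. `setup`, `$ksktimes` and `$zsktimes` are defined outside the hunk.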
@@ -1375,6 +1375,48 @@ check_rrsig_refresh() {
 check_rrsig_refresh
+#
+# Zone: dnskey-ttl-mismatch.autosign
+#
+set_zone "dnskey-ttl-mismatch.autosign"
+set_policy "autosign" "2" "300" "30"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "63072000"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "31536000"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
+
+# Both KSK and ZSK stay OMNIPRESENT.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+# Expect only two keys.
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+set_keytimes_autosign_policy
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
 #
 # Zone: fresh-sigs.autosign.
 #
diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh
index fc864a437b..7a82ffc932 100644
--- a/bin/tests/system/nsec3/tests.sh
+++ b/bin/tests/system/nsec3/tests.sh
@@ -40,6 +40,7 @@ set_zone_policy() {
 POLICY=$2
 NUM_KEYS=$3
 DNSKEY_TTL=$4
+ KEYFILE_TTL=${5:-$4}
 }
 # Set expected NSEC3 parameters: flags ($1), iterations ($2), and
 # salt length ($3).
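Review bot: The block says the keys stay OMNIPRESENT but never states what TTL named is expected to serve for the DNSKEY RRset when the key files say 30 and the policy says 300, which is the property this zone exists to exercise; whether check_apex asserts that cannot be seen from here. The two numeric arguments in `set_policy "autosign" "2" "300" "30"` are also easy to misread without the new set_policy parameter list. Add a line after that call such as `# Policy DNSKEY TTL is 300 (3rd arg) but the key files were generated with TTL 30 (4th arg); the apex checks below expect the policy value`, worded according to what check_apex actually compares.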