From a43bb41909285cb13eba858306fef84bbb326002 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Fri, 31 Jul 2020 11:13:53 +0200 Subject: [PATCH] Test 'rndc dnssec -checkds' on multiple zones Make sure the 'checkds' command correctly sets the right key timing metadata and also make sure that it rejects setting the key timing metadata if there are multiple keys with the KSK role and no key identifier is provided. --- bin/tests/system/kasp/ns3/named.conf.in | 21 +++++++ bin/tests/system/kasp/ns3/policies/kasp.conf | 27 ++++++++ bin/tests/system/kasp/ns3/setup.sh | 2 +- bin/tests/system/kasp/tests.sh | 65 +++++++++++--------- 4 files changed, 85 insertions(+), 30 deletions(-) diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in index 8a7f3ebd48..ef1fc22fa7 100644 --- a/bin/tests/system/kasp/ns3/named.conf.in +++ b/bin/tests/system/kasp/ns3/named.conf.in @@ -45,6 +45,27 @@ zone "default.kasp" { dnssec-policy "default"; }; +/* checkds: Zone with one KSK. */ +zone "checkds-ksk.kasp" { + type primary; + file "checkds-ksk.kasp.db"; + dnssec-policy "checkds-ksk"; +}; + +/* checkds: Zone with two KSKs. */ +zone "checkds-doubleksk.kasp" { + type primary; + file "checkds-doubleksk.kasp.db"; + dnssec-policy "checkds-doubleksk"; +}; + +/* checkds: Zone with one CSK. */ +zone "checkds-csk.kasp" { + type primary; + file "checkds-csk.kasp.db"; + dnssec-policy "checkds-csk"; +}; + /* Key lifetime unlimited. */ zone "unlimited.kasp" { type primary; diff --git a/bin/tests/system/kasp/ns3/policies/kasp.conf b/bin/tests/system/kasp/ns3/policies/kasp.conf index e0ce931d90..81c764c7f2 100644 --- a/bin/tests/system/kasp/ns3/policies/kasp.conf +++ b/bin/tests/system/kasp/ns3/policies/kasp.conf @@ -76,3 +76,30 @@ dnssec-policy "ecdsa384" { zsk key-directory lifetime P1Y algorithm 14 384; }; }; + +dnssec-policy "checkds-ksk" { + dnskey-ttl 303; + + keys { + ksk key-directory lifetime unlimited algorithm 13; + zsk key-directory lifetime unlimited algorithm 13; + }; +}; + +dnssec-policy "checkds-doubleksk" { + dnskey-ttl 303; + + keys { + ksk key-directory lifetime unlimited algorithm 13; + ksk key-directory lifetime unlimited algorithm 13; + zsk key-directory lifetime unlimited algorithm 13; + }; +}; + +dnssec-policy "checkds-csk" { + dnskey-ttl 303; + + keys { + csk key-directory lifetime unlimited algorithm 13; + }; +}; diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index f75cd6e53a..c6e62e8b25 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh @@ -53,7 +53,7 @@ U="UNRETENTIVE" for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \ rumoured rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 \ dynamic dynamic-inline-signing inline-signing \ - inherit unlimited + checkds-ksk checkds-doubleksk checkds-csk inherit unlimited do setup "${zn}.kasp" cp template.db.in "$zonefile" diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 34915ff221..d83017b6ba 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -960,35 +960,6 @@ check_dnssecstatus() { status=$((status+ret)) } -_loadkeys_on() { - _server=$1 - _dir=$2 - _zone=$3 - - nextpart $_dir/named.run > /dev/null - rndccmd $_server loadkeys $_zone in $_view > rndc.dnssec.loadkeys.out.$_zone.$n - wait_for_log 20 "zone ${_zone}/IN (signed): next key event" $_dir/named.run || return 1 -} - -# Tell named that the DS for the key in given zone has been seen in the -# parent (this does not actually has to be true, we just issue the command -# to make named believe it can continue with the rollover). -rndc_checkds() { - _server=$1 - _dir=$2 - _keyid=$3 - _when=$4 - _what=$5 - _zone=$6 - _view=$7 - - echo_i "calling checkds $_what key ${_keyid} zone ${_zone} ($n)" - - rndccmd $_server dnssec -checkds -key $_keyid -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed" - _loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)" -} - - # Check if RRset of type $1 in file $2 is signed with the right keys. # The right keys are the ones that expect a signature and matches the role $3. check_signatures() { @@ -1201,6 +1172,42 @@ check_subdomain() { status=$((status+ret)) } +# +# rndc dnssec -checkds +# +_loadkeys_on() { + _server=$1 + _dir=$2 + _zone=$3 + + nextpart $_dir/named.run > /dev/null + rndccmd $_server loadkeys $_zone in $_view > rndc.dnssec.loadkeys.out.$_zone.$n + wait_for_log 20 "zone ${_zone}/IN (signed): next key event" $_dir/named.run || return 1 +} + +# Tell named that the DS for the key in given zone has been seen in the +# parent (this does not actually has to be true, we just issue the command +# to make named believe it can continue with the rollover). +rndc_checkds() { + _server=$1 + _dir=$2 + _keyid=$3 + _when=$4 + _what=$5 + _zone=$6 + _view=$7 + + echo_i "calling checkds $_what key ${_keyid} zone ${_zone} ($n)" + + if [ "${_keyid}" = "-" ]; then + rndccmd $_server dnssec -checkds -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed" + else + rndccmd $_server dnssec -checkds -key $_keyid -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed" + fi + + _loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)" +} + # # Zone: default.kasp. #