diff --git a/CHANGES b/CHANGES index 66de1c0c14..923e0d1907 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,8 @@ +6211. [func] Remove 'auto-dnssec'. This obsoletes the configuration + options 'dnskey-sig-validity', 'dnssec-dnskey-kskonly', + 'dnssec-update-mode', 'sig-validity-interval', and + 'update-check-ksk'. [GL #3672] + 6210. [func] Don't add signing records for DNSKEY added with dynamic update. The dynamic update DNSSEC management feature was removed with GL #3686. [GL !8070] diff --git a/bin/dnssec/dnssec-signzone.rst b/bin/dnssec/dnssec-signzone.rst index 4eff7aadf5..e6fb455c3d 100644 --- a/bin/dnssec/dnssec-signzone.rst +++ b/bin/dnssec/dnssec-signzone.rst @@ -359,15 +359,12 @@ Options .. option:: -x This option indicates that BIND 9 should only sign the DNSKEY, CDNSKEY, and CDS RRsets with key-signing keys, - and should omit signatures from zone-signing keys. (This is similar to the - ``dnssec-dnskey-kskonly yes;`` zone option in :iscman:`named`.) + and should omit signatures from zone-signing keys. .. option:: -z This option indicates that BIND 9 should ignore the KSK flag on keys when determining what to sign. This causes KSK-flagged keys to sign all records, not just the DNSKEY RRset. - (This is similar to the ``update-check-ksk no;`` zone option in - :iscman:`named`.) .. option:: -3 salt diff --git a/bin/named/config.c b/bin/named/config.c index 7e981f85d1..861c46c03d 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -215,9 +215,7 @@ options {\n\ check-srv-cname warn;\n\ check-wildcard yes;\n\ dialup no;\n\ - dnssec-dnskey-kskonly yes;\n\ dnssec-loadkeys-interval 60;\n\ - dnssec-update-mode maintain;\n\ # forward \n\ # forwarders \n\ # inline-signing no;\n\ 
@@ -240,12 +238,9 @@ options {\n\ sig-signing-nodes 100;\n\ sig-signing-signatures 10;\n\ sig-signing-type 65534;\n\ - sig-validity-interval 30; /* days */\n\ - dnskey-sig-validity 0; /* default: sig-validity-interval */\n\ transfer-source *;\n\ transfer-source-v6 *;\n\ try-tcp-refresh yes; /* BIND 8 compat */\n\ - update-check-ksk yes;\n\ zero-no-soa-ttl yes;\n\ zone-statistics terse;\n\ };\n\ diff --git a/bin/named/server.c b/bin/named/server.c index 8a6b065708..4ee711c9f2 100644 --- a/bin/named/server.c +++ b/bin/named/server.c @@ -12330,8 +12330,7 @@ named_server_rekey(named_server_t *server, isc_lex_t *lex, keyopts = dns_zone_getkeyopts(zone); /* - * "rndc loadkeys" requires "auto-dnssec maintain" - * or a "dnssec-policy". + * "rndc loadkeys" requires a "dnssec-policy". */ if ((keyopts & DNS_ZONEKEY_ALLOW) == 0) { result = ISC_R_NOPERM; @@ -14455,6 +14454,7 @@ named_server_signing(named_server_t *server, isc_lex_t *lex, unsigned char salt[255]; const char *ptr; size_t n; + bool kasp = false; REQUIRE(text != NULL); @@ -14562,17 +14562,14 @@ named_server_signing(named_server_t *server, isc_lex_t *lex, } if (dns_zone_getkasp(zone) != NULL) { - (void)putstr(text, "zone uses dnssec-policy, use rndc dnssec " - "command instead"); - (void)putnull(text); - goto cleanup; + kasp = true; } if (clear) { CHECK(dns_zone_keydone(zone, keystr)); (void)putstr(text, "request queued"); (void)putnull(text); - } else if (chain) { + } else if (chain && !kasp) { CHECK(dns_zone_setnsec3param( zone, (uint8_t)hash, (uint8_t)flags, iter, (uint8_t)saltlen, salt, true, resalt)); @@ -14629,6 +14626,10 @@ named_server_signing(named_server_t *server, isc_lex_t *lex, if (result == ISC_R_NOMORE) { result = ISC_R_SUCCESS; } + } else if (kasp) { + (void)putstr(text, "zone uses dnssec-policy, use rndc dnssec " + "command instead"); + (void)putnull(text); } cleanup: 
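Review bot: In the -14562 hunk the `goto cleanup` for dnssec-policy zones is replaced by `kasp = true`, so a `-nsec3param` request on such a zone now skips the `chain && !kasp` branch and falls through to the new `else if (kasp)` message in the -14629 hunk, but nothing in either hunk sets `result`, so if it is still ISC_R_SUCCESS at that point rndc reports success for a request that was refused. Assigning an explicit code in that branch, e.g. `result = ISC_R_NOPERM;` as named_server_rekey does in the -12330 hunk, would let the caller see the refusal; if a success-with-message reply is the intent, a one-line comment saying so would stop the next reader from treating it as an oversight. The `clear` path is now also taken for policy zones, which reads as the purpose of the change. The branches between the two hunks and the rest of named_server_signing are outside what is shown.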
@@ -15126,10 +15127,8 @@ named_server_zonestatus(named_server_t *server, isc_lex_t *lex, } /* Next resign event */ - if (secure && - (zonetype == dns_zone_primary || - (zonetype == dns_zone_secondary && hasraw)) && - ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_NORESIGN) == 0)) + if (secure && (zonetype == dns_zone_primary || + (zonetype == dns_zone_secondary && hasraw))) { dns_name_t *name; dns_fixedname_t fixed; diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 867be2369c..c12693517f 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -905,7 +905,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, dns_stats_t *rcvquerystats; dns_stats_t *dnssecsignstats; dns_zonestat_level_t statlevel = dns_zonestat_none; - int seconds; dns_ttl_t maxttl = 0; /* unlimited */ dns_zone_t *mayberaw = (raw != NULL) ? raw : zone; bool transferinsecs = ns_server_getoption(named_g_server->sctx, @@ -1547,11 +1546,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, * use inline-signing (raw != NULL). */ if (ztype == dns_zone_primary || raw != NULL) { - const cfg_obj_t *validity, *resign; - bool allow = false, maint = false; - bool sigvalinsecs; - if (use_kasp) { + int seconds; + if (dns_kasp_nsec3(kasp)) { result = dns_zone_setnsec3param( zone, 1, dns_kasp_nsec3flags(kasp), 
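Review bot: `int seconds;` is declared in the -1547 hunk, but every value stored in it in the following -1563 hunk is cast to `(uint32_t)` first (`dns_kasp_sigvalidity_dnskey`, `dns_kasp_sigvalidity`, `dns_kasp_sigrefresh`), so the result is converted back to a signed int before reaching dns_zone_setkeyvalidityinterval() and the two sibling setters; a validity of 2^31 seconds or more would arrive negative and -Wconversion flags each assignment. Declaring it as `uint32_t seconds;` matches the casts; the removed file-scope declaration in the -905 hunk had the same `int` type, so this is the moment to fix it. The setters' parameter types are not visible here, so confirm against their declarations. named_zone_configure starts before and ends after these hunks.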
@@ -1563,53 +1560,15 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, zone, 0, 0, 0, 0, NULL, true, false); } INSIST(result == ISC_R_SUCCESS); - } - if (use_kasp) { seconds = (uint32_t)dns_kasp_sigvalidity_dnskey(kasp); - } else { - obj = NULL; - result = named_config_get(maps, "dnskey-sig-validity", - &obj); - INSIST(result == ISC_R_SUCCESS && obj != NULL); - seconds = cfg_obj_asuint32(obj) * 86400; - } - dns_zone_setkeyvalidityinterval(zone, seconds); + dns_zone_setkeyvalidityinterval(zone, seconds); - if (use_kasp) { seconds = (uint32_t)dns_kasp_sigvalidity(kasp); dns_zone_setsigvalidityinterval(zone, seconds); + seconds = (uint32_t)dns_kasp_sigrefresh(kasp); dns_zone_setsigresigninginterval(zone, seconds); - } else { - obj = NULL; - result = named_config_get(maps, "sig-validity-interval", - &obj); - INSIST(result == ISC_R_SUCCESS && obj != NULL); - - sigvalinsecs = ns_server_getoption( - named_g_server->sctx, NS_SERVER_SIGVALINSECS); - validity = cfg_tuple_get(obj, "validity"); - seconds = cfg_obj_asuint32(validity); - if (!sigvalinsecs) { - seconds *= 86400; - } - dns_zone_setsigvalidityinterval(zone, seconds); - - resign = cfg_tuple_get(obj, "re-sign"); - if (cfg_obj_isvoid(resign)) { - seconds /= 4; - } else if (!sigvalinsecs) { - uint32_t r = cfg_obj_asuint32(resign); - if (seconds > 7 * 86400) { - seconds = r * 86400; - } else { - seconds = r * 3600; - } - } else { - seconds = cfg_obj_asuint32(resign); - } - dns_zone_setsigresigninginterval(zone, seconds); } obj = NULL; 
@@ -1634,26 +1593,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, INSIST(result == ISC_R_SUCCESS && obj != NULL); dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj)); - obj = NULL; - result = named_config_get(maps, "update-check-ksk", &obj); - INSIST(result == ISC_R_SUCCESS && obj != NULL); - dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK, - cfg_obj_asboolean(obj)); - /* - * This setting will be ignored if dnssec-policy is used. - * named-checkconf will error if both are configured. - */ - - obj = NULL; - result = named_config_get(maps, "dnssec-dnskey-kskonly", &obj); - INSIST(result == ISC_R_SUCCESS && obj != NULL); - dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY, - cfg_obj_asboolean(obj)); - /* - * This setting will be ignored if dnssec-policy is used. - * named-checkconf will error if both are configured. - */ - obj = NULL; result = named_config_get(maps, "dnssec-loadkeys-interval", &obj); @@ -1661,28 +1600,12 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, CHECK(dns_zone_setrefreshkeyinterval(zone, cfg_obj_asuint32(obj))); - obj = NULL; - result = cfg_map_get(zoptions, "auto-dnssec", &obj); if (kasp != NULL) { bool s2i = (strcmp(dns_kasp_getname(kasp), "insecure") != 0); dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true); dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, !s2i); dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true); - } else if (result == ISC_R_SUCCESS) { - const char *arg = cfg_obj_asstring(obj); - if (strcasecmp(arg, "allow") == 0) { - allow = true; - } else if (strcasecmp(arg, "maintain") == 0) { - allow = maint = true; - } else if (strcasecmp(arg, "off") == 0) { - /* Default */ - } else { - UNREACHABLE(); - } - dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow); - dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false); - dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint); } } 
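Review bot: Removing the `else if (result == ISC_R_SUCCESS)` arm also removes the only place that explicitly reset DNS_ZONEKEY_ALLOW, DNS_ZONEKEY_CREATE and DNS_ZONEKEY_MAINTAIN to false for a zone without a policy, so the -1661 hunk now leaves those key options untouched when `kasp == NULL`. If named_zone_configure is re-run on an existing zone object during reconfiguration (the reconf.example case in ns3/keygen.sh suggests it is), a zone whose `dnssec-policy` is removed from the configuration would presumably keep the flags set by the previous pass unless something outside the hunk clears them. An `else` arm that clears the three options restores the previous invariant without touching the policy path. The enclosing function continues outside the hunk.
```c
	if (kasp != NULL) {
		/* … unchanged: ALLOW/CREATE/MAINTAIN derived from the policy … */
	} else {
		dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, false);
		dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
		dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, false);
	}
```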
@@ -1825,20 +1748,6 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, dns_zone_setoption(mayberaw, DNS_ZONEOPT_IGNORESRVCNAME, ignore); - obj = NULL; - result = cfg_map_get(zoptions, "dnssec-update-mode", &obj); - if (result == ISC_R_SUCCESS) { - const char *arg = cfg_obj_asstring(obj); - if (strcasecmp(arg, "no-resign") == 0) { - dns_zone_setkeyopt(zone, DNS_ZONEKEY_NORESIGN, - true); - } else if (strcasecmp(arg, "maintain") == 0) { - /* Default */ - } else { - UNREACHABLE(); - } - } - obj = NULL; result = named_config_get(maps, "serial-update-method", &obj); INSIST(result == ISC_R_SUCCESS && obj != NULL); diff --git a/bin/rndc/rndc.rst b/bin/rndc/rndc.rst index 97088579f7..db43974a4b 100644 --- a/bin/rndc/rndc.rst +++ b/bin/rndc/rndc.rst @@ -265,10 +265,9 @@ Currently supported commands are: immediately re-signed by the new keys, but is allowed to incrementally re-sign over time. - This command requires that the zone be configured with a ``dnssec-policy``, or - that the ``auto-dnssec`` zone option be set to ``maintain``, and also requires the - zone to be configured to allow dynamic DNS. (See "Dynamic Update Policies" in - the Administrator Reference Manual for more details.) + This command requires that the zone be configured with a ``dnssec-policy``, and + also requires the zone to be configured to allow dynamic DNS. (See "Dynamic + Update Policies" in the Administrator Reference Manual for more details.) .. option:: managed-keys (status | refresh | sync | destroy) [class [view]] 
@@ -504,11 +503,9 @@ Currently supported commands are: the zone's DNSKEY RRset. If the DNSKEY RRset is changed, then the zone is automatically re-signed with the new key set. - This command requires that the zone be configured with a ``dnssec-policy``, or - that the ``auto-dnssec`` zone option be set to ``allow`` or ``maintain``, - and also requires the zone to be configured to allow dynamic DNS. (See - "Dynamic Update Policies" in the BIND 9 Administrator Reference Manual for more - details.) + This command requires that the zone be configured with a ``dnssec-policy``, and + also requires the zone to be configured to allow dynamic DNS. (See "Dynamic + Update Policies" in the Administrator Reference Manual for more details.) See also :option:`rndc loadkeys`. diff --git a/bin/tests/system/Makefile.am b/bin/tests/system/Makefile.am index 245d02240c..3fa1cd446c 100644 --- a/bin/tests/system/Makefile.am +++ b/bin/tests/system/Makefile.am @@ -104,7 +104,6 @@ TESTS += \ dlzexternal \ dns64 \ dsdigest \ - dupsigs \ dyndb \ ecdsa \ eddsa \ @@ -201,7 +200,7 @@ endif HAVE_PERLMOD_NET_DNS_NAMESERVER endif HAVE_PERLMOD_NET_DNS if HAVE_PYTHON -TESTS += kasp keymgr2kasp multisigner tcp pipelined +TESTS += kasp multisigner tcp pipelined if HAVE_PYTEST TESTS += checkds dispatch rpzextra shutdown timeouts diff --git a/bin/tests/system/autosign/clean.sh b/bin/tests/system/autosign/clean.sh index 81589d7885..dc379c0ebc 100644 --- a/bin/tests/system/autosign/clean.sh +++ b/bin/tests/system/autosign/clean.sh @@ -11,6 +11,7 @@ # See the COPYRIGHT file distributed with this work for additional # information regarding copyright ownership. +rm -f ./dsset-* rm -f */K* */dsset-* */*.signed */tmp* */*.jnl */*.bk rm -f */core rm -f */example.bk 
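Review bot: Dropping `dupsigs` and `keymgr2kasp` from TESTS deletes two whole system tests rather than adapting them; keymgr2kasp presumably covered migration from the removed options, so its removal follows, but dupsigs is not obviously tied to auto-dnssec and nothing in this diff shows an equivalent scenario being added under dnssec-policy. Worth confirming that the duplicate-signature coverage survives in another test, or recording in the commit message why it is no longer needed.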
@@ -18,30 +19,34 @@ rm -f */named.conf
 rm -f */named.memstats
 rm -f */named.run*
 rm -f */trusted.conf */private.conf
-rm -f activate-now-publish-1day.key
-rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key
-rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
 rm -f dig.out.*
 rm -f digcomp.out.test*
+rm -f activate-now-publish-1day.key prepub.key
+rm -f active.key inact.key del.key delzsk.key unpub.key standby.key rev.key
+rm -f delayksk.key delayzsk.key autoksk.key autozsk.key
 rm -f noksk-ksk.key nozsk-ksk.key nozsk-zsk.key inaczsk-zsk.key inaczsk-ksk.key
 rm -f nopriv.key vanishing.key del1.key del2.key
+rm -f ns*/inactive/*
+rmdir ns*/inactive
 rm -f ns*/managed-keys.bind*
 rm -f ns*/named.lock
-rm -f ns1/root.db
+rm -f ns1/root.db ns1/root.db.1 ns1/root.db.2 ns1/root.db.3
+rm -f ns1/signing.out
+rm -f ns2/bar.db
+rm -f ns2/child.nsec3.example.db
+rm -f ns2/child.optout.example.db
 rm -f ns2/example.db
+rm -f ns2/insecure.secure.example.db
 rm -f ns2/optout-with-ent.db
-rm -f ns2/private.secure.example.db ns2/bar.db
+rm -f ns2/private.secure.example.db
+rm -f ns2/signing.*
 rm -f ns3/*.nzd ns3/*.nzd-lock ns3/*.nzf
 rm -f ns3/*.nzf
 rm -f ns3/autonsec3.example.db
-rm -f ns3/cdnskey-delete.example.db
-rm -f ns3/cds-delete.example.db
+rm -f ns3/delay.example.db ns3/delay.example.1 ns3/delay.example.2
 rm -f ns3/delzsk.example.db
 rm -f ns3/dname-at-apex-nsec3.example.db
-rm -f ns3/inacksk2.example.db
-rm -f ns3/inacksk3.example.db
 rm -f ns3/inaczsk2.example.db
-rm -f ns3/inaczsk3.example.db
 rm -f ns3/jitter.nsec3.example.db
 rm -f ns3/kg.out ns3/s.out ns3/st.out
 rm -f ns3/kskonly.example.db
@@ -53,7 +58,7 @@ rm -f ns3/nsec3-to-nsec.example.db
 rm -f ns3/nsec3.example.db
 rm -f ns3/nsec3.nsec3.example.db
 rm -f ns3/nsec3.optout.example.db
-rm -f ns3/oldsigs.example.db
+rm -f ns3/oldsigs.example.db ns3/oldsigs.example.db.bak
 rm -f ns3/optout.example.db
 rm -f ns3/optout.nsec3.example.db
 rm -f ns3/optout.optout.example.db
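Review bot: `rmdir ns*/inactive` is the only command in this script that is not silenced, so on a fresh checkout, or whenever ns3/keygen.sh has not run, cleaning prints an error for the missing directory (and the glob is passed literally when nothing matches). Replacing the two added lines with `rm -rf ns*/inactive` removes the directory and its contents quietly, consistent with the `rm -f` used on every other line here.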
@@ -68,5 +73,5 @@ rm -f ns3/sync.example.db rm -f ns3/ttl*.db rm -f nsupdate.out rm -f settime.out.* -rm -f signing.out.* +rm -f signing.* rm -f sync.key diff --git a/bin/tests/system/autosign/ns1/keygen.sh b/bin/tests/system/autosign/ns1/keygen.sh index 6b969c3178..bc4836e876 100644 --- a/bin/tests/system/autosign/ns1/keygen.sh +++ b/bin/tests/system/autosign/ns1/keygen.sh @@ -31,8 +31,8 @@ zskactnowpub1d=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -A now -P +1d $zone) zsknopriv=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q $zone) rm $zsknopriv.private -ksksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -P now -A now+15s -fk $zone) -kskrev=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -R now+15s -fk $zone) +ksksby=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -P now -A now -fk $zone) +kskrev=$($KEYGEN -3 -a ${DEFAULT_ALGORITHM} -q -R now -fk $zone) keyfile_to_static_ds $ksksby > trusted.conf cp trusted.conf ../ns2/trusted.conf @@ -51,3 +51,5 @@ echo $zsknopriv > ../nopriv.key echo $zsksby > ../standby.key echo $zskactnowpub1d > ../activate-now-publish-1day.key $REVOKE -R $kskrev > ../rev.key + +$SIGNER -S -o . -O full root.db > signing.out 2>&1 diff --git a/bin/tests/system/autosign/ns1/named.conf.in b/bin/tests/system/autosign/ns1/named.conf.in index 2a5548349f..6421482595 100644 --- a/bin/tests/system/autosign/ns1/named.conf.in +++ b/bin/tests/system/autosign/ns1/named.conf.in @@ -37,12 +37,10 @@ controls { zone "." { type primary; - file "root.db"; + file "root.db.signed"; allow-transfer { any; }; - allow-query { any; }; allow-update { any; }; - auto-dnssec maintain; - dnssec-dnskey-kskonly no; + allow-query { any; }; }; include "trusted.conf"; diff --git a/bin/tests/system/autosign/ns2/child.nsec3.example.db b/bin/tests/system/autosign/ns2/child.nsec3.example.db.in similarity index 100% rename from bin/tests/system/autosign/ns2/child.nsec3.example.db rename to bin/tests/system/autosign/ns2/child.nsec3.example.db.in 
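Review bot: The new `$SIGNER -S -o . -O full root.db > signing.out 2>&1` line ignores the signer's exit status, and ns1/named.conf.in now loads `root.db.signed`, so a signing failure only surfaces later as a missing zone file with the cause buried in signing.out; ns3/keygen.sh guards the same call with `|| dumpit s.out`. Appending `|| exit 1` (or the dumpit helper, if this script has one) keeps the failure at its source. The two new `$SIGNER` lines in ns2/keygen.sh have the same gap.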
diff --git a/bin/tests/system/autosign/ns2/child.optout.example.db b/bin/tests/system/autosign/ns2/child.optout.example.db.in similarity index 100% rename from bin/tests/system/autosign/ns2/child.optout.example.db rename to bin/tests/system/autosign/ns2/child.optout.example.db.in diff --git a/bin/tests/system/autosign/ns2/insecure.secure.example.db b/bin/tests/system/autosign/ns2/insecure.secure.example.db.in similarity index 100% rename from bin/tests/system/autosign/ns2/insecure.secure.example.db rename to bin/tests/system/autosign/ns2/insecure.secure.example.db.in diff --git a/bin/tests/system/autosign/ns2/keygen.sh b/bin/tests/system/autosign/ns2/keygen.sh index 8061adb6a5..f9aa3bcdf1 100644 --- a/bin/tests/system/autosign/ns2/keygen.sh +++ b/bin/tests/system/autosign/ns2/keygen.sh @@ -40,7 +40,7 @@ ksk=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) $KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null keyfile_to_static_ds $ksk > private.conf cp private.conf ../ns4/private.conf -$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > /dev/null +$SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > signing.privsec.out 2>&1 # Extract saved keys for the revoke-to-duplicate-key test zone=bar @@ -54,6 +54,7 @@ do done $KEYGEN -a ECDSAP256SHA256 -q $zone > /dev/null $DSFROMKEY Kbar.+013+60101.key > dsset-bar. +$SIGNER -S -o bar. -O full $zonefile > signing.bar.out 2>&1 # a zone with empty non-terminals. zone=optout-with-ent @@ -62,3 +63,8 @@ infile=optout-with-ent.db.in cat $infile > $zonefile kskname=$($KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q -fk $zone) $KEYGEN -a ${DEFAULT_ALGORITHM} -3 -q $zone > /dev/null + +# Copy zone input files +cp child.nsec3.example.db.in child.nsec3.example.db +cp child.optout.example.db.in child.optout.example.db +cp insecure.secure.example.db.in insecure.secure.example.db diff --git a/bin/tests/system/autosign/ns2/named.conf.in b/bin/tests/system/autosign/ns2/named.conf.in index c155a3bb7d..caf2ab83de 100644 
--- a/bin/tests/system/autosign/ns2/named.conf.in +++ b/bin/tests/system/autosign/ns2/named.conf.in @@ -36,6 +36,40 @@ controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +dnssec-policy "autosign" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +dnssec-policy "private" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + nsec3param iterations 0 optout no salt-length 2; +}; + +dnssec-policy "nsec3" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + nsec3param iterations 0 optout no salt-length 0; +}; + +dnssec-policy "optout" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + nsec3param iterations 1 optout yes salt-length 0; +}; + zone "." { type hint; file "../../common/root.hint"; @@ -47,18 +81,16 @@ zone "example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy autosign; sig-signing-type 65280; }; zone "bar" { type primary; - file "bar.db"; + file "bar.db.signed"; allow-query { any; }; allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; - dnssec-dnskey-kskonly yes; }; zone "private.secure.example" { @@ -67,7 +99,7 @@ zone "private.secure.example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy private; }; zone "insecure.secure.example" { @@ -76,7 +108,7 @@ zone "insecure.secure.example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy autosign; }; zone "child.nsec3.example" { 
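Review bot: In the -47 hunk zone "bar" loses `auto-dnssec maintain` and `dnssec-dnskey-kskonly yes` and switches to the pre-signed `bar.db.signed`, but unlike every other zone touched in this file it gets no `dnssec-policy` while keeping `allow-update { any; }`, so named will presumably not maintain its signatures after dynamic changes. If that is deliberate for the revoke-to-duplicate-key scenario the zone serves (per ns2/keygen.sh), a comment such as `# signed once by dnssec-signzone; intentionally no dnssec-policy` would spare the next reader from treating it as an omission.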
@@ -85,7 +117,7 @@ zone "child.nsec3.example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy nsec3; }; zone "child.optout.example" { @@ -94,7 +126,7 @@ zone "child.optout.example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy optout; }; zone "optout-with-ent" { @@ -103,7 +135,7 @@ zone "optout-with-ent" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy optout; }; include "trusted.conf"; diff --git a/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in b/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in deleted file mode 100644 index 3083a79f7d..0000000000 --- a/bin/tests/system/autosign/ns3/cdnskey-delete.example.db.in +++ /dev/null @@ -1,28 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2009102722 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a diff --git a/bin/tests/system/autosign/ns3/cds-delete.example.db.in b/bin/tests/system/autosign/ns3/cds-delete.example.db.in deleted file mode 100644 index 3083a79f7d..0000000000 --- a/bin/tests/system/autosign/ns3/cds-delete.example.db.in +++ /dev/null 
@@ -1,28 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, You can obtain one at http://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 2009102722 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -z A 10.0.0.26 -a.a.a.a.a.a.a.a.a.a.e A 10.0.0.27 -x CNAME a diff --git a/bin/tests/system/autosign/ns3/delay.example.db b/bin/tests/system/autosign/ns3/delay.example.db.in similarity index 100% rename from bin/tests/system/autosign/ns3/delay.example.db rename to bin/tests/system/autosign/ns3/delay.example.db.in diff --git a/bin/tests/system/autosign/ns3/inacksk2.example.db.in b/bin/tests/system/autosign/ns3/inacksk2.example.db.in deleted file mode 100644 index 1376922f0a..0000000000 --- a/bin/tests/system/autosign/ns3/inacksk2.example.db.in +++ /dev/null @@ -1,26 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 1 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -x CNAME a 
diff --git a/bin/tests/system/autosign/ns3/inacksk3.example.db.in b/bin/tests/system/autosign/ns3/inacksk3.example.db.in deleted file mode 100644 index 1376922f0a..0000000000 --- a/bin/tests/system/autosign/ns3/inacksk3.example.db.in +++ /dev/null @@ -1,26 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 1 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -x CNAME a diff --git a/bin/tests/system/autosign/ns3/inaczsk3.example.db.in b/bin/tests/system/autosign/ns3/inaczsk3.example.db.in deleted file mode 100644 index 1376922f0a..0000000000 --- a/bin/tests/system/autosign/ns3/inaczsk3.example.db.in +++ /dev/null @@ -1,26 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 300 ; 5 minutes -@ IN SOA mname1. . ( - 1 ; serial - 20 ; refresh (20 seconds) - 20 ; retry (20 seconds) - 1814400 ; expire (3 weeks) - 3600 ; minimum (1 hour) - ) - NS ns -ns A 10.53.0.3 - -a A 10.0.0.1 -b A 10.0.0.2 -d A 10.0.0.4 -x CNAME a 
diff --git a/bin/tests/system/autosign/ns3/keygen.sh b/bin/tests/system/autosign/ns3/keygen.sh index 89c7672354..fac4fc5811 100644 --- a/bin/tests/system/autosign/ns3/keygen.sh +++ b/bin/tests/system/autosign/ns3/keygen.sh @@ -29,6 +29,8 @@ setup () { n=$((${n:-0} + 1)) } +mkdir inactive + setup secure.example cp $infile $zonefile ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out @@ -181,7 +183,8 @@ do done $KEYGEN -q -a $DEFAULT_ALGORITHM -fk $zone > kg.out 2>&1 || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM $zone > kg.out 2>&1 || dumpit kg.out -$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out +$SIGNER -PS -x -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out +cp $zonefile.signed $zonefile.bak mv $zonefile.signed $zonefile # @@ -198,7 +201,8 @@ $SIGNER -S -3 beef -A -o $zone -f $zonefile $infile > s.out || dumpit s.out setup prepub.example infile="prepub.example.db.in" $KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out +zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone 2> kg.out) || dumpit kg.out +echo $zsk > ../prepub.key $SIGNER -S -3 beef -o $zone -f $zonefile $infile > s.out || dumpit s.out # @@ -237,6 +241,7 @@ ksk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.o echo $ksk > ../delayksk.key zsk=$($KEYGEN -G -q -a $DEFAULT_ALGORITHM -3 $zone 2> kg.out) || dumpit kg.out echo $zsk > ../delayzsk.key +cp delay.example.db.in delay.example.db # # A zone with signatures that are already expired, and the private KSK @@ -274,7 +279,7 @@ echo $zsk > ../inaczsk-zsk.key $SETTIME -I now $zsk > st.out 2>&1 || dumpit st.out # -# A zone that is set to 'auto-dnssec maintain' during a reconfig +# A zone that is set to 'dnssec-policy' during a reconfig # setup reconf.example cp secure.example.db.in $zonefile 
@@ -282,7 +287,7 @@ $KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone > kg.out 2>&1 || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out # -# A zone which generates CDS and CDNSEY RRsets automatically +# A zone which generates CDS and CDNSEY RRsets automatically (with an additional CSK) # setup sync.example cp $infile $zonefile @@ -292,7 +297,7 @@ $DSFROMKEY $ksk.key > dsset-${zone}. echo ns3/$ksk > ../sync.key # -# A zone that generates CDS and CDNSKEY and uses dnssec-dnskey-kskonly +# A zone that generates CDS and CDNSKEY automatically # setup kskonly.example cp $infile $zonefile @@ -300,15 +305,6 @@ ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk -P sync now $zone 2> kg.out) || du $KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. -# -# A zone that has a published inactive key that is autosigned. -# -setup inacksk2.example -cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -Pnow -A now+3600 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. - # # A zone that has a published inactive key that is autosigned. # 
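Review bot: The rewritten comment in the -282 hunk carries over the typo `CDNSEY` from the old line; it should read `# A zone which generates CDS and CDNSKEY RRsets automatically (with an additional CSK)`. The kskonly.example comment in the -292 hunk now says the same as sync.example's minus the CSK, which is accurate but no longer explains why a separately named zone exists; a short note on what kskonly.example still covers would help.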
@@ -318,26 +314,6 @@ ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. -# -# A zone that starts with a active KSK + ZSK and a inactive ZSK. -# -setup inacksk3.example -cp $infile $zonefile -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 -fk $zone > kg.out 2>&1 || dumpit kg.out -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. - -# -# A zone that starts with a active KSK + ZSK and a inactive ZSK. -# -setup inaczsk3.example -cp $infile $zonefile -ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -P now -A now+3600 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. - # # A zone that starts with an active KSK + ZSK and an inactive ZSK, with the # latter getting deleted during the test. @@ -347,6 +323,9 @@ cp $infile $zonefile ksk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -a $DEFAULT_ALGORITHM -3 -q $zone > kg.out 2>&1 || dumpit kg.out zsk=$($KEYGEN -a $DEFAULT_ALGORITHM -3 -q -I now-1w $zone 2>kg.out) || dumpit kg.out +cat $zsk.key >> $zonefile +mv $zsk.key inactive/ +mv $zsk.private inactive/ echo $zsk > ../delzsk.key # 
@@ -357,22 +336,3 @@ cp $infile $zonefile ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out $KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out $DSFROMKEY $ksk.key > dsset-${zone}. - -# -# Check that dynamically added CDS (DELETE) is kept in the zone after signing. -# -setup cds-delete.example -cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. - -# -# Check that dynamically added CDNSKEY (DELETE) is kept in the zone after -# signing. -# -setup cdnskey-delete.example -cp $infile $zonefile -ksk=$($KEYGEN -q -a $DEFAULT_ALGORITHM -3 -fk $zone 2> kg.out) || dumpit kg.out -$KEYGEN -q -a $DEFAULT_ALGORITHM -3 $zone > kg.out 2>&1 || dumpit kg.out -$DSFROMKEY $ksk.key > dsset-${zone}. diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in index d529440ad8..7111515be5 100644 --- a/bin/tests/system/autosign/ns3/named.conf.in +++ b/bin/tests/system/autosign/ns3/named.conf.in 
@@ -40,6 +40,86 @@ controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +# The default +dnssec-policy "autosign" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +# Additional CSK +dnssec-policy "sync" { + keys { + csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +# NSEC3 +dnssec-policy "nsec3" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + nsec3param iterations 0 optout no salt-length 0; +}; + +# NSEC3 opt-out +dnssec-policy "optout" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + nsec3param iterations 0 optout yes salt-length 0; +}; + +# Jitter +dnssec-policy "jitter" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + signatures-validity P10D; + signatures-validity-dnskey P10D; + signatures-refresh P2D; +}; + +# Jitter, NSEC3 +dnssec-policy "jitter-nsec3" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + nsec3param iterations 0 optout no salt-length 0; + + signatures-validity P10D; + signatures-validity-dnskey P10D; + signatures-refresh P2D; + +}; + +# RSASHA256 +dnssec-policy "rsasha256" { + keys { + ksk key-directory lifetime unlimited algorithm RSASHA256 2048; + zsk key-directory lifetime unlimited algorithm RSASHA256 2048; + }; +}; + +# RSASHA512 +dnssec-policy "rsasha512" { + keys { + ksk key-directory lifetime 
unlimited algorithm RSASHA512 2048; + zsk key-directory lifetime unlimited algorithm RSASHA512 2048; + }; +}; + zone "." { type hint; file "../../common/root.hint"; @@ -61,48 +141,48 @@ zone "secure.example" { type primary; file "secure.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy autosign; }; zone "insecure.example" { type primary; file "insecure.example.db"; + dnssec-policy none; }; zone "nsec3.example" { type primary; file "nsec3.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy nsec3; }; zone "autonsec3.example" { type primary; file "autonsec3.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy nsec3; }; zone "optout.nsec3.example" { type primary; file "optout.nsec3.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy optout; }; zone "nsec3.nsec3.example" { type primary; file "nsec3.nsec3.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy nsec3; }; zone "jitter.nsec3.example" { type primary; file "jitter.nsec3.example.db"; allow-update { any; }; - auto-dnssec maintain; - sig-validity-interval 10 2; + dnssec-policy jitter-nsec3; sig-signing-nodes 1000; sig-signing-signatures 100; }; 
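Review bot: The one-word comments above the new `dnssec-policy` blocks do not say what each policy is for, and the "sync" policy in particular configures a CSK alongside a KSK/ZSK pair, which is unusual enough to deserve a sentence; the zone that uses it (`sync.example`, later in this file) appears to be what the `test 'csk' affects DNSKEY/CDS/CDNSKEY` check in tests.sh exercises, so something like `# CSK plus a KSK/ZSK pair: used by sync.example to check CDS/CDNSKEY handling when a CSK is present` would tie the two together. The `jitter-nsec3` block also carries a stray blank line before its closing `};` that none of the other policies have.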
@@ -111,71 +191,70 @@ zone "secure.nsec3.example" { type primary; file "secure.nsec3.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy nsec3; }; zone "optout.example" { type primary; file "optout.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy optout; }; zone "secure.optout.example" { type primary; file "secure.optout.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy optout; }; zone "nsec3.optout.example" { type primary; file "nsec3.optout.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy optout; }; zone "optout.optout.example" { type primary; file "optout.optout.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy optout; }; zone "rsasha256.example" { type primary; file "rsasha256.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy rsasha256; }; zone "rsasha512.example" { type primary; file "rsasha512.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy rsasha512; }; zone "nsec-only.example" { type primary; file "nsec-only.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy autosign; }; zone "nsec3-to-nsec.example" { type primary; file "nsec3-to-nsec.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy nsec3; }; zone "oldsigs.example" { type primary; file "oldsigs.example.db"; allow-update { any; }; - auto-dnssec maintain; - sig-validity-interval 10 2; + dnssec-policy jitter; sig-signing-nodes 1000; sig-signing-signatures 100; }; 
@@ -184,137 +263,96 @@ zone "prepub.example" { type primary; file "prepub.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy autosign; }; zone "ttl1.example" { type primary; file "ttl1.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy autosign; }; zone "ttl2.example" { type primary; file "ttl2.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy autosign; }; zone "ttl3.example" { type primary; file "ttl3.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy autosign; }; zone "ttl4.example" { type primary; file "ttl4.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy autosign; }; zone "delay.example" { type primary; file "delay.example.db"; - allow-update { any; }; - auto-dnssec maintain; }; zone "nozsk.example" { type primary; file "nozsk.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy autosign; }; zone "inaczsk.example" { type primary; file "inaczsk.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy autosign; }; zone "noksk.example" { type primary; file "noksk.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy autosign; }; zone "sync.example" { type primary; file "sync.example.db"; allow-update { any; }; - dnssec-dnskey-kskonly no; - auto-dnssec maintain; + dnssec-policy sync; }; zone "kskonly.example" { type primary; file "kskonly.example.db"; allow-update { any; }; - dnssec-dnskey-kskonly yes; - auto-dnssec maintain; -}; - -zone "inacksk2.example" { - type primary; - file "inacksk2.example.db"; - allow-update { any; }; - dnssec-dnskey-kskonly yes; - auto-dnssec maintain; -}; - -zone "inacksk3.example" { - type primary; - file "inacksk3.example.db"; - allow-update { any; }; - dnssec-dnskey-kskonly yes; - auto-dnssec maintain; + dnssec-policy autosign; }; zone "inaczsk2.example" { type primary; file "inaczsk2.example.db"; allow-update { any; }; - auto-dnssec maintain; 
-}; - -zone "inaczsk3.example" { - type primary; - file "inaczsk3.example.db"; - allow-update { any; }; - auto-dnssec maintain; + dnssec-policy autosign; }; zone "delzsk.example." { type primary; file "delzsk.example.db"; allow-update { any; }; - auto-dnssec maintain; + dnssec-policy nsec3; }; zone "dname-at-apex-nsec3.example" { type primary; file "dname-at-apex-nsec3.example.db"; allow-update { any; }; - auto-dnssec maintain; -}; - -zone "cds-delete.example" { - type primary; - file "cds-delete.example.db"; - allow-update { any; }; - auto-dnssec maintain; -}; - -zone "cdnskey-delete.example" { - type primary; - file "cdnskey-delete.example.db"; - allow-update { any; }; - auto-dnssec maintain; + dnssec-policy nsec3; }; include "trusted.conf"; diff --git a/bin/tests/system/autosign/tests.sh b/bin/tests/system/autosign/tests.sh index 40136edafd..604943cf40 100755 --- a/bin/tests/system/autosign/tests.sh +++ b/bin/tests/system/autosign/tests.sh @@ -91,7 +91,7 @@ checkjitter () { _count=0 # Check if we have at least 4 days - # This number has been tuned for `sig-validity-interval 10 2`, as + # This number has been tuned for `signatures-validity 10d; signatures-refresh 2d`, as # 1 signature expiration dates should be spread out across at most 8 (10-2) days # 2. we remove first and last day to remove frequency outlier, we are left with 6 (8-2) days # 3. we subtract two more days to allow test pass on day boundaries, etc. leaving us with 4 (6-2) 
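Review bot: `zone "delay.example"` loses both `allow-update` and `auto-dnssec maintain` but is given no `dnssec-policy`, whereas `insecure.example` earlier in this file gets an explicit `dnssec-policy none;`; tests.sh now signs this zone offline with dnssec-signzone and `rndc reload`s it, so the omission looks deliberate, but the zone block should say so to keep the file consistent, e.g. `dnssec-policy none; # signed offline by tests.sh (dnssec-signzone + rndc reload)`. `delzsk.example.` switching to the `nsec3` policy also replaces the `rndc signing -nsec3param` step the old delzsk test performed, which a short comment on that zone would make visible without cross-referencing tests.sh.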
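Review bot: The rewritten comment in `checkjitter` quotes `signatures-validity 10d; signatures-refresh 2d`, but the policies it refers to (`jitter` and `jitter-nsec3` in ns3/named.conf.in, same commit) are written with ISO 8601 durations, so the comment should quote the configuration as it is actually written: `# This number has been tuned for 'signatures-validity P10D; signatures-refresh P2D', as`. `checkjitter` starts before this hunk.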
@@ -155,23 +155,22 @@ do # # Wait for the root DNSKEY RRset to be fully signed. # - $DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n || ret=1 - grep "ANSWER: 10," dig.out.ns1.test$n > /dev/null || ret=1 + $DIG $DIGOPTS . @10.53.0.1 dnskey > dig.out.ns1.test$n.dnskey || ret=1 + grep "ANSWER: 11," dig.out.ns1.test$n.dnskey > /dev/null || ret=1 for z in . do - $DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n || ret=1 - grep "NS SOA" dig.out.ns1.test$n > /dev/null || ret=1 + $DIG $DIGOPTS $z @10.53.0.1 nsec > dig.out.ns1.test$n.nsec || ret=1 + grep "NS SOA" dig.out.ns1.test$n.nsec > /dev/null || ret=1 done - for z in bar. example. private.secure.example. optout-with-ent. + for z in bar. example. # skip NSEC3 signed zones do - $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n || ret=1 - grep "NS SOA" dig.out.ns2.test$n > /dev/null || ret=1 + $DIG $DIGOPTS $z @10.53.0.2 nsec > dig.out.ns2.test$n.$z || ret=1 + grep "NS SOA" dig.out.ns2.test$n.$z > /dev/null || ret=1 done - for z in bar. example. inacksk2.example. inacksk3.example \ - inaczsk2.example. inaczsk3.example noksk.example nozsk.example + for z in bar. example. inaczsk2.example. noksk.example nozsk.example do - $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n || ret=1 - grep "NS SOA" dig.out.ns3.test$n > /dev/null || ret=1 + $DIG $DIGOPTS $z @10.53.0.3 nsec > dig.out.ns3.test$n.$z || ret=1 + grep "NS SOA" dig.out.ns3.test$n.$z > /dev/null || ret=1 done i=$((i + 1)) if [ $ret = 0 ]; then break; fi @@ -179,12 +178,9 @@ do sleep 2 done n=$((n + 1)) -if [ $ret != 0 ]; then echo_i "done"; fi +if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -echo_i "Convert optout-with-ent from nsec to nsec3" -($RNDCCMD 10.53.0.2 signing -nsec3param 1 1 1 - optout-with-ent 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 - echo_i "Initial counts of RRSIG expiry fields values for auto signed zones" for z in . do 
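Review bot: `grep "ANSWER: 11,"` replaces the earlier bare `10` with another bare count, and nothing says which keys make up the eleven DNSKEY records expected in the root zone, so the next change to the root key set will fail this wait loop with no hint; a short derivation comment would do, e.g. `# 11 DNSKEY records: <enumerate the root keys created by setup.sh>`. The per-zone output files (`dig.out.ns2.test$n.$z`, `dig.out.ns3.test$n.$z`) are an improvement since the loop iterations no longer overwrite each other's output. The change from `echo_i "done"` to `echo_i "failed"` in the second hunk on this line corrects a message that was printed on the failure path.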
@@ -196,7 +192,7 @@ do echo_i zone $z $DIG $DIGOPTS $z @10.53.0.2 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i done -for z in inacksk2.example. inacksk3.example inaczsk2.example. inaczsk3.example +for z in inaczsk2.example. do echo_i zone $z $DIG $DIGOPTS $z @10.53.0.3 axfr | awk '$4 == "RRSIG" {print $9}' | sort | uniq -c | cat_i 
@@ -205,107 +201,6 @@ done # Set logfile offset for wait_for_log usage. nextpartreset ns3/named.run -# -# Check that DNSKEY is initially signed with a KSK and not a ZSK. -# -echo_i "check that zone with active and inactive KSK and active ZSK is properly" -echo_ic "resigned after the active KSK is deleted - stage 1: Verify that DNSKEY" -echo_ic "is initially signed with a KSK and not a ZSK. ($n)" -ret=0 - -$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n - -zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}') -grep "DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 " dig.out.ns3.test$n > /dev/null || ret=1 - -pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1 - -count=$(awk 'BEGIN { count = 0 } - $4 == "RRSIG" && $5 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n) -test $count -eq 1 || ret=1 - -count=$(awk 'BEGIN { count = 0 } - $4 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n) -test $count -eq 3 || ret=1 - -awk='$4 == "RRSIG" && $5 == "DNSKEY" { printf "%05u\n", $11 }' -id=$(awk "${awk}" dig.out.ns3.test$n) - -keyfile=$(printf "ns3/Kinacksk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}") -$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1 -($RNDCCMD 10.53.0.3 loadkeys inacksk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 - -n=$((n + 1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -# -# Check that zone is initially signed with a ZSK and not a KSK. -# -echo_i "check that zone with active and inactive ZSK and active KSK is properly" -echo_ic "resigned after the active ZSK is deleted - stage 1: Verify that zone" -echo_ic "is initially signed with a ZSK and not a KSK. 
($n)" -ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n -kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' ) -grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 " dig.out.ns3.test$n > /dev/null || ret=1 -grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null && ret=1 -count=$(awk 'BEGIN { count = 0 } - $4 == "RRSIG" && $5 == "CNAME" { count++ } - END {print count}' dig.out.ns3.test$n) -test $count -eq 1 || ret=1 -count=$(awk 'BEGIN { count = 0 } - $4 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n) -test $count -eq 3 || ret=1 -id=$(awk '$4 == "RRSIG" && $5 == "CNAME" { printf "%05u\n", $11 }' dig.out.ns3.test$n) - -keyfile=$(printf "ns3/Kinaczsk3.example.+%03u+%s" "${DEFAULT_ALGORITHM_NUMBER}" "${id}") -$SETTIME -D now+5 "${keyfile}" > settime.out.test$n || ret=1 -($RNDCCMD 10.53.0.3 loadkeys inaczsk3.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 -n=$((n + 1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "resetting nsec3param via rndc signing ($n)" -ret=0 -$RNDCCMD 10.53.0.3 signing -clear all autonsec3.example. > /dev/null 2>&1 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef autonsec3.example. > /dev/null 2>&1 -for i in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - $RNDCCMD 10.53.0.3 signing -list autonsec3.example. > signing.out.test$n 2>&1 - grep "Pending NSEC3 chain 1 1 10 BEEF" signing.out.test$n > /dev/null || ret=1 - num=$(grep "Pending " signing.out.test$n | wc -l) - [ $num -eq 1 ] || ret=1 - [ $ret -eq 0 ] && break - echo_i "waiting ... ($i)" - sleep 2 -done -n=$((n + 1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "setting nsec3param via rndc signing ($n)" -ret=0 -$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 beef optout.example. 
2>&1 -for i in 0 1 2 3 4 5 6 7 8 9; do - ret=0 - $DIG $DIGOPTS @10.53.0.3 nsec3param optout.example > dig.out.ns3.test$n - # Note that the Opt-Out flag is not used in NSEC3PARAM and is set to zero. - grep "NSEC3PARAM.*1.*0.*10.*BEEF" dig.out.ns3.test$n > /dev/null || ret=1 - [ $ret -eq 0 ] && break - echo_i "waiting ... ($i)" - sleep 2 -done -n=$((n + 1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - echo_i "signing preset nsec3 zone" zsk=$(cat autozsk.key) ksk=$(cat autoksk.key) @@ -890,7 +785,7 @@ n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -echo_i "checking that deactivated key does not sign records ($n)" +echo_i "checking that deactivated key does not sign records ($n)" ret=0 id=$(keyfile_to_key_id "$(cat inact.key)") $DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 @@ -932,10 +827,9 @@ ret=0 $DIG $DIGOPTS +short soa prepub.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 oldserial=$(cat dig.out.ns3.test$n | awk '$0 !~ /SOA/ {print $3}') oldinception=$(cat dig.out.ns3.test$n | awk '/SOA/ {print $6}' | sort -u) - -$KEYGEN -a $DEFAULT_ALGORITHM -3 -q -K ns3 -P 0 -A +6d -I +38d -D +45d prepub.example > /dev/null - -($RNDCCMD 10.53.0.3 sign prepub.example 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 +id=$(keyfile_to_key_id "$(cat prepub.key)") +echo_i "prepublish key for ZSK $id" +($RNDCCMD 10.53.0.3 dnssec -rollover -key $id prepub.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 newserial=$oldserial try=0 while [ $oldserial -eq $newserial -a $try -lt 42 ] 
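Review bot: The prepublication step now depends on `prepub.key` having been written beforehand, where the previous version generated the key inline with `$KEYGEN ... -P 0 -A +6d -I +38d -D +45d`; that file's creation is not in the visible part of this diff (presumably setup.sh), so a one-line comment stating where it comes from and that the rollover timing is now supplied by the zone's policy would help, e.g. `# prepub.key: ZSK pre-generated for prepub.example by setup.sh; rollover timing comes from its dnssec-policy`. The `sed 's/^/ns3 /'` prefix also fixes the stray `ns1` label the old line carried. The surrounding test block starts before this hunk.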
@@ -955,30 +849,31 @@ n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -echo_i "preparing to test key change corner cases" -echo_i "removing a private key file" -file="ns1/$(cat vanishing.key).private" -rm -f $file - echo_i "preparing ZSK roll" starttime=$($PERL -e 'print time(), "\n";') oldfile=$(cat active.key) oldid=$(keyfile_to_key_id "$(cat active.key)") newfile=$(cat standby.key) newid=$(keyfile_to_key_id "$(cat standby.key)") -$SETTIME -K ns1 -I now+2s -D now+25 $oldfile > settime.out.test$n.1 || ret=1 +$SETTIME -K ns1 -I now -D now+25 $oldfile > settime.out.test$n.1 || ret=1 $SETTIME -K ns1 -i 0 -S $oldfile $newfile > settime.out.test$n.2 || ret=1 # note previous zone serial number oldserial=$($DIG $DIGOPTS +short soa . @10.53.0.1 | awk '{print $3}') -($RNDCCMD 10.53.0.1 loadkeys . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 +($RNDCCMD 10.53.0.1 freeze . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 +cp ns1/root.db.signed ns1/root.db.1 +$SIGNER -S -o . -O full -K ns1 -f ns1/root.db.signed ns1/root.db.1 > signing.root.out$n 2>&1 || ret=1 +($RNDCCMD 10.53.0.1 thaw . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 sleep 4 echo_i "revoking key to duplicated key ID" $SETTIME -R now -K ns2 Kbar.+013+59973.key > settime.out.test$n.3 || ret=1 -($RNDCCMD 10.53.0.2 loadkeys bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 +($RNDCCMD 10.53.0.2 freeze bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 +cp ns2/bar.db.signed ns2/bar.db +$SIGNER -S -o bar. -O full -K ns2 ns2/bar.db > signing.bar.out$n 2>&1 || ret=1 +($RNDCCMD 10.53.0.2 thaw bar. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 echo_i "waiting for changes to take effect" sleep 5 
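Review bot: The freeze / `cp` / `$SIGNER -S ... -f` / thaw sequence that replaces `rndc loadkeys` is written out twice in this hunk (ns1 and ns2) and again in the hunks at `@@ -1032` and `@@ -1126`, and the ns2 copy clobbers the unsigned source `ns2/bar.db` with the signed zone instead of using a scratch copy the way the ns1 copies do (`root.db.1`, `.2`, `.3`). A small helper would keep the four call sites identical, always attempt the thaw so a failed signing run does not leave the zone frozen, and let the bar case use a scratch name; the extra `-v 3` used at `@@ -1126` can be passed through as a trailing option, and the log-file naming can follow whatever the test prefers.
```shell
# Freeze ZONE on ADDR, re-sign SIGNED in place from the scratch copy SCRATCH
# with dnssec-signzone (smart signing), then thaw. The thaw is always attempted
# so a failed signing run does not leave the zone frozen.
# Usage: resign_frozen NS ADDR ZONE SIGNED SCRATCH [extra dnssec-signzone options]
resign_frozen() {
    _ns=$1; _addr=$2; _zone=$3; _signed=$4; _scratch=$5; shift 5
    _rc=0
    ($RNDCCMD $_addr freeze $_zone 2>&1 | sed "s/^/$_ns /" | cat_i) || _rc=1
    cp $_signed $_scratch || _rc=1
    $SIGNER "$@" -S -o $_zone -O full -K $_ns -f $_signed $_scratch > signing.$_ns.out$n 2>&1 || _rc=1
    ($RNDCCMD $_addr thaw $_zone 2>&1 | sed "s/^/$_ns /" | cat_i) || _rc=1
    return $_rc
}

# … unchanged: SETTIME calls and oldserial capture …
resign_frozen ns1 10.53.0.1 . ns1/root.db.signed ns1/root.db.1 || ret=1
# … unchanged: revoking key to duplicated key ID …
resign_frozen ns2 10.53.0.2 bar. ns2/bar.db.signed ns2/bar.db.1 || ret=1
```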
@@ -1002,7 +897,6 @@ status=$((status + ret)) echo_i "checking that signing records have been marked as complete ($n)" ret=0 -checkprivate bar 10.53.0.2 || ret=1 checkprivate example 10.53.0.2 0 type65280 || ret=1 # sig-signing-type 65280 checkprivate private.secure.example 10.53.0.3 2 || ret=1 # pre-signed checkprivate nsec3.example 10.53.0.3 || ret=1 @@ -1017,7 +911,7 @@ checkprivate oldsigs.example 10.53.0.3 2 || ret=1 # pre-signed checkprivate optout.example 10.53.0.3 || ret=1 checkprivate optout.nsec3.example 10.53.0.3 || ret=1 checkprivate optout.optout.example 10.53.0.3 || ret=1 -checkprivate prepub.example 10.53.0.3 1 || ret=1 # expecting incomplete +checkprivate prepub.example 10.53.0.3 2 || ret=1 # pre-signed checkprivate rsasha256.example 10.53.0.3 || ret=1 checkprivate rsasha512.example 10.53.0.3 || ret=1 checkprivate secure.example 10.53.0.3 || ret=1 @@ -1032,14 +926,17 @@ status=$((status + ret)) echo_i "forcing full sign ($n)" ret=0 -($RNDCCMD 10.53.0.1 sign . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 +($RNDCCMD 10.53.0.1 freeze . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 +cp ns1/root.db.signed ns1/root.db.2 +$SIGNER -S -o . -O full -K ns1 -f ns1/root.db.signed ns1/root.db > signing.root.out$n 2>&1 || ret=1 +($RNDCCMD 10.53.0.1 thaw . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi echo_i "waiting for change to take effect" sleep 5 -echo_i "checking former standby key has now signed fully ($n)" +echo_i "checking former standby key $newid has now signed fully ($n)" ret=0 $DIG $DIGOPTS txt . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep 'RRSIG.*'" $newid "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 
@@ -1055,6 +952,11 @@ n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) +echo_i "preparing to test key change corner cases" +echo_i "removing a private key file" +file="ns1/$(cat vanishing.key).private" +rm -f $file + echo_i "checking delayed key publication/activation ($n)" ret=0 zsk=$(cat delayzsk.key) 
@@ -1075,30 +977,32 @@ echo_i "checking scheduled key publication, not activation ($n)" ret=0 # Ensure initial zone is loaded. wait_for_notifies "delay.example" "ns3" || ret=1 -$SETTIME -K ns3 -P now+3s -A none $zsk > settime.out.test$n.zsk || ret=1 -$SETTIME -K ns3 -P now+3s -A none $ksk > settime.out.test$n.ksk || ret=1 -($RNDCCMD 10.53.0.3 loadkeys delay.example. 2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 -echo_i "waiting for changes to take effect" -sleep 3 -wait_for_notifies "delay.example" "ns3" || ret=1 - -$DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || ret=1 -# DNSKEY expected: -awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || ret=1 -# RRSIG not expected: -awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.test$n && ret=1 +$SETTIME -K ns3 -P now -A none $zsk > settime.out.test$n.zsk || ret=1 +$SETTIME -K ns3 -P now -A none $ksk > settime.out.test$n.ksk || ret=1 +cp ns3/delay.example.db ns3/delay.example.1 +# This will create a non valid DNSSEC zone, disable post-sign verification +$SIGNER -P -S -o delay.example. -O full -N increment -K ns3 -f ns3/delay.example.db ns3/delay.example.1 > signing.delay.out.$n 2>&1 || ret=1 +($RNDCCMD 10.53.0.3 reload delay.example | sed 's/^/ns3 /' | cat_i) || ret=1 +check_has_dnskey() { + $DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.test$n || return 1 + # DNSKEY expected: + awk 'BEGIN {r=1} $4=="DNSKEY" {r=0} END {exit r}' dig.out.ns3.test$n || return 1 + # RRSIG not expected: + awk 'BEGIN {r=1} $4=="RRSIG" {r=0} END {exit r}' dig.out.ns3.test$n && return 1 + return 0 +} +retry_quiet 5 check_has_dnskey || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) echo_i "checking scheduled key activation ($n)" ret=0 -$SETTIME -K ns3 -A now+3s $zsk > settime.out.test$n.zsk || ret=1 -$SETTIME -K ns3 -A now+3s $ksk > settime.out.test$n.ksk || ret=1 -($RNDCCMD 10.53.0.3 loadkeys delay.example. 
2>&1 | sed 's/^/ns2 /' | cat_i) || ret=1 -echo_i "waiting for changes to take effect" -sleep 3 -wait_for_log_re 10 "add delay\.example\..*NSEC.a\.delay\.example\. NS SOA RRSIG NSEC DNSKEY" ns3/named.run +$SETTIME -K ns3 -A now $zsk > settime.out.test$n.zsk || ret=1 +$SETTIME -K ns3 -A now $ksk > settime.out.test$n.ksk || ret=1 +cp ns3/delay.example.db ns3/delay.example.2 +$SIGNER -S -o delay.example. -O full -N increment -K ns3 -f ns3/delay.example.db ns3/delay.example.2 > signing.delay.out.$n 2>&1 || ret=1 +($RNDCCMD 10.53.0.3 reload delay.example | sed 's/^/ns3 /' | cat_i) || ret=1 check_is_signed() { $DIG $DIGOPTS +noall +answer dnskey delay.example. @10.53.0.3 > dig.out.ns3.1.test$n || return 1 # DNSKEY expected: 
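Review bot: The two new `$RNDCCMD 10.53.0.3 reload delay.example | sed ... | cat_i` pipelines omit the `2>&1` that every other `$RNDCCMD ... | sed | cat_i` line in this file carries (including the freeze/thaw lines added by the same commit), so an rndc error for this zone goes to raw stderr without the `ns3` prefix instead of into the test log; add it: `($RNDCCMD 10.53.0.3 reload delay.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1`. The `-P` comment is useful; it would be clearer still if it said why the zone is expected to be invalid, namely that the keys are published with `-A none` so the first pass carries DNSKEY records but no signatures, which is exactly what `check_has_dnskey` then asserts. The test block continues past the end of this hunk.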
@@ -1126,19 +1030,24 @@ now=$($PERL -e 'print time(), "\n";') sleep=$((starttime + 29 - now)) case $sleep in -*|0);; -*) echo_i "waiting for timer to have activated"; sleep $sleep;; +*) echo_i "waiting $sleep seconds for timer to have activated"; sleep $sleep;; esac ret=0 +($RNDCCMD 10.53.0.1 freeze . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 +cp ns1/root.db.signed ns1/root.db.3 +$SIGNER -v 3 -S -o . -O full -K ns1 -f ns1/root.db.signed ns1/root.db.3 > signing.root.out$n 2>&1 || ret=1 +($RNDCCMD 10.53.0.1 thaw . 2>&1 | sed 's/^/ns1 /' | cat_i) || ret=1 $DIG $DIGOPTS +multi dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep '; key id = '"$oldid"'$' dig.out.ns1.test$n > /dev/null && ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -echo_i "checking private key file removal caused no immediate harm ($n)" +id=$(keyfile_to_key_id "$(cat vanishing.key)") +echo_i "checking private key file $id removal caused no immediate harm ($n)" ret=0 id=$(keyfile_to_key_id "$(cat vanishing.key)") -$DIG $DIGOPTS dnskey . @10.53.0.1 > dig.out.ns1.test$n || ret=1 +$DIG $DIGOPTS soa . @10.53.0.1 > dig.out.ns1.test$n || ret=1 grep 'RRSIG.*'" $id "'\. ' dig.out.ns1.test$n > /dev/null || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi 
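Review bot: The added `id=$(keyfile_to_key_id "$(cat vanishing.key)")` placed before the `echo_i` duplicates the identical assignment that still follows `ret=0` two lines later; drop the second one so the id is computed once. Switching the query from `dnskey` to `soa` changes what the check proves (that an RRSIG by the key whose `.private` file was removed is still served for SOA rather than for the DNSKEY RRset) and deserves a comment, e.g. `# the key whose .private file was removed must still have a served RRSIG on zone data (SOA)`. The `waiting $sleep seconds` message tweak is a nice diagnostic improvement.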
@@ -1168,52 +1077,6 @@ n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -# this confirms that key events are never scheduled more than -# 'dnssec-loadkeys-interval' minutes in the future, and that the -# event scheduled is within 10 seconds of expected interval. -check_interval () { - awk '/next key event/ {print $2 ":" $9}' $1/named.run | - sed -e 's/\.//g' -e 's/:0\{1,4\}/:/g' | - awk -F: ' - { - x = ($6+ $5*60000 + $4*3600000) - ($3+ $2*60000 + $1*3600000); - # abs(x) < 1000 ms treat as 'now' - if (x < 1000 && x > -1000) - x = 0; - # convert to seconds - x = x/1000; - # handle end of day roll over - if (x < 0) - x = x + 24*3600; - # handle log timestamp being a few milliseconds later - if (x != int(x)) - x = int(x + 1); - if (int(x) > int(interval)) - exit (1); - } - END { if (int(x) > int(interval) || int(x) < int(interval-10)) exit(1) }' interval=$2 || return $? - return 0 -} - -echo_i "checking automatic key reloading interval ($n)" -ret=0 -check_interval ns1 3600 || ret=1 -check_interval ns2 1800 || ret=1 -check_interval ns3 600 || ret=1 -n=$((n + 1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "checking for key reloading loops ($n)" -ret=0 -# every key event should schedule a successor, so these should be equal -rekey_calls=$(grep "reconfiguring zone keys" ns*/named.run | wc -l) -rekey_events=$(grep "next key event" ns*/named.run | wc -l) -[ "$rekey_calls" = "$rekey_events" ] || ret=1 -n=$((n + 1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - echo_i "forcing full sign with unreadable keys ($n)" ret=0 chmod 0 ns1/K.+*+*.key ns1/K.+*+*.private || ret=1 
@@ -1224,14 +1087,14 @@ n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -echo_i "test turning on auto-dnssec during reconfig ($n)" +echo_i "test turning on dnssec-policy during reconfig ($n)" ret=0 -# first create a zone that doesn't have auto-dnssec +# first create a zone that doesn't have dnssec-policy ($RNDCCMD 10.53.0.3 addzone reconf.example '{ type primary; file "reconf.example.db"; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 rekey_calls=$(grep "zone reconf.example.*next key event" ns3/named.run | wc -l) [ "$rekey_calls" -eq 0 ] || ret=1 -# ...then we add auto-dnssec and reconfigure -($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; auto-dnssec maintain; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 +# ...then we add dnssec-policy and reconfigure +($RNDCCMD 10.53.0.3 modzone reconf.example '{ type primary; file "reconf.example.db"; allow-update { any; }; dnssec-policy default; };' 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 rndc_reconfig ns3 10.53.0.3 for i in 0 1 2 3 4 5 6 7 8 9; do lret=0 @@ -1256,7 +1119,7 @@ n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -echo_i "test 'dnssec-dnskey-kskonly no' affects DNSKEY/CDS/CDNSKEY ($n)" +echo_i "test 'csk' affects DNSKEY/CDS/CDNSKEY ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 sync.example dnskey > dig.out.ns3.dnskeytest$n $DIG $DIGOPTS @10.53.0.3 sync.example cdnskey > dig.out.ns3.cdnskeytest$n @@ -1271,7 +1134,7 @@ n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -echo_i "test 'dnssec-dnskey-kskonly yes' affects DNSKEY/CDS/CDNSKEY ($n)" +echo_i "test 'ksk' affects DNSKEY/CDS/CDNSKEY ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 kskonly.example dnskey > dig.out.ns3.dnskeytest$n $DIG $DIGOPTS @10.53.0.3 kskonly.example cdnskey > dig.out.ns3.cdnskeytest$n 
@@ -1286,22 +1149,24 @@ n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -echo_i "setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'" -$SETTIME -D sync now $(cat sync.key) > settime.out.test$n || ret=1 -($RNDCCMD 10.53.0.3 loadkeys sync.example | sed 's/^/ns3 /' | cat_i) || ret=1 - -echo_i "checking that the CDS and CDNSKEY are deleted ($n)" -ret=0 -ensure_cds_and_cdnskey_are_deleted() { - $DIG $DIGOPTS @10.53.0.3 sync.example. CDS > dig.out.ns3.cdstest$n || return 1 - awk '$1 == "sync.example." && $4 == "CDS" { exit 1; }' dig.out.ns3.cdstest$n || return 1 - $DIG $DIGOPTS @10.53.0.3 sync.example. CDNSKEY > dig.out.ns3.cdnskeytest$n || return 1 - awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1 -} -retry 10 ensure_cds_and_cdnskey_are_deleted || ret=1 -n=$((n + 1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) +# XXXWMM Replace this test with dnssec-policy equivalent once we have +# implemented 'cdnskey "only-during-rollovers";'. +#echo_i "setting CDS and CDNSKEY deletion times and calling 'rndc loadkeys'" +#$SETTIME -D sync now $(cat sync.key) > settime.out.test$n || ret=1 +#($RNDCCMD 10.53.0.3 loadkeys sync.example | sed 's/^/ns3 /' | cat_i) || ret=1 +# +#echo_i "checking that the CDS and CDNSKEY are deleted ($n)" +#ret=0 +#ensure_cds_and_cdnskey_are_deleted() { +# $DIG $DIGOPTS @10.53.0.3 sync.example. CDS > dig.out.ns3.cdstest$n || return 1 +# awk '$1 == "sync.example." && $4 == "CDS" { exit 1; }' dig.out.ns3.cdstest$n || return 1 +# $DIG $DIGOPTS @10.53.0.3 sync.example. CDNSKEY > dig.out.ns3.cdnskeytest$n || return 1 +# awk '$1 == "sync.example." && $4 == "CDNSKEY" { exit 1; }' dig.out.ns3.cdnskeytest$n || return 1 +#} +#retry 10 ensure_cds_and_cdnskey_are_deleted || ret=1 +#n=$((n + 1)) +#if [ $ret != 0 ]; then echo_i "failed"; fi +#status=$((status + ret)) echo_i "check that dnssec-settime -p Dsync works ($n)" ret=0 
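Review bot: Commenting out the CDS/CDNSKEY deletion test leaves eighteen lines of dead shell in the script that will rot as surrounding helpers change; the `# XXXWMM` note already records why the test is disabled and what would re-enable it (`cdnskey "only-during-rollovers";`), so it is better to delete the block and keep only that note, with a tracking reference if one exists (`# XXXWMM ... tracked in GL #<issue id>`), since git history preserves the old test. If the intent is to keep it visible as a reminder, wrapping it in a function that is never called at least keeps it syntax-checked by the shell.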
@@ -1319,24 +1184,6 @@ n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -echo_i "check that zone with inactive KSK and active ZSK is properly autosigned ($n)" -ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inacksk2.example > dig.out.ns3.test$n - -zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk2.example | awk '{ print $4}' ) -pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1 - -kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inacksk2.example | awk '{ print $4}' ) -pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${kskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null && ret=1 - -n=$((n + 1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - echo_i "check that zone with inactive ZSK and active KSK is properly autosigned ($n)" ret=0 $DIG $DIGOPTS @10.53.0.3 axfr inaczsk2.example > dig.out.ns3.test$n 
@@ -1345,101 +1192,27 @@ n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -# -# Check that DNSKEY is now signed with the ZSK. -# -echo_i "check that zone with active and inactive KSK and active ZSK is properly" -echo_ic "resigned after the active KSK is deleted - stage 2: Verify that DNSKEY" -echo_ic "is now signed with the ZSK. ($n)" -ret=0 - -$DIG $DIGOPTS @10.53.0.3 axfr inacksk3.example > dig.out.ns3.test$n - -zskid=$(awk '$4 == "DNSKEY" && $5 == 256 { print }' dig.out.ns3.test$n | - $DSFROMKEY -A -2 -f - inacksk3.example | awk '{ print $4}' ) -pattern="DNSKEY ${DEFAULT_ALGORITHM_NUMBER} 2 [0-9]* [0-9]* [0-9]* ${zskid} " -grep "${pattern}" dig.out.ns3.test$n > /dev/null || ret=1 - -count=$(awk 'BEGIN { count = 0 } - $4 == "RRSIG" && $5 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n) -test $count -eq 1 || ret=1 - -count=$(awk 'BEGIN { count = 0 } - $4 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n) -test $count -eq 2 || ret=1 - -n=$((n + 1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -# -# Check that zone is now signed with the KSK. -# -echo_i "check that zone with active and inactive ZSK and active KSK is properly" -echo_ic "resigned after the active ZSK is deleted - stage 2: Verify that zone" -echo_ic "is now signed with the KSK. 
($n)" -ret=0 -$DIG $DIGOPTS @10.53.0.3 axfr inaczsk3.example > dig.out.ns3.test$n -kskid=$(awk '$4 == "DNSKEY" && $5 == 257 { print }' dig.out.ns3.test$n | - $DSFROMKEY -2 -f - inaczsk3.example | awk '{ print $4}' ) -grep "CNAME ${DEFAULT_ALGORITHM_NUMBER} 3 [0-9]* [0-9]* [0-9]* ${kskid} " dig.out.ns3.test$n > /dev/null || ret=1 -count=$(awk 'BEGIN { count = 0 } - $4 == "RRSIG" && $5 == "CNAME" { count++ } - END {print count}' dig.out.ns3.test$n) -test $count -eq 1 || ret=1 -count=$(awk 'BEGIN { count = 0 } - $4 == "DNSKEY" { count++ } - END {print count}' dig.out.ns3.test$n) -test $count -eq 2 || ret=1 -n=$((n + 1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - echo_i "checking for out-of-zone NSEC3 records after ZSK removal ($n)" ret=0 -# Switch the zone over to NSEC3 and wait until the transition is complete. -$RNDCCMD 10.53.0.3 signing -nsec3param 1 1 10 12345678 delzsk.example. > signing.out.1.test$n 2>&1 || ret=1 -for i in 0 1 2 3 4 5 6 7 8 9; do - _ret=1 - $DIG $DIGOPTS delzsk.example NSEC3PARAM @10.53.0.3 > dig.out.ns3.1.test$n 2>&1 || ret=1 - { grep "NSEC3PARAM.*12345678" dig.out.ns3.1.test$n > /dev/null 2>&1; rc=$?; } || true - if [ $rc -eq 0 ]; then - $RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.2.test$n 2>&1 - { grep "Creating NSEC3 chain " signing.out.2.test$n > /dev/null 2>&1; rc=$?; } || true - if [ $rc -ne 0 ]; then - _ret=0 - break - fi - fi - sleep 1 -done -if [ $_ret -ne 0 ]; then - echo_i "timed out waiting for NSEC3 chain creation" - ret=1 -fi -# Mark the inactive ZSK as pending removal. -file="ns3/$(cat delzsk.key).key" -$SETTIME -D now-1h $file > settime.out.test$n || ret=1 -# Trigger removal of the inactive ZSK and wait until its completion. 
-($RNDCCMD 10.53.0.3 loadkeys delzsk.example 2>&1 | sed 's/^/ns3 /' | cat_i) || ret=1 -for i in 0 1 2 3 4 5 6 7 8 9; do - _ret=1 - $RNDCCMD 10.53.0.3 signing -list delzsk.example > signing.out.3.test$n 2>&1 - { grep "Signing " signing.out.3.test$n > /dev/null 2>&1; rc=$?; } || true - if [ $rc -ne 0 ]; then - if [ $(grep "Done signing " signing.out.3.test$n | wc -l) -eq 2 ]; then - _ret=0 - break - fi - fi - sleep 1 -done -if [ $_ret -ne 0 ]; then +# Delete the ZSK +file="ns3/inactive/$(cat delzsk.key).key" +$NSUPDATE > nsupdate.out.test$n 2>&1 < dig.out.ns3.test$n || return 1 + grep '; key id = '"$oldid"'$' dig.out.ns3.test$n > /dev/null && return 1 + return 0 +} +retry_quiet 5 zsk_is_gone || ret=1 +if [ $ret -ne 0 ]; then echo_i "timed out waiting for key removal" - ret=1 fi + # Check whether key removal caused NSEC3 records to be erroneously created for # glue records due to a secure delegation already being signed by the active key # (i.e. a key other than the one being removed but using the same algorithm). @@ -1455,7 +1228,7 @@ n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -echo_i "check that DNAME at apex with NSEC3 is correctly signed (auto-dnssec maintain) ($n)" +echo_i "check that DNAME at apex with NSEC3 is correctly signed (dnssec-policy) ($n)" ret=0 $DIG $DIGOPTS txt dname-at-apex-nsec3.example @10.53.0.3 > dig.out.ns3.test$n || ret=1 grep "RRSIG NSEC3 ${DEFAULT_ALGORITHM_NUMBER} 3 600" dig.out.ns3.test$n > /dev/null || ret=1 
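Review bot: The new `zsk_is_gone` check greps for `'; key id = '"$oldid"'$'`, but the only assignment of `oldid` visible in this diff is in the ZSK-roll test at `@@ -955`, where it is the root zone's active key id from `active.key`; unless `oldid` is reassigned in the part of this hunk that the extraction lost (the `$NSUPDATE` heredoc and the function header are missing here), the check waits for the wrong key and `retry_quiet 5 zsk_is_gone` would pass immediately because the root key id never appears in a delzsk.example DNSKEY answer. Use the id of the key actually being deleted, e.g. `delid=$(keyfile_to_key_id "$(cat delzsk.key)")`, and grep for that. The `timed out waiting for key removal` message now also fires for any earlier `ret=1` in this block since the separate `_ret` is gone, and the `|| return 1` after `$NSUPDATE` sits at script top level unless it too belongs to the lost function body.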
@@ -1475,111 +1248,54 @@ status=$((status + ret)) echo_i "checking key maintenance events were logged correctly ($n)" ret=0 -pub=$(grep "DNSKEY .* is now published" ns1/named.run | wc -l) -[ "$pub" -eq 6 ] || ret=1 -act=$(grep "DNSKEY .* is now active" ns1/named.run | wc -l) -[ "$act" -eq 5 ] || ret=1 -rev=$(grep "DNSKEY .* is now revoked" ns1/named.run | wc -l) -[ "$rev" -eq 1 ] || ret=1 -inac=$(grep "DNSKEY .* is now inactive" ns1/named.run | wc -l) -[ "$inac" -eq 1 ] || ret=1 -del=$(grep "DNSKEY .* is now deleted" ns1/named.run | wc -l) -[ "$del" -eq 1 ] || ret=1 +pub=$(grep "DNSKEY .* is now published" ns2/named.run | grep -v "CDNSKEY" | wc -l) +[ "$pub" -eq 10 ] || ret=1 +act=$(grep "DNSKEY .* is now active" ns2/named.run | wc -l) +[ "$act" -eq 10 ] || ret=1 +rev=$(grep "DNSKEY .* is now revoked" ns2/named.run | wc -l) +[ "$rev" -eq 0 ] || ret=1 +inac=$(grep "DNSKEY .* is now inactive" ns2/named.run | wc -l) +[ "$inac" -eq 0 ] || ret=1 +del=$(grep "DNSKEY .* is now deleted" ns2/named.run | wc -l) +[ "$del" -eq 0 ] || ret=1 +pub=$(grep "DNSKEY .* is now published" ns3/named.run | grep -v "CDNSKEY" | wc -l) +act=$(grep "DNSKEY .* is now active" ns3/named.run | wc -l) +if $SHELL ../testcrypto.sh -q RSASHA1 +then + # Include two log lines for nsec-only zone. + [ "$pub" -eq 53 ] || ret=1 + [ "$act" -eq 53 ] || ret=1 +else + [ "$pub" -eq 51 ] || ret=1 + [ "$act" -eq 51 ] || ret=1 +fi +rev=$(grep "DNSKEY .* is now revoked" ns3/named.run | wc -l) +[ "$rev" -eq 0 ] || ret=1 +inac=$(grep "DNSKEY .* is now inactive" ns3/named.run | wc -l) +[ "$inac" -eq 0 ] || ret=1 +del=$(grep "DNSKEY .* is now deleted" ns3/named.run | wc -l) +[ "$del" -eq 3 ] || ret=1 n=$((n + 1)) if [ $ret != 0 ]; then echo_i "failed"; fi status=$((status + ret)) -echo_i "checking that CDS (DELETE) persists after zone sign ($n)" -echo_i "update add cds-delete.example. 
CDS 0 0 00" -ret=0 -$NSUPDATE > nsupdate.out 2>&1 < dig.out.ns3.test$n || return 1 - grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 || return 1 - return 0 -) -_cdnskey_delete_nx() { - $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1 - grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 && return 1 - return 0 -} - -echo_i "query cds-delete.example. CDS" -retry_quiet 10 _cds_delete cds-delete.example. || ret=1 -echo_i "query cds-delete.example. CDNSKEY" -retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1 - -echo_i "sign cds-delete.example." -nextpart ns3/named.run >/dev/null -$RNDCCMD 10.53.0.3 sign cds-delete.example > /dev/null 2>&1 || ret=1 -wait_for_log 10 "zone cds-delete.example/IN: next key event" ns3/named.run -# The CDS (DELETE) record should still be here. -echo_i "query cds-delete.example. CDS" -retry_quiet 1 _cds_delete cds-delete.example. || ret=1 -# The CDNSKEY (DELETE) record should still not be added. -echo_i "query cds-delete.example. CDNSKEY" -retry_quiet 1 _cdnskey_delete_nx cds-delete.example. || ret=1 - -n=$((n + 1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "checking that CDNSKEY (DELETE) persists after zone sign ($n)" -echo_i "update add cdnskey-delete.example. CDNSKEY 0 3 0 AA==" -ret=0 -$NSUPDATE > nsupdate.out 2>&1 < dig.out.ns3.test$n || return 1 - grep "CDS.*0.*0.*0.*00" dig.out.ns3.test$n > /dev/null 2>&1 && return 1 - return 0 -) -_cdnskey_delete() { - $DIG $DIGOPTS +noall +answer $1 cdnskey @10.53.0.3 > dig.out.ns3.test$n || return 1 - grep "CDNSKEY.*0.*3.*0.*AA==" dig.out.ns3.test$n > /dev/null 2>&1 || return 1 - return 0 -} - -echo_i "query cdnskey-delete.example. CDNSKEY" -retry_quiet 10 _cdnskey_delete cdnskey-delete.example. || ret=1 -echo_i "query cdnskey-delete.example. CDS" -retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1 - -echo_i "sign cdsnskey-delete.example." 
-nextpart ns3/named.run >/dev/null -$RNDCCMD 10.53.0.3 sign cdnskey-delete.example > /dev/null 2>&1 || ret=1 -wait_for_log 10 "zone cdnskey-delete.example/IN: next key event" ns3/named.run -# The CDNSKEY (DELETE) record should still be here. -echo_i "query cdnskey-delete.example. CDNSKEY" -retry_quiet 1 _cdnskey_delete cdnskey-delete.example. || ret=1 -# The CDS (DELETE) record should still not be added. -echo_i "query cdnskey-delete.example. CDS" -retry_quiet 1 _cds_delete_nx cdnskey-delete.example. || ret=1 - -n=$((n + 1)) -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - -echo_i "check removal of ENT NSEC3 records when opt out delegations are removed ($n)" -ret=0 +echo_i "check removal of ENT NSEC3 records when opt out delegations are removed" zone=optout-with-ent hash=JTR8R6AVFULU0DQH9I6HNN2KUK5956EL + # check that NSEC3 for ENT is present +echo_i "check ENT NSEC3 is initially present" +ret=0 $DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.pre.ns2.test$n grep "status: NOERROR" dig.out.pre.ns2.test$n >/dev/null || ret=1 grep "ANSWER: 0, AUTHORITY: 4, " dig.out.pre.ns2.test$n > /dev/null || ret=1 grep "^${hash}.${zone}." dig.out.pre.ns2.test$n > /dev/null || ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "check ENT NSEC3 is still present after removing one of two delegations ($n)" +ret=0 # remove first delegation of two delegations, NSEC3 for ENT should remain. ( echo zone $zone 
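Review bot: The ns2 `act` count is taken with `grep "DNSKEY .* is now active" ns2/named.run | wc -l` without the `grep -v "CDNSKEY"` filter that the `pub` count two lines above applies, and the same asymmetry repeats for the ns3 counts; if "is now active" log lines can never mention CDNSKEY that deserves a one-line comment, otherwise both counts should be filtered the same way. The expected totals (10, 53 versus 51, 3) are bare magic numbers, and the only explanation given is `# Include two log lines for nsec-only zone.`; a comment naming which zones and policies contribute to each total would make the next policy change far easier to reconcile against these assertions. The first ENT sub-check is announced as `echo_i "check ENT NSEC3 is initially present"` without the `($n)` suffix that the following sub-checks and the `dig.out.pre.ns2.test$n` file name carry, so the log line cannot be matched to its output file; `echo_i "check ENT NSEC3 is initially present ($n)"` fixes that.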
@@ -1593,6 +1309,12 @@ $DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.mid.ns2.test$n grep "status: NOERROR" dig.out.mid.ns2.test$n >/dev/null || ret=1 grep "ANSWER: 0, AUTHORITY: 4, " dig.out.mid.ns2.test$n > /dev/null || ret=1 grep "^${hash}.${zone}." dig.out.mid.ns2.test$n > /dev/null || ret=1 +n=$((n+1)) +if [ "$ret" -ne 0 ]; then echo_i "failed"; fi +status=$((status+ret)) + +echo_i "check ENT NSEC3 is gone after removing the second delegation ($n)" +ret=0 # remove second delegation of two delegations, NSEC3 for ENT should be deleted. ( echo zone $zone @@ -1600,7 +1322,8 @@ echo server 10.53.0.2 "$PORT" echo update del sub2.ent.$zone NS echo send ) | $NSUPDATE -# check that NSEC3 for ENT is gone present +# check that NSEC3 for ENT is gone +echo_i "check ENT NSEC3 is gone for zone $zone hash $hash" $DIG $DIGOPTS @10.53.0.2 a "ent.${zone}" > dig.out.post.ns2.test$n grep "status: NXDOMAIN" dig.out.post.ns2.test$n >/dev/null || ret=1 grep "ANSWER: 0, AUTHORITY: 4, " dig.out.post.ns2.test$n > /dev/null || ret=1 diff --git a/bin/tests/system/checkconf/bad-dnssec.conf b/bin/tests/system/checkconf/bad-dnssec.conf index 3dbd0f3056..b6974eb86c 100644 --- a/bin/tests/system/checkconf/bad-dnssec.conf +++ b/bin/tests/system/checkconf/bad-dnssec.conf @@ -15,8 +15,6 @@ zone not-inline { type secondary; primaries { 127.0.0.1; }; inline-signing no; - dnssec-dnskey-kskonly yes; - update-check-ksk yes; dnssec-loadkeys-interval 10; }; @@ -25,7 +23,5 @@ zone inline { type secondary; primaries { 127.0.0.1; }; inline-signing yes; - dnssec-dnskey-kskonly yes; - update-check-ksk yes; dnssec-loadkeys-interval 10; }; diff --git a/bin/tests/system/checkconf/bad-kasp2.conf b/bin/tests/system/checkconf/bad-kasp2.conf deleted file mode 100644 index 2e88964dff..0000000000 --- a/bin/tests/system/checkconf/bad-kasp2.conf +++ /dev/null 
@@ -1,24 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -include "good-kasp.conf"; - -// Bad zone configuration because this has dnssec-policy and other DNSSEC sign -// configuration options (auto-dnssec). -zone "example.net" { - type primary; - file "example.db"; - dnssec-policy "test"; - auto-dnssec maintain; - allow-update { any; }; -}; diff --git a/bin/tests/system/checkconf/bad-noddns.conf b/bin/tests/system/checkconf/bad-noddns.conf index f7859d1937..76435bc6e6 100644 --- a/bin/tests/system/checkconf/bad-noddns.conf +++ b/bin/tests/system/checkconf/bad-noddns.conf @@ -14,6 +14,6 @@ zone example { type primary; file "example.db"; - auto-dnssec maintain; + dnssec-policy default; allow-update { none; }; }; diff --git a/bin/tests/system/checkconf/bad-sig-validity.conf b/bin/tests/system/checkconf/bad-sig-validity.conf deleted file mode 100644 index 1744ebafe4..0000000000 --- a/bin/tests/system/checkconf/bad-sig-validity.conf +++ /dev/null @@ -1,16 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - sig-validity-interval 5000; -}; 
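Review bot: With `auto-dnssec maintain;` replaced by `dnssec-policy default;` in bad-noddns.conf, the zone keeps `allow-update { none; };` and has no `inline-signing`, so whether named-checkconf still rejects the file now depends on whether an explicit `allow-update { none; }` counts as a configured allow-update for the dnssec-policy/inline-signing check whose message is asserted later in this diff (`'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'`). Please confirm the checkconf run for this file still expects a non-zero exit and that the error text it greps for was updated alongside. A one-line comment on the zone stating which error this file is meant to provoke would let the intent survive the next option removal.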
diff --git a/bin/tests/system/checkconf/dnssec.1 b/bin/tests/system/checkconf/dnssec.1 deleted file mode 100644 index a466ac4071..0000000000 --- a/bin/tests/system/checkconf/dnssec.1 +++ /dev/null @@ -1,27 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -view view1 { - match-clients { any; }; - dnssec-validation yes; -}; - -view view2 { - match-clients { none; }; - dnssec-validation auto; -}; - -view view3 { - match-clients { none; }; - auto-dnssec maintain; -}; diff --git a/bin/tests/system/checkconf/dnssec.2 b/bin/tests/system/checkconf/dnssec.2 deleted file mode 100644 index 0f6a8afdd2..0000000000 --- a/bin/tests/system/checkconf/dnssec.2 +++ /dev/null @@ -1,34 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -view view1 { - match-clients { any; }; -}; - -view view2 { - match-clients { none; }; -}; - -view view3 { - match-clients { none; }; - dnssec-validation auto; -}; - -view view4 { - match-clients { none; }; -}; - -view view5 { - match-clients { none; }; - auto-dnssec off; -}; diff --git a/bin/tests/system/checkconf/dnssec.3 b/bin/tests/system/checkconf/dnssec.3 deleted file mode 100644 index 53e5d9158e..0000000000 --- a/bin/tests/system/checkconf/dnssec.3 +++ /dev/null 
@@ -1,18 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -zone "test" { - type primary; - file "test.db"; - auto-dnssec maintain; -}; diff --git a/bin/tests/system/checkconf/good-dnskey-validity-zero.conf b/bin/tests/system/checkconf/good-dnskey-validity-zero.conf deleted file mode 100644 index 5da41b869e..0000000000 --- a/bin/tests/system/checkconf/good-dnskey-validity-zero.conf +++ /dev/null @@ -1,16 +0,0 @@ -/* - * Copyright (C) Internet Systems Consortium, Inc. ("ISC") - * - * SPDX-License-Identifier: MPL-2.0 - * - * This Source Code Form is subject to the terms of the Mozilla Public - * License, v. 2.0. If a copy of the MPL was not distributed with this - * file, you can obtain one at https://mozilla.org/MPL/2.0/. - * - * See the COPYRIGHT file distributed with this work for additional - * information regarding copyright ownership. - */ - -options { - dnskey-sig-validity 0; /* 0 is disabled */ -}; diff --git a/bin/tests/system/checkconf/inline-bad.conf b/bin/tests/system/checkconf/inline-bad.conf index 17dcb6bdf3..4662e5a900 100644 --- a/bin/tests/system/checkconf/inline-bad.conf +++ b/bin/tests/system/checkconf/inline-bad.conf @@ -17,7 +17,7 @@ primaries "publicSecondaries" {127.0.0.1;}; zone "example.net" { type secondary; key-directory "/var/lib/bind/example.net"; - auto-dnssec maintain; + dnssec-policy default; inline-signing yes; primaries { stealthPrimaries; }; notify explicit; diff --git a/bin/tests/system/checkconf/inline-good.conf b/bin/tests/system/checkconf/inline-good.conf index f588bcdd81..88c403c2db 100644 
--- a/bin/tests/system/checkconf/inline-good.conf +++ b/bin/tests/system/checkconf/inline-good.conf @@ -18,7 +18,7 @@ zone "example.net" { type secondary; file "/var/cache/bind/example.net.db"; key-directory "/var/lib/bind/example.net"; - auto-dnssec maintain; + dnssec-policy default; inline-signing yes; primaries { stealthPrimaries; }; notify explicit; diff --git a/bin/tests/system/checkconf/inline-no.conf b/bin/tests/system/checkconf/inline-no.conf index f6dbc5ac75..af7c14130f 100644 --- a/bin/tests/system/checkconf/inline-no.conf +++ b/bin/tests/system/checkconf/inline-no.conf @@ -17,7 +17,7 @@ primaries "publicSecondaries" {127.0.0.1;}; zone "example.net" { type secondary; key-directory "/var/lib/bind/example.net"; - auto-dnssec maintain; + dnssec-policy default; inline-signing no; primaries { stealthPrimaries; }; notify explicit; diff --git a/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf index 57dd6adfe0..6e2f8c7606 100644 --- a/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf +++ b/bin/tests/system/checkconf/kasp-and-other-dnssec-options.conf @@ -17,11 +17,5 @@ zone "nsec3.net" { type primary; file "nsec3.db"; dnssec-policy "test"; - auto-dnssec maintain; - dnskey-sig-validity 3600; - dnssec-dnskey-kskonly yes; - dnssec-update-mode maintain; inline-signing no; - sig-validity-interval 3600; - update-check-ksk yes; }; diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh index 12243b86ef..f21746f0e1 100644 --- a/bin/tests/system/checkconf/tests.sh +++ b/bin/tests/system/checkconf/tests.sh 
@@ -142,23 +142,6 @@ warnings=$(grep "'notify' is disabled" < checkconf.out$n | wc -l) if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) -n=$((n + 1)) -echo_i "checking named-checkconf dnssec warnings ($n)" -ret=0 -# dnssec.1: auto-dnssec warning -$CHECKCONF dnssec.1 > checkconf.out$n.1 2>&1 && ret=1 -grep 'auto-dnssec may only be ' < checkconf.out$n.1 > /dev/null || ret=1 -# dnssec.2: should have no warnings (other than deprecation warning) -$CHECKCONF dnssec.2 > checkconf.out$n.2 2>&1 || ret=1 -grep "option 'auto-dnssec' is deprecated" < checkconf.out$n.2 > /dev/null || ret=1 -lines=$(wc -l < "checkconf.out$n.2") -if [ $lines != 1 ]; then ret=1; fi -# dnssec.3: should have specific deprecation warning -$CHECKCONF dnssec.3 > checkconf.out$n.3 2>&1 && ret=1 -grep "'auto-dnssec' option is deprecated and will be removed in BIND 9\.19" < checkconf.out$n.3 > /dev/null || ret=1 -if [ $ret != 0 ]; then echo_i "failed"; fi -status=$((status + ret)) - n=$((n + 1)) echo_i "checking named-checkconf deprecate warnings ($n)" ret=0 @@ -235,15 +218,9 @@ status=$((status + ret)) n=$((n + 1)) echo_i "checking options allowed in inline-signing secondaries ($n)" ret=0 -$CHECKCONF bad-dnssec.conf > checkconf.out$n.1 2>&1 && ret=1 -l=$(grep "dnssec-dnskey-kskonly.*requires inline" < checkconf.out$n.1 | wc -l) -[ $l -eq 1 ] || ret=1 $CHECKCONF bad-dnssec.conf > checkconf.out$n.2 2>&1 && ret=1 l=$(grep "dnssec-loadkeys-interval.*requires inline" < checkconf.out$n.2 | wc -l) [ $l -eq 1 ] || ret=1 -$CHECKCONF bad-dnssec.conf > checkconf.out$n.3 2>&1 && ret=1 -l=$(grep "update-check-ksk.*requires inline" < checkconf.out$n.3 | wc -l) -[ $l -eq 1 ] || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) 
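Review bot: In the "options allowed in inline-signing secondaries" check, the single surviving invocation still writes `checkconf.out$n.2`, a suffix that only made sense next to the `.1` and `.3` runs this hunk removes; `$CHECKCONF bad-dnssec.conf > checkconf.out$n 2>&1 && ret=1` with the matching `grep ... < checkconf.out$n` keeps the naming consistent with the other checks in this file. The remaining grep also depends on `bad-dnssec.conf` still carrying `dnssec-loadkeys-interval`, which the companion change to that file preserves, so the check stays meaningful.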
@@ -507,12 +484,6 @@ echo_i "checking named-checkconf kasp errors ($n)" ret=0 $CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1 grep "'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'" < checkconf.out$n > /dev/null || ret=1 -grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 -grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1 if [ $ret -ne 0 ]; then echo_i "failed"; fi status=$((status + ret)) diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common index 696f6c2454..83cf726aa3 100644 --- a/bin/tests/system/conf.sh.common +++ b/bin/tests/system/conf.sh.common @@ -42,7 +42,6 @@ export LANG=C PARALLEL_COMMON=" rpzrecurse serve-stale -dupsigs acl additional addzone diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in index bb1cfd8f36..44fe4cd308 100644 --- a/bin/tests/system/conf.sh.in +++ b/bin/tests/system/conf.sh.in @@ -109,7 +109,6 @@ enginepkcs11 filter-aaaa kasp keyfromlabel -keymgr2kasp legacy logfileconfig multisigner diff --git a/bin/tests/system/conftest.py b/bin/tests/system/conftest.py index 31ad1174e9..f8c7e9c9e5 100644 --- a/bin/tests/system/conftest.py +++ b/bin/tests/system/conftest.py 
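Review bot: Removing `dupsigs` from PARALLEL_COMMON here, `keymgr2kasp` from the list in conf.sh.in in the next hunk, and `dupsigs/` from PRIORITY_TESTS in conftest.py only stops those system tests from being scheduled; whether the test directories themselves, and the behaviour they covered (duplicate-signature handling, and presumably migration of keymgr-managed keys to dnssec-policy), are deleted or re-homed is not visible in this chunk. If the directories remain they become dead, never-run code; if they are removed, the commit description should say where that coverage now lives, since removing `auto-dnssec` is exactly the kind of change that could regress it unnoticed.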
@@ -96,7 +96,6 @@ else: PORTS_PER_TEST = 20 PRIORITY_TESTS = [ # Tests that are scheduled first. Speeds up parallel execution. - "dupsigs/", "rpz/", "rpzrecurse/", "serve-stale/", diff --git a/bin/tests/system/dnssec/clean.sh b/bin/tests/system/dnssec/clean.sh index 1610bd9504..c245688c79 100644 --- a/bin/tests/system/dnssec/clean.sh +++ b/bin/tests/system/dnssec/clean.sh @@ -13,7 +13,7 @@ set -e -rm -f ./*/K* ./*/keyset-* ./*/dsset-* ./*/signedkey-* ./*/*.signed +rm -f ./K* ./*/K* ./*/keyset-* ./*/dsset-* ./*/signedkey-* ./*/*.signed rm -f ./*/example.bk rm -f ./*/named.conf rm -f ./*/named.memstats @@ -31,7 +31,6 @@ rm -f ./dnssectools.out* rm -f ./dsfromkey.out.* rm -f ./keygen.err rm -f ./named.secroots.test* -rm -f ./nosign.before rm -f ./ns*/*.nta rm -f ./ns*/managed-keys.bind ./ns*/managed-keys.bind.jnl ./ns*/*.mkeys* rm -f ./ns*/named.lock @@ -40,18 +39,17 @@ rm -f ./ns1/root.db ./ns2/example.db ./ns2/managed.db ./ns2/trusted.db rm -f ./ns1/trusted.keys rm -f ./ns2/algroll.db rm -f ./ns2/badparam.db ./ns2/badparam.db.bad -rm -f ./ns2/cdnskey-kskonly.secure.db -rm -f ./ns2/cdnskey-kskonly.secure.id rm -f ./ns2/cdnskey-update.secure.db +rm -f ./ns2/cdnskey-update.secure.id rm -f ./ns2/cdnskey-x.secure.db rm -f ./ns2/cdnskey.secure.db rm -f ./ns2/cds-auto.secure.db ./ns2/cds-auto.secure.db.jnl -rm -f ./ns2/cds-kskonly.secure.db -rm -f ./ns2/cds-kskonly.secure.id rm -f ./ns2/cds-update.secure.db ./ns2/cds-update.secure.db.jnl +rm -f ./ns2/cds-update.secure.id rm -f ./ns2/cds.secure.db ./ns2/cds-x.secure.db rm -f ./ns2/in-addr.arpa.db rm -f ./ns2/nsec3chain-test.db +rm -f ./ns2/settime.out.* rm -f ./ns2/single-nsec3.db rm -f ./ns2/too-many-iterations.db rm -f ./ns2/updatecheck-kskonly.secure.* 
@@ -69,7 +67,7 @@ rm -f ./ns3/dnskey-unsupported.example.db rm -f ./ns3/dnskey-unsupported.example.db.tmp rm -f ./ns3/dynamic.example.db ./ns3/dynamic.example.db.signed.jnl rm -f ./ns3/expired.example.db ./ns3/update-nsec3.example.db -rm -f ./ns3/expiring.example.db ./ns3/nosign.example.db +rm -f ./ns3/expiring.example.db rm -f ./ns3/future.example.db ./ns3/trusted-future.key rm -f ./ns3/inline.example.db.signed rm -f ./ns3/kskonly.example.db @@ -82,7 +80,6 @@ rm -f ./ns3/occluded.example.db rm -f ./ns3/optout-unknown.example.db ./ns3/optout.example.db rm -f ./ns3/optout.nsec3.example.db rm -f ./ns3/optout.optout.example.db -rm -f ./ns3/publish-inactive.example.db rm -f ./ns3/revkey.example.db rm -f ./ns3/rsasha1-1024.example.tmp rm -f ./ns3/rsasha1.example.tmp diff --git a/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in b/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in deleted file mode 100644 index aa3aaabfaf..0000000000 --- a/bin/tests/system/dnssec/ns2/cdnskey-kskonly.secure.db.in +++ /dev/null @@ -1,14 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -@ SOA ns2.example. . 1 3600 1200 86400 1200 -@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in b/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in deleted file mode 100644 index aa3aaabfaf..0000000000 --- a/bin/tests/system/dnssec/ns2/cds-kskonly.secure.db.in +++ /dev/null 
@@ -1,14 +0,0 @@ -; Copyright (C) Internet Systems Consortium, Inc. ("ISC") -; -; SPDX-License-Identifier: MPL-2.0 -; -; This Source Code Form is subject to the terms of the Mozilla Public -; License, v. 2.0. If a copy of the MPL was not distributed with this -; file, you can obtain one at https://mozilla.org/MPL/2.0/. -; -; See the COPYRIGHT file distributed with this work for additional -; information regarding copyright ownership. - -$TTL 3600 -@ SOA ns2.example. . 1 3600 1200 86400 1200 -@ NS ns2.example. diff --git a/bin/tests/system/dnssec/ns2/named.conf.in b/bin/tests/system/dnssec/ns2/named.conf.in index 94928c1f1d..92cc03d8fc 100644 --- a/bin/tests/system/dnssec/ns2/named.conf.in +++ b/bin/tests/system/dnssec/ns2/named.conf.in @@ -37,6 +37,35 @@ controls { inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +dnssec-policy "dnssec" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +dnssec-policy "kskonly" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + signatures-validity 10d; + signatures-validity-dnskey 40d; +}; + +dnssec-policy "not-enough-hours-in-day" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + /* validity 500 days, resign in 449 days */ + signatures-validity-dnskey 500d; + signatures-validity 500d; + signatures-refresh 449d; +}; + zone "." { type hint; file "../../common/root.hint"; 
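Review bot: The comment on the new `not-enough-hours-in-day` policy, `/* validity 500 days, resign in 449 days */`, is carried over from the removed `sig-validity-interval 500 499` but no longer describes the values: as I read dnssec-policy, `signatures-refresh` is measured backwards from signature expiry, so `449d` against a `500d` validity means signatures are renewed roughly 51 days after they are made, not 449 days in. A comment such as `/* validity 500 days; refresh when 449 days remain before expiry */` states what the numbers do, and if 499 became 449 because named-checkconf caps refresh at a fraction of validity (my recollection, to be confirmed) that is worth recording in the same comment. The `kskonly` policy no longer says why it carries that name now that KSK-only signing of the DNSKEY RRset is the dnssec-policy default; a one-line comment tying it to the `updatecheck-kskonly.secure` zone it serves would help.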
@@ -119,23 +148,14 @@ zone "cds-x.secure" { zone "cds-update.secure" { type primary; - dnssec-dnskey-kskonly no; file "cds-update.secure.db.signed"; allow-update { any; }; }; -zone "cds-kskonly.secure" { - type primary; - dnssec-dnskey-kskonly yes; - file "cds-kskonly.secure.db.signed"; - allow-update { any; }; -}; - zone "cds-auto.secure" { type primary; - dnssec-dnskey-kskonly no; file "cds-auto.secure.db.signed"; - auto-dnssec maintain; + dnssec-policy dnssec; allow-update { any; }; }; @@ -151,35 +171,21 @@ zone "cdnskey-x.secure" { zone "cdnskey-update.secure" { type primary; - dnssec-dnskey-kskonly no; file "cdnskey-update.secure.db.signed"; allow-update { any; }; }; -zone "cdnskey-kskonly.secure" { - type primary; - dnssec-dnskey-kskonly yes; - file "cdnskey-kskonly.secure.db.signed"; - allow-update { any; }; -}; - zone "cdnskey-auto.secure" { type primary; - dnssec-dnskey-kskonly no; file "cdnskey-auto.secure.db.signed"; - auto-dnssec maintain; + dnssec-policy dnssec; allow-update { any; }; }; zone "updatecheck-kskonly.secure" { type primary; - auto-dnssec maintain; - key-directory "."; - dnssec-dnskey-kskonly yes; - update-check-ksk yes; - sig-validity-interval 10; - dnskey-sig-validity 40; file "updatecheck-kskonly.secure.db.signed"; + dnssec-policy kskonly; allow-update { any; }; }; @@ -191,9 +197,7 @@ zone "corp" { zone "hours-vs-days" { type primary; file "hours-vs-days.db.signed"; - auto-dnssec maintain; - /* validity 500 days, resign in 499 days */ - sig-validity-interval 500 499; + dnssec-policy not-enough-hours-in-day; allow-update { any; }; }; diff --git a/bin/tests/system/dnssec/ns2/sign.sh b/bin/tests/system/dnssec/ns2/sign.sh index 87a5896d76..70203db01c 100644 --- a/bin/tests/system/dnssec/ns2/sign.sh +++ b/bin/tests/system/dnssec/ns2/sign.sh 
@@ -233,15 +233,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$key1.key" "$key2.key" > "$zonefile" "$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 - -zone=cds-kskonly.secure -infile=cds-kskonly.secure.db.in -zonefile=cds-kskonly.secure.db -key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") -key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 -keyfile_to_key_id "$key1" > cds-kskonly.secure.id +keyfile_to_key_id "$key1" > cds-update.secure.id zone=cds-auto.secure infile=cds-auto.secure.db.in @@ -277,15 +269,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$ key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") cat "$infile" "$key1.key" "$key2.key" > "$zonefile" "$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 - -zone=cdnskey-kskonly.secure -infile=cdnskey-kskonly.secure.db.in -zonefile=cdnskey-kskonly.secure.db -key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone") -key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone") -cat "$infile" "$key1.key" "$key2.key" > "$zonefile" -"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1 -keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id +keyfile_to_key_id "$key1" > cdnskey-update.secure.id zone=cdnskey-auto.secure infile=cdnskey-auto.secure.db.in 
@@ -305,11 +289,11 @@ keyfile_to_key_id "$key1" > $zone.ksk.id keyfile_to_key_id "$key2" > $zone.zsk.id echo "${key1}" > $zone.ksk.key echo "${key2}" > $zone.zsk.key -# Add CDS and CDNSKEY records -sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey" -"$DSFROMKEY" -C "$key1.key" > "$key1.cds" -cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile" -# Don't sign, let auto-dnssec maintain do it. +# Make sure dnssec-policy adds CDS and CDNSKEY records +$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -r OMNIPRESENT now -d RUMOURED now $key1 > settime.out.$zone.ksk 2>&1 +$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -z OMNIPRESENT now $key2 > settime.out.$zone.zsk 2>&1 +# Don't sign, let dnssec-policy maintain do it. +cat "$infile" "$key1.key" "$key2.key" > "$zonefile" mv $zonefile "$zonefile.signed" zone=hours-vs-days diff --git a/bin/tests/system/dnssec/ns3/named.conf.in b/bin/tests/system/dnssec/ns3/named.conf.in index fbcb8d865f..ee4b766d9f 100644 --- a/bin/tests/system/dnssec/ns3/named.conf.in +++ b/bin/tests/system/dnssec/ns3/named.conf.in 
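Review bot: The two new `$SETTIME ... $key1` and `$SETTIME ... $key2` lines leave both the tool and the key names unquoted, while every other command in this file quotes them (`"$KEYGEN"`, `"$SIGNER"`, `"$key1.key"`); `"$SETTIME" -s -g OMNIPRESENT -k OMNIPRESENT now -r OMNIPRESENT now -d RUMOURED now "$key1"` keeps the style uniform. The comment `# Don't sign, let dnssec-policy maintain do it.` still carries the word `maintain` from the old `auto-dnssec maintain` and now reads oddly; `# Don't sign; dnssec-policy signs the zone once named loads it.` says the same thing. It would also help to note in a comment why the KSK's DS state is set to `RUMOURED` rather than `OMNIPRESENT`, which is presumably what drives the CDS/CDNSKEY publication the preceding comment promises.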
@@ -37,6 +37,42 @@ controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +dnssec-policy "dnssec" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; +}; + +dnssec-policy "nsec3" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + nsec3param iterations 0 optout no salt-length 0; +}; + +dnssec-policy "autonsec" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + ksk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@; + }; +}; + +dnssec-policy "autonsec3" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + ksk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@; + }; + + nsec3param iterations 0 optout no salt-length 0; +}; + zone "." { type hint; file "../../common/root.hint"; @@ -209,21 +245,21 @@ zone "expired.example" { zone "update-nsec3.example" { type primary; - auto-dnssec maintain; + dnssec-policy nsec3; allow-update { any; }; file "update-nsec3.example.db.signed"; }; zone "auto-nsec.example" { type primary; - auto-dnssec maintain; + dnssec-policy autonsec; allow-update { !0.0.0.0; }; file "auto-nsec.example.db.signed"; }; zone "auto-nsec3.example" { type primary; - auto-dnssec maintain; + dnssec-policy autonsec3; allow-update { !0.0.0.0; }; file "auto-nsec3.example.db.signed"; }; 
@@ -265,13 +301,6 @@ zone "expiring.example" { file "expiring.example.db.signed"; }; -zone "nosign.example" { - type primary; - allow-update { any; }; - dnssec-update-mode no-resign; - file "nosign.example.db.signed"; -}; - zone "upper.example" { type primary; file "upper.example.db.signed"; @@ -286,15 +315,7 @@ zone "inline.example" { type primary; file "inline.example.db"; inline-signing yes; - auto-dnssec maintain; -}; - -zone "publish-inactive.example" { - type primary; - file "publish-inactive.example.db"; - auto-dnssec maintain; - dnssec-dnskey-kskonly no; - update-policy local; + dnssec-policy dnssec; }; zone "future.example" { @@ -389,6 +410,28 @@ zone "rsasha1-1024.example" { file "rsasha1-1024.example.db"; }; +dnssec-policy "siginterval1" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + signatures-validity 1d; + signatures-refresh 21h; + signatures-validity-dnskey 90d; +}; + +dnssec-policy "siginterval2" { + keys { + ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; + }; + + signatures-validity 35d; + signatures-refresh 28d; + signatures-validity-dnskey 90d; +}; + include "siginterval.conf"; include "trusted.conf"; diff --git a/bin/tests/system/dnssec/ns3/siginterval1.conf b/bin/tests/system/dnssec/ns3/siginterval1.conf index 4674cf381f..1d82f680d1 100644 --- a/bin/tests/system/dnssec/ns3/siginterval1.conf +++ b/bin/tests/system/dnssec/ns3/siginterval1.conf @@ -14,8 +14,6 @@ zone "siginterval.example" { type primary; allow-update { any; }; - sig-validity-interval 1 23; - dnskey-sig-validity 90; - auto-dnssec maintain; + dnssec-policy siginterval1; file "siginterval.example.db"; }; diff --git a/bin/tests/system/dnssec/ns3/siginterval2.conf b/bin/tests/system/dnssec/ns3/siginterval2.conf index 46a20077d8..fa9c6267fe 100644 
--- a/bin/tests/system/dnssec/ns3/siginterval2.conf +++ b/bin/tests/system/dnssec/ns3/siginterval2.conf @@ -14,8 +14,6 @@ zone "siginterval.example" { type primary; allow-update { any; }; - sig-validity-interval 35 28; - dnskey-sig-validity 90; - auto-dnssec maintain; + dnssec-policy siginterval2; file "siginterval.example.db"; }; diff --git a/bin/tests/system/dnssec/ns3/sign.sh b/bin/tests/system/dnssec/ns3/sign.sh index 701cd97ba3..89fbe25b7f 100644 --- a/bin/tests/system/dnssec/ns3/sign.sh +++ b/bin/tests/system/dnssec/ns3/sign.sh @@ -419,7 +419,7 @@ cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" "$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null # -# A NSEC signed zone that will have auto-dnssec enabled and +# A NSEC signed zone that will have dnssec-policy enabled and # extra keys not in the initial signed zone. # zone=auto-nsec.example. @@ -428,13 +428,13 @@ zonefile=auto-nsec.example.db kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") -zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null +"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" > /dev/null cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" "$SIGNER" -P -o "$zone" "$zonefile" > /dev/null # -# A NSEC3 signed zone that will have auto-dnssec enabled and +# A NSEC3 signed zone that will have dnssec-policy enabled and # extra keys not in the initial signed zone. # zone=auto-nsec3.example. 
@@ -443,8 +443,8 @@ zonefile=auto-nsec3.example.db kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone") -zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") +"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null +"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" > /dev/null cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile" "$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null @@ -545,23 +545,6 @@ zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone" cp "$infile" "$zonefile" "$SIGNER" -P -S -o "$zone" "$zonefile" > /dev/null -# -# Zone with signatures about to expire, and dynamic, but configured -# not to resign with 'auto-resign no;' -# -zone="nosign.example." -infile="nosign.example.db.in" -zonefile="nosign.example.db" -signedfile="nosign.example.db.signed" -kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") -cp "$infile" "$zonefile" -"$SIGNER" -S -e "now+1mi" -o "$zone" "$zonefile" > /dev/null -# preserve a normalized copy of the NS RRSIG for comparison later -$CHECKZONE -D nosign.example nosign.example.db.signed 2>/dev/null | \ - awk '$4 == "RRSIG" && $5 == "NS" {$2 = ""; print}' | \ - sed 's/[ ][ ]*/ /g'> ../nosign.before - # # An inline signing zone # 
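Review bot: The two added `"$KEYGEN"` lines for the NSEC3 zone drop the `-3` flag that the surrounding `kskname=`/`zskname=` lines for the same zone still pass, so the alternative-algorithm keys are requested without asking for an NSEC3-capable variant. With an explicit `-a` this only matters for an algorithm that has a separate NSEC3 form, so it is probably harmless here, but it is inconsistent with the lines right above it and reads as an accidental omission; `"$KEYGEN" -q -3 -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null` keeps the intent explicit. Since the generated key names are discarded, a short comment that these keys are meant to be picked up from the key directory by the policy would also help a reader.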
@@ -570,21 +553,7 @@ kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone" zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") # -# publish a new key while deactivating another key at the same time. -# -zone=publish-inactive.example -infile=publish-inactive.example.db.in -zonefile=publish-inactive.example.db -now=$(date -u +%Y%m%d%H%M%S) -kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") -kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") -kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone") -zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone") -cp "$infile" "$zonefile" -"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null - -# -# A zone which will change its sig-validity-interval +# A zone which will change its signatures-validity # zone=siginterval.example infile=siginterval.example.db.in diff --git a/bin/tests/system/dnssec/tests.sh b/bin/tests/system/dnssec/tests.sh index 33f9a4c490..5c1cbe616c 100644 --- a/bin/tests/system/dnssec/tests.sh +++ b/bin/tests/system/dnssec/tests.sh @@ -2763,7 +2763,6 @@ status=$((status+ret)) echo_i "checking that the NSEC3 record for the apex is properly signed when a DNSKEY is added via UPDATE ($n)" ret=0 ( -cd ns3 || exit 1 kskname=$($KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example) ( echo zone update-nsec3.example @@ -2780,7 +2779,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "checking that the NSEC record is properly generated when DNSKEY are added via auto-dnssec ($n)" +echo_i "checking that the NSEC record is properly generated when DNSKEY are added by dnssec-policy ($n)" ret=0 dig_with_opts +dnssec a auto-nsec.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 
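Review bot: Removing `cd ns3 || exit 1` from the subshell changes where `$KEYGEN -q -3 -a $DEFAULT_ALGORITHM -fk update-nsec3.example` writes its key pair: the files now land in the test's working directory rather than in ns3. If ns3 no longer needs the private key for this update-added DNSKEY that is fine, but the stray key files in the working directory then deserve a comment; if ns3 does need them, `-K ns3` should be passed instead. The subshell continues past the hunk, so I cannot see whether a later step references the key files by path.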
@@ -2790,7 +2789,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added via auto-dnssec ($n)" +echo_i "checking that the NSEC3 record is properly generated when DNSKEY are added by dnssec-policy ($n)" ret=0 dig_with_opts +dnssec a auto-nsec3.example. @10.53.0.4 > dig.out.ns4.test$n || ret=1 grep "NOERROR" dig.out.ns4.test$n > /dev/null || ret=1 
@@ -2842,121 +2841,6 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "check that 'rndc signing -nsec3param' without additional arguments is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param none' without zone is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param none > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param 1' without additional arguments is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param 1 0' without additional arguments is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param 1 0 0' without additional arguments is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param 1 0 0 -' without zone is handled ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - > /dev/null 2>&1 && ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param' works with salt ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 ffff inline.example > /dev/null 2>&1 
|| ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - if [ "$salt" = "FFFF" ]; then - break; - fi - echo_i "sleeping ...." - sleep 1 -done; -[ "$salt" = "FFFF" ] || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param' works without salt ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 - inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - if [ "$salt" = "-" ]; then - break; - fi - echo_i "sleeping ...." - sleep 1 -done; -[ "$salt" = "-" ] || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param' works with 'auto' as salt ($n)" -ret=0 -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - [ -n "$salt" ] && [ "$salt" != "-" ] && break - echo_i "sleeping ...." - sleep 1 -done; -[ "$salt" != "-" ] || ret=1 -[ "${#salt}" -eq 16 ] || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that 'rndc signing -nsec3param' with 'auto' as salt again generates a different salt ($n)" -ret=0 -oldsalt=$salt -rndccmd 10.53.0.3 signing -nsec3param 1 0 0 auto inline.example > /dev/null 2>&1 || ret=1 -rndccmd 10.53.0.3 status > /dev/null || ret=1 -for i in 1 2 3 4 5 6 7 8 9 10 ; do - salt=$(dig_with_opts +nodnssec +short nsec3param inline.example. @10.53.0.3 | awk '{print $4}') - [ -n "$salt" ] && [ "$salt" != "$oldsalt" ] && break - echo_i "sleeping ...." 
- sleep 1 -done; -[ "$salt" != "$oldsalt" ] || ret=1 -[ "${#salt}" -eq 16 ] || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - echo_i "check rndc signing -list output ($n)" ret=0 { rndccmd 10.53.0.3 signing -list dynamic.example > signing.out.dynamic.example; } 2>&1 @@ -3085,48 +2969,6 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "testing new records are signed with 'no-resign' ($n)" -ret=0 -( -echo zone nosign.example -echo server 10.53.0.3 "$PORT" -echo update add new.nosign.example 300 in txt "hi there" -echo send -) | $NSUPDATE -sleep 1 -dig_with_answeropts +nottlid txt new.nosign.example @10.53.0.3 \ - > dig.out.ns3.test$n 2>&1 -grep RRSIG dig.out.ns3.test$n > /dev/null 2>&1 || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "testing expiring records aren't resigned with 'no-resign' ($n)" -ret=0 -dig_with_answeropts +nottlid nosign.example ns @10.53.0.3 | \ - grep RRSIG | sed 's/[ ][ ]*/ /g' > dig.out.ns3.test$n 2>&1 -# the NS RRSIG should not be changed -diff nosign.before dig.out.ns3.test$n > /dev/null|| ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "testing updates fail with no private key ($n)" -ret=0 -rm -f ns3/Knosign.example.*.private -( -echo zone nosign.example -echo server 10.53.0.3 "$PORT" -echo update add fail.nosign.example 300 in txt "reject me" -echo send -) | $NSUPDATE > /dev/null 2>&1 && ret=1 -dig_with_answeropts +nottlid fail.nosign.example txt @10.53.0.3 \ - > dig.out.ns3.test$n 2>&1 -[ -s dig.out.ns3.test$n ] && ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - echo_i "testing legacy upper case signer name validation ($n)" ret=0 $DIG +tcp +noadd +noauth +dnssec -p "$PORT" soa upper.example @10.53.0.4 \ 
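Review bot: Removing the whole `rndc signing -nsec3param` block also drops the six negative tests (`-nsec3param` with no arguments, `none` without a zone, `1`, `1 0`, `1 0 0`, and `1 0 0 -`) that only exercise argument handling in named_server_signing and then confirm the server still answers `rndc status`; those do not depend on auto-dnssec or on inline.example's zone type, and they are the only coverage that a malformed command leaves named running. Consider keeping them (they need no zone at all) and dropping only the salt tests, which drive NSEC3 changes on a zone that now uses dnssec-policy, or re-homing the salt checks on a zone that still has no policy. The `@@ -3085` hunk on the same line is a pure removal of the nosign tests and needs no change.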
@@ -3398,26 +3240,7 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "check simultaneous inactivation and publishing of dnskeys removes inactive signature ($n)" -ret=0 -cnt=0 -while : -do -dig_with_opts publish-inactive.example @10.53.0.3 dnskey > dig.out.ns3.test$n -keys=$(awk '$5 == 257 { print; }' dig.out.ns3.test$n | wc -l) -test "$keys" -gt 2 && break -cnt=$((cnt+1)) -test "$cnt" -gt 120 && break -sleep 1 -done -test "$keys" -gt 2 || ret=1 -sigs=$(grep -c RRSIG dig.out.ns3.test$n || true) -n=$((n+1)) -test "$sigs" -eq 2 || ret=1 -if test "$ret" -ne 0 ; then echo_i "failed"; fi -status=$((status+ret)) - -echo_i "check that increasing the sig-validity-interval resigning triggers re-signing ($n)" +echo_i "check that increasing the signatures-validity resigning triggers re-signing ($n)" ret=0 before=$($DIG axfr siginterval.example -p "$PORT" @10.53.0.3 | grep RRSIG.SOA) cp ns3/siginterval2.conf ns3/siginterval.conf @@ -3434,7 +3257,7 @@ if test "$before" = "$after" ; then echo_i "failed"; ret=1; fi status=$((status+ret)) if [ -x "$PYTHON" ]; then - echo_i "check dnskey-sig-validity sets longer expiry for DNSKEY ($n)" + echo_i "check signatures-validity-dnskey sets longer expiry for DNSKEY ($n)" ret=0 rndccmd 10.53.0.3 sign siginterval.example 2>&1 | sed 's/^/ns3 /' | cat_i # convert expiry date to a comma-separated list of integers python can @@ -3641,11 +3464,11 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "check that CDS records are signed using KSK by with dnssec-auto ($n)" +echo_i "check that CDS records are signed using KSK by with dnssec-policy ($n)" ret=0 dig_with_opts +noall +answer @10.53.0.2 cds cds-auto.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 +test "$lines" -eq 1 || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) 
@@ -3668,8 +3491,9 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "check that CDS records are signed using KSK when added by nsupdate ($n)" +echo_i "check that CDS records are signed only using KSK when added by nsupdate ($n)" ret=0 +keyid=$(cat ns2/cds-update.secure.id) ( echo zone cds-update.secure echo server 10.53.0.2 "$PORT" @@ -3683,30 +3507,6 @@ echo send ) | $NSUPDATE dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 -lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that CDS records are signed only using KSK when added by" -echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" -ret=0 -keyid=$(cat ns2/cds-kskonly.secure.id) -( -echo zone cds-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cds-kskonly.secure CDS -echo send -dig_with_opts +noall +answer @10.53.0.2 dnskey cds-kskonly.secure | -grep "DNSKEY.257" | -$DSFROMKEY -12 -C -f - -T 1 cds-kskonly.secure | -sed "s/^/update add /" -echo send -) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 
@@ -3716,18 +3516,17 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "check that CDS deletion records are signed only using KSK when added by" -echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" +echo_i "check that CDS deletion records are signed only using KSK when added by nsupdate ($n)" ret=0 -keyid=$(cat ns2/cds-kskonly.secure.id) +keyid=$(cat ns2/cds-update.secure.id) ( -echo zone cds-kskonly.secure +echo zone cds-update.secure echo server 10.53.0.2 "$PORT" -echo update delete cds-kskonly.secure CDS -echo update add cds-kskonly.secure 0 CDS 0 0 0 00 +echo update delete cds-update.secure CDS +echo update add cds-update.secure 0 CDS 0 0 0 00 echo send ) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cds cds-kskonly.secure > dig.out.test$n +dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDS" && $11 == id {print}' dig.out.test$n | wc -l) @@ -3771,7 +3570,7 @@ echo send ) | $NSUPDATE dig_with_opts +noall +answer @10.53.0.2 cds cds-update.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDS" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 +test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDS" {print}' dig.out.test$n | wc -l) test "$lines" -eq 4 || ret=1 n=$((n+1)) @@ -3820,7 +3619,7 @@ echo_i "check that CDNSKEY records are signed using KSK by with dnssec-auto ($n) ret=0 dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-auto.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 +test "$lines" -eq 1 || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) 
@@ -3892,8 +3691,9 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "check that CDNSKEY records are signed using KSK when added by nsupdate ($n)" +echo_i "check that CDNSKEY records are signed using KSK only when added by nsupdate ($n)" ret=0 +keyid=$(cat ns2/cdnskey-update.secure.id) ( echo zone cdnskey-update.secure echo server 10.53.0.2 "$PORT" @@ -3904,27 +3704,6 @@ echo send ) | $NSUPDATE dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 -lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) - -echo_i "check that CDNSKEY records are signed only using KSK when added by" -echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" -ret=0 -keyid=$(cat ns2/cdnskey-kskonly.secure.id) -( -echo zone cdnskey-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-kskonly.secure CDNSKEY -dig_with_opts +noall +answer @10.53.0.2 dnskey cdnskey-kskonly.secure | -sed -n -e "s/^/update add /" -e 's/DNSKEY.257/CDNSKEY 257/p' -echo send -) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l) test "$lines" -eq 1 || ret=1 
@@ -3934,29 +3713,8 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "check that CDNSKEY deletion records are signed only using KSK when added by" -echo_ic "nsupdate when dnssec-dnskey-kskonly is yes ($n)" -ret=0 -keyid=$(cat ns2/cdnskey-kskonly.secure.id) -( -echo zone cdnskey-kskonly.secure -echo server 10.53.0.2 "$PORT" -echo update delete cdnskey-kskonly.secure CDNSKEY -echo update add cdnskey-kskonly.secure 0 CDNSKEY 0 3 0 AA== -echo send -) | $NSUPDATE -dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-kskonly.secure > dig.out.test$n -lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk -v id="${keyid}" '$4 == "RRSIG" && $5 == "CDNSKEY" && $11 == id {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 1 || ret=1 -lines=$(awk '$4 == "CDNSKEY" && $5 == "0" && $6 == "3" && $7 == "0" && $8 == "AA==" {print}' dig.out.test$n | wc -l) -test "${lines:-10}" -eq 1 || ret=1 -n=$((n+1)) -test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +echo_i "status: $status" +exit $status echo_i "checking initialization with a revoked managed key ($n)" ret=0 @@ -3983,7 +3741,7 @@ echo send ) | $NSUPDATE dig_with_opts +noall +answer @10.53.0.2 cdnskey cdnskey-update.secure > dig.out.test$n lines=$(awk '$4 == "RRSIG" && $5 == "CDNSKEY" {print}' dig.out.test$n | wc -l) -test "$lines" -eq 2 || ret=1 +test "$lines" -eq 1 || ret=1 lines=$(awk '$4 == "CDNSKEY" {print}' dig.out.test$n | wc -l) test "$lines" -eq 2 || ret=1 n=$((n+1)) 
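Review bot: The added `echo_i "status: $status"` / `exit $status` terminate tests.sh in the middle of the file, so every check after them — the revoked-managed-key test that immediately follows, the CDNSKEY nsupdate check in the next hunk, the offline-KSK ZSK rollover checks and the signatures-validity hours-vs-days check further down — is never executed, and the script's own final status report presumably becomes unreachable. This reads as a debugging stop left in rather than an intended change; deleting the two lines restores the remaining tests. If some later tests are meant to be skipped, delete or guard them explicitly rather than cutting the script off here.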
@@ -4312,7 +4070,7 @@ get_keys_which_signed() { # Basic checks to make sure everything is fine before the KSK is made offline. for qtype in "DNSKEY" "CDNSKEY" "CDS" do - echo_i "checking $qtype RRset is signed with KSK only (update-check-ksk, dnssec-ksk-only) ($n)" + echo_i "checking $qtype RRset is signed with KSK only ($n)" ret=0 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) @@ -4324,7 +4082,7 @@ do status=$((status+ret)) done -echo_i "checking SOA RRset is signed with ZSK only (update-check-ksk and dnssec-ksk-only) ($n)" +echo_i "checking SOA RRset is signed with ZSK only ($n)" ret=0 dig_with_opts $SECTIONS @10.53.0.2 soa $zone > dig.out.test$n lines=$(get_keys_which_signed "SOA" dig.out.test$n | wc -l) @@ -4339,10 +4097,9 @@ status=$((status+ret)) zsk2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -K ns2 -n zone "$zone") keyfile_to_key_id "$zsk2" > ns2/$zone.zsk.id2 ZSK_ID2=$(cat ns2/$zone.zsk.id2) - -echo_i "load new ZSK $ZSK_ID2 for $zone ($n)" ret=0 -dnssec_loadkeys_on 2 $zone || ret=1 +echo_i "prepublish new ZSK $ZSK_ID2 for $zone ($n)" +rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID $zone 2>&1 | sed 's/^/ns2 /' | cat_i n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -4351,7 +4108,7 @@ status=$((status+ret)) echo_i "make ZSK $ZSK_ID inactive and make new ZSK $ZSK_ID2 active for zone $zone ($n)" ret=0 $SETTIME -I now -K ns2 $ZSK > /dev/null -$SETTIME -A now -K ns2 $zsk2 > /dev/null +$SETTIME -s -k OMNIPRESENT now -A now -K ns2 $zsk2 > /dev/null dnssec_loadkeys_on 2 $zone || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" 
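Review bot: In the `@@ -4339` hunk `ret=0` is set but nothing in the step can change it any more: the replaced `dnssec_loadkeys_on 2 $zone || ret=1` reported failure, whereas `rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID $zone 2>&1 | sed 's/^/ns2 /' | cat_i` only logs output and the pipeline's status is that of `cat_i`, so the following `test "$ret" -eq 0` always passes. The `-rollover -key $ZSK_ID2` line in the `@@ -4414` hunk below has the same problem. Capturing the command's status before piping, e.g. `rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID $zone > rndc.out.ns2.test$n 2>&1 || ret=1` followed by `sed 's/^/ns2 /' rndc.out.ns2.test$n | cat_i` (file name constructed to match the surrounding `dig.out` pattern), keeps the check meaningful.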
@@ -4374,7 +4131,7 @@ echo send # Redo the tests now that the zone is updated and the KSK is offline. for qtype in "DNSKEY" "CDNSKEY" "CDS" do - echo_i "checking $qtype RRset is signed with KSK only, KSK offline (update-check-ksk, dnssec-ksk-only) ($n)" + echo_i "checking $qtype RRset is signed with KSK only, KSK offline ($n)" ret=0 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) @@ -4389,7 +4146,7 @@ done for qtype in "SOA" "TXT" do - echo_i "checking $qtype RRset is signed with ZSK only, KSK offline (update-check-ksk and dnssec-ksk-only) ($n)" + echo_i "checking $qtype RRset is signed with new ZSK $ZSK_ID2 only, KSK offline ($n)" ret=0 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) @@ -4414,10 +4171,10 @@ ZSK_ID3=$(cat ns2/$zone.zsk.id3) # Schedule the new ZSK (ZSK3) to become active. echo_i "delete old ZSK $ZSK_ID schedule ZSK $ZSK_ID2 inactive and new ZSK $ZSK_ID3 active for zone $zone ($n)" -$SETTIME -D now -K ns2 $ZSK > /dev/null +$SETTIME -s -k UNRETENTIVE -z HIDDEN -D now -K ns2 $ZSK > /dev/null $SETTIME -I +3600 -K ns2 $zsk2 > /dev/null $SETTIME -A +3600 -K ns2 $zsk3 > /dev/null -dnssec_loadkeys_on 2 $zone || ret=1 +rndccmd 10.53.0.2 dnssec -rollover -key $ZSK_ID2 $zone 2>&1 | sed 's/^/ns2 /' | cat_i n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -4439,7 +4196,7 @@ echo send # Redo the tests now that the ZSK roll has deleted the old key. for qtype in "DNSKEY" "CDNSKEY" "CDS" do - echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted (update-check-ksk, dnssec-ksk-only) ($n)" + echo_i "checking $qtype RRset is signed with KSK only, old ZSK deleted ($n)" ret=0 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) 
@@ -4455,7 +4212,7 @@ done for qtype in "SOA" "TXT" do - echo_i "checking $qtype RRset is signed with ZSK only, old ZSK deleted (update-check-ksk and dnssec-ksk-only) ($n)" + echo_i "checking $qtype RRset is signed with ZSK $ZSK_ID2 only, old ZSK deleted ($n)" ret=0 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) @@ -4471,8 +4228,9 @@ done # Make the new ZSK (ZSK3) active. echo_i "make new ZSK $ZSK_ID3 active for zone $zone ($n)" -$SETTIME -I +1 -K ns2 $zsk2 > /dev/null -$SETTIME -A +1 -K ns2 $zsk3 > /dev/null +$SETTIME -I now -K ns2 $zsk2 > /dev/null +$SETTIME -s -k OMNIPRESENT now -A now -K ns2 $zsk3 > /dev/null + dnssec_loadkeys_on 2 $zone || ret=1 n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" @@ -4506,7 +4264,7 @@ status=$((status+ret)) # Redo the tests one more time. for qtype in "DNSKEY" "CDNSKEY" "CDS" do - echo_i "checking $qtype RRset is signed with KSK only, new ZSK active (update-check-ksk, dnssec-ksk-only) ($n)" + echo_i "checking $qtype RRset is signed with KSK only, new ZSK active ($n)" ret=0 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) @@ -4522,7 +4280,7 @@ done for qtype in "SOA" "TXT" do - echo_i "checking $qtype RRset is signed with ZSK only, new ZSK active (update-check-ksk and dnssec-ksk-only) ($n)" + echo_i "checking $qtype RRset is signed with new ZSK $ZSK_ID3 only, new ZSK active ($n)" ret=0 dig_with_opts $SECTIONS @10.53.0.2 $qtype $zone > dig.out.test$n lines=$(get_keys_which_signed $qtype dig.out.test$n | wc -l) 
@@ -4545,9 +4303,9 @@ n=$((n+1)) test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) -echo_i "checking sig-validity-interval second field hours vs days ($n)" +echo_i "checking signatures-validity second field hours vs days ($n)" ret=0 -# zone configured with 'sig-validity-interval 500 499;' +# zone configured with 'signatures-validity 500 499;' # 499 days in the future w/ a 20 minute runtime to now allowance min=$(TZ=UTC $PERL -e '@lt=localtime(time() + 499*3600*24 - 20*60); printf "%.4d%0.2d%0.2d%0.2d%0.2d%0.2d\n",$lt[5]+1900,$lt[4]+1,$lt[3],$lt[2],$lt[1],$lt[0];') dig_with_opts @10.53.0.2 hours-vs-days AXFR > dig.out.ns2.test$n diff --git a/bin/tests/system/dupsigs/check_journal.pl b/bin/tests/system/dupsigs/check_journal.pl deleted file mode 100644 index 074743205c..0000000000 --- a/bin/tests/system/dupsigs/check_journal.pl +++ /dev/null @@ -1,206 +0,0 @@ -#!/usr/bin/env perl - -# Copyright (C) Internet Systems Consortium, Inc. ("ISC") -# -# SPDX-License-Identifier: MPL-2.0 -# -# This Source Code Form is subject to the terms of the Mozilla Public -# License, v. 2.0. If a copy of the MPL was not distributed with this -# file, you can obtain one at https://mozilla.org/MPL/2.0/. -# -# See the COPYRIGHT file distributed with this work for additional -# information regarding copyright ownership. - -use strict; -use warnings; - -sub process_changeset; - -my @changeset; - -while( my $line = <> ) { - chomp $line; - - if( $line =~ /^(?add|del) (?
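Review bot: The renamed comment `# zone configured with 'signatures-validity 500 499;'` keeps the two-field form of the removed `sig-validity-interval`, but `signatures-validity` in a dnssec-policy takes a single duration (compare the `signatures-validity 35d;` / `signatures-refresh 28d;` pair added to ns3's policies earlier in this diff), so the comment — and the test title "second field hours vs days" — no longer describe a configuration that can exist. Please check how hours-vs-days is actually configured in ns2 (outside this diff) and restate both in those terms, e.g. `# zone configured with 'signatures-validity <VALIDITY>; signatures-refresh <REFRESH>;'` with the real values filled in.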