From 9018fbb205608229a8e92c3e4a8ec93695ef6e92 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 10 Oct 2022 13:26:47 +0200 Subject: [PATCH 1/8] Test changing from dynamic to inline-signing Add a kasp system test that reconfigures a dnssec-policy zone from maintaining DNSSEC records directly to the zone to using inline-signing. Add a similar test case to the nsec3 system test, testing the same thing but now with NSEC3 in use. --- bin/tests/system/kasp/ns6/named.conf.in | 8 +++ bin/tests/system/kasp/ns6/named2.conf.in | 9 +++ .../kasp/ns6/policies/kasp-fips.conf.in | 4 ++ bin/tests/system/kasp/ns6/setup.sh | 3 + bin/tests/system/kasp/tests.sh | 56 +++++++++++++++++++ bin/tests/system/nsec3/ns3/named.conf.in | 8 +++ bin/tests/system/nsec3/ns3/named2.conf.in | 9 +++ bin/tests/system/nsec3/ns3/setup.sh | 3 +- bin/tests/system/nsec3/tests.sh | 14 +++++ 9 files changed, 113 insertions(+), 1 deletion(-) diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in index 7e62fa9dd5..f00594b784 100644 --- a/bin/tests/system/kasp/ns6/named.conf.in +++ b/bin/tests/system/kasp/ns6/named.conf.in @@ -38,6 +38,14 @@ controls { inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +/* This zone switch from dynamic to inline-signing. */ +zone "dynamic2inline.kasp" { + type primary; + file "dynamic2inline.kasp.db"; + allow-update { any; }; + dnssec-policy "default"; +}; + /* These zones are going insecure. */ zone "step1.going-insecure.kasp" { type primary; diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in index 79fc7768e7..1bb6242b6d 100644 --- a/bin/tests/system/kasp/ns6/named2.conf.in +++ b/bin/tests/system/kasp/ns6/named2.conf.in 
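Review bot: The comment introducing the new zone block, `/* This zone switch from dynamic to inline-signing. */`, has a subject–verb disagreement; `/* This zone switches from dynamic to inline-signing. */` reads correctly and matches the wording used for the nsec3 zones later in this patch. The same comment is duplicated in the named2.conf.in hunk that follows. Because named2.conf.in is the configuration loaded after the reconfig, that copy could also say which side of the switch it represents, e.g. `/* This zone has switched from dynamic to inline-signing (post-reconfig). */`, so a reader of either file knows which stage they are looking at.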
@@ -37,6 +37,15 @@ controls { inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +/* This zone switch from dynamic to inline-signing. */ +zone "dynamic2inline.kasp" { + type primary; + file "dynamic2inline.kasp.db"; + allow-update { any; }; + inline-signing yes; + dnssec-policy "default"; +}; + /* Zones for testing going insecure. */ zone "step1.going-insecure.kasp" { type primary; diff --git a/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in index 683c9ef500..810b91d6ad 100644 --- a/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in +++ b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in @@ -20,6 +20,10 @@ dnssec-policy "unsigning" { }; }; +dnssec-policy "nsec3" { + nsec3param iterations 0 optout no salt-length 0; +}; + dnssec-policy "rsasha256" { signatures-refresh P5D; signatures-validity 30d; diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh index 3f3f193a66..94fc9067c0 100644 --- a/bin/tests/system/kasp/ns6/setup.sh +++ b/bin/tests/system/kasp/ns6/setup.sh @@ -389,3 +389,6 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig # echo "example" >> zones cp example.db.in example.db + +setup "dynamic2inline.kasp" +cp template.db.in $zonefile diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index eefe12e541..834c725c67 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh 
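Review bot: The new `dnssec-policy "nsec3"` block in kasp-fips.conf.in is not referenced by any zone in this patch; the `dynamic2inline.kasp` zone added to both ns6 configurations uses `dnssec-policy "default"`, and the NSEC3 variant of the scenario lives in the nsec3 system test with its own ns3 configuration. If a later patch in this series uses it, a short comment above the block saying so would stop the next reader from treating it as dead configuration; otherwise it should be dropped or the kasp zone should actually reference it. I cannot see whether a non-FIPS policies file exists alongside kasp-fips.conf.in in ns6/policies; if it does, it presumably needs the same block so the test behaves identically in both builds.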
@@ -3540,6 +3540,34 @@ set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # TODO (GL #2471). +# Test dynamic zones that switch to inline-signing. +set_zone "dynamic2inline.kasp" +set_policy "default" "1" "3600" +set_server "ns6" "10.53.0.6" +# Key properties. +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +# The CSK is rumoured. +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" +# Various signing policy checks. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify + # # Testing algorithm rollover. # @@ -3807,6 +3835,34 @@ wait_for_done_signing() { status=$((status+ret)) } +# Test dynamic zones that switch to inline-signing. +set_zone "dynamic2inline.kasp" +set_policy "default" "1" "3600" +set_server "ns6" "10.53.0.6" +# Key properties. +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +# The CSK is rumoured. +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" +# Various signing policy checks. +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify + # # Testing going insecure. # diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in index c94fa5d679..dc885f0066 100644 
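Review bot: The block added at `@@ -3807` is a verbatim copy of the one added at `@@ -3540`, including the comment `# Test dynamic zones that switch to inline-signing.`, so nothing in the test output distinguishes the pre-reconfig check from the post-reconfig one. The nsec3 test in this same patch marks its second pass with `(reconfigured)` and `after reconfig`; doing the same here, e.g. `# Test dynamic zones that switch to inline-signing (after reconfig).`, would make a failure in the log attributable to the right stage. The two copies could also be folded into a helper (the file already defines functions such as `wait_for_done_signing`), leaving each call site to state only the stage. As far as these lines show, neither pass sends a dynamic update to the zone, so the "dynamic" half of the scenario is exercised only by the `allow-update` configuration; an `nsupdate` before the reconfig followed by `dnssec_verify` afterwards would check that updated data survives the switch to inline-signing.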
--- a/bin/tests/system/nsec3/ns3/named.conf.in +++ b/bin/tests/system/nsec3/ns3/named.conf.in @@ -184,3 +184,11 @@ zone "nsec3-fails-to-load.kasp" { dnssec-policy "nsec3"; allow-update { any; }; }; + +/* The zone switches from dynamic to inline-signing. */ +zone "nsec3-dynamic-to-inline.kasp" { + type primary; + file "nsec3-dynamic-to-inline.kasp.db"; + dnssec-policy "nsec3"; + allow-update { any; }; +}; diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in index d9764abcad..26b49ea109 100644 --- a/bin/tests/system/nsec3/ns3/named2.conf.in +++ b/bin/tests/system/nsec3/ns3/named2.conf.in @@ -193,3 +193,12 @@ zone "nsec3-fails-to-load.kasp" { dnssec-policy "nsec3"; allow-update { any; }; }; + +/* The zone switches from dynamic to inline-signing. */ +zone "nsec3-dynamic-to-inline.kasp" { + type primary; + file "nsec3-dynamic-to-inline.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; + allow-update { any; }; +}; diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh index e2478ac3df..a0dd793236 100644 --- a/bin/tests/system/nsec3/ns3/setup.sh +++ b/bin/tests/system/nsec3/ns3/setup.sh @@ -25,7 +25,8 @@ setup() { } for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \ - nsec3-to-optout nsec3-from-optout nsec3-dynamic nsec3-dynamic-change + nsec3-to-optout nsec3-from-optout nsec3-dynamic \ + nsec3-dynamic-change nsec3-dynamic-to-inline do setup "${zn}.kasp" done diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh index 1d9adbc3a2..7317d79060 100644 --- a/bin/tests/system/nsec3/tests.sh +++ b/bin/tests/system/nsec3/tests.sh 
@@ -297,6 +297,13 @@ set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 +# Zone: nsec3-dynamic-to-inline.kasp. +set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600 +set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" +echo_i "initial check zone ${ZONE}" +check_nsec3 + # Zone: nsec3-to-nsec.kasp. set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" @@ -419,6 +426,13 @@ set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 +# Zone: nsec3-dynamic-to-inline.kasp. (reconfigured) +set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600 +set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" +echo_i "check zone ${ZONE} after reconfig" +check_nsec3 + # Zone: nsec3-to-nsec.kasp. (reconfigured) set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600 set_nsec3param "1" "11" "8" From 57ea9e08c67bad6ddea446303772d8aec556208b Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 11 Oct 2022 11:11:13 +0200 Subject: [PATCH 2/8] Update kasp system test to work with .signed files We no longer accept copying DNSSEC records from the raw zone to the secure zone, so update the kasp system test that relies on this accordingly. Also add more debugging and store the dnssec-verify results in a file. --- bin/tests/system/checkds/ns9/setup.sh | 6 +- bin/tests/system/kasp.sh | 2 +- bin/tests/system/kasp/clean.sh | 2 +- bin/tests/system/kasp/ns3/setup.sh | 111 +++++++++++++++++--------- bin/tests/system/kasp/ns6/setup.sh | 45 +++++++---- bin/tests/system/kasp/tests.sh | 9 ++- bin/tests/system/keymgr2kasp/clean.sh | 1 + 7 files changed, 117 insertions(+), 59 deletions(-) diff --git a/bin/tests/system/checkds/ns9/setup.sh b/bin/tests/system/checkds/ns9/setup.sh index e5a1253497..0990fa3c6b 100644 --- a/bin/tests/system/checkds/ns9/setup.sh +++ b/bin/tests/system/checkds/ns9/setup.sh 
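Review bot: The post-reconfig block at `@@ -419` runs exactly the same four set-up calls and `check_nsec3` as the initial block at `@@ -297`, so a reconfig that silently left the zone in non-inline mode would still pass. An assertion that the switch took effect would strengthen it — presumably inline-signing creates a signed companion file next to the configured `file "nsec3-dynamic-to-inline.kasp.db"`, so a check that `ns3/nsec3-dynamic-to-inline.kasp.db.signed` exists after the reconfig, or a dynamic update followed by `check_nsec3`, would pin the behaviour the test is named for. I am inferring the `.signed` suffix from the `${zonefile}.signed` naming used elsewhere in this series; confirm against named's actual behaviour before relying on it.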
@@ -43,7 +43,8 @@ do $SETTIME -s -g $O -k $O $T -r $O $T -z $O $T -d $R $T "$CSK" > settime.out.$zone 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" - $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + cp $infile $zonefile + $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 done # DS Withdrawal. @@ -57,5 +58,6 @@ do $SETTIME -s -g $H -k $O $T -r $O $T -z $O $T -d $U $T "$CSK" > settime.out.$zone 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" - $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + cp $infile $zonefile + $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 done diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh index 03ff93c4c4..702a239296 100644 --- a/bin/tests/system/kasp.sh +++ b/bin/tests/system/kasp.sh @@ -695,7 +695,7 @@ dnssec_verify() echo_i "dnssec-verify zone ${ZONE} ($n)" ret=0 _dig_with_opts "$ZONE" "@${SERVER}" AXFR > dig.out.axfr.test$n || _log_error "dig ${ZONE} AXFR failed" - $VERIFY -z -o "$ZONE" dig.out.axfr.test$n > /dev/null || _log_error "dnssec verify zone $ZONE failed" + $VERIFY -z -o "$ZONE" dig.out.axfr.test$n > verify.out.$ZONE.test$n || _log_error "dnssec verify zone $ZONE failed" test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) } diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh index 1ed1c80f0d..db264c2810 100644 --- a/bin/tests/system/kasp/clean.sh +++ b/bin/tests/system/kasp/clean.sh 
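Review bot: The new `cp $infile $zonefile` places the DNSKEY and private-type records that were appended to `$infile` (the `cat template.db.in "${CSK}.key"` and `private_type_record` lines just above) into the unsigned zone file, even though the commit message says DNSSEC records are no longer taken from the raw zone. If the intent is that named ignores them, or that the test verifies they are not propagated, that is worth a one-line comment above the `cp`; if not, `cp template.db.in $zonefile` would make the raw file look like an operator's unsigned zone and keep the test from depending on the old propagation behaviour. The same `cp` + `-O raw -f "${zonefile}.signed"` pair is repeated in the second checkds hunk and in every hunk of kasp/ns3/setup.sh and kasp/ns6/setup.sh in this patch, so a small helper in the shared setup code would keep the roughly forty call sites in step if the raw-file contents change again. The enclosing `do` loop starts outside the hunk.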
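Review bot: The redirect on the changed `$VERIFY` line captures only stdout, so any diagnostics dnssec-verify writes to stderr when verification fails still go wherever the harness sends them rather than into the new file; `$VERIFY -z -o "$ZONE" dig.out.axfr.test$n > verify.out.$ZONE.test$n 2>&1 || _log_error "dnssec verify zone $ZONE failed"` keeps both in the file the commit introduces for debugging. Since the redirection target is built from `$ZONE`, quoting it (`> "verify.out.$ZONE.test$n"`) matches the quoting of `"$ZONE"` elsewhere on the same line. The opening of dnssec_verify is outside the hunk.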
@@ -16,7 +16,7 @@ set -e rm -f ./keygen.* rm -f ./K*.private ./K*.key ./K*.state ./K*.cmp rm -rf ./keys/ -rm -f dig.out* rrsig.out.* keyevent.out.* +rm -f dig.out* rrsig.out.* keyevent.out.* verify.out.* zone.out.* rm -f ns*/named.conf ns*/named.memstats ns*/named.run* rm -f ns*/named-fips.conf rm -f ns*/policies/*.conf diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index 84fbb9c170..c0111203c7 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh @@ -161,7 +161,8 @@ $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -PS -x -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # These signatures are set to expire long in the past, update immediately. setup expired-sigs.autosign @@ -175,7 +176,8 @@ $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # These signatures are still good, and can be reused. setup fresh-sigs.autosign 
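Review bot: The cleanup pattern `zone.out.*` is added, but nothing in this patch writes files of that name — the only new output visible is `verify.out.$ZONE.test$n` from kasp.sh — so it is either anticipating a later patch in the series or stale, and a reader cannot tell which. Conversely, the setup scripts in this patch now create `${zonefile}.signed` files under ns3/ and ns6/; I cannot see the rest of clean.sh, so if it does not already remove `ns*/*.signed` (or an equivalent pattern), those files will persist between runs and could be picked up as pre-existing signed zones on the next run, hiding a signing failure. A line such as `rm -f ns*/*.signed` next to the existing `rm -f ns*/named.conf ...` line would cover them.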
@@ -189,7 +191,8 @@ $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # These signatures are still good, but not fresh enough, update immediately. setup unfresh-sigs.autosign @@ -203,7 +206,8 @@ $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1w -e now+1w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # These signatures are still good, but the private KSK is missing. setup ksk-missing.autosign @@ -217,7 +221,8 @@ $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1w -e now+1w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 echo "KSK: yes" >> "${KSK}".state echo "ZSK: no" >> "${KSK}".state echo "Lifetime: 63072000" >> "${KSK}".state # PT2Y 
@@ -235,7 +240,8 @@ $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1w -e now+1w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 echo "KSK: no" >> "${ZSK}".state echo "ZSK: yes" >> "${ZSK}".state echo "Lifetime: 31536000" >> "${ZSK}".state # PT1Y @@ -253,7 +259,8 @@ $SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 $SETTIME -s -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1 # @@ -286,7 +293,8 @@ CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keyg $SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 3: # The zone signatures have been published long enough to become OMNIPRESENT. 
@@ -302,7 +310,8 @@ CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keyg $SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 4: # The DS has been submitted long enough ago to become OMNIPRESENT. @@ -321,7 +330,8 @@ CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keyg $SETTIME -s -g $O -P ds $TsbmN -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 setup step4.enable-dnssec.autosign # @@ -342,7 +352,8 @@ $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$z cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 2: # It is time to pre-publish the successor ZSK. 
@@ -381,7 +392,8 @@ $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$z cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 3: # After the publication interval has passed the DNSKEY of the successor ZSK @@ -443,7 +455,8 @@ cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 4: # After the retire interval has passed the predecessor DNSKEY can be @@ -502,7 +515,8 @@ $SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out. key_successor $ZSK1 $ZSK2 # Sign zone. cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" -$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 5: # The predecessor DNSKEY is removed long enough that is has become HIDDEN. 
@@ -540,7 +554,8 @@ cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 6: # The predecessor DNSKEY can be purged. @@ -578,7 +593,8 @@ cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # # The zones at ksk-doubleksk.autosign represent the various steps of a KSK @@ -596,7 +612,8 @@ ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 2: # It is time to submit the introduce the new KSK. 
@@ -647,7 +664,8 @@ $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$z cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 3: # It is time to submit the DS. @@ -713,7 +731,8 @@ cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 4: # The DS should be swapped now. @@ -773,7 +792,8 @@ cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 5: # The predecessor DNSKEY is removed long enough that is has become HIDDEN. 
@@ -811,7 +831,8 @@ cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 6: # The predecessor DNSKEY can be purged. @@ -849,7 +870,8 @@ cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # # The zones at csk-roll.autosign represent the various steps of a CSK rollover @@ -865,7 +887,8 @@ CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.ou $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 2: # It is time to introduce the new CSK. 
@@ -892,7 +915,8 @@ CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.ou $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 3: # It is time to submit the DS and to roll signatures. @@ -946,7 +970,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 4: # Some time later all the ZRRSIG records should be from the new CSK, and the @@ -992,7 +1017,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 5: # After the DS is swapped in step 4, also the KRRSIG records can be removed. 
@@ -1027,7 +1053,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 6: # After the retire interval has passed the predecessor DNSKEY can be @@ -1070,7 +1097,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 7: # Some time later the predecessor DNSKEY enters the HIDDEN state. @@ -1104,7 +1132,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 8: # The predecessor DNSKEY can be purged. 
@@ -1138,7 +1167,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # # The zones at csk-roll2.autosign represent the various steps of a CSK rollover @@ -1156,7 +1186,8 @@ CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.o $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 2: # It is time to introduce the new CSK. @@ -1183,7 +1214,8 @@ CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.o $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 3: # It is time to submit the DS and to roll signatures. 
@@ -1237,7 +1269,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 4: # Some time later all the ZRRSIG records should be from the new CSK, and the @@ -1284,7 +1317,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 5: # Some time later the DS can be swapped and the old DNSKEY can be removed from @@ -1320,7 +1354,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 6: # Some time later the predecessor DNSKEY enters the HIDDEN state. 
@@ -1355,7 +1390,8 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 7: # The predecessor DNSKEY can be purged, but purge-keys is disabled. @@ -1389,4 +1425,5 @@ key_successor $CSK1 $CSK2 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh index 94fc9067c0..6764f1b9c1 100644 --- a/bin/tests/system/kasp/ns6/setup.sh +++ b/bin/tests/system/kasp/ns6/setup.sh @@ -45,7 +45,8 @@ do cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" - $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + cp $infile $zonefile + $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 2: # Set up a zone with dnssec-policy that is going insecure. Don't add 
@@ -66,7 +67,8 @@ do cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" - $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 + cp $infile $zonefile + $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 done # This zone is going straight to "none" policy. This is undefined behavior. @@ -78,7 +80,8 @@ CSK=$($KEYGEN -k default $csktimes $zone 2> keygen.out.$zone.1) $SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" -$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # # The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK @@ -99,7 +102,8 @@ $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$z cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 8 "$KSK" >> "$infile" private_type_record $zone 8 "$ZSK" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 2: # After the publication interval has passed the DNSKEY is OMNIPRESENT. 
@@ -130,7 +134,8 @@ private_type_record $zone 8 "$KSK1" >> "$infile" private_type_record $zone 8 "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 3: # The zone signatures are also OMNIPRESENT. @@ -160,7 +165,8 @@ private_type_record $zone 8 "$KSK1" >> "$infile" private_type_record $zone 8 "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 4: # The DS is swapped and can become OMNIPRESENT. @@ -191,7 +197,8 @@ private_type_record $zone 8 "$KSK1" >> "$infile" private_type_record $zone 8 "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 5: # The DNSKEY is removed long enough to be HIDDEN. 
@@ -223,7 +230,8 @@ private_type_record $zone 8 "$KSK1" >> "$infile" private_type_record $zone 8 "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 6: # The RRSIGs have been removed long enough to be HIDDEN. @@ -256,7 +264,8 @@ private_type_record $zone 8 "$KSK1" >> "$infile" private_type_record $zone 8 "$ZSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # # The zones at csk-algorithm-roll.kasp represent the various steps of a CSK @@ -273,7 +282,8 @@ CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.ou $SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone 5 "$CSK" >> "$infile" -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 2: # After the publication interval has passed the DNSKEY is OMNIPRESENT. 
@@ -292,7 +302,8 @@ echo "Lifetime: 0" >> "${CSK1}.state" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone 5 "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 3: # The zone signatures are also OMNIPRESENT. @@ -313,7 +324,8 @@ echo "Lifetime: 0" >> "${CSK1}.state" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone 5 "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 4: # The DS is swapped and can become OMNIPRESENT. @@ -335,7 +347,8 @@ echo "Lifetime: 0" >> "${CSK1}.state" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone 5 "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 5: # The DNSKEY is removed long enough to be HIDDEN. 
@@ -358,7 +371,8 @@ echo "Lifetime: 0" >> "${CSK1}.state" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone 5 "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # Step 6: # The RRSIGs have been removed long enough to be HIDDEN. @@ -382,7 +396,8 @@ echo "Lifetime: 0" >> "${CSK1}.state" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone 5 "$CSK1" >> "$infile" private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 +cp $infile $zonefile +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 # # Reload testing diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 834c725c67..cfe45fbf29 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh 
@@ -1375,9 +1375,10 @@ check_rrsig_reuse() {
 dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
 grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
 grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
- # If this exact RRSIG is also in the zone file it is not refreshed.
+ # If this exact RRSIG is also in the signed zone file it is not refreshed.
 _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype")
- grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
+ $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null
+ grep "${_rrsig}" zone.out.${ZONE}.test$n > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 done
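Review bot: The exit status of the added `$CHECKZONE` call is discarded, so if converting `${DIR}/${ZONE}.db.signed` fails (file missing, not raw format), the following `grep` runs against an absent or stale `zone.out.${ZONE}.test$n` and the test reports a misleading "RRSIG not reused" error instead of the real cause. Append `|| log_error "checkzone failed for ${ZONE}"` to that line, and quote the output path `"zone.out.${ZONE}.test$n"` the way the neighbouring lines quote theirs. The second hunk of check_rrsig_reuse on the next line has the same two issues. The function starts before and ends after this hunk.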
@@ -1395,8 +1396,10 @@ check_rrsig_reuse() {
 dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
 grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
 grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+ # If this exact RRSIG is also in the signed zone file it is not refreshed.
 _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype")
- grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
+ $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null
+ grep "${_rrsig}" zone.out.${ZONE}.test$n > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status+ret))
 done
diff --git a/bin/tests/system/keymgr2kasp/clean.sh b/bin/tests/system/keymgr2kasp/clean.sh
index cc4ffe3f8b..1fe2bb946d 100644
--- a/bin/tests/system/keymgr2kasp/clean.sh
+++ b/bin/tests/system/keymgr2kasp/clean.sh
@@ -30,4 +30,5 @@ rm -f ./python.out.*
 rm -f ./retired.*
 rm -f ./rndc.dnssec.*
 rm -f ./unused.key*
+rm -f ./verify.out.*
From 4cd8e8e9c34d7bf56a1a51d0c489b8a433076f27 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking Date: Tue, 11 Oct 2022 11:15:34 +0200 Subject: [PATCH 3/8] Add two more nsec3 system tests Add one more case that tests reconfiguring a zone to turn off inline-signing. It should still be a valid DNSSEC zone and the NSEC3 parameters should not change. Add another test to ensure that you cannot update the zone with a NSEC3 record. --- bin/tests/system/nsec3/clean.sh | 2 +- bin/tests/system/nsec3/ns3/named.conf.in | 18 +++++++++++- bin/tests/system/nsec3/ns3/named2.conf.in | 10 ++++++- bin/tests/system/nsec3/ns3/setup.sh | 3 +- bin/tests/system/nsec3/tests.sh | 35 ++++++++++++++++++++++- 5 files changed, 63 insertions(+), 5 deletions(-) diff --git a/bin/tests/system/nsec3/clean.sh b/bin/tests/system/nsec3/clean.sh index d6b11e749b..7ca6829689 100644 --- a/bin/tests/system/nsec3/clean.sh +++ b/bin/tests/system/nsec3/clean.sh @@ -13,7 +13,7 @@ set -e -rm -f dig.out.* rndc.signing.* verify.out.* +rm -f dig.out.* rndc.signing.* update.out.* verify.out.* rm -f ns*/named.conf ns*/named.memstats ns*/named.run* rm -f ns*/*.jnl ns*/*.jbk ns*/managed-keys.bind rm -f ns*/K*.private ns*/K*.key ns*/K*.state diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in index dc885f0066..e21c533610 100644 --- a/bin/tests/system/nsec3/ns3/named.conf.in +++ b/bin/tests/system/nsec3/ns3/named.conf.in 
@@ -185,10 +185,26 @@ zone "nsec3-fails-to-load.kasp" {
 allow-update { any; };
 };
-/* The zone switches from dynamic to inline-signing. */
+/* These zones switch from dynamic to inline-signing or vice versa. */
 zone "nsec3-dynamic-to-inline.kasp" {
 type primary;
 file "nsec3-dynamic-to-inline.kasp.db";
 dnssec-policy "nsec3";
 allow-update { any; };
 };
+
+zone "nsec3-inline-to-dynamic.kasp" {
+ type primary;
+ file "nsec3-inline-to-dynamic.kasp.db";
+ inline-signing yes;
+ dnssec-policy "nsec3";
+};
+
+/* Test adding a NSEC3 record to an inline-signing dnssec-policy zone. */
+zone "nsec3-dynamic-update-inline.kasp" {
+ type primary;
+ file "nsec3-dynamic-update-inline.kasp.db";
+ inline-signing yes;
+ allow-update { any; };
+ dnssec-policy "nsec";
+};
diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in
index 26b49ea109..084bba3f0b 100644
--- a/bin/tests/system/nsec3/ns3/named2.conf.in
+++ b/bin/tests/system/nsec3/ns3/named2.conf.in
@@ -194,7 +194,7 @@ zone "nsec3-fails-to-load.kasp" {
 allow-update { any; };
 };
-/* The zone switches from dynamic to inline-signing. */
+/* These zones switch from dynamic to inline-signing or vice versa. */
 zone "nsec3-dynamic-to-inline.kasp" {
 type primary;
 file "nsec3-dynamic-to-inline.kasp.db";
@@ -202,3 +202,11 @@ zone "nsec3-dynamic-to-inline.kasp" {
 dnssec-policy "nsec3";
 allow-update { any; };
 };
+
+zone "nsec3-inline-to-dynamic.kasp" {
+ type primary;
+ file "nsec3-inline-to-dynamic.kasp.db";
+ inline-signing no;
+ dnssec-policy "nsec3";
+ allow-update { any; };
+};
diff --git a/bin/tests/system/nsec3/ns3/setup.sh b/bin/tests/system/nsec3/ns3/setup.sh
index a0dd793236..68bc2e4511 100644
--- a/bin/tests/system/nsec3/ns3/setup.sh
+++ b/bin/tests/system/nsec3/ns3/setup.sh
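Review bot: named2.conf.in gains only `nsec3-inline-to-dynamic.kasp`, so as far as the diffstat shows the new `nsec3-dynamic-update-inline.kasp` zone from named.conf.in is absent from the second configuration and is dropped from ns3 when tests.sh reconfigures the server. If that is intended, say so on the block in named.conf.in, e.g. `/* Not carried over to named2.conf.in; the zone disappears at reconfig. */`; if not, the zone block should be mirrored in named2.conf.in so the post-reconfig checks can cover it. The `(same)` wording used later in tests.sh for these zones would also read better if the comment here stated that the NSEC3 parameters are expected to survive the inline-signing switch unchanged.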
@@ -26,7 +26,8 @@ setup() { for zn in nsec-to-nsec3 nsec3 nsec3-other nsec3-change nsec3-to-nsec \ nsec3-to-optout nsec3-from-optout nsec3-dynamic \ - nsec3-dynamic-change nsec3-dynamic-to-inline + nsec3-dynamic-change nsec3-dynamic-to-inline \ + nsec3-inline-to-dynamic nsec3-dynamic-update-inline do setup "${zn}.kasp" done diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh index 7317d79060..8c70497149 100644 --- a/bin/tests/system/nsec3/tests.sh +++ b/bin/tests/system/nsec3/tests.sh @@ -304,6 +304,13 @@ set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 +# Zone: nsec3-inline-to-dynamic.kasp. +set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600 +set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" +echo_i "initial check zone ${ZONE}" +check_nsec3 + # Zone: nsec3-to-nsec.kasp. set_zone_policy "nsec3-to-nsec.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" @@ -332,7 +339,26 @@ set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 +# Zone: nsec3-dynamic-update-inline.kasp. +set_zone_policy "nsec3-dynamic-update-inline.kasp" "nsec" 1 3600 +set_key_default_values "KEY1" +echo_i "initial check zone ${ZONE}" +check_nsec + +n=$((n+1)) +echo_i "dynamic update dnssec-policy zone ${ZONE} with NSEC3 ($n)" +ret=0 +$NSUPDATE > update.out.$ZONE.test$n 2>&1 << END || ret=1 +server 10.53.0.3 ${PORT} +zone ${ZONE}. +update add 04O18462RI5903H8RDVL0QDT5B528DUJ.${ZONE}. 3600 NSEC3 0 0 0 408A4B2D412A4E95 1JMDDPMTFF8QQLIOINSIG4CR9OTICAOC A RRSIG +send +END +wait_for_log 10 "updating zone '${ZONE}/IN': update failed: explicit NSEC3 updates are not allowed in secure zones (REFUSED)" ns3/named.run || ret=1 +check_nsec + # Reconfig named. +ret=0 echo_i "reconfig dnssec-policy to trigger nsec3 rollovers" copy_setports ns3/named2.conf.in ns3/named.conf rndc_reconfig ns3 10.53.0.3 
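Review bot: In the dynamic-update test added to tests.sh, `ret` is set by `$NSUPDATE ... || ret=1` and `wait_for_log ... || ret=1` but never evaluated: the block ends with `check_nsec` and the next added line resets `ret=0` before the reconfig, so neither `test "$ret" -eq 0 || echo_i "failed"` nor `status=$((status+ret))` runs and a missing REFUSED log line cannot fail the run. Also, nsupdate exits non-zero when the server refuses the update (please confirm for this version), so `|| ret=1` on the `$NSUPDATE` line would flag the expected refusal as a failure; the `wait_for_log` check is the meaningful assertion there. Add the usual `test "$ret" -eq 0 || echo_i "failed"` and `status=$((status+ret))` after `wait_for_log`, and drop `|| ret=1` from the nsupdate invocation if its exit status is indeed non-zero on REFUSED.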
@@ -426,13 +452,20 @@ set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 -# Zone: nsec3-dynamic-to-inline.kasp. (reconfigured) +# Zone: nsec3-dynamic-to-inline.kasp. (same) set_zone_policy "nsec3-dynamic-to-inline.kasp" "nsec3" 1 3600 set_nsec3param "0" "0" "0" set_key_default_values "KEY1" echo_i "check zone ${ZONE} after reconfig" check_nsec3 +# Zone: nsec3-inline-to-dynamic.kasp. (same) +set_zone_policy "nsec3-inline-to-dynamic.kasp" "nsec3" 1 3600 +set_nsec3param "0" "0" "0" +set_key_default_values "KEY1" +echo_i "initial check zone ${ZONE}" +check_nsec3 + # Zone: nsec3-to-nsec.kasp. (reconfigured) set_zone_policy "nsec3-to-nsec.kasp" "nsec" 1 3600 set_nsec3param "1" "11" "8" From ef1cb9935c579d090ad2ee70376563464e39de6f Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 11 Oct 2022 15:17:53 +0200 Subject: [PATCH 4/8] Add nsec3 system test that transfers in NSEC3 Similar to an attempt to add NSEC through dynamic update, add a test case that tries to add NSEC3 through zone transfer. --- bin/tests/system/nsec3/ns2/named.conf.in | 46 +++++++++++++++++++++++ bin/tests/system/nsec3/ns2/setup.sh | 22 +++++++++++ bin/tests/system/nsec3/ns2/template.db.in | 28 ++++++++++++++ bin/tests/system/nsec3/ns3/named.conf.in | 8 ++++ bin/tests/system/nsec3/setup.sh | 6 ++- bin/tests/system/nsec3/tests.sh | 8 ++++ 6 files changed, 117 insertions(+), 1 deletion(-) create mode 100644 bin/tests/system/nsec3/ns2/named.conf.in create mode 100644 bin/tests/system/nsec3/ns2/setup.sh create mode 100644 bin/tests/system/nsec3/ns2/template.db.in diff --git a/bin/tests/system/nsec3/ns2/named.conf.in b/bin/tests/system/nsec3/ns2/named.conf.in new file mode 100644 index 0000000000..d6caf15615 --- /dev/null +++ b/bin/tests/system/nsec3/ns2/named.conf.in 
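Review bot: The post-reconfig block for `nsec3-inline-to-dynamic.kasp` logs `initial check zone ${ZONE}` although it runs after the reconfig, where every sibling block logs `check zone ${ZONE} after reconfig`; change it to `echo_i "check zone ${ZONE} after reconfig"` so the test output distinguishes the two checks for this zone. The `(same)` tag on the two comments is terse; a short note such as `# (same): the NSEC3 parameters are expected to be unchanged by the inline-signing switch.` would tell readers what is being asserted.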
@@ -0,0 +1,46 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS2 + +dnssec-policy "nsec3" { + nsec3param; +}; + +options { + query-source address 10.53.0.2; + notify-source 10.53.0.2; + transfer-source 10.53.0.2; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.2; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm @DEFAULT_HMAC@; +}; + +controls { + inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +zone "nsec3-xfr-inline.kasp" { + type primary; + file "nsec3-xfr-inline.kasp.db"; + inline-signing yes; + dnssec-policy "nsec3"; +}; diff --git a/bin/tests/system/nsec3/ns2/setup.sh b/bin/tests/system/nsec3/ns2/setup.sh new file mode 100644 index 0000000000..1cbe02f9c0 --- /dev/null +++ b/bin/tests/system/nsec3/ns2/setup.sh @@ -0,0 +1,22 @@ +#!/bin/sh -e + +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# SPDX-License-Identifier: MPL-2.0 +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../../conf.sh + +echo_i "ns2/setup.sh" + +zone="nsec3-xfr-inline.kasp" +echo_i "setting up zone: $zone" +zonefile="${zone}.db" +cp template.db.in "$zonefile" 
diff --git a/bin/tests/system/nsec3/ns2/template.db.in b/bin/tests/system/nsec3/ns2/template.db.in new file mode 100644 index 0000000000..8379c37213 --- /dev/null +++ b/bin/tests/system/nsec3/ns2/template.db.in @@ -0,0 +1,28 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; SPDX-License-Identifier: MPL-2.0 +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, you can obtain one at https://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns2 +ns2 A 10.53.0.2 +ns3 A 10.53.0.3 + +a A 10.0.0.1 +b A 10.0.0.2 +c A 10.0.0.3 + diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in index e21c533610..de097744ba 100644 --- a/bin/tests/system/nsec3/ns3/named.conf.in +++ b/bin/tests/system/nsec3/ns3/named.conf.in @@ -208,3 +208,11 @@ zone "nsec3-dynamic-update-inline.kasp" { allow-update { any; }; dnssec-policy "nsec"; }; + +zone "nsec3-xfr-inline.kasp" { + type secondary; + file "nsec3-xfr-inline.kasp.db"; + inline-signing yes; + dnssec-policy "nsec"; + primaries { 10.53.0.2; }; +}; diff --git a/bin/tests/system/nsec3/setup.sh b/bin/tests/system/nsec3/setup.sh index 66320529b7..bdd1ae9a81 100644 --- a/bin/tests/system/nsec3/setup.sh +++ b/bin/tests/system/nsec3/setup.sh @@ -18,8 +18,12 @@ set -e $SHELL clean.sh +copy_setports ns2/named.conf.in ns2/named.conf +( + cd ns2 + $SHELL setup.sh +) copy_setports ns3/named.conf.in ns3/named.conf - ( cd ns3 $SHELL setup.sh diff --git a/bin/tests/system/nsec3/tests.sh b/bin/tests/system/nsec3/tests.sh index 8c70497149..0abbbce71c 100644 --- a/bin/tests/system/nsec3/tests.sh +++ b/bin/tests/system/nsec3/tests.sh 
@@ -339,6 +339,14 @@ set_key_default_values "KEY1" echo_i "initial check zone ${ZONE}" check_nsec3 +# Zone: nsec3-xfr-inline.kasp. +# This is a secondary zone, where the primary is signed with NSEC3 but +# the dnssec-policy dictates NSEC. +set_zone_policy "nsec3-xfr-inline.kasp" "nsec" 1 3600 +set_key_default_values "KEY1" +echo_i "initial check zone ${ZONE}" +check_nsec + # Zone: nsec3-dynamic-update-inline.kasp. set_zone_policy "nsec3-dynamic-update-inline.kasp" "nsec" 1 3600 set_key_default_values "KEY1" From bc703a12e7adf83ac0cef3624fc846eb2c843dbb Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 11 Oct 2022 11:21:35 +0200 Subject: [PATCH 5/8] Remove checks when going to dnssec-policy none The changes in the code have the side effect that the CDNSKEY and CDS records in the secure version of the zone are not reusable and thus are thrashed from the zone. Remove the apex checks for this use case. We only care that the zone does not immediately go bogus; a user really should use the built-in "insecure" policy when unsigning a zone. --- bin/tests/system/kasp/tests.sh | 2 -- 1 file changed, 2 deletions(-) diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index cfe45fbf29..ab65dff3ad 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -4033,8 +4033,6 @@ key_clear "KEY4" # Various signing policy checks. check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -check_apex -check_subdomain dnssec_verify # From 332b98ae49948e26a90f1d6e0a625f6eec568777 Mon Sep 17 00:00:00 2001 
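Review bot: The check for the secondary zone `nsec3-xfr-inline.kasp` runs straight after startup with nothing waiting for the transfer from ns2 to complete, so unless `check_nsec` retries internally (its body is not on this page) the check can race the AXFR and fail intermittently. Consider a `wait_for_log` on the transfer-completed line for this zone in ns3/named.run before `check_nsec`, mirroring how the dynamic-update test waits for its log line. The comment explains the setup well; adding one sentence on what the check expects, presumably that the transferred NSEC3 chain is replaced by NSEC in the signed view, would make the intent explicit.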
From: Matthijs Mekking Date: Mon, 10 Oct 2022 14:14:43 +0200 Subject: [PATCH 6/8] Don't allow DNSSEC records in the raw zone There was an exception for dnssec-policy that allowed DNSSEC in the unsigned version of the zone. This however causes a crash if the zone switches from dynamic to inline-signing in the case of NSEC3, because we are now trying to add an NSEC3 record to a non-NSEC3 node. This is because BIND expects none of the records in the unsigned version of the zone to be NSEC3. Remove the exception for dnssec-policy when copying non DNSSEC records, but do allow for DNSKEY as this may be a published DNSKEY from a different provider.
---
 lib/dns/zone.c | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 672d2997bc..cf2fc489c7 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -17169,9 +17169,8 @@ restore_nsec3param(dns_zone_t *zone, dns_db_t *db, dns_dbversion_t *version,
 }
 static isc_result_t
-copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version,
- dns_db_t *rawdb, dns_dbiterator_t *dbiterator,
- unsigned int *oldserial) {
+copy_non_dnssec_records(dns_db_t *db, dns_db_t *version, dns_db_t *rawdb,
+ dns_dbiterator_t *dbiterator, unsigned int *oldserial) {
 dns_dbnode_t *rawnode = NULL, *node = NULL;
 dns_fixedname_t fixed;
 dns_name_t *name = dns_fixedname_initname(&fixed);
@@ -17208,14 +17207,8 @@ copy_non_dnssec_records(dns_zone_t *zone, dns_db_t *db, dns_db_t *version,
 rdataset.type == dns_rdatatype_dnskey ||
 rdataset.type == dns_rdatatype_nsec3param) {
- /*
- * Allow DNSSEC records with dnssec-policy.
- * WMM: Perhaps add config option for it.
- */
- if (dns_zone_getkasp(zone) == NULL) {
- dns_rdataset_disassociate(&rdataset);
- continue;
- }
+ dns_rdataset_disassociate(&rdataset);
+ continue;
 }
 if (rdataset.type == dns_rdatatype_soa && oldserial != NULL) {
 result = checkandaddsoa(db, node, version, &rdataset,
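Review bot: The skip condition whose tail is visible in the second hunk still lists `dns_rdatatype_dnskey`, so once the kasp exception is removed, DNSKEY records in the raw zone are dropped together with the other signer-managed types, whereas the commit message says DNSKEY is still allowed because it may be a published key from another provider; either DNSKEY should leave that condition or the message is wrong. The head of the condition lies outside the hunk, so please confirm no earlier clause already handles it. With the `zone` parameter gone, a short header comment would record the new contract, e.g. `/* Copy the records of rawdb into db, skipping the types the signer manages, regardless of whether the zone has a dnssec-policy. */`. copy_non_dnssec_records continues past the end of this hunk.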
@@ -17318,8 +17311,8 @@ receive_secure_db(isc_task_t *task, isc_event_t *event) {
 for (result = dns_dbiterator_first(dbiterator);
 result == ISC_R_SUCCESS;
 result = dns_dbiterator_next(dbiterator)) {
- result = copy_non_dnssec_records(zone, db, version, rawdb,
- dbiterator, oldserialp);
+ result = copy_non_dnssec_records(db, version, rawdb, dbiterator,
+ oldserialp);
 if (result != ISC_R_SUCCESS) {
 goto failure;
 }
From 4d143f2cc46663e6a7935b3d650c361ed630e03a Mon Sep 17 00:00:00 2001
From: Matthijs Mekking Date: Tue, 11 Oct 2022 11:07:43 +0200 Subject: [PATCH 7/8] If a zone is not reusable, trigger full sign If after a reconfig a zone is not reusable because inline-signing was turned on/off, trigger a full resign. This is necessary because otherwise the zone maintenance may decide to only apply the changes in the journal, leaving the zone in an inconsistent DNSSEC state.
---
 bin/named/server.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/bin/named/server.c b/bin/named/server.c
index b95d1ee108..b38e00d027 100644
--- a/bin/named/server.c
+++ b/bin/named/server.c
@@ -6501,6 +6501,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 bool zone_is_catz = false;
 bool zone_maybe_inline = false;
 bool inline_signing = false;
+ bool fullsign = false;
 options = NULL;
 (void)cfg_map_get(config, "options", &options);
@@ -6769,6 +6770,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 if (zone != NULL && !named_zone_reusable(zone, zconfig)) {
 dns_zone_detach(&zone);
+ fullsign = true;
 }
 if (zone != NULL &&
 (rpz_num != dns_zone_get_rpz_num(zone) ||
@@ -6903,7 +6905,7 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
 * Ensure that zone keys are reloaded on reconfig
 */
 if ((dns_zone_getkeyopts(zone) & DNS_ZONEKEY_MAINTAIN) != 0) {
- dns_zone_rekey(zone, false);
+ dns_zone_rekey(zone, fullsign);
 }
 cleanup:
From 1cf2f6fe684458afb26482a9b5ad324c57cdf25e Mon Sep 17 00:00:00 2001
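Review bot: `fullsign` is set whenever `named_zone_reusable()` rejects the existing zone, not only when inline-signing was toggled as the commit message describes, so every non-reusable reconfig of a key-maintaining zone now triggers a full resign; that may be the intended conservative choice, but it deserves a comment at the assignment, e.g. `/* The zone is being recreated; force a full resign so zone maintenance cannot merely replay the journal over a stale DNSSEC state. */`. It is also worth noting at the `dns_zone_rekey()` call that `fullsign` only takes effect under `DNS_ZONEKEY_MAINTAIN`, so non-maintaining zones keep their previous behaviour. configure_zone begins and ends outside these hunks.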
From: Matthijs Mekking Date: Tue, 11 Oct 2022 12:13:19 +0200 Subject: [PATCH 8/8] Add release note and change for GL #3591 Breaking news. --- CHANGES | 4 ++++ doc/notes/notes-current.rst | 3 +++ 2 files changed, 7 insertions(+) diff --git a/CHANGES b/CHANGES index e7aa4be105..9efded88ab 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,7 @@ +6013. [bug] Fix a crash that could happen when you change + a dnssec-policy zone with NSEC3 to start using + inline-signing. [GL #3591] + 6012. [func] Cleanup the dead nodes while pruning the tree. [GL #3641] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 36b1a877fb..5245ef7479 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -63,3 +63,6 @@ Bug Fixes enter into a state where it would not recover without stopping ``named``, manually deleting ``managed-keys.bind`` and ``managed-keys.bind.jnl`` files, and starting ``named`` again. :gl:`#2895` + +- Fixed a crash that happens when you reconfigure a ``dnssec-policy`` + zone that uses NSEC3 to enable ``inline-signing``. :gl:`#3591`