Make default_algorithm accessible through a fixture and method
Importing a pytest fixture trips up static analysis tools, so move default_algorithm to conftest.py and use it instead of os.environ accesses in various system tests. For use outside a test function, use Algorithm.default().
parent
2b9c5ccd77
commit
ef21b77912
35 changed files with 379 additions and 433 deletions
|
|
@ -233,6 +233,11 @@ def control_port():
|
|||
return int(os.environ["CONTROLPORT"])
|
||||
|
||||
|
||||
@pytest.fixture(scope="module")
|
||||
def default_algorithm():
|
||||
return isctest.vars.algorithms.Algorithm.default()
|
||||
|
||||
|
||||
@pytest.fixture(scope="module")
|
||||
def system_test_name(request):
|
||||
"""Name of the system test directory."""
|
||||
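Review bot: The new `default_algorithm` fixture has no docstring, while the `system_test_name` fixture right after it has one. A one-line docstring would tell test authors what object they receive, for example `"""Default algorithm for this test run, as an isctest.vars.algorithms.Algorithm built from the environment."""`. Because the fixture is module-scoped, the environment is read once per test module; that is worth stating in the docstring if tests are ever expected to vary these variables.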
|
|
|
|||
|
|
@ -136,12 +136,12 @@ def test_expiring_rrsig(ns3):
|
|||
assert sigs
|
||||
|
||||
|
||||
def test_apex_signing():
|
||||
def test_apex_signing(default_algorithm):
|
||||
# check that DNAME at apex with NSEC3 is correctly signed
|
||||
msg = isctest.query.create("dname-at-apex-nsec3.example.", "TXT")
|
||||
res = isctest.query.tcp(msg, "10.53.0.3")
|
||||
sigs = [str(a) for a in res.authority if a.rdtype == rdatatype.RRSIG]
|
||||
alg = os.environ.get("DEFAULT_ALGORITHM_NUMBER")
|
||||
alg = default_algorithm.number
|
||||
assert any(f"NSEC3 {alg} 3 600" in a for a in sigs)
|
||||
|
||||
|
||||
|
|
@ -171,7 +171,7 @@ def test_occluded_data():
|
|||
isctest.check.rr_count_eq(res.answer, 4) # A+RRSIG, NSEC+RRSIG
|
||||
|
||||
|
||||
def test_update_signing():
|
||||
def test_update_signing(default_algorithm):
|
||||
# minimal update test: add and delete a single record
|
||||
up = update.UpdateMessage("dynamic.example.")
|
||||
up.add("a.dynamic.example.", 300, "A", "73.80.65.49")
|
||||
|
|
@ -191,7 +191,7 @@ def test_update_signing():
|
|||
# check that the NSEC3 record for the apex is properly signed
|
||||
# when a DNSKEY is added via UPDATE
|
||||
key = keygen(
|
||||
"-Kns3", "-q3fk", "-a", os.environ["DEFAULT_ALGORITHM"], "update-nsec3.example."
|
||||
"-Kns3", "-q3fk", "-a", default_algorithm.name, "update-nsec3.example."
|
||||
)
|
||||
|
||||
with open(f"ns3/{key}.key", "r", encoding="utf-8") as f:
|
||||
|
|
@ -416,7 +416,7 @@ def test_zonestatus_signing(ns3):
|
|||
assert when < sigs[0].expiration
|
||||
|
||||
|
||||
def test_offline_ksk_signing(ns2):
|
||||
def test_offline_ksk_signing(ns2, default_algorithm):
|
||||
def getfrom(file):
|
||||
with open(file, encoding="utf-8") as f:
|
||||
return f.read().strip()
|
||||
|
|
@ -498,9 +498,9 @@ def test_offline_ksk_signing(ns2):
|
|||
"-Pnone",
|
||||
"-Anone",
|
||||
"-a",
|
||||
os.environ["DEFAULT_ALGORITHM"],
|
||||
default_algorithm.name,
|
||||
"-b",
|
||||
os.environ["DEFAULT_BITS"],
|
||||
f"{default_algorithm.bits}",
|
||||
zone,
|
||||
)
|
||||
zsk_2_id = getkeyid(zsk_2)
|
||||
|
|
@ -557,9 +557,9 @@ def test_offline_ksk_signing(ns2):
|
|||
"-Pnone",
|
||||
"-Anone",
|
||||
"-a",
|
||||
os.environ["DEFAULT_ALGORITHM"],
|
||||
default_algorithm.name,
|
||||
"-b",
|
||||
os.environ["DEFAULT_BITS"],
|
||||
f"{default_algorithm.bits}",
|
||||
zone,
|
||||
)
|
||||
zsk_3_id = getkeyid(zsk_3)
|
||||
|
|
|
|||
|
|
@ -11,7 +11,6 @@
|
|||
|
||||
from re import compile as Re
|
||||
|
||||
import os
|
||||
import shutil
|
||||
import time
|
||||
|
||||
|
|
@ -123,7 +122,7 @@ def test_adflag():
|
|||
isctest.check.noadflag(res2)
|
||||
|
||||
|
||||
def test_secure_root(ns4):
|
||||
def test_secure_root(ns4, default_algorithm):
|
||||
# check that a query for a secure root validates
|
||||
msg = isctest.query.create(".", "KEY")
|
||||
res = isctest.query.tcp(msg, "10.53.0.4")
|
||||
|
|
@ -132,9 +131,8 @@ def test_secure_root(ns4):
|
|||
|
||||
# check that "rndc secroots" dumps the trusted keys
|
||||
key = int(getfrom("ns1/managed.key.id"))
|
||||
alg = os.environ["DEFAULT_ALGORITHM"]
|
||||
response = ns4.rndc("secroots -")
|
||||
assert f"./{alg}/{key} ; static" in response.out
|
||||
assert f"./{default_algorithm.name}/{key} ; static" in response.out
|
||||
assert len(response.out.splitlines()) == 10
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -29,7 +29,7 @@ def getfrom(file):
|
|||
return f.read().strip()
|
||||
|
||||
|
||||
def test_secure_root_managed(ns4):
|
||||
def test_secure_root_managed(ns4, default_algorithm):
|
||||
# check that a query for a secure root validates
|
||||
msg = isctest.query.create(".", "KEY")
|
||||
res = isctest.query.tcp(msg, "10.53.0.4")
|
||||
|
|
@ -38,9 +38,8 @@ def test_secure_root_managed(ns4):
|
|||
|
||||
# check that "rndc secroots" dumps the trusted keys
|
||||
key = int(getfrom("ns1/managed.key.id"))
|
||||
alg = os.environ["DEFAULT_ALGORITHM"]
|
||||
response = ns4.rndc("secroots -")
|
||||
assert f"./{alg}/{key} ; managed" in response.out
|
||||
assert f"./{default_algorithm.name}/{key} ; managed" in response.out
|
||||
assert len(response.out.splitlines()) == 10
|
||||
|
||||
|
||||
|
|
|
|||
|
|
@ -11,8 +11,6 @@
|
|||
|
||||
from re import compile as Re
|
||||
|
||||
import os
|
||||
|
||||
import isctest
|
||||
|
||||
|
||||
|
|
@ -50,10 +48,9 @@ def test_validator_logging(ns4):
|
|||
watcher.wait_for_line(pattern)
|
||||
|
||||
|
||||
def test_secure_roots(ns4):
|
||||
def test_secure_roots(ns4, default_algorithm):
|
||||
# check that "rndc secroots" dumps the trusted keys with multiple views
|
||||
key = int(getfrom("ns1/managed.key.id"))
|
||||
alg = os.environ["DEFAULT_ALGORITHM"]
|
||||
response = ns4.rndc("secroots -")
|
||||
assert f"./{alg}/{key} ; static" in response.out
|
||||
assert f"./{default_algorithm.name}/{key} ; static" in response.out
|
||||
assert len(response.out.splitlines()) == 17
|
||||
|
|
|
|||
|
|
@ -61,6 +61,15 @@ class Algorithm(NamedTuple):
|
|||
dst: int
|
||||
bits: int
|
||||
|
||||
@classmethod
|
||||
def default(cls):
|
||||
return cls(
|
||||
os.environ["DEFAULT_ALGORITHM"],
|
||||
int(os.environ["DEFAULT_ALGORITHM_NUMBER"]),
|
||||
int(os.environ["DEFAULT_ALGORITHM_DST_NUMBER"]),
|
||||
int(os.environ["DEFAULT_BITS"]),
|
||||
)
|
||||
|
||||
|
||||
class AlgorithmSet(NamedTuple):
|
||||
"""Collection of DEFAULT, ALTERNATIVE and DISABLED algorithms"""
|
||||
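Review bot: `Algorithm.default()` has no docstring and indexes four environment variables directly, so an unset variable surfaces as a bare `KeyError` and a non-numeric one as a `ValueError` from `int()`. Other sections of this commit call it at module level inside parameter lists that previously read only `DEFAULT_ALGORITHM_NUMBER` and `DEFAULT_BITS`, so those modules now also need `DEFAULT_ALGORITHM` and `DEFAULT_ALGORITHM_DST_NUMBER` to be set when they are imported. I would document that contract on the method, for example `"""Return the default Algorithm built from DEFAULT_ALGORITHM, DEFAULT_ALGORITHM_NUMBER, DEFAULT_ALGORITHM_DST_NUMBER and DEFAULT_BITS; raises KeyError if any of them is unset."""`.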
|
|
|
|||
|
|
@ -22,7 +22,7 @@ import pytest
|
|||
|
||||
from isctest.kasp import KeyProperties, KeyTimingMetadata, SettimeOptions
|
||||
from isctest.util import param
|
||||
from isctest.vars.algorithms import ECDSAP256SHA256, ECDSAP384SHA384
|
||||
from isctest.vars.algorithms import ECDSAP256SHA256, ECDSAP384SHA384, Algorithm
|
||||
|
||||
import isctest
|
||||
import isctest.mark
|
||||
|
|
@ -129,10 +129,10 @@ KASP_INHERIT_TSIG_SECRET = {
|
|||
}
|
||||
|
||||
|
||||
def autosign_properties(alg, size):
|
||||
def autosign_properties(algorithm: Algorithm):
|
||||
return [
|
||||
f"ksk {lifetime['P2Y']} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk {lifetime['P1Y']} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
f"ksk {lifetime['P2Y']} {algorithm.number} {algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk {lifetime['P1Y']} {algorithm.number} {algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
]
|
||||
|
||||
|
||||
|
|
@ -353,9 +353,7 @@ def cb_remove_keyfiles(params, ksks=None, zsks=None):
|
|||
"policy": "autosign",
|
||||
"config": autosign_config,
|
||||
"offset": -timedelta(days=30 * 6),
|
||||
"key-properties": autosign_properties(
|
||||
os.environ["DEFAULT_ALGORITHM_NUMBER"], os.environ["DEFAULT_BITS"]
|
||||
),
|
||||
"key-properties": autosign_properties(Algorithm.default()),
|
||||
},
|
||||
id="dnskey-ttl-mismatch.autosign",
|
||||
),
|
||||
|
|
@ -365,9 +363,7 @@ def cb_remove_keyfiles(params, ksks=None, zsks=None):
|
|||
"policy": "autosign",
|
||||
"config": autosign_config,
|
||||
"offset": -timedelta(days=30 * 6),
|
||||
"key-properties": autosign_properties(
|
||||
os.environ["DEFAULT_ALGORITHM_NUMBER"], os.environ["DEFAULT_BITS"]
|
||||
),
|
||||
"key-properties": autosign_properties(Algorithm.default()),
|
||||
"additional-tests": [
|
||||
{
|
||||
"callback": cb_rrsig_refresh,
|
||||
|
|
@ -383,9 +379,7 @@ def cb_remove_keyfiles(params, ksks=None, zsks=None):
|
|||
"policy": "autosign",
|
||||
"config": autosign_config,
|
||||
"offset": -timedelta(days=30 * 6),
|
||||
"key-properties": autosign_properties(
|
||||
os.environ["DEFAULT_ALGORITHM_NUMBER"], os.environ["DEFAULT_BITS"]
|
||||
),
|
||||
"key-properties": autosign_properties(Algorithm.default()),
|
||||
"additional-tests": [
|
||||
{
|
||||
"callback": cb_rrsig_reuse,
|
||||
|
|
@ -401,9 +395,7 @@ def cb_remove_keyfiles(params, ksks=None, zsks=None):
|
|||
"policy": "autosign",
|
||||
"config": autosign_config,
|
||||
"offset": -timedelta(days=30 * 6),
|
||||
"key-properties": autosign_properties(
|
||||
os.environ["DEFAULT_ALGORITHM_NUMBER"], os.environ["DEFAULT_BITS"]
|
||||
),
|
||||
"key-properties": autosign_properties(Algorithm.default()),
|
||||
"additional-tests": [
|
||||
{
|
||||
"callback": cb_rrsig_refresh,
|
||||
|
|
@ -419,9 +411,7 @@ def cb_remove_keyfiles(params, ksks=None, zsks=None):
|
|||
"policy": "autosign",
|
||||
"config": autosign_config,
|
||||
"offset": -timedelta(days=30 * 6),
|
||||
"key-properties": autosign_properties(
|
||||
os.environ["DEFAULT_ALGORITHM_NUMBER"], os.environ["DEFAULT_BITS"]
|
||||
),
|
||||
"key-properties": autosign_properties(Algorithm.default()),
|
||||
"additional-tests": [
|
||||
{
|
||||
"callback": cb_remove_keyfiles,
|
||||
|
|
@ -438,8 +428,8 @@ def cb_remove_keyfiles(params, ksks=None, zsks=None):
|
|||
"config": autosign_config,
|
||||
"offset": -timedelta(days=30 * 6),
|
||||
"key-properties": [
|
||||
f"ksk 63072000 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent missing",
|
||||
f"zsk 31536000 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
f"ksk 63072000 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent missing",
|
||||
f"zsk 31536000 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
],
|
||||
},
|
||||
id="ksk-missing.autosign",
|
||||
|
|
@ -451,8 +441,8 @@ def cb_remove_keyfiles(params, ksks=None, zsks=None):
|
|||
"config": autosign_config,
|
||||
"offset": -timedelta(days=30 * 6),
|
||||
"key-properties": [
|
||||
f"ksk 63072000 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk 31536000 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent missing",
|
||||
f"ksk 63072000 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk 31536000 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent missing",
|
||||
],
|
||||
},
|
||||
id="zsk-missing.autosign",
|
||||
|
|
@ -511,8 +501,8 @@ def cb_remove_keyfiles(params, ksks=None, zsks=None):
|
|||
},
|
||||
"key-directories": ["{keydir}/ksk", "{keydir}/zsk"],
|
||||
"key-properties": [
|
||||
f"ksk unlimited {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||
f"zsk unlimited {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
|
||||
f"ksk unlimited {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||
f"zsk unlimited {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
|
||||
],
|
||||
},
|
||||
id="keystore.kasp",
|
||||
|
|
@ -613,7 +603,7 @@ def cb_remove_keyfiles(params, ksks=None, zsks=None):
|
|||
"policy": "unlimited",
|
||||
"config": kasp_config,
|
||||
"key-properties": [
|
||||
f"csk 0 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="unlimited.kasp",
|
||||
|
|
@ -1096,18 +1086,16 @@ def test_kasp_dynamic(ns3):
|
|||
assert f"zone_resigninc: zone {zone}/IN (unsigned): enter" not in "ns3/named.run"
|
||||
|
||||
|
||||
def test_kasp_checkds(ns3):
|
||||
def test_kasp_checkds(ns3, default_algorithm):
|
||||
def wait_for_metadata():
|
||||
return isctest.util.file_contents_contain(ksk.statefile, metadata)
|
||||
|
||||
# Zone: checkds-ksk.kasp.
|
||||
zone = "checkds-ksk.kasp"
|
||||
policy = "checkds-ksk"
|
||||
alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
|
||||
size = os.environ["DEFAULT_BITS"]
|
||||
policy_keys = [
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
|
||||
]
|
||||
|
||||
isctest.kasp.wait_keymgr_done(ns3, zone)
|
||||
|
|
@ -1140,19 +1128,17 @@ def test_kasp_checkds(ns3):
|
|||
isctest.kasp.check_keys(zone, keys, expected)
|
||||
|
||||
|
||||
def test_kasp_checkds_doubleksk(ns3):
|
||||
def test_kasp_checkds_doubleksk(ns3, default_algorithm):
|
||||
def wait_for_metadata():
|
||||
return isctest.util.file_contents_contain(ksk.statefile, metadata)
|
||||
|
||||
# Zone: checkds-doubleksk.kasp.
|
||||
zone = "checkds-doubleksk.kasp"
|
||||
policy = "checkds-doubleksk"
|
||||
alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
|
||||
size = os.environ["DEFAULT_BITS"]
|
||||
policy_keys = [
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
|
||||
]
|
||||
|
||||
isctest.kasp.wait_keymgr_done(ns3, zone)
|
||||
|
|
@ -1214,17 +1200,15 @@ def test_kasp_checkds_doubleksk(ns3):
|
|||
isctest.kasp.check_keys(zone, keys, expected)
|
||||
|
||||
|
||||
def test_kasp_checkds_csk(ns3):
|
||||
def test_kasp_checkds_csk(ns3, default_algorithm):
|
||||
def wait_for_metadata():
|
||||
return isctest.util.file_contents_contain(ksk.statefile, metadata)
|
||||
|
||||
# Zone: checkds-csk.kasp.
|
||||
zone = "checkds-csk.kasp"
|
||||
policy = "checkds-csk"
|
||||
alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
|
||||
size = os.environ["DEFAULT_BITS"]
|
||||
policy_keys = [
|
||||
f"csk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
]
|
||||
|
||||
isctest.kasp.wait_keymgr_done(ns3, zone)
|
||||
|
|
@ -1461,7 +1445,7 @@ def test_kasp_dnssec_keygen():
|
|||
isctest.kasp.check_keytimes(keys, expected)
|
||||
|
||||
|
||||
def test_kasp_zsk_retired(ns3):
|
||||
def test_kasp_zsk_retired(ns3, default_algorithm):
|
||||
config = {
|
||||
"dnskey-ttl": timedelta(seconds=300),
|
||||
"ds-ttl": timedelta(days=1),
|
||||
|
|
@ -1476,14 +1460,12 @@ def test_kasp_zsk_retired(ns3):
|
|||
|
||||
zone = "zsk-retired.autosign"
|
||||
policy = "autosign"
|
||||
alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
|
||||
size = os.environ["DEFAULT_BITS"]
|
||||
key_properties = [
|
||||
f"ksk 63072000 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"ksk 63072000 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
# zsk predecessor
|
||||
f"zsk 31536000 {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
|
||||
f"zsk 31536000 {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
|
||||
# zsk successor
|
||||
f"zsk 31536000 {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden",
|
||||
f"zsk 31536000 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:hidden",
|
||||
]
|
||||
|
||||
isctest.kasp.wait_keymgr_done(ns3, zone)
|
||||
|
|
@ -1682,18 +1664,16 @@ def test_kasp_reload_restart(ns6):
|
|||
isctest.run.retry_with_timeout(check_soa_ttl, timeout=10)
|
||||
|
||||
|
||||
def test_kasp_manual_mode(ns3):
|
||||
def test_kasp_manual_mode(ns3, default_algorithm):
|
||||
|
||||
keydir = ns3.identifier
|
||||
zone = "keyfiles-missing.manual"
|
||||
policy = "manual"
|
||||
ttl = int(autosign_config["dnskey-ttl"].total_seconds())
|
||||
offset = -timedelta(days=30 * 6)
|
||||
alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
|
||||
size = os.environ["DEFAULT_BITS"]
|
||||
keyprops = [
|
||||
f"ksk {lifetime['P2Y']} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk {lifetime['P2M']} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
f"ksk {lifetime['P2Y']} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk {lifetime['P2M']} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
]
|
||||
|
||||
isctest.kasp.wait_keymgr_done(ns3, zone)
|
||||
|
|
@ -1768,9 +1748,9 @@ def test_kasp_manual_mode(ns3):
|
|||
|
||||
# Check keys again, make sure the rollover has started.
|
||||
keyprops = [
|
||||
f"ksk {lifetime['P2Y']} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk {lifetime['P2M']} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
|
||||
f"zsk {lifetime['P2M']} {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden",
|
||||
f"ksk {lifetime['P2Y']} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk {lifetime['P2M']} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
|
||||
f"zsk {lifetime['P2M']} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:hidden",
|
||||
]
|
||||
expected = isctest.kasp.policy_to_properties(ttl=ttl, keys=keyprops)
|
||||
keys = isctest.kasp.keydir_to_keylist(zone, keydir)
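Review bot: The unchanged assertion at the top of the `test_kasp_checkds` hunk, `assert f"zone_resigninc: zone {zone}/IN (unsigned): enter" not in "ns3/named.run"`, tests membership in the literal path string rather than in the log file, so it can never fail. It belongs to `test_kasp_dynamic`, whose body starts outside the hunk, and this commit leaves it as it was. If the intent is to check the log contents, something like `assert not isctest.util.file_contents_contain("ns3/named.run", f"zone_resigninc: zone {zone}/IN (unsigned): enter")` would do it, assuming that helper takes a path and a substring as its use in `wait_for_metadata` suggests.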
|
||||
|
|
|
|||
|
|
@ -19,6 +19,7 @@ import time
|
|||
import pytest
|
||||
|
||||
from isctest.kasp import KeyTimingMetadata
|
||||
from isctest.vars.algorithms import Algorithm
|
||||
|
||||
import isctest
|
||||
|
||||
|
|
@ -112,12 +113,17 @@ def ksr(zone, policy, action, options="", raise_on_exception=True, to_file=""):
|
|||
def check_keys(
|
||||
keys,
|
||||
lifetime,
|
||||
alg=os.environ["DEFAULT_ALGORITHM_DST_NUMBER"],
|
||||
size=os.environ["DEFAULT_BITS"],
|
||||
alg=None,
|
||||
size=None,
|
||||
offset=0,
|
||||
with_state=False,
|
||||
):
|
||||
# Check keys that were created.
|
||||
if alg is None:
|
||||
alg = Algorithm.default().dst
|
||||
if size is None:
|
||||
size = Algorithm.default().bits
|
||||
|
||||
num = 0
|
||||
|
||||
now = KeyTimingMetadata.now()
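Review bot: The fallback values for `alg` and `size` in `check_keys` change type here: the old defaults were the strings from `os.environ`, and the new ones are the ints `Algorithm.default().dst` and `Algorithm.default().bits`. The body of `check_keys` continues outside the hunk, so I cannot see how the two are used; if they are compared with text parsed from key files, or if callers still pass strings explicitly, the comparison would mix `str` and `int` and stop matching without an error. A comment at the top of the function stating the expected type, such as `# alg is the DST algorithm number and size the key length in bits; None selects Algorithm.default()`, plus a check of the call sites, would settle it.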
|
||||
|
|
|
|||
|
|
@ -15,6 +15,8 @@ import os
|
|||
|
||||
import pytest
|
||||
|
||||
from isctest.vars.algorithms import Algorithm
|
||||
|
||||
import isctest
|
||||
import isctest.mark
|
||||
|
||||
|
|
@ -134,8 +136,8 @@ lifetime = {
|
|||
"config": standard_config,
|
||||
"offset": 0,
|
||||
"key-properties": [
|
||||
f"ksk 0 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:rumoured",
|
||||
f"zsk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
|
||||
f"ksk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:rumoured",
|
||||
f"zsk {lifetime['P60D']} {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
|
||||
],
|
||||
},
|
||||
id="migrate.kasp",
|
||||
|
|
@ -149,7 +151,7 @@ lifetime = {
|
|||
"config": default_config,
|
||||
"offset": 0,
|
||||
"key-properties": [
|
||||
f"csk 0 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:rumoured",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:rumoured",
|
||||
],
|
||||
},
|
||||
id="csk.kasp",
|
||||
|
|
@ -163,7 +165,7 @@ lifetime = {
|
|||
"config": default_config,
|
||||
"offset": 0,
|
||||
"key-properties": [
|
||||
f"csk 0 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:rumoured",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:rumoured",
|
||||
],
|
||||
},
|
||||
id="csk-nosep.kasp",
|
||||
|
|
@ -177,8 +179,8 @@ lifetime = {
|
|||
"config": timing_config,
|
||||
"offset": -timedelta(seconds=300),
|
||||
"key-properties": [
|
||||
f"ksk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:rumoured",
|
||||
f"zsk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
|
||||
f"ksk {lifetime['P60D']} {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:rumoured",
|
||||
f"zsk {lifetime['P60D']} {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
|
||||
],
|
||||
},
|
||||
id="rumoured.kasp",
|
||||
|
|
@ -192,8 +194,8 @@ lifetime = {
|
|||
"config": timing_config,
|
||||
"offset": -timedelta(seconds=3900),
|
||||
"key-properties": [
|
||||
f"ksk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
f"ksk {lifetime['P60D']} {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk {lifetime['P60D']} {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
],
|
||||
},
|
||||
id="omnipresent.kasp",
|
||||
|
|
@ -207,8 +209,8 @@ lifetime = {
|
|||
"config": timing_config,
|
||||
"offset": -timedelta(hours=12),
|
||||
"key-properties": [
|
||||
f"ksk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured",
|
||||
f"zsk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
f"ksk {lifetime['P60D']} {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured",
|
||||
f"zsk {lifetime['P60D']} {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
],
|
||||
},
|
||||
id="no-syncpublish.kasp",
|
||||
|
|
@ -224,8 +226,8 @@ lifetime = {
|
|||
"key-properties": [
|
||||
"ksk - 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
"zsk - 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent",
|
||||
f"ksk 0 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||
f"zsk {lifetime['P60D']} {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
|
||||
f"ksk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||
f"zsk {lifetime['P60D']} {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
|
||||
],
|
||||
},
|
||||
id="migrate-nomatch-algnum.kasp",
|
||||
|
|
@ -257,10 +259,10 @@ lifetime = {
|
|||
"config": migrate_config,
|
||||
"offset": -timedelta(seconds=3900),
|
||||
"key-properties": [
|
||||
f"ksk - {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk - {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
|
||||
f"ksk - {Algorithm.default().number} {Algorithm.default().bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk - {Algorithm.default().number} {Algorithm.default().bits} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
|
||||
# This key is considered to be prepublished, so it is not yet signing, nor is the DS introduced.
|
||||
f"csk 0 {os.environ['DEFAULT_ALGORITHM_NUMBER']} {os.environ['DEFAULT_BITS']} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:hidden ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:hidden ds:hidden",
|
||||
],
|
||||
},
|
||||
id="migrate-nomatch-kzc.kasp",
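Review bot: Every entry in these parameter lists calls `Algorithm.default()` twice per f-string, so the four environment variables are re-read and re-parsed many times at import and the lines become very long. Binding the value once near the top of the module, for example `DEFAULT_ALG = Algorithm.default()`, and writing `{DEFAULT_ALG.number} {DEFAULT_ALG.bits}` would keep each entry readable. The same pattern appears in other sections of this commit, in the `ksk-missing.autosign`, `zsk-missing.autosign`, `keystore.kasp` and `unlimited.kasp` entries and in the nsec3 `csk 0 ...` entries. The lists themselves start and end outside the hunks.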
|
||||
|
|
|
|||
|
|
@ -49,8 +49,6 @@ pytestmark = pytest.mark.extra_artifacts(
|
|||
]
|
||||
)
|
||||
|
||||
ALGORITHM = os.environ["DEFAULT_ALGORITHM_NUMBER"]
|
||||
SIZE = os.environ["DEFAULT_BITS"]
|
||||
CONFIG = {
|
||||
"dnskey-ttl": timedelta(hours=1),
|
||||
"ds-ttl": timedelta(days=1),
|
||||
|
|
@ -506,11 +504,11 @@ def check_remove_cds(
|
|||
check_dnssec(server, zone, keys, expected)
|
||||
|
||||
|
||||
def test_multisigner(ns2, ns3, ns4):
|
||||
def test_multisigner(ns2, ns3, ns4, default_algorithm):
|
||||
zone = "model2.multisigner"
|
||||
keyprops = [
|
||||
f"ksk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
]
|
||||
|
||||
# First make sure the zone is properly signed.
|
||||
|
|
@ -550,7 +548,7 @@ def test_multisigner(ns2, ns3, ns4):
|
|||
check_dnssec(ns4, zone, keys4, expected4)
|
||||
|
||||
# Add DNSKEY to RRset.
|
||||
newprops = [f"zsk unlimited {ALGORITHM} {SIZE}"]
|
||||
newprops = [f"zsk unlimited {default_algorithm.number} {default_algorithm.bits}"]
|
||||
extra = isctest.kasp.policy_to_properties(ttl=TTL, keys=newprops)
|
||||
extra[0].private = False
|
||||
extra[0].legacy = True
|
||||
|
|
@ -565,7 +563,7 @@ def test_multisigner(ns2, ns3, ns4):
|
|||
check_no_dnssec_in_journal(ns4, zone)
|
||||
|
||||
# Add CDNSKEY RRset.
|
||||
newprops = [f"ksk unlimited {ALGORITHM} {SIZE}"]
|
||||
newprops = [f"ksk unlimited {default_algorithm.number} {default_algorithm.bits}"]
|
||||
extra = isctest.kasp.policy_to_properties(ttl=TTL, keys=newprops)
|
||||
extra[0].private = False
|
||||
extra[0].legacy = True
|
||||
|
|
@ -613,11 +611,11 @@ def test_multisigner_bad_dsync(ns3, ns4):
|
|||
)
|
||||
|
||||
|
||||
def test_multisigner_secondary(ns2, ns3, ns4, ns5):
|
||||
def test_multisigner_secondary(ns2, ns3, ns4, ns5, default_algorithm):
|
||||
zone = "model2.secondary"
|
||||
keyprops = [
|
||||
f"ksk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
]
|
||||
|
||||
# First make sure the zone is properly signed.
|
||||
|
|
@ -658,7 +656,7 @@ def test_multisigner_secondary(ns2, ns3, ns4, ns5):
|
|||
check_dnssec(ns4, zone, keys4, expected4)
|
||||
|
||||
# Add DNSKEY to RRset.
|
||||
newprops = [f"zsk unlimited {ALGORITHM} {SIZE}"]
|
||||
newprops = [f"zsk unlimited {default_algorithm.number} {default_algorithm.bits}"]
|
||||
extra = isctest.kasp.policy_to_properties(ttl=TTL, keys=newprops)
|
||||
extra[0].private = False
|
||||
extra[0].legacy = True
|
||||
|
|
@ -675,7 +673,7 @@ def test_multisigner_secondary(ns2, ns3, ns4, ns5):
|
|||
check_no_dnssec_in_journal(ns4, zone)
|
||||
|
||||
# Add CDNSKEY RRset.
|
||||
newprops = [f"ksk unlimited {ALGORITHM} {SIZE}"]
|
||||
newprops = [f"ksk unlimited {default_algorithm.number} {default_algorithm.bits}"]
|
||||
extra = isctest.kasp.policy_to_properties(ttl=TTL, keys=newprops)
|
||||
extra[0].private = False
|
||||
extra[0].legacy = True
|
||||
|
|
|
|||
|
|
@ -11,8 +11,6 @@
|
|||
|
||||
from datetime import timedelta
|
||||
|
||||
import os
|
||||
|
||||
import dns
|
||||
import pytest
|
||||
|
||||
|
|
@ -39,9 +37,6 @@ pytestmark = pytest.mark.extra_artifacts(
|
|||
]
|
||||
)
|
||||
|
||||
ALGORITHM = os.environ["DEFAULT_ALGORITHM_NUMBER"]
|
||||
SIZE = os.environ["DEFAULT_BITS"]
|
||||
|
||||
default_config = {
|
||||
"dnskey-ttl": timedelta(hours=1),
|
||||
"ds-ttl": timedelta(days=1),
|
||||
|
|
|
|||
|
|
@ -19,8 +19,8 @@ import dns
|
|||
import dns.update
|
||||
import pytest
|
||||
|
||||
from isctest.vars.algorithms import RSASHA1
|
||||
from nsec3.common import ALGORITHM, SIZE, check_nsec3_case, default_config, pytestmark
|
||||
from isctest.vars.algorithms import RSASHA1, Algorithm
|
||||
from nsec3.common import check_nsec3_case, default_config, pytestmark
|
||||
|
||||
import isctest
|
||||
import isctest.mark
|
||||
|
|
@ -95,7 +95,7 @@ def test_nsec3_case(ns3):
|
|||
"salt-length": 8,
|
||||
},
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
}
|
||||
zone = params["zone"]
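Review bot: This `key-properties` entry uses `Algorithm.default()` although the hunk header and the following `zone = params["zone"]` suggest the dict is built inside `test_nsec3_case`, where the commit message says the fixture should be used. For consistency with the other tests in this commit, the test could take the fixture, `def test_nsec3_case(ns3, default_algorithm):`, and format the entry with `{default_algorithm.number} {default_algorithm.bits}`. The function's signature and the start of the dict are outside the hunk, so confirm the dict is not module-level before changing it.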
|
||||
|
|
|
|||
|
|
@ -17,8 +17,8 @@ import dns
|
|||
import dns.update
|
||||
import pytest
|
||||
|
||||
from isctest.vars.algorithms import RSASHA1
|
||||
from nsec3.common import ALGORITHM, SIZE, check_nsec3_case, default_config, pytestmark
|
||||
from isctest.vars.algorithms import RSASHA1, Algorithm
|
||||
from nsec3.common import check_nsec3_case, default_config, pytestmark
|
||||
|
||||
import isctest
|
||||
import isctest.mark
|
||||
|
|
@ -65,7 +65,7 @@ def bootstrap():
|
|||
"zone": "nsec-to-nsec3.kasp",
|
||||
"policy": "nsec",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec-to-nsec3.kasp",
|
||||
|
|
@ -99,10 +99,10 @@ def bootstrap():
|
|||
"zone": "nsec3-xfr-inline.kasp",
|
||||
"policy": "nsec",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
"external-keys": [
|
||||
f"csk 0 {ALGORITHM} {SIZE}",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits}",
|
||||
],
|
||||
"external-keydir": "ns2",
|
||||
},
|
||||
|
|
@ -113,7 +113,7 @@ def bootstrap():
|
|||
"zone": "nsec3-dynamic-update-inline.kasp",
|
||||
"policy": "nsec",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-dynamic-update-inline.kasp",
|
||||
|
|
@ -156,7 +156,7 @@ def test_nsec_case(ns3, params):
|
|||
"zone": "nsec3-to-rsasha1.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
|
||||
],
|
||||
},
|
||||
id="nsec3-to-rsasha1.kasp",
|
||||
|
|
@ -167,7 +167,7 @@ def test_nsec_case(ns3, params):
|
|||
"zone": "nsec3-to-rsasha1-ds.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
|
||||
],
|
||||
},
|
||||
id="nsec3-to-rsasha1-ds.kasp",
|
||||
|
|
@ -178,7 +178,7 @@ def test_nsec_case(ns3, params):
|
|||
"zone": "nsec3.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3.kasp",
|
||||
|
|
@ -188,7 +188,7 @@ def test_nsec_case(ns3, params):
|
|||
"zone": "nsec3-dynamic.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-dynamic.kasp",
|
||||
|
|
@ -198,7 +198,7 @@ def test_nsec_case(ns3, params):
|
|||
"zone": "nsec3-change.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-change.kasp",
|
||||
|
|
@ -208,7 +208,7 @@ def test_nsec_case(ns3, params):
|
|||
"zone": "nsec3-dynamic-change.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-dynamic-change.kasp",
|
||||
|
|
@ -218,7 +218,7 @@ def test_nsec_case(ns3, params):
|
|||
"zone": "nsec3-dynamic-to-inline.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-dynamic-to-inline.kasp",
|
||||
|
|
@ -228,7 +228,7 @@ def test_nsec_case(ns3, params):
|
|||
"zone": "nsec3-inline-to-dynamic.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-inline-to-dynamic.kasp",
|
||||
|
|
@ -238,7 +238,7 @@ def test_nsec_case(ns3, params):
|
|||
"zone": "nsec3-to-nsec.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-to-nsec.kasp",
|
||||
|
|
@ -248,7 +248,7 @@ def test_nsec_case(ns3, params):
|
|||
"zone": "nsec3-to-optout.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-to-optout.kasp",
|
||||
|
|
@ -262,7 +262,7 @@ def test_nsec_case(ns3, params):
|
|||
"salt-length": 0,
|
||||
},
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-from-optout.kasp",
|
||||
|
|
@ -276,7 +276,7 @@ def test_nsec_case(ns3, params):
|
|||
"salt-length": 8,
|
||||
},
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-other.kasp",
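Review bot: `Algorithm.default()` is called twice in every `key-properties` and `external-keys` string in this file, so the same pair of calls is repeated across all the entries carrying an `id=` and each line becomes very long. Binding it once near the imports, `DEFAULT_ALG = Algorithm.default()`, and writing `f"csk 0 {DEFAULT_ALG.number} {DEFAULT_ALG.bits} ..."` would tie number and bits visibly to one object and make the entries easier to scan. What `default()` does internally cannot be seen from this diff, so this is a readability point rather than a correctness one. The same repetition appears in the later file sections that import `Algorithm` next to `check_nsec3_case`, and the lists these entries belong to start and end outside the hunks.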
|
||||
|
|
|
|||
|
|
@ -19,8 +19,8 @@ import dns
|
|||
import dns.update
|
||||
import pytest
|
||||
|
||||
from isctest.vars.algorithms import RSASHA1
|
||||
from nsec3.common import ALGORITHM, SIZE, check_nsec3_case, default_config, pytestmark
|
||||
from isctest.vars.algorithms import RSASHA1, Algorithm
|
||||
from nsec3.common import check_nsec3_case, default_config, pytestmark
|
||||
|
||||
import isctest
|
||||
import isctest.mark
|
||||
|
|
@ -92,7 +92,7 @@ def after_servers_start(ns3, templates):
|
|||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {RSASHA1.number} 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="rsasha1-to-nsec3.kasp",
|
||||
|
|
@ -104,7 +104,7 @@ def after_servers_start(ns3, templates):
|
|||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {RSASHA1.number} 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="rsasha1-to-nsec3-wait.kasp",
|
||||
|
|
@ -115,7 +115,7 @@ def after_servers_start(ns3, templates):
|
|||
"zone": "nsec3-to-rsasha1.kasp",
|
||||
"policy": "rsasha1",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
|
||||
f"csk 0 {RSASHA1.number} 2048 goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
|
|
@ -127,7 +127,7 @@ def after_servers_start(ns3, templates):
|
|||
"zone": "nsec3-to-rsasha1-ds.kasp",
|
||||
"policy": "rsasha1",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent",
|
||||
f"csk 0 {RSASHA1.number} 2048 goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
|
|
@ -139,7 +139,7 @@ def after_servers_start(ns3, templates):
|
|||
"zone": "nsec3-to-nsec.kasp",
|
||||
"policy": "nsec",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-to-nsec.kasp",
|
||||
|
|
@ -164,7 +164,7 @@ def test_nsec_case(ns3, params):
|
|||
"zone": "nsec-to-nsec3.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec-to-nsec3.kasp",
|
||||
|
|
@ -174,7 +174,7 @@ def test_nsec_case(ns3, params):
|
|||
"zone": "nsec3.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3.kasp",
|
||||
|
|
@ -184,7 +184,7 @@ def test_nsec_case(ns3, params):
|
|||
"zone": "nsec3-dynamic.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-dynamic.kasp",
|
||||
|
|
@ -198,7 +198,7 @@ def test_nsec_case(ns3, params):
|
|||
"salt-length": 8,
|
||||
},
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-dynamic-change.kasp",
|
||||
|
|
@ -208,7 +208,7 @@ def test_nsec_case(ns3, params):
|
|||
"zone": "nsec3-dynamic-to-inline.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-dynamic-to-inline.kasp",
|
||||
|
|
@ -218,7 +218,7 @@ def test_nsec_case(ns3, params):
|
|||
"zone": "nsec3-inline-to-dynamic.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-inline-to-dynamic.kasp",
|
||||
|
|
@ -235,7 +235,7 @@ def test_nsec_case(ns3, params):
|
|||
# "salt-length": 0,
|
||||
# },
|
||||
# "key-properties": [
|
||||
# f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
# f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
# ],
|
||||
# },
|
||||
# id="nsec3-to-optout.kasp",
|
||||
|
|
@ -248,7 +248,7 @@ def test_nsec_case(ns3, params):
|
|||
# "zone": "nsec3-from-optout.kasp",
|
||||
# "policy": "optout",
|
||||
# "key-properties": [
|
||||
# f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
# f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
# ],
|
||||
# },
|
||||
# id="nsec3-from-optout.kasp",
|
||||
|
|
@ -262,7 +262,7 @@ def test_nsec_case(ns3, params):
|
|||
"salt-length": 8,
|
||||
},
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-other.kasp",
|
||||
|
|
@ -286,7 +286,7 @@ def test_nsec3_ent(ns3, templates):
|
|||
"zone": "nsec3-ent.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ import time
|
|||
import dns
|
||||
import pytest
|
||||
|
||||
from nsec3.common import ALGORITHM, SIZE, check_nsec3_case
|
||||
from nsec3.common import check_nsec3_case
|
||||
|
||||
import isctest
|
||||
|
||||
|
|
@ -34,13 +34,13 @@ def bootstrap():
|
|||
}
|
||||
|
||||
|
||||
def test_nsec3_case(ns3):
|
||||
def test_nsec3_case(ns3, default_algorithm):
|
||||
# Get test parameters.
|
||||
params = {
|
||||
"zone": "nsec3-fails-to-load.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
}
|
||||
zone = params["zone"]
|
||||
|
|
|
|||
|
|
@ -17,14 +17,8 @@ import dns
|
|||
import dns.update
|
||||
import pytest
|
||||
|
||||
from nsec3.common import (
|
||||
ALGORITHM,
|
||||
SIZE,
|
||||
check_nsec3_case,
|
||||
check_nsec3param,
|
||||
default_config,
|
||||
pytestmark,
|
||||
)
|
||||
from isctest.vars.algorithms import Algorithm
|
||||
from nsec3.common import check_nsec3_case, check_nsec3param, default_config, pytestmark
|
||||
|
||||
import isctest
|
||||
import isctest.mark
|
||||
|
|
@ -75,7 +69,7 @@ def perform_nsec3_tests(server, params):
|
|||
"zone": "nsec3.kasp",
|
||||
"policy": "nsec3",
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3.kasp",
|
||||
|
|
@ -89,7 +83,7 @@ def perform_nsec3_tests(server, params):
|
|||
"salt-length": 8,
|
||||
},
|
||||
"key-properties": [
|
||||
f"csk 0 {ALGORITHM} {SIZE} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {Algorithm.default().number} {Algorithm.default().bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
},
|
||||
id="nsec3-other.kasp",
|
||||
|
|
|
|||
|
|
@ -27,9 +27,7 @@ from rollover.common import (
|
|||
CDSS,
|
||||
DURATION,
|
||||
TIMEDELTA,
|
||||
alg,
|
||||
pytestmark,
|
||||
size,
|
||||
)
|
||||
from rollover.setup import configure_algo_csk, configure_root, configure_tld
|
||||
|
||||
|
|
@ -87,7 +85,7 @@ def after_servers_start(ns3, templates):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_algoroll_csk_reconfig_step1(tld, ns3, alg, size):
|
||||
def test_algoroll_csk_reconfig_step1(tld, ns3, default_algorithm):
|
||||
zone = f"step1.csk-algorithm-roll.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -128,7 +126,7 @@ def test_algoroll_csk_reconfig_step1(tld, ns3, alg, size):
|
|||
# The RSASHA keys are outroducing.
|
||||
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
|
||||
# The ECDSAP256SHA256 keys are introducing.
|
||||
f"csk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
# Next key event is when the ecdsa256 keys have been propagated.
|
||||
"nextev": ALGOROLL_IPUB,
|
||||
|
|
@ -145,7 +143,7 @@ def test_algoroll_csk_reconfig_step1(tld, ns3, alg, size):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_algoroll_csk_reconfig_step2(tld, ns3, alg, size):
|
||||
def test_algoroll_csk_reconfig_step2(tld, ns3, default_algorithm):
|
||||
zone = f"step2.csk-algorithm-roll.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -163,7 +161,7 @@ def test_algoroll_csk_reconfig_step2(tld, ns3, alg, size):
|
|||
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
|
||||
# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is
|
||||
# omnipresent, but the zone signatures are not.
|
||||
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{ALGOROLL_OFFSETS['step2']}",
|
||||
f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{ALGOROLL_OFFSETS['step2']}",
|
||||
],
|
||||
# Next key event is when all zone signatures are signed with the
|
||||
# new algorithm. This is the child publication interval, minus
|
||||
|
|
@ -184,7 +182,7 @@ def test_algoroll_csk_reconfig_step2(tld, ns3, alg, size):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_algoroll_csk_reconfig_step3(tld, ns3, alg, size):
|
||||
def test_algoroll_csk_reconfig_step3(tld, ns3, default_algorithm):
|
||||
zone = f"step3.csk-algorithm-roll.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -197,7 +195,7 @@ def test_algoroll_csk_reconfig_step3(tld, ns3, alg, size):
|
|||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
|
||||
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFSETS['step3']}",
|
||||
f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFSETS['step3']}",
|
||||
],
|
||||
"manual-mode": True,
|
||||
"nextev": None,
|
||||
|
|
@ -237,7 +235,7 @@ def test_algoroll_csk_reconfig_step3(tld, ns3, alg, size):
|
|||
"keyprops": [
|
||||
# The DS can be swapped.
|
||||
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:unretentive offset:{ALGOROLL_OFFVAL}",
|
||||
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{ALGOROLL_OFFSETS['step3']}",
|
||||
f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{ALGOROLL_OFFSETS['step3']}",
|
||||
],
|
||||
# Next key event is when the DS becomes OMNIPRESENT. This happens
|
||||
# after the publication interval of the parent side.
|
||||
|
|
@ -258,7 +256,7 @@ def test_algoroll_csk_reconfig_step3(tld, ns3, alg, size):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_algoroll_csk_reconfig_step4(tld, ns3, alg, size):
|
||||
def test_algoroll_csk_reconfig_step4(tld, ns3, default_algorithm):
|
||||
zone = f"step4.csk-algorithm-roll.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -271,7 +269,7 @@ def test_algoroll_csk_reconfig_step4(tld, ns3, alg, size):
|
|||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFVAL}",
|
||||
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
|
||||
f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
|
||||
],
|
||||
"manual-mode": True,
|
||||
"nextev": None,
|
||||
|
|
@ -297,7 +295,7 @@ def test_algoroll_csk_reconfig_step4(tld, ns3, alg, size):
|
|||
"keyprops": [
|
||||
# The old DS is HIDDEN, we can remove the old algorithm records.
|
||||
f"csk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}",
|
||||
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
|
||||
f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
|
||||
],
|
||||
# Next key event is when the old DNSKEY becomes HIDDEN.
|
||||
# This happens after the DNSKEY TTL plus zone propagation delay.
|
||||
|
|
@ -315,7 +313,7 @@ def test_algoroll_csk_reconfig_step4(tld, ns3, alg, size):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_algoroll_csk_reconfig_step5(tld, ns3, alg, size):
|
||||
def test_algoroll_csk_reconfig_step5(tld, ns3, default_algorithm):
|
||||
zone = f"step5.csk-algorithm-roll.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -329,7 +327,7 @@ def test_algoroll_csk_reconfig_step5(tld, ns3, alg, size):
|
|||
"keyprops": [
|
||||
# The DNSKEY becomes HIDDEN.
|
||||
f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}",
|
||||
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
|
||||
f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
|
||||
],
|
||||
# Next key event is when the RSASHA signatures become HIDDEN.
|
||||
# This happens after the max-zone-ttl plus zone propagation delay
|
||||
|
|
@ -351,7 +349,7 @@ def test_algoroll_csk_reconfig_step5(tld, ns3, alg, size):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_algoroll_csk_reconfig_step6(tld, ns3, alg, size):
|
||||
def test_algoroll_csk_reconfig_step6(tld, ns3, default_algorithm):
|
||||
zone = f"step6.csk-algorithm-roll.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -365,7 +363,7 @@ def test_algoroll_csk_reconfig_step6(tld, ns3, alg, size):
|
|||
"keyprops": [
|
||||
# The zone signatures are now HIDDEN.
|
||||
f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}",
|
||||
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
|
||||
f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
|
||||
],
|
||||
# Next key event is never since we established the policy and the
|
||||
# keys have an unlimited lifetime. Fallback to the default
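Review bot: The comments next to the changed lines still name a fixed algorithm, `# The ECDSAP256SHA256 keys are introducing.` in the step1 and step2 hunks and `# Next key event is when the ecdsa256 keys have been propagated.` in step1, while the expected key line now takes its number and size from `default_algorithm`. If the default can be something other than ECDSAP256SHA256, which this diff does not show, those comments describe the wrong key. Wording such as `# The default-algorithm keys are introducing.` would stay accurate either way. The test bodies continue outside the hunks.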
|
||||
|
|
|
|||
|
|
@ -27,9 +27,7 @@ from rollover.common import (
|
|||
CDSS,
|
||||
DURATION,
|
||||
TIMEDELTA,
|
||||
alg,
|
||||
pytestmark,
|
||||
size,
|
||||
)
|
||||
from rollover.setup import configure_algo_ksk_zsk, configure_root, configure_tld
|
||||
|
||||
|
|
@ -85,7 +83,7 @@ def after_servers_start(ns3, templates):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_algoroll_ksk_zsk_reconfig_step1(tld, ns3, alg, size):
|
||||
def test_algoroll_ksk_zsk_reconfig_step1(tld, ns3, default_algorithm):
|
||||
zone = f"step1.algorithm-roll.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -130,8 +128,8 @@ def test_algoroll_ksk_zsk_reconfig_step1(tld, ns3, alg, size):
|
|||
f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
|
||||
f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}",
|
||||
# The ECDSAP256SHA256 keys are introducing.
|
||||
f"ksk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||
f"zsk 0 {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
|
||||
f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||
f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
|
||||
],
|
||||
# Next key event is when the ecdsa256 keys have been propagated.
|
||||
"nextev": ALGOROLL_IPUB,
|
||||
|
|
@ -148,7 +146,7 @@ def test_algoroll_ksk_zsk_reconfig_step1(tld, ns3, alg, size):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_algoroll_ksk_zsk_reconfig_step2(tld, ns3, alg, size):
|
||||
def test_algoroll_ksk_zsk_reconfig_step2(tld, ns3, default_algorithm):
|
||||
zone = f"step2.algorithm-roll.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -167,8 +165,8 @@ def test_algoroll_ksk_zsk_reconfig_step2(tld, ns3, alg, size):
|
|||
f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}",
|
||||
# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is
|
||||
# omnipresent, but the zone signatures are not.
|
||||
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFSETS['step2']}",
|
||||
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{ALGOROLL_OFFSETS['step2']}",
|
||||
f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFSETS['step2']}",
|
||||
f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{ALGOROLL_OFFSETS['step2']}",
|
||||
],
|
||||
# Next key event is when all zone signatures are signed with the new
|
||||
# algorithm. This is the max-zone-ttl plus zone propagation delay. But
|
||||
|
|
@ -189,7 +187,7 @@ def test_algoroll_ksk_zsk_reconfig_step2(tld, ns3, alg, size):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_algoroll_ksk_zsk_reconfig_step3(tld, ns3, alg, size):
|
||||
def test_algoroll_ksk_zsk_reconfig_step3(tld, ns3, default_algorithm):
|
||||
zone = f"step3.algorithm-roll.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -203,8 +201,8 @@ def test_algoroll_ksk_zsk_reconfig_step3(tld, ns3, alg, size):
|
|||
"keyprops": [
|
||||
f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
|
||||
f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}",
|
||||
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFSETS['step3']}",
|
||||
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step3']}",
|
||||
f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFSETS['step3']}",
|
||||
f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step3']}",
|
||||
],
|
||||
"manual-mode": True,
|
||||
"nextev": None,
|
||||
|
|
@ -245,8 +243,8 @@ def test_algoroll_ksk_zsk_reconfig_step3(tld, ns3, alg, size):
|
|||
# The DS can be swapped.
|
||||
f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{ALGOROLL_OFFVAL}",
|
||||
f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}",
|
||||
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{ALGOROLL_OFFSETS['step3']}",
|
||||
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step3']}",
|
||||
f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{ALGOROLL_OFFSETS['step3']}",
|
||||
f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step3']}",
|
||||
],
|
||||
# Next key event is when the DS becomes OMNIPRESENT. This happens
|
||||
# after the retire interval.
|
||||
|
|
@ -267,7 +265,7 @@ def test_algoroll_ksk_zsk_reconfig_step3(tld, ns3, alg, size):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_algoroll_ksk_zsk_reconfig_step4(tld, ns3, alg, size):
|
||||
def test_algoroll_ksk_zsk_reconfig_step4(tld, ns3, default_algorithm):
|
||||
zone = f"step4.algorithm-roll.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -281,8 +279,8 @@ def test_algoroll_ksk_zsk_reconfig_step4(tld, ns3, alg, size):
|
|||
"keyprops": [
|
||||
f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFVAL}",
|
||||
f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}",
|
||||
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
|
||||
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
|
||||
f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
|
||||
f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
|
||||
],
|
||||
"manual-mode": True,
|
||||
"nextev": None,
|
||||
|
|
@ -312,8 +310,8 @@ def test_algoroll_ksk_zsk_reconfig_step4(tld, ns3, alg, size):
|
|||
# The old DS is HIDDEN, we can remove the old algorithm records.
|
||||
f"ksk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}",
|
||||
f"zsk 0 8 2048 goal:hidden dnskey:unretentive zrrsig:unretentive offset:{ALGOROLL_OFFVAL}",
|
||||
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
|
||||
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
|
||||
f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
|
||||
f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
|
||||
],
|
||||
# Next key event is when the old DNSKEY becomes HIDDEN.
|
||||
# This happens after the DNSKEY TTL plus zone propagation delay.
|
||||
|
|
@ -331,7 +329,7 @@ def test_algoroll_ksk_zsk_reconfig_step4(tld, ns3, alg, size):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_algoroll_ksk_zsk_reconfig_step5(tld, ns3, alg, size):
|
||||
def test_algoroll_ksk_zsk_reconfig_step5(tld, ns3, default_algorithm):
|
||||
zone = f"step5.algorithm-roll.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -346,8 +344,8 @@ def test_algoroll_ksk_zsk_reconfig_step5(tld, ns3, alg, size):
|
|||
# The DNSKEY becomes HIDDEN.
|
||||
f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}",
|
||||
f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:unretentive offset:{ALGOROLL_OFFVAL}",
|
||||
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
|
||||
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
|
||||
f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
|
||||
f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
|
||||
],
|
||||
# Next key event is when the RSASHA signatures become HIDDEN.
|
||||
# This happens after the max-zone-ttl plus zone propagation delay
|
||||
|
|
@ -371,7 +369,7 @@ def test_algoroll_ksk_zsk_reconfig_step5(tld, ns3, alg, size):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_algoroll_ksk_zsk_reconfig_step6(tld, ns3, alg, size):
|
||||
def test_algoroll_ksk_zsk_reconfig_step6(tld, ns3, default_algorithm):
|
||||
zone = f"step6.algorithm-roll.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -386,8 +384,8 @@ def test_algoroll_ksk_zsk_reconfig_step6(tld, ns3, alg, size):
|
|||
# The zone signatures are now HIDDEN.
|
||||
f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}",
|
||||
f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:hidden offset:{ALGOROLL_OFFVAL}",
|
||||
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
|
||||
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
|
||||
f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
|
||||
f"zsk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
|
||||
],
|
||||
# Next key event is never since we established the policy and the
|
||||
# keys have an unlimited lifetime. Fallback to the default
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ import pytest
|
|||
|
||||
from isctest.kasp import Ipub, Iret
|
||||
from isctest.util import param
|
||||
from rollover.common import TIMEDELTA, alg, pytestmark, size
|
||||
from rollover.common import TIMEDELTA, pytestmark
|
||||
from rollover.setup import configure_cskroll1, configure_root, configure_tld
|
||||
|
||||
import isctest
|
||||
|
|
@ -92,7 +92,7 @@ def bootstrap():
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_csk_roll1_step1(tld, ns3, alg, size):
|
||||
def test_csk_roll1_step1(tld, ns3, default_algorithm):
|
||||
zone = f"step1.csk-roll1.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -106,7 +106,7 @@ def test_csk_roll1_step1(tld, ns3, alg, size):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
|
||||
],
|
||||
# Next key event is when the successor CSK needs to be published
|
||||
# minus time already elapsed. This is Lcsk - Ipub + Dreg (we ignore
|
||||
|
|
@ -125,7 +125,7 @@ def test_csk_roll1_step1(tld, ns3, alg, size):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_csk_roll1_step2(tld, alg, size, ns3):
|
||||
def test_csk_roll1_step2(tld, ns3, default_algorithm):
|
||||
zone = f"step2.csk-roll1.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -137,7 +137,7 @@ def test_csk_roll1_step2(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
],
|
||||
"manual-mode": True,
|
||||
"nextev": None,
|
||||
|
|
@ -166,8 +166,8 @@ def test_csk_roll1_step2(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:hidden ds:hidden offset:{OFFSETS['step2-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:hidden ds:hidden offset:{OFFSETS['step2-s']}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
# Next key event is when the successor CSK becomes OMNIPRESENT.
|
||||
|
|
@ -185,7 +185,7 @@ def test_csk_roll1_step2(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_csk_roll1_step3(tld, alg, size, ns3):
|
||||
def test_csk_roll1_step3(tld, ns3, default_algorithm):
|
||||
zone = f"step3.csk-roll1.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -197,8 +197,8 @@ def test_csk_roll1_step3(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:hidden offset:{OFFSETS['step3-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:hidden offset:{OFFSETS['step3-s']}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
"manual-mode": True,
|
||||
|
|
@ -249,8 +249,8 @@ def test_csk_roll1_step3(tld, alg, size, ns3):
|
|||
# CSK1 ds: omnipresent -> unretentive
|
||||
# CSK2 ds: hidden -> rumoured
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:unretentive ds:unretentive offset:{OFFSETS['step3-p']}",
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:rumoured offset:{OFFSETS['step3-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:unretentive ds:unretentive offset:{OFFSETS['step3-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:rumoured offset:{OFFSETS['step3-s']}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
# Next key event is when the predecessor DS has been replaced with
|
||||
|
|
@ -277,7 +277,7 @@ def test_csk_roll1_step3(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_csk_roll1_step4(tld, alg, size, ns3):
|
||||
def test_csk_roll1_step4(tld, ns3, default_algorithm):
|
||||
zone = f"step4.csk-roll1.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -289,8 +289,8 @@ def test_csk_roll1_step4(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:unretentive ds:hidden offset:{OFFSETS['step4-p']}",
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:omnipresent offset:{OFFSETS['step4-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:unretentive ds:hidden offset:{OFFSETS['step4-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:omnipresent offset:{OFFSETS['step4-s']}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
"manual-mode": True,
|
||||
|
|
@ -322,8 +322,8 @@ def test_csk_roll1_step4(tld, alg, size, ns3):
|
|||
# CSK1 ds: unretentive -> hidden
|
||||
# CSK2 ds: rumoured -> omnipresent
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:unretentive zrrsig:unretentive ds:hidden offset:{OFFSETS['step4-p']}",
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:omnipresent offset:{OFFSETS['step4-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:unretentive zrrsig:unretentive ds:hidden offset:{OFFSETS['step4-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:omnipresent offset:{OFFSETS['step4-s']}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
# Next key event is when the KRRSIG enters the HIDDEN state.
|
||||
|
|
@ -344,7 +344,7 @@ def test_csk_roll1_step4(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_csk_roll1_step5(tld, alg, size, ns3):
|
||||
def test_csk_roll1_step5(tld, ns3, default_algorithm):
|
||||
zone = f"step5.csk-roll1.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -358,8 +358,8 @@ def test_csk_roll1_step5(tld, alg, size, ns3):
|
|||
# The predecessor KRRSIG records are now all hidden.
|
||||
# CSK1 krrsig: unretentive -> hidden
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:hidden zrrsig:unretentive ds:hidden offset:{OFFSETS['step5-p']}",
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:omnipresent offset:{OFFSETS['step5-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:hidden zrrsig:unretentive ds:hidden offset:{OFFSETS['step5-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:omnipresent offset:{OFFSETS['step5-s']}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
# Next key event is when the DNSKEY can be removed. This is when
|
||||
|
|
@ -379,7 +379,7 @@ def test_csk_roll1_step5(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_csk_roll1_step6(tld, alg, size, ns3):
|
||||
def test_csk_roll1_step6(tld, ns3, default_algorithm):
|
||||
zone = f"step6.csk-roll1.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -397,8 +397,8 @@ def test_csk_roll1_step6(tld, alg, size, ns3):
|
|||
# CSK1 zrrsig: unretentive -> hidden
|
||||
# CSK2 zrrsig: rumoured -> omnipresent
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:unretentive krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step6-p']}",
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:unretentive krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step6-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-s']}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
# Next key event is when the DNSKEY enters the HIDDEN state.
|
||||
|
|
@ -417,7 +417,7 @@ def test_csk_roll1_step6(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_csk_roll1_step7(tld, alg, size, ns3):
|
||||
def test_csk_roll1_step7(tld, ns3, default_algorithm):
|
||||
zone = f"step7.csk-roll1.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -430,8 +430,8 @@ def test_csk_roll1_step7(tld, alg, size, ns3):
|
|||
"cdss": CDSS,
|
||||
# The predecessor CSK is now completely HIDDEN.
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step7-p']}",
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step7-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step7-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step7-s']}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
# Next key event is when the new successor needs to be published.
|
||||
|
|
@ -451,7 +451,7 @@ def test_csk_roll1_step7(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_csk_roll1_step8(tld, alg, size, ns3):
|
||||
def test_csk_roll1_step8(tld, ns3, default_algorithm):
|
||||
zone = f"step8.csk-roll1.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -463,7 +463,7 @@ def test_csk_roll1_step8(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step8-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step8-s']}",
|
||||
],
|
||||
"nextev": None,
|
||||
}
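Review bot: The pair `{default_algorithm.number} {default_algorithm.bits}` is now spelled out in every `keyprops` string from `test_csk_roll1_step1` through `test_csk_roll1_step8`, which buries the key-state fields that each step actually asserts and makes a wrong attribute in a single entry easy to miss. Binding it once per test, for example `algo = f"{default_algorithm.number} {default_algorithm.bits}"`, and writing `f"csk {LIFETIME_POLICY} {algo} goal:hidden ..."` would keep each line focused on the state transition under test. The same repetition appears in the `test_csk_roll2_*` and `test_rollover_enable_dnssec_*` sections that follow. The hunks show only part of each test body, so the binding would go near the existing `zone` and `policy` assignments.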
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ import pytest
|
|||
|
||||
from isctest.kasp import Ipub, Iret
|
||||
from isctest.util import param
|
||||
from rollover.common import TIMEDELTA, alg, pytestmark, size
|
||||
from rollover.common import TIMEDELTA, pytestmark
|
||||
from rollover.setup import configure_cskroll2, configure_root, configure_tld
|
||||
|
||||
import isctest
|
||||
|
|
@ -95,7 +95,7 @@ def bootstrap():
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_csk_roll2_step1(tld, alg, size, ns3):
|
||||
def test_csk_roll2_step1(tld, ns3, default_algorithm):
|
||||
zone = f"step1.csk-roll2.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -109,7 +109,7 @@ def test_csk_roll2_step1(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
|
||||
],
|
||||
# Next key event is when the successor CSK needs to be published
|
||||
# minus time already elapsed. This is Lcsk - Ipub + Dreg (we ignore
|
||||
|
|
@ -128,7 +128,7 @@ def test_csk_roll2_step1(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_csk_roll2_step2(tld, alg, size, ns3):
|
||||
def test_csk_roll2_step2(tld, ns3, default_algorithm):
|
||||
zone = f"step2.csk-roll2.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -140,7 +140,7 @@ def test_csk_roll2_step2(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
],
|
||||
"manual-mode": True,
|
||||
"nextev": None,
|
||||
|
|
@ -169,8 +169,8 @@ def test_csk_roll2_step2(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:hidden ds:hidden offset:{OFFSETS['step2-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:hidden ds:hidden offset:{OFFSETS['step2-s']}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
# Next key event is when the successor CSK becomes OMNIPRESENT.
|
||||
|
|
@ -188,7 +188,7 @@ def test_csk_roll2_step2(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_csk_roll2_step3(tld, alg, size, ns3):
|
||||
def test_csk_roll2_step3(tld, ns3, default_algorithm):
|
||||
zone = f"step3.csk-roll2.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -200,8 +200,8 @@ def test_csk_roll2_step3(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:hidden offset:{OFFSETS['step3-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:hidden offset:{OFFSETS['step3-s']}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
"manual-mode": True,
|
||||
|
|
@ -252,8 +252,8 @@ def test_csk_roll2_step3(tld, alg, size, ns3):
|
|||
# CSK1 ds: omnipresent -> unretentive
|
||||
# CSK2 ds: hidden -> rumoured
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:unretentive ds:unretentive offset:{OFFSETS['step3-p']}",
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:rumoured offset:{OFFSETS['step3-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:unretentive ds:unretentive offset:{OFFSETS['step3-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:rumoured offset:{OFFSETS['step3-s']}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
# Next key event is when the predecessor DS has been replaced with
|
||||
|
|
@ -280,7 +280,7 @@ def test_csk_roll2_step3(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_csk_roll2_step4(tld, alg, size, ns3):
|
||||
def test_csk_roll2_step4(tld, ns3, default_algorithm):
|
||||
zone = f"step4.csk-roll2.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -296,8 +296,8 @@ def test_csk_roll2_step4(tld, alg, size, ns3):
|
|||
# CSK1 zrrsig: unretentive -> hidden
|
||||
# CSK2 zrrsig: rumoured -> omnipresent
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:unretentive offset:{OFFSETS['step4-p']}",
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{OFFSETS['step4-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:unretentive offset:{OFFSETS['step4-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{OFFSETS['step4-s']}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
# Next key event is when the predecessor DS has been replaced with
|
||||
|
|
@ -321,7 +321,7 @@ def test_csk_roll2_step4(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_csk_roll2_step5(tld, alg, size, ns3):
|
||||
def test_csk_roll2_step5(tld, ns3, default_algorithm):
|
||||
zone = f"step5.csk-roll2.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -333,8 +333,8 @@ def test_csk_roll2_step5(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:hidden offset:{OFFSETS['step5-p']}",
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:hidden offset:{OFFSETS['step5-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-s']}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
"manual-mode": True,
|
||||
|
|
@ -367,8 +367,8 @@ def test_csk_roll2_step5(tld, alg, size, ns3):
|
|||
# The successor key is now fully OMNIPRESENT.
|
||||
# CSK2 ds: rumoured -> omnipresent
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:hidden ds:hidden offset:{OFFSETS['step5-p']}",
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:hidden ds:hidden offset:{OFFSETS['step5-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-s']}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
# Next key event is when the DNSKEY enters the HIDDEN state.
|
||||
|
|
@ -387,7 +387,7 @@ def test_csk_roll2_step5(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_csk_roll2_step6(tld, alg, size, ns3):
|
||||
def test_csk_roll2_step6(tld, ns3, default_algorithm):
|
||||
zone = f"step6.csk-roll2.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -402,8 +402,8 @@ def test_csk_roll2_step6(tld, alg, size, ns3):
|
|||
# CSK1 dnskey: unretentive -> hidden
|
||||
# CSK1 krrsig: unretentive -> hidden
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step6-p']}",
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step6-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-s']}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
# Next key event is when the new successor needs to be published.
|
||||
|
|
@ -424,7 +424,7 @@ def test_csk_roll2_step6(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_csk_roll2_step7(tld, alg, size, ns3):
|
||||
def test_csk_roll2_step7(tld, ns3, default_algorithm):
|
||||
zone = f"step7.csk-roll2.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -437,8 +437,8 @@ def test_csk_roll2_step7(tld, alg, size, ns3):
|
|||
"cdss": CDSS,
|
||||
# The predecessor CSK is now completely HIDDEN.
|
||||
"keyprops": [
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step7-p']}",
|
||||
f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step7-s']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step7-p']}",
|
||||
f"csk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step7-s']}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
"nextev": None,
|
||||
|
|
|
|||
|
|
@ -11,12 +11,12 @@
|
|||
|
||||
# pylint: disable=redefined-outer-name,unused-import
|
||||
|
||||
from rollover.common import CDSS, DEFAULT_CONFIG, alg, pytestmark, size
|
||||
from rollover.common import CDSS, DEFAULT_CONFIG, pytestmark
|
||||
|
||||
import isctest
|
||||
|
||||
|
||||
def test_dynamic2inline(alg, size, ns3, templates):
|
||||
def test_dynamic2inline(ns3, default_algorithm, templates):
|
||||
config = DEFAULT_CONFIG
|
||||
policy = "default"
|
||||
zone = "dynamic2inline.kasp"
|
||||
|
|
@ -27,7 +27,7 @@ def test_dynamic2inline(alg, size, ns3, templates):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
"nextev": None,
|
||||
}
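Review bot: The `redefined-outer-name` entry in the `# pylint: disable=redefined-outer-name,unused-import` line at the top of this file looks stale now that `alg` and `size` are no longer imported. None of the remaining parameters of `test_dynamic2inline` (`ns3`, `default_algorithm`, `templates`) appears to shadow a module-level name. Narrowing the line to `# pylint: disable=unused-import`, which the `pytestmark` import presumably still needs, would let pylint report genuine shadowing if it is introduced later. This assumes that no code outside the visible hunks relies on the suppression.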
|
||||
|
|
|
|||
|
|
@ -15,7 +15,7 @@ import pytest
|
|||
|
||||
from isctest.kasp import Ipub, IpubC, Iret
|
||||
from isctest.util import param
|
||||
from rollover.common import CDSS, TIMEDELTA, alg, pytestmark, size
|
||||
from rollover.common import CDSS, TIMEDELTA, pytestmark
|
||||
from rollover.setup import configure_enable_dnssec, configure_root, configure_tld
|
||||
|
||||
import isctest
|
||||
|
|
@ -74,7 +74,7 @@ def bootstrap():
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_rollover_enable_dnssec_step1(tld, alg, size, ns3):
|
||||
def test_rollover_enable_dnssec_step1(tld, default_algorithm, ns3):
|
||||
zone = f"step1.enable-dnssec.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -105,7 +105,7 @@ def test_rollover_enable_dnssec_step1(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden offset:{OFFSETS['step1']}",
|
||||
f"csk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden offset:{OFFSETS['step1']}",
|
||||
],
|
||||
# Next key event is when the DNSKEY RRset becomes OMNIPRESENT,
|
||||
# after the publication interval.
|
||||
|
|
@ -123,7 +123,7 @@ def test_rollover_enable_dnssec_step1(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_rollover_enable_dnssec_step2(tld, alg, size, ns3):
|
||||
def test_rollover_enable_dnssec_step2(tld, default_algorithm, ns3):
|
||||
zone = f"step2.enable-dnssec.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -139,7 +139,7 @@ def test_rollover_enable_dnssec_step2(tld, alg, size, ns3):
|
|||
# dnskey: rumoured -> omnipresent
|
||||
# krrsig: rumoured -> omnipresent
|
||||
"keyprops": [
|
||||
f"csk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{OFFSETS['step2']}",
|
||||
f"csk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{OFFSETS['step2']}",
|
||||
],
|
||||
# Next key event is when the zone signatures become OMNIPRESENT,
|
||||
# Minus the time already elapsed.
|
||||
|
|
@ -157,7 +157,7 @@ def test_rollover_enable_dnssec_step2(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_rollover_enable_dnssec_step3(tld, alg, size, ns3):
|
||||
def test_rollover_enable_dnssec_step3(tld, default_algorithm, ns3):
|
||||
zone = f"step3.enable-dnssec.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -169,7 +169,7 @@ def test_rollover_enable_dnssec_step3(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:hidden offset:{OFFSETS['step3']}",
|
||||
f"csk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:hidden offset:{OFFSETS['step3']}",
|
||||
],
|
||||
"manual-mode": True,
|
||||
"nextev": None,
|
||||
|
|
@ -195,7 +195,7 @@ def test_rollover_enable_dnssec_step3(tld, alg, size, ns3):
|
|||
# zrrsig: rumoured -> omnipresent
|
||||
# ds: hidden -> rumoured
|
||||
"keyprops": [
|
||||
f"csk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{OFFSETS['step3']}",
|
||||
f"csk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{OFFSETS['step3']}",
|
||||
],
|
||||
# Next key event is when the DS can move to the OMNIPRESENT state.
|
||||
# This is after the retire interval.
|
||||
|
|
@ -216,7 +216,7 @@ def test_rollover_enable_dnssec_step3(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_rollover_enable_dnssec_step4(tld, alg, size, ns3):
|
||||
def test_rollover_enable_dnssec_step4(tld, default_algorithm, ns3):
|
||||
zone = f"step4.enable-dnssec.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -230,7 +230,7 @@ def test_rollover_enable_dnssec_step4(tld, alg, size, ns3):
|
|||
# DS has been published long enough.
|
||||
# ds: rumoured -> omnipresent
|
||||
"keyprops": [
|
||||
f"csk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4']}",
|
||||
f"csk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4']}",
|
||||
],
|
||||
# Next key event is never, the zone dnssec-policy has been
|
||||
# established. So we fall back to the default loadkeys interval.
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
|
||||
import pytest
|
||||
|
||||
from rollover.common import CDSS, DURATION, UNSIGNING_CONFIG, alg, pytestmark, size
|
||||
from rollover.common import CDSS, DURATION, UNSIGNING_CONFIG, pytestmark
|
||||
from rollover.setup import configure_going_insecure, configure_root, configure_tld
|
||||
|
||||
import isctest
|
||||
|
|
@ -43,7 +43,7 @@ def bootstrap():
|
|||
"going-insecure-dynamic.kasp",
|
||||
],
|
||||
)
|
||||
def test_going_insecure_initial(zone, ns3, alg, size):
|
||||
def test_going_insecure_initial(zone, ns3, default_algorithm):
|
||||
config = UNSIGNING_CONFIG
|
||||
policy = "unsigning"
|
||||
zone = f"step1.{zone}"
|
||||
|
|
@ -54,8 +54,8 @@ def test_going_insecure_initial(zone, ns3, alg, size):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
|
||||
f"zsk {DURATION['P60D']} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{-DURATION['P10D']}",
|
||||
f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
|
||||
f"zsk {DURATION['P60D']} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{-DURATION['P10D']}",
|
||||
],
|
||||
"nextev": None,
|
||||
}
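Review bot: The keyprops f-strings in test_going_insecure_initial now spell out `{default_algorithm.number} {default_algorithm.bits}` in every entry, which lengthens already long lines and makes the state columns (goal, dnskey, krrsig, ds) harder to compare. Binding the two values once at the top of the test, `alg, size = default_algorithm.number, default_algorithm.bits`, would leave the existing `{alg} {size}` strings unchanged and reduce this diff to the import and signature lines. The same applies to the other sections on this page that make the identical substitution: test_going_insecure_reconfig_step1 and step2, test_rollover_ksk_three_is_a_crowd, test_ksk_doubleksk_step1 to step6, test_lifetime_initial, test_lifetime_reconfig, test_rollover_multisigner, test_straight2none_initial and test_straight2none_reconfig. The test body is only partly visible in these hunks.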
|
||||
|
|
|
|||
|
|
@ -13,15 +13,7 @@
|
|||
|
||||
import pytest
|
||||
|
||||
from rollover.common import (
|
||||
CDSS,
|
||||
DEFAULT_CONFIG,
|
||||
DURATION,
|
||||
UNSIGNING_CONFIG,
|
||||
alg,
|
||||
pytestmark,
|
||||
size,
|
||||
)
|
||||
from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, UNSIGNING_CONFIG, pytestmark
|
||||
from rollover.setup import configure_going_insecure, configure_root, configure_tld
|
||||
|
||||
import isctest
|
||||
|
|
@ -57,7 +49,7 @@ def after_servers_start(ns3, templates):
|
|||
"going-insecure-dynamic.kasp",
|
||||
],
|
||||
)
|
||||
def test_going_insecure_reconfig_step1(zone, alg, size, ns3):
|
||||
def test_going_insecure_reconfig_step1(zone, ns3, default_algorithm):
|
||||
config = DEFAULT_CONFIG
|
||||
policy = "insecure"
|
||||
szone = f"step1.{zone}"
|
||||
|
|
@ -70,8 +62,8 @@ def test_going_insecure_reconfig_step1(zone, alg, size, ns3):
|
|||
"zone": szone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"ksk 0 {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{-DURATION['P10D']}",
|
||||
f"zsk {DURATION['P60D']} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{-DURATION['P10D']}",
|
||||
f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{-DURATION['P10D']}",
|
||||
f"zsk {DURATION['P60D']} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{-DURATION['P10D']}",
|
||||
],
|
||||
# Next key event is when the DS becomes HIDDEN. This
|
||||
# happens after the# parent propagation delay plus DS TTL.
|
||||
|
|
@ -100,7 +92,7 @@ def test_going_insecure_reconfig_step1(zone, alg, size, ns3):
|
|||
"going-insecure-dynamic.kasp",
|
||||
],
|
||||
)
|
||||
def test_going_insecure_reconfig_step2(zone, alg, size, ns3):
|
||||
def test_going_insecure_reconfig_step2(zone, ns3, default_algorithm):
|
||||
config = DEFAULT_CONFIG
|
||||
policy = "insecure"
|
||||
zone = f"step2.{zone}"
|
||||
|
|
@ -114,8 +106,8 @@ def test_going_insecure_reconfig_step2(zone, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"ksk 0 {alg} {size} goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{-DURATION['P10D']}",
|
||||
f"zsk {DURATION['P60D']} {alg} {size} goal:hidden dnskey:unretentive zrrsig:unretentive offset:{-DURATION['P10D']}",
|
||||
f"ksk 0 {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{-DURATION['P10D']}",
|
||||
f"zsk {DURATION['P60D']} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:unretentive zrrsig:unretentive offset:{-DURATION['P10D']}",
|
||||
],
|
||||
# Next key event is when the DNSKEY becomes HIDDEN.
|
||||
# This happens after the propagation delay, plus DNSKEY TTL.
|
||||
|
|
|
|||
|
|
@ -19,9 +19,7 @@ from rollover.common import (
|
|||
KSK_IPUB,
|
||||
KSK_IRET,
|
||||
KSK_LIFETIME_POLICY,
|
||||
alg,
|
||||
pytestmark,
|
||||
size,
|
||||
)
|
||||
from rollover.setup import configure_ksk_3crowd, configure_root, configure_tld
|
||||
|
||||
|
|
@ -51,7 +49,7 @@ def bootstrap():
|
|||
return data
|
||||
|
||||
|
||||
def test_rollover_ksk_three_is_a_crowd(alg, size, ns3):
|
||||
def test_rollover_ksk_three_is_a_crowd(ns3, default_algorithm):
|
||||
"""Test #2375: Scheduled rollovers are happening faster than they can finish."""
|
||||
zone = "three-is-a-crowd.kasp"
|
||||
|
||||
|
|
@ -61,9 +59,9 @@ def test_rollover_ksk_three_is_a_crowd(alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{OFFSET1}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{OFFSET2}",
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSET1}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{OFFSET1}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{OFFSET2}",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSET1}",
|
||||
],
|
||||
"keyrelationships": [0, 1],
|
||||
}
|
||||
|
|
@ -84,10 +82,10 @@ def test_rollover_ksk_three_is_a_crowd(alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{OFFSET1}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{OFFSET2}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden offset:0",
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSET1}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{OFFSET1}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{OFFSET2}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden offset:0",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSET1}",
|
||||
],
|
||||
"check-keytimes": False, # checked manually with modified values
|
||||
}
|
||||
|
|
|
|||
|
|
@ -25,9 +25,7 @@ from rollover.common import (
|
|||
KSK_LIFETIME,
|
||||
KSK_LIFETIME_POLICY,
|
||||
TIMEDELTA,
|
||||
alg,
|
||||
pytestmark,
|
||||
size,
|
||||
)
|
||||
from rollover.setup import configure_ksk_doubleksk, configure_root, configure_tld
|
||||
|
||||
|
|
@ -80,7 +78,7 @@ def bootstrap():
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_ksk_doubleksk_step1(tld, alg, size, ns3):
|
||||
def test_ksk_doubleksk_step1(tld, ns3, default_algorithm):
|
||||
zone = f"step1.ksk-doubleksk.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -94,8 +92,8 @@ def test_ksk_doubleksk_step1(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step1-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step1-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
|
||||
],
|
||||
# Next key event is when the successor KSK needs to be published.
|
||||
# That is the KSK lifetime - prepublication time (minus time
|
||||
|
|
@ -114,7 +112,7 @@ def test_ksk_doubleksk_step1(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_ksk_doubleksk_step2(tld, alg, size, ns3):
|
||||
def test_ksk_doubleksk_step2(tld, ns3, default_algorithm):
|
||||
zone = f"step2.ksk-doubleksk.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -126,8 +124,8 @@ def test_ksk_doubleksk_step2(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
],
|
||||
"manual-mode": True,
|
||||
"nextev": None,
|
||||
|
|
@ -155,9 +153,9 @@ def test_ksk_doubleksk_step2(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden offset:{OFFSETS['step2-s']}",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden offset:{OFFSETS['step2-s']}",
|
||||
],
|
||||
"keyrelationships": [1, 2],
|
||||
# Next key event is when the successor KSK becomes OMNIPRESENT.
|
||||
|
|
@ -175,7 +173,7 @@ def test_ksk_doubleksk_step2(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_ksk_doubleksk_step3(tld, alg, size, ns3):
|
||||
def test_ksk_doubleksk_step3(tld, ns3, default_algorithm):
|
||||
zone = f"step3.ksk-doubleksk.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -187,9 +185,9 @@ def test_ksk_doubleksk_step3(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{OFFSETS['step3-s']}",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{OFFSETS['step3-s']}",
|
||||
],
|
||||
"keyrelationships": [1, 2],
|
||||
"manual-mode": True,
|
||||
|
|
@ -234,9 +232,9 @@ def test_ksk_doubleksk_step3(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{OFFSETS['step3-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{OFFSETS['step3-s']}",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{OFFSETS['step3-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{OFFSETS['step3-s']}",
|
||||
],
|
||||
"keyrelationships": [1, 2],
|
||||
# Next key event is when the predecessor DS has been replaced with
|
||||
|
|
@ -260,7 +258,7 @@ def test_ksk_doubleksk_step3(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_ksk_doubleksk_step4(tld, alg, size, ns3):
|
||||
def test_ksk_doubleksk_step4(tld, ns3, default_algorithm):
|
||||
zone = f"step4.ksk-doubleksk.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -272,9 +270,9 @@ def test_ksk_doubleksk_step4(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{OFFSETS['step4-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-s']}",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{OFFSETS['step4-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-s']}",
|
||||
],
|
||||
"keyrelationships": [1, 2],
|
||||
"manual-mode": True,
|
||||
|
|
@ -307,9 +305,9 @@ def test_ksk_doubleksk_step4(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{OFFSETS['step4-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-s']}",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{OFFSETS['step4-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-s']}",
|
||||
],
|
||||
"keyrelationships": [1, 2],
|
||||
# Next key event is when the DNSKEY enters the HIDDEN state.
|
||||
|
|
@ -328,7 +326,7 @@ def test_ksk_doubleksk_step4(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_ksk_doubleksk_step5(tld, alg, size, ns3):
|
||||
def test_ksk_doubleksk_step5(tld, ns3, default_algorithm):
|
||||
zone = f"step5.ksk-doubleksk.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -344,9 +342,9 @@ def test_ksk_doubleksk_step5(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step5-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{OFFSETS['step5-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-s']}",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step5-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{OFFSETS['step5-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-s']}",
|
||||
],
|
||||
"keyrelationships": [1, 2],
|
||||
# Next key event is when the new successor needs to be published.
|
||||
|
|
@ -367,7 +365,7 @@ def test_ksk_doubleksk_step5(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_ksk_doubleksk_step6(tld, alg, size, ns3):
|
||||
def test_ksk_doubleksk_step6(tld, ns3, default_algorithm):
|
||||
zone = f"step6.ksk-doubleksk.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -380,8 +378,8 @@ def test_ksk_doubleksk_step6(tld, alg, size, ns3):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-s']}",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6-p']}",
|
||||
f"ksk {KSK_LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-s']}",
|
||||
],
|
||||
"nextev": None,
|
||||
}
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@
|
|||
import pytest
|
||||
|
||||
from isctest.util import param
|
||||
from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, alg, pytestmark, size
|
||||
from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, pytestmark
|
||||
|
||||
import isctest
|
||||
|
||||
|
|
@ -28,7 +28,7 @@ import isctest
|
|||
param("unlimit-lifetime", "short-lifetime", "P6M"),
|
||||
],
|
||||
)
|
||||
def test_lifetime_initial(zone, policy, lifetime, alg, size, ns3):
|
||||
def test_lifetime_initial(zone, policy, lifetime, ns3, default_algorithm):
|
||||
config = DEFAULT_CONFIG
|
||||
|
||||
isctest.kasp.wait_keymgr_done(ns3, f"{zone}.kasp")
|
||||
|
|
@ -37,7 +37,7 @@ def test_lifetime_initial(zone, policy, lifetime, alg, size, ns3):
|
|||
"zone": f"{zone}.kasp",
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk {DURATION[lifetime]} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk {DURATION[lifetime]} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
"nextev": None,
|
||||
}
|
||||
|
|
|
|||
|
|
@ -14,7 +14,7 @@
|
|||
import pytest
|
||||
|
||||
from isctest.util import param
|
||||
from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, alg, pytestmark, size
|
||||
from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, pytestmark
|
||||
|
||||
import isctest
|
||||
|
||||
|
|
@ -43,7 +43,7 @@ def after_servers_start(ns3, templates):
|
|||
param("unlimit-lifetime", "unlimited-lifetime", 0),
|
||||
],
|
||||
)
|
||||
def test_lifetime_reconfig(zone, policy, lifetime, alg, size, ns3):
|
||||
def test_lifetime_reconfig(zone, policy, lifetime, ns3, default_algorithm):
|
||||
config = DEFAULT_CONFIG
|
||||
|
||||
isctest.kasp.wait_keymgr_done(ns3, f"{zone}.kasp", reconfig=True)
|
||||
|
|
@ -52,7 +52,7 @@ def test_lifetime_reconfig(zone, policy, lifetime, alg, size, ns3):
|
|||
"zone": f"{zone}.kasp",
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk {DURATION[lifetime]} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
f"csk {DURATION[lifetime]} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
|
||||
],
|
||||
"nextev": None,
|
||||
}
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ import pytest
|
|||
|
||||
from isctest.kasp import Iret, SettimeOptions
|
||||
from isctest.run import EnvCmd
|
||||
from rollover.common import alg, pytestmark, size
|
||||
from rollover.common import pytestmark
|
||||
from rollover.setup import fake_lifetime, render_and_sign_zone, setkeytimes
|
||||
|
||||
import isctest
|
||||
|
|
@ -96,7 +96,7 @@ def bootstrap():
|
|||
return {}
|
||||
|
||||
|
||||
def test_rollover_multisigner(ns3, alg, size):
|
||||
def test_rollover_multisigner(ns3, default_algorithm):
|
||||
policy = "multisigner-model2"
|
||||
config = {
|
||||
"dnskey-ttl": timedelta(hours=1),
|
||||
|
|
@ -118,7 +118,7 @@ def test_rollover_multisigner(ns3, alg, size):
|
|||
keygen_command = [
|
||||
os.environ.get("KEYGEN"),
|
||||
"-a",
|
||||
alg,
|
||||
default_algorithm.name,
|
||||
"-L",
|
||||
"3600",
|
||||
"-M",
|
||||
|
|
@ -135,12 +135,14 @@ def test_rollover_multisigner(ns3, alg, size):
|
|||
isctest.kasp.check_dnssec_verify(ns3, zone)
|
||||
|
||||
key_properties = [
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden tag-range:32768-65535",
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured tag-range:32768-65535",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden tag-range:32768-65535",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:rumoured tag-range:32768-65535",
|
||||
]
|
||||
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
|
||||
|
||||
newprops = [f"zsk unlimited {alg} {size} tag-range:0-32767"]
|
||||
newprops = [
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} tag-range:0-32767"
|
||||
]
|
||||
expected2 = isctest.kasp.policy_to_properties(ttl, newprops)
|
||||
expected2[0].private = False
|
||||
expected2[0].legacy = True
|
||||
|
|
@ -164,7 +166,9 @@ def test_rollover_multisigner(ns3, alg, size):
|
|||
# Update zone with ZSK from another provider for zone.
|
||||
out = keygen(zone)
|
||||
newkeys = isctest.kasp.keystr_to_keylist(out)
|
||||
newprops = [f"zsk unlimited {alg} {size} tag-range:0-32767"]
|
||||
newprops = [
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} tag-range:0-32767"
|
||||
]
|
||||
expected2 = isctest.kasp.policy_to_properties(ttl, newprops)
|
||||
expected2[0].private = False
|
||||
expected2[0].legacy = True
|
||||
|
|
@ -211,10 +215,10 @@ def test_rollover_multisigner(ns3, alg, size):
|
|||
isctest.kasp.check_dnssec_verify(ns3, zone)
|
||||
|
||||
key_properties = [
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden tag-range:32768-65535",
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden tag-range:32768-65535",
|
||||
f"ksk unlimited {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent tag-range:0-32767 offset:{offval}",
|
||||
f"zsk unlimited {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent tag-range:0-32767 offset:{offval}",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden tag-range:32768-65535",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:hidden tag-range:32768-65535",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent tag-range:0-32767 offset:{offval}",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:omnipresent tag-range:0-32767 offset:{offval}",
|
||||
]
|
||||
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
|
||||
keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
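Review bot: In test_rollover_multisigner the `-a` argument of keygen_command changes from `alg` to `default_algorithm.name`, while every key-property string in the same test replaces `alg` with `default_algorithm.number`, so the value handed to the key generator appears to switch from the algorithm number to its mnemonic. If that is intended, a comment on that line such as `# keygen is given the mnemonic; the expected properties below use the number` would stop a later reader from treating it as a slip. If it is not intended, `str(default_algorithm.number)` keeps the previous argument. The command also still begins with `os.environ.get("KEYGEN")`, which puts `None` into the argument list when the variable is unset, whereas `os.environ["KEYGEN"]` would fail with a clear KeyError. The function body extends beyond the visible hunks, so how keygen_command is executed is not shown here.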
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
|
||||
import pytest
|
||||
|
||||
from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, alg, pytestmark, size
|
||||
from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, pytestmark
|
||||
from rollover.setup import configure_root, configure_straight2none, configure_tld
|
||||
|
||||
import isctest
|
||||
|
|
@ -43,7 +43,7 @@ def bootstrap():
|
|||
"going-straight-to-none-dynamic.kasp",
|
||||
],
|
||||
)
|
||||
def test_straight2none_initial(zone, ns3, alg, size):
|
||||
def test_straight2none_initial(zone, ns3, default_algorithm):
|
||||
config = DEFAULT_CONFIG
|
||||
policy = "default"
|
||||
|
||||
|
|
@ -53,7 +53,7 @@ def test_straight2none_initial(zone, ns3, alg, size):
|
|||
"zone": zone,
|
||||
"cdss": CDSS,
|
||||
"keyprops": [
|
||||
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
|
||||
f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
|
||||
],
|
||||
"nextev": None,
|
||||
}
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@
|
|||
|
||||
import pytest
|
||||
|
||||
from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, alg, pytestmark, size
|
||||
from rollover.common import CDSS, DEFAULT_CONFIG, DURATION, pytestmark
|
||||
from rollover.setup import configure_root, configure_straight2none, configure_tld
|
||||
|
||||
import isctest
|
||||
|
|
@ -52,7 +52,7 @@ def after_servers_start(ns3, templates):
|
|||
"going-straight-to-none-dynamic.kasp",
|
||||
],
|
||||
)
|
||||
def test_straight2none_reconfig(zone, ns3, alg, size):
|
||||
def test_straight2none_reconfig(zone, ns3, default_algorithm):
|
||||
config = DEFAULT_CONFIG
|
||||
policy = None
|
||||
|
||||
|
|
@ -62,7 +62,7 @@ def test_straight2none_reconfig(zone, ns3, alg, size):
|
|||
# These zones will go bogus after signatures expire, but
|
||||
# remain validly signed for now.
|
||||
"keyprops": [
|
||||
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
|
||||
f"csk 0 {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P10D']}",
|
||||
],
|
||||
"nextev": None,
|
||||
}
|
||||
|
|
|
|||
|
|
@ -17,7 +17,7 @@ import pytest
|
|||
|
||||
from isctest.kasp import Ipub, Iret
|
||||
from isctest.util import param
|
||||
from rollover.common import TIMEDELTA, alg, pytestmark, size
|
||||
from rollover.common import TIMEDELTA, pytestmark
|
||||
from rollover.setup import configure_root, configure_tld, configure_zsk_prepub
|
||||
|
||||
import isctest
|
||||
|
|
@ -85,7 +85,7 @@ def bootstrap():
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_zsk_prepub_step1(tld, alg, size, ns3):
|
||||
def test_zsk_prepub_step1(tld, ns3, default_algorithm):
|
||||
zone = f"step1.zsk-prepub.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -98,8 +98,8 @@ def test_zsk_prepub_step1(tld, alg, size, ns3):
|
|||
# Introduce the first key. This will immediately be active.
|
||||
"zone": zone,
|
||||
"keyprops": [
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step1-p']}",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step1-p']}",
|
||||
],
|
||||
# Next key event is when the successor ZSK needs to be published.
|
||||
# That is the ZSK lifetime - prepublication time (minus time
|
||||
|
|
@ -118,7 +118,7 @@ def test_zsk_prepub_step1(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_zsk_prepub_step2(tld, alg, size, ns3):
|
||||
def test_zsk_prepub_step2(tld, ns3, default_algorithm):
|
||||
zone = f"step2.zsk-prepub.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -129,8 +129,8 @@ def test_zsk_prepub_step2(tld, alg, size, ns3):
|
|||
step = {
|
||||
"zone": zone,
|
||||
"keyprops": [
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
],
|
||||
"manual-mode": True,
|
||||
"nextev": None,
|
||||
|
|
@ -156,9 +156,9 @@ def test_zsk_prepub_step2(tld, alg, size, ns3):
|
|||
# zsk2 dnskey: hidden -> rumoured
|
||||
"zone": zone,
|
||||
"keyprops": [
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden offset:{OFFSETS['step2-s']}",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:hidden offset:{OFFSETS['step2-s']}",
|
||||
],
|
||||
"keyrelationships": [1, 2],
|
||||
# next key event is when the successor zsk becomes omnipresent.
|
||||
|
|
@ -177,7 +177,7 @@ def test_zsk_prepub_step2(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_zsk_prepub_step3(tld, alg, size, ns3):
|
||||
def test_zsk_prepub_step3(tld, ns3, default_algorithm):
|
||||
zone = f"step3.zsk-prepub.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -188,9 +188,9 @@ def test_zsk_prepub_step3(tld, alg, size, ns3):
|
|||
step = {
|
||||
"zone": zone,
|
||||
"keyprops": [
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:hidden offset:{OFFSETS['step3-s']}",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:hidden offset:{OFFSETS['step3-s']}",
|
||||
],
|
||||
"keyrelationships": [1, 2],
|
||||
"manual-mode": True,
|
||||
|
|
@ -232,9 +232,9 @@ def test_zsk_prepub_step3(tld, alg, size, ns3):
|
|||
# zsk2 zrrsig: hidden -> rumoured
|
||||
"zone": zone,
|
||||
"keyprops": [
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:unretentive offset:{OFFSETS['step3-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{OFFSETS['step3-s']}",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:unretentive offset:{OFFSETS['step3-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{OFFSETS['step3-s']}",
|
||||
],
|
||||
"keyrelationships": [1, 2],
|
||||
# next key event is when all the rrsig records have been replaced
|
||||
|
|
@ -266,7 +266,7 @@ def test_zsk_prepub_step3(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_zsk_prepub_step4(tld, alg, size, ns3):
|
||||
def test_zsk_prepub_step4(tld, ns3, default_algorithm):
|
||||
zone = f"step4.zsk-prepub.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -277,9 +277,9 @@ def test_zsk_prepub_step4(tld, alg, size, ns3):
|
|||
step = {
|
||||
"zone": zone,
|
||||
"keyprops": [
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:hidden offset:{OFFSETS['step4-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-s']}",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:hidden offset:{OFFSETS['step4-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-s']}",
|
||||
],
|
||||
"keyrelationships": [1, 2],
|
||||
"manual-mode": True,
|
||||
|
|
@ -308,9 +308,9 @@ def test_zsk_prepub_step4(tld, alg, size, ns3):
|
|||
# zsk2 zrrsig: rumoured -> omnipresent
|
||||
"zone": zone,
|
||||
"keyprops": [
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:unretentive zrrsig:hidden offset:{OFFSETS['step4-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-s']}",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:unretentive zrrsig:hidden offset:{OFFSETS['step4-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-s']}",
|
||||
],
|
||||
"keyrelationships": [1, 2],
|
||||
# next key event is when the dnskey enters the hidden state.
|
||||
|
|
@ -329,7 +329,7 @@ def test_zsk_prepub_step4(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_zsk_prepub_step5(tld, alg, size, ns3):
|
||||
def test_zsk_prepub_step5(tld, ns3, default_algorithm):
|
||||
zone = f"step5.zsk-prepub.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -342,9 +342,9 @@ def test_zsk_prepub_step5(tld, alg, size, ns3):
|
|||
# zsk1 dnskey: unretentive -> hidden
|
||||
"zone": zone,
|
||||
"keyprops": [
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:hidden zrrsig:hidden offset:{OFFSETS['step5-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step5-s']}",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:hidden zrrsig:hidden offset:{OFFSETS['step5-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step5-s']}",
|
||||
],
|
||||
"keyrelationships": [1, 2],
|
||||
# next key event is when the new successor needs to be published.
|
||||
|
|
@ -366,7 +366,7 @@ def test_zsk_prepub_step5(tld, alg, size, ns3):
|
|||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_zsk_prepub_step6(tld, alg, size, ns3):
|
||||
def test_zsk_prepub_step6(tld, ns3, default_algorithm):
|
||||
zone = f"step6.zsk-prepub.{tld}"
|
||||
policy = f"{POLICY}-{tld}"
|
||||
|
||||
|
|
@ -378,8 +378,8 @@ def test_zsk_prepub_step6(tld, alg, size, ns3):
|
|||
# predecessor zsk is now purged.
|
||||
"zone": zone,
|
||||
"keyprops": [
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6-s']}",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-p']}",
|
||||
f"zsk {LIFETIME_POLICY} {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6-s']}",
|
||||
],
|
||||
"nextev": None,
|
||||
}
|
||||
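Review bot: The expected-key strings in every `keyprops` list of `test_zsk_prepub_step1` through `test_zsk_prepub_step6` now spell out `{default_algorithm.number} {default_algorithm.bits}` in full, which lengthens already long lines and buries the state fields (`goal:`, `dnskey:`, `zrrsig:`) that actually differ between steps. Binding the pair once at the top of each test, `alg, size = default_algorithm.number, default_algorithm.bits`, would keep the original `{alg} {size}` strings and shrink this change to the signature lines. The same repetition appears in the `key_properties` lists of `test_rollover_manual` and `test_rollover_manual_zrrsig_rumoured` further down the page. The test bodies continue outside the hunks shown.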
|
|
|
|||
|
|
@ -11,12 +11,9 @@
|
|||
|
||||
from datetime import timedelta
|
||||
|
||||
import os
|
||||
|
||||
import pytest
|
||||
|
||||
from isctest.kasp import Ipub, IpubC, Iret
|
||||
from isctest.vars.algorithms import Algorithm
|
||||
|
||||
pytestmark = pytest.mark.extra_artifacts(
|
||||
[
|
||||
|
|
@ -131,22 +128,3 @@ KSK_IPUB = Ipub(KSK_CONFIG)
|
|||
KSK_IPUBC = IpubC(KSK_CONFIG)
|
||||
KSK_IRET = Iret(KSK_CONFIG, zsk=False, ksk=True)
|
||||
KSK_KEYTTLPROP = KSK_CONFIG["dnskey-ttl"] + KSK_CONFIG["zone-propagation-delay"]
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
def alg():
|
||||
return os.environ["DEFAULT_ALGORITHM_NUMBER"]
|
||||
|
||||
|
||||
@pytest.fixture
|
||||
def size():
|
||||
return os.environ["DEFAULT_BITS"]
|
||||
|
||||
|
||||
def default_algorithm():
|
||||
return Algorithm(
|
||||
os.environ["DEFAULT_ALGORITHM"],
|
||||
int(os.environ["DEFAULT_ALGORITHM_NUMBER"]),
|
||||
int(os.environ["DEFAULT_ALGORITHM_DST_NUMBER"]),
|
||||
int(os.environ["DEFAULT_BITS"]),
|
||||
)
|
||||
|
|
|
|||
|
|
@ -16,14 +16,14 @@ import shutil
|
|||
from isctest.kasp import SettimeOptions, private_type_record
|
||||
from isctest.run import EnvCmd
|
||||
from isctest.template import Nameserver, TrustAnchor, Zone
|
||||
from rollover.common import default_algorithm
|
||||
from isctest.vars.algorithms import Algorithm
|
||||
|
||||
import isctest
|
||||
|
||||
|
||||
def configure_tld(zonename: str, delegations: List[Zone]) -> Zone:
|
||||
templates = isctest.template.TemplateEngine(".")
|
||||
alg = default_algorithm()
|
||||
alg = Algorithm.default()
|
||||
keygen = EnvCmd("KEYGEN", f"-q -a {alg.number} -b {alg.bits} -L 3600")
|
||||
signer = EnvCmd("SIGNER", "-S -g")
|
||||
|
||||
|
|
@ -57,7 +57,7 @@ def configure_tld(zonename: str, delegations: List[Zone]) -> Zone:
|
|||
|
||||
def configure_root(delegations: List[Zone]) -> TrustAnchor:
|
||||
templates = isctest.template.TemplateEngine(".")
|
||||
alg = default_algorithm()
|
||||
alg = Algorithm.default()
|
||||
keygen = EnvCmd("KEYGEN", f"-q -a {alg.number} -b {alg.bits} -L 3600")
|
||||
signer = EnvCmd("SIGNER", "-S -g")
|
||||
|
||||
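Review bot: In `configure_tld` and `configure_root` the values interpolated into the `KEYGEN` argument string, `f"-q -a {alg.number} -b {alg.bits} -L 3600"`, now come from `Algorithm.default()`, whose body is not shown in this section. The removed `default_algorithm()` helper (imported here from `rollover.common`) visibly wrapped `DEFAULT_ALGORITHM_NUMBER` and `DEFAULT_BITS` in `int(...)` before they reached the command line. If `Algorithm.default()` performs the same conversion nothing changes; if it passes the environment strings through, a malformed value would reach the argument string unchecked. Once confirmed, a comment above the call would record the assumption, e.g. `# Algorithm.default() yields int number/bits parsed from the environment`. Both function bodies continue outside the hunks.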
|
|
|
|||
|
|
@ -11,8 +11,6 @@
|
|||
|
||||
from datetime import timedelta
|
||||
|
||||
import os
|
||||
|
||||
from isctest.kasp import (
|
||||
Ipub,
|
||||
Iret,
|
||||
|
|
@ -22,7 +20,7 @@ from isctest.kasp import (
|
|||
)
|
||||
from isctest.run import EnvCmd
|
||||
from isctest.template import Nameserver, Zone
|
||||
from rollover.common import default_algorithm
|
||||
from isctest.vars.algorithms import Algorithm
|
||||
from rollover.setup import configure_root, configure_tld, setkeytimes
|
||||
|
||||
import isctest
|
||||
|
|
@ -30,8 +28,11 @@ import isctest
|
|||
|
||||
def setup_zone(zone, ksk_time, ksk_timings, zsk_time, zsk_timings) -> Zone:
|
||||
templates = isctest.template.TemplateEngine(".")
|
||||
alg = default_algorithm()
|
||||
keygen = EnvCmd("KEYGEN", f"-q -a {alg.number} -b {alg.bits} -L 3600")
|
||||
default_algorithm = Algorithm.default()
|
||||
keygen = EnvCmd(
|
||||
"KEYGEN",
|
||||
f"-q -a {default_algorithm.number} -b {default_algorithm.bits} -L 3600",
|
||||
)
|
||||
signer = EnvCmd("SIGNER", "-S -g")
|
||||
|
||||
isctest.log.info(f"setup {zone}")
|
||||
|
|
@ -125,10 +126,8 @@ CONFIG = {
|
|||
POLICY = "manual-rollover"
|
||||
|
||||
|
||||
def test_rollover_manual(ns3):
|
||||
def test_rollover_manual(ns3, default_algorithm):
|
||||
ttl = int(CONFIG["dnskey-ttl"].total_seconds())
|
||||
alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
|
||||
size = os.environ["DEFAULT_BITS"]
|
||||
zone = "manual-rollover.kasp"
|
||||
|
||||
isctest.kasp.wait_keymgr_done(ns3, zone)
|
||||
|
|
@ -136,8 +135,8 @@ def test_rollover_manual(ns3):
|
|||
isctest.kasp.check_dnssec_verify(ns3, zone)
|
||||
|
||||
key_properties = [
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
]
|
||||
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
|
||||
keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
|
||||
|
|
@ -184,9 +183,9 @@ def test_rollover_manual(ns3):
|
|||
isctest.kasp.check_dnssec_verify(ns3, zone)
|
||||
|
||||
key_properties = [
|
||||
f"ksk unlimited {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent",
|
||||
]
|
||||
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
|
||||
keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
|
||||
|
|
@ -226,10 +225,10 @@ def test_rollover_manual(ns3):
|
|||
isctest.kasp.check_dnssec_verify(ns3, zone)
|
||||
|
||||
key_properties = [
|
||||
f"ksk unlimited {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||
f"zsk unlimited {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:omnipresent",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:hidden",
|
||||
]
|
||||
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
|
||||
keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
|
||||
|
|
@ -250,10 +249,8 @@ def test_rollover_manual(ns3):
|
|||
assert "key is not actively signing" in response.out
|
||||
|
||||
|
||||
def test_rollover_manual_zrrsig_rumoured(ns3):
|
||||
def test_rollover_manual_zrrsig_rumoured(ns3, default_algorithm):
|
||||
ttl = int(CONFIG["dnskey-ttl"].total_seconds())
|
||||
alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
|
||||
size = os.environ["DEFAULT_BITS"]
|
||||
zone = "manual-rollover-zrrsig-rumoured.kasp"
|
||||
|
||||
isctest.kasp.wait_keymgr_done(ns3, zone)
|
||||
|
|
@ -263,8 +260,8 @@ def test_rollover_manual_zrrsig_rumoured(ns3):
|
|||
koffset = -int(timedelta(days=7).total_seconds())
|
||||
zoffset = -int(timedelta(hours=2).total_seconds())
|
||||
key_properties = [
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{koffset}",
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{zoffset}",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{koffset}",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{zoffset}",
|
||||
]
|
||||
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
|
||||
keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
|
||||
|
|
@ -292,10 +289,10 @@ def test_rollover_manual_zrrsig_rumoured(ns3):
|
|||
isctest.kasp.check_dnssec_verify(ns3, zone)
|
||||
|
||||
key_properties = [
|
||||
f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{koffset}",
|
||||
f"ksk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{koffset}",
|
||||
# Predecessor DNSKEY must stay until successor ZSK is fully omnipresent.
|
||||
f"zsk unlimited {alg} {size} goal:hidden dnskey:omnipresent zrrsig:rumoured offset:{zoffset}",
|
||||
f"zsk unlimited {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden offset:0",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:hidden dnskey:omnipresent zrrsig:rumoured offset:{zoffset}",
|
||||
f"zsk unlimited {default_algorithm.number} {default_algorithm.bits} goal:omnipresent dnskey:rumoured zrrsig:hidden offset:0",
|
||||
]
|
||||
expected = isctest.kasp.policy_to_properties(ttl, key_properties)
|
||||
keys = isctest.kasp.keydir_to_keylist(zone, ns3.identifier)
|
||||
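Review bot: `setup_zone` now binds `Algorithm.default()` to a local called `default_algorithm`, the same name the tests in this file receive as a pytest fixture, while the other setup helpers touched by this commit (`configure_tld`, `configure_root`) name that local `alg`. Keeping `alg = Algorithm.default()` here would match those helpers and avoid a reader mistaking the local for the fixture. It would also leave the existing `keygen = EnvCmd("KEYGEN", f"-q -a {alg.number} -b {alg.bits} -L 3600")` line untouched. `setup_zone` continues past the end of its hunk.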
|
|
|
|||