Isolate rollover-algo-csk test

Nicki Křížek 2025-06-06 16:49:14 +02:00
parent 8be9a8b52a
commit fdecef5378
16 changed files with 253 additions and 371 deletions


@ -0,0 +1 @@
../rollover/common.py


@ -0,0 +1 @@
../../rollover-dynamic2inline/ns6/named.common.conf.j2


@ -11,14 +11,10 @@
* information regarding copyright ownership.
*/
// NS6
{% set csk_roll = csk_roll | default(False) %}
{% set _csk_file = "csk1.conf" if not csk_roll else "csk2.conf" %}
include "kasp.conf";
include "@_csk_file@";
include "named.common.conf";
zone "step1.csk-algorithm-roll.kasp" {


@ -0,0 +1 @@
../../rollover-dynamic2inline/ns6/template.db.in


@ -12,9 +12,9 @@
# information regarding copyright ownership.
# shellcheck source=conf.sh
. ../../conf.sh
. ../conf.sh
echo_i "ns6/setup.sh"
cd "ns6"
setup() {
zone="$1"


@ -0,0 +1,36 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# pylint: disable=redefined-outer-name,unused-import
import isctest
from common import (
pytestmark,
CDSS,
DURATION,
TIMEDELTA,
ALGOROLL_CONFIG,
)
def test_algoroll_csk_initial(servers):
config = ALGOROLL_CONFIG
policy = "csk-algoroll"
step = {
"zone": "step1.csk-algorithm-roll.kasp",
"cdss": CDSS,
"keyprops": [
f"csk 0 8 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{-DURATION['P7D']}",
],
"nextev": TIMEDELTA["PT1H"],
}
isctest.kasp.check_rollover_step(servers["ns6"], config, policy, step)
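Review bot: The expected offset in the `keyprops` entry recomputes `-DURATION['P7D']`, although common.py in this same commit now exports that value as `ALGOROLL_OFFVAL` and the reconfig steps use `ALGOROLL_OFFVAL` for this very key, so the two modules can silently drift if one is changed; importing `ALGOROLL_OFFVAL` instead of `DURATION` and writing `f"csk 0 8 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}"` keeps a single source of truth. The test also has no docstring explaining why it lives in its own module; a one-liner such as `"""Baseline before 'rndc reconfig': one algorithm-8 (RSASHA256) CSK with every state omnipresent."""` would tell a reader that this must run against the pre-reconfig configuration, unlike the reconfig module whose autouse fixture re-renders named.conf.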


@ -0,0 +1,156 @@
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# pylint: disable=redefined-outer-name,unused-import
import pytest
import isctest
from isctest.kasp import KeyTimingMetadata
from common import (
pytestmark,
alg,
size,
CDSS,
ALGOROLL_CONFIG,
ALGOROLL_IPUB,
ALGOROLL_IPUBC,
ALGOROLL_IRET,
ALGOROLL_IRETKSK,
ALGOROLL_KEYTTLPROP,
ALGOROLL_OFFSETS,
ALGOROLL_OFFVAL,
TIMEDELTA,
)
CONFIG = ALGOROLL_CONFIG
POLICY = "csk-algoroll"
TIME_PASSED = 0 # set in reconfigure() fixture
@pytest.fixture(scope="module", autouse=True)
def reconfigure(servers, templates):
global TIME_PASSED # pylint: disable=global-statement
start_time = KeyTimingMetadata.now()
templates.render("ns6/named.conf", {"csk_roll": True})
servers["ns6"].reconfigure()
# Calculate time passed to correctly check for next key events.
TIME_PASSED = KeyTimingMetadata.now().value - start_time.value
def test_algoroll_csk_reconfig_step1(servers, alg, size):
step = {
"zone": "step1.csk-algorithm-roll.kasp",
"cdss": CDSS,
"keyprops": [
# The RSASHA keys are outroducing.
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
# The ECDSAP256SHA256 keys are introducing.
f"csk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
# Next key event is when the ecdsa256 keys have been propagated.
"nextev": ALGOROLL_IPUB,
}
isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
def test_algoroll_csk_reconfig_step2(servers, alg, size):
step = {
"zone": "step2.csk-algorithm-roll.kasp",
"cdss": CDSS,
"keyprops": [
# The RSASHA keys are outroducing, but need to stay present
# until the new algorithm chain of trust has been established.
# Thus the expected key states of these keys stay the same.
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is
# omnipresent, but the zone signatures are not.
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{ALGOROLL_OFFSETS['step2']}",
],
# Next key event is when all zone signatures are signed with the
# new algorithm. This is the child publication interval, minus
# the publication interval has already passed. Also, prevent
# intermittent false positives on slow platforms by subtracting
# the time passed between key creation and invoking 'rndc reconfig'.
"nextev": ALGOROLL_IPUBC - ALGOROLL_IPUB - TIME_PASSED,
}
isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
def test_algoroll_csk_reconfig_step3(servers, alg, size):
step = {
"zone": "step3.csk-algorithm-roll.kasp",
"cdss": CDSS,
"keyprops": [
# The DS can be swapped.
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:unretentive offset:{ALGOROLL_OFFVAL}",
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{ALGOROLL_OFFSETS['step3']}",
],
# Next key event is when the DS becomes OMNIPRESENT. This happens
# after the publication interval of the parent side.
"nextev": ALGOROLL_IRETKSK - TIME_PASSED,
}
isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
def test_algoroll_csk_reconfig_step4(servers, alg, size):
step = {
"zone": "step4.csk-algorithm-roll.kasp",
"cdss": CDSS,
"keyprops": [
# The old DS is HIDDEN, we can remove the old algorithm records.
f"csk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}",
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
],
# Next key event is when the old DNSKEY becomes HIDDEN.
# This happens after the DNSKEY TTL plus zone propagation delay.
"nextev": ALGOROLL_KEYTTLPROP,
}
isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
def test_algoroll_csk_reconfig_step5(servers, alg, size):
step = {
"zone": "step5.csk-algorithm-roll.kasp",
"cdss": CDSS,
"keyprops": [
# The DNSKEY becomes HIDDEN.
f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}",
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
],
# Next key event is when the RSASHA signatures become HIDDEN.
# This happens after the max-zone-ttl plus zone propagation delay
# minus the time already passed since the UNRETENTIVE state has
# been reached. Prevent intermittent false positives on slow
# platforms by subtracting the number of seconds which passed
# between key creation and invoking 'rndc reconfig'.
"nextev": ALGOROLL_IRET - ALGOROLL_IRETKSK - ALGOROLL_KEYTTLPROP - TIME_PASSED,
}
isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
def test_algoroll_csk_reconfig_step6(servers, alg, size):
step = {
"zone": "step6.csk-algorithm-roll.kasp",
"cdss": CDSS,
"keyprops": [
# The zone signatures are now HIDDEN.
f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}",
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
],
# Next key event is never since we established the policy and the
# keys have an unlimited lifetime. Fallback to the default
# loadkeys interval.
"nextev": TIMEDELTA["PT1H"],
}
isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
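Review bot: The comments `# The ECDSAP256SHA256 keys are introducing.` in step1 and step2 name a fixed algorithm, but the expected keyprops are parameterized on the `alg` and `size` fixtures (in the test removed by this commit those came from `DEFAULT_ALGORITHM_NUMBER`/`DEFAULT_BITS`), so the comment is only true when the default algorithm happens to be ECDSAP256SHA256; `# The keys of the new (default) algorithm are introducing.` describes what is actually asserted. The same applies to `# Next key event is when the ecdsa256 keys have been propagated.` in step1. Separately, the `reconfigure` fixture publishes its result through the mutable module global `TIME_PASSED`, which works only because the fixture is autouse and module-scoped; returning the elapsed value from the fixture and having each step accept `reconfigure` as a parameter would make that ordering dependency explicit without changing any expectation.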


@ -21,21 +21,16 @@ from common import (
size,
CDSS,
ALGOROLL_CONFIG,
ALGOROLL_IPUB,
ALGOROLL_IPUBC,
ALGOROLL_IRET,
ALGOROLL_IRETKSK,
ALGOROLL_KEYTTLPROP,
ALGOROLL_OFFSETS,
ALGOROLL_OFFVAL,
TIMEDELTA,
)
IPUB = Ipub(ALGOROLL_CONFIG)
IPUBC = IpubC(ALGOROLL_CONFIG, rollover=False)
IRET = Iret(ALGOROLL_CONFIG, rollover=False)
IRETKSK = Iret(ALGOROLL_CONFIG, zsk=False, ksk=True, rollover=False)
KEYTTLPROP = ALGOROLL_CONFIG["dnskey-ttl"] + ALGOROLL_CONFIG["zone-propagation-delay"]
OFFSETS = {}
OFFSETS["step2"] = -int(IPUB.total_seconds())
OFFSETS["step3"] = -int(IRET.total_seconds())
OFFSETS["step4"] = OFFSETS["step3"] - int(IRETKSK.total_seconds())
OFFSETS["step5"] = OFFSETS["step4"] - int(KEYTTLPROP.total_seconds())
OFFSETS["step6"] = OFFSETS["step5"] - int(IRET.total_seconds())
OFFVAL = -DURATION["P7D"]
CONFIG = ALGOROLL_CONFIG
POLICY = "ecdsa256"
TIME_PASSED = 0 # set in reconfigure() fixture
@ -59,14 +54,14 @@ def test_algoroll_ksk_zsk_reconfig_step1(servers, alg, size):
"cdss": CDSS,
"keyprops": [
# The RSASHA keys are outroducing.
f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFVAL}",
f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}",
# The ECDSAP256SHA256 keys are introducing.
f"ksk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
f"zsk 0 {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
],
# Next key event is when the ecdsa256 keys have been propagated.
"nextev": IPUB,
"nextev": ALGOROLL_IPUB,
}
isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
@ -79,19 +74,19 @@ def test_algoroll_ksk_zsk_reconfig_step2(servers, alg, size):
# The RSASHA keys are outroducing, but need to stay present
# until the new algorithm chain of trust has been established.
# Thus the expected key states of these keys stay the same.
f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFVAL}",
f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}",
# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is
# omnipresent, but the zone signatures are not.
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{OFFSETS['step2']}",
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{OFFSETS['step2']}",
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{ALGOROLL_OFFSETS['step2']}",
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{ALGOROLL_OFFSETS['step2']}",
],
# Next key event is when all zone signatures are signed with the new
# algorithm. This is the max-zone-ttl plus zone propagation delay. But
# the publication interval has already passed. Also, prevent intermittent
# false positives on slow platforms by subtracting the time passed between
# key creation and invoking 'rndc reconfig'.
"nextev": IPUBC - IPUB - TIME_PASSED,
"nextev": ALGOROLL_IPUBC - ALGOROLL_IPUB - TIME_PASSED,
}
isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
@ -102,14 +97,14 @@ def test_algoroll_ksk_zsk_reconfig_step3(servers, alg, size):
"cdss": CDSS,
"keyprops": [
# The DS can be swapped.
f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFVAL}",
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{OFFSETS['step3']}",
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step3']}",
f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{ALGOROLL_OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFVAL}",
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{ALGOROLL_OFFSETS['step3']}",
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step3']}",
],
# Next key event is when the DS becomes OMNIPRESENT. This happens
# after the retire interval.
"nextev": IRETKSK - TIME_PASSED,
"nextev": ALGOROLL_IRETKSK - TIME_PASSED,
}
isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
@ -120,14 +115,14 @@ def test_algoroll_ksk_zsk_reconfig_step4(servers, alg, size):
"cdss": CDSS,
"keyprops": [
# The old DS is HIDDEN, we can remove the old algorithm records.
f"ksk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:unretentive zrrsig:unretentive offset:{OFFVAL}",
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4']}",
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4']}",
f"ksk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{ALGOROLL_OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:unretentive zrrsig:unretentive offset:{ALGOROLL_OFFVAL}",
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step4']}",
],
# Next key event is when the old DNSKEY becomes HIDDEN.
# This happens after the DNSKEY TTL plus zone propagation delay.
"nextev": KEYTTLPROP,
"nextev": ALGOROLL_KEYTTLPROP,
}
isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
@ -138,10 +133,10 @@ def test_algoroll_ksk_zsk_reconfig_step5(servers, alg, size):
"cdss": CDSS,
"keyprops": [
# The DNSKEY becomes HIDDEN.
f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:unretentive offset:{OFFVAL}",
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5']}",
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step5']}",
f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:unretentive offset:{ALGOROLL_OFFVAL}",
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step5']}",
],
# Next key event is when the RSASHA signatures become HIDDEN.
# This happens after the max-zone-ttl plus zone propagation delay
@ -149,7 +144,7 @@ def test_algoroll_ksk_zsk_reconfig_step5(servers, alg, size):
# been reached. Prevent intermittent false positives on slow
# platforms by subtracting the number of seconds which passed
# between key creation and invoking 'rndc reconfig'.
"nextev": IRET - IRETKSK - KEYTTLPROP - TIME_PASSED,
"nextev": ALGOROLL_IRET - ALGOROLL_IRETKSK - ALGOROLL_KEYTTLPROP - TIME_PASSED,
}
isctest.kasp.check_rollover_step(servers["ns6"], CONFIG, POLICY, step)
@ -160,10 +155,10 @@ def test_algoroll_ksk_zsk_reconfig_step6(servers, alg, size):
"cdss": CDSS,
"keyprops": [
# The zone signatures are now HIDDEN.
f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:hidden offset:{OFFVAL}",
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6']}",
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6']}",
f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{ALGOROLL_OFFVAL}",
f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:hidden offset:{ALGOROLL_OFFVAL}",
f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{ALGOROLL_OFFSETS['step6']}",
],
# Next key event is never since we established the policy and the
# keys have an unlimited lifetime. Fallback to the default


@ -14,6 +14,8 @@ import os
import pytest
from isctest.kasp import Ipub, IpubC, Iret
pytestmark = pytest.mark.extra_artifacts(
[
"*.axfr*",
@ -84,6 +86,26 @@ ALGOROLL_CONFIG = {
"signatures-validity": TIMEDELTA["P30D"],
"zone-propagation-delay": TIMEDELTA["PT1H"],
}
ALGOROLL_IPUB = Ipub(ALGOROLL_CONFIG)
ALGOROLL_IPUBC = IpubC(ALGOROLL_CONFIG, rollover=False)
ALGOROLL_IRET = Iret(ALGOROLL_CONFIG, rollover=False)
ALGOROLL_IRETKSK = Iret(ALGOROLL_CONFIG, zsk=False, ksk=True, rollover=False)
ALGOROLL_KEYTTLPROP = (
ALGOROLL_CONFIG["dnskey-ttl"] + ALGOROLL_CONFIG["zone-propagation-delay"]
)
ALGOROLL_OFFSETS = {}
ALGOROLL_OFFSETS["step2"] = -int(ALGOROLL_IPUB.total_seconds())
ALGOROLL_OFFSETS["step3"] = -int(ALGOROLL_IRET.total_seconds())
ALGOROLL_OFFSETS["step4"] = ALGOROLL_OFFSETS["step3"] - int(
ALGOROLL_IRETKSK.total_seconds()
)
ALGOROLL_OFFSETS["step5"] = ALGOROLL_OFFSETS["step4"] - int(
ALGOROLL_KEYTTLPROP.total_seconds()
)
ALGOROLL_OFFSETS["step6"] = ALGOROLL_OFFSETS["step5"] - int(
ALGOROLL_IRET.total_seconds()
)
ALGOROLL_OFFVAL = -DURATION["P7D"]
@pytest.fixture
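Review bot: The `ALGOROLL_OFFSETS` table is assembled by five successive item assignments on an empty dict, each calling `.total_seconds()` on the same intervals again, which makes the cumulative structure (each step is the previous one minus one interval) harder to read than it needs to be. Converting the interval lengths to ints once and writing the dict as a single literal reads as one unit and produces byte-identical values; the shape is sketched below. The constants are evaluated at import time of common.py, so every test module importing it pays for the `Ipub`/`IpubC`/`Iret` construction even when it only needs `CDSS` or `TIMEDELTA` — acceptable here, but worth a short comment above `ALGOROLL_IPUB` saying these are shared by the algo-roll modules.

```python
_IPUB_S = int(ALGOROLL_IPUB.total_seconds())
_IRET_S = int(ALGOROLL_IRET.total_seconds())
_IRETKSK_S = int(ALGOROLL_IRETKSK.total_seconds())
_KEYTTLPROP_S = int(ALGOROLL_KEYTTLPROP.total_seconds())
# Negative key-creation offsets per step; each step is the previous one
# minus the interval that must elapse to reach it.
ALGOROLL_OFFSETS = {
    "step2": -_IPUB_S,
    "step3": -_IRET_S,
    "step4": -_IRET_S - _IRETKSK_S,
    "step5": -_IRET_S - _IRETKSK_S - _KEYTTLPROP_S,
    "step6": -_IRET_S - _IRETKSK_S - _KEYTTLPROP_S - _IRET_S,
}
# … unchanged: ALGOROLL_OFFVAL …
```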


@ -1,80 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "unsigning" {
dnskey-ttl 7200;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "rsasha256" {
signatures-refresh P5D;
signatures-validity 30d;
signatures-validity-dnskey 30d;
keys {
ksk lifetime unlimited algorithm rsasha256;
zsk lifetime unlimited algorithm rsasha256;
};
dnskey-ttl 1h;
publish-safety PT1H;
retire-safety 2h;
zone-propagation-delay 3600;
max-zone-ttl 6h;
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};
dnssec-policy "ecdsa256" {
signatures-refresh P5D;
signatures-validity 30d;
signatures-validity-dnskey 30d;
keys {
ksk lifetime unlimited algorithm ecdsa256;
zsk lifetime unlimited algorithm ecdsa256;
};
dnskey-ttl 1h;
publish-safety PT1H;
retire-safety 2h;
zone-propagation-delay 3600;
max-zone-ttl 6h;
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};
{% if RSASHA1_SUPPORTED == "1" %}
dnssec-policy "rsasha1" {
signatures-refresh P5D;
signatures-validity 30d;
signatures-validity-dnskey 30d;
keys {
ksk lifetime unlimited algorithm rsasha1;
zsk lifetime unlimited algorithm rsasha1;
};
dnskey-ttl 1h;
publish-safety PT1H;
retire-safety 2h;
zone-propagation-delay 3600;
max-zone-ttl 6h;
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};
{% endif %}


@ -1,35 +0,0 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
options {
query-source address 10.53.0.6;
notify-source 10.53.0.6;
transfer-source 10.53.0.6;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.6; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
key-directory ".";
dnssec-validation no;
};
key rndc_key {
secret "1234abcd8765";
algorithm @DEFAULT_HMAC@;
};
controls {
inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};


@ -1,27 +0,0 @@
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; SPDX-License-Identifier: MPL-2.0
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns6
ns6 A 10.53.0.6
a A 10.0.0.1
b A 10.0.0.2
c A 10.0.0.3


@ -20,7 +20,3 @@ set -e
cd ns3
$SHELL setup.sh
)
(
cd ns6
$SHELL setup.sh
)


@ -1122,183 +1122,3 @@ def test_rollover_csk_roll2(servers):
for step in steps:
isctest.kasp.check_rollover_step(server, config, policy, step)
def test_rollover_policy_changes(servers, templates):
server = servers["ns6"]
cdss = ["CDNSKEY", "CDS (SHA-256)"]
alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
size = os.environ["DEFAULT_BITS"]
default_config = {
"dnskey-ttl": timedelta(hours=1),
"ds-ttl": timedelta(days=1),
"max-zone-ttl": timedelta(days=1),
"parent-propagation-delay": timedelta(hours=1),
"publish-safety": timedelta(hours=1),
"purge-keys": timedelta(days=90),
"retire-safety": timedelta(hours=1),
"signatures-refresh": timedelta(days=5),
"signatures-validity": timedelta(days=14),
"zone-propagation-delay": timedelta(seconds=300),
}
unsigning_config = default_config.copy()
unsigning_config["dnskey-ttl"] = timedelta(seconds=7200)
algoroll_config = {
"dnskey-ttl": timedelta(hours=1),
"ds-ttl": timedelta(seconds=7200),
"max-zone-ttl": timedelta(hours=6),
"parent-propagation-delay": timedelta(hours=1),
"publish-safety": timedelta(hours=1),
"purge-keys": timedelta(days=90),
"retire-safety": timedelta(hours=2),
"signatures-refresh": timedelta(days=5),
"signatures-validity": timedelta(days=30),
"zone-propagation-delay": timedelta(seconds=3600),
}
start_time = KeyTimingMetadata.now()
# Test algorithm rollover (CSK).
isctest.log.info("check algorithm rollover csk")
step = {
"zone": "step1.csk-algorithm-roll.kasp",
"cdss": cdss,
"config": algoroll_config,
"policy": "csk-algoroll",
"keyprops": [
f"csk 0 8 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}",
],
"nextev": timedelta(hours=1),
}
steps.append(step)
for step in steps:
isctest.kasp.check_rollover_step(server, step["config"], step["policy"], step)
# Reconfigure, changing DNSSEC policies and other configuration options,
# triggering algorithm rollovers and other dnssec-policy changes.
templates.render("ns6/named.conf", {"csk_roll": True})
server.rndc("reconfig")
# Calculate time passed to correctly check for next key events.
now = KeyTimingMetadata.now()
time_passed = now.value - start_time.value
# Test algorithm rollover (CSK) (after reconfig).
isctest.log.info("check algorithm rollover csk (after reconfig)")
offsets = {}
offsets["step2"] = -int(ipub.total_seconds())
offsets["step3"] = -int(iret.total_seconds())
offsets["step4"] = offsets["step3"] - int(iretKSK.total_seconds())
offsets["step5"] = offsets["step4"] - int(keyttlprop.total_seconds())
offsets["step6"] = offsets["step5"] - int(iret.total_seconds())
algo_steps = [
{
# Step 1.
"zone": "step1.csk-algorithm-roll.kasp",
"cdss": cdss,
"config": algoroll_config,
"policy": "csk-algoroll",
"keyprops": [
# The RSASHA keys are outroducing.
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}",
# The ECDSAP256SHA256 keys are introducing.
f"csk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
],
# Next key event is when the ecdsa256 keys have been propagated.
"nextev": ipub,
},
{
# Step 2.
"zone": "step2.csk-algorithm-roll.kasp",
"cdss": cdss,
"config": algoroll_config,
"policy": "csk-algoroll",
"keyprops": [
# The RSASHA keys are outroducing, but need to stay present
# until the new algorithm chain of trust has been established.
# Thus the expected key states of these keys stay the same.
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}",
# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is
# omnipresent, but the zone signatures are not.
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{offsets['step2']}",
],
# Next key event is when all zone signatures are signed with the
# new algorithm. This is the child publication interval, minus
# the publication interval has already passed. Also, prevent
# intermittent false positives on slow platforms by subtracting
# the time passed between key creation and invoking 'rndc reconfig'.
"nextev": ipubc - ipub - time_passed,
},
{
# Step 3.
"zone": "step3.csk-algorithm-roll.kasp",
"cdss": cdss,
"config": algoroll_config,
"policy": "csk-algoroll",
"keyprops": [
# The DS can be swapped.
f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:unretentive offset:{offval}",
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{offsets['step3']}",
],
# Next key event is when the DS becomes OMNIPRESENT. This happens
# after the publication interval of the parent side.
"nextev": iretKSK - time_passed,
},
{
# Step 4.
"zone": "step4.csk-algorithm-roll.kasp",
"cdss": cdss,
"config": algoroll_config,
"policy": "csk-algoroll",
"keyprops": [
# The old DS is HIDDEN, we can remove the old algorithm records.
f"csk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:unretentive ds:hidden offset:{offval}",
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step4']}",
],
# Next key event is when the old DNSKEY becomes HIDDEN.
# This happens after the DNSKEY TTL plus zone propagation delay.
"nextev": keyttlprop,
},
{
# Step 5.
"zone": "step5.csk-algorithm-roll.kasp",
"cdss": cdss,
"config": algoroll_config,
"policy": "csk-algoroll",
"keyprops": [
# The DNSKEY becomes HIDDEN.
f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:unretentive ds:hidden offset:{offval}",
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step5']}",
],
# Next key event is when the RSASHA signatures become HIDDEN.
# This happens after the max-zone-ttl plus zone propagation delay
# minus the time already passed since the UNRETENTIVE state has
# been reached. Prevent intermittent false positives on slow
# platforms by subtracting the number of seconds which passed
# between key creation and invoking 'rndc reconfig'.
"nextev": iret - iretKSK - keyttlprop - time_passed,
},
{
# Step 6.
"zone": "step6.csk-algorithm-roll.kasp",
"cdss": cdss,
"config": algoroll_config,
"policy": "csk-algoroll",
"keyprops": [
# The zone signatures are now HIDDEN.
f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{offval}",
f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step6']}",
],
# Next key event is never since we established the policy and the
# keys have an unlimited lifetime. Fallback to the default
# loadkeys interval.
"nextev": timedelta(hours=1),
},
]
steps = steps + algo_steps
for step in steps:
isctest.kasp.check_rollover_step(server, step["config"], step["policy"], step)