#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# kasp system test: exercises dnssec-keygen/dnssec-settime against a
# dnssec-policy and then checks that named manages the keys of the test
# zones according to their policies.  The check_*/set_* helpers come from
# kasp.sh; conf.sh supplies the tool paths ($DIG, $RNDC, $KEYGEN, ...).

# shellcheck source=conf.sh
# shellcheck source=kasp.sh
SYSTEMTESTTOP=..
. "$SYSTEMTESTTOP/conf.sh"
. "$SYSTEMTESTTOP/kasp.sh"

# Wall-clock start of the run (UTC epoch seconds), overall failure count and
# running test number.
start_time="$(TZ=UTC date +%s)"
status=0
n=0

###############################################################################
# Utilities                                                                   #
###############################################################################

# Run dig with the options every query in this test needs (TCP, DNSSEC
# records, the test port).  When $TSIG is set, the query is signed with it.
dig_with_opts() {
	if [ -n "$TSIG" ]; then
		set -- -y "$TSIG" "$@"
	fi
	"$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}

# Run rndc against the test control channel.  The first argument is the
# server address, the remainder is the rndc command.
rndccmd() {
	"$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@"
}

# Report an error for the current test and bump its failure counter 'ret'.
log_error() {
	echo_i "error: $1"
	ret=$((ret + 1))
}

# Default tolerance (seconds) for "next key event" checks.  It may be
# extended by the time spent in wait loops further down.
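next_key_event_threshold=100

###############################################################################
# Tests                                                                       #
###############################################################################

#
# dnssec-keygen
#
# Policy "kasp" (read from kasp.conf via -l) describes four keys: one CSK,
# one KSK and two ZSKs, with the properties listed below.  -K keys makes
# dnssec-keygen write the key files into the "keys" directory.
set_zone "kasp"
set_policy "kasp" "4" "200"
set_server "keys" "10.53.0.1"

n=$((n+1))
echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)"
ret=0
$KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1
lines=$(wc -l < "keygen.out.$POLICY.test$n")
test "$lines" -eq "$NUM_KEYS" || log_error "wrong number of keys created for policy kasp: $lines"
# Temporarily don't log errors because we are searching multiple files.
disable_logerror

# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "31536000"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"

set_keyrole "KEY2" "ksk"
set_keylifetime "KEY2" "31536000"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
set_keysigning "KEY2" "yes"
set_zonesigning "KEY2" "no"

set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "2592000"
set_keyalgorithm "KEY3" "8" "RSASHA256" "1024"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "yes"

set_keyrole "KEY4" "zsk"
set_keylifetime "KEY4" "16070400"
set_keyalgorithm "KEY4" "8" "RSASHA256" "2000"
set_keysigning "KEY4" "no"
set_zonesigning "KEY4" "yes"

lines=$(get_keyids "$DIR" "$ZONE" | wc -l)
test "$lines" -eq "$NUM_KEYS" || log_error "bad number of key ids"

# Fold the keygen / key-count failures into 'status' now.  The matching loop
# below resets 'ret' for every candidate description, which previously
# discarded these failures: a keygen run that produced no keys at all left
# the loop idle and the test silently passed.
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

ids=$(get_keyids "$DIR" "$ZONE")
for id in $ids; do
	# Four keys were generated; try each expected key description in
	# turn until one matches this key id.
	ret=0 && check_key "KEY1" "$id"
	test "$ret" -eq 0 && continue

	ret=0 && check_key "KEY2" "$id"
	test "$ret" -eq 0 && continue

	ret=0 && check_key "KEY3" "$id"
	test "$ret" -eq 0 && continue

	ret=0 && check_key "KEY4" "$id"

	# If ret is still non-zero, none of the descriptions matched.
	test "$ret" -eq 0 || echo_i "failed"
	status=$((status+ret))
done
# Turn error logs on again.
enable_logerror

n=$((n+1))
echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
ret=0
# The built-in "default" policy yields a single ECDSAP256SHA256 CSK with an
# unlimited lifetime; key files go to the current directory (DIR ".").
set_zone "kasp"
set_policy "default" "1" "3600"
set_server "." "10.53.0.1"
# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"

key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

$KEYGEN -G -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1
lines=$(wc -l < "keygen.out.$POLICY.test$n")
test "$lines" -eq "$NUM_KEYS" || log_error "wrong number of keys created for policy default: $lines"
ids=$(get_keyids "$DIR" "$ZONE")
for id in $ids; do
	check_key "KEY1" "$id"
	# key_save records the key's file names (BASE_FILE, KEY_FILE, ...)
	# for the dnssec-settime tests that follow.
	test "$ret" -eq 0 && key_save KEY1
	check_keytimes
done
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# dnssec-settime
#

# These tests build upon the key just created with dnssec-keygen and use the
# environment variables BASE_FILE, KEY_FILE, PRIVATE_FILE and STATE_FILE.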
# Scratch copy of the key state file, used to prove that a plain
# dnssec-settime run leaves the .state file alone.  '$id' still holds the id
# of the single key generated by the preceding default-policy test.
CMP_FILE="${BASE_FILE}.cmp"
n=$((n+1))
echo_i "check that 'dnssec-settime' by default does not edit key state file ($n)"
ret=0
cp "$STATE_FILE" "$CMP_FILE"
# Without -s, only the .key and .private timing metadata may change.
$SETTIME -P +3600 "$BASE_FILE" > /dev/null || log_error "settime failed"
grep "; Publish: " "$KEY_FILE" > /dev/null || log_error "mismatch published in $KEY_FILE"
grep "Publish: " "$PRIVATE_FILE" > /dev/null || log_error "mismatch published in $PRIVATE_FILE"
$DIFF "$CMP_FILE" "$STATE_FILE" || log_error "unexpected file change in $STATE_FILE"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# With -s, dnssec-settime also writes the .state file, i.e. the goal and the
# per-record states that named's rollover logic works from.  Option mapping:
# -g goal, -k DNSKEY state, -r KSK RRSIG state, -z ZSK RRSIG state, -d DS
# state; each state option takes a state name followed by a timestamp.
n=$((n+1))
echo_i "check that 'dnssec-settime -s' also sets publish time metadata and states in key state file ($n)"
ret=0
cp "$STATE_FILE" "$CMP_FILE"
now=$(date +%Y%m%d%H%M%S)
$SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "hidden"
check_key "KEY1" "$id"
test "$ret" -eq 0 && key_save KEY1
set_keytime "KEY1" "PUBLISHED" "${now}"
check_keytimes
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# The value "none" clears a time or state again.
n=$((n+1))
echo_i "check that 'dnssec-settime -s' also unsets publish time metadata and states in key state file ($n)"
ret=0
cp "$STATE_FILE" "$CMP_FILE"
$SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
set_keystate "KEY1" "GOAL" "none"
set_keystate "KEY1" "STATE_DNSKEY" "none"
set_keystate "KEY1" "STATE_KRRSIG" "none"
set_keystate "KEY1" "STATE_ZRRSIG" "none"
set_keystate "KEY1" "STATE_DS" "none"
check_key "KEY1" "$id"
test "$ret" -eq 0 && key_save KEY1
set_keytime "KEY1" "PUBLISHED" "none"
check_keytimes
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# State names are accepted case-insensitively; the expected values below are
# the lowercase canonical forms.
n=$((n+1))
echo_i "check that 'dnssec-settime -s' also sets active time metadata and states in key state file (uppercase) ($n)"
ret=0
cp "$STATE_FILE" "$CMP_FILE"
now=$(date +%Y%m%d%H%M%S)
$SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
set_keystate "KEY1" "STATE_DS" "omnipresent"
check_key "KEY1" "$id"
test "$ret" -eq 0 && key_save KEY1
set_keytime "KEY1" "ACTIVE" "${now}"
check_keytimes
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# named
#

# The NSEC record at the apex of the zone and its RRSIG records are
# added as part of the last step in signing a zone. We wait for the
# NSEC records to appear before proceeding with a counter to prevent
# infinite loops if there is an error.
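# Wait until every zone listed in ns3/zones and ns6/zones has a signed apex
# NSEC record, which is the last thing written when a zone is signed.  The
# retry is bounded so a broken server cannot hang the test.
n=$((n+1))
echo_i "waiting for kasp signing changes to take effect ($n)"
ret=0

# Returns 0 once all zones on ns3 and ns6 answer an apex NSEC query whose
# type bitmap starts "NS SOA" and that carries an RRSIG, 1 otherwise.
_wait_for_done_apexnsec() {
	while read -r zone
	do
		dig_with_opts "$zone" @10.53.0.3 nsec > "dig.out.ns3.test$n.$zone" || return 1
		grep "NS SOA" "dig.out.ns3.test$n.$zone" > /dev/null || return 1
		grep "$zone\..*IN.*RRSIG" "dig.out.ns3.test$n.$zone" > /dev/null || return 1
	done < ns3/zones

	while read -r zone
	do
		dig_with_opts "$zone" @10.53.0.6 nsec > "dig.out.ns6.test$n.$zone" || return 1
		grep "NS SOA" "dig.out.ns6.test$n.$zone" > /dev/null || return 1
		grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" > /dev/null || return 1
	done < ns6/zones

	return 0
}
_wait_started=$(TZ=UTC date +%s)
retry_quiet 30 _wait_for_done_apexnsec || ret=1
_wait_finished=$(TZ=UTC date +%s)
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# Widen the "next key event" tolerance by the seconds just spent waiting, so
# that later event-time checks allow for it.  (Previously an unset 'i' was
# added here, i.e. the threshold never grew.)
next_key_event_threshold=$((next_key_event_threshold + _wait_finished - _wait_started))

#
# Zone: default.kasp.
#
# Expected timing metadata for a zone using the built-in "default" policy
# (single CSK, unlimited lifetime).
set_keytimes_csk_policy() {
	# The first key is immediately published and activated.
	created=$(key_get KEY1 CREATED)
	set_keytime "KEY1" "PUBLISHED" "${created}"
	set_keytime "KEY1" "ACTIVE" "${created}"
	# The DS can be published if the DNSKEY and RRSIG records are
	# OMNIPRESENT. This happens after max-zone-ttl (1d) plus
	# publish-safety (1h) plus zone-propagation-delay (300s) =
	# 86400 + 3600 + 300 = 90300.
	set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300
	# Key lifetime is unlimited, so not setting RETIRED and REMOVED.
}

# Check the zone with default kasp policy has loaded and is signed.
set_zone "default.kasp"
set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.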
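set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Update zone.
n=$((n+1))
echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)"
ret=0
cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db"
rndccmd 10.53.0.3 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed"

# Check that owner name $1 has an A record with address $2, with TTL
# DEFAULT_TTL, signed by exactly one key and that key is KEY_ID.  The dig
# output is kept in file $3 for debugging.  Returns 1 on any mismatch.
_check_update_signed() {
	_name=$1
	_ip=$2
	_out=$3
	dig_with_opts "$_name" "@${SERVER}" A > "$_out" || return 1
	grep "status: NOERROR" "$_out" > /dev/null || return 1
	# Anchor the address at end of line: without it "10.0.0.1" would also
	# accept a stale "10.0.0.101" record.
	grep "${_name}\..*${DEFAULT_TTL}.*IN.*A.*${_ip}$" "$_out" > /dev/null || return 1
	_signers=$(get_keys_which_signed A "$_out" | wc -l)
	test "$_signers" -eq 1 || return 1
	get_keys_which_signed A "$_out" | grep "^${KEY_ID}$" > /dev/null || return 1
	return 0
}

# Check that a.ZONE has address $1 and d.ZONE has address $2, both signed by
# the zone's single key.  Pass "-" to skip a name.  Meant to be run under
# retry_quiet.
update_is_signed() {
	_ip_a=$1
	_ip_d=$2

	if [ "$_ip_a" != "-" ]; then
		_check_update_signed "a.${ZONE}" "$_ip_a" "dig.out.$DIR.test$n.a" || return 1
	fi

	if [ "$_ip_d" != "-" ]; then
		_check_update_signed "d.${ZONE}" "$_ip_d" "dig.out.$DIR.test$n.d" || return 1
	fi
	return 0
}

retry_quiet 10 update_is_signed "10.0.0.11" "10.0.0.44" || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# Move the private key file, a rekey event should not introduce replacement
# keys.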
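# An unreadable private key must be reported as "offline" and must not be
# mistaken for a missing key: otherwise named would generate a successor and
# start an unplanned rollover.  The "Nothing has changed" checks below verify
# the key set is untouched afterwards.
n=$((n+1))
ret=0
echo_i "test that if private key files are inaccessible this doesn't trigger a rollover ($n)"
basefile=$(key_get KEY1 BASEFILE)
mv "${basefile}.private" "${basefile}.offline"
rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
wait_for_log 3 "offline, policy default" "$DIR/named.run" || ret=1
# Always put the private key back, whatever the outcome.
mv "${basefile}.offline" "${basefile}.private"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# Nothing has changed.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: dynamic.kasp
#
set_zone "dynamic.kasp"
set_dynamic
set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Update zone with nsupdate: replace a.ZONE and add d.ZONE, then check the
# new records are signed by the zone's key.
n=$((n+1))
echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)"
ret=0
(
echo zone ${ZONE}
echo server 10.53.0.3 "$PORT"
echo update del "a.${ZONE}" 300 A 10.0.0.1
echo update add "a.${ZONE}" 300 A 10.0.0.101
echo update add "d.${ZONE}" 300 A 10.0.0.4
echo send
) | $NSUPDATE || log_error "nsupdate for zone ${ZONE} failed"

retry_quiet 10 update_is_signed "10.0.0.101" "10.0.0.4" || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# Update zone with nsupdate (reverting the above change).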
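n=$((n+1))
echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)"
ret=0
(
echo zone ${ZONE}
echo server 10.53.0.3 "$PORT"
echo update add "a.${ZONE}" 300 A 10.0.0.1
echo update del "a.${ZONE}" 300 A 10.0.0.101
echo update del "d.${ZONE}" 300 A 10.0.0.4
echo send
) | $NSUPDATE || log_error "nsupdate for zone ${ZONE} failed"

# d.ZONE was deleted, so only a.ZONE is checked.
retry_quiet 10 update_is_signed "10.0.0.1" "-" || ret=1
# The replaced address must be gone too: a pattern ending in "10.0.0.1" on
# its own would also accept a lingering "10.0.0.101" record.
grep "10\.0\.0\.101" "dig.out.$DIR.test$n.a" > /dev/null && log_error "stale a.${ZONE} address 10.0.0.101 still present"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# Update zone with freeze/thaw: rndc freeze stops dynamic updates so the
# on-disk zone file can be edited; rndc thaw reloads it.
n=$((n+1))
echo_i "modify zone file and check that new record is signed for zone ${ZONE} ($n)"
ret=0
rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed"
sleep 1
echo "d.${ZONE}. 300 A 10.0.0.44" >> "${DIR}/${ZONE}.db"
rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed"

retry_quiet 10 update_is_signed "10.0.0.1" "10.0.0.44" || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# Zone: dynamic-inline-signing.kasp
#
set_zone "dynamic-inline-signing.kasp"
set_dynamic
set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Update zone with freeze/thaw.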
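n=$((n+1))
echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)"
ret=0
rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed"
sleep 1
cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db"
rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed"

# template2.db.in carries a.ZONE 10.0.0.11 and d.ZONE 10.0.0.44 (the same
# file is checked with these addresses for default.kasp).  The addresses
# were previously omitted here, which made update_is_signed accept any A
# record.
retry_quiet 10 update_is_signed "10.0.0.11" "10.0.0.44" || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# Zone: inline-signing.kasp
#
set_zone "inline-signing.kasp"
set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: checkds-ksk.kasp.
#
# Split-key policy: one KSK and one ZSK.  Used to check that "rndc dnssec
# -checkds" (the operator telling named the parent has published or
# withdrawn the DS) is recorded in the KSK's state file.
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

set_zone "checkds-ksk.kasp"
set_policy "checkds-ksk" "2" "303"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.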
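set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

basefile=$(key_get KEY1 BASEFILE)

# Returns 0 when file $2 contains the pattern $1, 1 otherwise.  Used under
# retry_quiet to wait for named to rewrite a key state file.
_wait_for_metadata() {
	_expr=$1
	_file=$2
	grep "$_expr" "$_file" > /dev/null || return 1
	return 0
}

# With a single KSK, checkds does not need a key id: the DSPublish time is
# recorded in that KSK's state file.
n=$((n+1))
echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# Zone: checkds-doubleksk.kasp.
#
# Two KSKs plus one ZSK: checkds without a key id is ambiguous here and must
# be refused; with -key (and a matching -alg) only that KSK is updated.
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

set_zone "checkds-doubleksk.kasp"
set_policy "checkds-doubleksk" "3" "303"
set_server "ns3" "10.53.0.3"
# Key properties.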
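set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

set_keyrole "KEY2" "ksk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY2" "yes"
set_zonesigning "KEY2" "no"

set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
set_keystate "KEY2" "STATE_DS" "hidden"

set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

basefile1=$(key_get KEY1 BASEFILE)
basefile2=$(key_get KEY2 BASEFILE)

# Negative cases: an ambiguous checkds (no key id) must not touch either
# KSK's state file.  These are checked immediately, as there is nothing to
# wait for.
n=$((n+1))
echo_i "checkds published does not set DSPublish for zone $ZONE (multiple KSK) ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "published" "$ZONE"
grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (multiple KSK) ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "withdrawn" "$ZONE"
grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}"
grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# A key id combined with the wrong algorithm (the keys are algorithm 13) must
# be refused as well, whether the algorithm is given by number or by name.
n=$((n+1))
echo_i "checkds published does not set DSPublish for zone $ZONE (wrong algorithm) ($n)"
ret=0
rndccmd "$SERVER" dnssec -checkds -key "$(key_get KEY1 ID)" -alg 8 "published" "$ZONE" > "rndc.dnssec.checkds.out.$ZONE.$n"
grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (wrong algorithm) ($n)"
ret=0
rndccmd "$SERVER" dnssec -checkds -key "$(key_get KEY1 ID)" -alg RSASHA256 "withdrawn" "$ZONE" > "rndc.dnssec.checkds.out.$ZONE.$n"
grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}"
grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# Positive cases: with -key, exactly the named KSK is updated.
n=$((n+1))
echo_i "checkds published -key correctly sets DSPublish for key $(key_get KEY1 ID) zone $ZONE (multiple KSK) ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" KEY1 "20190102121314" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile1}.state" || log_error "bad DSPublish in ${basefile1}.state"
grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "checkds withdrawn -key correctly sets DSRemoved for key $(key_get KEY2 ID) zone $ZONE (multiple KSK) ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" KEY2 "20200102121314" "withdrawn" "$ZONE"
grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}"
retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile2}.state" || log_error "bad DSRemoved in ${basefile2}.state"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# Zone: checkds-csk.kasp.
#
# A single CSK carries the DS metadata just like a single KSK does.
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

set_zone "checkds-csk.kasp"
set_policy "checkds-csk" "1" "303"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

basefile=$(key_get KEY1 BASEFILE)

n=$((n+1))
echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
ret=0
rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))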
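# Set PUBLISHED and ACTIVE of key $1 (KEY1..KEY3) to its creation time, or,
# when $2 is "pregenerated", to the "; Publish:" time recorded in its .key
# file (a pregenerated key carries its own publish time).  The grep output is
# kept in published.test${n}.$3 for debugging.
_set_initial_keytimes() {
	_key=$1
	created=$(key_get "$_key" CREATED)
	set_keytime "$_key" "PUBLISHED" "${created}"
	set_keytime "$_key" "ACTIVE" "${created}"
	# Key was pregenerated.
	if [ "$2" = "pregenerated" ]; then
		keyfile=$(key_get "$_key" BASEFILE)
		grep "; Publish:" "${keyfile}.key" > "published.test${n}.$3"
		published=$(awk '{print $3}' < "published.test${n}.$3")
		set_keytime "$_key" "PUBLISHED" "${published}"
		set_keytime "$_key" "ACTIVE" "${published}"
	fi
}

# Set expected keytimes for the dnssec-policy "rsasha1"-style policies used
# by several zones below (one KSK, two ZSKs).  These all use the same time
# values.  Pass "pregenerated" as $1 when the keys existed before named
# started.
set_keytimes_algorithm_policy() {
	# The first KSK is immediately published and activated.
	_set_initial_keytimes "KEY1" "$1" "key1"
	published=$(key_get KEY1 PUBLISHED)

	# The DS can be published if the DNSKEY and RRSIG records are
	# OMNIPRESENT. This happens after max-zone-ttl (1d) plus
	# publish-safety (1h) plus zone-propagation-delay (300s) =
	# 86400 + 3600 + 300 = 90300.
	set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
	# KSK lifetime is 10 years, 315360000 seconds.
	set_addkeytime "KEY1" "RETIRED" "${published}" 315360000
	# The key is removed after the retire time plus DS TTL (1d),
	# parent propagation delay (1h), and retire safety (1h) =
	# 86400 + 3600 + 3600 = 93600.
	retired=$(key_get KEY1 RETIRED)
	set_addkeytime "KEY1" "REMOVED" "${retired}" 93600

	# The first ZSK (KEY2) is immediately published and activated.
	_set_initial_keytimes "KEY2" "$1" "key2"
	published=$(key_get KEY2 PUBLISHED)

	# Key lifetime for ZSK KEY2 is 5 years, 157680000 seconds.
	set_addkeytime "KEY2" "RETIRED" "${published}" 157680000
	# The key is removed after the retire time plus max zone ttl (1d), zone
	# propagation delay (300s), retire safety (1h), and sign delay
	# (signature validity minus refresh, 9d) =
	# 86400 + 300 + 3600 + 777600 = 867900.
	retired=$(key_get KEY2 RETIRED)
	set_addkeytime "KEY2" "REMOVED" "${retired}" 867900

	# Second ZSK (KEY3).
	_set_initial_keytimes "KEY3" "$1" "key3"
	published=$(key_get KEY3 PUBLISHED)

	# Key lifetime for ZSK KEY3 is 1 year, 31536000 seconds; it is removed
	# after the same 867900 seconds as KEY2.
	set_addkeytime "KEY3" "RETIRED" "${published}" 31536000
	retired=$(key_get KEY3 RETIRED)
	set_addkeytime "KEY3" "REMOVED" "${retired}" 867900
}

#
# Zone: rsasha1.kasp.
#
# NOTE(review): RSASHA1 (algorithm 5) is used here only to exercise the
# RSA/SHA-1 code path; RFC 8624 lists it as NOT RECOMMENDED for signing, so
# this policy should not be copied for production zones.
set_zone "rsasha1.kasp"
set_policy "rsasha1" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "315360000"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "157680000"
set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"

key_clear "KEY3"
set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "31536000"
set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "yes"

# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
# ZSK: DNSKEY, RRSIG (zsk) published.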
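set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"

set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
# Three keys only.
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: unsigned.kasp.
#
# dnssec-policy none: no keys may exist and the zone must be served unsigned.
set_zone "unsigned.kasp"
set_policy "none" "0" "0"
set_server "ns3" "10.53.0.3"

key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
# Make sure the zone file is untouched: named must not rewrite the master
# file of a zone it does not sign.  ($DIFF is the same tool used by the
# dnssec-settime state-file check above.)
n=$((n+1))
echo_i "Make sure the zonefile for zone ${ZONE} is not edited ($n)"
ret=0
$DIFF "${DIR}/${ZONE}.db.infile" "${DIR}/${ZONE}.db" || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# Zone: insecure.kasp.
#
# The "insecure" policy likewise yields no keys and no signatures.
set_zone "insecure.kasp"
set_policy "insecure" "0" "0"
set_server "ns3" "10.53.0.3"

key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

#
# Zone: unlimited.kasp.
#
# Single CSK with lifetime 0 (unlimited): same expectations as "default".
set_zone "unlimited.kasp"
set_policy "unlimited" "1" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.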
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: inherit.kasp.
#
# The zone itself carries no dnssec-policy in named.conf (presumably it is
# inherited from the enclosing view/options block — see ns3/named.conf);
# the expected keys are those of the "rsasha1" policy.
set_zone "inherit.kasp"
set_policy "rsasha1" "3" "1234"
set_server "ns3" "10.53.0.3"

# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "315360000"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "157680000"
set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"

key_clear "KEY3"
set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "31536000"
set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "yes"
# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
# ZSK: DNSKEY, RRSIG (zsk) published.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"

set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
# Three keys only.
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: dnssec-keygen.kasp.
#
# Same key properties, timings and states as rsasha1.kasp above; here the
# keys are expected to come out identical even though the zone name differs.
set_zone "dnssec-keygen.kasp"
set_policy "rsasha1" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: some-keys.kasp.
#
# Some of this zone's keys existed before named started ("pregenerated"), so
# their publish/active times are read back from the .key files rather than
# derived from the creation time.  named must adopt such keys instead of
# generating new ones.
set_zone "some-keys.kasp"
set_policy "rsasha1" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy "pregenerated"
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: pregenerated.kasp.
#
# There are more pregenerated keys than needed, hence the number of keys is
# six, not three.
set_zone "pregenerated.kasp"
set_policy "rsasha1" "6" "1234"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy "pregenerated"
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: rumoured.kasp.
#
# There are three keys in rumoured state.
set_zone "rumoured.kasp"
set_policy "rsasha1" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
# Activation date is a day later.
978set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400 979set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400 980set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400 981set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400 982set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400 983set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400 984set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400 985set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400 986set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400 987check_keytimes 988check_apex 989check_subdomain 990dnssec_verify 991 992# 993# Zone: secondary.kasp. 994# 995set_zone "secondary.kasp" 996set_policy "rsasha1" "3" "1234" 997set_server "ns3" "10.53.0.3" 998# Key properties, timings and states same as above. 999 1000check_keys 1001check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1002set_keytimes_algorithm_policy 1003check_keytimes 1004check_apex 1005check_subdomain 1006dnssec_verify 1007 1008# Update zone. 
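n=$((n+1))
echo_i "check that we correctly sign the zone after IXFR for zone ${ZONE} ($n)"
ret=0
# Swap in the updated zone file on the primary (ns2) and reload it, so the
# secondary under test ($SERVER) picks up the change via IXFR. Both steps are
# logged on failure; the verdict still comes from the poll below, which resets
# ret on every attempt.
cp ns2/secondary.kasp.db.in2 ns2/secondary.kasp.db || log_error "copying updated zone file for ${ZONE} failed"
rndccmd 10.53.0.2 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed"

# Poll helper for retry_quiet: succeed once both updated A records are served
# by $SERVER with the expected TTL and carry valid ZSK signatures.
# Globals:  ZONE, SERVER, DIR, n, DEFAULT_TTL (read); ret (reset and written)
# Outputs:  dig.out.$DIR.test$n.a and dig.out.$DIR.test$n.d
# Returns:  0 when both records are present and correctly signed, non-zero
#           otherwise (retry_quiet re-runs it until it succeeds or gives up).
_wait_for_done_subdomains() {
	ret=0
	dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1
	grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1
	grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" > /dev/null || return 1
	# Pass the query type explicitly instead of relying on whatever a
	# previous helper happened to leave in the global _qtype.
	check_signatures "A" "dig.out.$DIR.test$n.a" "ZSK"
	if [ "$ret" -gt 0 ]; then return "$ret"; fi

	dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.d" || return 1
	grep "status: NOERROR" "dig.out.$DIR.test$n.d" > /dev/null || return 1
	grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" > /dev/null || return 1
	check_signatures "A" "dig.out.$DIR.test$n.d" "ZSK"
	return "$ret"
}
retry_quiet 5 _wait_for_done_subdomains || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# TODO: we might want to test:
# - configuring a zone with too many active keys (should trigger retire).
# - configuring a zone with keys not matching the policy.

#
# Zone: rsasha1-nsec3.kasp.
#
set_zone "rsasha1-nsec3.kasp"
set_policy "rsasha1-nsec3" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048"
set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000"
# Key timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: rsasha256.kasp.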
#
set_zone "rsasha256.kasp"
set_policy "rsasha256" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
set_keyalgorithm "KEY3" "8" "RSASHA256" "2000"
# Key timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: rsasha512.kasp.
#
set_zone "rsasha512.kasp"
set_policy "rsasha512" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "10" "RSASHA512" "2048"
set_keyalgorithm "KEY2" "10" "RSASHA512" "2048"
set_keyalgorithm "KEY3" "10" "RSASHA512" "2000"
# Key timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: ecdsa256.kasp.
#
set_zone "ecdsa256.kasp"
set_policy "ecdsa256" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
# Key timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: ecdsa384.kasp.
#
set_zone "ecdsa384.kasp"
set_policy "ecdsa384" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
set_keyalgorithm "KEY2" "14" "ECDSAP384SHA384" "384"
set_keyalgorithm "KEY3" "14" "ECDSAP384SHA384" "384"
# Key timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone: ed25519.kasp.
#
# Only run when the build environment advertised ED25519 support by creating
# the marker file.
if [ -f ed25519-supported.file ]; then
	set_zone "ed25519.kasp"
	set_policy "ed25519" "3" "1234"
	set_server "ns3" "10.53.0.3"
	# Key properties.
	set_keyalgorithm "KEY1" "15" "ED25519" "256"
	set_keyalgorithm "KEY2" "15" "ED25519" "256"
	set_keyalgorithm "KEY3" "15" "ED25519" "256"
	# Key timings and states same as above.

	check_keys
	check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
	set_keytimes_algorithm_policy
	check_keytimes
	check_apex
	check_subdomain
	dnssec_verify
fi

#
# Zone: ed448.kasp.
#
# Only run when the build environment advertised ED448 support by creating
# the marker file.
if [ -f ed448-supported.file ]; then
	set_zone "ed448.kasp"
	set_policy "ed448" "3" "1234"
	set_server "ns3" "10.53.0.3"
	# Key properties.
	set_keyalgorithm "KEY1" "16" "ED448" "456"
	set_keyalgorithm "KEY2" "16" "ED448" "456"
	set_keyalgorithm "KEY3" "16" "ED448" "456"
	# Key timings and states same as above.

	check_keys
	check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
	set_keytimes_algorithm_policy
	check_keytimes
	check_apex
	check_subdomain
	dnssec_verify
fi

# Set key times for 'autosign' policy.
# Derives the expected PUBLISHED/ACTIVE/SYNCPUBLISH/RETIRED/REMOVED times of
# KEY1 (KSK) and KEY2 (ZSK) from their CREATED time, for check_keytimes.
# Globals:  key state for KEY1/KEY2 via key_get (read) and set_addkeytime
#           (written); created, active, retired (scratch, left set on exit)
set_keytimes_autosign_policy() {
	# The KSK was published six months ago (with settime).
	created=$(key_get KEY1 CREATED)
	set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000
	set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000
	set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000
	# Key lifetime is 2 years, 63072000 seconds.
	active=$(key_get KEY1 ACTIVE)
	set_addkeytime "KEY1" "RETIRED" "${active}" 63072000
	# The key is removed after the retire time plus DS TTL (1d),
	# parent propagation delay (1h), retire safety (1h) =
	# 86400 + 3600 + 3600 = 93600
	retired=$(key_get KEY1 RETIRED)
	set_addkeytime "KEY1" "REMOVED" "${retired}" 93600

	# The ZSK was published six months ago (with settime).
	created=$(key_get KEY2 CREATED)
	set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000
	set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000
	# Key lifetime for the ZSK (KEY2) is 1 year, 31536000 seconds.
	active=$(key_get KEY2 ACTIVE)
	set_addkeytime "KEY2" "RETIRED" "${active}" 31536000
	# The key is removed after the retire time plus:
	# TTLsig (RRSIG TTL): 1 day (86400 seconds)
	# Dprp (propagation delay): 5 minutes (300 seconds)
	# retire-safety: 1 hour (3600 seconds)
	# Dsgn (sign delay): 7 days (604800 seconds)
	# Iret: 695100 seconds.
	retired=$(key_get KEY2 RETIRED)
	set_addkeytime "KEY2" "REMOVED" "${retired}" 695100
}

#
# Zone: expired-sigs.autosign.
#
set_zone "expired-sigs.autosign"
set_policy "autosign" "2" "300"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "63072000"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "31536000"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"

# Both KSK and ZSK stay OMNIPRESENT.
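set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# Expect only two keys.
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_autosign_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Verify all signatures have been refreshed: every RRSIG served by $SERVER
# must differ from the one stored in the zone file ${DIR}/${ZONE}.db.
# Globals:  ZONE, SERVER, DIR (read); n, ret, status (written)
# Outputs:  dig.out.$DIR.test$n and rrsig.out.$ZONE.$_qtype per check
check_rrsig_refresh() {
	# Apex.
	_qtypes="DNSKEY SOA NS NSEC"
	for _qtype in $_qtypes
	do
		n=$((n+1))
		echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
		ret=0
		dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
		grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
		grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
		# If this exact RRSIG is also in the zone file it is not refreshed.
		# The captured RRSIG is data, not a pattern, so match it as a fixed
		# string; skip the lookup when nothing was captured, because an
		# empty pattern matches every line and would log a misleading error
		# on top of the missing-RRSIG one already recorded.
		_rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
		if [ -n "$_rrsig" ]; then
			grep -F -- "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
		fi
		test "$ret" -eq 0 || echo_i "failed"
		status=$((status+ret))
	done

	# Below apex.
	_labels="a b c ns3"
	for _label in $_labels
	do
		_qtypes="A NSEC"
		for _qtype in $_qtypes
		do
			n=$((n+1))
			echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
			ret=0
			dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
			grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
			grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
			# Same fixed-string comparison and empty-capture guard as above.
			_rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
			if [ -n "$_rrsig" ]; then
				grep -F -- "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
			fi
			test "$ret" -eq 0 || echo_i "failed"
			status=$((status+ret))
		done
	done
}

check_rrsig_refresh

#
# Zone: fresh-sigs.autosign.
#
set_zone "fresh-sigs.autosign"
set_policy "autosign" "2" "300"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_autosign_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Verify signature reuse: the RRSIG rdata served by $SERVER must still be
# present in the zone file ${DIR}/${ZONE}.db, i.e. the existing signature was
# kept rather than regenerated.
# Globals:  ZONE, SERVER, DIR (read); n, ret, status (written)
# Outputs:  dig.out.$DIR.test$n and rrsig.out.$ZONE.$_qtype per check
check_rrsig_reuse() {
	# Apex.
	_qtypes="NS NSEC"
	for _qtype in $_qtypes
	do
		n=$((n+1))
		echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
		ret=0
		dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
		grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
		grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
		# If this exact RRSIG is also in the zone file it was reused. Only
		# the columns from the fifth onward (the rdata after owner, TTL,
		# class and type in dig's output) are compared. The rdata is matched
		# as a fixed string, and an empty capture is skipped because it would
		# otherwise match every line and mask the missing-RRSIG failure.
		_rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype")
		if [ -n "$_rrsig" ]; then
			grep -F -- "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
		fi
		test "$ret" -eq 0 || echo_i "failed"
		status=$((status+ret))
	done

	# Below apex.
	_labels="a b c ns3"
	for _label in $_labels
	do
		_qtypes="A NSEC"
		for _qtype in $_qtypes
		do
			n=$((n+1))
			echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
			ret=0
			dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
			grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
			grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
			# Same rdata-only fixed-string comparison and guard as above.
			_rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype")
			if [ -n "$_rrsig" ]; then
				grep -F -- "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
			fi
			test "$ret" -eq 0 || echo_i "failed"
			status=$((status+ret))
		done
	done
}

check_rrsig_reuse

#
# Zone: unfresh-sigs.autosign.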
#
set_zone "unfresh-sigs.autosign"
set_policy "autosign" "2" "300"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_autosign_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify
check_rrsig_refresh

#
# Zone: ksk-missing.autosign.
#
set_zone "ksk-missing.autosign"
set_policy "autosign" "2" "300"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
# Skip checking the private file, because it is missing.
key_set "KEY1" "PRIVATE" "no"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Restore the PRIVATE variable.
key_set "KEY1" "PRIVATE" "yes"

#
# Zone: zsk-missing.autosign.
#
set_zone "zsk-missing.autosign"
set_policy "autosign" "2" "300"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
# Skip checking the private file, because it is missing.
key_set "KEY2" "PRIVATE" "no"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# For the apex, we expect the SOA to be signed with the KSK because the ZSK is
# offline. Temporarily treat KEY1 as a zone signing key too.
set_keyrole "KEY1" "csk"
set_zonesigning "KEY1" "yes"
set_zonesigning "KEY2" "no"
check_apex
# Restore the KSK/ZSK split before checking the rest of the zone.
set_keyrole "KEY1" "ksk"
set_zonesigning "KEY1" "no"
set_zonesigning "KEY2" "yes"
check_subdomain
dnssec_verify

# Restore the PRIVATE variable.
key_set "KEY2" "PRIVATE" "yes"

#
# Zone: zsk-retired.autosign.
#
set_zone "zsk-retired.autosign"
set_policy "autosign" "3" "300"
set_server "ns3" "10.53.0.3"
# The third key is not yet expected to be signing.
set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "31536000"
set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "no"
# The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK
# is active.
set_keystate "KEY2" "GOAL" "hidden"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# A new ZSK should be introduced, so expect a key with goal OMNIPRESENT,
# the DNSKEY introduced (RUMOURED) and the signatures HIDDEN.
set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_autosign_policy

# The old ZSK is retired.
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "RETIRED" "${created}"
set_addkeytime "KEY2" "REMOVED" "${created}" 695100
# The new ZSK is immediately published.
created=$(key_get KEY3 CREATED)
set_keytime "KEY3" "PUBLISHED" "${created}"
# And becomes active after Ipub:
# DNSKEY TTL: 300 seconds
# zone-propagation-delay 5 minutes (300 seconds)
# publish-safety: 1 hour (3600 seconds)
# Ipub: 4200 seconds
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "ACTIVE" "${published}" 4200
# Lzsk: 1 year (31536000 seconds)
active=$(key_get KEY3 ACTIVE)
set_addkeytime "KEY3" "RETIRED" "${active}" 31536000
# Iret: 695100 seconds.
retired=$(key_get KEY3 RETIRED)
set_addkeytime "KEY3" "REMOVED" "${retired}" 695100

check_keytimes
check_apex
check_subdomain
dnssec_verify
check_rrsig_refresh

#
# Zone: legacy-keys.kasp.
#
set_zone "legacy-keys.kasp"
# This zone has two active keys and two old keys left in key directory, so
# expect 4 key files.
set_policy "migrate-to-dnssec-policy" "4" "1234"
set_server "ns3" "10.53.0.3"

# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "16070400"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "16070400"
set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
# ZSK: DNSKEY, RRSIG (zsk) published.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
# Two keys only.
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Make sure the correct legacy keys were used (and not the removed predecessor
# keys). The expected base file names were recorded by the setup in
# ns3/legacy-keys.kasp.ksk and ns3/legacy-keys.kasp.zsk.
n=$((n+1))
echo_i "check correct keys were used when migrating zone ${ZONE} to dnssec-policy ($n)"
ret=0
kskfile=$(cat ns3/legacy-keys.kasp.ksk)
basefile=$(key_get KEY1 BASEFILE)
echo_i "filename: $basefile (expect $kskfile)"
test "$DIR/$kskfile" = "$basefile" || ret=1
zskfile=$(cat ns3/legacy-keys.kasp.zsk)
basefile=$(key_get KEY2 BASEFILE)
echo_i "filename: $basefile (expect $zskfile)"
test "$DIR/$zskfile" = "$basefile" || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# KSK times. The expected times derive from the "; Publish:" timestamp in the
# legacy .key file, not from CREATED (created is assigned but not read here).
created=$(key_get KEY1 CREATED)
keyfile=$(key_get KEY1 BASEFILE)
grep "; Publish:" "${keyfile}.key" > published.test${n}.key1
published=$(awk '{print $3}' < published.test${n}.key1)
set_keytime "KEY1" "PUBLISHED" "${published}"
set_keytime "KEY1" "ACTIVE" "${published}"
published=$(key_get KEY1 PUBLISHED)
# The DS can be published if the DNSKEY and RRSIG records are OMNIPRESENT.
# This happens after max-zone-ttl (1d) plus publish-safety (1h) plus
# zone-propagation-delay (300s) = 86400 + 3600 + 300 = 90300.
set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
# Key lifetime is 6 months, 16070400 seconds.
set_addkeytime "KEY1" "RETIRED" "${published}" 16070400
# The key is removed after the retire time plus DS TTL (1d), parent
# propagation delay (1h), and retire safety (1h) = 86400 + 3600 + 3600 = 93600.
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" 93600

# ZSK times. Same derivation from the legacy .key file's "; Publish:" line.
created=$(key_get KEY2 CREATED)
keyfile=$(key_get KEY2 BASEFILE)
grep "; Publish:" "${keyfile}.key" > published.test${n}.key2
published=$(awk '{print $3}' < published.test${n}.key2)
set_keytime "KEY2" "PUBLISHED" "${published}"
set_keytime "KEY2" "ACTIVE" "${published}"
published=$(key_get KEY2 PUBLISHED)
# Key lifetime is 6 months, 16070400 seconds.
set_addkeytime "KEY2" "RETIRED" "${published}" 16070400
# The key is removed after the retire time plus max zone ttl (1d), zone
# propagation delay (300s), retire safety (1h), and sign delay (signature
# validity minus refresh, 9d) = 86400 + 300 + 3600 + 777600 = 867900.
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" 867900

check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Test dnssec-policy inheritance.
#
# Each zone below is queried with the TSIG key set in $TSIG; dig_with_opts
# signs the query with it when $TSIG is non-empty and sends an unsigned query
# otherwise.

# These zones should be unsigned:
# ns2/unsigned.tld
# ns4/none.inherit.signed
# ns4/none.override.signed
# ns4/inherit.none.signed
# ns4/none.none.signed
# ns5/inherit.inherit.unsigned
# ns5/none.inherit.unsigned
# ns5/none.override.unsigned
# ns5/inherit.none.unsigned
# ns5/none.none.unsigned
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

set_zone "unsigned.tld"
set_policy "none" "0" "0"
set_server "ns2" "10.53.0.2"
TSIG=""
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

set_zone "none.inherit.signed"
set_policy "none" "0" "0"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

set_zone "none.override.signed"
set_policy "none" "0" "0"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

set_zone "inherit.none.signed"
set_policy "none" "0" "0"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

set_zone "none.none.signed"
set_policy "none" "0" "0"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

set_zone "inherit.inherit.unsigned"
set_policy "none" "0" "0"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

set_zone "none.inherit.unsigned"
set_policy "none" "0" "0"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

set_zone "none.override.unsigned"
set_policy "none" "0" "0"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

set_zone "inherit.none.unsigned"
set_policy "none" "0" "0"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

set_zone "none.none.unsigned"
set_policy "none" "0" "0"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

# These zones should be signed with the default policy:
# ns2/signed.tld
# ns4/override.inherit.signed
# ns4/inherit.override.signed
# ns5/override.inherit.unsigned
# ns5/inherit.override.unsigned
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"

set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"

set_zone "signed.tld"
set_policy "default" "1" "3600"
set_server "ns2" "10.53.0.2"
TSIG=""
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.inherit.signed"
set_policy "default" "1" "3600"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "inherit.override.signed"
set_policy "default" "1" "3600"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.inherit.unsigned"
set_policy "default" "1" "3600"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "inherit.override.unsigned"
set_policy "default" "1" "3600"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# These zones should be signed with the test policy:
# ns4/inherit.inherit.signed
# ns4/override.override.signed
# ns4/override.none.signed
# ns5/override.override.unsigned
# ns5/override.none.unsigned
# ns4/example.net (both views)
# Key states are unchanged from the default-policy block above; only the
# algorithm differs.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"

set_zone "inherit.inherit.signed"
set_policy "test" "1" "3600"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.override.signed"
set_policy "test" "1" "3600"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.none.signed"
set_policy "test" "1" "3600"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.override.unsigned"
set_policy "test" "1" "3600"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

set_zone "override.none.unsigned"
set_policy "test" "1" "3600"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_csk_policy
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Test with views. The policy ("test") and key expectations carry over from
# the previous zone; each view is selected by a different TSIG key.
set_zone "example.net"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:keyforview1:$VIEW1"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example1"
set_keytimes_csk_policy
check_keytimes
check_apex
dnssec_verify
n=$((n+1))
# check subdomain
echo_i "check TXT example.net (view example1) rrset is signed correctly ($n)"
ret=0
dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view1" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

TSIG="hmac-sha1:keyforview2:$VIEW2"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
check_apex
dnssec_verify
n=$((n+1))
# check subdomain
echo_i "check TXT example.net (view example2) rrset is signed correctly ($n)"
ret=0
dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# The third key reaches the in-view copy of example2, so the same "view2" TXT
# content and the example2 dnssec status are expected.
TSIG="hmac-sha1:keyforview3:$VIEW3"
wait_for_nsec
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
check_apex
dnssec_verify
n=$((n+1))
# check subdomain
echo_i "check TXT example.net (in-view example2) rrset is signed correctly ($n)"
ret=0
dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

# Clear TSIG.
TSIG=""

#
# Testing RFC 8901 Multi-Signer Model 2.
#
set_zone "multisigner-model2.kasp"
set_policy "multisigner-model2" "2" "3600"
set_server "ns3" "10.53.0.3"
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Key properties.
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"

set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Check that the ZSKs from the other provider are published.
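#######################################
# Query the DNSKEY RRset of $ZONE on $SERVER and verify that it holds
# three ZSKs (flags 256) and one KSK (flags 257) of algorithm 13.
# Globals:   ZONE, SERVER, DIR, n (read)
# Outputs:   writes the dig output to dig.out.$DIR.test$n
# Returns:   0 when the expected counts are seen, 1 otherwise (dig failure
#            or any other count).  Intended to be polled with retry_quiet
#            until the nsupdate below has been applied.
#######################################
zsks_are_published() {
  dig_with_opts +short "$ZONE" "@${SERVER}" DNSKEY > "dig.out.$DIR.test$n" || return 1
  # We should have three ZSKs: the policy's own one plus the ones added
  # from ${ZONE}.zsk2 (presumably two records - verify against the fixture).
  # The algorithm is pinned to 13 here; keep it in sync with that file.
  _lines=$(grep -c "256 3 13" "dig.out.$DIR.test$n")
  test "$_lines" -eq 3 || return 1
  # And one KSK.
  _lines=$(grep -c "257 3 13" "dig.out.$DIR.test$n")
  test "$_lines" -eq 1 || return 1
}

n=$((n+1))
echo_i "update zone with ZSK from another provider for zone ${ZONE} ($n)"
ret=0
# Feed a dynamic update to ns3 that adds the foreign ZSK record(s) stored
# in ${DIR}/${ZONE}.zsk2.  Each line of the file becomes one RR of the
# "update add" command, so the command substitution must stay unquoted.
(
  echo zone "${ZONE}"
  echo server 10.53.0.3 "$PORT"
  # shellcheck disable=SC2046
  echo update add $(cat "${DIR}/${ZONE}.zsk2")
  echo send
) | $NSUPDATE || log_error "nsupdate of ${ZONE} failed"
retry_quiet 10 zsks_are_published || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# Testing manual rollover.
#
set_zone "manual-rollover.kasp"
set_policy "manual-rollover" "2" "3600"
set_server "ns3" "10.53.0.3"
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"
# Key properties.  Lifetime 0 means the keys never retire on their own,
# so rollovers in this section are only ever triggered manually via rndc.
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# During set up everything was set to OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# The first keys were published and activated a day ago.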
# Expected key times are expressed relative to the CREATED time of each
# key; a negative offset places the event in the past.
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -86400
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400
set_addkeytime "KEY1" "ACTIVE" "${created}" -86400
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -86400
set_addkeytime "KEY2" "ACTIVE" "${created}" -86400
# Key lifetimes are unlimited, so not setting RETIRED and REMOVED.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Schedule KSK rollover in six months (15552000 seconds).
active=$(key_get KEY1 ACTIVE)
set_addkeytime "KEY1" "RETIRED" "${active}" 15552000
retired=$(key_get KEY1 RETIRED)
rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${retired}" "$ZONE"
# Rollover starts in six months, but lifetime is set to six months plus
# prepublication duration = 15552000 + 7500 = 15559500 seconds.
set_keylifetime "KEY1" "15559500"
set_addkeytime "KEY1" "RETIRED" "${active}" 15559500
retired=$(key_get KEY1 RETIRED)
# Retire interval of this policy is 26h (93600 seconds).
set_addkeytime "KEY1" "REMOVED" "${retired}" 93600

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Schedule KSK rollover now.
set_policy "manual-rollover" "3" "3600"
set_keystate "KEY1" "GOAL" "hidden"
# This key was activated one day ago, so lifetime is set to 1d plus
# prepublication duration (7500 seconds) = 93900 seconds.
set_keylifetime "KEY1" "93900"
created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "RETIRED" "${created}"
rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "$ZONE"
# New key is introduced.
# Algorithm and size are spelled out here rather than taken from the
# DEFAULT_* variables; the policy is expected to generate this exact key.
set_keyrole "KEY3" "ksk"
set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY3" "yes"
set_zonesigning "KEY3" "no"

set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
set_keystate "KEY3" "STATE_DS" "hidden"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Schedule ZSK rollover now.
set_policy "manual-rollover" "4" "3600"
set_keystate "KEY2" "GOAL" "hidden"
# This key was activated one day ago, so lifetime is set to 1d plus
# prepublication duration (7500 seconds) = 93900 seconds.
set_keylifetime "KEY2" "93900"
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "RETIRED" "${created}"
rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE"
# New key is introduced.
set_keyrole "KEY4" "zsk"
set_keylifetime "KEY4" "0"
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY4" "no"
set_zonesigning "KEY4" "no" # not yet, first prepublish DNSKEY.

set_keystate "KEY4" "GOAL" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
set_keystate "KEY4" "STATE_ZRRSIG" "hidden"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Try to schedule a ZSK rollover for an inactive key (should fail).
# KEY4 is only prepublished (not zone signing), so rndc must refuse with
# the "not actively signing" message; the rndc exit status itself is not
# checked, only the text of its reply.
n=$((n+1))
echo_i "check that rndc dnssec -rollover fails if key is inactive ($n)"
ret=0
rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" > rndc.dnssec.rollover.out.$ZONE.$n
grep "key is not actively signing" rndc.dnssec.rollover.out.$ZONE.$n > /dev/null || log_error "bad error message"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

#
# Testing DNSSEC introduction.
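#

#
# Zone: step1.enable-dnssec.autosign.
#
set_zone "step1.enable-dnssec.autosign"
set_policy "enable-dnssec" "1" "300"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# The DNSKEY and signatures are introduced first, the DS remains hidden.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "hidden"
# This policy lists only one key (CSK).
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The first key is immediately published and activated.
created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "PUBLISHED" "${created}"
set_keytime "KEY1" "ACTIVE" "${created}"
# - The DS can be published if the DNSKEY and RRSIG records are
#   OMNIPRESENT.  This happens after max-zone-ttl (12h) plus
#   publish-safety (5m) plus zone-propagation-delay (5m) =
#   43200 + 300 + 300 = 43800.
#   NOTE(review): step3 below expects SYNCPUBLISH 44700 seconds after
#   PUBLISHED; confirm that check_keytimes tolerates the 900 s difference.
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
# - Key lifetime is unlimited, so not setting RETIRED and REMOVED.

# Various signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

#######################################
# Check that the latest "next key event" log line named wrote for $ZONE
# is within next_key_event_threshold seconds of the expected value.
# Globals:   ZONE, DIR, DYNAMIC, n, next_key_event_threshold (read)
# Arguments: $1 - expected number of seconds until the next key event
# Outputs:   writes the matching named.run lines to keyevent.out.$ZONE.test$n
# Returns:   0 if the latest event time is within the threshold, 1 otherwise
#            (no matching log line, empty field, or out of range)
#######################################
_check_next_key_event() {
  _expect=$1

  grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" > "keyevent.out.$ZONE.test$n" || return 1

  # Get the latest next key event.  The awk field index depends on the log
  # layout: an inline-signing zone adds a "(signed)" token, which shifts
  # the seconds value one field to the right.
  if [ "${DYNAMIC}" = "yes" ]; then
    _time=$(awk '{print $9}' < "keyevent.out.$ZONE.test$n" | tail -1)
  else
    # inline-signing zone adds "(signed)"
    _time=$(awk '{print $10}' < "keyevent.out.$ZONE.test$n" | tail -1)
  fi
  # An empty field (unexpected log layout) would make the integer tests
  # below print an error; treat it as "event not seen yet".
  test -n "$_time" || return 1

  # The next key event time must be within the threshold of the
  # expected time.
  _expectmin=$((_expect-next_key_event_threshold))
  _expectmax=$((_expect+next_key_event_threshold))

  test "$_expectmin" -le "$_time" || return 1
  test "$_expectmax" -ge "$_time" || return 1

  return 0
}

#######################################
# Test wrapper around _check_next_key_event: bumps the test counter, polls
# the log via retry_quiet and records the outcome in ret/status like the
# other tests in this file.
# Globals:   ZONE, n, ret, status (read and written)
# Arguments: $1 - expected number of seconds until the next key event
#######################################
check_next_key_event() {
  n=$((n+1))
  echo_i "check next key event for zone ${ZONE} ($n)"
  ret=0

  # Report the expectation from our own argument rather than from the
  # _expect variable set inside _check_next_key_event; the latter is only
  # visible here if retry_quiet runs the command in the current shell.
  retry_quiet 3 _check_next_key_event "$1" || log_error "bad next key event time for zone ${ZONE} (expect $1)"
  test "$ret" -eq 0 || echo_i "failed"
  status=$((status+ret))
}

# Next key event is when the DNSKEY RRset becomes OMNIPRESENT: DNSKEY TTL plus
# publish safety plus the zone propagation delay: 900 seconds.
check_next_key_event 900

#
# Zone: step2.enable-dnssec.autosign.
#
set_zone "step2.enable-dnssec.autosign"
set_policy "enable-dnssec" "1" "300"
set_server "ns3" "10.53.0.3"
# The DNSKEY is omnipresent, but the zone signatures not yet.
# Thus, the DS remains hidden.
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The key was published and activated 900 seconds ago (with settime).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -900
set_addkeytime "KEY1" "ACTIVE" "${created}" -900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800

# Continue signing policy checks.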
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the zone signatures become OMNIPRESENT: max-zone-ttl
# plus zone propagation delay plus retire safety minus the already elapsed
# 900 seconds: 12h + 300s + 20m - 900 = 44700 - 900 = 43800 seconds
check_next_key_event 43800

#
# Zone: step3.enable-dnssec.autosign.
#
set_zone "step3.enable-dnssec.autosign"
set_policy "enable-dnssec" "1" "300"
set_server "ns3" "10.53.0.3"
# All signatures should be omnipresent, so the DS can be submitted.
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "rumoured"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The key was published and activated 44700 seconds ago (with settime).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700
set_addkeytime "KEY1" "ACTIVE" "${created}" -44700
# - The CDS is published now.
set_keytime "KEY1" "SYNCPUBLISH" "${created}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify
# Check that CDS publication is logged.
check_cdslog "$DIR" "$ZONE" KEY1

# The DS can be introduced. We ignore any parent registration delay, so set
# the DS publish time to now.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "published" "$ZONE"
# Next key event is when the DS can move to the OMNIPRESENT state. This occurs
# when the parent propagation delay has passed, plus the DS TTL and retire
# safety delay: 1h + 2h + 20m = 3h20m = 12000 seconds
check_next_key_event 12000

#
# Zone: step4.enable-dnssec.autosign.
#
set_zone "step4.enable-dnssec.autosign"
set_policy "enable-dnssec" "1" "300"
set_server "ns3" "10.53.0.3"
# The DS is omnipresent.
set_keystate "KEY1" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The key was published and activated 56700 seconds ago (with settime),
#   i.e. 44700 seconds (step3) plus the 12000 seconds DS interval.
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -56700
set_addkeytime "KEY1" "ACTIVE" "${created}" -56700
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -12000

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is never, the zone dnssec-policy has been established. So we
# fall back to the default loadkeys interval.
check_next_key_event 3600

#
# Testing ZSK Pre-Publication rollover.
#

# Policy parameters.  These globals are read by rollover_predecessor_keytimes
# and set_retired_removed below, and are reassigned per rollover scenario.
# Lksk: 2 years (63072000 seconds)
# Lzsk: 30 days (2592000 seconds)
# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (2d)
# Iret(KSK): 3d1h (262800 seconds)
# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d)
# Iret(ZSK): 10d1h (867600 seconds)
Lksk=63072000
Lzsk=2592000
IretKSK=262800
IretZSK=867600

#
# Zone: step1.zsk-prepub.autosign.
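#
set_zone "step1.zsk-prepub.autosign"
set_policy "zsk-prepub" "2" "3600"
set_server "ns3" "10.53.0.3"

#######################################
# Set the expected RETIRED and REMOVED times of a key from its ACTIVE time:
# RETIRED = ACTIVE + lifetime, REMOVED = RETIRED + retire interval.
# Arguments: $1 - key label (KEY1..KEY4)
#            $2 - key lifetime in seconds
#            $3 - retire interval (Iret) in seconds
#######################################
set_retired_removed() {
  _Lkey=$2
  _Iret=$3

  _active=$(key_get "$1" ACTIVE)
  set_addkeytime "$1" "RETIRED" "${_active}" "${_Lkey}"
  _retired=$(key_get "$1" RETIRED)
  set_addkeytime "$1" "REMOVED" "${_retired}" "${_Iret}"
}

#######################################
# Set the expected key times of the predecessor KSK (KEY1) and ZSK (KEY2)
# relative to their CREATED time.  RETIRED/REMOVED are only set when the
# corresponding lifetime is non-zero (0 means an unlimited lifetime).
# Globals:   Lksk, Lzsk, IretKSK, IretZSK (read)
# Arguments: $1 - offset in seconds added to CREATED (negative = in the past)
#######################################
rollover_predecessor_keytimes() {
  _addtime=$1

  _created=$(key_get KEY1 CREATED)
  set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
  set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
  set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
  [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"

  _created=$(key_get KEY2 CREATED)
  set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
  set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
  [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
}

# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "${Lksk}"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "${Lzsk}"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# Initially only two keys.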
key_clear "KEY3"
key_clear "KEY4"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor ZSK needs to be published. That is
# the ZSK lifetime - prepublication time. The prepublication time is DNSKEY
# TTL plus publish safety plus the zone propagation delay. For the
# zsk-prepub policy that means: 30d - (3600s + 1d + 1h) = 2498400 seconds.
check_next_key_event 2498400

#
# Zone: step2.zsk-prepub.autosign.
#
set_zone "step2.zsk-prepub.autosign"
set_policy "zsk-prepub" "3" "3600"
set_server "ns3" "10.53.0.3"
# New ZSK (KEY3) is prepublished, but not yet signing.
key_clear "KEY3"
set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "${Lzsk}"
set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "no"
# Key states.
set_keystate "KEY2" "GOAL" "hidden"
set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated 694 hours ago (2498400 seconds).
rollover_predecessor_keytimes -2498400
# - The new ZSK is published now.
created=$(key_get KEY3 CREATED)
set_keytime "KEY3" "PUBLISHED" "${created}"
# - The new ZSK becomes active when the DNSKEY is OMNIPRESENT.
#   Ipub: TTLkey (1h) + Dprp (1h) + publish-safety (1d)
#   Ipub: 26 hour (93600 seconds).
#   IpubZSK is reused by the later zsk-prepub steps.
IpubZSK=93600
set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubZSK}"
set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor ZSK becomes OMNIPRESENT. That is the
# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
# the zsk-prepub policy, this means: 3600s + 1h + 1d = 93600 seconds.
check_next_key_event 93600

#
# Zone: step3.zsk-prepub.autosign.
#
set_zone "step3.zsk-prepub.autosign"
set_policy "zsk-prepub" "3" "3600"
set_server "ns3" "10.53.0.3"
# ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE.
# New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
set_zonesigning "KEY2" "no"
set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
set_zonesigning "KEY3" "yes"
set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys are activated 30 days ago (2592000 seconds).
rollover_predecessor_keytimes -2592000
# - The new ZSK is published 26 hours ago (93600 seconds).
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600
# - The new ZSK becomes active now.
set_keytime "KEY3" "ACTIVE" "${created}"
set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"

# Continue signing policy checks.
check_keytimes
check_apex
# Subdomain still has good signatures of ZSK (KEY2).
# Set expected zone signing on for KEY2 and off for KEY3,
# testing whether signatures which are still valid are being reused.
set_zonesigning "KEY2" "yes"
set_zonesigning "KEY3" "no"
check_subdomain
# Restore the expected zone signing properties.
set_zonesigning "KEY2" "no"
set_zonesigning "KEY3" "yes"
dnssec_verify

# Next key event is when all the RRSIG records have been replaced with
# signatures of the new ZSK, in other words when ZRRSIG becomes OMNIPRESENT.
# That is Dsgn plus the maximum zone TTL plus the zone propagation delay plus
# retire-safety. For the zsk-prepub policy that means: 1w (because 2w validity
# and refresh within a week) + 1d + 1h + 2d = 10d1h = 867600 seconds.
check_next_key_event 867600

#
# Zone: step4.zsk-prepub.autosign.
#
set_zone "step4.zsk-prepub.autosign"
set_policy "zsk-prepub" "3" "3600"
set_server "ns3" "10.53.0.3"
# ZSK (KEY2) DNSKEY is no longer needed.
# ZSK (KEY3) is now actively signing, RRSIG state in OMNIPRESENT.
set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
set_keystate "KEY3" "STATE_ZRRSIG" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys are activated 961 hours ago (3459600 seconds).
rollover_predecessor_keytimes -3459600
# - The new ZSK is published 267 hours ago (961200 seconds).
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -961200
# - ACTIVE is derived from PUBLISHED plus Ipub, not from CREATED.
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}"
set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DNSKEY enters the HIDDEN state. This is the
# DNSKEY TTL plus zone propagation delay. For the zsk-prepub policy this is:
# 3600s + 1h = 7200s
check_next_key_event 7200

#
# Zone: step5.zsk-prepub.autosign.
#
set_zone "step5.zsk-prepub.autosign"
set_policy "zsk-prepub" "3" "3600"
set_server "ns3" "10.53.0.3"
# ZSK (KEY2) DNSKEY is now completely HIDDEN and removed.
set_keystate "KEY2" "STATE_DNSKEY" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys are activated 962 hours ago (3463200 seconds).
rollover_predecessor_keytimes -3463200
# - The new ZSK is published 268 hours ago (964800 seconds).
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -964800
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}"
set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the new successor needs to be published. This is the
# ZSK lifetime minus Iret minus Ipub minus DNSKEY TTL. For the zsk-prepub
# policy this is: 30d - 867600s - 93600s - 3600s = 1627200 seconds.
check_next_key_event 1627200

#
# Zone: step6.zsk-prepub.autosign.
#
set_zone "step6.zsk-prepub.autosign"
set_policy "zsk-prepub" "2" "3600"
set_server "ns3" "10.53.0.3"
# ZSK (KEY2) DNSKEY is purged, so the policy is back to two keys.
key_clear "KEY2"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

#
# Testing KSK Double-KSK rollover.
#

# Policy parameters.
# Lksk: 60 days (5184000 seconds)
# Lzsk: 1 year (31536000 seconds)
# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2d)
# Iret(KSK): 50h (180000 seconds)
# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d)
# Iret(ZSK): 10d1h (867600 seconds)
Lksk=5184000
Lzsk=31536000
IretKSK=180000
IretZSK=867600

#
# Zone: step1.ksk-doubleksk.autosign.
#
set_zone "step1.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "2" "7200"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "${Lksk}"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "${Lzsk}"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# Initially only two keys.
key_clear "KEY3"
key_clear "KEY4"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor KSK needs to be published. That is
# the KSK lifetime - prepublication time. The prepublication time is
# DNSKEY TTL plus publish safety plus the zone propagation delay.
# For the ksk-doubleksk policy that means: 60d - (1d3h) = 5086800 seconds.
check_next_key_event 5086800

#
# Zone: step2.ksk-doubleksk.autosign.
#
set_zone "step2.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "3" "7200"
set_server "ns3" "10.53.0.3"
# New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
key_clear "KEY3"
set_keyrole "KEY3" "ksk"
set_keylifetime "KEY3" "${Lksk}"
set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY3" "yes"
set_zonesigning "KEY3" "no"
# Key states.
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
set_keystate "KEY3" "STATE_DS" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated 1413 hours ago (5086800 seconds).
rollover_predecessor_keytimes -5086800
# - The new KSK is published now.
created=$(key_get KEY3 CREATED)
set_keytime "KEY3" "PUBLISHED" "${created}"
# The new KSK should publish the CDS after the prepublication time.
# TTLkey: 2h
# DprpC: 1h
# publish-safety: 1d
# IpubC: 27h (97200 seconds)
# IpubC is reused by the later ksk-doubleksk steps.
IpubC=97200
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${IpubC}"
set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubC}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor KSK becomes OMNIPRESENT. That is the
# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
# the ksk-doubleksk policy, this means: 7200s + 1h + 1d = 97200 seconds.
check_next_key_event 97200

#
# Zone: step3.ksk-doubleksk.autosign.
#
set_zone "step3.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "3" "7200"
set_server "ns3" "10.53.0.3"

# The DNSKEY RRset has become omnipresent.
# Check keys before we tell named that we saw the DS has been replaced.
set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
# The old DS (KEY1) can be withdrawn and the new DS (KEY3) can be introduced.
set_keystate "KEY1" "STATE_DS" "unretentive"
set_keystate "KEY3" "STATE_DS" "rumoured"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Check that CDS publication is logged.
check_cdslog "$DIR" "$ZONE" KEY3

# Set expected key times:
# - The old keys were activated 60 days ago (5184000 seconds).
rollover_predecessor_keytimes -5184000
# - The new KSK is published 27 hours ago (97200 seconds).
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200
# - The new KSK CDS is published now, and the key becomes active at the
#   same time.
set_keytime "KEY3" "SYNCPUBLISH" "${created}"
syncpub=$(key_get KEY3 SYNCPUBLISH)
set_keytime "KEY3" "ACTIVE" "${syncpub}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# We ignore any parent registration delay, so set the DS publish time to now.
# The old DS is marked withdrawn and the new one published in one go.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
# Next key event is when the predecessor DS has been replaced with the
# successor DS and enough time has passed such that all validators that
# have this DS RRset cached only know about the successor DS. This is the
# retire interval, which is the parent propagation delay plus the DS TTL
# plus the retire-safety. For the ksk-doubleksk policy this means:
# 1h + 3600s + 2d = 2d2h = 180000 seconds.
check_next_key_event 180000

#
# Zone: step4.ksk-doubleksk.autosign.
#
set_zone "step4.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "3" "7200"
set_server "ns3" "10.53.0.3"
# KSK (KEY1) DNSKEY can be removed.
set_keysigning "KEY1" "no"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keystate "KEY1" "STATE_DS" "hidden"
# New KSK (KEY3) DS is now OMNIPRESENT.
set_keystate "KEY3" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated 1490 hours ago (5364000 seconds).
rollover_predecessor_keytimes -5364000
# - The new KSK is published 77 hours ago (277200 seconds).
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -277200
# - SYNCPUBLISH and ACTIVE are derived from PUBLISHED plus IpubC.
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}"
syncpub=$(key_get KEY3 SYNCPUBLISH)
set_keytime "KEY3" "ACTIVE" "${syncpub}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DNSKEY enters the HIDDEN state. This is the
# DNSKEY TTL plus zone propagation delay. For the ksk-doubleksk policy this is:
# 7200s + 1h = 10800s
check_next_key_event 10800

#
# Zone: step5.ksk-doubleksk.autosign.
#
set_zone "step5.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "3" "7200"
set_server "ns3" "10.53.0.3"
# KSK (KEY1) DNSKEY is now HIDDEN.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
set_keystate "KEY1" "STATE_KRRSIG" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old KSK is activated 1492 hours ago (5371200 seconds).
rollover_predecessor_keytimes -5371200
# - The new KSK is published 79 hours ago (284400 seconds).
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -284400
# - SYNCPUBLISH and ACTIVE are derived from PUBLISHED plus IpubC.
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}"
syncpub=$(key_get KEY3 SYNCPUBLISH)
set_keytime "KEY3" "ACTIVE" "${syncpub}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"

# Various signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the new successor needs to be published. This is the
# KSK lifetime minus Ipub minus Iret minus DNSKEY TTL. For the
# ksk-doubleksk policy this is: 60d - 1d3h - 2d2h - 2h =
# 5184000 - 97200 - 180000 - 7200 = 4899600 seconds.
check_next_key_event 4899600

#
# Zone: step6.ksk-doubleksk.autosign.
#
set_zone "step6.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "2" "7200"
set_server "ns3" "10.53.0.3"
# KSK (KEY1) DNSKEY is purged, so the policy is back to two keys.
key_clear "KEY1"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

#
# Testing CSK key rollover (1).
#

# Policy parameters.
# Lcsk: 186 days (16070400 seconds)
# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2h)
# Iret(KSK): 4h (14400 seconds)
# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (25d) + retire-safety (2h)
# Iret(ZSK): 26d3h (2257200 seconds)
Lcsk=16070400
IretKSK=14400
IretZSK=2257200
# A CSK is removed only once both its KSK and ZSK roles are done, so the
# longer (ZSK) retire interval applies.
IretCSK=$IretZSK

#######################################
# Set the expected key times of the predecessor CSK (KEY1) relative to
# its CREATED time.  RETIRED/REMOVED are only set when Lcsk is non-zero
# (0 means an unlimited lifetime).
# Globals:   Lcsk, IretCSK (read)
# Arguments: $1 - offset in seconds added to CREATED (negative = in the past)
#######################################
csk_rollover_predecessor_keytimes() {
  _addtime=$1

  _created=$(key_get KEY1 CREATED)
  set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
  set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
  set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
  [ "$Lcsk" = 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}"
}

#
# Zone: step1.csk-roll.autosign.
#
set_zone "step1.csk-roll.autosign"
set_policy "csk-roll" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "${Lcsk}"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# The CSK (KEY1) starts in OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
# Initially only one key.
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# This key is immediately published and activated.
csk_rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor CSK needs to be published.
# This is Lcsk - Ipub - Dreg (the registration delay Dreg is ignored here).
# Lcsk: 186d (16070400 seconds)
# Ipub: 3h (10800 seconds)
check_next_key_event 16059600

#
# Zone: step2.csk-roll.autosign.
#
set_zone "step2.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
key_clear "KEY2"
set_keyrole "KEY2" "csk"
set_keylifetime "KEY2" "16070400"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "yes"
set_zonesigning "KEY2" "no"
# Key states.
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
set_keystate "KEY2" "STATE_DS" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4461 hours ago (16059600 seconds).
csk_rollover_predecessor_keytimes -16059600
# - The new CSK is published now.
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "PUBLISHED" "${created}"
# - The new CSK should publish the CDS after the prepublication time.
# Ipub: 3 hour (10800 seconds)
Ipub="10800"
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor CSK becomes OMNIPRESENT. That is the
# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
# the csk-roll policy, this means 3 hours = 10800 seconds.
check_next_key_event 10800

#
# Zone: step3.csk-roll.autosign.
#
set_zone "step3.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# Swap zone signing role.
set_zonesigning "KEY1" "no"
set_zonesigning "KEY2" "yes"
# CSK (KEY1) will be removed, so moving to UNRETENTIVE.
set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
# New CSK (KEY2) DNSKEY is OMNIPRESENT, so moving ZRRSIG to RUMOURED.
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
set_keystate "KEY1" "STATE_DS" "unretentive"
set_keystate "KEY2" "STATE_DS" "rumoured"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Check that CDS publication is logged.
check_cdslog "$DIR" "$ZONE" KEY2

# Set expected key times:
# - This key was activated 186 days ago (16070400 seconds).
csk_rollover_predecessor_keytimes -16070400
# - The new CSK is published three hours ago, CDS must be published now.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}"
set_keytime "KEY2" "SYNCPUBLISH" "${created}"
# - Also signatures are being introduced now.
set_keytime "KEY2" "ACTIVE" "${created}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
# Subdomain still has good signatures of old CSK (KEY1).
# Set expected zone signing on for KEY1 and off for KEY2,
# testing whether signatures which are still valid are being reused.
set_zonesigning "KEY1" "yes"
set_zonesigning "KEY2" "no"
check_subdomain
# Restore the expected zone signing properties.
set_zonesigning "KEY1" "no"
set_zonesigning "KEY2" "yes"
dnssec_verify

# We ignore any parent registration delay, so set the DS publish time to now.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
# Next key event is when the predecessor DS has been replaced with the
# successor DS and enough time has passed such that all validators that
# have this DS RRset cached only know about the successor DS. This is the
# retire interval, which is the parent propagation delay plus the DS TTL
# plus the retire-safety. For the csk-roll policy this means:
# 1h + 1h + 2h = 4h = 14400 seconds.
check_next_key_event 14400

#
# Zone: step4.csk-roll.autosign.
#
set_zone "step4.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) is no longer signing the DNSKEY RRset.
set_keysigning "KEY1" "no"
# The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public
# but can remove the KRRSIG records.
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keystate "KEY1" "STATE_DS" "hidden"
# The new CSK (KEY2) DS is now OMNIPRESENT.
set_keystate "KEY2" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4468 hours ago (16084800 seconds).
csk_rollover_predecessor_keytimes -16084800
# - The new CSK started signing 4h ago (14400 seconds).
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "ACTIVE" "${created}" -14400
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -14400
syncpub=$(key_get KEY2 SYNCPUBLISH)
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the KRRSIG enters the HIDDEN state. This is the
# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is:
# 1h + 1h = 7200 seconds.
check_next_key_event 7200

#
# Zone: step5.csk-roll.autosign.
#
set_zone "step5.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) KRRSIG records are now all hidden.
set_keystate "KEY1" "STATE_KRRSIG" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4470 hours ago (16092000 seconds).
csk_rollover_predecessor_keytimes -16092000
# - The new CSK started signing 6h ago (21600 seconds).
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "ACTIVE" "${created}" -21600
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -21600
syncpub=$(key_get KEY2 SYNCPUBLISH)
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DNSKEY can be removed. This is when all ZRRSIG
# records have been replaced with signatures of the new CSK. We have
# calculated the interval to be 26d3h of which 4h (Iret(KSK)) plus
# 2h (DNSKEY TTL + Dprp) have already passed. So next key event is in
# 26d3h - 4h - 2h = 621h = 2235600 seconds.
check_next_key_event 2235600

#
# Zone: step6.csk-roll.autosign.
#
set_zone "step6.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) ZRRSIG records are now all hidden (so the DNSKEY can
# be removed).
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
# The new CSK (KEY2) is now fully OMNIPRESENT.
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 5091 hours ago (18327600 seconds).
csk_rollover_predecessor_keytimes -18327600
# - The new CSK is activated 627 hours ago (2257200 seconds).
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2257200
syncpub=$(key_get KEY2 SYNCPUBLISH)
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DNSKEY enters the HIDDEN state. This is the
# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is:
# 1h + 1h = 7200 seconds.
check_next_key_event 7200

#
# Zone: step7.csk-roll.autosign.
#
set_zone "step7.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) is now completely HIDDEN.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 5093 hours ago (18334800 seconds).
csk_rollover_predecessor_keytimes -18334800
# - The new CSK is activated 629 hours ago (2264400 seconds).
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2264400
syncpub=$(key_get KEY2 SYNCPUBLISH)
set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the new successor needs to be published.
# This is the Lcsk, minus time passed since the key started signing,
# minus the prepublication time.
# Lcsk: 186d (16070400 seconds)
# Time passed: 629h (2264400 seconds)
# Ipub: 3h (10800 seconds)
# 16070400 - 2264400 - 10800 = 13795200 seconds.
check_next_key_event 13795200

#
# Zone: step8.csk-roll.autosign.
#
set_zone "step8.csk-roll.autosign"
set_policy "csk-roll" "1" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) is purged.
key_clear "KEY1"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

#
# Testing CSK key rollover (2).
#

# Policy parameters.
# Lcsk: 186 days (16070400 seconds)
# Dreg: N/A
# Iret(KSK): DS TTL (1h) + DprpP (1w) + retire-safety (1h)
# Iret(KSK): 170h (612000 seconds)
# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (12h) + retire-safety (1h)
# Iret(ZSK): 38h (136800 seconds)
Lcsk=16070400
IretKSK=612000
IretZSK=136800
# With the long parent propagation delay the KSK interval is the slower one.
IretCSK=$IretKSK

#
# Zone: step1.csk-roll2.autosign.
#
set_zone "step1.csk-roll2.autosign"
set_policy "csk-roll2" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "16070400"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# The CSK (KEY1) starts in OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
# Initially only one key.
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# This key is immediately published and activated.
csk_rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor CSK needs to be published.
# This is Lcsk - Ipub.
# Lcsk: 186d (16070400 seconds)
# Ipub: 3h (10800 seconds)
# Total: 185d21h (16059600 seconds)
check_next_key_event 16059600

#
# Zone: step2.csk-roll2.autosign.
#
set_zone "step2.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
key_clear "KEY2"
set_keyrole "KEY2" "csk"
set_keylifetime "KEY2" "16070400"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "yes"
set_zonesigning "KEY2" "no"
# Key states.
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
set_keystate "KEY2" "STATE_DS" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4461 hours ago (16059600 seconds).
csk_rollover_predecessor_keytimes -16059600
# - The new CSK is published now.
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "PUBLISHED" "${created}"
# - The new CSK should publish the CDS after the prepublication time.
# - Ipub: 3 hour (10800 seconds)
Ipub="10800"
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
# NOTE(review): unlike every other step, check_keytimes is not called here
# even though the expected times were just set above, so those expectations
# are never verified for this step; confirm whether the omission is intended.
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor CSK becomes OMNIPRESENT. That is the
# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
# the csk-roll2 policy, this means 3 hours = 10800 seconds.
check_next_key_event 10800

#
# Zone: step3.csk-roll2.autosign.
#
set_zone "step3.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# CSK (KEY1) can be removed, so move to UNRETENTIVE.
set_zonesigning "KEY1" "no"
set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
# New CSK (KEY2) DNSKEY is OMNIPRESENT, so move ZRRSIG to RUMOURED state.
set_zonesigning "KEY2" "yes"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
set_keystate "KEY1" "STATE_DS" "unretentive"
set_keystate "KEY2" "STATE_DS" "rumoured"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Check that CDS publication is logged.
check_cdslog "$DIR" "$ZONE" KEY2

# Set expected key times:
# - This key was activated 186 days ago (16070400 seconds).
csk_rollover_predecessor_keytimes -16070400
# - The new CSK is published three hours ago, CDS must be published now.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}"
set_keytime "KEY2" "SYNCPUBLISH" "${created}"
# - Also signatures are being introduced now.
set_keytime "KEY2" "ACTIVE" "${created}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
# Subdomain still has good signatures of old CSK (KEY1).
# Set expected zone signing on for KEY1 and off for KEY2,
# testing whether signatures which are still valid are being reused.
set_zonesigning "KEY1" "yes"
set_zonesigning "KEY2" "no"
check_subdomain
# Restore the expected zone signing properties.
set_zonesigning "KEY1" "no"
set_zonesigning "KEY2" "yes"
dnssec_verify

# We ignore any parent registration delay, so set the DS publish time to now.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
# Next key event is when the predecessor ZRRSIG records have been replaced
# with that of the successor and enough time has passed such that all
# validators that have such signed RRsets in cache only know about the
# successor signatures. This is the retire interval: Dsgn plus the
# maximum zone TTL plus the zone propagation delay plus retire-safety. For the
# csk-roll2 policy that means: 12h (because 1d validity and refresh within
# 12 hours) + 1d + 1h + 1h = 38h = 136800 seconds. Prevent intermittent false
# positives on slow platforms by subtracting the number of seconds which
# passed between key creation and invoking 'rndc dnssec -checkds'.
now="$(TZ=UTC date +%s)"
time_passed=$((now-start_time))
next_time=$((136800-time_passed))
check_next_key_event $next_time

#
# Zone: step4.csk-roll2.autosign.
#
set_zone "step4.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) ZRRSIG is now HIDDEN.
set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
# The new CSK (KEY2) ZRRSIG is now OMNIPRESENT.
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4502 hours ago (16207200 seconds).
csk_rollover_predecessor_keytimes -16207200
# - The new CSK was published 41 hours (147600 seconds) ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the predecessor DS has been replaced with the
# successor DS and enough time has passed such that all validators that
# have this DS RRset cached only know about the successor DS. This is the
# registration delay plus the retire interval, which is the parent
# propagation delay plus the DS TTL plus the retire-safety. For the
# csk-roll2 policy this means: 1w + 1h + 1h = 170h = 612000 seconds.
# However, 136800 seconds have passed already, so 475200 seconds left.
check_next_key_event 475200

#
# Zone: step5.csk-roll2.autosign.
#
set_zone "step5.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) DNSKEY can be removed.
set_keysigning "KEY1" "no"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keystate "KEY1" "STATE_DS" "hidden"
# The new CSK (KEY2) is now fully OMNIPRESENT.
set_keystate "KEY2" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4634 hours ago (16682400 seconds).
csk_rollover_predecessor_keytimes -16682400
# - The new CSK was published 173 hours (622800 seconds) ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -622800
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DNSKEY enters the HIDDEN state. This is the
# DNSKEY TTL plus zone propagation delay. For the csk-roll2 policy this is:
# 1h + 1h = 7200 seconds.
check_next_key_event 7200

#
# Zone: step6.csk-roll2.autosign.
#
set_zone "step6.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) is now completely HIDDEN.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
set_keystate "KEY1" "STATE_KRRSIG" "hidden"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - This key was activated 4636 hours ago (16689600 seconds).
csk_rollover_predecessor_keytimes -16689600
# - The new CSK was published 175 hours (630000 seconds) ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -630000
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the new successor needs to be published.
# This is the Lcsk, minus time passed since the key was published.
# Lcsk: 186d (16070400 seconds)
# Time passed: 175h (630000 seconds)
# 16070400 - 630000 = 15440400 seconds.
check_next_key_event 15440400

#
# Zone: step7.csk-roll2.autosign.
#
set_zone "step7.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) could have been purged, but purge-keys is disabled.

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

#
# Test #2375: Scheduled rollovers are happening faster than they can finish
#
set_zone "step1.three-is-a-crowd.kasp"
set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3"
# TODO (GL #2471).

#
# Testing algorithm rollover.
#
# Unlimited lifetimes: no RETIRED/REMOVED times are predicted for these keys.
Lksk=0
Lzsk=0
IretKSK=0
IretZSK=0

#
# Zone: step1.algorithm-roll.kasp
#
set_zone "step1.algorithm-roll.kasp"
set_policy "rsasha1" "2" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
key_clear "KEY3"
key_clear "KEY4"

# The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"

set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor keys need to be published.
# Since the lifetime of the keys is unlimited, default to the loadkeys
# interval.
check_next_key_event 3600

#
# Zone: step1.csk-algorithm-roll.kasp
#
set_zone "step1.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "1" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"
# The CSK (KEY1) starts in OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# This key is immediately published and activated.
# Unlimited lifetime, so csk_rollover_predecessor_keytimes skips RETIRED/REMOVED.
Lcsk=0
IretCSK=0
csk_rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the successor keys need to be published.
# Since the lifetime of the keys is unlimited, default to the loadkeys
# interval.
check_next_key_event 3600

#
# Testing going insecure.
#

#
# Zone step1.going-insecure.kasp
#
set_zone "step1.going-insecure.kasp"
set_policy "unsigning" "2" "7200"
set_server "ns6" "10.53.0.6"

# Policy parameters.
# Lksk: 0
# Lzsk: 60 days (5184000 seconds)
# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (1h)
# Iret(KSK): 1d2h (93600 seconds)
# Iret(ZSK): RRSIG TTL (1d) + Dprp (5m) + Dsgn (9d) + retire-safety (1h)
# Iret(ZSK): 10d1h5m (867900 seconds)
Lksk=0
Lzsk=5184000
IretKSK=93600
IretZSK=867900

# Set up the expected key set for the going-insecure zones: a KSK (KEY1) and
# a ZSK (KEY2) of the default algorithm, both fully OMNIPRESENT, and no
# KEY3/KEY4. Lifetimes come from the Lksk and Lzsk globals, so those must be
# set before calling this. The callers below adjust GOAL/DS states afterwards.
init_migration_insecure() {
  key_clear "KEY1"
  set_keyrole "KEY1" "ksk"
  set_keylifetime "KEY1" "${Lksk}"
  set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
  set_keysigning "KEY1" "yes"
  set_zonesigning "KEY1" "no"

  set_keystate "KEY1" "GOAL" "omnipresent"
  set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
  set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
  set_keystate "KEY1" "STATE_DS" "omnipresent"

  key_clear "KEY2"
  set_keyrole "KEY2" "zsk"
  set_keylifetime "KEY2" "${Lzsk}"
  set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
  set_keysigning "KEY2" "no"
  set_zonesigning "KEY2" "yes"

  set_keystate "KEY2" "GOAL" "omnipresent"
  set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
  set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"

  key_clear "KEY3"
  key_clear "KEY4"
}
init_migration_insecure

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# We have set the timing metadata to now - 10 days (864000 seconds).
rollover_predecessor_keytimes -864000
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone step1.going-insecure-dynamic.kasp
#

set_zone "step1.going-insecure-dynamic.kasp"
set_dynamic
set_policy "unsigning" "2" "7200"
set_server "ns6" "10.53.0.6"
init_migration_insecure

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# We have set the timing metadata to now - 10 days (864000 seconds).
rollover_predecessor_keytimes -864000
check_keytimes
check_apex
check_subdomain
dnssec_verify

#
# Zone step1.going-straight-to-none.kasp
#
set_zone "step1.going-straight-to-none.kasp"
set_policy "default" "1" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) and DS are all expected to be OMNIPRESENT.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
# This policy only has one key.
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# The first key is immediately published and activated.
created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "PUBLISHED" "${created}"
set_keytime "KEY1" "ACTIVE" "${created}"
set_keytime "KEY1" "SYNCPUBLISH" "${created}"
# Key lifetime is unlimited, so not setting RETIRED and REMOVED.
check_keytimes

check_apex
check_subdomain
dnssec_verify

# Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy
# changes).
echo_i "reconfig dnssec-policy to trigger algorithm rollover"
copy_setports ns6/named2.conf.in ns6/named.conf
rndc_reconfig ns6 10.53.0.6

# Calculate time passed to correctly check for next key events.
# start_time was taken when the script started; the delta is only logged
# here, the later steps compute their own.
now="$(TZ=UTC date +%s)"
time_passed=$((now-start_time))
echo_i "${time_passed} seconds passed between start of tests and reconfig"

# Wait until we have seen "zone_rekey done:" message for this key.
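# Single check (used via retry_quiet) whether named has logged that it is
# done signing zone $1 with key $2 (KEY1..KEY4 as used by key_get).
# Keys that are expected to sign are those whose role (KSK/ZSK) is "yes"
# and whose matching EXPECT_KRRSIG/EXPECT_ZRRSIG is "yes"; for those the
# "zone_rekey done: key <id>/<alg>" line must be present in $DIR/named.run.
# Returns 0 when the key is not expected to sign or the line was found,
# 1 otherwise.
# Note: POSIX sh has no 'local'; _role and _expect_type are therefore reset
# on every call so a value left over from the previous key cannot be reused
# for a key that has neither role (e.g. one cleared with key_clear).
_wait_for_done_signing() {
  _zone=$1
  _key=$2
  _role=
  _expect_type=

  _ksk=$(key_get "$_key" KSK)
  _zsk=$(key_get "$_key" ZSK)
  if [ "$_ksk" = "yes" ]; then
    _role="KSK"
    _expect_type=EXPECT_KRRSIG
  elif [ "$_zsk" = "yes" ]; then
    _role="ZSK"
    _expect_type=EXPECT_ZRRSIG
  else
    # No signing role: nothing to wait for.
    return 0
  fi

  if [ "$(key_get "$_key" "$_expect_type")" = "yes" ] && [ "$(key_get "$_key" "$_role")" = "yes" ]; then
    _keyid=$(key_get "$_key" ID)
    _keyalg=$(key_get "$_key" ALG_STR)
    echo_i "wait for zone ${_zone} is done signing with ${_key} ${_zone}/${_keyalg}/${_keyid}"
    grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1
  fi

  return 0
}

# Wait until named reports it is done signing the current zone ($ZONE) with
# each of KEY1..KEY4, retrying each via retry_quiet (budget 30). Counts as a
# numbered test: increments n, logs "failed" and adds to status on failure.
# Globals: ZONE (read); n, ret, status (written).
wait_for_done_signing() {
  n=$((n+1))
  echo_i "wait for zone ${ZONE} is done signing ($n)"
  ret=0

  retry_quiet 30 _wait_for_done_signing "${ZONE}" KEY1 || ret=1
  retry_quiet 30 _wait_for_done_signing "${ZONE}" KEY2 || ret=1
  retry_quiet 30 _wait_for_done_signing "${ZONE}" KEY3 || ret=1
  retry_quiet 30 _wait_for_done_signing "${ZONE}" KEY4 || ret=1

  test "$ret" -eq 0 || echo_i "failed"
  status=$((status+ret))
}

#
# Testing going insecure.
#

#
# Zone: step1.going-insecure.kasp
#
set_zone "step1.going-insecure.kasp"
set_policy "insecure" "2" "7200"
set_server "ns6" "10.53.0.6"
# Expect a CDS/CDNSKEY Delete Record.
set_cdsdelete

# Key goal states should be HIDDEN.
init_migration_insecure
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY2" "GOAL" "hidden"
# The DS may be removed if we are going insecure.
set_keystate "KEY1" "STATE_DS" "unretentive"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Tell named that the DS has been removed.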
# "withdrawn"/"now" tells named the operator has seen the parent remove the
# DS, which starts the DS hidden timer checked by check_next_key_event below.
rndc_checkds "$SERVER" "$DIR" "KEY1" "now" "withdrawn" "$ZONE"
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DS becomes HIDDEN. This happens after the
# parent propagation delay, retire safety delay, and DS TTL:
# 1h + 1h + 1d = 26h = 93600 seconds.
check_next_key_event 93600

#
# Zone: step2.going-insecure.kasp
#
set_zone "step2.going-insecure.kasp"
set_policy "insecure" "2" "7200"
set_server "ns6" "10.53.0.6"

# The DS has been gone from the parent long enough to be considered HIDDEN.
# Only now may the DNSKEY and the KSK signatures be removed: doing so while
# a DS could still be cached would leave validating resolvers with a broken
# chain of trust.
set_keystate "KEY1" "STATE_DS" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keysigning "KEY1" "no"

set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
set_zonesigning "KEY2" "no"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

# Next key event is when the DNSKEY becomes HIDDEN. This happens after the
# propagation delay, plus DNSKEY TTL (the 7200 passed to set_policy above):
# 5m + 2h = 125m = 7500 seconds.
check_next_key_event 7500

#
# Zone: step1.going-insecure-dynamic.kasp
#
# Same scenario as above, but for a dynamic zone (set_dynamic); the expected
# states and timings are identical.
#
set_zone "step1.going-insecure-dynamic.kasp"
set_dynamic
set_policy "insecure" "2" "7200"
set_server "ns6" "10.53.0.6"
# Expect a CDS/CDNSKEY Delete Record.
set_cdsdelete

# Key goal states should be HIDDEN.
init_migration_insecure
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY2" "GOAL" "hidden"
# The DS may be removed if we are going insecure.
set_keystate "KEY1" "STATE_DS" "unretentive"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Tell named that the DS has been removed.
rndc_checkds "$SERVER" "$DIR" "KEY1" "now" "withdrawn" "$ZONE"
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

# Next key event is when the DS becomes HIDDEN. This happens after the
# parent propagation delay, retire safety delay, and DS TTL:
# 1h + 1h + 1d = 26h = 93600 seconds.
check_next_key_event 93600

#
# Zone: step2.going-insecure-dynamic.kasp
#
set_zone "step2.going-insecure-dynamic.kasp"
set_dynamic
set_policy "insecure" "2" "7200"
set_server "ns6" "10.53.0.6"

# The DS has been gone from the parent long enough to be considered HIDDEN.
# This means the DNSKEY and the KSK signatures can be removed.
set_keystate "KEY1" "STATE_DS" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keysigning "KEY1" "no"

set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
set_zonesigning "KEY2" "no"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain

# Next key event is when the DNSKEY becomes HIDDEN. This happens after the
# propagation delay, plus DNSKEY TTL:
# 5m + 2h = 125m = 7500 seconds.
check_next_key_event 7500

#
# Zone: step1.going-straight-to-none.kasp
#
# Switching directly to "dnssec-policy none" stops key management without
# the graceful DS withdrawal tested above.
#
set_zone "step1.going-straight-to-none.kasp"
set_policy "none" "1" "3600"
set_server "ns6" "10.53.0.6"

# The zone will go bogus after signatures expire, but remains validly signed for now.

# Key properties.
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) and DS are all still OMNIPRESENT: with
# policy "none" nothing is withdrawn, the records simply stop being maintained.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
# This policy only has one key.
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify

#
# Testing KSK/ZSK algorithm rollover.
#
# Rolling from RSASHA1 (alg 5) to ECDSAP256SHA256 (alg 13). The expected
# states below enforce the safe order: the new algorithm's DNSKEY and all of
# its signatures must be OMNIPRESENT before the DS is swapped (step3), and the
# old algorithm's DNSKEY/RRSIGs are only withdrawn once the old DS is HIDDEN
# (step4 onwards). A resolver that validates with either DS must always find
# a matching DNSKEY and signatures.
#

# Policy parameters.
# Lksk: unlimited
# Lzsk: unlimited
Lksk=0
Lzsk=0

#
# Zone: step1.algorithm-roll.kasp
#
set_zone "step1.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# Old RSASHA1 keys.
key_clear "KEY1"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"

key_clear "KEY2"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
# New ECDSAP256SHA256 keys.
key_clear "KEY3"
set_keyrole "KEY3" "ksk"
set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY3" "yes"
set_zonesigning "KEY3" "no"

key_clear "KEY4"
set_keyrole "KEY4" "zsk"
set_keylifetime "KEY4" "0"
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY4" "no"
set_zonesigning "KEY4" "yes"
# The RSASHA1 keys are outroducing (goal HIDDEN) but everything they publish
# is still OMNIPRESENT.
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
set_keystate "KEY2" "GOAL" "hidden"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# The ECDSAP256SHA256 keys are introducing.
set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
set_keystate "KEY3" "STATE_DS" "hidden"
set_keystate "KEY4" "GOAL" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys are published and activated.
rollover_predecessor_keytimes 0
# - KSK must be retired since it no longer matches the policy.
#   The retire time is read back from the "; Inactive:" line of the key file
#   (third whitespace-separated field) because named chose it at reconfig.
keyfile=$(key_get KEY1 BASEFILE)
grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
retired=$(awk '{print $3}' < retired.test${n}.ksk)
set_keytime "KEY1" "RETIRED" "${retired}"
# - The key is removed after the retire interval:
#   IretKSK = TTLds + DprpP + retire-safety
#   TTLds:         2h (7200 seconds)
#   DprpP:         1h (3600 seconds)
#   retire-safety: 2h (7200 seconds)
#   IretKSK:       5h (18000 seconds)
IretKSK=18000
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
keyfile=$(key_get KEY2 BASEFILE)
grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
retired=$(awk '{print $3}' < retired.test${n}.zsk)
set_keytime "KEY2" "RETIRED" "${retired}"
# - The key is removed after the retire interval:
#   IretZSK = TTLsig + Dprp + Dsgn + retire-safety
#   TTLsig:        6h (21600 seconds)
#   Dprp:          1h (3600 seconds)
#   Dsgn:          25d (2160000 seconds)
#   retire-safety: 2h (7200 seconds)
#   IretZSK:       25d9h (2192400 seconds)
IretZSK=2192400
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new KSK is published and activated.
created=$(key_get KEY3 CREATED)
set_keytime "KEY3" "PUBLISHED" "${created}"
set_keytime "KEY3" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
#   TTLsig:         6h (21600 seconds)
#   Dprp:           1h (3600 seconds)
#   publish-safety: 1h (3600 seconds)
#   Ipub:           8h (28800 seconds)
Ipub=28800
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
# - The new ZSK is published and activated.
created=$(key_get KEY4 CREATED)
set_keytime "KEY4" "PUBLISHED" "${created}"
set_keytime "KEY4" "ACTIVE" "${created}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the ecdsa256 keys have been propagated.
# This is the DNSKEY TTL plus publish safety plus zone propagation delay:
# 3 times an hour: 10800 seconds.
check_next_key_event 10800

#
# Zone: step2.algorithm-roll.kasp
#
set_zone "step2.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# The RSASHA1 keys are outroducing, but need to stay present until the new
# algorithm chain of trust has been established. Thus the properties, timings
# and states of KEY1 and KEY2 are the same as above.

# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent,
# but the zone signatures are not.
set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "omnipresent"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated three hours ago (10800 seconds).
rollover_predecessor_keytimes -10800
# - KSK must be retired since it no longer matches the policy.
created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "RETIRED" "${created}"
set_addkeytime "KEY1" "REMOVED" "${created}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "RETIRED" "${created}"
set_addkeytime "KEY2" "REMOVED" "${created}" "${IretZSK}"
# - The new keys were published 3 hours ago.
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -10800
set_addkeytime "KEY3" "ACTIVE" "${created}" -10800
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${Ipub}"

created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -10800
set_addkeytime "KEY4" "ACTIVE" "${created}" -10800

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when all zone signatures are signed with the new
# algorithm. This is the max-zone-ttl plus zone propagation delay
# plus retire safety: 6h + 1h + 2h. But three hours have already passed
# (the time it took to make the DNSKEY omnipresent), so the next event
# should be scheduled in 6 hours: 21600 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
# NOTE: time_passed is computed earlier in this script, outside this section.
next_time=$((21600-time_passed))
check_next_key_event $next_time

#
# Zone: step3.algorithm-roll.kasp
#
set_zone "step3.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# The ECDSAP256SHA256 keys are introducing; the new ZSK signatures are now
# omnipresent too, so the whole zone validates under the new algorithm.
set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
# Only now can the DS be swapped.
set_keystate "KEY1" "STATE_DS" "unretentive"
set_keystate "KEY3" "STATE_DS" "rumoured"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Check that CDS publication is logged.
check_cdslog "$DIR" "$ZONE" KEY3

# Set expected key times:
# - The old keys were activated 9 hours ago (32400 seconds).
rollover_predecessor_keytimes -32400
# - And retired 6 hours ago (21600 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -21600
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"

created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "RETIRED" "${created}" -21600
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new keys were published 9 hours ago.
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400
set_addkeytime "KEY3" "ACTIVE" "${created}" -32400
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}

created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400
set_addkeytime "KEY4" "ACTIVE" "${created}" -32400

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Tell named we "saw" the parent swap the DS and see if the next key event is
# scheduled at the correct time. Both DS changes are acknowledged at once:
# the old one as withdrawn, the new one as published.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
# Next key event is when the DS becomes OMNIPRESENT. This happens after the
# parent propagation delay, retire safety delay, and DS TTL:
# 1h + 2h + 2h = 5h = 18000 seconds.
check_next_key_event 18000

#
# Zone: step4.algorithm-roll.kasp
#
set_zone "step4.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
# Until this point the RSASHA1 records had to stay so that resolvers still
# holding the old DS could validate.
set_keysigning "KEY1" "no"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keystate "KEY1" "STATE_DS" "hidden"

set_zonesigning "KEY2" "no"
set_keystate "KEY2" "GOAL" "hidden"
set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
# The ECDSAP256SHA256 DS is now OMNIPRESENT.
set_keystate "KEY3" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated 38 hours ago (136800 seconds).
rollover_predecessor_keytimes -136800
# - And retired 35 hours ago (126000 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -126000
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"

created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "RETIRED" "${created}" -126000
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"

# - The new keys were published 38 hours ago.
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}

created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
set_addkeytime "KEY4" "ACTIVE" "${created}" -136800

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the old DNSKEY becomes HIDDEN. This happens after the
# DNSKEY TTL plus zone propagation delay (2h).
check_next_key_event 7200

#
# Zone: step5.algorithm-roll.kasp
#
set_zone "step5.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# The old DNSKEYs (and the old KSK signature over the DNSKEY RRset) become
# HIDDEN; the old ZSK's zone signatures are still being withdrawn.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
set_keystate "KEY1" "STATE_KRRSIG" "hidden"
set_keystate "KEY2" "STATE_DNSKEY" "hidden"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated 40 hours ago (144000 seconds).
rollover_predecessor_keytimes -144000
# - And retired 37 hours ago (133200 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -133200
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"

created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "RETIRED" "${created}" -133200
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"

# - The new keys were published 40 hours ago.
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000
set_addkeytime "KEY3" "ACTIVE" "${created}" -144000
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}

created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000
set_addkeytime "KEY4" "ACTIVE" "${created}" -144000

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the RSASHA1 signatures become HIDDEN. This happens
# after the max-zone-ttl plus zone propagation delay plus retire safety
# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
# NOTE: time_passed is computed earlier in this script, outside this section.
next_time=$((25200-time_passed))
check_next_key_event $next_time

#
# Zone: step6.algorithm-roll.kasp
#
set_zone "step6.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# The old zone signatures (KEY2) should now also be HIDDEN.
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old keys were activated 47 hours ago (169200 seconds).
rollover_predecessor_keytimes -169200
# - And retired 44 hours ago (158400 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -158400
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"

created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "RETIRED" "${created}" -158400
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"

# - The new keys were published 47 hours ago.
created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200
set_addkeytime "KEY3" "ACTIVE" "${created}" -169200
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}

created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200
set_addkeytime "KEY4" "ACTIVE" "${created}" -169200

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is never since we established the policy and the keys have
# an unlimited lifetime. Fallback to the default loadkeys interval.
check_next_key_event 3600

#
# Testing CSK algorithm rollover.
#
# Same rollover as above with a single combined signing key per algorithm:
# the old RSASHA1 CSK (KEY1) is replaced by a CSK using the test suite's
# default algorithm (KEY2). The step sequence and the safety ordering
# (new DNSKEY + signatures omnipresent before the DS swap, old records
# withdrawn only after the old DS is hidden) are the same as for KSK/ZSK.
#

# Policy parameters.
# Lcsk: unlimited
# NOTE(review): the comment says Lcsk but the variable assigned is Lcksk;
# this looks like a typo. Confirm which name the csk_rollover_* helpers read
# before renaming it.
Lcksk=0

#
# Zone: step1.csk-algorithm-roll.kasp
#
set_zone "step1.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# Old RSASHA1 key.
key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"
# New key, using the suite's default algorithm (DEFAULT_ALGORITHM, expected to
# be ECDSAP256SHA256 where the comments below name it).
key_clear "KEY2"
set_keyrole "KEY2" "csk"
set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY2" "yes"
set_zonesigning "KEY2" "yes"
key_clear "KEY3"
key_clear "KEY4"
# The RSASHA1 key is outroducing.
set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"
# The ECDSAP256SHA256 key is introducing.
set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY2" "STATE_DS" "hidden"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - CSK must be retired since it no longer matches the policy.
#   The retire time is read back from the "; Inactive:" line of the key file
#   (third whitespace-separated field) because named chose it at reconfig.
csk_rollover_predecessor_keytimes 0
keyfile=$(key_get KEY1 BASEFILE)
grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
retired=$(awk '{print $3}' < retired.test${n}.ksk)
set_keytime "KEY1" "RETIRED" "${retired}"
# - The key is removed after the retire interval (a CSK also signs the zone,
#   so the ZSK formula applies):
#   IretCSK = TTLsig + Dprp + Dsgn + retire-safety
#   TTLsig:        6h (21600 seconds)
#   Dprp:          1h (3600 seconds)
#   Dsgn:          25d (2160000 seconds)
#   retire-safety: 2h (7200 seconds)
#   IretCSK:       25d9h (2192400 seconds)
IretCSK=2192400
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new CSK is published and activated.
created=$(key_get KEY2 CREATED)
set_keytime "KEY2" "PUBLISHED" "${created}"
set_keytime "KEY2" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
#   TTLsig:         6h (21600 seconds)
#   Dprp:           1h (3600 seconds)
#   publish-safety: 1h (3600 seconds)
#   Ipub:           8h (28800 seconds)
Ipub=28800
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the new key has been propagated.
# This is the DNSKEY TTL plus publish safety plus zone propagation delay:
# 3 times an hour: 10800 seconds.
check_next_key_event 10800

#
# Zone: step2.csk-algorithm-roll.kasp
#
set_zone "step2.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# The RSASHA1 key is outroducing, but needs to stay present until the new
# algorithm chain of trust has been established. Thus the properties, timings
# and states of KEY1 are the same as above.
#
# The ECDSAP256SHA256 key is introducing. The DNSKEY RRset is omnipresent,
# but the zone signatures are not.
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old key was activated three hours ago (10800 seconds).
csk_rollover_predecessor_keytimes -10800
# - CSK must be retired since it no longer matches the policy.
created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "RETIRED" "${created}"
set_addkeytime "KEY1" "REMOVED" "${created}" "${IretCSK}"
# - The new key was published 3 hours ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -10800
set_addkeytime "KEY2" "ACTIVE" "${created}" -10800
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when all zone signatures are signed with the new
# algorithm. This is the max-zone-ttl plus zone propagation delay
# plus retire safety: 6h + 1h + 2h. But three hours have already passed
# (the time it took to make the DNSKEY omnipresent), so the next event
# should be scheduled in 6 hours: 21600 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
# NOTE: time_passed is computed earlier in this script, outside this section.
next_time=$((21600-time_passed))
check_next_key_event $next_time

#
# Zone: step3.csk-algorithm-roll.kasp
#
set_zone "step3.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# The RSASHA1 key is outroducing, and it is time to swap the DS.
# The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures
# are now omnipresent, so the DS can be introduced.
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
set_keystate "KEY1" "STATE_DS" "unretentive"
set_keystate "KEY2" "STATE_DS" "rumoured"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Check that CDS publication is logged.
check_cdslog "$DIR" "$ZONE" KEY2

# Set expected key times:
# - The old key was activated 9 hours ago (32400 seconds).
csk_rollover_predecessor_keytimes -32400
# - And was retired 6 hours ago (21600 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -21600
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 9 hours ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400
set_addkeytime "KEY2" "ACTIVE" "${created}" -32400
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# We ignore any parent registration delay, so set the DS publish time to now.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
# Next key event is when the DS becomes OMNIPRESENT. This happens after the
# parent propagation delay, retire safety delay, and DS TTL:
# 1h + 2h + 2h = 5h = 18000 seconds.
check_next_key_event 18000

#
# Zone: step4.csk-algorithm-roll.kasp
#
set_zone "step4.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
set_keysigning "KEY1" "no"
set_zonesigning "KEY1" "no"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
set_keystate "KEY1" "STATE_DS" "hidden"
# The ECDSAP256SHA256 DS is now OMNIPRESENT.
set_keystate "KEY2" "STATE_DS" "omnipresent"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old key was activated 38 hours ago (136800 seconds).
csk_rollover_predecessor_keytimes -136800
# - And retired 35 hours ago (126000 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -126000
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 38 hours ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the old DNSKEY becomes HIDDEN. This happens after the
# DNSKEY TTL plus zone propagation delay (2h).
check_next_key_event 7200

#
# Zone: step5.csk-algorithm-roll.kasp
#
set_zone "step5.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# The old DNSKEY (and its signature over the DNSKEY RRset) becomes HIDDEN;
# the old zone signatures are still being withdrawn.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
set_keystate "KEY1" "STATE_KRRSIG" "hidden"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old key was activated 40 hours ago (144000 seconds).
csk_rollover_predecessor_keytimes -144000
# - And retired 37 hours ago (133200 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -133200
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 40 hours ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000
set_addkeytime "KEY2" "ACTIVE" "${created}" -144000
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is when the RSASHA1 signatures become HIDDEN. This happens
# after the max-zone-ttl plus zone propagation delay plus retire safety
# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
# NOTE: time_passed is computed earlier in this script, outside this section.
next_time=$((25200-time_passed))
check_next_key_event $next_time

#
# Zone: step6.csk-algorithm-roll.kasp
#
set_zone "step6.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# The old zone signatures should now also be HIDDEN; nothing of the RSASHA1
# key is left in the zone.
set_keystate "KEY1" "STATE_ZRRSIG" "hidden"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The old key was activated 47 hours ago (169200 seconds).
csk_rollover_predecessor_keytimes -169200
# - And retired 44 hours ago (158400 seconds).
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -158400
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 47 hours ago.
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200
set_addkeytime "KEY2" "ACTIVE" "${created}" -169200
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Next key event is never since we established the policy and the keys have
# an unlimited lifetime. Fallback to the default loadkeys interval.
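check_next_key_event 3600

#
# Reload/restart regression checks on the "example" zone served by ns6.
#
# Both tests record the SOA before and after the operation and require the
# serial to have increased and the TTL to match the loaded zone file. The
# ${var:-default} fallbacks turn an empty dig result into a failing
# comparison instead of a silently passing one. TSIG is cleared so that
# dig_with_opts sends plain queries. The test counter is bumped *before* each
# test, matching the rest of this script, so the number in the message and in
# the dig.out.* file names is not shared with the preceding step.
#

n=$((n+1))
echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)"
TSIG=
ret=0
dig_with_opts @10.53.0.6 example SOA > "dig.out.ns6.test$n.soa1" || ret=1
# Replace the zone file with one carrying a higher serial; TTL stays at 300.
cp ns6/example2.db.in ns6/example.db || ret=1
nextpart ns6/named.run > /dev/null
rndccmd 10.53.0.6 reload || ret=1
# The log wait is not folded into ret; the SOA comparison below decides.
wait_for_log 3 "all zones loaded" ns6/named.run
sleep 1
dig_with_opts @10.53.0.6 example SOA > "dig.out.ns6.test$n.soa2" || ret=1
soa1=$(awk '$4 == "SOA" { print $7 }' "dig.out.ns6.test$n.soa1")
soa2=$(awk '$4 == "SOA" { print $7 }' "dig.out.ns6.test$n.soa2")
ttl1=$(awk '$4 == "SOA" { print $2 }' "dig.out.ns6.test$n.soa1")
ttl2=$(awk '$4 == "SOA" { print $2 }' "dig.out.ns6.test$n.soa2")
# The signed instance must serve the new, higher serial.
test "${soa1:-1000}" -lt "${soa2:-0}" || ret=1
test "${ttl1:-0}" -eq 300 || ret=1
test "${ttl2:-0}" -eq 300 || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

n=$((n+1))
echo_i "Check that restart with zone changes and deleted journal works ($n)"
TSIG=
ret=0
dig_with_opts @10.53.0.6 example SOA > "dig.out.ns6.test$n.soa1" || ret=1
stop_server --use-rndc --port "${CONTROLPORT}" kasp ns6
# TTL of all records change from 300 to 400
cp ns6/example3.db.in ns6/example.db || ret=1
# Make sure no journal survives the restart; -f keeps an already-absent
# journal from producing a spurious error.
rm -f ns6/example.db.jnl
nextpart ns6/named.run > /dev/null
start_server --noclean --restart --port "${PORT}" kasp ns6
wait_for_log 3 "all zones loaded" ns6/named.run
sleep 1
dig_with_opts @10.53.0.6 example SOA > "dig.out.ns6.test$n.soa2" || ret=1
soa1=$(awk '$4 == "SOA" { print $7 }' "dig.out.ns6.test$n.soa1")
soa2=$(awk '$4 == "SOA" { print $7 }' "dig.out.ns6.test$n.soa2")
ttl1=$(awk '$4 == "SOA" { print $2 }' "dig.out.ns6.test$n.soa1")
ttl2=$(awk '$4 == "SOA" { print $2 }' "dig.out.ns6.test$n.soa2")
# Serial must increase and the new TTL from example3.db.in must be served.
test "${soa1:-1000}" -lt "${soa2:-0}" || ret=1
test "${ttl1:-0}" -eq 300 || ret=1
test "${ttl2:-0}" -eq 400 || ret=1
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1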