[master] allow CDS/CDNSKEY records to be signed with only KSK

4721. [func] 'dnssec-signzone -x' and 'dnssec-dnskey-kskonly' options now apply to CDNSKEY and DS records as well as DNSKEY. Thanks to Tony Finch. [RT #45689]
2017-09-12 23:09:48 -07:00
parent e930487ce7
commit 20502f35dd
15 changed files with 183 additions and 31 deletions
--- a/bin/tests/system/dnssec/ns2/named.conf
+++ b/bin/tests/system/dnssec/ns2/named.conf
@@ -102,6 +102,11 @@ zone "cds.secure" {
 	file "cds.secure.db.signed";
 };

+zone "cds-x.secure" {
+	type master;
+	file "cds-x.secure.db.signed";
+};
+
 zone "cds-update.secure" {
 	type master;
 	file "cds-update.secure.db.signed";
@@ -120,6 +125,11 @@ zone "cdnskey.secure" {
 	file "cdnskey.secure.db.signed";
 };

+zone "cdnskey-x.secure" {
+	type master;
+	file "cdnskey-x.secure.db.signed";
+};
+
 zone "cdnskey-update.secure" {
 	type master;
 	file "cdnskey-update.secure.db.signed";
--- a/bin/tests/system/dnssec/ns2/sign.sh
+++ b/bin/tests/system/dnssec/ns2/sign.sh
@@ -194,6 +194,16 @@ $DSFROMKEY -C $key1.key > $key1.cds
 cat $infile $key1.key $key2.key $key1.cds >$zonefile
 $SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null

+zone=cds-x.secure
+infile=cds.secure.db.in
+zonefile=cds-x.secure.db
+key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
+key3=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+$DSFROMKEY -C $key2.key > $key2.cds
+cat $infile $key1.key $key3.key $key2.cds >$zonefile
+$SIGNER -P -g -x -r $RANDFILE -o $zone $zonefile > /dev/null
+
 zone=cds-update.secure
 infile=cds-update.secure.db.in
 zonefile=cds-update.secure.db
@@ -219,6 +229,16 @@ sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cds
 cat $infile $key1.key $key2.key $key1.cds >$zonefile
 $SIGNER -P -g -r $RANDFILE -o $zone $zonefile > /dev/null

+zone=cdnskey-x.secure
+infile=cdnskey.secure.db.in
+zonefile=cdnskey-x.secure.db
+key1=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
+key2=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone -fk $zone`
+key3=`$KEYGEN -q -r $RANDFILE -a RSASHA1 -b 1024 -n zone $zone`
+sed 's/DNSKEY/CDNSKEY/' $key1.key > $key1.cds
+cat $infile $key2.key $key3.key $key1.cds >$zonefile
+$SIGNER -P -g -x -r $RANDFILE -o $zone $zonefile > /dev/null
+
 zone=cdnskey-update.secure
 infile=cdnskey-update.secure.db.in
 zonefile=cdnskey-update.secure.db