kasp: registration delay adjustments

Registration delay is not part of the Iret retire interval, thus removed from the calculation when setting the Delete time metadata. Include the registration delay in prepublication time, because we need to prepublish the key sooner than just the Ipub publication interval. (cherry picked from commit 50bbbb76a8)
2020-05-04 12:30:40 +02:00
parent 48a265b2c7
commit 437ec25c0c
3 changed files with 33 additions and 25 deletions
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -1298,11 +1298,11 @@ set_keytimes_algorithm_policy() {
 	set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
 	# Key lifetime is 10 years, 315360000 seconds.
 	set_addkeytime "KEY1" "RETIRED"     "${published}" 315360000
-	# The key is removed after the retire time plus DS TTL (1d), parent
-	# registration delay (1d), parent propagation delay (1h),
-	# and retire safety (1h) = 86400 + 86400 + 3600 + 3600 = 180000.
+	# The key is removed after the retire time plus DS TTL (1d),
+	# parent propagation delay (1h), and retire safety (1h) =
+	# 86400 + 3600 + 3600 = 93600.
 	retired=$(key_get KEY1 RETIRED)
-	set_addkeytime "KEY1" "REMOVED"     "${retired}"   180000
+	set_addkeytime "KEY1" "REMOVED"     "${retired}"   93600

 	# The first ZSKs are immediately published and activated.
 	created=$(key_get KEY2 CREATED)
@@ -1739,11 +1739,11 @@ set_keytimes_autosign_policy() {
 	# Key lifetime is 2 years, 63072000 seconds.
 	active=$(key_get KEY1 ACTIVE)
 	set_addkeytime "KEY1" "RETIRED"     "${active}"  63072000
-	# The key is removed after the retire time plus DS TTL (1d), parent
-	# registration delay (1d), propagation delay (1h), retire safety (1h) =
-	# 86400 + 86400 + 3600 + 3600 = 180000
+	# The key is removed after the retire time plus DS TTL (1d),
+	# parent propagation delay (1h), retire safety (1h) =
+	# 86400 + 3600 + 3600 = 93600
 	retired=$(key_get KEY1 RETIRED)
-	set_addkeytime "KEY1" "REMOVED"     "${retired}" 180000
+	set_addkeytime "KEY1" "REMOVED"     "${retired}" 93600

 	# The ZSK was published six months ago (with settime).
 	created=$(key_get KEY2 CREATED)
@@ -2429,22 +2429,24 @@ check_next_key_event 3600
 # Testing ZSK Pre-Publication rollover.
 #

+# Policy parameters.
+# Lksk:      2 years (63072000 seconds)
+# Lzsk:      30 days (2592000 seconds)
+# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (2d)
+# Iret(KSK): 3d1h (262800 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d)
+# Iret(ZSK): 10d1h (867600 seconds)
+Lksk=63072000
+Lzsk=2592000
+IretKSK=262800
+IretZSK=867600
+
 #
 # Zone: step1.zsk-prepub.autosign.
 #
 set_zone "step1.zsk-prepub.autosign"
 set_policy "zsk-prepub" "2" "3600"
 set_server "ns3" "10.53.0.3"
-# Policy parameters.
-# Lksk:      2 years (63072000 seconds)
-# Lzsk:      30 days (2592000 seconds)
-# Iret(KSK): DS TTL (1d) + Dreg (1d) + DprpP (1h) + retire-safety (2d)
-# Iret(KSK): 4d1h (349200 seconds)
-# Iret(ZSK): 10d1h (867600 seconds).
-Lksk=63072000
-Lzsk=2592000
-IretKSK=349200
-IretZSK=867600

 set_retired_removed() {
 	_Lkey=$2
@@ -2456,7 +2458,7 @@ set_retired_removed() {
 	set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
 }

-zsk_prepub_predecessor_keytimes() {
+rollover_predecessor_keytimes() {
 	_addtime=$1

 	_created=$(key_get KEY1 CREATED)
@@ -2501,7 +2503,7 @@ key_clear "KEY4"
 check_keys

 # These keys are immediately published and activated.
-zsk_prepub_predecessor_keytimes 0
+rollover_predecessor_keytimes 0
 check_keytimes

 check_apex
@@ -2535,7 +2537,7 @@ set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
 check_keys

 # The old keys were activated 694 hours ago (2498400 seconds).
-zsk_prepub_predecessor_keytimes -2498400
+rollover_predecessor_keytimes -2498400
 # The new ZSK is published now.
 created=$(key_get KEY3 CREATED)
 set_keytime "KEY3" "PUBLISHED" "${created}"
@@ -2574,7 +2576,7 @@ set_keystate     "KEY3" "STATE_ZRRSIG" "rumoured"
 check_keys

 # The old keys are activated 30 days ago (2592000 seconds).
-zsk_prepub_predecessor_keytimes -2592000
+rollover_predecessor_keytimes -2592000
 # The new ZSK is published 26 hours ago (93600 seconds).
 created=$(key_get KEY3 CREATED)
 set_addkeytime "KEY3" "PUBLISHED"   "${created}" -93600
@@ -2616,7 +2618,7 @@ set_keystate "KEY3" "STATE_ZRRSIG" "omnipresent"
 check_keys

 # The old keys are activated 961 hours ago (3459600 seconds).
-zsk_prepub_predecessor_keytimes -3459600
+rollover_predecessor_keytimes -3459600
 # The new ZSK is published 267 hours ago (961200 seconds).
 created=$(key_get KEY3 CREATED)
 set_addkeytime "KEY3" "PUBLISHED"   "${created}"   -961200
@@ -2646,7 +2648,7 @@ set_keystate "KEY2" "STATE_DNSKEY" "hidden"
 check_keys

 # The old keys are activated 962 hours ago (3463200 seconds).
-zsk_prepub_predecessor_keytimes -3463200
+rollover_predecessor_keytimes -3463200
 # The new ZSK is published 268 hours ago (964800 seconds).
 created=$(key_get KEY3 CREATED)
 set_addkeytime "KEY3" "PUBLISHED"   "${created}"   -964800