Add a multi-signer where the key tag range changes

bin/tests/system/kasp.sh

@@ -92,6 +92,7 @@ key_stat() {
 key_save() {
   # Save key id.
   key_set "$1" ID "$KEY_ID"
+  key_set "$1" RID "$KEY_RID"
   # Save base filename.
   key_set "$1" BASEFILE "$BASE_FILE"
   # Save creation date.
@@ -107,6 +108,7 @@ key_save() {
 # This will update either the KEY1, KEY2, or KEY3 array.
 key_clear() {
   key_set "$1" "ID" 'no'
+  key_set "$1" "RID" 'no'
   key_set "$1" "IDPAD" 'no'
   key_set "$1" "EXPECT" 'no'
   key_set "$1" "ROLE" 'none'
@@ -407,6 +409,9 @@ check_key() {
   [ "$ret" -eq 0 ] || _log_error "${BASE_FILE} files missing"
   [ "$ret" -eq 0 ] || return 0
 
+  # Retrieve revoked key id
+  KEY_RID=$($REVOKE -R ${BASE_FILE})
+
   # Retrieve creation date.
   grep "; Created:" "$KEY_FILE" >"${ZONE}.${KEY_ID}.${_alg_num}.created" || _log_error "mismatch created comment in $KEY_FILE"
   KEY_CREATED=$(awk '{print $3}' <"${ZONE}.${KEY_ID}.${_alg_num}.created")

bin/tests/system/kasp/ns3/named-fips.conf.in

@@ -219,6 +219,17 @@ zone "multisigner-model2.kasp" {
 	allow-update { any; };
 };
 
+/*
+ * A zone that starts with keys that have tags that are
+ * outside of the desired multi-signer key tag range.
+ */
+zone "single-to-multisigner.kasp" {
+	type primary;
+	file "single-to-multisigner.kasp.db";
+	dnssec-policy "multisigner-model2";
+	allow-update { any; };
+};
+
 /*
  * Different algorithms.
  */

bin/tests/system/kasp/ns3/setup.sh

@@ -184,6 +184,17 @@ cat template.db.in "${CSK}.key" >"$infile"
 cp $infile $zonefile
 $SIGNER -PS -z -x -s now-2w -e now-1mi -o $zone -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
+# We are changing an existing single-signed zone to multi-signed
+# zone where the key tags do not match the dnssec-policy key tag range
+setup single-to-multisigner.kasp
+T="now-1d"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -M 0:32767 -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -M 0:32767 -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+$SIGNER -PS -z -x -s now-2w -e now-1mi -o $zone -f "${zonefile}" $infile >signer.out.$zone.1 2>&1
+
 # These signatures are set to expire long in the past, update immediately.
 setup expired-sigs.autosign
 T="now-6mo"

bin/tests/system/kasp/tests.sh

@@ -2154,6 +2154,86 @@ retry_quiet 10 zsks_are_published || ret=1
 test "$ret" -eq 0 || echo_i "failed"
 status=$((status + ret))
 
+#
+# A zone transitioning from single-signed to multi-signed.
+# We should have the old omnipresent keys outside of the
+# desired key range and the new keys in the desired key range
+# KEY1 and KEY2 are the new keys. KEY3 and KEY4 are the old keys.
+#
+set_zone "single-to-multisigner.kasp"
+set_policy "multisigner-model2" "4" "3600"
+set_server "ns3" "10.53.0.3"
+key_clear "KEY1"
+key_clear "KEY2"
+key_clear "KEY3"
+key_clear "KEY4"
+
+# Key properties.
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "0"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "0"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "no" # waiting for DNSKEY to be omnipresent
+
+set_keyrole "KEY3" "ksk"
+set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
+
+set_keyrole "KEY4" "zsk"
+set_keyalgorithm "KEY4" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY4" "no"
+set_zonesigning "KEY4" "yes"
+
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "hidden"
+
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "hidden" # waiting for DNSKEY to be omnipresent
+
+set_keystate "KEY3" "GOAL" "hidden"
+set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY3" "STATE_DS" "omnipresent"
+
+set_keystate "KEY4" "GOAL" "hidden"
+set_keystate "KEY4" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
+# KEY1 tag range 32768 65535
+# KEY2 tag range 32768 65535
+# KEY3 tag range 0 32767
+# KEY4 tag range 0 32767
+n=$((n + 1))
+echo_i "check that the key IDs are in the expected ranges ($n)"
+ret=0
+test $(key_get KEY1 ID) -ge 32768 -a $(key_get KEY1 ID) -le 65535 || ret=1
+test $(key_get KEY2 ID) -ge 32768 -a $(key_get KEY2 ID) -le 65535 || ret=1
+test $(key_get KEY3 ID) -ge 0 -a $(key_get KEY3 ID) -le 32767 || ret=1
+test $(key_get KEY4 ID) -ge 0 -a $(key_get KEY4 ID) -le 32767 || ret=1
+
+test $(key_get KEY1 RID) -ge 32768 -a $(key_get KEY1 RID) -le 65535 || ret=1
+test $(key_get KEY2 RID) -ge 32768 -a $(key_get KEY2 RID) -le 65535 || ret=1
+test $(key_get KEY3 RID) -ge 0 -a $(key_get KEY3 RID) -le 32767 || ret=1
+test $(key_get KEY4 RID) -ge 0 -a $(key_get KEY4 RID) -le 32767 || ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
+
 #
 # Testing manual rollover.
 #