Error if signatures-refresh is too high
The signatures-refresh should not be near the signatures-validity value, to prevent operational instability. The same is true when checking against signatures-validity-dnskey.
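--- a/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf
+++ b/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf
@@ -0,0 +1,44 @@
+/*
+* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+*
+* SPDX-License-Identifier: MPL-2.0
+*
+* This Source Code Form is subject to the terms of the Mozilla Public
+* License, v. 2.0. If a copy of the MPL was not distributed with this
+* file, you can obtain one at https://mozilla.org/MPL/2.0/.
+*
+* See the COPYRIGHT file distributed with this work for additional
+* information regarding copyright ownership.
+*/
+
+dnssec-policy "bad-sigrefresh" {
+keys {
+csk lifetime unlimited algorithm 13;
+};
+
+signatures-validity P10D;
+signatures-validity-dnskey P20D;
+signatures-refresh P9DT1S;
+};
+
+dnssec-policy "bad-sigrefresh-dnskey" {
+keys {
+csk lifetime unlimited algorithm 13;
+};
+
+signatures-validity P20D;
+signatures-validity-dnskey P10D;
+signatures-refresh P9DT1S;
+};
+
+zone "sigrefresh.example.net" {
+type primary;
+file "sigrefresh.example.db";
+dnssec-policy "bad-sigrefresh";
+};
+
+zone "dnskey.example.net" {
+type primary;
+file "dnskey.example.db";
+dnssec-policy "bad-sigrefresh-dnskey";
+};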
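Review bot: The fixture only exercises the failing side of the 90% bound (P9DT1S against a P10D validity in both `bad-sigrefresh` and `bad-sigrefresh-dnskey`); nothing here pins that exactly 90% (P9D) is still accepted, which is what "at most" in the checkconf message promises. A companion good policy with `signatures-refresh P9D;` under the same validity values would fix the boundary as inclusive rather than leaving it to the implementation. The two policies also use identical key and refresh settings and differ only in which of the two validity values is the lower one, so a one-line comment on each, e.g. `/* refresh exceeds 90% of signatures-validity */` and `/* refresh exceeds 90% of signatures-validity-dnskey */`, would make the intent of each case readable without consulting the test script.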
@@ -528,6 +528,17 @@ grep "dnssec-policy: key with algorithm rsasha1 has invalid key length 511" < ch
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo_i "checking named-checkconf kasp signatures refresh errors ($n)"
|
||||
ret=0
|
||||
$CHECKCONF kasp-bad-signatures-refresh.conf > checkconf.out$n 2>&1 && ret=1
|
||||
grep "dnssec-policy: policy 'bad-sigrefresh' signatures-refresh must be at most 90% of the signatures-validity" < checkconf.out$n > /dev/null || ret=1
|
||||
grep "dnssec-policy: policy 'bad-sigrefresh-dnskey' signatures-refresh must be at most 90% of the signatures-validity-dnskey" < checkconf.out$n > /dev/null || ret=1
|
||||
lines=$(wc -l < "checkconf.out$n")
|
||||
if [ $lines != 2 ]; then ret=1; fi
|
||||
if [ $ret != 0 ]; then echo_i "failed"; fi
|
||||
status=`expr $status + $ret`
|
||||
|
||||
n=`expr $n + 1`
|
||||
echo_i "checking named-checkconf kasp predefined key length ($n)"
|
||||
ret=0
|
||||
|
||||