Test migrating CSK to dnssec-policy
Add a test case for migrating a CSK to dnssec-policy. The keymgr has no way of telling that the key is used as a CSK, but if there is only one key to migrate it will assume that key must be a CSK.
@@ -43,6 +43,14 @@ zone "migrate.kasp" {
|
||||
update-check-ksk yes;
|
||||
};
|
||||
|
||||
zone "csk.kasp" {
|
||||
type primary;
|
||||
file "csk.kasp.db";
|
||||
auto-dnssec maintain;
|
||||
allow-update { any; };
|
||||
dnssec-dnskey-kskonly no;
|
||||
};
|
||||
|
||||
zone "rumoured.kasp" {
|
||||
type primary;
|
||||
file "rumoured.kasp.db";
|
||||
|
||||
@@ -42,6 +42,13 @@ zone "migrate.kasp" {
|
||||
dnssec-policy "migrate";
|
||||
};
|
||||
|
||||
zone "csk.kasp" {
|
||||
type primary;
|
||||
file "csk.kasp.db";
|
||||
allow-update { any; };
|
||||
dnssec-policy "default";
|
||||
};
|
||||
|
||||
zone "rumoured.kasp" {
|
||||
type primary;
|
||||
file "rumoured.kasp.db";
|
||||
|
||||
@@ -39,6 +39,17 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
|
||||
|
||||
# Set up a Single-Type Signing Scheme zone with auto-dnssec maintain to
|
||||
# migrate to dnssec-policy. This is a zone that has 'update-check-ksk no;'
|
||||
# configured, meaning the zone is signed with a single CSK.
|
||||
setup csk.kasp
|
||||
echo "$zone" >> zones
|
||||
csktimes="-P now -A now -P sync now"
|
||||
CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $csktimes $zone 2> keygen.out.$zone.1)
|
||||
cat template.db.in "${CSK}.key" > "$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
|
||||
$SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
|
||||
|
||||
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
|
||||
# time the existing keys do not match the policy. The existing keys are
|
||||
# RSASHA1 keys, and will be migrated to a dnssec-policy that dictates
|
||||
|
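Review bot: The comment above the csk.kasp setup says the zone has 'update-check-ksk no;' configured, but the ns3 named.conf hunk for the same zone sets `dnssec-dnskey-kskonly no;` and does not mention update-check-ksk, so the comment and the configuration disagree; either reword the comment to name the option actually set, e.g. `# configured with 'dnssec-dnskey-kskonly no;', meaning the zone is signed with a single CSK.`, or configure the option the comment describes. On the pre-migration side the single key is generated with `-f KSK` and the zone is signed with `$SIGNER -z`, which is what lets one KSK-flagged key sign everything; a one-line comment on the $KEYGEN line stating that intent would help the next reader. `$zone`, `$infile` and `$zonefile` appear to be set by `setup` outside this hunk.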
||||
@@ -143,6 +143,47 @@ dnssec_verify
|
||||
_migrate_ksk=$(key_get KEY1 ID)
|
||||
_migrate_zsk=$(key_get KEY2 ID)
|
||||
|
||||
#
|
||||
# Testing a good migration (CSK).
|
||||
#
|
||||
set_zone "csk.kasp"
|
||||
set_policy "none" "1" "7200"
|
||||
set_server "ns3" "10.53.0.3"
|
||||
|
||||
key_clear "KEY1"
|
||||
key_set "KEY1" "LEGACY" "yes"
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keylifetime "KEY1" "none"
|
||||
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "yes"
|
||||
|
||||
set_keystate "KEY1" "GOAL" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
|
||||
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
|
||||
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
|
||||
set_keystate "KEY1" "STATE_DS" "rumoured"
|
||||
|
||||
key_clear "KEY2"
|
||||
key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
|
||||
# Make sure the zone is signed with legacy key.
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
# The key is immediately published and activated.
|
||||
_created=$(key_get KEY1 CREATED)
|
||||
set_keytime "KEY1" "PUBLISHED" "${_created}"
|
||||
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
|
||||
set_keytime "KEY1" "ACTIVE" "${_created}"
|
||||
|
||||
check_keytimes
|
||||
check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
# Remember legacy key tags.
|
||||
_migrate_csk=$(key_get KEY1 ID)
|
||||
|
||||
#
|
||||
# Testing key states derived from key timing metadata (rumoured).
|
||||
#
|
||||
@@ -370,6 +411,56 @@ ret=0
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
#
|
||||
# Testing a good migration (CSK).
|
||||
#
|
||||
set_zone "csk.kasp"
|
||||
set_policy "default" "1" "7200"
|
||||
set_server "ns3" "10.53.0.3"
|
||||
|
||||
key_clear "KEY1"
|
||||
key_set "KEY1" "LEGACY" "no"
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "yes"
|
||||
|
||||
set_keystate "KEY1" "GOAL" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
|
||||
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
|
||||
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
|
||||
set_keystate "KEY1" "STATE_DS" "rumoured"
|
||||
|
||||
key_clear "KEY2"
|
||||
key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
|
||||
# Various signing policy checks.
|
||||
check_keys
|
||||
wait_for_done_signing
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
|
||||
# The key was immediately published and activated.
|
||||
_created=$(key_get KEY1 CREATED)
|
||||
set_keytime "KEY1" "PUBLISHED" "${_created}"
|
||||
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
|
||||
set_keytime "KEY1" "ACTIVE" "${_created}"
|
||||
|
||||
# Continue signing policy checks.
|
||||
check_keytimes
|
||||
check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
# Check key tags, should be the same.
|
||||
n=$((n+1))
|
||||
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
|
||||
ret=0
|
||||
[ $_migrate_csk = $(key_get KEY1 ID) ] || log_error "mismatch csk tag"
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
#
|
||||
# Test migration to dnssec-policy, existing keys do not match key algorithm.
|
||||
#
|
||||
|
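Review bot: The tag comparison `[ $_migrate_csk = $(key_get KEY1 ID) ]` expands both sides unquoted, so an empty or unexpected value produces a malformed test instead of a clean mismatch, and if both sides are empty `[ = ]` evaluates true and the check passes silently; quote both sides, `[ "$_migrate_csk" = "$(key_get KEY1 ID)" ] || log_error "mismatch csk tag"`, and consider asserting `[ -n "$_migrate_csk" ]` before comparing. The echo_i text `check that of zone ${ZONE} migration to dnssec-policy uses the same key` reads awkwardly; `check that migration of zone ${ZONE} to dnssec-policy uses the same key` says the same thing. This block mirrors the KSK/ZSK migration check earlier in the file, which presumably carries the same unquoted comparison outside this hunk and should get the same treatment.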
||||