Update dnssec system test
The dnssec system test has some tests that use auto-dnssec. Update these tests to use dnssec-policy instead. Remove any 'rndc signing -nsec3param' commands, because with dnssec-policy the NSEC3 parameters are set in the configuration. Remove the now-duplicate tests that checked whether the CDS and CDNSKEY RRsets are signed with the KSK only (the dnssec-dnskey-kskonly option only worked in combination with auto-dnssec). Also remove the publish-inactive.example test case, because that use case is no longer supported (only with manual signing). The auto-nsec and auto-nsec3 zones need to use an alternative algorithm, because duplicate key lines in a dnssec-policy 'keys' block are ignored.
@@ -1,14 +0,0 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; SPDX-License-Identifier: MPL-2.0
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 3600
|
||||
@ SOA ns2.example. . 1 3600 1200 86400 1200
|
||||
@ NS ns2.example.
|
||||
@@ -1,14 +0,0 @@
|
||||
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||||
;
|
||||
; SPDX-License-Identifier: MPL-2.0
|
||||
;
|
||||
; This Source Code Form is subject to the terms of the Mozilla Public
|
||||
; License, v. 2.0. If a copy of the MPL was not distributed with this
|
||||
; file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||||
;
|
||||
; See the COPYRIGHT file distributed with this work for additional
|
||||
; information regarding copyright ownership.
|
||||
|
||||
$TTL 3600
|
||||
@ SOA ns2.example. . 1 3600 1200 86400 1200
|
||||
@ NS ns2.example.
|
||||
@@ -37,6 +37,35 @@ controls {
|
||||
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
};
|
||||
|
||||
dnssec-policy "dnssec" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
};
|
||||
|
||||
dnssec-policy "kskonly" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
signatures-validity 10d;
|
||||
signatures-validity-dnskey 40d;
|
||||
};
|
||||
|
||||
dnssec-policy "not-enough-hours-in-day" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
/* validity 500 days, resign in 449 days */
|
||||
signatures-validity-dnskey 500d;
|
||||
signatures-validity 500d;
|
||||
signatures-refresh 449d;
|
||||
};
|
||||
|
||||
zone "." {
|
||||
type hint;
|
||||
file "../../common/root.hint";
|
||||
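Review bot: The comment on `not-enough-hours-in-day`, `/* validity 500 days, resign in 449 days */`, reads as if re-signing happens 449 days after signing, but as far as I recall `signatures-refresh` in dnssec-policy is measured back from the signature's expiry, so with a 500-day validity it re-signs when 449 days remain, i.e. roughly 51 days after signing — please confirm and reword, e.g. `/* validity 500 days, refresh when 449 days remain (~51 days after signing) */`. The zone comment this replaces said "resign in 499 days" for `sig-validity-interval 500 499`, so the number presumably dropped to 449 to satisfy a refresh-to-validity ratio check in the policy parser; a half-line saying why 449 rather than 499 would spare the next reader a trip to the checker. The `dnssec` and `kskonly` policies have byte-identical `keys` blocks and differ only in the 10d/40d validity values; a comment on `kskonly` noting that it just carries over the old `sig-validity-interval 10` / `dnskey-sig-validity 40` of `updatecheck-kskonly.secure` would make the name less misleading, since per the commit message every dnssec-policy already signs CDS/CDNSKEY with the KSK only.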
@@ -119,23 +148,14 @@ zone "cds-x.secure" {
|
||||
|
||||
zone "cds-update.secure" {
|
||||
type primary;
|
||||
dnssec-dnskey-kskonly no;
|
||||
file "cds-update.secure.db.signed";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "cds-kskonly.secure" {
|
||||
type primary;
|
||||
dnssec-dnskey-kskonly yes;
|
||||
file "cds-kskonly.secure.db.signed";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "cds-auto.secure" {
|
||||
type primary;
|
||||
dnssec-dnskey-kskonly no;
|
||||
file "cds-auto.secure.db.signed";
|
||||
auto-dnssec maintain;
|
||||
dnssec-policy dnssec;
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
@@ -151,35 +171,21 @@ zone "cdnskey-x.secure" {
|
||||
|
||||
zone "cdnskey-update.secure" {
|
||||
type primary;
|
||||
dnssec-dnskey-kskonly no;
|
||||
file "cdnskey-update.secure.db.signed";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "cdnskey-kskonly.secure" {
|
||||
type primary;
|
||||
dnssec-dnskey-kskonly yes;
|
||||
file "cdnskey-kskonly.secure.db.signed";
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "cdnskey-auto.secure" {
|
||||
type primary;
|
||||
dnssec-dnskey-kskonly no;
|
||||
file "cdnskey-auto.secure.db.signed";
|
||||
auto-dnssec maintain;
|
||||
dnssec-policy dnssec;
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
zone "updatecheck-kskonly.secure" {
|
||||
type primary;
|
||||
auto-dnssec maintain;
|
||||
key-directory ".";
|
||||
dnssec-dnskey-kskonly yes;
|
||||
update-check-ksk yes;
|
||||
sig-validity-interval 10;
|
||||
dnskey-sig-validity 40;
|
||||
file "updatecheck-kskonly.secure.db.signed";
|
||||
dnssec-policy kskonly;
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
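Review bot: `updatecheck-kskonly.secure` drops `auto-dnssec`, `dnssec-dnskey-kskonly`, `sig-validity-interval` and `dnskey-sig-validity` but keeps `update-check-ksk yes;` alongside the new `dnssec-policy kskonly;`. With dnssec-policy the KSK/ZSK role split comes from the policy's `keys` block, so the option looks redundant at best; if this tree's config checker lists `update-check-ksk` among the options that cannot be combined with `dnssec-policy` (I have not verified that here), `named-checkconf` will reject the file. Either drop the line or add a comment such as `/* update-check-ksk kept on purpose: exercises the legacy option next to dnssec-policy */` so the reader knows it survived deliberately. The zone also keeps `key-directory ".";` while `cds-auto.secure` and `cdnskey-auto.secure` rely on the default; harmless, but worth aligning one way or the other.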
@@ -191,9 +197,7 @@ zone "corp" {
|
||||
zone "hours-vs-days" {
|
||||
type primary;
|
||||
file "hours-vs-days.db.signed";
|
||||
auto-dnssec maintain;
|
||||
/* validity 500 days, resign in 499 days */
|
||||
sig-validity-interval 500 499;
|
||||
dnssec-policy not-enough-hours-in-day;
|
||||
allow-update { any; };
|
||||
};
|
||||
|
||||
|
||||
@@ -233,15 +233,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
|
||||
zone=cds-kskonly.secure
|
||||
infile=cds-kskonly.secure.db.in
|
||||
zonefile=cds-kskonly.secure.db
|
||||
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
keyfile_to_key_id "$key1" > cds-kskonly.secure.id
|
||||
keyfile_to_key_id "$key1" > cds-update.secure.id
|
||||
|
||||
zone=cds-auto.secure
|
||||
infile=cds-auto.secure.db.in
|
||||
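Review bot: `keyfile_to_key_id "$key1" > cds-update.secure.id` now sits directly after the preceding zone's `"$SIGNER"` call instead of after the removed cds-kskonly.secure key generation, so the id it records silently changes from the cds-kskonly KSK to whatever `$key1` holds from the block above (only its tail is visible, starting at the `@@` context line). That is probably the value cds-update.secure should have had all along, but it now relies on variable reuse across zone blocks; making it explicit, e.g. `keyfile_to_key_id "$key1" > "$zone.id"` placed inside that zone's block right after its `"$SIGNER"` line, keeps a future reordering from pointing the test at the wrong key. Please also confirm that the check in tests.sh that reads `cds-update.secure.id` expects the cds-update KSK rather than the removed zone's key.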
@@ -277,15 +269,7 @@ key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
|
||||
zone=cdnskey-kskonly.secure
|
||||
infile=cdnskey-kskonly.secure.db.in
|
||||
zonefile=cdnskey-kskonly.secure.db
|
||||
key1=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone -f KSK "$zone")
|
||||
key2=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -n zone "$zone")
|
||||
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
|
||||
"$SIGNER" -g -o "$zone" "$zonefile" > /dev/null 2>&1
|
||||
keyfile_to_key_id "$key1" > cdnskey-kskonly.secure.id
|
||||
keyfile_to_key_id "$key1" > cdnskey-update.secure.id
|
||||
|
||||
zone=cdnskey-auto.secure
|
||||
infile=cdnskey-auto.secure.db.in
|
||||
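Review bot: Same concern as for the CDS block: `keyfile_to_key_id "$key1" > cdnskey-update.secure.id` survives, but the `$key1` it reads is now the one set by the preceding zone's keygen (only visible as the `@@` context line) rather than the removed cdnskey-kskonly.secure KSK, so the recorded key id changes. If that zone is cdnskey-update.secure this is the correct id, but the dependency on a stale variable is implicit; moving the line into that zone's block as `keyfile_to_key_id "$key1" > "$zone.id"` right after its `"$SIGNER"` call makes the intent visible and survives reordering. Worth confirming that the tests.sh consumer of `cdnskey-update.secure.id` expects the cdnskey-update KSK.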
@@ -305,11 +289,11 @@ keyfile_to_key_id "$key1" > $zone.ksk.id
|
||||
keyfile_to_key_id "$key2" > $zone.zsk.id
|
||||
echo "${key1}" > $zone.ksk.key
|
||||
echo "${key2}" > $zone.zsk.key
|
||||
# Add CDS and CDNSKEY records
|
||||
sed 's/DNSKEY/CDNSKEY/' "$key1.key" > "$key1.cdnskey"
|
||||
"$DSFROMKEY" -C "$key1.key" > "$key1.cds"
|
||||
cat "$infile" "$key1.key" "$key2.key" "$key1.cdnskey" "$key1.cds" > "$zonefile"
|
||||
# Don't sign, let auto-dnssec maintain do it.
|
||||
# Make sure dnssec-policy adds CDS and CDNSKEY records
|
||||
$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -r OMNIPRESENT now -d RUMOURED now $key1 > settime.out.$zone.ksk 2>&1
|
||||
$SETTIME -s -g OMNIPRESENT -k OMNIPRESENT now -z OMNIPRESENT now $key2 > settime.out.$zone.zsk 2>&1
|
||||
# Don't sign, let dnssec-policy maintain do it.
|
||||
cat "$infile" "$key1.key" "$key2.key" > "$zonefile"
|
||||
mv $zonefile "$zonefile.signed"
|
||||
|
||||
zone=hours-vs-days
|
||||
|
||||
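Review bot: The two `$SETTIME` lines set every state to OMNIPRESENT except the KSK's DS state, which is RUMOURED (`-d RUMOURED now`), and nothing says why; since the surrounding comment says the point is that the policy adds CDS and CDNSKEY records, a why-comment such as `# KSK DS state RUMOURED (not OMNIPRESENT) so the policy still publishes CDS/CDNSKEY for it` would help — that reading is inferred from the comment, so confirm it before committing to it. `# Don't sign, let dnssec-policy maintain do it.` is leftover `auto-dnssec maintain` wording; `# Don't sign, let dnssec-policy do it.` is enough. The new lines pass `$key1`, `$key2` and `settime.out.$zone.ksk` unquoted while the `cat` line beneath quotes every argument; the key names cannot contain whitespace, but quoting them keeps the file uniform and shellcheck quiet. The settime exit status is discarded like the `"$SIGNER"` calls elsewhere in this file, so a failure only shows up later as missing key states; at least the stderr redirect into `settime.out.$zone.ksk` makes that diagnosable, which is worth keeping.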