Update dnssec system test
The dnssec system test has some tests that use auto-dnssec. Update these tests to make use of dnssec-policy. Remove any 'rndc signing -nsec3param' commands because with dnssec-policy you set the NSEC3 parameters in the configuration. Remove the now-duplicate tests that checked whether CDS and CDNSKEY RRsets are signed with the KSK only (the dnssec-dnskey-kskonly option worked in combination with auto-dnssec). Also remove the publish-inactive.example test case because such use cases are no longer supported (only with manual signing). The auto-nsec and auto-nsec3 zones need to use an alternative algorithm because duplicate lines in dnssec-policy/keys are ignored.
@@ -37,6 +37,42 @@ controls {
|
||||
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
|
||||
};
|
||||
|
||||
dnssec-policy "dnssec" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
};
|
||||
|
||||
dnssec-policy "nsec3" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
nsec3param iterations 0 optout no salt-length 0;
|
||||
};
|
||||
|
||||
dnssec-policy "autonsec" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
ksk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
|
||||
};
|
||||
};
|
||||
|
||||
dnssec-policy "autonsec3" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
ksk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @ALTERNATIVE_ALGORITHM@;
|
||||
};
|
||||
|
||||
nsec3param iterations 0 optout no salt-length 0;
|
||||
};
|
||||
|
||||
zone "." {
|
||||
type hint;
|
||||
file "../../common/root.hint";
|
||||
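Review bot: The four-line keys blocks in policies "autonsec" and "autonsec3" read like an accidental copy-paste, because nothing in named.conf says why a second algorithm is listed; the reason is only in the commit message. A short comment above each of those keys blocks would prevent someone "cleaning it up" later, e.g. `// Two algorithms on purpose: a dnssec-policy ignores duplicate key lines, so the` / `// extra keys this test adds to the key directory must use @ALTERNATIVE_ALGORITHM@.` It is presumably also intended that, with two algorithms in the policy, named produces signatures of both algorithms for every RRset and therefore fully re-signs a zone that was initially signed with only the default algorithm; if that is what the test observes, the same comment is the place to say so. The remaining policies in this hunk ("dnssec", "nsec3") differ only in the `nsec3param` line, which is fine, but the `lifetime unlimited` on every key means no rollover is ever scheduled, which should be the expectation in tests.sh as well.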
@@ -209,21 +245,21 @@ zone "expired.example" {
|
||||
|
||||
zone "update-nsec3.example" {
|
||||
type primary;
|
||||
auto-dnssec maintain;
|
||||
dnssec-policy nsec3;
|
||||
allow-update { any; };
|
||||
file "update-nsec3.example.db.signed";
|
||||
};
|
||||
|
||||
zone "auto-nsec.example" {
|
||||
type primary;
|
||||
auto-dnssec maintain;
|
||||
dnssec-policy autonsec;
|
||||
allow-update { !0.0.0.0; };
|
||||
file "auto-nsec.example.db.signed";
|
||||
};
|
||||
|
||||
zone "auto-nsec3.example" {
|
||||
type primary;
|
||||
auto-dnssec maintain;
|
||||
dnssec-policy autonsec3;
|
||||
allow-update { !0.0.0.0; };
|
||||
file "auto-nsec3.example.db.signed";
|
||||
};
|
||||
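Review bot: "update-nsec3.example" and "auto-nsec3.example" now get their NSEC3 parameters from the policy line `nsec3param iterations 0 optout no salt-length 0;` rather than from the `rndc signing -nsec3param` calls the commit removes, so any assertion in tests.sh that matched the NSEC3PARAM record produced by the old rndc invocation (salt value, iteration count, opt-out flag) must now expect iterations 0, no opt-out and an empty salt. tests.sh is not in view, so please confirm the expected NSEC3PARAM string was updated alongside this configuration. Zero iterations and no salt also match current operational guidance, so it is worth keeping these values rather than reintroducing a salt to mimic the old test.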
@@ -286,15 +322,7 @@ zone "inline.example" {
|
||||
type primary;
|
||||
file "inline.example.db";
|
||||
inline-signing yes;
|
||||
auto-dnssec maintain;
|
||||
};
|
||||
|
||||
zone "publish-inactive.example" {
|
||||
type primary;
|
||||
file "publish-inactive.example.db";
|
||||
auto-dnssec maintain;
|
||||
dnssec-dnskey-kskonly no;
|
||||
update-policy local;
|
||||
dnssec-policy dnssec;
|
||||
};
|
||||
|
||||
zone "future.example" {
|
||||
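Review bot: Removing zone "publish-inactive.example" here and its key generation in setup.sh (the `@@ -569,20 +569,6 @@` hunk) leaves the zone's input file, referenced by the removed line `infile=publish-inactive.example.db.in`, and whatever tests.sh steps queried that zone without a consumer; neither is visible in this commit, so if they were not deleted in the same change they become orphaned fixtures. Please confirm `publish-inactive.example.db.in` and the matching tests.sh cases were removed too. Note that "inline.example" in this hunk keeps `inline-signing yes;` while gaining `dnssec-policy dnssec;`, which is a valid combination, but the test now exercises policy-driven inline signing rather than auto-dnssec, so the test name or a comment should reflect that.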
@@ -389,6 +417,28 @@ zone "rsasha1-1024.example" {
|
||||
file "rsasha1-1024.example.db";
|
||||
};
|
||||
|
||||
dnssec-policy "siginterval1" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
signatures-validity 1d;
|
||||
signatures-refresh 21h;
|
||||
signatures-validity-dnskey 90d;
|
||||
};
|
||||
|
||||
dnssec-policy "siginterval2" {
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
signatures-validity 35d;
|
||||
signatures-refresh 28d;
|
||||
signatures-validity-dnskey 90d;
|
||||
};
|
||||
|
||||
include "siginterval.conf";
|
||||
|
||||
include "trusted.conf";
|
||||
|
||||
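Review bot: Policy "siginterval1" sets `signatures-validity 1d;` and `signatures-refresh 21h;`, whereas the `sig-validity-interval 1 23;` it replaces (in the two siginterval conf hunks below) re-signed when 23 hours of validity remained; the refresh window therefore changes from 23h to 21h. As far as I know named rejects a `signatures-refresh` greater than 90% of `signatures-validity`, which is presumably why 21h (87.5%) was chosen, but that is not obvious to a reader of this file. Add a comment on the line, e.g. `signatures-refresh 21h; // must stay <= 90% of signatures-validity; replaces sig-validity-interval 1 23`, and if any tests.sh timing check still assumes the old 1-hour re-sign point, adjust it to 3 hours. "siginterval2" (35d/28d, 80%) maps 1:1 to the removed `sig-validity-interval 35 28;` and needs no change.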
@@ -14,8 +14,6 @@
|
||||
zone "siginterval.example" {
|
||||
type primary;
|
||||
allow-update { any; };
|
||||
sig-validity-interval 1 23;
|
||||
dnskey-sig-validity 90;
|
||||
auto-dnssec maintain;
|
||||
dnssec-policy siginterval1;
|
||||
file "siginterval.example.db";
|
||||
};
|
||||
|
||||
@@ -14,8 +14,6 @@
|
||||
zone "siginterval.example" {
|
||||
type primary;
|
||||
allow-update { any; };
|
||||
sig-validity-interval 35 28;
|
||||
dnskey-sig-validity 90;
|
||||
auto-dnssec maintain;
|
||||
dnssec-policy siginterval2;
|
||||
file "siginterval.example.db";
|
||||
};
|
||||
|
||||
@@ -419,7 +419,7 @@ cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
|
||||
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# A NSEC signed zone that will have auto-dnssec enabled and
|
||||
# A NSEC signed zone that will have dnssec-policy enabled and
|
||||
# extra keys not in the initial signed zone.
|
||||
#
|
||||
zone=auto-nsec.example.
|
||||
@@ -428,13 +428,13 @@ zonefile=auto-nsec.example.db
|
||||
|
||||
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
|
||||
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
|
||||
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
|
||||
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
|
||||
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null
|
||||
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" > /dev/null
|
||||
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
|
||||
"$SIGNER" -P -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# A NSEC3 signed zone that will have auto-dnssec enabled and
|
||||
# A NSEC3 signed zone that will have dnssec-policy enabled and
|
||||
# extra keys not in the initial signed zone.
|
||||
#
|
||||
zone=auto-nsec3.example.
|
||||
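Review bot: The two added `"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" ... > /dev/null` lines for auto-nsec.example create keys of a second algorithm, but the existing comment only says "extra keys not in the initial signed zone" and does not explain why the algorithm differs from the one the zone is signed with. Extend the comment block to `# The extra keys use ALTERNATIVE_ALGORITHM: the dnssec-policy "autonsec" lists` / `# one ksk/zsk per algorithm and ignores duplicate key lines, so a second key of` / `# the default algorithm would not be picked up.` The same applies to the auto-nsec3.example hunk below. Because the key names are discarded, any later check in tests.sh presumably finds these keys by globbing the key directory; if it instead needs the key ids, capture them in variables here rather than rediscovering them.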
@@ -443,8 +443,8 @@ zonefile=auto-nsec3.example.db
|
||||
|
||||
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
|
||||
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
|
||||
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
|
||||
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
|
||||
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null
|
||||
"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" "$zone" > /dev/null
|
||||
cat "$infile" "$kskname.key" "$zskname.key" > "$zonefile"
|
||||
"$SIGNER" -P -3 - -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
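Review bot: For auto-nsec3.example the default-algorithm keys are generated with `-3`, but the two added `ALTERNATIVE_ALGORITHM` invocations omit it: `"$KEYGEN" -q -a "$ALTERNATIVE_ALGORITHM" -b "$ALTERNATIVE_BITS" -fk "$zone" > /dev/null`. `-3` only changes the result for algorithms that have separate NSEC and NSEC3 variants, so with the algorithms the test suite currently substitutes this is likely harmless, but if `ALTERNATIVE_ALGORITHM` ever resolved to such an algorithm the extra keys would not be NSEC3-capable and the policy "autonsec3" could not sign the zone with them. Pass `-3` on both added lines so the key generation is consistent with the `kskname`/`zskname` lines above it.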
@@ -569,20 +569,6 @@ zone=inline.example.
|
||||
kskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -fk "$zone")
|
||||
zskname=$("$KEYGEN" -q -3 -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
|
||||
|
||||
#
|
||||
# publish a new key while deactivating another key at the same time.
|
||||
#
|
||||
zone=publish-inactive.example
|
||||
infile=publish-inactive.example.db.in
|
||||
zonefile=publish-inactive.example.db
|
||||
now=$(date -u +%Y%m%d%H%M%S)
|
||||
kskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
|
||||
kskname=$("$KEYGEN" -P "$now+90s" -A "$now+3600s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
|
||||
kskname=$("$KEYGEN" -I "$now+90s" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" -f KSK "$zone")
|
||||
zskname=$("$KEYGEN" -q -a "$DEFAULT_ALGORITHM" -b "$DEFAULT_BITS" "$zone")
|
||||
cp "$infile" "$zonefile"
|
||||
"$SIGNER" -S -o "$zone" "$zonefile" > /dev/null
|
||||
|
||||
#
|
||||
# A zone which will change its sig-validity-interval
|
||||
#
|
||||
|
||||