[master] dnssec-keymgr

4349.   [contrib]       kasp2policy: A python script to create a DNSSEC
                        policy file from an OpenDNSSEC KASP XML file.

4348.	[func]		dnssec-keymgr: A new python-based DNSSEC key
			management utility, which reads a policy definition
			file and can create or update DNSSEC keys as needed
			to ensure that a zone's keys match policy, roll over
			correctly on schedule, etc.  Thanks to Sebastian
			Castro for assistance in development. [RT #39211]

bin/python/isc/tests/test-policies/01-keysize.pol

@@ -0,0 +1,41 @@
+policy keysize_rsa {
+        algorithm rsasha1;
+        coverage 1y;
+        roll-period zsk 3mo;
+        pre-publish zsk 2w;
+        post-publish zsk 2w;
+        roll-period ksk 1y;
+        pre-publish ksk 1mo;
+        post-publish ksk 2mo;
+        keyttl 1h;
+        key-size ksk 2048;
+        key-size zsk 1024;
+};
+
+policy keysize_dsa {
+        algorithm dsa;
+        coverage 1y;
+        key-size ksk 2048;
+        key-size zsk 1024;
+};
+
+zone good_rsa.test {
+        policy keysize_rsa;
+};
+
+zone bad_rsa.test {
+        policy keysize_rsa;
+        key-size ksk 511;
+};
+
+zone good_dsa.test {
+        policy keysize_dsa;
+        key-size ksk 1024;
+        key-size zsk 768;
+};
+
+zone bad_dsa.test {
+        policy keysize_dsa;
+        key-size ksk 1024;
+        key-size zsk 769;
+};

bin/python/isc/tests/test-policies/02-prepublish.pol

@@ -0,0 +1,31 @@
+policy prepublish_rsa {
+        algorithm rsasha1;
+        coverage 1y;
+        roll-period zsk 3mo;
+        pre-publish zsk 2w;
+        post-publish zsk 2w;
+        roll-period ksk 1y;
+        pre-publish ksk 1mo;
+        post-publish ksk 2mo;
+        keyttl 1h;
+        key-size ksk 2048;
+        key-size zsk 1024;
+};
+
+// Policy that defines a pre-publish period lower than the rollover period
+zone good_prepublish.test {
+        policy prepublish_rsa;
+        coverage 6mo;
+        roll-period ksk 4mo;
+        pre-publish ksk 1mo;
+};
+
+// Policy that defines a pre-publish period equal to the rollover period
+zone bad_prepublish.test {
+        policy prepublish_rsa;
+        coverage 6mo;
+        roll-period ksk 4mo;
+        pre-publish ksk 4mo;
+};
+
+

bin/python/isc/tests/test-policies/03-postpublish.pol

@@ -0,0 +1,31 @@
+policy postpublish_rsa {
+        algorithm rsasha1;
+        coverage 1y;
+        roll-period zsk 3mo;
+        pre-publish zsk 2w;
+        post-publish zsk 2w;
+        roll-period ksk 1y;
+        pre-publish ksk 1mo;
+        post-publish ksk 2mo;
+        keyttl 1h;
+        key-size ksk 2048;
+        key-size zsk 1024;
+};
+
+// Policy that defines a post-publish period lower than the rollover period
+zone good_postpublish.test {
+        policy postpublish_rsa;
+        coverage 6mo;
+        roll-period ksk 4mo;
+        pre-publish ksk 1mo;
+};
+
+// Policy that defines a post-publish period equal to the rollover period
+zone bad_postpublish.test {
+        policy postpublish_rsa;
+        coverage 6mo;
+        roll-period ksk 4mo;
+        pre-publish ksk 4mo;
+};
+
+

bin/python/isc/tests/test-policies/04-combined-pre-post.pol

@@ -0,0 +1,55 @@
+policy combined_pre_post_rsa {
+        algorithm rsasha1;
+        coverage 1y;
+        roll-period zsk 3mo;
+        pre-publish zsk 2w;
+        post-publish zsk 2w;
+        roll-period ksk 1y;
+        pre-publish ksk 1mo;
+        post-publish ksk 2mo;
+        keyttl 1h;
+        key-size ksk 2048;
+        key-size zsk 1024;
+};
+
+// Policy that defines a combined pre-publish and post-publish period lower
+// than the rollover period
+zone good_combined_pre_post_ksk.test {
+        policy combined_pre_post_rsa;
+        coverage 6mo;
+        roll-period ksk 4mo;
+        pre-publish ksk 1mo;
+        post-publish ksk 1mo;
+};
+
+// Policy that defines a combined pre-publish and post-publish period higher
+// than the rollover period
+zone bad_combined_pre_post_ksk.test {
+        policy combined_pre_post_rsa;
+        coverage 6mo;
+        roll-period ksk 4mo;
+        pre-publish ksk 2mo;
+        post-publish ksk 2mo;
+};
+
+// Policy that defines a combined pre-publish and post-publish period lower
+// than the rollover period
+zone good_combined_pre_post_zsk.test {
+        policy combined_pre_post_rsa;
+        coverage 1y;
+        roll-period zsk 3mo;
+        pre-publish zsk 1mo;
+        post-publish zsk 1mo;
+};
+
+// Policy that defines a combined pre-publish and post-publish period higher
+// than the rollover period
+zone bad_combined_pre_post_zsk.test {
+        policy combined_pre_post_rsa;
+        coverage 1y;
+        roll-period zsk 3mo;
+        pre-publish zsk 2mo;
+        post-publish zsk 2mo;
+};
+
+