From 91a686c031c492050f3339c6b85591185d46367c Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 30 Sep 2020 09:53:19 +0200 Subject: [PATCH 1/7] Add kasp tests for Ed25519 and Ed448 Use the testcrypto script to see if these algorithms are supported by openssl. If so, add the specific configuration to the named.conf file and touch a file to indicate support. If the file exists, the corresponding setup and tests are performed. (cherry picked from commit 7be1835795d4c0710a8e61dd7775d7e10d0aa877) --- bin/tests/system/kasp/clean.sh | 1 + bin/tests/system/kasp/ns3/ed25519.conf | 15 +++++++++ bin/tests/system/kasp/ns3/ed448.conf | 15 +++++++++ bin/tests/system/kasp/ns3/setup.sh | 12 +++++++ bin/tests/system/kasp/setup.sh | 8 +++++ bin/tests/system/kasp/tests.sh | 44 +++++++++++++++++++++++++- 6 files changed, 94 insertions(+), 1 deletion(-) create mode 100644 bin/tests/system/kasp/ns3/ed25519.conf create mode 100644 bin/tests/system/kasp/ns3/ed448.conf diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh index 7ab6c79130..ce556893bd 100644 --- a/bin/tests/system/kasp/clean.sh +++ b/bin/tests/system/kasp/clean.sh @@ -26,3 +26,4 @@ rm -f ns*/zones ns*/*.db.infile rm -f *.created published.test* retired.test* rm -f rndc.dnssec.*.out.* rm -f python.out.* +rm -f *-supported.file diff --git a/bin/tests/system/kasp/ns3/ed25519.conf b/bin/tests/system/kasp/ns3/ed25519.conf new file mode 100644 index 0000000000..89380e14cd --- /dev/null +++ b/bin/tests/system/kasp/ns3/ed25519.conf @@ -0,0 +1,15 @@ +dnssec-policy "ed25519" { + dnskey-ttl 1234; + + keys { + ksk key-directory lifetime P10Y algorithm 15; + zsk key-directory lifetime P5Y algorithm 15; + zsk key-directory lifetime P1Y algorithm 15 256; + }; +}; + +zone "ed25519.kasp" { + type primary; + file "ed25519.kasp.db"; + dnssec-policy "ed25519"; +}; diff --git a/bin/tests/system/kasp/ns3/ed448.conf b/bin/tests/system/kasp/ns3/ed448.conf new file mode 100644 index 0000000000..379f02c93a --- /dev/null +++ b/bin/tests/system/kasp/ns3/ed448.conf @@ -0,0 +1,15 @@ +dnssec-policy "ed448" { + dnskey-ttl 1234; + + keys { + ksk key-directory lifetime P10Y algorithm 16; + zsk key-directory lifetime P5Y algorithm 16; + zsk key-directory lifetime P1Y algorithm 16 456; + }; +}; + +zone "ed448.kasp" { + type primary; + file "ed448.kasp.db"; + dnssec-policy "ed448"; +}; diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index 09c63707c4..19be29fe82 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh @@ -59,6 +59,18 @@ do cp template.db.in "$zonefile" done +if [ -f ../ed25519-supported.file ]; then + setup "ed25519.kasp" + cp template.db.in "$zonefile" + cat ed25519.conf >> named.conf +fi + +if [ -f ../ed448-supported.file ]; then + setup "ed448.kasp" + cp template.db.in "$zonefile" + cat ed448.conf >> named.conf +fi + # Set up zone that stays unsigned. zone="unsigned.kasp" echo_i "setting up zone: $zone" diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh index 0517f7a720..9c693bfde0 100644 --- a/bin/tests/system/kasp/setup.sh +++ b/bin/tests/system/kasp/setup.sh @@ -24,6 +24,14 @@ copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf +if $SHELL ../testcrypto.sh ed25519; then + echo "yes" > ed25519-supported.file +fi + +if $SHELL ../testcrypto.sh ed448; then + echo "yes" > ed448-supported.file +fi + # Setup zones ( cd ns2 diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 85fd360f42..796e6cd742 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -2042,7 +2042,49 @@ check_apex check_subdomain dnssec_verify -# TODO: ED25519 and ED448. +# +# Zone: ed25519.kasp. +# +if [ -f ed25519-supported.file ]; then + set_zone "ed25519.kasp" + set_policy "ed25519" "3" "1234" + set_server "ns3" "10.53.0.3" + # Key properties. + set_keyalgorithm "KEY1" "15" "ED25519" "256" + set_keyalgorithm "KEY2" "15" "ED25519" "256" + set_keyalgorithm "KEY3" "15" "ED25519" "256" + # Key timings and states same as above. + + check_keys + check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + set_keytimes_algorithm_policy + check_keytimes + check_apex + check_subdomain + dnssec_verify +fi + +# +# Zone: ed448.kasp. +# +if [ -f ed448-supported.file ]; then + set_zone "ed448.kasp" + set_policy "ed448" "3" "1234" + set_server "ns3" "10.53.0.3" + # Key properties. + set_keyalgorithm "KEY1" "16" "ED448" "456" + set_keyalgorithm "KEY2" "16" "ED448" "456" + set_keyalgorithm "KEY3" "16" "ED448" "456" + # Key timings and states same as above. + + check_keys + check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + set_keytimes_algorithm_policy + check_keytimes + check_apex + check_subdomain + dnssec_verify +fi # Set key times for 'autosign' policy. set_keytimes_autosign_policy() { From a63dad13da829900187c3c5bb05444fbca237dad Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 30 Sep 2020 09:57:45 +0200 Subject: [PATCH 2/7] Fix Ed25519 and Ed448 in dnssec-policy keymgr The kasp code had bad implicit size values for the cryptographic algorithms Ed25519 and Ed448. When creating keys they would never match the dnssec-policy, leading to new attempts to create keys. These algorithms were previously not yet added to the system tests, due to lack of availability on some systems. (cherry picked from commit 0e207392ec61ae7d215bcf58ad9e1a510a971aba) --- lib/dns/kasp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c index 28f908c653..fb945ddbbf 100644 --- a/lib/dns/kasp.c +++ b/lib/dns/kasp.c @@ -414,10 +414,10 @@ dns_kasp_key_size(dns_kasp_key_t *key) { size = 384; break; case DNS_KEYALG_ED25519: - size = 32; + size = 256; break; case DNS_KEYALG_ED448: - size = 57; + size = 456; break; default: /* unsupported */ From 795139a60c9db7a0184dbc23b365cd0d3acdb3f4 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 30 Sep 2020 10:03:43 +0200 Subject: [PATCH 3/7] Add change and note for #2171 This is a bug that needs to be noted. (cherry picked from commit d6d41e96a30cd82fe7fef01bd92b20ef83c0487d) --- CHANGES | 3 +++ doc/notes/notes-current.rst | 4 ++++ 2 files changed, 7 insertions(+) diff --git a/CHANGES b/CHANGES index e31b82669b..d225a965e7 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5514. [bug] Fix KASP expected key size for Ed25519 and Ed448. + [GL #2171] + 5513. [doc] The ARM section describing the "rrset-order" statement was rewritten to make it unambiguous and up-to-date with the source code. [GL #2139] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 144ed226d3..8d52a8440b 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst @@ -53,3 +53,7 @@ Bug Fixes - `named` would exit with assertion failure REQUIRE(msg->state == (-1)) in message.c due to a possible data race. [GL #2124] + +- `named` would start continous rollovers for policies that algorithms + Ed25519 or Ed448 due to a mismatch in created key size and expected key size. + [GL #2171] From d31297c9f8b9ff331ef3c83889af6b96c6086de8 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 30 Sep 2020 10:04:27 +0200 Subject: [PATCH 4/7] Minor fix in kasp system test The 'wait_for_nsec' does not need to add TSIG because it calls 'dig_with_opts' and that already checks for TSIG. (cherry picked from commit 43c6806779eaf0b155e2e37357a2a639ed018404) --- bin/tests/system/kasp/tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 796e6cd742..501419aa81 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -610,7 +610,7 @@ dnssec_verify() # Wait for the zone to be signed. # The apex NSEC record indicates that it is signed. _wait_for_nsec() { - dig_with_opts "@${SERVER}" -y "$TSIG" "$ZONE" NSEC > "dig.out.nsec.test$n" || return 1 + dig_with_opts "@${SERVER}" "$ZONE" NSEC > "dig.out.nsec.test$n" || return 1 grep "NS SOA" "dig.out.nsec.test$n" > /dev/null || return 1 grep "${ZONE}\..*IN.*RRSIG" "dig.out.nsec.test$n" > /dev/null || return 1 return 0 From 0e07dbe263a8f86d5f70d9b21c8a08956cd81832 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 30 Sep 2020 10:06:37 +0200 Subject: [PATCH 5/7] Test migration to dnssec-policy with views This test case is unrelated to the fix for #2171 but was added to reproduce the problem. (cherry picked from commit 621093fe6943e49fa7c3fcd94bc95f33e4cbc51e) --- bin/tests/system/kasp/README | 3 + bin/tests/system/kasp/ns7/named.conf.in | 70 ++++++ bin/tests/system/kasp/ns7/named2.conf.in | 81 +++++++ bin/tests/system/kasp/ns7/setup.sh | 54 +++++ bin/tests/system/kasp/ns7/template.ext.db.in | 22 ++ bin/tests/system/kasp/ns7/template.int.db.in | 22 ++ bin/tests/system/kasp/setup.sh | 5 + bin/tests/system/kasp/tests.sh | 226 +++++++++++++++++++ util/copyrights | 1 + 9 files changed, 484 insertions(+) create mode 100644 bin/tests/system/kasp/ns7/named.conf.in create mode 100644 bin/tests/system/kasp/ns7/named2.conf.in create mode 100644 bin/tests/system/kasp/ns7/setup.sh create mode 100644 bin/tests/system/kasp/ns7/template.ext.db.in create mode 100644 bin/tests/system/kasp/ns7/template.int.db.in diff --git a/bin/tests/system/kasp/README b/bin/tests/system/kasp/README index 23a7c8da34..48d5132dce 100644 --- a/bin/tests/system/kasp/README +++ b/bin/tests/system/kasp/README @@ -13,3 +13,6 @@ ns3 is an authoritative server for the various test domains. ns4 and ns5 are authoritative servers for various test domains related to views. ns6 is an authoritative server that tests changes in dnssec-policy. + +ns7 is an authoritative server that tests a specific case where zones +using views migrate to dnssec-policy. diff --git a/bin/tests/system/kasp/ns7/named.conf.in b/bin/tests/system/kasp/ns7/named.conf.in new file mode 100644 index 0000000000..7a371218e5 --- /dev/null +++ b/bin/tests/system/kasp/ns7/named.conf.in @@ -0,0 +1,70 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS7 + +options { + query-source address 10.53.0.7; + notify-source 10.53.0.7; + transfer-source 10.53.0.7; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.7; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + key-directory "."; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +key "external" { + algorithm "hmac-sha1"; + secret "YPfMoAk6h+3iN8MDRQC004iSNHY="; +}; + +key "internal" { + algorithm "hmac-sha1"; + secret "4xILSZQnuO1UKubXHkYUsvBRPu8="; +}; + +view "ext" { + match-clients { key "external"; }; + + zone "view-rsasha256.kasp" { + type master; + file "view-rsasha256.kasp.ext.db"; + auto-dnssec maintain; + inline-signing yes; + dnssec-dnskey-kskonly yes; + update-check-ksk yes; + }; +}; + +view "int" { + match-clients { key "internal"; }; + + zone "view-rsasha256.kasp" { + type master; + file "view-rsasha256.kasp.int.db"; + auto-dnssec maintain; + inline-signing yes; + dnssec-dnskey-kskonly yes; + update-check-ksk yes; + }; +}; diff --git a/bin/tests/system/kasp/ns7/named2.conf.in b/bin/tests/system/kasp/ns7/named2.conf.in new file mode 100644 index 0000000000..5215b7388d --- /dev/null +++ b/bin/tests/system/kasp/ns7/named2.conf.in @@ -0,0 +1,81 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, You can obtain one at http://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +// NS7 + +options { + query-source address 10.53.0.7; + notify-source 10.53.0.7; + transfer-source 10.53.0.7; + port @PORT@; + pid-file "named.pid"; + listen-on { 10.53.0.7; }; + listen-on-v6 { none; }; + allow-transfer { any; }; + recursion no; + key-directory "."; +}; + +key rndc_key { + secret "1234abcd8765"; + algorithm hmac-sha256; +}; + +controls { + inet 10.53.0.7 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; +}; + +key "external" { + algorithm "hmac-sha1"; + secret "YPfMoAk6h+3iN8MDRQC004iSNHY="; +}; + +key "internal" { + algorithm "hmac-sha1"; + secret "4xILSZQnuO1UKubXHkYUsvBRPu8="; +}; + +dnssec-policy "rsasha256" { + keys { + zsk key-directory lifetime P3M algorithm 8 1024; + ksk key-directory lifetime P1Y algorithm 8 2048; + }; + + dnskey-ttl 6h; + publish-safety 1h; + retire-safety 1h; + + signatures-refresh 5d; + signatures-validity 14d; + signatures-validity-dnskey 14d; + + max-zone-ttl 1d; + zone-propagation-delay 300; + + parent-ds-ttl 86400; + parent-propagation-delay 3h; +}; + +view "external-view" { + zone "view-rsasha256.kasp" { + type master; + file "view-rsasha256.kasp.ext.db"; + dnssec-policy "rsasha256"; + }; +}; + +view "internal-view" { + zone "view-rsasha256.kasp" { + type master; + file "view-rsasha256.kasp.int.db"; + dnssec-policy "rsasha256"; + }; +}; diff --git a/bin/tests/system/kasp/ns7/setup.sh b/bin/tests/system/kasp/ns7/setup.sh new file mode 100644 index 0000000000..75f245b4d5 --- /dev/null +++ b/bin/tests/system/kasp/ns7/setup.sh @@ -0,0 +1,54 @@ +#!/bin/sh -e +# +# Copyright (C) Internet Systems Consortium, Inc. ("ISC") +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, you can obtain one at https://mozilla.org/MPL/2.0/. +# +# See the COPYRIGHT file distributed with this work for additional +# information regarding copyright ownership. + +# shellcheck source=conf.sh +. ../../conf.sh + +echo_i "ns7/setup.sh" + +private_type_record() { + _zone=$1 + _algorithm=$2 + _keyfile=$3 + + _id=$(keyfile_to_key_id "$_keyfile") + + printf "%s. 0 IN TYPE65534 %s 5 %02x%04x0000\n" "$_zone" "\\#" "$_algorithm" "$_id" +} + +# Make lines shorter by storing key states in environment variables. +H="HIDDEN" +R="RUMOURED" +O="OMNIPRESENT" +U="UNRETENTIVE" + +zone="view-rsasha256.kasp" +algo="RSASHA256" +num="8" +echo "$zone" >> zones + +# Set up zones in views with auto-dnssec maintain to migrate to dnssec-policy. +# The keys for these zones are in use long enough that they should start a +# rollover for the ZSK (P3M), but not long enough to initiate a KSK rollover (P1Y). +ksktimes="-P -186d -A -186d -P sync -186d" +zsktimes="-P -186d -A -186d" +KSK=$($KEYGEN -a $algo -L 21600 -b 2048 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a $algo -L 21600 -b 1024 $zsktimes $zone 2> keygen.out.$zone.2) + +echo_i "setting up zone $zone (external)" +view="ext" +zonefile="${zone}.${view}.db" +cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile" + +echo_i "setting up zone $zone (internal)" +view="int" +zonefile="${zone}.${view}.db" +cat template.$view.db.in "${KSK}.key" "${ZSK}.key" > "$zonefile" diff --git a/bin/tests/system/kasp/ns7/template.ext.db.in b/bin/tests/system/kasp/ns7/template.ext.db.in new file mode 100644 index 0000000000..a4c962c663 --- /dev/null +++ b/bin/tests/system/kasp/ns7/template.ext.db.in @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns7 +ns7 A 10.53.0.7 + +view TXT "external" diff --git a/bin/tests/system/kasp/ns7/template.int.db.in b/bin/tests/system/kasp/ns7/template.int.db.in new file mode 100644 index 0000000000..7f859c280d --- /dev/null +++ b/bin/tests/system/kasp/ns7/template.int.db.in @@ -0,0 +1,22 @@ +; Copyright (C) Internet Systems Consortium, Inc. ("ISC") +; +; This Source Code Form is subject to the terms of the Mozilla Public +; License, v. 2.0. If a copy of the MPL was not distributed with this +; file, You can obtain one at http://mozilla.org/MPL/2.0/. +; +; See the COPYRIGHT file distributed with this work for additional +; information regarding copyright ownership. + +$TTL 300 +@ IN SOA mname1. . ( + 1 ; serial + 20 ; refresh (20 seconds) + 20 ; retry (20 seconds) + 1814400 ; expire (3 weeks) + 3600 ; minimum (1 hour) + ) + + NS ns7 +ns7 A 10.53.0.7 + +view TXT "internal" diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh index 9c693bfde0..67e8b6d9a7 100644 --- a/bin/tests/system/kasp/setup.sh +++ b/bin/tests/system/kasp/setup.sh @@ -23,6 +23,7 @@ copy_setports ns3/named.conf.in ns3/named.conf copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf +copy_setports ns7/named.conf.in ns7/named.conf if $SHELL ../testcrypto.sh ed25519; then echo "yes" > ed25519-supported.file @@ -53,3 +54,7 @@ fi cd ns6 $SHELL setup.sh ) +( + cd ns7 + $SHELL setup.sh +) diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 501419aa81..8c9580f2cd 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -128,6 +128,7 @@ key_clear "KEY4" # Call dig with default options. dig_with_opts() { + if [ -n "$TSIG" ]; then "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" else @@ -5272,5 +5273,230 @@ dnssec_verify # an unlimited lifetime. Fallback to the default loadkeys interval. check_next_key_event 3600 +# +# Testing good migration with views. +# +init_view_migration() { + key_clear "KEY1" + key_set "KEY1" "LEGACY" "yes" + set_keyrole "KEY1" "ksk" + set_keylifetime "KEY1" "0" + set_keysigning "KEY1" "yes" + set_zonesigning "KEY1" "no" + + key_clear "KEY2" + key_set "KEY2" "LEGACY" "yes" + set_keyrole "KEY2" "zsk" + set_keylifetime "KEY2" "0" + set_keysigning "KEY2" "no" + set_zonesigning "KEY2" "yes" + + key_clear "KEY3" + key_clear "KEY4" + + set_keystate "KEY1" "GOAL" "omnipresent" + set_keystate "KEY1" "STATE_DNSKEY" "rumoured" + set_keystate "KEY1" "STATE_KRRSIG" "rumoured" + set_keystate "KEY1" "STATE_DS" "rumoured" + + set_keystate "KEY2" "GOAL" "omnipresent" + set_keystate "KEY2" "STATE_DNSKEY" "rumoured" + set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" +} + +set_keytimes_view_migration() { + # Key is six months in use. + created=$(key_get KEY1 CREATED) + set_addkeytime "KEY1" "PUBLISHED" "${created}" -16070400 + set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -16070400 + set_addkeytime "KEY1" "ACTIVE" "${created}" -16070400 + created=$(key_get KEY2 CREATED) + set_addkeytime "KEY2" "PUBLISHED" "${created}" -16070400 + set_addkeytime "KEY2" "ACTIVE" "${created}" -16070400 +} + +# Zone view.rsasha256.kasp (external) +set_zone "view-rsasha256.kasp" +set_policy "rsasha256" "2" "21600" +set_server "ns7" "10.53.0.7" +init_view_migration +set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" +set_keyalgorithm "KEY2" "8" "RSASHA256" "1024" +TSIG="hmac-sha1:external:$VIEW1" +wait_for_nsec +# Make sure the zone is signed with legacy keys. +check_keys +set_keytimes_view_migration +check_keytimes +dnssec_verify + +n=$((n+1)) +# check subdomain +echo_i "check TXT $ZONE (view ext) rrset is signed correctly ($n)" +ret=0 +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Remember legacy key tags. +_migrate_ext8_ksk=$(key_get KEY1 ID) +_migrate_ext8_zsk=$(key_get KEY2 ID) + +# Zone view.rsasha256.kasp (internal) +set_zone "view-rsasha256.kasp" +set_policy "rsasha256" "2" "21600" +set_server "ns7" "10.53.0.7" +init_view_migration +set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" +set_keyalgorithm "KEY2" "8" "RSASHA256" "1024" +TSIG="hmac-sha1:internal:$VIEW2" +wait_for_nsec +# Make sure the zone is signed with legacy keys. +check_keys +set_keytimes_view_migration +check_keytimes +dnssec_verify + +n=$((n+1)) +# check subdomain +echo_i "check TXT $ZONE (view int) rrset is signed correctly ($n)" +ret=0 +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# Remember legacy key tags. +_migrate_int8_ksk=$(key_get KEY1 ID) +_migrate_int8_zsk=$(key_get KEY2 ID) + +# Reconfig dnssec-policy. +echo_i "reconfig to switch to dnssec-policy" +copy_setports ns7/named2.conf.in ns7/named.conf +rndc_reconfig ns7 10.53.0.7 + +# Calculate time passed to correctly check for next key events. +now="$(TZ=UTC date +%s)" +time_passed=$((now-start_time)) +echo_i "${time_passed} seconds passed between start of tests and reconfig" + +# +# Testing migration (RSASHA256, views). +# +set_zone "view-rsasha256.kasp" +set_policy "rsasha256" "3" "21600" +set_server "ns7" "10.53.0.7" +init_migration_match +set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" +set_keyalgorithm "KEY2" "8" "RSASHA256" "1024" +# Key properties, timings and metadata should be the same as legacy keys above. +# However, because the keys have a lifetime, kasp will set the retired time. +key_set "KEY1" "LEGACY" "no" +set_keylifetime "KEY1" "31536000" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" + +key_set "KEY2" "LEGACY" "no" +set_keylifetime "KEY2" "8035200" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" +# The ZSK needs to be replaced. +set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY3" "GOAL" "omnipresent" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "8035200" +set_keyalgorithm "KEY3" "8" "RSASHA256" "1024" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "no" # not yet +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_ZRRSIG" "hidden" + +# Various signing policy checks (external). +TSIG="hmac-sha1:external:$VIEW1" +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "external-view" +set_keytimes_view_migration + +# Set expected key times: +published=$(key_get KEY1 PUBLISHED) +set_keytime "KEY1" "ACTIVE" "${published}" +set_keytime "KEY1" "SYNCPUBLISH" "${published}" +# Lifetime: 1 year (8035200 seconds) +active=$(key_get KEY1 ACTIVE) +set_addkeytime "KEY1" "RETIRED" "${active}" "31536000" +# Retire interval: +# DS TTL: 1d +# Parent zone propagation: 3h +# Retire safety: 1h +# Total: 100800 seconds +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "100800" + +published=$(key_get KEY2 PUBLISHED) +set_keytime "KEY2" "ACTIVE" "${published}" +# Lifetime: 3 months (8035200 seconds) +active=$(key_get KEY2 ACTIVE) +set_addkeytime "KEY2" "RETIRED" "${active}" "8035200" +# Retire interval: +# Sign delay: 9d (14-5) +# Max zone TTL: 1d +# Retire safety: 1h +# Zone propagation delay: 300s +# Total: 867900 seconds +retired=$(key_get KEY2 RETIRED) +set_addkeytime "KEY2" "REMOVED" "${retired}" "867900" + +created=$(key_get KEY3 CREATED) +set_keytime "KEY3" "PUBLISHED" "${created}" +# Publication interval: +# DNSKEY TTL: 6h +# Publish safety: 1h +# Zone propagation delay: 300s +# Total: 25500 seconds +set_addkeytime "KEY3" "ACTIVE" "${created}" "25500" +# Lifetime: 3 months (8035200 seconds) +active=$(key_get KEY3 ACTIVE) +set_addkeytime "KEY3" "RETIRED" "${active}" "8035200" +# Retire interval: +# Sign delay: 9d (14-5) +# Max zone TTL: 1d +# Retire safety: 1h +# Zone propagation delay: 300s +# Total: 867900 seconds +retired=$(key_get KEY3 RETIRED) +set_addkeytime "KEY3" "REMOVED" "${retired}" "867900" + +# Continue signing policy checks. +check_keytimes +check_apex +dnssec_verify + +# Various signing policy checks (external). +TSIG="hmac-sha1:internal:$VIEW2" +check_keys +wait_for_done_signing +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "internal-view" +set_keytimes_view_migration +check_keytimes +check_apex +dnssec_verify + +# Check key tags, should be the same. +n=$((n+1)) +echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)" +ret=0 +[ $_migrate_ext8_ksk == $_migrate_int8_ksk ] || log_error "mismatch ksk tag" +[ $_migrate_ext8_zsk == $_migrate_int8_zsk ] || log_error "mismatch zsk tag" +[ $_migrate_ext8_ksk == $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" +[ $_migrate_ext8_zsk == $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" +status=$((status+ret)) + echo_i "exit status: $status" [ $status -eq 0 ] || exit 1 diff --git a/util/copyrights b/util/copyrights index 091bac5a11..b69620c0bd 100644 --- a/util/copyrights +++ b/util/copyrights @@ -637,6 +637,7 @@ ./bin/tests/system/kasp/ns4/setup.sh SH 2019,2020 ./bin/tests/system/kasp/ns5/setup.sh SH 2019,2020 ./bin/tests/system/kasp/ns6/setup.sh SH 2020 +./bin/tests/system/kasp/ns7/setup.sh SH 2020 ./bin/tests/system/kasp/setup.sh SH 2019,2020 ./bin/tests/system/kasp/tests.sh SH 2019,2020 ./bin/tests/system/keepalive/clean.sh SH 2017,2018,2019,2020 From 456925d6ec1c3dfb266954f520c3ee0b42378092 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Thu, 1 Oct 2020 11:05:01 +0200 Subject: [PATCH 6/7] Fix kasp min key size bug The minimal size for RSASHA1, RSASHA256 is 512, but due to bad assignment it was set to 1024. (cherry picked from commit 7c555254fe97825c4bfeaa08aa6d349c6fd2c636) --- lib/dns/kasp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c index fb945ddbbf..68ec3a9651 100644 --- a/lib/dns/kasp.c +++ b/lib/dns/kasp.c @@ -394,7 +394,7 @@ dns_kasp_key_size(dns_kasp_key_t *key) { case DNS_KEYALG_NSEC3RSASHA1: case DNS_KEYALG_RSASHA256: case DNS_KEYALG_RSASHA512: - min = DNS_KEYALG_RSASHA512 ? 1024 : 512; + min = (key->algorithm == DNS_KEYALG_RSASHA512) ? 1024 : 512; if (key->length > -1) { size = (unsigned int)key->length; if (size < min) { From 1b69a49c6e9b21958f415ebf0b4cee4ea2db8e03 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Thu, 1 Oct 2020 11:07:05 +0200 Subject: [PATCH 7/7] Fix a timing issue in kasp system test Sometimes, not all keys have been created in time before 'check_keys' is called. Run a 'retry_quiet' on checking the number of keys before continuing checking the key data. (cherry picked from commit af3b01497602d943ad399d8f6274d27a76d7751b) --- bin/tests/system/kasp/tests.sh | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 8c9580f2cd..cfc4f74523 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -833,23 +833,30 @@ status=$((status+ret)) next_key_event_threshold=$((next_key_event_threshold+i)) +check_numkeys() { + _numkeys=$(get_keyids "$1" "$2" | wc -l) + test "$_numkeys" -eq "$NUM_KEYS" || return 1 + return 0 +} + # Check keys for a configured zone. This verifies: # 1. The right number of keys exist in the key pool ($1). # 2. The right number of keys is active. Checks KEY1, KEY2, KEY3, and KEY4. # # It is expected that KEY1, KEY2, KEY3, and KEY4 arrays are set correctly. # Found key identifiers are stored in the right key array. -check_keys() -{ +check_keys() { n=$((n+1)) echo_i "check keys are created for zone ${ZONE} ($n)" ret=0 echo_i "check number of keys for zone ${ZONE} in dir ${DIR} ($n)" - _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l) - test "$_numkeys" -eq "$NUM_KEYS" || log_error "bad number ($_numkeys) of key files for zone $ZONE (expected $NUM_KEYS)" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + retry_quiet 10 check_numkeys "$DIR" "$ZONE" "$NUM_KEYS" || ret=1 + if [ $ret -ne 0 ]; then + _numkeys=$(get_keyids "$1" "$2" | wc -l) + log_error "bad number of key files ($_numkeys) for zone $ZONE (expected $NUM_KEYS)" + status=$((status+ret)) + fi # Temporarily don't log errors because we are searching multiple files. _log=0