The keyword 'unlimited' can be used instead of PT0S which means the
same but is more comprehensible for users.
Also fix some redundant "none" parameters in the kasp test.
When you do a restart or reconfig of named, or rndc loadkeys, this
triggers the key manager to run. The key manager will check if new
keys need to be created. If there is an active key, and key rollover
is scheduled far enough away, no new key needs to be created.
However, there was a bug that when you just start to sign your zone,
it takes a while before the KSK becomes an active key. An active KSK
has its DS submitted or published, but before the key manager allows
that, the DNSKEY needs to be omnipresent. If you restart named
or rndc loadkeys in quick succession when you just started to sign
your zone, new keys will be created because the KSK is not yet
considered active.
Fix is to check for introducing as well as active keys. These keys
all have in common that their goal is to become omnipresent.
'dnssec-policy' can now also be set on the options and view level and
a zone that does not set 'dnssec-policy' explicitly will inherit it
from the view or options level.
This requires a new keyword to be introduced: 'none'. If set to
'none' the zone will not be DNSSEC maintained, in other words it will
stay unsigned. You can use this to break the inheritance. Of course
you can also break the inheritance by referring to a different
policy.
The keywords 'default' and 'none' are not allowed when configuring
your own dnssec-policy statement.
Add appropriate tests for checking the configuration (checkconf)
and add tests to the kasp system test to verify the inheritance
works.
Edit the kasp system test such that it can deal with unsigned zones
and views (so setting a TSIG on the query).
Test two CSK rollover scenarios, one where the DS is swapped before the zone
signatures are all replaced, and one where the signatures are replaced sooner
than the DS is swapped.
Add more tests for kasp:
- Add tests for different algorithms.
- Add a test to ensure that an edit in an unsigned zone is
picked up and properly signed.
- Add two tests that ensures that a zone gets signed when it is
configured as so-called 'inline-signing'. In other words, a
secondary zone that is configured with a 'dnssec-policy'. A zone
that is transferred over AXFR or IXFR will get signed.
- Add a test to ensure signatures are reused if they are still
fresh enough.
- Adds two more tests to verify that expired and unfresh signatures
will be regenerated.
- Add tests for various cases with keys already available in the
key-directory.
