#!/bin/sh

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Any unhandled non-zero status aborts the whole run; the individual checks
# below that should only be counted as failures record them via log_error
# and "|| ret=1" instead.
set -e

# shellcheck source=conf.sh
. ../conf.sh
# shellcheck source=kasp.sh
. ../kasp.sh

# Start of the run in UTC epoch seconds; compared with the time at reconfig
# to report how long the pre-migration checks took.
start_time="$(TZ=UTC date +%s)"
# Accumulated failure count over all tests.
status=0
# Running test number, printed in every "... ($n)" log line.
n=0

###############################################################################
# Utilities                                                                   #
###############################################################################

# Call dig with default options.
# $@: extra dig arguments, appended after the defaults.
# When TSIG is set (non-empty) the query is signed with it via "-y".
# Note that "-y" carries the key secret on the command line, which is visible
# in the process table; that is acceptable for this test rig's throw-away
# secrets only, real deployments should use "-k keyfile" instead.
dig_with_opts() {
  if [ -n "$TSIG" ]; then
    set -- -y "$TSIG" "$@"
  fi
  "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
}

# Log an error and count it against the current test.
# $1: message, logged as "error: $1".
# Globals: ret (incremented; reset to 0 at the start of each test).
log_error() {
  echo_i "error: $1"
  ret=$((ret + 1))
}

# Default next key event threshold. May be extended by wait periods.
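next_key_event_threshold=100

###############################################################################
# Tests                                                                       #
###############################################################################

# Derive the expected RETIRED and REMOVED times of a key from its ACTIVE time.
# $1: key slot (KEY1..KEY4).
# $2: key lifetime in seconds (RETIRED = ACTIVE + $2).
# $3: retire interval Iret in seconds (REMOVED = RETIRED + $3).
set_retired_removed() {
  _Lkey=$2
  _Iret=$3

  # Quote the slot name so an empty/odd argument fails inside key_get rather
  # than silently shifting its arguments.
  _active=$(key_get "$1" ACTIVE)
  set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}"
  _retired=$(key_get "$1" RETIRED)
  set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
}

# Set the expected times of the legacy (predecessor) keys KEY1 (KSK) and
# KEY2 (ZSK) relative to their CREATED time.
# $1: offset in seconds added to CREATED for PUBLISHED/SYNCPUBLISH/ACTIVE.
# Globals read: Lksk, Lzsk (lifetimes; 0 means unlimited, in which case no
#               RETIRED/REMOVED time is set), IretKSK, IretZSK (only read when
#               the corresponding lifetime is non-zero).
rollover_predecessor_keytimes() {
  _addtime=$1

  _created=$(key_get KEY1 CREATED)

  set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
  set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
  set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
  [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"

  _created=$(key_get KEY2 CREATED)
  set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
  set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
  [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
}

# Policy parameters.
# Lksk: unlimited
# Lzsk: unlimited
Lksk=0
Lzsk=0

#################################################
# Test state before switching to dnssec-policy. #
#################################################

# Set expected key properties for migration tests.
# $1 $2: Algorithm number and string.
# $3 $4: KSK and ZSK size.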
init_migration_keys() {
  # KEY1: legacy KSK (key-signing only), unlimited lifetime, size $3.
  key_clear "KEY1"
  key_set "KEY1" "LEGACY" "yes"
  set_keyrole "KEY1" "ksk"
  set_keylifetime "KEY1" "none"
  set_keyalgorithm "KEY1" "$1" "$2" "$3"
  set_keysigning "KEY1" "yes"
  set_zonesigning "KEY1" "no"

  # KEY2: legacy ZSK (zone-signing only), unlimited lifetime, size $4.
  key_clear "KEY2"
  key_set "KEY2" "LEGACY" "yes"
  set_keyrole "KEY2" "zsk"
  set_keylifetime "KEY2" "none"
  set_keyalgorithm "KEY2" "$1" "$2" "$4"
  set_keysigning "KEY2" "no"
  set_zonesigning "KEY2" "yes"

  # No successor keys are expected in the remaining slots.
  key_clear "KEY3"
  key_clear "KEY4"
}

# Set expected key states for migration tests.
# $1: Goal
# $2: States
# The goal is applied to both legacy keys; $2 is applied to every record
# state a KSK (DNSKEY, KRRSIG, DS) or ZSK (DNSKEY, ZRRSIG) has.
init_migration_states() {
  set_keystate "KEY1" "GOAL" "$1"
  for _migration_state in STATE_DNSKEY STATE_KRRSIG STATE_DS; do
    set_keystate "KEY1" "${_migration_state}" "$2"
  done

  set_keystate "KEY2" "GOAL" "$1"
  for _migration_state in STATE_DNSKEY STATE_ZRRSIG; do
    set_keystate "KEY2" "${_migration_state}" "$2"
  done
}

#
# Testing a good migration.
#
set_zone "migrate.kasp"
set_policy "none" "2" "7200"
set_server "ns3" "10.53.0.3"

init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
init_migration_states "omnipresent" "rumoured"

# Make sure the zone is signed with legacy keys.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# These keys are immediately published and activated.
rollover_predecessor_keytimes 0
check_keytimes
check_apex
check_subdomain
dnssec_verify
# Remember legacy key tags; after the reconfig below the same tags must still
# be in use, otherwise named would have generated new keys instead of
# adopting the legacy ones.
_migrate_ksk=$(key_get KEY1 ID)
_migrate_zsk=$(key_get KEY2 ID)

#
# Testing a good migration (CSK).
#
set_zone "csk.kasp"
set_policy "none" "1" "7200"
set_server "ns3" "10.53.0.3"

key_clear "KEY1"
key_set "KEY1" "LEGACY" "yes"
set_keyrole "KEY1" "ksk"
# This key also acts as a ZSK.
key_set "KEY1" "ZSK" "yes"
set_keylifetime "KEY1" "none"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"

# The key signs both DNSKEY and zone data, so every record state is tracked.
set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "rumoured"

# A CSK zone has a single key; the other slots must stay empty.
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Make sure the zone is signed with legacy key.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The key is immediately published and activated.
_created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "PUBLISHED" "${_created}"
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
set_keytime "KEY1" "ACTIVE" "${_created}"

check_keytimes
check_apex
check_subdomain
dnssec_verify
# Remember legacy key tags (compared against the post-reconfig key below).
_migrate_csk=$(key_get KEY1 ID)

#
# Testing a good migration (CSK, no SEP).
#
set_zone "csk-nosep.kasp"
set_policy "none" "1" "7200"
set_server "ns3" "10.53.0.3"

key_clear "KEY1"
key_set "KEY1" "LEGACY" "yes"
# The SEP bit is missing, so the key file describes a ZSK ...
set_keyrole "KEY1" "zsk"
# Despite the missing SEP bit, this key also acts as a KSK.
key_set "KEY1" "KSK" "yes"
set_keylifetime "KEY1" "none"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"

set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "rumoured"

key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Make sure the zone is signed with legacy key.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The key is immediately published and activated.
_created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "PUBLISHED" "${_created}"
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
set_keytime "KEY1" "ACTIVE" "${_created}"

check_keytimes
check_apex
check_subdomain
dnssec_verify
# Remember legacy key tags (compared against the post-reconfig key below).
_migrate_csk_nosep=$(key_get KEY1 ID)

#
# Testing key states derived from key timing metadata (rumoured).
#
# Before the reconfig the zone has no dnssec-policy, so only key presence
# and the signatures are verified here; the timing metadata is checked
# after the switch.
set_zone "rumoured.kasp"
set_policy "none" "2" "300"
set_server "ns3" "10.53.0.3"

init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
init_migration_states "omnipresent" "rumoured"

# Make sure the zone is signed with legacy keys.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify
# Remember legacy key tags.
_rumoured_ksk=$(key_get KEY1 ID)
_rumoured_zsk=$(key_get KEY2 ID)

#
# Testing key states derived from key timing metadata (omnipresent).
#
set_zone "omnipresent.kasp"
set_policy "none" "2" "300"
set_server "ns3" "10.53.0.3"

init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
init_migration_states "omnipresent" "omnipresent"

# Make sure the zone is signed with legacy keys.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify
# Remember legacy key tags.
_omnipresent_ksk=$(key_get KEY1 ID)
_omnipresent_zsk=$(key_get KEY2 ID)

#
# Testing migration with unmatched existing keys (different algorithm).
#
set_zone "migrate-nomatch-algnum.kasp"
set_policy "none" "2" "300"
set_server "ns3" "10.53.0.3"

# Legacy keys are RSASHA256 (algorithm 8); the policy applied after the
# reconfig uses a different algorithm, so these keys will not match it.
init_migration_keys "8" "RSASHA256" "2048" "2048"
init_migration_states "omnipresent" "omnipresent"

# Make sure the zone is signed with legacy keys.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# The KSK is immediately published and activated.
# -P     : now-3900s
# -P sync: now-3h
# -A     : now-3900s
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
# The ZSK is immediately published and activated.
# -P: now-3900s
# -A: now-12h
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Remember legacy key tags.
_migratenomatch_algnum_ksk=$(key_get KEY1 ID)
_migratenomatch_algnum_zsk=$(key_get KEY2 ID)

#
# Testing migration with unmatched existing keys (different length).
#
set_zone "migrate-nomatch-alglen.kasp"
set_policy "none" "2" "300"
set_server "ns3" "10.53.0.3"

# Same algorithm as the later policy but 2048-bit keys; the policy asks for
# a different key length, so these keys will not match it either.
init_migration_keys "8" "RSASHA256" "2048" "2048"
init_migration_states "omnipresent" "omnipresent"

# Make sure the zone is signed with legacy keys.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The KSK is immediately published and activated.
#   P     : now-3900s
#   P sync: now-3h
#   A     : now-3900s
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
# - The ZSK is immediately published and activated.
#   P: now-3900s
#   A: now-12h
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Remember legacy key tags.
_migratenomatch_alglen_ksk=$(key_get KEY1 ID)
_migratenomatch_alglen_zsk=$(key_get KEY2 ID)

#
# Testing migration with unmatched existing keys (different roles KSK/ZSK -> CSK).
#
set_zone "migrate-nomatch-kzc.kasp"
set_policy "none" "2" "300"
set_server "ns3" "10.53.0.3"

# Algorithm and size match the later policy; only the split KSK/ZSK roles
# differ from the single CSK that policy asks for.
init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
init_migration_states "omnipresent" "omnipresent"

# Make sure the zone is signed with legacy keys.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - The KSK is immediately published and activated.
#   P     : now-3900s
#   P sync: now-3h
#   A     : now-3900s
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
# - The ZSK is immediately published and activated.
#   P: now-3900s
#   A: now-12h
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Remember legacy key tags.
_migratenomatch_kzc_ksk=$(key_get KEY1 ID)
_migratenomatch_kzc_zsk=$(key_get KEY2 ID)

#############
# Reconfig. #
#############
# Switch ns3 to the configuration that attaches a dnssec-policy to each zone
# and let named pick up the existing keys.
echo_i "reconfig (migration to dnssec-policy)"
copy_setports ns3/named2.conf.in ns3/named.conf
rndc_reconfig ns3 10.53.0.3

# Calculate time passed to correctly check for next key events.
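now="$(TZ=UTC date +%s)"
time_passed=$((now - start_time))
echo_i "${time_passed} seconds passed between start of tests and reconfig"

# Check once whether named has logged the "zone_rekey done:" message for a key.
# $1: zone name (used for logging only).
# $2: key slot (KEY1..KEY4).
# Globals read: DIR (directory containing named.run).
# Returns 0 when the slot is not expected to be signing (nothing to wait for)
# or when the message has been logged; returns 1 while the message is still
# missing, so that retry_quiet keeps polling.
_wait_for_done_signing() {
  _zone=$1
  # Reset both on every call: these are globals in POSIX sh, and a slot that
  # is neither KSK nor ZSK (e.g. a cleared slot) would otherwise reuse the
  # role and expectation left behind by the previous call.
  _role=""
  _expect_type=""

  _ksk=$(key_get "$2" KSK)
  _zsk=$(key_get "$2" ZSK)
  if [ "$_ksk" = "yes" ]; then
    _role="KSK"
    _expect_type=EXPECT_KRRSIG
  elif [ "$_zsk" = "yes" ]; then
    _role="ZSK"
    _expect_type=EXPECT_ZRRSIG
  else
    # No signing role for this slot, so there is no message to wait for.
    return 0
  fi

  if [ "$(key_get "$2" "$_expect_type")" = "yes" ] && [ "$(key_get "$2" "$_role")" = "yes" ]; then
    _keyid=$(key_get "$2" ID)
    _keyalg=$(key_get "$2" ALG_STR)
    echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
    grep -q "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" || return 1
  fi

  return 0
}

# Wait (polling up to 30 times per slot) until every key slot that is expected
# to sign has been reported as done signing; a timeout counts as a failure.
# Globals: n, ZONE (read); ret, status (written).
wait_for_done_signing() {
  n=$((n + 1))
  echo_i "wait for zone ${ZONE} is done signing ($n)"
  ret=0

  retry_quiet 30 _wait_for_done_signing "${ZONE}" KEY1 || ret=1
  retry_quiet 30 _wait_for_done_signing "${ZONE}" KEY2 || ret=1
  retry_quiet 30 _wait_for_done_signing "${ZONE}" KEY3 || ret=1
  retry_quiet 30 _wait_for_done_signing "${ZONE}" KEY4 || ret=1

  test "$ret" -eq 0 || echo_i "failed"
  status=$((status + ret))
}

################################################
# Test state after switching to dnssec-policy. #
################################################

# Policy parameters.
# ZSK now has lifetime of 60 days (5184000 seconds).
# The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety.
Lzsk=5184000
IretZSK=867900

#
# Testing good migration.
#
set_zone "migrate.kasp"
set_policy "migrate" "2" "7200"
set_server "ns3" "10.53.0.3"

# Key properties, timings and metadata should be the same as legacy keys above.
# However, because the zsk has a lifetime, kasp will set the retired time.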
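init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
init_migration_states "omnipresent" "rumoured"
# After the reconfig the keys are managed by the policy, not legacy files.
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"
set_keylifetime "KEY1" "${Lksk}"
set_keylifetime "KEY2" "${Lzsk}"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# (With Lzsk non-zero this already sets RETIRED/REMOVED for KEY2 from
# Lzsk/IretZSK; the explicit assignment below repeats the same computation.)
rollover_predecessor_keytimes 0

# - Key now has lifetime of 60 days (5184000 seconds).
#   The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety.
#   TTLsig:        1d (86400 seconds)
#   Dprp:          5m (300 seconds)
#   Dsgn:          9d (777600 seconds)
#   retire-safety: 1h (3600 seconds)
#   IretZSK:       10d65m (867900 seconds)
active=$(key_get KEY2 ACTIVE)
set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}"
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Check key tags, should be the same: the DS at the parent refers to the
# legacy KSK, so a different tag would mean named generated new keys.
n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
# Both sides are quoted so an empty tag fails the comparison cleanly instead
# of making "[" report a syntax error.
[ "$_migrate_ksk" = "$(key_get KEY1 ID)" ] || log_error "mismatch ksk tag"
[ "$_migrate_zsk" = "$(key_get KEY2 ID)" ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))

#
# Testing a good migration (CSK).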
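#
set_zone "csk.kasp"
set_policy "default" "1" "7200"
set_server "ns3" "10.53.0.3"

# The legacy key is now expected to be managed as a CSK by the policy.
key_clear "KEY1"
key_set "KEY1" "LEGACY" "no"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"

set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "rumoured"

key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# The key was immediately published and activated.
_created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "PUBLISHED" "${_created}"
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
set_keytime "KEY1" "ACTIVE" "${_created}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Check key tags, should be the same.
n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
ret=0
# Quoted on both sides so an empty tag fails cleanly rather than as a "["
# syntax error.
[ "$_migrate_csk" = "$(key_get KEY1 ID)" ] || log_error "mismatch csk tag"
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))

#
# Testing a good migration (CSK, no SEP).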
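#
set_zone "csk-nosep.kasp"
set_policy "default" "1" "7200"
set_server "ns3" "10.53.0.3"

key_clear "KEY1"
key_set "KEY1" "LEGACY" "no"
set_keyrole "KEY1" "csk"
# DNSKEY flags 256 = ZONE only, i.e. the SEP bit (257) is not set on this key.
key_set "KEY1" "FLAGS" "256"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "yes"

set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
set_keystate "KEY1" "STATE_DS" "rumoured"

key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# The key was immediately published and activated.
_created=$(key_get KEY1 CREATED)
set_keytime "KEY1" "PUBLISHED" "${_created}"
set_keytime "KEY1" "SYNCPUBLISH" "${_created}"
set_keytime "KEY1" "ACTIVE" "${_created}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Check key tags, should be the same.
n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same key ($n)"
ret=0
# Quoted on both sides so an empty tag fails cleanly rather than as a "["
# syntax error.
[ "$_migrate_csk_nosep" = "$(key_get KEY1 ID)" ] || log_error "mismatch csk tag"
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))

#
# Test migration to dnssec-policy, existing keys do not match key algorithm.
#
set_zone "migrate-nomatch-algnum.kasp"
set_policy "migrate-nomatch-algnum" "4" "300"
set_server "ns3" "10.53.0.3"
# The legacy keys need to be retired, but otherwise stay present until the
# new keys are omnipresent, and can be used to construct a chain of trust.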
init_migration_keys "8" "RSASHA256" "2048" "2048"
# Legacy keys keep their records omnipresent but their goal becomes hidden:
# they are on the way out.
init_migration_states "hidden" "omnipresent"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"

# Successor KSK in the policy's algorithm (13, ECDSAP256SHA256).
set_keyrole "KEY3" "ksk"
set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY3" "yes"
set_zonesigning "KEY3" "no"

# Successor ZSK with a 60 day lifetime.
set_keyrole "KEY4" "zsk"
set_keylifetime "KEY4" "5184000"
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
set_keysigning "KEY4" "no"
set_zonesigning "KEY4" "yes"

# The new KSK's DS is not published yet (hidden); its DNSKEY and RRSIG are
# only just introduced (rumoured).
set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
set_keystate "KEY3" "STATE_DS" "hidden"

set_keystate "KEY4" "GOAL" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - KSK must be retired since it no longer matches the policy.
#   P     : now-3900s
#   P sync: now-3h
#   A     : now-3900s
# - The key is removed after the retire interval:
#   IretKSK = TTLds + DprpP + retire_safety.
#   TTLds:         2h (7200 seconds)
#   Dprp:          1h (3600 seconds)
#   retire-safety: 1h (3600 seconds)
#   IretKSK:       4h (14400 seconds)
IretKSK=14400
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
# named chose the retire time itself at reconfig, so read it back from the
# "; Inactive:" line of the key file instead of computing it. Note that the
# script runs under "set -e": if that line is missing, grep's non-zero exit
# aborts the whole run rather than being counted as a single failed test.
keyfile=$(key_get KEY1 BASEFILE)
grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
retired=$(awk '{print $3}' <retired.test${n}.ksk)
set_keytime "KEY1" "RETIRED" "${retired}"
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
#   P: now-3900s
#   A: now-12h
# - The key is removed after the retire interval:
#   IretZSK = TTLsig + Dprp + Dsgn + retire-safety.
#   TTLsig:        11h (39600 seconds)
#   Dprp:          1h (3600 seconds)
#   Dsgn:          9d (777600 seconds)
#   retire-safety: 1h (3600 seconds)
#   IretZSK:       9d13h (824400 seconds)
IretZSK=824400
Lzsk=5184000
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
# Retire time as written by named into the key file (see the KSK above);
# under "set -e" a missing "; Inactive:" line aborts the run.
keyfile=$(key_get KEY2 BASEFILE)
grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk
retired=$(awk '{print $3}' <retired.test${n}.zsk)
set_keytime "KEY2" "RETIRED" "${retired}"
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new KSK is immediately published and activated.
created=$(key_get KEY3 CREATED)
set_keytime "KEY3" "PUBLISHED" "${created}"
set_keytime "KEY3" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
#   TTLsig:         11h (39600 seconds)
#   Dprp:           1h (3600 seconds)
#   publish-safety: 1h (3600 seconds)
#   Ipub:           13h (46800 seconds)
Ipub=46800
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
# - The ZSK is immediately published and activated.
created=$(key_get KEY4 CREATED)
set_keytime "KEY4" "PUBLISHED" "${created}"
set_keytime "KEY4" "ACTIVE" "${created}"
# The new ZSK has a lifetime, so its retire/remove times follow from ACTIVE.
active=$(key_get KEY4 ACTIVE)
set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
retired=$(key_get KEY4 RETIRED)
set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Check key tags, should be the same.
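n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
ret=0
# Both sides are quoted so an empty tag fails the comparison cleanly instead
# of making "[" report a syntax error.
[ "$_migratenomatch_algnum_ksk" = "$(key_get KEY1 ID)" ] || log_error "mismatch ksk tag"
[ "$_migratenomatch_algnum_zsk" = "$(key_get KEY2 ID)" ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))

#
# Test migration to dnssec-policy, existing keys do not match key length.
#
set_zone "migrate-nomatch-alglen.kasp"
set_policy "migrate-nomatch-alglen" "4" "300"
set_server "ns3" "10.53.0.3"

# The legacy keys need to be retired, but otherwise stay present until the
# new keys are omnipresent, and can be used to construct a chain of trust.
init_migration_keys "8" "RSASHA256" "2048" "2048"
init_migration_states "hidden" "omnipresent"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"

# Successor KSK: same algorithm, 3072-bit as the policy requires.
set_keyrole "KEY3" "ksk"
set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
set_keysigning "KEY3" "yes"
set_zonesigning "KEY3" "no"

# Successor ZSK with a 60 day lifetime.
set_keyrole "KEY4" "zsk"
set_keylifetime "KEY4" "5184000"
set_keyalgorithm "KEY4" "8" "RSASHA256" "3072"
set_keysigning "KEY4" "no"
# This key is considered to be prepublished, so it is not yet signing.
set_zonesigning "KEY4" "no"

set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
set_keystate "KEY3" "STATE_DS" "hidden"

set_keystate "KEY4" "GOAL" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
# Not signing yet, hence no zone signatures from this key.
set_keystate "KEY4" "STATE_ZRRSIG" "hidden"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - KSK must be retired since it no longer matches the policy.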
#   P     : now-3900s
#   P sync: now-3h
#   A     : now-3900s
# - The key is removed after the retire interval:
#   IretKSK = TTLds + DprpP + retire_safety.
#   TTLds:         2h (7200 seconds)
#   Dprp:          1h (3600 seconds)
#   retire-safety: 1h (3600 seconds)
#   IretKSK:       4h (14400 seconds)
IretKSK=14400
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
# Retire time as written by named into the key file at reconfig; under
# "set -e" a missing "; Inactive:" line aborts the run.
keyfile=$(key_get KEY1 BASEFILE)
grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
retired=$(awk '{print $3}' <retired.test${n}.ksk)
set_keytime "KEY1" "RETIRED" "${retired}"
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
#   P: now-3900s
#   A: now-12h
# - The key is removed after the retire interval:
#   IretZSK = TTLsig + Dprp + Dsgn + retire-safety.
#   TTLsig:        11h (39600 seconds)
#   Dprp:          1h (3600 seconds)
#   Dsgn:          9d (777600 seconds)
#   retire-safety: 1h (3600 seconds)
#   IretZSK:       9d13h (824400 seconds)
IretZSK=824400
Lzsk=5184000
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
keyfile=$(key_get KEY2 BASEFILE)
grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk
retired=$(awk '{print $3}' <retired.test${n}.zsk)
set_keytime "KEY2" "RETIRED" "${retired}"
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new KSK is immediately published and activated.
created=$(key_get KEY3 CREATED)
set_keytime "KEY3" "PUBLISHED" "${created}"
set_keytime "KEY3" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
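#   TTLsig:         11h (39600 seconds)
#   Dprp:           1h (3600 seconds)
#   publish-safety: 1h (3600 seconds)
#   Ipub:           13h (46800 seconds)
Ipub=46800
# ${created} still holds KEY3's CREATED time from the lines above.
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
# - The ZSK is immediately published and activated.
created=$(key_get KEY4 CREATED)
set_keytime "KEY4" "PUBLISHED" "${created}"
set_keytime "KEY4" "ACTIVE" "${created}"
# The new ZSK has a lifetime, so its retire/remove times follow from ACTIVE.
active=$(key_get KEY4 ACTIVE)
set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}"
retired=$(key_get KEY4 RETIRED)
set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Check key tags, should be the same.
n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
ret=0
# Both sides are quoted so an empty tag fails the comparison cleanly instead
# of making "[" report a syntax error.
[ "$_migratenomatch_alglen_ksk" = "$(key_get KEY1 ID)" ] || log_error "mismatch ksk tag"
[ "$_migratenomatch_alglen_zsk" = "$(key_get KEY2 ID)" ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))

#
# Test migration to dnssec-policy, existing keys do not match role (KSK/ZSK -> CSK).
#
set_zone "migrate-nomatch-kzc.kasp"
set_policy "migrate-nomatch-kzc" "3" "300"
set_server "ns3" "10.53.0.3"

# The legacy keys need to be retired, but otherwise stay present until the
# new keys are omnipresent, and can be used to construct a chain of trust.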
init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
init_migration_states "hidden" "omnipresent"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"

# A single successor CSK replaces the legacy KSK/ZSK pair.
set_keyrole "KEY3" "csk"
set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
set_keysigning "KEY3" "yes"
set_zonesigning "KEY3" "no"

set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
# This key is considered to be prepublished, so it is not yet signing.
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
set_keystate "KEY3" "STATE_DS" "hidden"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# - KSK must be retired since it no longer matches the policy.
#   P     : now-3900s
#   P sync: now-3h
#   A     : now-3900s
# - The key is removed after the retire interval:
#   IretKSK = TTLds + DprpP + retire_safety.
#   TTLds:         2h (7200 seconds)
#   Dprp:          1h (3600 seconds)
#   retire-safety: 1h (3600 seconds)
#   IretKSK:       4h (14400 seconds)
IretKSK=14400
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
# Retire time as written by named into the key file at reconfig; under
# "set -e" a missing "; Inactive:" line aborts the run.
keyfile=$(key_get KEY1 BASEFILE)
grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
retired=$(awk '{print $3}' <retired.test${n}.ksk)
set_keytime "KEY1" "RETIRED" "${retired}"
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
#   P: now-3900s
#   A: now-12h
# - The key is removed after the retire interval:
#   IretZSK = TTLsig + Dprp + Dsgn + retire-safety.
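#   TTLsig:        11h (39600 seconds)
#   Dprp:          1h (3600 seconds)
#   Dsgn:          9d (777600 seconds)
#   retire-safety: 1h (3600 seconds)
#   IretZSK:       9d13h (824400 seconds)
IretZSK=824400
Lzsk=5184000
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
# Retire time as written by named into the key file at reconfig; under
# "set -e" a missing "; Inactive:" line aborts the run.
keyfile=$(key_get KEY2 BASEFILE)
grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk
retired=$(awk '{print $3}' <retired.test${n}.zsk)
set_keytime "KEY2" "RETIRED" "${retired}"
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new key (KEY3, the successor CSK) is immediately published and
#   activated.
created=$(key_get KEY3 CREATED)
set_keytime "KEY3" "PUBLISHED" "${created}"
set_keytime "KEY3" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
#   TTLsig:         11h (39600 seconds)
#   Dprp:           1h (3600 seconds)
#   publish-safety: 1h (3600 seconds)
#   Ipub:           13h (46800 seconds)
Ipub=46800
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Check key tags, should be the same.
n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)"
ret=0
# Both sides are quoted so an empty tag fails the comparison cleanly instead
# of making "[" report a syntax error.
[ "$_migratenomatch_kzc_ksk" = "$(key_get KEY1 ID)" ] || log_error "mismatch ksk tag"
[ "$_migratenomatch_kzc_zsk" = "$(key_get KEY2 ID)" ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))

########################################################
# Testing key states derived from key timing metadata. #
########################################################

# Policy parameters.
# KSK has lifetime of 60 days (5184000 seconds).
# The KSK is removed after Iret = DprpP + TTLds + retire-safety =
# 4h = 14400 seconds.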
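Lksk=5184000
IretKSK=14400
# ZSK has lifetime of 60 days (5184000 seconds).
# The ZSK is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety =
# 181h = 651600 seconds.
Lzsk=5184000
IretZSK=651600

#
# Testing rumoured state.
#
set_zone "rumoured.kasp"
set_policy "timing-metadata" "2" "300"
set_server "ns3" "10.53.0.3"

# Key properties, timings and metadata should be the same as legacy keys above.
init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
init_migration_states "omnipresent" "rumoured"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"
set_keylifetime "KEY1" "${Lksk}"
set_keylifetime "KEY2" "${Lzsk}"

# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"

# Set expected key times:
# The legacy timing metadata was set just short of the propagation delays,
# which is what makes named derive "rumoured" rather than "omnipresent".
#
# Tds="now-2h"    (7200)
# Tkey="now-300s" (300)
# Tsig="now-11h"  (39600)
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -300
set_addkeytime "KEY1" "ACTIVE" "${created}" -300
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -7200
set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -300
set_addkeytime "KEY2" "ACTIVE" "${created}" -39600
set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"

# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify

# Check key tags, should be the same.
n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
# Both sides are quoted so an empty tag fails the comparison cleanly instead
# of making "[" report a syntax error.
[ "$_rumoured_ksk" = "$(key_get KEY1 ID)" ] || log_error "mismatch ksk tag"
[ "$_rumoured_zsk" = "$(key_get KEY2 ID)" ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))

#
# Testing omnipresent state.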
999# 1000set_zone "omnipresent.kasp" 1001set_policy "timing-metadata" "2" "300" 1002set_server "ns3" "10.53.0.3" 1003 1004# Key properties, timings and metadata should be the same as legacy keys above. 1005init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS" 1006init_migration_states "omnipresent" "omnipresent" 1007key_set "KEY1" "LEGACY" "no" 1008key_set "KEY2" "LEGACY" "no" 1009set_keylifetime "KEY1" "${Lksk}" 1010set_keylifetime "KEY2" "${Lzsk}" 1011 1012# Various signing policy checks. 1013check_keys 1014wait_for_done_signing 1015check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 1016 1017# Set expected key times: 1018# 1019# Tds="now-3h" (10800) 1020# Tkey="now-3900s" (3900) 1021# Tsig="now-12h" (43200) 1022created=$(key_get KEY1 CREATED) 1023set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 1024set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 1025set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800 1026set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" 1027created=$(key_get KEY2 CREATED) 1028set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900 1029set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 1030set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" 1031 1032# Continue signing policy checks. 1033check_keytimes 1034check_apex 1035check_subdomain 1036dnssec_verify 1037 1038# Check key tags, should be the same. 1039n=$((n + 1)) 1040echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)" 1041ret=0 1042[ $_omnipresent_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" 1043[ $_omnipresent_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" 1044test "$ret" -eq 0 || echo_i "failed" 1045status=$((status + ret)) 1046 1047###################################### 1048# Testing good migration with views. 
######################################

# Describe the pre-migration (legacy) key set of a view zone in the
# expectation tables: KEY1 is the KSK and KEY2 the ZSK, both flagged LEGACY
# with an unlimited (0) lifetime and every state still "rumoured"; KEY3 and
# KEY4 are cleared so the later migration checks can claim them.
init_view_migration() {
  # KEY1: key-signing key.
  key_clear "KEY1"
  key_set "KEY1" "LEGACY" "yes"
  set_keyrole "KEY1" "ksk"
  set_keylifetime "KEY1" "0"
  set_keysigning "KEY1" "yes"
  set_zonesigning "KEY1" "no"
  set_keystate "KEY1" "GOAL" "omnipresent"
  set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
  set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
  set_keystate "KEY1" "STATE_DS" "rumoured"

  # KEY2: zone-signing key.
  key_clear "KEY2"
  key_set "KEY2" "LEGACY" "yes"
  set_keyrole "KEY2" "zsk"
  set_keylifetime "KEY2" "0"
  set_keysigning "KEY2" "no"
  set_zonesigning "KEY2" "yes"
  set_keystate "KEY2" "GOAL" "omnipresent"
  set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
  set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"

  # No successor keys exist yet.
  for _spare in KEY3 KEY4; do
    key_clear "$_spare"
  done
}

# Expected legacy key times of the view zone: both keys have been in use for
# six months (16070400 seconds) relative to their CREATED time. Like the rest
# of this file, the global "created" is used as scratch.
set_keytimes_view_migration() {
  _age=16070400
  created=$(key_get KEY1 CREATED)
  for _when in PUBLISHED SYNCPUBLISH ACTIVE; do
    set_addkeytime "KEY1" "$_when" "${created}" "-${_age}"
  done
  created=$(key_get KEY2 CREATED)
  for _when in PUBLISHED ACTIVE; do
    set_addkeytime "KEY2" "$_when" "${created}" "-${_age}"
  done
}

# Zone view.rsasha256.kasp (external)
set_zone "view-rsasha256.kasp"
set_policy "rsasha256" "2" "300"
set_server "ns4" "10.53.0.4"
init_view_migration
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
# The view is selected by TSIG key. dig_with_opts hands it to dig with -y,
# so the secret is visible on the dig command line (acceptable for a
# throwaway test key; not a pattern for production tooling).
TSIG="$DEFAULT_HMAC:external:$VIEW1"
wait_for_nsec
# Make sure the zone is signed with legacy keys.
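check_keys
set_keytimes_view_migration
check_keytimes
dnssec_verify

n=$((n + 1))
# check subdomain
echo_i "check TXT $ZONE (view ext) rrset is signed correctly ($n)"
ret=0
dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*external" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))

# Remember legacy key tags.
_migrate_ext8_ksk=$(key_get KEY1 ID)
_migrate_ext8_zsk=$(key_get KEY2 ID)

# Zone view.rsasha256.kasp (internal)
set_zone "view-rsasha256.kasp"
set_policy "rsasha256" "2" "300"
set_server "ns4" "10.53.0.4"
init_view_migration
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
# The view is selected by TSIG key; dig_with_opts passes it with -y, so the
# secret appears on the dig command line (fine for a throwaway test key).
TSIG="$DEFAULT_HMAC:internal:$VIEW2"
wait_for_nsec
# Make sure the zone is signed with legacy keys.
check_keys
set_keytimes_view_migration
check_keytimes
dnssec_verify

n=$((n + 1))
# check subdomain
echo_i "check TXT $ZONE (view int) rrset is signed correctly ($n)"
ret=0
dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*internal" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))

# Remember legacy key tags.
_migrate_int8_ksk=$(key_get KEY1 ID)
_migrate_int8_zsk=$(key_get KEY2 ID)

# Reconfig dnssec-policy.
echo_i "reconfig to switch to dnssec-policy"
copy_setports ns4/named2.conf.in ns4/named.conf
rndc_reconfig ns4 10.53.0.4

# Calculate time passed to correctly check for next key events.
# Logged for context only: no check in the remainder of this script reads
# time_passed.
now="$(TZ=UTC date +%s)"
time_passed=$((now - start_time))
echo_i "${time_passed} seconds passed between start of tests and reconfig"

#
# Testing migration (RSASHA256, views).
#
# Both views serve the same zone from the same key files; the checks at the
# end assert that the key tags agree across views and survive the reconfig.
set_zone "view-rsasha256.kasp"
set_policy "rsasha256" "3" "300"
set_server "ns4" "10.53.0.4"
init_migration_keys "8" "RSASHA256" "2048" "2048"
init_migration_states "omnipresent" "rumoured"
# Key properties, timings and metadata should be the same as legacy keys above.
# However, because the keys have a lifetime, kasp will set the retired time.
key_set "KEY1" "LEGACY" "no"
set_keylifetime "KEY1" "31536000"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_DS" "omnipresent"

key_set "KEY2" "LEGACY" "no"
set_keylifetime "KEY2" "8035200"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# The ZSK needs to be replaced.
set_keystate "KEY2" "GOAL" "hidden"
set_keystate "KEY3" "GOAL" "omnipresent"
set_keyrole "KEY3" "zsk"
set_keylifetime "KEY3" "8035200"
set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
set_keysigning "KEY3" "no"
set_zonesigning "KEY3" "no" # not yet
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"

# Various signing policy checks (external).
TSIG="$DEFAULT_HMAC:external:$VIEW1"
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "ext"
set_keytimes_view_migration

# Set expected key times:
# (set_keytimes_view_migration already placed PUBLISHED six months before
# CREATED; ACTIVE and SYNCPUBLISH are pinned to that same instant.)
published=$(key_get KEY1 PUBLISHED)
set_keytime "KEY1" "ACTIVE" "${published}"
set_keytime "KEY1" "SYNCPUBLISH" "${published}"
# Lifetime: 1 year (31536000 seconds), matching set_keylifetime above.
active=$(key_get KEY1 ACTIVE)
set_addkeytime "KEY1" "RETIRED" "${active}" "31536000"
# Retire interval:
# DS TTL: 1d
# Parent zone propagation: 3h
# Retire safety: 1h
# Total: 100800 seconds
retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "100800"

published=$(key_get KEY2 PUBLISHED)
set_keytime "KEY2" "ACTIVE" "${published}"
# Lifetime: 3 months (8035200 seconds)
active=$(key_get KEY2 ACTIVE)
set_addkeytime "KEY2" "RETIRED" "${active}" "8035200"
# Retire interval:
# Sign delay: 9d (14-5)
# Max zone TTL: 1d
# Retire safety: 1h
# Zone propagation delay: 300s
# Total: 867900 seconds
retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "867900"

created=$(key_get KEY3 CREATED)
set_keytime "KEY3" "PUBLISHED" "${created}"
# Publication interval:
# DNSKEY TTL: 300s
# Publish safety: 1h
# Zone propagation delay: 300s
# Total: 4200 seconds
set_addkeytime "KEY3" "ACTIVE" "${created}" "4200"
# Lifetime: 3 months (8035200 seconds)
active=$(key_get KEY3 ACTIVE)
set_addkeytime "KEY3" "RETIRED" "${active}" "8035200"
# Retire interval:
# Sign delay: 9d (14-5)
# Max zone TTL: 1d
# Retire safety: 1h
# Zone propagation delay: 300s
# Total: 867900 seconds
retired=$(key_get KEY3 RETIRED)
set_addkeytime "KEY3" "REMOVED" "${retired}" "867900"

# Continue signing policy checks.
check_keytimes
check_apex
dnssec_verify

# Various signing policy checks (internal).
# The RETIRED/REMOVED expectations set above for the external view are
# reused here; set_keytimes_view_migration only refreshes the legacy times.
TSIG="$DEFAULT_HMAC:internal:$VIEW2"
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "int"
set_keytimes_view_migration
check_keytimes
check_apex
dnssec_verify

# Check key tags, should be the same: across the two views, and between the
# pre-reconfig legacy keys and the keys dnssec-policy now manages.
# Both sides are quoted so an empty tag yields a clean mismatch instead of a
# "[: unary operator expected" error, the remembered tags must be non-empty
# so the comparison cannot pass vacuously, and each check carries its own
# message so a failure points at the right comparison.
# NOTE(review): a 16-bit key tag is not a unique key identifier; equal tags
# are strong but not conclusive evidence that the same key survived.
n=$((n + 1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
[ -n "$_migrate_ext8_ksk" ] || log_error "no legacy ksk tag remembered"
[ -n "$_migrate_ext8_zsk" ] || log_error "no legacy zsk tag remembered"
[ "$_migrate_ext8_ksk" = "$_migrate_int8_ksk" ] || log_error "mismatch ksk tag between views"
[ "$_migrate_ext8_zsk" = "$_migrate_int8_zsk" ] || log_error "mismatch zsk tag between views"
[ "$_migrate_ext8_ksk" = "$(key_get KEY1 ID)" ] || log_error "mismatch ksk tag after migration"
[ "$_migrate_ext8_zsk" = "$(key_get KEY2 ID)" ] || log_error "mismatch zsk tag after migration"
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))

echo_i "exit status: $status"
[ "$status" -eq 0 ] || exit 1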