Merge branch '1749-rndc-dnssec-rollover' into 'main'

Resolve "rndc trigger rollover"

Closes #1749

See merge request isc-projects/bind9!4004

CHANGES

+5515.	[func]		Add 'rndc dnssec -rollover' command to trigger a
+			manual rollover for a specific key. [GL #1749]
+
 5514.	[bug]		Fix KASP expected key size for Ed25519 and Ed448.
 			[GL #2171]
 

bin/named/server.c

@@ -14595,10 +14595,14 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
 	dns_kasp_t *kasp = NULL;
 	dns_dnsseckeylist_t keys;
 	dns_dnsseckey_t *key;
-	char *ptr;
+	char *ptr, *zonetext = NULL;
 	const char *msg = NULL;
 	/* variables for -checkds */
-	bool checkds = false, dspublish = false, use_keyid = false;
+	bool checkds = false, dspublish = false;
+	/* variables for -rollover */
+	bool rollover = false;
+	/* variables for -key */
+	bool use_keyid = false;
 	dns_keytag_t keyid = 0;
 	uint8_t algorithm = 0;
 	/* variables for -status */
@@ -14629,9 +14633,15 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
 
 	if (strcasecmp(ptr, "-status") == 0) {
 		status = true;
+	} else if (strcasecmp(ptr, "-rollover") == 0) {
+		rollover = true;
 	} else if (strcasecmp(ptr, "-checkds") == 0) {
 		checkds = true;
+	} else {
+		CHECK(DNS_R_SYNTAX);
+	}
 
+	if (rollover || checkds) {
 		/* Check for options */
 		for (;;) {
 			ptr = next_token(lex, text);
@@ -14678,7 +14688,7 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
 			} else if (ptr[0] == '-') {
 				msg = "Unknown option";
 				CHECK(DNS_R_SYNTAX);
-			} else {
+			} else if (checkds) {
 				/*
 				 * No arguments provided, so we must be
 				 * parsing "published|withdrawn".
@@ -14688,20 +14698,29 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
 				} else if (strcasecmp(ptr, "withdrawn") != 0) {
 					CHECK(DNS_R_SYNTAX);
 				}
+			} else if (rollover) {
+				/*
+				 * No arguments provided, so we must be
+				 * parsing the zone.
+				 */
+				zonetext = ptr;
 			}
 			break;
 		}
 
+		if (rollover && !use_keyid) {
+			msg = "Key id is required when scheduling rollover";
+			CHECK(DNS_R_SYNTAX);
+		}
+
 		if (algorithm > 0 && !use_keyid) {
 			msg = "Key id is required when setting algorithm";
 			CHECK(DNS_R_SYNTAX);
 		}
-	} else {
-		CHECK(DNS_R_SYNTAX);
 	}
 
 	/* Get zone. */
-	CHECK(zone_from_args(server, lex, NULL, &zone, NULL, text, false));
+	CHECK(zone_from_args(server, lex, zonetext, &zone, NULL, text, false));
 	if (zone == NULL) {
 		msg = "Zone not found";
 		CHECK(ISC_R_UNEXPECTEDEND);
@@ -14747,14 +14766,15 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
 		char whenbuf[80];
 		isc_time_set(&timewhen, when, 0);
 		isc_time_formattimestamp(&timewhen, whenbuf, sizeof(whenbuf));
+		isc_result_t ret;
 
 		LOCK(&kasp->lock);
 		if (use_keyid) {
-			result = dns_keymgr_checkds_id(kasp, &keys, dir, when,
-						       dspublish, keyid,
+			result = dns_keymgr_checkds_id(kasp, &keys, dir, now,
+						       when, dspublish, keyid,
 						       (unsigned int)algorithm);
 		} else {
-			result = dns_keymgr_checkds(kasp, &keys, dir, when,
+			result = dns_keymgr_checkds(kasp, &keys, dir, now, when,
 						    dspublish);
 		}
 		UNLOCK(&kasp->lock);
@@ -14777,16 +14797,54 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
 			CHECK(putstr(text, "since "));
 			CHECK(putstr(text, whenbuf));
 			break;
-		case ISC_R_NOTFOUND:
-			CHECK(putstr(text, "No matching KSK found"));
-			break;
-		case ISC_R_FAILURE:
+		case DNS_R_TOOMANYKEYS:
 			CHECK(putstr(text,
-				     "Error: multiple possible KSKs found, "
+				     "Error: multiple possible keys found, "
 				     "retry command with -key id"));
 			break;
 		default:
-			CHECK(putstr(text, "Error executing checkds command"));
+			ret = result;
+			CHECK(putstr(text,
+				     "Error executing checkds command: "));
+			CHECK(putstr(text, isc_result_totext(ret)));
+			break;
+		}
+	} else if (rollover) {
+		/*
+		 * Manually rollover a key.
+		 */
+		char whenbuf[80];
+		isc_time_set(&timewhen, when, 0);
+		isc_time_formattimestamp(&timewhen, whenbuf, sizeof(whenbuf));
+		isc_result_t ret;
+
+		LOCK(&kasp->lock);
+		result = dns_keymgr_rollover(kasp, &keys, dir, now, when, keyid,
+					     (unsigned int)algorithm);
+		UNLOCK(&kasp->lock);
+
+		switch (result) {
+		case ISC_R_SUCCESS:
+			if (use_keyid) {
+				char tagbuf[6];
+				snprintf(tagbuf, sizeof(tagbuf), "%u", keyid);
+				CHECK(putstr(text, "Key "));
+				CHECK(putstr(text, tagbuf));
+				CHECK(putstr(text, ": "));
+			}
+			CHECK(putstr(text, "Rollover scheduled on "));
+			CHECK(putstr(text, whenbuf));
+			break;
+		case DNS_R_TOOMANYKEYS:
+			CHECK(putstr(text,
+				     "Error: multiple possible keys found, "
+				     "retry command with -alg algorithm"));
+			break;
+		default:
+			ret = result;
+			CHECK(putstr(text,
+				     "Error executing rollover command: "));
+			CHECK(putstr(text, isc_result_totext(ret)));
 			break;
 		}
 	}

bin/rndc/rndc.c

@@ -111,12 +111,15 @@ command is one of the following:\n\
 		Add zone to given view. Requires allow-new-zones option.\n\
   delzone [-clean] zone [class [view]]\n\
 		Removes zone from given view.\n\
-  dnssec -checkds [-key id [-alg algorithm] [-when time] (published|withdrawn) zone [class [view]]\n\
+  dnssec -checkds [-key id [-alg algorithm]] [-when time] (published|withdrawn) zone [class [view]]\n\
 		Mark the DS record for the KSK of the given zone as seen\n\
 		in the parent.  If the zone has multiple KSKs, select a\n\
 		specific key by providing the keytag with -key id and\n\
 		optionally the key's algorithm with -alg algorithm.\n\
 		Requires the zone to have a dnssec-policy.\n\
+  dnssec -rollover -key id [-alg algorithm] [-when time] zone [class [view]]\n\
+		Rollover key with id of the given zone. Requires the zone\n\
+		to have a dnssec-policy.\n\
   dnssec -status zone [class [view]]\n\
 		Show the DNSSEC signing state for the specified zone.\n\
 		Requires the zone to have a dnssec-policy.\n\

bin/rndc/rndc.rst

@@ -161,13 +161,19 @@ Currently supported commands are:
 
    See also ``rndc addzone`` and ``rndc modzone``.
 
-``dnssec`` ( **-status** | **-checkds** [**-key** *id* [**-alg** *algorithm*]] [**-when** *time*] ( *published* | *withdrawn* )) *zone* [*class* [*view*]]
+``dnssec`` ( **-status** |
+             **-rollover** **-key** id [**-alg** *algorithm*] [**-when** *time*] |
+             **-checkds** [**-key** *id* [**-alg** *algorithm*]] [**-when** *time*] ( *published* | *withdrawn* )
+           ) *zone* [*class* [*view*]]
    This command allows you to interact with the "dnssec-policy" of a given
    zone.
 
    ``rndc dnssec -status`` show the DNSSEC signing state for the specified
    zone.
 
+   ``rndc dnssec -rollover`` allows you to schedule key rollover for a
+   specific key (overriding the original key lifetime).
+
    ``rndc dnssec -checkds`` will let ``named`` know that the DS for the given
    key has been seen published into or withdrawn from the parent.  This is
    required in order to complete a KSK rollover.  If the ``-key id`` argument

bin/tests/system/kasp/clean.sh

@@ -16,6 +16,7 @@ rm -f ./K*.private ./K*.key ./K*.state ./K*.cmp
 rm -rf ./keys/
 rm -f dig.out* rrsig.out.* keyevent.out.*
 rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
+rm -f ns*/policies/*.conf
 rm -f ns*/*.jnl ns*/*.jbk
 rm -f ns*/K*.private ns*/K*.key ns*/K*.state
 rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed

bin/tests/system/kasp/ns3/named.conf.in

@@ -73,6 +73,13 @@ zone "unlimited.kasp" {
 	dnssec-policy "unlimited";
 };
 
+/* Manual rollover. */
+zone "manual-rollover.kasp" {
+	type primary;
+	file "manual-rollover.kasp.db";
+	dnssec-policy "manual-rollover";
+};
+
 /* A master zone with dnssec-policy, no keys created. */
 zone "rsasha1.kasp" {
 	type primary;

bin/tests/system/kasp/ns3/policies/autosign.conf → bin/tests/system/kasp/ns3/policies/autosign.conf.in

@@ -18,8 +18,8 @@ dnssec-policy "autosign" {
 	dnskey-ttl 300;
 
 	keys {
-		ksk key-directory lifetime P2Y algorithm 13;
-		zsk key-directory lifetime P1Y algorithm 13;
+		ksk key-directory lifetime P2Y algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
 	};
 };
 
@@ -39,7 +39,7 @@ dnssec-policy "enable-dnssec" {
 	parent-ds-ttl 2h;
 
 	keys {
-		csk lifetime unlimited algorithm 13;
+		csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@;
 	};
 };
 
@@ -54,8 +54,8 @@ dnssec-policy "zsk-prepub" {
 	retire-safety P2D;
 
 	keys {
-		ksk key-directory lifetime P2Y  algorithm 13;
-		zsk key-directory lifetime P30D algorithm 13;
+		ksk key-directory lifetime P2Y  algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@;
 	};
 
 	zone-propagation-delay PT1H;
@@ -73,8 +73,8 @@ dnssec-policy "ksk-doubleksk" {
 	retire-safety P2D;
 
 	keys {
-		ksk key-directory lifetime P60D algorithm 13;
-		zsk key-directory lifetime P1Y  algorithm 13;
+		ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime P1Y  algorithm @DEFAULT_ALGORITHM@;
 	};
 
 	zone-propagation-delay PT1H;
@@ -95,7 +95,7 @@ dnssec-policy "csk-roll" {
 	retire-safety 2h;
 
 	keys {
-		csk key-directory lifetime P6M algorithm 13;
+		csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
 	};
 
 	zone-propagation-delay 1h;
@@ -116,7 +116,7 @@ dnssec-policy "csk-roll2" {
 	retire-safety 1h;
 
 	keys {
-		csk key-directory lifetime P6M algorithm 13;
+		csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
 	};
 
 	zone-propagation-delay PT1H;

bin/tests/system/kasp/ns3/policies/kasp.conf → bin/tests/system/kasp/ns3/policies/kasp.conf.in

@@ -13,7 +13,16 @@ dnssec-policy "unlimited" {
 	dnskey-ttl 1234;
 
 	keys {
-		csk key-directory lifetime unlimited algorithm 13;
+		csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+	};
+};
+
+dnssec-policy "manual-rollover" {
+	dnskey-ttl 3600;
+
+	keys {
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 	};
 };
 
@@ -81,8 +90,8 @@ dnssec-policy "checkds-ksk" {
 	dnskey-ttl 303;
 
 	keys {
-		ksk key-directory lifetime unlimited algorithm 13;
-		zsk key-directory lifetime unlimited algorithm 13;
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 	};
 };
 
@@ -90,9 +99,9 @@ dnssec-policy "checkds-doubleksk" {
 	dnskey-ttl 303;
 
 	keys {
-		ksk key-directory lifetime unlimited algorithm 13;
-		ksk key-directory lifetime unlimited algorithm 13;
-		zsk key-directory lifetime unlimited algorithm 13;
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 	};
 };
 
@@ -100,6 +109,6 @@ dnssec-policy "checkds-csk" {
 	dnskey-ttl 303;
 
 	keys {
-		csk key-directory lifetime unlimited algorithm 13;
+		csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 	};
 };

bin/tests/system/kasp/ns6/policies/csk2.conf → bin/tests/system/kasp/ns6/policies/csk2.conf.in

@@ -15,7 +15,7 @@ dnssec-policy "csk-algoroll" {
 	signatures-validity-dnskey 30d;
 
 	keys {
-		csk lifetime unlimited algorithm 13;
+		csk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
 	};
 
 	dnskey-ttl 1h;

bin/tests/system/kasp/ns6/policies/kasp.conf → bin/tests/system/kasp/ns6/policies/kasp.conf.in

@@ -51,8 +51,8 @@ dnssec-policy "migrate" {
 	dnskey-ttl 7200;
 
 	keys {
-		ksk key-directory lifetime unlimited algorithm ECDSAP256SHA256;
-		zsk key-directory lifetime P60D algorithm ECDSAP256SHA256;
+		ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+		zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
 	};
 };
 

bin/tests/system/kasp/ns6/setup.sh

@@ -43,11 +43,11 @@ setup migrate.kasp
 echo "$zone" >> zones
 ksktimes="-P now -A now -P sync now"
 zsktimes="-P now -A now"
-KSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200        $zsktimes $zone 2> keygen.out.$zone.2)
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200        $zsktimes $zone 2> keygen.out.$zone.2)
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone 13 "$KSK" >> "$infile"
-private_type_record $zone 13 "$ZSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
@@ -120,10 +120,10 @@ ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I now"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I now"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA1         -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1         -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
+KSK1=$($KEYGEN -a RSASHA1            -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA1            -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
 $SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -d $O $TactN  "$KSK1" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $H -k $O $TactN  -z $O $TactN                "$ZSK1" > settime.out.$zone.2 2>&1
 $SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
@@ -134,8 +134,8 @@ echo "Lifetime: 0" >> "${ZSK1}.state"
 cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
 private_type_record $zone 5  "$KSK1" >> "$infile"
 private_type_record $zone 5  "$ZSK1" >> "$infile"
-private_type_record $zone 13 "$KSK2" >> "$infile"
-private_type_record $zone 13 "$ZSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
 # Step 3:
@@ -150,10 +150,10 @@ ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA1         -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1         -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
+KSK1=$($KEYGEN -a RSASHA1            -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA1            -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
 $SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -d $O $TactN  "$KSK1" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $H -k $O $TactN  -z $O $TactN                "$ZSK1" > settime.out.$zone.2 2>&1
 $SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
@@ -164,8 +164,8 @@ echo "Lifetime: 0" >> "${ZSK1}.state"
 cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
 private_type_record $zone 5  "$KSK1" >> "$infile"
 private_type_record $zone 5  "$ZSK1" >> "$infile"
-private_type_record $zone 13 "$KSK2" >> "$infile"
-private_type_record $zone 13 "$ZSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
 # Step 4:
@@ -181,10 +181,10 @@ ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA1         -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1         -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
+KSK1=$($KEYGEN -a RSASHA1            -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA1            -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
 $SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -d $U $TactN1 -D ds $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $H -k $O $TactN  -z $O $TactN                              "$ZSK1" > settime.out.$zone.2 2>&1
 $SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
@@ -195,8 +195,8 @@ echo "Lifetime: 0" >> "${ZSK1}.state"
 cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
 private_type_record $zone 5  "$KSK1" >> "$infile"
 private_type_record $zone 5  "$ZSK1" >> "$infile"
-private_type_record $zone 13 "$KSK2" >> "$infile"
-private_type_record $zone 13 "$ZSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
 # Step 5:
@@ -213,10 +213,10 @@ ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA1         -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1         -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
+KSK1=$($KEYGEN -a RSASHA1            -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA1            -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
 $SETTIME -s -g $H -k $U $TremN  -r $U $TremN  -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $H -k $U $TremN  -z $U $TremN                "$ZSK1" > settime.out.$zone.2 2>&1
 $SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
@@ -227,8 +227,8 @@ echo "Lifetime: 0" >> "${ZSK1}.state"
 cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
 private_type_record $zone 5  "$KSK1" >> "$infile"
 private_type_record $zone 5  "$ZSK1" >> "$infile"
-private_type_record $zone 13 "$KSK2" >> "$infile"
-private_type_record $zone 13 "$ZSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
 # Step 6:
@@ -246,10 +246,10 @@ ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA1         -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1         -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
+KSK1=$($KEYGEN -a RSASHA1            -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA1            -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
 $SETTIME -s -g $H -k $H $TremN  -r $U $TdeaN  -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $H -k $H $TremN  -z $U $TdeaN                "$ZSK1" > settime.out.$zone.2 2>&1
 $SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
@@ -260,8 +260,8 @@ echo "Lifetime: 0" >> "${ZSK1}.state"
 cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
 private_type_record $zone 5  "$KSK1" >> "$infile"
 private_type_record $zone 5  "$ZSK1" >> "$infile"
-private_type_record $zone 13 "$KSK2" >> "$infile"
-private_type_record $zone 13 "$ZSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
 #
@@ -297,7 +297,7 @@ $SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2
 echo "Lifetime: 0" >> "${CSK1}.state"
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 5  "$CSK1" >> "$infile"
-private_type_record $zone 13 "$CSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
 # Step 3:
@@ -318,7 +318,7 @@ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2
 echo "Lifetime: 0" >> "${CSK1}.state"
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 5  "$CSK1" >> "$infile"
-private_type_record $zone 13 "$CSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
 # Step 4:
@@ -340,7 +340,7 @@ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds
 echo "Lifetime: 0" >> "${CSK1}.state"
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 5  "$CSK1" >> "$infile"
-private_type_record $zone 13 "$CSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
 # Step 5:
@@ -363,7 +363,7 @@ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN  "$CSK2
 echo "Lifetime: 0" >> "${CSK1}.state"
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 5  "$CSK1" >> "$infile"
-private_type_record $zone 13 "$CSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
 # Step 6:
@@ -387,5 +387,5 @@ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2
 echo "Lifetime: 0" >> "${CSK1}.state"
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 5  "$CSK1" >> "$infile"
-private_type_record $zone 13 "$CSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

bin/tests/system/kasp/setup.sh

@@ -33,6 +33,13 @@ if $SHELL ../testcrypto.sh ed448; then
 	echo "yes" > ed448-supported.file
 fi
 
+copy_setports ns3/policies/autosign.conf.in ns3/policies/autosign.conf
+copy_setports ns3/policies/kasp.conf.in ns3/policies/kasp.conf
+
+copy_setports ns6/policies/csk1.conf.in ns6/policies/csk1.conf
+copy_setports ns6/policies/csk2.conf.in ns6/policies/csk2.conf
+copy_setports ns6/policies/kasp.conf.in ns6/policies/kasp.conf
+
 # Setup zones
 (
 	cd ns2

bin/tests/system/kasp/tests.sh

@@ -1201,7 +1201,7 @@ check_cdslog() {
 }
 
 #
-# rndc dnssec -checkds
+# Utility to call after 'rndc dnssec -checkds|-rollover'.
 #
 _loadkeys_on() {
 	_server=$1
@@ -1236,10 +1236,42 @@ rndc_checkds() {
 		_whencmd="-when ${_when}"
 	fi
 
-	echo_i "calling checkds ${_keycmd} ${_whencmd} ${_what} zone ${_zone} ($n)"
+	n=$((n+1))
+	echo_i "calling rndc dnssec -checkds ${_keycmd} ${_whencmd} ${_what} zone ${_zone} ($n)"
+	ret=0
+
 	rndccmd $_server dnssec -checkds $_keycmd $_whencmd $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (${_keycmd} ${_whencmd} ${_what} zone ${_zone} failed"
 
 	_loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
+
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
+}
+
+# Tell named to schedule a key rollover.
+rndc_rollover() {
+	_server=$1
+	_dir=$2
+	_keyid=$3
+	_when=$4
+	_zone=$5
+	_view=$6
+
+	_whencmd=""
+	if [ "${_when}" != "now" ]; then
+		_whencmd="-when ${_when}"
+	fi
+
+	n=$((n+1))
+	echo_i "calling rndc dnssec -rollover key ${_keyid} ${_whencmd} zone ${_zone} ($n)"
+	ret=0
+
+	rndccmd $_server dnssec -rollover -key $_keyid $_whencmd $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
+
+	_loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
+
+	test "$ret" -eq 0 || echo_i "failed"
+	status=$((status+ret))
 }
 
 #
@@ -2655,6 +2687,137 @@ status=$((status+ret))
 # Clear TSIG.