1. 02 Oct, 2020 1 commit
    • Add kasp tests for Ed25519 and Ed448 · 7be18357
      Matthijs Mekking authored
      Use the testcrypto script to see if these algorithms are supported by
      openssl. If so, add the specific configuration to the named.conf file
      and touch a file to indicate support. If the file exists, the
      corresponding setup and tests are performed.
  2. 14 Sep, 2020 1 commit
  3. 07 Aug, 2020 1 commit
    • Adjust kasp tests to use 'checkds' · 38cb43bc
      Matthijs Mekking authored
      With 'checkds' replacing 'parent-registration-delay', the kasp
      test needs the expected times to be adjusted. Also the system test
      needs to call 'rndc dnssec -checkds' to progress the rollovers.
      Since we pretend that the KSK is active as soon as the DS is
      submitted (and parent registration delay is no longer applicable)
      we can simplify the 'csk_rollover_predecessor_keytimes' function
      to take only one "addtime" parameter.
      This commit also slightly changes the 'check_dnssecstatus' function,
      passing the zone as a parameter.
  4. 30 Jun, 2020 1 commit
    • Output rndc dnssec -status · 19ce9ec1
      Matthijs Mekking authored
      Implement the 'rndc dnssec -status' command that will output
      some information about the key states, such as which policy is
      used for the zone, what keys are in use, and when rollover is
      Add loose testing in the kasp system test, the actual times are
      already tested via key file inspection.
  5. 26 Jun, 2020 1 commit
    • kasp tests: fix wait for reconfig done · a47192ed
      Matthijs Mekking authored
      The wait until zones are signed after rndc reconfig is broken
      because the zones are already signed before the reconfig.  Fix
      by having a different way to ensure the signing of the zone is
      complete.  This does require a call to the "wait_for_done_signing"
      function after each "check_keys" call after the ns6 reconfig.
      The "wait_for_done_signing" looks for a (newly added) debug log
      message that named will output if it is done signing with a certain
  6. 02 Jun, 2020 3 commits
    • Replace date -d with python script · 5b3decaf
      Matthijs Mekking authored
      The usage of 'date -d' in the kasp system test is not portable,
      replace with a python script.  Also remove some leftover
      "set_keytime 'yes'" calls.
    • Test keytimes on policy changes · da5e1e3a
      Matthijs Mekking authored
      This improves keytime testing on reconfiguration of the
    • Start testing keytiming metadata · f8e34b57
      Matthijs Mekking authored
      This commit adds testing keytiming metadata.  In order to facilitate
      this, the kasp system test undergoes a few changes:
      1. When finding a key file, rather than only saving the key ID,
         also save the base filename and creation date with `key_save`.
         These can be used later to set expected key times.
      2. Add a test function `set_addkeytime` that takes a key, which
         keytiming to update, a datetime in keytiming format, and a number
         (seconds) to add, and sets the new time in the given keytime
         parameter of the given key.  This is used to set the expected key
      3. Split `check_keys` into `check_keys` and `check_keytimes`.  First we
         need to find the keyfile before we can check the keytimes.
         We need to retrieve the creation date (and sometimes other
         keytimes) to determine the other expected key times.
      4. Add helper functions to set the expected key times per policy.
         This avoids lots of duplication.
      Check for keytimes for the first test cases (all that do not cover
  7. 06 Mar, 2020 2 commits
    • Add additional wait period for algorithm rollover · d1652053
      Matthijs Mekking authored
      We may be checking the algorithm steps too fast: the reconfig
      command may still be in progress. Make sure the zones are signed
      and loaded by digging the NSEC records for these zones.
    • Add algorithm rollover test case · 88ebe958
      Matthijs Mekking authored
      Add a test case for algorithm rollover.  This is triggered by
      changing the dnssec-policy.  A new nameserver ns6 is introduced
      for tests related to dnssec-policy changes.
      This requires a slight change in check_next_key_event to only
      check the last occurrence.  Also, change the debug log message in
      lib/dns/zone.c to deal with checks when no next scheduled key event
      exists (and default to loadkeys interval 3600).
  8. 06 Nov, 2019 4 commits
    • dnssec-policy inheritance from options/view · 5f464d15
      Matthijs Mekking authored
      'dnssec-policy' can now also be set on the options and view level and
      a zone that does not set 'dnssec-policy' explicitly will inherit it
      from the view or options level.
      This requires a new keyword to be introduced: 'none'.  If set to
      'none' the zone will not be DNSSEC maintained, in other words it will
      stay unsigned.  You can use this to break the inheritance.  Of course
      you can also break the inheritance by referring to a different
      The keywords 'default' and 'none' are not allowed when configuring
      your own dnssec-policy statement.
      Add appropriate tests for checking the configuration (checkconf)
      and add tests to the kasp system test to verify the inheritance
      Edit the kasp system test such that it can deal with unsigned zones
      and views (so setting a TSIG on the query).
    • Add kasp tests · c9f1ec83
      Matthijs Mekking authored
      Add more tests for kasp:
      - Add tests for different algorithms.
      - Add a test to ensure that an edit in an unsigned zone is
        picked up and properly signed.
      - Add two tests that ensure that a zone gets signed when it is
        configured as so-called 'inline-signing'.  In other words, a
        secondary zone that is configured with a 'dnssec-policy'.  A zone
        that is transferred over AXFR or IXFR will get signed.
      - Add a test to ensure signatures are reused if they are still
        fresh enough.
      - Adds two more tests to verify that expired and unfresh signatures
        will be regenerated.
      - Add tests for various cases with keys already available in the
    • Refactor kasp system test · 7c783ab9
      Matthijs Mekking authored
      A significant refactor of the kasp system test in an attempt to
      make the test script somewhat brief.  When writing a test case,
      you can/should use the functions 'zone_properties',
      'key_properties', and 'key_timings' to set the expected values
      when checking a key with 'check_key'. All these four functions
      can be used to set environment variables that come in handy when
      testing output.
    • dnssec-keygen can create keys given dnssec-policy · 09ac224c
      Matthijs Mekking authored
      This commit adds code for generating keys with dnssec-keygen given
      a specific dnssec-policy.
      The dnssec-policy can be set with a new option '-k'. The '-l'
      option can be used to set a configuration file that contains a
      specific dnssec-policy.
      Because the dnssec-policy dictates what the keys should look like,
      many of the existing dnssec-keygen options cannot be used together
      with '-k'.
      If the dnssec-policy lists multiple keys, dnssec-keygen has now the
      possibility to generate multiple keys at one run.
      Add two tests for creating keys with '-k': One with the default
      policy, one with multiple keys from the configuration.
  9. 23 Feb, 2018 1 commit
  10. 27 Jun, 2016 1 commit
  11. 07 May, 2014 2 commits
  12. 02 Jan, 2013 1 commit
  13. 01 Jan, 2013 1 commit
  14. 29 Jun, 2012 3 commits
  15. 28 Jun, 2012 1 commit
    • 3344. [func] New "dnssec-checkds" command checks a zone to · 1cefb9df
      Mark Andrews authored
                              determine which DS records should be published
                              in the parent zone, or which DLV records should be
                              published in a DLV zone, and queries the DNS to
                              ensure that it exists. (Note: This tool depends
                              on python; it will not be built or installed on
                              systems that do not have a python interpreter.)
                              [RT #28099]
  16. 02 Mar, 2011 1 commit
  17. 01 Mar, 2011 1 commit
  18. 22 Feb, 2011 1 commit
  19. 17 Jun, 2010 1 commit
  20. 18 Jan, 2010 2 commits
  21. 06 Dec, 2009 2 commits
  22. 26 Sep, 2007 1 commit
  23. 19 Jun, 2007 1 commit
  24. 18 Jun, 2007 1 commit
  25. 05 Mar, 2004 1 commit
  26. 09 Jan, 2001 1 commit
  27. 18 Nov, 2000 1 commit
  28. 10 Nov, 2000 1 commit