-
Matthijs Mekking authored
This commit adds a lengthy test where the ZSK is rolled but the KSK is offline (except for when the DNSKEY RRset is changed). The specific scenario has the `dnskey-kskonly` configuration option set meaning the DNSKEY RRset should only be signed with the KSK. A new zone `updatecheck-kskonly.secure` is added to test against, that can be dynamically updated, and that can be controlled with rndc to load the DNSSEC keys. There are some pre-checks for this test to make sure everything is fine before the ZSK roll, after the new ZSK is published, and after the old ZSK is deleted. Note there are actually two ZSK rolls in quick succession. When the latest added ZSK becomes active and its predecessor becomes inactive, the KSK is offline. However, the DNSKEY RRset did not change and it has a good signature that is valid for long enough. The expected behavior is that the DNSKEY RRset stays signed with the KSK only (signature does not need to change). However, the test will fail because after reconfiguring the keys for the zone, it wants to add re-sign tasks for the new active keys (in sign_apex). Because the KSK is offline, named determines that the only other active key, the latest ZSK, will be used to resign the DNSKEY RRset, in addition to keeping the RRSIG of the KSK. The question is: Why do we need to resign the DNSKEY RRset immediately when a new key becomes active? This is not required, only once the next resign task is triggered the new active key should replace signatures that are in need of refreshing.
8bc10bcf