Commit 67b001b1 authored by Mark Andrews's avatar Mark Andrews Committed by Evan Hunt

introducing keymgr need to preserve functionality

(cherry picked from commit 083b730e)
(cherry picked from commit 15b42407)
parent fdbece68
5140. [bug] Don't immediately mark existing keys as inactive and
deleted when running dnssec-keymgr for the first
time. [GL #117]
5139. [bug] If possible, don't use forwarders when priming.
This ensures we can get root server IP addresses
from priming query response glue, which may not
......@@ -77,15 +77,39 @@ class keyseries:
a = key.activate()
if not p or p > now:
key.setpublish(now)
p = now
if not a or a > now:
key.setactivate(now)
a = now
i = key.inactive()
if not rp:
key.setinactive(None, **kwargs)
key.setdelete(None, **kwargs)
elif not i or a + rp != i:
if not i and a + rp > now + prepub:
key.setinactive(a + rp, **kwargs)
key.setdelete(a + rp + postpub, **kwargs)
elif not i:
key.setinactive(now + prepub, **kwargs)
key.setdelete(now + prepub + postpub, **kwargs)
elif a + rp > i:
key.setinactive(a + rp, **kwargs)
key.setdelete(a + rp + postpub, **kwargs)
elif a + rp > now + prepub:
key.setinactive(a + rp, **kwargs)
key.setdelete(a + rp + postpub, **kwargs)
else:
key.setinactive(now + prepub, **kwargs)
key.setdelete(now + prepub + postpub, **kwargs)
else:
key.setinactive(a + rp, **kwargs)
key.setdelete(a + rp + postpub, **kwargs)
d = key.delete()
if not d or i + postpub > now:
key.setdelete(i + postpub, **kwargs)
elif not d:
key.setdelete(now + postpub, **kwargs)
elif d < i + postpub:
key.setdelete(i + postpub, **kwargs)
if policy.keyttl != key.ttl:
key.setttl(policy.keyttl)
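Review bot: The `elif not d:` branch in the delete-date fix-up is unreachable, because the preceding `if not d or i + postpub > now:` already takes every `not d` case, so `key.setdelete(now + postpub, **kwargs)` can never run; if the intent was to fall back to `now + postpub` when `i + postpub` is already in the past, drop the `not d` disjunct from the first test, i.e. `if i + postpub > now:` / `elif not d:` / `elif d < i + postpub:`. The rendered view has lost indentation, so I cannot tell whether `d = key.delete()` runs only on the `a + rp == i` path; if it runs after the `setinactive` calls above it, `i` is stale (read once from `key.inactive()` before them) and is `None` on the `not rp` path, where `i + postpub` raises TypeError, so re-reading `i = key.inactive()` there would be safer either way. The `a + rp > i` and `a + rp > now + prepub` branches have identical bodies and can be merged with `or`. The new ladder also carries no comment on why it prefers `a + rp` over `now + prepub`; above `elif not i or a + rp != i:` I would add `# keep the policy-derived inactive date unless it leaves less than prepub of lead time, so keys active for more than one roll period are not retired immediately (GL #117)`. The enclosing method of class keyseries starts before the hunk.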
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
This directory has a key set which is valid, but which was published
and activated more than one rollover period ago. dnssec-keymgr should
not mark the keys as already being inactive and deleted.
kargs="-c policy.conf example.com"
kmatch=""
kret=0
cargs="-d 1w -m 2w example.com"
cmatch="4,Publish
4,Activate
2,Inactive
2,Delete"
cret=0
warn=0
error=0
ok=2
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
now=`$PERL -e 'print time()."\n";'`
for keyfile in K*.key; do
inactive=`$SETTIME -upI $keyfile | awk '{print $2}'`
if [ "$inactive" = UNSET ]; then
continue
elif [ "$inactive" -lt "$now" ]; then
echo_d "inactive date is in the past"
ret=1
fi
done
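Review bot: A failed `$SETTIME -upI` run is not caught: `$inactive` is then empty, `[ "$inactive" -lt "$now" ]` only prints an integer-expression error to stderr, and the loop moves on without setting `ret=1`, so the check passes vacuously. I would fold that into the failure branch: `elif [ -z "$inactive" ] || [ "$inactive" -lt "$now" ]; then`. The loop also checks only the Inactive date, while the README for this directory says the keys must not be marked deleted either, so a second pass over `$SETTIME -upD` (or reading both fields in the same loop) would cover the Delete date. Since tests.sh sources this file with `. ./extra.sh`, a header comment would make the contract explicit: `# sourced by tests.sh from inside $dir; reports failure by setting ret=1`.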
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
policy default {
policy global;
algorithm nsec3rsasha1;
pre-publish zsk 2w;
roll-period zsk 6mo;
coverage 364d;
};
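Review bot: `algorithm nsec3rsasha1;` selects RSASHA1-NSEC3-SHA1 (DNSSEC algorithm 7), which RFC 8624 lists as NOT RECOMMENDED for signing, and nothing in the fixture says the choice is deliberate, so a reader may copy this policy as a template. I would add, above the `algorithm` line, `/* algorithm 7 matches the -a rsasha1 keys setup.sh creates for this directory; not a recommended choice for production policies */` — I am assuming the match with setup.sh is the reason, as the page does not state it. The KSK gets no `roll-period` or `pre-publish` here and presumably falls back to the `global` policy's defaults; a one-line comment saying that is intended would help too.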
......@@ -11,5 +11,7 @@
rm -f */K*.key
rm -f */K*.private
rm -f Kexample.com.*.key
rm -f Kexample.com.*.private
rm -f coverage.* keymgr.*
rm -f policy.out
......@@ -214,3 +214,13 @@ rm -f $dir/K*.private
ksk1=`$KEYGEN -K $dir -3fk example.com`
zsk1=`$KEYGEN -K $dir -3 example.com`
$SETTIME -K $dir -I now+2mo -D now+3mo $zsk1 > /dev/null
# Test 19: Key has been published/active a long time
dir=19-old-keys
echo_i "set up $dir"
rm -f $dir/K*.key
rm -f $dir/K*.private
ksk1=`$KEYGEN -K $dir -a rsasha1 -3fk example.com`
zsk1=`$KEYGEN -K $dir -a rsasha1 -3 example.com`
$SETTIME -K $dir -P now-2y -A now-2y $ksk1 > /dev/null
$SETTIME -K $dir -P now-2y -A now-2y $zsk1 > /dev/null
......@@ -16,13 +16,19 @@ status=0
n=1
matchall () {
match_result=ok
file=$1
echo "$2" | while read matchline; do
grep "$matchline" $file > /dev/null 2>&1 || {
echo "FAIL"
return
while IFS="," read expect matchline; do
[ -z "$matchline" ] && continue
matches=`grep "$matchline" $file | wc -l`
[ "$matches" -ne "$expect" ] && {
echo "'$matchline': expected $expect found $matches"
return 1
}
done
done << EOF
$2
EOF
return 0
}
echo_i "checking for DNSSEC key coverage issues"
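Review bot: A `$2` line without a comma is silently skipped instead of reported: `IFS="," read expect matchline` then leaves `matchline` empty and the `[ -z "$matchline" ] && continue` guard drops it, so an expect file still in the old one-pattern-per-line form, or a typo that omits the count, makes that check pass vacuously. I would skip only a genuinely blank line and fail otherwise: `[ -z "$expect$matchline" ] && continue` followed by `[ -z "$matchline" ] && { echo "bad match spec: '$expect'"; return 1; }`. The `grep "$matchline" $file | wc -l` pipeline can be `grep -c "$matchline" $file`, which also avoids the space-padded count some `wc` implementations print. `match_result=ok` is assigned but never read in either version. A header comment would help readers of the expect files: `# matchall FILE SPEC: SPEC holds one "count,pattern" per line; fails unless grep finds exactly count matching lines`.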
......@@ -51,11 +57,8 @@ for dir in [0-9][0-9]-*; do
ret=1
fi
found=`matchall keymgr.$n "$kmatch"`
if [ "$found" = "FAIL" ]; then
echo "no match on '$kmatch'"
ret=1
fi
# check for matches in keymgr output
matchall keymgr.$n "$kmatch" || ret=1
# now check coverage
$COVERAGE -K $dir $cargs > coverage.$n 2>&1
......@@ -87,10 +90,13 @@ for dir in [0-9][0-9]-*; do
ret=1
fi
found=`matchall coverage.$n "$cmatch"`
if [ "$found" = "FAIL" ]; then
echo "no match on '$cmatch'"
ret=1
# check for matches in coverage output
matchall coverage.$n "$cmatch" || ret=1
if [ -f $dir/extra.sh ]; then
cd $dir
. ./extra.sh
cd ..
fi
n=`expr $n + 1`
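Review bot: The `cd $dir` / `. ./extra.sh` / `cd ..` sequence has no guard: if `cd $dir` fails, the extra script is sourced from the test root and the following `cd ..` leaves the loop one directory too high for every later test, and because the script is sourced rather than executed, an `exit` or `cd` inside it would take the harness with it. The sourcing is also what lets extra.sh set `ret=1` in this shell, which is worth stating in a comment since it is the only way the script can report a failure. I would guard the directory change and document the contract as below.
```shell
if [ -f $dir/extra.sh ]; then
    # sourced, not executed, so the script can set ret=1 in this shell;
    # it must not exit or change directory
    if cd $dir; then
        . ./extra.sh
        cd ..
    else
        echo_i "failed to cd to $dir"
        ret=1
    fi
fi
```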
......@@ -1553,6 +1553,10 @@
./bin/tests/system/keymgr/18-nonstd-prepub/README TXT.BRIEF 2016,2018,2019
./bin/tests/system/keymgr/18-nonstd-prepub/expect X 2016,2018,2019
./bin/tests/system/keymgr/18-nonstd-prepub/policy.conf CONF-C 2016,2018,2019
./bin/tests/system/keymgr/19-old-keys/README TXT.BRIEF 2019
./bin/tests/system/keymgr/19-old-keys/expect X 2019
./bin/tests/system/keymgr/19-old-keys/extra.sh SH 2019
./bin/tests/system/keymgr/19-old-keys/policy.conf CONF-C 2019
./bin/tests/system/keymgr/clean.sh SH 2016,2018,2019
./bin/tests/system/keymgr/policy.conf CONF-C 2016,2018,2019
./bin/tests/system/keymgr/policy.good X 2016,2018,2019