1. 30 Jul, 2020 1 commit
      Drop $SYSTEMTESTTOP from bin/tests/system/ · 093af1c0
      Michal Nowak authored
      The $SYSTEMTESTTOP shell variable is often set to .. in various shell
      scripts inside bin/tests/system/, but most of the time it is only
      used one line later, while sourcing conf.sh. This hardly improves
      code readability.
      
      $SYSTEMTESTTOP is also used for the purpose of referencing
      scripts/files living in bin/tests/system/, but given that the
      variable is always set to a short, relative path, we can drop it and
      replace all of its occurrences with the relative path without adversely
      affecting code readability.
  2. 02 Jun, 2020 10 commits
      Test keytimes on CSK rollover · e2334337
      Matthijs Mekking authored
      This improves keytime testing on CSK rollover.  It now
      tests for specific times, and also tests for SyncPublish and
      Removed keytimes.
      
      Since an "active key" for ZSK and KSK means something
      different, this makes it tricky to decide when a CSK is
      active. An "active key" intuitively means the key is signing
      so we say a CSK is active when it is creating zone signatures.
      
      This change means a lot of timings for the CSK rollover tests
      need to be adjusted.
      
      The keymgr code needs a slight change on calculating the
      prepublication time: For a KSK we need to include the parent
      registration delay, but for CSK we look at the zone signing
      property and stick with the ZSK prepublication calculation.
      Test keytimes on KSK rollover · 649d0833
      Matthijs Mekking authored
      This improves keytime testing on KSK rollover.  It now
      tests for specific times, and also tests for SyncPublish and
      Removed keytimes.
      kasp: registration delay adjustments · 50bbbb76
      Matthijs Mekking authored
      Registration delay is not part of the Iret retire interval, and is thus
      removed from the calculation when setting the Delete time metadata.
      
      Include the registration delay in prepublication time, because
      we need to prepublish the key sooner than just the Ipub
      publication interval.
      Test keytimes on ZSK rollover · e01fcbba
      Matthijs Mekking authored
      This improves keytime testing on ZSK rollover.  It now
      tests for specific times, and also tests for SyncPublish and
      Removed keytimes.
      Test keytimes on enable-dnssec case · cf51c87f
      Matthijs Mekking authored
      This improves keytime testing for enabling DNSSEC.  It now
      tests for specific times, and also tests for SyncPublish.
      Start testing keytiming metadata · f8e34b57
      Matthijs Mekking authored
      This commit adds testing keytiming metadata.  In order to facilitate
      this, the kasp system test undergoes a few changes:
      
      1. When finding a key file, rather than only saving the key ID,
         also save the base filename and creation date with `key_save`.
         These can be used later to set expected key times.
      2. Add a test function `set_addkeytime` that takes a key, which
         keytiming to update, a datetime in keytiming format, and a number
         (seconds) to add, and sets the new time in the given keytime
         parameter of the given key.  This is used to set the expected key
         times.
      3. Split `check_keys` in `check_keys` and `check_keytimes`.  First we
         need to find the keyfile before we can check the keytimes.
         We need to retrieve the creation date (and sometimes other
         keytimes) to determine the other expected key times.
      4. Add helper functions to set the expected key times per policy.
         This avoids lots of duplication.
      
      Check for keytimes for the first test cases (all that do not cover
      rollovers).
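To make the keytime checks described in steps 1 to 4 concrete, here is an added Python sketch of the same idea (not the kasp system test's own shell code): parse the YYYYMMDDHHMMSS keytimes out of a key file, derive the expected times from the creation date with a set_addkeytime-style helper, and report every mismatch exactly, so a one-second drift is caught. The sample .private metadata and the interval values are constructed.

```python
from datetime import datetime, timedelta

KEYTIME_FMT = "%Y%m%d%H%M%S"  # BIND's YYYYMMDDHHMMSS keytime format

# Constructed sample of the timing metadata in a BIND .private key file;
# the real test reads keys produced by dnssec-keygen in the key-directory.
SAMPLE_PRIVATE = """\
Private-key-format: v1.3
Algorithm: 13 (ECDSAP256SHA256)
Created: 20200602120000
Publish: 20200602120000
Activate: 20200602133000
SyncPublish: 20200602153000
"""

def parse_keytimes(text):
    """Return {name: value} for every 14-digit keytime line in a key file."""
    times = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        value = value.strip()
        if sep and len(value) == 14 and value.isdigit():
            times[name.strip()] = value
    return times

def addkeytime(base, seconds):
    """set_addkeytime equivalent: a keytime plus an offset in seconds,
    done as real date arithmetic so day and month boundaries are handled."""
    when = datetime.strptime(base, KEYTIME_FMT) + timedelta(seconds=seconds)
    return when.strftime(KEYTIME_FMT)

def expected_keytimes(created, ipub, ipub_sync):
    """Derive the expected times from the creation date, the way the
    per-policy helpers do (the intervals are assumed values, in seconds)."""
    return {
        "Publish": addkeytime(created, 0),
        "Activate": addkeytime(created, ipub),
        "SyncPublish": addkeytime(created, ipub_sync),
    }

def check_keytimes(text, expected):
    """Compare a key file's keytimes with the expected ones.
    Returns [(name, expected, actual)] for every mismatch; [] means pass."""
    actual = parse_keytimes(text)
    return [(name, want, actual.get(name))
            for name, want in expected.items() if actual.get(name) != want]
```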
      Fix some more test output filenames · 8204e31f
      Matthijs Mekking authored
      After removing dnssec-settime calls that set key rollover
      relationship, we can adjust the counts in test output filenames.
      
      Also fix a couple of more wrong counts in output filenames.
      Set key rollover relationship without settime · 5a590c47
      Matthijs Mekking authored
      Using dnssec-settime after dnssec-keygen in the kasp system test
      can lead to off-by-one-second failures, so reduce the usage of
      dnssec-settime in the setup scripts.  This commit deals with
      setting the key rollover relationship (predecessor/successor).
      Move setting keytimes from settime to keygen · 637d5f9a
      Matthijs Mekking authored
      In the kasp system test, we are going to set the keytimes on
      dnssec-keygen so we can test them against the key creation time.
      This prevents off-by-one-second errors in the test, something that can
      happen if you set those times with dnssec-settime after
      dnssec-keygen.
      
      Also fix some test output filenames.
      keygen -k: allow to set times, not genonly · 1c216317
      Matthijs Mekking authored
      For testing purposes mainly, we want to allow setting keytimings on
      generated keys, such that we don't have to "keygen/settime", which
      can result in times being one second off.
  3. 16 Apr, 2020 1 commit
      dnssec-policy: to sign inline or not · 644f0d95
      Matthijs Mekking authored
      When dnssec-policy was introduced, it implicitly set inline-signing.
      But DNSSEC maintenance required either inline-signing to be enabled,
      or a dynamic zone.  In other words, you do not always want to
      DNSSEC-maintain your zone with inline-signing.
      
      Change the behavior and determine whether inline-signing is
      required: if the zone is dynamic, don't use inline-signing,
      otherwise implicitly set it.
      
      You can also explicitly set inline-signing to yes with dnssec-policy,
      the restriction that both inline-signing and dnssec-policy cannot
      be set at the same time is now lifted.
      
      However, 'inline-signing no;' on a non-dynamic zone with a
      dnssec-policy is not possible.
      Fix kasp bug new KSK on restart [#1593] · b378d037
      Matthijs Mekking authored
      When you do a restart or reconfig of named, or rndc loadkeys, this
      triggers the key manager to run.  The key manager will check if new
      keys need to be created. If there is an active key, and key rollover
      is scheduled far enough away, no new key needs to be created.
      
      However, there was a bug that when you just start to sign your zone,
      it takes a while before the KSK becomes an active key. An active KSK
      has its DS submitted or published, but before the key manager allows
      that, the DNSKEY needs to be omnipresent. If you restart named
      or rndc loadkeys in quick succession when you just started to sign
      your zone, new keys will be created because the KSK is not yet
      considered active.
      
      Fix is to check for introducing as well as active keys. These keys
      all have in common that their goal is to become omnipresent.
  9. 06 Nov, 2019 4 commits
      dnssec-policy inheritance from options/view · 5f464d15
      Matthijs Mekking authored
      'dnssec-policy' can now also be set on the options and view level and
      a zone that does not set 'dnssec-policy' explicitly will inherit it
      from the view or options level.
      
      This requires a new keyword to be introduced: 'none'.  If set to
      'none' the zone will not be DNSSEC maintained, in other words it will
      stay unsigned.  You can use this to break the inheritance.  Of course
      you can also break the inheritance by referring to a different
      policy.
      
      The keywords 'default' and 'none' are not allowed when configuring
      your own dnssec-policy statement.
      
      Add appropriate tests for checking the configuration (checkconf)
      and add tests to the kasp system test to verify the inheritance
      works.
      
      Edit the kasp system test such that it can deal with unsigned zones
      and views (so setting a TSIG on the query).
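As an added illustration (not part of these commits or of BIND's own test suite), a named.conf fragment that combines the two behaviours described in this commit and in the earlier "to sign inline or not" commit: dnssec-policy inherited from options, 'none' breaking that inheritance, and inline-signing implied only for non-dynamic zones. The zone names, file names and the policy name "mypolicy" are made up.

```conf
options {
        // Every zone in every view inherits this unless it sets its own
        dnssec-policy "default";
};

// Not dynamic: with the inherited policy, inline-signing is switched on
// implicitly; 'inline-signing no;' here would be rejected
zone "static.example" {
        type primary;
        file "static.example.db";
        // Stating it explicitly alongside dnssec-policy is now allowed
        inline-signing yes;
};

// Dynamic zone: DNSSEC-maintained in place, inline-signing is not implied
zone "dynamic.example" {
        type primary;
        file "dynamic.example.db";
        update-policy local;
};

// Breaks the inheritance: this zone stays unsigned
zone "unsigned.example" {
        type primary;
        file "unsigned.example.db";
        dnssec-policy none;
};

// Referring to another policy also overrides the inherited one
zone "other.example" {
        type primary;
        file "other.example.db";
        dnssec-policy "mypolicy";
};

// A user-defined policy may not be named 'default' or 'none'
dnssec-policy "mypolicy" {
        keys {
                csk key-directory lifetime unlimited algorithm ecdsap256sha256;
        };
};
```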
      Test CSK rollover · 9fbc8691
      Matthijs Mekking authored
      Test two CSK rollover scenarios, one where the DS is swapped before the zone
      signatures are all replaced, and one where the signatures are replaced sooner
      than the DS is swapped.
      Test ZSK and KSK rollover · 36c72bf3
      Matthijs Mekking authored
      Add tests for ZSK Pre-Publication and KSK Double-KSK rollover.
      
      Includes tests that the next key event is scheduled at the right time.
      Add kasp tests · c9f1ec83
      Matthijs Mekking authored
      Add more tests for kasp:
      
      - Add tests for different algorithms.
      
      - Add a test to ensure that an edit in an unsigned zone is
        picked up and properly signed.
      
      - Add two tests that ensure that a zone gets signed when it is
        configured as so-called 'inline-signing'.  In other words, a
        secondary zone that is configured with a 'dnssec-policy'.  A zone
        that is transferred over AXFR or IXFR will get signed.
      
      - Add a test to ensure signatures are reused if they are still
        fresh enough.
      
      - Add two more tests to verify that expired and unfresh signatures
        will be regenerated.
      
      - Add tests for various cases with keys already available in the
        key-directory.