1. 03 Jun, 2020 13 commits
  2. 02 Jun, 2020 23 commits
      Merge branch '1845-1846-keyrollover-bugs-v9_16' into 'v9_16' · 9d25d0aa
      Matthijs Mekking authored
      Resolve "kasp: bug in keymgr_key_has_successor()"
      
      See merge request !3622
      Retire predecessor when creating successor · a17dcccf
      Matthijs Mekking authored
      When creating the successor, the current active key (predecessor)
      should change its goal state to HIDDEN.
      
      Also add two useful debug logs in the keymgr_key_rollover function.
      
      (cherry picked from commit e71d6029)
      If prepub > retire, prepub now · ef1a4a41
      Matthijs Mekking authored
      Catch a case where the prepublication time of the successor key
      is later than the retire time of the predecessor. If that is the
      case we should prepublish as soon as possible, a.k.a. now.
      
      (cherry picked from commit c08d0f7d)
      Put new key rollover logic in separate function · b0737b8c
      Matthijs Mekking authored
      The `dns_keymgr_run()` function became quite long, so put the logic
      that checks whether a new key needs to be created (start a key rollover)
      in a separate function.
      
      (cherry picked from commit bcf81924)
      Fix bug in keymgr_key_has_successor · 168d362b
      Matthijs Mekking authored
      The logic in `keymgr_key_has_successor(key, keyring)` is flawed: it
      returns true if there is any key in the keyring that has a successor,
      while what we really want here is to make sure that the given key
      has a successor in the given keyring.
      
      Rather than relying on `keymgr_key_exists_with_state`, walk the
      list of keys in the keyring and check if the key is a successor of
      the given predecessor key.
      
      (cherry picked from commit 0d578097)
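The flaw this commit describes, modelled as an added example (not BIND's own code): a predicate that never consults its `key` argument and so answers for the whole keyring, beside the walk-the-keyring check the commit message calls for. `dnskey_t`, `keyring_t` and recording the rollover as a predecessor tag on the successor are assumptions of this model.

```c
/* Hypothetical model of the keymgr_key_has_successor() bug above; not BIND code. */
#include <stdbool.h>
#include <stdio.h>

#define NO_KEY 0u /* "no predecessor recorded" */

typedef struct {
	unsigned int id;          /* key tag */
	unsigned int predecessor; /* tag of the key this one succeeds, or NO_KEY */
} dnskey_t;                       /* simplified stand-in, not BIND's key object */

typedef struct {
	const dnskey_t *keys;
	size_t nkeys;
} keyring_t;

/* Flawed: `key` is never consulted, so this reports a successor for any
 * key as soon as some key in the ring takes part in a rollover. */
static bool
has_successor_flawed(const dnskey_t *key, const keyring_t *ring) {
	(void)key;
	for (size_t i = 0; i < ring->nkeys; i++)
		if (ring->keys[i].predecessor != NO_KEY)
			return true;
	return false;
}

/* Fixed: walk the ring looking for a key that names `key` as its predecessor. */
static bool
has_successor_fixed(const dnskey_t *key, const keyring_t *ring) {
	for (size_t i = 0; i < ring->nkeys; i++)
		if (ring->keys[i].predecessor == key->id)
			return true;
	return false;
}

/* Constructed keyring: key 1 is being rolled to key 2; key 3 stands alone. */
static const dnskey_t sample_keys[] = { { 1, NO_KEY }, { 2, 1 }, { 3, NO_KEY } };
static const keyring_t sample_ring = { sample_keys, 3 };

int main(void) {
	for (size_t i = 0; i < sample_ring.nkeys; i++) {
		const dnskey_t *k = &sample_ring.keys[i];
		printf("key %u: flawed=%d fixed=%d\n", k->id,
		       has_successor_flawed(k, &sample_ring),
		       has_successor_fixed(k, &sample_ring));
	}
	return 0;
}
```

Key 3 is the case that matters: the flawed predicate claims it already has a successor, so the keymgr would never start its rollover.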
      Merge branch '1843-print-correct-keytiming-metadata-v9_16' into 'v9_16' · f20420c3
      Matthijs Mekking authored
      Resolve "kasp: Set correct keytimings"
      
      See merge request !3620
      Replace date -d with python script · e85c1aa7
      Matthijs Mekking authored
      The usage of 'date -d' in the kasp system test is not portable, so
      replace it with a python script.  Also remove some leftover
      "set_keytime 'yes'" calls.
      
      (cherry picked from commit 5b3decaf)
      Add change entry · ba5d122f
      Matthijs Mekking authored
      (cherry picked from commit bcf3c9fe)
      Test keytimes on algorithm rollover · da2daea0
      Matthijs Mekking authored
      This improves keytime testing on algorithm rollover.  It now
      tests for specific times, and also tests for SyncPublish and
      Removed keytimes.
      
      (cherry picked from commit 61c1040a)
      Test keytimes on policy changes · 327d8bb2
      Matthijs Mekking authored
      This improves keytime testing on reconfiguration of the
      dnssec-policy.
      
      (cherry picked from commit da5e1e3a)
      Test keytimes on CSK rollover · f026332f
      Matthijs Mekking authored
      This improves keytime testing on CSK rollover.  It now
      tests for specific times, and also tests for SyncPublish and
      Removed keytimes.
      
      Since an "active key" means something different for a ZSK and a
      KSK, it is tricky to decide when a CSK is active. An "active key"
      intuitively means the key is signing, so we say a CSK is active
      when it is creating zone signatures.
      
      This change means a lot of timings for the CSK rollover tests
      need to be adjusted.
      
      The keymgr code needs a slight change on calculating the
      prepublication time: For a KSK we need to include the parent
      registration delay, but for CSK we look at the zone signing
      property and stick with the ZSK prepublication calculation.
      
      (cherry picked from commit e2334337)
      Test keytimes on KSK rollover · 8e0776d0
      Matthijs Mekking authored
      This improves keytime testing on KSK rollover.  It now
      tests for specific times, and also tests for SyncPublish and
      Removed keytimes.
      
      (cherry picked from commit 649d0833)
      kasp: registration delay adjustments · 437ec25c
      Matthijs Mekking authored
      Registration delay is not part of the Iret retire interval and is
      thus removed from the calculation when setting the Delete time metadata.
      
      Include the registration delay in prepublication time, because
      we need to prepublish the key sooner than just the Ipub
      publication interval.
      
      (cherry picked from commit 50bbbb76)
      Test keytimes on ZSK rollover · 48a265b2
      Matthijs Mekking authored
      This improves keytime testing on ZSK rollover.  It now
      tests for specific times, and also tests for SyncPublish and
      Removed keytimes.
      
      (cherry picked from commit e01fcbba)
      Test keytimes on enable-dnssec case · 0e1290c3
      Matthijs Mekking authored
      This improves keytime testing for enabling DNSSEC.  It now
      tests for specific times, and also tests for SyncPublish.
      
      (cherry picked from commit cf51c87f)
      Set SyncPublish on keys · cad5ae16
      Matthijs Mekking authored
      Set the SyncPublish metadata on keys that don't have it yet.
      
      (cherry picked from commit 30cb5c97)
      Start testing keytiming metadata · e036a0a9
      Matthijs Mekking authored
      This commit adds testing of keytiming metadata.  In order to facilitate
      this, the kasp system test undergoes a few changes:
      
      1. When finding a key file, rather than only saving the key ID,
         also save the base filename and creation date with `key_save`.
         These can be used later to set expected key times.
      2. Add a test function `set_addkeytime` that takes a key, which
         keytiming to update, a datetime in keytiming format, and a number
         (seconds) to add, and sets the new time in the given keytime
         parameter of the given key.  This is used to set the expected key
         times.
      3. Split `check_keys` into `check_keys` and `check_keytimes`.  First we
         need to find the keyfile before we can check the keytimes.
         We need to retrieve the creation date (and sometimes other
         keytimes) to determine the other expected key times.
      4. Add helper functions to set the expected key times per policy.
         This avoids lots of duplication.
      
      Check for keytimes for the first test cases (all that do not cover
      rollovers).
      
      (cherry picked from commit f8e34b57)
      Stop keeping track of key parameter count · 91d861b9
      Matthijs Mekking authored
      Stop tracking in the comments the number of key parameters in the
      kasp system test; it adds nothing beneficial.
      
      (cherry picked from commit 8483f712)
      Fix some more test output filenames · cec9ddd1
      Matthijs Mekking authored
      After removing dnssec-settime calls that set the key rollover
      relationship, we can adjust the counts in test output filenames.
      
      Also fix a couple more wrong counts in output filenames.
      
      (cherry picked from commit 8204e31f)
      Set key rollover relationship without settime · f4d3a774
      Matthijs Mekking authored
      Using dnssec-settime after dnssec-keygen in the kasp system test
      can lead to off-by-one-second failures, so reduce the usage of
      dnssec-settime in the setup scripts.  This commit deals with
      setting the key rollover relationship (predecessor/successor).
      
      (cherry picked from commit 5a590c47)
      Move setting keytimes from settime to keygen · 34fd8a05
      Matthijs Mekking authored
      In the kasp system test, we are going to set the keytimes on
      dnssec-keygen so we can test them against the key creation time.
      This prevents off-by-one-second errors in the test, something that
      can happen if you set those times with dnssec-settime after
      dnssec-keygen.
      
      Also fix some test output filenames.
      
      (cherry picked from commit 637d5f9a)
      Set keytimes appropriately when using kasp · 6879cdca
      Matthijs Mekking authored
      While kasp relies on key states to determine when a key needs to
      be published or be used for signing, the keytimes are used by
      operators to get some expectation of key publication and usage.
      
      Update the code such that these keytimes are set appropriately.
      That means:
      - Print "PublishCDS" and "DeleteCDS" times in the state files.
      - The keymgr sets the "Removed" and "PublishCDS" times and derives
        those from the dnssec-policy.
      - Tweak setting of the "Retired" time: when retiring keys, only
        update the time to now when the retire time is not yet set or is
        in the future.
      
      This also fixes a bug in "keymgr_transition_time" where we may wait
      too long before zone signatures become omnipresent or hidden. Not
      only can we skip waiting the sign delay Dsgn if there is no
      predecessor, we can also skip it if there is no successor.
      
      Finally, this commit moves setting the lifetime, reducing two calls
      to one.
      
      (cherry picked from commit 18dc27af)
      keygen -k: allow to set times, not genonly · ab8ee0d0
      Matthijs Mekking authored
      For testing purposes mainly, we want to allow setting keytimings on
      generated keys, such that we don't have to "keygen/settime", which
      can result in one-second-off times.
      
      (cherry picked from commit 1c216317)
  3. 01 Jun, 2020 4 commits