Commits (25)
  • Allow DNSSEC records in kasp enabled zone · 53e76f88
    Matthijs Mekking authored
    When signing a zone with dnssec-policy, we don't mind DNSSEC records.
    This is useful for testing purposes, and perhaps it is better to
    signal this behavior with a different configuration option.
    53e76f88
  • arm: Update DNSSEC documentation · da0ae529
    Matthijs Mekking authored
    da0ae529
  • keygen/settime: Write out successor/predecessor · dcf79ce6
    Matthijs Mekking authored
    When creating a successor key, or calculating time for a successor
    key, write out the successor and predecessor metadata to the
    related files.
    dcf79ce6
  • kasp: Expose more key timings · 1f0d6296
    Matthijs Mekking authored
    When doing rollover in a timely manner we need to have access to the
    relevant kasp configured durations.
    
    Most of these are simple get functions, but 'dns_kasp_signdelay'
    will calculate the maximum time that is needed with this policy to
    resign the complete zone (taking into account the refresh interval
    and signature validity).
    
    Introduce parent-propagation-delay, parent-registration-delay,
    parent-ds-ttl, zone-max-ttl, zone-propagation-delay.
    1f0d6296
  • Useful dst_key functions · 314b90df
    Matthijs Mekking authored
    Add a couple of dst_key functions for determining hints that
    consider key states if they are available.
    - dst_key_is_unused:
      A key has no timing metadata set other than Created.
    - dst_key_is_published:
      A key has publish timing metadata <= now, DNSKEY state in
      RUMOURED or OMNIPRESENT.
    - dst_key_is_active:
      A key has active timing metadata <= now, RRSIG state in
      RUMOURED or OMNIPRESENT.
    - dst_key_is_signing:
      KSK is_signing and is_active means different things than
      for a ZSK. A ZSK is active means it is also signing, but
      a KSK always signs its DNSKEY RRset but is considered
      active if its DS is present (rumoured or omnipresent).
    - dst_key_is_revoked:
      A key has revoke timing metadata <= now.
    - dst_key_is_removed:
      A key has delete timing metadata <= now, DNSKEY state in
      UNRETENTIVE or HIDDEN.
    314b90df
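The six predicates listed in this commit message decide a key's hints from the kasp key state when a state file exists and fall back to the timing metadata otherwise. The following is an added illustration, not BIND's code: `keyinfo_t`, `keystate_t`, the `TIME_UNSET` convention, and the two sample keys are assumptions made for this example, and the reading that a state, when present, takes precedence over the corresponding timing field is the editor's; BIND's `dst_key_t` and its accessors are not used.

```c
/*
 * Added illustration, not BIND's code: a model of the key-hint predicates
 * described in the "Useful dst_key functions" commit. keyinfo_t, keystate_t,
 * the TIME_UNSET convention and the sample keys are assumptions made for
 * this example; BIND's dst_key_t and its accessors are not used.
 */
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* ST_NONE stands for "no key state file", so timing metadata decides. */
typedef enum { ST_NONE = 0, ST_HIDDEN, ST_RUMOURED, ST_OMNIPRESENT, ST_UNRETENTIVE } keystate_t;

#define TIME_UNSET ((time_t)0) /* assumption: 0 means the metadata field is not set */

typedef struct {
	bool ksk;                                     /* role: true for KSK, false for ZSK */
	time_t created, publish, active, revoke, del; /* timing metadata */
	keystate_t dnskey, zrrsig, krrsig, ds;        /* kasp key states */
} keyinfo_t;

static bool present(keystate_t s) { return s == ST_RUMOURED || s == ST_OMNIPRESENT; }
static bool passed(time_t t, time_t now) { return t != TIME_UNSET && t <= now; }

/* Unused: no timing metadata set other than Created. */
bool key_is_unused(const keyinfo_t *k) {
	return k->publish == TIME_UNSET && k->active == TIME_UNSET &&
	       k->revoke == TIME_UNSET && k->del == TIME_UNSET;
}

/* Published: DNSKEY state when a state file exists, otherwise Publish <= now. */
bool key_is_published(const keyinfo_t *k, time_t now) {
	return k->dnskey != ST_NONE ? present(k->dnskey) : passed(k->publish, now);
}

/* Signing: the RRSIG state matching the key's role (KRRSIG for a KSK,
 * ZRRSIG for a ZSK), otherwise Active <= now. */
bool key_is_signing(const keyinfo_t *k, time_t now) {
	keystate_t sig = k->ksk ? k->krrsig : k->zrrsig;
	return sig != ST_NONE ? present(sig) : passed(k->active, now);
}

/* Active: a ZSK is active exactly when it is signing; a KSK always signs
 * its DNSKEY RRset and counts as active once its DS is present. */
bool key_is_active(const keyinfo_t *k, time_t now) {
	if (k->ksk && k->ds != ST_NONE)
		return present(k->ds);
	return key_is_signing(k, now);
}

/* Revoked: Revoke <= now (no kasp state involved). */
bool key_is_revoked(const keyinfo_t *k, time_t now) { return passed(k->revoke, now); }

/* Removed: DNSKEY state UNRETENTIVE or HIDDEN, otherwise Delete <= now. */
bool key_is_removed(const keyinfo_t *k, time_t now) {
	if (k->dnskey != ST_NONE)
		return k->dnskey == ST_UNRETENTIVE || k->dnskey == ST_HIDDEN;
	return passed(k->del, now);
}

/* Constructed samples: a KSK in mid-rollover (DNSKEY and its RRSIG are out,
 * the DS is not yet submitted) and a legacy ZSK that has no state file. */
static const time_t SAMPLE_NOW = 1000000;

keyinfo_t sample_new_ksk(void) {
	keyinfo_t k = { .ksk = true, .created = 900000, .publish = 900000, .active = 900000,
	                .dnskey = ST_RUMOURED, .krrsig = ST_RUMOURED, .ds = ST_HIDDEN };
	return k;
}

keyinfo_t sample_legacy_zsk(void) {
	keyinfo_t k = { .ksk = false, .created = 1, .publish = 1, .active = 1 };
	return k;
}

int main(void) {
	keyinfo_t ksk = sample_new_ksk(), zsk = sample_legacy_zsk();
	printf("new KSK: published=%d signing=%d active=%d\n",
	       key_is_published(&ksk, SAMPLE_NOW), key_is_signing(&ksk, SAMPLE_NOW),
	       key_is_active(&ksk, SAMPLE_NOW));
	printf("legacy ZSK: published=%d signing=%d active=%d removed=%d\n",
	       key_is_published(&zsk, SAMPLE_NOW), key_is_signing(&zsk, SAMPLE_NOW),
	       key_is_active(&zsk, SAMPLE_NOW), key_is_removed(&zsk, SAMPLE_NOW));
	return 0;
}
```

The sample KSK shows the distinction the commit message draws: it is signing (its KRRSIG is rumoured) but not yet active, because its DS is still hidden; the legacy ZSK has no state file and is judged purely on its timing fields.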
  • Introduce keymgr in named · 7e7aa538
    Matthijs Mekking authored
    Add a key manager to named.  If a 'dnssec-policy' is set, 'named'
    will run a key manager on the matching keys.  This will do a couple
    of things:
    
    1. Create keys when needed (in case of rollover for example)
       according to the set policy.
    
    2. Retire keys that are in excess of the policy.
    
    3. Maintain key states according to "Flexible and Robust Key
       Rollover" [1]. After the key manager has run, key files will be
       saved to disk.
    
       [1] https://matthijsmekking.nl/static/pdf/satin2012-Schaeffer.pdf
    
    KEY GENERATION
    
    Create keys according to DNSSEC policy.  Zones configured with
    'dnssec-policy' will allow 'named' to create DNSSEC keys (similar
    to dnssec-keymgr) if not available.
    
    KEY ROLLOVER
    
    Rather than determining the desired state from timing metadata,
    add a key state goal.  Any key that is created or picked from the
    key ring and selected to be a successor has its key state goal set
    to OMNIPRESENT (this key wants to be signing!). At the same time,
    a key that is being retired has its key state goal set to HIDDEN.
    
    The keymgr state machine with the three rules will make sure no
    introduction or withdrawal of DNSSEC records happens too soon.
    
    KEY TIMINGS
    
    All timings are based on RFC 7583.
    
    The keymgr will return when the next action is happening so
    that the zone can set the proper rekey event. Prior to this change
    the rekey event will run every hour by default (configurable),
    but with kasp we can determine exactly when we need to run again.
    
    The prepublication time is derived from policy.
    7e7aa538
  • Update zoneconf to use kasp config · 09990672
    Matthijs Mekking authored
    If a zone has a dnssec-policy set, use signature validity,
    dnskey signature validity, and signature refresh from
    dnssec-policy.
    
    Zones configured with 'dnssec-policy' will allow 'named' to create
    DNSSEC keys (similar to dnssec-keymgr) if not available.
    09990672
  • DNSSEC hints use dst_key functions and key states · fcf14b2b
    Matthijs Mekking authored
    Update dns_dnssec_get_hints and dns_dnssec_keyactive to use dst_key
    functions and thus if dnssec-policy/KASP is used the key states are
    being considered.
    
    Add a new variable to 'struct dns_dnsseckey' to signal whether this
    key is a zone-signing key (it is no longer true that ksk == !zsk).
    
    Also introduce a hint for revoke.
    
    Update 'dns_dnssec_findzonekeys' and 'dns_dnssec_findmatchingkeys'
    to also read the key state file, if available.
    
    Remove 'allzsk' from 'dns_dnssec_updatekeys' as this was only a
    hint for logging.
    
    Also make get_hints() (now dns_dnssec_get_hints()) public so that
    we can use it in the key manager.
    fcf14b2b
  • Adjust signing code to use kasp · c125b721
    Matthijs Mekking authored
    Update the signing code in lib/dns/zone.c and lib/dns/update.c to
    use kasp logic if a dnssec-policy is enabled.
    
    This means zones with dnssec-policy should no longer follow
    'update-check-ksk' and 'dnssec-dnskey-kskonly' logic, instead the
    KASP keys configured dictate which RRset gets signed with what key.
    
    Also use the next rekey event from the key manager rather than
    setting it to one hour.
    
    Mark the zone dynamic, as otherwise a zone with dnssec-policy is
    not eligible for automatic DNSSEC maintenance.
    c125b721
  • Refactor kasp system test · 7c783ab9
    Matthijs Mekking authored
    A significant refactor of the kasp system test in an attempt to
    make the test script somewhat brief.  When writing a test case,
    you can/should use the functions 'zone_properties',
    'key_properties', and 'key_timings' to set the expected values
    when checking a key with 'check_key'. All four functions
    can be used to set environment variables that come in handy when
    testing output.
    7c783ab9
  • Add kasp tests · c9f1ec83
    Matthijs Mekking authored
    Add more tests for kasp:
    
    - Add tests for different algorithms.
    
    - Add a test to ensure that an edit in an unsigned zone is
      picked up and properly signed.
    
    - Add two tests that ensure that a zone gets signed when it is
      configured as so-called 'inline-signing'.  In other words, a
      secondary zone that is configured with a 'dnssec-policy'.  A zone
      that is transferred over AXFR or IXFR will get signed.
    
    - Add a test to ensure signatures are reused if they are still
      fresh enough.
    
    - Add two more tests to verify that expired and unfresh signatures
      will be regenerated.
    
    - Add tests for various cases with keys already available in the
      key-directory.
    c9f1ec83
  • Test ZSK and KSK rollover · 36c72bf3
    Matthijs Mekking authored
    Add tests for ZSK Pre-Publication and KSK Double-KSK rollover.
    
    Includes tests that the next key event is scheduled at the right time.
    36c72bf3
  • Use keywords in dnssec-policy keys configuration · 6468ffc3
    Matthijs Mekking authored
    Add keywords 'lifetime' and 'algorithm' to make the key configuration
    more clear.
    6468ffc3
  • Code changes for CSK · 67033bfd
    Matthijs Mekking authored
    Update dns_dnssec_keyactive to differentiate between the roles ZSK
    and KSK.  A key is active if it is signing but that differs per role.
    A ZSK is signing if its ZRRSIG state is in RUMOURED or OMNIPRESENT,
    a KSK is signing if its KRRSIG state is in RUMOURED or OMNIPRESENT.
    
    This means that a key can be actively signing for one role but not
    the other.  Add checks in inline signing (zone.c and update.c) to
    cover the case where a CSK is active in its KSK role but not the ZSK
    role.
    67033bfd
  • Test CSK rollover · 9fbc8691
    Matthijs Mekking authored
    Test two CSK rollover scenarios, one where the DS is swapped before the zone
    signatures are all replaced, and one where the signatures are replaced sooner
    than the DS is swapped.
    9fbc8691
  • KASP timings all uint32_t · 29e6ec31
    Matthijs Mekking authored
    Get rid of the warnings in the Windows build.
    29e6ec31
  • Add dst_key_copy_metadata function. · 1211c348
    Matthijs Mekking authored
    When updating DNSSEC keys we would like to be able to copy the
    metadata from one key to another.
    1211c348
  • sign_apex() should also consider CDS/CDNSKEY · 2e46dcbb
    Matthijs Mekking authored
    The 'sign_apex()' function has special processing for signing the
    DNSKEY RRset such that it will always be signed with the active
    KSK.  Since CDS and CDNSKEY are also signed with the KSK, it
    should have the same special processing.  The special processing is
    moved into a new function 'tickle_apex_rrset()' and is applied to
    all three RR types (DNSKEY, CDS, CDNSKEY).
    
    In addition, when kasp is involved, update the DNSKEY TTL accordingly
    to what is in the policy.
    2e46dcbb
  • Add tests for CDS/CDNSKEY publication · c3e0ac86
    Matthijs Mekking authored
    The kasp system tests are updated with 'check_cds' calls that will
    verify that the correct CDS and CDNSKEY records are published during
    a rollover and that they are signed with the correct KSK.
    
    This requires a change in 'dnssec.c' to check the kasp key states
    to decide whether the CDS/CDNSKEY of a key should be published or
    not.  If no kasp state exists, fall back to key timings.
    c3e0ac86
  • kasp.c: return parenthesis (style) and REQUIRE · 70da58c8
    Matthijs Mekking authored
    This code was missing a lot of return parentheses (violating our
    style guide) and was missing a REQUIRE in 'dns_kasplist_find()'.
    70da58c8
  • Make kasp opaque · f11ce448
    Matthijs Mekking authored
    f11ce448
  • Insist that kasp is not linked. · 5eedd365
    Mark Andrews authored
    5eedd365
  • dnssec-policy inheritance from options/view · 5f464d15
    Matthijs Mekking authored
    'dnssec-policy' can now also be set on the options and view level and
    a zone that does not set 'dnssec-policy' explicitly will inherit it
    from the view or options level.
    
    This requires a new keyword to be introduced: 'none'.  If set to
    'none' the zone will not be DNSSEC maintained, in other words it will
    stay unsigned.  You can use this to break the inheritance.  Of course
    you can also break the inheritance by referring to a different
    policy.
    
    The keywords 'default' and 'none' are not allowed when configuring
    your own dnssec-policy statement.
    
    Add appropriate tests for checking the configuration (checkconf)
    and add tests to the kasp system test to verify the inheritance
    works.
    
    Edit the kasp system test such that it can deal with unsigned zones
    and views (so setting a TSIG on the query).
    5f464d15
  • Fix checkconf test · bae0edbf
    Matthijs Mekking authored
    bae0edbf
......@@ -767,6 +767,19 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv)
fatal("cannot generate a null key due to possible key ID "
"collision");
if (ctx->predecessor != NULL && prevkey != NULL) {
dst_key_setnum(prevkey, DST_NUM_SUCCESSOR, dst_key_id(key));
dst_key_setnum(key, DST_NUM_PREDECESSOR, dst_key_id(prevkey));
ret = dst_key_tofile(prevkey, ctx->options, ctx->directory);
if (ret != ISC_R_SUCCESS) {
char keystr[DST_KEY_FORMATSIZE];
dst_key_format(prevkey, keystr, sizeof(keystr));
fatal("failed to update predecessor %s: %s\n", keystr,
isc_result_totext(ret));
}
}
ret = dst_key_tofile(key, ctx->options, ctx->directory);
if (ret != ISC_R_SUCCESS) {
char keystr[DST_KEY_FORMATSIZE];
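Review bot: in the predecessor branch the predecessor's file is rewritten with `dst_key_tofile(prevkey, ...)` before the new key itself is written by the `dst_key_tofile(key, ...)` at the end of the hunk, so a failure of that second write leaves the predecessor on disk pointing at a successor key ID for which no file exists. Writing the new key first and only then updating the predecessor keeps the on-disk metadata consistent on the failure path; at minimum the fatal message for the second write should say that the predecessor file was already modified.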
......@@ -1174,7 +1187,7 @@ main(int argc, char **argv) {
fatal("failed to load dnssec-policy '%s'",
ctx.policy);
}
if (ISC_LIST_EMPTY(kasp->keys)) {
if (ISC_LIST_EMPTY(dns_kasp_keys(kasp))) {
fatal("dnssec-policy '%s' has no keys "
"configured", ctx.policy);
}
......@@ -1182,7 +1195,7 @@ main(int argc, char **argv) {
ctx.ttl = dns_kasp_dnskeyttl(kasp);
ctx.setttl = true;
kaspkey = ISC_LIST_HEAD(kasp->keys);
kaspkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
while (kaspkey != NULL) {
ctx.use_nsec3 = false;
......
......@@ -715,6 +715,11 @@ main(int argc, char **argv) {
if (setttl)
dst_key_setttl(key, ttl);
if (predecessor != NULL && prevkey != NULL) {
dst_key_setnum(prevkey, DST_NUM_SUCCESSOR, dst_key_id(key));
dst_key_setnum(key, DST_NUM_PREDECESSOR, dst_key_id(prevkey));
}
/*
* No metadata changes were made but we're forcing an upgrade
* to the new format anyway: use "-P now -A now" as the default
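Review bot: the pair `dst_key_setnum(prevkey, DST_NUM_SUCCESSOR, ...)` / `dst_key_setnum(key, DST_NUM_PREDECESSOR, ...)` here is the same pair added to dnssec-keygen.c in this patch; a small shared helper in dst that links a predecessor and a successor (a suggested addition, not an existing function) would keep the two tools from drifting, for example if a later change also has to clear a stale successor number on the predecessor.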
......@@ -816,6 +821,9 @@ main(int argc, char **argv) {
if (changed) {
writekey(key, directory, write_state);
if (predecessor != NULL && prevkey != NULL) {
writekey(prevkey, directory, write_state);
}
}
if (prevkey != NULL)
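Review bot: `writekey(prevkey, directory, write_state)` is guarded by the enclosing `if (changed)`, and nothing in this patch shows `changed` being set when only the predecessor/successor numbers were assigned in the earlier hunk; if the predecessor is the only option given on the command line, confirm that `changed` is true, otherwise the new metadata on both keys never reaches disk.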
......
......@@ -2717,7 +2717,7 @@ build_final_keylist(void) {
* Update keylist with information from from the key repository.
*/
dns_dnssec_updatekeys(&keylist, &matchkeys, NULL, gorigin, keyttl,
&diff, ignore_kskflag, mctx, report);
&diff, mctx, report);
/*
* Update keylist with sync records.
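Review bot: the argument dropped from the `dns_dnssec_updatekeys()` call is `ignore_kskflag`, which this caller passed for the parameter the commit message calls `allzsk` and describes as a logging hint only; confirm that dnssec-signzone's ignore-KSK-flag behaviour is still honoured on its own signing path, since the value no longer reaches the key update at all.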
......
......@@ -58,6 +58,7 @@ options {\n\
"\
# deallocate-on-exit <obsolete>;\n\
# directory <none>\n\
dnssec-policy \"none\";\n\
dump-file \"named_dump.db\";\n\
edns-udp-size 4096;\n\
# fake-iquery <obsolete>;\n"
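Review bot: adding `dnssec-policy "none";` to the built-in defaults makes `none` the effective policy for every zone that sets nothing, so the ARM entry for the option should state that default explicitly; it also means the inheritance code must treat the string `none` as "no policy" wherever `named_config_get()` falls through to these defaults, not only at zone level.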
......
......@@ -1015,12 +1015,17 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
<literallayout class="normal">
dnssec-policy <replaceable>string</replaceable> {
dnskey-ttl <replaceable>ttlval</replaceable>;
keys { ( csk | ksk | zsk ) key-directory <replaceable>duration</replaceable> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
keys { ( csk | ksk | zsk ) key-directory lifetime <replaceable>duration</replaceable> algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
parent-ds-ttl <replaceable>duration</replaceable>;
parent-propagation-delay <replaceable>duration</replaceable>;
parent-registration-delay <replaceable>duration</replaceable>;
publish-safety <replaceable>duration</replaceable>;
retire-safety <replaceable>duration</replaceable>;
signatures-refresh <replaceable>duration</replaceable>;
signatures-validity <replaceable>duration</replaceable>;
signatures-validity-dnskey <replaceable>duration</replaceable>;
zone-max-ttl <replaceable>duration</replaceable>;
zone-propagation-delay <replaceable>duration</replaceable>;
};
</literallayout>
</refsection>
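Review bot: in the `keys { ... }` grammar the trailing `[ <replaceable>integer</replaceable> ]` stays unlabelled while `lifetime` and `algorithm` now carry keywords, so a reader cannot tell that it is the key size; give it a descriptive `<replaceable>` name or explain it in the prose. The five options added around it (parent-ds-ttl, parent-propagation-delay, parent-registration-delay, zone-max-ttl, zone-propagation-delay) also need entries in the dnssec-policy description, since this hunk only extends the syntax block.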
......
......@@ -6257,8 +6257,11 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
strcasecmp(ztypestr, "master") == 0 ||
strcasecmp(ztypestr, "secondary") == 0 ||
strcasecmp(ztypestr, "slave") == 0) &&
cfg_map_get(zoptions, "inline-signing", &signing) == ISC_R_SUCCESS &&
cfg_obj_asboolean(signing))
((cfg_map_get(zoptions, "inline-signing", &signing) ==
ISC_R_SUCCESS && cfg_obj_asboolean(signing)) ||
(cfg_map_get(zoptions, "dnssec-policy", &signing) ==
ISC_R_SUCCESS && signing != NULL &&
strcmp(cfg_obj_asstring(signing), "none") != 0)))
{
dns_zone_getraw(zone, &raw);
if (raw == NULL) {
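Review bot: `signing` is reused for two different objects, first the boolean `inline-signing` and then the string `dnssec-policy`, so the name no longer describes it and the second `cfg_map_get()` silently overwrites the first result; a separate `policy` object would make the condition readable. The `signing != NULL` test following `ISC_R_SUCCESS` also appears redundant, since `cfg_map_get()` sets the object whenever it succeeds.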
......
......@@ -1197,18 +1197,21 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
if (ztype != dns_zone_stub && ztype != dns_zone_staticstub &&
ztype != dns_zone_redirect) {
obj = NULL;
result = cfg_map_get(zoptions, "dnssec-policy", &obj);
result = named_config_get(maps, "dnssec-policy", &obj);
if (result == ISC_R_SUCCESS) {
kaspname = cfg_obj_asstring(obj);
result = dns_kasplist_find(kasplist, kaspname, &kasp);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, named_g_lctx,
ISC_LOG_ERROR,
"'dnssec-policy '%s' not found ",
kaspname);
RETERR(result);
if (strcmp(kaspname, "none") != 0) {
result = dns_kasplist_find(kasplist, kaspname,
&kasp);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, named_g_lctx,
ISC_LOG_ERROR,
"'dnssec-policy '%s' not "
"found ", kaspname);
RETERR(result);
}
dns_zone_setkasp(zone, kasp);
}
dns_zone_setkasp(zone, kasp);
}
obj = NULL;
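Review bot: the log message `"'dnssec-policy '%s' not " "found "` carries an unbalanced leading quote and a trailing space inherited from the old line; since the line is being rewritten anyway, make it `"dnssec-policy '%s' not found"`. With the `strcmp(kaspname, "none")` guard, `kasp` stays NULL and `dns_zone_setkasp()` is skipped for such zones, which is right, but a one-line comment saying that `none` is the inheritance breaker would save the next reader a trip to the commit message.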
......@@ -1500,38 +1503,52 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
bool allow = false, maint = false;
bool sigvalinsecs;
obj = NULL;
result = named_config_get(maps, "dnskey-sig-validity", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
seconds = cfg_obj_asuint32(obj) * 86400;
if (kasp) {
seconds = (uint32_t) dns_kasp_sigvalidity_dnskey(kasp);
} else {
obj = NULL;
result = named_config_get(maps, "dnskey-sig-validity",
&obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
seconds = cfg_obj_asuint32(obj) * 86400;
}
dns_zone_setkeyvalidityinterval(zone, seconds);
obj = NULL;
result = named_config_get(maps, "sig-validity-interval", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
if (kasp) {
seconds = (uint32_t) dns_kasp_sigvalidity(kasp);
dns_zone_setsigvalidityinterval(zone, seconds);
seconds = (uint32_t) dns_kasp_sigrefresh(kasp);
dns_zone_setsigresigninginterval(zone, seconds);
} else {
obj = NULL;
result = named_config_get(maps, "sig-validity-interval",
&obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
sigvalinsecs = ns_server_getoption(named_g_server->sctx,
NS_SERVER_SIGVALINSECS);
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity);
if (!sigvalinsecs) {
seconds *= 86400;
}
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else if (!sigvalinsecs) {
if (seconds > 7 * 86400) {
seconds = cfg_obj_asuint32(resign) * 86400;
sigvalinsecs = ns_server_getoption(named_g_server->sctx,
NS_SERVER_SIGVALINSECS);
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity);
if (!sigvalinsecs) {
seconds *= 86400;
}
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else if (!sigvalinsecs) {
seconds = cfg_obj_asuint32(resign);
if (seconds > 7 * 86400) {
seconds *= 86400;
} else {
seconds *= 3600;
}
} else {
seconds = cfg_obj_asuint32(resign) * 3600;
seconds = cfg_obj_asuint32(resign);
}
} else {
seconds = cfg_obj_asuint32(resign);
dns_zone_setsigresigninginterval(zone, seconds);
}
dns_zone_setsigresigninginterval(zone, seconds);
obj = NULL;
result = named_config_get(maps, "key-directory", &obj);
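Review bot: the `} else if (!sigvalinsecs) {` branch changes behaviour: it now assigns `seconds = cfg_obj_asuint32(resign);` before testing `if (seconds > 7 * 86400)`, so the comparison is made against the re-sign value instead of the validity interval as in the old code (`if (seconds > 7 * 86400) { seconds = cfg_obj_asuint32(resign) * 86400;`). A re-sign value is a small count of days or hours and will practically never exceed 604800, so the day unit is never chosen any more. Keep the validity interval in its own variable, compare that, and then scale the re-sign value.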
......@@ -1560,12 +1577,20 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
cfg_obj_asboolean(obj));
/*
* This setting will be ignored if dnssec-policy is used.
* named-checkconf will error if both are configured.
*/
obj = NULL;
result = named_config_get(maps, "dnssec-dnskey-kskonly", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
cfg_obj_asboolean(obj));
/*
* This setting will be ignored if dnssec-policy is used.
* named-checkconf will error if both are configured.
*/
obj = NULL;
result = named_config_get(maps, "dnssec-loadkeys-interval",
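Review bot: both added comments ("This setting will be ignored if dnssec-policy is used...") sit after the block they describe, so the first reads as if it belonged to `dnssec-dnskey-kskonly` and the second as if it belonged to `dnssec-loadkeys-interval`; move each comment above the `named_config_get()` of the option it refers to (`update-check-ksk` and `dnssec-dnskey-kskonly`).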
......@@ -1576,7 +1601,11 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL;
result = cfg_map_get(zoptions, "auto-dnssec", &obj);
if (result == ISC_R_SUCCESS) {
if (dns_zone_getkasp(zone) != NULL) {
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true);
} else if (result == ISC_R_SUCCESS) {
const char *arg = cfg_obj_asstring(obj);
if (strcasecmp(arg, "allow") == 0) {
allow = true;
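Review bot: when `dns_zone_getkasp(zone) != NULL` the result of the `auto-dnssec` lookup is discarded, so a zone that sets both gets ALLOW, CREATE and MAINTAIN regardless of what `auto-dnssec` said; the comments added for `update-check-ksk` say named-checkconf errors on such combinations, so confirm that check also covers `auto-dnssec`, or log the conflict here. Doing the `cfg_map_get()` only in the `else if` path would avoid the unused lookup.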
......@@ -1589,6 +1618,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
ISC_UNREACHABLE();
}
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
}
}
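Review bot: `DNS_ZONEKEY_CREATE` is now set to false explicitly in the `auto-dnssec` branch and to true in the dnssec-policy branch, but the remaining case (neither option present) leaves it untouched; if the zone object is reused on reconfigure, a zone that drops its `dnssec-policy` keeps CREATE set. Clearing it in that path too makes the three cases symmetric.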
......
......@@ -443,7 +443,8 @@
allowed to incrementally re-sign over time.
</para>
<para>
This command requires that the
This command requires that the zone is configured with a
<command>dnssec-policy</command>, or that the
<command>auto-dnssec</command> zone option
be set to <literal>maintain</literal>,
and also requires the zone to be configured to
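Review bot: "requires that the zone is configured with" should read "requires that the zone be configured with", matching the subjunctive "be set" used for `auto-dnssec` in the next clause.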
......@@ -849,7 +850,8 @@
re-signed with the new key set.
</para>
<para>
This command requires that the
This command requires that the zone is configured with a
<command>dnssec-policy</command>, or that the
<command>auto-dnssec</command> zone option be set
to <literal>allow</literal> or
<literal>maintain</literal>,
......
......@@ -9,12 +9,14 @@
* information regarding copyright ownership.
*/
options {
dnssec-policy "notatzonelevel";
// Using the keyword 'default' is not allowed.
dnssec-policy "default" {
signatures-refresh P5D;
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "default";
};
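Review bot: this file used to check that `dnssec-policy "notatzonelevel"` inside `options` is rejected; options-level policies are now allowed, so it only tests that a policy may not be named `default`. The `zone "example.net"` block referencing `"default"` is legal on its own and is not what triggers the error, so either drop it or say in the comment that the definition is the expected failure.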
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// Using the keyword 'none' is not allowed.
dnssec-policy "none" {
signatures-refresh P5D;
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "none";
};
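Review bot: the header comment says using the keyword `none` is not allowed, yet the zone block ends with `dnssec-policy "none";`, which is the supported way to break inheritance; make the comment say that the `dnssec-policy "none" { ... }` definition is the error, so the zone line is not mistaken for the bad part.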
......@@ -17,9 +17,9 @@
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
ksk key-directory P1Y 13 256;
zsk key-directory P30D 13;
csk key-directory P30D 8 2048;
ksk key-directory lifetime P1Y algorithm 13 256;
zsk key-directory lifetime P30D algorithm 13;
csk key-directory lifetime P30D algorithm 8 2048;
};
publish-safety PT3600S;
retire-safety PT3600S;
......@@ -37,11 +37,20 @@ options {
};
zone "example1" {
type master;
dnssec-policy "test";
file "example1.db";
};
zone "example2" {
type master;
dnssec-policy "default";
file "example2.db";
dnssec-policy "test";
};
zone "example3" {
type master;
file "example3.db";
dnssec-policy "default";
};
zone "example4" {
type master;
file "example4.db";
dnssec-policy "none";
};
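Review bot: all four zones in this block set `dnssec-policy` explicitly, so good.conf no longer exercises a zone that inherits its policy; that case is only covered by the `dnssec-inherit` zone in good-kasp.conf. If this file is meant as the broad syntax check, one zone without the statement would catch a checkconf regression in inheritance handling.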
......@@ -14,6 +14,24 @@
*/
/* cut here */
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
ksk key-directory lifetime P1Y algorithm 13 256;
zsk key-directory lifetime P30D algorithm 13;
csk key-directory lifetime P30D algorithm 8 2048;
};
publish-safety PT3600S;
retire-safety PT3600S;
signatures-refresh P3D;
signatures-validity P2W;
signatures-validity-dnskey P14D;
zone-max-ttl 86400;
zone-propagation-delay PT5M;
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
parent-registration-delay P1D;
};
options {
avoid-v4-udp-ports {
100;
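Review bot: the policy mixes bare-second values (`zone-max-ttl 86400;`, `parent-ds-ttl 7200;`) with ISO 8601 durations (`PT5M`, `P1D`) although the ARM grammar in this patch declares all of them as `duration`; if bare integers are accepted as seconds that is fine, but the example would be clearer in one notation, or the documentation should say that both forms are accepted for `duration` arguments.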
......@@ -60,6 +78,7 @@ options {
validate-except {
"corp";
};
dnssec-policy "test";
transfer-source 0.0.0.0 dscp 63;
zone-statistics none;
};
......@@ -140,6 +159,28 @@ view "third" {
};
};
};
view "fourth" {
zone "dnssec-test" {
type master;
file "dnssec-test.db";
dnssec-policy "test";
};
zone "dnssec-default" {
type master;
file "dnssec-default.db";
dnssec-policy "default";
};
zone "dnssec-inherit" {
type master;
file "dnssec-inherit.db";
};
zone "dnssec-none" {
type master;
file "dnssec-none.db";
dnssec-policy "none";
};
dnssec-policy "default";
};
view "chaos" chaos {
zone "hostname.bind" chaos {
type master;
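Review bot: the view-level `dnssec-policy "default";` is placed after the four zones at the end of view "fourth"; parsing is whole-file so inheritance still works, but putting the view-level statement first makes it obvious that `dnssec-inherit` is expected to end up with `default` (from the view) rather than `test` (from options).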
......
......@@ -8,4 +8,8 @@ clone IN third in-view first
dnssec IN third master
p IN third primary
s IN third secondary
dnssec-test IN fourth master
dnssec-default IN fourth master
dnssec-inherit IN fourth master
dnssec-none IN fourth master
hostname.bind chaos chaos master
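Review bot: the expected output only records zone name, view and type (`dnssec-inherit IN fourth master`), so it does not assert which policy the inherited zone resolved to; the interesting case is that the view-level `default` wins over the options-level `test`, and an output column carrying the effective policy name would turn that into a real check.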
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
The test setup for the KASP tests.
ns1 is reserved for the root server.
ns2 is running primary service for ns3.
ns3 is an authoritative server for the various test domains.
ns4 and ns5 are authoritative servers for various test domains related to views.
......@@ -13,5 +13,14 @@ set -e
rm -f ./keygen.*
rm -f ./K*.private ./K*.key ./K*.state ./K*.cmp
rm -f ./keys/K*
rmdir ./keys/
rm -rf ./keys/
rm -f dig.out* rrsig.out.* keyevent.out.*
rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
rm -f ns*/*.jnl ns*/*.jbk
rm -f ns*/K*.private ns*/K*.key ns*/K*.state
rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
rm -f ns*/managed-keys.bind
rm -f ns*/*.mkeys
# NS3 specific
rm -f ns3/zones ns3/*.db.infile
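Review bot: `rm -f ns*/*.db` removes every zone file under the ns directories, which is only safe because setup.sh regenerates them from the `.db.in` and `.in` templates; a zone file that is ever checked in directly would be deleted by clean.sh, so anchoring the pattern to generated names (or keeping an explicit list) would be safer. `rm -rf ./keys/` in place of `rmdir` is fine now that the directory may be non-empty.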
......@@ -17,9 +17,9 @@ dnssec-policy "kasp" {
dnskey-ttl 200;
keys {
csk key-directory P1Y 13;
ksk key-directory P1Y 8;
zsk key-directory P30D 8 1024;
zsk key-directory P6M 8 2000;
csk key-directory lifetime P1Y algorithm 13;
ksk key-directory lifetime P1Y algorithm 8;
zsk key-directory lifetime P30D algorithm 8 1024;
zsk key-directory lifetime P6M algorithm 8 2000;
};
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS2
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
dnssec-policy "none";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
/* Inherit dnssec-policy (which is none) */
zone "unsigned.tld" {
type master;
file "unsigned.tld.db";
};
/* Override dnssec-policy */
zone "signed.tld" {
type master;
dnssec-policy "default";
file "signed.tld.db";
};
/* Primary service for ns3 */
zone "secondary.kasp" {
type master;
file "secondary.kasp.db";
allow-transfer { 10.53.0.3; };
notify yes;
};
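Review bot: `allow-transfer { any; };` at options level applies to `unsigned.tld` and `signed.tld`, while `secondary.kasp` narrows it to 10.53.0.3; harmless in the harness, but the comment on `secondary.kasp` should also say that the zone inherits `dnssec-policy "none"` here, so ns2 hands the unsigned copy to ns3, which signs it under its own policy; that is what the inline-signing tests depend on.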
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA secondary.kasp. hostmaster.kasp. (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
NS ns3
ns2 A 10.53.0.2
ns3 A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
c A 10.0.0.3
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA secondary.kasp. hostmaster.kasp. (
2 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
NS ns3
ns2 A 10.53.0.2
ns3 A 10.53.0.3
a A 10.0.0.11
b A 10.0.0.2
c A 10.0.0.3
d A 10.0.0.4
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
echo_i "ns2/setup.sh"
zone="secondary.kasp"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zonefile}.in"
cp $infile $zonefile
zone="signed.tld"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="template.tld.db.in"
cp $infile $zonefile
zone="unsigned.tld"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="template.tld.db.in"
cp $infile $zonefile
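Review bot: `cp $infile $zonefile` is unquoted in all three places; the file carries a `# shellcheck source=conf.sh` directive and shellcheck will flag these as SC2086, so use `cp "$infile" "$zonefile"`. A loop over the three zone names would also remove the repeated four-line block.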
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA secondary.kasp. hostmaster.kasp. (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
ns2 A 10.53.0.2
a A 10.0.0.1
b A 10.0.0.2
c A 10.0.0.3
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS3
include "policies/kasp.conf";
include "policies/autosign.conf";
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
dnssec-policy "rsasha1";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
/* Zones that are getting initially signed */
/* The default case: No keys created, using default policy. */
zone "default.kasp" {
type master;
file "default.kasp.db";
dnssec-policy "default";
};
/* A master zone with dnssec-policy, no keys created. */
zone "rsasha1.kasp" {
type master;
file "rsasha1.kasp.db";
dnssec-policy "rsasha1";
};
/* A zone that inherits dnssec-policy. */
zone "inherit.kasp" {
type master;
file "inherit.kasp.db";
};
/* A zone that overrides dnssec-policy. */
zone "unsigned.kasp" {
type master;
file "unsigned.kasp.db";
dnssec-policy "none";
};
/* A master zone with dnssec-policy but keys already created. */
zone "dnssec-keygen.kasp" {
type master;
file "dnssec-keygen.kasp.db";
dnssec-policy "rsasha1";
};
/* A secondary zone with dnssec-policy. */
zone "secondary.kasp" {
type secondary;
masters { 10.53.0.2; };
file "secondary.kasp.db";
dnssec-policy "rsasha1";
};
/*
* A configured dnssec-policy but some keys already created.
*/
zone "some-keys.kasp" {
type master;
file "some-keys.kasp.db";
dnssec-policy "rsasha1";
};
/*
* A configured dnssec-policy but some keys already in use.
*/
zone "legacy-keys.kasp" {
type master;
file "legacy-keys.kasp.db";
dnssec-policy "rsasha1";
};
/*
* A configured dnssec-policy with (too) many keys pregenerated.
*/
zone "pregenerated.kasp" {
type master;
file "pregenerated.kasp.db";
dnssec-policy "rsasha1";
};
/*
* Different algorithms.
*/
zone "rsasha1-nsec3.kasp" {
type master;
file "rsasha1-nsec3.kasp.db";
dnssec-policy "rsasha1-nsec3";
};
zone "rsasha256.kasp" {
type master;
file "rsasha256.kasp.db";
dnssec-policy "rsasha256";
};
zone "rsasha512.kasp" {
type master;
file "rsasha512.kasp.db";
dnssec-policy "rsasha512";
};
zone "ecdsa256.kasp" {
type master;
file "ecdsa256.kasp.db";
dnssec-policy "ecdsa256";
};
zone "ecdsa384.kasp" {
type master;
file "ecdsa384.kasp.db";
dnssec-policy "ecdsa384";
};
/*
* Zones in different signing states.
*/
/*
* Zone that has expired signatures.
*/
zone "expired-sigs.autosign" {
type master;
file "expired-sigs.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has valid, fresh signatures.
*/
zone "fresh-sigs.autosign" {
type master;
file "fresh-sigs.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has unfresh signatures.
*/
zone "unfresh-sigs.autosign" {
type master;
file "unfresh-sigs.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has missing private ZSK.
*/
zone "zsk-missing.autosign" {
type master;
file "zsk-missing.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has inactive ZSK.
*/
zone "zsk-retired.autosign" {
type master;
file "zsk-retired.autosign.db";
dnssec-policy "autosign";
};
/*
* Zones for testing ZSK Pre-Publication steps.
*/
zone "step1.zsk-prepub.autosign" {
type master;
file "step1.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
zone "step2.zsk-prepub.autosign" {
type master;
file "step2.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
zone "step3.zsk-prepub.autosign" {
type master;
file "step3.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
zone "step4.zsk-prepub.autosign" {
type master;
file "step4.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
zone "step5.zsk-prepub.autosign" {
type master;
file "step5.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
/*
* Zones for testing KSK Double-KSK steps.
*/
zone "step1.ksk-doubleksk.autosign" {
type master;
file "step1.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
zone "step2.ksk-doubleksk.autosign" {
type master;
file "step2.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
zone "step3.ksk-doubleksk.autosign" {
type master;
file "step3.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
zone "step4.ksk-doubleksk.autosign" {
type master;
file "step4.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
zone "step5.ksk-doubleksk.autosign" {
type master;
file "step5.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
zone "step6.ksk-doubleksk.autosign" {
type master;
file "step6.ksk-doubleksk.autosign.db";
dnssec-policy "ksk-doubleksk";
};
/*
* Zones for testing CSK rollover steps.
*/
zone "step1.csk-roll.autosign" {
type master;
file "step1.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step2.csk-roll.autosign" {
type master;
file "step2.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step3.csk-roll.autosign" {
type master;
file "step3.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step4.csk-roll.autosign" {
type master;
file "step4.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step5.csk-roll.autosign" {
type master;
file "step5.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step6.csk-roll.autosign" {
type master;
file "step6.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step7.csk-roll.autosign" {
type master;
file "step7.csk-roll.autosign.db";
dnssec-policy "csk-roll";
};
zone "step1.csk-roll2.autosign" {
type master;
file "step1.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step2.csk-roll2.autosign" {
type master;
file "step2.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step3.csk-roll2.autosign" {
type master;
file "step3.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step4.csk-roll2.autosign" {
type master;
file "step4.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step5.csk-roll2.autosign" {
type master;
file "step5.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
zone "step6.csk-roll2.autosign" {
type master;
file "step6.csk-roll2.autosign.db";
dnssec-policy "csk-roll2";
};
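Review bot: the comment on zone "inherit.kasp" does not say which policy the zone ends up with; because the options block sets `dnssec-policy "rsasha1";`, that is the policy it inherits, and naming it the way the ns4/ns5 configs do ("Inherit dnssec-policy 'test'") makes the expected signing state readable from the config alone, e.g. `/* A zone that inherits dnssec-policy "rsasha1" from options. */`.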
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "autosign" {
signatures-refresh P1W;
signatures-validity P2W;
signatures-validity-dnskey P2W;
dnskey-ttl 300;
keys {
ksk key-directory lifetime P2Y algorithm 13;
zsk key-directory lifetime P1Y algorithm 13;
};
};
dnssec-policy "zsk-prepub" {
signatures-refresh P1W;
signatures-validity P2W;
signatures-validity-dnskey P2W;
dnskey-ttl 3600;
publish-safety P1D;
retire-safety P2D;
keys {
ksk key-directory lifetime P2Y algorithm 13;
zsk key-directory lifetime P30D algorithm 13;
};
zone-propagation-delay PT1H;
zone-max-ttl 1d;
};
dnssec-policy "ksk-doubleksk" {
signatures-refresh P1W;
signatures-validity P2W;
signatures-validity-dnskey P2W;
dnskey-ttl 2h;
publish-safety P1D;
retire-safety P2D;
keys {
ksk key-directory lifetime P60D algorithm 13;
zsk key-directory lifetime P1Y algorithm 13;
};
zone-propagation-delay PT1H;
zone-max-ttl 1d;
parent-ds-ttl 3600;
parent-registration-delay P1D;
parent-propagation-delay PT1H;
};
dnssec-policy "csk-roll" {
signatures-refresh P5D;
signatures-validity 30d;
signatures-validity-dnskey 30d;
dnskey-ttl 1h;
publish-safety PT1H;
retire-safety 2h;
keys {
csk key-directory lifetime P6M algorithm 13;
};
zone-propagation-delay 1h;
zone-max-ttl P1D;
parent-ds-ttl 1h;
parent-registration-delay 1d;
parent-propagation-delay 1h;
};
dnssec-policy "csk-roll2" {
signatures-refresh 12h;
signatures-validity P1D;
signatures-validity-dnskey P1D;
dnskey-ttl 1h;
publish-safety PT1H;
retire-safety 1h;
keys {
csk key-directory lifetime P6M algorithm 13;
};
zone-propagation-delay PT1H;
zone-max-ttl 1d;
parent-ds-ttl PT1H;
parent-registration-delay P1W;
parent-propagation-delay PT1H;
};
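Review bot: the duration notation is mixed inside single policies (in "zsk-prepub", `zone-propagation-delay PT1H;` sits beside `zone-max-ttl 1d;`; in "csk-roll", `publish-safety PT1H;` beside `retire-safety 2h;`). If that is deliberate, to exercise both the ISO 8601 duration parser and the BIND TTL-style shorthand, a one-line comment at the top of the file saying so would stop a later cleanup from normalising it away; if it is not, pick one notation per file.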
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "rsasha1" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 5;
zsk key-directory lifetime P5Y algorithm 5;
zsk key-directory lifetime P1Y algorithm 5 2000;
};
};
dnssec-policy "rsasha1-nsec3" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 7;
zsk key-directory lifetime P5Y algorithm 7;
zsk key-directory lifetime P1Y algorithm 7 2000;
};
};
dnssec-policy "rsasha256" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 8;
zsk key-directory lifetime P5Y algorithm 8;
zsk key-directory lifetime P1Y algorithm 8 2000;
};
};
dnssec-policy "rsasha512" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 10;
zsk key-directory lifetime P5Y algorithm 10;
zsk key-directory lifetime P1Y algorithm 10 2000;
};
};
dnssec-policy "ecdsa256" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 13;
zsk key-directory lifetime P5Y algorithm 13;
zsk key-directory lifetime P1Y algorithm 13 256;
};
};
dnssec-policy "ecdsa384" {
dnskey-ttl 1234;
keys {
ksk key-directory lifetime P10Y algorithm 14;
zsk key-directory lifetime P5Y algorithm 14;
zsk key-directory lifetime P1Y algorithm 14 384;
};
};
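Review bot: the "rsasha1" and "rsasha1-nsec3" policies (algorithms 5 and 7) depend on SHA-1 signing, which RFC 8624 lists as not recommended for signing and which some crypto providers (FIPS-mode OpenSSL, for one) refuse outright, so key generation for these zones fails on such builds. Since ns3's options block also makes "rsasha1" the server-wide default, every inheriting zone on ns3 is affected too; consider guarding the SHA-1 zones with a feature check and defaulting the server to one of the ECDSA policies defined here.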
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns3
ns3 A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
c A 10.0.0.3
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA mname1. . (
2 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns3
ns3 A 10.53.0.3
a A 10.0.0.11
b A 10.0.0.2
c A 10.0.0.3
d A 10.0.0.4
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS4
key "sha1" {
algorithm "hmac-sha1";
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
};
key "sha224" {
algorithm "hmac-sha224";
secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
};
key "sha256" {
algorithm "hmac-sha256";
secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
};
dnssec-policy "test" {
keys {
csk key-directory lifetime 0 algorithm 14;
};
};
options {
query-source address 10.53.0.4;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion no;
dnssec-policy "test";
};
view "inherit" {
match-clients { key "sha1"; };
/* Inherit dnssec-policy 'test' */
zone "inherit.inherit.signed" {
type master;
file "inherit.inherit.signed.db";
};
/* Override dnssec-policy */
zone "override.inherit.signed" {
type master;
dnssec-policy "default";
file "override.inherit.signed.db";
};
/* Unset dnssec-policy */
zone "none.inherit.signed" {
type master;
dnssec-policy "none";
file "none.inherit.signed.db";
};
};
view "override" {
match-clients { key "sha224"; };
dnssec-policy "default";
/* Inherit dnssec-policy 'test' */
zone "inherit.override.signed" {
type master;
file "inherit.override.signed.db";
};
/* Override dnssec-policy */
zone "override.override.signed" {
type master;
dnssec-policy "test";
file "override.override.signed.db";
};
/* Unset dnssec-policy */
zone "none.override.signed" {
type master;
dnssec-policy "none";
file "none.override.signed.db";
};
};
view "none" {
match-clients { key "sha256"; };
dnssec-policy "none";
/* Inherit dnssec-policy 'none' */
zone "inherit.none.signed" {
type master;
file "inherit.none.signed.db";
};
/* Override dnssec-policy */
zone "override.none.signed" {
type master;
dnssec-policy "test";
file "override.none.signed.db";
};
/* Unset dnssec-policy */
zone "none.none.signed" {
type master;
dnssec-policy "none";
file "none.none.signed.db";
};
};
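Review bot: the comment on zone "inherit.override.signed" is wrong: view "override" sets `dnssec-policy "default";`, so the zone inherits 'default', not 'test' as `/* Inherit dnssec-policy 'test' */` claims. The ns5 counterpart (view "override", zone "inherit.override.unsigned") already reads `/* Inherit dnssec-policy 'default' */`; align this one with it so the comment matches what the test checks.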
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
echo_i "ns4/setup.sh"
#
# Set up zones that potentially will be initially signed.
#
for zn in inherit.inherit override.inherit none.inherit \
inherit.override override.override none.override \
inherit.none override.none none.none
do
zone="$zn.signed"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
cp template.db.in $zonefile
done
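Review bot: `cp template.db.in $zonefile` leaves the variable unquoted (shellcheck SC2086); the zone names here contain no whitespace so it is harmless today, but the file already carries a `# shellcheck source=conf.sh` directive, so keeping it lint-clean with `cp template.db.in "$zonefile"` is cheap. The same line appears in ns5/setup.sh.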
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns4
ns4 A 10.53.0.4
a A 10.0.0.1
b A 10.0.0.2
c A 10.0.0.3
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS5
key "sha1" {
algorithm "hmac-sha1";
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
};
key "sha224" {
algorithm "hmac-sha224";
secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
};
key "sha256" {
algorithm "hmac-sha256";
secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
};
dnssec-policy "test" {
keys {
csk key-directory lifetime 0 algorithm 14;
};
};
options {
query-source address 10.53.0.5;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion no;
dnssec-policy "none";
};
view "inherit" {
match-clients { key "sha1"; };
/* Inherit dnssec-policy 'none' */
zone "inherit.inherit.unsigned" {
type master;
file "inherit.inherit.unsigned.db";
};
/* Override dnssec-policy */
zone "override.inherit.unsigned" {
type master;
dnssec-policy "default";
file "override.inherit.unsigned.db";
};
/* Unset dnssec-policy */
zone "none.inherit.unsigned" {
type master;
dnssec-policy "none";
file "none.inherit.unsigned.db";
};
};
view "override" {
match-clients { key "sha224"; };
dnssec-policy "default";
/* Inherit dnssec-policy 'default' */
zone "inherit.override.unsigned" {
type master;
file "inherit.override.unsigned.db";
};
/* Override dnssec-policy */
zone "override.override.unsigned" {
type master;
dnssec-policy "test";
file "override.override.unsigned.db";
};
/* Unset dnssec-policy */
zone "none.override.unsigned" {
type master;
dnssec-policy "none";
file "none.override.unsigned.db";
};
};
view "none" {
match-clients { key "sha256"; };
dnssec-policy "none";
/* Inherit dnssec-policy 'none' */
zone "inherit.none.unsigned" {
type master;
file "inherit.none.unsigned.db";
};
/* Override dnssec-policy */
zone "override.none.unsigned" {
type master;
dnssec-policy "test";
file "override.none.unsigned.db";
};
/* Unset dnssec-policy */
zone "none.none.unsigned" {
type master;
dnssec-policy "none";
file "none.none.unsigned.db";
};
};
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
echo_i "ns5/setup.sh"
#
# Set up zones that potentially will be initially signed.
#
for zn in inherit.inherit override.inherit none.inherit \
inherit.override override.override none.override \
inherit.none override.none none.none
do
zone="$zn.unsigned"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
cp template.db.in $zonefile
done
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns5
ns5 A 10.53.0.5
a A 10.0.0.1
b A 10.0.0.2
c A 10.0.0.3
......@@ -17,3 +17,26 @@ set -e
$SHELL clean.sh
mkdir keys
copy_setports ns2/named.conf.in ns2/named.conf
copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
# Setup zones
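Review bot: `mkdir keys` runs under `set -e` directly after `$SHELL clean.sh`, so the whole setup aborts if a stale keys directory survives cleaning (for instance after a later edit to clean.sh); `mkdir -p keys`, or an explicit `rm -rf keys` before it, keeps setup.sh idempotent.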