Commit 052ec16a authored by Matthijs Mekking's avatar Matthijs Mekking 🏡
Browse files

Merge branch 'matthijs-test-keymgr2kasp' into 'main'

Test migrating to dnssec-policy

Closes #2544

See merge request isc-projects/bind9!4758
parents ea26306e d5531df7
......@@ -198,7 +198,7 @@ endif HAVE_PERLMOD_NET_DNS_NAMESERVER
endif HAVE_PERLMOD_NET_DNS
if HAVE_PYTHON
TESTS += kasp tcp pipelined
TESTS += kasp keymgr2kasp tcp pipelined
if HAVE_PYMOD_DNS
TESTS += qmin cookie timeouts
......
......@@ -87,6 +87,7 @@ dnssec
dyndb
filter-aaaa
kasp
keymgr2kasp
legacy
logfileconfig
nzd2nzf
......
This diff is collapsed.
......@@ -12,7 +12,5 @@ ns3 is an authoritative server for the various test domains.
ns4 and ns5 are authoritative servers for various test domains related to views.
ns6 is an authoritative server that tests changes in dnssec-policy.
ns7 is an authoritative server that tests a specific case where zones
using views migrate to dnssec-policy.
ns6 is an authoritative server that tests changes in dnssec-policy (algorithm
rollover).
......@@ -36,45 +36,17 @@ controls {
inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
/* These are zones that migrate to dnssec-policy. */
zone "migrate.kasp" {
type primary;
file "migrate.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
zone "migrate-nomatch-algnum.kasp" {
type primary;
file "migrate-nomatch-algnum.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
zone "migrate-nomatch-alglen.kasp" {
type primary;
file "migrate-nomatch-alglen.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
/* These zones are going insecure. */
zone "step1.going-insecure.kasp" {
type master;
file "step1.going-insecure.kasp.db";
dnssec-policy "migrate";
dnssec-policy "unsigning";
};
zone "step1.going-insecure-dynamic.kasp" {
type master;
file "step1.going-insecure-dynamic.kasp.db";
dnssec-policy "migrate";
dnssec-policy "unsigning";
allow-update { any; };
};
......
......@@ -35,28 +35,6 @@ controls {
inet 10.53.0.6 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
/* These are zones that migrate to dnssec-policy. */
zone "migrate.kasp" {
type primary;
file "migrate.kasp.db";
allow-update { any; };
dnssec-policy "migrate";
};
zone "migrate-nomatch-algnum.kasp" {
type primary;
file "migrate-nomatch-algnum.kasp.db";
allow-update { any; };
dnssec-policy "migrate-nomatch-algnum";
};
zone "migrate-nomatch-alglen.kasp" {
type primary;
file "migrate-nomatch-alglen.kasp.db";
allow-update { any; };
dnssec-policy "migrate-nomatch-alglen";
};
/* Zones for testing going insecure. */
zone "step1.going-insecure.kasp" {
type master;
......
......@@ -9,6 +9,15 @@
* information regarding copyright ownership.
*/
dnssec-policy "unsigning" {
dnskey-ttl 7200;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "rsasha1" {
signatures-refresh P5D;
signatures-validity 30d;
......@@ -46,54 +55,3 @@ dnssec-policy "ecdsa256" {
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};
dnssec-policy "migrate" {
dnskey-ttl 7200;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
};
};
/*
* This policy tests migration from existing keys with 1024 bits RSASHA1 keys
* to ECDSAP256SHA256 keys.
*/
dnssec-policy "migrate-nomatch-algnum" {
dnskey-ttl 300;
keys {
ksk key-directory lifetime unlimited algorithm ecdsa256;
zsk key-directory lifetime P60D algorithm ecdsa256;
};
// Together 12h
zone-propagation-delay 3600;
max-zone-ttl 11h;
// Together 3h
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};
/*
* This policy tests migration from existing keys with 1024 bits RSASHA1 keys
* to 2048 bits RSASHA1 keys.
*/
dnssec-policy "migrate-nomatch-alglen" {
dnskey-ttl 300;
keys {
ksk key-directory lifetime unlimited algorithm rsasha1 2048;
zsk key-directory lifetime P60D algorithm rsasha1 2048;
};
// Together 12h
zone-propagation-delay 3600;
max-zone-ttl 11h;
// Together 3h
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};
......@@ -38,54 +38,6 @@ R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
setup migrate.kasp
echo "$zone" >> zones
ksktimes="-P now -A now -P sync now"
zsktimes="-P now -A now"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# RSASHA1 keys, and will be migrated to a dnssec-policy that dictates
# ECDSAP256SHA256 keys.
setup migrate-nomatch-algnum.kasp
echo "$zone" >> zones
Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tsig} -A ${Tsig}"
KSK=$($KEYGEN -a RSASHA1 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 5 "$KSK" >> "$infile"
private_type_record $zone 5 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# 1024 bits RSASHA1 keys, and will be migrated to a dnssec-policy that
# dictates 2048 bits RSASHA1 keys.
setup migrate-nomatch-alglen.kasp
echo "$zone" >> zones
Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tsig} -A ${Tsig}"
KSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 5 "$KSK" >> "$infile"
private_type_record $zone 5 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# The child zones (step1, step2) beneath these zones represent the various
# steps of unsigning a zone.
for zn in going-insecure.kasp going-insecure-dynamic.kasp
......
......@@ -23,7 +23,6 @@ copy_setports ns3/named.conf.in ns3/named.conf
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
copy_setports ns7/named.conf.in ns7/named.conf
if $SHELL ../testcrypto.sh ed25519; then
echo "yes" > ed25519-supported.file
......@@ -61,7 +60,3 @@ copy_setports ns6/policies/kasp.conf.in ns6/policies/kasp.conf
cd ns6
$SHELL setup.sh
)
(
cd ns7
$SHELL setup.sh
)
This diff is collapsed.
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
See COPYRIGHT in the source root or https://isc.org/copyright.html for terms.
The test setup for migrating to KASP tests.
ns3 is an authoritative server for the various test domains.
ns4 is an authoritative server that tests a specific case where zones
using views migrate to dnssec-policy.
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
rm -f ns*/K*.private ns*/K*.key ns*/K*.state
rm -f ns*/named.conf ns*/kasp.conf
rm -f ns*/named.memstats ns*/named.run
rm -f ns*/keygen.out* ns*/signer.out*
rm -f ns*/zones
rm -f ns*/dsset-*
rm -f ns*/*.db ns*/*.db.jnl ns*/*.db.jbk
rm -f ns*/*.db.signed* ns*/*.db.infile
rm -f ns*/managed-keys.bind*
rm -f ns*/*.mkeys*
rm -f ./*.created
rm -f ./created.key-*
rm -f ./dig.out*
rm -f ./python.out.*
rm -f ./retired.*
rm -f ./rndc.dnssec.*
rm -f ./unused.key*
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
dnssec-policy "migrate" {
dnskey-ttl 7200;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "timing-metadata" {
dnskey-ttl 300;
signatures-refresh P1W;
signatures-validity P2W;
signatures-validity-dnskey P2W;
keys {
ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
};
// Together 12h
zone-propagation-delay 3600;
max-zone-ttl 11h;
// Together 3h
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};
/*
* This policy tests migration from existing keys with 1024 bits RSASHA1 keys
* to ECDSAP256SHA256 keys.
*/
dnssec-policy "migrate-nomatch-algnum" {
dnskey-ttl 300;
keys {
ksk key-directory lifetime unlimited algorithm ecdsa256;
zsk key-directory lifetime P60D algorithm ecdsa256;
};
// Together 12h
zone-propagation-delay 3600;
max-zone-ttl 11h;
// Together 3h
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};
/*
* This policy tests migration from existing keys with 1024 bits RSASHA1 keys
* to 2048 bits RSASHA1 keys.
*/
dnssec-policy "migrate-nomatch-alglen" {
dnskey-ttl 300;
keys {
ksk key-directory lifetime unlimited algorithm rsasha1 2048;
zsk key-directory lifetime P60D algorithm rsasha1 2048;
};
// Together 12h
zone-propagation-delay 3600;
max-zone-ttl 11h;
// Together 3h
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS3
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
key-directory ".";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
/* These are zones that migrate to dnssec-policy. */
zone "migrate.kasp" {
type primary;
file "migrate.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
zone "rumoured.kasp" {
type primary;
file "rumoured.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
zone "omnipresent.kasp" {
type primary;
file "omnipresent.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
zone "migrate-nomatch-algnum.kasp" {
type primary;
file "migrate-nomatch-algnum.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
zone "migrate-nomatch-alglen.kasp" {
type primary;
file "migrate-nomatch-alglen.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS3
include "kasp.conf";
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
/* These are zones that migrate to dnssec-policy. */
zone "migrate.kasp" {
type primary;
file "migrate.kasp.db";
allow-update { any; };
dnssec-policy "migrate";
};
zone "rumoured.kasp" {
type primary;
file "rumoured.kasp.db";
allow-update { any; };
dnssec-policy "timing-metadata";
};
zone "omnipresent.kasp" {
type primary;
file "omnipresent.kasp.db";
allow-update { any; };
dnssec-policy "timing-metadata";
};
zone "migrate-nomatch-algnum.kasp" {
type primary;
file "migrate-nomatch-algnum.kasp.db";
allow-update { any; };
dnssec-policy "migrate-nomatch-algnum";
};
zone "migrate-nomatch-alglen.kasp" {
type primary;
file "migrate-nomatch-alglen.kasp.db";
allow-update { any; };
dnssec-policy "migrate-nomatch-alglen";
};
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. ../../conf.sh
echo_i "ns3/setup.sh"
setup() {
zone="$1"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zone}.db.infile"
}
private_type_record() {
_zone=$1
_algorithm=$2
_keyfile=$3
_id=$(keyfile_to_key_id "$_keyfile")
printf "%s. 0 IN TYPE65534 %s 5 %02x%04x0000\n" "$_zone" "\\#" "$_algorithm" "$_id"
}
# Make lines shorter by storing key states in environment variables.
H="HIDDEN"
R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
setup migrate.kasp
echo "$zone" >> zones
ksktimes="-P now -A now -P sync now"
zsktimes="-P now -A now"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# RSASHA1 keys, and will be migrated to a dnssec-policy that dictates
# ECDSAP256SHA256 keys.
setup migrate-nomatch-algnum.kasp
echo "$zone" >> zones
Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
KSK=$($KEYGEN -a RSASHA1 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 5 "$KSK" >> "$infile"
private_type_record $zone 5 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# 1024 bits RSASHA1 keys, and will be migrated to a dnssec-policy that
# dictates 2048 bits RSASHA1 keys.
setup migrate-nomatch-alglen.kasp
echo "$zone" >> zones
Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
KSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 5 "$KSK" >> "$infile"
private_type_record $zone 5