Commit c40c1ebc authored by Matthijs Mekking's avatar Matthijs Mekking 🏡
Browse files

Test keymgr2kasp state from timing metadata

Add two test zones that migrate to dnssec-policy. Test if the key
states are set accordingly given the timing metadata.

The rumoured.kasp zone has its Publish/Active/SyncPublish times set
not too long ago so the key states should be set to RUMOURED. The
omnipresent.kasp zone has its Publish/Active/SyncPublish times set
long enough to set the key states to OMNIPRESENT.

Slightly change the init_migration_keys function to set the
key lifetime to "none" (legacy keys don't have lifetime). Then in the
test case set the expected key lifetime explicitly.
parent f6fa2542
......@@ -18,6 +18,27 @@ dnssec-policy "migrate" {
};
};
dnssec-policy "timing-metadata" {
dnskey-ttl 300;
signatures-refresh P1W;
signatures-validity P2W;
signatures-validity-dnskey P2W;
keys {
ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
};
// Together 12h
zone-propagation-delay 3600;
max-zone-ttl 11h;
// Together 3h
parent-propagation-delay pt1h;
parent-ds-ttl 7200;
};
/*
* This policy tests migration from existing keys with 1024 bits RSASHA1 keys
* to ECDSAP256SHA256 keys.
......
......@@ -43,6 +43,24 @@ zone "migrate.kasp" {
update-check-ksk yes;
};
zone "rumoured.kasp" {
type primary;
file "rumoured.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
zone "omnipresent.kasp" {
type primary;
file "omnipresent.kasp.db";
auto-dnssec maintain;
allow-update { any; };
dnssec-dnskey-kskonly yes;
update-check-ksk yes;
};
zone "migrate-nomatch-algnum.kasp" {
type primary;
file "migrate-nomatch-algnum.kasp.db";
......
......@@ -42,6 +42,20 @@ zone "migrate.kasp" {
dnssec-policy "migrate";
};
zone "rumoured.kasp" {
type primary;
file "rumoured.kasp.db";
allow-update { any; };
dnssec-policy "timing-metadata";
};
zone "omnipresent.kasp" {
type primary;
file "omnipresent.kasp.db";
allow-update { any; };
dnssec-policy "timing-metadata";
};
zone "migrate-nomatch-algnum.kasp" {
type primary;
file "migrate-nomatch-algnum.kasp.db";
......
......@@ -85,3 +85,37 @@ cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 5 "$KSK" >> "$infile"
private_type_record $zone 5 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
#
# Set up zones to test time metadata correctly sets state.
#
# Key states expected to be rumoured after migration.
setup rumoured.kasp
echo "$zone" >> zones
Tds="now-2h"
Tkey="now-300s"
Tsig="now-11h"
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Key states expected to be omnipresent after migration.
setup omnipresent.kasp
echo "$zone" >> zones
Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h" # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
......@@ -89,7 +89,7 @@ init_migration_keys() {
key_clear "KEY1"
key_set "KEY1" "LEGACY" "yes"
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
set_keylifetime "KEY1" "none"
set_keyalgorithm "KEY1" "$1" "$2" "$3"
set_keysigning "KEY1" "yes"
set_zonesigning "KEY1" "no"
......@@ -97,7 +97,7 @@ init_migration_keys() {
key_clear "KEY2"
key_set "KEY2" "LEGACY" "yes"
set_keyrole "KEY2" "zsk"
set_keylifetime "KEY2" "5184000"
set_keylifetime "KEY2" "none"
set_keyalgorithm "KEY2" "$1" "$2" "$4"
set_keysigning "KEY2" "no"
set_zonesigning "KEY2" "yes"
......@@ -143,6 +143,46 @@ dnssec_verify
_migrate_ksk=$(key_get KEY1 ID)
_migrate_zsk=$(key_get KEY2 ID)
#
# Testing key states derived from key timing metadata (rumoured).
#
set_zone "rumoured.kasp"
set_policy "none" "2" "300"
set_server "ns3" "10.53.0.3"
init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
init_migration_states "omnipresent" "rumoured"
# Make sure the zone is signed with legacy keys.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify
# Remember legacy key tags.
_rumoured_ksk=$(key_get KEY1 ID)
_rumoured_zsk=$(key_get KEY2 ID)
#
# Testing key states derived from key timing metadata (omnipresent).
#
set_zone "omnipresent.kasp"
set_policy "none" "2" "300"
set_server "ns3" "10.53.0.3"
init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
init_migration_states "omnipresent" "omnipresent"
# Make sure the zone is signed with legacy keys.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
dnssec_verify
# Remember legacy key tags.
_omnipresent_ksk=$(key_get KEY1 ID)
_omnipresent_zsk=$(key_get KEY2 ID)
#
# Testing migration with unmatched existing keys (different algorithm).
#
......@@ -290,8 +330,10 @@ set_server "ns3" "10.53.0.3"
# However, because the zsk has a lifetime, kasp will set the retired time.
init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
init_migration_states "omnipresent" "rumoured"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"
set_keylifetime "KEY1" "${Lksk}"
set_keylifetime "KEY2" "${Lzsk}"
# Various signing policy checks.
check_keys
......@@ -337,13 +379,9 @@ set_server "ns3" "10.53.0.3"
# The legacy keys need to be retired, but otherwise stay present until the
# new keys are omnipresent, and can be used to construct a chain of trust.
init_migration_keys "5" "RSASHA1" "2048" "1024"
init_migration_states "omnipresent" "omnipresent"
key_set "KEY1" "LEGACY" "no"
set_keystate "KEY1" "GOAL" "hidden"
key_set "KEY2" "LEGACY" "no"
set_keystate "KEY2" "GOAL" "hidden"
init_migration_states "hidden" "omnipresent"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"
set_keyrole "KEY3" "ksk"
set_keylifetime "KEY3" "0"
......@@ -457,13 +495,9 @@ set_server "ns3" "10.53.0.3"
# The legacy keys need to be retired, but otherwise stay present until the
# new keys are omnipresent, and can be used to construct a chain of trust.
init_migration_keys "5" "RSASHA1" "1024" "1024"
init_migration_states "omnipresent" "omnipresent"
key_set "KEY1" "LEGACY" "no"
set_keystate "KEY1" "GOAL" "hidden"
key_set "KEY2" "LEGACY" "no"
set_keystate "KEY2" "GOAL" "hidden"
init_migration_states "hidden" "omnipresent"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"
set_keyrole "KEY3" "ksk"
set_keylifetime "KEY3" "0"
......@@ -565,8 +599,126 @@ echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing key
ret=0
[ $_migratenomatch_alglen_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_migratenomatch_alglen_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
########################################################
# Testing key states derived from key timing metadata. #
########################################################
# Policy parameters.
# KSK has lifetime of 60 days (5184000 seconds).
# The KSK is removed after Iret = DprpP + TTLds + retire-safety =
# 4h = 14400 seconds.
Lksk=5184000
IretKSK=14400
# ZSK has lifetime of 60 days (5184000 seconds).
# The ZSK is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety =
# 181h = 651600 seconds.
Lzsk=5184000
IretZSK=651600
#
# Testing rumoured state.
#
set_zone "rumoured.kasp"
set_policy "timing-metadata" "2" "300"
set_server "ns3" "10.53.0.3"
# Key properties, timings and metadata should be the same as legacy keys above.
init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
init_migration_states "omnipresent" "rumoured"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"
set_keylifetime "KEY1" "${Lksk}"
set_keylifetime "KEY2" "${Lzsk}"
# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Set expected key times:
#
# Tds="now-2h" (7200)
# Tkey="now-300s" (300)
# Tsig="now-11h" (39600)
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -300
set_addkeytime "KEY1" "ACTIVE" "${created}" -300
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -7200
set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -300
set_addkeytime "KEY2" "ACTIVE" "${created}" -39600
set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify
# Check key tags, should be the same.
n=$((n+1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
[ $_rumoured_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_rumoured_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
#
# Testing omnipresent state.
#
set_zone "omnipresent.kasp"
set_policy "timing-metadata" "2" "300"
set_server "ns3" "10.53.0.3"
# Key properties, timings and metadata should be the same as legacy keys above.
init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
init_migration_states "omnipresent" "omnipresent"
key_set "KEY1" "LEGACY" "no"
key_set "KEY2" "LEGACY" "no"
set_keylifetime "KEY1" "${Lksk}"
set_keylifetime "KEY2" "${Lzsk}"
# Various signing policy checks.
check_keys
wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Set expected key times:
#
# Tds="now-3h" (10800)
# Tkey="now-3900s" (3900)
# Tsig="now-12h" (43200)
created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
# Continue signing policy checks.
check_keytimes
check_apex
check_subdomain
dnssec_verify
# Check key tags, should be the same.
n=$((n+1))
echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)"
ret=0
[ $_omnipresent_ksk = $(key_get KEY1 ID) ] || log_error "mismatch ksk tag"
[ $_omnipresent_zsk = $(key_get KEY2 ID) ] || log_error "mismatch zsk tag"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
######################################
# Testing good migration with views. #
######################################
......@@ -685,9 +837,8 @@ echo_i "${time_passed} seconds passed between start of tests and reconfig"
set_zone "view-rsasha256.kasp"
set_policy "rsasha256" "3" "300"
set_server "ns4" "10.53.0.4"
init_migration_match
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
set_keyalgorithm "KEY2" "8" "RSASHA256" "1024"
init_migration_keys "8" "RSASHA256" "2048" "1024"
init_migration_states "omnipresent" "rumoured"
# Key properties, timings and metadata should be the same as legacy keys above.
# However, because the keys have a lifetime, kasp will set the retired time.
key_set "KEY1" "LEGACY" "no"
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment