diff --git a/bin/tests/system/keymgr2kasp/ns3/kasp.conf.in b/bin/tests/system/keymgr2kasp/ns3/kasp.conf.in
index d43b62953c..0dae201728 100644
--- a/bin/tests/system/keymgr2kasp/ns3/kasp.conf.in
+++ b/bin/tests/system/keymgr2kasp/ns3/kasp.conf.in
@@ -63,15 +63,15 @@ dnssec-policy "migrate-nomatch-algnum" {
 };
 /*
- * This policy tests migration from existing keys with 1024 bits RSASHA1 keys
- * to 2048 bits RSASHA1 keys.
+ * This policy tests migration from existing keys with 2048 bits RSASHA256 keys
+ * to 3072 bits RSASHA256 keys.
  */
 dnssec-policy "migrate-nomatch-alglen" {
 dnskey-ttl 300;
 keys {
-ksk key-directory lifetime unlimited algorithm rsasha1 2048;
-zsk key-directory lifetime P60D algorithm rsasha1 2048;
+ksk key-directory lifetime unlimited algorithm rsasha256 3072;
+zsk key-directory lifetime P60D algorithm rsasha256 3072;
 };
 // Together 12h
diff --git a/bin/tests/system/keymgr2kasp/ns3/setup.sh b/bin/tests/system/keymgr2kasp/ns3/setup.sh
index 4378a46b4c..6c1d0a5dcc 100644
--- a/bin/tests/system/keymgr2kasp/ns3/setup.sh
+++ b/bin/tests/system/keymgr2kasp/ns3/setup.sh
@@ -62,7 +62,7 @@ $SIGNER -S -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
 # time the existing keys do not match the policy. The existing keys are
-# RSASHA1 keys, and will be migrated to a dnssec-policy that dictates
+# RSASHA256 keys, and will be migrated to a dnssec-policy that dictates
 # ECDSAP256SHA256 keys.
 setup migrate-nomatch-algnum.kasp
 echo "$zone" >> zones
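Review bot: The rewritten comment in the migrate-nomatch-alglen block reads awkwardly ("existing keys with 2048 bits RSASHA256 keys") and does not say which side of the mismatch this policy represents; since ns3/setup.sh generates the 2048-bit legacy keys and this policy is the 3072-bit target, the comment could state that directly: ` * This policy tests migration from existing 2048-bit RSASHA256 keys` / ` * to the 3072-bit RSASHA256 keys that this policy requires.` The other comment blocks in the file use the same "N bits" phrasing, so this is a wording suggestion only, not a correctness issue.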
@@ -71,8 +71,8 @@ Tkey="now-3900s" # DNSKEY TTL + propagation delay
 Tsig="now-12h" # Zone's maximum TTL + propagation delay
 ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
 zsktimes="-P ${Tkey} -A ${Tsig}"
-KSK=$($KEYGEN -a RSASHA1 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 5 "$KSK" >> "$infile"
 private_type_record $zone 5 "$ZSK" >> "$infile"
@@ -80,8 +80,8 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
 # time the existing keys do not match the policy. The existing keys are
-# 1024 bits RSASHA1 keys, and will be migrated to a dnssec-policy that
-# dictates 2048 bits RSASHA1 keys.
+# 2048 bits RSASHA256 keys, and will be migrated to a dnssec-policy that
+# dictates 3072 bits RSASHA256 keys.
 setup migrate-nomatch-alglen.kasp
 echo "$zone" >> zones
 Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
@@ -89,8 +89,8 @@ Tkey="now-3900s" # DNSKEY TTL + propagation delay
 Tsig="now-12h" # Zone's maximum TTL + propagation delay
 ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
 zsktimes="-P ${Tkey} -A ${Tsig}"
-KSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 5 "$KSK" >> "$infile"
 private_type_record $zone 5 "$ZSK" >> "$infile"
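Review bot: The legacy algorithm name and key size are now hard-coded in all four keygen lines of this hunk and the @@ -89 hunk, while ns4/setup.sh already parameterises the same call with `-a $algo`; ns3/setup.sh could follow that pattern, e.g. `KSK=$($KEYGEN -a $algo -b $size -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)` with `algo=RSASHA256` and `size=2048` assigned once above the first zone, and the same substitution on the three other keygen lines. That would make the next algorithm change, which is exactly what this commit does by hand in six places, a one-line edit per file. The unquoted `$zone` in the `2> keygen.out.$zone.N` redirect is pre-existing and presumably fine for the fixed zone names this test uses, but it is worth keeping in mind if the setup ever takes zone names from outside the script.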
diff --git a/bin/tests/system/keymgr2kasp/ns4/named2.conf.in b/bin/tests/system/keymgr2kasp/ns4/named2.conf.in
index 606b14cd0a..538aedcbe2 100644
--- a/bin/tests/system/keymgr2kasp/ns4/named2.conf.in
+++ b/bin/tests/system/keymgr2kasp/ns4/named2.conf.in
@@ -37,7 +37,7 @@ controls {
 dnssec-policy "rsasha256" {
 keys {
-zsk key-directory lifetime P3M algorithm 8 1024;
+zsk key-directory lifetime P3M algorithm 8 2048;
 ksk key-directory lifetime P1Y algorithm 8 2048;
 };
diff --git a/bin/tests/system/keymgr2kasp/ns4/setup.sh b/bin/tests/system/keymgr2kasp/ns4/setup.sh
index b23344c4cb..63121a0627 100644
--- a/bin/tests/system/keymgr2kasp/ns4/setup.sh
+++ b/bin/tests/system/keymgr2kasp/ns4/setup.sh
@@ -33,7 +33,7 @@ echo "$zone" >> zones
 ksktimes="-P -186d -A -186d -P sync -186d"
 zsktimes="-P -186d -A -186d"
 KSK=$($KEYGEN -a $algo -L 300 -b 2048 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $algo -L 300 -b 1024 $zsktimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $algo -L 300 -b 2048 $zsktimes $zone 2> keygen.out.$zone.2)
 echo_i "setting up zone $zone (external)"
 view="ext"
diff --git a/bin/tests/system/keymgr2kasp/tests.sh b/bin/tests/system/keymgr2kasp/tests.sh
index 705054f542..62b58a7d78 100644
--- a/bin/tests/system/keymgr2kasp/tests.sh
+++ b/bin/tests/system/keymgr2kasp/tests.sh
@@ -278,7 +278,7 @@ set_zone "migrate-nomatch-algnum.kasp"
 set_policy "none" "2" "300"
 set_server "ns3" "10.53.0.3"
-init_migration_keys "5" "RSASHA1" "2048" "1024"
+init_migration_keys "8" "RSASHA256" "2048" "2048"
 init_migration_states "omnipresent" "omnipresent"
 # Make sure the zone is signed with legacy keys.
@@ -315,7 +315,7 @@ set_zone "migrate-nomatch-alglen.kasp"
 set_policy "none" "2" "300"
 set_server "ns3" "10.53.0.3"
-init_migration_keys "5" "RSASHA1" "1024" "1024"
+init_migration_keys "8" "RSASHA256" "2048" "2048"
 init_migration_states "omnipresent" "omnipresent"
 # Make sure the zone is signed with legacy keys.
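Review bot: With this hunk the migrate-nomatch-algnum case now starts from algorithm 8 instead of algorithm 5, so the suite no longer exercises a rollover away from RSASHA1, which is the migration operators affected by SHA-1 deprecation actually perform; the same substitution appears at @@ -315 here and at @@ -567 and @@ -683 in this file. If RSASHA1 was dropped because some crypto backends no longer provide it, keeping one RSASHA1 fixture behind a supported-algorithm check (if the harness offers one) would preserve that coverage where it can still run. If the intent is to stop testing algorithm 5 altogether, a one-line comment at this hunk such as `# RSASHA1 (5) is no longer used as the legacy algorithm; see commit message.` would spare the next reader from wondering why the "algnum" case migrates between two modern algorithms.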
@@ -567,7 +567,7 @@ set_policy "migrate-nomatch-algnum" "4" "300"
 set_server "ns3" "10.53.0.3"
 # The legacy keys need to be retired, but otherwise stay present until the
 # new keys are omnipresent, and can be used to construct a chain of trust.
-init_migration_keys "5" "RSASHA1" "2048" "1024"
+init_migration_keys "8" "RSASHA256" "2048" "2048"
 init_migration_states "hidden" "omnipresent"
 key_set "KEY1" "LEGACY" "no"
 key_set "KEY2" "LEGACY" "no"
@@ -683,20 +683,20 @@ set_server "ns3" "10.53.0.3"
 # The legacy keys need to be retired, but otherwise stay present until the
 # new keys are omnipresent, and can be used to construct a chain of trust.
-init_migration_keys "5" "RSASHA1" "1024" "1024"
+init_migration_keys "8" "RSASHA256" "2048" "2048"
 init_migration_states "hidden" "omnipresent"
 key_set "KEY1" "LEGACY" "no"
 key_set "KEY2" "LEGACY" "no"
 set_keyrole "KEY3" "ksk"
 set_keylifetime "KEY3" "0"
-set_keyalgorithm "KEY3" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
 set_keysigning "KEY3" "yes"
 set_zonesigning "KEY3" "no"
 set_keyrole "KEY4" "zsk"
 set_keylifetime "KEY4" "5184000"
-set_keyalgorithm "KEY4" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY4" "8" "RSASHA256" "3072"
 set_keysigning "KEY4" "no"
 # This key is considered to be prepublished, so it is not yet signing.
 set_zonesigning "KEY4" "no"
@@ -956,7 +956,7 @@ set_policy "rsasha256" "2" "300"
 set_server "ns4" "10.53.0.4"
 init_view_migration
 set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "1024"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
 TSIG="$DEFAULT_HMAC:external:$VIEW1"
 wait_for_nsec
 # Make sure the zone is signed with legacy keys.
@@ -986,7 +986,7 @@ set_policy "rsasha256" "2" "300"
 set_server "ns4" "10.53.0.4"
 init_view_migration
 set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "1024"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
 TSIG="$DEFAULT_HMAC:internal:$VIEW2"
 wait_for_nsec
 # Make sure the zone is signed with legacy keys.
@@ -1026,7 +1026,7 @@ echo_i "${time_passed} seconds passed between start of tests and reconfig"
 set_zone "view-rsasha256.kasp"
 set_policy "rsasha256" "3" "300"
 set_server "ns4" "10.53.0.4"
-init_migration_keys "8" "RSASHA256" "2048" "1024"
+init_migration_keys "8" "RSASHA256" "2048" "2048"
 init_migration_states "omnipresent" "rumoured"
 # Key properties, timings and metadata should be the same as legacy keys above.
 # However, because the keys have a lifetime, kasp will set the retired time.
@@ -1045,7 +1045,7 @@ set_keystate "KEY2" "GOAL" "hidden"
 set_keystate "KEY3" "GOAL" "omnipresent"
 set_keyrole "KEY3" "zsk"
 set_keylifetime "KEY3" "8035200"
-set_keyalgorithm "KEY3" "8" "RSASHA256" "1024"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
 set_keysigning "KEY3" "no"
 set_zonesigning "KEY3" "no" # not yet
 set_keystate "KEY3" "STATE_DNSKEY" "rumoured"