From fc9dcbf41977e512cff528ed788bacaa2fabcc93 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Tue, 9 Feb 2021 14:33:44 +0100
Subject: [PATCH] Test purge-keys option
Add some more zones to the kasp system test to test the 'purge-keys' option. Three zones test that the predecessor key files are removed after the purge keys interval, one test checks that the key files are retained if 'purge-keys' is disabled. For that, we change the times to 90 days in the past (the default value for 'purge-keys').
(cherry picked from commit 6333ff15f0356878a34fe7c15d2a7cf9d24cd2d7)
---
 bin/tests/system/kasp/ns3/named.conf.in | 20 +++
 .../system/kasp/ns3/policies/autosign.conf.in | 4 +
 bin/tests/system/kasp/ns3/setup.sh | 144 ++++++++++++++++++
 bin/tests/system/kasp/tests.sh | 63 ++++++++
 4 files changed, 231 insertions(+)
diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in
index cf454d6e9a..28e9c6aee3 100644
--- a/bin/tests/system/kasp/ns3/named.conf.in
+++ b/bin/tests/system/kasp/ns3/named.conf.in
@@ -315,6 +315,11 @@ zone "step5.zsk-prepub.autosign" {
 file "step5.zsk-prepub.autosign.db";
 dnssec-policy "zsk-prepub";
 };
+zone "step6.zsk-prepub.autosign" {
+ type primary;
+ file "step6.zsk-prepub.autosign.db";
+ dnssec-policy "zsk-prepub";
+};
 /*
 * Zones for testing KSK Double-KSK steps.
@@ -344,6 +349,11 @@ zone "step5.ksk-doubleksk.autosign" {
 file "step5.ksk-doubleksk.autosign.db";
 dnssec-policy "ksk-doubleksk";
 };
+zone "step6.ksk-doubleksk.autosign" {
+ type primary;
+ file "step6.ksk-doubleksk.autosign.db";
+ dnssec-policy "ksk-doubleksk";
+};
 /*
 * Zones for testing CSK rollover steps.
@@ -383,6 +393,11 @@ zone "step7.csk-roll.autosign" {
 file "step7.csk-roll.autosign.db";
 dnssec-policy "csk-roll";
 };
+zone "step8.csk-roll.autosign" {
+ type primary;
+ file "step8.csk-roll.autosign.db";
+ dnssec-policy "csk-roll";
+};
 zone "step1.csk-roll2.autosign" {
 type primary;
@@ -414,3 +429,8 @@ zone "step6.csk-roll2.autosign" {
 file "step6.csk-roll2.autosign.db";
 dnssec-policy "csk-roll2";
 };
+zone "step7.csk-roll2.autosign" {
+ type primary;
+ file "step7.csk-roll2.autosign.db";
+ dnssec-policy "csk-roll2";
+};
diff --git a/bin/tests/system/kasp/ns3/policies/autosign.conf.in b/bin/tests/system/kasp/ns3/policies/autosign.conf.in
index 8276e168d7..261f64d196 100644
--- a/bin/tests/system/kasp/ns3/policies/autosign.conf.in
+++ b/bin/tests/system/kasp/ns3/policies/autosign.conf.in
@@ -52,6 +52,7 @@ dnssec-policy "zsk-prepub" {
 dnskey-ttl 3600;
 publish-safety P1D;
 retire-safety P2D;
+ purge-keys PT1H;
 keys {
 ksk key-directory lifetime P2Y algorithm @DEFAULT_ALGORITHM@;
@@ -71,6 +72,7 @@ dnssec-policy "ksk-doubleksk" {
 dnskey-ttl 2h;
 publish-safety P1D;
 retire-safety P2D;
+ purge-keys PT1H;
 keys {
 ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
@@ -93,6 +95,7 @@ dnssec-policy "csk-roll" {
 dnskey-ttl 1h;
 publish-safety PT1H;
 retire-safety 2h;
+ purge-keys PT1H;
 keys {
 csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
@@ -114,6 +117,7 @@ dnssec-policy "csk-roll2" {
 dnskey-ttl 1h;
 publish-safety PT1H;
 retire-safety 1h;
+ purge-keys 0;
 keys {
 csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 9ad2e9bb35..6fbb59f0dd 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
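Review bot: `purge-keys 0;` in the csk-roll2 policy is the case the commit message describes as purging disabled, but nothing in the policy file says so, and a reader could just as well take 0 as "purge immediately". A comment on that line would prevent the misreading: `purge-keys 0; /* disabled: predecessor key files are kept (see step7.csk-roll2) */`. The three PT1H values carry the same risk in the other direction, since the 1h shift in the step6/step8 setup blocks only makes sense against this value; a one-line comment at the first of them, such as `/* purge-keys PT1H: the step6/step8 zones test removal of predecessor key files */`, ties the config to the tests that depend on it.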
@@ -504,6 +504,44 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+# Step 6:
+# The predecessor DNSKEY can be purged.
+setup step6.zsk-prepub.autosign
+# Subtract purge-keys interval from all the times (1h).
+# Tact(N) = now - 962h - 1h = now - 963h
+# Tret(N) = now - 242h - 1h = now - 243h
+# Tdea(N) = now - 49h - 1h = now - 50h
+# Trem(N) = now - 1h - 1h = now - 2h
+# Tpub(N+1) = now - 268h - 1h = now - 269h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 478h - 1h = now + 477h
+# Trem(N+1) = now + 719h - 1h = now + 718h
+TactN="now-963h"
+TretN="now-243h"
+TremN="now-2h"
+TdeaN="now-50h"
+TpubN1="now-269h"
+TactN1="${TretN}"
+TretN1="now+477h"
+TremN1="now+718h"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $H $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $ZSK1 $ZSK2
+# Sign zone.
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
 #
 # The zones at ksk-doubleksk.autosign represent the various steps of a KSK
 # Double-KSK rollover.
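Review bot: The step comment `# The predecessor DNSKEY can be purged.` does not say which time makes that true; as written, the only thing that distinguishes this step from step5 is that every time is shifted by the purge-keys interval, and the reader has to work out which of them matters. A comment tying the shift to the gate would help, e.g. `# Trem(N) is now-2h, i.e. more than purge-keys (PT1H) ago, so ZSK1's key files should be removed.` — assuming removal is keyed on the predecessor's removal time, which I infer from the commit message rather than from this hunk. The same wording applies to the step6.ksk-doubleksk and step8.csk-roll blocks later in this file.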
@@ -737,6 +775,44 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+# Step 6:
+# The predecessor DNSKEY can be purged.
+setup step6.ksk-doubleksk.autosign
+# Subtract purge-keys interval from all the times (1h).
+# Tact(N) = now - 1492h - 1h = now - 1493h
+# Tret(N) = now - 52h - 1h = now - 53h
+# Trem(N) = now - 2h - 1h = now - 3h
+# Tpub(N+1) = now - 79h - 1h = now - 80h
+# Tsbm(N+1) = now - 52h - 1h = now - 53h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 1388h - 1h = now + 1387h
+# Trem(N+1) = now + 1442h - 1h = now + 1441h
+TactN="now-1493h"
+TretN="now-53h"
+TremN="now-3h"
+TpubN1="now-80h"
+TsbmN1="now-53h"
+TactN1="${TretN}"
+TretN1="now+1387h"
+TremN1="now+1441h"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $KSK1 $KSK2
+# Sign zone.
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
 #
 # The zones at csk-roll.autosign represent the various steps of a CSK rollover
 # (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
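Review bot: In `newtimes` the successor's activation time is written as `-A ${TretN}`, although `TactN1` is defined a few lines above as `${TretN}`, the comment states `Tact(N+1) = Tret(N)`, and the csk steps in this same commit use `-A ${TactN1}`. Likewise `TsbmN1="now-53h"` repeats the value of `TretN` by hand, where the csk steps write `TsbmN1="${TretN}"`. Using `-A ${TactN1}` and `TsbmN1="${TretN}"` keeps the derivation visible in the code and prevents the two values drifting apart the next time the base times are shifted.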
@@ -992,6 +1068,40 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+# Step 8:
+# The predecessor DNSKEY can be purged.
+setup step8.csk-roll.autosign
+# Subtract purge-keys interval from all the times (1h).
+# Tact(N) = now - 5093h - 1h = now - 5094h
+# Tret(N) = now - 629h - 1h = now - 630h
+# Trem(N) = now - 2h - 1h = now - 3h
+# Tpub(N+1) = now - 632h - 1h = now - 633h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 3835h - 1h = now + 3834h
+# Trem(N+1) = now + 4462h - 1h = now + 4461h
+TactN="now-5094h"
+TretN="now-630h"
+TremN="now-3h"
+TpubN1="now-633h"
+TsbmN1="${TretN}"
+TactN1="${TretN}"
+TretN1="now+3834h"
+TremN1="now+4461h"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
 #
 # The zones at csk-roll2.autosign represent the various steps of a CSK rollover
 # (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
@@ -1208,3 +1318,37 @@ cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
 $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 7:
+# The predecessor DNSKEY can be purged, but purge-keys is disabled.
+setup step7.csk-roll2.autosign
+# Subtract 90 days (default, 2160h) from all the times.
+# Tact(N) = now - 4636h - 2160h = now - 6796h
+# Tret(N) = now - 172h - 2160h = now - 2332h
+# Trem(N) = now - 2h - 2160h = now - 2162h
+# Tpub(N+1) = now - 175h - 2160h = now - 2335h
+# Tsbm(N+1) = Tret(N)
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 4294h - 2160h = now + 2134h
+# Trem(N+1) = now + 4360h - 2160h = now + 2200h
+TactN="now-6796h"
+TretN="now-2332h"
+TremN="now-2162h"
+TpubN1="now-2335h"
+TsbmN1="${TretN}"
+TactN1="${TretN}"
+TretN1="now+2134h"
+TremN1="now+2200h"
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
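Review bot: The comment says 90 days (2160h) are subtracted from all the times, but the ZRRSIG state time in both `$SETTIME` calls is still the unshifted `now-135h`, and CSK1's DNSKEY and KRRSIG states are set with `-k $U`/`-r $U`, whereas the other three purge steps in this commit put every state of the predecessor in `$H`. If purging is only considered for a key whose states are all HIDDEN — which I infer from those other steps, not from this hunk — CSK1 here would be retained regardless of `purge-keys 0`, and the step would not show that the option is what keeps the files. Either shift `now-135h` along with the rest and use `$H` for CSK1 as step8.csk-roll does, or add a comment stating why the UNRETENTIVE states and the unshifted ZRRSIG time are deliberate for this step.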
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index cb3dee2de7..e9cd9185d0 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -3434,6 +3434,22 @@ dnssec_verify
 # policy this is: 30d - 867600s - 93600s - 3600s = 1627200 seconds.
 check_next_key_event 1627200
+#
+# Zone: step6.zsk-prepub.autosign.
+#
+set_zone "step6.zsk-prepub.autosign"
+set_policy "zsk-prepub" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# ZSK (KEY2) DNSKEY is purged.
+key_clear "KEY2"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
 #
 # Testing KSK Double-KSK rollover.
 #
@@ -3679,6 +3695,22 @@ dnssec_verify
 # 5184000 - 97200 - 180000 - 7200 = 4813200 seconds.
 check_next_key_event 4899600
+#
+# Zone: step6.ksk-doubleksk.autosign.
+#
+set_zone "step6.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "2" "7200"
+set_server "ns3" "10.53.0.3"
+# KSK (KEY1) DNSKEY is purged.
+key_clear "KEY1"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
 #
 # Testing CSK key rollover (1).
 #
@@ -4009,6 +4041,22 @@ dnssec_verify
 # Ipub: 3h (10800 seconds)
 check_next_key_event 13795200
+#
+# Zone: step8.csk-roll.autosign.
+#
+set_zone "step8.csk-roll.autosign"
+set_policy "csk-roll" "1" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) is purged.
+key_clear "KEY1"
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
 #
 # Testing CSK key rollover (2).
 #
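Review bot: The step6.zsk-prepub block ends after `dnssec_verify` without a `check_next_key_event`, although every preceding step visible in the context lines ends with one (`check_next_key_event 1627200` just above); the step6.ksk-doubleksk, step8.csk-roll and step7.csk-roll2 blocks in the following hunks have the same gap. If no further key event is expected once the predecessor is purged, the block should say so, e.g. `# No next key event: the rollover is complete and the predecessor has been purged.`; otherwise the expected interval is a check the other steps provide and these lack. Separately, `key_clear "KEY2"` is explained only by `# ZSK (KEY2) DNSKEY is purged.`, while as far as I can tell from this hunk it is the key count `"2"` handed to `set_policy` that lets `check_keys` notice the missing files; stating that (`# KEY2's key files must be gone: set_policy expects only 2 keys.`) makes the assertion explicit.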
@@ -4298,6 +4346,21 @@ dnssec_verify
 # Time passed: 175h (630000 seconds)
 check_next_key_event 15440400
+#
+# Zone: step7.csk-roll2.autosign.
+#
+set_zone "step7.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+# The old CSK (KEY1) could have been purged, but purge-keys is disabled.
+
+# Various signing policy checks.
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+check_apex
+check_subdomain
+dnssec_verify
+
 #
 # Test #2375: Scheduled rollovers are happening faster than they can finish
 #
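Review bot: The block states `# The old CSK (KEY1) could have been purged, but purge-keys is disabled.` but no line in it checks that KEY1's key files still exist; retention is presumably asserted only indirectly through the key count `"2"` passed to `set_policy`, which I infer from the other steps rather than from this hunk. If that is the mechanism, say so in the comment (`# Both key files must still exist (purge-keys 0), so set_policy expects 2 keys.`); if `check_keys` does not verify file presence, an explicit existence check for the KEY1 files is the missing assertion for the one case this commit adds to cover the disabled option.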