bind9/bin/tests/system/dnssec
Matthijs Mekking 4dee3d149c Add test for ZSK rollover while KSK offline
This commit adds a lengthy test where the ZSK is rolled but the
KSK is offline (except for when the DNSKEY RRset is changed).  The
specific scenario has the `dnskey-kskonly` configuration option set
meaning the DNSKEY RRset should only be signed with the KSK.

A new zone `updatecheck-kskonly.secure` is added to test against,
that can be dynamically updated, and that can be controlled with rndc
to load the DNSSEC keys.

There are some pre-checks for this test to make sure everything is
fine before the ZSK roll, after the new ZSK is published, and after
the old ZSK is deleted.  Note there are actually two ZSK rolls in
quick succession.

When the latest added ZSK becomes active and its predecessor becomes
inactive, the KSK is offline.  However, the DNSKEY RRset did not
change and it has a good signature that is valid for long enough.
The expected behavior is that the DNSKEY RRset stays signed with
the KSK only (signature does not need to change).  However, the
test will fail because after reconfiguring the keys for the zone,
it wants to add re-sign tasks for the new active keys (in sign_apex).
Because the KSK is offline, named determines that the only other
active key, the latest ZSK, will be used to resign the DNSKEY RRset,
in addition to keeping the RRSIG of the KSK.

The question is: Why do we need to resign the DNSKEY RRset
immediately when a new key becomes active?  This is not required;
only once the next resign task is triggered should the new active key
replace signatures that are in need of refreshing.

(cherry picked from commit 8bc10bcf59)
2019-04-12 11:33:06 +02:00
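A check for the property the commit above expects under `dnskey-kskonly` (RRSIGs over the DNSKEY RRset made by the KSK alone), added here as an example and not taken from BIND's own system tests; the zone name comes from the commit, while the key bytes, signature bytes and timestamps are constructed and the function names are chosen here:

```python
# Added example (not BIND's own test code): checks the dnskey-kskonly
# property from the commit above. All key/signature bytes are constructed.
import base64
import struct

def dnskey_keytag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithm != 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet if i & 1 else octet << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(line):
    """'owner ttl IN DNSKEY flags proto alg base64...' -> (keytag, flags)."""
    f = line.split()
    pubkey = base64.b64decode("".join(f[7:]))
    return dnskey_keytag(int(f[4]), int(f[5]), int(f[6]), pubkey), int(f[4])

def rrsig_keytag(line):
    """'owner ttl IN RRSIG DNSKEY alg labels ottl exp inc keytag signer sig' -> keytag."""
    f = line.split()
    assert f[3] == "RRSIG" and f[4] == "DNSKEY", "not an RRSIG over DNSKEY"
    return int(f[10])

def check_kskonly(dnskey_lines, rrsig_lines):
    """ok only if every RRSIG over DNSKEY is by a KSK (SEP bit set) and at least one exists."""
    ksk_tags = {tag for tag, flags in map(parse_dnskey, dnskey_lines) if flags & 1}
    signers = {rrsig_keytag(line) for line in rrsig_lines}
    offenders = signers - ksk_tags  # ZSK or unknown key tags that signed DNSKEY
    return {"ok": bool(signers & ksk_tags) and not offenders,
            "ksk_signers": sorted(signers & ksk_tags),
            "non_ksk_signers": sorted(offenders)}

ZONE = "updatecheck-kskonly.secure."

def _dnskey(flags, raw):  # constructed key bytes, not real algorithm 13 keys
    return f"{ZONE} 300 IN DNSKEY {flags} 3 13 {base64.b64encode(raw).decode()}"

def _rrsig(keytag):  # constructed signature; only the key tag field is inspected
    return (f"{ZONE} 300 IN RRSIG DNSKEY 13 2 300 20190501000000 20190401000000 "
            f"{keytag} {ZONE} c2lnbmF0dXJl")

SAMPLE_DNSKEYS = [_dnskey(257, b"\x01\x02"), _dnskey(256, b"\x03\x04"),  # KSK, old ZSK
                  _dnskey(256, b"\x05\x06")]                             # newest ZSK
KSK_TAG, NEW_ZSK_TAG = parse_dnskey(SAMPLE_DNSKEYS[0])[0], parse_dnskey(SAMPLE_DNSKEYS[2])[0]
GOOD = check_kskonly(SAMPLE_DNSKEYS, [_rrsig(KSK_TAG)])  # KSK offline, RRSIG kept as-is
BAD = check_kskonly(SAMPLE_DNSKEYS, [_rrsig(KSK_TAG), _rrsig(NEW_ZSK_TAG)])  # commit's failure
```

`BAD` reproduces the state the commit reports: the KSK's RRSIG is still there, but a second RRSIG by the newest ZSK appears, which the check flags in `non_ksk_signers`.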
ns1 Run the dnssec system tests with set -e enabled 2018-12-10 19:47:32 +01:00
ns2 Add test for ZSK rollover while KSK offline 2019-04-12 11:33:06 +02:00
ns3 test correct occlusion of DNSSEC records 2019-02-28 16:06:38 -08:00
ns4 add a test case 2018-10-04 23:33:18 -07:00
ns5 Run the dnssec system tests with set -e enabled 2018-12-10 19:47:32 +01:00
ns6 add properly-formatted -D options to named.args files 2019-01-28 19:58:24 -08:00
ns7 Run the dnssec system tests with set -e enabled 2018-12-10 19:47:32 +01:00
signer Remove $Id markers, Principal Author and Reviewed tags from the full source tree 2018-05-11 13:17:46 +02:00
clean.sh Add test for ZSK rollover while KSK offline 2019-04-12 11:33:06 +02:00
dnssec_update_test.pl Update license headers to not include years in copyright in all applicable files 2018-02-23 10:12:02 +01:00
ntadiff.pl Update license headers to not include years in copyright in all applicable files 2018-02-23 10:12:02 +01:00
prereq.sh Run the dnssec system tests with set -e enabled 2018-12-10 19:47:32 +01:00
README Remove $Id markers, Principal Author and Reviewed tags from the full source tree 2018-05-11 13:17:46 +02:00
setup.sh Run the dnssec system tests with set -e enabled 2018-12-10 19:47:32 +01:00
tests.sh Add test for ZSK rollover while KSK offline 2019-04-12 11:33:06 +02:00

Copyright (C) Internet Systems Consortium, Inc. ("ISC")

See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.

The test setup for the DNSSEC tests has a secure root.

ns1 is the root server.

ns2 and ns3 are authoritative servers for the various test domains.

ns4 is a caching-only server, configured with the correct trusted key
for the root.

ns5 is a caching-only server, configured with an incorrect trusted
key for the root.  It is used for testing failure cases.

ns6 is a caching-only server configured to use DLV.

ns7 is used for checking non-cacheable answers.