upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/bin/tests
History
Matthijs Mekking 7f43520893 Test migration to dnssec-policy, retire old keys 
Migrating from 'auto-dnssec maintain;' to dnssec-policy did not
work properly, mainly because the legacy keys were initialized
badly.  Earlier commit deals with migration where existing keys
match the policy.  This commit deals with migration where existing
keys do not match the policy.  In that case, named must not
immediately delete the existing keys, but gracefully roll to the
dnssec-policy.

However, named did remove the existing keys immediately.  This is
because the legacy key states were initialized badly.  Because
those keys had their states initialized to HIDDEN or RUMOURED, the
keymgr decides that they can be removed (because only when the key
has its states in OMNIPRESENT it can be used safely).

The original thought to initialize key states to HIDDEN (and
RUMOURED to deal with existing keys) was to ensure that those keys
will go through the required propagation time before the keymgr
decides they can be used safely.  However, those keys are already
in the zone for a long time and making the key states represent
otherwise is dangerous: keys may be pulled out of the zone while
in fact they are required to establish the chain of trust.

Fix initializing key states for existing keys by looking more closely
at the time metadata.  Add TTL and propagation delays to the time
metadata and see if the DNSSEC records have been propagated.
Initialize the state to OMNIPRESENT if so, otherwise initialize to
RUMOURED.  If the time metadata is in the future, or does not exist,
keep initializing the state to HIDDEN.

The added test makes sure that new keys matching the policy are
introduced, but existing keys are kept in the zone until the new
keys have been propagated.
2020-04-03 08:29:22 +02:00
..
bigtest update file headers 2018-03-15 18:33:13 -07:00
optional Fix 'Dereference of null pointer' from scan-build-10 2020-03-25 17:33:22 +01:00
pkcs11 Add ZLIB_LIBS to ISCLIBS 2020-02-28 15:22:29 +01:00
startperf Remove $Id markers, Principal Author and Reviewed tags from the full source tree 2018-05-11 13:17:46 +02:00
system Test migration to dnssec-policy, retire old keys 2020-04-03 08:29:22 +02:00
testdata/wire move all optional tests from bin/tests to bin/tests/optional 2018-03-09 14:12:47 -08:00
win32 Make VS solution upgrading unnecessary 2019-09-26 15:11:15 +02:00
.gitignore Remove genrandom command and all usage of specific random files throughout the system test suite 2018-05-16 09:54:35 +02:00
cfg_test.c Refactor the isc_log API so it cannot fail on memory failures 2020-03-18 09:05:59 +01:00
fromhex.pl Update license headers to not include years in copyright in all applicable files 2018-02-23 10:12:02 +01:00
headerdep_test.sh.in Remove $Id markers, Principal Author and Reviewed tags from the full source tree 2018-05-11 13:17:46 +02:00
Makefile.in Improve the backtrace to print symbols when backtrace_symbols() is available 2020-03-11 20:32:21 +01:00
makejournal.c Refactor the isc_log API so it cannot fail on memory failures 2020-03-18 09:05:59 +01:00
named.conf update documentation 2019-06-05 07:49:57 -07:00
prepare-softhsm2.sh Fix "pkcs11" system test 2020-03-04 16:06:31 +00:00
wire_test.c Reformat using the new rules 2020-02-14 09:31:05 +01:00