Commit cf147ad5 authored by Jan Včelák's avatar Jan Včelák :rocket:

DNSSEC: functional tests for KSK and ZSK constraints

parent e4a14806
#!/bin/sh
#
# Run this script every 50 years to refresh the keys. :-)
#
set -xe
TIME_PAST="-50y"
TIME_FUTURE="+50y"
keygen()
{
dnssec-keygen -r/dev/urandom $@
}
dir=$(pwd)
keydir=$(mktemp -d)
pushd "$keydir"
#
# valid scenarios
#
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_ok
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST rsa_ok
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST rsa_ecdsa_ok
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_ecdsa_ok
keygen -a ECDSAP256SHA256 -P $TIME_PAST -A $TIME_PAST rsa_ecdsa_ok
keygen -a ECDSAP256SHA256 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_ecdsa_ok
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_ecdsa_roll_ok
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST rsa_ecdsa_roll_ok
keygen -a ECDSAP256SHA256 -P $TIME_FUTURE -A $TIME_PAST rsa_ecdsa_roll_ok
#
# invalid scenarios
#
keygen -a RSASHA256 -b 2048 -P $TIME_FUTURE -A $TIME_FUTURE -f KSK rsa_future_all
keygen -a RSASHA256 -b 1024 -P $TIME_FUTURE -A $TIME_FUTURE rsa_future_all
keygen -a RSASHA512 -b 2048 -P $TIME_FUTURE -A $TIME_PAST -f KSK rsa_future_publish
keygen -a RSASHA256 -b 1024 -P $TIME_FUTURE -A $TIME_PAST rsa_future_publish
keygen -a RSASHA512 -b 2048 -P $TIME_PAST -A $TIME_FUTURE -f KSK rsa_future_active
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_FUTURE rsa_future_active
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_inactive_zsk
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_FUTURE rsa_inactive_zsk
keygen -a RSASHA256 -b 2048 -P $TIME_FUTURE -A $TIME_FUTURE -f KSK rsa_no_zsk
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST rsa_no_zsk
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_twice_ksk
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_twice_ksk
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_ecdsa_ksk_only
keygen -a RSASHA256 -b 1024 -P $TIME_PAST -A $TIME_PAST rsa_ecdsa_ksk_only
keygen -a ECDSAP256SHA256 -P $TIME_PAST -A $TIME_PAST -f KSK rsa_ecdsa_ksk_only
keygen -a RSASHA256 -b 2048 -P $TIME_PAST -A $TIME_PAST -f KSK rsa256_rsa512
keygen -a RSASHA512 -b 2048 -P $TIME_PAST -A $TIME_PAST rsa256_rsa512
tar czf "$dir/keys.tgz" K*.{key,private}
popd
rm -rf "$keydir"
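Review bot: The script declares `#!/bin/sh` but relies on `pushd`/`popd` (lines 25 and 59) and on the brace expansion `K*.{key,private}` in the `tar` call, none of which POSIX sh guarantees; on a system where /bin/sh is dash it aborts at the `pushd` before a single key is generated. Either change the shebang to `#!/bin/bash`, or use `cd "$keydir"` / `cd "$dir"` and spell out the two globs as `K*.key K*.private`. The wrapper should also forward its arguments as `dnssec-keygen -r/dev/urandom "$@"` so quoting survives, and a `trap 'rm -rf "$keydir"' EXIT` right after `mktemp -d` would clean up the temporary directory when `set -e` stops the script on a failed keygen instead of leaving it behind. Since the `.private` files end up in the committed tarball, these keys are effectively public; a header comment such as `# Test fixtures only: the private keys are published in the repository, never reuse them.` would make that explicit.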
#!/usr/bin/env python3
"""
Validate ZSK and KSK constrains checks.
"""
import tarfile
import os.path
import dnstest.zonefile
from dnstest.test import Test
TEST_CASES = {
# valid cases
"rsa_ok": True,
"rsa_ecdsa_ok": True,
"rsa_ecdsa_roll_ok": True,
# invalid cases
"rsa_future_all": False,
"rsa_future_publish": False,
"rsa_future_active": False,
"rsa_inactive_zsk": False,
"rsa_no_zsk": False,
"rsa_twice_ksk": False,
"rsa_ecdsa_ksk_only": False,
"rsa256_rsa512": False,
}
t = Test()
knot = t.server("knot")
knot.dnssec_enable = True
# setup keys
keys_archive = os.path.join(t.data_dir, "keys.tgz")
with tarfile.open(keys_archive, "r:*") as tar:
tar.extractall(knot.keydir)
# setup zones
zones = []
for zone_name in TEST_CASES:
zone = dnstest.zonefile.ZoneFile(t.zones_dir)
zone.set_name(zone_name)
zone.gen_file(dnssec=False, nsec3=False, records=5)
zones.append(zone)
t.link(zones, knot)
t.start()
for zone, valid in TEST_CASES.items():
expected_rcode = "NOERROR" if valid else "SERVFAIL"
knot.dig(zone, "SOA").check(rcode=expected_rcode)
t.end()
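Review bot: `tar.extractall(knot.keydir)` on line 91 unpacks every archive member without inspecting its name, so a member carrying an absolute path or a `..` component would be written outside the key directory. The archive is a checked-in fixture, so the practical exposure is low, but restricting extraction to plain key files costs two lines: `members = [m for m in tar.getmembers() if m.isfile() and os.path.basename(m.name) == m.name]` followed by `tar.extractall(knot.keydir, members=members)`; on interpreters that support it, `filter="data"` achieves the same. The module docstring on line 64 also misspells `constraints` as `constrains`.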