add keyusage test

05686add · Filip Široký · Filip Siroky · 088b1803 · 05686add · 05686add
Commit 05686add authored 8 years ago by Filip Široký Committed by Filip Siroky 8 years ago
--- a/tests-extra/tests/dnssec/keyusage/data/keys/keys/712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2.pem
+++ b/tests-extra/tests/dnssec/keyusage/data/keys/keys/712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2.pem
+-----BEGIN PRIVATE KEY-----
+MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAybrKa545nAsfsu9m
+RYuyTg0WmUquP2MIwHCCRFHBTX7x9oxuj78yXtCZghZjm+GSl698kMBwm0V/2JbG
+pApgDwIDAQABAkB1bfzDZNnYUkljmiSIu2dSNCBBn82LLJU9oMDUEFtcRk7gdyS2
+taDBh6eCZVUsGErDg4kCHIQdrFjD0MuouXIBAiEA6NqaRS0mkuHiO2J+4XTCRzMV
+w3Bu+K88BfqFIkDQKoECIQDdyCx66rvJ8YApy7Tt86hM/chNjFg+j4ZknxM3RF2i
+jwIgFmJNSjEY8C2+ra6+O7YZpvaGNQ9t24Ic5wY6HhzU5gECIQDRcLIguf/xa3E/
+BzKr7Agp/Rfls/25xsyBxX/eF1/dnQIhAI+z7XQNd/cZUD1TwdziKBuWBDcYp/qH
+DmKe/7Xh+MZJ
+-----END PRIVATE KEY-----
--- a/tests-extra/tests/dnssec/keyusage/data/keys/keys/7a3500c7feac3fd99f09a208a83b97f7455fa3e0.pem
+++ b/tests-extra/tests/dnssec/keyusage/data/keys/keys/7a3500c7feac3fd99f09a208a83b97f7455fa3e0.pem
+-----BEGIN PRIVATE KEY-----
+MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAu9eosHX/Ag8J0r71
+lT9tzQeWbEZRAOZY8w+zC4hqTvtAZeE9SsB+ppoNM8bvdaxLVQNIIKKqOxsteOZY
+xMFicQIDAQABAkEAtXq84oeNsRqAXhjaQbB/T8gV31PsLNdfdq1jSTAprVVOmHSk
+CfKq30FOdIXnlLum2kypxejpdHGocI1rqZLzBQIhAOoPNuh/k3NeEau2VZt9dENN
+JL4ByVpMG2gMjiucHl57AiEAzXNc16CmvEfQ/i3JhEhbb1I8o7QGsOk9v8MP/DEz
+pQMCIF8EcCjwaX6DKK9JpPUrd8A+l/TeqswSa2nQ9wIzLYzzAiEAzBl4+DV+rrjh
+pEE0WpfPTe3yk+Z6ZzGuyFwt+ymd1qUCIBzE561e4uE5tyPB46ybM/029/GFa89z
+0D1ZBKVF7AWi
+-----END PRIVATE KEY-----
--- a/tests-extra/tests/dnssec/keyusage/data/keys/keys/f3b8db9d60fb412d0363dd0c0ac2ea72dc212777.pem
+++ b/tests-extra/tests/dnssec/keyusage/data/keys/keys/f3b8db9d60fb412d0363dd0c0ac2ea72dc212777.pem
+-----BEGIN PRIVATE KEY-----
+MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAoQok0evOsKK3EI3P
+JrUUyheN9zAQUYQtrVK8kUdgyqy+RoW2mSMG8aw5/bjbreU/+wg0O1xmps9ndn9U
+cz+PewIDAQABAkAyHD7y12acjjVawFXKXKSYchXp6hnZ08CG42zr5AMZbYLkhhN5
+9OWULkZ0dLrwOOw/ruhQSpOc9kjrWge2yLpZAiEA0gsSz0cU8A0xQ88aQbHOi3eZ
+EXvtoj0LecrbIy+ACI8CIQDERkhiroFvauc2rAMsfsVECmFjzyacpmYxts1KjKPI
+VQIhAMBICNkdzkoPGalkvzmip10/iC3cUGd0ELxW+xMT2dZ7AiEAqGnOLq6h7aKD
+JsxOJN3aEln92xCihwPY6It8d51Z48kCIGHjbq6UmCZUrhOSHm1Xm8m80XA662aR
+w+ZLnqtUjM4N
+-----END PRIVATE KEY-----
--- a/tests-extra/tests/dnssec/keyusage/data/keys/keyusage.json
+++ b/tests-extra/tests/dnssec/keyusage/data/keys/keyusage.json
+[
+  {
+    "key_id": "f3b8db9d60fb412d0363dd0c0ac2ea72dc212777",
+    "zones": [
+      "example.com", "records"
+    ]
+  },
+  {
+    "key_id": "712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2",
+    "zones": [
+      "example.com", "records"
+    ]
+  }
+]
--- a/tests-extra/tests/dnssec/keyusage/data/keys/zone_example.com.json
+++ b/tests-extra/tests/dnssec/keyusage/data/keys/zone_example.com.json
+{
+  "keys": [
+    {
+      "id": "7a3500c7feac3fd99f09a208a83b97f7455fa3e0",
+      "keytag": 58041,
+      "algorithm": 7,
+      "public_key": "AwEAAbvXqLB1/wIPCdK+9ZU/bc0HlmxGUQDmWPMPswuIak77QGXhPUrAfqaaDTPG73WsS1UDSCCiqjsbLXjmWMTBYnE=",
+      "ksk": true,
+      "publish": "1970-01-01T00:00:01+0000",
+      "active": "1970-01-01T00:00:01+0000"
+    },
+    {
+      "id": "f3b8db9d60fb412d0363dd0c0ac2ea72dc212777",
+      "keytag": 29654,
+      "algorithm": 7,
+      "public_key": "AwEAAaEKJNHrzrCitxCNzya1FMoXjfcwEFGELa1SvJFHYMqsvkaFtpkjBvGsOf24263lP/sINDtcZqbPZ3Z/VHM/j3s=",
+      "ksk": false,
+      "publish": "1970-01-01T00:00:01+0000",
+      "active": "1970-01-01T00:00:01+0000"
+    },
+    {
+      "id": "712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2",
+      "keytag": 55574,
+      "algorithm": 7,
+      "public_key": "AwEAAcm6ymueOZwLH7LvZkWLsk4NFplKrj9jCMBwgkRRwU1+8faMbo+/Ml7QmYIWY5vhkpevfJDAcJtFf9iWxqQKYA8=",
+      "ksk": false,
+      "publish": "2040-01-01T00:00:00+0000",
+      "active": "2040-01-01T00:00:00+0000"
+    }
+  ]
+}
--- a/tests-extra/tests/dnssec/keyusage/data/keys/zone_records.json
+++ b/tests-extra/tests/dnssec/keyusage/data/keys/zone_records.json
+{
+  "keys": [
+    {
+      "id": "7a3500c7feac3fd99f09a208a83b97f7455fa3e0",
+      "keytag": 58041,
+      "algorithm": 7,
+      "public_key": "AwEAAbvXqLB1/wIPCdK+9ZU/bc0HlmxGUQDmWPMPswuIak77QGXhPUrAfqaaDTPG73WsS1UDSCCiqjsbLXjmWMTBYnE=",
+      "ksk": true,
+      "publish": "1970-01-01T00:00:01+0000",
+      "active": "1970-01-01T00:00:01+0000"
+    },
+    {
+      "id": "f3b8db9d60fb412d0363dd0c0ac2ea72dc212777",
+      "keytag": 29654,
+      "algorithm": 7,
+      "public_key": "AwEAAaEKJNHrzrCitxCNzya1FMoXjfcwEFGELa1SvJFHYMqsvkaFtpkjBvGsOf24263lP/sINDtcZqbPZ3Z/VHM/j3s=",
+      "ksk": false,
+      "publish": "1970-01-01T00:00:01+0000",
+      "active": "1970-01-01T00:00:01+0000"
+    },
+    {
+      "id": "712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2",
+      "keytag": 55574,
+      "algorithm": 7,
+      "public_key": "AwEAAcm6ymueOZwLH7LvZkWLsk4NFplKrj9jCMBwgkRRwU1+8faMbo+/Ml7QmYIWY5vhkpevfJDAcJtFf9iWxqQKYA8=",
+      "ksk": false,
+      "publish": "2040-01-01T00:00:00+0000",
+      "active": "2040-01-01T00:00:00+0000"
+    }
+  ]
+}
--- a/tests-extra/tests/dnssec/keyusage/test.py
+++ b/tests-extra/tests/dnssec/keyusage/test.py
+#!/usr/bin/env python3
+
+'''Check if dnssec keys in use are protected from being removed automatically.'''
+
+import collections
+import os
+import shutil
+import datetime
+import time
+import subprocess
+
+from dnstest.utils import *
+from dnstest.keys import Keymgr
+from dnstest.test import Test
+
+def key_set(server, zone, key_id, **new_values):
+    cmd = ["zone", "key", "set", zone, key_id]
+    for option, value in new_values.items():
+        cmd += [option, value]
+    Keymgr.run_check(server.keydir, *cmd)
+
+t = Test()
+
+knot = t.server("knot")
+zone1 = t.zone("example.com.")
+zone2 = t.zone("records.")
+zones = zone1 + zone2;
+t.link(zones, knot)
+
+shutil.copytree(os.path.join(t.data_dir, "keys"), knot.keydir)
+
+# policy parameters
+key_ttl = 10
+zone1_delay = 0
+zone2_delay = 10
+# policy
+knot.dnssec(zone1).enable = True
+knot.dnssec(zone2).enable = True
+knot.dnssec(zone1).dnskey_ttl = key_ttl
+knot.dnssec(zone2).dnskey_ttl = key_ttl
+knot.dnssec(zone1).zsk_lifetime = 10
+knot.dnssec(zone2).zsk_lifetime = 10
+knot.dnssec(zone1).propagation_delay = zone1_delay
+knot.dnssec(zone2).propagation_delay = zone2_delay
+knot.dnssec(zone1).rrsig_lifetime = 10
+knot.dnssec(zone2).rrsig_lifetime = 10
+knot.dnssec(zone1).rrsig_refresh = 5
+knot.dnssec(zone2).rrsig_refresh = 5
+knot.dnssec(zone1).alg = "rsasha1-nsec3-sha1"
+knot.dnssec(zone2).alg = "rsasha1-nsec3-sha1"
+
+# parameters
+zonename1 = zone1[0].name
+zonename2 = zone2[0].name
+
+KSK = "7a3500c7feac3fd99f09a208a83b97f7455fa3e0"
+ACTIVE = "f3b8db9d60fb412d0363dd0c0ac2ea72dc212777"
+PUBLISHED = "712d0d0d57fa0aa006b5e20cd84e23941e5f3ab2"
+
+time = str(round(time.time()) - 10)
+
+#ksk
+key_set(knot, zonename1, KSK, publish=time, active=time)
+key_set(knot, zonename2, KSK, publish=time, active=time)
+#zsk - active
+key_set(knot, zonename1, ACTIVE, publish=time, active=time)
+key_set(knot, zonename2, ACTIVE, publish=time, active=time)
+#zsk - published
+key_set(knot, zonename1, PUBLISHED, publish=time)
+key_set(knot, zonename2, PUBLISHED, publish=time)
+
+# time to rollover - dnskey_ttl + propagation delay
+zone1_time = key_ttl + zone1_delay
+zone2_time = key_ttl + zone2_delay - zone1_time
+
+t.start()
+t.sleep(zone1_time)
+# Key is used by ZONE2 - was key deleted?
+if not os.path.exists(os.path.join(knot.keydir, 'keys', ACTIVE + ".pem")):
+    set_err("MISSING KEY")
+    check_log("ERROR: Key in use deleted")
+
+if not os.path.exists(os.path.join(knot.keydir, 'keys', PUBLISHED + ".pem")):
+    set_err("NEXT KEY")
+    check_log("ERROR: Published key was deleted")
+
+t.sleep(zone2_time)
+# key is not used anymore - was key deleted?
+if os.path.exists(os.path.join(knot.keydir, 'keys', ACTIVE + ".pem")):
+    set_err("REDUNDANT KEY")
+    check_log("ERROR: Retired key was not deleted")
+
+if not os.path.exists(os.path.join(knot.keydir, 'keys', PUBLISHED + ".pem")):
+    set_err("NEXT KEY")
+    check_log("ERROR: Published key was deleted")
+
+t.end()
--- a/tests-extra/tools/dnstest/server.py
+++ b/tests-extra/tools/dnstest/server.py
@@ -41,12 +41,15 @@ class ZoneDnssec(object):
        self.alg = None
        self.ksk_size = None
        self.zsk_size = None
+        self.dnskey_ttl = None
+        self.zsk_lifetime = None
+        self.propagation_delay = None
+        self.rrsig_lifetime = None
+        self.rrsig_refresh = None
        self.nsec3 = None
        self.nsec3_iters = None
        self.nsec3_salt_lifetime = None
        self.nsec3_salt_len = None
-        self.rrsig_lifetime = None
-        self.rrsig_refresh = None

 class Zone(object):
    '''DNS zone description'''
@@ -1042,12 +1045,15 @@ class Knot(Server):
            self._str(s, "algorithm", z.dnssec.alg)
            self._str(s, "ksk_size", z.dnssec.ksk_size)
            self._str(s, "zsk_size", z.dnssec.zsk_size)
+            self._str(s, "dnskey-ttl", z.dnssec.dnskey_ttl)
+            self._str(s, "zsk-lifetime", z.dnssec.zsk_lifetime)
+            self._str(s, "propagation-delay", z.dnssec.propagation_delay)
+            self._str(s, "rrsig-lifetime", z.dnssec.rrsig_lifetime)
+            self._str(s, "rrsig-refresh", z.dnssec.rrsig_refresh)
            self._bool(s, "nsec3", z.dnssec.nsec3)
            self._str(s, "nsec3-iterations", z.dnssec.nsec3_iters)
            self._str(s, "nsec3-salt-lifetime", z.dnssec.nsec3_salt_lifetime)
            self._str(s, "nsec3-salt-length", z.dnssec.nsec3_salt_len)
-            self._str(s, "rrsig-lifetime", z.dnssec.rrsig_lifetime)
-            self._str(s, "rrsig-refresh", z.dnssec.rrsig_refresh)
        s.end()

        s.begin("template")