def _kasp_import_keys(self, keydir, bind_keydir, zone_name):
    """Import every BIND-style private key for *zone_name* into the KASP db at *keydir*.

    Candidate files are ``K<zone>+<alg>+<tag>.private`` in *bind_keydir*; only
    those whose ``<zone>`` label equals ``zone_name.lower()`` are imported.
    Keys are selected by file name only (the content is left to keymgr), and an
    already-present key is overwritten, which the original author judged
    harmless for this tooling.  Each import goes through ``Keymgr.run_check``,
    so a keymgr failure is presumably treated as fatal rather than ignored.

    Args:
        keydir: KASP database directory handed to keymgr.
        bind_keydir: directory holding the BIND-format key files.
        zone_name: zone FQDN with trailing dot (asserted below).
    """
    # keymgr expects an FQDN with trailing dot
    assert(zone_name.endswith("."))
    key_name_re = re.compile(r'K(?P<name>[^+]+)\+(?P<algo>\d+)\+(?P<tag>\d+)\.private')
    # escape the directory part so a dir name containing glob metacharacters
    # cannot widen the match
    pattern = "%s/K*.private" % glob.escape(bind_keydir)
    wanted = zone_name.lower()
    for key_file in glob.glob(pattern):
        match = key_name_re.match(os.path.basename(key_file))
        if match is None or match.group("name") != wanted:
            continue
        Keymgr.run_check(keydir, "zone", "key", "import", zone_name, key_file)
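def _kasp_import_keys(self, keydir, bind_keydir, zone_name):
    """Initialise a KASP db in *keydir* and import BIND-style keys for *zone_name*.

    Steps, all through the ``Keymgr`` wrapper:
      1. ``keymgr init`` and set the default policy to manual key management,
      2. add the zone if ``zone show`` does not know it yet,
      3. collect the keytags already present in the db,
      4. import every ``K<zone>+<alg>+<tag>.private`` file from *bind_keydir*
         whose ``<zone>`` label equals ``zone_name.lower()`` and whose keytag is
         not already present.

    Keys are selected by file name and keytag only; the file content is left to
    keymgr to validate.  If the key listing fails, nothing is skipped and every
    matching file is imported.

    Args:
        keydir: KASP database directory handed to keymgr.
        bind_keydir: directory holding the BIND-format key files.
        zone_name: zone FQDN with trailing dot (asserted below).
    """
    Keymgr.run(keydir, "init")
    Keymgr.run(keydir, "policy", "set", "default", "manual", "true")

    # add zone if not exists (exit code 0 == success, as for "zone show")
    exitcode, _, _ = Keymgr.run(keydir, "zone", "show", zone_name)
    if exitcode != 0:
        Keymgr.run_check(keydir, "zone", "add", zone_name)

    # retrieve existing keys (by keytag) so they are not imported twice.
    # The listing is only meaningful when keymgr succeeded; the previous
    # version parsed it on a NON-zero exit, so on success `tags` stayed empty
    # and every key was re-imported.  Lines without a "keytag N" field are
    # skipped instead of raising AttributeError on a failed re.search().
    tags = set()
    exitcode, stdout, _ = Keymgr.run(keydir, "zone", "key", "list", zone_name)
    if exitcode == 0:
        for line in stdout.splitlines():
            found = re.search(r'\bkeytag\s+(\d+)\b', line)
            if found:
                tags.add(int(found.group(1)))

    # import new keys, ignore existing (compare keytag)
    assert(zone_name.endswith("."))  # keymgr expects an FQDN with trailing dot
    key_name_re = re.compile(r'K(?P<name>[^+]+)\+(?P<algo>\d+)\+(?P<tag>\d+)\.private')
    # escape the directory part so glob metacharacters in its name cannot widen the match
    for pkey_path in glob.glob("%s/K*.private" % glob.escape(bind_keydir)):
        m = key_name_re.match(os.path.basename(pkey_path))
        if not m or m.group("name") != zone_name.lower():
            continue
        if int(m.group("tag")) in tags:
            continue
        Keymgr.run_check(keydir, "zone", "key", "import", zone_name, pkey_path)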
slave.flush() # re-sign master and check that the re-sign made nothing master.ctl("zone-sign") after_update25 = master.zones_wait(zones, after_update2, equal=False, greater=True) t.xfr_diff(master, slave, zones, no_rrsig_rdata=True) for zone in zones: slave.zone_verify(zone) if slave.log_search("no such record in zone found") or slave.log_search("fallback to AXFR"): set_err("IXFR ERROR") # update salt with keymgr and see if zone correctly re-NSEC3-d after update for z in zones1: salt = "-" if master.dnssec(z).nsec3_salt_len == 0 else "fe" * master.dnssec(z).nsec3_salt_len Keymgr.run_check(master.confile, z.name, "nsec3-salt", salt) up = master.update(z) up.add("abc." + z.name, 3600, "A", "1.2.3.4") up.send("NOERROR") t.sleep(1) slave.ctl("zone-refresh") t.sleep(3) slave.flush() for z in zones1: slave.zone_wait(z, after_update25[z.name], equal=False, greater=True) slave.zone_verify(z) t.end()
publish=tickf(2), ready=tickf(3), active=tickf(4), retire="+2h", remove="+3h") key_zsk1 = knot.key_gen(ZONE, ksk="false", created="+0", publish="+0", active="+0") # pregenerate keys, exchange KSR, pre-sign it, exchange SKR KSR = knot.keydir + "/ksr" SKR = knot.keydir + "/skr" SKR_BROKEN = SKR + "_broken" Keymgr.run_check(knot.confile, ZONE, "pregenerate", "+" + str(FUTURE)) _, out, _ = Keymgr.run_check(knot.confile, ZONE, "generate-ksr", "+0", "+" + str(FUTURE)) writef(KSR, out) _, out, _ = Keymgr.run_check(signer.confile, ZONE, "sign-ksr", KSR) writef(SKR, out) cripple_skr(SKR, SKR_BROKEN) _, out, _ = Keymgr.run_check(knot.confile, ZONE, "validate-skr", SKR_BROKEN) if out.split()[0] != "error:": set_err("keymgr validate-skr") detail_log(out) Keymgr.run_fail(knot.confile, ZONE, "import-skr", SKR_BROKEN) Keymgr.run_check(knot.confile, ZONE, "import-skr", SKR)
wait_for_rrsig_count(t, knot, "DNSKEY", 2, 3) check_revoked_key(knot) # scenario 2: plan revoked timestamp in the past wait_for_rrsig_count(t, knot, "DNSKEY", 1, 3) knot.key_gen(ZONE, ksk="true", created="+0", publish="+0", ready="+0", active="+0") knot.key_set(ZONE, KSK, retire="+0", revoke="+0", remove="+8s") t.sleep(2) knot.ctl("zone-sign") t.sleep(2) check_revoked_key(knot) # scenario 3: import revoked key from Bind wait_for_rrsig_count(t, knot, "DNSKEY", 1, 6) Keymgr.run_check(knot.confile, ZONE, "import-bind", knot.data_dir + "/Kexample.com.+013+65449.key") knot.ctl("zone-sign") t.sleep(2) check_revoked_key(knot) t.end()
slave.zonefile_load = "none" backup_dir = master.dir + "/backup" slave_bck_dir = slave.dir + "/backup" zone0_expire = 45 # zone zones[0] expiration time in its SOA valgrind_delay = 2 if slave.valgrind else 0 # allow a little time margin under Valgrind valgrind_delay += 2 # even without valgrind, add some tolerance because rounding timestamps to whole seconds multiple times t.start() serials_init = slave.zones_wait(zones) start_time = int(t.uptime()) for z in zones: if master.dnssec(z).enable: Keymgr.run_check(master.confile, z.name, "import-pub", "%s/%skey" % (t.data_dir, z.name)) master.ctl("zone-sign " + z.name) slave.zone_wait(z, serials_init[z.name]) master.ctl("zone-backup +backupdir %s" % backup_dir) slave.ctl("zone-backup %s %s +journal +backupdir %s +nozonefile" % \ (zones[0].name, zones[1].name, slave_bck_dir)) (dnskey1_1, dnskey2_1) = get_dnskeys(master, zones) t.sleep(4) for z in zones: up = master.update(z) up.delete("added.%s" % z.name, "A") up.send()
def key_set(server, zone, key_id, **new_values):
    """Run ``keymgr zone key set ZONE KEY_ID [option value]...`` on *server*'s KASP db.

    Every keyword argument becomes an ``option value`` pair, appended in the
    order the kwargs were given (e.g. ``key_set(s, "example.com.", kid,
    retire="+0", revoke="+0")``).  The values are passed through to keymgr
    unchanged.  ``Keymgr.run_check`` is used rather than ``run``, so a
    non-zero keymgr exit is presumably reported as a test failure.

    Args:
        server: object exposing ``keydir`` (the KASP database directory).
        zone: zone name as keymgr expects it.
        key_id: identifier of the key to modify.
        **new_values: keymgr timing/flag options and their values.
    """
    # flatten {"retire": "+0", ...} into ["retire", "+0", ...]
    option_tokens = [token for pair in new_values.items() for token in pair]
    Keymgr.run_check(server.keydir, "zone", "key", "set", zone, key_id, *option_tokens)