    def _kasp_import_keys(self, keydir, bind_keydir, zone_name):
        """Import every BIND-style private key of *zone_name* into the KASP db.

        Scans ``bind_keydir`` for ``K<name>+<algo>+<tag>.private`` files whose
        ``<name>`` equals the lower-cased ``zone_name`` and hands each one to
        ``keymgr zone key import``.  Keys that already exist are simply
        imported again; overwriting them is acceptable for this helper.

        Args:
            keydir: keymgr key directory passed on to ``Keymgr.run_check``.
            bind_keydir: directory holding the BIND key files.  It goes through
                ``glob.escape`` so glob metacharacters in the path stay literal.
            zone_name: fully-qualified zone name; must end with ``"."``.

        Raises:
            AssertionError: if ``zone_name`` does not end with a dot (note that
                ``assert`` is stripped under ``python -O``).
        """
        assert(zone_name.endswith("."))
        key_file_re = re.compile(
            r'K(?P<name>[^+]+)\+(?P<algo>\d+)\+(?P<tag>\d+)\.private')
        wanted_name = zone_name.lower()
        pattern = "%s/K*.private" % glob.escape(bind_keydir)
        for private_key in glob.glob(pattern):
            match = key_file_re.match(os.path.basename(private_key))
            if not match:
                # not a BIND key file name; ignore it
                continue
            if match.group("name") != wanted_name:
                # key belongs to another zone
                continue
            Keymgr.run_check(keydir, "zone", "key", "import", zone_name, private_key)
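    def _kasp_import_keys(self, keydir, bind_keydir, zone_name):
        """Initialise the KASP db for *zone_name* and import its BIND-style keys.

        Steps, all performed through ``Keymgr``:
          1. ``init`` the key directory and set the default policy to manual.
          2. ``zone add`` the zone when ``zone show`` reports it missing.
          3. ``zone key list`` the keys already present and collect their keytags.
          4. Import every ``K<name>+<algo>+<tag>.private`` file in ``bind_keydir``
             belonging to this zone whose keytag is not already listed.

        Args:
            keydir: keymgr key directory.
            bind_keydir: directory holding the BIND key files; it goes through
                ``glob.escape`` so glob metacharacters in the path stay literal.
            zone_name: fully-qualified zone name; must end with ``"."``.

        Raises:
            AssertionError: if ``zone_name`` does not end with a dot (note that
                ``assert`` is stripped under ``python -O``).
        """
        Keymgr.run(keydir, "init")
        Keymgr.run(keydir, "policy", "set", "default", "manual", "true")

        # add zone if not exists (exit code 0 is taken as "zone present",
        # the same convention the key listing below relies on)
        exitcode, _, _ = Keymgr.run(keydir, "zone", "show", zone_name)
        if exitcode != 0:
            Keymgr.run_check(keydir, "zone", "add", zone_name)

        # retrieve existing keys: only a successful listing carries key lines.
        # NOTE(review): this used to test "exitcode != 0", which left `tags`
        # empty on success (so existing keys were always re-imported) and tried
        # to parse an error message on failure.
        tags = set()
        exitcode, stdout, _ = Keymgr.run(keydir, "zone", "key", "list", zone_name)
        if exitcode == 0:
            for line in stdout.splitlines():
                found = re.search(r'\bkeytag\s+(\d+)\b', line)
                # lines without a keytag (blank or header lines) are skipped
                # rather than raising AttributeError on `.group()`
                if found:
                    tags.add(int(found.group(1)))

        # import new keys, ignore existing (compare keytag)
        assert(zone_name.endswith("."))
        key_file_re = re.compile(
            r'K(?P<name>[^+]+)\+(?P<algo>\d+)\+(?P<tag>\d+)\.private')
        wanted_name = zone_name.lower()
        for pkey_path in glob.glob("%s/K*.private" % glob.escape(bind_keydir)):
            m = key_file_re.match(os.path.basename(pkey_path))
            if not m or m.group("name") != wanted_name:
                # not a BIND key file, or a key of another zone
                continue
            if int(m.group("tag")) in tags:
                # already in the KASP db
                continue
            Keymgr.run_check(keydir, "zone", "key", "import", zone_name, pkey_path)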
slave.flush()

# re-sign master and check that the re-sign made nothing
master.ctl("zone-sign")
# presumably blocks until every zone's serial is strictly greater than the
# after_update2 value (equal=False, greater=True) -- confirm against zones_wait
after_update25 = master.zones_wait(zones, after_update2, equal=False, greater=True)

# master and slave content must agree, RRSIG rdata excepted
t.xfr_diff(master, slave, zones, no_rrsig_rdata=True)
for zone in zones:
    slave.zone_verify(zone)

# either log line on the slave means the incremental transfer was not served cleanly
if slave.log_search("no such record in zone found") or slave.log_search("fallback to AXFR"):
    set_err("IXFR ERROR")

# update salt with keymgr and see if zone correctly re-NSEC3-d after update
for z in zones1:
    # "-" stands for an empty salt; otherwise a hex salt built from "fe" repeated
    # nsec3_salt_len times (assumes the length is counted in bytes -- TODO confirm)
    salt = "-" if master.dnssec(z).nsec3_salt_len == 0 else "fe" * master.dnssec(z).nsec3_salt_len
    Keymgr.run_check(master.confile, z.name, "nsec3-salt", salt)
    # a dynamic update forces a re-sign with the new salt
    up = master.update(z)
    up.add("abc." + z.name, 3600, "A", "1.2.3.4")
    up.send("NOERROR")

t.sleep(1)
slave.ctl("zone-refresh")
t.sleep(3)
slave.flush()
for z in zones1:
    # serial must have moved strictly past the value recorded after the re-sign
    slave.zone_wait(z, after_update25[z.name], equal=False, greater=True)
    slave.zone_verify(z)

t.end()
                          publish=tickf(2),
                          ready=tickf(3),
                          active=tickf(4),
                          retire="+2h",
                          remove="+3h")
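# ZSK that is published and active immediately ("+0" = now, relative time)
key_zsk1 = knot.key_gen(ZONE,
                        ksk="false",
                        created="+0",
                        publish="+0",
                        active="+0")

# pregenerate keys, exchange KSR, pre-sign it, exchange SKR
KSR = knot.keydir + "/ksr"
SKR = knot.keydir + "/skr"
SKR_BROKEN = SKR + "_broken"
# FUTURE is defined outside this fragment; it bounds how far ahead keys are planned
Keymgr.run_check(knot.confile, ZONE, "pregenerate", "+" + str(FUTURE))
_, out, _ = Keymgr.run_check(knot.confile, ZONE, "generate-ksr", "+0",
                             "+" + str(FUTURE))
writef(KSR, out)
# the signer side produces the SKR from the KSR
_, out, _ = Keymgr.run_check(signer.confile, ZONE, "sign-ksr", KSR)
writef(SKR, out)

# a tampered SKR must be rejected by validate-skr and refused by import-skr
cripple_skr(SKR, SKR_BROKEN)
_, out, _ = Keymgr.run_check(knot.confile, ZONE, "validate-skr", SKR_BROKEN)
# validate-skr is expected to report "error:" as its first token; comparing the
# one-element slice also flags an empty output instead of raising IndexError
if out.split()[:1] != ["error:"]:
    set_err("keymgr validate-skr")
    detail_log(out)
Keymgr.run_fail(knot.confile, ZONE, "import-skr", SKR_BROKEN)

# the intact SKR imports cleanly
Keymgr.run_check(knot.confile, ZONE, "import-skr", SKR)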
# wait_for_rrsig_count and check_revoked_key are defined outside this fragment;
# the numeric arguments presumably are the expected RRSIG count and a timeout -- confirm
wait_for_rrsig_count(t, knot, "DNSKEY", 2, 3)
check_revoked_key(knot)

# scenario 2: plan revoked timestamp in the past
wait_for_rrsig_count(t, knot, "DNSKEY", 1, 3)

# fresh KSK that is published, ready and active right away ("+0" = now)
knot.key_gen(ZONE,
             ksk="true",
             created="+0",
             publish="+0",
             ready="+0",
             active="+0")
# KSK is defined outside this fragment; retire and revoke it immediately,
# schedule its removal 8 seconds ahead
knot.key_set(ZONE, KSK, retire="+0", revoke="+0", remove="+8s")

t.sleep(2)
knot.ctl("zone-sign")
t.sleep(2)
check_revoked_key(knot)

# scenario 3: import revoked key from Bind
wait_for_rrsig_count(t, knot, "DNSKEY", 1, 6)

# BIND-format public key file shipped with the test data
Keymgr.run_check(knot.confile, ZONE, "import-bind",
                 knot.data_dir + "/Kexample.com.+013+65449.key")

knot.ctl("zone-sign")
t.sleep(2)
check_revoked_key(knot)

t.end()
    slave.zonefile_load = "none"

# backup locations for the two servers
backup_dir = master.dir + "/backup"
slave_bck_dir = slave.dir + "/backup"

zone0_expire = 45  # zone zones[0] expiration time in its SOA
valgrind_delay = 2 if slave.valgrind else 0  # allow a little time margin under Valgrind
valgrind_delay += 2  # even without valgrind, add some tolerance because rounding timestamps to whole seconds multiple times

t.start()
# initial serials, used below to detect the post-signing increment
serials_init = slave.zones_wait(zones)
start_time = int(t.uptime())

for z in zones:
    if master.dnssec(z).enable:
        # key file "<zone name>key" from the test data directory; "import-pub"
        # presumably imports only the public part -- confirm against keymgr
        Keymgr.run_check(master.confile, z.name, "import-pub",
                         "%s/%skey" % (t.data_dir, z.name))
        master.ctl("zone-sign " + z.name)
        # slave must pick up the signed (bumped) serial before the backup is taken
        slave.zone_wait(z, serials_init[z.name])

# master backs up everything; slave backs up only the first two zones, with
# their journal and without the zone file
master.ctl("zone-backup +backupdir %s" % backup_dir)
slave.ctl("zone-backup %s %s +journal +backupdir %s +nozonefile" % \
          (zones[0].name, zones[1].name, slave_bck_dir))

# get_dnskeys is defined outside this fragment; snapshot of the DNSKEYs at backup time
(dnskey1_1, dnskey2_1) = get_dnskeys(master, zones)

t.sleep(4)

# change every zone after the backup: drop the "added.<zone>" A record
for z in zones:
    up = master.update(z)
    up.delete("added.%s" % z.name, "A")
    up.send()
def key_set(server, zone, key_id, **new_values):
    """Run ``keymgr zone key set`` for *key_id* of *zone* on *server*.

    Every keyword in ``new_values`` is appended to the command line as an
    ``option value`` pair in the order given, e.g. ``retire="+0"`` becomes
    ``... retire +0``.  Values are passed through untouched, so callers supply
    them in the form keymgr expects.  The command is executed with
    ``Keymgr.run_check`` against ``server.keydir``.
    """
    # flatten {"retire": "+0", ...} into ["retire", "+0", ...]
    option_args = [token for pair in new_values.items() for token in pair]
    Keymgr.run_check(server.keydir, "zone", "key", "set", zone, key_id, *option_args)