[Opendnssec-commits] [keihatsu.kirei.se/svn/dnssec] r3644 - in trunk/OpenDNSSEC/auditor: lib/kasp_auditor test_scripts

Alex Dalitz alexd at nominet.org.uk
Thu Aug 5 12:32:29 CEST 2010


Author: alex
Date: 2010-08-05 12:32:29 +0200 (Thu, 05 Aug 2010)
New Revision: 3644

Modified:
   trunk/OpenDNSSEC/auditor/lib/kasp_auditor/key_tracker.rb
   trunk/OpenDNSSEC/auditor/test_scripts/auditor_test.rb
Log:
Auditor now checks ZSK and KSK lifetimes and num_standby keys per (algorithm, key length) tuple

Modified: trunk/OpenDNSSEC/auditor/lib/kasp_auditor/key_tracker.rb
===================================================================
--- trunk/OpenDNSSEC/auditor/lib/kasp_auditor/key_tracker.rb	2010-08-05 09:34:03 UTC (rev 3643)
+++ trunk/OpenDNSSEC/auditor/lib/kasp_auditor/key_tracker.rb	2010-08-05 10:32:29 UTC (rev 3644)
@@ -66,6 +66,7 @@
       Status.strings.each {|s| eval "def add_#{s.downcase}_key(key)
                           if (!include_#{s.downcase}_key?key)
                                 new_key = key.clone
+                                new_key.public_key
                                 @#{s.downcase}[new_key]=Time.now.to_i
                           end
           end"}
@@ -73,11 +74,13 @@
       Status.strings.each {|s| eval "def add_#{s.downcase}_key_with_time(key, time)
                           if (!include_#{s.downcase}_key?key)
                                 new_key = key.clone
+                                new_key.public_key
                                 @#{s.downcase}[new_key]=time
                           end
           end"}
       # Set up include_inuse_key?, etc.
       Status.strings.each {|s| eval "def include_#{s.downcase}_key?(key)
+                   key.public_key
                    @#{s.downcase}.each {|k,v|
                       if ((k == key) || (k.key_tag_pre_revoked ==
                               key.key_tag_pre_revoked))
@@ -88,6 +91,7 @@
           end"}
       # Set up delete_inuse_key, etc.
       Status.strings.each {|s| eval "def delete_#{s.downcase}_key(key)
+                                     key.public_key
                                      @#{s.downcase}.delete_if {|k, temp|
              ((k==key) || (k.key_tag_pre_revoked == key.key_tag_pre_revoked))
                                      }
@@ -200,16 +204,16 @@
         return 0
       end
       if s1 < s2 and (s2 - s1) < (2**31)
-          return 1
+        return 1
       end
       if s1 > s2 and (s1 - s2) > (2**31)
-          return 1
+        return 1
       end
       if s1 < s2 and (s2 - s1) > (2**31)
-          return -1
+        return -1
       end
       if s1 > s2 and (s1 - s2) < (2**31)
-          return -1
+        return -1
       end
       return 0
     end
@@ -237,62 +241,42 @@
 
     # run the checks on the new zone data
     def run_checks(soa_ttl)
-      # @TODO@ If !@config.audit_tag_present then only run checks on keys in use too long.
       # We also need to perform the auditing checks against the config
       # Checks to be performed :
-      #   a) Warn if number of prepublished KSKs < KSK:Standby
-      # @TODO@ THIS IS WRONG - LOOK UP STANDBY PER KEY!!!
-      ksk_min_standby = 999999999999
-      ksk_min_lifetime = 999999999999
-      @config.keys.ksks().length.times {|i|
-        if (@config.keys.ksks()[i].standby < ksk_min_standby)
-          ksk_min_standby = @config.keys.ksks()[i].standby
-        end
-        if (@config.keys.ksks()[i].lifetime < ksk_min_lifetime)
-          ksk_min_lifetime = @config.keys.ksks()[i].lifetime
-        end
-      }
-
-      prepublished_ksk_count = @cache.prepublished.keys.select {|k|
-        k.zone_key? && k.sep_key?
-      }.length
-      # Enforcer no longer publishes standby KSKs
-#      if (prepublished_ksk_count < ksk_min_standby)
-#        msg = "Not enough prepublished KSKs! Should be #{ksk_min_standby} but have #{prepublished_ksk_count}"
-#        @parent.log(LOG_WARNING, msg)
-#      end
       #   b) Warn if number of prepublished ZSKs < ZSK:Standby
-      # @TODO@ THIS IS WRONG - LOOK UP STANDBY PER KEY!!!
-      zsk_min_standby = 999999999999
-      zsk_min_lifetime = 999999999999
-      @config.keys.zsks().length.times {|i|
-        if (@config.keys.zsks()[i].standby < zsk_min_standby)
-          zsk_min_standby = @config.keys.zsks()[i].standby
+      # Do this by [alg, alg_length] - so only select those keys which match the config
+      @config.keys.zsks.each {|zsk|
+        prepublished_zsk_count = @cache.prepublished.keys.select {|k|
+          k.zone_key? && !k.sep_key? && (k.algorithm == zsk.algorithm) &&
+            (k.key_length == zsk.alg_length)
+        }.length
+        if (prepublished_zsk_count < zsk.standby)
+          msg = "Not enough prepublished ZSKs! Should be #{zsk.standby} but have #{prepublished_zsk_count}"
+          @parent.log(LOG_WARNING, msg)
         end
-        if (@config.keys.zsks()[i].lifetime < zsk_min_lifetime)
-          zsk_min_lifetime = @config.keys.zsks()[i].lifetime
-        end
       }
-      prepublished_zsk_count = @cache.prepublished.keys.select {|k|
-        k.zone_key? && !k.sep_key?
-      }.length
-      if (prepublished_zsk_count < zsk_min_standby)
-        msg = "Not enough prepublished ZSKs! Should be #{zsk_min_standby} but have #{prepublished_zsk_count}"
-        @parent.log(LOG_WARNING, msg)
-      end
       @cache.inuse.each {|key, timestamp|
         if (key.zone_key? && !key.sep_key?)
           #   d) Warn if ZSK inuse longer than ZSK:Lifetime + Enforcer:Interval
-          # @TODO@ But which ZSK to use?
-          lifetime = zsk_min_lifetime + @enforcer_interval # @TODO@ @config.keys.ksks()[0].lifetime + Enforcer->Interval
+          # Get the ZSK lifetime for this type of key from the config
+          zsks = @config.keys.zsks.select{|zsk|
+            (zsk.algorithm == key.algorithm) &&
+              (zsk.alg_length == key.key_length)}
+          next if (zsks.length == 0)
+          zsk_lifetime = (zsks[0]).lifetime
+          lifetime = zsk_lifetime + @enforcer_interval 
           if timestamp < (Time.now.to_i - lifetime)
             msg = "ZSK #{key.key_tag} in use too long - should be max #{lifetime} seconds but has been #{Time.now.to_i-timestamp} seconds"
             @parent.log(LOG_WARNING, msg)
           end
         else
           #   c) Warn if KSK inuse longer than KSK:Lifetime + Enforcer:Interval
-          # @TODO@ But which ZSK to use?
-          lifetime = ksk_min_lifetime + @enforcer_interval # @TODO@ @config.keys.ksks()[0].lifetime + Enforcer->Interval
+          # Get the KSK lifetime for this type of key from the config
+          ksks = @config.keys.ksks.select{|ksk| (ksk.algorithm == key.algorithm) &&
+              (ksk.alg_length == key.key_length)}
+          next if (ksks.length == 0)
+          ksk_lifetime = ksks[0].lifetime
+          lifetime = ksk_lifetime + @enforcer_interval 
           if timestamp < (Time.now.to_i - lifetime)
             msg = "KSK #{key.key_tag} in use too long - should be max #{lifetime} seconds but has been #{Time.now.to_i-timestamp} seconds"
             @parent.log(LOG_WARNING, msg)
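Review bot: The `next if (zsks.length == 0)` on the ZSK path, and `next if (ksks.length == 0)` on the KSK path, silently drop any in-use key whose (algorithm, key length) matches no configured key, so such keys are no longer subject to the lifetime check at all, whereas the replaced code checked every in-use key against the minimum configured lifetime. A key signing the zone that the KASP does not describe is exactly what an auditor should report; replace the silent skip with `@parent.log(LOG_WARNING, "ZSK #{key.key_tag} (alg #{key.algorithm}, #{key.key_length} bits) matches no configured ZSK - lifetime not checked") if zsks.empty?` before `next if zsks.empty?`, and the analogous message in the KSK branch. When more than one configured entry shares the tuple, `zsks[0].lifetime` picks whichever happens to come first; `zsks.map {|z| z.lifetime}.min` keeps the strictest policy, as the old `zsk_min_lifetime` did. Both `lifetime = … + @enforcer_interval` lines carry trailing whitespace. `run_checks` starts inside this hunk but its body continues past the hunk's end.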
@@ -312,7 +296,7 @@
         # Just load the cache from disk again - then we could compare the two
         old_cache = load_tracker_cache(false)
         @cache.inuse.keys.each {|new_inuse_key|
-          next if old_cache.inuse.keys.include?new_inuse_key
+          next if old_cache.include_inuse_key?new_inuse_key
           next if (new_inuse_key.sep_key?) # KSKs aren't prepublished any more
           old_key_timestamp = old_cache.include_prepublished_key?new_inuse_key
           if (!old_key_timestamp)
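Review bot: Switching from `include?` to `include_inuse_key?` changes the match from key equality to the looser test shown in the earlier hunk, which also treats two keys as the same when their `key_tag_pre_revoked` values agree. DNSKEY key tags are 16-bit and are not guaranteed unique, so a new key that happens to share a tag with a key already in use would be skipped here and never reach the prepublished-phase check that follows. If that is intended (to follow a revoked key across its tag change), say so: `# tag-based match: a revoked key keeps its pre-revocation tag`; otherwise the key material should be compared as well. The enclosing method starts and ends outside this hunk.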
@@ -362,10 +346,10 @@
         end
       }
       keys_used.each {|key|
-        #        print "Adding inuse key #{key}\n"
         # Now find the key with that tag
         keys.each {|k|
           if (key == k.key_tag)
+            # print "Taking inuse key #{key} and removing from prepublished\n"
             @cache.add_inuse_key(k)
             @cache.delete_prepublished_key(k)
           end

Modified: trunk/OpenDNSSEC/auditor/test_scripts/auditor_test.rb
===================================================================
--- trunk/OpenDNSSEC/auditor/test_scripts/auditor_test.rb	2010-08-05 09:34:03 UTC (rev 3643)
+++ trunk/OpenDNSSEC/auditor/test_scripts/auditor_test.rb	2010-08-05 10:32:29 UTC (rev 3644)
@@ -420,12 +420,13 @@
     expected_strings=[
       # Not enough pre-published ZSK
       "Not enough prepublished ZSKs! Should be 2 but have 0",
+      "Not enough prepublished ZSKs! Should be 2 but have 1",
       # Not enough pre-published KSK
       #      "Not enough prepublished KSKs! Should be 2 but have 0",
       # KSK too long in use
       "KSK 51902 in use too long - should be max 1 seconds but has been",
       # ZSK too long in use
-      "ZSK 51901 in use too long - should be max 1 seconds but has been",
+      "ZSK 52925 in use too long - should be max 1 seconds but has been",
       # SOA serial checking
       "SOA serial has decreased - used to be 101 but is now 100",
       "Key (56013) has gone straight to active use without a prepublished phase"
@@ -455,7 +456,7 @@
         :algorithm => 5, :key => "AAAAAAOlWEB+fCWSlxbuwvXf1zt2r6XqvuedrKVWzL+vRj+wy5tQyszg V9wwn+Re2xvlgn66fZs6j6sWylioJF9X5mlpWFkH6QU17CyMvWOMJY94 x/pXY1zjxx7WLUq46raOozQ+bOd2Zn2LzEJ0Sh9T8HXDwVVwsKjSaSx+ 7X5YSVMe3Q=="})
     key1 = RR.create({:name => "example.com.", :type => Types::DNSKEY,
         :protocol => 3, :flags => RR::DNSKEY::ZONE_KEY, :algorithm => 5,
-        :key => "AAAAAAOlWEB+fCWSlxbuwvXf1zt2r6XqvuedrKVWzL+vRj+wy5tQyszg V9wwn+Re2xvlgn66fZs6j6sWylioJF9X5mlpWFkH6QU17CyMvWOMJY94 x/pXY1zjxx7WLUq46raOozQ+bOd2Zn2LzEJ0Sh9T8HXDwVVwsKjSaSx+ 7X5YSVMe3Q=="})
+        :key => "BAAAAAOlWEB+fCWSlxbuwvXf1zt2r6XqvuedrKVWzL+vRj+wy5tQyszg V9wwn+Re2xvlgn66fZs6j6sWylioJF9X5mlpWFkH6QU17CyMvWOMJY94 x/pXY1zjxx7WLUq46raOozQ+bOd2Zn2LzEJ0Sh9T8HXDwVVwsKjSaSx+ 7X5YSVMe3Q=="})
     key2 = RR.create({:name => "example.com.", :type => Types::DNSKEY,
         :protocol => 3, :flags => RR::DNSKEY::ZONE_KEY, :algorithm => 5,
         :key => "EBAAAAOlWEB+fCWSlxbuwvXf1zt2r6XqvuedrKVWzL+vRj+wy5tQyszg V9wwn+Re2xvlgn66fZs6j6sWylioJF9X5mlpWFkH6QU17CyMvWOMJY94 x/pXY1zjxx7WLUq46raOozQ+bOd2Zn2LzEJ0Sh9T8HXDwVVwsKjSaSx+ 7X5YSVMe3Q=="})
@@ -467,10 +468,7 @@
         :key => "BEAAAAOlWEB+fCWSlxbuwvXf1zt2r6XqvuedrKVWzL+vRj+wy5tQyszg V9wwn+Re2xvlgn66fZs6j6sWylioJF9X5mlpWFkH6QU17CyMvWOMJY94 x/pXY1zjxx7WLUq46raOozQ+bOd2Zn2LzEJ0Sh9T8HXDwVVwsKjSaSx+ 7X5YSVMe3Q=="})
     keynot5011 = RR.create({:name => "example.com.", :type => Types::DNSKEY,
         :protocol => 3, :flags => RR::DNSKEY::ZONE_KEY, :algorithm => 5,
-        :key => "BEAAAAOhdFlVHeivG77Zos6htgLyIkBOn18ujX4Q7Xs6U7SDQdi6FBE5 OQ8754ppfuF3Lg1ywNLHQ5bjibquSG7TuCT6DWL3kw+hESYmWTeEev9K RnxqTA+FVIfhJaPjMh7y+AsX39b8KVQ32IYdttOiz30sMhHHPBvL4dLC 4eCQXwUbinHRWSnKpKDXwuaUUtQkPqkEc4rEy/cZ3ld408vMlcc73OcK t+ttJeyQR1dJ0LoYHvH0WBzIWg3jUPmz/hSWrZ+V2n0TISQz0qdVGzhJ vahGvRstNk4pWG1MjwVgCvnc18+QiEV4leVU7B4XjM9dRpIMzJvLaq+B d8CxiWvjpSu/"})
-    sep_key = RR.create({:name => "example.com.", :type => Types::DNSKEY,
-        :protocol => 3, :flags => RR::DNSKEY::ZONE_KEY, :algorithm => 5,
-        :key => "AAAAAAOlWEB+fCWSlxbuwvXf1zt2r6XqvuedrKVWzL+vRj+wy5tQyszg V9wwn+Re2xvlgn66fZs6j6sWylioJF9X5mlpWFkH6QU17CyMvWOMJY94 x/pXY1zjxx7WLUq46raOozQ+bOd2Zn2LzEJ0Sh9T8HXDwVVwsKjSaSx+ 7X5YSVMe3Q=="})
+        :key => "BBAAAAOhdFlVHeivG77Zos6htgLyIkBOn18ujX4Q7Xs6U7SDQdi6FBE5 OQ8754ppfuF3Lg1ywNLHQ5bjibquSG7TuCT6DWL3kw+hESYmWTeEev9K RnxqTA+FVIfhJaPjMh7y+AsX39b8KVQ32IYdttOiz30sMhHHPBvL4dLC 4eCQXwUbinHRWSnKpKDXwuaUUtQkPqkEc4rEy/cZ3ld408vMlcc73OcK t+ttJeyQR1dJ0LoYHvH0WBzIWg3jUPmz/hSWrZ+V2n0TISQz0qdVGzhJ vahGvRstNk4pWG1MjwVgCvnc18+QiEV4leVU7B4XjM9dRpIMzJvLaq+B d8CxiWvjpSu/"})
 
     # Now load the (empty) cache for the zone, and fill it with data about a
     # fake audit in progress.
@@ -482,25 +480,34 @@
     ksk = FakeAnykey.new
     ksk.standby = 2
     ksk.lifetime = 1
+    ksk.algorithm = 5
+    ksk.alg_length = 1040
     zsk = FakeAnykey.new
     zsk.standby = 2
     zsk.lifetime = 1
+    zsk.algorithm = 5
+    zsk.alg_length = 1024
     keys.zsks.push(zsk)
     keys.ksks.push(ksk)
     config.keys = keys
     config.audit_tag_present = true
 
     checker = KASPAuditor::KeyTracker.new("test/tmp", "example.com.", syslog, config, 0)
+    key_cache = checker.load_tracker_cache
     assert(checker.cache.inuse.length == 0)
     assert(checker.cache.retired.length == 0)
     assert(checker.cache.prepublished.length == 0)
 
+    checker = KASPAuditor::KeyTracker.new("test/tmp", "example.com.", syslog, config, 0)
+    key_cache = checker.load_tracker_cache
     checker.process_key_data([ksk_key1, key1, keynot5011, key3],
       [ksk_key1.key_tag, keynot5011.key_tag], 100, 1)
     assert(checker.cache.inuse.length == 2)
     assert(checker.cache.retired.length == 0)
     assert(checker.cache.prepublished.length == 2)
 
+    checker = KASPAuditor::KeyTracker.new("test/tmp", "example.com.", syslog, config, 0)
+    key_cache = checker.load_tracker_cache
     checker.process_key_data([ksk_key1, key1, keynot5011, key5011],
       [key1.key_tag, ksk_key1.key_tag, key5011.key_tag], 101, 1)
     assert(checker.cache.inuse.length == 3)
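Review bot: `key_cache = checker.load_tracker_cache` at each inserted setup site assigns a local that is not read anywhere within this hunk or the next one; either drop the assignment and call `checker.load_tracker_cache` for its effect, or assert on the returned cache so the reload is actually verified rather than just executed. The repeated two-line "new KeyTracker + load cache" sequence would read better as a small helper in the test, e.g. `def fresh_checker(syslog, config)` returning the loaded tracker. `ksk.alg_length = 1040` next to `zsk.alg_length = 1024` presumably mirrors the lengths of the test keys' key material; a comment naming which key each value is meant to match would save the next reader a calculation. The enclosing test method starts before this hunk.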
@@ -511,6 +518,8 @@
     # are emitted
     sleep(2.1)
     key5011.revoked = true
+    checker = KASPAuditor::KeyTracker.new("test/tmp", "example.com.", syslog, config, 0)
+    key_cache = checker.load_tracker_cache
     checker.process_key_data([ksk_key1, key2, key5011, key1],
       [ksk_key1.key_tag, key2.key_tag, key1.key_tag], 100, 1)
     assert(checker.cache.retired.length == 1)



