Test incremental signing

.github/workflows/system-tests.yml

@@ -240,3 +240,40 @@ jobs:
     - name: Print log files on any failure in this job
       uses: ./.github/actions/print-logfiles
       if: failure()
+
+  incremental-signing:
+    name: Sign two versions of a zone and verify that the second one has the expected output.
+    runs-on: ${{ matrix.os }}
+    needs: build
+    strategy:
+      matrix:
+        os: [ubuntu-latest]
+        rust: [stable] # see build job
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v4
+    - name: Prepare the system test environment
+      uses: ./.github/actions/prepare-systest-env
+      with:
+        artifact-name: ${{ format('cascade_{0}_{1}_{2}', github.sha, matrix.os, matrix.rust) }}
+    - run: target/debug/cascade --version
+    - name: Setup and start the cascade daemon
+      uses: ./.github/actions/setup-and-start-cascade
+    - name: Add a policy
+      run: |
+        # Based on actions/setup-and-start-cascade/, query the Cascade config
+        # to find the policy directory, at least until we have a better way of
+        # doing this.
+        CASCADE_CONF="${GITHUB_WORKSPACE}/cascade-dir/config.toml"
+        POLICY_DIR=$(grep -E '^policy-dir.*=' ${CASCADE_CONF} | cut -d '=' -f 2 | cut -d '"' -f 2)
+        INCREMENTAL_SIGNING_DIR="${PWD}/integration-tests/incremental-signing"
+        # Copy the new test policy into the Cascade policy directory.
+        cp ${INTEGRATION_TEST_DIR}/policies/*.toml ${POLICY_DIR}/
+        # Tell Cascade to load our new test policy.
+        target/debug/cascade policy reload
+    - name: Run tests
+      run: |
+	integration-tests/tests.sh
+    - name: Print log files on any failure in this job
+      uses: ./.github/actions/print-logfiles
+      if: failure()

integration-tests/incremental-signing/keys/Kexample.+015+02835.key

@@ -0,0 +1 @@
+example. IN DNSKEY 256 3 15 BnnbKMXdvQp2v+tzyvO/HxQGY8iYcJsWD4MN6fnr84Q=

integration-tests/incremental-signing/keys/Kexample.+015+02835.private

@@ -0,0 +1,3 @@
+Private-key-format: v1.2
+Algorithm: 15 (ED25519)
+PrivateKey: LoWBrHTJZ84e56m6cYfrtsRcTCaA3y33mWsV7CzUnyU=

integration-tests/incremental-signing/policies/nsec.toml

@@ -0,0 +1,89 @@
+# The policy file version.
+#
+# This is the only required option.  All other settings, and their defaults, are
+# associated with this version number.  More versions may be added in the future
+# and Cascade may drop support for older versions over time.
+#
+# - 'v1': This format.
+version = "v1"
+
+
+# How denial-of-existence records are generated.
+[signer.denial]
+
+# The type of denial-of-existence records to generate.
+#
+# Supported options:
+# - 'nsec': Use NSEC records (RFC 4034).
+# - 'nsec3': Use NSEC3 records (RFC 5155).
+type = "nsec"
+
+# How zones are signed.
+#
+# Note that certain records (e.g. DNSKEY and CDS records at the apex of the
+# zone) are signed by the key manager, rather than the zone signer; see the
+# `[key-manager.records]` section for configuring the signing of those records.
+[signer]
+
+# How SOA serial numbers are generated for signed zones.
+#
+# Supported options:
+# - 'keep': use the same serial number as the unsigned zone.
+# - 'counter': increment the serial number every time.
+# - 'unixtime': use the current Unix time, in seconds.
+# - 'date-counter': format the number as '<YYYY><MM><DD><xx>' in decimal.
+#     '<xx>' is a simple counter to allow up to 100 versions per day.
+serial-policy = "keep"
+
+# The offset for generated signature inceptions.
+#
+# Record signatures have a fixed inception time, from when they are considered
+# valid.  An imprecise computer clock could cause signatures to be considered
+# invalid, because their inception point appears to be some time in the future.
+# To prevent such cases, this setting allows the inception time to be offset
+# into the past.
+#
+# An integer value is interpreted as seconds; inception times will be calculated
+# as 'now - offset' at the time of signing.
+signature-inception-offset = 0
+
+# The lifetime of generated signatures.
+#
+# Record signatures have a fixed lifetime, after which they are considered
+# invalid.  To keep the zone valid, the signatures should be regenerated before
+# they expire; see 'signature-remain-time' to control regeneration time.
+#
+# An integer value is interpreted as seconds.
+signature-lifetime = 100000000
+
+# The management of DNS records by the key manager.
+# 
+# The key manager generates and signs several records (DNSKEY and CDS).  This
+# section controls its behaviour towards them.
+[key-manager.records]
+
+# The offset for generated signature inceptions.
+#
+# Record signatures have a fixed inception time, from when they are considered
+# valid.  An imprecise computer clock could cause signatures to be considered
+# invalid, because their inception point appears to be some time in the future.
+# To prevent such cases, this setting allows the inception time to be offset
+# into the past.
+#
+# Independent offsets can be set for each type of record.  An integer value is
+# intepreted as seconds; inception times will be calculated as 'now - offset'
+# at the time of signing.
+dnskey.signature-inception-offset = 0
+cds.signature-inception-offset = 0
+
+# The lifetime of generated signatures.
+#
+# Record signatures have a fixed lifetime, after which they are considered
+# invalid.  To keep the zone valid, the signatures should be regenerated before
+# they expire; see 'signature-remain-time' to control regeneration time.
+#
+# Independent lifetimes can be set for each type of record.  An integer value is
+# interpreted as seconds.
+dnskey.signature-lifetime = 100000000
+cds.signature-lifetime = 100000000
+

integration-tests/incremental-signing/policies/nsec3-opt-out.toml

@@ -0,0 +1,90 @@
+# The policy file version.
+#
+# This is the only required option.  All other settings, and their defaults, are
+# associated with this version number.  More versions may be added in the future
+# and Cascade may drop support for older versions over time.
+#
+# - 'v1': This format.
+version = "v1"
+
+
+# How denial-of-existence records are generated.
+[signer.denial]
+
+# The type of denial-of-existence records to generate.
+#
+# Supported options:
+# - 'nsec': Use NSEC records (RFC 4034).
+# - 'nsec3': Use NSEC3 records (RFC 5155).
+type = "nsec3"
+opt-out = true
+
+# How zones are signed.
+#
+# Note that certain records (e.g. DNSKEY and CDS records at the apex of the
+# zone) are signed by the key manager, rather than the zone signer; see the
+# `[key-manager.records]` section for configuring the signing of those records.
+[signer]
+
+# How SOA serial numbers are generated for signed zones.
+#
+# Supported options:
+# - 'keep': use the same serial number as the unsigned zone.
+# - 'counter': increment the serial number every time.
+# - 'unixtime': use the current Unix time, in seconds.
+# - 'date-counter': format the number as '<YYYY><MM><DD><xx>' in decimal.
+#     '<xx>' is a simple counter to allow up to 100 versions per day.
+serial-policy = "keep"
+
+# The offset for generated signature inceptions.
+#
+# Record signatures have a fixed inception time, from when they are considered
+# valid.  An imprecise computer clock could cause signatures to be considered
+# invalid, because their inception point appears to be some time in the future.
+# To prevent such cases, this setting allows the inception time to be offset
+# into the past.
+#
+# An integer value is interpreted as seconds; inception times will be calculated
+# as 'now - offset' at the time of signing.
+signature-inception-offset = 0
+
+# The lifetime of generated signatures.
+#
+# Record signatures have a fixed lifetime, after which they are considered
+# invalid.  To keep the zone valid, the signatures should be regenerated before
+# they expire; see 'signature-remain-time' to control regeneration time.
+#
+# An integer value is interpreted as seconds.
+signature-lifetime = 100000000
+
+# The management of DNS records by the key manager.
+# 
+# The key manager generates and signs several records (DNSKEY and CDS).  This
+# section controls its behaviour towards them.
+[key-manager.records]
+
+# The offset for generated signature inceptions.
+#
+# Record signatures have a fixed inception time, from when they are considered
+# valid.  An imprecise computer clock could cause signatures to be considered
+# invalid, because their inception point appears to be some time in the future.
+# To prevent such cases, this setting allows the inception time to be offset
+# into the past.
+#
+# Independent offsets can be set for each type of record.  An integer value is
+# intepreted as seconds; inception times will be calculated as 'now - offset'
+# at the time of signing.
+dnskey.signature-inception-offset = 0
+cds.signature-inception-offset = 0
+
+# The lifetime of generated signatures.
+#
+# Record signatures have a fixed lifetime, after which they are considered
+# invalid.  To keep the zone valid, the signatures should be regenerated before
+# they expire; see 'signature-remain-time' to control regeneration time.
+#
+# Independent lifetimes can be set for each type of record.  An integer value is
+# interpreted as seconds.
+dnskey.signature-lifetime = 100000000
+cds.signature-lifetime = 100000000
+

integration-tests/incremental-signing/policies/nsec3.toml

@@ -0,0 +1,90 @@
+# The policy file version.
+#
+# This is the only required option.  All other settings, and their defaults, are
+# associated with this version number.  More versions may be added in the future
+# and Cascade may drop support for older versions over time.
+#
+# - 'v1': This format.
+version = "v1"
+
+
+# How denial-of-existence records are generated.
+[signer.denial]
+
+# The type of denial-of-existence records to generate.
+#
+# Supported options:
+# - 'nsec': Use NSEC records (RFC 4034).
+# - 'nsec3': Use NSEC3 records (RFC 5155).
+type = "nsec3"
+opt-out = false
+
+# How zones are signed.
+#
+# Note that certain records (e.g. DNSKEY and CDS records at the apex of the
+# zone) are signed by the key manager, rather than the zone signer; see the
+# `[key-manager.records]` section for configuring the signing of those records.
+[signer]
+
+# How SOA serial numbers are generated for signed zones.
+#
+# Supported options:
+# - 'keep': use the same serial number as the unsigned zone.
+# - 'counter': increment the serial number every time.
+# - 'unixtime': use the current Unix time, in seconds.
+# - 'date-counter': format the number as '<YYYY><MM><DD><xx>' in decimal.
+#     '<xx>' is a simple counter to allow up to 100 versions per day.
+serial-policy = "keep"
+
+# The offset for generated signature inceptions.
+#
+# Record signatures have a fixed inception time, from when they are considered
+# valid.  An imprecise computer clock could cause signatures to be considered
+# invalid, because their inception point appears to be some time in the future.
+# To prevent such cases, this setting allows the inception time to be offset
+# into the past.
+#
+# An integer value is interpreted as seconds; inception times will be calculated
+# as 'now - offset' at the time of signing.
+signature-inception-offset = 0
+
+# The lifetime of generated signatures.
+#
+# Record signatures have a fixed lifetime, after which they are considered
+# invalid.  To keep the zone valid, the signatures should be regenerated before
+# they expire; see 'signature-remain-time' to control regeneration time.
+#
+# An integer value is interpreted as seconds.
+signature-lifetime = 100000000
+
+# The management of DNS records by the key manager.
+# 
+# The key manager generates and signs several records (DNSKEY and CDS).  This
+# section controls its behaviour towards them.
+[key-manager.records]
+
+# The offset for generated signature inceptions.
+#
+# Record signatures have a fixed inception time, from when they are considered
+# valid.  An imprecise computer clock could cause signatures to be considered
+# invalid, because their inception point appears to be some time in the future.
+# To prevent such cases, this setting allows the inception time to be offset
+# into the past.
+#
+# Independent offsets can be set for each type of record.  An integer value is
+# intepreted as seconds; inception times will be calculated as 'now - offset'
+# at the time of signing.
+dnskey.signature-inception-offset = 0
+cds.signature-inception-offset = 0
+
+# The lifetime of generated signatures.
+#
+# Record signatures have a fixed lifetime, after which they are considered
+# invalid.  To keep the zone valid, the signatures should be regenerated before
+# they expire; see 'signature-remain-time' to control regeneration time.
+#
+# Independent lifetimes can be set for each type of record.  An integer value is
+# interpreted as seconds.
+dnskey.signature-lifetime = 100000000
+cds.signature-lifetime = 100000000
+

integration-tests/incremental-signing/reference-output/incremental-signing-test1-input2.zone.nsec.signed.sorted

@@ -0,0 +1,61 @@
+aaaa.modify.example.	3600	IN	AAAA	2001:db8::1
+aaaa.modify.example.	3600	IN	NSEC	cname.modify.example. AAAA RRSIG NSEC
+aaaa.modify.example.	3600	IN	RRSIG	AAAA 15 3 3600 20231114221320 20200913122640 2835 example. jaZ0iZ+CHYF7t3u7f/68WqZONY1H3hoVVWSD9U9ndoY3s6t7ZjkdORnXAD9YqpG4BDfscrTE2p8TterfZD92BQ==
+aaaa.modify.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. Bm313NSOrs6KJjWcuC3P2mlNFH6kU79EawtfXZXZXtzD3RiEOVCTuz6+tTv5TQaHKy1W1DsC+3aVf6vyhCNWCQ==
+aaaa.modify.not-auth.example.	3600	IN	AAAA	2001:db8::1
+a.modify.example.	3600	IN	A	192.0.2.1
+a.modify.example.	3600	IN	NSEC	aaaa.modify.example. A RRSIG NSEC
+a.modify.example.	3600	IN	RRSIG	A 15 3 3600 20231114221320 20200913122640 2835 example. zzi8zBAaudH4nHnprPexIKkVt0qdMLMxN9NEk1Uh1Um90BAJORqjyrYN8fXVpLqsOLZ1pJicFLKA5XzWrk1PBw==
+a.modify.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. uDI67iOmDtDYexjvoJrraLKJgPa2HwdU6fjILT4tb1sQb8fyrDTqeE6Nbl47BCXdKTcOdBpwfUytF0VY7uvTCA==
+a.modify.not-auth.example.	3600	IN	A	192.0.2.1
+cname.modify.example.	3600	IN	CNAME	cname-target2.example.
+cname.modify.example.	3600	IN	NSEC	dname.modify.example. CNAME RRSIG NSEC
+cname.modify.example.	3600	IN	RRSIG	CNAME 15 3 3600 20231114221320 20200913122640 2835 example. RzMYCLMv2cVDZClmC18R7LhZ+0pMGNCyY7RNUCmQimafyadS2QyOoYKb3G5i4n6Yi74eu8ZBoMS5xp9WSANEDA==
+cname.modify.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. SJxhqphIXPOHAdii3FkmaOrC9e5mXoMTTHSMtvMNpAOaLEx55nnbOdiit7RjCVbtNr2eIuKSbGPjZEhYqEErCQ==
+cname.modify.not-auth.example.	3600	IN	CNAME	cname-target2.example.
+delegation1.example.	3600	IN	DS	12345 13 253 00
+delegation1.example.	3600	IN	NSEC	ent2nt.example. NS DS RRSIG NSEC
+delegation1.example.	3600	IN	NS	ns.example.
+delegation1.example.	3600	IN	RRSIG	DS 15 2 3600 20231114221320 20200913122640 2835 example. EJcI7l72ZEAO6Kp5IwDkKtWuwqxeS6IIg9M6+Jb3MamNM1pSd12VgMkI6ItB321fqEjbVnrh2VEzwxiRMh3BBA==
+delegation1.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. lUXU9BPtqvegBHnMUGUK0944a/qaRETsgObPcOSsnHoJFqxkPvymHTtvDOtbvJx/0HsL8YbUW+FqV1Xr849UAw==
+dname.modify.example.	3600	IN	DNAME	dname-target2.example.
+dname.modify.example.	3600	IN	NSEC	txt.modify.example. DNAME RRSIG NSEC
+dname.modify.example.	3600	IN	RRSIG	DNAME 15 3 3600 20231114221320 20200913122640 2835 example. wBvJ3qKVTjKuTydVTEmnPv47IQ9Gs4JF8y1U0/qJ90pODlfkAUnQDDqDkDv7ZMZbV2mhPJgBH7R+MSUtPSV6Ag==
+dname.modify.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. LxhaKg+u4m3K8RMy8hId1bjX7KijmJUvUxiYRvxZJPpzQwAuA1w21906GZbKOylPwI57WbCMGScPHUYS2XgIAw==
+dname.modify.not-auth.example.	3600	IN	DNAME	dname-target2.example.
+ds.new-ent.example.	3600	IN	DS	12345 13 253 01
+ds.new-ent.example.	3600	IN	NSEC	txt.new-ent.example. NS DS RRSIG NSEC
+ds.new-ent.example.	3600	IN	NS	ns.example.
+ds.new-ent.example.	3600	IN	RRSIG	DS 15 3 3600 20231114221320 20200913122640 2835 example. ugnXumZ3uVN+dwmm93XRrQxwIwtBEedWzG7ShGRgpUcHVzeQr9DYIW+tEqx8Nf06nBBMx22hhiFS8wH1midHBA==
+ds.new-ent.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. dGWRBV9W82JSg0bWojQy0E+Xv6hdXXlBtwsh+42CrexUzgfiWsnhYfpsDiobecviSjvgWHMp8IceQx4QIJ6mBA==
+ent2nt.example.	3600	IN	NSEC	txt.ent2nt.example. TXT RRSIG NSEC
+ent2nt.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. 2VvXz7I83iZ71oBSxX3RwjfL4vZCdFBkOYcRRozGaSvSqJobGlUrgfNQ7gm1xls1lKf8cZ+Dw6VIR9NunaykBQ==
+ent2nt.example.	3600	IN	RRSIG	TXT 15 2 3600 20231114221320 20200913122640 2835 example. mUuqtmkeyjB15acdOBT+kmjg3g/a2KSoSOkKKLiQXPiA6wZV9dfmdMYAv0X8ywFIcJlMWO5Jk9T4abqJFfHjBw==
+ent2nt.example.	3600	IN	TXT	"was ENT, now NT"
+ent2nt.not-auth.example.	3600	IN	TXT	"was ENT, now NT"
+example.	3600	IN	DNSKEY	256 3 15 BnnbKMXdvQp2v+tzyvO/HxQGY8iYcJsWD4MN6fnr84Q=
+example.	3600	IN	NSEC	delegation1.example. SOA TXT RRSIG NSEC DNSKEY
+example.	3600	IN	RRSIG	DNSKEY 15 1 3600 20231114221320 20200913122640 2835 example. RMn96put9kteW8DjunEY3o0J7+MZlrC/zXVBU0h0gpFwjz9mrqo/1EvQUSO6faKaNLD2uhiJ9mg91Z1AQSq4AQ==
+example.	3600	IN	RRSIG	NSEC 15 1 3600 20231114221320 20200913122640 2835 example. K9SQkuBggZKN4WDIgIiO0owwsVyvXjZIkvUUEpJE9vlf6L0RWeMAixbg4y1N60KWailvoTWfqgbW3FDESc5lBw==
+example.	3600	IN	RRSIG	SOA 15 1 3600 20231114221320 20200913122640 2835 example. bBmNKlKLUZIRG8VveJE3bONbEq7DWywLm2wG2bRxLTTWXvX7IfLbb1RFogxT7fH0BIeyBde1azsA+/nAjUBiDg==
+example.	3600	IN	RRSIG	TXT 15 1 3600 20231114221320 20200913122640 2835 example. j8c6wYn06sejbNlk30spLVazOBmp7Xxawl2R8BbVnFtUt5p8/KTXz/7aNYqxjvO+MO+ZV/c9bZx0QAB2VwCRAA==
+example.	3600	IN	SOA	ns.example. hostmaster.example. 23456 3600 3600 86400 3600
+example.	3600	IN	TXT	"New apex record"
+not-auth.example.	3600	IN	NSEC	example. NS RRSIG NSEC
+not-auth.example.	3600	IN	NS	ns.example.
+not-auth.example.	3600	IN	RRSIG	NSEC 15 2 3600 20231114221320 20200913122640 2835 example. tvTt+23SrsOGLbr9h1RHMs+GNAD5VrX0eEiYL6qJpsypwoSQ2yz2WOKhE13CJkUw/EddSxrBaRzBBMQBveLFDA==
+txt.ent2nt.example.	3600	IN	NSEC	a.modify.example. TXT RRSIG NSEC
+txt.ent2nt.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. duq6f2MPCxNU1PPy83bBPj/pERJubhNKUwfpqRSO4IKES48z7EnWWbQGsHyfCy73EwhlKVIEaFpE6Z8g9KRCDw==
+txt.ent2nt.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. T4aySP1d7bSYFIWyJ8ic+877Ad34Zntpqgtqqm8QZH7+VHdONArMK87K6mizPoHF9IcjS0SgTylLOMyIZr9MBw==
+txt.ent2nt.example.	3600	IN	TXT	"ENT to become NT"
+txt.ent2nt.not-auth.example.	3600	IN	TXT	"ENT to become NT"
+txt.modify.example.	3600	IN	NSEC	ds.new-ent.example. TXT RRSIG NSEC
+txt.modify.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. ye7ELxyT+p0SnWVP3byYfNQHIEtwft77QVJr02kugMKJpRtHhayzaihSUyTTdaWRaTVGLDwcTyasrAuKETW5AA==
+txt.modify.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. uYIaNtjsI7txYRPu8RWHfAZLMXMJ9xr302HJN9F3ZzxCkJAGa0cFcwc0eJXtu0TtkvPQtFrDrMw3Skq6cdr2Aw==
+txt.modify.example.	3600	IN	TXT	"Modified zone"
+txt.modify.not-auth.example.	3600	IN	TXT	"Modified zone"
+txt.new-ent.example.	3600	IN	NSEC	not-auth.example. TXT RRSIG NSEC
+txt.new-ent.example.	3600	IN	RRSIG	NSEC 15 3 3600 20231114221320 20200913122640 2835 example. O3OcofwcSM6xHus78+PcB2585oq84JhLQJymAcqknAHP+SNRYjtQJ+ycO9KdkpFvuncd2OAzBgxNKqWJdznUDw==
+txt.new-ent.example.	3600	IN	RRSIG	TXT 15 3 3600 20231114221320 20200913122640 2835 example. TMF0sKLrrfW/3ZQW0sCWIiWBUOe9B2tvlw7C9SzQ7YiJQNj730l84gm+xpBx+gM62iFBcdZBshAXboYEqzySDA==
+txt.new-ent.example.	3600	IN	TXT	"New authoritative ENT"
+txt.new-ent.not-auth.example.	3600	IN	TXT	"New not authoritative ENT"