Adjust kasp and keymgr2kasp tests to use TTLsig
Update the kasp and keymgr2kasp system test to use TTLsig in the key timing calculations, deriving it from the expected MAX_TTL. Since the TTL used in most zones is much lower than kasp's max-zone-ttl, most expected key timing metadata needs to be adjusted as well.
This commit is contained in:
committed by
Mark Andrews
parent
229dce4bca
commit
7c3aeb3ceb
@@ -67,6 +67,7 @@ VIEW3="C1Azf+gGPMmxrUg/WQINP6eV9Y0="
|
||||
# PRIVKEY_STAT
|
||||
# PUBKEY_STAT
|
||||
# STATE_STAT
|
||||
# MAX_TTL
|
||||
|
||||
key_key() {
|
||||
echo "${1}__${2}"
|
||||
@@ -133,6 +134,7 @@ key_clear() {
|
||||
key_set "$1" "PRIVKEY_STAT" '0'
|
||||
key_set "$1" "PUBKEY_STAT" '0'
|
||||
key_set "$1" "STATE_STAT" '0'
|
||||
key_set "$1" "MAX_TTL" 'none'
|
||||
}
|
||||
|
||||
# Start clear.
|
||||
@@ -250,6 +252,10 @@ set_keylifetime() {
|
||||
key_set "$1" "EXPECT" "yes"
|
||||
key_set "$1" "LIFETIME" "$2"
|
||||
}
|
||||
set_keymaxttl() {
|
||||
key_set "$1" "EXPECT" "yes"
|
||||
key_set "$1" "MAX_TTL" "$2"
|
||||
}
|
||||
# The algorithm value consists of three parts:
|
||||
# $2: Algorithm (number)
|
||||
# $3: Algorithm (string-format)
|
||||
@@ -493,12 +499,23 @@ check_timingmetadata() {
|
||||
_retired=$(key_get "$1" RETIRED)
|
||||
_revoked=$(key_get "$1" REVOKED)
|
||||
_removed=$(key_get "$1" REMOVED)
|
||||
_maxttl=$(key_get "$1" MAX_TTL)
|
||||
|
||||
# Check timing metadata.
|
||||
n=$((n+1))
|
||||
echo_i "check key timing metadata for key $1 id ${_key_id} zone ${ZONE} ($n)"
|
||||
ret=0
|
||||
|
||||
if [ "$_maxttl" = "none" ]; then
|
||||
if [ "$_legacy" = "no" ]; then
|
||||
grep "MaxTTL: " "${_state_file}" > /dev/null && _log_error "unexpected maxttl in ${_state_file}"
|
||||
fi
|
||||
else
|
||||
if [ "$_legacy" = "no" ]; then
|
||||
grep "MaxTTL: $_maxttl" "${_state_file}" > /dev/null || _log_error "mismatch maxttl in ${_state_file} (expected ${_maxttl})"
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ "$_published" = "none" ]; then
|
||||
grep "; Publish:" "${_key_file}" > /dev/null && _log_error "unexpected publish comment in ${_key_file}"
|
||||
if [ "$_private" = "yes" ]; then
|
||||
|
||||
@@ -265,13 +265,18 @@ status=$((status+ret))
|
||||
set_keytimes_csk_policy() {
|
||||
# The first key is immediately published and activated.
|
||||
created=$(key_get KEY1 CREATED)
|
||||
set_keymaxttl "KEY1" "300"
|
||||
set_keytime "KEY1" "PUBLISHED" "${created}"
|
||||
set_keytime "KEY1" "ACTIVE" "${created}"
|
||||
# The DS can be published if the DNSKEY and RRSIG records are
|
||||
# OMNIPRESENT. This happens after max-zone-ttl (1d) plus
|
||||
# publish-safety (1h) plus zone-propagation-delay (300s) =
|
||||
# 86400 + 3600 + 300 = 90300.
|
||||
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300
|
||||
# OMNIPRESENT. This happens after max(TTLsig, TTLkey) plus
|
||||
# publish-safety (1h) plus zone-propagation-delay (300s)
|
||||
_ttl=$(key_get KEY1 MAX_TTL)
|
||||
if [ $_ttl -le $DNSKEY_TTL ]; then
|
||||
_ttl=$DNSKEY_TTL
|
||||
fi
|
||||
_syncpub=$((_ttl+3900))
|
||||
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" "${_syncpub}"
|
||||
# Key lifetime is unlimited, so not setting RETIRED and REMOVED.
|
||||
}
|
||||
|
||||
@@ -513,12 +518,14 @@ set_policy "checkds-ksk" "2" "303"
|
||||
set_server "ns3" "10.53.0.3"
|
||||
# Key properties.
|
||||
set_keyrole "KEY1" "ksk"
|
||||
set_keymaxttl "KEY1" "300"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "no"
|
||||
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keymaxttl "KEY2" "300"
|
||||
set_keylifetime "KEY2" "0"
|
||||
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY2" "no"
|
||||
@@ -583,18 +590,21 @@ set_policy "checkds-doubleksk" "3" "303"
|
||||
set_server "ns3" "10.53.0.3"
|
||||
# Key properties.
|
||||
set_keyrole "KEY1" "ksk"
|
||||
set_keymaxttl "KEY1" "300"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "no"
|
||||
|
||||
set_keyrole "KEY2" "ksk"
|
||||
set_keymaxttl "KEY2" "300"
|
||||
set_keylifetime "KEY2" "0"
|
||||
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY2" "yes"
|
||||
set_zonesigning "KEY2" "no"
|
||||
|
||||
set_keyrole "KEY3" "zsk"
|
||||
set_keymaxttl "KEY3" "300"
|
||||
set_keylifetime "KEY3" "0"
|
||||
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY3" "no"
|
||||
@@ -684,6 +694,7 @@ set_policy "checkds-csk" "1" "303"
|
||||
set_server "ns3" "10.53.0.3"
|
||||
# Key properties.
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keymaxttl "KEY1" "300"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -722,6 +733,7 @@ status=$((status+ret))
|
||||
set_keytimes_algorithm_policy() {
|
||||
# The first KSK is immediately published and activated.
|
||||
created=$(key_get KEY1 CREATED)
|
||||
|
||||
set_keytime "KEY1" "PUBLISHED" "${created}"
|
||||
set_keytime "KEY1" "ACTIVE" "${created}"
|
||||
# Key was pregenerated.
|
||||
@@ -735,10 +747,18 @@ set_keytimes_algorithm_policy() {
|
||||
published=$(key_get KEY1 PUBLISHED)
|
||||
|
||||
# The DS can be published if the DNSKEY and RRSIG records are
|
||||
# OMNIPRESENT. This happens after max-zone-ttl (1d) plus
|
||||
# publish-safety (1h) plus zone-propagation-delay (300s) =
|
||||
# 86400 + 3600 + 300 = 90300.
|
||||
set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
|
||||
# OMNIPRESENT. This happens after max(TTLsig, TTLkey) plus
|
||||
# publish-safety (1h) plus zone-propagation-delay (300s).
|
||||
_ttl=$(key_get KEY1 MAX_TTL)
|
||||
if [ "$_ttl" = "none" ]; then
|
||||
# Default back to 1 day.
|
||||
_ttl=86400
|
||||
fi
|
||||
if [ $_ttl -le $DNSKEY_TTL ]; then
|
||||
_ttl=$DNSKEY_TTL
|
||||
fi
|
||||
_syncpub=$((_ttl+3900))
|
||||
set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" "${_syncpub}"
|
||||
# Key lifetime is 10 years, 315360000 seconds.
|
||||
set_addkeytime "KEY1" "RETIRED" "${published}" 315360000
|
||||
# The key is removed after the retire time plus DS TTL (1d),
|
||||
@@ -763,12 +783,20 @@ set_keytimes_algorithm_policy() {
|
||||
|
||||
# Key lifetime for KSK2 is 5 years, 157680000 seconds.
|
||||
set_addkeytime "KEY2" "RETIRED" "${published}" 157680000
|
||||
# The key is removed after the retire time plus max zone ttl (1d), zone
|
||||
# propagation delay (300s), retire safety (1h), and sign delay
|
||||
# (signature validity minus refresh, 9d) =
|
||||
# 86400 + 300 + 3600 + 777600 = 867900.
|
||||
# The key is removed after the retire time plus maximum zone TTL,
|
||||
# zone propagation delay (300s), retire safety (1h), and sign delay
|
||||
# (signature validity minus refresh, 9d) = TTL + 300 + 3600 + 777600.
|
||||
_Iret=$(key_get KEY2 MAX_TTL)
|
||||
if [ "$_Iret" = "none" ]; then
|
||||
# Default back to 1 day.
|
||||
_Iret=86400
|
||||
fi
|
||||
_Iret=$((_Iret+300))
|
||||
_Iret=$((_Iret+3600))
|
||||
_Iret=$((_Iret+777600))
|
||||
|
||||
retired=$(key_get KEY2 RETIRED)
|
||||
set_addkeytime "KEY2" "REMOVED" "${retired}" 867900
|
||||
set_addkeytime "KEY2" "REMOVED" "${retired}" "${_Iret}"
|
||||
|
||||
# Second ZSK (KEY3).
|
||||
created=$(key_get KEY3 CREATED)
|
||||
@@ -787,7 +815,7 @@ set_keytimes_algorithm_policy() {
|
||||
# Key lifetime for KSK3 is 1 year, 31536000 seconds.
|
||||
set_addkeytime "KEY3" "RETIRED" "${published}" 31536000
|
||||
retired=$(key_get KEY3 RETIRED)
|
||||
set_addkeytime "KEY3" "REMOVED" "${retired}" 867900
|
||||
set_addkeytime "KEY3" "REMOVED" "${retired}" "${_Iret}"
|
||||
}
|
||||
|
||||
#
|
||||
@@ -801,6 +829,7 @@ then
|
||||
# Key properties.
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "ksk"
|
||||
set_keymaxttl "KEY1" "300"
|
||||
set_keylifetime "KEY1" "315360000"
|
||||
set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -808,6 +837,7 @@ then
|
||||
|
||||
key_clear "KEY2"
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keymaxttl "KEY2" "300"
|
||||
set_keylifetime "KEY2" "157680000"
|
||||
set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
|
||||
set_keysigning "KEY2" "no"
|
||||
@@ -815,6 +845,7 @@ then
|
||||
|
||||
key_clear "KEY3"
|
||||
set_keyrole "KEY3" "zsk"
|
||||
set_keymaxttl "KEY3" "300"
|
||||
set_keylifetime "KEY3" "31536000"
|
||||
set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
|
||||
set_keysigning "KEY3" "no"
|
||||
@@ -924,6 +955,7 @@ set_server "ns3" "10.53.0.3"
|
||||
# Key properties.
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "ksk"
|
||||
set_keymaxttl "KEY1" "300"
|
||||
set_keylifetime "KEY1" "315360000"
|
||||
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -931,6 +963,7 @@ set_zonesigning "KEY1" "no"
|
||||
|
||||
key_clear "KEY2"
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keymaxttl "KEY2" "300"
|
||||
set_keylifetime "KEY2" "157680000"
|
||||
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
|
||||
set_keysigning "KEY2" "no"
|
||||
@@ -938,6 +971,7 @@ set_zonesigning "KEY2" "yes"
|
||||
|
||||
key_clear "KEY3"
|
||||
set_keyrole "KEY3" "zsk"
|
||||
set_keymaxttl "KEY3" "300"
|
||||
set_keylifetime "KEY3" "31536000"
|
||||
set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
|
||||
set_keysigning "KEY3" "no"
|
||||
@@ -1050,8 +1084,10 @@ dnssec_verify
|
||||
set_zone "secondary.kasp"
|
||||
set_policy "rsasha256" "3" "1234"
|
||||
set_server "ns3" "10.53.0.3"
|
||||
# Key properties, timings and states same as above.
|
||||
|
||||
# Key properties, timings and states same as above, except for max-ttl.
|
||||
set_keymaxttl "KEY1" "none"
|
||||
set_keymaxttl "KEY2" "none"
|
||||
set_keymaxttl "KEY3" "none"
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
set_keytimes_algorithm_policy
|
||||
@@ -1085,6 +1121,11 @@ retry_quiet 5 _wait_for_done_subdomains || ret=1
|
||||
test "$ret" -eq 0 || echo_i "failed"
|
||||
status=$((status+ret))
|
||||
|
||||
# Reset expected max-ttl
|
||||
set_keymaxttl "KEY1" "300"
|
||||
set_keymaxttl "KEY2" "300"
|
||||
set_keymaxttl "KEY3" "300"
|
||||
|
||||
# TODO: we might want to test:
|
||||
# - configuring a zone with too many active keys (should trigger retire).
|
||||
# - configuring a zone with keys not matching the policy.
|
||||
@@ -1240,6 +1281,7 @@ fi
|
||||
set_keytimes_autosign_policy() {
|
||||
# The KSK was published six months ago (with settime).
|
||||
created=$(key_get KEY1 CREATED)
|
||||
set_keymaxttl "KEY1" "300"
|
||||
set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000
|
||||
set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000
|
||||
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000
|
||||
@@ -1254,19 +1296,27 @@ set_keytimes_autosign_policy() {
|
||||
|
||||
# The ZSK was published six months ago (with settime).
|
||||
created=$(key_get KEY2 CREATED)
|
||||
set_keymaxttl "KEY2" "300"
|
||||
set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000
|
||||
set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000
|
||||
# Key lifetime for KSK2 is 1 year, 31536000 seconds.
|
||||
active=$(key_get KEY2 ACTIVE)
|
||||
set_addkeytime "KEY2" "RETIRED" "${active}" 31536000
|
||||
# The key is removed after the retire time plus:
|
||||
# TTLsig (RRSIG TTL): 1 day (86400 seconds)
|
||||
# TTLsig: Variable
|
||||
_Iret=$(key_get KEY2 MAX_TTL)
|
||||
if [ "$_Iret" = "none" ]; then
|
||||
# Default back to 1 day.
|
||||
_Iret=86400
|
||||
fi
|
||||
# Dprp (propagation delay): 5 minutes (300 seconds)
|
||||
_Iret=$((_Iret+300))
|
||||
# retire-safety: 1 hour (3600 seconds)
|
||||
_Iret=$((_Iret+3600))
|
||||
# Dsgn (sign delay): 7 days (604800 seconds)
|
||||
# Iret: 695100 seconds.
|
||||
_Iret=$((_Iret+604800))
|
||||
retired=$(key_get KEY2 RETIRED)
|
||||
set_addkeytime "KEY2" "REMOVED" "${retired}" 695100
|
||||
set_addkeytime "KEY2" "REMOVED" "${retired}" "${_Iret}"
|
||||
}
|
||||
|
||||
#
|
||||
@@ -1485,6 +1535,7 @@ set_policy "autosign" "3" "300"
|
||||
set_server "ns3" "10.53.0.3"
|
||||
# The third key is not yet expected to be signing.
|
||||
set_keyrole "KEY3" "zsk"
|
||||
set_keymaxttl "KEY3" "300"
|
||||
set_keylifetime "KEY3" "31536000"
|
||||
set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY3" "no"
|
||||
@@ -1507,7 +1558,11 @@ set_keytimes_autosign_policy
|
||||
# The old ZSK is retired.
|
||||
created=$(key_get KEY2 CREATED)
|
||||
set_keytime "KEY2" "RETIRED" "${created}"
|
||||
set_addkeytime "KEY2" "REMOVED" "${created}" 695100
|
||||
Iret=$(key_get KEY2 MAX_TTL)
|
||||
Iret=$((Iret+300))
|
||||
Iret=$((Iret+3600))
|
||||
Iret=$((Iret+604800))
|
||||
set_addkeytime "KEY2" "REMOVED" "${created}" "${Iret}"
|
||||
# The new ZSK is immediately published.
|
||||
created=$(key_get KEY3 CREATED)
|
||||
set_keytime "KEY3" "PUBLISHED" "${created}"
|
||||
@@ -1523,7 +1578,7 @@ active=$(key_get KEY3 ACTIVE)
|
||||
set_addkeytime "KEY3" "RETIRED" "${active}" 31536000
|
||||
# Iret: 695100 seconds.
|
||||
retired=$(key_get KEY3 RETIRED)
|
||||
set_addkeytime "KEY3" "REMOVED" "${retired}" 695100
|
||||
set_addkeytime "KEY3" "REMOVED" "${retired}" "${Iret}"
|
||||
|
||||
check_keytimes
|
||||
check_apex
|
||||
@@ -1543,6 +1598,7 @@ set_server "ns3" "10.53.0.3"
|
||||
# Key properties.
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "ksk"
|
||||
set_keymaxttl "KEY1" "300"
|
||||
set_keylifetime "KEY1" "16070400"
|
||||
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -1550,6 +1606,7 @@ set_zonesigning "KEY1" "no"
|
||||
|
||||
key_clear "KEY2"
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keymaxttl "KEY2" "300"
|
||||
set_keylifetime "KEY2" "16070400"
|
||||
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
|
||||
set_keysigning "KEY2" "no"
|
||||
@@ -1596,9 +1653,14 @@ set_keytime "KEY1" "PUBLISHED" "${published}"
|
||||
set_keytime "KEY1" "ACTIVE" "${published}"
|
||||
published=$(key_get KEY1 PUBLISHED)
|
||||
# The DS can be published if the DNSKEY and RRSIG records are OMNIPRESENT.
|
||||
# This happens after max-zone-ttl (1d) plus publish-safety (1h) plus
|
||||
# zone-propagation-delay (300s) = 86400 + 3600 + 300 = 90300.
|
||||
set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
|
||||
# This happens after TTLsig plus publish-safety (1h) plus
|
||||
# zone-propagation-delay (300s).
|
||||
ttl=$(key_get KEY1 MAX_TTL)
|
||||
if [ $ttl -le $DNSKEY_TTL ]; then
|
||||
ttl=$DNSKEY_TTL
|
||||
fi
|
||||
syncpub=$((ttl+3900))
|
||||
set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" $syncpub
|
||||
# Key lifetime is 6 months, 315360000 seconds.
|
||||
set_addkeytime "KEY1" "RETIRED" "${published}" 16070400
|
||||
# The key is removed after the retire time plus DS TTL (1d), parent
|
||||
@@ -1616,11 +1678,15 @@ set_keytime "KEY2" "ACTIVE" "${published}"
|
||||
published=$(key_get KEY2 PUBLISHED)
|
||||
# Key lifetime is 6 months, 315360000 seconds.
|
||||
set_addkeytime "KEY2" "RETIRED" "${published}" 16070400
|
||||
# The key is removed after the retire time plus max zone ttl (1d), zone
|
||||
# The key is removed after the retire time plus max zone ttl, zone
|
||||
# propagation delay (300s), retire safety (1h), and sign delay (signature
|
||||
# validity minus refresh, 9d) = 86400 + 300 + 3600 + 777600 = 867900.
|
||||
# validity minus refresh, 9d) = TTLsig + 300 + 3600 + 777600 = 867900.
|
||||
Iret=$(key_get KEY1 MAX_TTL)
|
||||
Iret=$((Iret+300))
|
||||
Iret=$((Iret+3600))
|
||||
Iret=$((Iret+777600))
|
||||
retired=$(key_get KEY2 RETIRED)
|
||||
set_addkeytime "KEY2" "REMOVED" "${retired}" 867900
|
||||
set_addkeytime "KEY2" "REMOVED" "${retired}" "${Iret}"
|
||||
|
||||
check_keytimes
|
||||
check_apex
|
||||
@@ -1989,12 +2055,14 @@ key_clear "KEY4"
|
||||
|
||||
# Key properties.
|
||||
set_keyrole "KEY1" "ksk"
|
||||
set_keymaxttl "KEY1" "3600"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "no"
|
||||
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keymaxttl "KEY2" "3600"
|
||||
set_keylifetime "KEY2" "0"
|
||||
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY2" "no"
|
||||
@@ -2050,12 +2118,14 @@ key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
# Key properties.
|
||||
set_keyrole "KEY1" "ksk"
|
||||
set_keymaxttl "KEY1" "3600"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "no"
|
||||
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keymaxttl "KEY2" "3600"
|
||||
set_keylifetime "KEY2" "0"
|
||||
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY2" "no"
|
||||
@@ -2094,10 +2164,11 @@ retired=$(key_get KEY1 RETIRED)
|
||||
rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${retired}" "$ZONE"
|
||||
# Rollover starts in six months, but lifetime is set to six months plus
|
||||
# prepublication duration = 15552000 + 7500 = 15559500 seconds.
|
||||
set_keymaxttl "KEY1" "3600"
|
||||
set_keylifetime "KEY1" "15559500"
|
||||
set_addkeytime "KEY1" "RETIRED" "${active}" 15559500
|
||||
set_addkeytime "KEY1" "RETIRED" "${active}" 15559500
|
||||
retired=$(key_get KEY1 RETIRED)
|
||||
# Retire interval of this policy is 26h (93600 seconds).
|
||||
# Retire interval of this policy is 26h (93600 seconds). REALLY?
|
||||
set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
|
||||
|
||||
check_keys
|
||||
@@ -2112,12 +2183,14 @@ set_policy "manual-rollover" "3" "3600"
|
||||
set_keystate "KEY1" "GOAL" "hidden"
|
||||
# This key was activated one day ago, so lifetime is set to 1d plus
|
||||
# prepublication duration (7500 seconds) = 93900 seconds.
|
||||
set_keymaxttl "KEY1" "3600"
|
||||
set_keylifetime "KEY1" "93900"
|
||||
created=$(key_get KEY1 CREATED)
|
||||
set_keytime "KEY1" "RETIRED" "${created}"
|
||||
rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "$ZONE"
|
||||
# New key is introduced.
|
||||
set_keyrole "KEY3" "ksk"
|
||||
set_keymaxttl "KEY3" "3600"
|
||||
set_keylifetime "KEY3" "0"
|
||||
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY3" "yes"
|
||||
@@ -2139,12 +2212,14 @@ set_policy "manual-rollover" "4" "3600"
|
||||
set_keystate "KEY2" "GOAL" "hidden"
|
||||
# This key was activated one day ago, so lifetime is set to 1d plus
|
||||
# prepublication duration (7500 seconds) = 93900 seconds.
|
||||
set_keymaxttl "KEY2" "3600"
|
||||
set_keylifetime "KEY2" "93900"
|
||||
created=$(key_get KEY2 CREATED)
|
||||
set_keytime "KEY2" "RETIRED" "${created}"
|
||||
rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE"
|
||||
# New key is introduced.
|
||||
set_keyrole "KEY4" "zsk"
|
||||
set_keymaxttl "KEY4" "3600"
|
||||
set_keylifetime "KEY4" "0"
|
||||
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY4" "no"
|
||||
@@ -2182,6 +2257,7 @@ set_server "ns3" "10.53.0.3"
|
||||
# Key properties.
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keymaxttl "KEY1" "43200"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -2206,10 +2282,11 @@ created=$(key_get KEY1 CREATED)
|
||||
set_keytime "KEY1" "PUBLISHED" "${created}"
|
||||
set_keytime "KEY1" "ACTIVE" "${created}"
|
||||
# - The DS can be published if the DNSKEY and RRSIG records are
|
||||
# OMNIPRESENT. This happens after max-zone-ttl (12h) plus
|
||||
# publish-safety (5m) plus zone-propagation-delay (5m) =
|
||||
# 43200 + 300 + 300 = 43800.
|
||||
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
|
||||
# OMNIPRESENT. This happens after plus publish-safety (5m)
|
||||
# plus zone-propagation-delay (5m).
|
||||
syncpub=$(key_get KEY1 MAX_TTL)
|
||||
syncpub=$((syncpub+600))
|
||||
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" $syncpub
|
||||
# - Key lifetime is unlimited, so not setting RETIRED and REMOVED.
|
||||
|
||||
# Various signing policy checks.
|
||||
@@ -2285,7 +2362,7 @@ check_apex
|
||||
check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
# Next key event is when the zone signatures become OMNIPRESENT: max-zone-ttl
|
||||
# Next key event is when the zone signatures become OMNIPRESENT: TTLsig
|
||||
# plus zone propagation delay plus retire safety minus the already elapsed
|
||||
# 900 seconds: 12h + 300s + 20m - 900 = 44700 - 900 = 43800 seconds
|
||||
check_next_key_event 43800
|
||||
@@ -2361,18 +2438,6 @@ check_next_key_event 3600
|
||||
# Testing ZSK Pre-Publication rollover.
|
||||
#
|
||||
|
||||
# Policy parameters.
|
||||
# Lksk: 2 years (63072000 seconds)
|
||||
# Lzsk: 30 days (2592000 seconds)
|
||||
# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (2d)
|
||||
# Iret(KSK): 3d1h (262800 seconds)
|
||||
# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d)
|
||||
# Iret(ZSK): 10d1h (867600 seconds)
|
||||
Lksk=63072000
|
||||
Lzsk=2592000
|
||||
IretKSK=262800
|
||||
IretZSK=867600
|
||||
|
||||
#
|
||||
# Zone: step1.zsk-prepub.autosign.
|
||||
#
|
||||
@@ -2405,9 +2470,16 @@ rollover_predecessor_keytimes() {
|
||||
[ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
|
||||
}
|
||||
|
||||
# Key lifetimes:
|
||||
# Lksk: 2 years (63072000 seconds)
|
||||
# Lzsk: 30 days (2592000 seconds)
|
||||
Lksk=63072000
|
||||
Lzsk=2592000
|
||||
|
||||
# Key properties.
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "ksk"
|
||||
set_keymaxttl "KEY1" "86400"
|
||||
set_keylifetime "KEY1" "${Lksk}"
|
||||
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -2415,6 +2487,7 @@ set_zonesigning "KEY1" "no"
|
||||
|
||||
key_clear "KEY2"
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keymaxttl "KEY2" "86400"
|
||||
set_keylifetime "KEY2" "${Lzsk}"
|
||||
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY2" "no"
|
||||
@@ -2432,6 +2505,16 @@ set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
|
||||
key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
|
||||
# Calculate retire intervals:
|
||||
# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (2d)
|
||||
# Iret(KSK): 3d1h (262800 seconds)
|
||||
IretKSK=262800
|
||||
# Iret(ZSK): TTLsig + Dprp (1h) + Dsgn (1w) + retire-safety (2d)
|
||||
IretZSK=$(key_get KEY2 MAX_TTL)
|
||||
IretZSK=$((IretZSK+3600))
|
||||
IretZSK=$((IretZSK+604800))
|
||||
IretZSK=$((IretZSK+172800))
|
||||
|
||||
# Various signing policy checks.
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
@@ -2457,6 +2540,7 @@ set_server "ns3" "10.53.0.3"
|
||||
# New ZSK (KEY3) is prepublished, but not yet signing.
|
||||
key_clear "KEY3"
|
||||
set_keyrole "KEY3" "zsk"
|
||||
set_keymaxttl "KEY3" "86400"
|
||||
set_keylifetime "KEY3" "${Lzsk}"
|
||||
set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY3" "no"
|
||||
@@ -2634,17 +2718,11 @@ dnssec_verify
|
||||
# Testing KSK Double-KSK rollover.
|
||||
#
|
||||
|
||||
# Policy parameters.
|
||||
# Lksk: 60 days (16070400 seconds)
|
||||
# Key lifetimes:
|
||||
# Lksk: 60 days (5184000 seconds)
|
||||
# Lzsk: 1 year (31536000 seconds)
|
||||
# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2d)
|
||||
# Iret(KSK): 50h (180000 seconds)
|
||||
# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d)
|
||||
# Iret(ZSK): 10d1h (867600 seconds)
|
||||
Lksk=5184000
|
||||
Lzsk=31536000
|
||||
IretKSK=180000
|
||||
IretZSK=867600
|
||||
|
||||
#
|
||||
# Zone: step1.ksk-doubleksk.autosign.
|
||||
@@ -2656,6 +2734,7 @@ set_server "ns3" "10.53.0.3"
|
||||
# Key properties.
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "ksk"
|
||||
set_keymaxttl "KEY1" "86400"
|
||||
set_keylifetime "KEY1" "${Lksk}"
|
||||
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -2663,6 +2742,7 @@ set_zonesigning "KEY1" "no"
|
||||
|
||||
key_clear "KEY2"
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keymaxttl "KEY2" "86400"
|
||||
set_keylifetime "KEY2" "${Lzsk}"
|
||||
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY2" "no"
|
||||
@@ -2680,6 +2760,16 @@ set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
|
||||
key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
|
||||
# Calculate retire intervals:
|
||||
# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2d)
|
||||
# Iret(KSK): 50h (180000 seconds)
|
||||
IretKSK=180000
|
||||
# Iret(ZSK): TTLsig + Dprp (1h) + Dsgn (1w) + retire-safety (2d)
|
||||
IretZSK=$(key_get KEY2 MAX_TTL)
|
||||
IretZSK=$((IretZSK+3600))
|
||||
IretZSK=$((IretZSK+604800))
|
||||
IretZSK=$((IretZSK+172800))
|
||||
|
||||
# Various signing policy checks.
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
@@ -2706,6 +2796,7 @@ set_server "ns3" "10.53.0.3"
|
||||
# New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
|
||||
key_clear "KEY3"
|
||||
set_keyrole "KEY3" "ksk"
|
||||
set_keymaxttl "KEY3" "86400"
|
||||
set_keylifetime "KEY3" "${Lksk}"
|
||||
set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY3" "yes"
|
||||
@@ -2901,16 +2992,9 @@ dnssec_verify
|
||||
# Testing CSK key rollover (1).
|
||||
#
|
||||
|
||||
# Policy parameters.
|
||||
# Lcsk: 186 days (5184000 seconds)
|
||||
# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2h)
|
||||
# Iret(KSK): 4h (14400 seconds)
|
||||
# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (25d) + retire-safety (2h)
|
||||
# Iret(ZSK): 26d3h (2257200 seconds)
|
||||
# Key lifetime:
|
||||
# Lcsk: 186 days (16070400 seconds)
|
||||
Lcsk=16070400
|
||||
IretKSK=14400
|
||||
IretZSK=2257200
|
||||
IretCSK=$IretZSK
|
||||
|
||||
csk_rollover_predecessor_keytimes() {
|
||||
_addtime=$1
|
||||
@@ -2933,6 +3017,7 @@ set_server "ns3" "10.53.0.3"
|
||||
# Key properties.
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keymaxttl "KEY1" "86400"
|
||||
set_keylifetime "KEY1" "${Lcsk}"
|
||||
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -2948,6 +3033,17 @@ key_clear "KEY2"
|
||||
key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
|
||||
# Calculate retire interval:
|
||||
# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2h)
|
||||
# Iret(KSK): 4h (14400 seconds)
|
||||
IretKSK=14400
|
||||
# Iret(ZSK): TTLsig + Dprp (1h) + Dsgn (25d) + retire-safety (2h)
|
||||
IretZSK=$(key_get KEY1 MAX_TTL)
|
||||
IretZSK=$((IretZSK+3600))
|
||||
IretZSK=$((IretZSK+2160000))
|
||||
IretZSK=$((IretZSK+7200))
|
||||
IretCSK=$IretZSK
|
||||
|
||||
# Various signing policy checks.
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
@@ -2975,6 +3071,7 @@ set_server "ns3" "10.53.0.3"
|
||||
# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
|
||||
key_clear "KEY2"
|
||||
set_keyrole "KEY2" "csk"
|
||||
set_keymaxttl "KEY2" "86400"
|
||||
set_keylifetime "KEY2" "16070400"
|
||||
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY2" "yes"
|
||||
@@ -3263,17 +3360,9 @@ dnssec_verify
|
||||
# Testing CSK key rollover (2).
|
||||
#
|
||||
|
||||
# Policy parameters.
|
||||
# Key lifetime:
|
||||
# Lcsk: 186 days (16070400 seconds)
|
||||
# Dreg: N/A
|
||||
# Iret(KSK): DS TTL (1h) + DprpP (1w) + retire-safety (1h)
|
||||
# Iret(KSK): 170h (61200 seconds)
|
||||
# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (12h) + retire-safety (1h)
|
||||
# Iret(ZSK): 38h (136800 seconds)
|
||||
Lcsk=16070400
|
||||
IretKSK=612000
|
||||
IretZSK=136800
|
||||
IretCSK=$IretKSK
|
||||
|
||||
#
|
||||
# Zone: step1.csk-roll2.autosign.
|
||||
@@ -3285,6 +3374,7 @@ set_server "ns3" "10.53.0.3"
|
||||
# Key properties.
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keymaxttl "KEY1" "86400"
|
||||
set_keylifetime "KEY1" "16070400"
|
||||
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -3300,6 +3390,18 @@ key_clear "KEY2"
|
||||
key_clear "KEY3"
|
||||
key_clear "KEY4"
|
||||
|
||||
# Calculate retire interval:
|
||||
# Dreg: N/A
|
||||
# Iret(KSK): DS TTL (1h) + DprpP (1w) + retire-safety (1h)
|
||||
# Iret(KSK): 170h (61200 seconds)
|
||||
IretKSK=612000
|
||||
# Iret(ZSK): TTLsig + Dprp (1h) + Dsgn (12h) + retire-safety (1h)
|
||||
IretZSK=$(key_get KEY1 MAX_TTL)
|
||||
IretZSK=$((IretZSK+3600))
|
||||
IretZSK=$((IretZSK+43200))
|
||||
IretZSK=$((IretZSK+3600))
|
||||
IretCSK=$IretKSK
|
||||
|
||||
# Various signing policy checks.
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
@@ -3327,6 +3429,7 @@ set_server "ns3" "10.53.0.3"
|
||||
# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
|
||||
key_clear "KEY2"
|
||||
set_keyrole "KEY2" "csk"
|
||||
set_keymaxttl "KEY2" "86400"
|
||||
set_keylifetime "KEY2" "16070400"
|
||||
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY2" "yes"
|
||||
@@ -3656,6 +3759,7 @@ set_server "ns6" "10.53.0.6"
|
||||
# Key properties.
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keymaxttl "KEY1" "86400"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -3694,6 +3798,7 @@ set_server "ns6" "10.53.0.6"
|
||||
# Key properties.
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "ksk"
|
||||
set_keymaxttl "KEY1" "21600"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -3701,6 +3806,7 @@ set_zonesigning "KEY1" "no"
|
||||
|
||||
key_clear "KEY2"
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keymaxttl "KEY2" "21600"
|
||||
set_keylifetime "KEY2" "0"
|
||||
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
|
||||
set_keysigning "KEY2" "no"
|
||||
@@ -3742,6 +3848,7 @@ set_server "ns6" "10.53.0.6"
|
||||
# Key properties.
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keymaxttl "KEY1" "21600"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -3784,21 +3891,16 @@ set_zone "step1.going-insecure.kasp"
|
||||
set_policy "unsigning" "2" "7200"
|
||||
set_server "ns6" "10.53.0.6"
|
||||
|
||||
# Policy parameters.
|
||||
# Key lifetimes:
|
||||
# Lksk: 0
|
||||
# Lzsk: 60 days (5184000 seconds)
|
||||
# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (1h)
|
||||
# Iret(KSK): 1d2h (93600 seconds)
|
||||
# Iret(ZSK): RRSIG TTL (1d) + Dprp (5m) + Dsgn (9d) + retire-safety (1h)
|
||||
# Iret(ZSK): 10d1h5m (867900 seconds)
|
||||
Lksk=0
|
||||
Lzsk=5184000
|
||||
IretKSK=93600
|
||||
IretZSK=867900
|
||||
|
||||
init_migration_insecure() {
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "ksk"
|
||||
set_keymaxttl "KEY1" "7200"
|
||||
set_keylifetime "KEY1" "${Lksk}"
|
||||
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -3811,6 +3913,7 @@ init_migration_insecure() {
|
||||
|
||||
key_clear "KEY2"
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keymaxttl "KEY2" "7200"
|
||||
set_keylifetime "KEY2" "${Lzsk}"
|
||||
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY2" "no"
|
||||
@@ -3825,6 +3928,16 @@ init_migration_insecure() {
|
||||
}
|
||||
init_migration_insecure
|
||||
|
||||
# Calculate retire intervals:
|
||||
# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (1h)
|
||||
# Iret(KSK): 1d2h (93600 seconds)
|
||||
IretKSK=93600
|
||||
# Iret(ZSK): TTLsig + Dprp (5m) + Dsgn (9d) + retire-safety (1h)
|
||||
IretZSK=$(key_get KEY2 MAX_TTL)
|
||||
IretZSK=$((IretZSK+300))
|
||||
IretZSK=$((IretZSK+777600))
|
||||
IretZSK=$((IretZSK+3600))
|
||||
|
||||
# Various signing policy checks.
|
||||
check_keys
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
@@ -3865,6 +3978,7 @@ set_policy "default" "1" "3600"
|
||||
set_server "ns6" "10.53.0.6"
|
||||
# Key properties.
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keymaxttl "KEY1" "3600"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -3951,6 +4065,7 @@ set_server "ns6" "10.53.0.6"
|
||||
# Key properties.
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keymaxttl "KEY1" "86400"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -4121,6 +4236,7 @@ set_server "ns6" "10.53.0.6"
|
||||
|
||||
# Key properties.
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keymaxttl "KEY1" "86400"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -4145,7 +4261,7 @@ dnssec_verify
|
||||
# Testing KSK/ZSK algorithm rollover.
|
||||
#
|
||||
|
||||
# Policy parameters.
|
||||
# Key lifetimes:
|
||||
# Lksk: unlimited
|
||||
# Lzsk: unlimited
|
||||
Lksk=0
|
||||
@@ -4160,6 +4276,7 @@ set_server "ns6" "10.53.0.6"
|
||||
# Old RSASHA1 keys.
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "ksk"
|
||||
set_keymaxttl "KEY1" "21600"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -4167,6 +4284,7 @@ set_zonesigning "KEY1" "no"
|
||||
|
||||
key_clear "KEY2"
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keymaxttl "KEY2" "21600"
|
||||
set_keylifetime "KEY2" "0"
|
||||
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
|
||||
set_keysigning "KEY2" "no"
|
||||
@@ -4174,6 +4292,7 @@ set_zonesigning "KEY2" "yes"
|
||||
# New ECDSAP256SHA256 keys.
|
||||
key_clear "KEY3"
|
||||
set_keyrole "KEY3" "ksk"
|
||||
set_keymaxttl "KEY3" "21600"
|
||||
set_keylifetime "KEY3" "0"
|
||||
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY3" "yes"
|
||||
@@ -4181,6 +4300,7 @@ set_zonesigning "KEY3" "no"
|
||||
|
||||
key_clear "KEY4"
|
||||
set_keyrole "KEY4" "zsk"
|
||||
set_keymaxttl "KEY4" "21600"
|
||||
set_keylifetime "KEY4" "0"
|
||||
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY4" "no"
|
||||
@@ -4230,23 +4350,26 @@ retired=$(awk '{print $3}' < retired.test${n}.zsk)
|
||||
set_keytime "KEY2" "RETIRED" "${retired}"
|
||||
# - The key is removed after the retire interval:
|
||||
# IretZSK = TTLsig + Dprp + Dsgn + retire-safety
|
||||
# TTLsig: 6h (21600 seconds)
|
||||
# TTLsig: Variable
|
||||
IretZSK=$(key_get KEY2 MAX_TTL)
|
||||
# Dprp: 1h (3600 seconds)
|
||||
IretZSK=$((IretZSK+3600))
|
||||
# Dsgn: 25d (2160000 seconds)
|
||||
IretZSK=$((IretZSK+2160000))
|
||||
# retire-safety: 2h (7200 seconds)
|
||||
# IretZSK: 25d9h (2192400 seconds)
|
||||
IretZSK=2192400
|
||||
IretZSK=$((IretZSK+7200))
|
||||
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
|
||||
# - The new KSK is published and activated.
|
||||
created=$(key_get KEY3 CREATED)
|
||||
set_keytime "KEY3" "PUBLISHED" "${created}"
|
||||
set_keytime "KEY3" "ACTIVE" "${created}"
|
||||
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
|
||||
# TTLsig: 6h (39600 seconds)
|
||||
# TTLsig: Variable
|
||||
Ipub=$(key_get KEY2 MAX_TTL)
|
||||
# Dprp: 1h (3600 seconds)
|
||||
Ipub=$((Ipub+3600))
|
||||
# publish-safety: 1h (3600 seconds)
|
||||
# Ipub: 8h (28800 seconds)
|
||||
Ipub=28800
|
||||
Ipub=$((Ipub+3600))
|
||||
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
|
||||
# - The new ZSK is published and activated.
|
||||
created=$(key_get KEY4 CREATED)
|
||||
@@ -4314,10 +4437,10 @@ check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
# Next key event is when all zone signatures are signed with the new
|
||||
# algorithm. This is the max-zone-ttl plus zone propagation delay
|
||||
# plus retire safety: 6h + 1h + 2h. But three hours have already passed
|
||||
# algorithm. This is the TTLsig (6h) plus zone propagation delay (1h)
|
||||
# plus retire safety (2h). But three hours have already passed
|
||||
# (the time it took to make the DNSKEY omnipresent), so the next event
|
||||
# should be scheduled in 6 hour: 21600 seconds. Prevent intermittent
|
||||
# should be scheduled in 6 hours: 21600 seconds. Prevent intermittent
|
||||
# false positives on slow platforms by subtracting the number of seconds
|
||||
# which passed between key creation and invoking 'rndc reconfig'.
|
||||
next_time=$((21600-time_passed))
|
||||
@@ -4488,8 +4611,8 @@ check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
# Next key event is when the RSASHA1 signatures become HIDDEN. This happens
|
||||
# after the max-zone-ttl plus zone propagation delay plus retire safety
|
||||
# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
|
||||
# after the TTLsig (6h) plus zone propagation delay (1h) plus retire safety
|
||||
# (2h) minus the time already passed since the UNRETENTIVE state has
|
||||
# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
|
||||
# false positives on slow platforms by subtracting the number of seconds
|
||||
# which passed between key creation and invoking 'rndc reconfig'.
|
||||
@@ -4549,7 +4672,7 @@ check_next_key_event 3600
|
||||
# Testing CSK algorithm rollover.
|
||||
#
|
||||
|
||||
# Policy parameters.
|
||||
# Key lifetime:
|
||||
# Lcsk: unlimited
|
||||
Lcksk=0
|
||||
|
||||
@@ -4562,6 +4685,7 @@ set_server "ns6" "10.53.0.6"
|
||||
# Old RSASHA1 key.
|
||||
key_clear "KEY1"
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keymaxttl "KEY1" "21600"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
|
||||
set_keysigning "KEY1" "yes"
|
||||
@@ -4569,6 +4693,7 @@ set_zonesigning "KEY1" "yes"
|
||||
# New ECDSAP256SHA256 key.
|
||||
key_clear "KEY2"
|
||||
set_keyrole "KEY2" "csk"
|
||||
set_keymaxttl "KEY2" "21600"
|
||||
set_keylifetime "KEY2" "0"
|
||||
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY2" "yes"
|
||||
@@ -4601,24 +4726,27 @@ grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
|
||||
retired=$(awk '{print $3}' < retired.test${n}.ksk)
|
||||
set_keytime "KEY1" "RETIRED" "${retired}"
|
||||
# - The key is removed after the retire interval:
|
||||
# IretZSK = TTLsig + Dprp + Dsgn + retire-safety
|
||||
# TTLsig: 6h (21600 seconds)
|
||||
# IretCSK = TTLsig + Dprp + Dsgn + retire-safety
|
||||
# TTLsig: Variable
|
||||
IretCSK=$(key_get KEY1 MAX_TTL)
|
||||
# Dprp: 1h (3600 seconds)
|
||||
IretCSK=$((IretCSK+3600))
|
||||
# Dsgn: 25d (2160000 seconds)
|
||||
IretCSK=$((IretCSK+2160000))
|
||||
# retire-safety: 2h (7200 seconds)
|
||||
# IretZSK: 25d9h (2192400 seconds)
|
||||
IretCSK=2192400
|
||||
IretCSK=$((IretCSK+7200))
|
||||
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
|
||||
# - The new CSK is published and activated.
|
||||
created=$(key_get KEY2 CREATED)
|
||||
set_keytime "KEY2" "PUBLISHED" "${created}"
|
||||
set_keytime "KEY2" "ACTIVE" "${created}"
|
||||
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
|
||||
# TTLsig: 6h (39600 seconds)
|
||||
# TTLsig: Variable
|
||||
Ipub=$(key_get KEY2 MAX_TTL)
|
||||
# Dprp: 1h (3600 seconds)
|
||||
Ipub=$((Ipub+3600))
|
||||
# publish-safety: 1h (3600 seconds)
|
||||
# Ipub: 8h (28800 seconds)
|
||||
Ipub=28800
|
||||
Ipub=$((Ipub+3600))
|
||||
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
|
||||
|
||||
# Continue signing policy checks.
|
||||
@@ -4673,8 +4801,8 @@ check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
# Next key event is when all zone signatures are signed with the new
|
||||
# algorithm. This is the max-zone-ttl plus zone propagation delay
|
||||
# plus retire safety: 6h + 1h + 2h. But three hours have already passed
|
||||
# algorithm. This is the TTLsig (6h) plus zone propagation delay (1h)
|
||||
# plus retire safety (2h). But three hours have already passed
|
||||
# (the time it took to make the DNSKEY omnipresent), so the next event
|
||||
# should be scheduled in 6 hour: 21600 seconds. Prevent intermittent
|
||||
# false positives on slow platforms by subtracting the number of seconds
|
||||
@@ -4815,8 +4943,8 @@ check_subdomain
|
||||
dnssec_verify
|
||||
|
||||
# Next key event is when the RSASHA1 signatures become HIDDEN. This happens
|
||||
# after the max-zone-ttl plus zone propagation delay plus retire safety
|
||||
# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
|
||||
# after the TTLsig (6h) plus zone propagation delay (1h) plus retire safety
|
||||
# (2h) minus the time already passed since the UNRETENTIVE state has
|
||||
# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
|
||||
# false positives on slow platforms by subtracting the number of seconds
|
||||
# which passed between key creation and invoking 'rndc reconfig'.
|
||||
|
||||
@@ -122,7 +122,7 @@ setup rumoured.kasp
|
||||
echo "$zone" >> zones
|
||||
Tds="now-2h"
|
||||
Tkey="now-300s"
|
||||
Tsig="now-11h"
|
||||
Tsig="now-300s" # less than maximum zone ttl
|
||||
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
|
||||
zsktimes="-P ${Tkey} -A ${Tsig}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||||
@@ -137,7 +137,7 @@ setup omnipresent.kasp
|
||||
echo "$zone" >> zones
|
||||
Tds="now-3h" # Time according to dnssec-policy that DS will be OMNIPRESENT
|
||||
Tkey="now-3900s" # DNSKEY TTL + propagation delay
|
||||
Tsig="now-12h" # Zone's maximum TTL + propagation delay
|
||||
Tsig="now-3900s" # Zone's maximum TTL + propagation delay
|
||||
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
|
||||
zsktimes="-P ${Tkey} -A ${Tsig}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||||
|
||||
@@ -92,6 +92,7 @@ init_migration_keys() {
|
||||
key_set "KEY1" "LEGACY" "yes"
|
||||
set_keyrole "KEY1" "ksk"
|
||||
set_keylifetime "KEY1" "none"
|
||||
set_keymaxttl "KEY1" "none"
|
||||
set_keyalgorithm "KEY1" "$1" "$2" "$3"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "no"
|
||||
@@ -100,6 +101,7 @@ init_migration_keys() {
|
||||
key_set "KEY2" "LEGACY" "yes"
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keylifetime "KEY2" "none"
|
||||
set_keymaxttl "KEY2" "none"
|
||||
set_keyalgorithm "KEY2" "$1" "$2" "$4"
|
||||
set_keysigning "KEY2" "no"
|
||||
set_zonesigning "KEY2" "yes"
|
||||
@@ -440,9 +442,7 @@ wait_for_done_signing() {
|
||||
|
||||
# Policy parameters.
|
||||
# ZSK now has lifetime of 60 days (5184000 seconds).
|
||||
# The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety.
|
||||
Lzsk=5184000
|
||||
IretZSK=781800
|
||||
|
||||
#
|
||||
# Testing good migration.
|
||||
@@ -458,23 +458,28 @@ init_migration_states "omnipresent" "rumoured"
|
||||
key_set "KEY1" "LEGACY" "no"
|
||||
key_set "KEY2" "LEGACY" "no"
|
||||
set_keylifetime "KEY1" "${Lksk}"
|
||||
set_keymaxttl "KEY1" 7200
|
||||
set_keylifetime "KEY2" "${Lzsk}"
|
||||
set_keymaxttl "KEY2" 7200
|
||||
|
||||
# Various signing policy checks.
|
||||
check_keys
|
||||
wait_for_done_signing
|
||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
|
||||
# Set expected key times:
|
||||
rollover_predecessor_keytimes 0
|
||||
# Policy parameters.
|
||||
# The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety.
|
||||
# TTLsig: Variable
|
||||
IretZSK=$(key_get KEY2 MAX_TTL)
|
||||
# Dprp: 5m (300 seconds)
|
||||
IretZSK=$((IretZSK+300))
|
||||
# Dsgn: 9d (777600 seconds)
|
||||
IretZSK=$((IretZSK+777600))
|
||||
# retire-safety: 1h (3600 seconds)
|
||||
IretZSK=$((IretZSK+3600))
|
||||
|
||||
# - Key now has lifetime of 60 days (5184000 seconds).
|
||||
# The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety.
|
||||
# TTLsig: 5m (300 seconds)
|
||||
# Dprp: 5m (300 seconds)
|
||||
# Dsgn: 9d (777600 seconds)
|
||||
# retire-safety: 1h (3600 seconds)
|
||||
# IretZSK: 9d70m (781800 seconds)
|
||||
# Set expected key times.
|
||||
rollover_predecessor_keytimes 0
|
||||
active=$(key_get KEY2 ACTIVE)
|
||||
set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}"
|
||||
retired=$(key_get KEY2 RETIRED)
|
||||
@@ -506,6 +511,7 @@ key_clear "KEY1"
|
||||
key_set "KEY1" "LEGACY" "no"
|
||||
set_keyrole "KEY1" "csk"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keymaxttl "KEY1" "7200"
|
||||
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "yes"
|
||||
@@ -557,6 +563,7 @@ key_set "KEY1" "LEGACY" "no"
|
||||
set_keyrole "KEY1" "csk"
|
||||
key_set "KEY1" "FLAGS" "256"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keymaxttl "KEY1" "7200"
|
||||
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "yes"
|
||||
@@ -602,21 +609,27 @@ status=$((status+ret))
|
||||
set_zone "migrate-nomatch-algnum.kasp"
|
||||
set_policy "migrate-nomatch-algnum" "4" "300"
|
||||
set_server "ns3" "10.53.0.3"
|
||||
Lksk=0
|
||||
Lzsk=5184000
|
||||
# The legacy keys need to be retired, but otherwise stay present until the
|
||||
# new keys are omnipresent, and can be used to construct a chain of trust.
|
||||
init_migration_keys "8" "RSASHA256" "2048" "2048"
|
||||
init_migration_states "hidden" "omnipresent"
|
||||
key_set "KEY1" "LEGACY" "no"
|
||||
key_set "KEY2" "LEGACY" "no"
|
||||
set_keymaxttl "KEY1" "300"
|
||||
set_keymaxttl "KEY2" "300"
|
||||
|
||||
set_keyrole "KEY3" "ksk"
|
||||
set_keylifetime "KEY3" "0"
|
||||
set_keylifetime "KEY3" "${Lksk}"
|
||||
set_keymaxttl "KEY3" "300"
|
||||
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY3" "yes"
|
||||
set_zonesigning "KEY3" "no"
|
||||
|
||||
set_keyrole "KEY4" "zsk"
|
||||
set_keylifetime "KEY4" "5184000"
|
||||
set_keylifetime "KEY4" "${Lzsk}"
|
||||
set_keymaxttl "KEY4" "300"
|
||||
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
|
||||
set_keysigning "KEY4" "no"
|
||||
set_zonesigning "KEY4" "yes"
|
||||
@@ -659,15 +672,6 @@ set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
|
||||
# - ZSK must be retired since it no longer matches the policy.
|
||||
# P: now-3900s
|
||||
# A: now-12h
|
||||
# - The key is removed after the retire interval:
|
||||
# IretZSK = TTLsig + Dprp + Dsgn + retire-safety.
|
||||
# TTLsig: 11h (39600 seconds)
|
||||
# Dprp: 1h (3600 seconds)
|
||||
# Dsgn: 9d (777600 seconds)
|
||||
# retire-safety: 1h (3600 seconds)
|
||||
# IretZSK: 9d13h (824400 seconds)
|
||||
IretZSK=824400
|
||||
Lzsk=5184000
|
||||
created=$(key_get KEY2 CREATED)
|
||||
set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
|
||||
set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
|
||||
@@ -675,17 +679,28 @@ keyfile=$(key_get KEY2 BASEFILE)
|
||||
grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
|
||||
retired=$(awk '{print $3}' < retired.test${n}.zsk)
|
||||
set_keytime "KEY2" "RETIRED" "${retired}"
|
||||
# - The key is removed after the retire interval:
|
||||
# IretZSK = TTLsig + Dprp + Dsgn + retire-safety.
|
||||
# TTLsig: Variable
|
||||
IretZSK=$(key_get KEY2 MAX_TTL)
|
||||
# Dprp: 1h (3600 seconds)
|
||||
IretZSK=$((IretZSK+3600))
|
||||
# Dsgn: 9d (777600 seconds)
|
||||
IretZSK=$((IretZSK+777600))
|
||||
# retire-safety: 1h (3600 seconds)
|
||||
IretZSK=$((IretZSK+3600))
|
||||
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
|
||||
# - The new KSK is immediately published and activated.
|
||||
created=$(key_get KEY3 CREATED)
|
||||
set_keytime "KEY3" "PUBLISHED" "${created}"
|
||||
set_keytime "KEY3" "ACTIVE" "${created}"
|
||||
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
|
||||
# TTLsig: 11h (39600 seconds)
|
||||
# TTLsig: Variable
|
||||
Ipub=$(key_get KEY3 MAX_TTL)
|
||||
# Dprp: 1h (3600 seconds)
|
||||
Ipub=$((Ipub+3600))
|
||||
# publish-safety: 1h (3600 seconds)
|
||||
# Ipub: 13h (46800 seconds)
|
||||
Ipub=46800
|
||||
Ipub=$((Ipub+3600))
|
||||
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
|
||||
# - The ZSK is immediately published and activated.
|
||||
created=$(key_get KEY4 CREATED)
|
||||
@@ -717,6 +732,8 @@ status=$((status+ret))
|
||||
set_zone "migrate-nomatch-alglen.kasp"
|
||||
set_policy "migrate-nomatch-alglen" "4" "300"
|
||||
set_server "ns3" "10.53.0.3"
|
||||
Lksk=0
|
||||
Lzsk=5184000
|
||||
|
||||
# The legacy keys need to be retired, but otherwise stay present until the
|
||||
# new keys are omnipresent, and can be used to construct a chain of trust.
|
||||
@@ -724,15 +741,19 @@ init_migration_keys "8" "RSASHA256" "2048" "2048"
|
||||
init_migration_states "hidden" "omnipresent"
|
||||
key_set "KEY1" "LEGACY" "no"
|
||||
key_set "KEY2" "LEGACY" "no"
|
||||
set_keymaxttl "KEY1" "300"
|
||||
set_keymaxttl "KEY2" "300"
|
||||
|
||||
set_keyrole "KEY3" "ksk"
|
||||
set_keylifetime "KEY3" "0"
|
||||
set_keylifetime "KEY3" "${Lksk}"
|
||||
set_keymaxttl "KEY3" "300"
|
||||
set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
|
||||
set_keysigning "KEY3" "yes"
|
||||
set_zonesigning "KEY3" "no"
|
||||
|
||||
set_keyrole "KEY4" "zsk"
|
||||
set_keylifetime "KEY4" "5184000"
|
||||
set_keylifetime "KEY4" "${Lzsk}"
|
||||
set_keymaxttl "KEY4" "300"
|
||||
set_keyalgorithm "KEY4" "8" "RSASHA256" "3072"
|
||||
set_keysigning "KEY4" "no"
|
||||
# This key is considered to be prepublished, so it is not yet signing.
|
||||
@@ -778,13 +799,14 @@ set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
|
||||
# A: now-12h
|
||||
# - The key is removed after the retire interval:
|
||||
# IretZSK = TTLsig + Dprp + Dsgn + retire-safety.
|
||||
# TTLsig: 11h (39600 seconds)
|
||||
# TTLsig: Variable
|
||||
IretZSK=$(key_get KEY2 MAX_TTL)
|
||||
# Dprp: 1h (3600 seconds)
|
||||
IretZSK=$((IretZSK+3600))
|
||||
# Dsgn: 9d (777600 seconds)
|
||||
IretZSK=$((IretZSK+777600))
|
||||
# publish-safety: 1h (3600 seconds)
|
||||
# IretZSK: 9d13h (824400 seconds)
|
||||
IretZSK=824400
|
||||
Lzsk=5184000
|
||||
IretZSK=$((IretZSK+3600))
|
||||
created=$(key_get KEY2 CREATED)
|
||||
set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
|
||||
set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
|
||||
@@ -798,11 +820,12 @@ created=$(key_get KEY3 CREATED)
|
||||
set_keytime "KEY3" "PUBLISHED" "${created}"
|
||||
set_keytime "KEY3" "ACTIVE" "${created}"
|
||||
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
|
||||
# TTLsig: 11h (39600 seconds)
|
||||
# TTLsig: Variable
|
||||
Ipub=$(key_get KEY3 MAX_TTL)
|
||||
# Dprp: 1h (3600 seconds)
|
||||
Ipub=$((Ipub+3600))
|
||||
# publish-safety: 1h (3600 seconds)
|
||||
# Ipub: 13h (46800 seconds)
|
||||
Ipub=46800
|
||||
Ipub=$((Ipub+3600))
|
||||
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
|
||||
# - The ZSK is immediately published and activated.
|
||||
created=$(key_get KEY4 CREATED)
|
||||
@@ -841,9 +864,14 @@ init_migration_keys "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_B
|
||||
init_migration_states "hidden" "omnipresent"
|
||||
key_set "KEY1" "LEGACY" "no"
|
||||
key_set "KEY2" "LEGACY" "no"
|
||||
set_keymaxttl "KEY1" "300"
|
||||
set_keymaxttl "KEY2" "300"
|
||||
Lksk=0
|
||||
Lzsk=5184000
|
||||
|
||||
set_keyrole "KEY3" "csk"
|
||||
set_keylifetime "KEY3" "0"
|
||||
set_keymaxttl "KEY3" "300"
|
||||
set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
|
||||
set_keysigning "KEY3" "yes"
|
||||
set_zonesigning "KEY3" "no"
|
||||
@@ -886,13 +914,14 @@ set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
|
||||
# A: now-12h
|
||||
# - The key is removed after the retire interval:
|
||||
# IretZSK = TTLsig + Dprp + Dsgn + retire-safety.
|
||||
# TTLsig: 11h (39600 seconds)
|
||||
# TTLsig: Variable
|
||||
IretZSK=$(key_get KEY2 MAX_TTL)
|
||||
# Dprp: 1h (3600 seconds)
|
||||
IretZSK=$((IretZSK+3600))
|
||||
# Dsgn: 9d (777600 seconds)
|
||||
IretZSK=$((IretZSK+777600))
|
||||
# publish-safety: 1h (3600 seconds)
|
||||
# IretZSK: 9d13h (824400 seconds)
|
||||
IretZSK=824400
|
||||
Lzsk=5184000
|
||||
IretZSK=$((IretZSK+3600))
|
||||
created=$(key_get KEY2 CREATED)
|
||||
set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
|
||||
set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
|
||||
@@ -906,11 +935,12 @@ created=$(key_get KEY3 CREATED)
|
||||
set_keytime "KEY3" "PUBLISHED" "${created}"
|
||||
set_keytime "KEY3" "ACTIVE" "${created}"
|
||||
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
|
||||
# TTLsig: 11h (39600 seconds)
|
||||
# TTLsig: Variable
|
||||
Ipub=$(key_get KEY3 MAX_TTL)
|
||||
# Dprp: 1h (3600 seconds)
|
||||
Ipub=$((Ipub+3600))
|
||||
# publish-safety: 1h (3600 seconds)
|
||||
# Ipub: 13h (46800 seconds)
|
||||
Ipub=46800
|
||||
Ipub=$((Ipub+3600))
|
||||
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
|
||||
|
||||
# Continue signing policy checks.
|
||||
@@ -934,15 +964,9 @@ status=$((status+ret))
|
||||
|
||||
# Policy parameters.
|
||||
# KSK has lifetime of 60 days (5184000 seconds).
|
||||
# The KSK is removed after Iret = DprpP + TTLds + retire-safety =
|
||||
# 4h = 14400 seconds.
|
||||
Lksk=5184000
|
||||
IretKSK=14400
|
||||
# ZSK has lifetime of 60 days (5184000 seconds).
|
||||
# The ZSK is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety =
|
||||
# 181h = 651600 seconds.
|
||||
Lzsk=5184000
|
||||
IretZSK=651600
|
||||
|
||||
#
|
||||
# Testing rumoured state.
|
||||
@@ -957,7 +981,18 @@ init_migration_states "omnipresent" "rumoured"
|
||||
key_set "KEY1" "LEGACY" "no"
|
||||
key_set "KEY2" "LEGACY" "no"
|
||||
set_keylifetime "KEY1" "${Lksk}"
|
||||
set_keymaxttl "KEY1" "300"
|
||||
set_keylifetime "KEY2" "${Lzsk}"
|
||||
set_keymaxttl "KEY2" "300"
|
||||
|
||||
# The KSK is removed after Iret = DprpP + TTLds + retire-safety =
|
||||
# 4h = 14400 seconds.
|
||||
IretKSK=14400
|
||||
# The ZSK is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety.
|
||||
IretZSK=$(key_get KEY2 MAX_TTL)
|
||||
IretZSK=$((IretZSK+3600))
|
||||
IretZSK=$((IretZSK+604800)) # Dsgn: 1w
|
||||
IretZSK=$((IretZSK+3600))
|
||||
|
||||
# Various signing policy checks.
|
||||
check_keys
|
||||
@@ -968,7 +1003,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
#
|
||||
# Tds="now-2h" (7200)
|
||||
# Tkey="now-300s" (300)
|
||||
# Tsig="now-11h" (39600)
|
||||
# Tsig="now-300s" (300)
|
||||
created=$(key_get KEY1 CREATED)
|
||||
set_addkeytime "KEY1" "PUBLISHED" "${created}" -300
|
||||
set_addkeytime "KEY1" "ACTIVE" "${created}" -300
|
||||
@@ -976,7 +1011,7 @@ set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -7200
|
||||
set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
|
||||
created=$(key_get KEY2 CREATED)
|
||||
set_addkeytime "KEY2" "PUBLISHED" "${created}" -300
|
||||
set_addkeytime "KEY2" "ACTIVE" "${created}" -39600
|
||||
set_addkeytime "KEY2" "ACTIVE" "${created}" -300
|
||||
set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
|
||||
|
||||
# Continue signing policy checks.
|
||||
@@ -1007,7 +1042,9 @@ init_migration_states "omnipresent" "omnipresent"
|
||||
key_set "KEY1" "LEGACY" "no"
|
||||
key_set "KEY2" "LEGACY" "no"
|
||||
set_keylifetime "KEY1" "${Lksk}"
|
||||
set_keymaxttl "KEY1" "300"
|
||||
set_keylifetime "KEY2" "${Lzsk}"
|
||||
set_keymaxttl "KEY2" "300"
|
||||
|
||||
# Various signing policy checks.
|
||||
check_keys
|
||||
@@ -1018,15 +1055,15 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||
#
|
||||
# Tds="now-3h" (10800)
|
||||
# Tkey="now-3900s" (3900)
|
||||
# Tsig="now-12h" (43200)
|
||||
# Tsig="now-3900s" (3900)
|
||||
created=$(key_get KEY1 CREATED)
|
||||
set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
|
||||
set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
|
||||
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
|
||||
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -10800
|
||||
set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
|
||||
created=$(key_get KEY2 CREATED)
|
||||
set_addkeytime "KEY2" "PUBLISHED" "${created}" -3900
|
||||
set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
|
||||
set_addkeytime "KEY2" "ACTIVE" "${created}" -3900
|
||||
set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
|
||||
|
||||
# Continue signing policy checks.
|
||||
@@ -1053,6 +1090,7 @@ init_view_migration() {
|
||||
key_set "KEY1" "LEGACY" "yes"
|
||||
set_keyrole "KEY1" "ksk"
|
||||
set_keylifetime "KEY1" "0"
|
||||
set_keymaxttl "KEY1" "300"
|
||||
set_keysigning "KEY1" "yes"
|
||||
set_zonesigning "KEY1" "no"
|
||||
|
||||
@@ -1060,6 +1098,7 @@ init_view_migration() {
|
||||
key_set "KEY2" "LEGACY" "yes"
|
||||
set_keyrole "KEY2" "zsk"
|
||||
set_keylifetime "KEY2" "0"
|
||||
set_keymaxttl "KEY2" "300"
|
||||
set_keysigning "KEY2" "no"
|
||||
set_zonesigning "KEY2" "yes"
|
||||
|
||||
@@ -1169,12 +1208,14 @@ init_migration_states "omnipresent" "rumoured"
|
||||
# However, because the keys have a lifetime, kasp will set the retired time.
|
||||
key_set "KEY1" "LEGACY" "no"
|
||||
set_keylifetime "KEY1" "31536000"
|
||||
set_keymaxttl "KEY1" "300"
|
||||
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
|
||||
set_keystate "KEY1" "STATE_DS" "omnipresent"
|
||||
|
||||
key_set "KEY2" "LEGACY" "no"
|
||||
set_keylifetime "KEY2" "8035200"
|
||||
set_keymaxttl "KEY2" "300"
|
||||
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
|
||||
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
|
||||
# The ZSK needs to be replaced.
|
||||
@@ -1182,6 +1223,7 @@ set_keystate "KEY2" "GOAL" "hidden"
|
||||
set_keystate "KEY3" "GOAL" "omnipresent"
|
||||
set_keyrole "KEY3" "zsk"
|
||||
set_keylifetime "KEY3" "8035200"
|
||||
set_keymaxttl "KEY3" "300"
|
||||
set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
|
||||
set_keysigning "KEY3" "no"
|
||||
set_zonesigning "KEY3" "no" # not yet
|
||||
@@ -1216,13 +1258,16 @@ set_keytime "KEY2" "ACTIVE" "${published}"
|
||||
active=$(key_get KEY2 ACTIVE)
|
||||
set_addkeytime "KEY2" "RETIRED" "${active}" "8035200"
|
||||
# Retire interval:
|
||||
# Sign delay: 9d (14-5)
|
||||
# Max zone TTL: 1d
|
||||
# Retire safety: 1h
|
||||
# Zone propagation delay: 300s
|
||||
# Total: 867900 seconds
|
||||
# Max zone TTL: Variable
|
||||
IretZSK=$(key_get KEY2 MAX_TTL)
|
||||
# Sign delay: 9d (14-5) (777600 seconds)
|
||||
IretZSK=$((IretZSK+777600))
|
||||
# Retire safety: 1h (3600 seconds)
|
||||
IretZSK=$((IretZSK+3600))
|
||||
# Zone propagation delay: 300 seconds
|
||||
IretZSK=$((IretZSK+300))
|
||||
retired=$(key_get KEY2 RETIRED)
|
||||
set_addkeytime "KEY2" "REMOVED" "${retired}" "867900"
|
||||
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
|
||||
|
||||
created=$(key_get KEY3 CREATED)
|
||||
set_keytime "KEY3" "PUBLISHED" "${created}"
|
||||
@@ -1236,13 +1281,16 @@ set_addkeytime "KEY3" "ACTIVE" "${created}" "4200"
|
||||
active=$(key_get KEY3 ACTIVE)
|
||||
set_addkeytime "KEY3" "RETIRED" "${active}" "8035200"
|
||||
# Retire interval:
|
||||
# Sign delay: 9d (14-5)
|
||||
# Max zone TTL: 1d
|
||||
# Retire safety: 1h
|
||||
# Zone propagation delay: 300s
|
||||
# Total: 867900 seconds
|
||||
# Max zone TTL: Variable
|
||||
Ipub=$(key_get KEY3 MAX_TTL)
|
||||
# Sign delay: 9d (14-5) (777600 seconds)
|
||||
Ipub=$((Ipub+777600))
|
||||
# Retire safety: 1h (3600 seconds)
|
||||
Ipub=$((Ipub+3600))
|
||||
# Zone propagation delay: 300 seconds
|
||||
Ipub=$((Ipub+300))
|
||||
retired=$(key_get KEY3 RETIRED)
|
||||
set_addkeytime "KEY3" "REMOVED" "${retired}" "867900"
|
||||
set_addkeytime "KEY3" "REMOVED" "${retired}" "${Ipub}"
|
||||
|
||||
# Continue signing policy checks.
|
||||
check_keytimes
|
||||
|
||||
Reference in New Issue
Block a user