9c40cf0566
Add this test scenario for a bug fixed a while ago. When a third key is introduced while the previous rollover hasn't finished yet, the keymgr could decide to remove the first two keys, because it was not checking for an indirect dependency on the keys. In other words, the previous bug behavior was that the first two keys were removed from the zone too soon. This test case checks that all three keys stay in the zone, and no keys are removed premature after another new key has been introduced.
1471 lines
61 KiB
Bash
1471 lines
61 KiB
Bash
#!/bin/sh -e
|
||
|
||
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
|
||
#
|
||
# SPDX-License-Identifier: MPL-2.0
|
||
#
|
||
# This Source Code Form is subject to the terms of the Mozilla Public
|
||
# License, v. 2.0. If a copy of the MPL was not distributed with this
|
||
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
|
||
#
|
||
# See the COPYRIGHT file distributed with this work for additional
|
||
# information regarding copyright ownership.
|
||
|
||
# shellcheck source=conf.sh
|
||
. ../../conf.sh
|
||
|
||
echo_i "ns3/setup.sh"
|
||
|
||
setup() {
|
||
zone="$1"
|
||
echo_i "setting up zone: $zone"
|
||
zonefile="${zone}.db"
|
||
infile="${zone}.db.infile"
|
||
echo "$zone" >> zones
|
||
}
|
||
|
||
# Set in the key state files the Predecessor/Successor fields.
|
||
# Key $1 is the predecessor of key $2.
|
||
key_successor() {
|
||
id1=$(keyfile_to_key_id "$1")
|
||
id2=$(keyfile_to_key_id "$2")
|
||
echo "Predecessor: ${id1}" >> "${2}.state"
|
||
echo "Successor: ${id2}" >> "${1}.state"
|
||
}
|
||
|
||
# Make lines shorter by storing key states in environment variables.
|
||
H="HIDDEN"
|
||
R="RUMOURED"
|
||
O="OMNIPRESENT"
|
||
U="UNRETENTIVE"
|
||
|
||
#
|
||
# Set up zones that will be initially signed.
|
||
#
|
||
for zn in default dnssec-keygen some-keys legacy-keys pregenerated \
|
||
rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \
|
||
dynamic dynamic-inline-signing inline-signing \
|
||
checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
|
||
manual-rollover multisigner-model2
|
||
do
|
||
setup "${zn}.kasp"
|
||
cp template.db.in "$zonefile"
|
||
done
|
||
|
||
#
|
||
# Set up RSASHA1 based zones
|
||
#
|
||
for zn in rsasha1 rsasha1-nsec3
|
||
do
|
||
if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1)
|
||
then
|
||
setup "${zn}.kasp"
|
||
cp template.db.in "$zonefile"
|
||
else
|
||
# don't add to zones.
|
||
echo_i "setting up zone: ${zn}.kasp"
|
||
cp template.db.in "${zn}.kasp.db"
|
||
fi
|
||
done
|
||
|
||
if [ -f ../ed25519-supported.file ]; then
|
||
setup "ed25519.kasp"
|
||
cp template.db.in "$zonefile"
|
||
cat ed25519.conf >> named.conf
|
||
fi
|
||
|
||
if [ -f ../ed448-supported.file ]; then
|
||
setup "ed448.kasp"
|
||
cp template.db.in "$zonefile"
|
||
cat ed448.conf >> named.conf
|
||
fi
|
||
|
||
# Set up zones that stay unsigned.
|
||
for zn in unsigned insecure max-zone-ttl
|
||
do
|
||
zone="${zn}.kasp"
|
||
echo_i "setting up zone: $zone"
|
||
zonefile="${zone}.db"
|
||
infile="${zone}.db.infile"
|
||
cp template.db.in $infile
|
||
cp template.db.in $zonefile
|
||
done
|
||
|
||
# Some of these zones already have keys.
|
||
zone="dnssec-keygen.kasp"
|
||
echo_i "setting up zone: $zone"
|
||
$KEYGEN -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
|
||
|
||
zone="some-keys.kasp"
|
||
echo_i "setting up zone: $zone"
|
||
$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 $zone > keygen.out.$zone.1 2>&1
|
||
$KEYGEN -G -a RSASHA256 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1
|
||
|
||
zone="legacy-keys.kasp"
|
||
echo_i "setting up zone: $zone"
|
||
ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1)
|
||
KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.2)
|
||
echo $ZSK > legacy-keys.kasp.zsk
|
||
echo $KSK > legacy-keys.kasp.ksk
|
||
# Predecessor keys:
|
||
Tact="now-9mo"
|
||
Tret="now-3mo"
|
||
ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.3)
|
||
KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.4)
|
||
$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK" > settime.out.$zone.2 2>&1
|
||
|
||
zone="pregenerated.kasp"
|
||
echo_i "setting up zone: $zone"
|
||
$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
|
||
$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
|
||
|
||
zone="multisigner-model2.kasp"
|
||
echo_i "setting up zone: $zone"
|
||
# Import the ZSK sets of the other providers into their DNSKEY RRset.
|
||
ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.1)
|
||
ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.2)
|
||
# ZSK1 will be added to the unsigned zonefile.
|
||
cat "../${ZSK1}.key" | grep -v ";.*" >> "${zone}.db"
|
||
cat "../${ZSK1}.key" | grep -v ";.*" > "${zone}.zsk1"
|
||
rm -f "../${ZSK1}.*"
|
||
# ZSK2 will be used with a Dynamic Update.
|
||
cat "../${ZSK2}.key" | grep -v ";.*" > "${zone}.zsk2"
|
||
rm -f "../${ZSK2}.*"
|
||
|
||
zone="rumoured.kasp"
|
||
echo_i "setting up zone: $zone"
|
||
Tpub="now"
|
||
Tact="now+1d"
|
||
keytimes="-P ${Tpub} -A ${Tact}"
|
||
KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $keytimes $zone 2> keygen.out.$zone.1)
|
||
ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes $zone 2> keygen.out.$zone.2)
|
||
ZSK2=$($KEYGEN -a RSASHA256 -L 1234 $keytimes $zone 2> keygen.out.$zone.3)
|
||
$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" > settime.out.$zone.2 2>&1
|
||
$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.2 2>&1
|
||
|
||
#
|
||
# Set up zones that are already signed.
|
||
#
|
||
|
||
# Zone to test manual rollover.
|
||
setup manual-rollover.kasp
|
||
T="now-1d"
|
||
ksktimes="-P $T -A $T -P sync $T"
|
||
zsktimes="-P $T -A $T"
|
||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
|
||
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# These signatures are set to expire long in the past, update immediately.
|
||
setup expired-sigs.autosign
|
||
T="now-6mo"
|
||
ksktimes="-P $T -A $T -P sync $T"
|
||
zsktimes="-P $T -A $T"
|
||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
|
||
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# These signatures are still good, and can be reused.
|
||
setup fresh-sigs.autosign
|
||
T="now-6mo"
|
||
ksktimes="-P $T -A $T -P sync $T"
|
||
zsktimes="-P $T -A $T"
|
||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
|
||
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# These signatures are still good, but not fresh enough, update immediately.
|
||
setup unfresh-sigs.autosign
|
||
T="now-6mo"
|
||
ksktimes="-P $T -A $T -P sync $T"
|
||
zsktimes="-P $T -A $T"
|
||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
|
||
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# These signatures are still good, but the private KSK is missing.
|
||
setup ksk-missing.autosign
|
||
T="now-6mo"
|
||
ksktimes="-P $T -A $T -P sync $T"
|
||
zsktimes="-P $T -A $T"
|
||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
|
||
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
echo "KSK: yes" >> "${KSK}".state
|
||
echo "ZSK: no" >> "${KSK}".state
|
||
echo "Lifetime: 63072000" >> "${KSK}".state # PT2Y
|
||
rm -f "${KSK}".private
|
||
|
||
# These signatures are still good, but the private ZSK is missing.
|
||
setup zsk-missing.autosign
|
||
T="now-6mo"
|
||
ksktimes="-P $T -A $T -P sync $T"
|
||
zsktimes="-P $T -A $T"
|
||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
|
||
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
echo "KSK: no" >> "${ZSK}".state
|
||
echo "ZSK: yes" >> "${ZSK}".state
|
||
echo "Lifetime: 31536000" >> "${ZSK}".state # PT1Y
|
||
rm -f "${ZSK}".private
|
||
|
||
# These signatures are already expired, and the private ZSK is retired.
|
||
setup zsk-retired.autosign
|
||
T="now-6mo"
|
||
ksktimes="-P $T -A $T -P sync $T"
|
||
zsktimes="-P $T -A $T -I now"
|
||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
|
||
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
$SETTIME -s -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1
|
||
|
||
#
|
||
# The zones at enable-dnssec.autosign represent the various steps of the
|
||
# initial signing of a zone.
|
||
#
|
||
|
||
# Step 1:
|
||
# This is an unsigned zone and named should perform the initial steps of
|
||
# introducing the DNSSEC records in the right order.
|
||
setup step1.enable-dnssec.autosign
|
||
cp template.db.in $zonefile
|
||
|
||
# Step 2:
|
||
# The DNSKEY has been published long enough to become OMNIPRESENT.
|
||
setup step2.enable-dnssec.autosign
|
||
# DNSKEY TTL: 300 seconds
|
||
# zone-propagation-delay: 5 minutes (300 seconds)
|
||
# publish-safety: 5 minutes (300 seconds)
|
||
# Total: 900 seconds
|
||
TpubN="now-900s"
|
||
# RRSIG TTL: 12 hour (43200 seconds)
|
||
# zone-propagation-delay: 5 minutes (300 seconds)
|
||
# retire-safety: 20 minutes (1200 seconds)
|
||
# Already passed time: -900 seconds
|
||
# Total: 43800 seconds
|
||
TsbmN="now+43800s"
|
||
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
|
||
CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
|
||
$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
|
||
cat template.db.in "${CSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 3:
|
||
# The zone signatures have been published long enough to become OMNIPRESENT.
|
||
setup step3.enable-dnssec.autosign
|
||
# Passed time since publications: 43800 + 900 = 44700 seconds.
|
||
TpubN="now-44700s"
|
||
# The key is secure for using in chain of trust when the DNSKEY is OMNIPRESENT.
|
||
TcotN="now-43800s"
|
||
# We can submit the DS now.
|
||
TsbmN="now"
|
||
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
|
||
CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
|
||
$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
|
||
cat template.db.in "${CSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 4:
|
||
# The DS has been submitted long enough ago to become OMNIPRESENT.
|
||
setup step4.enable-dnssec.autosign
|
||
# DS TTL: 2 hour (7200 seconds)
|
||
# parent-propagation-delay: 1 hour (3600 seconds)
|
||
# retire-safety: 20 minutes (1200 seconds)
|
||
# Total aditional time: 12000 seconds
|
||
# 44700 + 12000 = 56700
|
||
TpubN="now-56700s"
|
||
# 43800 + 12000 = 55800
|
||
TcotN="now-55800s"
|
||
TsbmN="now-12000s"
|
||
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
|
||
CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
|
||
$SETTIME -s -g $O -P ds $TsbmN -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" > settime.out.$zone.1 2>&1
|
||
cat template.db.in "${CSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
setup step4.enable-dnssec.autosign
|
||
|
||
#
|
||
# The zones at zsk-prepub.autosign represent the various steps of a ZSK
|
||
# Pre-Publication rollover.
|
||
#
|
||
|
||
# Step 1:
|
||
# Introduce the first key. This will immediately be active.
|
||
setup step1.zsk-prepub.autosign
|
||
TactN="now"
|
||
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
|
||
zsktimes="-P ${TactN} -A ${TactN}"
|
||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
|
||
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 2:
|
||
# It is time to pre-publish the successor ZSK.
|
||
setup step2.zsk-prepub.autosign
|
||
# According to RFC 7583:
|
||
#
|
||
# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
|
||
# Ipub = Dprp + TTLkey (+publish-safety)
|
||
#
|
||
# |3| |4| |5| |6|
|
||
# | | | |
|
||
# Key N |<-------Lzsk------>|
|
||
# | | | |
|
||
# Key N+1 | |<-Ipub->|<-->|
|
||
# | | | |
|
||
# Key N Tact
|
||
# Key N+1 Tpub Trdy Tact
|
||
#
|
||
# Tnow
|
||
#
|
||
# Lzsk: 30d
|
||
# Dprp: 1h
|
||
# TTLkey: 1h
|
||
# publish-safety: 1d
|
||
# Ipub: 26h
|
||
#
|
||
# Tact(N) = Tnow + Ipub - Lzsk = now + 26h - 30d
|
||
# = now + 26h - 30d = now − 694h
|
||
TactN="now-694h"
|
||
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
|
||
zsktimes="-P ${TactN} -A ${TactN}"
|
||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
|
||
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 3:
|
||
# After the publication interval has passed the DNSKEY of the successor ZSK
|
||
# is OMNIPRESENT and the zone can thus be signed with the successor ZSK.
|
||
setup step3.zsk-prepub.autosign
|
||
# According to RFC 7583:
|
||
#
|
||
# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
|
||
# Tret(N) = Tact(N+1) = Tact(N) + Lzsk
|
||
# Trem(N) = Tret(N) + Iret
|
||
# Iret = Dsgn + Dprp + TTLsig (+retire-safety)
|
||
#
|
||
# |3| |4| |5| |6| |7| |8|
|
||
# | | | | | |
|
||
# Key N |<-------Lzsk------>|<-Iret->|<--->|
|
||
# | | | | | |
|
||
# Key N+1 | |<-Ipub->|<-->|<---Lzsk---- - -
|
||
# | | | | | |
|
||
# Key N Tact Tret Tdea Trem
|
||
# Key N+1 Tpub Trdy Tact
|
||
#
|
||
# Tnow
|
||
#
|
||
# Lzsk: 30d
|
||
# Ipub: 26h
|
||
# Dsgn: 1w
|
||
# Dprp: 1h
|
||
# TTLsig: 1d
|
||
# retire-safety: 2d
|
||
# Iret: 10d1h = 241h
|
||
#
|
||
# Tact(N) = Tnow - Lzsk = now - 30d
|
||
# Tret(N) = now
|
||
# Trem(N) = Tnow + Iret = now + 241h
|
||
# Tpub(N+1) = Tnow - Ipub = now - 26h
|
||
# Tret(N+1) = Tnow + Lzsk = now + 30d
|
||
# Trem(N+1) = Tnow + Lzsk + Iret = now + 30d + 241h
|
||
# = now + 961h
|
||
TactN="now-30d"
|
||
TretN="now"
|
||
TremN="now+241h"
|
||
TpubN1="now-26h"
|
||
TactN1="now"
|
||
TretN1="now+30d"
|
||
TremN1="now+961h"
|
||
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
|
||
zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
|
||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
|
||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
|
||
$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" > settime.out.$zone.3 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $ZSK1 $ZSK2
|
||
# Sign zone.
|
||
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 4:
|
||
# After the retire interval has passed the predecessor DNSKEY can be
|
||
# removed from the zone.
|
||
setup step4.zsk-prepub.autosign
|
||
# According to RFC 7583:
|
||
#
|
||
# Tret(N) = Tact(N) + Lzsk
|
||
# Tdea(N) = Tret(N) + Iret
|
||
#
|
||
# |3| |4| |5| |6| |7| |8|
|
||
# | | | | | |
|
||
# Key N |<-------Lzsk------>|<-Iret->|<--->|
|
||
# | | | | | |
|
||
# Key N+1 | |<-Ipub->|<-->|<---Lzsk---- - -
|
||
# | | | | | |
|
||
# Key N Tact Tret Tdea Trem
|
||
# Key N+1 Tpub Trdy Tact
|
||
#
|
||
# Tnow
|
||
#
|
||
# Lzsk: 30d
|
||
# Ipub: 26h
|
||
# Iret: 241h
|
||
#
|
||
# Tact(N) = Tnow - Iret - Lzsk
|
||
# = now - 241h - 30d = now - 241h - 720h
|
||
# = now - 961h
|
||
# Tret(N) = Tnow - Iret = now - 241h
|
||
# Trem(N) = Tnow
|
||
# Tpub(N+1) = Tnow - Iret - Ipub
|
||
# = now - 241h - 26h
|
||
# = now - 267h
|
||
# Tact(N+1) = Tnow - Iret = Tret(N)
|
||
# Tret(N+1) = Tnow - Iret + Lzsk
|
||
# = now - 241h + 30d = now - 241h + 720h
|
||
# = now + 479h
|
||
# Trem(N+1) = Tnow + Lzsk = now + 30d
|
||
TactN="now-961h"
|
||
TretN="now-241h"
|
||
TremN="now"
|
||
TpubN1="now-267h"
|
||
TactN1="${TretN}"
|
||
TretN1="now+479h"
|
||
TremN1="now+30d"
|
||
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
|
||
zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
|
||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
|
||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $H -k $O $TactN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1
|
||
$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.3 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $ZSK1 $ZSK2
|
||
# Sign zone.
|
||
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 5:
|
||
# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
|
||
setup step5.zsk-prepub.autosign
|
||
# Subtract DNSKEY TTL from all the times (1h).
|
||
# Tact(N) = now - 961h - 1h = now - 962h
|
||
# Tret(N) = now - 241h - 1h = now - 242h
|
||
# Tdea(N) = now - 2d - 1h = now - 49h
|
||
# Trem(N) = now - 1h
|
||
# Tpub(N+1) = now - 267h - 1h = now - 268h
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = now + 479h - 1h = now + 478h
|
||
# Trem(N+1) = now + 30d - 1h = now + 719h
|
||
TactN="now-962h"
|
||
TretN="now-242h"
|
||
TremN="now-1h"
|
||
TdeaN="now-49h"
|
||
TpubN1="now-268h"
|
||
TactN1="${TretN}"
|
||
TretN1="now+478h"
|
||
TremN1="now+719h"
|
||
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
|
||
zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
|
||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
|
||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $H -k $U $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
|
||
$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $ZSK1 $ZSK2
|
||
# Sign zone.
|
||
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 6:
|
||
# The predecessor DNSKEY can be purged.
|
||
setup step6.zsk-prepub.autosign
|
||
# Subtract purge-keys interval from all the times (1h).
|
||
# Tact(N) = now - 962h - 1h = now - 963h
|
||
# Tret(N) = now - 242h - 1h = now - 243h
|
||
# Tdea(N) = now - 49h - 1h = now - 50h
|
||
# Trem(N) = now - 1h - 1h = now - 2h
|
||
# Tpub(N+1) = now - 268h - 1h = now - 269h
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = now + 478h - 1h = now + 477h
|
||
# Trem(N+1) = now + 719h - 1h = now + 718h
|
||
TactN="now-963h"
|
||
TretN="now-243h"
|
||
TremN="now-2h"
|
||
TdeaN="now-50h"
|
||
TpubN1="now-269h"
|
||
TactN1="${TretN}"
|
||
TretN1="now+477h"
|
||
TremN1="now+718h"
|
||
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
|
||
zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
|
||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
|
||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $H -k $H $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
|
||
$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $ZSK1 $ZSK2
|
||
# Sign zone.
|
||
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
#
|
||
# The zones at ksk-doubleksk.autosign represent the various steps of a KSK
|
||
# Double-KSK rollover.
|
||
#
|
||
|
||
# Step 1:
|
||
# Introduce the first key. This will immediately be active.
|
||
setup step1.ksk-doubleksk.autosign
|
||
TactN="now"
|
||
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
|
||
zsktimes="-P ${TactN} -A ${TactN}"
|
||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
|
||
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 2:
|
||
# It is time to submit the introduce the new KSK.
|
||
setup step2.ksk-doubleksk.autosign
|
||
# According to RFC 7583:
|
||
#
|
||
# Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
|
||
# IpubC = DprpC + TTLkey (+publish-safety)
|
||
#
|
||
# |1| |2| |3| |4|
|
||
# | | | |
|
||
# Key N |<-IpubC->|<--->|<-Dreg->|<-----Lksk--- - -
|
||
# | | | |
|
||
# Key N+1 | | | |
|
||
# | | | |
|
||
# Key N Tpub Trdy Tsbm Tact
|
||
# Key N+1
|
||
#
|
||
# (continued ...)
|
||
#
|
||
# |5| |6| |7| |8| |9| |10|
|
||
# | | | | | |
|
||
# Key N - - --------------Lksk------->|<-Iret->|<----->|
|
||
# | | | | | |
|
||
# Key N+1 |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
|
||
# | | | | | |
|
||
# Key N Tret Tdea Trem
|
||
# Key N+1 Tpub Trdy Tsbm Tact
|
||
#
|
||
# Tnow
|
||
#
|
||
# Lksk: 60d
|
||
# Dreg: 1d
|
||
# DprpC: 1h
|
||
# TTLkey: 2h
|
||
# publish-safety: 1d
|
||
# IpubC: 27h
|
||
#
|
||
# Tact(N) = Tnow - Lksk + Dreg + IpubC = now - 60d + 27h
|
||
# = now - 1440h + 27h = now - 1413h
|
||
TactN="now-1413h"
|
||
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
|
||
zsktimes="-P ${TactN} -A ${TactN}"
|
||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
|
||
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 3:
|
||
# It is time to submit the DS.
|
||
setup step3.ksk-doubleksk.autosign
|
||
# According to RFC 7583:
|
||
#
|
||
# Tsbm(N+1) >= Trdy(N+1)
|
||
# Tact(N+1) = Tsbm(N+1) + Dreg
|
||
# Iret = DprpP + TTLds (+retire-safety)
|
||
#
|
||
# |5| |6| |7| |8| |9| |10|
|
||
# | | | | | |
|
||
# Key N - - --------------Lksk------->|<-Iret->|<----->|
|
||
# | | | | | |
|
||
# Key N+1 |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
|
||
# | | | | | |
|
||
# Key N Tret Tdea Trem
|
||
# Key N+1 Tpub Trdy Tsbm Tact
|
||
#
|
||
# Tnow
|
||
#
|
||
# Lksk: 60d
|
||
# Dreg: N/A
|
||
# DprpP: 1h
|
||
# TTLds: 1h
|
||
# retire-safety: 2d
|
||
# Iret: 50h
|
||
# DprpC: 1h
|
||
# TTLkey: 2h
|
||
# publish-safety: 1d
|
||
# IpubC: 27h
|
||
#
|
||
# Tact(N) = Tnow + Lksk = now - 60d = now - 60d
|
||
# Tret(N) = now
|
||
# Trem(N) = Tnow + Iret = now + 50h
|
||
# Tpub(N+1) = Tnow - IpubC = now - 27h
|
||
# Tsbm(N+1) = now
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = Tnow + Lksk = now + 60d
|
||
# Trem(N+1) = Tnow + Lksk + Iret = now + 60d + 50h
|
||
# = now + 1440h + 50h = 1490h
|
||
TactN="now-60d"
|
||
TretN="now"
|
||
TremN="now+50h"
|
||
TpubN1="now-27h"
|
||
TsbmN1="now"
|
||
TactN1="${TretN}"
|
||
TretN1="now+60d"
|
||
TremN1="now+1490h"
|
||
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
|
||
zsktimes="-P ${TactN} -A ${TactN}"
|
||
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
|
||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
|
||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1
|
||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $KSK1 $KSK2
|
||
# Sign zone.
|
||
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 4:
|
||
# The DS should be swapped now.
|
||
setup step4.ksk-doubleksk.autosign
|
||
# According to RFC 7583:
|
||
#
|
||
# Tret(N) = Tsbm(N+1)
|
||
# Tdea(N) = Tret(N) + Iret
|
||
# Tact(N+1) = Tret(N)
|
||
#
|
||
# |5| |6| |7| |8| |9| |10|
|
||
# | | | | | |
|
||
# Key N - - --------------Lksk------->|<-Iret->|<----->|
|
||
# | | | | | |
|
||
# Key N+1 |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
|
||
# | | | | | |
|
||
# Key N Tret Tdea Trem
|
||
# Key N+1 Tpub Trdy Tsbm Tact
|
||
#
|
||
# Tnow
|
||
#
|
||
# Lksk: 60d
|
||
# Dreg: N/A
|
||
# Iret: 50h
|
||
#
|
||
# Tact(N) = Tnow - Lksk - Iret = now - 60d - 50h
|
||
# = now - 1440h - 50h = now - 1490h
|
||
# Tret(N) = Tnow - Iret = now - 50h
|
||
# Trem(N) = Tnow
|
||
# Tpub(N+1) = Tnow - Iret - IpubC = now - 50h - 27h
|
||
# = now - 77h
|
||
# Tsbm(N+1) = Tnow - Iret = now - 50h
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = Tnow + Lksk - Iret = now + 60d - 50h = now + 1390h
|
||
# Trem(N+1) = Tnow + Lksk = now + 60d
|
||
TactN="now-1490h"
|
||
TretN="now-50h"
|
||
TremN="now"
|
||
TpubN1="now-77h"
|
||
TsbmN1="now-50h"
|
||
TactN1="${TretN}"
|
||
TretN1="now+1390h"
|
||
TremN1="now+60d"
|
||
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
|
||
zsktimes="-P ${TactN} -A ${TactN}"
|
||
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
|
||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
|
||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" > settime.out.$zone.2 2>&1
|
||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $KSK1 $KSK2
|
||
# Sign zone.
|
||
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 5:
|
||
# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
|
||
setup step5.ksk-doubleksk.autosign
|
||
# Subtract DNSKEY TTL from all the times (2h).
|
||
# Tact(N) = now - 1490h - 2h = now - 1492h
|
||
# Tret(N) = now - 50h - 2h = now - 52h
|
||
# Trem(N) = now - 2h
|
||
# Tpub(N+1) = now - 77h - 2h = now - 79h
|
||
# Tsbm(N+1) = now - 50h - 2h = now - 52h
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = now + 1390h - 2h = now + 1388h
|
||
# Trem(N+1) = now + 60d - 2h = now + 1442h
|
||
TactN="now-1492h"
|
||
TretN="now-52h"
|
||
TremN="now-2h"
|
||
TpubN1="now-79h"
|
||
TsbmN1="now-52h"
|
||
TactN1="${TretN}"
|
||
TretN1="now+1388h"
|
||
TremN1="now+1442h"
|
||
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
|
||
zsktimes="-P ${TactN} -A ${TactN}"
|
||
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
|
||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
|
||
$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1
|
||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $KSK1 $KSK2
|
||
# Sign zone.
|
||
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 6:
|
||
# The predecessor DNSKEY can be purged.
|
||
setup step6.ksk-doubleksk.autosign
|
||
# Subtract purge-keys interval from all the times (1h).
|
||
# Tact(N) = now - 1492h - 1h = now - 1493h
|
||
# Tret(N) = now - 52h - 1h = now - 53h
|
||
# Trem(N) = now - 2h - 1h = now - 3h
|
||
# Tpub(N+1) = now - 79h - 1h = now - 80h
|
||
# Tsbm(N+1) = now - 52h - 1h = now - 53h
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = now + 1388h - 1h = now + 1387h
|
||
# Trem(N+1) = now + 1442h - 1h = now + 1441h
|
||
TactN="now-1493h"
|
||
TretN="now-53h"
|
||
TremN="now-3h"
|
||
TpubN1="now-80h"
|
||
TsbmN1="now-53h"
|
||
TactN1="${TretN}"
|
||
TretN1="now+1387h"
|
||
TremN1="now+1441h"
|
||
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
|
||
zsktimes="-P ${TactN} -A ${TactN}"
|
||
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
|
||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
|
||
$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1
|
||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $KSK1 $KSK2
|
||
# Sign zone.
|
||
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
#
|
||
# The zones at csk-roll.autosign represent the various steps of a CSK rollover
|
||
# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
|
||
#
|
||
|
||
# Step 1:
|
||
# Introduce the first key. This will immediately be active.
|
||
setup step1.csk-roll.autosign
|
||
TactN="now"
|
||
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
|
||
CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
|
||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
|
||
cat template.db.in "${CSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 2:
|
||
# It is time to introduce the new CSK.
|
||
setup step2.csk-roll.autosign
|
||
# According to RFC 7583:
|
||
# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
|
||
# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
|
||
# IpubC = DprpC + TTLkey (+publish-safety)
|
||
# Ipub = IpubC
|
||
# Lcsk = Lksk = Lzsk
|
||
#
|
||
# Lcsk: 6mo (186d, 4464h)
|
||
# Dreg: N/A
|
||
# DprpC: 1h
|
||
# TTLkey: 1h
|
||
# publish-safety: 1h
|
||
# Ipub: 3h
|
||
#
|
||
# Tact(N) = Tnow - Lcsk + Ipub = now - 186d + 3h
|
||
# = now - 4464h + 3h = now - 4461h
|
||
TactN="now-4461h"
|
||
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
|
||
CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
|
||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
|
||
cat template.db.in "${CSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 3:
|
||
# It is time to submit the DS and to roll signatures.
|
||
setup step3.csk-roll.autosign
|
||
# According to RFC 7583:
|
||
#
|
||
# Tsbm(N+1) >= Trdy(N+1)
|
||
# KSK: Tact(N+1) = Tsbm(N+1)
|
||
# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
|
||
# KSK: Iret = DprpP + TTLds (+retire-safety)
|
||
# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
|
||
#
|
||
# Lcsk: 186d
|
||
# Dprp: 1h
|
||
# DprpP: 1h
|
||
# Dreg: N/A
|
||
# Dsgn: 25d
|
||
# TTLds: 1h
|
||
# TTLsig: 1d
|
||
# retire-safety: 2h
|
||
# Iret: 4h
|
||
# IretZ: 26d3h
|
||
# Ipub: 3h
|
||
#
|
||
# Tact(N) = Tnow - Lcsk = now - 186d
|
||
# Tret(N) = now
|
||
# Trem(N) = Tnow + IretZ = now + 26d3h = now + 627h
|
||
# Tpub(N+1) = Tnow - Ipub = now - 3h
|
||
# Tsbm(N+1) = Tret(N)
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = Tnow + Lcsk = now + 186d = now + 186d
|
||
# Trem(N+1) = Tnow + Lcsk + IretZ = now + 186d + 26d3h =
|
||
# = now + 5091h
|
||
TactN="now-186d"
|
||
TretN="now"
|
||
TremN="now+627h"
|
||
TpubN1="now-3h"
|
||
TsbmN1="now"
|
||
TactN1="${TretN}"
|
||
TretN1="now+186d"
|
||
TremN1="now+5091h"
|
||
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
|
||
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $CSK1 $CSK2
|
||
# Sign zone.
|
||
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 4:
|
||
# Some time later all the ZRRSIG records should be from the new CSK, and the
|
||
# DS should be swapped. The ZRRSIG records are all replaced after IretZ
|
||
# (which is 26d3h). The DS is swapped after Iret (which is 4h).
|
||
# In other words, the DS is swapped before all zone signatures are replaced.
|
||
setup step4.csk-roll.autosign
|
||
# According to RFC 7583:
|
||
# Trem(N) = Tret(N) - Iret + IretZ
|
||
# Tnow = Tsbm(N+1) + Iret
|
||
#
|
||
# Lcsk: 186d
|
||
# Iret: 4h
|
||
# IretZ: 26d3h
|
||
#
|
||
# Tact(N) = Tnow - Iret - Lcsk = now - 4h - 186d = now - 4468h
|
||
# Tret(N) = Tnow - Iret = now - 4h = now - 4h
|
||
# Trem(N) = Tnow - Iret + IretZ = now - 4h + 26d3h
|
||
# = now + 623h
|
||
# Tpub(N+1) = Tnow - Iret - IpubC = now - 4h - 3h = now - 7h
|
||
# Tsbm(N+1) = Tret(N)
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = Tnow - Iret + Lcsk = now - 4h + 186d = now + 4460h
|
||
# Trem(N+1) = Tnow - Iret + Lcsk + IretZ = now - 4h + 186d + 26d3h
|
||
# = now + 5087h
|
||
TactN="now-4468h"
|
||
TretN="now-4h"
|
||
TremN="now+623h"
|
||
TpubN1="now-7h"
|
||
TsbmN1="${TretN}"
|
||
TactN1="${TretN}"
|
||
TretN1="now+4460h"
|
||
TremN1="now+5087h"
|
||
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
|
||
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $CSK1 $CSK2
|
||
# Sign zone.
|
||
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 5:
|
||
# After the DS is swapped in step 4, also the KRRSIG records can be removed.
|
||
# At this time these have all become hidden.
|
||
setup step5.csk-roll.autosign
|
||
# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
|
||
# Tact(N) = now - 4468h - 2h = now - 4470h
|
||
# Tret(N) = now - 4h - 2h = now - 6h
|
||
# Trem(N) = now + 623h - 2h = now + 621h
|
||
# Tpub(N+1) = now - 7h - 2h = now - 9h
|
||
# Tsbm(N+1) = Tret(N)
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = now + 4460h - 2h = now + 4458h
|
||
# Trem(N+1) = now + 5087h - 2h = now + 5085h
|
||
TactN="now-4470h"
|
||
TretN="now-6h"
|
||
TremN="now+621h"
|
||
TpubN1="now-9h"
|
||
TsbmN1="${TretN}"
|
||
TactN1="${TretN}"
|
||
TretN1="now+4458h"
|
||
TremN1="now+5085h"
|
||
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
|
||
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $CSK1 $CSK2
|
||
# Sign zone.
|
||
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 6:
|
||
# After the retire interval has passed the predecessor DNSKEY can be
|
||
# removed from the zone.
|
||
setup step6.csk-roll.autosign
|
||
# According to RFC 7583:
|
||
# Trem(N) = Tret(N) + IretZ
|
||
# Tret(N) = Tact(N) + Lcsk
|
||
#
|
||
# Lcsk: 186d
|
||
# Iret: 4h
|
||
# IretZ: 26d3h
|
||
#
|
||
# Tact(N) = Tnow - IretZ - Lcsk = now - 627h - 186d
|
||
# = now - 627h - 4464h = now - 5091h
|
||
# Tret(N) = Tnow - IretZ = now - 627h
|
||
# Trem(N) = Tnow
|
||
# Tpub(N+1) = Tnow - IretZ - Ipub = now - 627h - 3h = now - 630h
|
||
# Tsbm(N+1) = Tret(N)
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = Tnow - IretZ + Lcsk = now - 627h + 186d = now + 3837h
|
||
# Trem(N+1) = Tnow + Lcsk = now + 186d
|
||
TactN="now-5091h"
|
||
TretN="now-627h"
|
||
TremN="now"
|
||
TpubN1="now-630h"
|
||
TsbmN1="${TretN}"
|
||
TactN1="${TretN}"
|
||
TretN1="now+3837h"
|
||
TremN1="now+186d"
|
||
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
|
||
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $CSK1 $CSK2
|
||
# Sign zone.
|
||
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 7:
|
||
# Some time later the predecessor DNSKEY enters the HIDDEN state.
|
||
setup step7.csk-roll.autosign
|
||
# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
|
||
# Tact(N) = now - 5091h - 2h = now - 5093h
|
||
# Tret(N) = now - 627h - 2h = now - 629h
|
||
# Trem(N) = now - 2h
|
||
# Tpub(N+1) = now - 630h - 2h = now - 632h
|
||
# Tsbm(N+1) = Tret(N)
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = now + 3837h - 2h = now + 3835h
|
||
# Trem(N+1) = now + 186d - 2h = now + 4462h
|
||
TactN="now-5093h"
|
||
TretN="now-629h"
|
||
TremN="now-2h"
|
||
TpubN1="now-632h"
|
||
TsbmN1="${TretN}"
|
||
TactN1="${TretN}"
|
||
TretN1="now+3835h"
|
||
TremN1="now+4462h"
|
||
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
|
||
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $CSK1 $CSK2
|
||
# Sign zone.
|
||
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 8:
|
||
# The predecessor DNSKEY can be purged.
|
||
setup step8.csk-roll.autosign
|
||
# Subtract purge-keys interval from all the times (1h).
|
||
# Tact(N) = now - 5093h - 1h = now - 5094h
|
||
# Tret(N) = now - 629h - 1h = now - 630h
|
||
# Trem(N) = now - 2h - 1h = now - 3h
|
||
# Tpub(N+1) = now - 632h - 1h = now - 633h
|
||
# Tsbm(N+1) = Tret(N)
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = now + 3835h - 1h = now + 3834h
|
||
# Trem(N+1) = now + 4462h - 1h = now + 4461h
|
||
TactN="now-5094h"
|
||
TretN="now-630h"
|
||
TremN="now-3h"
|
||
TpubN1="now-633h"
|
||
TsbmN1="${TretN}"
|
||
TactN1="${TretN}"
|
||
TretN1="now+3834h"
|
||
TremN1="now+4461h"
|
||
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
|
||
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $CSK1 $CSK2
|
||
# Sign zone.
|
||
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
#
|
||
# The zones at csk-roll2.autosign represent the various steps of a CSK rollover
|
||
# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
|
||
# This scenario differs from the above one because the zone signatures (ZRRSIG)
|
||
# are replaced with the new key sooner than the DS is swapped.
|
||
#
|
||
|
||
# Step 1:
|
||
# Introduce the first key. This will immediately be active.
|
||
setup step1.csk-roll2.autosign
|
||
TactN="now"
|
||
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
|
||
CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
|
||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
|
||
cat template.db.in "${CSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 2:
|
||
# It is time to introduce the new CSK.
|
||
setup step2.csk-roll2.autosign
|
||
# According to RFC 7583:
|
||
# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
|
||
# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
|
||
# IpubC = DprpC + TTLkey (+publish-safety)
|
||
# Ipub = IpubC
|
||
# Lcsk = Lksk = Lzsk
|
||
#
|
||
# Lcsk: 6mo (186d, 4464h)
|
||
# Dreg: N/A
|
||
# DprpC: 1h
|
||
# TTLkey: 1h
|
||
# publish-safety: 1h
|
||
# Ipub: 3h
|
||
#
|
||
# Tact(N) = Tnow - Lcsk + Ipub = now - 186d + 3h
|
||
# = now - 4464h + 3h = now - 4461h
|
||
TactN="now-4461h"
|
||
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
|
||
CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
|
||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
|
||
cat template.db.in "${CSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 3:
|
||
# It is time to submit the DS and to roll signatures.
|
||
setup step3.csk-roll2.autosign
|
||
# According to RFC 7583:
|
||
#
|
||
# Tsbm(N+1) >= Trdy(N+1)
|
||
# KSK: Tact(N+1) = Tsbm(N+1)
|
||
# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
|
||
# KSK: Iret = DprpP + TTLds (+retire-safety)
|
||
# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
|
||
#
|
||
# Lcsk: 186d
|
||
# Dprp: 1h
|
||
# DprpP: 1w
|
||
# Dreg: N/A
|
||
# Dsgn: 12h
|
||
# TTLds: 1h
|
||
# TTLsig: 1d
|
||
# retire-safety: 1h
|
||
# Iret: 170h
|
||
# IretZ: 38h
|
||
# Ipub: 3h
|
||
#
|
||
# Tact(N) = Tnow - Lcsk = now - 186d
|
||
# Tret(N) = now
|
||
# Trem(N) = Tnow + Iret = now + 170h
|
||
# Tpub(N+1) = Tnow - Ipub = now - 3h
|
||
# Tsbm(N+1) = Tret(N)
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = Tnow + Lcsk = now + 186d
|
||
# Trem(N+1) = Tnow + Lcsk + Iret = now + 186d + 170h =
|
||
# = now + 4464h + 170h = now + 4634h
|
||
TactN="now-186d"
|
||
TretN="now"
|
||
TremN="now+170h"
|
||
TpubN1="now-3h"
|
||
TsbmN1="${TretN}"
|
||
TactN1="${TretN}"
|
||
TretN1="now+186d"
|
||
TremN1="now+4634h"
|
||
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
|
||
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $CSK1 $CSK2
|
||
# Sign zone.
|
||
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 4:
|
||
# Some time later all the ZRRSIG records should be from the new CSK, and the
|
||
# DS should be swapped. The ZRRSIG records are all replaced after IretZ (38h).
|
||
# The DS is swapped after Dreg + Iret (1w3h). In other words, the zone
|
||
# signatures are replaced before the DS is swapped.
|
||
setup step4.csk-roll2.autosign
|
||
# According to RFC 7583:
|
||
# Trem(N) = Tret(N) + IretZ
|
||
#
|
||
# Lcsk: 186d
|
||
# Dreg: N/A
|
||
# Iret: 170h
|
||
# IretZ: 38h
|
||
#
|
||
# Tact(N) = Tnow - IretZ = Lcsk = now - 38h - 186d
|
||
# = now - 38h - 4464h = now - 4502h
|
||
# Tret(N) = Tnow - IretZ = now - 38h
|
||
# Trem(N) = Tnow - IretZ + Iret = now - 38h + 170h = now + 132h
|
||
# Tpub(N+1) = Tnow - IretZ - IpubC = now - 38h - 3h = now - 41h
|
||
# Tsbm(N+1) = Tret(N)
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = Tnow - IretZ + Lcsk = now - 38h + 186d
|
||
# = now + 4426h
|
||
# Trem(N+1) = Tnow - IretZ + Lcsk + Iret
|
||
# = now + 4426h + 3h = now + 4429h
|
||
TactN="now-4502h"
|
||
TretN="now-38h"
|
||
TremN="now+132h"
|
||
TpubN1="now-41h"
|
||
TsbmN1="${TretN}"
|
||
TactN1="${TretN}"
|
||
TretN1="now+4426h"
|
||
TremN1="now+4429h"
|
||
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
|
||
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $R $TactN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $CSK1 $CSK2
|
||
# Sign zone.
|
||
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 5:
|
||
# Some time later the DS can be swapped and the old DNSKEY can be removed from
|
||
# the zone.
|
||
setup step5.csk-roll2.autosign
|
||
# Subtract Iret (170h) - IretZ (38h) = 132h.
|
||
#
|
||
# Tact(N) = now - 4502h - 132h = now - 4634h
|
||
# Tret(N) = now - 38h - 132h = now - 170h
|
||
# Trem(N) = now + 132h - 132h = now
|
||
# Tpub(N+1) = now - 41h - 132h = now - 173h
|
||
# Tsbm(N+1) = Tret(N)
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = now + 4426h - 132h = now + 4294h
|
||
# Trem(N+1) = now + 4492h - 132h = now + 4360h
|
||
TactN="now-4634h"
|
||
TretN="now-170h"
|
||
TremN="now"
|
||
TpubN1="now-173h"
|
||
TsbmN1="${TretN}"
|
||
TactN1="${TretN}"
|
||
TretN1="now+4294h"
|
||
TremN1="now+4360h"
|
||
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
|
||
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $O now-133h -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $CSK1 $CSK2
|
||
# Sign zone.
|
||
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 6:
|
||
# Some time later the predecessor DNSKEY enters the HIDDEN state.
|
||
setup step6.csk-roll2.autosign
|
||
# Subtract DNSKEY TTL plus zone propagation delay (2h).
|
||
#
|
||
# Tact(N) = now - 4634h - 2h = now - 4636h
|
||
# Tret(N) = now - 170h - 2h = now - 172h
|
||
# Trem(N) = now - 2h
|
||
# Tpub(N+1) = now - 173h - 2h = now - 175h
|
||
# Tsbm(N+1) = Tret(N)
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = now + 4294h - 2h = now + 4292h
|
||
# Trem(N+1) = now + 4360h - 2h = now + 4358h
|
||
TactN="now-4636h"
|
||
TretN="now-172h"
|
||
TremN="now-2h"
|
||
TpubN1="now-175h"
|
||
TsbmN1="${TretN}"
|
||
TactN1="${TretN}"
|
||
TretN1="now+4292h"
|
||
TremN1="now+4358h"
|
||
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
|
||
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $CSK1 $CSK2
|
||
# Sign zone.
|
||
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Step 7:
|
||
# The predecessor DNSKEY can be purged, but purge-keys is disabled.
|
||
setup step7.csk-roll2.autosign
|
||
# Subtract 90 days (default, 2160h) from all the times.
|
||
# Tact(N) = now - 4636h - 2160h = now - 6796h
|
||
# Tret(N) = now - 172h - 2160h = now - 2332h
|
||
# Trem(N) = now - 2h - 2160h = now - 2162h
|
||
# Tpub(N+1) = now - 175h - 2160h = now - 2335h
|
||
# Tsbm(N+1) = Tret(N)
|
||
# Tact(N+1) = Tret(N)
|
||
# Tret(N+1) = now + 4294h - 2160h = now + 2134h
|
||
# Trem(N+1) = now + 4360h - 2160h = now + 2200h
|
||
TactN="now-6796h"
|
||
TretN="now-2332h"
|
||
TremN="now-2162h"
|
||
TpubN1="now-2335h"
|
||
TsbmN1="${TretN}"
|
||
TactN1="${TretN}"
|
||
TretN1="now+2134h"
|
||
TremN1="now+2200h"
|
||
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
|
||
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
|
||
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $CSK1 $CSK2
|
||
# Sign zone.
|
||
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|
||
|
||
# Test #2375, the "three is a crowd" bug, where a new key is introduced but the
|
||
# previous rollover has not finished yet. In other words, we have a key KEY2
|
||
# that is the successor of key KEY1, and we introduce a new key KEY3 that is
|
||
# the successor of key KEY2:
|
||
#
|
||
# KEY1 < KEY2 < KEY3.
|
||
#
|
||
# The expected behavior is that all three keys remain in the zone, and not
|
||
# the bug behavior where KEY2 is removed and immediately replaced with KEY3.
|
||
#
|
||
# Set up a zone that has a KSK (KEY1) and have the successor key (KEY2)
|
||
# published as well.
|
||
setup three-is-a-crowd.kasp
|
||
# These times are the same as step3.ksk-doubleksk.autosign.
|
||
TactN="now-60d"
|
||
TretN="now"
|
||
TremN="now+50h"
|
||
TpubN1="now-27h"
|
||
TsbmN1="now"
|
||
TactN1="${TretN}"
|
||
TretN1="now+60d"
|
||
TremN1="now+1490h"
|
||
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
|
||
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
|
||
zsktimes="-P ${TactN} -A ${TactN}"
|
||
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
|
||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
|
||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
|
||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
|
||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1
|
||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
|
||
# Set key rollover relationship.
|
||
key_successor $KSK1 $KSK2
|
||
# Sign zone.
|
||
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
|
||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
|
||
cp $infile $zonefile
|
||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
|