These two configuration options worked in conjunction with 'auto-dnssec' to determine KSK usage, and are therefore now obsolete. However, in the code we keep KSK processing so that when a zone is reconfigured directly from 'dnssec-policy' to 'none' (without going through 'insecure'), the zone is not immediately made bogus. Add one more test case for going straight to 'none', this time with a dynamic zone (no inline-signing).
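#!/bin/sh -e

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Zone and key setup for ns6 of the kasp system test.  It builds the
# going-insecure, going-straight-to-none, algorithm-roll, csk-algorithm-roll
# and reload-test zones, with key files and key-state files pre-dated so
# that each zone starts the test at a specific step of its rollover.
#
# The "-e" in the shebang only takes effect when the script is executed
# directly; it is lost when an interpreter is named explicitly
# ("sh setup.sh").  Set it here too, so that a failing dnssec-keygen,
# dnssec-settime or dnssec-signzone aborts setup instead of leaving a
# half-built zone behind for the tests to misdiagnose.
set -e

# shellcheck source=conf.sh
. ../../conf.sh

echo_i "ns6/setup.sh"
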
#######################################
# Select the zone that the statements following the call operate on.
# Globals:   zone, zonefile, infile (written)
# Arguments: $1 - zone name
# Outputs:   one progress line via echo_i
#######################################
setup() {
  zone=$1
  echo_i "setting up zone: ${zone}"
  infile="${zone}.db.infile"
  zonefile="${zone}.db"
}

# Key state names, abbreviated so the dnssec-settime invocations below stay
# readable.
H=HIDDEN
R=RUMOURED
O=OMNIPRESENT
U=UNRETENTIVE

# The child zones (step1, step2) beneath these zones represent the various
# steps of unsigning a zone; the "-dynamic" parent runs the same steps for a
# dynamic zone.
#
# dnssec-settime options used below: -g goal state, -k DNSKEY state,
# -r KRRSIG state, -z ZRRSIG state, -d DS state, each state followed by the
# time it was reached; "-D ds" sets the DS delete time.
for zn in going-insecure.kasp going-insecure-dynamic.kasp; do
  # Both steps start from keys that were introduced 10 days ago.
  T="now-10d"
  ksktimes="-P ${T} -A ${T} -P sync ${T}"
  zsktimes="-P ${T} -A ${T}"

  # Step 1:
  # A zone with dnssec-policy that is going insecure.  It is still expected
  # to be fully signed, so it is listed in the zones file.
  setup "step1.${zn}"
  printf '%s\n' "${zone}" >> zones
  KSK=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -L 7200 -f KSK ${ksktimes} "${zone}" 2> "keygen.out.${zone}.1")
  ZSK=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -L 7200 ${zsktimes} "${zone}" 2> "keygen.out.${zone}.2")
  {
    cat template.db.in "${KSK}.key" "${ZSK}.key"
    private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${KSK}"
    private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${ZSK}"
  } > "${infile}"
  cp "${infile}" "${zonefile}"
  $SIGNER -S -x -s now-1h -e now+2w -o "${zone}" -O raw -f "${zonefile}.signed" "${infile}" > "signer.out.${zone}.1" 2>&1

  # Step 2:
  # The same zone further along: the DS was withdrawn from the parent zone
  # 26 hours ago.  It is deliberately not added to the zones file, because
  # it is no longer expected to be fully signed.
  setup "step2.${zn}"
  Trem="now-26h"
  KSK=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -L 7200 -f KSK ${ksktimes} "${zone}" 2> "keygen.out.${zone}.1")
  ZSK=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -L 7200 ${zsktimes} "${zone}" 2> "keygen.out.${zone}.2")
  # Goal HIDDEN for both keys; only the KSK's DS has started to go away.
  $SETTIME -s -g "${H}" -k "${O}" "${T}" -r "${O}" "${T}" -d "${U}" "${Trem}" -D ds "${Trem}" "${KSK}" > "settime.out.${zone}.1" 2>&1
  $SETTIME -s -g "${H}" -k "${O}" "${T}" -z "${O}" "${T}" "${ZSK}" > "settime.out.${zone}.2" 2>&1
  # Fake the key lifetimes in the state files.
  printf 'Lifetime: 0\n' >> "${KSK}.state"
  printf 'Lifetime: 5184000\n' >> "${ZSK}.state"
  {
    cat template.db.in "${KSK}.key" "${ZSK}.key"
    private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${KSK}"
    private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${ZSK}"
  } > "${infile}"
  cp "${infile}" "${zonefile}"
  $SIGNER -S -x -s now-1h -e now+2w -o "${zone}" -O raw -f "${zonefile}.signed" "${infile}" > "signer.out.${zone}.1" 2>&1
done

# This zone goes straight from dnssec-policy to the "none" policy, without
# passing through "insecure" first.  This is undefined behavior; named is
# expected to keep processing the KSK so the zone is not immediately made
# bogus.
setup step1.going-straight-to-none.kasp
printf '%s\n' "${zone}" >> zones
TactN="now"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
# A single CSK generated under the "default" policy, with every state
# already OMNIPRESENT.
CSK=$($KEYGEN -k default ${csktimes} "${zone}" 2> "keygen.out.${zone}.1")
$SETTIME -s -g "${O}" -k "${O}" "${TactN}" -z "${O}" "${TactN}" -r "${O}" "${TactN}" -d "${O}" "${TactN}" "${CSK}" > "settime.out.${zone}.1" 2>&1
{
  cat template.db.in "${CSK}.key"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${CSK}"
} > "${infile}"
cp "${infile}" "${zonefile}"
# -z: ignore the KSK flag, so the one CSK signs the whole zone.
$SIGNER -S -z -x -s now-1h -e now+2w -o "${zone}" -O raw -f "${zonefile}.signed" "${infile}" > "signer.out.${zone}.1" 2>&1

# Same scenario as above (dnssec-policy straight to "none", which is
# undefined behavior), but for a dynamic zone without inline-signing.
setup step1.going-straight-to-none-dynamic.kasp
printf '%s\n' "${zone}" >> zones
TactN="now"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
# A single CSK generated under the "default" policy, with every state
# already OMNIPRESENT.
CSK=$($KEYGEN -k default ${csktimes} "${zone}" 2> "keygen.out.${zone}.1")
$SETTIME -s -g "${O}" -k "${O}" "${TactN}" -z "${O}" "${TactN}" -r "${O}" "${TactN}" -d "${O}" "${TactN}" "${CSK}" > "settime.out.${zone}.1" 2>&1
{
  cat template.db.in "${CSK}.key"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${CSK}"
} > "${infile}"
cp "${infile}" "${zonefile}"
# Unlike the inline-signing variant, the signed zone is written in "full"
# text format rather than raw format.
$SIGNER -S -z -x -s now-1h -e now+2w -o "${zone}" -O full -f "${zonefile}.signed" "${infile}" > "signer.out.${zone}.1" 2>&1

#
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
# algorithm rollover, from RSASHA256 (algorithm number 8) to the default
# algorithm.
#
# Every step builds the same pieces: key files pre-dated with dnssec-keygen,
# key states forced with dnssec-settime (-g goal, -k DNSKEY, -r KRRSIG,
# -z ZRRSIG, -d DS, each with the time the state was reached), an input
# zone assembled from the template plus DNSKEY and private-type records,
# and a signed copy produced by dnssec-signzone.
#

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.algorithm-roll.kasp
printf '%s\n' "${zone}" >> zones
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK ${ksktimes} "${zone}" 2> "keygen.out.${zone}.1")
ZSK=$($KEYGEN -a RSASHA256 -L 3600 ${zsktimes} "${zone}" 2> "keygen.out.${zone}.2")
# Everything is already OMNIPRESENT since TactN.
$SETTIME -s -g "${O}" -k "${O}" "${TactN}" -r "${O}" "${TactN}" -d "${O}" "${TactN}" "${KSK}" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g "${O}" -k "${O}" "${TactN}" -z "${O}" "${TactN}" "${ZSK}" > "settime.out.${zone}.2" 2>&1
{
  cat template.db.in "${KSK}.key" "${ZSK}.key"
  private_type_record "${zone}" 8 "${KSK}"
  private_type_record "${zone}" 8 "${ZSK}"
} > "${infile}"
cp "${infile}" "${zonefile}"
$SIGNER -S -x -s now-1h -e now+2w -o "${zone}" -O raw -f "${zonefile}.signed" "${infile}" > "signer.out.${zone}.1" 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =
# now - 3h + 6h + 1h + 1h = now + 5h
TsbmN1="now+5h"
# Old keys (RSASHA256, algorithm 8) are being retired as of now.
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
zsk1times="-P ${TactN} -A ${TactN} -I now"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK ${ksk1times} "${zone}" 2> "keygen.out.${zone}.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 ${zsk1times} "${zone}" 2> "keygen.out.${zone}.2")
# New keys in the default algorithm.
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK2=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -L 3600 -f KSK ${ksk2times} "${zone}" 2> "keygen.out.${zone}.3")
ZSK2=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -L 3600 ${zsk2times} "${zone}" 2> "keygen.out.${zone}.4")
# Old keys: goal HIDDEN, everything still OMNIPRESENT.
$SETTIME -s -g "${H}" -k "${O}" "${TactN}" -r "${O}" "${TactN}" -d "${O}" "${TactN}" "${KSK1}" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g "${H}" -k "${O}" "${TactN}" -z "${O}" "${TactN}" "${ZSK1}" > "settime.out.${zone}.2" 2>&1
# New keys: goal OMNIPRESENT, DNSKEY and RRSIGs RUMOURED, DS still HIDDEN.
$SETTIME -s -g "${O}" -k "${R}" "${TpubN1}" -r "${R}" "${TpubN1}" -d "${H}" "${TpubN1}" "${KSK2}" > "settime.out.${zone}.3" 2>&1
$SETTIME -s -g "${O}" -k "${R}" "${TpubN1}" -z "${R}" "${TpubN1}" "${ZSK2}" > "settime.out.${zone}.4" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${KSK1}.state"
printf 'Lifetime: 0\n' >> "${ZSK1}.state"
{
  cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key"
  private_type_record "${zone}" 8 "${KSK1}"
  private_type_record "${zone}" 8 "${ZSK1}"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${KSK2}"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${ZSK2}"
} > "${infile}"
cp "${infile}" "${zonefile}"
$SIGNER -S -x -s now-1h -e now+2w -o "${zone}" -O raw -f "${zonefile}.signed" "${infile}" > "signer.out.${zone}.1" 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TsbmN1="now-1h"
# Old keys (RSASHA256, algorithm 8), retired at TretN.
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK ${ksk1times} "${zone}" 2> "keygen.out.${zone}.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 ${zsk1times} "${zone}" 2> "keygen.out.${zone}.2")
# New keys in the default algorithm.
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK2=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -L 3600 -f KSK ${ksk2times} "${zone}" 2> "keygen.out.${zone}.3")
ZSK2=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -L 3600 ${zsk2times} "${zone}" 2> "keygen.out.${zone}.4")
# Old keys: goal HIDDEN, everything still OMNIPRESENT.
$SETTIME -s -g "${H}" -k "${O}" "${TactN}" -r "${O}" "${TactN}" -d "${O}" "${TactN}" "${KSK1}" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g "${H}" -k "${O}" "${TactN}" -z "${O}" "${TactN}" "${ZSK1}" > "settime.out.${zone}.2" 2>&1
# New keys: DNSKEY and KRRSIG now OMNIPRESENT, ZRRSIG still RUMOURED, DS HIDDEN.
$SETTIME -s -g "${O}" -k "${O}" "${TpubN1}" -r "${O}" "${TpubN1}" -d "${H}" "${TpubN1}" "${KSK2}" > "settime.out.${zone}.3" 2>&1
$SETTIME -s -g "${O}" -k "${O}" "${TpubN1}" -z "${R}" "${TpubN1}" "${ZSK2}" > "settime.out.${zone}.4" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${KSK1}.state"
printf 'Lifetime: 0\n' >> "${ZSK1}.state"
{
  cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key"
  private_type_record "${zone}" 8 "${KSK1}"
  private_type_record "${zone}" 8 "${ZSK1}"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${KSK2}"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${ZSK2}"
} > "${infile}"
cp "${infile}" "${zonefile}"
$SIGNER -S -x -s now-1h -e now+2w -o "${zone}" -O raw -f "${zonefile}.signed" "${infile}" > "signer.out.${zone}.1" 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TsbmN1="now-30h"
TactN1="now-29h"
# Old keys (RSASHA256, algorithm 8), retired at TretN.
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK ${ksk1times} "${zone}" 2> "keygen.out.${zone}.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 ${zsk1times} "${zone}" 2> "keygen.out.${zone}.2")
# New keys in the default algorithm.
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK2=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -L 3600 -f KSK ${ksk2times} "${zone}" 2> "keygen.out.${zone}.3")
ZSK2=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -L 3600 ${zsk2times} "${zone}" 2> "keygen.out.${zone}.4")
# Old KSK: DS withdrawn at TactN1 (UNRETENTIVE, DS delete time set);
# old ZSK unchanged.
$SETTIME -s -g "${H}" -k "${O}" "${TactN}" -r "${O}" "${TactN}" -d "${U}" "${TactN1}" -D ds "${TactN1}" "${KSK1}" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g "${H}" -k "${O}" "${TactN}" -z "${O}" "${TactN}" "${ZSK1}" > "settime.out.${zone}.2" 2>&1
# New KSK: DS published at TactN1 (RUMOURED, DS publish time set).
$SETTIME -s -g "${O}" -k "${O}" "${TpubN1}" -r "${O}" "${TpubN1}" -d "${R}" "${TactN1}" -P ds "${TactN1}" "${KSK2}" > "settime.out.${zone}.3" 2>&1
$SETTIME -s -g "${O}" -k "${O}" "${TpubN1}" -z "${R}" "${TpubN1}" "${ZSK2}" > "settime.out.${zone}.4" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${KSK1}.state"
printf 'Lifetime: 0\n' >> "${ZSK1}.state"
{
  cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key"
  private_type_record "${zone}" 8 "${KSK1}"
  private_type_record "${zone}" 8 "${ZSK1}"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${KSK2}"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${ZSK2}"
} > "${infile}"
cp "${infile}" "${zonefile}"
$SIGNER -S -x -s now-1h -e now+2w -o "${zone}" -O raw -f "${zonefile}.signed" "${infile}" > "signer.out.${zone}.1" 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TsbmN1="now-32h"
TactN1="now-31h"
# Old keys (RSASHA256, algorithm 8), retired at TretN.
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK ${ksk1times} "${zone}" 2> "keygen.out.${zone}.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 ${zsk1times} "${zone}" 2> "keygen.out.${zone}.2")
# New keys in the default algorithm.
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK2=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -L 3600 -f KSK ${ksk2times} "${zone}" 2> "keygen.out.${zone}.3")
ZSK2=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -L 3600 ${zsk2times} "${zone}" 2> "keygen.out.${zone}.4")
# Old keys: DNSKEY and RRSIGs UNRETENTIVE since TremN, old DS already HIDDEN.
$SETTIME -s -g "${H}" -k "${U}" "${TremN}" -r "${U}" "${TremN}" -d "${H}" "${TactN1}" "${KSK1}" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g "${H}" -k "${U}" "${TremN}" -z "${U}" "${TremN}" "${ZSK1}" > "settime.out.${zone}.2" 2>&1
# New keys: DS OMNIPRESENT since TactN1, ZRRSIG still RUMOURED.
$SETTIME -s -g "${O}" -k "${O}" "${TpubN1}" -r "${O}" "${TpubN1}" -d "${O}" "${TactN1}" "${KSK2}" > "settime.out.${zone}.3" 2>&1
$SETTIME -s -g "${O}" -k "${O}" "${TpubN1}" -z "${R}" "${TpubN1}" "${ZSK2}" > "settime.out.${zone}.4" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${KSK1}.state"
printf 'Lifetime: 0\n' >> "${ZSK1}.state"
{
  cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key"
  private_type_record "${zone}" 8 "${KSK1}"
  private_type_record "${zone}" 8 "${ZSK1}"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${KSK2}"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${ZSK2}"
} > "${infile}"
cp "${infile}" "${zonefile}"
$SIGNER -S -x -s now-1h -e now+2w -o "${zone}" -O raw -f "${zonefile}.signed" "${infile}" > "signer.out.${zone}.1" 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TremN="now-7h"
TpubN1="now-47h"
TsbmN1="now-39h"
TactN1="now-38h"
TdeaN="now-9h"
# Old keys (RSASHA256, algorithm 8), retired at TretN.
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK ${ksk1times} "${zone}" 2> "keygen.out.${zone}.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 ${zsk1times} "${zone}" 2> "keygen.out.${zone}.2")
# New keys in the default algorithm.
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK2=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -L 3600 -f KSK ${ksk2times} "${zone}" 2> "keygen.out.${zone}.3")
ZSK2=$($KEYGEN -a "${DEFAULT_ALGORITHM}" -L 3600 ${zsk2times} "${zone}" 2> "keygen.out.${zone}.4")
# Old keys: DNSKEY HIDDEN since TremN, RRSIGs UNRETENTIVE since TdeaN.
$SETTIME -s -g "${H}" -k "${H}" "${TremN}" -r "${U}" "${TdeaN}" -d "${H}" "${TactN1}" "${KSK1}" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g "${H}" -k "${H}" "${TremN}" -z "${U}" "${TdeaN}" "${ZSK1}" > "settime.out.${zone}.2" 2>&1
# New keys: unchanged from step 5.
$SETTIME -s -g "${O}" -k "${O}" "${TpubN1}" -r "${O}" "${TpubN1}" -d "${O}" "${TactN1}" "${KSK2}" > "settime.out.${zone}.3" 2>&1
$SETTIME -s -g "${O}" -k "${O}" "${TpubN1}" -z "${R}" "${TpubN1}" "${ZSK2}" > "settime.out.${zone}.4" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${KSK1}.state"
printf 'Lifetime: 0\n' >> "${ZSK1}.state"
{
  cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key"
  private_type_record "${zone}" 8 "${KSK1}"
  private_type_record "${zone}" 8 "${ZSK1}"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${KSK2}"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${ZSK2}"
} > "${infile}"
cp "${infile}" "${zonefile}"
$SIGNER -S -x -s now-1h -e now+2w -o "${zone}" -O raw -f "${zonefile}.signed" "${infile}" > "signer.out.${zone}.1" 2>&1

#
# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
# algorithm rollover, from the algorithm configured in policies/csk1.conf
# to the one in policies/csk2.conf.
#
# The private-type records use algorithm number 5 (RSASHA1) for the old
# key; this is assumed to match policies/csk1.conf, which is not shown here.
#

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.csk-algorithm-roll.kasp
printf '%s\n' "${zone}" >> zones
TactN="now"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf ${csktimes} "${zone}" 2> "keygen.out.${zone}.1")
# Everything is already OMNIPRESENT since TactN.
$SETTIME -s -g "${O}" -k "${O}" "${TactN}" -r "${O}" "${TactN}" -z "${O}" "${TactN}" -d "${O}" "${TactN}" "${CSK}" > "settime.out.${zone}.1" 2>&1
{
  cat template.db.in "${CSK}.key"
  private_type_record "${zone}" 5 "${CSK}"
} > "${infile}"
cp "${infile}" "${zonefile}"
# -z: ignore the KSK flag, so the one CSK signs the whole zone.
$SIGNER -S -x -z -s now-1h -e now+2w -o "${zone}" -O raw -f "${zonefile}.signed" "${infile}" > "signer.out.${zone}.1" 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
# Old CSK (policies/csk1.conf, algorithm 5) is being retired as of now.
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf ${csktimes} "${zone}" 2> "keygen.out.${zone}.1")
# New CSK (policies/csk2.conf, default algorithm).
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf ${newtimes} "${zone}" 2> "keygen.out.${zone}.2")
# Old CSK: goal HIDDEN, everything still OMNIPRESENT.
$SETTIME -s -g "${H}" -k "${O}" "${TactN}" -r "${O}" "${TactN}" -z "${O}" "${TactN}" -d "${O}" "${TactN}" "${CSK1}" > "settime.out.${zone}.1" 2>&1
# New CSK: DNSKEY and RRSIGs RUMOURED, DS still HIDDEN.
$SETTIME -s -g "${O}" -k "${R}" "${TpubN1}" -r "${R}" "${TpubN1}" -z "${R}" "${TpubN1}" -d "${H}" "${TpubN1}" "${CSK2}" > "settime.out.${zone}.2" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${CSK1}.state"
{
  cat template.db.in "${CSK1}.key" "${CSK2}.key"
  private_type_record "${zone}" 5 "${CSK1}"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${CSK2}"
} > "${infile}"
cp "${infile}" "${zonefile}"
$SIGNER -S -x -z -s now-1h -e now+2w -o "${zone}" -O raw -f "${zonefile}.signed" "${infile}" > "signer.out.${zone}.1" 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TactN1="now-6h"
# Old CSK (policies/csk1.conf, algorithm 5), retired at TretN.
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf ${csktimes} "${zone}" 2> "keygen.out.${zone}.1")
# New CSK (policies/csk2.conf, default algorithm).
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf ${newtimes} "${zone}" 2> "keygen.out.${zone}.2")
# Old CSK: goal HIDDEN, everything still OMNIPRESENT.
$SETTIME -s -g "${H}" -k "${O}" "${TactN}" -r "${O}" "${TactN}" -z "${O}" "${TactN}" -d "${O}" "${TactN}" "${CSK1}" > "settime.out.${zone}.1" 2>&1
# New CSK: DNSKEY and KRRSIG OMNIPRESENT since TactN1, ZRRSIG RUMOURED, DS HIDDEN.
$SETTIME -s -g "${O}" -k "${O}" "${TactN1}" -r "${O}" "${TactN1}" -z "${R}" "${TpubN1}" -d "${H}" "${TpubN1}" "${CSK2}" > "settime.out.${zone}.2" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${CSK1}.state"
{
  cat template.db.in "${CSK1}.key" "${CSK2}.key"
  private_type_record "${zone}" 5 "${CSK1}"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${CSK2}"
} > "${infile}"
cp "${infile}" "${zonefile}"
$SIGNER -S -x -z -s now-1h -e now+2w -o "${zone}" -O raw -f "${zonefile}.signed" "${infile}" > "signer.out.${zone}.1" 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.csk-algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TactN1="now-35h"
TsubN1="now-29h"
# Old CSK (policies/csk1.conf, algorithm 5), retired at TretN.
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf ${csktimes} "${zone}" 2> "keygen.out.${zone}.1")
# New CSK (policies/csk2.conf, default algorithm).
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf ${newtimes} "${zone}" 2> "keygen.out.${zone}.2")
# Old CSK: DS withdrawn at TactN1 (UNRETENTIVE, DS delete time set).
$SETTIME -s -g "${H}" -k "${O}" "${TactN}" -r "${O}" "${TactN}" -z "${O}" "${TactN}" -d "${U}" "${TactN1}" -D ds "${TactN1}" "${CSK1}" > "settime.out.${zone}.1" 2>&1
# New CSK: ZRRSIG OMNIPRESENT and DS published (RUMOURED) at TsubN1.
$SETTIME -s -g "${O}" -k "${O}" "${TactN1}" -r "${O}" "${TactN1}" -z "${O}" "${TsubN1}" -d "${R}" "${TsubN1}" -P ds "${TsubN1}" "${CSK2}" > "settime.out.${zone}.2" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${CSK1}.state"
{
  cat template.db.in "${CSK1}.key" "${CSK2}.key"
  private_type_record "${zone}" 5 "${CSK1}"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${CSK2}"
} > "${infile}"
cp "${infile}" "${zonefile}"
$SIGNER -S -x -z -s now-1h -e now+2w -o "${zone}" -O raw -f "${zonefile}.signed" "${infile}" > "signer.out.${zone}.1" 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.csk-algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TactN1="now-37h"
TsubN1="now-31h"
# Old CSK (policies/csk1.conf, algorithm 5), retired at TretN.
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf ${csktimes} "${zone}" 2> "keygen.out.${zone}.1")
# New CSK (policies/csk2.conf, default algorithm).
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf ${newtimes} "${zone}" 2> "keygen.out.${zone}.2")
# Old CSK: DNSKEY and RRSIGs UNRETENTIVE since TremN, DS already HIDDEN.
$SETTIME -s -g "${H}" -k "${U}" "${TremN}" -r "${U}" "${TremN}" -z "${U}" "${TremN}" -d "${H}" "${TremN}" "${CSK1}" > "settime.out.${zone}.1" 2>&1
# New CSK: DS OMNIPRESENT since TremN.
$SETTIME -s -g "${O}" -k "${O}" "${TactN1}" -r "${O}" "${TactN1}" -z "${O}" "${TsubN1}" -d "${O}" "${TremN}" "${CSK2}" > "settime.out.${zone}.2" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${CSK1}.state"
{
  cat template.db.in "${CSK1}.key" "${CSK2}.key"
  private_type_record "${zone}" 5 "${CSK1}"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${CSK2}"
} > "${infile}"
cp "${infile}" "${zonefile}"
$SIGNER -S -x -z -s now-1h -e now+2w -o "${zone}" -O raw -f "${zonefile}.signed" "${infile}" > "signer.out.${zone}.1" 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.csk-algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TdeaN="now-9h"
TremN="now-7h"
TpubN1="now-47h"
TactN1="now-44h"
TsubN1="now-38h"
# Old CSK (policies/csk1.conf, algorithm 5), retired at TretN.
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf ${csktimes} "${zone}" 2> "keygen.out.${zone}.1")
# New CSK (policies/csk2.conf, default algorithm).
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf ${newtimes} "${zone}" 2> "keygen.out.${zone}.2")
# Old CSK: DNSKEY HIDDEN since TremN, RRSIGs UNRETENTIVE since TdeaN.
$SETTIME -s -g "${H}" -k "${H}" "${TremN}" -r "${U}" "${TdeaN}" -z "${U}" "${TdeaN}" -d "${H}" "${TactN1}" "${CSK1}" > "settime.out.${zone}.1" 2>&1
# New CSK: everything OMNIPRESENT.
$SETTIME -s -g "${O}" -k "${O}" "${TactN1}" -r "${O}" "${TactN1}" -z "${O}" "${TsubN1}" -d "${O}" "${TactN1}" "${CSK2}" > "settime.out.${zone}.2" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${CSK1}.state"
{
  cat template.db.in "${CSK1}.key" "${CSK2}.key"
  private_type_record "${zone}" 5 "${CSK1}"
  private_type_record "${zone}" "${DEFAULT_ALGORITHM_NUMBER}" "${CSK2}"
} > "${infile}"
cp "${infile}" "${zonefile}"
$SIGNER -S -x -z -s now-1h -e now+2w -o "${zone}" -O raw -f "${zonefile}.signed" "${infile}" > "signer.out.${zone}.1" 2>&1

#
# Reload testing
#
# The "example" zone is a plain copy of its template and is listed in the
# zones file.
printf '%s\n' example >> zones
cp example.db.in example.db

# Zone for the dynamic-to-inline-signing reload test (as its name suggests;
# the test itself is elsewhere).  It starts out as an unsigned copy of the
# template, with no keys generated here.
setup "dynamic2inline.kasp"
cp template.db.in "${zonefile}"