mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-22 10:10:06 +00:00
Prepare rollover system tests for manual-mode
For the algorithm, CSK, KSK, ZSK rollovers, enabling DNSSEC and going insecure, add new zones to be tested in manual-mode.
This commit is contained in:
Matthijs Mekking
parent
a0dc0434e5
commit
02460a009f
@ -11,7 +11,27 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-policy "csk-algoroll" {
|
||||
dnssec-policy "csk-algoroll-kasp" {
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
keys {
|
||||
csk lifetime unlimited algorithm rsasha256;
|
||||
};
|
||||
|
||||
dnskey-ttl 1h;
|
||||
publish-safety PT1H;
|
||||
retire-safety 2h;
|
||||
zone-propagation-delay 3600;
|
||||
max-zone-ttl 6h;
|
||||
parent-propagation-delay pt1h;
|
||||
parent-ds-ttl 7200;
|
||||
};
|
||||
|
||||
dnssec-policy "csk-algoroll-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
@ -11,7 +11,27 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-policy "csk-algoroll" {
|
||||
dnssec-policy "csk-algoroll-kasp" {
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
keys {
|
||||
csk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
dnskey-ttl 1h;
|
||||
publish-safety PT1H;
|
||||
retire-safety 2h;
|
||||
zone-propagation-delay 3600;
|
||||
max-zone-ttl 6h;
|
||||
parent-propagation-delay pt1h;
|
||||
parent-ds-ttl 7200;
|
||||
};
|
||||
|
||||
dnssec-policy "csk-algoroll-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
@ -13,44 +13,47 @@
|
||||
|
||||
{% set csk_roll = csk_roll | default(False) %}
|
||||
{% set _csk_file = "csk1.conf" if not csk_roll else "csk2.conf" %}
|
||||
{% set zones = ["kasp", "manual"] %}
|
||||
|
||||
include "@_csk_file@";
|
||||
include "named.common.conf";
|
||||
|
||||
zone "step1.csk-algorithm-roll.kasp" {
|
||||
{% for tld in zones %}
|
||||
zone "step1.csk-algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step1.csk-algorithm-roll.kasp.db";
|
||||
dnssec-policy "csk-algoroll";
|
||||
file "step1.csk-algorithm-roll.@tld@.db";
|
||||
dnssec-policy "csk-algoroll-@tld@";
|
||||
};
|
||||
|
||||
{% if csk_roll %}
|
||||
zone "step2.csk-algorithm-roll.kasp" {
|
||||
zone "step2.csk-algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step2.csk-algorithm-roll.kasp.db";
|
||||
dnssec-policy "csk-algoroll";
|
||||
file "step2.csk-algorithm-roll.@tld@.db";
|
||||
dnssec-policy "csk-algoroll-@tld@";
|
||||
};
|
||||
|
||||
zone "step3.csk-algorithm-roll.kasp" {
|
||||
zone "step3.csk-algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step3.csk-algorithm-roll.kasp.db";
|
||||
dnssec-policy "csk-algoroll";
|
||||
file "step3.csk-algorithm-roll.@tld@.db";
|
||||
dnssec-policy "csk-algoroll-@tld@";
|
||||
};
|
||||
|
||||
zone "step4.csk-algorithm-roll.kasp" {
|
||||
zone "step4.csk-algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step4.csk-algorithm-roll.kasp.db";
|
||||
dnssec-policy "csk-algoroll";
|
||||
file "step4.csk-algorithm-roll.@tld@.db";
|
||||
dnssec-policy "csk-algoroll-@tld@";
|
||||
};
|
||||
|
||||
zone "step5.csk-algorithm-roll.kasp" {
|
||||
zone "step5.csk-algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step5.csk-algorithm-roll.kasp.db";
|
||||
dnssec-policy "csk-algoroll";
|
||||
file "step5.csk-algorithm-roll.@tld@.db";
|
||||
dnssec-policy "csk-algoroll-@tld@";
|
||||
};
|
||||
|
||||
zone "step6.csk-algorithm-roll.kasp" {
|
||||
zone "step6.csk-algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step6.csk-algorithm-roll.kasp.db";
|
||||
dnssec-policy "csk-algoroll";
|
||||
file "step6.csk-algorithm-roll.@tld@.db";
|
||||
dnssec-policy "csk-algoroll-@tld@";
|
||||
};
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
@ -30,18 +30,19 @@ O="OMNIPRESENT"
|
||||
U="UNRETENTIVE"
|
||||
|
||||
#
|
||||
# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
|
||||
# The zones at csk-algorithm-roll.$tld represent the various steps of a CSK
|
||||
# algorithm rollover.
|
||||
#
|
||||
|
||||
for tld in kasp manual; do
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.csk-algorithm-roll.kasp
|
||||
setup step1.csk-algorithm-roll.$tld
|
||||
echo "$zone" >>zones
|
||||
TactN="now-7d"
|
||||
TsbmN="now-161h"
|
||||
csktimes="-P ${TactN} -A ${TactN}"
|
||||
CSK=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone 5 "$CSK" >>"$infile"
|
||||
@ -50,15 +51,15 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
|
||||
|
||||
# Step 2:
|
||||
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
|
||||
setup step2.csk-algorithm-roll.kasp
|
||||
setup step2.csk-algorithm-roll.$tld
|
||||
# The time passed since the new algorithm keys have been introduced is 3 hours.
|
||||
TpubN1="now-3h"
|
||||
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp = now - 3h + 6h + 1h = now + 4h
|
||||
TsbmN1="now+4h"
|
||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I now"
|
||||
newtimes="-P ${TpubN1} -A ${TpubN1}"
|
||||
CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
CSK1=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll-$tld -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
@ -71,14 +72,14 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
|
||||
|
||||
# Step 3:
|
||||
# The zone signatures are also OMNIPRESENT.
|
||||
setup step3.csk-algorithm-roll.kasp
|
||||
setup step3.csk-algorithm-roll.$tld
|
||||
# The time passed since the new algorithm keys have been introduced is 7 hours.
|
||||
TpubN1="now-7h"
|
||||
TsbmN1="now"
|
||||
ckstimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
CSK1=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll-$tld -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
@ -91,14 +92,14 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
|
||||
|
||||
# Step 4:
|
||||
# The DS is swapped and can become OMNIPRESENT.
|
||||
setup step4.csk-algorithm-roll.kasp
|
||||
setup step4.csk-algorithm-roll.$tld
|
||||
# The time passed since the DS has been swapped is 3 hours.
|
||||
TpubN1="now-10h"
|
||||
TsbmN1="now-3h"
|
||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
CSK1=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll-$tld -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TsbmN1 -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
@ -111,14 +112,14 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
|
||||
|
||||
# Step 5:
|
||||
# The DNSKEY is removed long enough to be HIDDEN.
|
||||
setup step5.csk-algorithm-roll.kasp
|
||||
setup step5.csk-algorithm-roll.$tld
|
||||
# The time passed since the DNSKEY has been removed is 2 hours.
|
||||
TpubN1="now-12h"
|
||||
TsbmN1="now-5h"
|
||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
CSK1=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll-$tld -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $U $TactN -r $U $TactN -z $U $TsbmN1 -d $H $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $O $TsbmN1 -d $O $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
@ -131,14 +132,14 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
|
||||
|
||||
# Step 6:
|
||||
# The RRSIGs have been removed long enough to be HIDDEN.
|
||||
setup step6.csk-algorithm-roll.kasp
|
||||
setup step6.csk-algorithm-roll.$tld
|
||||
# Additional time passed: 7h.
|
||||
TpubN1="now-19h"
|
||||
TsbmN1="now-12h"
|
||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
CSK1=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll-$tld -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $H $TactN -r $U $TactN -z $U $TactN -d $H $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
@ -148,3 +149,4 @@ private_type_record $zone 5 "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
done
|
||||
|
||||
@ -11,7 +11,10 @@
|
||||
|
||||
# pylint: disable=redefined-outer-name,unused-import
|
||||
|
||||
import pytest
|
||||
|
||||
import isctest
|
||||
from isctest.util import param
|
||||
from rollover.common import (
|
||||
pytestmark,
|
||||
CDSS,
|
||||
@ -21,10 +24,16 @@ from rollover.common import (
|
||||
)
|
||||
|
||||
|
||||
def test_algoroll_csk_initial(ns6):
|
||||
@pytest.mark.parametrize(
|
||||
"tld, policy",
|
||||
[
|
||||
param("kasp", "csk-algoroll"),
|
||||
param("manual", "csk-algoroll-manual"),
|
||||
],
|
||||
)
|
||||
def test_algoroll_csk_initial(ns6, tld, policy):
|
||||
config = ALGOROLL_CONFIG
|
||||
policy = "csk-algoroll"
|
||||
zone = "step1.csk-algorithm-roll.kasp"
|
||||
zone = f"step1.csk-algorithm-roll.{tld}"
|
||||
|
||||
isctest.kasp.wait_keymgr_done(ns6, zone)
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-policy "rsasha256" {
|
||||
dnssec-policy "rsasha256-kasp" {
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
@ -30,7 +30,49 @@ dnssec-policy "rsasha256" {
|
||||
parent-ds-ttl 7200;
|
||||
};
|
||||
|
||||
dnssec-policy "ecdsa256" {
|
||||
dnssec-policy "rsasha256-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
keys {
|
||||
ksk lifetime unlimited algorithm rsasha256;
|
||||
zsk lifetime unlimited algorithm rsasha256;
|
||||
};
|
||||
|
||||
dnskey-ttl 1h;
|
||||
publish-safety PT1H;
|
||||
retire-safety 2h;
|
||||
zone-propagation-delay 3600;
|
||||
max-zone-ttl 6h;
|
||||
parent-propagation-delay pt1h;
|
||||
parent-ds-ttl 7200;
|
||||
};
|
||||
|
||||
dnssec-policy "ecdsa256-kasp" {
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
keys {
|
||||
ksk lifetime unlimited algorithm ecdsa256;
|
||||
zsk lifetime unlimited algorithm ecdsa256;
|
||||
};
|
||||
|
||||
dnskey-ttl 1h;
|
||||
publish-safety PT1H;
|
||||
retire-safety 2h;
|
||||
zone-propagation-delay 3600;
|
||||
max-zone-ttl 6h;
|
||||
parent-propagation-delay pt1h;
|
||||
parent-ds-ttl 7200;
|
||||
};
|
||||
|
||||
dnssec-policy "ecdsa256-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
@ -13,44 +13,48 @@
|
||||
|
||||
{% set alg_roll = alg_roll | default(False) %}
|
||||
{% set policy = "rsasha256" if not alg_roll else "ecdsa256" %}
|
||||
{% set zones = ["kasp", "manual"] %}
|
||||
|
||||
include "kasp.conf";
|
||||
include "named.common.conf";
|
||||
|
||||
zone "step1.algorithm-roll.kasp" {
|
||||
{% for tld in zones %}
|
||||
zone "step1.algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step1.algorithm-roll.kasp.db";
|
||||
dnssec-policy @policy@;
|
||||
file "step1.algorithm-roll.@tld@.db";
|
||||
dnssec-policy @policy@-@tld@;
|
||||
};
|
||||
|
||||
{% if alg_roll %}
|
||||
zone "step2.algorithm-roll.kasp" {
|
||||
zone "step2.algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step2.algorithm-roll.kasp.db";
|
||||
dnssec-policy "ecdsa256";
|
||||
file "step2.algorithm-roll.@tld@.db";
|
||||
dnssec-policy "ecdsa256-@tld@";
|
||||
};
|
||||
|
||||
zone "step3.algorithm-roll.kasp" {
|
||||
zone "step3.algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step3.algorithm-roll.kasp.db";
|
||||
dnssec-policy "ecdsa256";
|
||||
file "step3.algorithm-roll.@tld@.db";
|
||||
dnssec-policy "ecdsa256-@tld@";
|
||||
};
|
||||
|
||||
zone "step4.algorithm-roll.kasp" {
|
||||
zone "step4.algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step4.algorithm-roll.kasp.db";
|
||||
dnssec-policy "ecdsa256";
|
||||
file "step4.algorithm-roll.@tld@.db";
|
||||
dnssec-policy "ecdsa256-@tld@";
|
||||
};
|
||||
|
||||
zone "step5.algorithm-roll.kasp" {
|
||||
zone "step5.algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step5.algorithm-roll.kasp.db";
|
||||
dnssec-policy "ecdsa256";
|
||||
file "step5.algorithm-roll.@tld@.db";
|
||||
dnssec-policy "ecdsa256-@tld@";
|
||||
};
|
||||
|
||||
zone "step6.algorithm-roll.kasp" {
|
||||
zone "step6.algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step6.algorithm-roll.kasp.db";
|
||||
dnssec-policy "ecdsa256";
|
||||
file "step6.algorithm-roll.@tld@.db";
|
||||
dnssec-policy "ecdsa256-@tld@";
|
||||
};
|
||||
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
@ -30,13 +30,14 @@ O="OMNIPRESENT"
|
||||
U="UNRETENTIVE"
|
||||
|
||||
#
|
||||
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
|
||||
# The zones at algorithm-roll.$tld represent the various steps of a ZSK/KSK
|
||||
# algorithm rollover.
|
||||
#
|
||||
|
||||
for tld in kasp manual; do
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.algorithm-roll.kasp
|
||||
setup step1.algorithm-roll.$tld
|
||||
echo "$zone" >>zones
|
||||
TactN="now-7d"
|
||||
TsbmN="now-161h"
|
||||
@ -54,7 +55,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
|
||||
|
||||
# Step 2:
|
||||
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
|
||||
setup step2.algorithm-roll.kasp
|
||||
setup step2.algorithm-roll.$tld
|
||||
# The time passed since the new algorithm keys have been introduced is 3 hours.
|
||||
TpubN1="now-3h"
|
||||
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp = now - 3h + 6h + 1h = now + 4h
|
||||
@ -84,7 +85,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
|
||||
|
||||
# Step 3:
|
||||
# The zone signatures are also OMNIPRESENT.
|
||||
setup step3.algorithm-roll.kasp
|
||||
setup step3.algorithm-roll.$tld
|
||||
# The time passed since the new algorithm keys have been introduced is 7 hours.
|
||||
TpubN1="now-7h"
|
||||
TsbmN1="now"
|
||||
@ -113,7 +114,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
|
||||
|
||||
# Step 4:
|
||||
# The DS is swapped and can become OMNIPRESENT.
|
||||
setup step4.algorithm-roll.kasp
|
||||
setup step4.algorithm-roll.$tld
|
||||
# The time passed since the DS has been swapped is 3 hours.
|
||||
TpubN1="now-10h"
|
||||
TsbmN1="now-3h"
|
||||
@ -142,7 +143,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
|
||||
|
||||
# Step 5:
|
||||
# The DNSKEY is removed long enough to be HIDDEN.
|
||||
setup step5.algorithm-roll.kasp
|
||||
setup step5.algorithm-roll.$tld
|
||||
# The time passed since the DNSKEY has been removed is 2 hours.
|
||||
TpubN1="now-12h"
|
||||
TsbmN1="now-5h"
|
||||
@ -171,7 +172,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
|
||||
|
||||
# Step 6:
|
||||
# The RRSIGs have been removed long enough to be HIDDEN.
|
||||
setup step6.algorithm-roll.kasp
|
||||
setup step6.algorithm-roll.$tld
|
||||
# Additional time passed: 7h.
|
||||
TpubN1="now-19h"
|
||||
TsbmN1="now-12h"
|
||||
@ -197,3 +198,4 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
done
|
||||
|
||||
@ -11,7 +11,10 @@
|
||||
|
||||
# pylint: disable=unused-import
|
||||
|
||||
import pytest
|
||||
|
||||
import isctest
|
||||
from isctest.util import param
|
||||
from rollover.common import (
|
||||
pytestmark,
|
||||
CDSS,
|
||||
@ -21,10 +24,17 @@ from rollover.common import (
|
||||
)
|
||||
|
||||
|
||||
def test_algoroll_ksk_zsk_initial(ns6):
|
||||
@pytest.mark.parametrize(
|
||||
"tld",
|
||||
[
|
||||
param("kasp"),
|
||||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_algoroll_ksk_zsk_initial(ns6, tld):
|
||||
config = ALGOROLL_CONFIG
|
||||
policy = "rsasha256"
|
||||
zone = "step1.algorithm-roll.kasp"
|
||||
policy = f"rsasha256-{tld}"
|
||||
zone = f"step1.algorithm-roll.{tld}"
|
||||
|
||||
isctest.kasp.wait_keymgr_done(ns6, zone)
|
||||
|
||||
|
||||
@ -11,7 +11,31 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-policy "csk-roll1" {
|
||||
dnssec-policy "csk-roll1-autosign" {
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
dnskey-ttl 1h;
|
||||
publish-safety PT1H;
|
||||
retire-safety 2h;
|
||||
purge-keys PT1H;
|
||||
|
||||
cds-digest-types { "sha-384"; }; // use a different digest type for testing purposes
|
||||
keys {
|
||||
csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
zone-propagation-delay 1h;
|
||||
max-zone-ttl P1D;
|
||||
|
||||
parent-ds-ttl 1h;
|
||||
parent-propagation-delay 1h;
|
||||
};
|
||||
|
||||
dnssec-policy "csk-roll1-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
@ -11,46 +11,51 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
{% set zones = ["autosign", "manual"] %}
|
||||
|
||||
include "kasp.conf";
|
||||
include "named.common.conf";
|
||||
|
||||
zone "step1.csk-roll1.autosign" {
|
||||
{% for tld in zones %}
|
||||
zone "step1.csk-roll1.@tld@" {
|
||||
type primary;
|
||||
file "step1.csk-roll1.autosign.db";
|
||||
dnssec-policy "csk-roll1";
|
||||
file "step1.csk-roll1.@tld@.db";
|
||||
dnssec-policy "csk-roll1-@tld@";
|
||||
};
|
||||
zone "step2.csk-roll1.autosign" {
|
||||
zone "step2.csk-roll1.@tld@" {
|
||||
type primary;
|
||||
file "step2.csk-roll1.autosign.db";
|
||||
dnssec-policy "csk-roll1";
|
||||
file "step2.csk-roll1.@tld@.db";
|
||||
dnssec-policy "csk-roll1-@tld@";
|
||||
};
|
||||
zone "step3.csk-roll1.autosign" {
|
||||
zone "step3.csk-roll1.@tld@" {
|
||||
type primary;
|
||||
file "step3.csk-roll1.autosign.db";
|
||||
dnssec-policy "csk-roll1";
|
||||
file "step3.csk-roll1.@tld@.db";
|
||||
dnssec-policy "csk-roll1-@tld@";
|
||||
};
|
||||
zone "step4.csk-roll1.autosign" {
|
||||
zone "step4.csk-roll1.@tld@" {
|
||||
type primary;
|
||||
file "step4.csk-roll1.autosign.db";
|
||||
dnssec-policy "csk-roll1";
|
||||
file "step4.csk-roll1.@tld@.db";
|
||||
dnssec-policy "csk-roll1-@tld@";
|
||||
};
|
||||
zone "step5.csk-roll1.autosign" {
|
||||
zone "step5.csk-roll1.@tld@" {
|
||||
type primary;
|
||||
file "step5.csk-roll1.autosign.db";
|
||||
dnssec-policy "csk-roll1";
|
||||
file "step5.csk-roll1.@tld@.db";
|
||||
dnssec-policy "csk-roll1-@tld@";
|
||||
};
|
||||
zone "step6.csk-roll1.autosign" {
|
||||
zone "step6.csk-roll1.@tld@" {
|
||||
type primary;
|
||||
file "step6.csk-roll1.autosign.db";
|
||||
dnssec-policy "csk-roll1";
|
||||
file "step6.csk-roll1.@tld@.db";
|
||||
dnssec-policy "csk-roll1-@tld@";
|
||||
};
|
||||
zone "step7.csk-roll1.autosign" {
|
||||
zone "step7.csk-roll1.@tld@" {
|
||||
type primary;
|
||||
file "step7.csk-roll1.autosign.db";
|
||||
dnssec-policy "csk-roll1";
|
||||
file "step7.csk-roll1.@tld@.db";
|
||||
dnssec-policy "csk-roll1-@tld@";
|
||||
};
|
||||
zone "step8.csk-roll1.autosign" {
|
||||
zone "step8.csk-roll1.@tld@" {
|
||||
type primary;
|
||||
file "step8.csk-roll1.autosign.db";
|
||||
dnssec-policy "csk-roll1";
|
||||
file "step8.csk-roll1.@tld@.db";
|
||||
dnssec-policy "csk-roll1-@tld@";
|
||||
};
|
||||
|
||||
{% endfor %}
|
||||
|
||||
@ -40,16 +40,17 @@ O="OMNIPRESENT"
|
||||
U="UNRETENTIVE"
|
||||
|
||||
#
|
||||
# The zones at csk-roll1.autosign represent the various steps of a CSK rollover
|
||||
# The zones at csk-roll1.$tld represent the various steps of a CSK rollover
|
||||
# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
|
||||
#
|
||||
|
||||
for tld in autosign manual; do
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.csk-roll1.autosign
|
||||
setup step1.csk-roll1.$tld
|
||||
TactN="now-7d"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
CSK=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
@ -58,7 +59,7 @@ $SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -
|
||||
|
||||
# Step 2:
|
||||
# It is time to introduce the new CSK.
|
||||
setup step2.csk-roll1.autosign
|
||||
setup step2.csk-roll1.$tld
|
||||
# According to RFC 7583:
|
||||
# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
|
||||
# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
|
||||
@ -77,7 +78,7 @@ setup step2.csk-roll1.autosign
|
||||
# = now - 4464h + 3h = now - 4461h
|
||||
TactN="now-4461h"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
CSK=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
@ -86,7 +87,7 @@ $SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -
|
||||
|
||||
# Step 3:
|
||||
# It is time to submit the DS and to roll signatures.
|
||||
setup step3.csk-roll1.autosign
|
||||
setup step3.csk-roll1.$tld
|
||||
# According to RFC 7583:
|
||||
#
|
||||
# Tsbm(N+1) >= Trdy(N+1)
|
||||
@ -126,8 +127,8 @@ TretN1="now+186d"
|
||||
TremN1="now+5091h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
@ -144,7 +145,7 @@ $SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -
|
||||
# DS should be swapped. The ZRRSIG records are all replaced after IretZ
|
||||
# (which is 26d3h). The DS is swapped after Iret (which is 4h).
|
||||
# In other words, the DS is swapped before all zone signatures are replaced.
|
||||
setup step4.csk-roll1.autosign
|
||||
setup step4.csk-roll1.$tld
|
||||
# According to RFC 7583:
|
||||
# Trem(N) = Tret(N) - Iret + IretZ
|
||||
# now = Tsbm(N+1) + Iret
|
||||
@ -172,8 +173,8 @@ TretN1="now+4460h"
|
||||
TremN1="now+5087h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -z $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $R $TactN1 -z $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
@ -188,7 +189,7 @@ $SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -
|
||||
# Step 5:
|
||||
# After the DS is swapped in step 4, also the KRRSIG records can be removed.
|
||||
# At this time these have all become hidden.
|
||||
setup step5.csk-roll1.autosign
|
||||
setup step5.csk-roll1.$tld
|
||||
# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
|
||||
TpubN="now-4470h"
|
||||
TactN="now-4445h"
|
||||
@ -200,8 +201,8 @@ TretN1="now+4458h"
|
||||
TremN1="now+5085h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O now-2h -z $R $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
@ -216,7 +217,7 @@ $SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -
|
||||
# Step 6:
|
||||
# After the retire interval has passed the predecessor DNSKEY can be
|
||||
# removed from the zone.
|
||||
setup step6.csk-roll1.autosign
|
||||
setup step6.csk-roll1.$tld
|
||||
# According to RFC 7583:
|
||||
# Trem(N) = Tret(N) + IretZ
|
||||
# Tret(N) = Tact(N) + Lcsk
|
||||
@ -244,8 +245,8 @@ TretN1="now+3837h"
|
||||
TremN1="now+186d"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $R $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
@ -259,7 +260,7 @@ $SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -
|
||||
|
||||
# Step 7:
|
||||
# Some time later the predecessor DNSKEY enters the HIDDEN state.
|
||||
setup step7.csk-roll1.autosign
|
||||
setup step7.csk-roll1.$tld
|
||||
# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
|
||||
TpubN="now-5093h"
|
||||
TactN="now-5068h"
|
||||
@ -271,8 +272,8 @@ TretN1="now+3835h"
|
||||
TremN1="now+4462h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
@ -286,7 +287,7 @@ $SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -
|
||||
|
||||
# Step 8:
|
||||
# The predecessor DNSKEY can be purged.
|
||||
setup step8.csk-roll1.autosign
|
||||
setup step8.csk-roll1.$tld
|
||||
TpubN="now-5094h"
|
||||
TactN="now-5069h"
|
||||
TretN="now-630h"
|
||||
@ -298,8 +299,8 @@ TremN1="now+4461h"
|
||||
# Subtract purge-keys interval from all the times (1h).
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
@ -310,3 +311,4 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
done
|
||||
|
||||
@ -11,7 +11,31 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-policy "csk-roll2" {
|
||||
dnssec-policy "csk-roll2-autosign" {
|
||||
signatures-refresh 12h;
|
||||
signatures-validity P1D;
|
||||
signatures-validity-dnskey P1D;
|
||||
|
||||
dnskey-ttl 1h;
|
||||
publish-safety PT1H;
|
||||
retire-safety 1h;
|
||||
purge-keys 0;
|
||||
|
||||
cds-digest-types { "sha-256"; "sha-384"; }; // use two digest type for testing purposes
|
||||
keys {
|
||||
csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
zone-propagation-delay PT1H;
|
||||
max-zone-ttl 1d;
|
||||
|
||||
parent-ds-ttl PT1H;
|
||||
parent-propagation-delay P1W;
|
||||
};
|
||||
|
||||
dnssec-policy "csk-roll2-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh 12h;
|
||||
signatures-validity P1D;
|
||||
signatures-validity-dnskey P1D;
|
||||
|
||||
@ -11,41 +11,46 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
{% set zones = ["autosign", "manual"] %}
|
||||
|
||||
include "kasp.conf";
|
||||
include "named.common.conf";
|
||||
|
||||
zone "step1.csk-roll2.autosign" {
|
||||
{% for tld in zones %}
|
||||
zone "step1.csk-roll2.@tld@" {
|
||||
type primary;
|
||||
file "step1.csk-roll2.autosign.db";
|
||||
dnssec-policy "csk-roll2";
|
||||
file "step1.csk-roll2.@tld@.db";
|
||||
dnssec-policy "csk-roll2-@tld@";
|
||||
};
|
||||
zone "step2.csk-roll2.autosign" {
|
||||
zone "step2.csk-roll2.@tld@" {
|
||||
type primary;
|
||||
file "step2.csk-roll2.autosign.db";
|
||||
dnssec-policy "csk-roll2";
|
||||
file "step2.csk-roll2.@tld@.db";
|
||||
dnssec-policy "csk-roll2-@tld@";
|
||||
};
|
||||
zone "step3.csk-roll2.autosign" {
|
||||
zone "step3.csk-roll2.@tld@" {
|
||||
type primary;
|
||||
file "step3.csk-roll2.autosign.db";
|
||||
dnssec-policy "csk-roll2";
|
||||
file "step3.csk-roll2.@tld@.db";
|
||||
dnssec-policy "csk-roll2-@tld@";
|
||||
};
|
||||
zone "step4.csk-roll2.autosign" {
|
||||
zone "step4.csk-roll2.@tld@" {
|
||||
type primary;
|
||||
file "step4.csk-roll2.autosign.db";
|
||||
dnssec-policy "csk-roll2";
|
||||
file "step4.csk-roll2.@tld@.db";
|
||||
dnssec-policy "csk-roll2-@tld@";
|
||||
};
|
||||
zone "step5.csk-roll2.autosign" {
|
||||
zone "step5.csk-roll2.@tld@" {
|
||||
type primary;
|
||||
file "step5.csk-roll2.autosign.db";
|
||||
dnssec-policy "csk-roll2";
|
||||
file "step5.csk-roll2.@tld@.db";
|
||||
dnssec-policy "csk-roll2-@tld@";
|
||||
};
|
||||
zone "step6.csk-roll2.autosign" {
|
||||
zone "step6.csk-roll2.@tld@" {
|
||||
type primary;
|
||||
file "step6.csk-roll2.autosign.db";
|
||||
dnssec-policy "csk-roll2";
|
||||
file "step6.csk-roll2.@tld@.db";
|
||||
dnssec-policy "csk-roll2-@tld@";
|
||||
};
|
||||
zone "step7.csk-roll2.autosign" {
|
||||
zone "step7.csk-roll2.@tld@" {
|
||||
type primary;
|
||||
file "step7.csk-roll2.autosign.db";
|
||||
dnssec-policy "csk-roll2";
|
||||
file "step7.csk-roll2.@tld@.db";
|
||||
dnssec-policy "csk-roll2-@tld@";
|
||||
};
|
||||
|
||||
{% endfor %}
|
||||
|
||||
@ -40,18 +40,19 @@ O="OMNIPRESENT"
|
||||
U="UNRETENTIVE"
|
||||
|
||||
#
|
||||
# The zones at csk-roll2.autosign represent the various steps of a CSK rollover
|
||||
# The zones at csk-roll2.$tld represent the various steps of a CSK rollover
|
||||
# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
|
||||
# This scenario differs from the csk-roll1 one because the zone signatures (ZRRSIG)
|
||||
# are replaced with the new key sooner than the DS is swapped.
|
||||
#
|
||||
|
||||
for tld in autosign manual; do
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.csk-roll2.autosign
|
||||
setup step1.csk-roll2.$tld
|
||||
TactN="now-7d"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
CSK=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
@ -60,7 +61,7 @@ $SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $z
|
||||
|
||||
# Step 2:
|
||||
# It is time to introduce the new CSK.
|
||||
setup step2.csk-roll2.autosign
|
||||
setup step2.csk-roll2.$tld
|
||||
# According to RFC 7583:
|
||||
# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
|
||||
# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
|
||||
@ -79,7 +80,7 @@ setup step2.csk-roll2.autosign
|
||||
# = now - 4464h + 3h = now - 4461h
|
||||
TactN="now-4461h"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
CSK=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
@ -88,7 +89,7 @@ $SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $z
|
||||
|
||||
# Step 3:
|
||||
# It is time to submit the DS and to roll signatures.
|
||||
setup step3.csk-roll2.autosign
|
||||
setup step3.csk-roll2.$tld
|
||||
# According to RFC 7583:
|
||||
#
|
||||
# Tsbm(N+1) >= Trdy(N+1)
|
||||
@ -128,8 +129,8 @@ TretN1="now+186d"
|
||||
TremN1="now+4634h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
CSK1=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
@ -146,7 +147,7 @@ $SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $z
|
||||
# DS should be swapped. The ZRRSIG records are all replaced after IretZ (38h).
|
||||
# The DS is swapped after Dreg + Iret (1w3h). In other words, the zone
|
||||
# signatures are replaced before the DS is swapped.
|
||||
setup step4.csk-roll2.autosign
|
||||
setup step4.csk-roll2.$tld
|
||||
# According to RFC 7583:
|
||||
# Trem(N) = Tret(N) + IretZ
|
||||
#
|
||||
@ -176,8 +177,8 @@ TretN1="now+4426h"
|
||||
TremN1="now+4429h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
CSK1=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TactN1 -d $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
@ -192,7 +193,7 @@ $SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $z
|
||||
# Step 5:
|
||||
# Some time later the DS can be swapped and the old DNSKEY can be removed from
|
||||
# the zone.
|
||||
setup step5.csk-roll2.autosign
|
||||
setup step5.csk-roll2.$tld
|
||||
# Subtract Iret (170h) - IretZ (38h) = 132h.
|
||||
#
|
||||
# Tpub(N) = now - 4502h - 132h = now - 4634h
|
||||
@ -213,8 +214,8 @@ TretN1="now+4294h"
|
||||
TremN1="now+4360h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
CSK1=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O now-133h -d $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
@ -228,7 +229,7 @@ $SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $z
|
||||
|
||||
# Step 6:
|
||||
# Some time later the predecessor DNSKEY enters the HIDDEN state.
|
||||
setup step6.csk-roll2.autosign
|
||||
setup step6.csk-roll2.$tld
|
||||
# Subtract DNSKEY TTL plus zone propagation delay (2h).
|
||||
#
|
||||
# Tpub(N) = now - 4634h - 2h = now - 4636h
|
||||
@ -249,8 +250,8 @@ TretN1="now+4292h"
|
||||
TremN1="now+4358h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
CSK1=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
@ -264,7 +265,7 @@ $SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $z
|
||||
|
||||
# Step 7:
|
||||
# The predecessor DNSKEY can be purged, but purge-keys is disabled.
|
||||
setup step7.csk-roll2.autosign
|
||||
setup step7.csk-roll2.$tld
|
||||
# Subtract 90 days (default, 2160h) from all the times.
|
||||
#
|
||||
# Tpub(N) = now - 4636h - 2160h = now - 6796h
|
||||
@ -285,8 +286,8 @@ TretN1="now+2132h"
|
||||
TremN1="now+2198h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
CSK1=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
@ -297,3 +298,4 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
done
|
||||
|
||||
@ -11,7 +11,28 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-policy "enable-dnssec" {
|
||||
dnssec-policy "enable-dnssec-autosign" {
|
||||
signatures-refresh P1W;
|
||||
signatures-validity P2W;
|
||||
signatures-validity-dnskey P2W;
|
||||
|
||||
dnskey-ttl 300;
|
||||
max-zone-ttl PT12H;
|
||||
zone-propagation-delay PT5M;
|
||||
retire-safety PT20M;
|
||||
publish-safety PT5M;
|
||||
|
||||
parent-propagation-delay 1h;
|
||||
parent-ds-ttl 2h;
|
||||
|
||||
keys {
|
||||
csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@;
|
||||
};
|
||||
};
|
||||
|
||||
dnssec-policy "enable-dnssec-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh P1W;
|
||||
signatures-validity P2W;
|
||||
signatures-validity-dnskey P2W;
|
||||
|
||||
@ -11,26 +11,31 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
{% set zones = ["autosign", "manual"] %}
|
||||
|
||||
include "kasp.conf";
|
||||
include "named.common.conf";
|
||||
|
||||
zone "step1.enable-dnssec.autosign" {
|
||||
{% for tld in zones %}
|
||||
zone "step1.enable-dnssec.@tld@" {
|
||||
type primary;
|
||||
file "step1.enable-dnssec.autosign.db";
|
||||
dnssec-policy "enable-dnssec";
|
||||
file "step1.enable-dnssec.@tld@.db";
|
||||
dnssec-policy "enable-dnssec-@tld@";
|
||||
};
|
||||
zone "step2.enable-dnssec.autosign" {
|
||||
zone "step2.enable-dnssec.@tld@" {
|
||||
type primary;
|
||||
file "step2.enable-dnssec.autosign.db";
|
||||
dnssec-policy "enable-dnssec";
|
||||
file "step2.enable-dnssec.@tld@.db";
|
||||
dnssec-policy "enable-dnssec-@tld@";
|
||||
};
|
||||
zone "step3.enable-dnssec.autosign" {
|
||||
zone "step3.enable-dnssec.@tld@" {
|
||||
type primary;
|
||||
file "step3.enable-dnssec.autosign.db";
|
||||
dnssec-policy "enable-dnssec";
|
||||
file "step3.enable-dnssec.@tld@.db";
|
||||
dnssec-policy "enable-dnssec-@tld@";
|
||||
};
|
||||
zone "step4.enable-dnssec.autosign" {
|
||||
zone "step4.enable-dnssec.@tld@" {
|
||||
type primary;
|
||||
file "step4.enable-dnssec.autosign.db";
|
||||
dnssec-policy "enable-dnssec";
|
||||
file "step4.enable-dnssec.@tld@.db";
|
||||
dnssec-policy "enable-dnssec-@tld@";
|
||||
};
|
||||
|
||||
{% endfor %}
|
||||
|
||||
@ -40,26 +40,27 @@ O="OMNIPRESENT"
|
||||
U="UNRETENTIVE"
|
||||
|
||||
#
|
||||
# The zones at enable-dnssec.autosign represent the various steps of the
|
||||
# The zones at enable-dnssec.$tld represent the various steps of the
|
||||
# initial signing of a zone.
|
||||
#
|
||||
|
||||
for tld in autosign manual; do
|
||||
# Step 1:
|
||||
# This is an unsigned zone and named should perform the initial steps of
|
||||
# introducing the DNSSEC records in the right order.
|
||||
setup step1.enable-dnssec.autosign
|
||||
setup step1.enable-dnssec.$tld
|
||||
cp template.db.in $zonefile
|
||||
|
||||
# Step 2:
|
||||
# The DNSKEY has been published long enough to become OMNIPRESENT.
|
||||
setup step2.enable-dnssec.autosign
|
||||
setup step2.enable-dnssec.$tld
|
||||
# DNSKEY TTL: 300 seconds
|
||||
# zone-propagation-delay: 5 minutes (300 seconds)
|
||||
# publish-safety: 5 minutes (300 seconds)
|
||||
# Total: 900 seconds
|
||||
TpubN="now-900s"
|
||||
keytimes="-P ${TpubN} -A ${TpubN}"
|
||||
CSK=$($KEYGEN -k enable-dnssec -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK=$($KEYGEN -k enable-dnssec-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
@ -68,14 +69,14 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $i
|
||||
|
||||
# Step 3:
|
||||
# The zone signatures have been published long enough to become OMNIPRESENT.
|
||||
setup step3.enable-dnssec.autosign
|
||||
setup step3.enable-dnssec.$tld
|
||||
# Passed time since publication:
|
||||
# max-zone-ttl: 12 hours (43200 seconds)
|
||||
# zone-propagation-delay: 5 minutes (300 seconds)
|
||||
TpubN="now-43500s"
|
||||
# We can submit the DS now.
|
||||
keytimes="-P ${TpubN} -A ${TpubN}"
|
||||
CSK=$($KEYGEN -k enable-dnssec -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK=$($KEYGEN -k enable-dnssec-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TpubN -r $O $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
@ -84,7 +85,7 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $i
|
||||
|
||||
# Step 4:
|
||||
# The DS has been submitted long enough ago to become OMNIPRESENT.
|
||||
setup step4.enable-dnssec.autosign
|
||||
setup step4.enable-dnssec.$tld
|
||||
# DS TTL: 2 hour (7200 seconds)
|
||||
# parent-propagation-delay: 1 hour (3600 seconds)
|
||||
# Total aditional time: 10800 seconds
|
||||
@ -92,9 +93,10 @@ setup step4.enable-dnssec.autosign
|
||||
TpubN="now-54300s"
|
||||
TsbmN="now-10800s"
|
||||
keytimes="-P ${TpubN} -A ${TpubN} -P sync ${TsbmN}"
|
||||
CSK=$($KEYGEN -k enable-dnssec -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK=$($KEYGEN -k enable-dnssec-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -P ds $TsbmN -k $O $TpubN -r $O $TpubN -d $R $TpubN -z $O $TsbmN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
done
|
||||
|
||||
@ -19,5 +19,5 @@ zone "three-is-a-crowd.kasp" {
|
||||
file "three-is-a-crowd.kasp.db";
|
||||
inline-signing yes;
|
||||
/* Use same policy as KSK rollover test zones. */
|
||||
dnssec-policy "ksk-doubleksk";
|
||||
dnssec-policy "ksk-doubleksk-autosign";
|
||||
};
|
||||
|
||||
@ -27,7 +27,7 @@ from rollover.common import (
|
||||
|
||||
|
||||
CDSS = ["CDS (SHA-256)"]
|
||||
POLICY = "ksk-doubleksk"
|
||||
POLICY = "ksk-doubleksk-autosign"
|
||||
OFFSET1 = -int(timedelta(days=60).total_seconds())
|
||||
OFFSET2 = -int(timedelta(hours=27).total_seconds())
|
||||
TTL = int(KSK_CONFIG["dnskey-ttl"].total_seconds())
|
||||
|
||||
@ -11,7 +11,32 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-policy "ksk-doubleksk" {
|
||||
dnssec-policy "ksk-doubleksk-autosign" {
|
||||
signatures-refresh P1W;
|
||||
signatures-validity P2W;
|
||||
signatures-validity-dnskey P2W;
|
||||
|
||||
dnskey-ttl 2h;
|
||||
publish-safety P1D;
|
||||
retire-safety P2D;
|
||||
purge-keys PT1H;
|
||||
|
||||
cdnskey no;
|
||||
keys {
|
||||
ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
zone-propagation-delay PT1H;
|
||||
max-zone-ttl 1d;
|
||||
|
||||
parent-ds-ttl 3600;
|
||||
parent-propagation-delay PT1H;
|
||||
};
|
||||
|
||||
dnssec-policy "ksk-doubleksk-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh P1W;
|
||||
signatures-validity P2W;
|
||||
signatures-validity-dnskey P2W;
|
||||
|
||||
@ -11,36 +11,40 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
{% set zones = ["autosign", "manual"] %}
|
||||
|
||||
include "kasp.conf";
|
||||
include "named.common.conf";
|
||||
|
||||
zone "step1.ksk-doubleksk.autosign" {
|
||||
{% for tld in zones %}
|
||||
zone "step1.ksk-doubleksk.@tld@" {
|
||||
type primary;
|
||||
file "step1.ksk-doubleksk.autosign.db";
|
||||
dnssec-policy "ksk-doubleksk";
|
||||
file "step1.ksk-doubleksk.@tld@.db";
|
||||
dnssec-policy "ksk-doubleksk-@tld@";
|
||||
};
|
||||
zone "step2.ksk-doubleksk.autosign" {
|
||||
zone "step2.ksk-doubleksk.@tld@" {
|
||||
type primary;
|
||||
file "step2.ksk-doubleksk.autosign.db";
|
||||
dnssec-policy "ksk-doubleksk";
|
||||
file "step2.ksk-doubleksk.@tld@.db";
|
||||
dnssec-policy "ksk-doubleksk-@tld@";
|
||||
};
|
||||
zone "step3.ksk-doubleksk.autosign" {
|
||||
zone "step3.ksk-doubleksk.@tld@" {
|
||||
type primary;
|
||||
file "step3.ksk-doubleksk.autosign.db";
|
||||
dnssec-policy "ksk-doubleksk";
|
||||
file "step3.ksk-doubleksk.@tld@.db";
|
||||
dnssec-policy "ksk-doubleksk-@tld@";
|
||||
};
|
||||
zone "step4.ksk-doubleksk.autosign" {
|
||||
zone "step4.ksk-doubleksk.@tld@" {
|
||||
type primary;
|
||||
file "step4.ksk-doubleksk.autosign.db";
|
||||
dnssec-policy "ksk-doubleksk";
|
||||
file "step4.ksk-doubleksk.@tld@.db";
|
||||
dnssec-policy "ksk-doubleksk-@tld@";
|
||||
};
|
||||
zone "step5.ksk-doubleksk.autosign" {
|
||||
zone "step5.ksk-doubleksk.@tld@" {
|
||||
type primary;
|
||||
file "step5.ksk-doubleksk.autosign.db";
|
||||
dnssec-policy "ksk-doubleksk";
|
||||
file "step5.ksk-doubleksk.@tld@.db";
|
||||
dnssec-policy "ksk-doubleksk-@tld@";
|
||||
};
|
||||
zone "step6.ksk-doubleksk.autosign" {
|
||||
zone "step6.ksk-doubleksk.@tld@" {
|
||||
type primary;
|
||||
file "step6.ksk-doubleksk.autosign.db";
|
||||
dnssec-policy "ksk-doubleksk";
|
||||
file "step6.ksk-doubleksk.@tld@.db";
|
||||
dnssec-policy "ksk-doubleksk-@tld@";
|
||||
};
|
||||
{% endfor %}
|
||||
|
||||
@ -40,13 +40,14 @@ O="OMNIPRESENT"
|
||||
U="UNRETENTIVE"
|
||||
|
||||
#
|
||||
# The zones at ksk-doubleksk.autosign represent the various steps of a KSK
|
||||
# The zones at ksk-doubleksk.$tld represent the various steps of a KSK
|
||||
# Double-KSK rollover.
|
||||
#
|
||||
|
||||
for tld in autosign manual; do
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.ksk-doubleksk.autosign
|
||||
setup step1.ksk-doubleksk.$tld
|
||||
TactN="now-7d"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
@ -59,7 +60,7 @@ $SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefil
|
||||
|
||||
# Step 2:
|
||||
# It is time to submit the introduce the new KSK.
|
||||
setup step2.ksk-doubleksk.autosign
|
||||
setup step2.ksk-doubleksk.$tld
|
||||
# Lksk: 60d
|
||||
# Dreg: n/a
|
||||
# DprpC: 1h
|
||||
@ -89,7 +90,7 @@ $SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefil
|
||||
|
||||
# Step 3:
|
||||
# It is time to submit the DS.
|
||||
setup step3.ksk-doubleksk.autosign
|
||||
setup step3.ksk-doubleksk.$tld
|
||||
# According to RFC 7583:
|
||||
# Iret = DprpP + TTLds (+retire-safety)
|
||||
#
|
||||
@ -132,7 +133,7 @@ $SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefil
|
||||
|
||||
# Step 4:
|
||||
# The DS should be swapped now.
|
||||
setup step4.ksk-doubleksk.autosign
|
||||
setup step4.ksk-doubleksk.$tld
|
||||
# Tpub(N) = now - Lksk - Iret = now - 60d - 50h
|
||||
# = now - 1440h - 50h = now - 1490h
|
||||
# Tact(N) = now - 1490h + 27h = now - 1463h
|
||||
@ -172,7 +173,7 @@ $SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefil
|
||||
|
||||
# Step 5:
|
||||
# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
|
||||
setup step5.ksk-doubleksk.autosign
|
||||
setup step5.ksk-doubleksk.$tld
|
||||
# Subtract DNSKEY TTL + zone-propagation-delay from all the times (3h).
|
||||
# Tpub(N) = now - 1490h - 3h = now - 1493h
|
||||
# Tact(N) = now - 1463h - 3h = now - 1466h
|
||||
@ -211,7 +212,7 @@ $SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefil
|
||||
|
||||
# Step 6:
|
||||
# The predecessor DNSKEY can be purged.
|
||||
setup step6.ksk-doubleksk.autosign
|
||||
setup step6.ksk-doubleksk.$tld
|
||||
# Subtract purge-keys interval from all the times (1h).
|
||||
TpubN="now-1494h"
|
||||
TactN="now-1467h"
|
||||
@ -239,3 +240,4 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
done
|
||||
|
||||
@ -30,7 +30,7 @@ from rollover.common import (
|
||||
|
||||
|
||||
CDSS = ["CDS (SHA-256)"]
|
||||
POLICY = "ksk-doubleksk"
|
||||
POLICY = "ksk-doubleksk-autosign"
|
||||
OFFSETS = {}
|
||||
OFFSETS["step1-p"] = -int(TIMEDELTA["P7D"].total_seconds())
|
||||
OFFSETS["step2-p"] = -int(KSK_LIFETIME.total_seconds() - KSK_IPUBC.total_seconds())
|
||||
|
||||
@ -11,7 +11,28 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-policy "zsk-prepub" {
|
||||
dnssec-policy "zsk-prepub-autosign" {
|
||||
signatures-refresh P1W;
|
||||
signatures-validity P2W;
|
||||
signatures-validity-dnskey P2W;
|
||||
|
||||
dnskey-ttl 3600;
|
||||
publish-safety P1D;
|
||||
retire-safety P2D;
|
||||
purge-keys PT1H;
|
||||
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
zone-propagation-delay PT1H;
|
||||
max-zone-ttl 1d;
|
||||
};
|
||||
|
||||
dnssec-policy "zsk-prepub-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh P1W;
|
||||
signatures-validity P2W;
|
||||
signatures-validity-dnskey P2W;
|
||||
|
||||
@ -11,36 +11,40 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
{% set zones = ["autosign", "manual"] %}
|
||||
|
||||
include "kasp.conf";
|
||||
include "named.common.conf";
|
||||
|
||||
zone "step1.zsk-prepub.autosign" {
|
||||
{% for tld in zones %}
|
||||
zone "step1.zsk-prepub.@tld@" {
|
||||
type primary;
|
||||
file "step1.zsk-prepub.autosign.db";
|
||||
dnssec-policy "zsk-prepub";
|
||||
file "step1.zsk-prepub.@tld@.db";
|
||||
dnssec-policy "zsk-prepub-@tld@";
|
||||
};
|
||||
zone "step2.zsk-prepub.autosign" {
|
||||
zone "step2.zsk-prepub.@tld@" {
|
||||
type primary;
|
||||
file "step2.zsk-prepub.autosign.db";
|
||||
dnssec-policy "zsk-prepub";
|
||||
file "step2.zsk-prepub.@tld@.db";
|
||||
dnssec-policy "zsk-prepub-@tld@";
|
||||
};
|
||||
zone "step3.zsk-prepub.autosign" {
|
||||
zone "step3.zsk-prepub.@tld@" {
|
||||
type primary;
|
||||
file "step3.zsk-prepub.autosign.db";
|
||||
dnssec-policy "zsk-prepub";
|
||||
file "step3.zsk-prepub.@tld@.db";
|
||||
dnssec-policy "zsk-prepub-@tld@";
|
||||
};
|
||||
zone "step4.zsk-prepub.autosign" {
|
||||
zone "step4.zsk-prepub.@tld@" {
|
||||
type primary;
|
||||
file "step4.zsk-prepub.autosign.db";
|
||||
dnssec-policy "zsk-prepub";
|
||||
file "step4.zsk-prepub.@tld@.db";
|
||||
dnssec-policy "zsk-prepub-@tld@";
|
||||
};
|
||||
zone "step5.zsk-prepub.autosign" {
|
||||
zone "step5.zsk-prepub.@tld@" {
|
||||
type primary;
|
||||
file "step5.zsk-prepub.autosign.db";
|
||||
dnssec-policy "zsk-prepub";
|
||||
file "step5.zsk-prepub.@tld@.db";
|
||||
dnssec-policy "zsk-prepub-@tld@";
|
||||
};
|
||||
zone "step6.zsk-prepub.autosign" {
|
||||
zone "step6.zsk-prepub.@tld@" {
|
||||
type primary;
|
||||
file "step6.zsk-prepub.autosign.db";
|
||||
dnssec-policy "zsk-prepub";
|
||||
file "step6.zsk-prepub.@tld@.db";
|
||||
dnssec-policy "zsk-prepub-@tld@";
|
||||
};
|
||||
{% endfor %}
|
||||
|
||||
@ -40,13 +40,14 @@ O="OMNIPRESENT"
|
||||
U="UNRETENTIVE"
|
||||
|
||||
#
|
||||
# The zones at zsk-prepub.autosign represent the various steps of a ZSK
|
||||
# The zones at zsk-prepub.$tld represent the various steps of a ZSK
|
||||
# Pre-Publication rollover.
|
||||
#
|
||||
|
||||
for tld in autosign manual; do
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.zsk-prepub.autosign
|
||||
setup step1.zsk-prepub.$tld
|
||||
TactN="now-7d"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
@ -61,7 +62,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
|
||||
|
||||
# Step 2:
|
||||
# It is time to pre-publish the successor ZSK.
|
||||
setup step2.zsk-prepub.autosign
|
||||
setup step2.zsk-prepub.$tld
|
||||
# According to RFC 7583:
|
||||
# Tact(N) = now + Ipub - Lzsk = now + 26h - 30d
|
||||
# = now + 26h - 30d = now − 694h
|
||||
@ -80,7 +81,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
|
||||
# Step 3:
|
||||
# After the publication interval has passed the DNSKEY of the successor ZSK
|
||||
# is OMNIPRESENT and the zone can thus be signed with the successor ZSK.
|
||||
setup step3.zsk-prepub.autosign
|
||||
setup step3.zsk-prepub.$tld
|
||||
# According to RFC 7583:
|
||||
# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
|
||||
# Tact(N+1) = Tact(N) + Lzsk
|
||||
@ -116,7 +117,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
|
||||
# Step 4:
|
||||
# After the retire interval has passed the predecessor DNSKEY can be
|
||||
# removed from the zone.
|
||||
setup step4.zsk-prepub.autosign
|
||||
setup step4.zsk-prepub.$tld
|
||||
# Lzsk: 30d
|
||||
# Ipub: 26h
|
||||
# Dsgn: 1w
|
||||
@ -157,7 +158,7 @@ $SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $inf
|
||||
|
||||
# Step 5:
|
||||
# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
|
||||
setup step5.zsk-prepub.autosign
|
||||
setup step5.zsk-prepub.$tld
|
||||
# Subtract DNSKEY TTL + zone-propagation-delay from all the times (2h).
|
||||
# Tact(N) = now - 961h - 2h = now - 963h
|
||||
# Tpub(N+1) = now - 267h - 2h = now - 269h
|
||||
@ -189,7 +190,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
|
||||
|
||||
# Step 6:
|
||||
# The predecessor DNSKEY can be purged.
|
||||
setup step6.zsk-prepub.autosign
|
||||
setup step6.zsk-prepub.$tld
|
||||
# Subtract purge-keys interval from all the times (1h).
|
||||
TactN="now-964h"
|
||||
TremN="now-3h"
|
||||
@ -214,3 +215,4 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
done
|
||||
|
||||
@ -34,7 +34,7 @@ CONFIG = {
|
||||
"signatures-validity": TIMEDELTA["P14D"],
|
||||
"zone-propagation-delay": TIMEDELTA["PT1H"],
|
||||
}
|
||||
POLICY = "zsk-prepub"
|
||||
POLICY = "zsk-prepub-autosign"
|
||||
ZSK_LIFETIME = TIMEDELTA["P30D"]
|
||||
LIFETIME_POLICY = int(ZSK_LIFETIME.total_seconds())
|
||||
IPUB = Ipub(CONFIG)
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user