mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-08-22 10:10:06 +00:00
Prepare rollover system tests for manual-mode
For the algorithm, CSK, KSK, ZSK rollovers, enabling DNSSEC and going insecure, add new zones to be tested in manual-mode.
This commit is contained in:
Matthijs Mekking
parent
a0dc0434e5
commit
02460a009f
@ -11,7 +11,27 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-policy "csk-algoroll" {
|
||||
dnssec-policy "csk-algoroll-kasp" {
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
keys {
|
||||
csk lifetime unlimited algorithm rsasha256;
|
||||
};
|
||||
|
||||
dnskey-ttl 1h;
|
||||
publish-safety PT1H;
|
||||
retire-safety 2h;
|
||||
zone-propagation-delay 3600;
|
||||
max-zone-ttl 6h;
|
||||
parent-propagation-delay pt1h;
|
||||
parent-ds-ttl 7200;
|
||||
};
|
||||
|
||||
dnssec-policy "csk-algoroll-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
@ -11,7 +11,27 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-policy "csk-algoroll" {
|
||||
dnssec-policy "csk-algoroll-kasp" {
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
keys {
|
||||
csk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
dnskey-ttl 1h;
|
||||
publish-safety PT1H;
|
||||
retire-safety 2h;
|
||||
zone-propagation-delay 3600;
|
||||
max-zone-ttl 6h;
|
||||
parent-propagation-delay pt1h;
|
||||
parent-ds-ttl 7200;
|
||||
};
|
||||
|
||||
dnssec-policy "csk-algoroll-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
@ -13,44 +13,47 @@
|
||||
|
||||
{% set csk_roll = csk_roll | default(False) %}
|
||||
{% set _csk_file = "csk1.conf" if not csk_roll else "csk2.conf" %}
|
||||
{% set zones = ["kasp", "manual"] %}
|
||||
|
||||
include "@_csk_file@";
|
||||
include "named.common.conf";
|
||||
|
||||
zone "step1.csk-algorithm-roll.kasp" {
|
||||
{% for tld in zones %}
|
||||
zone "step1.csk-algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step1.csk-algorithm-roll.kasp.db";
|
||||
dnssec-policy "csk-algoroll";
|
||||
file "step1.csk-algorithm-roll.@tld@.db";
|
||||
dnssec-policy "csk-algoroll-@tld@";
|
||||
};
|
||||
|
||||
{% if csk_roll %}
|
||||
zone "step2.csk-algorithm-roll.kasp" {
|
||||
zone "step2.csk-algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step2.csk-algorithm-roll.kasp.db";
|
||||
dnssec-policy "csk-algoroll";
|
||||
file "step2.csk-algorithm-roll.@tld@.db";
|
||||
dnssec-policy "csk-algoroll-@tld@";
|
||||
};
|
||||
|
||||
zone "step3.csk-algorithm-roll.kasp" {
|
||||
zone "step3.csk-algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step3.csk-algorithm-roll.kasp.db";
|
||||
dnssec-policy "csk-algoroll";
|
||||
file "step3.csk-algorithm-roll.@tld@.db";
|
||||
dnssec-policy "csk-algoroll-@tld@";
|
||||
};
|
||||
|
||||
zone "step4.csk-algorithm-roll.kasp" {
|
||||
zone "step4.csk-algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step4.csk-algorithm-roll.kasp.db";
|
||||
dnssec-policy "csk-algoroll";
|
||||
file "step4.csk-algorithm-roll.@tld@.db";
|
||||
dnssec-policy "csk-algoroll-@tld@";
|
||||
};
|
||||
|
||||
zone "step5.csk-algorithm-roll.kasp" {
|
||||
zone "step5.csk-algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step5.csk-algorithm-roll.kasp.db";
|
||||
dnssec-policy "csk-algoroll";
|
||||
file "step5.csk-algorithm-roll.@tld@.db";
|
||||
dnssec-policy "csk-algoroll-@tld@";
|
||||
};
|
||||
|
||||
zone "step6.csk-algorithm-roll.kasp" {
|
||||
zone "step6.csk-algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step6.csk-algorithm-roll.kasp.db";
|
||||
dnssec-policy "csk-algoroll";
|
||||
file "step6.csk-algorithm-roll.@tld@.db";
|
||||
dnssec-policy "csk-algoroll-@tld@";
|
||||
};
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
@ -30,121 +30,123 @@ O="OMNIPRESENT"
|
||||
U="UNRETENTIVE"
|
||||
|
||||
#
|
||||
# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
|
||||
# The zones at csk-algorithm-roll.$tld represent the various steps of a CSK
|
||||
# algorithm rollover.
|
||||
#
|
||||
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.csk-algorithm-roll.kasp
|
||||
echo "$zone" >>zones
|
||||
TactN="now-7d"
|
||||
TsbmN="now-161h"
|
||||
csktimes="-P ${TactN} -A ${TactN}"
|
||||
CSK=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone 5 "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
for tld in kasp manual; do
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.csk-algorithm-roll.$tld
|
||||
echo "$zone" >>zones
|
||||
TactN="now-7d"
|
||||
TsbmN="now-161h"
|
||||
csktimes="-P ${TactN} -A ${TactN}"
|
||||
CSK=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone 5 "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 2:
|
||||
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
|
||||
setup step2.csk-algorithm-roll.kasp
|
||||
# The time passed since the new algorithm keys have been introduced is 3 hours.
|
||||
TpubN1="now-3h"
|
||||
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp = now - 3h + 6h + 1h = now + 4h
|
||||
TsbmN1="now+4h"
|
||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I now"
|
||||
newtimes="-P ${TpubN1} -A ${TpubN1}"
|
||||
CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${CSK1}.state"
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone 5 "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 2:
|
||||
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
|
||||
setup step2.csk-algorithm-roll.$tld
|
||||
# The time passed since the new algorithm keys have been introduced is 3 hours.
|
||||
TpubN1="now-3h"
|
||||
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp = now - 3h + 6h + 1h = now + 4h
|
||||
TsbmN1="now+4h"
|
||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I now"
|
||||
newtimes="-P ${TpubN1} -A ${TpubN1}"
|
||||
CSK1=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll-$tld -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${CSK1}.state"
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone 5 "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 3:
|
||||
# The zone signatures are also OMNIPRESENT.
|
||||
setup step3.csk-algorithm-roll.kasp
|
||||
# The time passed since the new algorithm keys have been introduced is 7 hours.
|
||||
TpubN1="now-7h"
|
||||
TsbmN1="now"
|
||||
ckstimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${CSK1}.state"
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone 5 "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 3:
|
||||
# The zone signatures are also OMNIPRESENT.
|
||||
setup step3.csk-algorithm-roll.$tld
|
||||
# The time passed since the new algorithm keys have been introduced is 7 hours.
|
||||
TpubN1="now-7h"
|
||||
TsbmN1="now"
|
||||
ckstimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
CSK1=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll-$tld -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${CSK1}.state"
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone 5 "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 4:
|
||||
# The DS is swapped and can become OMNIPRESENT.
|
||||
setup step4.csk-algorithm-roll.kasp
|
||||
# The time passed since the DS has been swapped is 3 hours.
|
||||
TpubN1="now-10h"
|
||||
TsbmN1="now-3h"
|
||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TsbmN1 -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${CSK1}.state"
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone 5 "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 4:
|
||||
# The DS is swapped and can become OMNIPRESENT.
|
||||
setup step4.csk-algorithm-roll.$tld
|
||||
# The time passed since the DS has been swapped is 3 hours.
|
||||
TpubN1="now-10h"
|
||||
TsbmN1="now-3h"
|
||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
CSK1=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll-$tld -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TsbmN1 -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${CSK1}.state"
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone 5 "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 5:
|
||||
# The DNSKEY is removed long enough to be HIDDEN.
|
||||
setup step5.csk-algorithm-roll.kasp
|
||||
# The time passed since the DNSKEY has been removed is 2 hours.
|
||||
TpubN1="now-12h"
|
||||
TsbmN1="now-5h"
|
||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $U $TactN -r $U $TactN -z $U $TsbmN1 -d $H $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $O $TsbmN1 -d $O $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${CSK1}.state"
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone 5 "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 5:
|
||||
# The DNSKEY is removed long enough to be HIDDEN.
|
||||
setup step5.csk-algorithm-roll.$tld
|
||||
# The time passed since the DNSKEY has been removed is 2 hours.
|
||||
TpubN1="now-12h"
|
||||
TsbmN1="now-5h"
|
||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
CSK1=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll-$tld -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $U $TactN -r $U $TactN -z $U $TsbmN1 -d $H $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $O $TsbmN1 -d $O $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${CSK1}.state"
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone 5 "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 6:
|
||||
# The RRSIGs have been removed long enough to be HIDDEN.
|
||||
setup step6.csk-algorithm-roll.kasp
|
||||
# Additional time passed: 7h.
|
||||
TpubN1="now-19h"
|
||||
TsbmN1="now-12h"
|
||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $H $TactN -r $U $TactN -z $U $TactN -d $H $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${CSK1}.state"
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone 5 "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 6:
|
||||
# The RRSIGs have been removed long enough to be HIDDEN.
|
||||
setup step6.csk-algorithm-roll.$tld
|
||||
# Additional time passed: 7h.
|
||||
TpubN1="now-19h"
|
||||
TsbmN1="now-12h"
|
||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
CSK1=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-algoroll-$tld -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $H $TactN -r $U $TactN -z $U $TactN -d $H $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${CSK1}.state"
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone 5 "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
done
|
||||
|
||||
@ -11,7 +11,10 @@
|
||||
|
||||
# pylint: disable=redefined-outer-name,unused-import
|
||||
|
||||
import pytest
|
||||
|
||||
import isctest
|
||||
from isctest.util import param
|
||||
from rollover.common import (
|
||||
pytestmark,
|
||||
CDSS,
|
||||
@ -21,10 +24,16 @@ from rollover.common import (
|
||||
)
|
||||
|
||||
|
||||
def test_algoroll_csk_initial(ns6):
|
||||
@pytest.mark.parametrize(
|
||||
"tld, policy",
|
||||
[
|
||||
param("kasp", "csk-algoroll"),
|
||||
param("manual", "csk-algoroll-manual"),
|
||||
],
|
||||
)
|
||||
def test_algoroll_csk_initial(ns6, tld, policy):
|
||||
config = ALGOROLL_CONFIG
|
||||
policy = "csk-algoroll"
|
||||
zone = "step1.csk-algorithm-roll.kasp"
|
||||
zone = f"step1.csk-algorithm-roll.{tld}"
|
||||
|
||||
isctest.kasp.wait_keymgr_done(ns6, zone)
|
||||
|
||||
|
||||
@ -11,7 +11,7 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-policy "rsasha256" {
|
||||
dnssec-policy "rsasha256-kasp" {
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
@ -30,7 +30,49 @@ dnssec-policy "rsasha256" {
|
||||
parent-ds-ttl 7200;
|
||||
};
|
||||
|
||||
dnssec-policy "ecdsa256" {
|
||||
dnssec-policy "rsasha256-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
keys {
|
||||
ksk lifetime unlimited algorithm rsasha256;
|
||||
zsk lifetime unlimited algorithm rsasha256;
|
||||
};
|
||||
|
||||
dnskey-ttl 1h;
|
||||
publish-safety PT1H;
|
||||
retire-safety 2h;
|
||||
zone-propagation-delay 3600;
|
||||
max-zone-ttl 6h;
|
||||
parent-propagation-delay pt1h;
|
||||
parent-ds-ttl 7200;
|
||||
};
|
||||
|
||||
dnssec-policy "ecdsa256-kasp" {
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
keys {
|
||||
ksk lifetime unlimited algorithm ecdsa256;
|
||||
zsk lifetime unlimited algorithm ecdsa256;
|
||||
};
|
||||
|
||||
dnskey-ttl 1h;
|
||||
publish-safety PT1H;
|
||||
retire-safety 2h;
|
||||
zone-propagation-delay 3600;
|
||||
max-zone-ttl 6h;
|
||||
parent-propagation-delay pt1h;
|
||||
parent-ds-ttl 7200;
|
||||
};
|
||||
|
||||
dnssec-policy "ecdsa256-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
@ -13,44 +13,48 @@
|
||||
|
||||
{% set alg_roll = alg_roll | default(False) %}
|
||||
{% set policy = "rsasha256" if not alg_roll else "ecdsa256" %}
|
||||
{% set zones = ["kasp", "manual"] %}
|
||||
|
||||
include "kasp.conf";
|
||||
include "named.common.conf";
|
||||
|
||||
zone "step1.algorithm-roll.kasp" {
|
||||
{% for tld in zones %}
|
||||
zone "step1.algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step1.algorithm-roll.kasp.db";
|
||||
dnssec-policy @policy@;
|
||||
file "step1.algorithm-roll.@tld@.db";
|
||||
dnssec-policy @policy@-@tld@;
|
||||
};
|
||||
|
||||
{% if alg_roll %}
|
||||
zone "step2.algorithm-roll.kasp" {
|
||||
zone "step2.algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step2.algorithm-roll.kasp.db";
|
||||
dnssec-policy "ecdsa256";
|
||||
file "step2.algorithm-roll.@tld@.db";
|
||||
dnssec-policy "ecdsa256-@tld@";
|
||||
};
|
||||
|
||||
zone "step3.algorithm-roll.kasp" {
|
||||
zone "step3.algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step3.algorithm-roll.kasp.db";
|
||||
dnssec-policy "ecdsa256";
|
||||
file "step3.algorithm-roll.@tld@.db";
|
||||
dnssec-policy "ecdsa256-@tld@";
|
||||
};
|
||||
|
||||
zone "step4.algorithm-roll.kasp" {
|
||||
zone "step4.algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step4.algorithm-roll.kasp.db";
|
||||
dnssec-policy "ecdsa256";
|
||||
file "step4.algorithm-roll.@tld@.db";
|
||||
dnssec-policy "ecdsa256-@tld@";
|
||||
};
|
||||
|
||||
zone "step5.algorithm-roll.kasp" {
|
||||
zone "step5.algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step5.algorithm-roll.kasp.db";
|
||||
dnssec-policy "ecdsa256";
|
||||
file "step5.algorithm-roll.@tld@.db";
|
||||
dnssec-policy "ecdsa256-@tld@";
|
||||
};
|
||||
|
||||
zone "step6.algorithm-roll.kasp" {
|
||||
zone "step6.algorithm-roll.@tld@" {
|
||||
type primary;
|
||||
file "step6.algorithm-roll.kasp.db";
|
||||
dnssec-policy "ecdsa256";
|
||||
file "step6.algorithm-roll.@tld@.db";
|
||||
dnssec-policy "ecdsa256-@tld@";
|
||||
};
|
||||
|
||||
{% endif %}
|
||||
{% endfor %}
|
||||
|
||||
@ -30,170 +30,172 @@ O="OMNIPRESENT"
|
||||
U="UNRETENTIVE"
|
||||
|
||||
#
|
||||
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
|
||||
# The zones at algorithm-roll.$tld represent the various steps of a ZSK/KSK
|
||||
# algorithm rollover.
|
||||
#
|
||||
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.algorithm-roll.kasp
|
||||
echo "$zone" >>zones
|
||||
TactN="now-7d"
|
||||
TsbmN="now-161h"
|
||||
ksktimes="-P ${TactN} -A ${TactN}"
|
||||
zsktimes="-P ${TactN} -A ${TactN}"
|
||||
KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
|
||||
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone 8 "$KSK" >>"$infile"
|
||||
private_type_record $zone 8 "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
for tld in kasp manual; do
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.algorithm-roll.$tld
|
||||
echo "$zone" >>zones
|
||||
TactN="now-7d"
|
||||
TsbmN="now-161h"
|
||||
ksktimes="-P ${TactN} -A ${TactN}"
|
||||
zsktimes="-P ${TactN} -A ${TactN}"
|
||||
KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
|
||||
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone 8 "$KSK" >>"$infile"
|
||||
private_type_record $zone 8 "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 2:
|
||||
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
|
||||
setup step2.algorithm-roll.kasp
|
||||
# The time passed since the new algorithm keys have been introduced is 3 hours.
|
||||
TpubN1="now-3h"
|
||||
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp = now - 3h + 6h + 1h = now + 4h
|
||||
TsbmN1="now+4h"
|
||||
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
|
||||
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
zsk2times="-P ${TpubN1} -A ${TpubN1}"
|
||||
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${KSK1}.state"
|
||||
echo "Lifetime: 0" >>"${ZSK1}.state"
|
||||
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
|
||||
private_type_record $zone 8 "$KSK1" >>"$infile"
|
||||
private_type_record $zone 8 "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 2:
|
||||
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
|
||||
setup step2.algorithm-roll.$tld
|
||||
# The time passed since the new algorithm keys have been introduced is 3 hours.
|
||||
TpubN1="now-3h"
|
||||
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp = now - 3h + 6h + 1h = now + 4h
|
||||
TsbmN1="now+4h"
|
||||
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
|
||||
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
zsk2times="-P ${TpubN1} -A ${TpubN1}"
|
||||
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${KSK1}.state"
|
||||
echo "Lifetime: 0" >>"${ZSK1}.state"
|
||||
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
|
||||
private_type_record $zone 8 "$KSK1" >>"$infile"
|
||||
private_type_record $zone 8 "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 3:
|
||||
# The zone signatures are also OMNIPRESENT.
|
||||
setup step3.algorithm-roll.kasp
|
||||
# The time passed since the new algorithm keys have been introduced is 7 hours.
|
||||
TpubN1="now-7h"
|
||||
TsbmN1="now"
|
||||
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
|
||||
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
zsk2times="-P ${TpubN1} -A ${TpubN1}"
|
||||
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${KSK1}.state"
|
||||
echo "Lifetime: 0" >>"${ZSK1}.state"
|
||||
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
|
||||
private_type_record $zone 8 "$KSK1" >>"$infile"
|
||||
private_type_record $zone 8 "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 3:
|
||||
# The zone signatures are also OMNIPRESENT.
|
||||
setup step3.algorithm-roll.$tld
|
||||
# The time passed since the new algorithm keys have been introduced is 7 hours.
|
||||
TpubN1="now-7h"
|
||||
TsbmN1="now"
|
||||
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
|
||||
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
zsk2times="-P ${TpubN1} -A ${TpubN1}"
|
||||
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${KSK1}.state"
|
||||
echo "Lifetime: 0" >>"${ZSK1}.state"
|
||||
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
|
||||
private_type_record $zone 8 "$KSK1" >>"$infile"
|
||||
private_type_record $zone 8 "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 4:
|
||||
# The DS is swapped and can become OMNIPRESENT.
|
||||
setup step4.algorithm-roll.kasp
|
||||
# The time passed since the DS has been swapped is 3 hours.
|
||||
TpubN1="now-10h"
|
||||
TsbmN1="now-3h"
|
||||
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
|
||||
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
zsk2times="-P ${TpubN1} -A ${TpubN1}"
|
||||
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${KSK1}.state"
|
||||
echo "Lifetime: 0" >>"${ZSK1}.state"
|
||||
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
|
||||
private_type_record $zone 8 "$KSK1" >>"$infile"
|
||||
private_type_record $zone 8 "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 4:
|
||||
# The DS is swapped and can become OMNIPRESENT.
|
||||
setup step4.algorithm-roll.$tld
|
||||
# The time passed since the DS has been swapped is 3 hours.
|
||||
TpubN1="now-10h"
|
||||
TsbmN1="now-3h"
|
||||
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
|
||||
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
zsk2times="-P ${TpubN1} -A ${TpubN1}"
|
||||
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${KSK1}.state"
|
||||
echo "Lifetime: 0" >>"${ZSK1}.state"
|
||||
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
|
||||
private_type_record $zone 8 "$KSK1" >>"$infile"
|
||||
private_type_record $zone 8 "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 5:
|
||||
# The DNSKEY is removed long enough to be HIDDEN.
|
||||
setup step5.algorithm-roll.kasp
|
||||
# The time passed since the DNSKEY has been removed is 2 hours.
|
||||
TpubN1="now-12h"
|
||||
TsbmN1="now-5h"
|
||||
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
|
||||
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
zsk2times="-P ${TpubN1} -A ${TpubN1}"
|
||||
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
|
||||
$SETTIME -s -g $H -k $U $TsbmN1 -r $U $TsbmN1 -d $H $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $U $TsbmN1 -z $U $TsbmN1 "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${KSK1}.state"
|
||||
echo "Lifetime: 0" >>"${ZSK1}.state"
|
||||
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
|
||||
private_type_record $zone 8 "$KSK1" >>"$infile"
|
||||
private_type_record $zone 8 "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 5:
|
||||
# The DNSKEY is removed long enough to be HIDDEN.
|
||||
setup step5.algorithm-roll.$tld
|
||||
# The time passed since the DNSKEY has been removed is 2 hours.
|
||||
TpubN1="now-12h"
|
||||
TsbmN1="now-5h"
|
||||
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
|
||||
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
zsk2times="-P ${TpubN1} -A ${TpubN1}"
|
||||
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
|
||||
$SETTIME -s -g $H -k $U $TsbmN1 -r $U $TsbmN1 -d $H $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $U $TsbmN1 -z $U $TsbmN1 "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${KSK1}.state"
|
||||
echo "Lifetime: 0" >>"${ZSK1}.state"
|
||||
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
|
||||
private_type_record $zone 8 "$KSK1" >>"$infile"
|
||||
private_type_record $zone 8 "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 6:
|
||||
# The RRSIGs have been removed long enough to be HIDDEN.
|
||||
setup step6.algorithm-roll.kasp
|
||||
# Additional time passed: 7h.
|
||||
TpubN1="now-19h"
|
||||
TsbmN1="now-12h"
|
||||
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
|
||||
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
zsk2times="-P ${TpubN1} -A ${TpubN1}"
|
||||
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
|
||||
$SETTIME -s -g $H -k $H $TsbmN1 -r $U $TsbmN1 -d $H $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $H $TsbmN1 -z $U $TsbmN1 "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${KSK1}.state"
|
||||
echo "Lifetime: 0" >>"${ZSK1}.state"
|
||||
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
|
||||
private_type_record $zone 8 "$KSK1" >>"$infile"
|
||||
private_type_record $zone 8 "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 6:
|
||||
# The RRSIGs have been removed long enough to be HIDDEN.
|
||||
setup step6.algorithm-roll.$tld
|
||||
# Additional time passed: 7h.
|
||||
TpubN1="now-19h"
|
||||
TsbmN1="now-12h"
|
||||
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
|
||||
zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
|
||||
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||
zsk2times="-P ${TpubN1} -A ${TpubN1}"
|
||||
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
|
||||
$SETTIME -s -g $H -k $H $TsbmN1 -r $U $TsbmN1 -d $H $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $H $TsbmN1 -z $U $TsbmN1 "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
|
||||
# Fake lifetime of old algorithm keys.
|
||||
echo "Lifetime: 0" >>"${KSK1}.state"
|
||||
echo "Lifetime: 0" >>"${ZSK1}.state"
|
||||
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
|
||||
private_type_record $zone 8 "$KSK1" >>"$infile"
|
||||
private_type_record $zone 8 "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
done
|
||||
|
||||
@ -11,7 +11,10 @@
|
||||
|
||||
# pylint: disable=unused-import
|
||||
|
||||
import pytest
|
||||
|
||||
import isctest
|
||||
from isctest.util import param
|
||||
from rollover.common import (
|
||||
pytestmark,
|
||||
CDSS,
|
||||
@ -21,10 +24,17 @@ from rollover.common import (
|
||||
)
|
||||
|
||||
|
||||
def test_algoroll_ksk_zsk_initial(ns6):
|
||||
@pytest.mark.parametrize(
|
||||
"tld",
|
||||
[
|
||||
param("kasp"),
|
||||
param("manual"),
|
||||
],
|
||||
)
|
||||
def test_algoroll_ksk_zsk_initial(ns6, tld):
|
||||
config = ALGOROLL_CONFIG
|
||||
policy = "rsasha256"
|
||||
zone = "step1.algorithm-roll.kasp"
|
||||
policy = f"rsasha256-{tld}"
|
||||
zone = f"step1.algorithm-roll.{tld}"
|
||||
|
||||
isctest.kasp.wait_keymgr_done(ns6, zone)
|
||||
|
||||
|
||||
@ -11,7 +11,31 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-policy "csk-roll1" {
|
||||
dnssec-policy "csk-roll1-autosign" {
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
dnskey-ttl 1h;
|
||||
publish-safety PT1H;
|
||||
retire-safety 2h;
|
||||
purge-keys PT1H;
|
||||
|
||||
cds-digest-types { "sha-384"; }; // use a different digest type for testing purposes
|
||||
keys {
|
||||
csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
zone-propagation-delay 1h;
|
||||
max-zone-ttl P1D;
|
||||
|
||||
parent-ds-ttl 1h;
|
||||
parent-propagation-delay 1h;
|
||||
};
|
||||
|
||||
dnssec-policy "csk-roll1-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh P5D;
|
||||
signatures-validity 30d;
|
||||
signatures-validity-dnskey 30d;
|
||||
|
||||
@ -11,46 +11,51 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
{% set zones = ["autosign", "manual"] %}
|
||||
|
||||
include "kasp.conf";
|
||||
include "named.common.conf";
|
||||
|
||||
zone "step1.csk-roll1.autosign" {
|
||||
{% for tld in zones %}
|
||||
zone "step1.csk-roll1.@tld@" {
|
||||
type primary;
|
||||
file "step1.csk-roll1.autosign.db";
|
||||
dnssec-policy "csk-roll1";
|
||||
file "step1.csk-roll1.@tld@.db";
|
||||
dnssec-policy "csk-roll1-@tld@";
|
||||
};
|
||||
zone "step2.csk-roll1.autosign" {
|
||||
zone "step2.csk-roll1.@tld@" {
|
||||
type primary;
|
||||
file "step2.csk-roll1.autosign.db";
|
||||
dnssec-policy "csk-roll1";
|
||||
file "step2.csk-roll1.@tld@.db";
|
||||
dnssec-policy "csk-roll1-@tld@";
|
||||
};
|
||||
zone "step3.csk-roll1.autosign" {
|
||||
zone "step3.csk-roll1.@tld@" {
|
||||
type primary;
|
||||
file "step3.csk-roll1.autosign.db";
|
||||
dnssec-policy "csk-roll1";
|
||||
file "step3.csk-roll1.@tld@.db";
|
||||
dnssec-policy "csk-roll1-@tld@";
|
||||
};
|
||||
zone "step4.csk-roll1.autosign" {
|
||||
zone "step4.csk-roll1.@tld@" {
|
||||
type primary;
|
||||
file "step4.csk-roll1.autosign.db";
|
||||
dnssec-policy "csk-roll1";
|
||||
file "step4.csk-roll1.@tld@.db";
|
||||
dnssec-policy "csk-roll1-@tld@";
|
||||
};
|
||||
zone "step5.csk-roll1.autosign" {
|
||||
zone "step5.csk-roll1.@tld@" {
|
||||
type primary;
|
||||
file "step5.csk-roll1.autosign.db";
|
||||
dnssec-policy "csk-roll1";
|
||||
file "step5.csk-roll1.@tld@.db";
|
||||
dnssec-policy "csk-roll1-@tld@";
|
||||
};
|
||||
zone "step6.csk-roll1.autosign" {
|
||||
zone "step6.csk-roll1.@tld@" {
|
||||
type primary;
|
||||
file "step6.csk-roll1.autosign.db";
|
||||
dnssec-policy "csk-roll1";
|
||||
file "step6.csk-roll1.@tld@.db";
|
||||
dnssec-policy "csk-roll1-@tld@";
|
||||
};
|
||||
zone "step7.csk-roll1.autosign" {
|
||||
zone "step7.csk-roll1.@tld@" {
|
||||
type primary;
|
||||
file "step7.csk-roll1.autosign.db";
|
||||
dnssec-policy "csk-roll1";
|
||||
file "step7.csk-roll1.@tld@.db";
|
||||
dnssec-policy "csk-roll1-@tld@";
|
||||
};
|
||||
zone "step8.csk-roll1.autosign" {
|
||||
zone "step8.csk-roll1.@tld@" {
|
||||
type primary;
|
||||
file "step8.csk-roll1.autosign.db";
|
||||
dnssec-policy "csk-roll1";
|
||||
file "step8.csk-roll1.@tld@.db";
|
||||
dnssec-policy "csk-roll1-@tld@";
|
||||
};
|
||||
|
||||
{% endfor %}
|
||||
|
||||
@ -40,273 +40,275 @@ O="OMNIPRESENT"
|
||||
U="UNRETENTIVE"
|
||||
|
||||
#
|
||||
# The zones at csk-roll1.autosign represent the various steps of a CSK rollover
|
||||
# The zones at csk-roll1.$tld represent the various steps of a CSK rollover
|
||||
# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
|
||||
#
|
||||
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.csk-roll1.autosign
|
||||
TactN="now-7d"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
CSK=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
for tld in autosign manual; do
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.csk-roll1.$tld
|
||||
TactN="now-7d"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
CSK=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 2:
|
||||
# It is time to introduce the new CSK.
|
||||
setup step2.csk-roll1.autosign
|
||||
# According to RFC 7583:
|
||||
# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
|
||||
# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
|
||||
# IpubC = DprpC + TTLkey (+publish-safety)
|
||||
# Ipub = IpubC
|
||||
# Lcsk = Lksk = Lzsk
|
||||
#
|
||||
# Lcsk: 6mo (186d, 4464h)
|
||||
# Dreg: N/A
|
||||
# DprpC: 1h
|
||||
# TTLkey: 1h
|
||||
# publish-safety: 1h
|
||||
# Ipub: 3h
|
||||
#
|
||||
# Tact(N) = now - Lcsk + Ipub = now - 186d + 3h
|
||||
# = now - 4464h + 3h = now - 4461h
|
||||
TactN="now-4461h"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
CSK=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 2:
|
||||
# It is time to introduce the new CSK.
|
||||
setup step2.csk-roll1.$tld
|
||||
# According to RFC 7583:
|
||||
# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
|
||||
# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
|
||||
# IpubC = DprpC + TTLkey (+publish-safety)
|
||||
# Ipub = IpubC
|
||||
# Lcsk = Lksk = Lzsk
|
||||
#
|
||||
# Lcsk: 6mo (186d, 4464h)
|
||||
# Dreg: N/A
|
||||
# DprpC: 1h
|
||||
# TTLkey: 1h
|
||||
# publish-safety: 1h
|
||||
# Ipub: 3h
|
||||
#
|
||||
# Tact(N) = now - Lcsk + Ipub = now - 186d + 3h
|
||||
# = now - 4464h + 3h = now - 4461h
|
||||
TactN="now-4461h"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
CSK=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 3:
|
||||
# It is time to submit the DS and to roll signatures.
|
||||
setup step3.csk-roll1.autosign
|
||||
# According to RFC 7583:
|
||||
#
|
||||
# Tsbm(N+1) >= Trdy(N+1)
|
||||
# KSK: Tact(N+1) = Tsbm(N+1)
|
||||
# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
|
||||
# KSK: Iret = DprpP + TTLds (+retire-safety)
|
||||
# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
|
||||
#
|
||||
# Lcsk: 186d
|
||||
# Dprp: 1h
|
||||
# DprpP: 1h
|
||||
# Dreg: N/A
|
||||
# Dsgn: 25d
|
||||
# TTLds: 1h
|
||||
# TTLsig: 1d
|
||||
# retire-safety: 2h
|
||||
# Iret: 4h
|
||||
# IretZ: 26d3h
|
||||
# Ipub: 3h
|
||||
#
|
||||
# Tpub(N) = now - Lcsk = now - 186d
|
||||
# Tact(N) = now - Lcsk + Dprp + TTLsig = now - 4439h
|
||||
# Tret(N) = now
|
||||
# Trem(N) = now + IretZ = now + 26d3h = now + 627h
|
||||
# Tpub(N+1) = now - Ipub = now - 3h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now + Lcsk = now + 186d = now + 186d
|
||||
# Trem(N+1) = now + Lcsk + IretZ = now + 186d + 26d3h =
|
||||
# = now + 5091h
|
||||
TpubN="now-186d"
|
||||
TactN="now-4439h"
|
||||
TretN="now"
|
||||
TremN="now+627h"
|
||||
TpubN1="now-3h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+186d"
|
||||
TremN1="now+5091h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 3:
|
||||
# It is time to submit the DS and to roll signatures.
|
||||
setup step3.csk-roll1.$tld
|
||||
# According to RFC 7583:
|
||||
#
|
||||
# Tsbm(N+1) >= Trdy(N+1)
|
||||
# KSK: Tact(N+1) = Tsbm(N+1)
|
||||
# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
|
||||
# KSK: Iret = DprpP + TTLds (+retire-safety)
|
||||
# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
|
||||
#
|
||||
# Lcsk: 186d
|
||||
# Dprp: 1h
|
||||
# DprpP: 1h
|
||||
# Dreg: N/A
|
||||
# Dsgn: 25d
|
||||
# TTLds: 1h
|
||||
# TTLsig: 1d
|
||||
# retire-safety: 2h
|
||||
# Iret: 4h
|
||||
# IretZ: 26d3h
|
||||
# Ipub: 3h
|
||||
#
|
||||
# Tpub(N) = now - Lcsk = now - 186d
|
||||
# Tact(N) = now - Lcsk + Dprp + TTLsig = now - 4439h
|
||||
# Tret(N) = now
|
||||
# Trem(N) = now + IretZ = now + 26d3h = now + 627h
|
||||
# Tpub(N+1) = now - Ipub = now - 3h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now + Lcsk = now + 186d = now + 186d
|
||||
# Trem(N+1) = now + Lcsk + IretZ = now + 186d + 26d3h =
|
||||
# = now + 5091h
|
||||
TpubN="now-186d"
|
||||
TactN="now-4439h"
|
||||
TretN="now"
|
||||
TremN="now+627h"
|
||||
TpubN1="now-3h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+186d"
|
||||
TremN1="now+5091h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 4:
|
||||
# Some time later all the ZRRSIG records should be from the new CSK, and the
|
||||
# DS should be swapped. The ZRRSIG records are all replaced after IretZ
|
||||
# (which is 26d3h). The DS is swapped after Iret (which is 4h).
|
||||
# In other words, the DS is swapped before all zone signatures are replaced.
|
||||
setup step4.csk-roll1.autosign
|
||||
# According to RFC 7583:
|
||||
# Trem(N) = Tret(N) - Iret + IretZ
|
||||
# now = Tsbm(N+1) + Iret
|
||||
#
|
||||
# Lcsk: 186d
|
||||
# Iret: 4h
|
||||
# IretZ: 26d3h
|
||||
#
|
||||
# Tpub(N) = now - Iret - Lcsk = now - 4h - 186d = now - 4468h
|
||||
# Tret(N) = now - Iret = now - 4h = now - 4h
|
||||
# Trem(N) = now - Iret + IretZ = now - 4h + 26d3h
|
||||
# = now + 623h
|
||||
# Tpub(N+1) = now - Iret - IpubC = now - 4h - 3h = now - 7h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now - Iret + Lcsk = now - 4h + 186d = now + 4460h
|
||||
# Trem(N+1) = now - Iret + Lcsk + IretZ = now - 4h + 186d + 26d3h
|
||||
# = now + 5087h
|
||||
TpubN="now-4468h"
|
||||
TactN="now-4443h"
|
||||
TretN="now-4h"
|
||||
TremN="now+623h"
|
||||
TpubN1="now-7h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+4460h"
|
||||
TremN1="now+5087h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -z $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $R $TactN1 -z $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 4:
|
||||
# Some time later all the ZRRSIG records should be from the new CSK, and the
|
||||
# DS should be swapped. The ZRRSIG records are all replaced after IretZ
|
||||
# (which is 26d3h). The DS is swapped after Iret (which is 4h).
|
||||
# In other words, the DS is swapped before all zone signatures are replaced.
|
||||
setup step4.csk-roll1.$tld
|
||||
# According to RFC 7583:
|
||||
# Trem(N) = Tret(N) - Iret + IretZ
|
||||
# now = Tsbm(N+1) + Iret
|
||||
#
|
||||
# Lcsk: 186d
|
||||
# Iret: 4h
|
||||
# IretZ: 26d3h
|
||||
#
|
||||
# Tpub(N) = now - Iret - Lcsk = now - 4h - 186d = now - 4468h
|
||||
# Tret(N) = now - Iret = now - 4h = now - 4h
|
||||
# Trem(N) = now - Iret + IretZ = now - 4h + 26d3h
|
||||
# = now + 623h
|
||||
# Tpub(N+1) = now - Iret - IpubC = now - 4h - 3h = now - 7h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now - Iret + Lcsk = now - 4h + 186d = now + 4460h
|
||||
# Trem(N+1) = now - Iret + Lcsk + IretZ = now - 4h + 186d + 26d3h
|
||||
# = now + 5087h
|
||||
TpubN="now-4468h"
|
||||
TactN="now-4443h"
|
||||
TretN="now-4h"
|
||||
TremN="now+623h"
|
||||
TpubN1="now-7h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+4460h"
|
||||
TremN1="now+5087h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -z $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $R $TactN1 -z $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 5:
|
||||
# After the DS is swapped in step 4, also the KRRSIG records can be removed.
|
||||
# At this time these have all become hidden.
|
||||
setup step5.csk-roll1.autosign
|
||||
# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
|
||||
TpubN="now-4470h"
|
||||
TactN="now-4445h"
|
||||
TretN="now-6h"
|
||||
TremN="now+621h"
|
||||
TpubN1="now-9h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+4458h"
|
||||
TremN1="now+5085h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O now-2h -z $R $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 5:
|
||||
# After the DS is swapped in step 4, also the KRRSIG records can be removed.
|
||||
# At this time these have all become hidden.
|
||||
setup step5.csk-roll1.$tld
|
||||
# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
|
||||
TpubN="now-4470h"
|
||||
TactN="now-4445h"
|
||||
TretN="now-6h"
|
||||
TremN="now+621h"
|
||||
TpubN1="now-9h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+4458h"
|
||||
TremN1="now+5085h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O now-2h -z $R $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 6:
|
||||
# After the retire interval has passed the predecessor DNSKEY can be
|
||||
# removed from the zone.
|
||||
setup step6.csk-roll1.autosign
|
||||
# According to RFC 7583:
|
||||
# Trem(N) = Tret(N) + IretZ
|
||||
# Tret(N) = Tact(N) + Lcsk
|
||||
#
|
||||
# Lcsk: 186d
|
||||
# Iret: 4h
|
||||
# IretZ: 26d3h
|
||||
#
|
||||
# Tpub(N) = now - IretZ - Lcsk = now - 627h - 186d
|
||||
# = now - 627h - 4464h = now - 5091h
|
||||
# Tact(N) = now - 627h - 186d
|
||||
# Tret(N) = now - IretZ = now - 627h
|
||||
# Trem(N) = now
|
||||
# Tpub(N+1) = now - IretZ - Ipub = now - 627h - 3h = now - 630h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now - IretZ + Lcsk = now - 627h + 186d = now + 3837h
|
||||
# Trem(N+1) = now + Lcsk = now + 186d
|
||||
TpubN="now-5091h"
|
||||
TactN="now-5066h"
|
||||
TretN="now-627h"
|
||||
TremN="now"
|
||||
TpubN1="now-630h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+3837h"
|
||||
TremN1="now+186d"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $R $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 6:
|
||||
# After the retire interval has passed the predecessor DNSKEY can be
|
||||
# removed from the zone.
|
||||
setup step6.csk-roll1.$tld
|
||||
# According to RFC 7583:
|
||||
# Trem(N) = Tret(N) + IretZ
|
||||
# Tret(N) = Tact(N) + Lcsk
|
||||
#
|
||||
# Lcsk: 186d
|
||||
# Iret: 4h
|
||||
# IretZ: 26d3h
|
||||
#
|
||||
# Tpub(N) = now - IretZ - Lcsk = now - 627h - 186d
|
||||
# = now - 627h - 4464h = now - 5091h
|
||||
# Tact(N) = now - 627h - 186d
|
||||
# Tret(N) = now - IretZ = now - 627h
|
||||
# Trem(N) = now
|
||||
# Tpub(N+1) = now - IretZ - Ipub = now - 627h - 3h = now - 630h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now - IretZ + Lcsk = now - 627h + 186d = now + 3837h
|
||||
# Trem(N+1) = now + Lcsk = now + 186d
|
||||
TpubN="now-5091h"
|
||||
TactN="now-5066h"
|
||||
TretN="now-627h"
|
||||
TremN="now"
|
||||
TpubN1="now-630h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+3837h"
|
||||
TremN1="now+186d"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $R $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 7:
|
||||
# Some time later the predecessor DNSKEY enters the HIDDEN state.
|
||||
setup step7.csk-roll1.autosign
|
||||
# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
|
||||
TpubN="now-5093h"
|
||||
TactN="now-5068h"
|
||||
TretN="now-629h"
|
||||
TremN="now-2h"
|
||||
TpubN1="now-632h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+3835h"
|
||||
TremN1="now+4462h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 7:
|
||||
# Some time later the predecessor DNSKEY enters the HIDDEN state.
|
||||
setup step7.csk-roll1.$tld
|
||||
# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
|
||||
TpubN="now-5093h"
|
||||
TactN="now-5068h"
|
||||
TretN="now-629h"
|
||||
TremN="now-2h"
|
||||
TpubN1="now-632h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+3835h"
|
||||
TremN1="now+4462h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 8:
|
||||
# The predecessor DNSKEY can be purged.
|
||||
setup step8.csk-roll1.autosign
|
||||
TpubN="now-5094h"
|
||||
TactN="now-5069h"
|
||||
TretN="now-630h"
|
||||
TremN="now-3h"
|
||||
TpubN1="now-633h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+3834h"
|
||||
TremN1="now+4461h"
|
||||
# Subtract purge-keys interval from all the times (1h).
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 8:
|
||||
# The predecessor DNSKEY can be purged.
|
||||
setup step8.csk-roll1.$tld
|
||||
TpubN="now-5094h"
|
||||
TactN="now-5069h"
|
||||
TretN="now-630h"
|
||||
TremN="now-3h"
|
||||
TpubN1="now-633h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+3834h"
|
||||
TremN1="now+4461h"
|
||||
# Subtract purge-keys interval from all the times (1h).
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
done
|
||||
|
||||
@ -11,7 +11,31 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-policy "csk-roll2" {
|
||||
dnssec-policy "csk-roll2-autosign" {
|
||||
signatures-refresh 12h;
|
||||
signatures-validity P1D;
|
||||
signatures-validity-dnskey P1D;
|
||||
|
||||
dnskey-ttl 1h;
|
||||
publish-safety PT1H;
|
||||
retire-safety 1h;
|
||||
purge-keys 0;
|
||||
|
||||
cds-digest-types { "sha-256"; "sha-384"; }; // use two digest type for testing purposes
|
||||
keys {
|
||||
csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
zone-propagation-delay PT1H;
|
||||
max-zone-ttl 1d;
|
||||
|
||||
parent-ds-ttl PT1H;
|
||||
parent-propagation-delay P1W;
|
||||
};
|
||||
|
||||
dnssec-policy "csk-roll2-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh 12h;
|
||||
signatures-validity P1D;
|
||||
signatures-validity-dnskey P1D;
|
||||
|
||||
@ -11,41 +11,46 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
{% set zones = ["autosign", "manual"] %}
|
||||
|
||||
include "kasp.conf";
|
||||
include "named.common.conf";
|
||||
|
||||
zone "step1.csk-roll2.autosign" {
|
||||
{% for tld in zones %}
|
||||
zone "step1.csk-roll2.@tld@" {
|
||||
type primary;
|
||||
file "step1.csk-roll2.autosign.db";
|
||||
dnssec-policy "csk-roll2";
|
||||
file "step1.csk-roll2.@tld@.db";
|
||||
dnssec-policy "csk-roll2-@tld@";
|
||||
};
|
||||
zone "step2.csk-roll2.autosign" {
|
||||
zone "step2.csk-roll2.@tld@" {
|
||||
type primary;
|
||||
file "step2.csk-roll2.autosign.db";
|
||||
dnssec-policy "csk-roll2";
|
||||
file "step2.csk-roll2.@tld@.db";
|
||||
dnssec-policy "csk-roll2-@tld@";
|
||||
};
|
||||
zone "step3.csk-roll2.autosign" {
|
||||
zone "step3.csk-roll2.@tld@" {
|
||||
type primary;
|
||||
file "step3.csk-roll2.autosign.db";
|
||||
dnssec-policy "csk-roll2";
|
||||
file "step3.csk-roll2.@tld@.db";
|
||||
dnssec-policy "csk-roll2-@tld@";
|
||||
};
|
||||
zone "step4.csk-roll2.autosign" {
|
||||
zone "step4.csk-roll2.@tld@" {
|
||||
type primary;
|
||||
file "step4.csk-roll2.autosign.db";
|
||||
dnssec-policy "csk-roll2";
|
||||
file "step4.csk-roll2.@tld@.db";
|
||||
dnssec-policy "csk-roll2-@tld@";
|
||||
};
|
||||
zone "step5.csk-roll2.autosign" {
|
||||
zone "step5.csk-roll2.@tld@" {
|
||||
type primary;
|
||||
file "step5.csk-roll2.autosign.db";
|
||||
dnssec-policy "csk-roll2";
|
||||
file "step5.csk-roll2.@tld@.db";
|
||||
dnssec-policy "csk-roll2-@tld@";
|
||||
};
|
||||
zone "step6.csk-roll2.autosign" {
|
||||
zone "step6.csk-roll2.@tld@" {
|
||||
type primary;
|
||||
file "step6.csk-roll2.autosign.db";
|
||||
dnssec-policy "csk-roll2";
|
||||
file "step6.csk-roll2.@tld@.db";
|
||||
dnssec-policy "csk-roll2-@tld@";
|
||||
};
|
||||
zone "step7.csk-roll2.autosign" {
|
||||
zone "step7.csk-roll2.@tld@" {
|
||||
type primary;
|
||||
file "step7.csk-roll2.autosign.db";
|
||||
dnssec-policy "csk-roll2";
|
||||
file "step7.csk-roll2.@tld@.db";
|
||||
dnssec-policy "csk-roll2-@tld@";
|
||||
};
|
||||
|
||||
{% endfor %}
|
||||
|
||||
@ -40,260 +40,262 @@ O="OMNIPRESENT"
|
||||
U="UNRETENTIVE"
|
||||
|
||||
#
|
||||
# The zones at csk-roll2.autosign represent the various steps of a CSK rollover
|
||||
# The zones at csk-roll2.$tld represent the various steps of a CSK rollover
|
||||
# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
|
||||
# This scenario differs from the csk-roll1 one because the zone signatures (ZRRSIG)
|
||||
# are replaced with the new key sooner than the DS is swapped.
|
||||
#
|
||||
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.csk-roll2.autosign
|
||||
TactN="now-7d"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
CSK=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
for tld in autosign manual; do
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.csk-roll2.$tld
|
||||
TactN="now-7d"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
CSK=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 2:
|
||||
# It is time to introduce the new CSK.
|
||||
setup step2.csk-roll2.autosign
|
||||
# According to RFC 7583:
|
||||
# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
|
||||
# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
|
||||
# IpubC = DprpC + TTLkey (+publish-safety)
|
||||
# Ipub = IpubC
|
||||
# Lcsk = Lksk = Lzsk
|
||||
#
|
||||
# Lcsk: 6mo (186d, 4464h)
|
||||
# Dreg: N/A
|
||||
# DprpC: 1h
|
||||
# TTLkey: 1h
|
||||
# publish-safety: 1h
|
||||
# Ipub: 3h
|
||||
#
|
||||
# Tact(N) = now - Lcsk + Ipub = now - 186d + 3h
|
||||
# = now - 4464h + 3h = now - 4461h
|
||||
TactN="now-4461h"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
CSK=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 2:
|
||||
# It is time to introduce the new CSK.
|
||||
setup step2.csk-roll2.$tld
|
||||
# According to RFC 7583:
|
||||
# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
|
||||
# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
|
||||
# IpubC = DprpC + TTLkey (+publish-safety)
|
||||
# Ipub = IpubC
|
||||
# Lcsk = Lksk = Lzsk
|
||||
#
|
||||
# Lcsk: 6mo (186d, 4464h)
|
||||
# Dreg: N/A
|
||||
# DprpC: 1h
|
||||
# TTLkey: 1h
|
||||
# publish-safety: 1h
|
||||
# Ipub: 3h
|
||||
#
|
||||
# Tact(N) = now - Lcsk + Ipub = now - 186d + 3h
|
||||
# = now - 4464h + 3h = now - 4461h
|
||||
TactN="now-4461h"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
CSK=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 3:
|
||||
# It is time to submit the DS and to roll signatures.
|
||||
setup step3.csk-roll2.autosign
|
||||
# According to RFC 7583:
|
||||
#
|
||||
# Tsbm(N+1) >= Trdy(N+1)
|
||||
# KSK: Tact(N+1) = Tsbm(N+1)
|
||||
# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
|
||||
# KSK: Iret = DprpP + TTLds (+retire-safety)
|
||||
# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
|
||||
#
|
||||
# Lcsk: 186d
|
||||
# Dprp: 1h
|
||||
# DprpP: 1w
|
||||
# Dreg: N/A
|
||||
# Dsgn: 12h
|
||||
# TTLds: 1h
|
||||
# TTLsig: 1d
|
||||
# retire-safety: 1h
|
||||
# Iret: 170h
|
||||
# IretZ: 38h
|
||||
# Ipub: 3h
|
||||
#
|
||||
# Tpub(N) = now - Lcsk = now - 186d
|
||||
# Tact(N) = now - Lcsk + Dprp + TTLsig = now - 4439h
|
||||
# Tret(N) = now
|
||||
# Trem(N) = now + Iret = now + 170h
|
||||
# Tpub(N+1) = now - Ipub = now - 3h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now + Lcsk = now + 186d
|
||||
# Trem(N+1) = now + Lcsk + Iret = now + 186d + 170h =
|
||||
# = now + 4464h + 170h = now + 4634h
|
||||
TpubN="now-186d"
|
||||
TactN="now-4439h"
|
||||
TretN="now"
|
||||
TremN="now+170h"
|
||||
TpubN1="now-3h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+186d"
|
||||
TremN1="now+4634h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 3:
|
||||
# It is time to submit the DS and to roll signatures.
|
||||
setup step3.csk-roll2.$tld
|
||||
# According to RFC 7583:
|
||||
#
|
||||
# Tsbm(N+1) >= Trdy(N+1)
|
||||
# KSK: Tact(N+1) = Tsbm(N+1)
|
||||
# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
|
||||
# KSK: Iret = DprpP + TTLds (+retire-safety)
|
||||
# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
|
||||
#
|
||||
# Lcsk: 186d
|
||||
# Dprp: 1h
|
||||
# DprpP: 1w
|
||||
# Dreg: N/A
|
||||
# Dsgn: 12h
|
||||
# TTLds: 1h
|
||||
# TTLsig: 1d
|
||||
# retire-safety: 1h
|
||||
# Iret: 170h
|
||||
# IretZ: 38h
|
||||
# Ipub: 3h
|
||||
#
|
||||
# Tpub(N) = now - Lcsk = now - 186d
|
||||
# Tact(N) = now - Lcsk + Dprp + TTLsig = now - 4439h
|
||||
# Tret(N) = now
|
||||
# Trem(N) = now + Iret = now + 170h
|
||||
# Tpub(N+1) = now - Ipub = now - 3h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now + Lcsk = now + 186d
|
||||
# Trem(N+1) = now + Lcsk + Iret = now + 186d + 170h =
|
||||
# = now + 4464h + 170h = now + 4634h
|
||||
TpubN="now-186d"
|
||||
TactN="now-4439h"
|
||||
TretN="now"
|
||||
TremN="now+170h"
|
||||
TpubN1="now-3h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+186d"
|
||||
TremN1="now+4634h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 4:
|
||||
# Some time later all the ZRRSIG records should be from the new CSK, and the
|
||||
# DS should be swapped. The ZRRSIG records are all replaced after IretZ (38h).
|
||||
# The DS is swapped after Dreg + Iret (1w3h). In other words, the zone
|
||||
# signatures are replaced before the DS is swapped.
|
||||
setup step4.csk-roll2.autosign
|
||||
# According to RFC 7583:
|
||||
# Trem(N) = Tret(N) + IretZ
|
||||
#
|
||||
# Lcsk: 186d
|
||||
# Dreg: N/A
|
||||
# Iret: 170h
|
||||
# IretZ: 38h
|
||||
#
|
||||
# Tpub(N) = now - IretZ - Lcsk = now - 38h - 186d
|
||||
# = now - 38h - 4464h = now - 4502h
|
||||
# Tact(N) = now - Iret - Lcsk + TTLsig = now - 4502h + 25h = now - 4477h
|
||||
# Tret(N) = now - IretZ = now - 38h
|
||||
# Trem(N) = now - IretZ + Iret = now - 38h + 170h = now + 132h
|
||||
# Tpub(N+1) = now - IretZ - IpubC = now - 38h - 3h = now - 41h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now - IretZ + Lcsk = now - 38h + 186d
|
||||
# = now + 4426h
|
||||
# Trem(N+1) = now - IretZ + Lcsk + Iret
|
||||
# = now + 4426h + 3h = now + 4429h
|
||||
TpubN="now-4502h"
|
||||
TactN="now-4477h"
|
||||
TretN="now-38h"
|
||||
TremN="now+132h"
|
||||
TpubN1="now-41h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+4426h"
|
||||
TremN1="now+4429h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TactN1 -d $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 4:
|
||||
# Some time later all the ZRRSIG records should be from the new CSK, and the
|
||||
# DS should be swapped. The ZRRSIG records are all replaced after IretZ (38h).
|
||||
# The DS is swapped after Dreg + Iret (1w3h). In other words, the zone
|
||||
# signatures are replaced before the DS is swapped.
|
||||
setup step4.csk-roll2.$tld
|
||||
# According to RFC 7583:
|
||||
# Trem(N) = Tret(N) + IretZ
|
||||
#
|
||||
# Lcsk: 186d
|
||||
# Dreg: N/A
|
||||
# Iret: 170h
|
||||
# IretZ: 38h
|
||||
#
|
||||
# Tpub(N) = now - IretZ - Lcsk = now - 38h - 186d
|
||||
# = now - 38h - 4464h = now - 4502h
|
||||
# Tact(N) = now - Iret - Lcsk + TTLsig = now - 4502h + 25h = now - 4477h
|
||||
# Tret(N) = now - IretZ = now - 38h
|
||||
# Trem(N) = now - IretZ + Iret = now - 38h + 170h = now + 132h
|
||||
# Tpub(N+1) = now - IretZ - IpubC = now - 38h - 3h = now - 41h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now - IretZ + Lcsk = now - 38h + 186d
|
||||
# = now + 4426h
|
||||
# Trem(N+1) = now - IretZ + Lcsk + Iret
|
||||
# = now + 4426h + 3h = now + 4429h
|
||||
TpubN="now-4502h"
|
||||
TactN="now-4477h"
|
||||
TretN="now-38h"
|
||||
TremN="now+132h"
|
||||
TpubN1="now-41h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+4426h"
|
||||
TremN1="now+4429h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TactN1 -d $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 5:
|
||||
# Some time later the DS can be swapped and the old DNSKEY can be removed from
|
||||
# the zone.
|
||||
setup step5.csk-roll2.autosign
|
||||
# Subtract Iret (170h) - IretZ (38h) = 132h.
|
||||
#
|
||||
# Tpub(N) = now - 4502h - 132h = now - 4634h
|
||||
# Tact(N) = now - 4477h - 132h = now - 4609h
|
||||
# Tret(N) = now - 38h - 132h = now - 170h
|
||||
# Trem(N) = now + 132h - 132h = now
|
||||
# Tpub(N+1) = now - 41h - 132h = now - 173h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now + 4426h - 132h = now + 4294h
|
||||
# Trem(N+1) = now + 4492h - 132h = now + 4360h
|
||||
TpubN="now-4634h"
|
||||
TactN="now-4609h"
|
||||
TretN="now-170h"
|
||||
TremN="now"
|
||||
TpubN1="now-173h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+4294h"
|
||||
TremN1="now+4360h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O now-133h -d $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 5:
|
||||
# Some time later the DS can be swapped and the old DNSKEY can be removed from
|
||||
# the zone.
|
||||
setup step5.csk-roll2.$tld
|
||||
# Subtract Iret (170h) - IretZ (38h) = 132h.
|
||||
#
|
||||
# Tpub(N) = now - 4502h - 132h = now - 4634h
|
||||
# Tact(N) = now - 4477h - 132h = now - 4609h
|
||||
# Tret(N) = now - 38h - 132h = now - 170h
|
||||
# Trem(N) = now + 132h - 132h = now
|
||||
# Tpub(N+1) = now - 41h - 132h = now - 173h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now + 4426h - 132h = now + 4294h
|
||||
# Trem(N+1) = now + 4492h - 132h = now + 4360h
|
||||
TpubN="now-4634h"
|
||||
TactN="now-4609h"
|
||||
TretN="now-170h"
|
||||
TremN="now"
|
||||
TpubN1="now-173h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+4294h"
|
||||
TremN1="now+4360h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O now-133h -d $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 6:
|
||||
# Some time later the predecessor DNSKEY enters the HIDDEN state.
|
||||
setup step6.csk-roll2.autosign
|
||||
# Subtract DNSKEY TTL plus zone propagation delay (2h).
|
||||
#
|
||||
# Tpub(N) = now - 4634h - 2h = now - 4636h
|
||||
# Tact(N) = now - 4609h - 2h = now - 4611h
|
||||
# Tret(N) = now - 170h - 2h = now - 172h
|
||||
# Trem(N) = now - 2h
|
||||
# Tpub(N+1) = now - 173h - 2h = now - 175h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now + 4294h - 2h = now + 4292h
|
||||
# Trem(N+1) = now + 4360h - 2h = now + 4358h
|
||||
TpubN="now-4636h"
|
||||
TactN="now-4611h"
|
||||
TretN="now-172h"
|
||||
TremN="now-2h"
|
||||
TpubN1="now-175h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+4292h"
|
||||
TremN1="now+4358h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 6:
|
||||
# Some time later the predecessor DNSKEY enters the HIDDEN state.
|
||||
setup step6.csk-roll2.$tld
|
||||
# Subtract DNSKEY TTL plus zone propagation delay (2h).
|
||||
#
|
||||
# Tpub(N) = now - 4634h - 2h = now - 4636h
|
||||
# Tact(N) = now - 4609h - 2h = now - 4611h
|
||||
# Tret(N) = now - 170h - 2h = now - 172h
|
||||
# Trem(N) = now - 2h
|
||||
# Tpub(N+1) = now - 173h - 2h = now - 175h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now + 4294h - 2h = now + 4292h
|
||||
# Trem(N+1) = now + 4360h - 2h = now + 4358h
|
||||
TpubN="now-4636h"
|
||||
TactN="now-4611h"
|
||||
TretN="now-172h"
|
||||
TremN="now-2h"
|
||||
TpubN1="now-175h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+4292h"
|
||||
TremN1="now+4358h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 7:
|
||||
# The predecessor DNSKEY can be purged, but purge-keys is disabled.
|
||||
setup step7.csk-roll2.autosign
|
||||
# Subtract 90 days (default, 2160h) from all the times.
|
||||
#
|
||||
# Tpub(N) = now - 4636h - 2160h = now - 6796h
|
||||
# Tact(N) = now - 4611h - 2160h = now - 6771h
|
||||
# Tret(N) = now - 172h - 2160h = now - 2332h
|
||||
# Trem(N) = now - 2h - 2160h = now - 2162h
|
||||
# Tpub(N+1) = now - 175h - 2160h = now - 2335h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now + 4292h - 2160h = now + 2132h
|
||||
# Trem(N+1) = now + 4358h - 2160h = now + 2198h
|
||||
TpubN="now-6796h"
|
||||
TactN="now-6771h"
|
||||
TretN="now-2332h"
|
||||
TremN="now-2162h"
|
||||
TpubN1="now-2335h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+2132h"
|
||||
TremN1="now+2198h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 7:
|
||||
# The predecessor DNSKEY can be purged, but purge-keys is disabled.
|
||||
setup step7.csk-roll2.$tld
|
||||
# Subtract 90 days (default, 2160h) from all the times.
|
||||
#
|
||||
# Tpub(N) = now - 4636h - 2160h = now - 6796h
|
||||
# Tact(N) = now - 4611h - 2160h = now - 6771h
|
||||
# Tret(N) = now - 172h - 2160h = now - 2332h
|
||||
# Trem(N) = now - 2h - 2160h = now - 2162h
|
||||
# Tpub(N+1) = now - 175h - 2160h = now - 2335h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now + 4292h - 2160h = now + 2132h
|
||||
# Trem(N+1) = now + 4358h - 2160h = now + 2198h
|
||||
TpubN="now-6796h"
|
||||
TactN="now-6771h"
|
||||
TretN="now-2332h"
|
||||
TremN="now-2162h"
|
||||
TpubN1="now-2335h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+2132h"
|
||||
TremN1="now+2198h"
|
||||
keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
CSK1=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
CSK2=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $CSK1 $CSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
done
|
||||
|
||||
@ -11,7 +11,28 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-policy "enable-dnssec" {
|
||||
dnssec-policy "enable-dnssec-autosign" {
|
||||
signatures-refresh P1W;
|
||||
signatures-validity P2W;
|
||||
signatures-validity-dnskey P2W;
|
||||
|
||||
dnskey-ttl 300;
|
||||
max-zone-ttl PT12H;
|
||||
zone-propagation-delay PT5M;
|
||||
retire-safety PT20M;
|
||||
publish-safety PT5M;
|
||||
|
||||
parent-propagation-delay 1h;
|
||||
parent-ds-ttl 2h;
|
||||
|
||||
keys {
|
||||
csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@;
|
||||
};
|
||||
};
|
||||
|
||||
dnssec-policy "enable-dnssec-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh P1W;
|
||||
signatures-validity P2W;
|
||||
signatures-validity-dnskey P2W;
|
||||
|
||||
@ -11,26 +11,31 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
{% set zones = ["autosign", "manual"] %}
|
||||
|
||||
include "kasp.conf";
|
||||
include "named.common.conf";
|
||||
|
||||
zone "step1.enable-dnssec.autosign" {
|
||||
{% for tld in zones %}
|
||||
zone "step1.enable-dnssec.@tld@" {
|
||||
type primary;
|
||||
file "step1.enable-dnssec.autosign.db";
|
||||
dnssec-policy "enable-dnssec";
|
||||
file "step1.enable-dnssec.@tld@.db";
|
||||
dnssec-policy "enable-dnssec-@tld@";
|
||||
};
|
||||
zone "step2.enable-dnssec.autosign" {
|
||||
zone "step2.enable-dnssec.@tld@" {
|
||||
type primary;
|
||||
file "step2.enable-dnssec.autosign.db";
|
||||
dnssec-policy "enable-dnssec";
|
||||
file "step2.enable-dnssec.@tld@.db";
|
||||
dnssec-policy "enable-dnssec-@tld@";
|
||||
};
|
||||
zone "step3.enable-dnssec.autosign" {
|
||||
zone "step3.enable-dnssec.@tld@" {
|
||||
type primary;
|
||||
file "step3.enable-dnssec.autosign.db";
|
||||
dnssec-policy "enable-dnssec";
|
||||
file "step3.enable-dnssec.@tld@.db";
|
||||
dnssec-policy "enable-dnssec-@tld@";
|
||||
};
|
||||
zone "step4.enable-dnssec.autosign" {
|
||||
zone "step4.enable-dnssec.@tld@" {
|
||||
type primary;
|
||||
file "step4.enable-dnssec.autosign.db";
|
||||
dnssec-policy "enable-dnssec";
|
||||
file "step4.enable-dnssec.@tld@.db";
|
||||
dnssec-policy "enable-dnssec-@tld@";
|
||||
};
|
||||
|
||||
{% endfor %}
|
||||
|
||||
@ -40,61 +40,63 @@ O="OMNIPRESENT"
|
||||
U="UNRETENTIVE"
|
||||
|
||||
#
|
||||
# The zones at enable-dnssec.autosign represent the various steps of the
|
||||
# The zones at enable-dnssec.$tld represent the various steps of the
|
||||
# initial signing of a zone.
|
||||
#
|
||||
|
||||
# Step 1:
|
||||
# This is an unsigned zone and named should perform the initial steps of
|
||||
# introducing the DNSSEC records in the right order.
|
||||
setup step1.enable-dnssec.autosign
|
||||
cp template.db.in $zonefile
|
||||
for tld in autosign manual; do
|
||||
# Step 1:
|
||||
# This is an unsigned zone and named should perform the initial steps of
|
||||
# introducing the DNSSEC records in the right order.
|
||||
setup step1.enable-dnssec.$tld
|
||||
cp template.db.in $zonefile
|
||||
|
||||
# Step 2:
|
||||
# The DNSKEY has been published long enough to become OMNIPRESENT.
|
||||
setup step2.enable-dnssec.autosign
|
||||
# DNSKEY TTL: 300 seconds
|
||||
# zone-propagation-delay: 5 minutes (300 seconds)
|
||||
# publish-safety: 5 minutes (300 seconds)
|
||||
# Total: 900 seconds
|
||||
TpubN="now-900s"
|
||||
keytimes="-P ${TpubN} -A ${TpubN}"
|
||||
CSK=$($KEYGEN -k enable-dnssec -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 2:
|
||||
# The DNSKEY has been published long enough to become OMNIPRESENT.
|
||||
setup step2.enable-dnssec.$tld
|
||||
# DNSKEY TTL: 300 seconds
|
||||
# zone-propagation-delay: 5 minutes (300 seconds)
|
||||
# publish-safety: 5 minutes (300 seconds)
|
||||
# Total: 900 seconds
|
||||
TpubN="now-900s"
|
||||
keytimes="-P ${TpubN} -A ${TpubN}"
|
||||
CSK=$($KEYGEN -k enable-dnssec-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 3:
|
||||
# The zone signatures have been published long enough to become OMNIPRESENT.
|
||||
setup step3.enable-dnssec.autosign
|
||||
# Passed time since publication:
|
||||
# max-zone-ttl: 12 hours (43200 seconds)
|
||||
# zone-propagation-delay: 5 minutes (300 seconds)
|
||||
TpubN="now-43500s"
|
||||
# We can submit the DS now.
|
||||
keytimes="-P ${TpubN} -A ${TpubN}"
|
||||
CSK=$($KEYGEN -k enable-dnssec -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TpubN -r $O $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 3:
|
||||
# The zone signatures have been published long enough to become OMNIPRESENT.
|
||||
setup step3.enable-dnssec.$tld
|
||||
# Passed time since publication:
|
||||
# max-zone-ttl: 12 hours (43200 seconds)
|
||||
# zone-propagation-delay: 5 minutes (300 seconds)
|
||||
TpubN="now-43500s"
|
||||
# We can submit the DS now.
|
||||
keytimes="-P ${TpubN} -A ${TpubN}"
|
||||
CSK=$($KEYGEN -k enable-dnssec-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -k $O $TpubN -r $O $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 4:
|
||||
# The DS has been submitted long enough ago to become OMNIPRESENT.
|
||||
setup step4.enable-dnssec.autosign
|
||||
# DS TTL: 2 hour (7200 seconds)
|
||||
# parent-propagation-delay: 1 hour (3600 seconds)
|
||||
# Total aditional time: 10800 seconds
|
||||
# 43500 + 10800 = 54300
|
||||
TpubN="now-54300s"
|
||||
TsbmN="now-10800s"
|
||||
keytimes="-P ${TpubN} -A ${TpubN} -P sync ${TsbmN}"
|
||||
CSK=$($KEYGEN -k enable-dnssec -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -P ds $TsbmN -k $O $TpubN -r $O $TpubN -d $R $TpubN -z $O $TsbmN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 4:
|
||||
# The DS has been submitted long enough ago to become OMNIPRESENT.
|
||||
setup step4.enable-dnssec.$tld
|
||||
# DS TTL: 2 hour (7200 seconds)
|
||||
# parent-propagation-delay: 1 hour (3600 seconds)
|
||||
# Total aditional time: 10800 seconds
|
||||
# 43500 + 10800 = 54300
|
||||
TpubN="now-54300s"
|
||||
TsbmN="now-10800s"
|
||||
keytimes="-P ${TpubN} -A ${TpubN} -P sync ${TsbmN}"
|
||||
CSK=$($KEYGEN -k enable-dnssec-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||
$SETTIME -s -g $O -P ds $TsbmN -k $O $TpubN -r $O $TpubN -d $R $TpubN -z $O $TsbmN "$CSK" >settime.out.$zone.1 2>&1
|
||||
cat template.db.in "${CSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
done
|
||||
|
||||
@ -19,5 +19,5 @@ zone "three-is-a-crowd.kasp" {
|
||||
file "three-is-a-crowd.kasp.db";
|
||||
inline-signing yes;
|
||||
/* Use same policy as KSK rollover test zones. */
|
||||
dnssec-policy "ksk-doubleksk";
|
||||
dnssec-policy "ksk-doubleksk-autosign";
|
||||
};
|
||||
|
||||
@ -27,7 +27,7 @@ from rollover.common import (
|
||||
|
||||
|
||||
CDSS = ["CDS (SHA-256)"]
|
||||
POLICY = "ksk-doubleksk"
|
||||
POLICY = "ksk-doubleksk-autosign"
|
||||
OFFSET1 = -int(timedelta(days=60).total_seconds())
|
||||
OFFSET2 = -int(timedelta(hours=27).total_seconds())
|
||||
TTL = int(KSK_CONFIG["dnskey-ttl"].total_seconds())
|
||||
|
||||
@ -11,7 +11,32 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-policy "ksk-doubleksk" {
|
||||
dnssec-policy "ksk-doubleksk-autosign" {
|
||||
signatures-refresh P1W;
|
||||
signatures-validity P2W;
|
||||
signatures-validity-dnskey P2W;
|
||||
|
||||
dnskey-ttl 2h;
|
||||
publish-safety P1D;
|
||||
retire-safety P2D;
|
||||
purge-keys PT1H;
|
||||
|
||||
cdnskey no;
|
||||
keys {
|
||||
ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
zone-propagation-delay PT1H;
|
||||
max-zone-ttl 1d;
|
||||
|
||||
parent-ds-ttl 3600;
|
||||
parent-propagation-delay PT1H;
|
||||
};
|
||||
|
||||
dnssec-policy "ksk-doubleksk-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh P1W;
|
||||
signatures-validity P2W;
|
||||
signatures-validity-dnskey P2W;
|
||||
|
||||
@ -11,36 +11,40 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
{% set zones = ["autosign", "manual"] %}
|
||||
|
||||
include "kasp.conf";
|
||||
include "named.common.conf";
|
||||
|
||||
zone "step1.ksk-doubleksk.autosign" {
|
||||
{% for tld in zones %}
|
||||
zone "step1.ksk-doubleksk.@tld@" {
|
||||
type primary;
|
||||
file "step1.ksk-doubleksk.autosign.db";
|
||||
dnssec-policy "ksk-doubleksk";
|
||||
file "step1.ksk-doubleksk.@tld@.db";
|
||||
dnssec-policy "ksk-doubleksk-@tld@";
|
||||
};
|
||||
zone "step2.ksk-doubleksk.autosign" {
|
||||
zone "step2.ksk-doubleksk.@tld@" {
|
||||
type primary;
|
||||
file "step2.ksk-doubleksk.autosign.db";
|
||||
dnssec-policy "ksk-doubleksk";
|
||||
file "step2.ksk-doubleksk.@tld@.db";
|
||||
dnssec-policy "ksk-doubleksk-@tld@";
|
||||
};
|
||||
zone "step3.ksk-doubleksk.autosign" {
|
||||
zone "step3.ksk-doubleksk.@tld@" {
|
||||
type primary;
|
||||
file "step3.ksk-doubleksk.autosign.db";
|
||||
dnssec-policy "ksk-doubleksk";
|
||||
file "step3.ksk-doubleksk.@tld@.db";
|
||||
dnssec-policy "ksk-doubleksk-@tld@";
|
||||
};
|
||||
zone "step4.ksk-doubleksk.autosign" {
|
||||
zone "step4.ksk-doubleksk.@tld@" {
|
||||
type primary;
|
||||
file "step4.ksk-doubleksk.autosign.db";
|
||||
dnssec-policy "ksk-doubleksk";
|
||||
file "step4.ksk-doubleksk.@tld@.db";
|
||||
dnssec-policy "ksk-doubleksk-@tld@";
|
||||
};
|
||||
zone "step5.ksk-doubleksk.autosign" {
|
||||
zone "step5.ksk-doubleksk.@tld@" {
|
||||
type primary;
|
||||
file "step5.ksk-doubleksk.autosign.db";
|
||||
dnssec-policy "ksk-doubleksk";
|
||||
file "step5.ksk-doubleksk.@tld@.db";
|
||||
dnssec-policy "ksk-doubleksk-@tld@";
|
||||
};
|
||||
zone "step6.ksk-doubleksk.autosign" {
|
||||
zone "step6.ksk-doubleksk.@tld@" {
|
||||
type primary;
|
||||
file "step6.ksk-doubleksk.autosign.db";
|
||||
dnssec-policy "ksk-doubleksk";
|
||||
file "step6.ksk-doubleksk.@tld@.db";
|
||||
dnssec-policy "ksk-doubleksk-@tld@";
|
||||
};
|
||||
{% endfor %}
|
||||
|
||||
@ -40,202 +40,204 @@ O="OMNIPRESENT"
|
||||
U="UNRETENTIVE"
|
||||
|
||||
#
|
||||
# The zones at ksk-doubleksk.autosign represent the various steps of a KSK
|
||||
# The zones at ksk-doubleksk.$tld represent the various steps of a KSK
|
||||
# Double-KSK rollover.
|
||||
#
|
||||
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.ksk-doubleksk.autosign
|
||||
TactN="now-7d"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $keytimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
|
||||
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
for tld in autosign manual; do
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.ksk-doubleksk.$tld
|
||||
TactN="now-7d"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $keytimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
|
||||
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 2:
|
||||
# It is time to submit the introduce the new KSK.
|
||||
setup step2.ksk-doubleksk.autosign
|
||||
# Lksk: 60d
|
||||
# Dreg: n/a
|
||||
# DprpC: 1h
|
||||
# TTLds: 1d
|
||||
# TTLkey: 2h
|
||||
# publish-safety: 1d
|
||||
# retire-safety: 2d
|
||||
#
|
||||
# According to RFC 7583:
|
||||
# Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
|
||||
# IpubC = DprpC + TTLkey (+publish-safety)
|
||||
#
|
||||
# IpubC = 27h
|
||||
# Tact(N) = now - Lksk + Dreg + IpubC = now - 60d + 27h
|
||||
# = now - 1440h + 27h = now - 1413h
|
||||
TactN="now-1413h"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $keytimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
|
||||
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 2:
|
||||
# It is time to submit the introduce the new KSK.
|
||||
setup step2.ksk-doubleksk.$tld
|
||||
# Lksk: 60d
|
||||
# Dreg: n/a
|
||||
# DprpC: 1h
|
||||
# TTLds: 1d
|
||||
# TTLkey: 2h
|
||||
# publish-safety: 1d
|
||||
# retire-safety: 2d
|
||||
#
|
||||
# According to RFC 7583:
|
||||
# Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
|
||||
# IpubC = DprpC + TTLkey (+publish-safety)
|
||||
#
|
||||
# IpubC = 27h
|
||||
# Tact(N) = now - Lksk + Dreg + IpubC = now - 60d + 27h
|
||||
# = now - 1440h + 27h = now - 1413h
|
||||
TactN="now-1413h"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $keytimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
|
||||
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 3:
|
||||
# It is time to submit the DS.
|
||||
setup step3.ksk-doubleksk.autosign
|
||||
# According to RFC 7583:
|
||||
# Iret = DprpP + TTLds (+retire-safety)
|
||||
#
|
||||
# Iret = 50h
|
||||
# Tpub(N) = now - Lksk = now - 60d = now - 60d
|
||||
# Tact(N) = now - 1413h
|
||||
# Tret(N) = now
|
||||
# Trem(N) = now + Iret = now + 50h
|
||||
# Tpub(N+1) = now - IpubC = now - 27h
|
||||
# Tact(N+1) = now
|
||||
# Tret(N+1) = now + Lksk = now + 60d
|
||||
# Trem(N+1) = now + Lksk + Iret = now + 60d + 50h
|
||||
# = now + 1440h + 50h = 1490h
|
||||
TpubN="now-60d"
|
||||
TactN="now-1413h"
|
||||
TretN="now"
|
||||
TremN="now+50h"
|
||||
TpubN1="now-27h"
|
||||
TactN1="now"
|
||||
TretN1="now+60d"
|
||||
TremN1="now+1490h"
|
||||
ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
zsktimes="-P ${TpubN} -A ${TpubN}"
|
||||
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
|
||||
$SETTIME -s -g $H -k $O $TpubN -r $O $TpubN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN -z $O $TpubN "$ZSK" >settime.out.$zone.3 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $KSK1 $KSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 3:
|
||||
# It is time to submit the DS.
|
||||
setup step3.ksk-doubleksk.$tld
|
||||
# According to RFC 7583:
|
||||
# Iret = DprpP + TTLds (+retire-safety)
|
||||
#
|
||||
# Iret = 50h
|
||||
# Tpub(N) = now - Lksk = now - 60d = now - 60d
|
||||
# Tact(N) = now - 1413h
|
||||
# Tret(N) = now
|
||||
# Trem(N) = now + Iret = now + 50h
|
||||
# Tpub(N+1) = now - IpubC = now - 27h
|
||||
# Tact(N+1) = now
|
||||
# Tret(N+1) = now + Lksk = now + 60d
|
||||
# Trem(N+1) = now + Lksk + Iret = now + 60d + 50h
|
||||
# = now + 1440h + 50h = 1490h
|
||||
TpubN="now-60d"
|
||||
TactN="now-1413h"
|
||||
TretN="now"
|
||||
TremN="now+50h"
|
||||
TpubN1="now-27h"
|
||||
TactN1="now"
|
||||
TretN1="now+60d"
|
||||
TremN1="now+1490h"
|
||||
ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
zsktimes="-P ${TpubN} -A ${TpubN}"
|
||||
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
|
||||
$SETTIME -s -g $H -k $O $TpubN -r $O $TpubN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TpubN -z $O $TpubN "$ZSK" >settime.out.$zone.3 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $KSK1 $KSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 4:
|
||||
# The DS should be swapped now.
|
||||
setup step4.ksk-doubleksk.autosign
|
||||
# Tpub(N) = now - Lksk - Iret = now - 60d - 50h
|
||||
# = now - 1440h - 50h = now - 1490h
|
||||
# Tact(N) = now - 1490h + 27h = now - 1463h
|
||||
# Tret(N) = now - Iret = now - 50h
|
||||
# Trem(N) = now
|
||||
# Tpub(N+1) = now - Iret - IpubC = now - 50h - 27h
|
||||
# = now - 77h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now + Lksk - Iret = now + 60d - 50h = now + 1390h
|
||||
# Trem(N+1) = now + Lksk = now + 60d
|
||||
TpubN="now-1490h"
|
||||
TactN="now-1463h"
|
||||
TretN="now-50h"
|
||||
TremN="now"
|
||||
TpubN1="now-77h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+1390h"
|
||||
TremN1="now+60d"
|
||||
ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
zsktimes="-P ${TpubN} -A ${TpubN}"
|
||||
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TretN -D ds $TretN "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $KSK1 $KSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 4:
|
||||
# The DS should be swapped now.
|
||||
setup step4.ksk-doubleksk.$tld
|
||||
# Tpub(N) = now - Lksk - Iret = now - 60d - 50h
|
||||
# = now - 1440h - 50h = now - 1490h
|
||||
# Tact(N) = now - 1490h + 27h = now - 1463h
|
||||
# Tret(N) = now - Iret = now - 50h
|
||||
# Trem(N) = now
|
||||
# Tpub(N+1) = now - Iret - IpubC = now - 50h - 27h
|
||||
# = now - 77h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now + Lksk - Iret = now + 60d - 50h = now + 1390h
|
||||
# Trem(N+1) = now + Lksk = now + 60d
|
||||
TpubN="now-1490h"
|
||||
TactN="now-1463h"
|
||||
TretN="now-50h"
|
||||
TremN="now"
|
||||
TpubN1="now-77h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+1390h"
|
||||
TremN1="now+60d"
|
||||
ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
zsktimes="-P ${TpubN} -A ${TpubN}"
|
||||
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
|
||||
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TretN -D ds $TretN "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $KSK1 $KSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 5:
|
||||
# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
|
||||
setup step5.ksk-doubleksk.autosign
|
||||
# Subtract DNSKEY TTL + zone-propagation-delay from all the times (3h).
|
||||
# Tpub(N) = now - 1490h - 3h = now - 1493h
|
||||
# Tact(N) = now - 1463h - 3h = now - 1466h
|
||||
# Tret(N) = now - 50h - 3h = now - 53h
|
||||
# Trem(N) = now - 3h
|
||||
# Tpub(N+1) = now - 77h - 3h = now - 80h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now + 1390h - 3h = now + 1387h
|
||||
# Trem(N+1) = now + 60d - 3h = now + 1441h
|
||||
TpubN="now-1493h"
|
||||
TactN="now-1466h"
|
||||
TretN="now-53h"
|
||||
TremN="now-3h"
|
||||
TpubN1="now-80h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+1387h"
|
||||
TremN1="now+1441h"
|
||||
ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
zsktimes="-P ${TpubN} -A ${TpubN}"
|
||||
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
|
||||
$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $KSK1 $KSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 5:
|
||||
# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
|
||||
setup step5.ksk-doubleksk.$tld
|
||||
# Subtract DNSKEY TTL + zone-propagation-delay from all the times (3h).
|
||||
# Tpub(N) = now - 1490h - 3h = now - 1493h
|
||||
# Tact(N) = now - 1463h - 3h = now - 1466h
|
||||
# Tret(N) = now - 50h - 3h = now - 53h
|
||||
# Trem(N) = now - 3h
|
||||
# Tpub(N+1) = now - 77h - 3h = now - 80h
|
||||
# Tact(N+1) = Tret(N)
|
||||
# Tret(N+1) = now + 1390h - 3h = now + 1387h
|
||||
# Trem(N+1) = now + 60d - 3h = now + 1441h
|
||||
TpubN="now-1493h"
|
||||
TactN="now-1466h"
|
||||
TretN="now-53h"
|
||||
TremN="now-3h"
|
||||
TpubN1="now-80h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+1387h"
|
||||
TremN1="now+1441h"
|
||||
ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
zsktimes="-P ${TpubN} -A ${TpubN}"
|
||||
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
|
||||
$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $KSK1 $KSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 6:
|
||||
# The predecessor DNSKEY can be purged.
|
||||
setup step6.ksk-doubleksk.autosign
|
||||
# Subtract purge-keys interval from all the times (1h).
|
||||
TpubN="now-1494h"
|
||||
TactN="now-1467h"
|
||||
TretN="now-54h"
|
||||
TremN="now-4h"
|
||||
TpubN1="now-81h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+1386h"
|
||||
TremN1="now+1440h"
|
||||
ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
zsktimes="-P ${TpubN} -A ${TpubN}"
|
||||
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
|
||||
$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $KSK1 $KSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 6:
|
||||
# The predecessor DNSKEY can be purged.
|
||||
setup step6.ksk-doubleksk.$tld
|
||||
# Subtract purge-keys interval from all the times (1h).
|
||||
TpubN="now-1494h"
|
||||
TactN="now-1467h"
|
||||
TretN="now-54h"
|
||||
TremN="now-4h"
|
||||
TpubN1="now-81h"
|
||||
TactN1="${TretN}"
|
||||
TretN1="now+1386h"
|
||||
TremN1="now+1440h"
|
||||
ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
|
||||
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TactN1} -I ${TretN1} -D ${TremN1}"
|
||||
zsktimes="-P ${TpubN} -A ${TpubN}"
|
||||
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
|
||||
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
|
||||
$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $KSK1 $KSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
done
|
||||
|
||||
@ -30,7 +30,7 @@ from rollover.common import (
|
||||
|
||||
|
||||
CDSS = ["CDS (SHA-256)"]
|
||||
POLICY = "ksk-doubleksk"
|
||||
POLICY = "ksk-doubleksk-autosign"
|
||||
OFFSETS = {}
|
||||
OFFSETS["step1-p"] = -int(TIMEDELTA["P7D"].total_seconds())
|
||||
OFFSETS["step2-p"] = -int(KSK_LIFETIME.total_seconds() - KSK_IPUBC.total_seconds())
|
||||
|
||||
@ -11,7 +11,28 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
dnssec-policy "zsk-prepub" {
|
||||
dnssec-policy "zsk-prepub-autosign" {
|
||||
signatures-refresh P1W;
|
||||
signatures-validity P2W;
|
||||
signatures-validity-dnskey P2W;
|
||||
|
||||
dnskey-ttl 3600;
|
||||
publish-safety P1D;
|
||||
retire-safety P2D;
|
||||
purge-keys PT1H;
|
||||
|
||||
keys {
|
||||
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
|
||||
zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@;
|
||||
};
|
||||
|
||||
zone-propagation-delay PT1H;
|
||||
max-zone-ttl 1d;
|
||||
};
|
||||
|
||||
dnssec-policy "zsk-prepub-manual" {
|
||||
manual-mode yes;
|
||||
|
||||
signatures-refresh P1W;
|
||||
signatures-validity P2W;
|
||||
signatures-validity-dnskey P2W;
|
||||
|
||||
@ -11,36 +11,40 @@
|
||||
* information regarding copyright ownership.
|
||||
*/
|
||||
|
||||
{% set zones = ["autosign", "manual"] %}
|
||||
|
||||
include "kasp.conf";
|
||||
include "named.common.conf";
|
||||
|
||||
zone "step1.zsk-prepub.autosign" {
|
||||
{% for tld in zones %}
|
||||
zone "step1.zsk-prepub.@tld@" {
|
||||
type primary;
|
||||
file "step1.zsk-prepub.autosign.db";
|
||||
dnssec-policy "zsk-prepub";
|
||||
file "step1.zsk-prepub.@tld@.db";
|
||||
dnssec-policy "zsk-prepub-@tld@";
|
||||
};
|
||||
zone "step2.zsk-prepub.autosign" {
|
||||
zone "step2.zsk-prepub.@tld@" {
|
||||
type primary;
|
||||
file "step2.zsk-prepub.autosign.db";
|
||||
dnssec-policy "zsk-prepub";
|
||||
file "step2.zsk-prepub.@tld@.db";
|
||||
dnssec-policy "zsk-prepub-@tld@";
|
||||
};
|
||||
zone "step3.zsk-prepub.autosign" {
|
||||
zone "step3.zsk-prepub.@tld@" {
|
||||
type primary;
|
||||
file "step3.zsk-prepub.autosign.db";
|
||||
dnssec-policy "zsk-prepub";
|
||||
file "step3.zsk-prepub.@tld@.db";
|
||||
dnssec-policy "zsk-prepub-@tld@";
|
||||
};
|
||||
zone "step4.zsk-prepub.autosign" {
|
||||
zone "step4.zsk-prepub.@tld@" {
|
||||
type primary;
|
||||
file "step4.zsk-prepub.autosign.db";
|
||||
dnssec-policy "zsk-prepub";
|
||||
file "step4.zsk-prepub.@tld@.db";
|
||||
dnssec-policy "zsk-prepub-@tld@";
|
||||
};
|
||||
zone "step5.zsk-prepub.autosign" {
|
||||
zone "step5.zsk-prepub.@tld@" {
|
||||
type primary;
|
||||
file "step5.zsk-prepub.autosign.db";
|
||||
dnssec-policy "zsk-prepub";
|
||||
file "step5.zsk-prepub.@tld@.db";
|
||||
dnssec-policy "zsk-prepub-@tld@";
|
||||
};
|
||||
zone "step6.zsk-prepub.autosign" {
|
||||
zone "step6.zsk-prepub.@tld@" {
|
||||
type primary;
|
||||
file "step6.zsk-prepub.autosign.db";
|
||||
dnssec-policy "zsk-prepub";
|
||||
file "step6.zsk-prepub.@tld@.db";
|
||||
dnssec-policy "zsk-prepub-@tld@";
|
||||
};
|
||||
{% endfor %}
|
||||
|
||||
@ -40,177 +40,179 @@ O="OMNIPRESENT"
|
||||
U="UNRETENTIVE"
|
||||
|
||||
#
|
||||
# The zones at zsk-prepub.autosign represent the various steps of a ZSK
|
||||
# The zones at zsk-prepub.$tld represent the various steps of a ZSK
|
||||
# Pre-Publication rollover.
|
||||
#
|
||||
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.zsk-prepub.autosign
|
||||
TactN="now-7d"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $keytimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
|
||||
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
for tld in autosign manual; do
|
||||
# Step 1:
|
||||
# Introduce the first key. This will immediately be active.
|
||||
setup step1.zsk-prepub.$tld
|
||||
TactN="now-7d"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $keytimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
|
||||
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 2:
|
||||
# It is time to pre-publish the successor ZSK.
|
||||
setup step2.zsk-prepub.autosign
|
||||
# According to RFC 7583:
|
||||
# Tact(N) = now + Ipub - Lzsk = now + 26h - 30d
|
||||
# = now + 26h - 30d = now − 694h
|
||||
TactN="now-694h"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $keytimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
|
||||
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 2:
|
||||
# It is time to pre-publish the successor ZSK.
|
||||
setup step2.zsk-prepub.$tld
|
||||
# According to RFC 7583:
|
||||
# Tact(N) = now + Ipub - Lzsk = now + 26h - 30d
|
||||
# = now + 26h - 30d = now − 694h
|
||||
TactN="now-694h"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $keytimes $zone 2>keygen.out.$zone.2)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
|
||||
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 3:
|
||||
# After the publication interval has passed the DNSKEY of the successor ZSK
|
||||
# is OMNIPRESENT and the zone can thus be signed with the successor ZSK.
|
||||
setup step3.zsk-prepub.autosign
|
||||
# According to RFC 7583:
|
||||
# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
|
||||
# Tact(N+1) = Tact(N) + Lzsk
|
||||
#
|
||||
# Tact(N) = now - Lzsk = now - 30d
|
||||
# Tpub(N+1) = now - Ipub = now - 26h
|
||||
# Tact(N+1) = now
|
||||
# Tret(N) = now
|
||||
# Trem(N) = now + Iret = now + Dsign + Dprp + TTLsig + retire-safety = 8d1h = now + 241h
|
||||
TactN="now-30d"
|
||||
TpubN1="now-26h"
|
||||
TactN1="now"
|
||||
TremN="now+241h"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
|
||||
newtimes="-P ${TpubN1} -A ${TactN1}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" >settime.out.$zone.3 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $ZSK1 $ZSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 3:
|
||||
# After the publication interval has passed the DNSKEY of the successor ZSK
|
||||
# is OMNIPRESENT and the zone can thus be signed with the successor ZSK.
|
||||
setup step3.zsk-prepub.$tld
|
||||
# According to RFC 7583:
|
||||
# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
|
||||
# Tact(N+1) = Tact(N) + Lzsk
|
||||
#
|
||||
# Tact(N) = now - Lzsk = now - 30d
|
||||
# Tpub(N+1) = now - Ipub = now - 26h
|
||||
# Tact(N+1) = now
|
||||
# Tret(N) = now
|
||||
# Trem(N) = now + Iret = now + Dsign + Dprp + TTLsig + retire-safety = 8d1h = now + 241h
|
||||
TactN="now-30d"
|
||||
TpubN1="now-26h"
|
||||
TactN1="now"
|
||||
TremN="now+241h"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
|
||||
newtimes="-P ${TpubN1} -A ${TactN1}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" >settime.out.$zone.3 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $ZSK1 $ZSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 4:
|
||||
# After the retire interval has passed the predecessor DNSKEY can be
|
||||
# removed from the zone.
|
||||
setup step4.zsk-prepub.autosign
|
||||
# Lzsk: 30d
|
||||
# Ipub: 26h
|
||||
# Dsgn: 1w
|
||||
# Dprp: 1h
|
||||
# TTLsig: 1d
|
||||
# retire-safety: 2d
|
||||
#
|
||||
# According to RFC 7583:
|
||||
# Iret = Dsgn + Dprp + TTLsig (+retire-safety)
|
||||
# Iret = 1w + 1h + 1d + 2d = 10d1h = 241h
|
||||
#
|
||||
# Tact(N) = now - Iret - Lzsk
|
||||
# = now - 241h - 30d = now - 241h - 720h
|
||||
# = now - 961h
|
||||
# Tpub(N+1) = now - Iret - Ipub
|
||||
# = now - 241h - 26h
|
||||
# = now - 267h
|
||||
# Tact(N+1) = now - Iret = now - 241h
|
||||
TactN="now-961h"
|
||||
TpubN1="now-267h"
|
||||
TactN1="now-241h"
|
||||
TremN="now"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
|
||||
newtimes="-P ${TpubN1} -A ${TactN1}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $O $TactN -z $U $TactN1 "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" >settime.out.$zone.3 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $ZSK1 $ZSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 4:
|
||||
# After the retire interval has passed the predecessor DNSKEY can be
|
||||
# removed from the zone.
|
||||
setup step4.zsk-prepub.$tld
|
||||
# Lzsk: 30d
|
||||
# Ipub: 26h
|
||||
# Dsgn: 1w
|
||||
# Dprp: 1h
|
||||
# TTLsig: 1d
|
||||
# retire-safety: 2d
|
||||
#
|
||||
# According to RFC 7583:
|
||||
# Iret = Dsgn + Dprp + TTLsig (+retire-safety)
|
||||
# Iret = 1w + 1h + 1d + 2d = 10d1h = 241h
|
||||
#
|
||||
# Tact(N) = now - Iret - Lzsk
|
||||
# = now - 241h - 30d = now - 241h - 720h
|
||||
# = now - 961h
|
||||
# Tpub(N+1) = now - Iret - Ipub
|
||||
# = now - 241h - 26h
|
||||
# = now - 267h
|
||||
# Tact(N+1) = now - Iret = now - 241h
|
||||
TactN="now-961h"
|
||||
TpubN1="now-267h"
|
||||
TactN1="now-241h"
|
||||
TremN="now"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
|
||||
newtimes="-P ${TpubN1} -A ${TactN1}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $O $TactN -z $U $TactN1 "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" >settime.out.$zone.3 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $ZSK1 $ZSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 5:
|
||||
# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
|
||||
setup step5.zsk-prepub.autosign
|
||||
# Subtract DNSKEY TTL + zone-propagation-delay from all the times (2h).
|
||||
# Tact(N) = now - 961h - 2h = now - 963h
|
||||
# Tpub(N+1) = now - 267h - 2h = now - 269h
|
||||
# Tact(N+1) = now - 241h - 2h = now - 243h
|
||||
# Trem(N) = Tact(N+1) + Iret = now -2h
|
||||
TactN="now-963h"
|
||||
TremN="now-2h"
|
||||
TpubN1="now-269h"
|
||||
TactN1="now-243h"
|
||||
TremN="now-2h"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
|
||||
newtimes="-P ${TpubN1} -A ${TactN1}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $U $TremN -z $H $TremN "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -z $O $TremN "$ZSK2" >settime.out.$zone.3 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $ZSK1 $ZSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 5:
|
||||
# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
|
||||
setup step5.zsk-prepub.$tld
|
||||
# Subtract DNSKEY TTL + zone-propagation-delay from all the times (2h).
|
||||
# Tact(N) = now - 961h - 2h = now - 963h
|
||||
# Tpub(N+1) = now - 267h - 2h = now - 269h
|
||||
# Tact(N+1) = now - 241h - 2h = now - 243h
|
||||
# Trem(N) = Tact(N+1) + Iret = now -2h
|
||||
TactN="now-963h"
|
||||
TremN="now-2h"
|
||||
TpubN1="now-269h"
|
||||
TactN1="now-243h"
|
||||
TremN="now-2h"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
|
||||
newtimes="-P ${TpubN1} -A ${TactN1}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $U $TremN -z $H $TremN "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -z $O $TremN "$ZSK2" >settime.out.$zone.3 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $ZSK1 $ZSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
|
||||
# Step 6:
|
||||
# The predecessor DNSKEY can be purged.
|
||||
setup step6.zsk-prepub.autosign
|
||||
# Subtract purge-keys interval from all the times (1h).
|
||||
TactN="now-964h"
|
||||
TremN="now-3h"
|
||||
TpubN1="now-270h"
|
||||
TactN1="now-244h"
|
||||
TremN="now-3h"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
|
||||
newtimes="-P ${TpubN1} -A ${TactN1}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $H $TremN -z $H $TremN "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -z $O $TremN "$ZSK2" >settime.out.$zone.3 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $ZSK1 $ZSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
# Step 6:
|
||||
# The predecessor DNSKEY can be purged.
|
||||
setup step6.zsk-prepub.$tld
|
||||
# Subtract purge-keys interval from all the times (1h).
|
||||
TactN="now-964h"
|
||||
TremN="now-3h"
|
||||
TpubN1="now-270h"
|
||||
TactN1="now-244h"
|
||||
TremN="now-3h"
|
||||
keytimes="-P ${TactN} -A ${TactN}"
|
||||
oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
|
||||
newtimes="-P ${TpubN1} -A ${TactN1}"
|
||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
|
||||
ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
|
||||
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
|
||||
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
|
||||
$SETTIME -s -g $H -k $H $TremN -z $H $TremN "$ZSK1" >settime.out.$zone.2 2>&1
|
||||
$SETTIME -s -g $O -k $O $TactN1 -z $O $TremN "$ZSK2" >settime.out.$zone.3 2>&1
|
||||
# Set key rollover relationship.
|
||||
key_successor $ZSK1 $ZSK2
|
||||
# Sign zone.
|
||||
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
|
||||
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
|
||||
cp $infile $zonefile
|
||||
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
|
||||
done
|
||||
|
||||
@ -34,7 +34,7 @@ CONFIG = {
|
||||
"signatures-validity": TIMEDELTA["P14D"],
|
||||
"zone-propagation-delay": TIMEDELTA["PT1H"],
|
||||
}
|
||||
POLICY = "zsk-prepub"
|
||||
POLICY = "zsk-prepub-autosign"
|
||||
ZSK_LIFETIME = TIMEDELTA["P30D"]
|
||||
LIFETIME_POLICY = int(ZSK_LIFETIME.total_seconds())
|
||||
IPUB = Ipub(CONFIG)
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user