mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-29 13:38:26 +00:00
Code Issues Releases Wiki Activity

Fix wrong usage of safety intervals in keymgr

Browse Source 
There are a couple of cases where the safety intervals are added
inappropriately:

1. When setting the PublishCDS/SyncPublish timing metadata, we don't
   need to add the publish-safety value if we are calculating the time
   when the zone is completely signed for the first time. This value
   is for when the DNSKEY has been published and we add a safety
   interval before considering the DNSKEY omnipresent.

2. The retire-safety value should only be added to ZSK rollovers if
   there is an actual rollover happening, similar to adding the sign
   delay.

3. The retire-safety value should only be added to KSK rollovers if
   there is an actual rollover happening. We consider the new DS
   omnipresent a bit later, so that we are forced to keep the old DS
   a bit longer.
This commit is contained in:
Matthijs Mekking 2025-03-03 12:07:03 +01:00
parent ef671919d5
commit 63edc4435f
4 changed files with 194 additions and 202 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
bin/tests/system/kasp/ns3/setup.sh
View File

@ -350,10 +350,9 @@ setup step2.enable-dnssec.autosign
TpubN="now-900s" TpubN="now-900s"
# RRSIG TTL: 12 hour (43200 seconds) # RRSIG TTL: 12 hour (43200 seconds)
# zone-propagation-delay: 5 minutes (300 seconds) # zone-propagation-delay: 5 minutes (300 seconds)
# retire-safety: 20 minutes (1200 seconds)
# Already passed time: -900 seconds # Already passed time: -900 seconds
# Total: 43800 seconds # Total: 42600 seconds
TsbmN="now+43800s" TsbmN="now+42600s"
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1) CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1)
$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
@ -365,10 +364,10 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $i
# Step 3: # Step 3:
# The zone signatures have been published long enough to become OMNIPRESENT. # The zone signatures have been published long enough to become OMNIPRESENT.
setup step3.enable-dnssec.autosign setup step3.enable-dnssec.autosign
# Passed time since publications: 43800 + 900 = 44700 seconds. # Passed time since publications: 42600 + 900 = 43500 seconds.
TpubN="now-44700s" TpubN="now-43500s"
# The key is secure for using in chain of trust when the DNSKEY is OMNIPRESENT. # The key is secure for using in chain of trust when the DNSKEY is OMNIPRESENT.
TcotN="now-43800s" TcotN="now-42600s"
# We can submit the DS now. # We can submit the DS now.
TsbmN="now" TsbmN="now"
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"

82
bin/tests/system/kasp/ns6/setup.sh
View File

@ -127,9 +127,9 @@ setup step2.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours. # The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h" TactN="now-3h"
TpubN1="now-3h" TpubN1="now-3h"
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety = # Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp =
# now - 3h + 6h + 1h + 1h = now + 5h # now - 3h + 6h + 1h = now + 4h
TsbmN1="now+5h" TsbmN1="now+4h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now" ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
zsk1times="-P ${TactN} -A ${TactN} -I now" zsk1times="-P ${TactN} -A ${TactN} -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@ -156,11 +156,11 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
# Step 3: # Step 3:
# The zone signatures are also OMNIPRESENT. # The zone signatures are also OMNIPRESENT.
setup step3.algorithm-roll.kasp setup step3.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours. # The time passed since the new algorithm keys have been introduced is 7 hours.
TactN="now-9h" TactN="now-7h"
TretN="now-6h" TretN="now-3h"
TpubN1="now-9h" TpubN1="now-7h"
TsbmN1="now-1h" TsbmN1="now"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@ -188,11 +188,11 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
# The DS is swapped and can become OMNIPRESENT. # The DS is swapped and can become OMNIPRESENT.
setup step4.algorithm-roll.kasp setup step4.algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours. # The time passed since the DS has been swapped is 29 hours.
TactN="now-38h" TactN="now-36h"
TretN="now-35h" TretN="now-33h"
TpubN1="now-38h" TpubN1="now-36h"
TsbmN1="now-30h" TsbmN1="now-29h"
TactN1="now-29h" TactN1="now-27h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@ -220,12 +220,12 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
# The DNSKEY is removed long enough to be HIDDEN. # The DNSKEY is removed long enough to be HIDDEN.
setup step5.algorithm-roll.kasp setup step5.algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours. # The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h" TactN="now-38h"
TretN="now-37h" TretN="now-35h"
TremN="now-2h" TremN="now-2h"
TpubN1="now-40h" TpubN1="now-38h"
TsbmN1="now-32h" TsbmN1="now-31h"
TactN1="now-31h" TactN1="now-29h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@ -253,13 +253,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
# The RRSIGs have been removed long enough to be HIDDEN. # The RRSIGs have been removed long enough to be HIDDEN.
setup step6.algorithm-roll.kasp setup step6.algorithm-roll.kasp
# Additional time passed: 7h. # Additional time passed: 7h.
TactN="now-47h" TactN="now-45h"
TretN="now-44h" TretN="now-42h"
TremN="now-7h" TremN="now-7h"
TpubN1="now-47h" TpubN1="now-45h"
TsbmN1="now-39h" TsbmN1="now-38h"
TactN1="now-38h" TactN1="now-36h"
TdeaN="now-9h" TdeaN="now-7h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
@ -324,11 +324,11 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
# Step 3: # Step 3:
# The zone signatures are also OMNIPRESENT. # The zone signatures are also OMNIPRESENT.
setup step3.csk-algorithm-roll.kasp setup step3.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours. # The time passed since the new algorithm keys have been introduced is 7 hours.
TactN="now-9h" TactN="now-7h"
TretN="now-6h" TretN="now-3h"
TpubN1="now-9h" TpubN1="now-7h"
TactN1="now-6h" TactN1="now-3h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}" newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1) CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
@ -347,10 +347,10 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
# The DS is swapped and can become OMNIPRESENT. # The DS is swapped and can become OMNIPRESENT.
setup step4.csk-algorithm-roll.kasp setup step4.csk-algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours. # The time passed since the DS has been swapped is 29 hours.
TactN="now-38h" TactN="now-36h"
TretN="now-35h" TretN="now-33h"
TpubN1="now-38h" TpubN1="now-36h"
TactN1="now-35h" TactN1="now-33h"
TsubN1="now-29h" TsubN1="now-29h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}" newtimes="-P ${TpubN1} -A ${TpubN1}"
@ -370,11 +370,11 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
# The DNSKEY is removed long enough to be HIDDEN. # The DNSKEY is removed long enough to be HIDDEN.
setup step5.csk-algorithm-roll.kasp setup step5.csk-algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours. # The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h" TactN="now-38h"
TretN="now-37h" TretN="now-35h"
TremN="now-2h" TremN="now-2h"
TpubN1="now-40h" TpubN1="now-38h"
TactN1="now-37h" TactN1="now-35h"
TsubN1="now-31h" TsubN1="now-31h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}" newtimes="-P ${TpubN1} -A ${TpubN1}"
@ -394,12 +394,12 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
# The RRSIGs have been removed long enough to be HIDDEN. # The RRSIGs have been removed long enough to be HIDDEN.
setup step6.csk-algorithm-roll.kasp setup step6.csk-algorithm-roll.kasp
# Additional time passed: 7h. # Additional time passed: 7h.
TactN="now-47h" TactN="now-45h"
TretN="now-44h" TretN="now-42h"
TdeaN="now-9h" TdeaN="now-9h"
TremN="now-7h" TremN="now-7h"
TpubN1="now-47h" TpubN1="now-45h"
TactN1="now-44h" TactN1="now-42h"
TsubN1="now-38h" TsubN1="now-38h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}" newtimes="-P ${TpubN1} -A ${TpubN1}"

245
bin/tests/system/kasp/tests.sh
View File

@ -275,9 +275,8 @@ set_keytimes_csk_policy() {
set_keytime "KEY1" "ACTIVE" "${created}" set_keytime "KEY1" "ACTIVE" "${created}"
# The DS can be published if the DNSKEY and RRSIG records are # The DS can be published if the DNSKEY and RRSIG records are
# OMNIPRESENT. This happens after max-zone-ttl (1d) plus # OMNIPRESENT. This happens after max-zone-ttl (1d) plus
# publish-safety (1h) plus zone-propagation-delay (300s) = # zone-propagation-delay (300s) = 86400 + 300 = 86700.
# 86400 + 3600 + 300 = 90300. set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 86700
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300
# Key lifetime is unlimited, so not setting RETIRED and REMOVED. # Key lifetime is unlimited, so not setting RETIRED and REMOVED.
} }
@ -769,9 +768,8 @@ set_keytimes_algorithm_policy() {
# The DS can be published if the DNSKEY and RRSIG records are # The DS can be published if the DNSKEY and RRSIG records are
# OMNIPRESENT. This happens after max-zone-ttl (1d) plus # OMNIPRESENT. This happens after max-zone-ttl (1d) plus
# publish-safety (1h) plus zone-propagation-delay (300s) = # zone-propagation-delay (300s) = 86400 + 300 = 86700.
# 86400 + 3600 + 300 = 90300. set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 86700
set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
# Key lifetime is 10 years, 315360000 seconds. # Key lifetime is 10 years, 315360000 seconds.
set_addkeytime "KEY1" "RETIRED" "${published}" 315360000 set_addkeytime "KEY1" "RETIRED" "${published}" 315360000
# The key is removed after the retire time plus DS TTL (1d), # The key is removed after the retire time plus DS TTL (1d),
@ -1720,10 +1718,10 @@ published=$(awk '{print $3}' <published.test${n}.key1)
set_keytime "KEY1" "PUBLISHED" "${published}" set_keytime "KEY1" "PUBLISHED" "${published}"
set_keytime "KEY1" "ACTIVE" "${published}" set_keytime "KEY1" "ACTIVE" "${published}"
published=$(key_get KEY1 PUBLISHED) published=$(key_get KEY1 PUBLISHED)
# The DS can be published if the DNSKEY and RRSIG records are OMNIPRESENT. # The DS can be published if the zone is fully signed.
# This happens after max-zone-ttl (1d) plus publish-safety (1h) plus # This happens after max-zone-ttl (1d) plus
# zone-propagation-delay (300s) = 86400 + 3600 + 300 = 90300. # zone-propagation-delay (300s) = 86400 + 300 = 86700.
set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300 set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 86700
# Key lifetime is 6 months, 315360000 seconds. # Key lifetime is 6 months, 315360000 seconds.
set_addkeytime "KEY1" "RETIRED" "${published}" 16070400 set_addkeytime "KEY1" "RETIRED" "${published}" 16070400
# The key is removed after the retire time plus DS TTL (1d), parent # The key is removed after the retire time plus DS TTL (1d), parent
@ -2486,9 +2484,9 @@ set_keytime "KEY1" "PUBLISHED" "${created}"
set_keytime "KEY1" "ACTIVE" "${created}" set_keytime "KEY1" "ACTIVE" "${created}"
# - The DS can be published if the DNSKEY and RRSIG records are # - The DS can be published if the DNSKEY and RRSIG records are
# OMNIPRESENT. This happens after max-zone-ttl (12h) plus # OMNIPRESENT. This happens after max-zone-ttl (12h) plus
# publish-safety (5m) plus zone-propagation-delay (5m) = # plus zone-propagation-delay (5m) =
# 43200 + 300 + 300 = 43800. # 43200 + 300 = 43500.
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43500
# - Key lifetime is unlimited, so not setting RETIRED and REMOVED. # - Key lifetime is unlimited, so not setting RETIRED and REMOVED.
# Various signing policy checks. # Various signing policy checks.
@ -2556,7 +2554,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
created=$(key_get KEY1 CREATED) created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -900 set_addkeytime "KEY1" "PUBLISHED" "${created}" -900
set_addkeytime "KEY1" "ACTIVE" "${created}" -900 set_addkeytime "KEY1" "ACTIVE" "${created}" -900
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 42600
# Continue signing policy checks. # Continue signing policy checks.
check_keytimes check_keytimes
@ -2566,8 +2564,8 @@ dnssec_verify
# Next key event is when the zone signatures become OMNIPRESENT: max-zone-ttl # Next key event is when the zone signatures become OMNIPRESENT: max-zone-ttl
# plus zone propagation delay plus retire safety minus the already elapsed # plus zone propagation delay plus retire safety minus the already elapsed
# 900 seconds: 12h + 300s + 20m - 900 = 44700 - 900 = 43800 seconds # 900 seconds: 12h + 300s + 20m - 900 = 43500 - 900 = 42600 seconds
check_next_key_event 43800 check_next_key_event 42600
# #
# Zone: step3.enable-dnssec.autosign. # Zone: step3.enable-dnssec.autosign.
@ -2584,10 +2582,10 @@ check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Set expected key times: # Set expected key times:
# - The key was published and activated 44700 seconds ago (with settime). # - The key was published and activated 43500 seconds ago (with settime).
created=$(key_get KEY1 CREATED) created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700 set_addkeytime "KEY1" "PUBLISHED" "${created}" -43500
set_addkeytime "KEY1" "ACTIVE" "${created}" -44700 set_addkeytime "KEY1" "ACTIVE" "${created}" -43500
set_keytime "KEY1" "SYNCPUBLISH" "${created}" set_keytime "KEY1" "SYNCPUBLISH" "${created}"
# Continue signing policy checks. # Continue signing policy checks.
@ -2603,8 +2601,8 @@ check_cdslog "$DIR" "$ZONE" KEY1
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "published" "$ZONE" rndc_checkds "$SERVER" "$DIR" KEY1 "now" "published" "$ZONE"
# Next key event is when the DS can move to the OMNIPRESENT state. This occurs # Next key event is when the DS can move to the OMNIPRESENT state. This occurs
# when the parent propagation delay have passed, plus the DS TTL and retire # when the parent propagation delay have passed, plus the DS TTL and retire
# safety delay: 1h + 2h + 20m = 3h20m = 12000 seconds # safety delay: 1h + 2h = 3h = 10800 seconds
check_next_key_event 12000 check_next_key_event 10800
# #
# Zone: step4.enable-dnssec.autosign. # Zone: step4.enable-dnssec.autosign.
@ -4388,9 +4386,9 @@ check_subdomain
dnssec_verify dnssec_verify
# Next key event is when the DS becomes HIDDEN. This happens after the # Next key event is when the DS becomes HIDDEN. This happens after the
# parent propagation delay, retire safety delay, and DS TTL: # parent propagation delay, and DS TTL:
# 1h + 1h + 1d = 26h = 93600 seconds. # 1h + 1d = 25h = 90000 seconds.
check_next_key_event 93600 check_next_key_event 90000
# #
# Zone: step2.going-insecure.kasp # Zone: step2.going-insecure.kasp
@ -4456,8 +4454,8 @@ dnssec_verify
# Next key event is when the DS becomes HIDDEN. This happens after the # Next key event is when the DS becomes HIDDEN. This happens after the
# parent propagation delay, retire safety delay, and DS TTL: # parent propagation delay, retire safety delay, and DS TTL:
# 1h + 1h + 1d = 26h = 93600 seconds. # 1h + 1d = 25h = 90000 seconds.
check_next_key_event 93600 check_next_key_event 90000
# #
# Zone: step2.going-insecure-dynamic.kasp # Zone: step2.going-insecure-dynamic.kasp
@ -4651,12 +4649,11 @@ set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
created=$(key_get KEY3 CREATED) created=$(key_get KEY3 CREATED)
set_keytime "KEY3" "PUBLISHED" "${created}" set_keytime "KEY3" "PUBLISHED" "${created}"
set_keytime "KEY3" "ACTIVE" "${created}" set_keytime "KEY3" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone. # - It takes TTLsig + Dprp to propagate the zone.
# TTLsig: 6h (39600 seconds) # TTLsig: 6h (39600 seconds)
# Dprp: 1h (3600 seconds) # Dprp: 1h (3600 seconds)
# publish-safety: 1h (3600 seconds) # Ipub: 7h (25200 seconds)
# Ipub: 8h (28800 seconds) Ipub=25200
Ipub=28800
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
# - The new ZSK is published and activated. # - The new ZSK is published and activated.
created=$(key_get KEY4 CREATED) created=$(key_get KEY4 CREATED)
@ -4725,12 +4722,12 @@ dnssec_verify
# Next key event is when all zone signatures are signed with the new # Next key event is when all zone signatures are signed with the new
# algorithm. This is the max-zone-ttl plus zone propagation delay # algorithm. This is the max-zone-ttl plus zone propagation delay
# plus retire safety: 6h + 1h + 2h. But three hours have already passed # 6h + 1h. But three hours have already passed (the time it took to
# (the time it took to make the DNSKEY omnipresent), so the next event # make the DNSKEY omnipresent), so the next event should be scheduled
# should be scheduled in 6 hour: 21600 seconds. Prevent intermittent # in 4 hour: 14400 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds # false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'. # which passed between key creation and invoking 'rndc reconfig'.
next_time=$((21600 - time_passed)) next_time=$((14400 - time_passed))
check_next_key_event $next_time check_next_key_event $next_time
# #
@ -4753,28 +4750,28 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_cdslog "$DIR" "$ZONE" KEY3 check_cdslog "$DIR" "$ZONE" KEY3
# Set expected key times: # Set expected key times:
# - The old keys were activated 9 hours ago (32400 seconds). # - The old keys were activated 7 hours ago (25200 seconds).
rollover_predecessor_keytimes -32400 rollover_predecessor_keytimes -25200
# - And retired 6 hours ago (21600 seconds). # - And retired 3 hours ago (10800 seconds).
created=$(key_get KEY1 CREATED) created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -21600 set_addkeytime "KEY1" "RETIRED" "${created}" -10800
retired=$(key_get KEY1 RETIRED) retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
created=$(key_get KEY2 CREATED) created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "RETIRED" "${created}" -21600 set_addkeytime "KEY2" "RETIRED" "${created}" -10800
retired=$(key_get KEY2 RETIRED) retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new keys are published 9 hours ago. # - The new keys are published 7 hours ago.
created=$(key_get KEY3 CREATED) created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400 set_addkeytime "KEY3" "PUBLISHED" "${created}" -25200
set_addkeytime "KEY3" "ACTIVE" "${created}" -32400 set_addkeytime "KEY3" "ACTIVE" "${created}" -25200
published=$(key_get KEY3 PUBLISHED) published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
created=$(key_get KEY4 CREATED) created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400 set_addkeytime "KEY4" "PUBLISHED" "${created}" -25200
set_addkeytime "KEY4" "ACTIVE" "${created}" -32400 set_addkeytime "KEY4" "ACTIVE" "${created}" -25200
# Continue signing policy checks. # Continue signing policy checks.
check_keytimes check_keytimes
@ -4787,9 +4784,9 @@ dnssec_verify
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE" rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE" rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
# Next key event is when the DS becomes OMNIPRESENT. This happens after the # Next key event is when the DS becomes OMNIPRESENT. This happens after the
# parent propagation delay, retire safety delay, and DS TTL: # parent propagation delay, and DS TTL:
# 1h + 2h + 2h = 5h = 18000 seconds. # 1h + 2h = 3h = 10800 seconds.
check_next_key_event 18000 check_next_key_event 10800
# #
# Zone: step4.algorithm-roll.kasp # Zone: step4.algorithm-roll.kasp
@ -4816,29 +4813,29 @@ wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Set expected key times: # Set expected key times:
# - The old keys were activated 38 hours ago (136800 seconds). # - The old keys were activated 36 hours ago (129600 seconds).
rollover_predecessor_keytimes -136800 rollover_predecessor_keytimes -129600
# - And retired 35 hours ago (126000 seconds). # - And retired 33 hours ago (118800 seconds).
created=$(key_get KEY1 CREATED) created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -126000 set_addkeytime "KEY1" "RETIRED" "${created}" -118800
retired=$(key_get KEY1 RETIRED) retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
created=$(key_get KEY2 CREATED) created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "RETIRED" "${created}" -126000 set_addkeytime "KEY2" "RETIRED" "${created}" -118800
retired=$(key_get KEY2 RETIRED) retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new keys are published 38 hours ago. # - The new keys are published 36 hours ago.
created=$(key_get KEY3 CREATED) created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800 set_addkeytime "KEY3" "PUBLISHED" "${created}" -129600
set_addkeytime "KEY3" "ACTIVE" "${created}" -136800 set_addkeytime "KEY3" "ACTIVE" "${created}" -129600
published=$(key_get KEY3 PUBLISHED) published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
created=$(key_get KEY4 CREATED) created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800 set_addkeytime "KEY4" "PUBLISHED" "${created}" -129600
set_addkeytime "KEY4" "ACTIVE" "${created}" -136800 set_addkeytime "KEY4" "ACTIVE" "${created}" -129600
# Continue signing policy checks. # Continue signing policy checks.
check_keytimes check_keytimes
@ -4867,29 +4864,29 @@ wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Set expected key times: # Set expected key times:
# - The old keys were activated 40 hours ago (144000 seconds) # - The old keys were activated 38 hours ago (136800 seconds)
rollover_predecessor_keytimes -144000 rollover_predecessor_keytimes -136800
# - And retired 37 hours ago (133200 seconds). # - And retired 35 hours ago (126000 seconds).
created=$(key_get KEY1 CREATED) created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -133200 set_addkeytime "KEY1" "RETIRED" "${created}" -126000
retired=$(key_get KEY1 RETIRED) retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
created=$(key_get KEY2 CREATED) created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "RETIRED" "${created}" -133200 set_addkeytime "KEY2" "RETIRED" "${created}" -126000
retired=$(key_get KEY2 RETIRED) retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# The new keys are published 40 hours ago. # The new keys are published 40 hours ago.
created=$(key_get KEY3 CREATED) created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000 set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
set_addkeytime "KEY3" "ACTIVE" "${created}" -144000 set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
published=$(key_get KEY3 PUBLISHED) published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
created=$(key_get KEY4 CREATED) created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000 set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
set_addkeytime "KEY4" "ACTIVE" "${created}" -144000 set_addkeytime "KEY4" "ACTIVE" "${created}" -136800
# Continue signing policy checks. # Continue signing policy checks.
check_keytimes check_keytimes
@ -4898,12 +4895,12 @@ check_subdomain
dnssec_verify dnssec_verify
# Next key event is when the RSASHA1 signatures become HIDDEN. This happens # Next key event is when the RSASHA1 signatures become HIDDEN. This happens
# after the max-zone-ttl plus zone propagation delay plus retire safety # after the max-zone-ttl plus zone propagation delay (6h + 1h)
# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has # minus the time already passed since the UNRETENTIVE state has
# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent # been reached (2h): 7h - 2h = 5h = 18000 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds # false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'. # which passed between key creation and invoking 'rndc reconfig'.
next_time=$((25200 - time_passed)) next_time=$((18000 - time_passed))
check_next_key_event $next_time check_next_key_event $next_time
# #
@ -4921,29 +4918,29 @@ wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Set expected key times: # Set expected key times:
# - The old keys were activated 47 hours ago (169200 seconds) # - The old keys were activated 45 hours ago (162000 seconds)
rollover_predecessor_keytimes -169200 rollover_predecessor_keytimes -162000
# - And retired 44 hours ago (158400 seconds). # - And retired 42 hours ago (151200 seconds).
created=$(key_get KEY1 CREATED) created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -158400 set_addkeytime "KEY1" "RETIRED" "${created}" -151200
retired=$(key_get KEY1 RETIRED) retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
created=$(key_get KEY2 CREATED) created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "RETIRED" "${created}" -158400 set_addkeytime "KEY2" "RETIRED" "${created}" -151200
retired=$(key_get KEY2 RETIRED) retired=$(key_get KEY2 RETIRED)
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# The new keys are published 47 hours ago. # The new keys are published 47 hours ago.
created=$(key_get KEY3 CREATED) created=$(key_get KEY3 CREATED)
set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200 set_addkeytime "KEY3" "PUBLISHED" "${created}" -162000
set_addkeytime "KEY3" "ACTIVE" "${created}" -169200 set_addkeytime "KEY3" "ACTIVE" "${created}" -162000
published=$(key_get KEY3 PUBLISHED) published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
created=$(key_get KEY4 CREATED) created=$(key_get KEY4 CREATED)
set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200 set_addkeytime "KEY4" "PUBLISHED" "${created}" -162000
set_addkeytime "KEY4" "ACTIVE" "${created}" -169200 set_addkeytime "KEY4" "ACTIVE" "${created}" -162000
# Continue signing policy checks. # Continue signing policy checks.
check_keytimes check_keytimes
@ -5026,9 +5023,8 @@ set_keytime "KEY2" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone. # - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
# TTLsig: 6h (39600 seconds) # TTLsig: 6h (39600 seconds)
# Dprp: 1h (3600 seconds) # Dprp: 1h (3600 seconds)
# publish-safety: 1h (3600 seconds) # Ipub: 7h (25200 seconds)
# Ipub: 8h (28800 seconds) Ipub=25200
Ipub=28800
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
# Continue signing policy checks. # Continue signing policy checks.
@ -5082,14 +5078,13 @@ check_apex
check_subdomain check_subdomain
dnssec_verify dnssec_verify
# Next key event is when all zone signatures are signed with the new # Next key event is when all zone signatures are signed with the new algorithm.
# algorithm. This is the max-zone-ttl plus zone propagation delay # This is the max-zone-ttl plus zone propagation delay: 6h + 1h. But three
# plus retire safety: 6h + 1h + 2h. But three hours have already passed # hours have already passed (the time it took to make the DNSKEY omnipresent),
# (the time it took to make the DNSKEY omnipresent), so the next event # so the next event should be scheduled in 4 hour: 14400 seconds. Prevent
# should be scheduled in 6 hour: 21600 seconds. Prevent intermittent # intermittent false positives on slow platforms by subtracting the number of
# false positives on slow platforms by subtracting the number of seconds # seconds which passed between key creation and invoking 'rndc reconfig'.
# which passed between key creation and invoking 'rndc reconfig'. next_time=$((14400 - time_passed))
next_time=$((21600 - time_passed))
check_next_key_event $next_time check_next_key_event $next_time
# #
@ -5114,17 +5109,17 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_cdslog "$DIR" "$ZONE" KEY2 check_cdslog "$DIR" "$ZONE" KEY2
# Set expected key times: # Set expected key times:
# - The old key was activated 9 hours ago (32400 seconds). # - The old key was activated 7 hours ago (25200 seconds).
csk_rollover_predecessor_keytimes -32400 csk_rollover_predecessor_keytimes -25200
# - And was retired 6 hours ago (21600 seconds). # - And was retired 3 hours ago (10800 seconds).
created=$(key_get KEY1 CREATED) created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -21600 set_addkeytime "KEY1" "RETIRED" "${created}" -10800
retired=$(key_get KEY1 RETIRED) retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 9 hours ago. # - The new key was published 9 hours ago.
created=$(key_get KEY2 CREATED) created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400 set_addkeytime "KEY2" "PUBLISHED" "${created}" -25200
set_addkeytime "KEY2" "ACTIVE" "${created}" -32400 set_addkeytime "KEY2" "ACTIVE" "${created}" -25200
published=$(key_get KEY2 PUBLISHED) published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
@ -5138,9 +5133,9 @@ dnssec_verify
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE" rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE" rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
# Next key event is when the DS becomes OMNIPRESENT. This happens after the # Next key event is when the DS becomes OMNIPRESENT. This happens after the
# parent propagation delay, retire safety delay, and DS TTL: # parent propagation delay, and DS TTL:
# 1h + 2h + 2h = 5h = 18000 seconds. # 1h + 2h = 3h = 10800 seconds.
check_next_key_event 18000 check_next_key_event 10800
# #
# Zone: step4.csk-algorithm-roll.kasp # Zone: step4.csk-algorithm-roll.kasp
@ -5164,17 +5159,17 @@ wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Set expected key times: # Set expected key times:
# - The old key was activated 38 hours ago (136800 seconds) # - The old keys were activated 36 hours ago (129600 seconds).
csk_rollover_predecessor_keytimes -136800 csk_rollover_predecessor_keytimes -129600
# - And retired 35 hours ago (126000 seconds). # - And retired 33 hours ago (118800 seconds).
created=$(key_get KEY1 CREATED) created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -126000 set_addkeytime "KEY1" "RETIRED" "${created}" -118800
retired=$(key_get KEY1 RETIRED) retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 38 hours ago. # - The new key was published 36 hours ago.
created=$(key_get KEY2 CREATED) created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800 set_addkeytime "KEY2" "PUBLISHED" "${created}" -129600
set_addkeytime "KEY2" "ACTIVE" "${created}" -136800 set_addkeytime "KEY2" "ACTIVE" "${created}" -129600
published=$(key_get KEY2 PUBLISHED) published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
@ -5204,17 +5199,17 @@ wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Set expected key times: # Set expected key times:
# - The old key was activated 40 hours ago (144000 seconds) # - The old key was activated 38 hours ago (136800 seconds)
csk_rollover_predecessor_keytimes -144000 csk_rollover_predecessor_keytimes -136800
# - And retired 37 hours ago (133200 seconds). # - And retired 35 hours ago (126000 seconds).
created=$(key_get KEY1 CREATED) created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -133200 set_addkeytime "KEY1" "RETIRED" "${created}" -126000
retired=$(key_get KEY1 RETIRED) retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 40 hours ago. # - The new key was published 38 hours ago.
created=$(key_get KEY2 CREATED) created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000 set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
set_addkeytime "KEY2" "ACTIVE" "${created}" -144000 set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
published=$(key_get KEY2 PUBLISHED) published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
@ -5225,12 +5220,12 @@ check_subdomain
dnssec_verify dnssec_verify
# Next key event is when the RSASHA1 signatures become HIDDEN. This happens # Next key event is when the RSASHA1 signatures become HIDDEN. This happens
# after the max-zone-ttl plus zone propagation delay plus retire safety # after the max-zone-ttl plus zone propagation delay (6h + 1h) minus the
# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has # time already passed since the UNRETENTIVE state has been reached (2h):
# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent # 7h - 2h = 5h = 18000 seconds. Prevent intermittent false positives on slow
# false positives on slow platforms by subtracting the number of seconds # platforms by subtracting the number of seconds which passed between key
# which passed between key creation and invoking 'rndc reconfig'. # creation and invoking 'rndc reconfig'.
next_time=$((25200 - time_passed)) next_time=$((18000 - time_passed))
check_next_key_event $next_time check_next_key_event $next_time
# #
@ -5248,17 +5243,17 @@ wait_for_done_signing
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Set expected key times: # Set expected key times:
# - The old keys were activated 47 hours ago (169200 seconds) # - The old keys were activated 45 hours ago (162000 seconds)
csk_rollover_predecessor_keytimes -169200 csk_rollover_predecessor_keytimes -162000
# - And retired 44 hours ago (158400 seconds). # - And retired 42 hours ago (151200 seconds).
created=$(key_get KEY1 CREATED) created=$(key_get KEY1 CREATED)
set_addkeytime "KEY1" "RETIRED" "${created}" -158400 set_addkeytime "KEY1" "RETIRED" "${created}" -151200
retired=$(key_get KEY1 RETIRED) retired=$(key_get KEY1 RETIRED)
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 47 hours ago. # - The new key was published 47 hours ago.
created=$(key_get KEY2 CREATED) created=$(key_get KEY2 CREATED)
set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200 set_addkeytime "KEY2" "PUBLISHED" "${created}" -162000
set_addkeytime "KEY2" "ACTIVE" "${created}" -169200 set_addkeytime "KEY2" "ACTIVE" "${created}" -162000
published=$(key_get KEY2 PUBLISHED) published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}

58
lib/dns/keymgr.c
View File

@ -189,8 +189,7 @@ dns_keymgr_settime_syncpublish(dst_key_t *key, dns_kasp_t *kasp, bool first) {
isc_stdtime_t zrrsig_present; isc_stdtime_t zrrsig_present;
dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true); dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
zrrsig_present = published + ttlsig + zrrsig_present = published + ttlsig +
dns_kasp_zonepropagationdelay(kasp) + dns_kasp_zonepropagationdelay(kasp);
dns_kasp_publishsafety(kasp);
if (zrrsig_present > syncpublish) { if (zrrsig_present > syncpublish) {
syncpublish = zrrsig_present; syncpublish = zrrsig_present;
} }
@ -272,7 +271,6 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp,
true); true);
syncpub2 = pub + ttlsig + syncpub2 = pub + ttlsig +
dns_kasp_publishsafety(kasp) +
dns_kasp_zonepropagationdelay(kasp); dns_kasp_zonepropagationdelay(kasp);
} }
@ -1286,6 +1284,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
isc_result_t ret; isc_result_t ret;
isc_stdtime_t lastchange, dstime, nexttime = now; isc_stdtime_t lastchange, dstime, nexttime = now;
dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true); dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
uint32_t dsstate;
/* /*
* No need to wait if we move things into an uncertain state. * No need to wait if we move things into an uncertain state.
@ -1355,15 +1354,12 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
* records. This translates to: * records. This translates to:
* *
* Dsgn + zone-propagation-delay + max-zone-ttl. * Dsgn + zone-propagation-delay + max-zone-ttl.
*
* We will also add the retire-safety interval.
*/ */
nexttime = lastchange + ttlsig + nexttime = lastchange + ttlsig +
dns_kasp_zonepropagationdelay(kasp) + dns_kasp_zonepropagationdelay(kasp);
dns_kasp_retiresafety(kasp);
/* /*
* Only add the sign delay Dsgn if there is an actual * Only add the sign delay Dsgn and retire-safety if
* predecessor or successor key. * there is an actual predecessor or successor key.
*/ */
uint32_t tag; uint32_t tag;
ret = dst_key_getnum(key->key, DST_NUM_PREDECESSOR, ret = dst_key_getnum(key->key, DST_NUM_PREDECESSOR,
@ -1373,7 +1369,8 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
DST_NUM_SUCCESSOR, &tag); DST_NUM_SUCCESSOR, &tag);
} }
if (ret == ISC_R_SUCCESS) { if (ret == ISC_R_SUCCESS) {
nexttime += dns_kasp_signdelay(kasp); nexttime += dns_kasp_signdelay(kasp) +
dns_kasp_retiresafety(kasp);
} }
break; break;
default: default:
@ -1399,35 +1396,36 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
* This translates to: * This translates to:
* *
* parent-propagation-delay + parent-ds-ttl. * parent-propagation-delay + parent-ds-ttl.
*
* We will also add the retire-safety interval.
*/ */
case OMNIPRESENT: case OMNIPRESENT:
/* Make sure DS has been seen in the parent. */
ret = dst_key_gettime(key->key, DST_TIME_DSPUBLISH,
&dstime);
if (ret != ISC_R_SUCCESS || dstime > now) {
/* Not yet, try again in an hour. */
nexttime = now + 3600;
} else {
nexttime =
dstime + dns_kasp_dsttl(kasp) +
dns_kasp_parentpropagationdelay(kasp) +
dns_kasp_retiresafety(kasp);
}
break;
case HIDDEN: case HIDDEN:
/* Make sure DS has been withdrawn from the parent. */ /* Make sure DS has been seen in/withdrawn from the
ret = dst_key_gettime(key->key, DST_TIME_DSDELETE, * parent. */
&dstime); dsstate = next_state == HIDDEN ? DST_TIME_DSDELETE
: DST_TIME_DSPUBLISH;
ret = dst_key_gettime(key->key, dsstate, &dstime);
if (ret != ISC_R_SUCCESS || dstime > now) { if (ret != ISC_R_SUCCESS || dstime > now) {
/* Not yet, try again in an hour. */ /* Not yet, try again in an hour. */
nexttime = now + 3600; nexttime = now + 3600;
} else { } else {
nexttime = nexttime =
dstime + dns_kasp_dsttl(kasp) + dstime + dns_kasp_dsttl(kasp) +
dns_kasp_parentpropagationdelay(kasp) + dns_kasp_parentpropagationdelay(kasp);
dns_kasp_retiresafety(kasp); /*
* Only add the retire-safety if there is an
* actual predecessor or successor key.
*/
uint32_t tag;
ret = dst_key_getnum(key->key,
DST_NUM_PREDECESSOR, &tag);
if (ret != ISC_R_SUCCESS) {
ret = dst_key_getnum(key->key,
DST_NUM_SUCCESSOR,
&tag);
}
if (ret == ISC_R_SUCCESS) {
nexttime += dns_kasp_retiresafety(kasp);
}
} }
break; break;
default: default: