diff --git a/CHANGES b/CHANGES
index 10bfeaad94..9583c7030a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5422. [bug] When using dnssec-policy, print correct keytiming
+ metadata. [GL #1843]
+
 5421. [bug] Fixed a race that could cause named to crash when looking up the nodename of an RBT node if the tree was modified. [GL #1857]
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index 65823b1cd3..996b3ac6a6 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -1223,18 +1223,7 @@ main(int argc, char **argv) {
 fatal("-k and -3 cannot be used together");
 }
 
- if (ctx.setpub || ctx.setact || ctx.setrev || ctx.setinact ||
- ctx.setdel || ctx.unsetpub || ctx.unsetact ||
- ctx.unsetrev || ctx.unsetinact || ctx.unsetdel ||
- ctx.setsyncadd || ctx.setsyncdel)
- {
- fatal("cannot use -k together with "
- "-P, -A, -R, -I, or -D options "
- "(use dnssec-settime on keys afterwards)");
- }
-
 ctx.options |= DST_TYPE_STATE;
- ctx.genonly = true;
 
 if (strcmp(ctx.policy, "default") == 0) {
 ctx.use_nsec3 = false;
diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh
index cf2f2452ce..a315ce9d1f 100644
--- a/bin/tests/system/kasp/clean.sh
+++ b/bin/tests/system/kasp/clean.sh
@@ -23,3 +23,5 @@ rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
 rm -f ns*/managed-keys.bind
 rm -f ns*/*.mkeys
 rm -f ns*/zones* ns*/*.db.infile
+rm -f *.created published.test* retired.test*
+rm -f python.out.*
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 3549933642..548ee0c3dd 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
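Review bot: Dropping `ctx.genonly = true;` changes the default behaviour of `-k`: a policy-generated key now receives whatever timing metadata the normal path assigns unless the caller passes `-G` (the test setup in this commit switches the some-keys.kasp and pregenerated.kasp cases to `-G` for exactly that reason), and no usage or man-page update for that is visible in the commit. The removed guard also rejected the `unset*` flags (`-P none`, `-A none`, …) together with `-k`, and nothing in the hunk shows how an explicitly unset time is reconciled with a policy-derived one; if that combination is not meaningful, keep a narrower check such as `if (ctx.unsetpub || ctx.unsetact || ctx.unsetrev || ctx.unsetinact || ctx.unsetdel) { fatal("cannot use -k together with -P none, -A none, -R none, -I none or -D none"); }`. main() continues outside the hunk, so a later check may already cover this; if so a one-line comment at the `ctx.options |= DST_TYPE_STATE;` line pointing to it would save the next reader the search.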
@@ -32,6 +32,14 @@ private_type_record() {
 printf "%s. 0 IN TYPE65534 %s 5 %02x%04x0000\n" "$_zone" "\\#" "$_algorithm" "$_id"
 }
 
+# Set in the key state files the Predecessor/Successor fields.
+# Key $1 is the predecessor of key $2.
+key_successor() {
+ id1=$(keyfile_to_key_id "$1")
+ id2=$(keyfile_to_key_id "$2")
+ echo "Predecessor: ${id1}" >> "${2}.state"
+ echo "Successor: ${id2}" >> "${1}.state"
+}
 
 # Make lines shorter by storing key states in environment variables.
 H="HIDDEN"
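Review bot: `id1` and `id2` in key_successor are plain assignments and therefore leak into the script's global scope, whereas private_type_record just above keeps its temporaries underscore-prefixed (`$_zone`, `$_algorithm`, `$_id`); for consistency write `_id1=$(keyfile_to_key_id "$1")` and `_id2=$(keyfile_to_key_id "$2")` and use those names in the two echo lines. Because both writes use `>>`, calling the helper twice for the same pair appends duplicate `Predecessor:`/`Successor:` lines to the `.state` files, which is fine for a one-shot setup script but worth stating in the header comment, e.g. `# Appends to both .state files; call once per key pair.`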
@@ -63,26 +71,27 @@ zone="dnssec-keygen.kasp"
 $KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
 
 zone="some-keys.kasp"
-$KEYGEN -P none -A none -a RSASHA1 -b 2000 -L 1234 $zone > keygen.out.$zone.1 2>&1
-$KEYGEN -P none -A none -a RSASHA1 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1
+$KEYGEN -G -a RSASHA1 -b 2000 -L 1234 $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -G -a RSASHA1 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1
 
 zone="legacy.kasp"
 $KEYGEN -a RSASHA1 -b 2000 -L 1234 $zone > keygen.out.$zone.1 2>&1
 $KEYGEN -a RSASHA1 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1
 
 zone="pregenerated.kasp"
-$KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
-$KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
+$KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
 
 zone="rumoured.kasp"
 Tpub="now"
 Tact="now+1d"
-KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1 -b 2000 -L 1234 $zone 2> keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a RSASHA1 -L 1234 $zone 2> keygen.out.$zone.3)
-$SETTIME -s -P $Tpub -A $Tact -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $Tpub -A $Tact -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -P $Tpub -A $Tact -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.2 2>&1
+keytimes="-P ${Tpub} -A ${Tact}"
+KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $keytimes $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA1 -b 2000 -L 1234 $keytimes $zone 2> keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a RSASHA1 -L 1234 $keytimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.2 2>&1
 
 #
 # Set up zones that are already signed.
@@ -90,11 +99,13 @@ $SETTIME -s -P $Tpub -A $Tact -g $O -k $R $Tpub -z $R $Tpub "$ZSK2"
 
 # These signatures are set to expire long in the past, update immediately.
 setup expired-sigs.autosign
-KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2)
 T="now-6mo"
-$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
+ksktimes="-P $T -A $T -P sync $T"
+zsktimes="-P $T -A $T"
+KSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 13 "$KSK" >> "$infile"
 private_type_record $zone 13 "$ZSK" >> "$infile"
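Review bot: The rumoured.kasp block still redirects the ZSK2 settime output to `settime.out.$zone.2`, the same file the ZSK1 line just wrote, so ZSK1's output is overwritten and lost when a failure has to be diagnosed; the last new line of that block should be `$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.3 2>&1`. The collision was already present in the removed lines, but the rewrite is the natural moment to fix it.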
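Review bot: The six new lines for expired-sigs.autosign (`ksktimes=` through the second `$SETTIME`) are repeated verbatim for fresh-sigs, unfresh-sigs and zsk-missing in the next three hunks, and once more with a `-I now` variation for zsk-retired, differing only in the zone name; a small helper taking the zone, the TTL and `$T` would keep the five cases from drifting apart when the timing flags change again. If the duplication is kept deliberately, a one-line comment at this first instance such as `# Same key setup as the other pre-signed *.autosign zones below; keep them in sync.` would flag it for the next editor.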
@@ -102,11 +113,13 @@ $SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O full -f $zonefile $infile > sig
 
 # These signatures are still good, and can be reused.
 setup fresh-sigs.autosign
-KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2)
 T="now-6mo"
-$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
+ksktimes="-P $T -A $T -P sync $T"
+zsktimes="-P $T -A $T"
+KSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 13 "$KSK" >> "$infile"
 private_type_record $zone 13 "$ZSK" >> "$infile"
@@ -114,11 +127,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 
 # These signatures are still good, but not fresh enough, update immediately.
 setup unfresh-sigs.autosign
-KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2)
 T="now-6mo"
-$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
+ksktimes="-P $T -A $T -P sync $T"
+zsktimes="-P $T -A $T"
+KSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 13 "$KSK" >> "$infile"
 private_type_record $zone 13 "$ZSK" >> "$infile"
@@ -126,11 +141,13 @@ $SIGNER -S -x -s now-1w -e now+1w -o $zone -O full -f $zonefile $infile > signer
 
 # These signatures are already expired, and the private ZSK is missing.
 setup zsk-missing.autosign
-KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2)
 T="now-6mo"
-$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
+ksktimes="-P $T -A $T -P sync $T"
+zsktimes="-P $T -A $T"
+KSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 13 "$KSK" >> "$infile"
 private_type_record $zone 13 "$ZSK" >> "$infile"
@@ -139,16 +156,18 @@ rm -f "${ZSK}".private
 
 # These signatures are already expired, and the private ZSK is retired.
 setup zsk-retired.autosign
-KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2)
 T="now-6mo"
-$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
+ksktimes="-P $T -A $T -P sync $T"
+zsktimes="-P $T -A $T -I now"
+KSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 13 "$KSK" >> "$infile"
 private_type_record $zone 13 "$ZSK" >> "$infile"
 $SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
-$SETTIME -s -I now -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1
+$SETTIME -s -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1
 
 #
 # The zones at enable-dnssec.autosign represent the various steps of the
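Review bot: The rewritten `$SETTIME -s -g HIDDEN "$ZSK"` line spells the goal state as a literal while every other settime call in this file uses the `$H` variable introduced for exactly that purpose; write it as `$SETTIME -s -g $H "$ZSK" > settime.out.$zone.3 2>&1`. The literal was inherited from the removed line, but since the line is being rewritten anyway it should follow the file's convention so a future rename of the state strings only has to touch one place.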
@@ -164,9 +183,20 @@ cp template.db.in $zonefile # Step 2: # The DNSKEY has been published long enough to become OMNIPRESENT. setup step2.enable-dnssec.autosign -CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $zone 2> keygen.out.$zone.1) +# DNSKEY TTL: 300 seconds +# zone-propagation-delay: 5 minutes (300 seconds) +# publish-safety: 5 minutes (300 seconds) +# Total: 900 seconds TpubN="now-900s" -$SETTIME -s -P $TpubN -A $TpubN -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 +# RRSIG TTL: 12 hour (43200 seconds) +# zone-propagation-delay: 5 minutes (300 seconds) +# retire-safety: 20 minutes (1200 seconds) +# Already passed time: -900 seconds +# Total: 43800 seconds +TsbmN="now+43800s" +keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" +CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) +$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone 13 "$CSK" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 
@@ -174,10 +204,15 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Step 3: # The zone signatures have been published long enough to become OMNIPRESENT. setup step3.enable-dnssec.autosign -CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $zone 2> keygen.out.$zone.1) +# Passed time since publications: 43800 + 900 = 44700 seconds. TpubN="now-44700s" -TactN="now-43800s" -$SETTIME -s -P $TpubN -A $TpubN -g $O -k $O $TactN -r $O $TactN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 +# The key is secure for using in chain of trust when the DNSKEY is OMNIPRESENT. +TcotN="now-43800s" +# We can submit the DS now. +TsbmN="now" +keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" +CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone 13 "$CSK" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 
@@ -185,13 +220,20 @@ setup step3.enable-dnssec.autosign # Step 4: # The DS has been submitted long enough ago to become OMNIPRESENT. -# Add 27 hour plus retire safety of 20 minutes (98400 seconds) to the times. setup step4.enable-dnssec.autosign -CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $zone 2> keygen.out.$zone.1) +# DS TTL: 1 day (86400 seconds) +# parent-registration-delay: 1 day (86400 seconds) +# parent-propagation-delay: 1 hour (3600 seconds) +# retire-safety: 20 minutes (1200 seconds) +# Total aditional time: 98400 seconds +# 44700 + 98400 = 143100 TpubN="now-143100s" -TactN="now-142200s" -TomnN="now-98400s" -$SETTIME -s -P $TpubN -A $TpubN -g $O -k $O $TactN -r $O $TactN -d $R $TomnN -z $O $TomnN "$CSK" > settime.out.$zone.1 2>&1 +# 43800 + 98400 = 142200 +TcotN="now-142200s" +TsbmN="now-98400s" +keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" +CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone 13 "$CSK" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 
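Review bot: The new comment block for step4.enable-dnssec.autosign has a typo, `Total aditional time` should be `Total additional time`. The two bare sums `44700 + 98400 = 143100` and `43800 + 98400 = 142200` would also read better if they named what they compute, e.g. `# TpubN: 44700 + 98400 = 143100` and `# TcotN: 43800 + 98400 = 142200`, matching the variables assigned directly below each of them.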
@@ -205,11 +247,13 @@ setup step3.enable-dnssec.autosign # Step 1: # Introduce the first key. This will immediately be active. setup step1.zsk-prepub.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) TactN="now" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" +zsktimes="-P ${TactN} -A ${TactN}" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 13 "$KSK" >> "$infile" private_type_record $zone 13 "$ZSK" >> "$infile" 
@@ -218,15 +262,37 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 2: # It is time to pre-publish the successor ZSK. setup step2.zsk-prepub.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) -# According to RFC 7583: Tpub(N+1) <= Tact(N) + Lzsk - Ipub -# Also: Ipub = Dprp + TTLkey (+publish-safety) -# so: Tact(N) = Tpub(N+1) + Ipub - Lzsk = now + (1d2h) - 30d = -# now + 26h - 30d = now − 694h +# According to RFC 7583: +# +# Tpub(N+1) <= Tact(N) + Lzsk - Ipub +# Ipub = Dprp + TTLkey (+publish-safety) +# +# |3| |4| |5| |6| +# | | | | +# Key N |<-------Lzsk------>| +# | | | | +# Key N+1 | |<-Ipub->|<-->| +# | | | | +# Key N Tact +# Key N+1 Tpub Trdy Tact +# +# Tnow +# +# Lzsk: 30d +# Dprp: 1h +# TTLkey: 1h +# publish-safety: 1d +# Ipub: 26h +# +# Tact(N) = Tnow + Ipub - Lzsk = now + 26h - 30d +# = now + 26h - 30d = now − 694h TactN="now-694h" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" +zsktimes="-P ${TactN} -A ${TactN}" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 13 "$KSK" >> "$infile" private_type_record $zone 13 "$ZSK" >> "$infile" 
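Review bot: The last two lines of the new derivation for step2.zsk-prepub.autosign repeat the same expression (`= now + 26h - 30d` appears on both), and the second one uses a non-ASCII minus sign in `now − 694h`, which silently breaks grep and copy-paste of the value; collapse them to a single line with a plain hyphen, `# Tact(N) = Tnow + Ipub - Lzsk = now + 26h - 30d = now - 694h`. The non-ASCII character was carried over from the removed comment, so this is the moment to drop it.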
@@ -236,21 +302,58 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # After the publication interval has passed the DNSKEY of the successor ZSK # is OMNIPRESENT and the zone can thus be signed with the successor ZSK. setup step3.zsk-prepub.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) -ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.3) -# According to RFC 7583: Tpub(N+1) <= Tact(N) + Lzsk - Ipub -# Also: Tret(N) = Tact(N+1) = Tact(N) + Lzsk -# so: Tact(N) = Tact(N+1) - Lzsk = now - 30d -# and: Tpub(N+1) = Tact(N+1) - Ipub = now - 26h -# and: Tret(N+1) = Tact(N+1) + Lzsk +# According to RFC 7583: +# +# Tpub(N+1) <= Tact(N) + Lzsk - Ipub +# Tret(N) = Tact(N+1) = Tact(N) + Lzsk +# Trem(N) = Tret(N) + Iret +# Iret = Dsgn + Dprp + TTLsig (+retire-safety) +# +# |3| |4| |5| |6| |7| |8| +# | | | | | | +# Key N |<-------Lzsk------>|<-Iret->|<--->| +# | | | | | | +# Key N+1 | |<-Ipub->|<-->|<---Lzsk---- - - +# | | | | | | +# Key N Tact Tret Tdea Trem +# Key N+1 Tpub Trdy Tact +# +# Tnow +# +# Lzsk: 30d +# Ipub: 26h +# Dsgn: 1w +# Dprp: 1h +# TTLsig: 1d +# retire-safety: 2d +# Iret: 10d1h = 241h +# +# Tact(N) = Tnow - Lzsk = now - 30d +# Tret(N) = now +# Trem(N) = Tnow + Iret = now + 241h +# Tpub(N+1) = Tnow - Ipub = now - 26h +# Tret(N+1) = Tnow + Lzsk = now + 30d +# Trem(N+1) = Tnow + Lzsk + Iret = now + 30d + 241h +# = now + 961h TactN="now-30d" +TretN="now" +TremN="now+241h" TpubN1="now-26h" +TactN1="now" TretN1="now+30d" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -S "$ZSK1" -i 0 "$ZSK2" > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A now -I $TretN1 -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" > settime.out.$zone.4 
2>&1 +TremN1="now+961h" +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" +zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $newtimes $zone 2> keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" > settime.out.$zone.3 2>&1 +# Set key rollover relationship. +key_successor $ZSK1 $ZSK2 +# Sign zone. cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" private_type_record $zone 13 "$KSK" >> "$infile" private_type_record $zone 13 "$ZSK1" >> "$infile" 
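Review bot: `key_successor $ZSK1 $ZSK2` passes the key names unquoted, while every other use of these variables in the file is quoted (`"$ZSK1"`, `"${ZSK1}.key"`); the values are generated file names so it is harmless today, but for consistency and to survive a future change of naming write `key_successor "$ZSK1" "$ZSK2"`. The same unquoted call appears in the step4/step5 zsk-prepub hunk and in both ksk-doubleksk hunks below (`key_successor $KSK1 $KSK2`), which should be quoted the same way.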
@@ -261,48 +364,93 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # After the retire interval has passed the predecessor DNSKEY can be # removed from the zone. setup step4.zsk-prepub.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) -ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.3) -# According to RFC 7583: Tret(N) = Tact(N) + Lzsk -# Also: Tdea(N) = Tret(N) + Iret -# Also: Iret = Dsgn + Dprp + TTLsig (+retire-safety) -# so: Tact(N) = Tdea(N) - Iret - Lzsk = now - (1w1h1d2d) - 30d = -# now - (10d1h) - 30d = now - 961h -# and: Tret(N) = Tdea(N) - Iret = now - (10d1h) = now - 241h -# and: Tpub(N+1) = Tdea(N) - Iret - Ipub = now - (10d1h) - 26h = -# now - 267h -# and: Tact(N+1) = Tdea(N) - Iret = Tret(N) -# and: Tret(N+1) = Tdea(N) - Iret + Lzsk = now - (10d1h) + 30d = -# now + 479h +# According to RFC 7583: +# +# Tret(N) = Tact(N) + Lzsk +# Tdea(N) = Tret(N) + Iret +# +# |3| |4| |5| |6| |7| |8| +# | | | | | | +# Key N |<-------Lzsk------>|<-Iret->|<--->| +# | | | | | | +# Key N+1 | |<-Ipub->|<-->|<---Lzsk---- - - +# | | | | | | +# Key N Tact Tret Tdea Trem +# Key N+1 Tpub Trdy Tact +# +# Tnow +# +# Lzsk: 30d +# Ipub: 26h +# Iret: 241h +# +# Tact(N) = Tnow - Iret - Lzsk +# = now - 241h - 30d = now - 241h - 720h +# = now - 961h +# Tret(N) = Tnow - Iret = now - 241h +# Trem(N) = Tnow +# Tpub(N+1) = Tnow - Iret - Ipub +# = now - 241h - 26h +# = now - 267h +# Tact(N+1) = Tnow - Iret = Tret(N) +# Tret(N+1) = Tnow - Iret + Lzsk +# = now - 241h + 30d = now - 241h + 720h +# = now + 479h +# Trem(N+1) = Tnow + Lzsk = now + 30d TactN="now-961h" TretN="now-241h" +TremN="now" TpubN1="now-267h" TactN1="${TretN}" TretN1="now+479h" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -z $U $TretN 
"$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -S "$ZSK1" -i 0 "$ZSK2" > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.4 2>&1 +TremN1="now+30d" +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" +zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $newtimes $zone 2> keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.3 2>&1 +# Set key rollover relationship. +key_successor $ZSK1 $ZSK2 +# Sign zone. cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" $SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 5: # The predecessor DNSKEY is removed long enough that is has become HIDDEN. setup step5.zsk-prepub.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) -ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.3) # Subtract DNSKEY TTL from all the times (1h). 
+# Tact(N) = now - 961h - 1h = now - 962h +# Tret(N) = now - 241h - 1h = now - 242h +# Tdea(N) = now - 2d - 1h = now - 49h +# Trem(N) = now - 1h +# Tpub(N+1) = now - 267h - 1h = now - 268h +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 479h - 1h = now + 478h +# Trem(N+1) = now + 30d - 1h = now + 719h TactN="now-962h" TretN="now-242h" +TremN="now-1h" +TdeaN="now-49h" TpubN1="now-268h" TactN1="${TretN}" TretN1="now+478h" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -I $TretN -D now -g $H -k $U $TretN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -S "$ZSK1" -i 0 "$ZSK2" > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.4 2>&1 +TremN1="now+719h" +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" +zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $newtimes $zone 2> keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $U $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1 +# Set key rollover relationship. +key_successor $ZSK1 $ZSK2 +# Sign zone. cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" private_type_record $zone 13 "$KSK" >> "$infile" private_type_record $zone 13 "$ZSK1" >> "$infile" 
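Review bot: In the step5.zsk-prepub.autosign comment, `Tdea(N) = now - 2d - 1h = now - 49h` does not follow from the definition the step 4 comment in this same hunk gives (`Tdea(N) = Tret(N) + Iret`): with Tret(N) = now - 242h and Iret = 241h that yields now - 1h, which is the value assigned to `TremN`, not `TdeaN`. `TdeaN` is then used as the moment ZSK1's DNSKEY went UNRETENTIVE and its zone RRSIG state HIDDEN and ZSK2's RRSIG state became OMNIPRESENT, so it appears to be a different quantity (possibly retire-safety before removal, minus the DNSKEY TTL) rather than the RFC 7583 Tdea; if so, the comment should say what it means instead of reusing the Tdea name, e.g. `# TdeaN: time the old signatures stopped being served, retire-safety (2d) before removal, minus TTL`. I would confirm the intended meaning against the step 4 derivation before changing either line.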
@@ -317,26 +465,62 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 1: # Introduce the first key. This will immediately be active. setup step1.ksk-doubleksk.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.2) TactN="now" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" +zsktimes="-P ${TactN} -A ${TactN}" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 2: # It is time to submit the introduce the new KSK. setup step2.ksk-doubleksk.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.2) -# According to RFC 7583: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC -# Also: IpubC = DprpC + TTLkey (+publish-safety) -# so: Tact(N) = Tpub(N+1) - Lksk + Dreg + IpubC = now - 60d + (1d3h) -# now - 1440h + 27h = now - 1413h +# According to RFC 7583: +# +# Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC +# IpubC = DprpC + TTLkey (+publish-safety) +# +# |1| |2| |3| |4| +# | | | | +# Key N |<-IpubC->|<--->|<-Dreg->|<-----Lksk--- - - +# | | | | +# Key N+1 | | | | +# | | | | +# Key N Tpub Trdy Tsbm Tact +# Key N+1 +# +# (continued ...) 
+# +# |5| |6| |7| |8| |9| |10| +# | | | | | | +# Key N - - --------------Lksk------->|<-Iret->|<----->| +# | | | | | | +# Key N+1 |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - - +# | | | | | | +# Key N Tret Tdea Trem +# Key N+1 Tpub Trdy Tsbm Tact +# +# Tnow +# +# Lksk: 60d +# Dreg: 1d +# DprpC: 1h +# TTLkey: 2h +# publish-safety: 1d +# IpubC: 27h +# +# Tact(N) = Tnow - Lksk + Dreg + IpubC = now - 60d + 27h +# = now - 1440h + 27h = now - 1413h TactN="now-1413h" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" +zsktimes="-P ${TactN} -A ${TactN}" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 13 "$KSK" >> "$infile" private_type_record $zone 13 "$ZSK" >> "$infile" 
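Review bot: In the step2.ksk-doubleksk.autosign derivation, `Tact(N) = Tnow - Lksk + Dreg + IpubC = now - 60d + 27h` drops the `+ Dreg` term when the numbers are substituted: with the values listed just above (Lksk 60d, Dreg 1d, IpubC 27h) the formula gives now - 1389h, while the comment and `TactN="now-1413h"` use -1413h. Either the formula carries a Dreg it should not, or the value is missing it; whichever matches what named computes for this step, the comment should agree with `TactN`, e.g. `# Tact(N) = Tnow - Lksk + IpubC = now - 60d + 27h = now - 1413h` if Dreg does not belong there. The removed comment had the same mismatch, so the test value itself may well be right and only the formula needs correcting.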
@@ -345,23 +529,63 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 3: # It is time to submit the DS. setup step3.ksk-doubleksk.autosign -KSK1=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1) -KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.2) -ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.3) -# According to RFC 7583: Tsbm(N+1) >= Trdy(N+1) -# Also: Tact(N+1) = Tsbm(N+1) + Dreg -# so: Tact(N) = Tsbm(N+1) + Dreg - Lksk = now + 1d - 60d = now - 59d -# and: Tret(N) = Tsbm(N+1) + Dreg = now + 1d -# and: Tpub(N+1) <= Tsbm(N+1) - IpubC = now + 27h -# and: Tret(N+1) = Tsbm(N+1) + Dreg + Lksk = 1d + 60d +# According to RFC 7583: +# +# Tsbm(N+1) >= Trdy(N+1) +# Tact(N+1) = Tsbm(N+1) + Dreg +# Iret = DprpP + TTLds (+retire-safety) +# +# |5| |6| |7| |8| |9| |10| +# | | | | | | +# Key N - - --------------Lksk------->|<-Iret->|<----->| +# | | | | | | +# Key N+1 |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - - +# | | | | | | +# Key N Tret Tdea Trem +# Key N+1 Tpub Trdy Tsbm Tact +# +# Tnow +# +# Lksk: 60d +# Dreg: 1d +# DprpP: 1h +# TTLds: 1h +# retire-safety: 2d +# Iret: 50h +# DprpC: 1h +# TTLkey: 2h +# publish-safety: 1d +# IpubC: 27h +# +# Tact(N) = Tnow + Dreg - Lksk = now + 1d - 60d = now - 59d +# Tret(N) = Tnow + Dreg = now + 1d +# Trem(N) = Tnow + Dreg + Iret = now + 1d + 50h = now + 74h +# Tpub(N+1) = Tnow - IpubC = now - 27h +# Tsbm(N+1) = now +# Tact(N+1) = Tret(N) +# Tret(N+1) = Tnow + Dreg + Lksk = now + 1d + 60d = now + 61d +# Trem(N+1) = Tnow + Dreg + Lksk + Iret = now + 61d + 50h +# = now + 1464h + 50h = 1514h TactN="now-59d" TretN="now+1d" +TremN="now+74h" TpubN1="now-27h" +TsbmN1="now" +TactN1="${TretN}" TretN1="now+61d" -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -S "$KSK1" -i 0 "$KSK2" > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TretN -I $TretN1 
-g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 +TremN1="now+1514h" +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" +zsktimes="-P ${TactN} -A ${TactN}" +KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.3) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 +# Set key rollover relationship. +key_successor $KSK1 $KSK2 +# Sign zone. cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" private_type_record $zone 13 "$KSK1" >> "$infile" private_type_record $zone 13 "$KSK2" >> "$infile" 
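Review bot: The last line of the step3.ksk-doubleksk.autosign derivation, `= now + 1464h + 50h = 1514h`, loses the `now +` in its final term; it should read `= now + 1464h + 50h = now + 1514h` so it matches `TremN1="now+1514h"` assigned below. The remaining values in that block (Tact(N), Tret(N), Trem(N), Tpub(N+1), Tret(N+1)) agree with the variables set after the comment.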
@@ -371,29 +595,57 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # Step 4:
 # The DS should be swapped now.
 setup step4.ksk-doubleksk.autosign
-KSK1=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1)
-KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.2)
-ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.3)
-# According to RFC 7583: Tdea(N) = Tret(N) + Iret
-# Also: Tret(N) = Tsbm(N+1) + Dreg
-# Also: Tact(N+1) = Tret(N)
-# Also: Iret = DprpP + TTLds (+retire-safety)
-# so: Tact(N) = Tdea(N) - Lksk - Iret = now - 60d - 2d2h = now - 1490h
-# and: Tret(N) = Tdea(N) - Iret = now - 2d2h = 50h
-# and: Tpub(N+1) = Tdea(N) - Iret - Dreg - IpubC = now - 50h - 1d - 1d3h = now - 101h
-# and: Tsbm(N+1) = Tdea(N) - Iret - Dreg = now - 50h - 1d = now - 74h
-# and: Tact(N+1) = Tret(N)
-# and: Tret(N+1) = Tdea(N) + Lksk - Iret = now + 60d - 2d2h = now + 1390h
+# According to RFC 7583:
+#
+# Tret(N) = Tsbm(N+1) + Dreg
+# Tdea(N) = Tret(N) + Iret
+# Tact(N+1) = Tret(N)
+#
+# |5| |6| |7| |8| |9| |10|
+# | | | | | |
+# Key N - - --------------Lksk------->|<-Iret->|<----->|
+# | | | | | |
+# Key N+1 |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
+# | | | | | |
+# Key N Tret Tdea Trem
+# Key N+1 Tpub Trdy Tsbm Tact
+#
+# Tnow
+#
+# Lksk: 60d
+# Dreg: 1d
+# Iret: 50h
+#
+# Tact(N) = Tnow - Lksk - Iret = now - 60d - 50h
+# = now - 1440h - 50h = now - 1490h
+# Tret(N) = Tnow - Iret = now - 50h
+# Trem(N) = Tnow
+# Tpub(N+1) = Tnow - Iret - Dreg - IpubC = now - 50h - 1d - 27h
+# = now - 101h
+# Tsbm(N+1) = Tnow - Iret - Dreg = now - 50h - 1d = now - 74h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow + Lksk - Iret = now + 60d - 50h = now + 1390h
+# Trem(N+1) = Tnow + Lksk = now + 60d
 TactN="now-1490h"
 TretN="now-50h"
+TremN="now"
 TpubN1="now-101h"
 TsbmN1="now-74h"
 TactN1="${TretN}"
 TretN1="now+1390h"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$KSK1" -i 0 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 "$KSK2" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+TremN1="now+60d"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 "$KSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $KSK1 $KSK2
+# Sign zone.
 cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 13 "$KSK1" >> "$infile"
 private_type_record $zone 13 "$KSK2" >> "$infile"
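Review bot: `newtimes` passes `-A ${TretN}` although `TactN1="${TretN}"` is defined two lines earlier and the step 3 hunk writes the same option as `-A ${TactN1}`; using the alias, `newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"`, keeps the relation Tact(N+1) = Tret(N) visible in the code rather than only in the comment. The step 5 hunk of this zone has the same mismatch.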
@@ -403,20 +655,35 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # Step 5:
 # The predecessor DNSKEY is removed long enough that is has become HIDDEN.
 setup step5.ksk-doubleksk.autosign
-KSK1=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1)
-KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.2)
-ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.3)
 # Subtract DNSKEY TTL from all the times (2h).
+# Tact(N) = now - 1490h - 2h = now - 1492h
+# Tret(N) = now - 52h - 2h = now - 52h
+# Trem(N) = now - 2h
+# Tpub(N+1) = now - 101h - 2h = now - 103h
+# Tsbm(N+1) = now - 74h - 2h = now - 76h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 1390h - 2h = now + 1388h
+# Trem(N+1) = now + 60d + 2h = now + 1442h
 TactN="now-1492h"
 TretN="now-52h"
-TpubN1="now-102h"
-TsbmN1="now-75h"
+TremN="now-2h"
+TpubN1="now-103h"
+TsbmN1="now-76h"
 TactN1="${TretN}"
 TretN1="now+1388h"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$KSK1" -i 0 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+TremN1="now+1438h"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $KSK1 $KSK2
+# Sign zone.
 cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 13 "$KSK1" >> "$infile"
 private_type_record $zone 13 "$KSK2" >> "$infile"
@@ -427,13 +694,19 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # The zones at csk-roll.autosign represent the various steps of a CSK rollover
 # (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
 #
+#
+# The activation time for zone signing (ZSK) is different than for chain of
+# trust validation (KSK). Therefor, for zone signing we use TactZ and TretZ
+# instead of Tact and Tret.
+#
 # Step 1:
 # Introduce the first key. This will immediately be active.
 setup step1.csk-roll.autosign
-CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 TactN="now"
-$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone 13 "$CSK" >> "$infile"
 $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
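Review bot: Two lines of the new time-shift comment do not match the values assigned below them. `# Tret(N) = now - 52h - 2h = now - 52h` starts from the wrong step 4 value and should read `# Tret(N) = now - 50h - 2h = now - 52h`. `# Trem(N+1) = now + 60d + 2h = now + 1442h` adds the TTL instead of subtracting it and contradicts `TremN1="now+1438h"`; it should read `# Trem(N+1) = now + 60d - 2h = now + 1438h`.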
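Review bot: The added explanatory paragraph has a spelling error: `# trust validation (KSK). Therefor, for zone signing we use TactZ and TretZ` should read `Therefore`. The identical paragraph is added again for csk-roll2 in the step 1 hunk further down and needs the same fix.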
@@ -441,16 +714,29 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 2:
 # It is time to introduce the new CSK.
 setup step2.csk-roll.autosign
-CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-# According to RFC 7583: ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
-# According to RFC 7583: KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
-# Also: Ipub = Dprp + TTLkey (+publish-safety)
-# Also: IpubC = DprpC + TTLkey (+publish-safety)
-# Both sums are almost the same, but the KSK case has Dreg in the equation.
-# so: Tact(N) = Tpub(N+1) - Lcsk + Dreg + IpubC = now - 6mo + 1d + 3h =
-# now - 4464h + 24h + 3h = now - 4437h
+# According to RFC 7583:
+# KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
+# ZSK: Tpub(N+1) <= TactZ(N) + Lzsk - Ipub
+# IpubC = DprpC + TTLkey (+publish-safety)
+# Ipub = IpubC
+# Lcsk = Lksk = Lzsk
+#
+# Lcsk: 6mo (186d, 4464h)
+# Dreg: 1d
+# DprpC: 1h
+# TTLkey: 1h
+# publish-safety: 1h
+# Ipub: 3h
+#
+# Tact(N) = Tnow - Lcsk + Ipub + Dreg = now - 186d + 3h + 1d
+# = now - 4464h + 3h + 24h = now - 4437h
+# TactZ(N) = Tnow - Lcsk + IpubC = now - 186d + 3h
+# = now - 4464h + 3h = now - 4461h
 TactN="now-4437h"
-$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+TactZN="now-4461h"
+csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN}"
+CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone 13 "$CSK" >> "$infile"
 $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -458,21 +744,60 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 3:
 # It is time to submit the DS and to roll signatures.
 setup step3.csk-roll.autosign
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-# According to RFC 7583: Tsbm(N+1) >= Trdy(N+1)
-# Also: Tact(N+1) = Tsbm(N+1) + Dreg
-# so: Tact(N) = Tsbm(N+1) + Dreg - Lksk = now + 1d - 6mo = now - 185d
-# and: Tret(N) = Tsbm(N+1) + Dreg = now + 1d
-# and: Tpub(N+1) <= Tsbm(N+1) - IpubC = now - 3h
-# and: Tret(N+1) = Tsbm(N+1) + Dreg + Lksk = now + 1d + 6mo = now + 187d
+# According to RFC 7583:
+#
+# Tsbm(N+1) >= Trdy(N+1)
+# KSK: Tact(N+1) = Tsbm(N+1) + Dreg
+# ZSK: TactZ(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
+# KSK: Iret = DprpP + TTLds (+retire-safety)
+# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
+#
+# Lcsk: 186d
+# Dprp: 1h
+# DprpP: 1h
+# Dreg: 1d
+# Dsgn: 25d
+# TTLds: 1h
+# TTLsig: 1d
+# retire-safety: 2h
+# Iret: 4h
+# IretZ: 26d3h
+# Ipub: 3h
+#
+# TactZ(N) = Tnow - Lcsk = now - 186d
+# TretZ(N) = now
+# Tact(N) = Tnow + Dreg - Lcsk = now + 1d - 186d = now - 185d
+# Tret(N) = Tnow + Dreg = now + 1d
+# Trem(N) = Tnow + IretZ = now + 26d3h = now + 627h
+# Tpub(N+1) = Tnow - Ipub = now - 3h
+# Tsbm(N+1) = TretZ(N)
+# TactZ(N+1) = TretZ(N)
+# TretZ(N+1) = Tnow + Lcsk = now + 186d
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow + Dreg + Lcsk = now + 1d + 186d = now + 187d
+# Trem(N+1) = Tnow + Lcsk + IretZ = now + 186d + 26d3h =
+# = now + 5091h
+TactZN="now-186d"
+TretZN="now"
 TactN="now-185d"
 TretN="now+1d"
+TremN="now+627h"
 TpubN1="now-3h"
+TsbmN1="now"
+TactZN1="${TsbmN1}"
+TretZN1="now+186d"
+TactN1="${TretN}"
 TretN1="now+187d"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TretN -I $TretN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1
+TremN1="now+5091h"
+csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
@@ -480,32 +805,55 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 4:
 # Some time later all the ZRRSIG records should be from the new CSK, and the
-# DS should be swapped. The ZRRSIG records are all replaced after Iret
-# which is Dsgn + Dprp + TTLsig + retire-safety (25d + 1h + 1d + 2h = 26d3h).
-# The DS is swapped after Dreg + DprpP + TTLds + retire-safety
-# (1d + 1h + 1h + 2h = 1d4h). In other words, the DS is swapped before all
-# zone signatures are replaced.
+# DS should be swapped. The ZRRSIG records are all replaced after IretZ
+# (which is 26d3h). The DS is swapped after Dreg + Iret (which is 1d4h).
+# In other words, the DS is swapped before all zone signatures are replaced.
 setup step4.csk-roll.autosign
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-# According to RFC 7583: Tdea(N) = Tret(N) + Iret
-# Also: Iret = 1h + 1h + 2h = 4h
-# Also: Tact(N+1) = Tret(N)
-# so: Tact(N) = Tdea(N) - Lksk - Iret = now - 6mo - 4h = now - 4468h
-# and: Tret(N) = Tdea(N) - Iret = now - 4h = now - 4h
-# and: Tpub(N+1) = Tdea(N) - Iret - Dreg - IpubC = now - 4h - 1d - 3h = now - 31h
-# and: Tsbm(N+1) = Tdea(N) - Iret - Dreg = now - 4h - 1d = now - 28h
-# and: Tact(N+1) = Tret(N)
-# and: Tret(N+1) = Tdea(N) + Lksk - Iret = now + 6mo - 4h = now + 4460h
+# According to RFC 7583:
+# Trem(N) = TretZ(N) + IretZ
+# Tnow = Tsbm(N+1) + Dreg + Iret
+#
+# Lcsk: 186d
+# Iret: 4h
+# IretZ: 26d3h
+#
+# TactZ(N) = Tnow - Iret - Dreg - Lcsk = now - 4h - 24h - 4464h
+# = now - 4492h
+# TretZ(N) = Tnow - Iret - Dreg = now - 4h - 1d = now - 28h
+# Tact(N) = Tnow - Iret - Lcsk = now - 4h - 186d = now - 4468h
+# Tret(N) = Tnow - Iret = now - 4h = now - 4h
+# Trem(N) = Tnow - Iret - Dreg + IretZ = now - 4h - 1d + 26d3h
+# = now + 24d23h = now + 599h
+# Tpub(N+1) = Tnow - Iret - Dreg - IpubC = now - 4h - 1d - 3h = now - 31h
+# Tsbm(N+1) = TretZ(N)
+# TactZ(N+1) = TretZ(N)
+# TretZ(N+1) = Tnow - Iret - Dreg + Lcsk = now - 4h - 1d + 186d
+# = now + 4436h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow - Iret + Lcsk = now + 6mo - 4h = now + 4460h
+# Trem(N+1) = Tnow - Iret - Dreg + Lcsk + IretZ = now - 4h - 1d + 186d + 26d3h
+# = now + 5063h
+TactZN="now-4492h"
+TretZN="now-28h"
 TactN="now-4468h"
 TretN="now-4h"
+TremN="now+599h"
 TpubN1="now-31h"
-TsbmN1="now-28h"
+TsbmN1="${TretZN}"
+TactZN1="${TretZN}"
+TretZN1="now+4436h"
 TactN1="${TretN}"
 TretN1="now+4460h"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 "$CSK2" > settime.out.$zone.1 2>&1
+TremN1="now+5063h"
+csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
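Review bot: `# Tret(N) = Tnow - Iret = now - 4h = now - 4h` carries a redundant trailing `= now - 4h` over from the removed comment, and `# Tret(N+1) = Tnow - Iret + Lcsk = now + 6mo - 4h = now + 4460h` is the only derivation in this block still written with `6mo` while the parameter list and every other line use `186d`; writing it as `now + 186d - 4h` keeps the arithmetic checkable against `Lcsk: 186d` above.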
@@ -515,19 +863,40 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # After the DS is swapped in step 4, also the KRRSIG records can be removed.
 # At this time these have all become hidden.
 setup step5.csk-roll.autosign
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 # Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
+# TactZ(N) = now - 4492h - 2h = now - 4494h
+# TretZ(N) = now - 28h - 2h = now - 30h
+# Tact(N) = now - 4468h - 2h = now - 4470h
+# Tret(N) = now - 4h - 2h = now - 6h
+# Trem(N) = now + 599h - 2h = now + 597h
+# Tpub(N+1) = now - 31h - 2h = now - 33h
+# Tsbm(N+1) = TretZ(N)
+# TactZ(N+1) = TretZ(N)
+# TretZ(N+1) = now + 4436h - 2h = now + 4434h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 4460h - 2h = now + 4458h
+# Trem(N+1) = now + 5063h - 2h = now + 5061h
+TactZN="now-4494h"
+TretZN="now-30h"
 TactN="now-4470h"
 TretN="now-6h"
-TdeaN="now-2h"
+TremN="now+597h"
 TpubN1="now-33h"
 TsbmN1="now-30h"
+TactZN1="${TsbmN1}"
+TretZN1="now+4434h"
 TactN1="${TretN}"
 TretN1="now+4458h"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $U $TdeaN -d $H $TdeaN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.1 2>&1
+TremN1="now+5061h"
+csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactZN -r $U now-2h -d $H now-2h -z $U $TactZN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactZN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
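Review bot: The two `$SETTIME` lines hard-code `now-2h` three times for the KRRSIG and DS state times, where the removed code carried that value in `TdeaN`; now that TremN denotes the ZRRSIG removal time (`now+597h`), nothing names the moment the DS swap completed, and a variable such as `TdsN="now-2h"` used as `-r $U $TdsN -d $H $TdsN` would document it. Likewise `TsbmN1="now-30h"` stays a literal here while the neighbouring steps write `TsbmN1="${TretZN}"`. The last csk-roll2 hunk hard-codes `now-133h` twice in the same positions.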
@@ -537,27 +906,50 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # After the retire interval has passed the predecessor DNSKEY can be
 # removed from the zone.
 setup step6.csk-roll.autosign
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-# According to RFC 7583: Tdea(N) = Tret(N) + Iret
-# Also: Tret(N) = Tact(N) + Lzsk
-# Also: Iret = Dsgn + Dprp + TTLsig (+retire-safety)
-# so: Tact(N) = Tdea(N) - Iret - Lzsk = now - 25d1h1d2h - 6mo =
-# now - 26d3h - 6mo = now - 627h - 4464h = now - 5091h
-# and: Tret(N) = Tdea(N) - Iret = now - 627h
-# and: Tpub(N+1) = Tdea(N) - Iret - Ipub = now - 627h - 3h = now - 630h
-# and: Tact(N+1) = Tdea(N) - Iret = Tret(N)
-# and: Tret(N+1) = Tdea(N) - Iret + Lzsk = now - 627h + 6mo = now + 3837h
-TactN="now-5091h"
-TretN="now-627h"
-TdeaN="now-623h"
+# According to RFC 7583:
+# Trem(N) = TretZ(N) + IretZ
+# TretZ(N) = TactZ(N) + Lcsk
+#
+# Lcsk: 186d
+# Iret: 4h
+# IretZ: 26d3h
+#
+# TactZ(N) = Tnow - IretZ - Lcsk = now - 627h - 186d
+# = now - 627h - 4464h = now - 5091h
+# TretZ(N) = Tnow - IretZ = now - 627h
+# Tact(N) = Tnow - IretZ - Lcsk + Dreg = now - 627h - 186d + 1d =
+# now - 627h - 4464h + 24h = now - 5067h
+# Tret(N) = Tnow - IretZ + Dreg = now - 627h + 24h
+# = Tnow - 603h
+# Trem(N) = Tnow
+# Tpub(N+1) = Tnow - IretZ - Ipub = now - 627h - 3h = now - 630h
+# Tsbm(N+1) = TretZ(N)
+# TactZ(N+1) = TretZ(N)
+# TretZ(N+1) = Tnow - IretZ + Lcsk = now - 627h + 186d = now + 3837h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow - Iret + Lcsk = now - 4h + 186d = now + 4460h
+# Trem(N+1) = Tnow + Lcsk = now + 186d
+TactZN="now-5091h"
+TretZN="now-627h"
+TactN="now-5067h"
+TretN="now-603h"
+TremN="now"
 TpubN1="now-630h"
-TsbmN1="now-627h"
+TsbmN1="${TretZN}"
+TactZN1="${TretZN}"
+TretZN1="now+3837h"
 TactN1="${TretN}"
-TretN1="now+3837h"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $H $TdeaN -d $H $TdeaN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.1 2>&1
+TretN1="now+4460h"
+TremN1="now+186d"
+csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactZN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
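Review bot: The derived Tret(N+1) looks inconsistent with the other relations in the same comment: `# Tact(N+1) = Tret(N)` puts Tact(N+1) at now - 603h, and with `Lcsk: 186d` a full lifetime would give Tret(N+1) = now + 3861h, yet `# Tret(N+1) = Tnow - Iret + Lcsk = now - 4h + 186d = now + 4460h` reuses the step 4 formula in which Tnow was Tret(N) + Iret, a relation that no longer holds once Tnow is TretZ(N) + IretZ. The value only feeds `TretN1="now+4460h"`, which `newtimes` does not use (it passes `-I ${TretZN1}`), so the generated key files are unaffected, but the comment should either be corrected or state why the KSK retire time is meant to diverge from Tact(N+1) + Lcsk. The step 7 hunk inherits the same value as `now+4458h`.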
@@ -566,19 +958,40 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 7:
 # Some time later the predecessor DNSKEY enters the HIDDEN state.
 setup step7.csk-roll.autosign
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 # Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
-TactN="now-5093h"
-TretN="now-629h"
-TdeaN="now-625h"
+# TactZ(N) = now - 5091h - 2h = now - 5093h
+# TretZ(N) = now - 627h - 2h = now - 629h
+# Tact(N) = now - 5067h - 2h = now - 5069h
+# Tret(N) = now - 603h - 2h = now - 605h
+# Trem(N) = now - 2h
+# Tpub(N+1) = now - 630h - 2h = now - 632h
+# Tsbm(N+1) = now - 627h - 2h = now - 629h
+# TactZ(N+1) = Tsbm(N+1)
+# TretZ(N+1) = now + 3837h - 2h = now + 3835h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 4460h - 2h = now + 4458h
+# Trem(N+1) = now + 186d - 2h = now + 4462h
+TactZN="now-5093h"
+TretZN="now-629h"
+TactN="now-5069h"
+TretN="now-605h"
+TremN="now-2h"
 TpubN1="now-632h"
-TsbmN1="now-629h"
+TsbmN1="${TretZN}"
+TactZN1="${TretZN}"
+TretZN1="now+3835h"
 TactN1="${TretN}"
-TretN1="now+3835h"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $U now-2h -r $H $TdeaN -d $H $TdeaN -z $H $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $O $TsbmN1 "$CSK2" > settime.out.$zone.1 2>&1
+TretN1="now+4458h"
+TremN1="now+4462h"
+csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactZN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactZN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
@@ -590,13 +1003,19 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # This scenario differs from the above one because the zone signatures (ZRRSIG)
 # are replaced with the new key sooner than the DS is swapped.
 #
+#
+# The activation time for zone signing (ZSK) is different than for chain of
+# trust validation (KSK). Therefor, for zone signing we use TactZ and TretZ
+# instead of Tact and Tret.
+#
 # Step 1:
 # Introduce the first key. This will immediately be active.
 setup step1.csk-roll2.autosign
-CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 TactN="now"
-$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone 13 "$CSK" >> "$infile"
 $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
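Review bot: The DS state time given to the successor changes meaning between steps 6 and 7: the step 6 hunk sets it with `-d $O $TremN` (now), while this hunk's second `$SETTIME` line uses `-d $O $TactN1` (now-605h), even though the comment describes step 7 as step 6 with 2h subtracted from every time, which would make it `-d $O $TremN` (now-2h) here. If the omnipresent-DS time really is meant to be Tact(N+1), the step 6 line should agree; either way a one-line comment stating which event the `-d` time records would stop the two steps drifting apart.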
@@ -604,16 +1023,29 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 2:
 # It is time to introduce the new CSK.
 setup step2.csk-roll2.autosign
-CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-# According to RFC 7583: ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
-# According to RFC 7583: KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
-# Also: Ipub = Dprp + TTLkey (+publish-safety)
-# Also: IpubC = DprpC + TTLkey (+publish-safety)
-# Both sums are almost the same, but the KSK case has Dreg in the equation.
-# so: Tact(N) = Tpub(N+1) - Lcsk + Dreg + IpubC = now - 6mo + 1w + 3h =
-# now - 4464h + 168h + 3h = now - 4635h
-TactN="now-4635h"
-$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+# According to RFC 7583:
+# KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
+# ZSK: Tpub(N+1) <= TactZ(N) + Lzsk - Ipub
+# IpubC = DprpC + TTLkey (+publish-safety)
+# Ipub = IpubC
+# Lcsk = Lksk = Lzsk
+#
+# Lcsk: 6mo (186d, 4464h)
+# Dreg: 1w
+# DprpC: 1h
+# TTLkey: 1h
+# publish-safety: 1h
+# Ipub: 3h
+#
+# Tact(N) = Tnow - Lcsk + Ipub + Dreg = now - 186d + 3h + 1w
+# = now - 4464h + 3h + 168h = now - 4293h
+# TactZ(N) = Tnow - Lcsk + IpubC = now - 186d + 3h
+# = now - 4464h + 3h = now - 4461h
+TactN="now-4293h"
+TactZN="now-4461h"
+csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN}"
+CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone 13 "$CSK" >> "$infile"
 $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -621,21 +1053,60 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 3:
 # It is time to submit the DS and to roll signatures.
 setup step3.csk-roll2.autosign
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-# According to RFC 7583: Tsbm(N+1) >= Trdy(N+1)
-# Also: Tact(N+1) = Tsbm(N+1) + Dreg
-# so: Tact(N) = Tsbm(N+1) + Dreg - Lksk = now + 1w - 6mo = now - 179d
-# and: Tret(N) = Tsbm(N+1) + Dreg = now + 1w
-# and: Tpub(N+1) <= Tsbm(N+1) - IpubC = now - 3h
-# and: Tret(N+1) = Tsbm(N+1) + Dreg + Lksk = now + 1w + 6mo = now + 193d
+# According to RFC 7583:
+#
+# Tsbm(N+1) >= Trdy(N+1)
+# KSK: Tact(N+1) = Tsbm(N+1) + Dreg
+# ZSK: TactZ(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
+# KSK: Iret = DprpP + TTLds (+retire-safety)
+# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
+#
+# Lcsk: 186d
+# Dprp: 1h
+# DprpP: 1h
+# Dreg: 1w
+# Dsgn: 12h
+# TTLds: 1h
+# TTLsig: 1d
+# retire-safety: 1h
+# Iret: 3h
+# IretZ: 38h
+# Ipub: 3h
+#
+# TactZ(N) = Tnow - Lcsk = now - 186d
+# TretZ(N) = now
+# Tact(N) = Tnow + Dreg - Lcsk = now + 1w - 186d = now - 179d
+# Tret(N) = Tnow + Dreg = now + 7d
+# Trem(N) = Tnow + Dreg + Iret = now + 1w + 3h = now + 171h
+# Tpub(N+1) = Tnow - Ipub = now - 3h
+# Tsbm(N+1) = TretZ(N)
+# TactZ(N+1) = TretZ(N)
+# TretZ(N+1) = Tnow + Lcsk = now + 186d
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow + Lcsk + Dreg = now + 186d + 7d = now + 193d
+# Trem(N+1) = Tnow + Lcsk + Dreg + Iret = now + 186d + 7d + 3h =
+# = now + 193d + 3h = now + 4632h + 3h = now + 4635h
+TactZN="now-186d"
+TretZN="now"
 TactN="now-179d"
-TretN="now+1w"
+TretN="now+7d"
+TremN="now+171h"
 TpubN1="now-3h"
+TsbmN1="${TretZN}"
+TactZN1="${TretZN}"
+TretZN1="now+186d"
+TactN1="${TretN}"
 TretN1="now+193d"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TretN -I $TretN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1
+TremN1="now+4635h"
+csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
@@ -643,30 +1114,57 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 4:
 # Some time later all the ZRRSIG records should be from the new CSK, and the
-# DS should be swapped. The ZRRSIG records are all replaced after Iret
-# which is Dsgn + Dprp + TTLsig + retire-safety (12h + 1h + 1d + 2h = 38h).
-# The DS is swapped after Dreg + DprpP + TTLds + retire-safety
-# (1w + 1h + 1h + 1h = 1w3h). In other words, the zone signatures are
-# replaced before the DS is swapped.
+# DS should be swapped. The ZRRSIG records are all replaced after IretZ (38h).
+# The DS is swapped after Dreg + Iret (1w3h). In other words, the zone
+# signatures are replaced before the DS is swapped.
 setup step4.csk-roll2.autosign
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-# According to RFC 7583: Tdea(N) = Tret(N) + Iret
-# Also: Tret(N) = Tact(N) + Lzsk
-# Also: Iret = Dsgn + Dprp + TTLsig (+retire-safety)
-# so: Tact(N) = Tdea(N) - Iret - Lzsk = now - 38h - 6mo = now - 4502h
-# and: Tret(N) = Tdea(N) - Iret = now - 38h
-# and: Tpub(N+1) = Tdea(N) - Iret - Ipub = now - 41h
-# and: Tact(N+1) = Tdea(N) - Iret = Tret(N)
-# and: Tret(N+1) = Tdea(N) - Iret + Lzsk = now - 38h + 6mo = now + 4426h
-TactN="now-4502h"
-TretN="now-38h"
+# According to RFC 7583:
+# Trem(N) = Tret(N) + Iret
+# Tnow = TretZ(N) + IretZ
+#
+# Lcsk: 186d
+# Dreg: 1w
+# Iret: 3h
+# IretZ: 38h
+#
+# TactZ(N) = Tnow - IretZ = Lcsk = now - 38h - 186d
+# = now - 38h - 4464h = now - 4502h
+# TretZ(N) = Tnow - IretZ = now - 38h
+# Tact(N) = Tnow - IretZ - Lcsk + Dreg = now - 38h - 4464h + 168h
+# = now - 4334h
+# Tret(N) = Tnow - IretZ + Dreg = now - 38h + 168h = now + 130h
+# Trem(N) = Tnow - IretZ + Dreg + Iret = now + 130h + 3h = now + 133h
+# Tpub(N+1) = Tnow - IretZ - IpubC = now - 38h - 3h = now - 41h
+# Tsbm(N+1) = TretZ(N)
+# TactZ(N+1) = TretZ(N)
+# TretZ(N+1) = Tnow - IretZ + Lcsk = now - 38h + 186d
+# = now + 4426h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = Tnow - IretZ + Dreg + Lcsk = now - 38h + 168h + 4464h
+# = now + 4594h
+# Trem(N+1) = Tnow - IretZ + Dreg + Lcsk + Iret
+# = now + 4594h + 3h = now + 4597h
+TactZN="now-4502h"
+TretZN="now-38h"
+TactN="now-4334h"
+TretN="now+130h"
+TremN="now+133h"
 TpubN1="now-41h"
+TsbmN1="${TretZN}"
+TactZN1="${TretZN}"
+TretZN1="now+4426h"
 TactN1="${TretN}"
-TretN1="now+4426"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TretN -z $U $TretN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $R $TretN -z $R $TretN "$CSK2" > settime.out.$zone.1 2>&1
+TretN1="now+4594h"
+TremN1="now+4597h"
+csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}"
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $U $TretZN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TactZN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
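Review bot: The first derivation line has an operator typo: `# TactZ(N) = Tnow - IretZ = Lcsk = now - 38h - 186d` should read `# TactZ(N) = Tnow - IretZ - Lcsk = now - 38h - 186d`, as its continuation `= now - 38h - 4464h = now - 4502h` and `TactZN="now-4502h"` already assume.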
@@ -676,17 +1174,41 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Some time later the DS can be swapped and the old DNSKEY can be removed from # the zone. setup step5.csk-roll2.autosign -CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1) -# Subtract Dreg + Iret (174h). -TactN="now-4676h" -TretN="now-212h" -TpubN1="now-215h" +# Subtract Dreg + Iret (171h) - IretZ (38h) = 133h. +# +# TactZ(N) = now - 4502h - 133h = now - 4635h +# TretZ(N) = now - 38h - 133h = now - 171h +# Tact(N) = now - 4334h = 133h = now - 4467h +# Tret(N) = now + 130h - 133h = now - 3h +# Trem(N) = now + 133h - 133h = now +# Tpub(N+1) = now - 41h - 133h = now - 174h +# Tsbm(N+1) = TretZ(N) +# TactZ(N+1) = TretZ(N) +# TretZ(N+1) = now + 4426h - 133h = now + 4293h +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 4594h - 133h = now + 4461h +# Trem(N+1) = now + 4597h - 133h = now + 4464h = now + 186d +TactZN="now-4635h" +TretZN="now-171h" +TactN="now-4467h" +TretN="now-3h" +TremN="now" +TpubN1="now-174h" +TsbmN1="${TretZN}" +TactZN1="${TretZN}" +TretZN1="now+4293h" TactN1="${TretN}" -TretN1="now+4252h" -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TretN -z $H $TretN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $R $TretN -z $O $TretN "$CSK2" > settime.out.$zone.1 2>&1 +TretN1="now+4461h" +TremN1="now+186d" +csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" +CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactZN 
-r $O $TactZN -d $U $TsbmN1 -z $H now-133h "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $O now-133h "$CSK2" > settime.out.$zone.2 2>&1 +# Set key rollover relationship. +key_successor $CSK1 $CSK2 +# Sign zone. cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone 13 "$CSK1" >> "$infile" private_type_record $zone 13 "$CSK2" >> "$infile" 
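Review bot: The derivation comment `# Tact(N) = now - 4334h = 133h = now - 4467h` has the wrong operator; it should read `# Tact(N) = now - 4334h - 133h = now - 4467h`. The `-z $H now-133h` and `-z $O now-133h` arguments to the two $SETTIME calls are the only times in this step not taken from a named variable; by the surrounding derivation the literal equals TretZ(N) + IretZ, so a variable such as `TremZN="now-133h"` alongside the other T* assignments (and likewise for `now-135h` in the step6 hunk) would keep the state times traceable to the comment.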
@@ -695,19 +1217,41 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Step 6: # Some time later the predecessor DNSKEY enters the HIDDEN state. setup step6.csk-roll2.autosign -CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1) - # Subtract DNSKEY TTL plus zone propagation delay (2h). -TactN="now-4678h" -TretN="now-214h" -TdeaN="now-2h" -TpubN1="now-217h" +# +# TactZ(N) = now - 4635h - 2h = now - 4637h +# TretZ(N) = now - 171h - 2h = now - 173h +# Tact(N) = now - 4467h - 2h = now - 4469h +# Tret(N) = now - 3h - 2h = now - 5h +# Trem(N) = now - 2h +# Tpub(N+1) = now - 174h - 2h = now - 176h +# Tsbm(N+1) = TretZ(N) +# TactZ(N+1) = TretZ(N) +# TretZ(N+1) = now + 4293h - 2h = now + 4291h +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 4461h - 2h = now + 4459h +# Trem(N+1) = now + 4464h - 2h = now + 4462h +TactZN="now-4637h" +TretZN="now-173h" +TactN="now-4469h" +TretN="now-5h" +TremN="now-2h" +TpubN1="now-176h" +TsbmN1="${TretZN}" +TactZN1="${TretZN}" +TretZN1="now+4291h" TactN1="${TretN}" -TretN1="now+4250h" -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $U $TdeaN -r $U $TdeaN -d $H $TretN -z $H $TretN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $O $TretN -z $O $TretN "$CSK2" > settime.out.$zone.1 2>&1 +TretN1="now+4459h" +TremN1="now+4462h" +csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" +CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > 
settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1 +# Set key rollover relationship. +key_successor $CSK1 $CSK2 +# Sign zone. cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" private_type_record $zone 13 "$CSK1" >> "$infile" private_type_record $zone 13 "$CSK2" >> "$infile" diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh index 16c92ce0f0..536b1cb619 100644 --- a/bin/tests/system/kasp/ns6/setup.sh +++ b/bin/tests/system/kasp/ns6/setup.sh @@ -42,10 +42,10 @@ U="UNRETENTIVE" # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy. setup migrate.kasp echo "$zone" >> zones -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.2) -$SETTIME -P now -P sync now -A now "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -P now -A now "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P now -A now -P sync now" +zsktimes="-P now -A now" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 5 "$KSK" >> "$infile" private_type_record $zone 5 "$ZSK" >> "$infile" 
@@ -57,13 +57,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # ECDSAP256SHA256 keys. setup migrate-nomatch-algnum.kasp echo "$zone" >> zones -KSK=$($KEYGEN -a RSASHA1 -b 2048 -f KSK -L 300 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zone 2> keygen.out.$zone.2) Tds="now-24h" # Time according to dnssec-policy that DS will be OMNIPRESENT Tkey="now-3900s" # DNSKEY TTL + propagation delay Tsig="now-12h" # Zone's maximum TTL + propagation delay -$SETTIME -P $Tkey -P sync $Tds -A $Tkey "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -P $Tsig -A $Tsig "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" +zsktimes="-P ${Tsig} -A ${Tsig}" +KSK=$($KEYGEN -a RSASHA1 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes $zone 2> keygen.out.$zone.2) cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 5 "$KSK" >> "$infile" private_type_record $zone 5 "$ZSK" >> "$infile" 
@@ -75,13 +75,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # dictates 2048 bits RSASHA1 keys. setup migrate-nomatch-alglen.kasp echo "$zone" >> zones -KSK=$($KEYGEN -a RSASHA1 -b 1024 -f KSK -L 300 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zone 2> keygen.out.$zone.2) Tds="now-24h" # Time according to dnssec-policy that DS will be OMNIPRESENT Tkey="now-3900s" # DNSKEY TTL + propagation delay Tsig="now-12h" # Zone's maximum TTL + propagation delay -$SETTIME -P $Tkey -P sync $Tds -A $Tkey "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -P $Tsig -A $Tsig "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}" +zsktimes="-P ${Tsig} -A ${Tsig}" +KSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes $zone 2> keygen.out.$zone.2) cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 5 "$KSK" >> "$infile" private_type_record $zone 5 "$ZSK" >> "$infile" 
@@ -96,11 +96,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Introduce the first key. This will immediately be active. setup step1.algorithm-roll.kasp echo "$zone" >> zones -KSK=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2) TactN="now" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" +zsktimes="-P ${TactN} -A ${TactN}" +KSK=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 5 "$KSK" >> "$infile" private_type_record $zone 5 "$ZSK" >> "$infile" 
@@ -109,18 +111,24 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 2: # After the publication interval has passed the DNSKEY is OMNIPRESENT. setup step2.algorithm-roll.kasp -KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2) -KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) # The time passed since the new algorithm keys have been introduced is 3 hours. TactN="now-3h" TpubN1="now-3h" -TactN1="now+6h" -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 +# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety = +# now - 3h + 6h + 1h + 1h = now + 5h +TsbmN1="now+5h" +ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now" +zsk1times="-P ${TactN} -A ${TactN} -I now" +ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" +zsk2times="-P ${TpubN1} -A ${TpubN1}" +KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) +KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 
2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1 # Fake lifetime of old algorithm keys. echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${ZSK1}.state" 
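Review bot: The new derivation comment `# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =` mixes its terms: the middle form starts from `now` while the final form correctly starts from TpubN1 (`now - 3h`). Writing it as `# Tsbm(N+1) = TpubN1 + Ipub = TpubN1 + TTLsig + Dprp + publish-safety =` makes the two lines agree with the `now + 5h` result.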
@@ -134,18 +142,23 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 3: # The zone signatures are also OMNIPRESENT. setup step3.algorithm-roll.kasp -KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2) -KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) # The time passed since the new algorithm keys have been introduced is 9 hours. TactN="now-9h" +TretN="now-6h" TpubN1="now-9h" -TactN1="now" -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 +TsbmN1="now-1h" +ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" +ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" +zsk2times="-P ${TpubN1} -A ${TpubN1}" +KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) +KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1 # Fake lifetime of old 
algorithm keys. echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${ZSK1}.state" 
@@ -159,18 +172,24 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 4: # The DS is swapped and can become OMNIPRESENT. setup step4.algorithm-roll.kasp -KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2) -KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) # The time passed since the DS has been swapped is 29 hours. TactN="now-38h" +TretN="now-35h" TpubN1="now-38h" +TsbmN1="now-30h" TactN1="now-29h" -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 "$KSK2" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 +ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" +ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" +zsk2times="-P ${TpubN1} -A ${TpubN1}" +KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) +KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 "$KSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1 # Fake lifetime of old 
algorithm keys. echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${ZSK1}.state" 
@@ -184,19 +203,25 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 5: # The DNSKEY is removed long enough to be HIDDEN. setup step5.algorithm-roll.kasp -KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2) -KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) # The time passed since the DNSKEY has been removed is 2 hours. TactN="now-40h" -TpubN1="now-40h" -TactN1="now-31h" +TretN="now-37h" TremN="now-2h" -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 +TpubN1="now-40h" +TsbmN1="now-32h" +TactN1="now-31h" +ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" +ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" +zsk2times="-P ${TpubN1} -A ${TpubN1}" +KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) +KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) +$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" 
> settime.out.$zone.4 2>&1 # Fake lifetime of old algorithm keys. echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${ZSK1}.state" 
@@ -210,20 +235,26 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 6: # The RRSIGs have been removed long enough to be HIDDEN. setup step6.algorithm-roll.kasp -KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2) -KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) # Additional time passed: 7h. TactN="now-47h" +TretN="now-44h" +TremN="now-7h" TpubN1="now-47h" +TsbmN1="now-39h" TactN1="now-38h" TdeaN="now-9h" -TremN="now-7h" -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1 +ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" +ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" +zsk2times="-P ${TpubN1} -A ${TpubN1}" +KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) +KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4) +$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1 # Fake 
lifetime of old algorithm keys. echo "Lifetime: 0" >> "${KSK1}.state" echo "Lifetime: 0" >> "${ZSK1}.state" @@ -243,9 +274,10 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Introduce the first key. This will immediately be active. setup step1.csk-algorithm-roll.kasp echo "$zone" >> zones -CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1) TactN="now" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1 +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" +CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone 5 "$CSK" >> "$infile" $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 
@@ -253,13 +285,15 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig # Step 2: # After the publication interval has passed the DNSKEY is OMNIPRESENT. setup step2.csk-algorithm-roll.kasp -CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1) # The time passed since the new algorithm keys have been introduced is 3 hours. TactN="now-3h" TpubN1="now-3h" -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1 +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now" +newtimes="-P ${TpubN1} -A ${TpubN1}" +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 # Fake lifetime of old algorithm keys. echo "Lifetime: 0" >> "${CSK1}.state" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 
@@ -270,14 +304,17 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig # Step 3: # The zone signatures are also OMNIPRESENT. setup step3.csk-algorithm-roll.kasp -CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1) # The time passed since the new algorithm keys have been introduced is 9 hours. TactN="now-9h" +TretN="now-6h" TpubN1="now-9h" TactN1="now-6h" -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1 +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +newtimes="-P ${TpubN1} -A ${TpubN1}" +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 # Fake lifetime of old algorithm keys. echo "Lifetime: 0" >> "${CSK1}.state" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 
@@ -288,15 +325,18 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig # Step 4: # The DS is swapped and can become OMNIPRESENT. setup step4.csk-algorithm-roll.kasp -CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1) # The time passed since the DS has been swapped is 29 hours. TactN="now-38h" +TretN="now-35h" TpubN1="now-38h" TactN1="now-35h" TsubN1="now-29h" -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 "$CSK2" > settime.out.$zone.1 2>&1 +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +newtimes="-P ${TpubN1} -A ${TpubN1}" +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 "$CSK2" > settime.out.$zone.2 2>&1 # Fake lifetime of old algorithm keys. echo "Lifetime: 0" >> "${CSK1}.state" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 
@@ -307,16 +347,19 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig # Step 5: # The DNSKEY is removed long enough to be HIDDEN. setup step5.csk-algorithm-roll.kasp -CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1) # The time passed since the DNSKEY has been removed is 2 hours. TactN="now-40h" +TretN="now-37h" +TremN="now-2h" TpubN1="now-40h" TactN1="now-37h" TsubN1="now-31h" -TremN="now-2h" -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.1 2>&1 +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +newtimes="-P ${TpubN1} -A ${TpubN1}" +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.2 2>&1 # Fake lifetime of old algorithm keys. echo "Lifetime: 0" >> "${CSK1}.state" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 
@@ -327,17 +370,20 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig # Step 6: # The RRSIGs have been removed long enough to be HIDDEN. setup step6.csk-algorithm-roll.kasp -CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1) # Additional time passed: 7h. TactN="now-47h" +TretN="now-44h" +TdeaN="now-9h" +TremN="now-7h" TpubN1="now-47h" TactN1="now-44h" TsubN1="now-38h" -TdeaN="now-9h" -TremN="now-7h" -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.1 2>&1 +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +newtimes="-P ${TpubN1} -A ${TpubN1}" +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 # Fake lifetime of old algorithm keys. echo "Lifetime: 0" >> "${CSK1}.state" cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 22dd405d41..b0f2d727e2 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh 
@@ -34,28 +34,30 @@ VIEW2="4xILSZQnuO1UKubXHkYUsvBRPu8=" ############################################################################### # Key properties # ############################################################################### -# ID=0 -# EXPECT=1 -# ROLE=2 -# KSK=3 -# ZSK=4 -# LIFETIME=5 -# ALG_NUM=6 -# ALG_STR=7 -# ALG_LEN=8 -# PUBLISHED=9 -# ACTIVE=10 -# RETIRED=11 -# REVOKED=12 -# REMOVED=13 -# GOAL=14 -# STATE_DNSKEY=15 -# STATE_ZRRSIG=16 -# STATE_KRRSIG=17 -# STATE_DS=18 -# EXPECT_ZRRSIG=19 -# EXPECT_KRRSIG=20 -# LEGACY=21 +# ID +# BASEFILE +# EXPECT +# ROLE +# KSK +# ZSK +# LIFETIME +# ALG_NUM +# ALG_STR +# ALG_LEN +# CREATED +# PUBLISHED +# ACTIVE +# RETIRED +# REVOKED +# REMOVED +# GOAL +# STATE_DNSKEY +# STATE_ZRRSIG +# STATE_KRRSIG +# STATE_DS +# EXPECT_ZRRSIG +# EXPECT_KRRSIG +# LEGACY key_key() { echo "${1}__${2}" @@ -69,11 +71,23 @@ key_set() { eval "$(key_key "$1" "$2")='$3'" } +# Save certain values in the KEY array. +key_save() +{ + # Save key id. + key_set "$1" ID "$KEY_ID" + # Save base filename. + key_set "$1" BASEFILE "$BASE_FILE" + # Save creation date. + key_set "$1" CREATED "${KEY_CREATED}" +} + # Clear key state. # # This will update either the KEY1, KEY2, or KEY3 array. key_clear() { key_set "$1" "ID" 'no' + key_set "$1" "IDPAD" 'no' key_set "$1" "EXPECT" 'no' key_set "$1" "ROLE" 'none' key_set "$1" "KSK" 'no' @@ -82,7 +96,9 @@ key_clear() { key_set "$1" "ALG_NUM" '0' key_set "$1" "ALG_STR" 'none' key_set "$1" "ALG_LEN" '0' + key_set "$1" "CREATED" '0' key_set "$1" "PUBLISHED" 'none' + key_set "$1" "SYNCPUBLISH" 'none' key_set "$1" "ACTIVE" 'none' key_set "$1" "RETIRED" 'none' key_set "$1" "REVOKED" 'none' 
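Review bot: The rewritten property list omits IDPAD and SYNCPUBLISH, both of which key_clear now initialises (`key_set "$1" "IDPAD" 'no'` and `key_set "$1" "SYNCPUBLISH" 'none'` in the two hunks that follow), so the list no longer describes the array; add `# IDPAD` after `# ID` and `# SYNCPUBLISH` after `# PUBLISHED`. key_save reads the globals KEY_ID, BASE_FILE and KEY_CREATED without saying where they come from; a comment such as `# Expects KEY_ID, BASE_FILE and KEY_CREATED to have been set by the caller (check_key).` would help, assuming check_key is indeed the caller, which these hunks do not show. Within the visible hunks nothing stores IDPAD, so it appears to be cleared but never set — worth confirming that a later hunk does.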
@@ -200,16 +216,38 @@ set_zonesigning() { } # Set key timing metadata. Set to "none" to unset. -# These times are hard to test, so it is just an indication that we expect the -# respective timing metadata in the key files. # $1: Key to update (KEY1, KEY2, ...) -# $2: Time to update (PUBLISHED, ACTIVE, RETIRED, REVOKED, or REMOVED). +# $2: Time to update (PUBLISHED, SYNCPUBLISH, ACTIVE, RETIRED, REVOKED, or REMOVED). # $3: Value set_keytime() { key_set "$1" "EXPECT" "yes" key_set "$1" "$2" "$3" } +# Set key timing metadata to a value plus additional time. +# $1: Key to update (KEY1, KEY2, ...) +# $2: Time to update (PUBLISHED, SYNCPUBLISH, ACTIVE, RETIRED, REVOKED, or REMOVED). +# $3: Value +# $4: Additional time. +set_addkeytime() { + if [ -x "$PYTHON" ]; then + # Convert "%Y%m%d%H%M%S" format to epoch seconds. + # Then, add the additional time (can be negative). + _value=$3 + _plus=$4 + $PYTHON > python.out.$ZONE.$1.$2 < "${ZONE}.${KEY_ID}.${_alg_num}.created" || log_error "mismatch created comment in $KEY_FILE" + KEY_CREATED=$(awk '{print $3}' < "${ZONE}.${KEY_ID}.${_alg_num}.created") + + grep "Created: ${KEY_CREATED}" "$PRIVATE_FILE" > /dev/null || log_error "mismatch created in $PRIVATE_FILE" + if [ "$_legacy" == "no" ]; then + grep "Generated: ${KEY_CREATED}" "$STATE_FILE" > /dev/null || log_error "mismatch generated in $STATE_FILE" + fi + test $_log -eq 1 && echo_i "check key file $BASE_FILE" # Check the public key file. 
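Review bot: When the created comment is missing from the key file, the grep that fills `${ZONE}.${KEY_ID}.${_alg_num}.created` logs an error but execution continues, `KEY_CREATED` comes back empty, and the following `grep "Created: ${KEY_CREATED}" "$PRIVATE_FILE"` degenerates to `grep "Created: "`, which passes vacuously; a guard such as `test -n "$KEY_CREATED" || log_error "empty created time for $KEY_FILE"` before the private-file and state-file checks keeps that failure explicit. This part of the hunk sits inside check_key, whose start is outside the hunk, and the set_addkeytime body (the $PYTHON heredoc) appears lost in this rendering, so the time conversion itself could not be reviewed. The added `if [ "$_legacy" == "no" ]; then` uses the bash-only `==`; the POSIX `=` spelling already used by the new `[ "$_published" = "none" ]` test would be consistent and portable if tests.sh runs under /bin/sh.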
@@ -346,82 +394,150 @@ check_key() { grep "DSChange: " "$STATE_FILE" > /dev/null || log_error "mismatch ds change in $STATE_FILE" fi fi +} + +# Check the key timing metadata for key $1. +check_timingmetadata() { + _dir="$DIR" + _zone="$ZONE" + _key_idpad=$(key_get "$1" ID) + _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') + _alg_num=$(key_get "$1" ALG_NUM) + _alg_numpad=$(printf "%03d" "$_alg_num") + + _published=$(key_get "$1" PUBLISHED) + _active=$(key_get "$1" ACTIVE) + _retired=$(key_get "$1" RETIRED) + _revoked=$(key_get "$1" REVOKED) + _removed=$(key_get "$1" REMOVED) + + _goal=$(key_get "$1" GOAL) + _state_dnskey=$(key_get "$1" STATE_DNSKEY) + _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) + _state_krrsig=$(key_get "$1" STATE_KRRSIG) + _state_ds=$(key_get "$1" STATE_DS) + + _base_file=$(key_get "$1" BASEFILE) + _key_file="${_base_file}.key" + _private_file="${_base_file}.private" + _state_file="${_base_file}.state" + + _published=$(key_get "$1" PUBLISHED) + _syncpublish=$(key_get "$1" SYNCPUBLISH) + _active=$(key_get "$1" ACTIVE) + _retired=$(key_get "$1" RETIRED) + _revoked=$(key_get "$1" REVOKED) + _removed=$(key_get "$1" REMOVED) # Check timing metadata. 
+ n=$((n+1)) + echo_i "check key timing metadata for key $1 id ${_key_id} zone ${ZONE} ($n)" + ret=0 + if [ "$_published" = "none" ]; then - grep "; Publish:" "$KEY_FILE" > /dev/null && log_error "unexpected publish comment in $KEY_FILE" - grep "Publish:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected publish in $PRIVATE_FILE" + grep "; Publish:" "${_key_file}" > /dev/null && log_error "unexpected publish comment in ${_key_file}" + grep "Publish:" "${_private_file}" > /dev/null && log_error "unexpected publish in ${_private_file}" if [ "$_legacy" == "no" ]; then - grep "Published: " "$STATE_FILE" > /dev/null && log_error "unexpected publish in $STATE_FILE" + grep "Published: " "${_state_file}" > /dev/null && log_error "unexpected publish in ${_state_file}" fi else - grep "; Publish:" "$KEY_FILE" > /dev/null || log_error "mismatch publish comment in $KEY_FILE" - grep "Publish:" "$PRIVATE_FILE" > /dev/null || log_error "mismatch publish in $PRIVATE_FILE" + grep "; Publish: $_published" "${_key_file}" > /dev/null || log_error "mismatch publish comment in ${_key_file} (expected ${_published})" + grep "Publish: $_published" "${_private_file}" > /dev/null || log_error "mismatch publish in ${_private_file} (expected ${_published})" if [ "$_legacy" == "no" ]; then - grep "Published:" "$STATE_FILE" > /dev/null || log_error "mismatch publish in $STATE_FILE" + grep "Published: $_published" "${_state_file}" > /dev/null || log_error "mismatch publish in ${_state_file} (expected ${_published})" + fi + fi + + if [ "$_syncpublish" = "none" ]; then + grep "; SyncPublish:" "${_key_file}" > /dev/null && log_error "unexpected syncpublish comment in ${_key_file}" + grep "SyncPublish:" "${_private_file}" > /dev/null && log_error "unexpected syncpublish in ${_private_file}" + if [ "$_legacy" == "no" ]; then + grep "PublishCDS: " "${_state_file}" > /dev/null && log_error "unexpected syncpublish in ${_state_file}" + fi + else + grep "; SyncPublish: $_syncpublish" "${_key_file}" > 
/dev/null || log_error "mismatch syncpublish comment in ${_key_file} (expected ${_syncpublish})" + grep "SyncPublish: $_syncpublish" "${_private_file}" > /dev/null || log_error "mismatch syncpublish in ${_private_file} (expected ${_syncpublish})" + if [ "$_legacy" == "no" ]; then + grep "PublishCDS: $_syncpublish" "${_state_file}" > /dev/null || log_error "mismatch syncpublish in ${_state_file} (expected ${_syncpublish})" fi fi if [ "$_active" = "none" ]; then - grep "; Activate:" "$KEY_FILE" > /dev/null && log_error "unexpected active comment in $KEY_FILE" - grep "Activate:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected active in $PRIVATE_FILE" + grep "; Activate:" "${_key_file}" > /dev/null && log_error "unexpected active comment in ${_key_file}" + grep "Activate:" "${_private_file}" > /dev/null && log_error "unexpected active in ${_private_file}" if [ "$_legacy" == "no" ]; then - grep "Active: " "$STATE_FILE" > /dev/null && log_error "unexpected active in $STATE_FILE" + grep "Active: " "${_state_file}" > /dev/null && log_error "unexpected active in ${_state_file}" fi else - grep "; Activate:" "$KEY_FILE" > /dev/null || log_error "mismatch active comment in $KEY_FILE" - grep "Activate:" "$PRIVATE_FILE" > /dev/null || log_error "mismatch active in $PRIVATE_FILE" + grep "; Activate: $_active" "${_key_file}" > /dev/null || log_error "mismatch active comment in ${_key_file} (expected ${_active})" + grep "Activate: $_active" "${_private_file}" > /dev/null || log_error "mismatch active in ${_private_file} (expected ${_active})" if [ "$_legacy" == "no" ]; then - grep "Active: " "$STATE_FILE" > /dev/null || log_error "mismatch active in $STATE_FILE" + grep "Active: $_active" "${_state_file}" > /dev/null || log_error "mismatch active in ${_state_file} (expected ${_active})" fi fi if [ "$_retired" = "none" ]; then - grep "; Inactive:" "$KEY_FILE" > /dev/null && log_error "unexpected retired comment in $KEY_FILE" - grep "Inactive:" "$PRIVATE_FILE" > /dev/null && 
log_error "unexpected retired in $PRIVATE_FILE" + grep "; Inactive:" "${_key_file}" > /dev/null && log_error "unexpected retired comment in ${_key_file}" + grep "Inactive:" "${_private_file}" > /dev/null && log_error "unexpected retired in ${_private_file}" if [ "$_legacy" == "no" ]; then - grep "Retired: " "$STATE_FILE" > /dev/null && log_error "unexpected retired in $STATE_FILE" + grep "Retired: " "${_state_file}" > /dev/null && log_error "unexpected retired in ${_state_file}" fi else - grep "; Inactive:" "$KEY_FILE" > /dev/null || log_error "mismatch retired comment in $KEY_FILE" - grep "Inactive:" "$PRIVATE_FILE" > /dev/null || log_error "mismatch retired in $PRIVATE_FILE" + grep "; Inactive: $_retired" "${_key_file}" > /dev/null || log_error "mismatch retired comment in ${_key_file} (expected ${_retired})" + grep "Inactive: $_retired" "${_private_file}" > /dev/null || log_error "mismatch retired in ${_private_file} (expected ${_retired})" if [ "$_legacy" == "no" ]; then - grep "Retired: " "$STATE_FILE" > /dev/null || log_error "mismatch retired in $STATE_FILE" + grep "Retired: $_retired" "${_state_file}" > /dev/null || log_error "mismatch retired in ${_state_file} (expected ${_retired})" fi fi if [ "$_revoked" = "none" ]; then - grep "; Revoke:" "$KEY_FILE" > /dev/null && log_error "unexpected revoked comment in $KEY_FILE" - grep "Revoke:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected revoked in $PRIVATE_FILE" + grep "; Revoke:" "${_key_file}" > /dev/null && log_error "unexpected revoked comment in ${_key_file}" + grep "Revoke:" "${_private_file}" > /dev/null && log_error "unexpected revoked in ${_private_file}" if [ "$_legacy" == "no" ]; then - grep "Revoked: " "$STATE_FILE" > /dev/null && log_error "unexpected revoked in $STATE_FILE" + grep "Revoked: " "${_state_file}" > /dev/null && log_error "unexpected revoked in ${_state_file}" fi else - grep "; Revoke:" "$KEY_FILE" > /dev/null || log_error "mismatch revoked comment in $KEY_FILE" - grep "Revoke:" 
"$PRIVATE_FILE" > /dev/null || log_error "mismatch revoked in $PRIVATE_FILE" + grep "; Revoke: $_revoked" "${_key_file}" > /dev/null || log_error "mismatch revoked comment in ${_key_file} (expected ${_revoked})" + grep "Revoke: $_revoked" "${_private_file}" > /dev/null || log_error "mismatch revoked in ${_private_file} (expected ${_revoked})" if [ "$_legacy" == "no" ]; then - grep "Revoked: " "$STATE_FILE" > /dev/null || log_error "mismatch revoked in $STATE_FILE" + grep "Revoked: $_revoked" "${_state_file}" > /dev/null || log_error "mismatch revoked in ${_state_file} (expected ${_revoked})" fi fi if [ "$_removed" = "none" ]; then - grep "; Delete:" "$KEY_FILE" > /dev/null && log_error "unexpected removed comment in $KEY_FILE" - grep "Delete:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected removed in $PRIVATE_FILE" + grep "; Delete:" "${_key_file}" > /dev/null && log_error "unexpected removed comment in ${_key_file}" + grep "Delete:" "${_private_file}" > /dev/null && log_error "unexpected removed in ${_private_file}" if [ "$_legacy" == "no" ]; then - grep "Removed: " "$STATE_FILE" > /dev/null && log_error "unexpected removed in $STATE_FILE" + grep "Removed: " "${_state_file}" > /dev/null && log_error "unexpected removed in ${_state_file}" fi else - grep "; Delete:" "$KEY_FILE" > /dev/null || log_error "mismatch removed comment in $KEY_FILE" - grep "Delete:" "$PRIVATE_FILE" > /dev/null || log_error "mismatch removed in $PRIVATE_FILE" + grep "; Delete: $_removed" "${_key_file}" > /dev/null || log_error "mismatch removed comment in ${_key_file} (expected ${_removed})" + grep "Delete: $_removed" "${_private_file}" > /dev/null || log_error "mismatch removed in ${_private_file} (expected ${_removed})" if [ "$_legacy" == "no" ]; then - grep "Removed: " "$STATE_FILE" > /dev/null || log_error "mismatch removed in $STATE_FILE" + grep "Removed: $_removed" "${_state_file}" > /dev/null || log_error "mismatch removed in ${_state_file} (expected ${_removed})" fi fi - grep 
"; Created:" "$KEY_FILE" > /dev/null || log_error "mismatch created comment in $KEY_FILE" - grep "Created:" "$PRIVATE_FILE" > /dev/null || log_error "mismatch created in $PRIVATE_FILE" - if [ "$_legacy" == "no" ]; then - grep "Generated: " "$STATE_FILE" > /dev/null || log_error "mismatch generated in $STATE_FILE" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + +check_keytimes() { + # The script relies on Python to set keytimes. + if [ -x "$PYTHON" ]; then + + if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY1" + fi + if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY2" + fi + if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY3" + fi + if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY4" + fi fi } @@ -598,12 +714,14 @@ key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" -$KEYGEN -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 +$KEYGEN -G -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 lines=$(wc -l < "keygen.out.$POLICY.test$n") test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy default: $lines" ids=$(get_keyids "$DIR" "$ZONE") for id in $ids; do check_key "KEY1" "$id" + test "$ret" -eq 0 && key_save KEY1 + check_keytimes done test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) 
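Review bot: check_timingmetadata tests `"$_legacy" == "no"` in every branch but never assigns _legacy, so it inherits whatever the most recent check_key call left behind; in check_keys that is the last key inspected, not necessarily the key passed as $1. Add `_legacy=$(key_get "$1" LEGACY)` next to the other key_get calls at the top of the function. The private-file checks `grep "Publish:"` and `grep "Publish: $_published"` also match the `SyncPublish:` line this commit starts verifying, so the 'none' branch can raise a false "unexpected publish" and the other branch can pass on the wrong line; anchoring with `grep "^Publish:"` and `grep "^Publish: $_published"` avoids both. The assignments of _published, _active, _retired, _revoked and _removed appear twice, and _dir, _zone, _alg_numpad, _goal and the _state_* variables are assigned but not used anywhere in the function, so the first block and the unused lines can be removed.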
@@ -632,13 +750,15 @@ ret=0 cp "$STATE_FILE" "$CMP_FILE" now=$(date +%Y%m%d%H%M%S) $SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keytime "KEY1" "PUBLISHED" "yes" set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" set_keystate "KEY1" "STATE_DS" "hidden" check_key "KEY1" "$id" +test "$ret" -eq 0 && key_save KEY1 +set_keytime "KEY1" "PUBLISHED" "${now}" +check_keytimes test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -647,13 +767,15 @@ echo_i "check that 'dnssec-settime -s' also unsets publish time metadata and sta ret=0 cp "$STATE_FILE" "$CMP_FILE" $SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keytime "KEY1" "PUBLISHED" "none" set_keystate "KEY1" "GOAL" "none" set_keystate "KEY1" "STATE_DNSKEY" "none" set_keystate "KEY1" "STATE_KRRSIG" "none" set_keystate "KEY1" "STATE_ZRRSIG" "none" set_keystate "KEY1" "STATE_DS" "none" check_key "KEY1" "$id" +test "$ret" -eq 0 && key_save KEY1 +set_keytime "KEY1" "PUBLISHED" "none" +check_keytimes test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) 
@@ -663,13 +785,15 @@ ret=0 cp "$STATE_FILE" "$CMP_FILE" now=$(date +%Y%m%d%H%M%S) $SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keytime "KEY1" "ACTIVE" "yes" set_keystate "KEY1" "GOAL" "hidden" set_keystate "KEY1" "STATE_DNSKEY" "unretentive" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" set_keystate "KEY1" "STATE_DS" "omnipresent" check_key "KEY1" "$id" +test "$ret" -eq 0 && key_save KEY1 +set_keytime "KEY1" "ACTIVE" "${now}" +check_keytimes test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -724,9 +848,7 @@ check_keys() echo_i "check keys are created for zone ${ZONE} ($n)" ret=0 - n=$((n+1)) echo_i "check number of keys for zone ${ZONE} in dir ${DIR} ($n)" - ret=0 _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l) test "$_numkeys" -eq "$NUM_KEYS" || log_error "bad number ($_numkeys) of key files for zone $ZONE (expected $NUM_KEYS)" test "$ret" -eq 0 || echo_i "failed" 
@@ -751,22 +873,22 @@ check_keys() if [ "no" = "$(key_get KEY1 ID)" ] && [ "$(key_get KEY1 EXPECT)" = "yes" ]; then ret=0 check_key "KEY1" "$_id" - test "$ret" -eq 0 && key_set KEY1 "ID" "$KEY_ID" && continue + test "$ret" -eq 0 && key_save KEY1 && continue fi if [ "no" = "$(key_get KEY2 ID)" ] && [ "$(key_get KEY2 EXPECT)" = "yes" ]; then ret=0 check_key "KEY2" "$_id" - test "$ret" -eq 0 && key_set KEY2 "ID" "$KEY_ID" && continue + test "$ret" -eq 0 && key_save KEY2 && continue fi if [ "no" = "$(key_get KEY3 ID)" ] && [ "$(key_get KEY3 EXPECT)" = "yes" ]; then ret=0 check_key "KEY3" "$_id" - test "$ret" -eq 0 && key_set KEY3 "ID" "$KEY_ID" && continue + test "$ret" -eq 0 && key_save KEY3 && continue fi if [ "no" = "$(key_get KEY4 ID)" ] && [ "$(key_get KEY4 EXPECT)" = "yes" ]; then ret=0 check_key "KEY4" "$_id" - test "$ret" -eq 0 && key_set KEY4 "ID" "$KEY_ID" && continue + test "$ret" -eq 0 && key_save KEY4 && continue fi # This may be an unused key. Assume algorithm of KEY1. @@ -1018,6 +1140,18 @@ check_subdomain() { # # Zone: default.kasp. # +set_keytimes_csk_policy() { + # The first key is immediately published and activated. + created=$(key_get KEY1 CREATED) + set_keytime "KEY1" "PUBLISHED" "${created}" + set_keytime "KEY1" "ACTIVE" "${created}" + # The DS can be published if the DNSKEY and RRSIG records are + # OMNIPRESENT. This happens after max-zone-ttl (1d) plus + # publish-safety (1h) plus zone-propagation-delay (300s) = + # 86400 + 3600 + 300 = 90300. + set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300 + # Key lifetime is unlimited, so not setting RETIRED and REMOVED. +} # Check the zone with default kasp policy has loaded and is signed. set_zone "default.kasp" 
@@ -1029,10 +1163,6 @@ set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" - -# The first key is immediately published and activated. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" @@ -1041,6 +1171,8 @@ set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" set_keystate "KEY1" "STATE_DS" "hidden" check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1080,6 +1212,8 @@ set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1110,6 +1244,8 @@ set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify 
@@ -1135,10 +1271,85 @@ set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify +# Set keytimes for dnssec-policy with various algorithms. +# These all use the same time values. +set_keytimes_algorithm_policy() { + # The first KSK is immediately published and activated. + created=$(key_get KEY1 CREATED) + set_keytime "KEY1" "PUBLISHED" "${created}" + set_keytime "KEY1" "ACTIVE" "${created}" + # Key was pregenerated. + if [ "$1" == "pregenerated" ]; then + keyfile=$(key_get KEY1 BASEFILE) + grep "; Publish:" "${keyfile}.key" > published.test${n}.key1 + published=$(awk '{print $3}' < published.test${n}.key1) + set_keytime "KEY1" "PUBLISHED" "${published}" + set_keytime "KEY1" "ACTIVE" "${published}" + fi + published=$(key_get KEY1 PUBLISHED) + + # The DS can be published if the DNSKEY and RRSIG records are + # OMNIPRESENT. This happens after max-zone-ttl (1d) plus + # publish-safety (1h) plus zone-propagation-delay (300s) = + # 86400 + 3600 + 300 = 90300. + set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300 + # Key lifetime is 10 years, 315360000 seconds. + set_addkeytime "KEY1" "RETIRED" "${published}" 315360000 + # The key is removed after the retire time plus DS TTL (1d), + # parent propagation delay (1h), and retire safety (1h) = + # 86400 + 3600 + 3600 = 93600. + retired=$(key_get KEY1 RETIRED) + set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 + + # The first ZSKs are immediately published and activated. + created=$(key_get KEY2 CREATED) + set_keytime "KEY2" "PUBLISHED" "${created}" + set_keytime "KEY2" "ACTIVE" "${created}" + # Key was pregenerated. 
+ if [ "$1" == "pregenerated" ]; then + keyfile=$(key_get KEY2 BASEFILE) + grep "; Publish:" "${keyfile}.key" > published.test${n}.key2 + published=$(awk '{print $3}' < published.test${n}.key2) + set_keytime "KEY2" "PUBLISHED" "${published}" + set_keytime "KEY2" "ACTIVE" "${published}" + fi + published=$(key_get KEY2 PUBLISHED) + + # Key lifetime for KSK2 is 5 years, 157680000 seconds. + set_addkeytime "KEY2" "RETIRED" "${published}" 157680000 + # The key is removed after the retire time plus max zone ttl (1d), zone + # propagation delay (300s), retire safety (1h), and sign delay + # (signature validity minus refresh, 9d) = + # 86400 + 300 + 3600 + 777600 = 867900. + retired=$(key_get KEY2 RETIRED) + set_addkeytime "KEY2" "REMOVED" "${retired}" 867900 + + # Second ZSK (KEY3). + created=$(key_get KEY3 CREATED) + set_keytime "KEY3" "PUBLISHED" "${published}" + set_keytime "KEY3" "ACTIVE" "${published}" + # Key was pregenerated. + if [ "$1" == "pregenerated" ]; then + keyfile=$(key_get KEY3 BASEFILE) + grep "; Publish:" "${keyfile}.key" > published.test${n}.key3 + published=$(awk '{print $3}' < published.test${n}.key3) + set_keytime "KEY3" "PUBLISHED" "${published}" + set_keytime "KEY3" "ACTIVE" "${published}" + fi + published=$(key_get KEY3 PUBLISHED) + + # Key lifetime for KSK3 is 1 year, 31536000 seconds. + set_addkeytime "KEY3" "RETIRED" "${published}" 31536000 + retired=$(key_get KEY3 RETIRED) + set_addkeytime "KEY3" "REMOVED" "${retired}" 867900 +} + # # Zone: rsasha1.kasp. # 
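Review bot: In the `# Second ZSK (KEY3).` section `created=$(key_get KEY3 CREATED)` is assigned but the two set_keytime calls that follow pass `${published}`, which still holds KEY2's publish time; the KEY1 and KEY2 sections pass `${created}` at the same point, so either KEY3 should use `"${created}"` as well or the dead assignment should go and the intent be commented. The comments `# Key lifetime for KSK2 is 5 years, 157680000 seconds.` and `# Key lifetime for KSK3 is 1 year, 31536000 seconds.` describe KEY2 and KEY3, which this helper introduces as ZSKs (`# The first ZSKs are immediately published and activated.`); rename them to ZSK. When the `; Publish:` grep matches nothing in the pregenerated branch, published becomes empty and the failure only surfaces later as a mismatch with an empty expected value; a `test -s published.test${n}.key1 || log_error "no publish time in ${keyfile}.key"` after each grep would localise it. The helper's three sections are near-identical and could be one loop or a per-key helper, but that is a style choice.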
@@ -1166,19 +1377,7 @@ set_keylifetime "KEY3" "31536000" set_keyalgorithm "KEY3" "5" "RSASHA1" "2000" set_keysigning "KEY3" "no" set_zonesigning "KEY3" "yes" -# The first keys are immediately published and activated. -# Because lifetime > 0, retired timing is also set. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "yes" -set_keytime "KEY2" "PUBLISHED" "yes" -set_keytime "KEY2" "ACTIVE" "yes" -set_keytime "KEY2" "RETIRED" "yes" - -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" -set_keytime "KEY3" "RETIRED" "yes" # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. # ZSK: DNSKEY, RRSIG (zsk) published. set_keystate "KEY1" "GOAL" "omnipresent" @@ -1197,6 +1396,8 @@ set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" key_clear "KEY4" check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1229,10 +1430,6 @@ set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" -# The first key is immediately published and activated. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "none" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" @@ -1241,6 +1438,8 @@ set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" set_keystate "KEY1" "STATE_DS" "hidden" check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify 
@@ -1273,19 +1472,6 @@ set_keylifetime "KEY3" "31536000" set_keyalgorithm "KEY3" "5" "RSASHA1" "2000" set_keysigning "KEY3" "no" set_zonesigning "KEY3" "yes" -# The first keys are immediately published and activated. -# Because lifetime > 0, retired timing is also set. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "yes" - -set_keytime "KEY2" "PUBLISHED" "yes" -set_keytime "KEY2" "ACTIVE" "yes" -set_keytime "KEY2" "RETIRED" "yes" - -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" -set_keytime "KEY3" "RETIRED" "yes" # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. # ZSK: DNSKEY, RRSIG (zsk) published. set_keystate "KEY1" "GOAL" "omnipresent" @@ -1304,6 +1490,8 @@ set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" key_clear "KEY4" check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1317,6 +1505,8 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1330,6 +1520,8 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_algorithm_policy "pregenerated" +check_keytimes check_apex check_subdomain dnssec_verify @@ -1343,6 +1535,8 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1358,6 +1552,8 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_algorithm_policy "pregenerated" +check_keytimes check_apex check_subdomain dnssec_verify 
@@ -1372,6 +1568,18 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_algorithm_policy +# Activation date is a day later. +set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400 +set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400 +set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400 +set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400 +set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400 +set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400 +set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400 +set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400 +set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400 +check_keytimes check_apex check_subdomain dnssec_verify @@ -1385,6 +1593,8 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1438,6 +1648,8 @@ set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000" # Key timings and states same as above. check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1455,6 +1667,8 @@ set_keyalgorithm "KEY3" "8" "RSASHA256" "2000" # Key timings and states same as above. check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1472,6 +1686,8 @@ set_keyalgorithm "KEY3" "10" "RSASHA512" "2000" # Key timings and states same as above. check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1489,6 +1705,8 @@ set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" # Key timings and states same as above. check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify 
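Review bot: The nine `set_addkeytime "KEYn" "FIELD" $(key_get KEYn FIELD) 86400` calls leave the command substitution unquoted, unlike every other set_addkeytime call site in this diff; if key_get ever returns an empty value the empty word vanishes, 86400 becomes the base time and $4 is unset, and the resulting error would point at the wrong place. Quote them, e.g. `set_addkeytime "KEY1" "ACTIVE" "$(key_get KEY1 ACTIVE)" 86400`.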
@@ -1506,12 +1724,47 @@ set_keyalgorithm "KEY3" "14" "ECDSAP384SHA384" "384" # Key timings and states same as above. check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify # TODO: ED25519 and ED448. +# Set key times for 'autosign' policy. +set_keytimes_autosign_policy() { + # The KSK was published six months ago (with settime). + created=$(key_get KEY1 CREATED) + set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000 + set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000 + set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000 + # Key lifetime is 2 years, 63072000 seconds. + active=$(key_get KEY1 ACTIVE) + set_addkeytime "KEY1" "RETIRED" "${active}" 63072000 + # The key is removed after the retire time plus DS TTL (1d), + # parent propagation delay (1h), retire safety (1h) = + # 86400 + 3600 + 3600 = 93600 + retired=$(key_get KEY1 RETIRED) + set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 + + # The ZSK was published six months ago (with settime). + created=$(key_get KEY2 CREATED) + set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000 + set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000 + # Key lifetime for KSK2 is 1 year, 31536000 seconds. + active=$(key_get KEY2 ACTIVE) + set_addkeytime "KEY2" "RETIRED" "${active}" 31536000 + # The key is removed after the retire time plus: + # TTLsig (RRSIG TTL): 1 day (86400 seconds) + # Dprp (propagation delay): 5 minutes (300 seconds) + # retire-safety: 1 hour (3600 seconds) + # Dsgn (sign delay): 7 days (604800 seconds) + # Iret: 695100 seconds. + retired=$(key_get KEY2 RETIRED) + set_addkeytime "KEY2" "REMOVED" "${retired}" 695100 +} + # # Zone: expired-sigs.autosign. # 
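Review bot: `# Key lifetime for KSK2 is 1 year, 31536000 seconds.` refers to KEY2, which the comment three lines above (`# The ZSK was published six months ago`) and the set_keyrole calls in this file treat as the ZSK; it should read `# Key lifetime for the ZSK (KEY2) is 1 year, 31536000 seconds.` The helper also writes the unprefixed globals created, active and retired, whereas the later helpers set_retired_removed and rollover_predecessor_keytimes use underscore-prefixed names; using `_created`/`_active`/`_retired` here keeps the helpers consistent with each other.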
@@ -1532,14 +1785,7 @@ set_keylifetime "KEY2" "31536000" set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY2" "no" set_zonesigning "KEY2" "yes" -# Key timings. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "yes" -set_keytime "KEY2" "PUBLISHED" "yes" -set_keytime "KEY2" "ACTIVE" "yes" -set_keytime "KEY2" "RETIRED" "yes" # Both KSK and ZSK stay OMNIPRESENT. set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" @@ -1554,6 +1800,8 @@ key_clear "KEY3" key_clear "KEY4" check_keys +set_keytimes_autosign_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1609,6 +1857,8 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_autosign_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1664,6 +1914,8 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_autosign_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1690,10 +1942,6 @@ set_keylifetime "KEY3" "31536000" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY3" "no" set_zonesigning "KEY3" "no" -# Key timings. -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" -set_keytime "KEY3" "RETIRED" "yes" # The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK # is active. set_keystate "KEY2" "GOAL" "hidden" 
@@ -1706,6 +1954,30 @@ set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_ZRRSIG" "hidden" check_keys +set_keytimes_autosign_policy + +# The old ZSK is retired. +created=$(key_get KEY2 CREATED) +set_keytime "KEY2" "RETIRED" "${created}" +set_addkeytime "KEY2" "REMOVED" "${created}" 695100 +# The new ZSK is immediately published. +created=$(key_get KEY3 CREATED) +set_keytime "KEY3" "PUBLISHED" "${created}" +# And becomes active after Ipub: +# DNSKEY TTL: 300 seconds +# zone-propagation-delay 5 minutes (300 seconds) +# publish-safety: 1 hour (3600 seconds) +# Ipub: 4200 seconds +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "ACTIVE" "${published}" 4200 +# Lzsk: 1 year (31536000 seconds) +active=$(key_get KEY3 ACTIVE) +set_addkeytime "KEY3" "RETIRED" "${active}" 31536000 +# Iret: 695100 seconds. +retired=$(key_get KEY3 RETIRED) +set_addkeytime "KEY3" "REMOVED" "${retired}" 695100 + +check_keytimes check_apex check_subdomain dnssec_verify @@ -1823,10 +2095,6 @@ set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "none" - set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" @@ -1838,6 +2106,8 @@ set_policy "default" "1" "3600" set_server "ns2" "10.53.0.2" TSIG="" check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1847,6 +2117,8 @@ set_policy "default" "1" "3600" set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:sha1:$SHA1" check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1856,6 +2128,8 @@ set_policy "default" "1" "3600" set_server "ns4" "10.53.0.4" TSIG="hmac-sha224:sha224:$SHA224" check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify 
@@ -1865,6 +2139,8 @@ set_policy "default" "1" "3600" set_server "ns5" "10.53.0.5" TSIG="hmac-sha1:sha1:$SHA1" check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1874,6 +2150,8 @@ set_policy "default" "1" "3600" set_server "ns5" "10.53.0.5" TSIG="hmac-sha224:sha224:$SHA224" check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1897,6 +2175,8 @@ set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:sha1:$SHA1" wait_for_nsec check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1907,6 +2187,8 @@ set_server "ns4" "10.53.0.4" TSIG="hmac-sha224:sha224:$SHA224" wait_for_nsec check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1917,6 +2199,8 @@ set_server "ns4" "10.53.0.4" TSIG="hmac-sha256:sha256:$SHA256" wait_for_nsec check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1927,6 +2211,8 @@ set_server "ns5" "10.53.0.5" TSIG="hmac-sha224:sha224:$SHA224" wait_for_nsec check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1937,6 +2223,8 @@ set_server "ns5" "10.53.0.5" TSIG="hmac-sha256:sha256:$SHA256" wait_for_nsec check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1946,6 +2234,8 @@ set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:keyforview1:$VIEW1" wait_for_nsec check_keys +set_keytimes_csk_policy +check_keytimes check_apex dnssec_verify n=$((n+1)) @@ -1995,9 +2285,6 @@ set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" -# Key timings. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" # The DNSKEY and signatures are introduced first, the DS remains hidden. set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" 
@@ -2010,6 +2297,20 @@ key_clear "KEY3" key_clear "KEY4" check_keys + +# The first key is immediately published and activated. +created=$(key_get KEY1 CREATED) +set_keytime "KEY1" "PUBLISHED" "${created}" +set_keytime "KEY1" "ACTIVE" "${created}" +# The DS can be published if the DNSKEY and RRSIG records are +# OMNIPRESENT. This happens after max-zone-ttl (12h) plus +# publish-safety (5m) plus zone-propagation-delay (5m) = +# 43200 + 300 + 300 = 43800. +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 +# Key lifetime is unlimited, so not setting RETIRED and REMOVED. + +check_keytimes + check_apex check_subdomain dnssec_verify @@ -2053,6 +2354,15 @@ set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" check_keys + +# The key was published and activated 900 seconds ago (with settime). +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 + +check_keytimes + check_apex check_subdomain dnssec_verify @@ -2073,6 +2383,15 @@ set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" set_keystate "KEY1" "STATE_DS" "rumoured" check_keys + +# The key was published and activated 44700 seconds ago (with settime). +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700 +set_addkeytime "KEY1" "ACTIVE" "${created}" -44700 +set_keytime "KEY1" "SYNCPUBLISH" "${created}" + +check_keytimes + check_apex check_subdomain dnssec_verify @@ -2092,6 +2411,15 @@ set_server "ns3" "10.53.0.3" set_keystate "KEY1" "STATE_DS" "omnipresent" check_keys + +# The key was published and activated 143100 seconds ago (with settime). +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -143100 +set_addkeytime "KEY1" "ACTIVE" "${created}" -143100 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -98400 + +check_keytimes + check_apex check_subdomain dnssec_verify 
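Review bot: The inline block after check_keys repeats set_keytimes_csk_policy line for line, differing only in the SYNCPUBLISH offset (43800 here against 90300 in the helper, because this zone's max-zone-ttl is 12h); giving the helper the delay as an optional parameter (`set_keytimes_csk_policy 43800`, defaulting to 90300) would remove the duplicate and keep the explanation of the delay in one place. The helper is defined in an earlier hunk of this file, so that change belongs there.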
@@ -2104,34 +2432,64 @@ check_next_key_event 3600
 # Testing ZSK Pre-Publication rollover.
 #
+# Policy parameters.
+# Lksk: 2 years (63072000 seconds)
+# Lzsk: 30 days (2592000 seconds)
+# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (2d)
+# Iret(KSK): 3d1h (262800 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d)
+# Iret(ZSK): 10d1h (867600 seconds)
+Lksk=63072000
+Lzsk=2592000
+IretKSK=262800
+IretZSK=867600
+
 #
 # Zone: step1.zsk-prepub.autosign.
 #
 set_zone "step1.zsk-prepub.autosign"
 set_policy "zsk-prepub" "2" "3600"
 set_server "ns3" "10.53.0.3"
+
+set_retired_removed() {
+ _Lkey=$2
+ _Iret=$3
+
+ _active=$(key_get $1 ACTIVE)
+ set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}"
+ _retired=$(key_get $1 RETIRED)
+ set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
+}
+
+rollover_predecessor_keytimes() {
+ _addtime=$1
+
+ _created=$(key_get KEY1 CREATED)
+ set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lksk" == 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+
+ _created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lzsk" == 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+}
+
 # Key properties.
 key_clear "KEY1"
 set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "63072000"
+set_keylifetime "KEY1" "${Lksk}"
 set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "no"
 key_clear "KEY2"
 set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "2592000"
+set_keylifetime "KEY2" "${Lzsk}"
 set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
 set_keysigning "KEY2" "no"
 set_zonesigning "KEY2" "yes"
-# Key timings.
-set_keytime "KEY1" "PUBLISHED" "yes"
-set_keytime "KEY1" "ACTIVE" "yes"
-set_keytime "KEY1" "RETIRED" "yes"
-
-set_keytime "KEY2" "PUBLISHED" "yes"
-set_keytime "KEY2" "ACTIVE" "yes"
-set_keytime "KEY2" "RETIRED" "yes"
 # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
 set_keystate "KEY1" "GOAL" "omnipresent"
 set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
@@ -2146,6 +2504,11 @@ key_clear "KEY3"
 key_clear "KEY4"
 check_keys
+
+# These keys are immediately published and activated.
+rollover_predecessor_keytimes 0
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2165,20 +2528,30 @@ set_server "ns3" "10.53.0.3"
 # New ZSK (KEY3) is prepublished, but not yet signing.
 key_clear "KEY3"
 set_keyrole "KEY3" "zsk"
-set_keylifetime "KEY3" "2592000"
+set_keylifetime "KEY3" "${Lzsk}"
 set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
 set_keysigning "KEY3" "no"
 set_zonesigning "KEY3" "no"
-# Key timings.
-set_keytime "KEY3" "PUBLISHED" "yes"
-set_keytime "KEY3" "ACTIVE" "yes"
-set_keytime "KEY3" "RETIRED" "yes"
 # Key states.
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "GOAL" "omnipresent"
 set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
 set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
 check_keys
+
+# The old keys were activated 694 hours ago (2498400 seconds).
+rollover_predecessor_keytimes -2498400
+# The new ZSK is published now.
+created=$(key_get KEY3 CREATED)
+set_keytime "KEY3" "PUBLISHED" "${created}"
+# The new ZSK becomes active when the DNSKEY is OMNIPRESENT.
+# Ipub: TTLkey (1h) + Dprp (1h) + publish-safety (1d)
+# Ipub: 26 hour (93600 seconds).
+IpubZSK=93600
+set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubZSK}"
+set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
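Review bot: `[ "$Lksk" == 0 ]` and `[ "$Lzsk" == 0 ]` in rollover_predecessor_keytimes use `==`, which POSIX test(1) does not define; `=` is the portable spelling, e.g. `[ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"` (the same applies to `[ "$Lcsk" == 0 ]` in csk_rollover_predecessor_keytimes further down). In set_retired_removed, `key_get $1 ACTIVE` and `key_get $1 RETIRED` leave `$1` unquoted while the neighbouring lines quote `"${1}"`; quoting it in both places keeps the helper consistent. Both helpers also read Lksk, Lzsk, IretKSK and IretZSK as globals that each calling section has to set beforehand, which deserves a header comment such as `# Expects Lksk/Lzsk/IretKSK/IretZSK to be set by the calling section; a lifetime of 0 skips RETIRED/REMOVED.` Finally, these helpers are defined in the middle of the zsk-prepub step1 section but are reused by every later rollover and migration section; defining them alongside the script's other helpers would make that reuse explicit.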
@@ -2204,6 +2577,16 @@ set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
 set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
 check_keys
+
+# The old keys are activated 30 days ago (2592000 seconds).
+rollover_predecessor_keytimes -2592000
+# The new ZSK is published 26 hours ago (93600 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600
+set_keytime "KEY3" "ACTIVE" "${created}"
+set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
+check_keytimes
+
 check_apex
 # Subdomain still has good signatures of ZSK (KEY2).
 # Set expected zone signing on for KEY2 and off for KEY3,
@@ -2236,6 +2619,17 @@ set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
 set_keystate "KEY3" "STATE_ZRRSIG" "omnipresent"
 check_keys
+
+# The old keys are activated 961 hours ago (3459600 seconds).
+rollover_predecessor_keytimes -3459600
+# The new ZSK is published 267 hours ago (961200 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -961200
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}"
+set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2251,12 +2645,21 @@ check_next_key_event 7200
 set_zone "step5.zsk-prepub.autosign"
 set_policy "zsk-prepub" "3" "3600"
 set_server "ns3" "10.53.0.3"
-# ZSK (KEY3) DNSKEY is now completely HIDDEN and removed.
-set_keytime "KEY2" "REMOVED" "yes"
+# ZSK (KEY2) DNSKEY is now completely HIDDEN and removed.
 set_keystate "KEY2" "STATE_DNSKEY" "hidden"
-# ZSK (KEY3) remains actively signing, staying in OMNIPRESENT.
 check_keys
+
+# The old keys are activated 962 hours ago (3463200 seconds).
+rollover_predecessor_keytimes -3463200
+# The new ZSK is published 268 hours ago (964800 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -964800
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}"
+set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2270,6 +2673,18 @@ check_next_key_event 1627200
 # Testing KSK Double-KSK rollover.
 #
+# Policy parameters.
+# Lksk: 60 days (16070400 seconds)
+# Lzsk: 1 year (31536000 seconds)
+# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2d)
+# Iret(KSK): 50h (180000 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d)
+# Iret(ZSK): 10d1h (867600 seconds)
+Lksk=5184000
+Lzsk=31536000
+IretKSK=180000
+IretZSK=867600
+
 #
 # Zone: step1.ksk-doubleksk.autosign.
 #
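Review bot: The policy-parameter comment `# Lksk: 60 days (16070400 seconds)` contradicts the assignment `Lksk=5184000` a few lines below: 60 days is 5184000 seconds, while 16070400 is 186 days. The csk-roll block further down has the mirror-image slip, `# Lcsk: 186 days (5184000 seconds)` directly above `Lcsk=16070400`. The assignments are the values fed to set_keylifetime in the step1 sections, so the comments are what need correcting: `# Lksk: 60 days (5184000 seconds)` here and `# Lcsk: 186 days (16070400 seconds)` in the csk-roll block.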
@@ -2279,25 +2694,17 @@ set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear "KEY1"
 set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "5184000"
+set_keylifetime "KEY1" "${Lksk}"
 set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "no"
 key_clear "KEY2"
 set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "31536000"
+set_keylifetime "KEY2" "${Lzsk}"
 set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
 set_keysigning "KEY2" "no"
 set_zonesigning "KEY2" "yes"
-# Key timings.
-set_keytime "KEY1" "PUBLISHED" "yes"
-set_keytime "KEY1" "ACTIVE" "yes"
-set_keytime "KEY1" "RETIRED" "yes"
-
-set_keytime "KEY2" "PUBLISHED" "yes"
-set_keytime "KEY2" "ACTIVE" "yes"
-set_keytime "KEY2" "RETIRED" "yes"
 # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
 set_keystate "KEY1" "GOAL" "omnipresent"
 set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
@@ -2312,6 +2719,11 @@ key_clear "KEY3"
 key_clear "KEY4"
 check_keys
+
+# These keys are immediately published and activated.
+rollover_predecessor_keytimes 0
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2332,14 +2744,10 @@ set_server "ns3" "10.53.0.3"
 # New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
 key_clear "KEY3"
 set_keyrole "KEY3" "ksk"
-set_keylifetime "KEY3" "5184000"
+set_keylifetime "KEY3" "${Lksk}"
 set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
 set_keysigning "KEY3" "yes"
 set_zonesigning "KEY3" "no"
-# Key timings.
-set_keytime "KEY3" "PUBLISHED" "yes"
-set_keytime "KEY3" "ACTIVE" "yes"
-set_keytime "KEY3" "RETIRED" "yes"
 # Key states.
 set_keystate "KEY3" "GOAL" "omnipresent"
 set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
@@ -2347,6 +2755,27 @@ set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
 set_keystate "KEY3" "STATE_DS" "hidden"
 check_keys
+
+# The old keys were activated 1413 hours ago (5086800 seconds).
+rollover_predecessor_keytimes -5086800
+# The new KSK is published now.
+created=$(key_get KEY3 CREATED)
+set_keytime "KEY3" "PUBLISHED" "${created}"
+# The new KSK should publish the CDS after the prepublication time.
+# TTLkey: 2h
+# DprpC: 1h
+# publish-safety: 1d
+# IpubC: 27h (97200 seconds)
+IpubC=97200
+set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${IpubC}"
+# The new KSK becomes active after the registration delay.
+# Dreg: 1d (86400 seconds)
+Dreg=86400
+syncpub=$(key_get KEY3 SYNCPUBLISH)
+set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}"
+set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2371,6 +2800,20 @@ set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
 set_keystate "KEY3" "STATE_DS" "rumoured"
 check_keys
+
+# The old keys were activated 59 days ago (5097600 seconds).
+rollover_predecessor_keytimes -5097600
+# The new KSK is published 27 hours ago (97200 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200
+# The new KSK CDS is published now.
+set_keytime "KEY3" "SYNCPUBLISH" "${created}"
+# The new KSK becomes active Dreg (1d) later.
+syncpub=$(key_get KEY3 SYNCPUBLISH)
+set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}"
+set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2399,6 +2842,19 @@ set_keystate "KEY1" "STATE_DS" "hidden"
 set_keystate "KEY3" "STATE_DS" "omnipresent"
 check_keys
+
+# The old keys were activated 1490 hours ago (5364000 seconds).
+rollover_predecessor_keytimes -5364000
+# The new KSK is published 101 hours ago (363600 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -363600
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}"
+syncpub=$(key_get KEY3 SYNCPUBLISH)
+set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}"
+set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2419,6 +2875,19 @@ set_keystate "KEY1" "STATE_DNSKEY" "hidden"
 set_keystate "KEY1" "STATE_KRRSIG" "hidden"
 check_keys
+
+# The old KSK is activated 1492 hours ago (5371200 seconds).
+rollover_predecessor_keytimes -5371200
+# The new KSK is published 103 hours ago (370800 seconds).
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -370800
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}"
+syncpub=$(key_get KEY3 SYNCPUBLISH)
+set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}"
+set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2433,6 +2902,28 @@ check_next_key_event 4813200
 # Testing CSK key rollover (1).
 #
+# Policy parameters.
+# Lcsk: 186 days (5184000 seconds)
+# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2h)
+# Iret(KSK): 4h (14400 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (25d) + retire-safety (2h)
+# Iret(ZSK): 26d3h (2257200 seconds)
+Lcsk=16070400
+IretKSK=14400
+IretZSK=2257200
+IretCSK=$IretZSK
+
+csk_rollover_predecessor_keytimes() {
+ _addksktime=$1
+ _addzsktime=$2
+
+ _created=$(key_get KEY1 CREATED)
+ set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addksktime}"
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addzsktime}"
+ set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addzsktime}"
+ [ "$Lcsk" == 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}"
+}
+
 #
 # Zone: step1.csk-roll.autosign.
 #
@@ -2442,14 +2933,10 @@ set_server "ns3" "10.53.0.3"
 # Key properties.
 key_clear "KEY1"
 set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "16070400"
+set_keylifetime "KEY1" "${Lcsk}"
 set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "yes"
-# Key timings.
-set_keytime "KEY1" "PUBLISHED" "yes"
-set_keytime "KEY1" "ACTIVE" "yes"
-set_keytime "KEY1" "RETIRED" "yes"
 # The CSK (KEY1) starts in OMNIPRESENT.
 set_keystate "KEY1" "GOAL" "omnipresent"
 set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
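Review bot: The parameters of csk_rollover_predecessor_keytimes are named `_addksktime` and `_addzsktime`, but the first is applied only to PUBLISHED and the second to both SYNCPUBLISH and ACTIVE, while the call sites in the following sections describe the same two values as "activated N hours ago" and "started signing M hours ago"; a reader has to work out which offset lands on which timing. A short header comment would remove the guesswork, e.g. `# $1: offset (seconds) applied to KEY1 PUBLISHED; $2: offset applied to KEY1 SYNCPUBLISH and ACTIVE.` Naming the parameters after the timings they set (`_addpubtime`, `_addacttime`) would make the call sites self-explanatory as well. The helper also depends on the globals Lcsk and IretCSK being set by the calling section, which that comment should state.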
@@ -2462,16 +2949,20 @@ key_clear "KEY3"
 key_clear "KEY4"
 check_keys
+
+# This key is immediately published and activated.
+csk_rollover_predecessor_keytimes 0 0
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
-# Next key event is when the successor CSK needs to be published. That is
-# the CSK lifetime - prepublication time - DS registration delay. The
-# prepublication time is DNSKEY TTL plus publish safety plus the zone
-# propagation delay. For the csk-roll policy that means:
-# 6mo - 1d - 3h = 15973200 seconds.
-check_next_key_event 15973200
+# Next key event is when the successor CSK needs to be published.
+# This is Lcsk - Ipub - Dreg.
+# Lcsk: 186d (16070400 seconds)
+# Ipub: 3h (10800 seconds)
+check_next_key_event 16059600
 #
 # Zone: step2.csk-roll.autosign.
@@ -2486,10 +2977,6 @@ set_keylifetime "KEY2" "16070400"
 set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
 set_keysigning "KEY2" "yes"
 set_zonesigning "KEY2" "no"
-# Key timings.
-set_keytime "KEY2" "PUBLISHED" "yes"
-set_keytime "KEY2" "ACTIVE" "yes"
-set_keytime "KEY2" "RETIRED" "yes"
 # Key states.
 set_keystate "KEY2" "GOAL" "omnipresent"
 set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
@@ -2498,6 +2985,21 @@ set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
 set_keystate "KEY2" "STATE_DS" "hidden"
 check_keys
+
+# This key was activated 4437 hours ago (15973200 seconds)
+# and started signing 4461 hours ago (16059600 seconds).
+csk_rollover_predecessor_keytimes -15973200 -16059600
+# The new CSK is published now.
+created=$(key_get KEY2 CREATED)
+set_keytime "KEY2" "PUBLISHED" "${created}"
+# The new CSK should publish the CDS after the prepublication time.
+# Ipub: 3 hour (10800 seconds)
+Ipub="10800"
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
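Review bot: The new comment `# This is Lcsk - Ipub - Dreg.` lists only Lcsk and Ipub below it, and the expected value 16059600 is exactly 16070400 - 10800, so Dreg plays no part in the number shown. Either Dreg is zero for the csk-roll policy and should be listed as such, or the formula line is stale; the same comment and value are repeated for step1 of csk-roll2, directly after that section assigns `Dreg=604800`, where the mismatch is more visible. If the expected values are what named produces, I would make the comment say what is computed, `# This is Lcsk - Ipub.`, and mention Dreg only where it is actually subtracted.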
@@ -2528,6 +3030,19 @@ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
 set_keystate "KEY2" "STATE_DS" "rumoured"
 check_keys
+
+# This key was activated 185 days ago (15984000 seconds)
+# and started signing 186 days ago (16070400 seconds).
+csk_rollover_predecessor_keytimes -15984000 -16070400
+# The new CSK is published three hours ago, CDS must be published now.
+# Also signatures are being introduced now.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}"
+set_keytime "KEY2" "SYNCPUBLISH" "${created}"
+set_keytime "KEY2" "ACTIVE" "${created}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 # Subdomain still has good signatures of old CSK (KEY1).
 # Set expected zone signing on for KEY1 and off for KEY2,
@@ -2555,7 +3070,7 @@ set_zone "step4.csk-roll.autosign"
 set_policy "csk-roll" "2" "3600"
 set_server "ns3" "10.53.0.3"
 # The old CSK (KEY1) is no longer signing the DNSKEY RRset.
-set_keysigning "KEY1" "no"
+set_keysigning "KEY1" "no"
 # The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public
 # but can remove the KRRSIG records.
 set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
@@ -2564,6 +3079,19 @@ set_keystate "KEY1" "STATE_DS" "hidden"
 set_keystate "KEY2" "STATE_DS" "omnipresent"
 check_keys
+
+# This key was activated 4468 hours ago (16084800 seconds)
+# and started signing 4492 hours ago (16171200 seconds).
+csk_rollover_predecessor_keytimes -16084800 -16171200
+# The new CSK started signing 1d4h ago (100800 seconds).
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "ACTIVE" "${created}" -100800
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -100800
+syncpub=$(key_get KEY2 SYNCPUBLISH)
+set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2583,6 +3111,19 @@ set_server "ns3" "10.53.0.3"
 set_keystate "KEY1" "STATE_KRRSIG" "hidden"
 check_keys
+
+# This key was activated 4470 hours ago (16092000 seconds)
+# and started signing 4494 hours ago (16178400 seconds).
+csk_rollover_predecessor_keytimes -16092000 -16178400
+# The new CSK started signing 1d6h ago (108000 seconds).
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "ACTIVE" "${created}" -108000
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -108000
+syncpub=$(key_get KEY2 SYNCPUBLISH)
+set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2608,6 +3149,19 @@ set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
 check_keys
+
+# This key was activated 5067 hours ago (18241200 seconds)
+# and started signing 5091 hours ago (18327600 seconds).
+csk_rollover_predecessor_keytimes -18241200 -18327600
+# The new CSK is activated 627 hours ago (2257200 seconds).
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2257200
+syncpub=$(key_get KEY2 SYNCPUBLISH)
+set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2627,20 +3181,48 @@ set_server "ns3" "10.53.0.3"
 set_keystate "KEY1" "STATE_DNSKEY" "hidden"
 check_keys
+
+# This key was activated 5069 hours ago (18248400 seconds)
+# and started signing 5093 hours ago (18334800 seconds).
+csk_rollover_predecessor_keytimes -18248400 -18334800
+# The new CSK is activated 629 hours ago (2264400 seconds).
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2264400
+syncpub=$(key_get KEY2 SYNCPUBLISH)
+set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
-# Next key event is when the new successor needs to be published. This is the
-# CSK lifetime minus Ipub minus Dreg minus Iret minus DNSKEY TTL minus zone
-# propagation delay. For the csk-roll this is:
-# 6mo - 3h - 1d - 26d3h - 1h - 1h = 6mo - 27d8h = 13708800 seconds.
-check_next_key_event 13708800
+# Next key event is when the new successor needs to be published.
+# This is the Lcsk, minus time passed since the key started signing,
+# minus the prepublication time.
+# Lcsk: 186d (16070400 seconds)
+# Time passed: 629h (2264400 seconds)
+# Ipub: 3h (10800 seconds)
+check_next_key_event 13795200
 #
 # Testing CSK key rollover (2).
 #
+# Policy parameters.
+# Lcsk: 186 days (16070400 seconds)
+# Dreg: : 1w (604800 seconds)
+# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (1h)
+# Iret(KSK): 3h (10800 seconds)
+# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (12h) + retire-safety (1h)
+# Iret(ZSK): 38h (136800 seconds)
+Lcsk=16070400
+Dreg=604800
+IretKSK=10800
+IretZSK=136800
+IretCSK=$((Dreg+IretKSK))
+
 #
 # Zone: step1.csk-roll2.autosign.
 #
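Review bot: `# Dreg: : 1w (604800 seconds)` in the csk-roll2 policy parameters has a doubled colon. `IretCSK=$((Dreg+IretKSK))` is also derived differently from the csk-roll block, where `IretCSK=$IretZSK`; a one-line comment on why the CSK retire interval follows the KSK part plus Dreg here (presumably because that sum is the larger of the two parts under this policy) would spare the next reader the arithmetic.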
@@ -2654,10 +3236,6 @@ set_keylifetime "KEY1" "16070400"
 set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "yes"
-# Key timings.
-set_keytime "KEY1" "PUBLISHED" "yes"
-set_keytime "KEY1" "ACTIVE" "yes"
-set_keytime "KEY1" "RETIRED" "yes"
 # The CSK (KEY1) starts in OMNIPRESENT.
 set_keystate "KEY1" "GOAL" "omnipresent"
 set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
@@ -2670,16 +3248,20 @@ key_clear "KEY3"
 key_clear "KEY4"
 check_keys
+
+# This key is immediately published and activated.
+csk_rollover_predecessor_keytimes 0 0
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
-# Next key event is when the successor CSK needs to be published. That is
-# the CSK lifetime - prepublication time - DS registration delay. The
-# prepublication time is DNSKEY TTL plus publish safety plus the zone
-# propagation delay. For the csk-roll2 policy that means:
-# 6mo - 3h - 1w = 15454800 seconds.
-check_next_key_event 15454800
+# Next key event is when the successor CSK needs to be published.
+# This is Lcsk - Ipub - Dreg.
+# Lcsk: 186d (16070400 seconds)
+# Ipub: 3h (10800 seconds)
+check_next_key_event 16059600
 #
 # Zone: step2.csk-roll2.autosign.
@@ -2694,10 +3276,6 @@ set_keylifetime "KEY2" "16070400"
 set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
 set_keysigning "KEY2" "yes"
 set_zonesigning "K EY2" "no"
-# Key timings.
-set_keytime "KEY2" "PUBLISHED" "yes"
-set_keytime "KEY2" "ACTIVE" "yes"
-set_keytime "KEY2" "RETIRED" "yes"
 # Key states.
 set_keystate "KEY2" "GOAL" "omnipresent"
 set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
@@ -2706,6 +3284,20 @@ set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
 set_keystate "KEY2" "STATE_DS" "hidden"
 check_keys
+
+# This key was activated 4293 hours ago (15454800 seconds)
+# and started signing 4461 hours ago (16059600 seconds).
+csk_rollover_predecessor_keytimes -15454800 -16059600
+# The new CSK is published now.
+created=$(key_get KEY2 CREATED)
+set_keytime "KEY2" "PUBLISHED" "${created}"
+# The new CSK should publish the CDS after the prepublication time.
+# Ipub: 3 hour (10800 seconds)
+Ipub="10800"
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2735,6 +3327,19 @@ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
 set_keystate "KEY2" "STATE_DS" "rumoured"
 check_keys
+
+# This key was activated 179 days ago (15465600 seconds)
+# and started signing 186 days ago (16070400 seconds).
+csk_rollover_predecessor_keytimes -15465600 -16070400
+# The new CSK is published three hours ago, CDS must be published now.
+# Also signatures are being introduced now.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}"
+set_keytime "KEY2" "SYNCPUBLISH" "${created}"
+set_keytime "KEY2" "ACTIVE" "${created}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 # Subdomain still has good signatures of old CSK (KEY1).
 # Set expected zone signing on for KEY1 and off for KEY2,
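Review bot: The step2.csk-roll2 block sets up the expected key times but never calls `check_keytimes`: the added lines end with `set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"` followed by a blank line, whereas the equivalent step2.csk-roll block and every other step in this series end with `check_keytimes`. As written, the PUBLISHED/SYNCPUBLISH/ACTIVE/RETIRED/REMOVED expectations computed for this step are never compared against the key files, so a timing regression in step 2 of csk-roll2 would go unnoticed. Add `check_keytimes` directly after the `set_retired_removed` line.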
@@ -2768,6 +3373,19 @@ set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
 check_keys
+
+# This key was activated 4334 hours ago (15602400 seconds)
+# and started signing 4502 hours ago (16207200 seconds).
+csk_rollover_predecessor_keytimes -15602400 -16207200
+# The new CSK was published 41 hours (147600 seconds) ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2796,6 +3414,19 @@ set_keystate "KEY1" "STATE_DS" "hidden"
 set_keystate "KEY2" "STATE_DS" "omnipresent"
 check_keys
+
+# This key was activated 4467 hours ago (16081200 seconds)
+# and started signing 4635 hours ago (16686000 seconds).
+csk_rollover_predecessor_keytimes -16081200 -16686000
+# The new CSK was published 174 hours (626400 seconds) ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -626400
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2816,12 +3447,28 @@ set_keystate "KEY1" "STATE_DNSKEY" "hidden"
 set_keystate "KEY1" "STATE_KRRSIG" "hidden"
 check_keys
+
+# This key was activated 4469 hours ago (16088400 seconds)
+# and started signing 4637 hours ago (16693200 seconds).
+csk_rollover_predecessor_keytimes -16088400 -16693200
+# The new CSK was published 176 hours (633600 seconds) ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -633600
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
+set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
 # Next key event is when the new successor needs to be published.
-check_next_key_event 14684400
+# This is the Lcsk, minus time passed since the key was published.
+# Lcsk: 186d (16070400 seconds)
+# Time passed: 176h (633600 seconds)
+check_next_key_event 15436800
 #
 # Testing algorithm rollover.
@@ -2849,12 +3496,7 @@ set_keysigning "KEY2" "no"
 set_zonesigning "KEY2" "yes"
 key_clear "KEY3"
 key_clear "KEY4"
-# Key timings.
-set_keytime "KEY1" "PUBLISHED" "yes"
-set_keytime "KEY1" "ACTIVE" "yes"
-set_keytime "KEY2" "PUBLISHED" "yes"
-set_keytime "KEY2" "ACTIVE" "yes"
 # The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
 set_keystate "KEY1" "GOAL" "omnipresent"
 set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
@@ -2866,6 +3508,15 @@ set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
 check_keys
+
+# These keys are immediately published and activated.
+Lksk=0
+Lzsk=0
+IretKSK=0
+IretZSK=0
+rollover_predecessor_keytimes 0
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2891,9 +3542,6 @@ set_zonesigning "KEY1" "yes"
 key_clear "KEY2"
 key_clear "KEY3"
 key_clear "KEY4"
-# Key timings.
-set_keytime "KEY1" "PUBLISHED" "yes"
-set_keytime "KEY1" "ACTIVE" "yes"
 # The CSK (KEY1) starts in OMNIPRESENT.
 set_keystate "KEY1" "GOAL" "omnipresent"
 set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
@@ -2902,6 +3550,13 @@ set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
 set_keystate "KEY1" "STATE_DS" "omnipresent"
 check_keys
+
+# This key is immediately published and activated.
+Lcsk=0
+IretCSK=0
+csk_rollover_predecessor_keytimes 0 0
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2938,17 +3593,11 @@ init_migration_match() {
 key_clear "KEY3"
 key_clear "KEY4"
- set_keytime "KEY1" "PUBLISHED" "yes"
- set_keytime "KEY1" "ACTIVE" "yes"
- set_keytime "KEY1" "RETIRED" "none"
 set_keystate "KEY1" "GOAL" "omnipresent"
 set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
 set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
 set_keystate "KEY1" "STATE_DS" "rumoured"
- set_keytime "KEY2" "PUBLISHED" "yes"
- set_keytime "KEY2" "ACTIVE" "yes"
- set_keytime "KEY2" "RETIRED" "none"
 set_keystate "KEY2" "GOAL" "omnipresent"
 set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
 set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
@@ -2957,6 +3606,11 @@ init_migration_match
 # Make sure the zone is signed with legacy keys.
 check_keys
+
+# These keys are immediately published and activated.
+rollover_predecessor_keytimes 0
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -2990,17 +3644,11 @@ init_migration_nomatch_algnum() {
 key_clear "KEY3"
 key_clear "KEY4"
- set_keytime "KEY1" "PUBLISHED" "yes"
- set_keytime "KEY1" "ACTIVE" "yes"
- set_keytime "KEY1" "RETIRED" "none"
 set_keystate "KEY1" "GOAL" "omnipresent"
 set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
 set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
 set_keystate "KEY1" "STATE_DS" "omnipresent"
- set_keytime "KEY2" "PUBLISHED" "yes"
- set_keytime "KEY2" "ACTIVE" "yes"
- set_keytime "KEY2" "RETIRED" "none"
 set_keystate "KEY2" "GOAL" "omnipresent"
 set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
@@ -3009,6 +3657,23 @@ init_migration_nomatch_algnum
 # Make sure the zone is signed with legacy keys.
 check_keys
+
+# The KSK is immediately published and activated.
+# -P : now-3900s
+# -P sync: now-24h
+# -A : now-3900s
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400
+# The ZSK is immediately published and activated.
+# -P: now-12h
+# -A: now-12h
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -43200
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -3042,17 +3707,11 @@ init_migration_nomatch_alglen() {
 key_clear "KEY3"
 key_clear "KEY4"
- set_keytime "KEY1" "PUBLISHED" "yes"
- set_keytime "KEY1" "ACTIVE" "yes"
- set_keytime "KEY1" "RETIRED" "none"
 set_keystate "KEY1" "GOAL" "omnipresent"
 set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
 set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
 set_keystate "KEY1" "STATE_DS" "omnipresent"
- set_keytime "KEY2" "PUBLISHED" "yes"
- set_keytime "KEY2" "ACTIVE" "yes"
- set_keytime "KEY2" "RETIRED" "none"
 set_keystate "KEY2" "GOAL" "omnipresent"
 set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
@@ -3061,6 +3720,23 @@ init_migration_nomatch_alglen
 # Make sure the zone is signed with legacy keys.
 check_keys
+
+# The KSK is immediately published and activated.
+# -P : now-3900s
+# -P sync: now-24h
+# -A : now-3900s
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -3900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400
+# The ZSK is immediately published and activated.
+# -P: now-12h
+# -A: now-12h
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -43200
+set_addkeytime "KEY2" "ACTIVE" "${created}" -43200
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -3118,13 +3794,27 @@ set_server "ns6" "10.53.0.6"
 # Key properties, timings and metadata should be the same as legacy keys above.
 # However, because the zsk has a lifetime, kasp will set the retired time.
 init_migration_match
-
 key_set "KEY1" "LEGACY" "no"
-
 key_set "KEY2" "LEGACY" "no"
-set_keytime "KEY2" "RETIRED" "yes"
 check_keys
+
+rollover_predecessor_keytimes 0
+# Key now has lifetime of 60 days (5184000 seconds).
+# The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety.
+# TTLsig: 1d (86400 seconds)
+# Dprp: 5m (300 seconds)
+# Dsgn: 9d (777600 seconds)
+# retire-safety: 1h (3600 seconds)
+# IretZSK: 10d65m (867900 seconds)
+IretZSK=867900
+Lzsk=5184000
+active=$(key_get KEY2 ACTIVE)
+set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}"
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
@@ -3147,11 +3837,9 @@ set_server "ns6" "10.53.0.6"
 init_migration_nomatch_algnum
 key_set "KEY1" "LEGACY" "no"
-set_keytime "KEY1" "RETIRED" "yes"
 set_keystate "KEY1" "GOAL" "hidden"
 key_set "KEY2" "LEGACY" "no"
-set_keytime "KEY2" "RETIRED" "yes"
 set_keystate "KEY2" "GOAL" "hidden"
 set_keyrole "KEY3" "ksk"
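Review bot: In the migration-match section, `rollover_predecessor_keytimes 0` is called before `Lzsk=5184000` is assigned, so the helper skips set_retired_removed only because Lksk and Lzsk are still 0 from the algorithm-rollover section earlier in the script; the RETIRED/REMOVED expectations for KEY2 are then computed by hand right after. That works today but ties this step to the ordering of unrelated sections and to the helper's global state. Setting the lifetimes explicitly before the call, `Lksk=0` and `Lzsk=0`, as the algorithm-rollover step does, makes the intent local to this section and survives reordering. The helper itself is defined outside this hunk.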
@@ -3166,22 +3854,82 @@ set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY4" "no" set_zonesigning "KEY4" "yes" -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" -set_keytime "KEY3" "RETIRED" "none" set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" set_keystate "KEY3" "STATE_DS" "hidden" -set_keytime "KEY4" "PUBLISHED" "yes" -set_keytime "KEY4" "ACTIVE" "yes" -set_keytime "KEY4" "RETIRED" "yes" set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "rumoured" check_keys + +# KSK must be retired since it no longer matches the policy. +# -P : now-3900s +# -P sync: now-24h +# -A : now-3900s +# The key is removed after the retire interval: +# IretKSK = TTLds + DprpP + retire_safety. +# TTLds: 2h (7200 seconds) +# Dprp: 1h (3600 seconds) +# retire-safety: 1h (3600 seconds) +# IretKSK: 4h (14400 seconds) +IretKSK=14400 +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400 +keyfile=$(key_get KEY1 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk +retired=$(awk '{print $3}' < retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" + +# ZSK must be retired since it no longer matches the policy. +# -P: now-12h +# -A: now-12h +# The key is removed after the retire interval: +# IretZSK = TTLsig + Dprp + Dsgn + retire-safety. 
+# TTLsig: 11h (39600 seconds) +# Dprp: 1h (3600 seconds) +# Dsgn: 9d (777600 seconds) +# retire-safety: 1h (3600 seconds) +# IretZSK: 9d13h (824400 seconds) +IretZSK=824400 +Lzsk=5184000 +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -43200 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +keyfile=$(key_get KEY2 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk +retired=$(awk '{print $3}' < retired.test${n}.zsk) +set_keytime "KEY2" "RETIRED" "${retired}" +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" + +# The new KSK is immediately published and activated. +created=$(key_get KEY3 CREATED) +set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "ACTIVE" "${created}" +# It takes TTLsig + Dprp + publish-safety hours to propagate +# the zone. +# TTLsig: 11h (39600 seconds) +# Dprp: 1h (3600 seconds) +# publish-safety: 1h (3600 seconds) +# Ipub: 13h (46800 seconds) +Ipub=46800 +set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" + +# The ZSK is immediately published and activated. +created=$(key_get KEY4 CREATED) +set_keytime "KEY4" "PUBLISHED" "${created}" +set_keytime "KEY4" "ACTIVE" "${created}" +active=$(key_get KEY4 ACTIVE) +set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" +retired=$(key_get KEY4 RETIRED) +set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" +check_keytimes + check_apex check_subdomain dnssec_verify @@ -3204,11 +3952,9 @@ set_server "ns6" "10.53.0.6" init_migration_nomatch_alglen key_set "KEY1" "LEGACY" "no" -set_keytime "KEY1" "RETIRED" "yes" set_keystate "KEY1" "GOAL" "hidden" key_set "KEY2" "LEGACY" "no" -set_keytime "KEY2" "RETIRED" "yes" set_keystate "KEY2" "GOAL" "hidden" set_keyrole "KEY3" "ksk" 
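Review bot: The `retired=$(awk '{print $3}' < retired.test${n}.ksk)` line (and its ZSK twin) has no fallback when `grep "; Inactive:"` matches nothing, so `retired` is empty and `set_keytime "KEY1" "RETIRED" ""` plus the `set_addkeytime … "REMOVED" "${retired}" …` arithmetic run on an empty string; whether check_keytimes then reports this as a clear failure depends on helpers defined outside the hunk. A one-line guard such as `test -n "${retired}" || { echo_i "no Inactive time in ${keyfile}.key"; ret=1; }` right after the awk would make the failure mode explicit. The same grep/awk pattern recurs in the `@@ -3224`, `@@ -3291` and `@@ -3499` hunks and would benefit from the same guard. The comment block mixes `DprpP` in the formula with `Dprp:` in the breakdown; using one spelling avoids suggesting two different delays.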
@@ -3224,22 +3970,82 @@ set_keysigning "KEY4" "no" # This key is considered to be prepublished, so it is not yet signing. set_zonesigning "KEY4" "no" -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" -set_keytime "KEY3" "RETIRED" "none" set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" set_keystate "KEY3" "STATE_DS" "hidden" -set_keytime "KEY4" "PUBLISHED" "yes" -set_keytime "KEY4" "ACTIVE" "yes" -set_keytime "KEY4" "RETIRED" "yes" set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "hidden" check_keys + +# KSK must be retired since it no longer matches the policy. +# -P : now-3900s +# -P sync: now-24h +# -A : now-3900s +# The key is removed after the retire interval: +# IretKSK = TTLds + DprpP + retire_safety. +# TTLds: 2h (7200 seconds) +# Dprp: 1h (3600 seconds) +# retire-safety: 1h (3600 seconds) +# IretKSK: 4h (14400 seconds) +IretKSK=14400 +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400 +keyfile=$(key_get KEY1 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk +retired=$(awk '{print $3}' < retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" + +# ZSK must be retired since it no longer matches the policy. +# -P: now-12h +# -A: now-12h +# The key is removed after the retire interval: +# IretZSK = TTLsig + Dprp + Dsgn + retire-safety. 
+# TTLsig: 11h (39600 seconds) +# Dprp: 1h (3600 seconds) +# Dsgn: 9d (777600 seconds) +# publish-safety: 1h (3600 seconds) +# IretZSK: 9d13h (824400 seconds) +IretZSK=824400 +Lzsk=5184000 +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -43200 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +keyfile=$(key_get KEY2 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk +retired=$(awk '{print $3}' < retired.test${n}.zsk) +set_keytime "KEY2" "RETIRED" "${retired}" +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" + +# The new KSK is immediately published and activated. +created=$(key_get KEY3 CREATED) +set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "ACTIVE" "${created}" +# It takes TTLsig + Dprp + publish-safety hours to propagate +# the zone. +# TTLsig: 11h (39600 seconds) +# Dprp: 1h (3600 seconds) +# publish-safety: 1h (3600 seconds) +# Ipub: 13h (46800 seconds) +Ipub=46800 +set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" + +# The ZSK is immediately published and activated. +created=$(key_get KEY4 CREATED) +set_keytime "KEY4" "PUBLISHED" "${created}" +set_keytime "KEY4" "ACTIVE" "${created}" +active=$(key_get KEY4 ACTIVE) +set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" +retired=$(key_get KEY4 RETIRED) +set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" +check_keytimes + check_apex check_subdomain dnssec_verify @@ -3256,6 +4062,12 @@ status=$((status+ret)) # Testing KSK/ZSK algorithm rollover. # +# Policy parameters. +# Lksk: unlimited +# Lzsk: unlimited +Lksk=0 +Lzsk=0 + # # Zone: step1.algorithm-roll.kasp # 
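Review bot: The IretZSK breakdown in this hunk lists `# publish-safety: 1h (3600 seconds)` although the formula directly above it is `IretZSK = TTLsig + Dprp + Dsgn + retire-safety` and the identical block in the preceding nomatch_algnum step labels that term retire-safety. The summed value 824400 is correct either way, so only the label needs fixing: `# retire-safety: 1h (3600 seconds)`.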
@@ -3291,35 +4103,77 @@ set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY4" "no" set_zonesigning "KEY4" "yes" # The RSAHSHA1 keys are outroducing. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "yes" set_keystate "KEY1" "GOAL" "hidden" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_DS" "omnipresent" - -set_keytime "KEY2" "PUBLISHED" "yes" -set_keytime "KEY2" "ACTIVE" "yes" -set_keytime "KEY2" "RETIRED" "yes" set_keystate "KEY2" "GOAL" "hidden" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" + # The ECDSAP256SHA256 keys are introducing. -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" set_keystate "KEY3" "STATE_DS" "hidden" - -set_keytime "KEY4" "PUBLISHED" "yes" -set_keytime "KEY4" "ACTIVE" "yes" set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "rumoured" check_keys + +# The old keys are published and activated. +rollover_predecessor_keytimes 0 + +# KSK must be retired since it no longer matches the policy. +keyfile=$(key_get KEY1 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk +retired=$(awk '{print $3}' < retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" +# The key is removed after the retire interval: +# IretKSK = TTLds + DprpP + retire-safety +# TTLds: 2h (7200 seconds) +# DprpP: 1h (3600 seconds) +# retire-safety: 2h (7200 seconds) +# IretKSK: 5h (18000 seconds) +IretKSK=18000 +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" + +# ZSK must be retired since it no longer matches the policy. 
+keyfile=$(key_get KEY2 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk +retired=$(awk '{print $3}' < retired.test${n}.zsk) +set_keytime "KEY2" "RETIRED" "${retired}" +# The key is removed after the retire interval: +# IretZSK = TTLsig + Dprp + Dsgn + retire-safety +# TTLsig: 6h (21600 seconds) +# Dprp: 1h (3600 seconds) +# Dsgn: 25d (2160000 seconds) +# retire-safety: 2h (7200 seconds) +# IretZSK: 25d9h (2192400 seconds) +IretZSK=2192400 +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" + +# The new KSK is published and activated. +created=$(key_get KEY3 CREATED) +set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "ACTIVE" "${created}" +# It takes TTLsig + Dprp + publish-safety hours to propagate +# the zone. +# TTLsig: 6h (39600 seconds) +# Dprp: 1h (3600 seconds) +# publish-safety: 1h (3600 seconds) +# Ipub: 8h (28800 seconds) +Ipub=28800 +set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" + +# The new ZSK is published and activated. +created=$(key_get KEY4 CREATED) +set_keytime "KEY4" "PUBLISHED" "${created}" +set_keytime "KEY4" "ACTIVE" "${created}" + +check_keytimes + check_apex check_subdomain dnssec_verify 
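Review bot: In the Ipub breakdown for KEY3 the line `# TTLsig: 6h (39600 seconds)` is internally inconsistent: 6h is 21600 seconds, and 21600 + 3600 + 3600 is the 28800 that `Ipub=28800` uses, whereas 39600 would give 46800. Change it to `# TTLsig: 6h (21600 seconds)`; the same wrong line is copied into the CSK step1 hunk (`@@ -3499`) and should be fixed there too. Only the comments are affected, the assigned values are right.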
@@ -3346,6 +4200,33 @@ set_keystate "KEY3" "STATE_KRRSIG" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "omnipresent" check_keys + +# The old keys were activated three hours ago (10800 seconds). +rollover_predecessor_keytimes -10800 + +# KSK must be retired since it no longer matches the policy. +created=$(key_get KEY1 CREATED) +set_keytime "KEY1" "RETIRED" "${created}" +set_addkeytime "KEY1" "REMOVED" "${created}" "${IretKSK}" + +# ZSK must be retired since it no longer matches the policy. +created=$(key_get KEY2 CREATED) +set_keytime "KEY2" "RETIRED" "${created}" +set_addkeytime "KEY2" "REMOVED" "${created}" "${IretZSK}" + +# The new keys are published 3 hours ago. +created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -10800 +set_addkeytime "KEY3" "ACTIVE" "${created}" -10800 +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${Ipub}" + +created=$(key_get KEY4 CREATED) +set_addkeytime "KEY4" "PUBLISHED" "${created}" -10800 +set_addkeytime "KEY4" "ACTIVE" "${created}" -10800 + +check_keytimes + check_apex check_subdomain dnssec_verify 
@@ -3374,6 +4255,34 @@ set_keystate "KEY3" "STATE_DS" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent" check_keys + +# The old keys were activated 9 hours ago (32400 seconds) +# and retired 6 hours ago (21600 seconds). +rollover_predecessor_keytimes -32400 + +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -21600 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" + +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "RETIRED" "${created}" -21600 +retired=$(key_get KEY2 RETIRED) +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" + +# The new keys are published 9 hours ago. +created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400 +set_addkeytime "KEY3" "ACTIVE" "${created}" -32400 +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} + +created=$(key_get KEY4 CREATED) +set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400 +set_addkeytime "KEY4" "ACTIVE" "${created}" -32400 + +check_keytimes + check_apex check_subdomain dnssec_verify 
@@ -3403,6 +4312,34 @@ set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" set_keystate "KEY3" "STATE_DS" "omnipresent" check_keys + +# The old keys were activated 38 hours ago (136800 seconds) +# and retired 35 hours ago (126000 seconds). +rollover_predecessor_keytimes -136800 + +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -126000 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" + +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "RETIRED" "${created}" -126000 +retired=$(key_get KEY2 RETIRED) +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" + +# The new keys are published 38 hours ago. +created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800 +set_addkeytime "KEY3" "ACTIVE" "${created}" -136800 +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} + +created=$(key_get KEY4 CREATED) +set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800 +set_addkeytime "KEY4" "ACTIVE" "${created}" -136800 + +check_keytimes + check_apex check_subdomain dnssec_verify 
@@ -3423,6 +4360,34 @@ set_keystate "KEY1" "STATE_KRRSIG" "hidden" set_keystate "KEY2" "STATE_DNSKEY" "hidden" check_keys + +# The old keys were activated 40 hours ago (144000 seconds) +# and retired 35 hours ago (133200 seconds). +rollover_predecessor_keytimes -144000 + +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -133200 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" + +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "RETIRED" "${created}" -133200 +retired=$(key_get KEY2 RETIRED) +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" + +# The new keys are published 40 hours ago. +created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000 +set_addkeytime "KEY3" "ACTIVE" "${created}" -144000 +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} + +created=$(key_get KEY4 CREATED) +set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000 +set_addkeytime "KEY4" "ACTIVE" "${created}" -144000 + +check_keytimes + check_apex check_subdomain dnssec_verify 
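Review bot: The header comment says the old keys were `retired 35 hours ago (133200 seconds)`, but 133200 seconds is 37 hours, which is also what the CSK counterpart of this step says; the code uses the seconds value, so only the comment is wrong and should read `# and retired 37 hours ago (133200 seconds).` The same hours/seconds mismatch appears in the `@@ -3446` hunk (`34 hours ago (158400 seconds)` is 44 hours, as its CSK twin states) and in the `@@ -3552` hunk (`activated 9 hours ago (10800 seconds)` should be 32400 seconds, matching the `-32400` passed on the next lines). Keeping the prose and the constants in agreement matters here because these comments are the only place the expected timeline is spelled out for the reader.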
@@ -3446,6 +4411,34 @@ set_server "ns6" "10.53.0.6" set_keystate "KEY2" "STATE_ZRRSIG" "hidden" check_keys + +# The old keys were activated 47 hours ago (169200 seconds) +# and retired 34 hours ago (158400 seconds). +rollover_predecessor_keytimes -169200 + +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -158400 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" + +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "RETIRED" "${created}" -158400 +retired=$(key_get KEY2 RETIRED) +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" + +# The new keys are published 47 hours ago. +created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200 +set_addkeytime "KEY3" "ACTIVE" "${created}" -169200 +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} + +created=$(key_get KEY4 CREATED) +set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200 +set_addkeytime "KEY4" "ACTIVE" "${created}" -169200 + +check_keytimes + check_apex check_subdomain dnssec_verify @@ -3458,6 +4451,10 @@ check_next_key_event 3600 # Testing CSK algorithm rollover. # +# Policy parameters. +# Lcsk: unlimited +Lcksk=0 + # # Zone: step1.csk-algorithm-roll.kasp # @@ -3481,17 +4478,12 @@ set_zonesigning "KEY2" "yes" key_clear "KEY3" key_clear "KEY4" # The RSAHSHA1 key is outroducing. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "yes" set_keystate "KEY1" "GOAL" "hidden" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" set_keystate "KEY1" "STATE_DS" "omnipresent" # The ECDSAP256SHA256 key is introducing. -set_keytime "KEY2" "PUBLISHED" "yes" -set_keytime "KEY2" "ACTIVE" "yes" set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_KRRSIG" "rumoured" 
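Review bot: The policy-parameter block for the CSK algorithm rollover introduces `Lcksk=0` under the comment `# Lcsk: unlimited`, which looks like a typo for `Lcsk=0` and does not follow the `Lksk`/`Lzsk` naming used by the sibling block in the `@@ -3256` hunk. If nothing in the later CSK steps reads `Lcksk` the mistake is currently harmless, but a future `${Lcsk}` reference would silently expand to an empty string in the set_addkeytime arithmetic; renaming it now avoids that.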
@@ -3499,6 +4491,38 @@ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" set_keystate "KEY2" "STATE_DS" "hidden" check_keys + +# CSK must be retired since it no longer matches the policy. +csk_rollover_predecessor_keytimes 0 0 +keyfile=$(key_get KEY1 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk +retired=$(awk '{print $3}' < retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" +# The key is removed after the retire interval: +# IretZSK = TTLsig + Dprp + Dsgn + retire-safety +# TTLsig: 6h (21600 seconds) +# Dprp: 1h (3600 seconds) +# Dsgn: 25d (2160000 seconds) +# retire-safety: 2h (7200 seconds) +# IretZSK: 25d9h (2192400 seconds) +IretCSK=2192400 +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" + +# The new CSK is published and activated. +created=$(key_get KEY2 CREATED) +set_keytime "KEY2" "PUBLISHED" "${created}" +set_keytime "KEY2" "ACTIVE" "${created}" +# It takes TTLsig + Dprp + publish-safety hours to propagate +# the zone. +# TTLsig: 6h (39600 seconds) +# Dprp: 1h (3600 seconds) +# publish-safety: 1h (3600 seconds) +# Ipub: 8h (28800 seconds) +Ipub=28800 +set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" + +check_keytimes + check_apex check_subdomain dnssec_verify 
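Review bot: The retire-interval comment in this hunk is headed `# IretZSK = TTLsig + Dprp + Dsgn + retire-safety` and ends with `# IretZSK: 25d9h (2192400 seconds)`, yet the variable assigned is `IretCSK=2192400`; since a CSK is retired on its ZSK side this is presumably intentional, but the label should say so, e.g. `# IretCSK (same as IretZSK): 25d9h (2192400 seconds)`. The CSK steps that follow all key off `${IretCSK}`, so the naming is what a reader has to match up.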
@@ -3524,6 +4548,24 @@ set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" check_keys + +# The old key was activated three hours ago (10800 seconds). +csk_rollover_predecessor_keytimes -10800 -10800 + +# CSK must be retired since it no longer matches the policy. +created=$(key_get KEY1 CREATED) +set_keytime "KEY1" "RETIRED" "${created}" +set_addkeytime "KEY1" "REMOVED" "${created}" "${IretCSK}" + +# The new key was published 3 hours ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -10800 +set_addkeytime "KEY2" "ACTIVE" "${created}" -10800 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" + +check_keytimes + check_apex check_subdomain dnssec_verify @@ -3552,6 +4594,24 @@ set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" set_keystate "KEY2" "STATE_DS" "rumoured" check_keys + +# The old key was activated 9 hours ago (10800 seconds) +# and retired 6 hours ago (21600 seconds). +csk_rollover_predecessor_keytimes -32400 -32400 +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -21600 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" + +# The new key was published 9 hours ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400 +set_addkeytime "KEY2" "ACTIVE" "${created}" -32400 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" + +check_keytimes + check_apex check_subdomain dnssec_verify 
@@ -3578,6 +4638,24 @@ set_keystate "KEY1" "STATE_DS" "hidden" set_keystate "KEY2" "STATE_DS" "omnipresent" check_keys + +# The old key was activated 38 hours ago (136800 seconds) +# and retired 35 hours ago (126000 seconds). +csk_rollover_predecessor_keytimes -136800 -136800 +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -126000 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" + +# The new key was published 38 hours ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800 +set_addkeytime "KEY2" "ACTIVE" "${created}" -136800 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} + +check_keytimes + check_apex check_subdomain dnssec_verify @@ -3597,6 +4675,24 @@ set_keystate "KEY1" "STATE_DNSKEY" "hidden" set_keystate "KEY1" "STATE_KRRSIG" "hidden" check_keys + +# The old key was activated 40 hours ago (144000 seconds) +# and retired 37 hours ago (133200 seconds). +csk_rollover_predecessor_keytimes -144000 -144000 +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -133200 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" + +# The new key was published 40 hours ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000 +set_addkeytime "KEY2" "ACTIVE" "${created}" -144000 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} + +check_keytimes + check_apex check_subdomain dnssec_verify 
@@ -3620,6 +4716,24 @@ set_server "ns6" "10.53.0.6" set_keystate "KEY1" "STATE_ZRRSIG" "hidden" check_keys + +# The old keys were activated 47 hours ago (169200 seconds) +# and retired 44 hours ago (158400 seconds). +csk_rollover_predecessor_keytimes -169200 -169200 +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -158400 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" + +# The new key was published 47 hours ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200 +set_addkeytime "KEY2" "ACTIVE" "${created}" -169200 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} + +check_keytimes + check_apex check_subdomain dnssec_verify diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 7e297ab976..65afc771d3 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -2021,6 +2021,8 @@ write_key_state(const dst_key_t *key, int type, const char *directory) { printtime(key, DST_TIME_INACTIVE, "Retired", fp); printtime(key, DST_TIME_REVOKE, "Revoked", fp); printtime(key, DST_TIME_DELETE, "Removed", fp); + printtime(key, DST_TIME_SYNCPUBLISH, "PublishCDS", fp); + printtime(key, DST_TIME_SYNCDELETE, "DeleteCDS", fp); printtime(key, DST_TIME_DNSKEY, "DNSKEYChange", fp); printtime(key, DST_TIME_ZRRSIG, "ZRRSIGChange", fp); diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c index efa07f4330..9a5480e24c 100644 --- a/lib/dns/keymgr.c +++ b/lib/dns/keymgr.c 
@@ -88,12 +88,95 @@ keymgr_keyrole(dst_key_t *key) { return ("NOSIGN"); } +/* + * Set the remove time on key given its retire time. + * + */ +static void +keymgr_settime_remove(dns_dnsseckey_t *key, dns_kasp_t *kasp) { + isc_stdtime_t retire = 0, remove = 0, ksk_remove = 0, zsk_remove = 0; + bool zsk = false, ksk = false; + isc_result_t ret; + + REQUIRE(key != NULL); + REQUIRE(key->key != NULL); + + ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire); + if (ret != ISC_R_SUCCESS) { + return; + } + + ret = dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk); + if (ret == ISC_R_SUCCESS && zsk) { + /* ZSK: Iret = Dsgn + Dprp + TTLsig */ + zsk_remove = retire + dns_kasp_zonemaxttl(kasp) + + dns_kasp_zonepropagationdelay(kasp) + + dns_kasp_retiresafety(kasp) + + dns_kasp_signdelay(kasp); + } + ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk); + if (ret == ISC_R_SUCCESS && ksk) { + /* KSK: Iret = DprpP + TTLds */ + ksk_remove = retire + dns_kasp_dsttl(kasp) + + dns_kasp_parentpropagationdelay(kasp) + + dns_kasp_retiresafety(kasp); + } + if (zsk && ksk) { + ksk_remove += dns_kasp_parentregistrationdelay(kasp); + } + + remove = ksk_remove > zsk_remove ? ksk_remove : zsk_remove; + dst_key_settime(key->key, DST_TIME_DELETE, remove); +} + +/* + * Set the SyncPublish time (when the DS may be submitted to the parent) + * + */ +static void +keymgr_settime_syncpublish(dns_dnsseckey_t *key, dns_kasp_t *kasp, bool first) { + isc_stdtime_t published, syncpublish; + bool ksk = false; + isc_result_t ret; + + REQUIRE(key != NULL); + REQUIRE(key->key != NULL); + + ret = dst_key_gettime(key->key, DST_TIME_PUBLISH, &published); + if (ret != ISC_R_SUCCESS) { + return; + } + + ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk); + if (ret != ISC_R_SUCCESS || !ksk) { + return; + } + + syncpublish = published + dst_key_getttl(key->key) + + dns_kasp_zonepropagationdelay(kasp) + + dns_kasp_publishsafety(kasp); + if (first) { + /* Also need to wait until the signatures are omnipresent. 
*/ + isc_stdtime_t zrrsig_present; + zrrsig_present = published + dns_kasp_zonemaxttl(kasp) + + dns_kasp_zonepropagationdelay(kasp) + + dns_kasp_publishsafety(kasp); + if (zrrsig_present > syncpublish) { + syncpublish = zrrsig_present; + } + } + dst_key_settime(key->key, DST_TIME_SYNCPUBLISH, syncpublish); +} + /* * Calculate prepublication time of a successor key of 'key'. * This function can have side effects: - * If the lifetime is not set, it will be set now. - * If there should be a retire time and it is not set, it will be set now. - * If there is no active time set, which would be super weird, set it now. + * 1. If there is no active time set, which would be super weird, set it now. + * 2. If there is no published time set, also super weird, set it now. + * 3. If there is no syncpublished time set, set it now. + * 4. If the lifetime is not set, it will be set now. + * 5. If there should be a retire time and it is not set, it will be set now. + * 6. The removed time is adjusted accordingly. * * This returns when the successor key needs to be published in the zone. * A special value of 0 means there is no need for a successor. 
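Review bot: In keymgr_settime_remove the local `remove` shadows the C library function of the same name (`remove(const char *)` from stdio.h, which is almost certainly in scope in keymgr.c through the ISC headers), so -Wshadow will flag it; a name such as `removetime` reads better in `removetime = ksk_remove > zsk_remove ? ksk_remove : zsk_remove;` anyway. The inline formulas understate what the code computes: `/* ZSK: Iret = Dsgn + Dprp + TTLsig */` and `/* KSK: Iret = DprpP + TTLds */` both omit the retire-safety term that is added on the next lines, so they should read `/* ZSK: Iret = Dsgn + Dprp + TTLsig + retire-safety */` and `/* KSK: Iret = DprpP + TTLds + retire-safety */`. When neither DST_BOOL_ZSK nor DST_BOOL_KSK is set, or both lookups fail, both candidates stay 0 and DST_TIME_DELETE is written as 0 instead of being left alone; if such keys can reach this function an early `if (!zsk && !ksk) { return; }` before the max would avoid clobbering an existing remove time.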
@@ -104,40 +187,80 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp, uint32_t lifetime, isc_stdtime_t now) { isc_result_t ret; isc_stdtime_t active, retire, pub, prepub; - bool ksk = false; + bool zsk = false, ksk = false; REQUIRE(key != NULL); REQUIRE(key->key != NULL); active = 0; + pub = 0; retire = 0; + + /* + * An active key must have publish and activate timing + * metadata. + */ + ret = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active); + if (ret != ISC_R_SUCCESS) { + /* Super weird, but if it happens, set it to now. */ + dst_key_settime(key->key, DST_TIME_ACTIVATE, now); + active = now; + } + ret = dst_key_gettime(key->key, DST_TIME_PUBLISH, &pub); + if (ret != ISC_R_SUCCESS) { + /* Super weird, but if it happens, set it to now. */ + dst_key_settime(key->key, DST_TIME_PUBLISH, now); + pub = now; + } + + /* + * Calculate prepublication time. + */ prepub = dst_key_getttl(key->key) + dns_kasp_publishsafety(kasp) + dns_kasp_zonepropagationdelay(kasp); ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk); if (ret == ISC_R_SUCCESS && ksk) { - /* Add registration delay to the prepublication time. */ + isc_stdtime_t syncpub; + + /* + * Set PublishCDS if not set. + */ + ret = dst_key_gettime(key->key, DST_TIME_SYNCPUBLISH, &syncpub); + if (ret != ISC_R_SUCCESS) { + uint32_t tag; + isc_stdtime_t syncpub1, syncpub2; + + syncpub1 = pub + prepub; + syncpub2 = 0; + ret = dst_key_getnum(key->key, DST_NUM_PREDECESSOR, + &tag); + if (ret != ISC_R_SUCCESS) { + /* + * No predecessor, wait for zone to be + * completely signed. + */ + syncpub2 = pub + dns_kasp_zonemaxttl(kasp) + + dns_kasp_publishsafety(kasp) + + dns_kasp_zonepropagationdelay(kasp); + } + + syncpub = syncpub1 > syncpub2 ? syncpub1 : syncpub2; + dst_key_settime(key->key, DST_TIME_SYNCPUBLISH, + syncpub); + } + } + + (void)dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk); + if (!zsk && ksk) { + /* + * Include registration delay in prepublication time. 
+ */ prepub += dns_kasp_parentregistrationdelay(kasp); } ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire); if (ret != ISC_R_SUCCESS) { uint32_t klifetime = 0; - /* - * An active key must have publish and activate timing - * metadata. - */ - ret = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active); - if (ret != ISC_R_SUCCESS) { - /* Super weird, but if it happens, set it to now. */ - dst_key_settime(key->key, DST_TIME_ACTIVATE, now); - active = now; - } - ret = dst_key_gettime(key->key, DST_TIME_PUBLISH, &pub); - if (ret != ISC_R_SUCCESS) { - /* Super weird, but if it happens, set it to now. */ - dst_key_settime(key->key, DST_TIME_PUBLISH, now); - pub = now; - } ret = dst_key_getnum(key->key, DST_NUM_LIFETIME, &klifetime); if (ret != ISC_R_SUCCESS) { @@ -156,6 +279,11 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp, dst_key_settime(key->key, DST_TIME_INACTIVE, retire); } + /* + * Update remove time. + */ + keymgr_settime_remove(key, kasp); + /* * Publish successor 'prepub' time before the 'retire' time of 'key'. */ @@ -163,8 +291,10 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp, } static void -keymgr_key_retire(dns_dnsseckey_t *key, isc_stdtime_t now) { +keymgr_key_retire(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now) { char keystr[DST_KEY_FORMATSIZE]; + isc_result_t ret; + isc_stdtime_t retire; dst_key_state_t s; bool ksk, zsk; @@ -172,8 +302,12 @@ keymgr_key_retire(dns_dnsseckey_t *key, isc_stdtime_t now) { REQUIRE(key->key != NULL); /* This key wants to retire and hide in a corner. */ - dst_key_settime(key->key, DST_TIME_INACTIVE, now); + ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire); + if (ret != ISC_R_SUCCESS || (retire > now)) { + dst_key_settime(key->key, DST_TIME_INACTIVE, now); + } dst_key_setstate(key->key, DST_KEY_GOAL, HIDDEN); + keymgr_settime_remove(key, kasp); /* This key may not have key states set yet. Pretend as if they are * in the OMNIPRESENT state. 
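Review bot: The rewritten header comment lists `3. If there is no syncpublished time set, set it now.` as an unconditional side effect, but the code only sets DST_TIME_SYNCPUBLISH inside the `if (ret == ISC_R_SUCCESS && ksk)` branch, so a ZSK never gets one here; `3. If this is a KSK and there is no syncpublished time set, set it now.` matches the implementation. The new `if (!zsk && ksk)` guard silently drops the parent registration delay for a combined KSK/ZSK key, and the comment `Include registration delay in prepublication time.` does not say why a CSK is excluded; a short note such as `(KSK only: a CSK's prepublication is governed by its zone-signing role)` would save the next reader from assuming the condition is a typo, assuming that is indeed the rationale. keymgr_prepublication_time continues past the end of the hunk.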
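Review bot: In keymgr_key_retire the new `isc_stdtime_t retire;` is left uninitialised and is only safe because `ret != ISC_R_SUCCESS ||` short-circuits before `(retire > now)` is evaluated; `isc_stdtime_t retire = 0;` costs nothing, mirrors the style of keymgr_settime_remove above, and keeps -Wmaybe-uninitialized quiet across compilers that do not see through the short-circuit. The behavioural change here, keeping an existing retire time that is already in the past instead of overwriting it with now, deserves a one-line comment since the old code unconditionally reset it.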
@@ -1013,11 +1147,16 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type, dns_kasp_retiresafety(kasp); /* * Only add the sign delay Dsgn if there is an actual - * predecessor key. + * predecessor or successor key. */ - uint32_t pre; - if (dst_key_getnum(key->key, DST_NUM_PREDECESSOR, - &pre) == ISC_R_SUCCESS) { + uint32_t tag; + ret = dst_key_getnum(key->key, DST_NUM_PREDECESSOR, + &tag); + if (ret != ISC_R_SUCCESS) { + ret = dst_key_getnum(key->key, + DST_NUM_SUCCESSOR, &tag); + } + if (ret == ISC_R_SUCCESS) { nexttime += dns_kasp_signdelay(kasp); } break; @@ -1373,7 +1512,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass, /* No match, so retire unwanted retire key. */ if (!found_match) { - keymgr_key_retire(dkey, now); + keymgr_key_retire(dkey, kasp, now); } } @@ -1428,7 +1567,8 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass, * the kasp key configuration. * Retire excess keys in use. */ - keymgr_key_retire(dkey, now); + keymgr_key_retire(dkey, kasp, + now); } continue; } @@ -1537,8 +1677,8 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass, keymgr_key_init(newkey, kasp, now); } else { newkey = candidate; - dst_key_setnum(newkey->key, DST_NUM_LIFETIME, lifetime); } + dst_key_setnum(newkey->key, DST_NUM_LIFETIME, lifetime); /* Got a key. */ if (active_key == NULL) { 
@@ -1548,30 +1688,50 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass, */ dst_key_settime(newkey->key, DST_TIME_PUBLISH, now); dst_key_settime(newkey->key, DST_TIME_ACTIVATE, now); + keymgr_settime_syncpublish(newkey, kasp, true); active = now; } else { /* * This is a successor. Mark the relationship. */ + isc_stdtime_t created; + (void)dst_key_gettime(newkey->key, DST_TIME_CREATED, + &created); + dst_key_setnum(newkey->key, DST_NUM_PREDECESSOR, dst_key_id(active_key->key)); dst_key_setnum(active_key->key, DST_NUM_SUCCESSOR, dst_key_id(newkey->key)); (void)dst_key_gettime(active_key->key, DST_TIME_INACTIVE, &retire); - dst_key_settime(newkey->key, DST_TIME_PUBLISH, prepub); - dst_key_settime(newkey->key, DST_TIME_ACTIVATE, retire); active = retire; + + /* + * If prepublication time and/or retire time are + * in the past (before the new key was created), use + * creation time as published and active time, + * effectively immediately making the key active. + */ + if (prepub < created) { + active += (created - prepub); + prepub = created; + } + if (active < created) { + active = created; + } + dst_key_settime(newkey->key, DST_TIME_PUBLISH, prepub); + dst_key_settime(newkey->key, DST_TIME_ACTIVATE, active); + keymgr_settime_syncpublish(newkey, kasp, false); } /* This key wants to be present. */ dst_key_setstate(newkey->key, DST_KEY_GOAL, OMNIPRESENT); /* Do we need to set retire time? */ - (void)dst_key_getnum(newkey->key, DST_NUM_LIFETIME, &lifetime); if (lifetime > 0) { dst_key_settime(newkey->key, DST_TIME_INACTIVE, (active + lifetime)); + keymgr_settime_remove(newkey, kasp); } /* Append dnsseckey to list of new keys. */
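Review bot: `isc_stdtime_t created;` is declared without an initializer and the result of `dst_key_gettime(newkey->key, DST_TIME_CREATED, &created)` is discarded, so if that lookup fails the comparisons `if (prepub < created)` and `if (active < created)` read an indeterminate value and can shift the successor's publish and activate times by an arbitrary amount. Writing `isc_stdtime_t created = 0;` makes a failed lookup a no-op, since neither comparison can then be true for an unsigned time; checking the return value and skipping the clamp entirely would be the stricter variant. The enclosing function dns_keymgr_run starts and ends outside the hunk.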