From 1c216317308a43fa198b6630c7f9b7ebbb00f915 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 28 Apr 2020 14:32:57 +0200 Subject: [PATCH 01/17] keygen -k: allow to set times, not genonly For testing purposes mainly, we want to allow set keytimings on generated keys, such that we don't have to "keygen/settime" which can result in one second off times. --- bin/dnssec/dnssec-keygen.c | 11 ----------- bin/tests/system/kasp/ns3/setup.sh | 4 ++-- 2 files changed, 2 insertions(+), 13 deletions(-) diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c index 65823b1cd3..996b3ac6a6 100644 --- a/bin/dnssec/dnssec-keygen.c +++ b/bin/dnssec/dnssec-keygen.c @@ -1223,18 +1223,7 @@ main(int argc, char **argv) { fatal("-k and -3 cannot be used together"); } - if (ctx.setpub || ctx.setact || ctx.setrev || ctx.setinact || - ctx.setdel || ctx.unsetpub || ctx.unsetact || - ctx.unsetrev || ctx.unsetinact || ctx.unsetdel || - ctx.setsyncadd || ctx.setsyncdel) - { - fatal("cannot use -k together with " - "-P, -A, -R, -I, or -D options " - "(use dnssec-settime on keys afterwards)"); - } - ctx.options |= DST_TYPE_STATE; - ctx.genonly = true; if (strcmp(ctx.policy, "default") == 0) { ctx.use_nsec3 = false; diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index 3549933642..6fc5c07a17 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh @@ -71,8 +71,8 @@ $KEYGEN -a RSASHA1 -b 2000 -L 1234 $zone > keygen.out.$zone.1 2>&1 $KEYGEN -a RSASHA1 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1 zone="pregenerated.kasp" -$KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1 -$KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1 +$KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1 +$KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1 zone="rumoured.kasp" Tpub="now" 
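Review bot: Dropping `ctx.genonly = true;` changes the default for every existing `-k` invocation, not only for tests: a policy-driven key that used to be generated without timing metadata now receives whatever default publish/activate times the rest of main() applies unless the caller also passes `-G`, which is exactly what the setup.sh hunk in this same patch has to add. If that is intended, it deserves a sentence in the commit message and in the dnssec-keygen manual entry for `-k` (which presumably still says the timing options cannot be combined with it, as the removed fatal() text did), since scripts relying on the old behaviour will silently get Publish/Activate set. A short comment where the guard was removed, `/* Timing options are permitted with -k; the policy only supplies defaults. */`, would keep the next reader from reintroducing it. main() continues outside the hunk.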
From 18dc27afd39c6a0e2247c8dab8791309286d5c85 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Tue, 28 Apr 2020 15:05:43 +0200 Subject: [PATCH 02/17] Set keytimes appropriately when using kasp While kasp relies on key states to determine when a key needs to be published or be used for signing, the keytimes are used by operators to get some expectation of key publication and usage. Update the code such that these keytimes are set appropriately. That means: - Print "PublishCDS" and "DeleteCDS" times in the state files. - The keymgr sets the "Removed" and "PublishCDS" times and derives those from the dnssec-policy. - Tweak setting of the "Retired" time, when retiring keys, only update the time to now when the retire time is not yet set, or is in the future. This also fixes a bug in "keymgr_transition_time" where we may wait too long before zone signatrues become omnipresent or hidden. Not only can we skip waiting the sign delay Dsgn if there is no predecessor, we can also skip it if there is no successor. Finally, this commit moves setting the lifetime, reducing two calls to one. --- lib/dns/dst_api.c | 2 + lib/dns/keymgr.c | 141 +++++++++++++++++++++++++++++++++++++++++----- 2 files changed, 130 insertions(+), 13 deletions(-) diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c index 7e297ab976..65afc771d3 100644 --- a/lib/dns/dst_api.c +++ b/lib/dns/dst_api.c @@ -2021,6 +2021,8 @@ write_key_state(const dst_key_t *key, int type, const char *directory) { printtime(key, DST_TIME_INACTIVE, "Retired", fp); printtime(key, DST_TIME_REVOKE, "Revoked", fp); printtime(key, DST_TIME_DELETE, "Removed", fp); + printtime(key, DST_TIME_SYNCPUBLISH, "PublishCDS", fp); + printtime(key, DST_TIME_SYNCDELETE, "DeleteCDS", fp); printtime(key, DST_TIME_DNSKEY, "DNSKEYChange", fp); printtime(key, DST_TIME_ZRRSIG, "ZRRSIGChange", fp); diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c index efa07f4330..d749650085 100644 --- a/lib/dns/keymgr.c +++ b/lib/dns/keymgr.c 
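Review bot: write_key_state() now emits `PublishCDS` and `DeleteCDS` lines unconditionally, but the reading side of the state file is not part of this commit; unless the parser that loads state files already accepts these two tags and tolerates their absence in files written before this change, keys written by this version may fail to load or silently lose the values, depending on how unknown tags are treated. Please confirm the read path handles both tags, and note in the commit message that the state-file format gained two optional fields. A brief comment above the two new printtime() calls, `/* CDS/CDNSKEY publication window; optional when reading back. */`, would document the contract. write_key_state() begins outside the hunk.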
@@ -88,12 +88,91 @@ keymgr_keyrole(dst_key_t *key) { return ("NOSIGN"); } +/* + * Set the remove time on key given its retire time. + * + */ +static void +keymgr_settime_remove(dns_dnsseckey_t *key, dns_kasp_t *kasp) { + isc_stdtime_t retire = 0, remove = 0, ksk_remove = 0, zsk_remove = 0; + bool zsk = false, ksk = false; + isc_result_t ret; + + REQUIRE(key != NULL); + REQUIRE(key->key != NULL); + + ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire); + if (ret != ISC_R_SUCCESS) { + return; + } + + ret = dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk); + if (ret == ISC_R_SUCCESS && zsk) { + /* ZSK: Iret = Dsgn + Dprp + TTLsig */ + zsk_remove = retire + dns_kasp_zonemaxttl(kasp) + + dns_kasp_zonepropagationdelay(kasp) + + dns_kasp_retiresafety(kasp) + + dns_kasp_signdelay(kasp); + } + ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk); + if (ret == ISC_R_SUCCESS && ksk) { + /* KSK: Iret = DprpP + TTLds */ + ksk_remove = retire + dns_kasp_dsttl(kasp) + + dns_kasp_parentregistrationdelay(kasp) + + dns_kasp_parentpropagationdelay(kasp) + + dns_kasp_retiresafety(kasp); + } + remove = ksk_remove > zsk_remove ? ksk_remove : zsk_remove; + dst_key_settime(key->key, DST_TIME_DELETE, remove); +} + +/* + * Set the SyncPublish time (when the DS may be submitted to the parent) + * + */ +static void +keymgr_settime_syncpublish(dns_dnsseckey_t *key, dns_kasp_t *kasp, bool first) { + isc_stdtime_t published, syncpublish; + bool ksk = false; + isc_result_t ret; + + REQUIRE(key != NULL); + REQUIRE(key->key != NULL); + + ret = dst_key_gettime(key->key, DST_TIME_PUBLISH, &published); + if (ret != ISC_R_SUCCESS) { + return; + } + + ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk); + if (ret != ISC_R_SUCCESS || !ksk) { + return; + } + + syncpublish = published + dst_key_getttl(key->key) + + dns_kasp_zonepropagationdelay(kasp) + + dns_kasp_publishsafety(kasp); + if (first) { + /* Also need to wait until the signatures are omnipresent. 
*/ + isc_stdtime_t zrrsig_present; + zrrsig_present = published + dns_kasp_zonemaxttl(kasp) + + dns_kasp_zonepropagationdelay(kasp) + + dns_kasp_publishsafety(kasp); + if (zrrsig_present > syncpublish) { + syncpublish = zrrsig_present; + } + } + dst_key_settime(key->key, DST_TIME_SYNCPUBLISH, syncpublish); +} + /* * Calculate prepublication time of a successor key of 'key'. * This function can have side effects: - * If the lifetime is not set, it will be set now. - * If there should be a retire time and it is not set, it will be set now. - * If there is no active time set, which would be super weird, set it now. + * 1. If there is no active time set, which would be super weird, set it now. + * 2. If there is no published time set, also super weird, set it now. + * 3. If the lifetime is not set, it will be set now. + * 4. If there should be a retire time and it is not set, it will be set now. + * 5. The removed time is adjusted accordingly. * * This returns when the successor key needs to be published in the zone. * A special value of 0 means there is no need for a successor. @@ -156,6 +235,11 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp, dst_key_settime(key->key, DST_TIME_INACTIVE, retire); } + /* + * Update remove time. + */ + keymgr_settime_remove(key, kasp); + /* * Publish successor 'prepub' time before the 'retire' time of 'key'. */ @@ -163,8 +247,10 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp, } static void -keymgr_key_retire(dns_dnsseckey_t *key, isc_stdtime_t now) { +keymgr_key_retire(dns_dnsseckey_t *key, dns_kasp_t *kasp, isc_stdtime_t now) { char keystr[DST_KEY_FORMATSIZE]; + isc_result_t ret; + isc_stdtime_t retire; dst_key_state_t s; bool ksk, zsk; 
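Review bot: keymgr_settime_remove() stores `DST_TIME_DELETE` unconditionally, so for a key where neither `DST_BOOL_ZSK` nor `DST_BOOL_KSK` is readable or set both candidates stay 0 and the key ends up with a Removed time of 0 (the epoch) rather than no Removed time; keymgr_prepublication_time() and keymgr_key_retire() in the following hunks call it on any key, so this is reachable. Guard the store with `if (!ksk && !zsk) { return; }` after the two dst_key_getbool() calls, or only call dst_key_settime() when `remove != 0`. The comments `/* ZSK: Iret = Dsgn + Dprp + TTLsig */` and `/* KSK: Iret = DprpP + TTLds */` also omit the retire-safety term and, for the KSK, the parent-registration delay that the arithmetic actually adds; spelling them out, e.g. `/* ZSK: Iret = Dsgn + Dprp + TTLsig + retire-safety */`, keeps formula and code in step. Neither helper checks `kasp` for NULL even though both REQUIRE the key, which is inconsistent with the rest of the block.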
@@ -172,8 +258,12 @@ keymgr_key_retire(dns_dnsseckey_t *key, isc_stdtime_t now) { REQUIRE(key->key != NULL); /* This key wants to retire and hide in a corner. */ - dst_key_settime(key->key, DST_TIME_INACTIVE, now); + ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire); + if (ret != ISC_R_SUCCESS || (retire > now)) { + dst_key_settime(key->key, DST_TIME_INACTIVE, now); + } dst_key_setstate(key->key, DST_KEY_GOAL, HIDDEN); + keymgr_settime_remove(key, kasp); /* This key may not have key states set yet. Pretend as if they are * in the OMNIPRESENT state. @@ -1013,11 +1103,16 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type, dns_kasp_retiresafety(kasp); /* * Only add the sign delay Dsgn if there is an actual - * predecessor key. + * predecessor or successor key. */ - uint32_t pre; - if (dst_key_getnum(key->key, DST_NUM_PREDECESSOR, - &pre) == ISC_R_SUCCESS) { + uint32_t tag; + ret = dst_key_getnum(key->key, DST_NUM_PREDECESSOR, + &tag); + if (ret != ISC_R_SUCCESS) { + ret = dst_key_getnum(key->key, + DST_NUM_SUCCESSOR, &tag); + } + if (ret == ISC_R_SUCCESS) { nexttime += dns_kasp_signdelay(kasp); } break; @@ -1373,7 +1468,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass, /* No match, so retire unwanted retire key. */ if (!found_match) { - keymgr_key_retire(dkey, now); + keymgr_key_retire(dkey, kasp, now); } } @@ -1428,7 +1523,8 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass, * the kasp key configuration. * Retire excess keys in use. */ - keymgr_key_retire(dkey, now); + keymgr_key_retire(dkey, kasp, + now); } continue; } @@ -1537,8 +1633,8 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass, keymgr_key_init(newkey, kasp, now); } else { newkey = candidate; - dst_key_setnum(newkey->key, DST_NUM_LIFETIME, lifetime); } + dst_key_setnum(newkey->key, DST_NUM_LIFETIME, lifetime); /* Got a key. */ if (active_key == NULL) { 
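Review bot: In the keymgr_transition_time() hunk the two dst_key_getnum() lookups now assign to `ret`, which is not declared within the hunk; if `ret` is the result variable the function eventually returns, an earlier value is overwritten inside this `case`, whereas the original code deliberately tested the call inline without touching it. A local, e.g. `isc_result_t r = dst_key_getnum(key->key, DST_NUM_PREDECESSOR, &tag);`, keeps the lookup self-contained (`tag` is already only a sink). Separately, in keymgr_key_retire() the new `retire > now` test preserves a retire time that is already in the past while only pulling a future one back to now, which matches the commit message but reads like a typo at first glance; a one-line comment, `/* Keep an earlier retire time; only pull a future one back to now. */`, would settle that. Both functions continue outside their hunks.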
@@ -1548,19 +1644,38 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass, */ dst_key_settime(newkey->key, DST_TIME_PUBLISH, now); dst_key_settime(newkey->key, DST_TIME_ACTIVATE, now); + keymgr_settime_syncpublish(newkey, kasp, true); active = now; } else { /* * This is a successor. Mark the relationship. */ + isc_stdtime_t created; + (void)dst_key_gettime(newkey->key, DST_TIME_CREATED, + &created); + dst_key_setnum(newkey->key, DST_NUM_PREDECESSOR, dst_key_id(active_key->key)); dst_key_setnum(active_key->key, DST_NUM_SUCCESSOR, dst_key_id(newkey->key)); (void)dst_key_gettime(active_key->key, DST_TIME_INACTIVE, &retire); + /* + * If prepublication time and/or retire time are + * in the past (before the new key was created), use + * creation time as published and active time, + * effectively immediately making the key active. + */ + if (prepub < created) { + retire += (created - prepub); + prepub = created; + } + if (retire < created) { + retire = created; + } dst_key_settime(newkey->key, DST_TIME_PUBLISH, prepub); dst_key_settime(newkey->key, DST_TIME_ACTIVATE, retire); + keymgr_settime_syncpublish(newkey, kasp, false); active = retire; } @@ -1568,10 +1683,10 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass, dst_key_setstate(newkey->key, DST_KEY_GOAL, OMNIPRESENT); /* Do we need to set retire time? */ - (void)dst_key_getnum(newkey->key, DST_NUM_LIFETIME, &lifetime); if (lifetime > 0) { dst_key_settime(newkey->key, DST_TIME_INACTIVE, (active + lifetime)); + keymgr_settime_remove(newkey, kasp); } /* Append dnsseckey to list of new keys. */ From 637d5f9a68e3807127befc0348074e3d00513997 Mon Sep 17 00:00:00 2001 
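Review bot: `created` is only filled through `(void)dst_key_gettime(newkey->key, DST_TIME_CREATED, &created);`, so if the candidate key carries no Created time the variable is uninitialised when `prepub < created` and `retire < created` are evaluated, which is undefined behaviour and can shift both times to an arbitrary value. Initialise it to the fallback you want, `isc_stdtime_t created = now;`, and treat a failed lookup as that fallback explicitly instead of discarding the result. The adjustment also assumes `prepub <= retire` when it shifts `retire` by `created - prepub`; a comment stating that both values come from keymgr_prepublication_time() in that order would make the invariant visible. dns_keymgr_run() continues outside the hunk.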
From: Matthijs Mekking Date: Tue, 28 Apr 2020 16:10:57 +0200 Subject: [PATCH 03/17] Move setting keytimes from settime to keygen In the kasp system test, we are going to set the keytimes on dnssec-keygen so we can test them against the key creation time. This prevents off by one second in the test, something that can happen if you set those times with dnssec-settime after dnssec-keygen. Also fix some test output filenames. --- bin/tests/system/kasp/ns3/setup.sh | 355 ++++++++++++++++++----------- bin/tests/system/kasp/ns6/setup.sh | 189 ++++++++------- 2 files changed, 328 insertions(+), 216 deletions(-) diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index 6fc5c07a17..49d6c44555 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh 
@@ -77,12 +77,13 @@ $KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1 zone="rumoured.kasp" Tpub="now" Tact="now+1d" -KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a RSASHA1 -b 2000 -L 1234 $zone 2> keygen.out.$zone.2) -ZSK2=$($KEYGEN -a RSASHA1 -L 1234 $zone 2> keygen.out.$zone.3) -$SETTIME -s -P $Tpub -A $Tact -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $Tpub -A $Tact -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -P $Tpub -A $Tact -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.2 2>&1 +keytimes="-P ${Tpub} -A ${Tact}" +KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $keytimes $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a RSASHA1 -b 2000 -L 1234 $keytimes $zone 2> keygen.out.$zone.2) +ZSK2=$($KEYGEN -a RSASHA1 -L 1234 $keytimes $zone 2> keygen.out.$zone.3) +$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.2 2>&1 # # Set up zones that are already signed. 
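Review bot: The two ZSK settime calls still write to the same file, `"$ZSK2" > settime.out.$zone.2`, so ZSK1's output is overwritten even though the commit says it fixes test output filenames; change the last one to `> settime.out.$zone.3 2>&1` to match the keygen numbering above it. The `$keytimes` expansion is unquoted on purpose so that it splits into separate arguments; a one-line comment, `# word-splitting intended`, prevents a later "fix" that quotes it and breaks every keygen call in this file.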
@@ -90,11 +91,13 @@ $SETTIME -s -P $Tpub -A $Tact -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" # These signatures are set to expire long in the past, update immediately. setup expired-sigs.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2) T="now-6mo" -$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P $T -A $T -P sync $T" +zsktimes="-P $T -A $T" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 13 "$KSK" >> "$infile" private_type_record $zone 13 "$ZSK" >> "$infile" 
@@ -102,11 +105,13 @@ $SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O full -f $zonefile $infile > sig # These signatures are still good, and can be reused. setup fresh-sigs.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2) T="now-6mo" -$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P $T -A $T -P sync $T" +zsktimes="-P $T -A $T" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 13 "$KSK" >> "$infile" private_type_record $zone 13 "$ZSK" >> "$infile" 
@@ -114,11 +119,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # These signatures are still good, but not fresh enough, update immediately. setup unfresh-sigs.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2) T="now-6mo" -$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P $T -A $T -P sync $T" +zsktimes="-P $T -A $T" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 13 "$KSK" >> "$infile" private_type_record $zone 13 "$ZSK" >> "$infile" 
@@ -126,11 +133,13 @@ $SIGNER -S -x -s now-1w -e now+1w -o $zone -O full -f $zonefile $infile > signer # These signatures are already expired, and the private ZSK is missing. setup zsk-missing.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2) T="now-6mo" -$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P $T -A $T -P sync $T" +zsktimes="-P $T -A $T" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 13 "$KSK" >> "$infile" private_type_record $zone 13 "$ZSK" >> "$infile" 
@@ -139,16 +148,18 @@ rm -f "${ZSK}".private # These signatures are already expired, and the private ZSK is retired. setup zsk-retired.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 300 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zone 2> keygen.out.$zone.2) T="now-6mo" -$SETTIME -s -P $T -A $T -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $T -A $T -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P $T -A $T -P sync $T" +zsktimes="-P $T -A $T -I now" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 13 "$KSK" >> "$infile" private_type_record $zone 13 "$ZSK" >> "$infile" $SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 -$SETTIME -s -I now -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1 +$SETTIME -s -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1 # # The zones at enable-dnssec.autosign represent the various steps of the 
@@ -164,9 +175,10 @@ cp template.db.in $zonefile # Step 2: # The DNSKEY has been published long enough to become OMNIPRESENT. setup step2.enable-dnssec.autosign -CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $zone 2> keygen.out.$zone.1) TpubN="now-900s" -$SETTIME -s -P $TpubN -A $TpubN -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 +keytimes="-P ${TpubN} -A ${TpubN}" +CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) +$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone 13 "$CSK" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 @@ -174,10 +186,11 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Step 3: # The zone signatures have been published long enough to become OMNIPRESENT. setup step3.enable-dnssec.autosign -CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $zone 2> keygen.out.$zone.1) TpubN="now-44700s" TactN="now-43800s" -$SETTIME -s -P $TpubN -A $TpubN -g $O -k $O $TactN -r $O $TactN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 +keytimes="-P ${TpubN} -A ${TpubN}" +CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone 13 "$CSK" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 
@@ -187,11 +200,12 @@ setup step3.enable-dnssec.autosign # The DS has been submitted long enough ago to become OMNIPRESENT. # Add 27 hour plus retire safety of 20 minutes (98400 seconds) to the times. setup step4.enable-dnssec.autosign -CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $zone 2> keygen.out.$zone.1) TpubN="now-143100s" TactN="now-142200s" TomnN="now-98400s" -$SETTIME -s -P $TpubN -A $TpubN -g $O -k $O $TactN -r $O $TactN -d $R $TomnN -z $O $TomnN "$CSK" > settime.out.$zone.1 2>&1 +keytimes="-P ${TpubN} -A ${TpubN}" +CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $R $TomnN -z $O $TomnN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone 13 "$CSK" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 
@@ -205,11 +219,13 @@ setup step3.enable-dnssec.autosign # Step 1: # Introduce the first key. This will immediately be active. setup step1.zsk-prepub.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) TactN="now" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P ${TactN} -A ${TactN}" +zsktimes="-P ${TactN} -A ${TactN}" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 13 "$KSK" >> "$infile" private_type_record $zone 13 "$ZSK" >> "$infile" 
@@ -218,15 +234,17 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 2: # It is time to pre-publish the successor ZSK. setup step2.zsk-prepub.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) # According to RFC 7583: Tpub(N+1) <= Tact(N) + Lzsk - Ipub # Also: Ipub = Dprp + TTLkey (+publish-safety) # so: Tact(N) = Tpub(N+1) + Ipub - Lzsk = now + (1d2h) - 30d = # now + 26h - 30d = now − 694h TactN="now-694h" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P ${TactN} -A ${TactN}" +zsktimes="-P ${TactN} -A ${TactN}" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 13 "$KSK" >> "$infile" private_type_record $zone 13 "$ZSK" >> "$infile" @@ -236,9 +254,6 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # After the publication interval has passed the DNSKEY of the successor ZSK # is OMNIPRESENT and the zone can thus be signed with the successor ZSK. setup step3.zsk-prepub.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) -ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.3) # According to RFC 7583: Tpub(N+1) <= Tact(N) + Lzsk - Ipub # Also: Tret(N) = Tact(N+1) = Tact(N) + Lzsk # so: Tact(N) = Tact(N+1) - Lzsk = now - 30d 
@@ -247,10 +262,18 @@ ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.3) TactN="now-30d" TpubN1="now-26h" TretN1="now+30d" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -S "$ZSK1" -i 0 "$ZSK2" > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A now -I $TretN1 -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1 +ksktimes="-P ${TactN} -A ${TactN}" +zsktimes="-P ${TactN} -A ${TactN} -I now" +newtimes="-P ${TpubN1} -A now -I ${TretN1}" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $newtimes $zone 2> keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1 +# Set key rollover relationship. +key_successor $ZSK1 $ZSK2 +# Sign zone. cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" private_type_record $zone 13 "$KSK" >> "$infile" private_type_record $zone 13 "$ZSK1" >> "$infile" @@ -261,9 +284,6 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # After the retire interval has passed the predecessor DNSKEY can be # removed from the zone. setup step4.zsk-prepub.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) -ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.3) # According to RFC 7583: Tret(N) = Tact(N) + Lzsk # Also: Tdea(N) = Tret(N) + Iret # Also: Iret = Dsgn + Dprp + TTLsig (+retire-safety) 
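Review bot: step3.zsk-prepub is the only step that replaces `$SETTIME -s -S "$ZSK1" -i 0 "$ZSK2"` with `key_successor $ZSK1 $ZSK2`, while step4/step5.zsk-prepub and the ksk-doubleksk steps in the later hunks keep calling settime directly; either use the helper everywhere or keep settime here, otherwise the steps record the successor relationship through two different paths and a regression in one of them is masked by the other. key_successor is not defined in this hunk, so I assume it lives earlier in setup.sh or in the sourced test library; if it does not produce a `settime.out.$zone.3`, the jump from `.2` to `.4` in the output names is now a gap worth renumbering.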
@@ -280,29 +300,38 @@ TretN="now-241h" TpubN1="now-267h" TactN1="${TretN}" TretN1="now+479h" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1 +ksktimes="-P ${TactN} -A ${TactN}" +zsktimes="-P ${TactN} -A ${TactN} -I ${TretN}" +newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $newtimes $zone 2> keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1 $SETTIME -s -S "$ZSK1" -i 0 "$ZSK2" > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.4 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.4 2>&1 cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" $SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 5: # The predecessor DNSKEY is removed long enough that is has become HIDDEN. setup step5.zsk-prepub.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2) -ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.3) # Subtract DNSKEY TTL from all the times (1h). 
TactN="now-962h" TretN="now-242h" TpubN1="now-268h" TactN1="${TretN}" TretN1="now+478h" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -I $TretN -D now -g $H -k $U $TretN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1 +ksktimes="-P ${TactN} -A ${TactN}" +zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D now" +newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) +ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $newtimes $zone 2> keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $U $TretN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1 $SETTIME -s -S "$ZSK1" -i 0 "$ZSK2" > settime.out.$zone.3 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.4 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.4 2>&1 cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" private_type_record $zone 13 "$KSK" >> "$infile" private_type_record $zone 13 "$ZSK1" >> "$infile" 
@@ -317,26 +346,30 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 1: # Introduce the first key. This will immediately be active. setup step1.ksk-doubleksk.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.2) TactN="now" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P ${TactN} -A ${TactN}" +zsktimes="-P ${TactN} -A ${TactN}" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 # Step 2: # It is time to submit the introduce the new KSK. 
setup step2.ksk-doubleksk.autosign -KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.2) # According to RFC 7583: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC # Also: IpubC = DprpC + TTLkey (+publish-safety) # so: Tact(N) = Tpub(N+1) - Lksk + Dreg + IpubC = now - 60d + (1d3h) # now - 1440h + 27h = now - 1413h TactN="now-1413h" -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 +ksktimes="-P ${TactN} -A ${TactN}" +zsktimes="-P ${TactN} -A ${TactN}" +KSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) +ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" private_type_record $zone 13 "$KSK" >> "$infile" private_type_record $zone 13 "$ZSK" >> "$infile" @@ -345,9 +378,6 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 3: # It is time to submit the DS. setup step3.ksk-doubleksk.autosign -KSK1=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1) -KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.2) -ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.3) # According to RFC 7583: Tsbm(N+1) >= Trdy(N+1) # Also: Tact(N+1) = Tsbm(N+1) + Dreg # so: Tact(N) = Tsbm(N+1) + Dreg - Lksk = now + 1d - 60d = now - 59d 
@@ -358,10 +388,16 @@ TactN="now-59d"
 TretN="now+1d"
 TpubN1="now-27h"
 TretN1="now+61d"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
+ksktimes="-P ${TactN} -A ${TactN} -I ${TretN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
 $SETTIME -s -S "$KSK1" -i 0 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TretN -I $TretN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
 cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 13 "$KSK1" >> "$infile"
 private_type_record $zone 13 "$KSK2" >> "$infile"
@@ -371,9 +407,6 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # Step 4:
 # The DS should be swapped now.
 setup step4.ksk-doubleksk.autosign
-KSK1=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1)
-KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.2)
-ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.3)
 # According to RFC 7583: Tdea(N) = Tret(N) + Iret
 # Also: Tret(N) = Tsbm(N+1) + Dreg
 # Also: Tact(N+1) = Tret(N)
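Review bot: `newtimes` in the step3.ksk-doubleksk hunk reads `${TactN1}`, but this step assigns only TactN, TretN, TpubN1 and TretN1 (TactN1 is not set anywhere in the step's visible lines; the step 4 hunk is the first place that assigns it), and the settime line being replaced used `-A $TretN` for KSK2. Unless TactN1 is assigned earlier outside the hunk, `$newtimes` expands with an empty Activate value and `-A` would take `-I` as its date, so KSK2 is generated with a wrong or missing Activate time; the corresponding csk-roll step 3 hunk uses `-A ${TretN}`. Suggest `newtimes="-P ${TpubN1} -A ${TretN} -I ${TretN1}"`. Separately, the new KSK2 settime line still writes to `settime.out.$zone.1`, overwriting KSK1's output, whereas the csk steps in this patch moved the second key to `.2`.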
@@ -390,10 +423,16 @@ TpubN1="now-101h"
 TsbmN1="now-74h"
 TactN1="${TretN}"
 TretN1="now+1390h"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 "$KSK1" > settime.out.$zone.1 2>&1
+ksktimes="-P ${TactN} -A ${TactN} -I ${TretN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 "$KSK1" > settime.out.$zone.1 2>&1
 $SETTIME -s -S "$KSK1" -i 0 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 "$KSK2" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 "$KSK2" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
 cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 13 "$KSK1" >> "$infile"
 private_type_record $zone 13 "$KSK2" >> "$infile"
@@ -403,9 +442,6 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # Step 5:
 # The predecessor DNSKEY is removed long enough that is has become HIDDEN.
 setup step5.ksk-doubleksk.autosign
-KSK1=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1)
-KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.2)
-ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.3)
 # Subtract DNSKEY TTL from all the times (2h).
 TactN="now-1492h"
 TretN="now-52h"
@@ -413,10 +449,16 @@ TpubN1="now-102h"
 TsbmN1="now-75h"
 TactN1="${TretN}"
 TretN1="now+1388h"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1
+ksktimes="-P ${TactN} -A ${TactN} -I ${TretN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
+$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1
 $SETTIME -s -S "$KSK1" -i 0 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
 cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 13 "$KSK1" >> "$infile"
 private_type_record $zone 13 "$KSK2" >> "$infile"
@@ -431,9 +473,10 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # Step 1:
 # Introduce the first key. This will immediately be active.
 setup step1.csk-roll.autosign
-CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 TactN="now"
-$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone 13 "$CSK" >> "$infile"
 $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -441,7 +484,6 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 2:
 # It is time to introduce the new CSK.
 setup step2.csk-roll.autosign
-CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 # According to RFC 7583: ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
 # According to RFC 7583: KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
 # Also: Ipub = Dprp + TTLkey (+publish-safety)
@@ -450,7 +492,9 @@ CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 # so: Tact(N) = Tpub(N+1) - Lcsk + Dreg + IpubC = now - 6mo + 1d + 3h =
 # now - 4464h + 24h + 3h = now - 4437h
 TactN="now-4437h"
-$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone 13 "$CSK" >> "$infile"
 $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -458,8 +502,6 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 3:
 # It is time to submit the DS and to roll signatures.
 setup step3.csk-roll.autosign
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 # According to RFC 7583: Tsbm(N+1) >= Trdy(N+1)
 # Also: Tact(N+1) = Tsbm(N+1) + Dreg
 # so: Tact(N) = Tsbm(N+1) + Dreg - Lksk = now + 1d - 6mo = now - 185d
@@ -470,9 +512,13 @@ TactN="now-185d"
 TretN="now+1d"
 TpubN1="now-3h"
 TretN1="now+187d"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN} -I ${TretN}"
+newtimes="-P ${TpubN1} -A ${TretN} -I ${TretN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
 $SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TretN -I $TretN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
@@ -486,8 +532,6 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # (1d + 1h + 1h + 2h = 1d4h). In other words, the DS is swapped before all
 # zone signatures are replaced.
 setup step4.csk-roll.autosign
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 # According to RFC 7583: Tdea(N) = Tret(N) + Iret
 # Also: Iret = 1h + 1h + 2h = 4h
 # Also: Tact(N+1) = Tret(N)
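Review bot: step3.csk-roll keeps `$SETTIME -s -S "$CSK1" -i 0 "$CSK2"` and still sends CSK2's settime output to `settime.out.$zone.1`, while every later csk-roll and csk-roll2 step in this patch replaces that line with `key_successor $CSK1 $CSK2` and writes the second key to `.2`. As written the CSK2 output overwrites CSK1's, which removes the evidence needed to diagnose a failed setup. Suggest aligning it with the other steps: `$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1` followed by `key_successor $CSK1 $CSK2`. `key_successor` is not defined in any visible hunk, so presumably it comes from a sourced helper; since none of these commands' exit statuses are checked, a missing definition would only surface as a later test failure.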
@@ -503,9 +547,15 @@ TpubN1="now-31h"
 TsbmN1="now-28h"
 TactN1="${TretN}"
 TretN1="now+4460h"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 "$CSK2" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN} -I ${TretN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
@@ -515,8 +565,6 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # After the DS is swapped in step 4, also the KRRSIG records can be removed.
 # At this time these have all become hidden.
 setup step5.csk-roll.autosign
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 # Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
 TactN="now-4470h"
 TretN="now-6h"
@@ -525,9 +573,15 @@ TpubN1="now-33h"
 TsbmN1="now-30h"
 TactN1="${TretN}"
 TretN1="now+4458h"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $U $TdeaN -d $H $TdeaN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN} -I ${TretN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $U $TdeaN -d $H $TdeaN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
@@ -537,8 +591,6 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # After the retire interval has passed the predecessor DNSKEY can be
 # removed from the zone.
 setup step6.csk-roll.autosign
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 # According to RFC 7583: Tdea(N) = Tret(N) + Iret
 # Also: Tret(N) = Tact(N) + Lzsk
 # Also: Iret = Dsgn + Dprp + TTLsig (+retire-safety)
@@ -555,9 +607,15 @@ TpubN1="now-630h"
 TsbmN1="now-627h"
 TactN1="${TretN}"
 TretN1="now+3837h"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $H $TdeaN -d $H $TdeaN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN} -I ${TretN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -P -g $H -k $O $TactN -r $H $TdeaN -d $H $TdeaN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -P -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
@@ -566,8 +624,6 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 7:
 # Some time later the predecessor DNSKEY enters the HIDDEN state.
 setup step7.csk-roll.autosign
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 # Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
 TactN="now-5093h"
 TretN="now-629h"
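Review bot: both new settime lines in step6.csk-roll carry a stray `-P` with no date (`$SETTIME -s -P -g $H ...` and `$SETTIME -s -P -g $O ...`); dnssec-settime's `-P` expects a date argument, so `-g` would be consumed as that date and the state options after it would not be applied as intended. Every other step in this patch drops the `-P/-A/-I` options from settime now that the times are handed to keygen, so this looks like an editing leftover. Suggest `$SETTIME -s -g $H -k $O $TactN -r $H $TdeaN -d $H $TdeaN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1` and `$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1`. Because output goes to settime.out and the exit status is not checked, a failing invocation here would only show up as a confusing downstream test failure.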
@@ -576,9 +632,15 @@ TpubN1="now-632h"
 TsbmN1="now-629h"
 TactN1="${TretN}"
 TretN1="now+3835h"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $U now-2h -r $H $TdeaN -d $H $TdeaN -z $H $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $O $TsbmN1 "$CSK2" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN} -I ${TretN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U now-2h -r $H $TdeaN -d $H $TdeaN -z $H $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $O $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
@@ -594,9 +656,10 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 1:
 # Introduce the first key. This will immediately be active.
 setup step1.csk-roll2.autosign
-CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 TactN="now"
-$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone 13 "$CSK" >> "$infile"
 $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -604,7 +667,6 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 2:
 # It is time to introduce the new CSK.
 setup step2.csk-roll2.autosign
-CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 # According to RFC 7583: ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
 # According to RFC 7583: KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
 # Also: Ipub = Dprp + TTLkey (+publish-safety)
@@ -613,7 +675,9 @@ CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1
 # so: Tact(N) = Tpub(N+1) - Lcsk + Dreg + IpubC = now - 6mo + 1w + 3h =
 # now - 4464h + 168h + 3h = now - 4635h
 TactN="now-4635h"
-$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone 13 "$CSK" >> "$infile"
 $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -621,8 +685,6 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 3:
 # It is time to submit the DS and to roll signatures.
 setup step3.csk-roll2.autosign
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 # According to RFC 7583: Tsbm(N+1) >= Trdy(N+1)
 # Also: Tact(N+1) = Tsbm(N+1) + Dreg
 # so: Tact(N) = Tsbm(N+1) + Dreg - Lksk = now + 1w - 6mo = now - 179d
@@ -633,9 +695,15 @@ TactN="now-179d"
 TretN="now+1w"
 TpubN1="now-3h"
 TretN1="now+193d"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TretN -I $TretN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN} -I ${TretN}"
+newtimes="-P ${TpubN1} -A ${TretN} -I ${TretN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
@@ -649,8 +717,6 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # (1w + 1h + 1h + 1h = 1w3h). In other words, the zone signatures are
 # replaced before the DS is swapped.
 setup step4.csk-roll2.autosign
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 # According to RFC 7583: Tdea(N) = Tret(N) + Iret
 # Also: Tret(N) = Tact(N) + Lzsk
 # Also: Iret = Dsgn + Dprp + TTLsig (+retire-safety)
@@ -664,9 +730,15 @@ TretN="now-38h"
 TpubN1="now-41h"
 TactN1="${TretN}"
 TretN1="now+4426"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TretN -z $U $TretN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $R $TretN -z $R $TretN "$CSK2" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN} -I ${TretN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TretN -z $U $TretN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TretN -r $O $TretN -d $R $TretN -z $R $TretN "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
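Review bot: `newtimes` in step4.csk-roll2 now feeds `${TretN1}` to keygen as the successor's Inactive time, and the context value is `TretN1="now+4426"` with no unit suffix, unlike `now+4460h` in the equivalent csk-roll step; as far as I can tell an unsuffixed offset is taken as seconds, so CSK2 would be generated to retire roughly 74 minutes after activation instead of months later. The value itself is a pre-existing context line, but this hunk is what first bakes it into the generated key's metadata rather than only the settime call. If hours are intended, as the neighbouring steps suggest, change it to `TretN1="now+4426h"`.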
@@ -676,17 +748,21 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Some time later the DS can be swapped and the old DNSKEY can be removed from
 # the zone.
 setup step5.csk-roll2.autosign
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
 # Subtract Dreg + Iret (174h).
 TactN="now-4676h"
 TretN="now-212h"
 TpubN1="now-215h"
 TactN1="${TretN}"
 TretN1="now+4252h"
-$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TretN -z $H $TretN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $R $TretN -z $O $TretN "$CSK2" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN} -I ${TretN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TretN -z $H $TretN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TretN -r $O $TretN -d $R $TretN -z $O $TretN "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
@@ -695,9 +771,6 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 6:
 # Some time later the predecessor DNSKEY enters the HIDDEN state.
 setup step6.csk-roll2.autosign
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1)
-
 # Subtract DNSKEY TTL plus zone propagation delay (2h).
 TactN="now-4678h"
 TretN="now-214h"
@@ -705,9 +778,15 @@ TdeaN="now-2h"
 TpubN1="now-217h"
 TactN1="${TretN}"
 TretN1="now+4250h"
+csktimes="-P ${TactN} -A ${TactN} -I ${TretN}"
+newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
 $SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $U $TdeaN -r $U $TdeaN -d $H $TretN -z $H $TretN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $O $TretN -z $O $TretN "$CSK2" > settime.out.$zone.1 2>&1
+$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $O $TretN -z $O $TretN "$CSK2" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
index 16c92ce0f0..e7813fdabd 100644
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
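Review bot: in the step6.csk-roll2 hunk (the second hunk on this line), the CSK1 settime line is left as context with `-P $TactN -A $TactN -I $TretN`, and the new CSK2 line still carries `-P $TpubN1 -A $TactN1 -I $TretN1`, even though the same times are now handed to keygen through `csktimes`/`newtimes`. Every other step in this patch drops those options from settime, so this step sets each key time in two places and the two can silently drift apart in later edits. Suggest `$SETTIME -s -g $H -k $U $TdeaN -r $U $TdeaN -d $H $TretN -z $H $TretN "$CSK1" > settime.out.$zone.1 2>&1` and `$SETTIME -s -g $O -k $O $TretN -r $O $TretN -d $O $TretN -z $O $TretN "$CSK2" > settime.out.$zone.2 2>&1`.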
@@ -42,10 +42,10 @@ U="UNRETENTIVE"
 # Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
 setup migrate.kasp
 echo "$zone" >> zones
-KSK=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 7200 $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zone 2> keygen.out.$zone.2)
-$SETTIME -P now -P sync now -A now "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -P now -A now "$ZSK" > settime.out.$zone.2 2>&1
+ksktimes="-P now -A now -P sync now"
+zsktimes="-P now -A now"
+KSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 5 "$KSK" >> "$infile"
 private_type_record $zone 5 "$ZSK" >> "$infile"
@@ -57,13 +57,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # ECDSAP256SHA256 keys.
 setup migrate-nomatch-algnum.kasp
 echo "$zone" >> zones
-KSK=$($KEYGEN -a RSASHA1 -b 2048 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zone 2> keygen.out.$zone.2)
 Tds="now-24h" # Time according to dnssec-policy that DS will be OMNIPRESENT
 Tkey="now-3900s" # DNSKEY TTL + propagation delay
 Tsig="now-12h" # Zone's maximum TTL + propagation delay
-$SETTIME -P $Tkey -P sync $Tds -A $Tkey "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -P $Tsig -A $Tsig "$ZSK" > settime.out.$zone.2 2>&1
+ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
+zsktimes="-P ${Tsig} -A ${Tsig}"
+KSK=$($KEYGEN -a RSASHA1 -b 2048 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 5 "$KSK" >> "$infile"
 private_type_record $zone 5 "$ZSK" >> "$infile"
@@ -75,13 +75,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # dictates 2048 bits RSASHA1 keys.
 setup migrate-nomatch-alglen.kasp
 echo "$zone" >> zones
-KSK=$($KEYGEN -a RSASHA1 -b 1024 -f KSK -L 300 $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zone 2> keygen.out.$zone.2)
 Tds="now-24h" # Time according to dnssec-policy that DS will be OMNIPRESENT
 Tkey="now-3900s" # DNSKEY TTL + propagation delay
 Tsig="now-12h" # Zone's maximum TTL + propagation delay
-$SETTIME -P $Tkey -P sync $Tds -A $Tkey "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -P $Tsig -A $Tsig "$ZSK" > settime.out.$zone.2 2>&1
+ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
+zsktimes="-P ${Tsig} -A ${Tsig}"
+KSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 5 "$KSK" >> "$infile"
 private_type_record $zone 5 "$ZSK" >> "$infile"
@@ -96,11 +96,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # Introduce the first key. This will immediately be active.
 setup step1.algorithm-roll.kasp
 echo "$zone" >> zones
-KSK=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2)
 TactN="now"
-$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+ksktimes="-P ${TactN} -A ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 5 "$KSK" >> "$infile"
 private_type_record $zone 5 "$ZSK" >> "$infile"
@@ -109,18 +111,22 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # Step 2:
 # After the publication interval has passed the DNSKEY is OMNIPRESENT.
 setup step2.algorithm-roll.kasp
-KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
-ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2)
 # The time passed since the new algorithm keys have been introduced is 3 hours.
 TactN="now-3h"
 TpubN1="now-3h"
 TactN1="now+6h"
-$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1
+ksk1times="-P ${TactN} -A ${TactN} -I now"
+zsk1times="-P ${TactN} -A ${TactN} -I now"
+ksk2times="-P ${TpubN1} -A ${TpubN1}"
+zsk2times="-P ${TpubN1} -A ${TactN1}"
+KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
+KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
 # Fake lifetime of old algorithm keys.
 echo "Lifetime: 0" >> "${KSK1}.state"
 echo "Lifetime: 0" >> "${ZSK1}.state"
@@ -134,18 +140,22 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # Step 3:
 # The zone signatures are also OMNIPRESENT.
 setup step3.algorithm-roll.kasp
-KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
-ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2)
 # The time passed since the new algorithm keys have been introduced is 9 hours.
 TactN="now-9h"
 TpubN1="now-9h"
 TactN1="now"
-$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1
+ksk1times="-P ${TactN} -A ${TactN} -I now"
+zsk1times="-P ${TactN} -A ${TactN} -I now"
+ksk2times="-P ${TpubN1} -A ${TactN1}"
+zsk2times="-P ${TpubN1} -A ${TactN1}"
+KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
+KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
 # Fake lifetime of old algorithm keys.
 echo "Lifetime: 0" >> "${KSK1}.state"
 echo "Lifetime: 0" >> "${ZSK1}.state"
@@ -159,18 +169,22 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # Step 4:
 # The DS is swapped and can become OMNIPRESENT.
 setup step4.algorithm-roll.kasp
-KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
-ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2)
 # The time passed since the DS has been swapped is 29 hours.
 TactN="now-38h"
 TpubN1="now-38h"
 TactN1="now-29h"
-$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 "$KSK2" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1
+ksk1times="-P ${TactN} -A ${TactN} -I now"
+zsk1times="-P ${TactN} -A ${TactN} -I now"
+ksk2times="-P ${TpubN1} -A ${TactN1}"
+zsk2times="-P ${TpubN1} -A ${TactN1}"
+KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
+KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
 # Fake lifetime of old algorithm keys.
 echo "Lifetime: 0" >> "${KSK1}.state"
 echo "Lifetime: 0" >> "${ZSK1}.state"
@@ -184,19 +198,23 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # Step 5:
 # The DNSKEY is removed long enough to be HIDDEN.
 setup step5.algorithm-roll.kasp
-KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
-ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2)
 # The time passed since the DNSKEY has been removed is 2 hours.
 TactN="now-40h"
 TpubN1="now-40h"
 TactN1="now-31h"
 TremN="now-2h"
-$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1
+ksk1times="-P ${TactN} -A ${TactN} -I now"
+zsk1times="-P ${TactN} -A ${TactN} -I now"
+ksk2times="-P ${TpubN1} -A ${TactN1}"
+zsk2times="-P ${TpubN1} -A ${TactN1}"
+KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
+KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
+$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
 # Fake lifetime of old algorithm keys.
 echo "Lifetime: 0" >> "${KSK1}.state"
 echo "Lifetime: 0" >> "${ZSK1}.state"
@@ -210,20 +228,24 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # Step 6:
 # The RRSIGs have been removed long enough to be HIDDEN.
 setup step6.algorithm-roll.kasp
-KSK1=$($KEYGEN -a RSASHA1 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a ECDSAP256SHA256 -f KSK -L 3600 $zone 2> keygen.out.$zone.1)
-ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zone 2> keygen.out.$zone.2)
 # Additional time passed: 7h.
 TactN="now-47h"
 TpubN1="now-47h"
 TactN1="now-38h"
 TdeaN="now-9h"
 TremN="now-7h"
-$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TpubN1 -A $TactN1 -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.2 2>&1
+ksk1times="-P ${TactN} -A ${TactN} -I now"
+zsk1times="-P ${TactN} -A ${TactN} -I now"
+ksk2times="-P ${TpubN1} -A ${TactN1}"
+zsk2times="-P ${TpubN1} -A ${TactN1}"
+KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
+KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
+$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
 # Fake lifetime of old algorithm keys.
 echo "Lifetime: 0" >> "${KSK1}.state"
 echo "Lifetime: 0" >> "${ZSK1}.state"
@@ -243,9 +265,10 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # Introduce the first key. This will immediately be active.
 setup step1.csk-algorithm-roll.kasp
 echo "$zone" >> zones
-CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
 TactN="now"
-$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone 5 "$CSK" >> "$infile"
 $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -253,13 +276,15 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig
 # Step 2:
 # After the publication interval has passed the DNSKEY is OMNIPRESENT.
 setup step2.csk-algorithm-roll.kasp
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1)
 # The time passed since the new algorithm keys have been introduced is 3 hours.
 TactN="now-3h"
 TpubN1="now-3h"
-$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN} -I now"
+newtimes="-P ${TpubN1} -A ${TpubN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
 # Fake lifetime of old algorithm keys.
 echo "Lifetime: 0" >> "${CSK1}.state"
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
@@ -270,14 +295,16 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig
 # Step 3:
 # The zone signatures are also OMNIPRESENT.
 setup step3.csk-algorithm-roll.kasp
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1)
 # The time passed since the new algorithm keys have been introduced is 9 hours.
 TactN="now-9h"
 TpubN1="now-9h"
 TactN1="now-6h"
-$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN} -I now"
+newtimes="-P ${TpubN1} -A ${TpubN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
 # Fake lifetime of old algorithm keys.
 echo "Lifetime: 0" >> "${CSK1}.state"
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
@@ -288,15 +315,17 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig
 # Step 4:
 # The DS is swapped and can become OMNIPRESENT.
 setup step4.csk-algorithm-roll.kasp
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1)
 # The time passed since the DS has been swapped is 29 hours.
 TactN="now-38h"
 TpubN1="now-38h"
 TactN1="now-35h"
 TsubN1="now-29h"
-$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 "$CSK2" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN} -I now"
+newtimes="-P ${TpubN1} -A ${TpubN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 "$CSK2" > settime.out.$zone.2 2>&1
 # Fake lifetime of old algorithm keys.
 echo "Lifetime: 0" >> "${CSK1}.state"
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
@@ -307,16 +336,18 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig
 # Step 5:
 # The DNSKEY is removed long enough to be HIDDEN.
 setup step5.csk-algorithm-roll.kasp
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1)
 # The time passed since the DNSKEY has been removed is 2 hours.
 TactN="now-40h"
 TpubN1="now-40h"
 TactN1="now-37h"
 TsubN1="now-31h"
 TremN="now-2h"
-$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN} -I now"
+newtimes="-P ${TpubN1} -A ${TpubN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.2 2>&1
 # Fake lifetime of old algorithm keys.
 echo "Lifetime: 0" >> "${CSK1}.state"
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
@@ -327,8 +358,6 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig
 # Step 6:
 # The RRSIGs have been removed long enough to be HIDDEN.
 setup step6.csk-algorithm-roll.kasp
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $zone 2> keygen.out.$zone.1)
 # Additional time passed: 7h.
 TactN="now-47h"
 TpubN1="now-47h"
@@ -336,8 +365,12 @@ TactN1="now-44h"
 TsubN1="now-38h"
 TdeaN="now-9h"
 TremN="now-7h"
-$SETTIME -s -P $TactN -A $TactN -I now -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -P $TpubN1 -A $TpubN1 -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.1 2>&1
+csktimes="-P ${TactN} -A ${TactN} -I now"
+newtimes="-P ${TpubN1} -A ${TpubN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
+$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
 # Fake lifetime of old algorithm keys.
 echo "Lifetime: 0" >> "${CSK1}.state"
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
From 5a590c47a50bec2b6936aad685d10ead850dfd6b Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 29 Apr 2020 09:37:41 +0200
Subject: [PATCH 04/17] Set key rollover relationship without settime
Using dnssec-setttime after dnssec-keygen in the kasp system test can lead to off by one second failures, so reduce the usage of dnssec-settime in the setup scripts. This commit deals with setting the key rollover relationship (predecessor/successor).
---
 bin/tests/system/kasp/ns3/setup.sh | 32 ++++++++++++++++++++++++------
 1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 49d6c44555..73faa593cd 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -32,6 +32,14 @@ private_type_record() {
 printf "%s. 0 IN TYPE65534 %s 5 %02x%04x0000\n" "$_zone" "\\#" "$_algorithm" "$_id"
 }
+# Set in the key state files the Predecessor/Successor fields.
+# Key $1 is the predecessor of key $2.
+key_successor() {
+ id1=$(keyfile_to_key_id "$1")
+ id2=$(keyfile_to_key_id "$2")
+ echo "Predecessor: ${id1}" >> "${2}.state"
+ echo "Successor: ${id2}" >> "${1}.state"
+}
 # Make lines shorter by storing key states in environment variables.
 H="HIDDEN"
@@ -308,8 +316,10 @@ ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$
 ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
 $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $H -k $O $TactN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -S "$ZSK1" -i 0 "$ZSK2" > settime.out.$zone.3 2>&1
 $SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.4 2>&1
+# Set key rollover relationship.
+key_successor $ZSK1 $ZSK2
+# Sign zone.
 cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
 $SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -330,8 +340,10 @@ ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.
 ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
 $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $H -k $U $TretN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -S "$ZSK1" -i 0 "$ZSK2" > settime.out.$zone.3 2>&1
 $SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.4 2>&1
+# Set key rollover relationship.
+key_successor $ZSK1 $ZSK2
+# Sign zone.
 cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
 private_type_record $zone 13 "$KSK" >> "$infile"
 private_type_record $zone 13 "$ZSK1" >> "$infile"
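Review bot: `key_successor` assigns `id1` and `id2` as plain globals, while the neighbouring `private_type_record` keeps its temporaries underscore-prefixed (`_zone`, `_algorithm`, `_id`); `_id1=$(keyfile_to_key_id "$1")` and `_id2=$(keyfile_to_key_id "$2")` would follow the file's convention and avoid clobbering anything else named `id1`/`id2`. The call sites in the later hunks pass the key names unquoted (`key_successor $ZSK1 $ZSK2`) where every `$SETTIME` line on the same lines quotes them as `"$ZSK1"`. Should `keyfile_to_key_id` ever produce an empty string, the function still appends a bare `Predecessor:`/`Successor:` line to the state files, so a guard such as `[ -n "$_id1" ] && [ -n "$_id2" ] || return 1` before the two `echo` lines would surface the failure rather than write a malformed state file.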
@@ -395,9 +407,11 @@ KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$
 KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
 ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
 $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$KSK1" -i 0 "$KSK2" > settime.out.$zone.3 2>&1
 $SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $KSK1 $KSK2
+# Sign zone.
 cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 13 "$KSK1" >> "$infile"
 private_type_record $zone 13 "$KSK2" >> "$infile"
@@ -430,9 +444,11 @@ KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$
 KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
 ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
 $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$KSK1" -i 0 "$KSK2" > settime.out.$zone.3 2>&1
 $SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 "$KSK2" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $KSK1 $KSK2
+# Sign zone.
 cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 13 "$KSK1" >> "$infile"
 private_type_record $zone 13 "$KSK2" >> "$infile"
@@ -456,9 +472,11 @@ KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$
 KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
 ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
 $SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$KSK1" -i 0 "$KSK2" > settime.out.$zone.3 2>&1
 $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $KSK1 $KSK2
+# Sign zone.
 cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
 private_type_record $zone 13 "$KSK1" >> "$infile"
 private_type_record $zone 13 "$KSK2" >> "$infile"
@@ -517,8 +535,10 @@ newtimes="-P ${TpubN1} -A ${TretN} -I ${TretN1}"
 CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
 CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
 $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -S "$CSK1" -i 0 "$CSK2" > settime.out.$zone.3 2>&1
 $SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
 cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
 private_type_record $zone 13 "$CSK1" >> "$infile"
 private_type_record $zone 13 "$CSK2" >> "$infile"
From 8204e31f0ed67229a263bf37cc3b8bb19023dbd2 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 29 Apr 2020 10:01:27 +0200
Subject: [PATCH 05/17] Fix some more test output filenames
After removing dnssec-settime calls that set key rollover relationship, we can adjust the counts in test output filenames. Also fix a couple of more wrong counts in output filenames.
---
 bin/tests/system/kasp/ns3/setup.sh | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 73faa593cd..90b2f1a9b6 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -278,7 +278,7 @@ ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$
 ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
 $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" > settime.out.$zone.3 2>&1
 # Set key rollover relationship.
 key_successor $ZSK1 $ZSK2
 # Sign zone.
@@ -316,7 +316,7 @@ ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$
 ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
 $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $H -k $O $TactN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.4 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.3 2>&1
 # Set key rollover relationship.
 key_successor $ZSK1 $ZSK2
 # Sign zone.
@@ -340,7 +340,7 @@ ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.
 ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
 $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $H -k $U $TretN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.4 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.3 2>&1
 # Set key rollover relationship.
 key_successor $ZSK1 $ZSK2
 # Sign zone.
@@ -407,8 +407,8 @@ KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$
 KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
 ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
 $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
 # Set key rollover relationship.
 key_successor $KSK1 $KSK2
 # Sign zone.
@@ -444,8 +444,8 @@ KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$
 KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
 ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
 $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 "$KSK2" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 "$KSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
 # Set key rollover relationship.
 key_successor $KSK1 $KSK2
 # Sign zone.
@@ -472,8 +472,8 @@ KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$
 KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
 ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
 $SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
 # Set key rollover relationship.
 key_successor $KSK1 $KSK2
 # Sign zone.
@@ -535,7 +535,7 @@ newtimes="-P ${TpubN1} -A ${TretN} -I ${TretN1}"
 CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
 CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
 $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
From 8483f71258cc7273a3b184e75fee7e52eb782a53 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Wed, 29 Apr 2020 10:51:41 +0200
Subject: [PATCH 06/17] Stop keeping track of key parameter count
Stop tracking in the comments the number of key parameters in the kasp system test, it adds nothing beneficial.
---
 bin/tests/system/kasp/tests.sh | 44 +++++++++++++++++-----------------
 1 file changed, 22 insertions(+), 22 deletions(-)
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index 22dd405d41..d9439fd595 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -34,28 +34,28 @@ VIEW2="4xILSZQnuO1UKubXHkYUsvBRPu8="
 ###############################################################################
 # Key properties #
 ###############################################################################
-# ID=0
-# EXPECT=1
-# ROLE=2
-# KSK=3
-# ZSK=4
-# LIFETIME=5
-# ALG_NUM=6
-# ALG_STR=7
-# ALG_LEN=8
-# PUBLISHED=9
-# ACTIVE=10
-# RETIRED=11
-# REVOKED=12
-# REMOVED=13
-# GOAL=14
-# STATE_DNSKEY=15
-# STATE_ZRRSIG=16
-# STATE_KRRSIG=17
-# STATE_DS=18
-# EXPECT_ZRRSIG=19
-# EXPECT_KRRSIG=20
-# LEGACY=21
+# ID
+# EXPECT
+# ROLE
+# KSK
+# ZSK
+# LIFETIME
+# ALG_NUM
+# ALG_STR
+# ALG_LEN
+# PUBLISHED
+# ACTIVE
+# RETIRED
+# REVOKED
+# REMOVED
+# GOAL
+# STATE_DNSKEY
+# STATE_ZRRSIG
+# STATE_KRRSIG
+# STATE_DS
+# EXPECT_ZRRSIG
+# EXPECT_KRRSIG
+# LEGACY
 key_key() {
 echo "${1}__${2}"
From f8e34b57b4955ff83e969e661291cfb6e5130d7b Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Thu, 30 Apr 2020 13:13:12 +0200
Subject: [PATCH 07/17] Start testing keytiming metadata
This commit adds testing keytiming metadata. In order to facilitate this, the kasp system test undergoes a few changes:
1. When finding a key file, rather than only saving the key ID, also save the base filename and creation date with `key_save`. These can be used later to set expected key times.
2. Add a test function `set_addkeytime` that takes a key, which keytiming to update, a datetime in keytiming format, and a number (seconds) to add, and sets the new time in the given keytime parameter of the given key. This is used to set the expected key times.
3. Split `check_keys` in `check_keys` and `check_keytimes`. First we need to find the keyfile before we can check the keytimes. We need to retrieve the creation date (and sometimes other keytimes) to determine the other expected key times.
4. Add helper functions to set the expected key times per policy. This avoids lots of duplication.
Check for keytimes for the first test cases (all that do not cover rollovers).
---
 bin/tests/system/kasp/clean.sh | 1 +
 bin/tests/system/kasp/ns3/setup.sh | 4 +-
 bin/tests/system/kasp/tests.sh | 476 +++++++++++++++++++++++------
 3 files changed, 384 insertions(+), 97 deletions(-)
diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh
index cf2f2452ce..ab48689a30 100644
--- a/bin/tests/system/kasp/clean.sh
+++ b/bin/tests/system/kasp/clean.sh
@@ -23,3 +23,4 @@ rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
 rm -f ns*/managed-keys.bind
 rm -f ns*/*.mkeys
 rm -f ns*/zones* ns*/*.db.infile
+rm -f *.created published.test*
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 90b2f1a9b6..9aec5642ec 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -71,8 +71,8 @@ zone="dnssec-keygen.kasp"
 $KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
 zone="some-keys.kasp"
-$KEYGEN -P none -A none -a RSASHA1 -b 2000 -L 1234 $zone > keygen.out.$zone.1 2>&1
-$KEYGEN -P none -A none -a RSASHA1 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1
+$KEYGEN -G -a RSASHA1 -b 2000 -L 1234 $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -G -a RSASHA1 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1
 zone="legacy.kasp"
 $KEYGEN -a RSASHA1 -b 2000 -L 1234 $zone > keygen.out.$zone.1 2>&1
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index d9439fd595..dd6ef564a8 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -35,6 +35,7 @@ VIEW2="4xILSZQnuO1UKubXHkYUsvBRPu8="
 # Key properties #
 ###############################################################################
 # ID
+# BASEFILE
 # EXPECT
 # ROLE
 # KSK
@@ -43,6 +44,7 @@ VIEW2="4xILSZQnuO1UKubXHkYUsvBRPu8="
 # ALG_NUM
 # ALG_STR
 # ALG_LEN
+# CREATED
 # PUBLISHED
 # ACTIVE
 # RETIRED
@@ -69,11 +71,23 @@ key_set() {
 eval "$(key_key "$1" "$2")='$3'"
 }
+# Save certain values in the KEY array.
+key_save()
+{
+ # Save key id.
+ key_set "$1" ID "$KEY_ID"
+ # Save base filename.
+ key_set "$1" BASEFILE "$BASE_FILE"
+ # Save creation date.
+ key_set "$1" CREATED "${KEY_CREATED}"
+}
 # Clear key state.
 #
 # This will update either the KEY1, KEY2, or KEY3 array.
 key_clear() {
 key_set "$1" "ID" 'no'
+ key_set "$1" "IDPAD" 'no'
 key_set "$1" "EXPECT" 'no'
 key_set "$1" "ROLE" 'none'
 key_set "$1" "KSK" 'no'
@@ -82,7 +96,9 @@ key_clear() {
 key_set "$1" "ALG_NUM" '0'
 key_set "$1" "ALG_STR" 'none'
 key_set "$1" "ALG_LEN" '0'
+ key_set "$1" "CREATED" '0'
 key_set "$1" "PUBLISHED" 'none'
+ key_set "$1" "SYNCPUBLISH" 'none'
 key_set "$1" "ACTIVE" 'none'
 key_set "$1" "RETIRED" 'none'
 key_set "$1" "REVOKED" 'none'
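Review bot: `key_clear` gains `IDPAD`, `CREATED` and `SYNCPUBLISH` resets but not one for `BASEFILE`, even though the new `key_save` stores it; after a clear, the previous key's base filename is still in the array and can leak into later file checks, so add `key_set "$1" "BASEFILE" 'none'` next to the `ID` reset. `IDPAD` is cleared here but, unlike `BASEFILE` and `CREATED`, is not added to the key-properties list in the earlier hunks of this file, so either list it there or drop the entry if nothing reads it. `key_save` takes the key name as `$1` but reads `KEY_ID`, `BASE_FILE` and `KEY_CREATED` from global scope; its header comment should state that, e.g. `# Save certain values in the KEY array. Expects KEY_ID, BASE_FILE and KEY_CREATED to have been set by check_key.`, which matches the updated comment above `check_key` listing `KEY_CREATED` among its outputs.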
@@ -200,16 +216,38 @@ set_zonesigning() { } # Set key timing metadata. Set to "none" to unset. -# These times are hard to test, so it is just an indication that we expect the -# respective timing metadata in the key files. # $1: Key to update (KEY1, KEY2, ...) -# $2: Time to update (PUBLISHED, ACTIVE, RETIRED, REVOKED, or REMOVED). +# $2: Time to update (PUBLISHED, SYNCPUBLISH, ACTIVE, RETIRED, REVOKED, or REMOVED). # $3: Value set_keytime() { key_set "$1" "EXPECT" "yes" key_set "$1" "$2" "$3" } +# Set key timing metadata to a value plus additional time. +# $1: Key to update (KEY1, KEY2, ...) +# $2: Time to update (PUBLISHED, SYNCPUBLISH, ACTIVE, RETIRED, REVOKED, or REMOVED). +# $3: Value +# $4: Additional time. +set_addkeytime() { + # Convert "%Y%m%d%H%M%S" format to epoch seconds. + _date=$(echo "$3" | awk ' + {print substr($1,1,8)}') + _time=$(echo "$3" | awk ' + BEGIN {OFS=":"} + {print substr($1,9,2), substr($1,11,2), substr($1,13,2)}') + + # Add additional time. + _plus=$4 + echo_i "addkey_time: $1 $2 $3 $4: $_date $_time $_plus" + + + _epoch=$(date -u -d "$_date $_time" +"%s") + _epoch=$((_epoch+_plus)) + + key_set "$1" "$2" $(date -u -d @$_epoch +%Y%m%d%H%M%S) +} + # Set key state metadata. Set to "none" to unset. # $1: Key to update (KEY1, KEY2, ...) # $2: Key state to update (GOAL, STATE_DNSKEY, STATE_ZRRSIG, STATE_KRRSIG, or STATE_DS) @@ -228,6 +266,7 @@ set_keystate() { # PRIVATE_FILE="${BASE_FILE}.private" # STATE_FILE="${BASE_FILE}.state" # KEY_ID=$(echo $1 | sed 's/^0\{0,4\}//') +# KEY_CREATED (from the KEY_FILE) check_key() { _dir="$DIR" _zone="$ZONE" 
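Review bot: set_addkeytime relies on `date -u -d "$_date $_time"` and `date -u -d @$_epoch`, which is GNU date syntax; BSD/macOS `date` gives `-d` a different meaning, so the time arithmetic only works if the suite already assumes GNU coreutils, and that assumption is worth a comment on the function. The `echo_i "addkey_time: $1 $2 $3 $4: $_date $_time $_plus"` line between the conversion and the epoch arithmetic reads like leftover debugging output and will presumably print once per expected key time, so it should go or be guarded. The final `key_set "$1" "$2" $(date -u -d @$_epoch +%Y%m%d%H%M%S)` leaves the command substitution unquoted and unchecked; prefer `key_set "$1" "$2" "$(date -u -d "@$_epoch" +%Y%m%d%H%M%S)"` and a log_error when date fails, otherwise the key silently ends up with an empty time. The same unquoted `$(key_get ...)` arguments appear in the @@ -1372 hunk.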
@@ -286,6 +325,15 @@ check_key() { [ "$ret" -eq 0 ] || log_error "${BASE_FILE} files missing" [ "$ret" -eq 0 ] || return + # Retrieve creation date. + grep "; Created:" "$KEY_FILE" > "${ZONE}.${KEY_ID}.${_alg_num}.created" || log_error "mismatch created comment in $KEY_FILE" + KEY_CREATED=$(awk '{print $3}' < "${ZONE}.${KEY_ID}.${_alg_num}.created") + + grep "Created: ${_created}" "$PRIVATE_FILE" > /dev/null || log_error "mismatch created in $PRIVATE_FILE" + if [ "$_legacy" == "no" ]; then + grep "Generated: ${_created}" "$STATE_FILE" > /dev/null || log_error "mismatch generated in $STATE_FILE" + fi + test $_log -eq 1 && echo_i "check key file $BASE_FILE" # Check the public key file. 
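Review bot: The two new greps use `${_created}`, but the value just extracted from the key file is stored in `KEY_CREATED`; unless `_created` is assigned earlier in check_key (outside the hunk), it expands to empty and `grep "Created: "` / `grep "Generated: "` match any timestamp, so the cross-check between the .key, .private and .state files verifies nothing. Use the variable that was just set: `grep "Created: ${KEY_CREATED}" "$PRIVATE_FILE" > /dev/null || ...` and `grep "Generated: ${KEY_CREATED}" "$STATE_FILE" > /dev/null || ...`. The extraction is also not fail-safe: if `grep "; Created:"` finds nothing, log_error runs but awk then reads an empty file and KEY_CREATED becomes empty, and every set_keytime/set_addkeytime built on it later computes from an empty string; an early `[ "$ret" -eq 0 ] || return` after that step, as the function already does for missing files, would stop the cascade. check_key begins and ends outside the hunk.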
@@ -346,82 +394,146 @@ check_key() { grep "DSChange: " "$STATE_FILE" > /dev/null || log_error "mismatch ds change in $STATE_FILE" fi fi +} + +# Check the key timing metadata for key $1. +check_timingmetadata() { + _dir="$DIR" + _zone="$ZONE" + _key_idpad=$(key_get "$1" ID) + _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') + _alg_num=$(key_get "$1" ALG_NUM) + _alg_numpad=$(printf "%03d" "$_alg_num") + + _published=$(key_get "$1" PUBLISHED) + _active=$(key_get "$1" ACTIVE) + _retired=$(key_get "$1" RETIRED) + _revoked=$(key_get "$1" REVOKED) + _removed=$(key_get "$1" REMOVED) + + _goal=$(key_get "$1" GOAL) + _state_dnskey=$(key_get "$1" STATE_DNSKEY) + _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) + _state_krrsig=$(key_get "$1" STATE_KRRSIG) + _state_ds=$(key_get "$1" STATE_DS) + + _base_file=$(key_get "$1" BASEFILE) + _key_file="${_base_file}.key" + _private_file="${_base_file}.private" + _state_file="${_base_file}.state" + + _published=$(key_get "$1" PUBLISHED) + _syncpublish=$(key_get "$1" SYNCPUBLISH) + _active=$(key_get "$1" ACTIVE) + _retired=$(key_get "$1" RETIRED) + _revoked=$(key_get "$1" REVOKED) + _removed=$(key_get "$1" REMOVED) # Check timing metadata. 
+ n=$((n+1)) + echo_i "check key timing metadata for key $1 id ${_key_id} zone ${ZONE} ($n)" + ret=0 + if [ "$_published" = "none" ]; then - grep "; Publish:" "$KEY_FILE" > /dev/null && log_error "unexpected publish comment in $KEY_FILE" - grep "Publish:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected publish in $PRIVATE_FILE" + grep "; Publish:" "${_key_file}" > /dev/null && log_error "unexpected publish comment in ${_key_file}" + grep "Publish:" "${_private_file}" > /dev/null && log_error "unexpected publish in ${_private_file}" if [ "$_legacy" == "no" ]; then - grep "Published: " "$STATE_FILE" > /dev/null && log_error "unexpected publish in $STATE_FILE" + grep "Published: " "${_state_file}" > /dev/null && log_error "unexpected publish in ${_state_file}" fi else - grep "; Publish:" "$KEY_FILE" > /dev/null || log_error "mismatch publish comment in $KEY_FILE" - grep "Publish:" "$PRIVATE_FILE" > /dev/null || log_error "mismatch publish in $PRIVATE_FILE" + grep "; Publish: $_published" "${_key_file}" > /dev/null || log_error "mismatch publish comment in ${_key_file} (expected ${_published})" + grep "Publish: $_published" "${_private_file}" > /dev/null || log_error "mismatch publish in ${_private_file} (expected ${_published})" if [ "$_legacy" == "no" ]; then - grep "Published:" "$STATE_FILE" > /dev/null || log_error "mismatch publish in $STATE_FILE" + grep "Published: $_published" "${_state_file}" > /dev/null || log_error "mismatch publish in ${_state_file} (expected ${_published})" + fi + fi + + if [ "$_syncpublish" = "none" ]; then + grep "; SyncPublish:" "${_key_file}" > /dev/null && log_error "unexpected syncpublish comment in ${_key_file}" + grep "SyncPublish:" "${_private_file}" > /dev/null && log_error "unexpected syncpublish in ${_private_file}" + if [ "$_legacy" == "no" ]; then + grep "PublishCDS: " "${_state_file}" > /dev/null && log_error "unexpected syncpublish in ${_state_file}" + fi + else + grep "; SyncPublish: $_syncpublish" "${_key_file}" > 
/dev/null || log_error "mismatch syncpublish comment in ${_key_file} (expected ${_syncpublish})" + grep "SyncPublish: $_syncpublish" "${_private_file}" > /dev/null || log_error "mismatch syncpublish in ${_private_file} (expected ${_syncpublish})" + if [ "$_legacy" == "no" ]; then + grep "PublishCDS: $_syncpublish" "${_state_file}" > /dev/null || log_error "mismatch syncpublish in ${_state_file} (expected ${_syncpublish})" fi fi if [ "$_active" = "none" ]; then - grep "; Activate:" "$KEY_FILE" > /dev/null && log_error "unexpected active comment in $KEY_FILE" - grep "Activate:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected active in $PRIVATE_FILE" + grep "; Activate:" "${_key_file}" > /dev/null && log_error "unexpected active comment in ${_key_file}" + grep "Activate:" "${_private_file}" > /dev/null && log_error "unexpected active in ${_private_file}" if [ "$_legacy" == "no" ]; then - grep "Active: " "$STATE_FILE" > /dev/null && log_error "unexpected active in $STATE_FILE" + grep "Active: " "${_state_file}" > /dev/null && log_error "unexpected active in ${_state_file}" fi else - grep "; Activate:" "$KEY_FILE" > /dev/null || log_error "mismatch active comment in $KEY_FILE" - grep "Activate:" "$PRIVATE_FILE" > /dev/null || log_error "mismatch active in $PRIVATE_FILE" + grep "; Activate: $_active" "${_key_file}" > /dev/null || log_error "mismatch active comment in ${_key_file} (expected ${_active})" + grep "Activate: $_active" "${_private_file}" > /dev/null || log_error "mismatch active in ${_private_file} (expected ${_active})" if [ "$_legacy" == "no" ]; then - grep "Active: " "$STATE_FILE" > /dev/null || log_error "mismatch active in $STATE_FILE" + grep "Active: $_active" "${_state_file}" > /dev/null || log_error "mismatch active in ${_state_file} (expected ${_active})" fi fi if [ "$_retired" = "none" ]; then - grep "; Inactive:" "$KEY_FILE" > /dev/null && log_error "unexpected retired comment in $KEY_FILE" - grep "Inactive:" "$PRIVATE_FILE" > /dev/null && 
log_error "unexpected retired in $PRIVATE_FILE" + grep "; Inactive:" "${_key_file}" > /dev/null && log_error "unexpected retired comment in ${_key_file}" + grep "Inactive:" "${_private_file}" > /dev/null && log_error "unexpected retired in ${_private_file}" if [ "$_legacy" == "no" ]; then - grep "Retired: " "$STATE_FILE" > /dev/null && log_error "unexpected retired in $STATE_FILE" + grep "Retired: " "${_state_file}" > /dev/null && log_error "unexpected retired in ${_state_file}" fi else - grep "; Inactive:" "$KEY_FILE" > /dev/null || log_error "mismatch retired comment in $KEY_FILE" - grep "Inactive:" "$PRIVATE_FILE" > /dev/null || log_error "mismatch retired in $PRIVATE_FILE" + grep "; Inactive: $_retired" "${_key_file}" > /dev/null || log_error "mismatch retired comment in ${_key_file} (expected ${_retired})" + grep "Inactive: $_retired" "${_private_file}" > /dev/null || log_error "mismatch retired in ${_private_file} (expected ${_retired})" if [ "$_legacy" == "no" ]; then - grep "Retired: " "$STATE_FILE" > /dev/null || log_error "mismatch retired in $STATE_FILE" + grep "Retired: $_retired" "${_state_file}" > /dev/null || log_error "mismatch retired in ${_state_file} (expected ${_retired})" fi fi if [ "$_revoked" = "none" ]; then - grep "; Revoke:" "$KEY_FILE" > /dev/null && log_error "unexpected revoked comment in $KEY_FILE" - grep "Revoke:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected revoked in $PRIVATE_FILE" + grep "; Revoke:" "${_key_file}" > /dev/null && log_error "unexpected revoked comment in ${_key_file}" + grep "Revoke:" "${_private_file}" > /dev/null && log_error "unexpected revoked in ${_private_file}" if [ "$_legacy" == "no" ]; then - grep "Revoked: " "$STATE_FILE" > /dev/null && log_error "unexpected revoked in $STATE_FILE" + grep "Revoked: " "${_state_file}" > /dev/null && log_error "unexpected revoked in ${_state_file}" fi else - grep "; Revoke:" "$KEY_FILE" > /dev/null || log_error "mismatch revoked comment in $KEY_FILE" - grep "Revoke:" 
"$PRIVATE_FILE" > /dev/null || log_error "mismatch revoked in $PRIVATE_FILE" + grep "; Revoke: $_revoked" "${_key_file}" > /dev/null || log_error "mismatch revoked comment in ${_key_file} (expected ${_revoked})" + grep "Revoke: $_revoked" "${_private_file}" > /dev/null || log_error "mismatch revoked in ${_private_file} (expected ${_revoked})" if [ "$_legacy" == "no" ]; then - grep "Revoked: " "$STATE_FILE" > /dev/null || log_error "mismatch revoked in $STATE_FILE" + grep "Revoked: $_revoked" "${_state_file}" > /dev/null || log_error "mismatch revoked in ${_state_file} (expected ${_revoked})" fi fi if [ "$_removed" = "none" ]; then - grep "; Delete:" "$KEY_FILE" > /dev/null && log_error "unexpected removed comment in $KEY_FILE" - grep "Delete:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected removed in $PRIVATE_FILE" + grep "; Delete:" "${_key_file}" > /dev/null && log_error "unexpected removed comment in ${_key_file}" + grep "Delete:" "${_private_file}" > /dev/null && log_error "unexpected removed in ${_private_file}" if [ "$_legacy" == "no" ]; then - grep "Removed: " "$STATE_FILE" > /dev/null && log_error "unexpected removed in $STATE_FILE" + grep "Removed: " "${_state_file}" > /dev/null && log_error "unexpected removed in ${_state_file}" fi else - grep "; Delete:" "$KEY_FILE" > /dev/null || log_error "mismatch removed comment in $KEY_FILE" - grep "Delete:" "$PRIVATE_FILE" > /dev/null || log_error "mismatch removed in $PRIVATE_FILE" + grep "; Delete: $_removed" "${_key_file}" > /dev/null || log_error "mismatch removed comment in ${_key_file} (expected ${_removed})" + grep "Delete: $_removed" "${_private_file}" > /dev/null || log_error "mismatch removed in ${_private_file} (expected ${_removed})" if [ "$_legacy" == "no" ]; then - grep "Removed: " "$STATE_FILE" > /dev/null || log_error "mismatch removed in $STATE_FILE" + grep "Removed: $_removed" "${_state_file}" > /dev/null || log_error "mismatch removed in ${_state_file} (expected ${_removed})" fi fi - grep 
"; Created:" "$KEY_FILE" > /dev/null || log_error "mismatch created comment in $KEY_FILE" - grep "Created:" "$PRIVATE_FILE" > /dev/null || log_error "mismatch created in $PRIVATE_FILE" - if [ "$_legacy" == "no" ]; then - grep "Generated: " "$STATE_FILE" > /dev/null || log_error "mismatch generated in $STATE_FILE" + test "$ret" -eq 0 || echo_i "failed" + status=$((status+ret)) +} + +check_keytimes() { + if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY1" + fi + if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY2" + fi + if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY3" + fi + if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY4" fi } @@ -598,12 +710,14 @@ key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" -$KEYGEN -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 +$KEYGEN -G -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 lines=$(wc -l < "keygen.out.$POLICY.test$n") test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy default: $lines" ids=$(get_keyids "$DIR" "$ZONE") for id in $ids; do check_key "KEY1" "$id" + test "$ret" -eq 0 && key_save KEY1 + check_keytimes done test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) 
@@ -632,13 +746,15 @@ ret=0 cp "$STATE_FILE" "$CMP_FILE" now=$(date +%Y%m%d%H%M%S) $SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keytime "KEY1" "PUBLISHED" "yes" set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" set_keystate "KEY1" "STATE_DS" "hidden" check_key "KEY1" "$id" +test "$ret" -eq 0 && key_save KEY1 +set_keytime "KEY1" "PUBLISHED" "${now}" +check_keytimes test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -647,13 +763,15 @@ echo_i "check that 'dnssec-settime -s' also unsets publish time metadata and sta ret=0 cp "$STATE_FILE" "$CMP_FILE" $SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keytime "KEY1" "PUBLISHED" "none" set_keystate "KEY1" "GOAL" "none" set_keystate "KEY1" "STATE_DNSKEY" "none" set_keystate "KEY1" "STATE_KRRSIG" "none" set_keystate "KEY1" "STATE_ZRRSIG" "none" set_keystate "KEY1" "STATE_DS" "none" check_key "KEY1" "$id" +test "$ret" -eq 0 && key_save KEY1 +set_keytime "KEY1" "PUBLISHED" "none" +check_keytimes test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) 
@@ -663,13 +781,15 @@ ret=0 cp "$STATE_FILE" "$CMP_FILE" now=$(date +%Y%m%d%H%M%S) $SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keytime "KEY1" "ACTIVE" "yes" set_keystate "KEY1" "GOAL" "hidden" set_keystate "KEY1" "STATE_DNSKEY" "unretentive" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" set_keystate "KEY1" "STATE_DS" "omnipresent" check_key "KEY1" "$id" +test "$ret" -eq 0 && key_save KEY1 +set_keytime "KEY1" "ACTIVE" "${now}" +check_keytimes test "$ret" -eq 0 || echo_i "failed" status=$((status+ret)) @@ -724,9 +844,7 @@ check_keys() echo_i "check keys are created for zone ${ZONE} ($n)" ret=0 - n=$((n+1)) echo_i "check number of keys for zone ${ZONE} in dir ${DIR} ($n)" - ret=0 _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l) test "$_numkeys" -eq "$NUM_KEYS" || log_error "bad number ($_numkeys) of key files for zone $ZONE (expected $NUM_KEYS)" test "$ret" -eq 0 || echo_i "failed" 
@@ -751,22 +869,22 @@ check_keys() if [ "no" = "$(key_get KEY1 ID)" ] && [ "$(key_get KEY1 EXPECT)" = "yes" ]; then ret=0 check_key "KEY1" "$_id" - test "$ret" -eq 0 && key_set KEY1 "ID" "$KEY_ID" && continue + test "$ret" -eq 0 && key_save KEY1 && continue fi if [ "no" = "$(key_get KEY2 ID)" ] && [ "$(key_get KEY2 EXPECT)" = "yes" ]; then ret=0 check_key "KEY2" "$_id" - test "$ret" -eq 0 && key_set KEY2 "ID" "$KEY_ID" && continue + test "$ret" -eq 0 && key_save KEY2 && continue fi if [ "no" = "$(key_get KEY3 ID)" ] && [ "$(key_get KEY3 EXPECT)" = "yes" ]; then ret=0 check_key "KEY3" "$_id" - test "$ret" -eq 0 && key_set KEY3 "ID" "$KEY_ID" && continue + test "$ret" -eq 0 && key_save KEY3 && continue fi if [ "no" = "$(key_get KEY4 ID)" ] && [ "$(key_get KEY4 EXPECT)" = "yes" ]; then ret=0 check_key "KEY4" "$_id" - test "$ret" -eq 0 && key_set KEY4 "ID" "$KEY_ID" && continue + test "$ret" -eq 0 && key_save KEY4 && continue fi # This may be an unused key. Assume algorithm of KEY1. @@ -1018,6 +1136,18 @@ check_subdomain() { # # Zone: default.kasp. # +set_keytimes_csk_policy() { + # The first key is immediately published and activated. + created=$(key_get KEY1 CREATED) + set_keytime "KEY1" "PUBLISHED" "${created}" + set_keytime "KEY1" "ACTIVE" "${created}" + # The DS can be published if the DNSKEY and RRSIG records are + # OMNIPRESENT. This happens after max-zone-ttl (1d) plus + # publish-safety (1h) plus zone-propagation-delay (300s) = + # 86400 + 3600 + 300 = 90300. + set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300 + # Key lifetime is unlimited, so not setting RETIRED and REMOVED. +} # Check the zone with default kasp policy has loaded and is signed. set_zone "default.kasp" 
@@ -1029,10 +1159,6 @@ set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" - -# The first key is immediately published and activated. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" @@ -1041,6 +1167,8 @@ set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" set_keystate "KEY1" "STATE_DS" "hidden" check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1080,6 +1208,8 @@ set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1110,6 +1240,8 @@ set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify 
@@ -1135,10 +1267,85 @@ set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify +# Set keytimes for dnssec-policy with various algorithms. +# These all use the same time values. +set_keytimes_algorithm_policy() { + # The first KSK is immediately published and activated. + created=$(key_get KEY1 CREATED) + set_keytime "KEY1" "PUBLISHED" "${created}" + set_keytime "KEY1" "ACTIVE" "${created}" + # Key was pregenerated. + if [ "$1" == "pregenerated" ]; then + keyfile=$(key_get KEY1 BASEFILE) + grep "; Publish:" "${keyfile}.key" > published.test${n}.key1 + published=$(awk '{print $3}' < published.test${n}.key1) + set_keytime "KEY1" "PUBLISHED" "${published}" + set_keytime "KEY1" "ACTIVE" "${published}" + fi + published=$(key_get KEY1 PUBLISHED) + + # The DS can be published if the DNSKEY and RRSIG records are + # OMNIPRESENT. This happens after max-zone-ttl (1d) plus + # publish-safety (1h) plus zone-propagation-delay (300s) = + # 86400 + 3600 + 300 = 90300. + set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300 + # Key lifetime is 10 years, 315360000 seconds. + set_addkeytime "KEY1" "RETIRED" "${published}" 315360000 + # The key is removed after the retire time plus DS TTL (1d), parent + # registration delay (1d), parent propagation delay (1h), + # and retire safety (1h) = 86400 + 86400 + 3600 + 3600 = 180000. + retired=$(key_get KEY1 RETIRED) + set_addkeytime "KEY1" "REMOVED" "${retired}" 180000 + + # The first ZSKs are immediately published and activated. + created=$(key_get KEY2 CREATED) + set_keytime "KEY2" "PUBLISHED" "${created}" + set_keytime "KEY2" "ACTIVE" "${created}" + # Key was pregenerated. 
+ if [ "$1" == "pregenerated" ]; then + keyfile=$(key_get KEY2 BASEFILE) + grep "; Publish:" "${keyfile}.key" > published.test${n}.key2 + published=$(awk '{print $3}' < published.test${n}.key2) + set_keytime "KEY2" "PUBLISHED" "${published}" + set_keytime "KEY2" "ACTIVE" "${published}" + fi + published=$(key_get KEY2 PUBLISHED) + + # Key lifetime for KSK2 is 5 years, 157680000 seconds. + set_addkeytime "KEY2" "RETIRED" "${published}" 157680000 + # The key is removed after the retire time plus max zone ttl (1d), zone + # propagation delay (300s), retire safety (1h), and sign delay + # (signature validity minus refresh, 9d) = + # 86400 + 300 + 3600 + 777600 = 867900. + retired=$(key_get KEY2 RETIRED) + set_addkeytime "KEY2" "REMOVED" "${retired}" 867900 + + # Second ZSK (KEY3). + created=$(key_get KEY3 CREATED) + set_keytime "KEY3" "PUBLISHED" "${published}" + set_keytime "KEY3" "ACTIVE" "${published}" + # Key was pregenerated. + if [ "$1" == "pregenerated" ]; then + keyfile=$(key_get KEY3 BASEFILE) + grep "; Publish:" "${keyfile}.key" > published.test${n}.key3 + published=$(awk '{print $3}' < published.test${n}.key3) + set_keytime "KEY3" "PUBLISHED" "${published}" + set_keytime "KEY3" "ACTIVE" "${published}" + fi + published=$(key_get KEY3 PUBLISHED) + + # Key lifetime for KSK3 is 1 year, 31536000 seconds. + set_addkeytime "KEY3" "RETIRED" "${published}" 31536000 + retired=$(key_get KEY3 RETIRED) + set_addkeytime "KEY3" "REMOVED" "${retired}" 867900 +} + # # Zone: rsasha1.kasp. # 
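Review bot: In the KEY3 section of set_keytimes_algorithm_policy the freshly read `created=$(key_get KEY3 CREATED)` is never used: the next two lines set KEY3's PUBLISHED and ACTIVE from `${published}`, which at that point still holds KEY2's publish time, so a KEY3 generated one second later than KEY2 would fail check_keytimes. Presumably these should be `set_keytime "KEY3" "PUBLISHED" "${created}"` and `set_keytime "KEY3" "ACTIVE" "${created}"`, matching the KEY1 and KEY2 sections. The comments `# Key lifetime for KSK2 is 5 years` and `# Key lifetime for KSK3 is 1 year` describe ZSKs (the section header calls them ZSKs and the rsasha1 block sets set_keysigning "no" / set_zonesigning "yes" for them); the same mislabel, `# Key lifetime for KSK2 is 1 year`, appears in set_keytimes_autosign_policy in the @@ -1506 hunk.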
@@ -1166,19 +1373,7 @@ set_keylifetime "KEY3" "31536000" set_keyalgorithm "KEY3" "5" "RSASHA1" "2000" set_keysigning "KEY3" "no" set_zonesigning "KEY3" "yes" -# The first keys are immediately published and activated. -# Because lifetime > 0, retired timing is also set. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "yes" -set_keytime "KEY2" "PUBLISHED" "yes" -set_keytime "KEY2" "ACTIVE" "yes" -set_keytime "KEY2" "RETIRED" "yes" - -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" -set_keytime "KEY3" "RETIRED" "yes" # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. # ZSK: DNSKEY, RRSIG (zsk) published. set_keystate "KEY1" "GOAL" "omnipresent" @@ -1197,6 +1392,8 @@ set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" key_clear "KEY4" check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1229,10 +1426,6 @@ set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" -# The first key is immediately published and activated. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "none" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" @@ -1241,6 +1434,8 @@ set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" set_keystate "KEY1" "STATE_DS" "hidden" check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify 
@@ -1273,19 +1468,6 @@ set_keylifetime "KEY3" "31536000" set_keyalgorithm "KEY3" "5" "RSASHA1" "2000" set_keysigning "KEY3" "no" set_zonesigning "KEY3" "yes" -# The first keys are immediately published and activated. -# Because lifetime > 0, retired timing is also set. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "yes" - -set_keytime "KEY2" "PUBLISHED" "yes" -set_keytime "KEY2" "ACTIVE" "yes" -set_keytime "KEY2" "RETIRED" "yes" - -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" -set_keytime "KEY3" "RETIRED" "yes" # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. # ZSK: DNSKEY, RRSIG (zsk) published. set_keystate "KEY1" "GOAL" "omnipresent" @@ -1304,6 +1486,8 @@ set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" key_clear "KEY4" check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1317,6 +1501,8 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1330,6 +1516,8 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_algorithm_policy "pregenerated" +check_keytimes check_apex check_subdomain dnssec_verify @@ -1343,6 +1531,8 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1358,6 +1548,8 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_algorithm_policy "pregenerated" +check_keytimes check_apex check_subdomain dnssec_verify 
@@ -1372,6 +1564,18 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_algorithm_policy +# Activation date is a day later. +set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400 +set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400 +set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400 +set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400 +set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400 +set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400 +set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400 +set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400 +set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400 +check_keytimes check_apex check_subdomain dnssec_verify @@ -1385,6 +1589,8 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1438,6 +1644,8 @@ set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000" # Key timings and states same as above. check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1455,6 +1663,8 @@ set_keyalgorithm "KEY3" "8" "RSASHA256" "2000" # Key timings and states same as above. check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1472,6 +1682,8 @@ set_keyalgorithm "KEY3" "10" "RSASHA512" "2000" # Key timings and states same as above. check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1489,6 +1701,8 @@ set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" # Key timings and states same as above. check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify 
@@ -1506,12 +1720,47 @@ set_keyalgorithm "KEY3" "14" "ECDSAP384SHA384" "384" # Key timings and states same as above. check_keys +set_keytimes_algorithm_policy +check_keytimes check_apex check_subdomain dnssec_verify # TODO: ED25519 and ED448. +# Set key times for 'autosign' policy. +set_keytimes_autosign_policy() { + # The KSK was published six months ago (with settime). + created=$(key_get KEY1 CREATED) + set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000 + set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000 + set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000 + # Key lifetime is 2 years, 63072000 seconds. + active=$(key_get KEY1 ACTIVE) + set_addkeytime "KEY1" "RETIRED" "${active}" 63072000 + # The key is removed after the retire time plus DS TTL (1d), parent + # registration delay (1d), propagation delay (1h), retire safety (1h) = + # 86400 + 86400 + 3600 + 3600 = 180000 + retired=$(key_get KEY1 RETIRED) + set_addkeytime "KEY1" "REMOVED" "${retired}" 180000 + + # The ZSK was published six months ago (with settime). + created=$(key_get KEY2 CREATED) + set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000 + set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000 + # Key lifetime for KSK2 is 1 year, 31536000 seconds. + active=$(key_get KEY2 ACTIVE) + set_addkeytime "KEY2" "RETIRED" "${active}" 31536000 + # The key is removed after the retire time plus: + # TTLsig (RRSIG TTL): 1 day (86400 seconds) + # Dprp (propagation delay): 5 minutes (300 seconds) + # retire-safety: 1 hour (3600 seconds) + # Dsgn (sign delay): 7 days (604800 seconds) + # Iret: 695100 seconds. + retired=$(key_get KEY2 RETIRED) + set_addkeytime "KEY2" "REMOVED" "${retired}" 695100 +} + # # Zone: expired-sigs.autosign. # 
@@ -1532,14 +1781,7 @@ set_keylifetime "KEY2" "31536000" set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY2" "no" set_zonesigning "KEY2" "yes" -# Key timings. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "yes" -set_keytime "KEY2" "PUBLISHED" "yes" -set_keytime "KEY2" "ACTIVE" "yes" -set_keytime "KEY2" "RETIRED" "yes" # Both KSK and ZSK stay OMNIPRESENT. set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" @@ -1554,6 +1796,8 @@ key_clear "KEY3" key_clear "KEY4" check_keys +set_keytimes_autosign_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1609,6 +1853,8 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_autosign_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1664,6 +1910,8 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys +set_keytimes_autosign_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1690,10 +1938,6 @@ set_keylifetime "KEY3" "31536000" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY3" "no" set_zonesigning "KEY3" "no" -# Key timings. -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" -set_keytime "KEY3" "RETIRED" "yes" # The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK # is active. set_keystate "KEY2" "GOAL" "hidden" 
@@ -1706,6 +1950,30 @@ set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_ZRRSIG" "hidden" check_keys +set_keytimes_autosign_policy + +# The old ZSK is retired. +created=$(key_get KEY2 CREATED) +set_keytime "KEY2" "RETIRED" "${created}" +set_addkeytime "KEY2" "REMOVED" "${created}" 695100 +# The new ZSK is immediately published. +created=$(key_get KEY3 CREATED) +set_keytime "KEY3" "PUBLISHED" "${created}" +# And becomes active after Ipub: +# DNSKEY TTL: 300 seconds +# zone-propagation-delay 5 minutes (300 seconds) +# publish-safety: 1 hour (3600 seconds) +# Ipub: 4200 seconds +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "ACTIVE" "${published}" 4200 +# Lzsk: 1 year (31536000 seconds) +active=$(key_get KEY3 ACTIVE) +set_addkeytime "KEY3" "RETIRED" "${active}" 31536000 +# Iret: 695100 seconds. +retired=$(key_get KEY3 RETIRED) +set_addkeytime "KEY3" "REMOVED" "${retired}" 695100 + +check_keytimes check_apex check_subdomain dnssec_verify @@ -1823,10 +2091,6 @@ set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "none" - set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" @@ -1838,6 +2102,8 @@ set_policy "default" "1" "3600" set_server "ns2" "10.53.0.2" TSIG="" check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1847,6 +2113,8 @@ set_policy "default" "1" "3600" set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:sha1:$SHA1" check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1856,6 +2124,8 @@ set_policy "default" "1" "3600" set_server "ns4" "10.53.0.4" TSIG="hmac-sha224:sha224:$SHA224" check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify 
@@ -1865,6 +2135,8 @@ set_policy "default" "1" "3600" set_server "ns5" "10.53.0.5" TSIG="hmac-sha1:sha1:$SHA1" check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1874,6 +2146,8 @@ set_policy "default" "1" "3600" set_server "ns5" "10.53.0.5" TSIG="hmac-sha224:sha224:$SHA224" check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1897,6 +2171,8 @@ set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:sha1:$SHA1" wait_for_nsec check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1907,6 +2183,8 @@ set_server "ns4" "10.53.0.4" TSIG="hmac-sha224:sha224:$SHA224" wait_for_nsec check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1917,6 +2195,8 @@ set_server "ns4" "10.53.0.4" TSIG="hmac-sha256:sha256:$SHA256" wait_for_nsec check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1927,6 +2207,8 @@ set_server "ns5" "10.53.0.5" TSIG="hmac-sha224:sha224:$SHA224" wait_for_nsec check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1937,6 +2219,8 @@ set_server "ns5" "10.53.0.5" TSIG="hmac-sha256:sha256:$SHA256" wait_for_nsec check_keys +set_keytimes_csk_policy +check_keytimes check_apex check_subdomain dnssec_verify @@ -1946,6 +2230,8 @@ set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:keyforview1:$VIEW1" wait_for_nsec check_keys +set_keytimes_csk_policy +check_keytimes check_apex dnssec_verify n=$((n+1)) From 30cb5c97c2362776c93fb5eab15ef4ab3c592a11 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Thu, 30 Apr 2020 13:22:23 +0200 Subject: [PATCH 08/17] Set SyncPublish on keys Set the SyncPublish metadata on keys that don't have them yet. --- lib/dns/keymgr.c | 75 ++++++++++++++++++++++++++++++++++-------------- 1 file changed, 54 insertions(+), 21 deletions(-) 
diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c
index d749650085..83cc25602a 100644
--- a/lib/dns/keymgr.c
+++ b/lib/dns/keymgr.c
@@ -170,9 +170,10 @@ keymgr_settime_syncpublish(dns_dnsseckey_t *key, dns_kasp_t *kasp, bool first) {
 * This function can have side effects:
 * 1. If there is no active time set, which would be super weird, set it now.
 * 2. If there is no published time set, also super weird, set it now.
- * 3. If the lifetime is not set, it will be set now.
- * 4. If there should be a retire time and it is not set, it will be set now.
- * 5. The removed time is adjusted accordingly.
+ * 3. If there is no syncpublished time set, set it now.
+ * 4. If the lifetime is not set, it will be set now.
+ * 5. If there should be a retire time and it is not set, it will be set now.
+ * 6. The removed time is adjusted accordingly.
 *
 * This returns when the successor key needs to be published in the zone.
 * A special value of 0 means there is no need for a successor.
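Review bot: Item 3, `If there is no syncpublished time set, set it now.`, overstates what the implementation in the following hunk does: the SyncPublish time is only computed inside the `dst_key_getbool(key->key, DST_BOOL_KSK, &ksk)` branch, so ZSKs never get one here, and it is set to a value derived from the publish time (publish plus the prepublication interval, or plus the zone-signing interval when there is no predecessor), not to `now`. Suggest ` * 3. For a KSK with no syncpublish time set, one is derived from the publish time and stored.` so the side-effect list matches the code it documents. The function body itself is outside this hunk.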
@@ -189,34 +190,66 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 REQUIRE(key->key != NULL);
 
 active = 0;
+ pub = 0;
 retire = 0;
+
+ /*
+ * An active key must have publish and activate timing
+ * metadata.
+ */
+ ret = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
+ if (ret != ISC_R_SUCCESS) {
+ /* Super weird, but if it happens, set it to now. */
+ dst_key_settime(key->key, DST_TIME_ACTIVATE, now);
+ active = now;
+ }
+ ret = dst_key_gettime(key->key, DST_TIME_PUBLISH, &pub);
+ if (ret != ISC_R_SUCCESS) {
+ /* Super weird, but if it happens, set it to now. */
+ dst_key_settime(key->key, DST_TIME_PUBLISH, now);
+ pub = now;
+ }
+
+ /*
+ * Calculate prepublication time.
+ */
 prepub = dst_key_getttl(key->key) + dns_kasp_publishsafety(kasp) +
 dns_kasp_zonepropagationdelay(kasp);
 ret = dst_key_getbool(key->key, DST_BOOL_KSK, &ksk);
 if (ret == ISC_R_SUCCESS && ksk) {
- /* Add registration delay to the prepublication time. */
- prepub += dns_kasp_parentregistrationdelay(kasp);
+ isc_stdtime_t syncpub;
+
+ /*
+ * Set PublishCDS if not set.
+ */
+ ret = dst_key_gettime(key->key, DST_TIME_SYNCPUBLISH, &syncpub);
+ if (ret != ISC_R_SUCCESS) {
+ uint32_t tag;
+ isc_stdtime_t syncpub1, syncpub2;
+
+ syncpub1 = pub + prepub;
+ syncpub2 = 0;
+ ret = dst_key_getnum(key->key, DST_NUM_PREDECESSOR,
+ &tag);
+ if (ret != ISC_R_SUCCESS) {
+ /*
+ * No predecessor, wait for zone to be
+ * completely signed.
+ */
+ syncpub2 = pub + dns_kasp_zonemaxttl(kasp) +
+ dns_kasp_publishsafety(kasp) +
+ dns_kasp_zonepropagationdelay(kasp);
+ }
+
+ syncpub = syncpub1 > syncpub2 ? syncpub1 : syncpub2;
+ dst_key_settime(key->key, DST_TIME_SYNCPUBLISH,
+ syncpub);
+ }
 }
 
 ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
 if (ret != ISC_R_SUCCESS) {
 uint32_t klifetime = 0;
 
- /*
- * An active key must have publish and activate timing
- * metadata.
- */
- ret = dst_key_gettime(key->key, DST_TIME_ACTIVATE, &active);
- if (ret != ISC_R_SUCCESS) {
- /* Super weird, but if it happens, set it to now. */
- dst_key_settime(key->key, DST_TIME_ACTIVATE, now);
- active = now;
- }
- ret = dst_key_gettime(key->key, DST_TIME_PUBLISH, &pub);
- if (ret != ISC_R_SUCCESS) {
- /* Super weird, but if it happens, set it to now. */
- dst_key_settime(key->key, DST_TIME_PUBLISH, now);
- pub = now;
- }
 ret = dst_key_getnum(key->key, DST_NUM_LIFETIME, &klifetime);
 if (ret != ISC_R_SUCCESS) {
From cf51c87fadc7182a96b1b1d5870a7a2fc2a2513b Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Thu, 30 Apr 2020 13:48:07 +0200
Subject: [PATCH 09/17] Test keytimes on enable-dnssec case

This improves keytime testing for enabling DNSSEC. It now tests for specific times, and also tests for SyncPublish.
---
 bin/tests/system/kasp/ns3/setup.sh | 38 ++++++++++++++++++++------
 bin/tests/system/kasp/tests.sh | 44 ++++++++++++++++++++++++++++--
 2 files changed, 70 insertions(+), 12 deletions(-)

diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 9aec5642ec..fc8ca76354 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
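Review bot: The sum under `No predecessor, wait for zone to be completely signed.` is not explained by that comment: zonemaxttl plus zonepropagationdelay describes the zone's RRSIGs becoming omnipresent, but why publish-safety is the margin added on top (rather than a signing- or retire-related one) is not stated, and anyone checking this against a policy will want it spelled out, e.g. `/* No predecessor: the DS can be submitted once every RRSIG is omnipresent (max-zone-ttl + zone-propagation-delay), plus the publish-safety margin. */`. The `tag` filled by dst_key_getnum() is only a presence probe for DST_NUM_PREDECESSOR and is never read; a short comment to that effect, `/* value unused, only checking for a predecessor */`, saves the reader a search. Also worth a one-line comment at the new `active = now;` / `pub = now;` assignments is that they now run on every call, not only when no retire time is set as in the removed code, since that widening is easy to miss; keymgr_prepublication_time continues past the end of the hunk.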
@@ -183,8 +183,18 @@ cp template.db.in $zonefile
 # Step 2:
 # The DNSKEY has been published long enough to become OMNIPRESENT.
 setup step2.enable-dnssec.autosign
+# DNSKEY TTL: 300 seconds
+# zone-propagation-delay: 5 minutes (300 seconds)
+# publish-safety: 5 minutes (300 seconds)
+# Total: 900 seconds
 TpubN="now-900s"
-keytimes="-P ${TpubN} -A ${TpubN}"
+# RRSIG TTL: 12 hour (43200 seconds)
+# zone-propagation-delay: 5 minutes (300 seconds)
+# retire-safety: 20 minutes (1200 seconds)
+# Already passed time: -900 seconds
+# Total: 43800 seconds
+TsbmN="now+43800s"
+keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
 CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
 $SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
@@ -194,11 +204,15 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si
 # Step 3:
 # The zone signatures have been published long enough to become OMNIPRESENT.
 setup step3.enable-dnssec.autosign
+# Passed time since publications: 43800 + 900 = 44700 seconds.
 TpubN="now-44700s"
-TactN="now-43800s"
-keytimes="-P ${TpubN} -A ${TpubN}"
+# The key is secure for using in chain of trust when the DNSKEY is OMNIPRESENT.
+TcotN="now-43800s"
+# We can submit the DS now.
+TsbmN="now"
+keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
 CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone 13 "$CSK" >> "$infile"
 $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
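Review bot: The derivation behind `TsbmN="now+43800s"` does not match how keymgr_prepublication_time() in lib/dns/keymgr.c fills in a missing SyncPublish time (publish time + max-zone-ttl + publish-safety + zone-propagation-delay, i.e. Tpub + 43800 s): with TpubN 900 s in the past that formula gives now+42900s, while the comment here reaches 43800 through `retire-safety: 20 minutes (1200 seconds)` and an `Already passed time: -900 seconds` correction, so the two agree only by coincidence of the numbers. If the intent is for the settime-prepared steps to look like what keymgr would have written, the value should be now+42900s and the comment should list the publish-safety formula; if it models something else, the comment should say which interval that is. The tests.sh step-2 expectation added in this commit (`set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800` with PUBLISHED at created-900) inherits the same 900 s offset while quoting the publish-safety formula, so the two should be fixed together. `# RRSIG TTL: 12 hour` would also read better as `# max-zone-ttl: 12 hours`, the name the tests.sh comments use.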
@@ -206,14 +220,20 @@ setup step3.enable-dnssec.autosign
 
 # Step 4:
 # The DS has been submitted long enough ago to become OMNIPRESENT.
-# Add 27 hour plus retire safety of 20 minutes (98400 seconds) to the times.
 setup step4.enable-dnssec.autosign
+# DS TTL: 1 day (86400 seconds)
+# parent-registration-delay: 1 day (86400 seconds)
+# parent-propagation-delay: 1 hour (3600 seconds)
+# retire-safety: 20 minutes (1200 seconds)
+# Total aditional time: 98400 seconds
+# 44700 + 98400 = 143100
 TpubN="now-143100s"
-TactN="now-142200s"
-TomnN="now-98400s"
-keytimes="-P ${TpubN} -A ${TpubN}"
+# 43800 + 98400 = 142200
+TcotN="now-142200s"
+TsbmN="now-98400s"
+keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
 CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $R $TomnN -z $O $TomnN "$CSK" > settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone 13 "$CSK" >> "$infile"
 $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index dd6ef564a8..ab1e5c58e6 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -2281,9 +2281,6 @@ set_keylifetime "KEY1" "0"
 set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
 set_keysigning "KEY1" "yes"
 set_zonesigning "KEY1" "yes"
-# Key timings.
-set_keytime "KEY1" "PUBLISHED" "yes"
-set_keytime "KEY1" "ACTIVE" "yes"
 # The DNSKEY and signatures are introduced first, the DS remains hidden.
 set_keystate "KEY1" "GOAL" "omnipresent"
 set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
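Review bot: `# Total aditional time: 98400 seconds` in the step-4 block has a typo; `# Total additional time: 98400 seconds`. The itemized breakdown above it (DS TTL, parent-registration-delay, parent-propagation-delay, retire-safety) is what makes the figure checkable, so it is worth keeping that line readable.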
@@ -2296,6 +2293,20 @@ key_clear "KEY3" key_clear "KEY4" check_keys + +# The first key is immediately published and activated. +created=$(key_get KEY1 CREATED) +set_keytime "KEY1" "PUBLISHED" "${created}" +set_keytime "KEY1" "ACTIVE" "${created}" +# The DS can be published if the DNSKEY and RRSIG records are +# OMNIPRESENT. This happens after max-zone-ttl (12h) plus +# publish-safety (5m) plus zone-propagation-delay (5m) = +# 43200 + 300 + 300 = 43800. +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 +# Key lifetime is unlimited, so not setting RETIRED and REMOVED. + +check_keytimes + check_apex check_subdomain dnssec_verify @@ -2339,6 +2350,15 @@ set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" check_keys + +# The key was published and activated 900 seconds ago (with settime). +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 + +check_keytimes + check_apex check_subdomain dnssec_verify @@ -2359,6 +2379,15 @@ set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" set_keystate "KEY1" "STATE_DS" "rumoured" check_keys + +# The key was published and activated 44700 seconds ago (with settime). +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700 +set_addkeytime "KEY1" "ACTIVE" "${created}" -44700 +set_keytime "KEY1" "SYNCPUBLISH" "${created}" + +check_keytimes + check_apex check_subdomain dnssec_verify @@ -2378,6 +2407,15 @@ set_server "ns3" "10.53.0.3" set_keystate "KEY1" "STATE_DS" "omnipresent" check_keys + +# The key was published and activated 143100 seconds ago (with settime). +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -143100 +set_addkeytime "KEY1" "ACTIVE" "${created}" -143100 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -98400 + +check_keytimes + check_apex check_subdomain dnssec_verify 
From e01fcbbaf8121106be79b6b9073c228af8d51b2d Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Fri, 1 May 2020 13:43:52 +0200 Subject: [PATCH 10/17] Test keytimes on ZSK rollover This improves keytime testing on ZSK rollover. It now tests for specific times, and also tests for SyncPublish and Removed keytimes. --- bin/tests/system/kasp/ns3/setup.sh | 151 ++++++++++++++++++++++------- bin/tests/system/kasp/tests.sh | 115 ++++++++++++++++++---- 2 files changed, 212 insertions(+), 54 deletions(-) diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index fc8ca76354..ae02b73aa5 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh @@ -248,7 +248,7 @@ setup step3.enable-dnssec.autosign # Introduce the first key. This will immediately be active. setup step1.zsk-prepub.autosign TactN="now" -ksktimes="-P ${TactN} -A ${TactN}" +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN}" KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) 
@@ -262,12 +262,31 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 2: # It is time to pre-publish the successor ZSK. setup step2.zsk-prepub.autosign -# According to RFC 7583: Tpub(N+1) <= Tact(N) + Lzsk - Ipub -# Also: Ipub = Dprp + TTLkey (+publish-safety) -# so: Tact(N) = Tpub(N+1) + Ipub - Lzsk = now + (1d2h) - 30d = -# now + 26h - 30d = now − 694h +# According to RFC 7583: +# Tpub(N+1) <= Tact(N) + Lzsk - Ipub +# Ipub = Dprp + TTLkey (+publish-safety) +# +# |3| |4| |5| |6| +# | | | | +# Key N |<-------Lzsk------>| +# | | | | +# Key N+1 | |<-Ipub->|<-->| +# | | | | +# Key N Tact +# Key N+1 Tpub Trdy Tact +# +# Tnow +# +# Lzsk: 30d +# Dprp: 1h +# TTLkey: 1h +# publish-safety: 1d +# Ipub: 26h +# +# Tact(N) = Tnow + Ipub - Lzsk = now + 26h - 30d +# = now + 26h - 30d = now − 694h TactN="now-694h" -ksktimes="-P ${TactN} -A ${TactN}" +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN}" KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) 
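Review bot: The last two lines of the new comment, `# Tact(N) = Tnow + Ipub - Lzsk = now + 26h - 30d` and `# = now + 26h - 30d = now − 694h`, repeat the same expression, and the second keeps a non-ASCII minus sign (U+2212) carried over from the old comment where the rest of the file writes `-`. `# = now + 26h - 720h = now - 694h` states the conversion once and avoids the odd character.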
@@ -282,17 +301,49 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # After the publication interval has passed the DNSKEY of the successor ZSK # is OMNIPRESENT and the zone can thus be signed with the successor ZSK. setup step3.zsk-prepub.autosign -# According to RFC 7583: Tpub(N+1) <= Tact(N) + Lzsk - Ipub -# Also: Tret(N) = Tact(N+1) = Tact(N) + Lzsk -# so: Tact(N) = Tact(N+1) - Lzsk = now - 30d -# and: Tpub(N+1) = Tact(N+1) - Ipub = now - 26h -# and: Tret(N+1) = Tact(N+1) + Lzsk +# According to RFC 7583: +# +# Tpub(N+1) <= Tact(N) + Lzsk - Ipub +# Tret(N) = Tact(N+1) = Tact(N) + Lzsk +# Trem(N) = Tret(N) + Iret +# Iret = Dsgn + Dprp + TTLsig (+retire-safety) +# +# |3| |4| |5| |6| |7| |8| +# | | | | | | +# Key N |<-------Lzsk------>|<-Iret->|<--->| +# | | | | | | +# Key N+1 | |<-Ipub->|<-->|<---Lzsk---- - - +# | | | | | | +# Key N Tact Tret Tdea Trem +# Key N+1 Tpub Trdy Tact +# +# Tnow +# +# Lzsk: 30d +# Ipub: 26h +# Dsgn: 1w +# Dprp: 1h +# TTLsig: 1d +# retire-safety: 2d +# Iret: 10d1h = 241h +# +# Tact(N) = Tnow - Lzsk = now - 30d +# Tret(N) = now +# Trem(N) = Tnow + Iret = now + 241h +# Tpub(N+1) = Tnow - Ipub = now - 26h +# Tret(N+1) = Tnow + Lzsk = now + 30d +# Trem(N+1) = Tnow + Lzsk + Iret = now + 30d + 241h +# = now + 961h TactN="now-30d" +TretN="now" +TremN="now+241h" TpubN1="now-26h" +TactN1="now" TretN1="now+30d" -ksktimes="-P ${TactN} -A ${TactN}" -zsktimes="-P ${TactN} -A ${TactN} -I now" -newtimes="-P ${TpubN1} -A now -I ${TretN1}" +TremN1="now+961h" +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" +zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $newtimes $zone 2> keygen.out.$zone.3) 
@@ -312,25 +363,48 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # After the retire interval has passed the predecessor DNSKEY can be # removed from the zone. setup step4.zsk-prepub.autosign -# According to RFC 7583: Tret(N) = Tact(N) + Lzsk -# Also: Tdea(N) = Tret(N) + Iret -# Also: Iret = Dsgn + Dprp + TTLsig (+retire-safety) -# so: Tact(N) = Tdea(N) - Iret - Lzsk = now - (1w1h1d2d) - 30d = -# now - (10d1h) - 30d = now - 961h -# and: Tret(N) = Tdea(N) - Iret = now - (10d1h) = now - 241h -# and: Tpub(N+1) = Tdea(N) - Iret - Ipub = now - (10d1h) - 26h = -# now - 267h -# and: Tact(N+1) = Tdea(N) - Iret = Tret(N) -# and: Tret(N+1) = Tdea(N) - Iret + Lzsk = now - (10d1h) + 30d = -# now + 479h +# According to RFC 7583: +# Tret(N) = Tact(N) + Lzsk +# Tdea(N) = Tret(N) + Iret +# +# |3| |4| |5| |6| |7| |8| +# | | | | | | +# Key N |<-------Lzsk------>|<-Iret->|<--->| +# | | | | | | +# Key N+1 | |<-Ipub->|<-->|<---Lzsk---- - - +# | | | | | | +# Key N Tact Tret Tdea Trem +# Key N+1 Tpub Trdy Tact +# +# Tnow +# +# Lzsk: 30d +# Ipub: 26h +# Iret: 241h +# +# Tact(N) = Tnow - Iret - Lzsk +# = now - 241h - 30d = now - 241h - 720h +# = now - 961h +# Tret(N) = Tnow - Iret = now - 241h +# Trem(N) = Tnow +# Tpub(N+1) = Tnow - Iret - Ipub +# = now - 241h - 26h +# = now - 267h +# Tact(N+1) = Tnow - Iret = Tret(N) +# Tret(N+1) = Tnow - Iret + Lzsk +# = now - 241h + 30d = now - 241h + 720h +# = now + 479h +# Trem(N+1) = Tnow + Lzsk = now + 30d TactN="now-961h" TretN="now-241h" +TremN="now" TpubN1="now-267h" TactN1="${TretN}" TretN1="now+479h" -ksktimes="-P ${TactN} -A ${TactN}" -zsktimes="-P ${TactN} -A ${TactN} -I ${TretN}" -newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}" +TremN1="now+30d" +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" +zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> 
keygen.out.$zone.1) ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $newtimes $zone 2> keygen.out.$zone.3) @@ -347,20 +421,31 @@ $SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > sign # The predecessor DNSKEY is removed long enough that is has become HIDDEN. setup step5.zsk-prepub.autosign # Subtract DNSKEY TTL from all the times (1h). +# Tact(N) = now - 961h - 1h = now - 962h +# Tret(N) = now - 241h - 1h = now - 242h +# Tdea(N) = now - 2d - 1h = now - 49h +# Trem(N) = now - 1h +# Tpub(N+1) = now - 267h - 1h = now - 268h +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 479h - 1h = now + 478h +# Trem(N+1) = now + 30d - 1h = now + 719h TactN="now-962h" TretN="now-242h" +TremN="now-1h" +TdeaN="now-49h" TpubN1="now-268h" TactN1="${TretN}" TretN1="now+478h" -ksktimes="-P ${TactN} -A ${TactN}" -zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D now" -newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}" +TremN1="now+719h" +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" +zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $newtimes $zone 2> keygen.out.$zone.3) $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $U $TretN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.3 2>&1 +$SETTIME -s -g $H -k $U $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $ZSK1 $ZSK2 # Sign zone. 
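Review bot: In the step-5 block `# Tdea(N) = now - 2d - 1h = now - 49h` does not follow from the definition the step-4 comment gives, `Tdea(N) = Tret(N) + Iret`; with Tret(N) = now-242h and Iret = 241h that is now-1h, which is the value assigned to TremN. The 49h figure appears to be Tret(N) + Iret minus the 2d retire-safety, i.e. the moment the old ZSK's signatures could be considered gone, which fits its use in `-z $H $TdeaN` for ZSK1 and `-z $O $TdeaN` for ZSK2, so the comment should say that, e.g. `# Signatures of key N became HIDDEN at Tret(N) + Iret - retire-safety = now - 242h + 193h = now - 49h`. The naming also drifts across the steps: the step-3 comment calls Tret(N) + Iret `Trem(N)` while step 4 calls it `Tdea(N)`; using one name for that instant throughout would help.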
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index ab1e5c58e6..d9e346b2d3 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -329,9 +329,9 @@ check_key() { grep "; Created:" "$KEY_FILE" > "${ZONE}.${KEY_ID}.${_alg_num}.created" || log_error "mismatch created comment in $KEY_FILE" KEY_CREATED=$(awk '{print $3}' < "${ZONE}.${KEY_ID}.${_alg_num}.created") - grep "Created: ${_created}" "$PRIVATE_FILE" > /dev/null || log_error "mismatch created in $PRIVATE_FILE" + grep "Created: ${KEY_CREATED}" "$PRIVATE_FILE" > /dev/null || log_error "mismatch created in $PRIVATE_FILE" if [ "$_legacy" == "no" ]; then - grep "Generated: ${_created}" "$STATE_FILE" > /dev/null || log_error "mismatch generated in $STATE_FILE" + grep "Generated: ${KEY_CREATED}" "$STATE_FILE" > /dev/null || log_error "mismatch generated in $STATE_FILE" fi test $_log -eq 1 && echo_i "check key file $BASE_FILE" 
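Review bot: With `KEY_CREATED` taken from `awk '{print $3}'` over the file the preceding grep writes, a failed grep leaves it empty and the two new patterns degrade to `Created: ` and `Generated: `, which match any timestamp, so the private-file and state-file checks then pass vacuously after the first log_error. A guard before the greps, `test -n "$KEY_CREATED" || log_error "empty created time for $KEY_FILE"`, keeps the three checks independent. If the old `_created` variable is no longer read anywhere in check_key, its assignment should go as well; the function starts before this hunk, so that is not visible here.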
@@ -2434,28 +2434,56 @@ check_next_key_event 3600 set_zone "step1.zsk-prepub.autosign" set_policy "zsk-prepub" "2" "3600" set_server "ns3" "10.53.0.3" +# Policy parameters. +# Lksk: 2 years (63072000 seconds) +# Lzsk: 30 days (2592000 seconds) +# Iret(KSK): DS TTL (1d) + Dreg (1d) + DprpP (1h) + retire-safety (2d) +# Iret(KSK): 4d1h (349200 seconds) +# Iret(ZSK): 10d1h (867600 seconds). +Lksk=63072000 +Lzsk=2592000 +IretKSK=349200 +IretZSK=867600 + +set_retired_removed() { + _Lkey=$2 + _Iret=$3 + + _active=$(key_get $1 ACTIVE) + set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}" + _retired=$(key_get $1 RETIRED) + set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}" +} + +zsk_prepub_predecessor_keytimes() { + _addtime=$1 + + _created=$(key_get KEY1 CREATED) + set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" + set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" + + _created=$(key_get KEY2 CREATED) + set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}" + set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" +} + # Key properties. key_clear "KEY1" set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "63072000" +set_keylifetime "KEY1" "${Lksk}" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "no" key_clear "KEY2" set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "2592000" +set_keylifetime "KEY2" "${Lzsk}" set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY2" "no" set_zonesigning "KEY2" "yes" -# Key timings. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "yes" - -set_keytime "KEY2" "PUBLISHED" "yes" -set_keytime "KEY2" "ACTIVE" "yes" -set_keytime "KEY2" "RETIRED" "yes" # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. 
set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" @@ -2470,6 +2498,11 @@ key_clear "KEY3" key_clear "KEY4" check_keys + +# These keys are immediately published and activated. +zsk_prepub_predecessor_keytimes 0 +check_keytimes + check_apex check_subdomain dnssec_verify @@ -2489,20 +2522,30 @@ set_server "ns3" "10.53.0.3" # New ZSK (KEY3) is prepublished, but not yet signing. key_clear "KEY3" set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "2592000" +set_keylifetime "KEY3" "${Lzsk}" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY3" "no" set_zonesigning "KEY3" "no" -# Key timings. -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" -set_keytime "KEY3" "RETIRED" "yes" # Key states. -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_ZRRSIG" "hidden" check_keys + +# The old keys were activated 694 hours ago (2498400 seconds). +zsk_prepub_predecessor_keytimes -2498400 +# The new ZSK is published now. +created=$(key_get KEY3 CREATED) +set_keytime "KEY3" "PUBLISHED" "${created}" +# The new ZSK becomes active when the DNSKEY is OMNIPRESENT. +# Ipub: TTLkey (1h) + Dprp (1h) + publish-safety (1d) +# Ipub: 26 hour (93600 seconds). +IpubZSK=93600 +set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubZSK}" +set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" +check_keytimes + check_apex check_subdomain dnssec_verify 
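Review bot: set_retired_removed() reads its key with an unquoted `$1` (`key_get $1 ACTIVE`) while the same function passes `"${1}"` to set_addkeytime, and it names `$2` and `$3` (`_Lkey`, `_Iret`) but not `$1`; assigning `_key=$1` first and quoting it throughout makes the three parameters read the same way. Each helper would also benefit from a one-line header, e.g. `# set_retired_removed KEY LIFETIME IRET: RETIRED = ACTIVE + LIFETIME, REMOVED = RETIRED + IRET` and a similar line on zsk_prepub_predecessor_keytimes stating that it fixes KEY1 as the KSK and KEY2 as the ZSK and reads Lksk/Lzsk/IretKSK/IretZSK. Whether the file declares such helper variables `local` elsewhere is not visible in this hunk.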
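Review bot: `IpubZSK=93600` is introduced in the middle of the step-2 expectations but is also used by the later steps (`set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}"` in steps 4 and 5), unlike Lksk, Lzsk, IretKSK and IretZSK, which are grouped under `# Policy parameters` before step 1. Moving it next to those, together with its `TTLkey (1h) + Dprp (1h) + publish-safety (1d)` comment, keeps every policy-derived constant in one place. The `-set_keystate "KEY3" "GOAL" "omnipresent"` / `+set_keystate "KEY3" "GOAL" "omnipresent"` pair in this hunk appears to change only whitespace.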
@@ -2528,6 +2571,16 @@ set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" check_keys + +# The old keys are activated 30 days ago (2592000 seconds). +zsk_prepub_predecessor_keytimes -2592000 +# The new ZSK is published 26 hours ago (93600 seconds). +created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600 +set_keytime "KEY3" "ACTIVE" "${created}" +set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" +check_keytimes + check_apex # Subdomain still has good signatures of ZSK (KEY2). # Set expected zone signing on for KEY2 and off for KEY3, @@ -2560,6 +2613,17 @@ set_keystate "KEY2" "STATE_ZRRSIG" "hidden" set_keystate "KEY3" "STATE_ZRRSIG" "omnipresent" check_keys + +# The old keys are activated 961 hours ago (3459600 seconds). +zsk_prepub_predecessor_keytimes -3459600 +# The new ZSK is published 267 hours ago (961200 seconds). +created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -961200 +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" +set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" +check_keytimes + check_apex check_subdomain dnssec_verify 
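Review bot: In the step-3 block `set_keytime "KEY3" "ACTIVE" "${created}"` pins ACTIVE to the key's creation time, whereas steps 2, 4 and 5 derive it as PUBLISHED + IpubZSK; the two agree only because setup.sh publishes the key exactly 26 h before now. Deriving it the same way here, `published=$(key_get KEY3 PUBLISHED)` followed by `set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}"`, removes that implicit dependency on the setup timing. `# The old keys are activated 30 days ago` reads better as `were activated`; the same wording appears in the 961-hours comment of the next hunk.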
@@ -2575,12 +2639,21 @@ check_next_key_event 7200 set_zone "step5.zsk-prepub.autosign" set_policy "zsk-prepub" "3" "3600" set_server "ns3" "10.53.0.3" -# ZSK (KEY3) DNSKEY is now completely HIDDEN and removed. -set_keytime "KEY2" "REMOVED" "yes" +# ZSK (KEY2) DNSKEY is now completely HIDDEN and removed. set_keystate "KEY2" "STATE_DNSKEY" "hidden" -# ZSK (KEY3) remains actively signing, staying in OMNIPRESENT. check_keys + +# The old keys are activated 962 hours ago (3463200 seconds). +zsk_prepub_predecessor_keytimes -3463200 +# The new ZSK is published 268 hours ago (964800 seconds). +created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -964800 +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" +set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" +check_keytimes + check_apex check_subdomain dnssec_verify From 50bbbb76a868101ae86ab9761cb3be419163e777 Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 4 May 2020 12:30:40 +0200 Subject: [PATCH 11/17] kasp: registration delay adjustments Registration delay is not part of the Iret retire interval, thus removed from the calculation when setting the Delete time metadata. Include the registration delay in prepublication time, because we need to prepublish the key sooner than just the Ipub publication interval. --- bin/tests/system/kasp/ns3/setup.sh | 2 ++ bin/tests/system/kasp/tests.sh | 50 ++++++++++++++++-------------- lib/dns/keymgr.c | 6 +++- 3 files changed, 33 insertions(+), 25 deletions(-) diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index ae02b73aa5..2cc1986cfe 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh 
@@ -263,6 +263,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # It is time to pre-publish the successor ZSK. setup step2.zsk-prepub.autosign # According to RFC 7583: +# # Tpub(N+1) <= Tact(N) + Lzsk - Ipub # Ipub = Dprp + TTLkey (+publish-safety) # @@ -364,6 +365,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # removed from the zone. setup step4.zsk-prepub.autosign # According to RFC 7583: +# # Tret(N) = Tact(N) + Lzsk # Tdea(N) = Tret(N) + Iret # diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index d9e346b2d3..a5d92b7a6b 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -1297,11 +1297,11 @@ set_keytimes_algorithm_policy() { set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300 # Key lifetime is 10 years, 315360000 seconds. set_addkeytime "KEY1" "RETIRED" "${published}" 315360000 - # The key is removed after the retire time plus DS TTL (1d), parent - # registration delay (1d), parent propagation delay (1h), - # and retire safety (1h) = 86400 + 86400 + 3600 + 3600 = 180000. + # The key is removed after the retire time plus DS TTL (1d), + # parent propagation delay (1h), and retire safety (1h) = + # 86400 + 3600 + 3600 = 93600. retired=$(key_get KEY1 RETIRED) - set_addkeytime "KEY1" "REMOVED" "${retired}" 180000 + set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 # The first ZSKs are immediately published and activated. created=$(key_get KEY2 CREATED) 
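Review bot: The REMOVED offset 93600 and its `DS TTL (1d) + parent propagation delay (1h) + retire safety (1h)` derivation are now written out twice, here in set_keytimes_algorithm_policy and again in set_keytimes_autosign_policy in the next hunk; the two policies appear to share those three values, so a single named constant, the way the zsk-prepub section uses `IretKSK`, would keep them in step when the policy changes. Both enclosing functions start before their hunks.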
@@ -1738,11 +1738,11 @@ set_keytimes_autosign_policy() { # Key lifetime is 2 years, 63072000 seconds. active=$(key_get KEY1 ACTIVE) set_addkeytime "KEY1" "RETIRED" "${active}" 63072000 - # The key is removed after the retire time plus DS TTL (1d), parent - # registration delay (1d), propagation delay (1h), retire safety (1h) = - # 86400 + 86400 + 3600 + 3600 = 180000 + # The key is removed after the retire time plus DS TTL (1d), + # parent propagation delay (1h), retire safety (1h) = + # 86400 + 3600 + 3600 = 93600 retired=$(key_get KEY1 RETIRED) - set_addkeytime "KEY1" "REMOVED" "${retired}" 180000 + set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 # The ZSK was published six months ago (with settime). created=$(key_get KEY2 CREATED) @@ -2428,22 +2428,24 @@ check_next_key_event 3600 # Testing ZSK Pre-Publication rollover. # +# Policy parameters. +# Lksk: 2 years (63072000 seconds) +# Lzsk: 30 days (2592000 seconds) +# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (2d) +# Iret(KSK): 3d1h (262800 seconds) +# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d) +# Iret(ZSK): 10d1h (867600 seconds) +Lksk=63072000 +Lzsk=2592000 +IretKSK=262800 +IretZSK=867600 + # # Zone: step1.zsk-prepub.autosign. # set_zone "step1.zsk-prepub.autosign" set_policy "zsk-prepub" "2" "3600" set_server "ns3" "10.53.0.3" -# Policy parameters. -# Lksk: 2 years (63072000 seconds) -# Lzsk: 30 days (2592000 seconds) -# Iret(KSK): DS TTL (1d) + Dreg (1d) + DprpP (1h) + retire-safety (2d) -# Iret(KSK): 4d1h (349200 seconds) -# Iret(ZSK): 10d1h (867600 seconds). -Lksk=63072000 -Lzsk=2592000 -IretKSK=349200 -IretZSK=867600 set_retired_removed() { _Lkey=$2 @@ -2455,7 +2457,7 @@ set_retired_removed() { set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}" } -zsk_prepub_predecessor_keytimes() { +rollover_predecessor_keytimes() { _addtime=$1 _created=$(key_get KEY1 CREATED) 
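Review bot: rollover_predecessor_keytimes() gets a generic name in this hunk but no statement of what it assumes: its body (shown when it was introduced) hard-codes KEY1 as the KSK and KEY2 as the ZSK and reads Lksk, Lzsk, IretKSK and IretZSK, which the preceding hunk now sets once before step1.zsk-prepub. A header such as `# rollover_predecessor_keytimes OFFSET: expected times for the predecessor KSK (KEY1) and ZSK (KEY2), published/activated OFFSET seconds after creation; requires Lksk, Lzsk, IretKSK, IretZSK` would tell the next rollover section what it must set before calling it. The remainder of the function is outside the hunk.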
@@ -2500,7 +2502,7 @@ key_clear "KEY4" check_keys # These keys are immediately published and activated. -zsk_prepub_predecessor_keytimes 0 +rollover_predecessor_keytimes 0 check_keytimes check_apex @@ -2534,7 +2536,7 @@ set_keystate "KEY3" "STATE_ZRRSIG" "hidden" check_keys # The old keys were activated 694 hours ago (2498400 seconds). -zsk_prepub_predecessor_keytimes -2498400 +rollover_predecessor_keytimes -2498400 # The new ZSK is published now. created=$(key_get KEY3 CREATED) set_keytime "KEY3" "PUBLISHED" "${created}" @@ -2573,7 +2575,7 @@ set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" check_keys # The old keys are activated 30 days ago (2592000 seconds). -zsk_prepub_predecessor_keytimes -2592000 +rollover_predecessor_keytimes -2592000 # The new ZSK is published 26 hours ago (93600 seconds). created=$(key_get KEY3 CREATED) set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600 @@ -2615,7 +2617,7 @@ set_keystate "KEY3" "STATE_ZRRSIG" "omnipresent" check_keys # The old keys are activated 961 hours ago (3459600 seconds). -zsk_prepub_predecessor_keytimes -3459600 +rollover_predecessor_keytimes -3459600 # The new ZSK is published 267 hours ago (961200 seconds). created=$(key_get KEY3 CREATED) set_addkeytime "KEY3" "PUBLISHED" "${created}" -961200 @@ -2645,7 +2647,7 @@ set_keystate "KEY2" "STATE_DNSKEY" "hidden" check_keys # The old keys are activated 962 hours ago (3463200 seconds). -zsk_prepub_predecessor_keytimes -3463200 +rollover_predecessor_keytimes -3463200 # The new ZSK is published 268 hours ago (964800 seconds). created=$(key_get KEY3 CREATED) set_addkeytime "KEY3" "PUBLISHED" "${created}" -964800 diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c index 83cc25602a..2735fecacb 100644 --- a/lib/dns/keymgr.c +++ b/lib/dns/keymgr.c 
@@ -118,7 +118,6 @@ keymgr_settime_remove(dns_dnsseckey_t *key, dns_kasp_t *kasp) {
 if (ret == ISC_R_SUCCESS && ksk) {
 /* KSK: Iret = DprpP + TTLds */
 ksk_remove = retire + dns_kasp_dsttl(kasp) +
- dns_kasp_parentregistrationdelay(kasp) +
 dns_kasp_parentpropagationdelay(kasp) +
 dns_kasp_retiresafety(kasp);
 }
@@ -245,6 +244,11 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 dst_key_settime(key->key, DST_TIME_SYNCPUBLISH, syncpub);
 }
+
+ /*
+ * Include registration delay in prepublication time.
+ */
+ prepub += dns_kasp_parentregistrationdelay(kasp);
 }
 ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
From 649d0833ce271fb4b2fc6c999ba936883a82de2f Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 4 May 2020 12:33:52 +0200 Subject: [PATCH 12/17] Test keytimes on KSK rollover This improves keytime testing on KSK rollover. It now tests for specific times, and also tests for SyncPublish and Removed keytimes. --- bin/tests/system/kasp/ns3/setup.sh | 160 +++++++++++++++++++++++------ bin/tests/system/kasp/tests.sh | 96 ++++++++++++++--- 2 files changed, 211 insertions(+), 45 deletions(-)
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 2cc1986cfe..25d8ad46c1 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -466,7 +466,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # Introduce the first key. This will immediately be active.
 setup step1.ksk-doubleksk.autosign
 TactN="now"
-ksktimes="-P ${TactN} -A ${TactN}"
+ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
 zsktimes="-P ${TactN} -A ${TactN}"
 KSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
 ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
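Review bot: The comment `/* KSK: Iret = DprpP + TTLds */` above the `ksk_remove` sum now understates what the code adds, because `dns_kasp_retiresafety(kasp)` remains part of it; the fixtures in this series write the same quantity as `Iret = DprpP + TTLds (+retire-safety)`, so `/* KSK: Iret = DprpP + TTLds (+retire-safety) */` would keep the C and the test comments in step. Dropping the parent registration delay from the retire interval is consistent with RFC 7583, where Dreg belongs to the publication side of the rollover. The rest of keymgr_settime_remove lies outside the hunk.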
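Review bot: The new `prepub += dns_kasp_parentregistrationdelay(kasp);` applies to every key that reaches this block, whose condition sits before the hunk; if a CSK can get here (it also carries a SyncPublish time), it would be prepublished Dreg earlier than its zone-signing lead time requires, so the addition probably wants to be gated on the key's signing role — I cannot see the guard from here. The comment would also serve a reader better by naming the rule it implements rather than restating the statement, e.g. `/* RFC 7583: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC, so the parent registration delay is part of the KSK prepublication lead time. */`. keymgr_prepublication_time continues on both sides of the hunk.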
@@ -478,12 +478,44 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 2: # It is time to submit the introduce the new KSK. setup step2.ksk-doubleksk.autosign -# According to RFC 7583: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC -# Also: IpubC = DprpC + TTLkey (+publish-safety) -# so: Tact(N) = Tpub(N+1) - Lksk + Dreg + IpubC = now - 60d + (1d3h) -# now - 1440h + 27h = now - 1413h +# According to RFC 7583: +# +# Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC +# IpubC = DprpC + TTLkey (+publish-safety) +# +# |1| |2| |3| |4| +# | | | | +# Key N |<-IpubC->|<--->|<-Dreg->|<-----Lksk--- - - +# | | | | +# Key N+1 | | | | +# | | | | +# Key N Tpub Trdy Tsbm Tact +# Key N+1 +# +# (continued ...) +# +# |5| |6| |7| |8| |9| |10| +# | | | | | | +# Key N - - --------------Lksk------->|<-Iret->|<----->| +# | | | | | | +# Key N+1 |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - - +# | | | | | | +# Key N Tret Tdea Trem +# Key N+1 Tpub Trdy Tsbm Tact +# +# Tnow +# +# Lksk: 60d +# Dreg: 1d +# DprpC: 1h +# TTLkey: 2h +# publish-safety: 1d +# IpubC: 27h +# +# Tact(N) = Tnow - Lksk + Dreg + IpubC = now - 60d + 27h +# = now - 1440h + 27h = now - 1413h TactN="now-1413h" -ksktimes="-P ${TactN} -A ${TactN}" +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN}" KSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) 
@@ -497,18 +529,53 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 3: # It is time to submit the DS. setup step3.ksk-doubleksk.autosign -# According to RFC 7583: Tsbm(N+1) >= Trdy(N+1) -# Also: Tact(N+1) = Tsbm(N+1) + Dreg -# so: Tact(N) = Tsbm(N+1) + Dreg - Lksk = now + 1d - 60d = now - 59d -# and: Tret(N) = Tsbm(N+1) + Dreg = now + 1d -# and: Tpub(N+1) <= Tsbm(N+1) - IpubC = now + 27h -# and: Tret(N+1) = Tsbm(N+1) + Dreg + Lksk = 1d + 60d +# According to RFC 7583: +# +# Tsbm(N+1) >= Trdy(N+1) +# Tact(N+1) = Tsbm(N+1) + Dreg +# Iret = DprpP + TTLds (+retire-safety) +# +# |5| |6| |7| |8| |9| |10| +# | | | | | | +# Key N - - --------------Lksk------->|<-Iret->|<----->| +# | | | | | | +# Key N+1 |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - - +# | | | | | | +# Key N Tret Tdea Trem +# Key N+1 Tpub Trdy Tsbm Tact +# +# Tnow +# +# Lksk: 60d +# Dreg: 1d +# DprpP: 1h +# TTLds: 1h +# retire-safety: 2d +# Iret: 50h +# DprpC: 1h +# TTLkey: 2h +# publish-safety: 1d +# IpubC: 27h +# +# Tact(N) = Tnow + Dreg - Lksk = now + 1d - 60d = now - 59d +# Tret(N) = Tnow + Dreg = now + 1d +# Trem(N) = Tnow + Dreg + Iret = now + 1d + 50h = now + 74h +# Tpub(N+1) = Tnow - IpubC = now - 27h +# Tsbm(N+1) = now +# Tact(N+1) = Tret(N) +# Tret(N+1) = Tnow + Dreg + Lksk = now + 1d + 60d = now + 61d +# Trem(N+1) = Tnow + Dreg + Lksk + Iret = now + 61d + 50h +# = now + 1464h + 50h = 1514h TactN="now-59d" TretN="now+1d" +TremN="now+74h" TpubN1="now-27h" +TsbmN1="now" +TactN1="${TretN}" TretN1="now+61d" -ksktimes="-P ${TactN} -A ${TactN} -I ${TretN}" -newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}" +TremN1="now+1514h" +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" zsktimes="-P ${TactN} -A ${TactN}" KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes 
$zone 2> keygen.out.$zone.2) 
@@ -528,24 +595,47 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # Step 4: # The DS should be swapped now. setup step4.ksk-doubleksk.autosign -# According to RFC 7583: Tdea(N) = Tret(N) + Iret -# Also: Tret(N) = Tsbm(N+1) + Dreg -# Also: Tact(N+1) = Tret(N) -# Also: Iret = DprpP + TTLds (+retire-safety) -# so: Tact(N) = Tdea(N) - Lksk - Iret = now - 60d - 2d2h = now - 1490h -# and: Tret(N) = Tdea(N) - Iret = now - 2d2h = 50h -# and: Tpub(N+1) = Tdea(N) - Iret - Dreg - IpubC = now - 50h - 1d - 1d3h = now - 101h -# and: Tsbm(N+1) = Tdea(N) - Iret - Dreg = now - 50h - 1d = now - 74h -# and: Tact(N+1) = Tret(N) -# and: Tret(N+1) = Tdea(N) + Lksk - Iret = now + 60d - 2d2h = now + 1390h +# According to RFC 7583: +# +# Tret(N) = Tsbm(N+1) + Dreg +# Tdea(N) = Tret(N) + Iret +# Tact(N+1) = Tret(N) +# +# |5| |6| |7| |8| |9| |10| +# | | | | | | +# Key N - - --------------Lksk------->|<-Iret->|<----->| +# | | | | | | +# Key N+1 |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - - +# | | | | | | +# Key N Tret Tdea Trem +# Key N+1 Tpub Trdy Tsbm Tact +# +# Tnow +# +# Lksk: 60d +# Dreg: 1d +# Iret: 50h +# +# Tact(N) = Tnow - Lksk - Iret = now - 60d - 50h +# = now - 1440h - 50h = now - 1490h +# Tret(N) = Tnow - Iret = now - 50h +# Trem(N) = Tnow +# Tpub(N+1) = Tnow - Iret - Dreg - IpubC = now - 50h - 1d - 27h +# = now - 101h +# Tsbm(N+1) = Tnow - Iret - Dreg = now - 50h - 1d = now - 74h +# Tact(N+1) = Tret(N) +# Tret(N+1) = Tnow + Lksk - Iret = now + 60d - 50h = now + 1390h +# Trem(N+1) = Tnow + Lksk = now + 60d TactN="now-1490h" TretN="now-50h" +TremN="now" TpubN1="now-101h" TsbmN1="now-74h" TactN1="${TretN}" TretN1="now+1390h" -ksktimes="-P ${TactN} -A ${TactN} -I ${TretN}" -newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}" +TremN1="now+60d" +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" zsktimes="-P ${TactN} -A ${TactN}" KSK1=$($KEYGEN 
-a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) @@ -566,14 +656,24 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # The predecessor DNSKEY is removed long enough that is has become HIDDEN. setup step5.ksk-doubleksk.autosign # Subtract DNSKEY TTL from all the times (2h). +# Tact(N) = now - 1490h - 2h = now - 1492h +# Tret(N) = now - 52h - 2h = now - 52h +# Trem(N) = now - 2h +# Tpub(N+1) = now - 101h - 2h = now - 103h +# Tsbm(N+1) = now - 74h - 2h = now - 76h +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 1390h - 2h = now + 1388h +# Trem(N+1) = now + 60d + 2h = now + 1442h TactN="now-1492h" TretN="now-52h" -TpubN1="now-102h" -TsbmN1="now-75h" +TremN="now-2h" +TpubN1="now-103h" +TsbmN1="now-76h" TactN1="${TretN}" TretN1="now+1388h" -ksktimes="-P ${TactN} -A ${TactN} -I ${TretN}" -newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}" +TremN1="now+1438h" +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" zsktimes="-P ${TactN} -A ${TactN}" KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index a5d92b7a6b..0a7cae9ee3 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh 
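Review bot: `TactN1="${TretN}"` is assigned in step 4 but the new `newtimes` line passes `-A ${TretN}` directly, whereas the step-3 hunk above uses `-A ${TactN1}`; the step-5 hunk that follows has the same dead variable. Writing `newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"` in both steps keeps the fixture aligned with the `Tact(N+1) = Tret(N)` line in the derivation comment and with step 3.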
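Review bot: Two of the new derivation comments in step 5 disagree with the values assigned right below them: `# Tret(N) = now - 52h - 2h = now - 52h` should read `# Tret(N) = now - 50h - 2h = now - 52h`, and `# Trem(N+1) = now + 60d + 2h = now + 1442h` contradicts `TremN1="now+1438h"`, which is the correct value for 60d minus the 2h offset; it should read `# Trem(N+1) = now + 60d - 2h = now + 1438h`. The assignments themselves look right, only the comments are off.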
@@ -2669,6 +2669,18 @@ check_next_key_event 1627200 # Testing KSK Double-KSK rollover. # +# Policy parameters. +# Lksk: 60 days (5184000 seconds) +# Lzsk: 1 year (31536000 seconds) +# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2d) +# Iret(KSK): 50h (180000 seconds) +# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d) +# Iret(ZSK): 10d1h (867600 seconds) +Lksk=5184000 +Lzsk=31536000 +IretKSK=180000 +IretZSK=867600 + # # Zone: step1.ksk-doubleksk.autosign. # @@ -2678,25 +2690,17 @@ set_server "ns3" "10.53.0.3" # Key properties. key_clear "KEY1" set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "5184000" +set_keylifetime "KEY1" "${Lksk}" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "no" key_clear "KEY2" set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "31536000" +set_keylifetime "KEY2" "${Lzsk}" set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY2" "no" set_zonesigning "KEY2" "yes" -# Key timings. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "yes" - -set_keytime "KEY2" "PUBLISHED" "yes" -set_keytime "KEY2" "ACTIVE" "yes" -set_keytime "KEY2" "RETIRED" "yes" # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" @@ -2711,6 +2715,11 @@ key_clear "KEY3" key_clear "KEY4" check_keys + +# These keys are immediately published and activated. +rollover_predecessor_keytimes 0 +check_keytimes + check_apex check_subdomain dnssec_verify 
@@ -2731,14 +2740,10 @@ set_server "ns3" "10.53.0.3" # New KSK (KEY3) is prepublished (and signs DNSKEY RRset). key_clear "KEY3" set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "5184000" +set_keylifetime "KEY3" "${Lksk}" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY3" "yes" set_zonesigning "KEY3" "no" -# Key timings. -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" -set_keytime "KEY3" "RETIRED" "yes" # Key states. set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" @@ -2746,6 +2751,27 @@ set_keystate "KEY3" "STATE_KRRSIG" "rumoured" set_keystate "KEY3" "STATE_DS" "hidden" check_keys + +# The old keys were activated 1413 hours ago (5086800 seconds). +rollover_predecessor_keytimes -5086800 +# The new KSK is published now. +created=$(key_get KEY3 CREATED) +set_keytime "KEY3" "PUBLISHED" "${created}" +# The new KSK should publish the CDS after the prepublication time. +# TTLkey: 2h +# DprpC: 1h +# publish-safety: 1d +# IpubC: 27h (97200 seconds) +IpubC=97200 +set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${IpubC}" +# The new KSK becomes active after the registration delay. +# Dreg: 1d (86400 seconds) +Dreg=86400 +syncpub=$(key_get KEY3 SYNCPUBLISH) +set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}" +set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" +check_keytimes + check_apex check_subdomain dnssec_verify 
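Review bot: `IpubC=97200` and `Dreg=86400` are introduced in the middle of the step-2 block and then relied on by the step-3, step-4 and step-5 blocks that follow, while the other parameters of this rollover (`Lksk`, `Lzsk`, `IretKSK`, `IretZSK`) were collected in the "Policy parameters" block at the top of the section. Moving the two assignments, with their derivation comments, into that block would make each step self-describing and avoid a hidden ordering dependency when a single step is being debugged.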
@@ -2770,6 +2796,20 @@ set_keystate "KEY3" "STATE_KRRSIG" "omnipresent" set_keystate "KEY3" "STATE_DS" "rumoured" check_keys + +# The old keys were activated 59 days ago (5097600 seconds). +rollover_predecessor_keytimes -5097600 +# The new KSK is published 27 hours ago (97200 seconds). +created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200 +# The new KSK CDS is published now. +set_keytime "KEY3" "SYNCPUBLISH" "${created}" +# The new KSK becomes active Dreg (1d) later. +syncpub=$(key_get KEY3 SYNCPUBLISH) +set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}" +set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" +check_keytimes + check_apex check_subdomain dnssec_verify @@ -2798,6 +2838,19 @@ set_keystate "KEY1" "STATE_DS" "hidden" set_keystate "KEY3" "STATE_DS" "omnipresent" check_keys + +# The old keys were activated 1490 hours ago (5364000 seconds). +rollover_predecessor_keytimes -5364000 +# The new KSK is published 101 hours ago (363600 seconds). +created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -363600 +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}" +syncpub=$(key_get KEY3 SYNCPUBLISH) +set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}" +set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" +check_keytimes + check_apex check_subdomain dnssec_verify 
@@ -2818,6 +2871,19 @@ set_keystate "KEY1" "STATE_DNSKEY" "hidden" set_keystate "KEY1" "STATE_KRRSIG" "hidden" check_keys + +# The old KSK is activated 1492 hours ago (5371200 seconds). +rollover_predecessor_keytimes -5371200 +# The new KSK is published 103 hours ago (370800 seconds). +created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -370800 +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}" +syncpub=$(key_get KEY3 SYNCPUBLISH) +set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}" +set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" +check_keytimes + check_apex check_subdomain dnssec_verify From e233433772e576443fdf917308091ca14110b81c Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Mon, 11 May 2020 15:12:32 +0200 Subject: [PATCH 13/17] Test keytimes on CSK rollover This improves keytime testing on CSK rollover. It now tests for specific times, and also tests for SyncPublish and Removed keytimes. Since an "active key" for ZSK and KSK means something different, this makes it tricky to decide when a CSK is active. An "active key" intuitively means the key is signing so we say a CSK is active when it is creating zone signatures. This change means a lot of timings for the CSK rollover tests need to be adjusted. The keymgr code needs a slight change on calculating the prepublication time: For a KSK we need to include the parent registration delay, but for CSK we look at the zone signing property and stick with the ZSK prepublication calculation. --- bin/tests/system/kasp/ns3/setup.sh | 494 +++++++++++++++++++++-------- bin/tests/system/kasp/tests.sh | 244 ++++++++++++-- lib/dns/keymgr.c | 20 +- 3 files changed, 595 insertions(+), 163 deletions(-) diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh index 25d8ad46c1..548ee0c3dd 100644 --- a/bin/tests/system/kasp/ns3/setup.sh +++ b/bin/tests/system/kasp/ns3/setup.sh 
@@ -694,12 +694,17 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer # The zones at csk-roll.autosign represent the various steps of a CSK rollover # (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover). # +# +# The activation time for zone signing (ZSK) is different than for chain of +# trust validation (KSK). Therefor, for zone signing we use TactZ and TretZ +# instead of Tact and Tret. +# # Step 1: # Introduce the first key. This will immediately be active. setup step1.csk-roll.autosign TactN="now" -csktimes="-P ${TactN} -A ${TactN}" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" 
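Review bot: The new comment line `# trust validation (KSK). Therefor, for zone signing we use TactZ and TretZ` misspells "Therefore", and the same sentence is repeated verbatim in the csk-roll2 header hunk further down (`@@ -879`). A tighter wording for both places would be `# The activation time for zone signing (ZSK) differs from that for chain of` followed by `# trust validation (KSK). Therefore, for zone signing we use TactZ and TretZ`.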
@@ -709,17 +714,29 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Step 2: # It is time to introduce the new CSK. setup step2.csk-roll.autosign -# According to RFC 7583: ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub -# According to RFC 7583: KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC -# Also: Ipub = Dprp + TTLkey (+publish-safety) -# Also: IpubC = DprpC + TTLkey (+publish-safety) -# Both sums are almost the same, but the KSK case has Dreg in the equation. -# so: Tact(N) = Tpub(N+1) - Lcsk + Dreg + IpubC = now - 6mo + 1d + 3h = -# now - 4464h + 24h + 3h = now - 4437h +# According to RFC 7583: +# KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC +# ZSK: Tpub(N+1) <= TactZ(N) + Lzsk - Ipub +# IpubC = DprpC + TTLkey (+publish-safety) +# Ipub = IpubC +# Lcsk = Lksk = Lzsk +# +# Lcsk: 6mo (186d, 4464h) +# Dreg: 1d +# DprpC: 1h +# TTLkey: 1h +# publish-safety: 1h +# Ipub: 3h +# +# Tact(N) = Tnow - Lcsk + Ipub + Dreg = now - 186d + 3h + 1d +# = now - 4464h + 3h + 24h = now - 4437h +# TactZ(N) = Tnow - Lcsk + IpubC = now - 186d + 3h +# = now - 4464h + 3h = now - 4461h TactN="now-4437h" -csktimes="-P ${TactN} -A ${TactN}" +TactZN="now-4461h" +csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN}" CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone 13 "$CSK" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 
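Review bot: In the new `csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN}"` the Publish time is `TactN` (`now-4437h`) while Activate is `TactZN` (`now-4461h`), so the predecessor CSK's metadata says it started zone signing 24h before it was published; the same pattern recurs in the step-3 to step-7 `csktimes` of csk-roll and in the csk-roll2 step-2 and step-3 hunks below. If that ordering is not deliberate, `-P ${TactZN}` (the earlier of the two) would be the consistent choice, since a key is normally published before either kind of activation. I may be missing a reason the expectations in tests.sh want Publish to follow Activate here.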
@@ -727,21 +744,56 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Step 3: # It is time to submit the DS and to roll signatures. setup step3.csk-roll.autosign -# According to RFC 7583: Tsbm(N+1) >= Trdy(N+1) -# Also: Tact(N+1) = Tsbm(N+1) + Dreg -# so: Tact(N) = Tsbm(N+1) + Dreg - Lksk = now + 1d - 6mo = now - 185d -# and: Tret(N) = Tsbm(N+1) + Dreg = now + 1d -# and: Tpub(N+1) <= Tsbm(N+1) - IpubC = now - 3h -# and: Tret(N+1) = Tsbm(N+1) + Dreg + Lksk = now + 1d + 6mo = now + 187d +# According to RFC 7583: +# +# Tsbm(N+1) >= Trdy(N+1) +# KSK: Tact(N+1) = Tsbm(N+1) + Dreg +# ZSK: TactZ(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1) +# KSK: Iret = DprpP + TTLds (+retire-safety) +# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety) +# +# Lcsk: 186d +# Dprp: 1h +# DprpP: 1h +# Dreg: 1d +# Dsgn: 25d +# TTLds: 1h +# TTLsig: 1d +# retire-safety: 2h +# Iret: 4h +# IretZ: 26d3h +# Ipub: 3h +# +# TactZ(N) = Tnow - Lcsk = now - 186d +# TretZ(N) = now +# Tact(N) = Tnow + Dreg - Lcsk = now + 1d - 186d = now - 185d +# Tret(N) = Tnow + Dreg = now + 1d +# Trem(N) = Tnow + IretZ = now + 26d3h = now + 627h +# Tpub(N+1) = Tnow - Ipub = now - 3h +# Tsbm(N+1) = TretZ(N) +# TactZ(N+1) = TretZ(N) +# TretZ(N+1) = Tnow + Lcsk = now + 186d +# Tact(N+1) = Tret(N) +# Tret(N+1) = Tnow + Dreg + Lcsk = now + 1d + 186d = now + 187d +# Trem(N+1) = Tnow + Lcsk + IretZ = now + 186d + 26d3h = +# = now + 5091h +TactZN="now-186d" +TretZN="now" TactN="now-185d" TretN="now+1d" +TremN="now+627h" TpubN1="now-3h" +TsbmN1="now" +TactZN1="${TsbmN1}" +TretZN1="now+186d" +TactN1="${TretN}" TretN1="now+187d" -csktimes="-P ${TactN} -A ${TactN} -I ${TretN}" -newtimes="-P ${TpubN1} -A ${TretN} -I ${TretN1}" +TremN1="now+5091h" +csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK1" > settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 
@@ -753,32 +805,51 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Step 4: # Some time later all the ZRRSIG records should be from the new CSK, and the -# DS should be swapped. The ZRRSIG records are all replaced after Iret -# which is Dsgn + Dprp + TTLsig + retire-safety (25d + 1h + 1d + 2h = 26d3h). -# The DS is swapped after Dreg + DprpP + TTLds + retire-safety -# (1d + 1h + 1h + 2h = 1d4h). In other words, the DS is swapped before all -# zone signatures are replaced. +# DS should be swapped. The ZRRSIG records are all replaced after IretZ +# (which is 26d3h). The DS is swapped after Dreg + Iret (which is 1d4h). +# In other words, the DS is swapped before all zone signatures are replaced. setup step4.csk-roll.autosign -# According to RFC 7583: Tdea(N) = Tret(N) + Iret -# Also: Iret = 1h + 1h + 2h = 4h -# Also: Tact(N+1) = Tret(N) -# so: Tact(N) = Tdea(N) - Lksk - Iret = now - 6mo - 4h = now - 4468h -# and: Tret(N) = Tdea(N) - Iret = now - 4h = now - 4h -# and: Tpub(N+1) = Tdea(N) - Iret - Dreg - IpubC = now - 4h - 1d - 3h = now - 31h -# and: Tsbm(N+1) = Tdea(N) - Iret - Dreg = now - 4h - 1d = now - 28h -# and: Tact(N+1) = Tret(N) -# and: Tret(N+1) = Tdea(N) + Lksk - Iret = now + 6mo - 4h = now + 4460h +# According to RFC 7583: +# Trem(N) = TretZ(N) + IretZ +# Tnow = Tsbm(N+1) + Dreg + Iret +# +# Lcsk: 186d +# Iret: 4h +# IretZ: 26d3h +# +# TactZ(N) = Tnow - Iret - Dreg - Lcsk = now - 4h - 24h - 4464h +# = now - 4492h +# TretZ(N) = Tnow - Iret - Dreg = now - 4h - 1d = now - 28h +# Tact(N) = Tnow - Iret - Lcsk = now - 4h - 186d = now - 4468h +# Tret(N) = Tnow - Iret = now - 4h = now - 4h +# Trem(N) = Tnow - Iret - Dreg + IretZ = now - 4h - 1d + 26d3h +# = now + 24d23h = now + 599h +# Tpub(N+1) = Tnow - Iret - Dreg - IpubC = now - 4h - 1d - 3h = now - 31h +# Tsbm(N+1) = TretZ(N) +# TactZ(N+1) = TretZ(N) +# TretZ(N+1) = Tnow - Iret - Dreg + Lcsk = now - 4h - 1d + 186d +# = now + 4436h +# Tact(N+1) = Tret(N) +# Tret(N+1) = Tnow - 
Iret + Lcsk = now + 6mo - 4h = now + 4460h +# Trem(N+1) = Tnow - Iret - Dreg + Lcsk + IretZ = now - 4h - 1d + 186d + 26d3h +# = now + 5063h +TactZN="now-4492h" +TretZN="now-28h" TactN="now-4468h" TretN="now-4h" +TremN="now+599h" TpubN1="now-31h" -TsbmN1="now-28h" +TsbmN1="${TretZN}" +TactZN1="${TretZN}" +TretZN1="now+4436h" TactN1="${TretN}" TretN1="now+4460h" -csktimes="-P ${TactN} -A ${TactN} -I ${TretN}" -newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}" +TremN1="now+5063h" +csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 
@@ -793,19 +864,36 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # At this time these have all become hidden. setup step5.csk-roll.autosign # Subtract DNSKEY TTL plus zone propagation delay from all the times (2h). +# TactZ(N) = now - 4492h - 2h = now - 4494h +# TretZ(N) = now - 28h - 2h = now - 30h +# Tact(N) = now - 4468h - 2h = now - 4470h +# Tret(N) = now - 4h - 2h = now - 6h +# Trem(N) = now + 599h - 2h = now + 597h +# Tpub(N+1) = now - 31h - 2h = now - 33h +# Tsbm(N+1) = TretZ(N) +# TactZ(N+1) = TretZ(N) +# TretZ(N+1) = now + 4436h - 2h = now + 4434h +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 4460h - 2h = now + 4458h +# Trem(N+1) = now + 5063h - 2h = now + 5061h +TactZN="now-4494h" +TretZN="now-30h" TactN="now-4470h" TretN="now-6h" -TdeaN="now-2h" +TremN="now+597h" TpubN1="now-33h" TsbmN1="now-30h" +TactZN1="${TsbmN1}" +TretZN1="now+4434h" TactN1="${TretN}" TretN1="now+4458h" -csktimes="-P ${TactN} -A ${TactN} -I ${TretN}" -newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}" +TremN1="now+5061h" +csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $U $TdeaN -d $H $TdeaN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $H -k $O $TactZN -r $U now-2h -d $H now-2h -z $U $TactZN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactZN1 "$CSK2" > settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. 
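Review bot: The two `$SETTIME` lines in step 5 hardcode `now-2h` three times (`-r $U now-2h -d $H now-2h` and `-d $O now-2h`) while every other step binds such times to a named variable, and the derivation comment above does not mention this time at all; `TsbmN1="now-30h"` is likewise a literal where the neighbouring steps write `TsbmN1="${TretZN}"`. Binding the DS-swap time once, e.g. `TdeaN="now-2h"` with a one-line note that it is step 4's Tnow shifted by the 2h offset, and using `${TretZN}` for `TsbmN1` would keep the step consistent with steps 4, 6 and 7.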
@@ -818,28 +906,47 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # After the retire interval has passed the predecessor DNSKEY can be # removed from the zone. setup step6.csk-roll.autosign -# According to RFC 7583: Tdea(N) = Tret(N) + Iret -# Also: Tret(N) = Tact(N) + Lzsk -# Also: Iret = Dsgn + Dprp + TTLsig (+retire-safety) -# so: Tact(N) = Tdea(N) - Iret - Lzsk = now - 25d1h1d2h - 6mo = -# now - 26d3h - 6mo = now - 627h - 4464h = now - 5091h -# and: Tret(N) = Tdea(N) - Iret = now - 627h -# and: Tpub(N+1) = Tdea(N) - Iret - Ipub = now - 627h - 3h = now - 630h -# and: Tact(N+1) = Tdea(N) - Iret = Tret(N) -# and: Tret(N+1) = Tdea(N) - Iret + Lzsk = now - 627h + 6mo = now + 3837h -TactN="now-5091h" -TretN="now-627h" -TdeaN="now-623h" +# According to RFC 7583: +# Trem(N) = TretZ(N) + IretZ +# TretZ(N) = TactZ(N) + Lcsk +# +# Lcsk: 186d +# Iret: 4h +# IretZ: 26d3h +# +# TactZ(N) = Tnow - IretZ - Lcsk = now - 627h - 186d +# = now - 627h - 4464h = now - 5091h +# TretZ(N) = Tnow - IretZ = now - 627h +# Tact(N) = Tnow - IretZ - Lcsk + Dreg = now - 627h - 186d + 1d = +# now - 627h - 4464h + 24h = now - 5067h +# Tret(N) = Tnow - IretZ + Dreg = now - 627h + 24h +# = Tnow - 603h +# Trem(N) = Tnow +# Tpub(N+1) = Tnow - IretZ - Ipub = now - 627h - 3h = now - 630h +# Tsbm(N+1) = TretZ(N) +# TactZ(N+1) = TretZ(N) +# TretZ(N+1) = Tnow - IretZ + Lcsk = now - 627h + 186d = now + 3837h +# Tact(N+1) = Tret(N) +# Tret(N+1) = Tnow - Iret + Lcsk = now - 4h + 186d = now + 4460h +# Trem(N+1) = Tnow + Lcsk = now + 186d +TactZN="now-5091h" +TretZN="now-627h" +TactN="now-5067h" +TretN="now-603h" +TremN="now" TpubN1="now-630h" -TsbmN1="now-627h" +TsbmN1="${TretZN}" +TactZN1="${TretZN}" +TretZN1="now+3837h" TactN1="${TretN}" -TretN1="now+3837h" -csktimes="-P ${TactN} -A ${TactN} -I ${TretN}" -newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}" +TretN1="now+4460h" +TremN1="now+186d" +csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D 
${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -P -g $H -k $O $TactN -r $H $TdeaN -d $H $TdeaN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -P -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $H -k $O $TactZN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. 
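Review bot: The step-6 derivation `# Tret(N+1) = Tnow - Iret + Lcsk = now - 4h + 186d = now + 4460h` and its `TretN1="now+4460h"` look copied from step 4, where Tnow was Tret(N) + Iret; in this step Tnow is Trem(N) = TretZ(N) + IretZ, and the comment's own `Tact(N+1) = Tret(N)` with `TretN="now-603h"` gives Tret(N+1) = Tret(N) + Lcsk = now - 603h + 4464h = now + 3861h. Step 7 (`@@ -852`) inherits the same value shifted by 2h (`TretN1="now+4458h"`, which would become now+3859h). If the expectations derive RETIRED as ACTIVE plus lifetime, as `set_retired_removed` appears to, fixture and expectation will disagree; if the keymgr is expected to recompute it, a comment saying so would help. The step block continues past the hunk's last line.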
@@ -852,19 +959,36 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Some time later the predecessor DNSKEY enters the HIDDEN state. setup step7.csk-roll.autosign # Subtract DNSKEY TTL plus zone propagation delay from all the times (2h). -TactN="now-5093h" -TretN="now-629h" -TdeaN="now-625h" +# TactZ(N) = now - 5091h - 2h = now - 5093h +# TretZ(N) = now - 627h - 2h = now - 629h +# Tact(N) = now - 5067h - 2h = now - 5069h +# Tret(N) = now - 603h - 2h = now - 605h +# Trem(N) = now - 2h +# Tpub(N+1) = now - 630h - 2h = now - 632h +# Tsbm(N+1) = now - 627h - 2h = now - 629h +# TactZ(N+1) = Tsbm(N+1) +# TretZ(N+1) = now + 3837h - 2h = now + 3835h +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 4460h - 2h = now + 4458h +# Trem(N+1) = now + 186d - 2h = now + 4462h +TactZN="now-5093h" +TretZN="now-629h" +TactN="now-5069h" +TretN="now-605h" +TremN="now-2h" TpubN1="now-632h" -TsbmN1="now-629h" +TsbmN1="${TretZN}" +TactZN1="${TretZN}" +TretZN1="now+3835h" TactN1="${TretN}" -TretN1="now+3835h" -csktimes="-P ${TactN} -A ${TactN} -I ${TretN}" -newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}" +TretN1="now+4458h" +TremN1="now+4462h" +csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $U now-2h -r $H $TdeaN -d $H $TdeaN -z $H $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $O $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactZN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactZN1 "$CSK2" > settime.out.$zone.2 2>&1 # Set key rollover relationship. 
key_successor $CSK1 $CSK2 # Sign zone. @@ -879,12 +1003,17 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # This scenario differs from the above one because the zone signatures (ZRRSIG) # are replaced with the new key sooner than the DS is swapped. # +# +# The activation time for zone signing (ZSK) is different than for chain of +# trust validation (KSK). Therefor, for zone signing we use TactZ and TretZ +# instead of Tact and Tret. +# # Step 1: # Introduce the first key. This will immediately be active. setup step1.csk-roll2.autosign TactN="now" -csktimes="-P ${TactN} -A ${TactN}" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" 
@@ -894,17 +1023,29 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Step 2: # It is time to introduce the new CSK. setup step2.csk-roll2.autosign -# According to RFC 7583: ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub -# According to RFC 7583: KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC -# Also: Ipub = Dprp + TTLkey (+publish-safety) -# Also: IpubC = DprpC + TTLkey (+publish-safety) -# Both sums are almost the same, but the KSK case has Dreg in the equation. -# so: Tact(N) = Tpub(N+1) - Lcsk + Dreg + IpubC = now - 6mo + 1w + 3h = -# now - 4464h + 168h + 3h = now - 4635h -TactN="now-4635h" -csktimes="-P ${TactN} -A ${TactN}" +# According to RFC 7583: +# KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC +# ZSK: Tpub(N+1) <= TactZ(N) + Lzsk - Ipub +# IpubC = DprpC + TTLkey (+publish-safety) +# Ipub = IpubC +# Lcsk = Lksk = Lzsk +# +# Lcsk: 6mo (186d, 4464h) +# Dreg: 1w +# DprpC: 1h +# TTLkey: 1h +# publish-safety: 1h +# Ipub: 3h +# +# Tact(N) = Tnow - Lcsk + Ipub + Dreg = now - 186d + 3h + 1w +# = now - 4464h + 3h + 168h = now - 4293h +# TactZ(N) = Tnow - Lcsk + IpubC = now - 186d + 3h +# = now - 4464h + 3h = now - 4461h +TactN="now-4293h" +TactZN="now-4461h" +csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN}" CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone 13 "$CSK" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 
@@ -912,21 +1053,56 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Step 3: # It is time to submit the DS and to roll signatures. setup step3.csk-roll2.autosign -# According to RFC 7583: Tsbm(N+1) >= Trdy(N+1) -# Also: Tact(N+1) = Tsbm(N+1) + Dreg -# so: Tact(N) = Tsbm(N+1) + Dreg - Lksk = now + 1w - 6mo = now - 179d -# and: Tret(N) = Tsbm(N+1) + Dreg = now + 1w -# and: Tpub(N+1) <= Tsbm(N+1) - IpubC = now - 3h -# and: Tret(N+1) = Tsbm(N+1) + Dreg + Lksk = now + 1w + 6mo = now + 193d +# According to RFC 7583: +# +# Tsbm(N+1) >= Trdy(N+1) +# KSK: Tact(N+1) = Tsbm(N+1) + Dreg +# ZSK: TactZ(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1) +# KSK: Iret = DprpP + TTLds (+retire-safety) +# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety) +# +# Lcsk: 186d +# Dprp: 1h +# DprpP: 1h +# Dreg: 1w +# Dsgn: 12h +# TTLds: 1h +# TTLsig: 1d +# retire-safety: 1h +# Iret: 3h +# IretZ: 38h +# Ipub: 3h +# +# TactZ(N) = Tnow - Lcsk = now - 186d +# TretZ(N) = now +# Tact(N) = Tnow + Dreg - Lcsk = now + 1w - 186d = now - 179d +# Tret(N) = Tnow + Dreg = now + 7d +# Trem(N) = Tnow + Dreg + Iret = now + 1w + 3h = now + 171h +# Tpub(N+1) = Tnow - Ipub = now - 3h +# Tsbm(N+1) = TretZ(N) +# TactZ(N+1) = TretZ(N) +# TretZ(N+1) = Tnow + Lcsk = now + 186d +# Tact(N+1) = Tret(N) +# Tret(N+1) = Tnow + Lcsk + Dreg = now + 186d + 7d = now + 193d +# Trem(N+1) = Tnow + Lcsk + Dreg + Iret = now + 186d + 7d + 3h = +# = now + 193d + 3h = now + 4632h + 3h = now + 4635h +TactZN="now-186d" +TretZN="now" TactN="now-179d" -TretN="now+1w" +TretN="now+7d" +TremN="now+171h" TpubN1="now-3h" +TsbmN1="${TretZN}" +TactZN1="${TretZN}" +TretZN1="now+186d" +TactN1="${TretN}" TretN1="now+193d" -csktimes="-P ${TactN} -A ${TactN} -I ${TretN}" -newtimes="-P ${TpubN1} -A ${TretN} -I ${TretN1}" +TremN1="now+4635h" +csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" CSK1=$($KEYGEN -k 
csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK1" > settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 
@@ -938,31 +1114,54 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Step 4: # Some time later all the ZRRSIG records should be from the new CSK, and the -# DS should be swapped. The ZRRSIG records are all replaced after Iret -# which is Dsgn + Dprp + TTLsig + retire-safety (12h + 1h + 1d + 2h = 38h). -# The DS is swapped after Dreg + DprpP + TTLds + retire-safety -# (1w + 1h + 1h + 1h = 1w3h). In other words, the zone signatures are -# replaced before the DS is swapped. +# DS should be swapped. The ZRRSIG records are all replaced after IretZ (38h). +# The DS is swapped after Dreg + Iret (1w3h). In other words, the zone +# signatures are replaced before the DS is swapped. setup step4.csk-roll2.autosign -# According to RFC 7583: Tdea(N) = Tret(N) + Iret -# Also: Tret(N) = Tact(N) + Lzsk -# Also: Iret = Dsgn + Dprp + TTLsig (+retire-safety) -# so: Tact(N) = Tdea(N) - Iret - Lzsk = now - 38h - 6mo = now - 4502h -# and: Tret(N) = Tdea(N) - Iret = now - 38h -# and: Tpub(N+1) = Tdea(N) - Iret - Ipub = now - 41h -# and: Tact(N+1) = Tdea(N) - Iret = Tret(N) -# and: Tret(N+1) = Tdea(N) - Iret + Lzsk = now - 38h + 6mo = now + 4426h -TactN="now-4502h" -TretN="now-38h" +# According to RFC 7583: +# Trem(N) = Tret(N) + Iret +# Tnow = TretZ(N) + IretZ +# +# Lcsk: 186d +# Dreg: 1w +# Iret: 3h +# IretZ: 38h +# +# TactZ(N) = Tnow - IretZ = Lcsk = now - 38h - 186d +# = now - 38h - 4464h = now - 4502h +# TretZ(N) = Tnow - IretZ = now - 38h +# Tact(N) = Tnow - IretZ - Lcsk + Dreg = now - 38h - 4464h + 168h +# = now - 4334h +# Tret(N) = Tnow - IretZ + Dreg = now - 38h + 168h = now + 130h +# Trem(N) = Tnow - IretZ + Dreg + Iret = now + 130h + 3h = now + 133h +# Tpub(N+1) = Tnow - IretZ - IpubC = now - 38h - 3h = now - 41h +# Tsbm(N+1) = TretZ(N) +# TactZ(N+1) = TretZ(N) +# TretZ(N+1) = Tnow - IretZ + Lcsk = now - 38h + 186d +# = now + 4426h +# Tact(N+1) = Tret(N) +# Tret(N+1) = Tnow - IretZ + Dreg + Lcsk = now - 38h + 168h + 4464h +# = now + 4594h +# 
Trem(N+1) = Tnow - IretZ + Dreg + Lcsk + Iret +# = now + 4594h + 3h = now + 4597h +TactZN="now-4502h" +TretZN="now-38h" +TactN="now-4334h" +TretN="now+130h" +TremN="now+133h" TpubN1="now-41h" +TsbmN1="${TretZN}" +TactZN1="${TretZN}" +TretZN1="now+4426h" TactN1="${TretN}" -TretN1="now+4426" -csktimes="-P ${TactN} -A ${TactN} -I ${TretN}" -newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}" +TretN1="now+4594h" +TremN1="now+4597h" +csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TretN -z $U $TretN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TretN -r $O $TretN -d $R $TretN -z $R $TretN "$CSK2" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $U $TretZN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TactZN1 "$CSK2" > settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. 
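Review bot: The new step-4 derivation has a sign typo: `# TactZ(N) = Tnow - IretZ = Lcsk = now - 38h - 186d` should read `# TactZ(N) = Tnow - IretZ - Lcsk = now - 38h - 186d`, which is what the next line and the assigned `TactZN="now-4502h"` actually compute. In the same block `Tpub(N+1) = Tnow - IretZ - IpubC` uses IpubC where the other derivations in this file use Ipub; the step-2 comment states the two are equal, so using one name throughout would read more consistently.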
@@ -975,18 +1174,38 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Some time later the DS can be swapped and the old DNSKEY can be removed from # the zone. setup step5.csk-roll2.autosign -# Subtract Dreg + Iret (174h). -TactN="now-4676h" -TretN="now-212h" -TpubN1="now-215h" +# Subtract Dreg + Iret (171h) - IretZ (38h) = 133h. +# +# TactZ(N) = now - 4502h - 133h = now - 4635h +# TretZ(N) = now - 38h - 133h = now - 171h +# Tact(N) = now - 4334h = 133h = now - 4467h +# Tret(N) = now + 130h - 133h = now - 3h +# Trem(N) = now + 133h - 133h = now +# Tpub(N+1) = now - 41h - 133h = now - 174h +# Tsbm(N+1) = TretZ(N) +# TactZ(N+1) = TretZ(N) +# TretZ(N+1) = now + 4426h - 133h = now + 4293h +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 4594h - 133h = now + 4461h +# Trem(N+1) = now + 4597h - 133h = now + 4464h = now + 186d +TactZN="now-4635h" +TretZN="now-171h" +TactN="now-4467h" +TretN="now-3h" +TremN="now" +TpubN1="now-174h" +TsbmN1="${TretZN}" +TactZN1="${TretZN}" +TretZN1="now+4293h" TactN1="${TretN}" -TretN1="now+4252h" -csktimes="-P ${TactN} -A ${TactN} -I ${TretN}" -newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}" +TretN1="now+4461h" +TremN1="now+186d" +csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TretN -z $H $TretN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TretN -r $O $TretN -d $R $TretN -z $O $TretN "$CSK2" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $H now-133h "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $O now-133h "$CSK2" > settime.out.$zone.2 2>&1 # Set key 
rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. 
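Review bot: The step-5 derivation has a sign typo: `# Tact(N) = now - 4334h = 133h = now - 4467h` should read `# Tact(N) = now - 4334h - 133h = now - 4467h`, matching the 133h subtraction applied to every other time in this block and the assigned `TactN="now-4467h"`. The rest of the step-5 numbers check out against the step-4 values minus 133h.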
@@ -999,18 +1218,37 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Some time later the predecessor DNSKEY enters the HIDDEN state. setup step6.csk-roll2.autosign # Subtract DNSKEY TTL plus zone propagation delay (2h). -TactN="now-4678h" -TretN="now-214h" -TdeaN="now-2h" -TpubN1="now-217h" +# +# TactZ(N) = now - 4635h - 2h = now - 4637h +# TretZ(N) = now - 171h - 2h = now - 173h +# Tact(N) = now - 4467h - 2h = now - 4469h +# Tret(N) = now - 3h - 2h = now - 5h +# Trem(N) = now - 2h +# Tpub(N+1) = now - 174h - 2h = now - 176h +# Tsbm(N+1) = TretZ(N) +# TactZ(N+1) = TretZ(N) +# TretZ(N+1) = now + 4293h - 2h = now + 4291h +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 4461h - 2h = now + 4459h +# Trem(N+1) = now + 4464h - 2h = now + 4462h +TactZN="now-4637h" +TretZN="now-173h" +TactN="now-4469h" +TretN="now-5h" +TremN="now-2h" +TpubN1="now-176h" +TsbmN1="${TretZN}" +TactZN1="${TretZN}" +TretZN1="now+4291h" TactN1="${TretN}" -TretN1="now+4250h" -csktimes="-P ${TactN} -A ${TactN} -I ${TretN}" -newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1}" +TretN1="now+4459h" +TremN1="now+4462h" +csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $U $TdeaN -r $U $TdeaN -d $H $TretN -z $H $TretN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $O $TretN -z $O $TretN "$CSK2" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1 # Set key rollover 
relationship. key_successor $CSK1 $CSK2 # Sign zone. diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 0a7cae9ee3..ab697c1e4e 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -2670,7 +2670,7 @@ check_next_key_event 1627200 # # Policy parameters. -# Lksk: 60 days (5184000 seconds) +# Lksk: 60 days (16070400 seconds) # Lzsk: 1 year (31536000 seconds) # Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2d) # Iret(KSK): 50h (180000 seconds) @@ -2898,6 +2898,28 @@ check_next_key_event 4813200 # Testing CSK key rollover (1). # +# Policy parameters. +# Lcsk: 186 days (5184000 seconds) +# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2h) +# Iret(KSK): 4h (14400 seconds) +# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (25d) + retire-safety (2h) +# Iret(ZSK): 26d3h (2257200 seconds) +Lcsk=16070400 +IretKSK=14400 +IretZSK=2257200 +IretCSK=$IretZSK + +csk_rollover_predecessor_keytimes() { + _addksktime=$1 + _addzsktime=$2 + + _created=$(key_get KEY1 CREATED) + set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addksktime}" + set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addzsktime}" + set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addzsktime}" + set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}" +} + # # Zone: step1.csk-roll.autosign. # @@ -2907,14 +2929,10 @@ set_server "ns3" "10.53.0.3" # Key properties. key_clear "KEY1" set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "16070400" +set_keylifetime "KEY1" "${Lcsk}" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY1" "yes" set_zonesigning "KEY1" "yes" -# Key timings. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "yes" # The CSK (KEY1) starts in OMNIPRESENT. set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 
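Review bot: The two policy-parameter comments in the hunks at -2670 and -2898 each contradict themselves on the day/second conversion. `# Lksk: 60 days (16070400 seconds)` cannot be right, since 60 days is 5184000 seconds and 16070400 seconds is 186 days (the old comment, `5184000`, was self-consistent, so the new figure looks like a copy of Lcsk); `# Lcsk: 186 days (5184000 seconds)` has the same pair the other way round while the code directly below sets `Lcsk=16070400`. From these hunks alone I cannot tell which lifetime the ksk policy actually uses, so please correct whichever half is wrong in each comment rather than leaving the reader to guess which number the next_key_event arithmetic depends on.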
@@ -2927,16 +2945,20 @@ key_clear "KEY3" key_clear "KEY4" check_keys + +# This key is immediately published and activated. +csk_rollover_predecessor_keytimes 0 0 +check_keytimes + check_apex check_subdomain dnssec_verify -# Next key event is when the successor CSK needs to be published. That is -# the CSK lifetime - prepublication time - DS registration delay. The -# prepublication time is DNSKEY TTL plus publish safety plus the zone -# propagation delay. For the csk-roll policy that means: -# 6mo - 1d - 3h = 15973200 seconds. -check_next_key_event 15973200 +# Next key event is when the successor CSK needs to be published. +# This is Lcsk - Ipub - Dreg. +# Lcsk: 186d (16070400 seconds) +# Ipub: 3h (10800 seconds) +check_next_key_event 16059600 # # Zone: step2.csk-roll.autosign. @@ -2951,10 +2973,6 @@ set_keylifetime "KEY2" "16070400" set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY2" "yes" set_zonesigning "KEY2" "no" -# Key timings. -set_keytime "KEY2" "PUBLISHED" "yes" -set_keytime "KEY2" "ACTIVE" "yes" -set_keytime "KEY2" "RETIRED" "yes" # Key states. set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" @@ -2963,6 +2981,21 @@ set_keystate "KEY2" "STATE_ZRRSIG" "hidden" set_keystate "KEY2" "STATE_DS" "hidden" check_keys + +# This key was activated 4437 hours ago (15973200 seconds) +# and started signing 4461 hours ago (16059600 seconds). +csk_rollover_predecessor_keytimes -15973200 -16059600 +# The new CSK is published now. +created=$(key_get KEY2 CREATED) +set_keytime "KEY2" "PUBLISHED" "${created}" +# The new CSK should publish the CDS after the prepublication time. +# Ipub: 3 hour (10800 seconds) +Ipub="10800" +set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" +set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" +check_keytimes + check_apex check_subdomain dnssec_verify 
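Review bot: The new next-key-event comment in the hunk at -2927 says `# This is Lcsk - Ipub - Dreg.`, but the asserted value 16059600 equals Lcsk - Ipub (16070400 - 10800) with no Dreg term, and the csk-roll2 hunk at -3135 on this page has the same comment-versus-value mismatch. The value is consistent with the successor CSK being prepublished relative to the predecessor's signing activation rather than its DS registration, so the comment line should drop `- Dreg`, or state explicitly why Dreg does not enter here. As written it also lists the Lcsk and Ipub figures but never gives the Dreg figure it claims to subtract.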
@@ -2993,6 +3026,19 @@ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" set_keystate "KEY2" "STATE_DS" "rumoured" check_keys + +# This key was activated 185 days ago (15984000 seconds) +# and started signing 186 days ago (16070400 seconds). +csk_rollover_predecessor_keytimes -15984000 -16070400 +# The new CSK is published three hours ago, CDS must be published now. +# Also signatures are being introduced now. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}" +set_keytime "KEY2" "SYNCPUBLISH" "${created}" +set_keytime "KEY2" "ACTIVE" "${created}" +set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" +check_keytimes + check_apex # Subdomain still has good signatures of old CSK (KEY1). # Set expected zone signing on for KEY1 and off for KEY2, @@ -3020,7 +3066,7 @@ set_zone "step4.csk-roll.autosign" set_policy "csk-roll" "2" "3600" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) is no longer signing the DNSKEY RRset. -set_keysigning "KEY1" "no" +set_keysigning "KEY1" "no" # The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public # but can remove the KRRSIG records. set_keystate "KEY1" "STATE_KRRSIG" "unretentive" @@ -3029,6 +3075,19 @@ set_keystate "KEY1" "STATE_DS" "hidden" set_keystate "KEY2" "STATE_DS" "omnipresent" check_keys + +# This key was activated 4468 hours ago (16084800 seconds) +# and started signing 4492 hours ago (16171200 seconds). +csk_rollover_predecessor_keytimes -16084800 -16171200 +# The new CSK started signing 1d4h ago (100800 seconds). +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "ACTIVE" "${created}" -100800 +set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -100800 +syncpub=$(key_get KEY2 SYNCPUBLISH) +set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" +set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" +check_keytimes + check_apex check_subdomain dnssec_verify 
@@ -3048,6 +3107,19 @@ set_server "ns3" "10.53.0.3" set_keystate "KEY1" "STATE_KRRSIG" "hidden" check_keys + +# This key was activated 4470 hours ago (16092000 seconds) +# and started signing 4494 hours ago (16178400 seconds). +csk_rollover_predecessor_keytimes -16092000 -16178400 +# The new CSK started signing 1d6h ago (108000 seconds). +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "ACTIVE" "${created}" -108000 +set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -108000 +syncpub=$(key_get KEY2 SYNCPUBLISH) +set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" +set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" +check_keytimes + check_apex check_subdomain dnssec_verify @@ -3073,6 +3145,19 @@ set_keystate "KEY1" "STATE_ZRRSIG" "hidden" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" check_keys + +# This key was activated 5067 hours ago (18241200 seconds) +# and started signing 5091 hours ago (18327600 seconds). +csk_rollover_predecessor_keytimes -18241200 -18327600 +# The new CSK is activated 627 hours ago (2257200 seconds). +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200 +set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2257200 +syncpub=$(key_get KEY2 SYNCPUBLISH) +set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" +set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" +check_keytimes + check_apex check_subdomain dnssec_verify 
@@ -3092,20 +3177,48 @@ set_server "ns3" "10.53.0.3" set_keystate "KEY1" "STATE_DNSKEY" "hidden" check_keys + +# This key was activated 5069 hours ago (18248400 seconds) +# and started signing 5093 hours ago (18334800 seconds). +csk_rollover_predecessor_keytimes -18248400 -18334800 +# The new CSK is activated 629 hours ago (2264400 seconds). +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400 +set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2264400 +syncpub=$(key_get KEY2 SYNCPUBLISH) +set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" +set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" +check_keytimes + check_apex check_subdomain dnssec_verify -# Next key event is when the new successor needs to be published. This is the -# CSK lifetime minus Ipub minus Dreg minus Iret minus DNSKEY TTL minus zone -# propagation delay. For the csk-roll this is: -# 6mo - 3h - 1d - 26d3h - 1h - 1h = 6mo - 27d8h = 13708800 seconds. -check_next_key_event 13708800 +# Next key event is when the new successor needs to be published. +# This is the Lcsk, minus time passed since the key started signing, +# minus the prepublication time. +# Lcsk: 186d (16070400 seconds) +# Time passed: 629h (2264400 seconds) +# Ipub: 3h (10800 seconds) +check_next_key_event 13795200 # # Testing CSK key rollover (2). # +# Policy parameters. +# Lcsk: 186 days (16070400 seconds) +# Dreg: : 1w (604800 seconds) +# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (1h) +# Iret(KSK): 3h (10800 seconds) +# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (12h) + retire-safety (1h) +# Iret(ZSK): 38h (136800 seconds) +Lcsk=16070400 +Dreg=604800 +IretKSK=10800 +IretZSK=136800 +IretCSK=$((Dreg+IretKSK)) + # # Zone: step1.csk-roll2.autosign. # 
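Review bot: The csk-roll2 policy-parameter comment has a stray colon, `# Dreg: : 1w (604800 seconds)`; it should read `# Dreg: 1w (604800 seconds)` like the other entries. The line `IretCSK=$((Dreg+IretKSK))` (615600) differs from the csk-roll block above, where `IretCSK=$IretZSK`, because here the KSK-side interval including Dreg is the larger of the two; a one-line comment saying that the CSK removal interval is the larger of the KSK and ZSK intervals would spare the next reader from re-deriving why the two sections pick different sides.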
@@ -3135,16 +3248,20 @@ key_clear "KEY3" key_clear "KEY4" check_keys + +# This key is immediately published and activated. +csk_rollover_predecessor_keytimes 0 0 +check_keytimes + check_apex check_subdomain dnssec_verify -# Next key event is when the successor CSK needs to be published. That is -# the CSK lifetime - prepublication time - DS registration delay. The -# prepublication time is DNSKEY TTL plus publish safety plus the zone -# propagation delay. For the csk-roll2 policy that means: -# 6mo - 3h - 1w = 15454800 seconds. -check_next_key_event 15454800 +# Next key event is when the successor CSK needs to be published. +# This is Lcsk - Ipub - Dreg. +# Lcsk: 186d (16070400 seconds) +# Ipub: 3h (10800 seconds) +check_next_key_event 16059600 # # Zone: step2.csk-roll2.autosign. @@ -3171,6 +3288,20 @@ set_keystate "KEY2" "STATE_ZRRSIG" "hidden" set_keystate "KEY2" "STATE_DS" "hidden" check_keys + +# This key was activated 4293 hours ago (15454800 seconds) +# and started signing 4461 hours ago (16059600 seconds). +csk_rollover_predecessor_keytimes -15454800 -16059600 +# The new CSK is published now. +created=$(key_get KEY2 CREATED) +set_keytime "KEY2" "PUBLISHED" "${created}" +# The new CSK should publish the CDS after the prepublication time. +# Ipub: 3 hour (10800 seconds) +Ipub="10800" +set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" +set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" + check_apex check_subdomain dnssec_verify 
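Review bot: The step-2 csk-roll2 block in the hunk at -3288 sets the expected key times for KEY1 and KEY2 but never calls `check_keytimes`, so none of those expectations are verified; the parallel csk-roll block at -2963 ends with `check_keytimes` before `check_apex`. Add `check_keytimes` directly after `set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"`. Without it a regression in the PublishCDS or Active time of the new CSK would pass this step unnoticed.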
@@ -3200,6 +3331,19 @@ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" set_keystate "KEY2" "STATE_DS" "rumoured" check_keys + +# This key was activated 179 days ago (15465600 seconds) +# and started signing 186 days ago (16070400 seconds). +csk_rollover_predecessor_keytimes -15465600 -16070400 +# The new CSK is published three hours ago, CDS must be published now. +# Also signatures are being introduced now. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}" +set_keytime "KEY2" "SYNCPUBLISH" "${created}" +set_keytime "KEY2" "ACTIVE" "${created}" +set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" +check_keytimes + check_apex # Subdomain still has good signatures of old CSK (KEY1). # Set expected zone signing on for KEY1 and off for KEY2, @@ -3233,6 +3377,19 @@ set_keystate "KEY1" "STATE_ZRRSIG" "hidden" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" check_keys + +# This key was activated 4334 hours ago (15602400 seconds) +# and started signing 4502 hours ago (16207200 seconds). +csk_rollover_predecessor_keytimes -15602400 -16207200 +# The new CSK was published 41 hours (147600 seconds) ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" +set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" +check_keytimes + check_apex check_subdomain dnssec_verify 
@@ -3261,6 +3418,19 @@ set_keystate "KEY1" "STATE_DS" "hidden" set_keystate "KEY2" "STATE_DS" "omnipresent" check_keys + +# This key was activated 4467 hours ago (16081200 seconds) +# and started signing 4635 hours ago (16686000 seconds). +csk_rollover_predecessor_keytimes -16081200 -16686000 +# The new CSK was published 174 hours (626400 seconds) ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -626400 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" +set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" +check_keytimes + check_apex check_subdomain dnssec_verify @@ -3281,12 +3451,28 @@ set_keystate "KEY1" "STATE_DNSKEY" "hidden" set_keystate "KEY1" "STATE_KRRSIG" "hidden" check_keys + +# This key was activated 4469 hours ago (16088400 seconds) +# and started signing 4637 hours ago (16693200 seconds). +csk_rollover_predecessor_keytimes -16088400 -16693200 +# The new CSK was published 176 hours (633600 seconds) ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -633600 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" +set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" +check_keytimes + check_apex check_subdomain dnssec_verify # Next key event is when the new successor needs to be published. -check_next_key_event 14684400 +# This is the Lcsk, minus time passed since the key was published. +# Lcsk: 186d (16070400 seconds) +# Time passed: 176h (633600 seconds) +check_next_key_event 15436800 # # Testing algorithm rollover. diff --git a/lib/dns/keymgr.c b/lib/dns/keymgr.c index 2735fecacb..9a5480e24c 100644 --- a/lib/dns/keymgr.c +++ b/lib/dns/keymgr.c 
@@ -121,6 +121,10 @@ keymgr_settime_remove(dns_dnsseckey_t *key, dns_kasp_t *kasp) {
 dns_kasp_parentpropagationdelay(kasp) +
 dns_kasp_retiresafety(kasp);
 }
+ if (zsk && ksk) {
+ ksk_remove += dns_kasp_parentregistrationdelay(kasp);
+ }
+
 remove = ksk_remove > zsk_remove ? ksk_remove : zsk_remove;
 dst_key_settime(key->key, DST_TIME_DELETE, remove);
 }
@@ -183,7 +187,7 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 uint32_t lifetime, isc_stdtime_t now) {
 isc_result_t ret;
 isc_stdtime_t active, retire, pub, prepub;
- bool ksk = false;
+ bool zsk = false, ksk = false;
 REQUIRE(key != NULL);
 REQUIRE(key->key != NULL);
@@ -244,7 +248,10 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
 dst_key_settime(key->key, DST_TIME_SYNCPUBLISH, syncpub);
 }
+ }
+ (void)dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk);
+ if (!zsk && ksk) {
 /*
 * Include registration delay in prepublication time.
 */
@@ -1697,6 +1704,8 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 dst_key_id(newkey->key));
 (void)dst_key_gettime(active_key->key, DST_TIME_INACTIVE, &retire);
+ active = retire;
+
 /*
 * If prepublication time and/or retire time are
 * in the past (before the new key was created), use
@@ -1704,16 +1713,15 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
 * effectively immediately making the key active.
 */
 if (prepub < created) {
- retire += (created - prepub);
+ active += (created - prepub);
 prepub = created;
 }
- if (retire < created) {
- retire = created;
+ if (active < created) {
+ active = created;
 }
 dst_key_settime(newkey->key, DST_TIME_PUBLISH, prepub);
- dst_key_settime(newkey->key, DST_TIME_ACTIVATE, retire);
+ dst_key_settime(newkey->key, DST_TIME_ACTIVATE, active);
 keymgr_settime_syncpublish(newkey, kasp, false);
- active = retire;
 }
 /* This key wants to be present. */
From da5e1e3a0fc57f00a83eb77d21aee2cbae01e8cb Mon Sep 17 00:00:00 2001
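Review bot: The `if (zsk && ksk)` branch added to keymgr_settime_remove carries no comment saying why a CSK's KSK-side removal time gains the parent registration delay, and it is the counterpart of the `if (!zsk && ksk)` change in keymgr_prepublication_time further down this file, where the same delay is now left out for a CSK. Suggest `/* For a CSK the DS swap also waits for the parent registration delay; keymgr_prepublication_time omits it for CSKs for the same reason. */` above the new branch, so the two sites are not adjusted independently later. The function's declarations of zsk and ksk are outside the hunk; I am assuming zsk is read from DST_BOOL_ZSK there the way ksk is.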
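Review bot: `(void)dst_key_getbool(key->key, DST_BOOL_ZSK, &zsk)` discards its result, and with `zsk` initialised to false in the same function a key whose ZSK flag cannot be read is treated as a pure KSK and has the registration delay added to its prepublication time. If that fallback is intended, a comment on the call such as `/* A missing ZSK flag is treated as "not a CSK". */` would make it explicit; otherwise the result should be checked, as the earlier DST_BOOL_KSK lookup presumably is (that lookup is outside the hunk). The existing comment `Include registration delay in prepublication time.` now sits under a narrower condition and should say that CSKs are excluded.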
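Review bot: After this hunk `retire` keeps the predecessor's raw Retired time and only `active` is shifted and clamped to `created`, whereas before the change `retire` itself was adjusted and then copied into `active`. That is right for the PUBLISH and ACTIVATE settime calls shown here, but dns_keymgr_run continues past the hunk, so any later read of `retire` in this function that relied on the clamped value now sees the unclamped one; worth a quick check. A short comment on the new `active = retire;` line, such as `/* The successor becomes active when the predecessor retires. */`, would also record the intent.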
From: Matthijs Mekking Date: Tue, 12 May 2020 17:12:21 +0200 Subject: [PATCH 14/17] Test keytimes on policy changes This improves keytime testing on reconfiguration of the dnssec-policy. --- bin/tests/system/kasp/clean.sh | 2 +- bin/tests/system/kasp/ns6/setup.sh | 4 +- bin/tests/system/kasp/tests.sh | 253 +++++++++++++++++++++++------ 3 files changed, 210 insertions(+), 49 deletions(-) diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh index ab48689a30..95c5781535 100644 --- a/bin/tests/system/kasp/clean.sh +++ b/bin/tests/system/kasp/clean.sh @@ -23,4 +23,4 @@ rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.* rm -f ns*/managed-keys.bind rm -f ns*/*.mkeys rm -f ns*/zones* ns*/*.db.infile -rm -f *.created published.test* +rm -f *.created published.test* retired.test* diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh index e7813fdabd..0d978844bd 100644 --- a/bin/tests/system/kasp/ns6/setup.sh +++ b/bin/tests/system/kasp/ns6/setup.sh @@ -97,7 +97,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer setup step1.algorithm-roll.kasp echo "$zone" >> zones TactN="now" -ksktimes="-P ${TactN} -A ${TactN}" +ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN}" KSK=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) @@ -266,7 +266,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer setup step1.csk-algorithm-roll.kasp echo "$zone" >> zones TactN="now" -csktimes="-P ${TactN} -A ${TactN}" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) $SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" 
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index ab697c1e4e..20ff30e69d 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -2464,12 +2464,12 @@ rollover_predecessor_keytimes() { set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" - set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" + [ "$Lksk" == 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" _created=$(key_get KEY2 CREATED) set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}" set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}" - set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" + [ "$Lzsk" == 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" } # Key properties. @@ -2917,7 +2917,7 @@ csk_rollover_predecessor_keytimes() { set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addksktime}" set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addzsktime}" set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addzsktime}" - set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}" + [ "$Lcsk" == 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}" } # @@ -3500,12 +3500,7 @@ set_keysigning "KEY2" "no" set_zonesigning "KEY2" "yes" key_clear "KEY3" key_clear "KEY4" -# Key timings. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY2" "PUBLISHED" "yes" -set_keytime "KEY2" "ACTIVE" "yes" # The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" @@ -3517,6 +3512,15 @@ set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" check_keys + +# These keys are immediately published and activated. +Lksk=0 +Lzsk=0 +IretKSK=0 +IretZSK=0 +rollover_predecessor_keytimes 0 +check_keytimes + check_apex check_subdomain dnssec_verify 
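Review bot: `[ "$Lksk" == 0 ] || set_retired_removed ...` (and the `$Lzsk` line in the same hunk at -2464, plus the `$Lcsk` line in the hunk at -2917) uses `==` inside `[ ]`, which is not a POSIX test operator; if tests.sh runs under a plain /bin/sh such as dash this fails with an "unexpected operator" error instead of comparing. Use the portable form, `[ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"`, or `-eq` since these are integers. The enclosing functions start outside the hunks.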
@@ -3542,9 +3546,6 @@ set_zonesigning "KEY1" "yes" key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" -# Key timings. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" # The CSK (KEY1) starts in OMNIPRESENT. set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" @@ -3553,6 +3554,13 @@ set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" set_keystate "KEY1" "STATE_DS" "omnipresent" check_keys + +# This key is immediately published and activated. +Lcsk=0 +IretCSK=0 +csk_rollover_predecessor_keytimes 0 0 +check_keytimes + check_apex check_subdomain dnssec_verify @@ -3589,17 +3597,11 @@ init_migration_match() { key_clear "KEY3" key_clear "KEY4" - set_keytime "KEY1" "PUBLISHED" "yes" - set_keytime "KEY1" "ACTIVE" "yes" - set_keytime "KEY1" "RETIRED" "none" set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_DS" "rumoured" - set_keytime "KEY2" "PUBLISHED" "yes" - set_keytime "KEY2" "ACTIVE" "yes" - set_keytime "KEY2" "RETIRED" "none" set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" @@ -3608,6 +3610,11 @@ init_migration_match # Make sure the zone is signed with legacy keys. check_keys + +# These keys are immediately published and activated. +rollover_predecessor_keytimes 0 +check_keytimes + check_apex check_subdomain dnssec_verify 
@@ -3641,17 +3648,11 @@ init_migration_nomatch_algnum() { key_clear "KEY3" key_clear "KEY4" - set_keytime "KEY1" "PUBLISHED" "yes" - set_keytime "KEY1" "ACTIVE" "yes" - set_keytime "KEY1" "RETIRED" "none" set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_DS" "omnipresent" - set_keytime "KEY2" "PUBLISHED" "yes" - set_keytime "KEY2" "ACTIVE" "yes" - set_keytime "KEY2" "RETIRED" "none" set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" @@ -3660,6 +3661,23 @@ init_migration_nomatch_algnum # Make sure the zone is signed with legacy keys. check_keys + +# The KSK is immediately published and activated. +# -P : now-3900s +# -P sync: now-24h +# -A : now-3900s +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400 +# The ZSK is immediately published and activated. +# -P: now-12h +# -A: now-12h +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -43200 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +check_keytimes + check_apex check_subdomain dnssec_verify @@ -3693,17 +3711,11 @@ init_migration_nomatch_alglen() { key_clear "KEY3" key_clear "KEY4" - set_keytime "KEY1" "PUBLISHED" "yes" - set_keytime "KEY1" "ACTIVE" "yes" - set_keytime "KEY1" "RETIRED" "none" set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_DS" "omnipresent" - set_keytime "KEY2" "PUBLISHED" "yes" - set_keytime "KEY2" "ACTIVE" "yes" - set_keytime "KEY2" "RETIRED" "none" set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 
@@ -3712,6 +3724,23 @@ init_migration_nomatch_alglen # Make sure the zone is signed with legacy keys. check_keys + +# The KSK is immediately published and activated. +# -P : now-3900s +# -P sync: now-24h +# -A : now-3900s +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400 +# The ZSK is immediately published and activated. +# -P: now-12h +# -A: now-12h +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -43200 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +check_keytimes + check_apex check_subdomain dnssec_verify @@ -3769,13 +3798,27 @@ set_server "ns6" "10.53.0.6" # Key properties, timings and metadata should be the same as legacy keys above. # However, because the zsk has a lifetime, kasp will set the retired time. init_migration_match - key_set "KEY1" "LEGACY" "no" - key_set "KEY2" "LEGACY" "no" -set_keytime "KEY2" "RETIRED" "yes" check_keys + +rollover_predecessor_keytimes 0 +# Key now has lifetime of 60 days (5184000 seconds). +# The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety. +# TTLsig: 1d (86400 seconds) +# Dprp: 5m (300 seconds) +# Dsgn: 9d (777600 seconds) +# retire-safety: 1h (3600 seconds) +# IretZSK: 10d65m (867900 seconds) +IretZSK=867900 +Lzsk=5184000 +active=$(key_get KEY2 ACTIVE) +set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}" +retired=$(key_get KEY2 RETIRED) +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" +check_keytimes + check_apex check_subdomain dnssec_verify @@ -3798,11 +3841,9 @@ set_server "ns6" "10.53.0.6" init_migration_nomatch_algnum key_set "KEY1" "LEGACY" "no" -set_keytime "KEY1" "RETIRED" "yes" set_keystate "KEY1" "GOAL" "hidden" key_set "KEY2" "LEGACY" "no" -set_keytime "KEY2" "RETIRED" "yes" set_keystate "KEY2" "GOAL" "hidden" set_keyrole "KEY3" "ksk" 
@@ -3817,22 +3858,82 @@ set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY4" "no" set_zonesigning "KEY4" "yes" -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" -set_keytime "KEY3" "RETIRED" "none" set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" set_keystate "KEY3" "STATE_DS" "hidden" -set_keytime "KEY4" "PUBLISHED" "yes" -set_keytime "KEY4" "ACTIVE" "yes" -set_keytime "KEY4" "RETIRED" "yes" set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "rumoured" check_keys + +# KSK must be retired since it no longer matches the policy. +# -P : now-3900s +# -P sync: now-24h +# -A : now-3900s +# The key is removed after the retire interval: +# IretKSK = TTLds + DprpP + retire_safety. +# TTLds: 2h (7200 seconds) +# Dprp: 1h (3600 seconds) +# retire-safety: 1h (3600 seconds) +# IretKSK: 4h (14400 seconds) +IretKSK=14400 +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400 +keyfile=$(key_get KEY1 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk +retired=$(awk '{print $3}' < retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" + +# ZSK must be retired since it no longer matches the policy. +# -P: now-12h +# -A: now-12h +# The key is removed after the retire interval: +# IretZSK = TTLsig + Dprp + Dsgn + retire-safety. 
+# TTLsig: 11h (39600 seconds) +# Dprp: 1h (3600 seconds) +# Dsgn: 9d (777600 seconds) +# retire-safety: 1h (3600 seconds) +# IretZSK: 9d13h (824400 seconds) +IretZSK=824400 +Lzsk=5184000 +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -43200 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +keyfile=$(key_get KEY2 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk +retired=$(awk '{print $3}' < retired.test${n}.zsk) +set_keytime "KEY2" "RETIRED" "${retired}" +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" + +# The new KSK is immediately published and activated. +created=$(key_get KEY3 CREATED) +set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "ACTIVE" "${created}" +# It takes TTLsig + Dprp + publish-safety hours to propagate +# the zone. +# TTLsig: 11h (39600 seconds) +# Dprp: 1h (3600 seconds) +# publish-safety: 1h (3600 seconds) +# Ipub: 13h (46800 seconds) +Ipub=46800 +set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" + +# The ZSK is immediately published and activated. +created=$(key_get KEY4 CREATED) +set_keytime "KEY4" "PUBLISHED" "${created}" +set_keytime "KEY4" "ACTIVE" "${created}" +active=$(key_get KEY4 ACTIVE) +set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" +retired=$(key_get KEY4 RETIRED) +set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" +check_keytimes + check_apex check_subdomain dnssec_verify 
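Review bot: `retired=$(awk '{print $3}' < retired.test${n}.ksk)` is unguarded: if `grep "; Inactive:"` matches nothing, `retired` is empty and the following `set_keytime "KEY1" "RETIRED" ""` / `set_addkeytime "KEY1" "REMOVED" "" "${IretKSK}"` fail inside the time conversion rather than reporting that the key file lacks the metadata. A check after each of the two awk lines (KEY1 and KEY2), e.g. `[ -n "$retired" ] || { echo_i "no Inactive time in ${keyfile}.key"; ret=1; }`, would pin the failure to the real cause; `echo_i` and `ret` are already used in this file. Minor: the formula comment says `IretKSK = TTLds + DprpP + retire_safety` while the breakdown line below it says `Dprp: 1h`, so one of the two spellings should be aligned with the other.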
@@ -3875,22 +3976,82 @@ set_keysigning "KEY4" "no" # This key is considered to be prepublished, so it is not yet signing. set_zonesigning "KEY4" "no" -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" -set_keytime "KEY3" "RETIRED" "none" set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" set_keystate "KEY3" "STATE_DS" "hidden" -set_keytime "KEY4" "PUBLISHED" "yes" -set_keytime "KEY4" "ACTIVE" "yes" -set_keytime "KEY4" "RETIRED" "yes" set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "hidden" check_keys + +# KSK must be retired since it no longer matches the policy. +# -P : now-3900s +# -P sync: now-24h +# -A : now-3900s +# The key is removed after the retire interval: +# IretKSK = TTLds + DprpP + retire_safety. +# TTLds: 2h (7200 seconds) +# Dprp: 1h (3600 seconds) +# retire-safety: 1h (3600 seconds) +# IretKSK: 4h (14400 seconds) +IretKSK=14400 +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400 +keyfile=$(key_get KEY1 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk +retired=$(awk '{print $3}' < retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" + +# ZSK must be retired since it no longer matches the policy. +# -P: now-12h +# -A: now-12h +# The key is removed after the retire interval: +# IretZSK = TTLsig + Dprp + Dsgn + retire-safety. 
+# TTLsig: 11h (39600 seconds) +# Dprp: 1h (3600 seconds) +# Dsgn: 9d (777600 seconds) +# publish-safety: 1h (3600 seconds) +# IretZSK: 9d13h (824400 seconds) +IretZSK=824400 +Lzsk=5184000 +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -43200 +set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 +keyfile=$(key_get KEY2 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk +retired=$(awk '{print $3}' < retired.test${n}.zsk) +set_keytime "KEY2" "RETIRED" "${retired}" +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" + +# The new KSK is immediately published and activated. +created=$(key_get KEY3 CREATED) +set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "ACTIVE" "${created}" +# It takes TTLsig + Dprp + publish-safety hours to propagate +# the zone. +# TTLsig: 11h (39600 seconds) +# Dprp: 1h (3600 seconds) +# publish-safety: 1h (3600 seconds) +# Ipub: 13h (46800 seconds) +Ipub=46800 +set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" + +# The ZSK is immediately published and activated. +created=$(key_get KEY4 CREATED) +set_keytime "KEY4" "PUBLISHED" "${created}" +set_keytime "KEY4" "ACTIVE" "${created}" +active=$(key_get KEY4 ACTIVE) +set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" +retired=$(key_get KEY4 RETIRED) +set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" +check_keytimes + check_apex check_subdomain dnssec_verify From 61c1040ae5fabcac36f0f88c4206120b3261c9bb Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Wed, 13 May 2020 17:12:23 +0200 Subject: [PATCH 15/17] Test keytimes on algorithm rollover This improves keytime testing on algorithm rollover. It now tests for specific times, and also tests for SyncPublish and Removed keytimes. --- bin/tests/system/kasp/ns6/setup.sh | 79 ++++--- bin/tests/system/kasp/tests.sh | 342 +++++++++++++++++++++++++++-- 2 files changed, 371 insertions(+), 50 deletions(-) 
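Review bot: In the ZSK retire-interval breakdown, `# publish-safety: 1h (3600 seconds)` labels the term that the formula line above it (`IretZSK = TTLsig + Dprp + Dsgn + retire-safety`) calls retire-safety; the otherwise identical block in the previous migration test says `# retire-safety: 1h (3600 seconds)`, and the 824400-second total is the retire-safety sum. Change the label to `# retire-safety: 1h (3600 seconds)`. The `grep "; Inactive:"` / awk extraction here has the same unguarded-empty-result weakness as in the previous test and would benefit from the same `[ -n "$retired" ]` check.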
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh index 0d978844bd..536b1cb619 100644 --- a/bin/tests/system/kasp/ns6/setup.sh +++ b/bin/tests/system/kasp/ns6/setup.sh @@ -114,11 +114,13 @@ setup step2.algorithm-roll.kasp # The time passed since the new algorithm keys have been introduced is 3 hours. TactN="now-3h" TpubN1="now-3h" -TactN1="now+6h" -ksk1times="-P ${TactN} -A ${TactN} -I now" -zsk1times="-P ${TactN} -A ${TactN} -I now" -ksk2times="-P ${TpubN1} -A ${TpubN1}" -zsk2times="-P ${TpubN1} -A ${TactN1}" +# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety = +# now - 3h + 6h + 1h + 1h = now + 5h +TsbmN1="now+5h" +ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now" +zsk1times="-P ${TactN} -A ${TactN} -I now" +ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" +zsk2times="-P ${TpubN1} -A ${TpubN1}" KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) 
@@ -142,12 +144,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer setup step3.algorithm-roll.kasp # The time passed since the new algorithm keys have been introduced is 9 hours. TactN="now-9h" +TretN="now-6h" TpubN1="now-9h" -TactN1="now" -ksk1times="-P ${TactN} -A ${TactN} -I now" -zsk1times="-P ${TactN} -A ${TactN} -I now" -ksk2times="-P ${TpubN1} -A ${TactN1}" -zsk2times="-P ${TpubN1} -A ${TactN1}" +TsbmN1="now-1h" +ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" +ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" +zsk2times="-P ${TpubN1} -A ${TpubN1}" KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) @@ -171,12 +174,14 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer setup step4.algorithm-roll.kasp # The time passed since the DS has been swapped is 29 hours. TactN="now-38h" +TretN="now-35h" TpubN1="now-38h" +TsbmN1="now-30h" TactN1="now-29h" -ksk1times="-P ${TactN} -A ${TactN} -I now" -zsk1times="-P ${TactN} -A ${TactN} -I now" -ksk2times="-P ${TpubN1} -A ${TactN1}" -zsk2times="-P ${TpubN1} -A ${TactN1}" +ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" +ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" +zsk2times="-P ${TpubN1} -A ${TpubN1}" KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) 
@@ -200,13 +205,15 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer setup step5.algorithm-roll.kasp # The time passed since the DNSKEY has been removed is 2 hours. TactN="now-40h" -TpubN1="now-40h" -TactN1="now-31h" +TretN="now-37h" TremN="now-2h" -ksk1times="-P ${TactN} -A ${TactN} -I now" -zsk1times="-P ${TactN} -A ${TactN} -I now" -ksk2times="-P ${TpubN1} -A ${TactN1}" -zsk2times="-P ${TpubN1} -A ${TactN1}" +TpubN1="now-40h" +TsbmN1="now-32h" +TactN1="now-31h" +ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" +ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" +zsk2times="-P ${TpubN1} -A ${TpubN1}" KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) @@ -230,14 +237,16 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer setup step6.algorithm-roll.kasp # Additional time passed: 7h. TactN="now-47h" +TretN="now-44h" +TremN="now-7h" TpubN1="now-47h" +TsbmN1="now-39h" TactN1="now-38h" TdeaN="now-9h" -TremN="now-7h" -ksk1times="-P ${TactN} -A ${TactN} -I now" -zsk1times="-P ${TactN} -A ${TactN} -I now" -ksk2times="-P ${TpubN1} -A ${TactN1}" -zsk2times="-P ${TpubN1} -A ${TactN1}" +ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" +zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}" +ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}" +zsk2times="-P ${TpubN1} -A ${TpubN1}" KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1) ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2) KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3) 
@@ -279,7 +288,7 @@ setup step2.csk-algorithm-roll.kasp # The time passed since the new algorithm keys have been introduced is 3 hours. TactN="now-3h" TpubN1="now-3h" -csktimes="-P ${TactN} -A ${TactN} -I now" +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now" newtimes="-P ${TpubN1} -A ${TpubN1}" CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) @@ -297,9 +306,10 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig setup step3.csk-algorithm-roll.kasp # The time passed since the new algorithm keys have been introduced is 9 hours. TactN="now-9h" +TretN="now-6h" TpubN1="now-9h" TactN1="now-6h" -csktimes="-P ${TactN} -A ${TactN} -I now" +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" newtimes="-P ${TpubN1} -A ${TpubN1}" CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) @@ -317,10 +327,11 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig setup step4.csk-algorithm-roll.kasp # The time passed since the DS has been swapped is 29 hours. TactN="now-38h" +TretN="now-35h" TpubN1="now-38h" TactN1="now-35h" TsubN1="now-29h" -csktimes="-P ${TactN} -A ${TactN} -I now" +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" newtimes="-P ${TpubN1} -A ${TpubN1}" CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) 
@@ -338,11 +349,12 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig setup step5.csk-algorithm-roll.kasp # The time passed since the DNSKEY has been removed is 2 hours. TactN="now-40h" +TretN="now-37h" +TremN="now-2h" TpubN1="now-40h" TactN1="now-37h" TsubN1="now-31h" -TremN="now-2h" -csktimes="-P ${TactN} -A ${TactN} -I now" +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" newtimes="-P ${TpubN1} -A ${TpubN1}" CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) @@ -360,12 +372,13 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > sig setup step6.csk-algorithm-roll.kasp # Additional time passed: 7h. TactN="now-47h" +TretN="now-44h" +TdeaN="now-9h" +TremN="now-7h" TpubN1="now-47h" TactN1="now-44h" TsubN1="now-38h" -TdeaN="now-9h" -TremN="now-7h" -csktimes="-P ${TactN} -A ${TactN} -I now" +csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" newtimes="-P ${TpubN1} -A ${TpubN1}" CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 20ff30e69d..da6e5cffff 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -4068,6 +4068,12 @@ status=$((status+ret)) # Testing KSK/ZSK algorithm rollover. # +# Policy parameters. +# Lksk: unlimited +# Lzsk: unlimited +Lksk=0 +Lzsk=0 + # # Zone: step1.algorithm-roll.kasp # 
@@ -4103,35 +4109,77 @@ set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" set_keysigning "KEY4" "no" set_zonesigning "KEY4" "yes" # The RSAHSHA1 keys are outroducing. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "yes" set_keystate "KEY1" "GOAL" "hidden" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_DS" "omnipresent" - -set_keytime "KEY2" "PUBLISHED" "yes" -set_keytime "KEY2" "ACTIVE" "yes" -set_keytime "KEY2" "RETIRED" "yes" set_keystate "KEY2" "GOAL" "hidden" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" + # The ECDSAP256SHA256 keys are introducing. -set_keytime "KEY3" "PUBLISHED" "yes" -set_keytime "KEY3" "ACTIVE" "yes" set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" set_keystate "KEY3" "STATE_DS" "hidden" - -set_keytime "KEY4" "PUBLISHED" "yes" -set_keytime "KEY4" "ACTIVE" "yes" set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "rumoured" check_keys + +# The old keys are published and activated. +rollover_predecessor_keytimes 0 + +# KSK must be retired since it no longer matches the policy. +keyfile=$(key_get KEY1 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk +retired=$(awk '{print $3}' < retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" +# The key is removed after the retire interval: +# IretKSK = TTLds + DprpP + retire-safety +# TTLds: 2h (7200 seconds) +# DprpP: 1h (3600 seconds) +# retire-safety: 2h (7200 seconds) +# IretKSK: 5h (18000 seconds) +IretKSK=18000 +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" + +# ZSK must be retired since it no longer matches the policy. 
+keyfile=$(key_get KEY2 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk +retired=$(awk '{print $3}' < retired.test${n}.zsk) +set_keytime "KEY2" "RETIRED" "${retired}" +# The key is removed after the retire interval: +# IretZSK = TTLsig + Dprp + Dsgn + retire-safety +# TTLsig: 6h (21600 seconds) +# Dprp: 1h (3600 seconds) +# Dsgn: 25d (2160000 seconds) +# retire-safety: 2h (7200 seconds) +# IretZSK: 25d9h (2192400 seconds) +IretZSK=2192400 +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" + +# The new KSK is published and activated. +created=$(key_get KEY3 CREATED) +set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "ACTIVE" "${created}" +# It takes TTLsig + Dprp + publish-safety hours to propagate +# the zone. +# TTLsig: 6h (39600 seconds) +# Dprp: 1h (3600 seconds) +# publish-safety: 1h (3600 seconds) +# Ipub: 8h (28800 seconds) +Ipub=28800 +set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" + +# The new ZSK is published and activated. +created=$(key_get KEY4 CREATED) +set_keytime "KEY4" "PUBLISHED" "${created}" +set_keytime "KEY4" "ACTIVE" "${created}" + +check_keytimes + check_apex check_subdomain dnssec_verify 
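Review bot: `# TTLsig: 6h (39600 seconds)` in the Ipub breakdown is internally inconsistent: 6h is 21600 seconds, and the `Ipub=28800` that follows only adds up as 21600 + 3600 + 3600, so the seconds figure looks carried over from the 11h TTL of the migration tests. Change it to `# TTLsig: 6h (21600 seconds)`. The same wrong figure is repeated in the CSK algorithm-rollover test further down. The `retired=$(awk '{print $3}' ...)` extraction for KEY1 and KEY2 still has no guard for an empty grep result, as noted on the migration tests.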
@@ -4158,6 +4206,33 @@ set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
 set_keystate "KEY4" "STATE_DNSKEY" "omnipresent"
 check_keys
+
+# The old keys were activated three hours ago (10800 seconds).
+rollover_predecessor_keytimes -10800
+
+# KSK must be retired since it no longer matches the policy.
+created=$(key_get KEY1 CREATED)
+set_keytime "KEY1" "RETIRED" "${created}"
+set_addkeytime "KEY1" "REMOVED" "${created}" "${IretKSK}"
+
+# ZSK must be retired since it no longer matches the policy.
+created=$(key_get KEY2 CREATED)
+set_keytime "KEY2" "RETIRED" "${created}"
+set_addkeytime "KEY2" "REMOVED" "${created}" "${IretZSK}"
+
+# The new keys are published 3 hours ago.
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -10800
+set_addkeytime "KEY3" "ACTIVE" "${created}" -10800
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${Ipub}"
+
+created=$(key_get KEY4 CREATED)
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -10800
+set_addkeytime "KEY4" "ACTIVE" "${created}" -10800
+
+check_keytimes
+
 
 check_apex
 check_subdomain
 dnssec_verify
@@ -4186,6 +4261,34 @@ set_keystate "KEY3" "STATE_DS" "rumoured"
 set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
 check_keys
+
+# The old keys were activated 9 hours ago (32400 seconds)
+# and retired 6 hours ago (21600 seconds).
+rollover_predecessor_keytimes -32400
+
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "RETIRED" "${created}" -21600
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "RETIRED" "${created}" -21600
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+
+# The new keys are published 9 hours ago.
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400
+set_addkeytime "KEY3" "ACTIVE" "${created}" -32400
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
+
+created=$(key_get KEY4 CREATED)
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400
+set_addkeytime "KEY4" "ACTIVE" "${created}" -32400
+
+check_keytimes
+
 
 check_apex
 check_subdomain
 dnssec_verify
@@ -4215,6 +4318,34 @@ set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
 set_keystate "KEY3" "STATE_DS" "omnipresent"
 check_keys
+
+# The old keys were activated 38 hours ago (136800 seconds)
+# and retired 35 hours ago (126000 seconds).
+rollover_predecessor_keytimes -136800
+
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "RETIRED" "${created}" -126000
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "RETIRED" "${created}" -126000
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+
+# The new keys are published 38 hours ago.
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
+
+created=$(key_get KEY4 CREATED)
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY4" "ACTIVE" "${created}" -136800
+
+check_keytimes
+
 
 check_apex
 check_subdomain
 dnssec_verify
@@ -4235,6 +4366,34 @@ set_keystate "KEY1" "STATE_KRRSIG" "hidden"
 set_keystate "KEY2" "STATE_DNSKEY" "hidden"
 check_keys
+
+# The old keys were activated 40 hours ago (144000 seconds)
+# and retired 35 hours ago (133200 seconds).
+rollover_predecessor_keytimes -144000
+
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "RETIRED" "${created}" -133200
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "RETIRED" "${created}" -133200
+retired=$(key_get KEY2 RETIRED)
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+
+# The new keys are published 40 hours ago.
+created=$(key_get KEY3 CREATED)
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000
+set_addkeytime "KEY3" "ACTIVE" "${created}" -144000
+published=$(key_get KEY3 PUBLISHED)
+set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
+
+created=$(key_get KEY4 CREATED)
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000
+set_addkeytime "KEY4" "ACTIVE" "${created}" -144000
+
+check_keytimes
+
 
 check_apex
 check_subdomain
 dnssec_verify
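Review bot: The comment `# and retired 35 hours ago (133200 seconds)` contradicts the offset it documents: 133200 seconds is 37 hours, which is also what the step5 setup in ns6/setup.sh earlier in this series sets with `TretN="now-37h"`. Change it to `# and retired 37 hours ago (133200 seconds).`; the 40h/144000 activation line above it is correct.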
@@ -4258,6 +4417,34 @@ set_server "ns6" "10.53.0.6" set_keystate "KEY2" "STATE_ZRRSIG" "hidden" check_keys + +# The old keys were activated 47 hours ago (169200 seconds) +# and retired 34 hours ago (158400 seconds). +rollover_predecessor_keytimes -169200 + +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -158400 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" + +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "RETIRED" "${created}" -158400 +retired=$(key_get KEY2 RETIRED) +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" + +# The new keys are published 47 hours ago. +created=$(key_get KEY3 CREATED) +set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200 +set_addkeytime "KEY3" "ACTIVE" "${created}" -169200 +published=$(key_get KEY3 PUBLISHED) +set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} + +created=$(key_get KEY4 CREATED) +set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200 +set_addkeytime "KEY4" "ACTIVE" "${created}" -169200 + +check_keytimes + check_apex check_subdomain dnssec_verify @@ -4270,6 +4457,10 @@ check_next_key_event 3600 # Testing CSK algorithm rollover. # +# Policy parameters. +# Lcsk: unlimited +Lcksk=0 + # # Zone: step1.csk-algorithm-roll.kasp # @@ -4293,17 +4484,12 @@ set_zonesigning "KEY2" "yes" key_clear "KEY3" key_clear "KEY4" # The RSAHSHA1 key is outroducing. -set_keytime "KEY1" "PUBLISHED" "yes" -set_keytime "KEY1" "ACTIVE" "yes" -set_keytime "KEY1" "RETIRED" "yes" set_keystate "KEY1" "GOAL" "hidden" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" set_keystate "KEY1" "STATE_DS" "omnipresent" # The ECDSAP256SHA256 key is introducing. -set_keytime "KEY2" "PUBLISHED" "yes" -set_keytime "KEY2" "ACTIVE" "yes" set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_KRRSIG" "rumoured" 
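Review bot: `# and retired 34 hours ago (158400 seconds)` is off by ten hours: 158400 seconds is 44 hours, matching `TretN="now-44h"` in the step6 setup of ns6/setup.sh. Change the line to `# and retired 44 hours ago (158400 seconds).` so the comment and the -158400 offset below it agree.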
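Review bot: `Lcksk=0` looks like a typo for `Lcsk=0`, the variable the earlier CSK test in this series sets next to `IretCSK=0` before calling `csk_rollover_predecessor_keytimes`. If that helper reads `Lcsk` (its definition is outside this diff, so I could not confirm), the CSK algorithm-rollover steps run with whatever value a previous test left in it rather than the unlimited lifetime the comment `# Lcsk: unlimited` announces. Change the line to `Lcsk=0`.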
@@ -4311,6 +4497,38 @@ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" set_keystate "KEY2" "STATE_DS" "hidden" check_keys + +# CSK must be retired since it no longer matches the policy. +csk_rollover_predecessor_keytimes 0 0 +keyfile=$(key_get KEY1 BASEFILE) +grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk +retired=$(awk '{print $3}' < retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" +# The key is removed after the retire interval: +# IretZSK = TTLsig + Dprp + Dsgn + retire-safety +# TTLsig: 6h (21600 seconds) +# Dprp: 1h (3600 seconds) +# Dsgn: 25d (2160000 seconds) +# retire-safety: 2h (7200 seconds) +# IretZSK: 25d9h (2192400 seconds) +IretCSK=2192400 +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" + +# The new CSK is published and activated. +created=$(key_get KEY2 CREATED) +set_keytime "KEY2" "PUBLISHED" "${created}" +set_keytime "KEY2" "ACTIVE" "${created}" +# It takes TTLsig + Dprp + publish-safety hours to propagate +# the zone. +# TTLsig: 6h (39600 seconds) +# Dprp: 1h (3600 seconds) +# publish-safety: 1h (3600 seconds) +# Ipub: 8h (28800 seconds) +Ipub=28800 +set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" + +check_keytimes + check_apex check_subdomain dnssec_verify 
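Review bot: Two comments in the new CSK block do not match the values they describe: `# IretZSK = TTLsig + Dprp + Dsgn + retire-safety` and `# IretZSK: 25d9h (2192400 seconds)` head a block that assigns `IretCSK`, and `# TTLsig: 6h (39600 seconds)` gives the 11h figure while `Ipub=28800` only adds up with 21600. Change them to `# IretCSK = TTLsig + Dprp + Dsgn + retire-safety`, `# IretCSK: 25d9h (2192400 seconds)` and `# TTLsig: 6h (21600 seconds)`. The `grep "; Inactive:"` / `awk '{print $3}'` extraction of `retired` also has no guard for an empty result, so a key file without Inactive metadata fails inside the time conversion instead of with a clear message.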
@@ -4336,6 +4554,24 @@ set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" check_keys + +# The old key was activated three hours ago (10800 seconds). +csk_rollover_predecessor_keytimes -10800 -10800 + +# CSK must be retired since it no longer matches the policy. +created=$(key_get KEY1 CREATED) +set_keytime "KEY1" "RETIRED" "${created}" +set_addkeytime "KEY1" "REMOVED" "${created}" "${IretCSK}" + +# The new key was published 3 hours ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -10800 +set_addkeytime "KEY2" "ACTIVE" "${created}" -10800 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" + +check_keytimes + check_apex check_subdomain dnssec_verify @@ -4364,6 +4600,24 @@ set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" set_keystate "KEY2" "STATE_DS" "rumoured" check_keys + +# The old key was activated 9 hours ago (10800 seconds) +# and retired 6 hours ago (21600 seconds). +csk_rollover_predecessor_keytimes -32400 -32400 +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -21600 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" + +# The new key was published 9 hours ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400 +set_addkeytime "KEY2" "ACTIVE" "${created}" -32400 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" + +check_keytimes + check_apex check_subdomain dnssec_verify 
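Review bot: In the `@@ -4364` hunk, `# The old key was activated 9 hours ago (10800 seconds)` carries the 3-hour figure from the previous step; the code that follows uses -32400, which is 9 hours (the retired line's 21600 is correct). Change it to `# The old key was activated 9 hours ago (32400 seconds)`.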
@@ -4390,6 +4644,24 @@ set_keystate "KEY1" "STATE_DS" "hidden" set_keystate "KEY2" "STATE_DS" "omnipresent" check_keys + +# The old key was activated 38 hours ago (136800 seconds) +# and retired 35 hours ago (126000 seconds). +csk_rollover_predecessor_keytimes -136800 -136800 +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -126000 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" + +# The new key was published 38 hours ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800 +set_addkeytime "KEY2" "ACTIVE" "${created}" -136800 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} + +check_keytimes + check_apex check_subdomain dnssec_verify @@ -4409,6 +4681,24 @@ set_keystate "KEY1" "STATE_DNSKEY" "hidden" set_keystate "KEY1" "STATE_KRRSIG" "hidden" check_keys + +# The old key was activated 40 hours ago (144000 seconds) +# and retired 37 hours ago (133200 seconds). +csk_rollover_predecessor_keytimes -144000 -144000 +created=$(key_get KEY1 CREATED) +set_addkeytime "KEY1" "RETIRED" "${created}" -133200 +retired=$(key_get KEY1 RETIRED) +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" + +# The new key was published 40 hours ago. +created=$(key_get KEY2 CREATED) +set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000 +set_addkeytime "KEY2" "ACTIVE" "${created}" -144000 +published=$(key_get KEY2 PUBLISHED) +set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} + +check_keytimes + check_apex check_subdomain dnssec_verify 
@@ -4432,6 +4722,24 @@ set_server "ns6" "10.53.0.6"
 set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
 check_keys
+
+# The old keys were activated 47 hours ago (169200 seconds)
+# and retired 44 hours ago (158400 seconds).
+csk_rollover_predecessor_keytimes -169200 -169200
+created=$(key_get KEY1 CREATED)
+set_addkeytime "KEY1" "RETIRED" "${created}" -158400
+retired=$(key_get KEY1 RETIRED)
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
+
+# The new key was published 47 hours ago.
+created=$(key_get KEY2 CREATED)
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200
+set_addkeytime "KEY2" "ACTIVE" "${created}" -169200
+published=$(key_get KEY2 PUBLISHED)
+set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
+
+check_keytimes
+
 check_apex
 check_subdomain
 dnssec_verify
From bcf3c9fecf9989949d2629d8ee24756010b4025a Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Thu, 14 May 2020 08:48:13 +0200
Subject: [PATCH 16/17] Add change entry
---
 CHANGES | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/CHANGES b/CHANGES
index 10bfeaad94..9583c7030a 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+5422. [bug] When using dnssec-policy, print correct keytiming
+ metadata. [GL #1843]
+
 5421. [bug] Fixed a race that could cause named to crash when looking up the nodename of an RBT node if the tree was modified. [GL #1857]
From 5b3decaf4864149f1269157d62d12724399bf591 Mon Sep 17 00:00:00 2001
From: Matthijs Mekking
Date: Fri, 15 May 2020 10:27:27 +0200
Subject: [PATCH 17/17] Replace date -d with python script
The usage of 'date -d' in the kasp system test is not portable, replace with a python script. Also remove some leftover "set_keytime 'yes'" calls.
---
 bin/tests/system/kasp/clean.sh | 1 +
 bin/tests/system/kasp/tests.sh | 78 ++++++++++++++++------------------
 2 files changed, 37 insertions(+), 42 deletions(-)
diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh
index 95c5781535..a315ce9d1f 100644
--- a/bin/tests/system/kasp/clean.sh
+++ b/bin/tests/system/kasp/clean.sh
@@ -24,3 +24,4 @@ rm -f ns*/managed-keys.bind
 rm -f ns*/*.mkeys
 rm -f ns*/zones* ns*/*.db.infile
 rm -f *.created published.test* retired.test*
+rm -f python.out.*
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index da6e5cffff..b0f2d727e2 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -230,22 +230,22 @@ set_keytime() {
 # $3: Value
 # $4: Additional time.
 set_addkeytime() {
- # Convert "%Y%m%d%H%M%S" format to epoch seconds.
- _date=$(echo "$3" | awk '
- {print substr($1,1,8)}')
- _time=$(echo "$3" | awk '
- BEGIN {OFS=":"}
- {print substr($1,9,2), substr($1,11,2), substr($1,13,2)}')
-
- # Add additional time.
- _plus=$4
- echo_i "addkey_time: $1 $2 $3 $4: $_date $_time $_plus"
-
-
- _epoch=$(date -u -d "$_date $_time" +"%s")
- _epoch=$((_epoch+_plus))
-
- key_set "$1" "$2" $(date -u -d @$_epoch +%Y%m%d%H%M%S)
+ if [ -x "$PYTHON" ]; then
+ # Convert "%Y%m%d%H%M%S" format to epoch seconds.
+ # Then, add the additional time (can be negative).
+ _value=$3
+ _plus=$4
+ $PYTHON > python.out.$ZONE.$1.$2 <
