mirror of
https://gitlab.isc.org/isc-projects/bind9
synced 2025-09-03 16:15:27 +00:00
fix: usr: Fix several small DNSSEC timing issues
The following small issues related to `dnssec-policy` have been fixed: - In some cases the key manager inside BIND 9 could run every hour, while it could have run less often. - While `CDS` and `CDNSKEY` records will be removed correctly from the zone when the corresponding `DS` record needs to be updated, the expected timing metadata when this will happen was never set. - There were a couple of cases where the safety intervals are added inappropriately, delaying key rollovers longer than necessary. - If you have identical `keys` in your `dnssec-policy`, they may be retired inappropriately. Note that having keys with identical properties is discouraged in all cases. Closes #5242 Merge branch '5242-several-keymgr-issues' into 'main' See merge request isc-projects/bind9!10251
This commit is contained in:
Matthijs Mekking
@@ -130,7 +130,7 @@ $KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone >keygen.out.$zone.2 2>&1
|
|||||||
zone="multisigner-model2.kasp"
|
zone="multisigner-model2.kasp"
|
||||||
echo_i "setting up zone: $zone"
|
echo_i "setting up zone: $zone"
|
||||||
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 -M 32768:65535 $zone 2>keygen.out.$zone.1)
|
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -f KSK -L 3600 -M 32768:65535 $zone 2>keygen.out.$zone.1)
|
||||||
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zone -M 32768:65535 2>keygen.out.$zone.2)
|
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -M 32768:65535 $zone 2>keygen.out.$zone.2)
|
||||||
cat "${KSK}.key" | grep -v ";.*" >>"${zone}.db"
|
cat "${KSK}.key" | grep -v ";.*" >>"${zone}.db"
|
||||||
cat "${ZSK}.key" | grep -v ";.*" >>"${zone}.db"
|
cat "${ZSK}.key" | grep -v ";.*" >>"${zone}.db"
|
||||||
# Import the ZSK sets of the other providers into their DNSKEY RRset.
|
# Import the ZSK sets of the other providers into their DNSKEY RRset.
|
||||||
@@ -350,10 +350,9 @@ setup step2.enable-dnssec.autosign
|
|||||||
TpubN="now-900s"
|
TpubN="now-900s"
|
||||||
# RRSIG TTL: 12 hour (43200 seconds)
|
# RRSIG TTL: 12 hour (43200 seconds)
|
||||||
# zone-propagation-delay: 5 minutes (300 seconds)
|
# zone-propagation-delay: 5 minutes (300 seconds)
|
||||||
# retire-safety: 20 minutes (1200 seconds)
|
|
||||||
# Already passed time: -900 seconds
|
# Already passed time: -900 seconds
|
||||||
# Total: 43800 seconds
|
# Total: 42600 seconds
|
||||||
TsbmN="now+43800s"
|
TsbmN="now+42600s"
|
||||||
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
|
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
|
||||||
CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1)
|
CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1)
|
||||||
$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
|
$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
|
||||||
@@ -365,10 +364,10 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $i
|
|||||||
# Step 3:
|
# Step 3:
|
||||||
# The zone signatures have been published long enough to become OMNIPRESENT.
|
# The zone signatures have been published long enough to become OMNIPRESENT.
|
||||||
setup step3.enable-dnssec.autosign
|
setup step3.enable-dnssec.autosign
|
||||||
# Passed time since publications: 43800 + 900 = 44700 seconds.
|
# Passed time since publications: 42600 + 900 = 43500 seconds.
|
||||||
TpubN="now-44700s"
|
TpubN="now-43500s"
|
||||||
# The key is secure for using in chain of trust when the DNSKEY is OMNIPRESENT.
|
# The key is secure for using in chain of trust when the DNSKEY is OMNIPRESENT.
|
||||||
TcotN="now-43800s"
|
TcotN="now-42600s"
|
||||||
# We can submit the DS now.
|
# We can submit the DS now.
|
||||||
TsbmN="now"
|
TsbmN="now"
|
||||||
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
|
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
|
||||||
|
|||||||
@@ -127,9 +127,9 @@ setup step2.algorithm-roll.kasp
|
|||||||
# The time passed since the new algorithm keys have been introduced is 3 hours.
|
# The time passed since the new algorithm keys have been introduced is 3 hours.
|
||||||
TactN="now-3h"
|
TactN="now-3h"
|
||||||
TpubN1="now-3h"
|
TpubN1="now-3h"
|
||||||
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =
|
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp =
|
||||||
# now - 3h + 6h + 1h + 1h = now + 5h
|
# now - 3h + 6h + 1h = now + 4h
|
||||||
TsbmN1="now+5h"
|
TsbmN1="now+4h"
|
||||||
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
|
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
|
||||||
zsk1times="-P ${TactN} -A ${TactN} -I now"
|
zsk1times="-P ${TactN} -A ${TactN} -I now"
|
||||||
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||||
@@ -156,11 +156,11 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
|
|||||||
# Step 3:
|
# Step 3:
|
||||||
# The zone signatures are also OMNIPRESENT.
|
# The zone signatures are also OMNIPRESENT.
|
||||||
setup step3.algorithm-roll.kasp
|
setup step3.algorithm-roll.kasp
|
||||||
# The time passed since the new algorithm keys have been introduced is 9 hours.
|
# The time passed since the new algorithm keys have been introduced is 7 hours.
|
||||||
TactN="now-9h"
|
TactN="now-7h"
|
||||||
TretN="now-6h"
|
TretN="now-3h"
|
||||||
TpubN1="now-9h"
|
TpubN1="now-7h"
|
||||||
TsbmN1="now-1h"
|
TsbmN1="now"
|
||||||
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
|
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
|
||||||
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
|
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
|
||||||
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||||
@@ -188,11 +188,11 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
|
|||||||
# The DS is swapped and can become OMNIPRESENT.
|
# The DS is swapped and can become OMNIPRESENT.
|
||||||
setup step4.algorithm-roll.kasp
|
setup step4.algorithm-roll.kasp
|
||||||
# The time passed since the DS has been swapped is 29 hours.
|
# The time passed since the DS has been swapped is 29 hours.
|
||||||
TactN="now-38h"
|
TactN="now-36h"
|
||||||
TretN="now-35h"
|
TretN="now-33h"
|
||||||
TpubN1="now-38h"
|
TpubN1="now-36h"
|
||||||
TsbmN1="now-30h"
|
TsbmN1="now-29h"
|
||||||
TactN1="now-29h"
|
TactN1="now-27h"
|
||||||
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
|
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
|
||||||
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
|
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
|
||||||
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||||
@@ -220,12 +220,12 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
|
|||||||
# The DNSKEY is removed long enough to be HIDDEN.
|
# The DNSKEY is removed long enough to be HIDDEN.
|
||||||
setup step5.algorithm-roll.kasp
|
setup step5.algorithm-roll.kasp
|
||||||
# The time passed since the DNSKEY has been removed is 2 hours.
|
# The time passed since the DNSKEY has been removed is 2 hours.
|
||||||
TactN="now-40h"
|
TactN="now-38h"
|
||||||
TretN="now-37h"
|
TretN="now-35h"
|
||||||
TremN="now-2h"
|
TremN="now-2h"
|
||||||
TpubN1="now-40h"
|
TpubN1="now-38h"
|
||||||
TsbmN1="now-32h"
|
TsbmN1="now-31h"
|
||||||
TactN1="now-31h"
|
TactN1="now-29h"
|
||||||
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
|
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
|
||||||
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
|
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
|
||||||
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||||
@@ -253,13 +253,13 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
|
|||||||
# The RRSIGs have been removed long enough to be HIDDEN.
|
# The RRSIGs have been removed long enough to be HIDDEN.
|
||||||
setup step6.algorithm-roll.kasp
|
setup step6.algorithm-roll.kasp
|
||||||
# Additional time passed: 7h.
|
# Additional time passed: 7h.
|
||||||
TactN="now-47h"
|
TactN="now-45h"
|
||||||
TretN="now-44h"
|
TretN="now-42h"
|
||||||
TremN="now-7h"
|
TremN="now-7h"
|
||||||
TpubN1="now-47h"
|
TpubN1="now-45h"
|
||||||
TsbmN1="now-39h"
|
TsbmN1="now-38h"
|
||||||
TactN1="now-38h"
|
TactN1="now-36h"
|
||||||
TdeaN="now-9h"
|
TdeaN="now-7h"
|
||||||
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
|
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
|
||||||
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
|
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
|
||||||
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
|
||||||
@@ -324,11 +324,11 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
|
|||||||
# Step 3:
|
# Step 3:
|
||||||
# The zone signatures are also OMNIPRESENT.
|
# The zone signatures are also OMNIPRESENT.
|
||||||
setup step3.csk-algorithm-roll.kasp
|
setup step3.csk-algorithm-roll.kasp
|
||||||
# The time passed since the new algorithm keys have been introduced is 9 hours.
|
# The time passed since the new algorithm keys have been introduced is 7 hours.
|
||||||
TactN="now-9h"
|
TactN="now-7h"
|
||||||
TretN="now-6h"
|
TretN="now-3h"
|
||||||
TpubN1="now-9h"
|
TpubN1="now-7h"
|
||||||
TactN1="now-6h"
|
TactN1="now-3h"
|
||||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
|
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
|
||||||
newtimes="-P ${TpubN1} -A ${TpubN1}"
|
newtimes="-P ${TpubN1} -A ${TpubN1}"
|
||||||
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
|
||||||
@@ -347,10 +347,10 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
|
|||||||
# The DS is swapped and can become OMNIPRESENT.
|
# The DS is swapped and can become OMNIPRESENT.
|
||||||
setup step4.csk-algorithm-roll.kasp
|
setup step4.csk-algorithm-roll.kasp
|
||||||
# The time passed since the DS has been swapped is 29 hours.
|
# The time passed since the DS has been swapped is 29 hours.
|
||||||
TactN="now-38h"
|
TactN="now-36h"
|
||||||
TretN="now-35h"
|
TretN="now-33h"
|
||||||
TpubN1="now-38h"
|
TpubN1="now-36h"
|
||||||
TactN1="now-35h"
|
TactN1="now-33h"
|
||||||
TsubN1="now-29h"
|
TsubN1="now-29h"
|
||||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
|
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
|
||||||
newtimes="-P ${TpubN1} -A ${TpubN1}"
|
newtimes="-P ${TpubN1} -A ${TpubN1}"
|
||||||
@@ -370,11 +370,11 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
|
|||||||
# The DNSKEY is removed long enough to be HIDDEN.
|
# The DNSKEY is removed long enough to be HIDDEN.
|
||||||
setup step5.csk-algorithm-roll.kasp
|
setup step5.csk-algorithm-roll.kasp
|
||||||
# The time passed since the DNSKEY has been removed is 2 hours.
|
# The time passed since the DNSKEY has been removed is 2 hours.
|
||||||
TactN="now-40h"
|
TactN="now-38h"
|
||||||
TretN="now-37h"
|
TretN="now-35h"
|
||||||
TremN="now-2h"
|
TremN="now-2h"
|
||||||
TpubN1="now-40h"
|
TpubN1="now-38h"
|
||||||
TactN1="now-37h"
|
TactN1="now-35h"
|
||||||
TsubN1="now-31h"
|
TsubN1="now-31h"
|
||||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
|
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
|
||||||
newtimes="-P ${TpubN1} -A ${TpubN1}"
|
newtimes="-P ${TpubN1} -A ${TpubN1}"
|
||||||
@@ -394,12 +394,12 @@ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
|
|||||||
# The RRSIGs have been removed long enough to be HIDDEN.
|
# The RRSIGs have been removed long enough to be HIDDEN.
|
||||||
setup step6.csk-algorithm-roll.kasp
|
setup step6.csk-algorithm-roll.kasp
|
||||||
# Additional time passed: 7h.
|
# Additional time passed: 7h.
|
||||||
TactN="now-47h"
|
TactN="now-45h"
|
||||||
TretN="now-44h"
|
TretN="now-42h"
|
||||||
TdeaN="now-9h"
|
TdeaN="now-9h"
|
||||||
TremN="now-7h"
|
TremN="now-7h"
|
||||||
TpubN1="now-47h"
|
TpubN1="now-45h"
|
||||||
TactN1="now-44h"
|
TactN1="now-42h"
|
||||||
TsubN1="now-38h"
|
TsubN1="now-38h"
|
||||||
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
|
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
|
||||||
newtimes="-P ${TpubN1} -A ${TpubN1}"
|
newtimes="-P ${TpubN1} -A ${TpubN1}"
|
||||||
|
|||||||
@@ -275,9 +275,8 @@ set_keytimes_csk_policy() {
|
|||||||
set_keytime "KEY1" "ACTIVE" "${created}"
|
set_keytime "KEY1" "ACTIVE" "${created}"
|
||||||
# The DS can be published if the DNSKEY and RRSIG records are
|
# The DS can be published if the DNSKEY and RRSIG records are
|
||||||
# OMNIPRESENT. This happens after max-zone-ttl (1d) plus
|
# OMNIPRESENT. This happens after max-zone-ttl (1d) plus
|
||||||
# publish-safety (1h) plus zone-propagation-delay (300s) =
|
# zone-propagation-delay (300s) = 86400 + 300 = 86700.
|
||||||
# 86400 + 3600 + 300 = 90300.
|
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 86700
|
||||||
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300
|
|
||||||
# Key lifetime is unlimited, so not setting RETIRED and REMOVED.
|
# Key lifetime is unlimited, so not setting RETIRED and REMOVED.
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -769,9 +768,8 @@ set_keytimes_algorithm_policy() {
|
|||||||
|
|
||||||
# The DS can be published if the DNSKEY and RRSIG records are
|
# The DS can be published if the DNSKEY and RRSIG records are
|
||||||
# OMNIPRESENT. This happens after max-zone-ttl (1d) plus
|
# OMNIPRESENT. This happens after max-zone-ttl (1d) plus
|
||||||
# publish-safety (1h) plus zone-propagation-delay (300s) =
|
# zone-propagation-delay (300s) = 86400 + 300 = 86700.
|
||||||
# 86400 + 3600 + 300 = 90300.
|
set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 86700
|
||||||
set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
|
|
||||||
# Key lifetime is 10 years, 315360000 seconds.
|
# Key lifetime is 10 years, 315360000 seconds.
|
||||||
set_addkeytime "KEY1" "RETIRED" "${published}" 315360000
|
set_addkeytime "KEY1" "RETIRED" "${published}" 315360000
|
||||||
# The key is removed after the retire time plus DS TTL (1d),
|
# The key is removed after the retire time plus DS TTL (1d),
|
||||||
@@ -1720,10 +1718,10 @@ published=$(awk '{print $3}' <published.test${n}.key1)
|
|||||||
set_keytime "KEY1" "PUBLISHED" "${published}"
|
set_keytime "KEY1" "PUBLISHED" "${published}"
|
||||||
set_keytime "KEY1" "ACTIVE" "${published}"
|
set_keytime "KEY1" "ACTIVE" "${published}"
|
||||||
published=$(key_get KEY1 PUBLISHED)
|
published=$(key_get KEY1 PUBLISHED)
|
||||||
# The DS can be published if the DNSKEY and RRSIG records are OMNIPRESENT.
|
# The DS can be published if the zone is fully signed.
|
||||||
# This happens after max-zone-ttl (1d) plus publish-safety (1h) plus
|
# This happens after max-zone-ttl (1d) plus
|
||||||
# zone-propagation-delay (300s) = 86400 + 3600 + 300 = 90300.
|
# zone-propagation-delay (300s) = 86400 + 300 = 86700.
|
||||||
set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
|
set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 86700
|
||||||
# Key lifetime is 6 months, 315360000 seconds.
|
# Key lifetime is 6 months, 315360000 seconds.
|
||||||
set_addkeytime "KEY1" "RETIRED" "${published}" 16070400
|
set_addkeytime "KEY1" "RETIRED" "${published}" 16070400
|
||||||
# The key is removed after the retire time plus DS TTL (1d), parent
|
# The key is removed after the retire time plus DS TTL (1d), parent
|
||||||
@@ -2486,9 +2484,9 @@ set_keytime "KEY1" "PUBLISHED" "${created}"
|
|||||||
set_keytime "KEY1" "ACTIVE" "${created}"
|
set_keytime "KEY1" "ACTIVE" "${created}"
|
||||||
# - The DS can be published if the DNSKEY and RRSIG records are
|
# - The DS can be published if the DNSKEY and RRSIG records are
|
||||||
# OMNIPRESENT. This happens after max-zone-ttl (12h) plus
|
# OMNIPRESENT. This happens after max-zone-ttl (12h) plus
|
||||||
# publish-safety (5m) plus zone-propagation-delay (5m) =
|
# plus zone-propagation-delay (5m) =
|
||||||
# 43200 + 300 + 300 = 43800.
|
# 43200 + 300 = 43500.
|
||||||
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
|
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43500
|
||||||
# - Key lifetime is unlimited, so not setting RETIRED and REMOVED.
|
# - Key lifetime is unlimited, so not setting RETIRED and REMOVED.
|
||||||
|
|
||||||
# Various signing policy checks.
|
# Various signing policy checks.
|
||||||
@@ -2556,7 +2554,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
|||||||
created=$(key_get KEY1 CREATED)
|
created=$(key_get KEY1 CREATED)
|
||||||
set_addkeytime "KEY1" "PUBLISHED" "${created}" -900
|
set_addkeytime "KEY1" "PUBLISHED" "${created}" -900
|
||||||
set_addkeytime "KEY1" "ACTIVE" "${created}" -900
|
set_addkeytime "KEY1" "ACTIVE" "${created}" -900
|
||||||
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
|
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 42600
|
||||||
|
|
||||||
# Continue signing policy checks.
|
# Continue signing policy checks.
|
||||||
check_keytimes
|
check_keytimes
|
||||||
@@ -2566,8 +2564,8 @@ dnssec_verify
|
|||||||
|
|
||||||
# Next key event is when the zone signatures become OMNIPRESENT: max-zone-ttl
|
# Next key event is when the zone signatures become OMNIPRESENT: max-zone-ttl
|
||||||
# plus zone propagation delay plus retire safety minus the already elapsed
|
# plus zone propagation delay plus retire safety minus the already elapsed
|
||||||
# 900 seconds: 12h + 300s + 20m - 900 = 44700 - 900 = 43800 seconds
|
# 900 seconds: 12h + 300s + 20m - 900 = 43500 - 900 = 42600 seconds
|
||||||
check_next_key_event 43800
|
check_next_key_event 42600
|
||||||
|
|
||||||
#
|
#
|
||||||
# Zone: step3.enable-dnssec.autosign.
|
# Zone: step3.enable-dnssec.autosign.
|
||||||
@@ -2584,10 +2582,10 @@ check_keys
|
|||||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||||
|
|
||||||
# Set expected key times:
|
# Set expected key times:
|
||||||
# - The key was published and activated 44700 seconds ago (with settime).
|
# - The key was published and activated 43500 seconds ago (with settime).
|
||||||
created=$(key_get KEY1 CREATED)
|
created=$(key_get KEY1 CREATED)
|
||||||
set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700
|
set_addkeytime "KEY1" "PUBLISHED" "${created}" -43500
|
||||||
set_addkeytime "KEY1" "ACTIVE" "${created}" -44700
|
set_addkeytime "KEY1" "ACTIVE" "${created}" -43500
|
||||||
set_keytime "KEY1" "SYNCPUBLISH" "${created}"
|
set_keytime "KEY1" "SYNCPUBLISH" "${created}"
|
||||||
|
|
||||||
# Continue signing policy checks.
|
# Continue signing policy checks.
|
||||||
@@ -2603,8 +2601,8 @@ check_cdslog "$DIR" "$ZONE" KEY1
|
|||||||
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "published" "$ZONE"
|
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "published" "$ZONE"
|
||||||
# Next key event is when the DS can move to the OMNIPRESENT state. This occurs
|
# Next key event is when the DS can move to the OMNIPRESENT state. This occurs
|
||||||
# when the parent propagation delay have passed, plus the DS TTL and retire
|
# when the parent propagation delay have passed, plus the DS TTL and retire
|
||||||
# safety delay: 1h + 2h + 20m = 3h20m = 12000 seconds
|
# safety delay: 1h + 2h = 3h = 10800 seconds
|
||||||
check_next_key_event 12000
|
check_next_key_event 10800
|
||||||
|
|
||||||
#
|
#
|
||||||
# Zone: step4.enable-dnssec.autosign.
|
# Zone: step4.enable-dnssec.autosign.
|
||||||
@@ -4388,9 +4386,9 @@ check_subdomain
|
|||||||
dnssec_verify
|
dnssec_verify
|
||||||
|
|
||||||
# Next key event is when the DS becomes HIDDEN. This happens after the
|
# Next key event is when the DS becomes HIDDEN. This happens after the
|
||||||
# parent propagation delay, retire safety delay, and DS TTL:
|
# parent propagation delay, and DS TTL:
|
||||||
# 1h + 1h + 1d = 26h = 93600 seconds.
|
# 1h + 1d = 25h = 90000 seconds.
|
||||||
check_next_key_event 93600
|
check_next_key_event 90000
|
||||||
|
|
||||||
#
|
#
|
||||||
# Zone: step2.going-insecure.kasp
|
# Zone: step2.going-insecure.kasp
|
||||||
@@ -4456,8 +4454,8 @@ dnssec_verify
|
|||||||
|
|
||||||
# Next key event is when the DS becomes HIDDEN. This happens after the
|
# Next key event is when the DS becomes HIDDEN. This happens after the
|
||||||
# parent propagation delay, retire safety delay, and DS TTL:
|
# parent propagation delay, retire safety delay, and DS TTL:
|
||||||
# 1h + 1h + 1d = 26h = 93600 seconds.
|
# 1h + 1d = 25h = 90000 seconds.
|
||||||
check_next_key_event 93600
|
check_next_key_event 90000
|
||||||
|
|
||||||
#
|
#
|
||||||
# Zone: step2.going-insecure-dynamic.kasp
|
# Zone: step2.going-insecure-dynamic.kasp
|
||||||
@@ -4651,12 +4649,11 @@ set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
|
|||||||
created=$(key_get KEY3 CREATED)
|
created=$(key_get KEY3 CREATED)
|
||||||
set_keytime "KEY3" "PUBLISHED" "${created}"
|
set_keytime "KEY3" "PUBLISHED" "${created}"
|
||||||
set_keytime "KEY3" "ACTIVE" "${created}"
|
set_keytime "KEY3" "ACTIVE" "${created}"
|
||||||
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
|
# - It takes TTLsig + Dprp to propagate the zone.
|
||||||
# TTLsig: 6h (39600 seconds)
|
# TTLsig: 6h (39600 seconds)
|
||||||
# Dprp: 1h (3600 seconds)
|
# Dprp: 1h (3600 seconds)
|
||||||
# publish-safety: 1h (3600 seconds)
|
# Ipub: 7h (25200 seconds)
|
||||||
# Ipub: 8h (28800 seconds)
|
Ipub=25200
|
||||||
Ipub=28800
|
|
||||||
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
|
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
|
||||||
# - The new ZSK is published and activated.
|
# - The new ZSK is published and activated.
|
||||||
created=$(key_get KEY4 CREATED)
|
created=$(key_get KEY4 CREATED)
|
||||||
@@ -4725,12 +4722,12 @@ dnssec_verify
|
|||||||
|
|
||||||
# Next key event is when all zone signatures are signed with the new
|
# Next key event is when all zone signatures are signed with the new
|
||||||
# algorithm. This is the max-zone-ttl plus zone propagation delay
|
# algorithm. This is the max-zone-ttl plus zone propagation delay
|
||||||
# plus retire safety: 6h + 1h + 2h. But three hours have already passed
|
# 6h + 1h. But three hours have already passed (the time it took to
|
||||||
# (the time it took to make the DNSKEY omnipresent), so the next event
|
# make the DNSKEY omnipresent), so the next event should be scheduled
|
||||||
# should be scheduled in 6 hour: 21600 seconds. Prevent intermittent
|
# in 4 hour: 14400 seconds. Prevent intermittent
|
||||||
# false positives on slow platforms by subtracting the number of seconds
|
# false positives on slow platforms by subtracting the number of seconds
|
||||||
# which passed between key creation and invoking 'rndc reconfig'.
|
# which passed between key creation and invoking 'rndc reconfig'.
|
||||||
next_time=$((21600 - time_passed))
|
next_time=$((14400 - time_passed))
|
||||||
check_next_key_event $next_time
|
check_next_key_event $next_time
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -4753,28 +4750,28 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
|||||||
check_cdslog "$DIR" "$ZONE" KEY3
|
check_cdslog "$DIR" "$ZONE" KEY3
|
||||||
|
|
||||||
# Set expected key times:
|
# Set expected key times:
|
||||||
# - The old keys were activated 9 hours ago (32400 seconds).
|
# - The old keys were activated 7 hours ago (25200 seconds).
|
||||||
rollover_predecessor_keytimes -32400
|
rollover_predecessor_keytimes -25200
|
||||||
# - And retired 6 hours ago (21600 seconds).
|
# - And retired 3 hours ago (10800 seconds).
|
||||||
created=$(key_get KEY1 CREATED)
|
created=$(key_get KEY1 CREATED)
|
||||||
set_addkeytime "KEY1" "RETIRED" "${created}" -21600
|
set_addkeytime "KEY1" "RETIRED" "${created}" -10800
|
||||||
retired=$(key_get KEY1 RETIRED)
|
retired=$(key_get KEY1 RETIRED)
|
||||||
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
|
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
|
||||||
|
|
||||||
created=$(key_get KEY2 CREATED)
|
created=$(key_get KEY2 CREATED)
|
||||||
set_addkeytime "KEY2" "RETIRED" "${created}" -21600
|
set_addkeytime "KEY2" "RETIRED" "${created}" -10800
|
||||||
retired=$(key_get KEY2 RETIRED)
|
retired=$(key_get KEY2 RETIRED)
|
||||||
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
|
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
|
||||||
# - The new keys are published 9 hours ago.
|
# - The new keys are published 7 hours ago.
|
||||||
created=$(key_get KEY3 CREATED)
|
created=$(key_get KEY3 CREATED)
|
||||||
set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400
|
set_addkeytime "KEY3" "PUBLISHED" "${created}" -25200
|
||||||
set_addkeytime "KEY3" "ACTIVE" "${created}" -32400
|
set_addkeytime "KEY3" "ACTIVE" "${created}" -25200
|
||||||
published=$(key_get KEY3 PUBLISHED)
|
published=$(key_get KEY3 PUBLISHED)
|
||||||
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
|
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
|
||||||
|
|
||||||
created=$(key_get KEY4 CREATED)
|
created=$(key_get KEY4 CREATED)
|
||||||
set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400
|
set_addkeytime "KEY4" "PUBLISHED" "${created}" -25200
|
||||||
set_addkeytime "KEY4" "ACTIVE" "${created}" -32400
|
set_addkeytime "KEY4" "ACTIVE" "${created}" -25200
|
||||||
|
|
||||||
# Continue signing policy checks.
|
# Continue signing policy checks.
|
||||||
check_keytimes
|
check_keytimes
|
||||||
@@ -4787,9 +4784,9 @@ dnssec_verify
|
|||||||
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
|
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
|
||||||
rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
|
rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
|
||||||
# Next key event is when the DS becomes OMNIPRESENT. This happens after the
|
# Next key event is when the DS becomes OMNIPRESENT. This happens after the
|
||||||
# parent propagation delay, retire safety delay, and DS TTL:
|
# parent propagation delay, and DS TTL:
|
||||||
# 1h + 2h + 2h = 5h = 18000 seconds.
|
# 1h + 2h = 3h = 10800 seconds.
|
||||||
check_next_key_event 18000
|
check_next_key_event 10800
|
||||||
|
|
||||||
#
|
#
|
||||||
# Zone: step4.algorithm-roll.kasp
|
# Zone: step4.algorithm-roll.kasp
|
||||||
@@ -4816,29 +4813,29 @@ wait_for_done_signing
|
|||||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||||
|
|
||||||
# Set expected key times:
|
# Set expected key times:
|
||||||
# - The old keys were activated 38 hours ago (136800 seconds).
|
# - The old keys were activated 36 hours ago (129600 seconds).
|
||||||
rollover_predecessor_keytimes -136800
|
rollover_predecessor_keytimes -129600
|
||||||
# - And retired 35 hours ago (126000 seconds).
|
# - And retired 33 hours ago (118800 seconds).
|
||||||
created=$(key_get KEY1 CREATED)
|
created=$(key_get KEY1 CREATED)
|
||||||
set_addkeytime "KEY1" "RETIRED" "${created}" -126000
|
set_addkeytime "KEY1" "RETIRED" "${created}" -118800
|
||||||
retired=$(key_get KEY1 RETIRED)
|
retired=$(key_get KEY1 RETIRED)
|
||||||
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
|
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
|
||||||
|
|
||||||
created=$(key_get KEY2 CREATED)
|
created=$(key_get KEY2 CREATED)
|
||||||
set_addkeytime "KEY2" "RETIRED" "${created}" -126000
|
set_addkeytime "KEY2" "RETIRED" "${created}" -118800
|
||||||
retired=$(key_get KEY2 RETIRED)
|
retired=$(key_get KEY2 RETIRED)
|
||||||
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
|
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
|
||||||
|
|
||||||
# - The new keys are published 38 hours ago.
|
# - The new keys are published 36 hours ago.
|
||||||
created=$(key_get KEY3 CREATED)
|
created=$(key_get KEY3 CREATED)
|
||||||
set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
|
set_addkeytime "KEY3" "PUBLISHED" "${created}" -129600
|
||||||
set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
|
set_addkeytime "KEY3" "ACTIVE" "${created}" -129600
|
||||||
published=$(key_get KEY3 PUBLISHED)
|
published=$(key_get KEY3 PUBLISHED)
|
||||||
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
|
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
|
||||||
|
|
||||||
created=$(key_get KEY4 CREATED)
|
created=$(key_get KEY4 CREATED)
|
||||||
set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
|
set_addkeytime "KEY4" "PUBLISHED" "${created}" -129600
|
||||||
set_addkeytime "KEY4" "ACTIVE" "${created}" -136800
|
set_addkeytime "KEY4" "ACTIVE" "${created}" -129600
|
||||||
|
|
||||||
# Continue signing policy checks.
|
# Continue signing policy checks.
|
||||||
check_keytimes
|
check_keytimes
|
||||||
@@ -4867,29 +4864,29 @@ wait_for_done_signing
|
|||||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||||
|
|
||||||
# Set expected key times:
|
# Set expected key times:
|
||||||
# - The old keys were activated 40 hours ago (144000 seconds)
|
# - The old keys were activated 38 hours ago (136800 seconds)
|
||||||
rollover_predecessor_keytimes -144000
|
rollover_predecessor_keytimes -136800
|
||||||
# - And retired 37 hours ago (133200 seconds).
|
# - And retired 35 hours ago (126000 seconds).
|
||||||
created=$(key_get KEY1 CREATED)
|
created=$(key_get KEY1 CREATED)
|
||||||
set_addkeytime "KEY1" "RETIRED" "${created}" -133200
|
set_addkeytime "KEY1" "RETIRED" "${created}" -126000
|
||||||
retired=$(key_get KEY1 RETIRED)
|
retired=$(key_get KEY1 RETIRED)
|
||||||
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
|
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
|
||||||
|
|
||||||
created=$(key_get KEY2 CREATED)
|
created=$(key_get KEY2 CREATED)
|
||||||
set_addkeytime "KEY2" "RETIRED" "${created}" -133200
|
set_addkeytime "KEY2" "RETIRED" "${created}" -126000
|
||||||
retired=$(key_get KEY2 RETIRED)
|
retired=$(key_get KEY2 RETIRED)
|
||||||
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
|
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
|
||||||
|
|
||||||
# The new keys are published 40 hours ago.
|
# The new keys are published 40 hours ago.
|
||||||
created=$(key_get KEY3 CREATED)
|
created=$(key_get KEY3 CREATED)
|
||||||
set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000
|
set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
|
||||||
set_addkeytime "KEY3" "ACTIVE" "${created}" -144000
|
set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
|
||||||
published=$(key_get KEY3 PUBLISHED)
|
published=$(key_get KEY3 PUBLISHED)
|
||||||
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
|
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
|
||||||
|
|
||||||
created=$(key_get KEY4 CREATED)
|
created=$(key_get KEY4 CREATED)
|
||||||
set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000
|
set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
|
||||||
set_addkeytime "KEY4" "ACTIVE" "${created}" -144000
|
set_addkeytime "KEY4" "ACTIVE" "${created}" -136800
|
||||||
|
|
||||||
# Continue signing policy checks.
|
# Continue signing policy checks.
|
||||||
check_keytimes
|
check_keytimes
|
||||||
@@ -4898,12 +4895,12 @@ check_subdomain
|
|||||||
dnssec_verify
|
dnssec_verify
|
||||||
|
|
||||||
# Next key event is when the RSASHA1 signatures become HIDDEN. This happens
|
# Next key event is when the RSASHA1 signatures become HIDDEN. This happens
|
||||||
# after the max-zone-ttl plus zone propagation delay plus retire safety
|
# after the max-zone-ttl plus zone propagation delay (6h + 1h)
|
||||||
# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
|
# minus the time already passed since the UNRETENTIVE state has
|
||||||
# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
|
# been reached (2h): 7h - 2h = 5h = 18000 seconds. Prevent intermittent
|
||||||
# false positives on slow platforms by subtracting the number of seconds
|
# false positives on slow platforms by subtracting the number of seconds
|
||||||
# which passed between key creation and invoking 'rndc reconfig'.
|
# which passed between key creation and invoking 'rndc reconfig'.
|
||||||
next_time=$((25200 - time_passed))
|
next_time=$((18000 - time_passed))
|
||||||
check_next_key_event $next_time
|
check_next_key_event $next_time
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -4921,29 +4918,29 @@ wait_for_done_signing
|
|||||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||||
|
|
||||||
# Set expected key times:
|
# Set expected key times:
|
||||||
# - The old keys were activated 47 hours ago (169200 seconds)
|
# - The old keys were activated 45 hours ago (162000 seconds)
|
||||||
rollover_predecessor_keytimes -169200
|
rollover_predecessor_keytimes -162000
|
||||||
# - And retired 44 hours ago (158400 seconds).
|
# - And retired 42 hours ago (151200 seconds).
|
||||||
created=$(key_get KEY1 CREATED)
|
created=$(key_get KEY1 CREATED)
|
||||||
set_addkeytime "KEY1" "RETIRED" "${created}" -158400
|
set_addkeytime "KEY1" "RETIRED" "${created}" -151200
|
||||||
retired=$(key_get KEY1 RETIRED)
|
retired=$(key_get KEY1 RETIRED)
|
||||||
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
|
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
|
||||||
|
|
||||||
created=$(key_get KEY2 CREATED)
|
created=$(key_get KEY2 CREATED)
|
||||||
set_addkeytime "KEY2" "RETIRED" "${created}" -158400
|
set_addkeytime "KEY2" "RETIRED" "${created}" -151200
|
||||||
retired=$(key_get KEY2 RETIRED)
|
retired=$(key_get KEY2 RETIRED)
|
||||||
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
|
set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
|
||||||
|
|
||||||
# The new keys are published 47 hours ago.
|
# The new keys are published 47 hours ago.
|
||||||
created=$(key_get KEY3 CREATED)
|
created=$(key_get KEY3 CREATED)
|
||||||
set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200
|
set_addkeytime "KEY3" "PUBLISHED" "${created}" -162000
|
||||||
set_addkeytime "KEY3" "ACTIVE" "${created}" -169200
|
set_addkeytime "KEY3" "ACTIVE" "${created}" -162000
|
||||||
published=$(key_get KEY3 PUBLISHED)
|
published=$(key_get KEY3 PUBLISHED)
|
||||||
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
|
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
|
||||||
|
|
||||||
created=$(key_get KEY4 CREATED)
|
created=$(key_get KEY4 CREATED)
|
||||||
set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200
|
set_addkeytime "KEY4" "PUBLISHED" "${created}" -162000
|
||||||
set_addkeytime "KEY4" "ACTIVE" "${created}" -169200
|
set_addkeytime "KEY4" "ACTIVE" "${created}" -162000
|
||||||
|
|
||||||
# Continue signing policy checks.
|
# Continue signing policy checks.
|
||||||
check_keytimes
|
check_keytimes
|
||||||
@@ -5026,9 +5023,8 @@ set_keytime "KEY2" "ACTIVE" "${created}"
|
|||||||
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
|
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
|
||||||
# TTLsig: 6h (39600 seconds)
|
# TTLsig: 6h (39600 seconds)
|
||||||
# Dprp: 1h (3600 seconds)
|
# Dprp: 1h (3600 seconds)
|
||||||
# publish-safety: 1h (3600 seconds)
|
# Ipub: 7h (25200 seconds)
|
||||||
# Ipub: 8h (28800 seconds)
|
Ipub=25200
|
||||||
Ipub=28800
|
|
||||||
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
|
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
|
||||||
|
|
||||||
# Continue signing policy checks.
|
# Continue signing policy checks.
|
||||||
@@ -5082,14 +5078,13 @@ check_apex
|
|||||||
check_subdomain
|
check_subdomain
|
||||||
dnssec_verify
|
dnssec_verify
|
||||||
|
|
||||||
# Next key event is when all zone signatures are signed with the new
|
# Next key event is when all zone signatures are signed with the new algorithm.
|
||||||
# algorithm. This is the max-zone-ttl plus zone propagation delay
|
# This is the max-zone-ttl plus zone propagation delay: 6h + 1h. But three
|
||||||
# plus retire safety: 6h + 1h + 2h. But three hours have already passed
|
# hours have already passed (the time it took to make the DNSKEY omnipresent),
|
||||||
# (the time it took to make the DNSKEY omnipresent), so the next event
|
# so the next event should be scheduled in 4 hour: 14400 seconds. Prevent
|
||||||
# should be scheduled in 6 hour: 21600 seconds. Prevent intermittent
|
# intermittent false positives on slow platforms by subtracting the number of
|
||||||
# false positives on slow platforms by subtracting the number of seconds
|
# seconds which passed between key creation and invoking 'rndc reconfig'.
|
||||||
# which passed between key creation and invoking 'rndc reconfig'.
|
next_time=$((14400 - time_passed))
|
||||||
next_time=$((21600 - time_passed))
|
|
||||||
check_next_key_event $next_time
|
check_next_key_event $next_time
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -5114,17 +5109,17 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
|||||||
check_cdslog "$DIR" "$ZONE" KEY2
|
check_cdslog "$DIR" "$ZONE" KEY2
|
||||||
|
|
||||||
# Set expected key times:
|
# Set expected key times:
|
||||||
# - The old key was activated 9 hours ago (32400 seconds).
|
# - The old key was activated 7 hours ago (25200 seconds).
|
||||||
csk_rollover_predecessor_keytimes -32400
|
csk_rollover_predecessor_keytimes -25200
|
||||||
# - And was retired 6 hours ago (21600 seconds).
|
# - And was retired 3 hours ago (10800 seconds).
|
||||||
created=$(key_get KEY1 CREATED)
|
created=$(key_get KEY1 CREATED)
|
||||||
set_addkeytime "KEY1" "RETIRED" "${created}" -21600
|
set_addkeytime "KEY1" "RETIRED" "${created}" -10800
|
||||||
retired=$(key_get KEY1 RETIRED)
|
retired=$(key_get KEY1 RETIRED)
|
||||||
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
|
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
|
||||||
# - The new key was published 9 hours ago.
|
# - The new key was published 9 hours ago.
|
||||||
created=$(key_get KEY2 CREATED)
|
created=$(key_get KEY2 CREATED)
|
||||||
set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400
|
set_addkeytime "KEY2" "PUBLISHED" "${created}" -25200
|
||||||
set_addkeytime "KEY2" "ACTIVE" "${created}" -32400
|
set_addkeytime "KEY2" "ACTIVE" "${created}" -25200
|
||||||
published=$(key_get KEY2 PUBLISHED)
|
published=$(key_get KEY2 PUBLISHED)
|
||||||
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
|
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
|
||||||
|
|
||||||
@@ -5138,9 +5133,9 @@ dnssec_verify
|
|||||||
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
|
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
|
||||||
rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
|
rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
|
||||||
# Next key event is when the DS becomes OMNIPRESENT. This happens after the
|
# Next key event is when the DS becomes OMNIPRESENT. This happens after the
|
||||||
# parent propagation delay, retire safety delay, and DS TTL:
|
# parent propagation delay, and DS TTL:
|
||||||
# 1h + 2h + 2h = 5h = 18000 seconds.
|
# 1h + 2h = 3h = 10800 seconds.
|
||||||
check_next_key_event 18000
|
check_next_key_event 10800
|
||||||
|
|
||||||
#
|
#
|
||||||
# Zone: step4.csk-algorithm-roll.kasp
|
# Zone: step4.csk-algorithm-roll.kasp
|
||||||
@@ -5164,17 +5159,17 @@ wait_for_done_signing
|
|||||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||||
|
|
||||||
# Set expected key times:
|
# Set expected key times:
|
||||||
# - The old key was activated 38 hours ago (136800 seconds)
|
# - The old keys were activated 36 hours ago (129600 seconds).
|
||||||
csk_rollover_predecessor_keytimes -136800
|
csk_rollover_predecessor_keytimes -129600
|
||||||
# - And retired 35 hours ago (126000 seconds).
|
# - And retired 33 hours ago (118800 seconds).
|
||||||
created=$(key_get KEY1 CREATED)
|
created=$(key_get KEY1 CREATED)
|
||||||
set_addkeytime "KEY1" "RETIRED" "${created}" -126000
|
set_addkeytime "KEY1" "RETIRED" "${created}" -118800
|
||||||
retired=$(key_get KEY1 RETIRED)
|
retired=$(key_get KEY1 RETIRED)
|
||||||
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
|
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
|
||||||
# - The new key was published 38 hours ago.
|
# - The new key was published 36 hours ago.
|
||||||
created=$(key_get KEY2 CREATED)
|
created=$(key_get KEY2 CREATED)
|
||||||
set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
|
set_addkeytime "KEY2" "PUBLISHED" "${created}" -129600
|
||||||
set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
|
set_addkeytime "KEY2" "ACTIVE" "${created}" -129600
|
||||||
published=$(key_get KEY2 PUBLISHED)
|
published=$(key_get KEY2 PUBLISHED)
|
||||||
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
|
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
|
||||||
|
|
||||||
@@ -5204,17 +5199,17 @@ wait_for_done_signing
|
|||||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||||
|
|
||||||
# Set expected key times:
|
# Set expected key times:
|
||||||
# - The old key was activated 40 hours ago (144000 seconds)
|
# - The old key was activated 38 hours ago (136800 seconds)
|
||||||
csk_rollover_predecessor_keytimes -144000
|
csk_rollover_predecessor_keytimes -136800
|
||||||
# - And retired 37 hours ago (133200 seconds).
|
# - And retired 35 hours ago (126000 seconds).
|
||||||
created=$(key_get KEY1 CREATED)
|
created=$(key_get KEY1 CREATED)
|
||||||
set_addkeytime "KEY1" "RETIRED" "${created}" -133200
|
set_addkeytime "KEY1" "RETIRED" "${created}" -126000
|
||||||
retired=$(key_get KEY1 RETIRED)
|
retired=$(key_get KEY1 RETIRED)
|
||||||
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
|
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
|
||||||
# - The new key was published 40 hours ago.
|
# - The new key was published 38 hours ago.
|
||||||
created=$(key_get KEY2 CREATED)
|
created=$(key_get KEY2 CREATED)
|
||||||
set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000
|
set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
|
||||||
set_addkeytime "KEY2" "ACTIVE" "${created}" -144000
|
set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
|
||||||
published=$(key_get KEY2 PUBLISHED)
|
published=$(key_get KEY2 PUBLISHED)
|
||||||
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
|
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
|
||||||
|
|
||||||
@@ -5225,12 +5220,12 @@ check_subdomain
|
|||||||
dnssec_verify
|
dnssec_verify
|
||||||
|
|
||||||
# Next key event is when the RSASHA1 signatures become HIDDEN. This happens
|
# Next key event is when the RSASHA1 signatures become HIDDEN. This happens
|
||||||
# after the max-zone-ttl plus zone propagation delay plus retire safety
|
# after the max-zone-ttl plus zone propagation delay (6h + 1h) minus the
|
||||||
# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has
|
# time already passed since the UNRETENTIVE state has been reached (2h):
|
||||||
# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
|
# 7h - 2h = 5h = 18000 seconds. Prevent intermittent false positives on slow
|
||||||
# false positives on slow platforms by subtracting the number of seconds
|
# platforms by subtracting the number of seconds which passed between key
|
||||||
# which passed between key creation and invoking 'rndc reconfig'.
|
# creation and invoking 'rndc reconfig'.
|
||||||
next_time=$((25200 - time_passed))
|
next_time=$((18000 - time_passed))
|
||||||
check_next_key_event $next_time
|
check_next_key_event $next_time
|
||||||
|
|
||||||
#
|
#
|
||||||
@@ -5248,17 +5243,17 @@ wait_for_done_signing
|
|||||||
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
|
||||||
|
|
||||||
# Set expected key times:
|
# Set expected key times:
|
||||||
# - The old keys were activated 47 hours ago (169200 seconds)
|
# - The old keys were activated 45 hours ago (162000 seconds)
|
||||||
csk_rollover_predecessor_keytimes -169200
|
csk_rollover_predecessor_keytimes -162000
|
||||||
# - And retired 44 hours ago (158400 seconds).
|
# - And retired 42 hours ago (151200 seconds).
|
||||||
created=$(key_get KEY1 CREATED)
|
created=$(key_get KEY1 CREATED)
|
||||||
set_addkeytime "KEY1" "RETIRED" "${created}" -158400
|
set_addkeytime "KEY1" "RETIRED" "${created}" -151200
|
||||||
retired=$(key_get KEY1 RETIRED)
|
retired=$(key_get KEY1 RETIRED)
|
||||||
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
|
set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
|
||||||
# - The new key was published 47 hours ago.
|
# - The new key was published 47 hours ago.
|
||||||
created=$(key_get KEY2 CREATED)
|
created=$(key_get KEY2 CREATED)
|
||||||
set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200
|
set_addkeytime "KEY2" "PUBLISHED" "${created}" -162000
|
||||||
set_addkeytime "KEY2" "ACTIVE" "${created}" -169200
|
set_addkeytime "KEY2" "ACTIVE" "${created}" -162000
|
||||||
published=$(key_get KEY2 PUBLISHED)
|
published=$(key_get KEY2 PUBLISHED)
|
||||||
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
|
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
|
||||||
|
|
||||||
|
|||||||
107
lib/dns/keymgr.c
107
lib/dns/keymgr.c
@@ -189,13 +189,19 @@ dns_keymgr_settime_syncpublish(dst_key_t *key, dns_kasp_t *kasp, bool first) {
|
|||||||
isc_stdtime_t zrrsig_present;
|
isc_stdtime_t zrrsig_present;
|
||||||
dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
|
dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
|
||||||
zrrsig_present = published + ttlsig +
|
zrrsig_present = published + ttlsig +
|
||||||
dns_kasp_zonepropagationdelay(kasp) +
|
dns_kasp_zonepropagationdelay(kasp);
|
||||||
dns_kasp_publishsafety(kasp);
|
|
||||||
if (zrrsig_present > syncpublish) {
|
if (zrrsig_present > syncpublish) {
|
||||||
syncpublish = zrrsig_present;
|
syncpublish = zrrsig_present;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncpublish);
|
dst_key_settime(key, DST_TIME_SYNCPUBLISH, syncpublish);
|
||||||
|
|
||||||
|
uint32_t lifetime = 0;
|
||||||
|
ret = dst_key_getnum(key, DST_NUM_LIFETIME, &lifetime);
|
||||||
|
if (ret == ISC_R_SUCCESS && lifetime > 0) {
|
||||||
|
dst_key_settime(key, DST_TIME_SYNCDELETE,
|
||||||
|
(syncpublish + lifetime));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
@@ -243,6 +249,17 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
|
|||||||
pub = now;
|
pub = now;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* To calculate phase out times ("Retired", "Removed", ...),
|
||||||
|
* the key lifetime is required.
|
||||||
|
*/
|
||||||
|
uint32_t klifetime = 0;
|
||||||
|
ret = dst_key_getnum(key->key, DST_NUM_LIFETIME, &klifetime);
|
||||||
|
if (ret != ISC_R_SUCCESS) {
|
||||||
|
dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime);
|
||||||
|
klifetime = lifetime;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Calculate prepublication time.
|
* Calculate prepublication time.
|
||||||
*/
|
*/
|
||||||
@@ -272,13 +289,16 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
|
|||||||
dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp,
|
dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp,
|
||||||
true);
|
true);
|
||||||
syncpub2 = pub + ttlsig +
|
syncpub2 = pub + ttlsig +
|
||||||
dns_kasp_publishsafety(kasp) +
|
|
||||||
dns_kasp_zonepropagationdelay(kasp);
|
dns_kasp_zonepropagationdelay(kasp);
|
||||||
}
|
}
|
||||||
|
|
||||||
syncpub = ISC_MAX(syncpub1, syncpub2);
|
syncpub = ISC_MAX(syncpub1, syncpub2);
|
||||||
dst_key_settime(key->key, DST_TIME_SYNCPUBLISH,
|
dst_key_settime(key->key, DST_TIME_SYNCPUBLISH,
|
||||||
syncpub);
|
syncpub);
|
||||||
|
if (klifetime > 0) {
|
||||||
|
dst_key_settime(key->key, DST_TIME_SYNCDELETE,
|
||||||
|
(syncpub + klifetime));
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -291,13 +311,6 @@ keymgr_prepublication_time(dns_dnsseckey_t *key, dns_kasp_t *kasp,
|
|||||||
|
|
||||||
ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
|
ret = dst_key_gettime(key->key, DST_TIME_INACTIVE, &retire);
|
||||||
if (ret != ISC_R_SUCCESS) {
|
if (ret != ISC_R_SUCCESS) {
|
||||||
uint32_t klifetime = 0;
|
|
||||||
|
|
||||||
ret = dst_key_getnum(key->key, DST_NUM_LIFETIME, &klifetime);
|
|
||||||
if (ret != ISC_R_SUCCESS) {
|
|
||||||
dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime);
|
|
||||||
klifetime = lifetime;
|
|
||||||
}
|
|
||||||
if (klifetime == 0) {
|
if (klifetime == 0) {
|
||||||
/*
|
/*
|
||||||
* No inactive time and no lifetime,
|
* No inactive time and no lifetime,
|
||||||
@@ -398,7 +411,7 @@ keymgr_key_update_lifetime(dns_dnsseckey_t *key, dns_kasp_t *kasp,
|
|||||||
/* Initialize lifetime. */
|
/* Initialize lifetime. */
|
||||||
if (r != ISC_R_SUCCESS) {
|
if (r != ISC_R_SUCCESS) {
|
||||||
dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime);
|
dst_key_setnum(key->key, DST_NUM_LIFETIME, lifetime);
|
||||||
return;
|
l = lifetime - 1;
|
||||||
}
|
}
|
||||||
/* Skip keys that are still hidden or already retiring. */
|
/* Skip keys that are still hidden or already retiring. */
|
||||||
if (g != OMNIPRESENT) {
|
if (g != OMNIPRESENT) {
|
||||||
@@ -420,6 +433,7 @@ keymgr_key_update_lifetime(dns_dnsseckey_t *key, dns_kasp_t *kasp,
|
|||||||
} else {
|
} else {
|
||||||
dst_key_unsettime(key->key, DST_TIME_INACTIVE);
|
dst_key_unsettime(key->key, DST_TIME_INACTIVE);
|
||||||
dst_key_unsettime(key->key, DST_TIME_DELETE);
|
dst_key_unsettime(key->key, DST_TIME_DELETE);
|
||||||
|
dst_key_unsettime(key->key, DST_TIME_SYNCDELETE);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -1286,6 +1300,7 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
|
|||||||
isc_result_t ret;
|
isc_result_t ret;
|
||||||
isc_stdtime_t lastchange, dstime, nexttime = now;
|
isc_stdtime_t lastchange, dstime, nexttime = now;
|
||||||
dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
|
dns_ttl_t ttlsig = dns_kasp_zonemaxttl(kasp, true);
|
||||||
|
uint32_t dsstate;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* No need to wait if we move things into an uncertain state.
|
* No need to wait if we move things into an uncertain state.
|
||||||
@@ -1355,15 +1370,12 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
|
|||||||
* records. This translates to:
|
* records. This translates to:
|
||||||
*
|
*
|
||||||
* Dsgn + zone-propagation-delay + max-zone-ttl.
|
* Dsgn + zone-propagation-delay + max-zone-ttl.
|
||||||
*
|
|
||||||
* We will also add the retire-safety interval.
|
|
||||||
*/
|
*/
|
||||||
nexttime = lastchange + ttlsig +
|
nexttime = lastchange + ttlsig +
|
||||||
dns_kasp_zonepropagationdelay(kasp) +
|
dns_kasp_zonepropagationdelay(kasp);
|
||||||
dns_kasp_retiresafety(kasp);
|
|
||||||
/*
|
/*
|
||||||
* Only add the sign delay Dsgn if there is an actual
|
* Only add the sign delay Dsgn and retire-safety if
|
||||||
* predecessor or successor key.
|
* there is an actual predecessor or successor key.
|
||||||
*/
|
*/
|
||||||
uint32_t tag;
|
uint32_t tag;
|
||||||
ret = dst_key_getnum(key->key, DST_NUM_PREDECESSOR,
|
ret = dst_key_getnum(key->key, DST_NUM_PREDECESSOR,
|
||||||
@@ -1373,7 +1385,8 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
|
|||||||
DST_NUM_SUCCESSOR, &tag);
|
DST_NUM_SUCCESSOR, &tag);
|
||||||
}
|
}
|
||||||
if (ret == ISC_R_SUCCESS) {
|
if (ret == ISC_R_SUCCESS) {
|
||||||
nexttime += dns_kasp_signdelay(kasp);
|
nexttime += dns_kasp_signdelay(kasp) +
|
||||||
|
dns_kasp_retiresafety(kasp);
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
@@ -1399,35 +1412,36 @@ keymgr_transition_time(dns_dnsseckey_t *key, int type,
|
|||||||
* This translates to:
|
* This translates to:
|
||||||
*
|
*
|
||||||
* parent-propagation-delay + parent-ds-ttl.
|
* parent-propagation-delay + parent-ds-ttl.
|
||||||
*
|
|
||||||
* We will also add the retire-safety interval.
|
|
||||||
*/
|
*/
|
||||||
case OMNIPRESENT:
|
case OMNIPRESENT:
|
||||||
/* Make sure DS has been seen in the parent. */
|
|
||||||
ret = dst_key_gettime(key->key, DST_TIME_DSPUBLISH,
|
|
||||||
&dstime);
|
|
||||||
if (ret != ISC_R_SUCCESS || dstime > now) {
|
|
||||||
/* Not yet, try again in an hour. */
|
|
||||||
nexttime = now + 3600;
|
|
||||||
} else {
|
|
||||||
nexttime =
|
|
||||||
dstime + dns_kasp_dsttl(kasp) +
|
|
||||||
dns_kasp_parentpropagationdelay(kasp) +
|
|
||||||
dns_kasp_retiresafety(kasp);
|
|
||||||
}
|
|
||||||
break;
|
|
||||||
case HIDDEN:
|
case HIDDEN:
|
||||||
/* Make sure DS has been withdrawn from the parent. */
|
/* Make sure DS has been seen in/withdrawn from the
|
||||||
ret = dst_key_gettime(key->key, DST_TIME_DSDELETE,
|
* parent. */
|
||||||
&dstime);
|
dsstate = next_state == HIDDEN ? DST_TIME_DSDELETE
|
||||||
|
: DST_TIME_DSPUBLISH;
|
||||||
|
ret = dst_key_gettime(key->key, dsstate, &dstime);
|
||||||
if (ret != ISC_R_SUCCESS || dstime > now) {
|
if (ret != ISC_R_SUCCESS || dstime > now) {
|
||||||
/* Not yet, try again in an hour. */
|
/* Not yet, try again in an hour. */
|
||||||
nexttime = now + 3600;
|
nexttime = now + 3600;
|
||||||
} else {
|
} else {
|
||||||
nexttime =
|
nexttime =
|
||||||
dstime + dns_kasp_dsttl(kasp) +
|
dstime + dns_kasp_dsttl(kasp) +
|
||||||
dns_kasp_parentpropagationdelay(kasp) +
|
dns_kasp_parentpropagationdelay(kasp);
|
||||||
dns_kasp_retiresafety(kasp);
|
/*
|
||||||
|
* Only add the retire-safety if there is an
|
||||||
|
* actual predecessor or successor key.
|
||||||
|
*/
|
||||||
|
uint32_t tag;
|
||||||
|
ret = dst_key_getnum(key->key,
|
||||||
|
DST_NUM_PREDECESSOR, &tag);
|
||||||
|
if (ret != ISC_R_SUCCESS) {
|
||||||
|
ret = dst_key_getnum(key->key,
|
||||||
|
DST_NUM_SUCCESSOR,
|
||||||
|
&tag);
|
||||||
|
}
|
||||||
|
if (ret == ISC_R_SUCCESS) {
|
||||||
|
nexttime += dns_kasp_retiresafety(kasp);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
default:
|
default:
|
||||||
@@ -1763,8 +1777,10 @@ keymgr_key_rollover(dns_kasp_key_t *kaspkey, dns_dnsseckey_t *active_key,
|
|||||||
if (prepub == 0 || prepub > now) {
|
if (prepub == 0 || prepub > now) {
|
||||||
/* No need to start rollover now. */
|
/* No need to start rollover now. */
|
||||||
if (*nexttime == 0 || prepub < *nexttime) {
|
if (*nexttime == 0 || prepub < *nexttime) {
|
||||||
|
if (prepub > 0) {
|
||||||
*nexttime = prepub;
|
*nexttime = prepub;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
return ISC_R_SUCCESS;
|
return ISC_R_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -2022,6 +2038,20 @@ keymgr_purge_keyfile(dst_key_t *key, int type) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static bool
|
||||||
|
dst_key_doublematch(dns_dnsseckey_t *key, dns_kasp_t *kasp) {
|
||||||
|
int matches = 0;
|
||||||
|
|
||||||
|
for (dns_kasp_key_t *kkey = ISC_LIST_HEAD(dns_kasp_keys(kasp));
|
||||||
|
kkey != NULL; kkey = ISC_LIST_NEXT(kkey, link))
|
||||||
|
{
|
||||||
|
if (dns_kasp_key_match(kkey, key)) {
|
||||||
|
matches++;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return matches > 1;
|
||||||
|
}
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Examine 'keys' and match 'kasp' policy.
|
* Examine 'keys' and match 'kasp' policy.
|
||||||
*
|
*
|
||||||
@@ -2161,6 +2191,7 @@ dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
|
|||||||
* matches the kasp policy.
|
* matches the kasp policy.
|
||||||
*/
|
*/
|
||||||
if (!dst_key_is_unused(dkey->key) &&
|
if (!dst_key_is_unused(dkey->key) &&
|
||||||
|
!dst_key_doublematch(dkey, kasp) &&
|
||||||
(dst_key_goal(dkey->key) ==
|
(dst_key_goal(dkey->key) ==
|
||||||
OMNIPRESENT) &&
|
OMNIPRESENT) &&
|
||||||
!keymgr_dep(dkey->key, keyring,
|
!keymgr_dep(dkey->key, keyring,
|
||||||
|
|||||||
Reference in New Issue
Block a user