If we hit an error when issuing an 'rndc dnssec -step' command, and the keymgr runs again at a later scheduled time, we don't want to enforce transitions.
#!/bin/sh -e
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. ../../conf.sh

echo_i "ns3/setup.sh"

# Create the key store directories. mkdir without -p fails when a directory
# already exists, and the -e in the shebang then aborts the whole setup, so a
# clean test directory is assumed.
for keydir in ksk zsk; do
  mkdir "$keydir"
done

# Register a zone for the setup steps that follow.
# Arguments:
#   $1 - zone name
# Globals written (read by the blocks that call setup):
#   zone     - the zone name
#   zonefile - "<zone>.db"
#   infile   - "<zone>.db.infile"
# Side effects:
#   appends the zone name to the "zones" file in the current directory.
setup() {
  zone=$1
  zonefile="${zone}.db"
  infile="${zone}.db.infile"
  echo_i "setting up zone: $zone"
  printf '%s\n' "$zone" >>zones
}

# Link two keys as a rollover pair through their .state files:
# key $1 is the predecessor of key $2.
# Arguments:
#   $1 - key file name of the predecessor
#   $2 - key file name of the successor
# Side effects:
#   appends "Predecessor: <id of $1>" to "$2.state" and
#   "Successor: <id of $2>" to "$1.state".
key_successor() {
  id1=$(keyfile_to_key_id "$1")
  id2=$(keyfile_to_key_id "$2")
  printf 'Predecessor: %s\n' "$id1" >>"${2}.state"
  printf 'Successor: %s\n' "$id2" >>"${1}.state"
}

# Short aliases for the key state names so the dnssec-settime command lines
# below stay readable.
H=HIDDEN
R=RUMOURED
O=OMNIPRESENT
U=UNRETENTIVE

#
# Set up zones that will be initially signed.
#
# Each zone is registered with setup() (which records it in "zones") and
# gets a copy of the template zone file.
signed_zones="default dnssec-keygen some-keys legacy-keys pregenerated
rumoured rsasha256 rsasha512 ecdsa256 ecdsa384
dynamic dynamic-inline-signing inline-signing
checkds-ksk checkds-doubleksk checkds-csk inherit unlimited
keystore"
for zn in $signed_zones; do
  setup "${zn}.kasp"
  cp template.db.in "$zonefile"
done

#
# Setup special zone
#
# The zone name deliberately contains characters that are special to the
# shell. Inside double quotes only \" and \$ lose their backslash; the
# other backslashes are kept in the value. This zone is not passed through
# setup(), so it is not recorded in the "zones" file.
zone="i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp."
echo_i "setting up zone: $zone"
cp template.db.in "i-am.special.kasp.db"

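#
# Set up RSASHA1 based zones
#
# Whether RSASHA1 is usable is decided by conf.sh. The variable is quoted in
# the test: an unset value then simply compares false instead of making
# "[" report a syntax error. Both branches copy the template to the same
# "<zn>.kasp.db" file, so the copy is done once after the branch.
for zn in rsasha1 rsasha1-nsec3; do
  if [ "$RSASHA1_SUPPORTED" = 1 ]; then
    setup "${zn}.kasp"
  else
    # Unsupported: announce the zone but do not add it to "zones".
    echo_i "setting up zone: ${zn}.kasp"
  fi
  cp template.db.in "${zn}.kasp.db"
done
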
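# ED25519 is optional; the flag comes from conf.sh. Quoted so an unset value
# compares false instead of producing a "[" syntax error.
if [ "$ED25519_SUPPORTED" = 1 ]; then
  setup "ed25519.kasp"
  cp template.db.in "$zonefile"
  # The zone's named.conf snippet is only appended when the algorithm is
  # available.
  cat ed25519.conf >>named.conf
fi
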
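# ED448 is optional; the flag comes from conf.sh. Quoted so an unset value
# compares false instead of producing a "[" syntax error.
if [ "$ED448_SUPPORTED" = 1 ]; then
  setup "ed448.kasp"
  cp template.db.in "$zonefile"
  # The zone's named.conf snippet is only appended when the algorithm is
  # available.
  cat ed448.conf >>named.conf
fi
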
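# Set up zones that stay unsigned.
# These are not registered through setup(), so they do not appear in the
# "zones" file; the variables are set by hand for consistency with the
# signed zones.
for zn in unsigned insecure max-zone-ttl; do
  zone="${zn}.kasp"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  infile="${zone}.db.infile"
  # Quoted: the file names must not be subject to word splitting or globbing.
  cp template.db.in "$infile"
  cp template.db.in "$zonefile"
done
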
# Some of these zones already have keys.
zone="dnssec-keygen.kasp"
echo_i "setting up zone: $zone"
# Generate keys according to the "rsasha256" policy in policies/kasp.conf;
# the tool output is kept for debugging.
$KEYGEN -k rsasha256 -l policies/kasp.conf "$zone" >"keygen.out.${zone}.1" 2>&1

zone="some-keys.kasp"
echo_i "setting up zone: $zone"
# -G generates the keys without publishing them or signing with them;
# -L 1234 sets the DNSKEY TTL.
$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 "$zone" >"keygen.out.${zone}.1" 2>&1
$KEYGEN -G -a RSASHA256 -f KSK -L 1234 "$zone" >"keygen.out.${zone}.2" 2>&1

zone="legacy-keys.kasp"
echo_i "setting up zone: $zone"
ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 "$zone" 2>"keygen.out.${zone}.1")
KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 "$zone" 2>"keygen.out.${zone}.2")
# Record the names of the current keys.
printf '%s\n' "$ZSK" >legacy-keys.kasp.zsk
printf '%s\n' "$KSK" >legacy-keys.kasp.ksk
# Predecessor keys: published and activated nine months ago, inactive and
# deleted three months ago.
Tact="now-9mo"
Tret="now-3mo"
ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 "$zone" 2>"keygen.out.${zone}.3")
KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 "$zone" 2>"keygen.out.${zone}.4")
$SETTIME -P "$Tact" -A "$Tact" -I "$Tret" -D "$Tret" "$ZSK" >"settime.out.${zone}.1" 2>&1
$SETTIME -P "$Tact" -A "$Tact" -I "$Tret" -D "$Tret" "$KSK" >"settime.out.${zone}.2" 2>&1

zone="pregenerated.kasp"
echo_i "setting up zone: $zone"
# Two key sets generated from the policy (-G: not published, not used for
# signing yet).
$KEYGEN -G -k rsasha256 -l policies/kasp.conf "$zone" >"keygen.out.${zone}.1" 2>&1
$KEYGEN -G -k rsasha256 -l policies/kasp.conf "$zone" >"keygen.out.${zone}.2" 2>&1

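zone="rumoured.kasp"
echo_i "setting up zone: $zone"
# Keys are published now and become active tomorrow. Their DNSKEY and
# RRSIG states are set to RUMOURED (the KSK's DS state to HIDDEN) with the
# goal OMNIPRESENT.
Tpub="now"
Tact="now+1d"
keytimes="-P ${Tpub} -A ${Tact}"
# $keytimes is expanded unquoted on purpose: it carries several options.
KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $keytimes "$zone" 2>"keygen.out.${zone}.1")
ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes "$zone" 2>"keygen.out.${zone}.2")
ZSK2=$($KEYGEN -a RSASHA256 -L 1234 $keytimes "$zone" 2>"keygen.out.${zone}.3")
$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" >"settime.out.${zone}.1" 2>&1
$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" >"settime.out.${zone}.2" 2>&1
# Each dnssec-settime run gets its own output file; ZSK2 previously wrote to
# .2 and overwrote the ZSK1 output.
$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" >"settime.out.${zone}.3" 2>&1
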
#
# Set up zones that are already signed.
#

# We are signing the raw version of the zone here. This is unusual and not a
# common operation, but we want to make sure that in such a case BIND 9 does
# not schedule a resigning operation on the raw version. Expired signatures
# are added so that a resign is imminent.
setup dynamic-signed-inline-signing.kasp
T="now-1d"
# The CSK is published and activated a day ago; "-P sync" sets its
# CDS/CDNSKEY publication time. $csktimes is expanded unquoted on purpose:
# it carries several options.
csktimes="-P $T -A $T -P sync $T"
CSK=$($KEYGEN -K keys -a $DEFAULT_ALGORITHM -L 3600 -f KSK $csktimes "$zone" 2>"keygen.out.${zone}.1")
$SETTIME -s -g $O -d $O $T -k $O $T -z $O $T -r $O $T "keys/$CSK" >"settime.out.${zone}.1" 2>&1
# Input zone: template, the CSK's DNSKEY record and its private-type record.
cat template.db.in "keys/${CSK}.key" >"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "keys/$CSK" >>"$infile"
cp "$infile" "$zonefile"
# Signatures valid from two weeks ago until one minute ago, i.e. expired.
$SIGNER -PS -K keys -z -x -s now-2w -e now-1mi -o "$zone" -f "${zonefile}.signed" "$infile" >"signer.out.${zone}.1" 2>&1

# Treat the next zones as if they were signed six months ago: keys below are
# published and activated at $T. $keytimes is expanded unquoted on purpose.
T="now-6mo"
keytimes="-P $T -A $T"

# These signatures are set to expire long in the past, update immediately.
setup expired-sigs.autosign
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $keytimes "$zone" 2>"keygen.out.${zone}.1")
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $keytimes "$zone" 2>"keygen.out.${zone}.2")
# All key states OMNIPRESENT as of $T.
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >"settime.out.${zone}.1" 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >"settime.out.${zone}.2" 2>&1
# Input zone: template, both DNSKEY records and their private-type records.
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
# Signatures valid from two months ago until one month ago: already expired.
$SIGNER -PS -x -s now-2mo -e now-1mo -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.${zone}.1" 2>&1

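# The DNSKEY's TTLs do not match the policy.
setup dnskey-ttl-mismatch.autosign
# -L 30 sets a DNSKEY TTL that differs from the policy's.
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 30 -f KSK $keytimes "$zone" 2>"keygen.out.${zone}.1")
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 30 $keytimes "$zone" 2>"keygen.out.${zone}.2")
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >"settime.out.${zone}.1" 2>&1
# The ZSK name used to be passed as "$ZSK " (trailing space inside the
# quotes), which is not a valid key file name.
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >"settime.out.${zone}.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
# NOTE(review): unlike the neighbouring zones, no private-type records are
# appended to the input here - confirm this is intentional.
cp "$infile" "$zonefile"
$SIGNER -PS -x -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.${zone}.1" 2>&1
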
# These signatures are still good, and can be reused.
setup fresh-sigs.autosign
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $keytimes "$zone" 2>"keygen.out.${zone}.1")
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $keytimes "$zone" 2>"keygen.out.${zone}.2")
# All key states OMNIPRESENT as of $T.
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >"settime.out.${zone}.1" 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >"settime.out.${zone}.2" 2>&1
# Input zone: template, both DNSKEY records and their private-type records.
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
# Signatures valid from an hour ago until two weeks from now.
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.${zone}.1" 2>&1

# These signatures are still good, but not fresh enough, update immediately.
setup unfresh-sigs.autosign
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $keytimes "$zone" 2>"keygen.out.${zone}.1")
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $keytimes "$zone" 2>"keygen.out.${zone}.2")
# All key states OMNIPRESENT as of $T.
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >"settime.out.${zone}.1" 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >"settime.out.${zone}.2" 2>&1
# Input zone: template, both DNSKEY records and their private-type records.
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
# Signatures valid from a week ago until a week from now.
$SIGNER -S -x -s now-1w -e now+1w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.${zone}.1" 2>&1

# These signatures are still good, but the private KSK is missing.
setup ksk-missing.autosign
# The KSK's private file is removed at the end of this block, so the
# expected times are set here during setup.
TI="now+550d"     # Lifetime of 2 years minus 6 months equals 550 days
TD="now+13226h"   # 550 days plus retire time of 1 day 2 hours equals 13226 hours
TS="now-257755mi" # 6 months minus 1 day, 5 minutes equals 257755 minutes
# $ksktimes and $keytimes are expanded unquoted on purpose.
ksktimes="$keytimes -P sync $TS -I $TI -D $TD"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.${zone}.1")
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $keytimes "$zone" 2>"keygen.out.${zone}.2")
# All key states OMNIPRESENT as of $T.
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >"settime.out.${zone}.1" 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >"settime.out.${zone}.2" 2>&1
# Input zone: template, both DNSKEY records and their private-type records.
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
# Signatures valid from a week ago until a week from now.
$SIGNER -S -x -s now-1w -e now+1w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.${zone}.1" 2>&1
# Role and lifetime are normally derived from the private file; record them
# in the state file before that file is deleted.
printf 'KSK: yes\n' >>"${KSK}.state"
printf 'ZSK: no\n' >>"${KSK}.state"
printf 'Lifetime: 63072000\n' >>"${KSK}.state" # PT2Y
rm -f "${KSK}.private"

# These signatures are still good, but the private ZSK is missing.
setup zsk-missing.autosign
# The ZSK's private file is removed at the end of this block, so the
# expected times are set here during setup.
TI="now+185d"     # Lifetime of 1 year minus 6 months equals 185 days
TD="now+277985mi" # 185 days plus retire time (sign delay, retire safety, propagation, zone TTL)
# $zsktimes and $keytimes are expanded unquoted on purpose.
zsktimes="$keytimes -I $TI -D $TD"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $keytimes "$zone" 2>"keygen.out.${zone}.1")
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes "$zone" 2>"keygen.out.${zone}.2")
# All key states OMNIPRESENT as of $T.
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >"settime.out.${zone}.1" 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >"settime.out.${zone}.2" 2>&1
# Input zone: template, both DNSKEY records and their private-type records.
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
# Signatures valid from a week ago until a week from now.
$SIGNER -S -x -s now-1w -e now+1w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.${zone}.1" 2>&1
# Role and lifetime are normally derived from the private file; record them
# in the state file before that file is deleted.
printf 'KSK: no\n' >>"${ZSK}.state"
printf 'ZSK: yes\n' >>"${ZSK}.state"
printf 'Lifetime: 31536000\n' >>"${ZSK}.state" # PT1Y
rm -f "${ZSK}.private"

# These signatures are still good, but the key files will be removed
# before a second run of reconfiguring keys.
setup keyfiles-missing.autosign
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $keytimes "$zone" 2>"keygen.out.${zone}.1")
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $keytimes "$zone" 2>"keygen.out.${zone}.2")
# All key states OMNIPRESENT as of $T.
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >"settime.out.${zone}.1" 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >"settime.out.${zone}.2" 2>&1
# Input zone: template, both DNSKEY records and their private-type records.
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
# Signatures valid from a week ago until a week from now.
$SIGNER -S -x -s now-1w -e now+1w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.${zone}.1" 2>&1

# These signatures are still good, but the key files will be removed
# before a second run of reconfiguring keys, now in manual-mode.
setup keyfiles-missing.manual
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $keytimes "$zone" 2>"keygen.out.${zone}.1")
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $keytimes "$zone" 2>"keygen.out.${zone}.2")
# All key states OMNIPRESENT as of $T.
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >"settime.out.${zone}.1" 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >"settime.out.${zone}.2" 2>&1
# Input zone: template, both DNSKEY records and their private-type records.
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
# Signatures valid from a week ago until a week from now.
$SIGNER -S -x -s now-1w -e now+1w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.${zone}.1" 2>&1

# These signatures are already expired, and the private ZSK is retired.
setup zsk-retired.autosign
# The ZSK becomes inactive (-I) right now. $zsktimes and $keytimes are
# expanded unquoted on purpose.
zsktimes="$keytimes -I now"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $keytimes "$zone" 2>"keygen.out.${zone}.1")
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes "$zone" 2>"keygen.out.${zone}.2")
# All key states OMNIPRESENT as of $T.
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >"settime.out.${zone}.1" 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >"settime.out.${zone}.2" 2>&1
# Input zone: template, both DNSKEY records and their private-type records.
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
private_type_record "$zone" $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
# Signatures valid from two weeks ago until one minute ago, i.e. expired.
$SIGNER -PS -x -s now-2w -e now-1mi -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.${zone}.1" 2>&1
# The retired ZSK's goal becomes HIDDEN.
$SETTIME -s -g HIDDEN "$ZSK" >"settime.out.${zone}.3" 2>&1

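# An old key that is being purged should not prevent the keymgr from running.
# Published and activated two years ago, inactive and deleted a year ago.
T1="now-1y"
T2="now-2y"
# $oldtimes is expanded unquoted on purpose: it carries several options.
oldtimes="-P $T2 -A $T2 -I $T1 -D $T1"
OLD=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $oldtimes "$zone" 2>"keygen.out.${zone}.3")
# All of the old key's states are HIDDEN as of $T1. Written to .4 because
# settime.out.$zone.3 already holds the output of the retired ZSK's
# "-g HIDDEN" run above; writing to .3 here overwrote it.
$SETTIME -s -g $H -k $H $T1 -z $H $T1 "$OLD" >"settime.out.${zone}.4" 2>&1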