* information regarding copyright ownership.
*/
-dnssec-policy "csk-algoroll" {
+dnssec-policy "csk-algoroll-kasp" {
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ keys {
+ csk lifetime unlimited algorithm rsasha256;
+ };
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ zone-propagation-delay 3600;
+ max-zone-ttl 6h;
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
+
+dnssec-policy "csk-algoroll-manual" {
+ manual-mode yes;
+
signatures-refresh P5D;
signatures-validity 30d;
signatures-validity-dnskey 30d;
* information regarding copyright ownership.
*/
-dnssec-policy "csk-algoroll" {
+dnssec-policy "csk-algoroll-kasp" {
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ keys {
+ csk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ zone-propagation-delay 3600;
+ max-zone-ttl 6h;
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
+
+dnssec-policy "csk-algoroll-manual" {
+ manual-mode yes;
+
signatures-refresh P5D;
signatures-validity 30d;
signatures-validity-dnskey 30d;
{% set csk_roll = csk_roll | default(False) %}
{% set _csk_file = "csk1.conf" if not csk_roll else "csk2.conf" %}
+{% set zones = ["kasp", "manual"] %}
include "@_csk_file@";
include "named.common.conf";
-zone "step1.csk-algorithm-roll.kasp" {
+{% for tld in zones %}
+zone "step1.csk-algorithm-roll.@tld@" {
type primary;
- file "step1.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
+ file "step1.csk-algorithm-roll.@tld@.db";
+ dnssec-policy "csk-algoroll-@tld@";
};
{% if csk_roll %}
-zone "step2.csk-algorithm-roll.kasp" {
+zone "step2.csk-algorithm-roll.@tld@" {
type primary;
- file "step2.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
+ file "step2.csk-algorithm-roll.@tld@.db";
+ dnssec-policy "csk-algoroll-@tld@";
};
-zone "step3.csk-algorithm-roll.kasp" {
+zone "step3.csk-algorithm-roll.@tld@" {
type primary;
- file "step3.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
+ file "step3.csk-algorithm-roll.@tld@.db";
+ dnssec-policy "csk-algoroll-@tld@";
};
-zone "step4.csk-algorithm-roll.kasp" {
+zone "step4.csk-algorithm-roll.@tld@" {
type primary;
- file "step4.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
+ file "step4.csk-algorithm-roll.@tld@.db";
+ dnssec-policy "csk-algoroll-@tld@";
};
-zone "step5.csk-algorithm-roll.kasp" {
+zone "step5.csk-algorithm-roll.@tld@" {
type primary;
- file "step5.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
+ file "step5.csk-algorithm-roll.@tld@.db";
+ dnssec-policy "csk-algoroll-@tld@";
};
-zone "step6.csk-algorithm-roll.kasp" {
+zone "step6.csk-algorithm-roll.@tld@" {
type primary;
- file "step6.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
+ file "step6.csk-algorithm-roll.@tld@.db";
+ dnssec-policy "csk-algoroll-@tld@";
};
{% endif %}
+{% endfor %}
U="UNRETENTIVE"
#
-# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
+# The zones at csk-algorithm-roll.$tld represent the various steps of a CSK
# algorithm rollover.
#
-# Step 1:
-# Introduce the first key. This will immediately be active.
-setup step1.csk-algorithm-roll.kasp
-echo "$zone" >>zones
-TactN="now-7d"
-TsbmN="now-161h"
-csktimes="-P ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" >"$infile"
-private_type_record $zone 5 "$CSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+for tld in kasp manual; do
+ # Step 1:
+ # Introduce the first key. This will immediately be active.
+ setup step1.csk-algorithm-roll.$tld
+ echo "$zone" >>zones
+ TactN="now-7d"
+ TsbmN="now-161h"
+ csktimes="-P ${TactN} -A ${TactN}"
+ CSK=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+ cat template.db.in "${CSK}.key" >"$infile"
+ private_type_record $zone 5 "$CSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 2:
-# After the publication interval has passed the DNSKEY is OMNIPRESENT.
-setup step2.csk-algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 3 hours.
-TpubN1="now-3h"
-# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp = now - 3h + 6h + 1h = now + 4h
-TsbmN1="now+4h"
-csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I now"
-newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone 5 "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 2:
+ # After the publication interval has passed the DNSKEY is OMNIPRESENT.
+ setup step2.csk-algorithm-roll.$tld
+ # The time passed since the new algorithm keys have been introduced is 3 hours.
+ TpubN1="now-3h"
+ # Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp = now - 3h + 6h + 1h = now + 4h
+ TsbmN1="now+4h"
+ csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I now"
+ newtimes="-P ${TpubN1} -A ${TpubN1}"
+ CSK1=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+ CSK2=$($KEYGEN -k csk-algoroll-$tld -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
+ # Fake lifetime of old algorithm keys.
+ echo "Lifetime: 0" >>"${CSK1}.state"
+ cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+ private_type_record $zone 5 "$CSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 3:
-# The zone signatures are also OMNIPRESENT.
-setup step3.csk-algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 7 hours.
-TpubN1="now-7h"
-TsbmN1="now"
-ckstimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
-newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone 5 "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 3:
+ # The zone signatures are also OMNIPRESENT.
+ setup step3.csk-algorithm-roll.$tld
+ # The time passed since the new algorithm keys have been introduced is 7 hours.
+ TpubN1="now-7h"
+ TsbmN1="now"
+ ckstimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+ newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+ CSK1=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+ CSK2=$($KEYGEN -k csk-algoroll-$tld -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
+ # Fake lifetime of old algorithm keys.
+ echo "Lifetime: 0" >>"${CSK1}.state"
+ cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+ private_type_record $zone 5 "$CSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 4:
-# The DS is swapped and can become OMNIPRESENT.
-setup step4.csk-algorithm-roll.kasp
-# The time passed since the DS has been swapped is 3 hours.
-TpubN1="now-10h"
-TsbmN1="now-3h"
-csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
-newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TsbmN1 -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone 5 "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 4:
+ # The DS is swapped and can become OMNIPRESENT.
+ setup step4.csk-algorithm-roll.$tld
+ # The time passed since the DS has been swapped is 3 hours.
+ TpubN1="now-10h"
+ TsbmN1="now-3h"
+ csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+ newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+ CSK1=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+ CSK2=$($KEYGEN -k csk-algoroll-$tld -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TsbmN1 -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
+ # Fake lifetime of old algorithm keys.
+ echo "Lifetime: 0" >>"${CSK1}.state"
+ cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+ private_type_record $zone 5 "$CSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 5:
-# The DNSKEY is removed long enough to be HIDDEN.
-setup step5.csk-algorithm-roll.kasp
-# The time passed since the DNSKEY has been removed is 2 hours.
-TpubN1="now-12h"
-TsbmN1="now-5h"
-csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
-newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TactN -r $U $TactN -z $U $TsbmN1 -d $H $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $O $TsbmN1 -d $O $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone 5 "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 5:
+ # The DNSKEY is removed long enough to be HIDDEN.
+ setup step5.csk-algorithm-roll.$tld
+ # The time passed since the DNSKEY has been removed is 2 hours.
+ TpubN1="now-12h"
+ TsbmN1="now-5h"
+ csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+ newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+ CSK1=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+ CSK2=$($KEYGEN -k csk-algoroll-$tld -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $U $TactN -r $U $TactN -z $U $TsbmN1 -d $H $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $O $TsbmN1 -d $O $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
+ # Fake lifetime of old algorithm keys.
+ echo "Lifetime: 0" >>"${CSK1}.state"
+ cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+ private_type_record $zone 5 "$CSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 6:
-# The RRSIGs have been removed long enough to be HIDDEN.
-setup step6.csk-algorithm-roll.kasp
-# Additional time passed: 7h.
-TpubN1="now-19h"
-TsbmN1="now-12h"
-csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
-newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $H $TactN -r $U $TactN -z $U $TactN -d $H $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone 5 "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 6:
+ # The RRSIGs have been removed long enough to be HIDDEN.
+ setup step6.csk-algorithm-roll.$tld
+ # Additional time passed: 7h.
+ TpubN1="now-19h"
+ TsbmN1="now-12h"
+ csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+ newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+ CSK1=$($KEYGEN -k csk-algoroll-$tld -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+ CSK2=$($KEYGEN -k csk-algoroll-$tld -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $H $TactN -r $U $TactN -z $U $TactN -d $H $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
+ # Fake lifetime of old algorithm keys.
+ echo "Lifetime: 0" >>"${CSK1}.state"
+ cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+ private_type_record $zone 5 "$CSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+done
# pylint: disable=redefined-outer-name,unused-import
+import pytest
+
import isctest
+from isctest.util import param
from rollover.common import (
pytestmark,
CDSS,
)
-def test_algoroll_csk_initial(ns6):
+@pytest.mark.parametrize(
+ "tld, policy",
+ [
+ param("kasp", "csk-algoroll"),
+ param("manual", "csk-algoroll-manual"),
+ ],
+)
+def test_algoroll_csk_initial(ns6, tld, policy):
config = ALGOROLL_CONFIG
- policy = "csk-algoroll"
- zone = "step1.csk-algorithm-roll.kasp"
+ zone = f"step1.csk-algorithm-roll.{tld}"
isctest.kasp.wait_keymgr_done(ns6, zone)
* information regarding copyright ownership.
*/
-dnssec-policy "rsasha256" {
+dnssec-policy "rsasha256-kasp" {
signatures-refresh P5D;
signatures-validity 30d;
signatures-validity-dnskey 30d;
parent-ds-ttl 7200;
};
-dnssec-policy "ecdsa256" {
+dnssec-policy "rsasha256-manual" {
+ manual-mode yes;
+
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ keys {
+ ksk lifetime unlimited algorithm rsasha256;
+ zsk lifetime unlimited algorithm rsasha256;
+ };
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ zone-propagation-delay 3600;
+ max-zone-ttl 6h;
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
+
+dnssec-policy "ecdsa256-kasp" {
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ keys {
+ ksk lifetime unlimited algorithm ecdsa256;
+ zsk lifetime unlimited algorithm ecdsa256;
+ };
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ zone-propagation-delay 3600;
+ max-zone-ttl 6h;
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
+
+dnssec-policy "ecdsa256-manual" {
+ manual-mode yes;
+
signatures-refresh P5D;
signatures-validity 30d;
signatures-validity-dnskey 30d;
{% set alg_roll = alg_roll | default(False) %}
{% set policy = "rsasha256" if not alg_roll else "ecdsa256" %}
+{% set zones = ["kasp", "manual"] %}
include "kasp.conf";
include "named.common.conf";
-zone "step1.algorithm-roll.kasp" {
+{% for tld in zones %}
+zone "step1.algorithm-roll.@tld@" {
type primary;
- file "step1.algorithm-roll.kasp.db";
- dnssec-policy @policy@;
+ file "step1.algorithm-roll.@tld@.db";
+ dnssec-policy @policy@-@tld@;
};
{% if alg_roll %}
-zone "step2.algorithm-roll.kasp" {
+zone "step2.algorithm-roll.@tld@" {
type primary;
- file "step2.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
+ file "step2.algorithm-roll.@tld@.db";
+ dnssec-policy "ecdsa256-@tld@";
};
-zone "step3.algorithm-roll.kasp" {
+zone "step3.algorithm-roll.@tld@" {
type primary;
- file "step3.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
+ file "step3.algorithm-roll.@tld@.db";
+ dnssec-policy "ecdsa256-@tld@";
};
-zone "step4.algorithm-roll.kasp" {
+zone "step4.algorithm-roll.@tld@" {
type primary;
- file "step4.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
+ file "step4.algorithm-roll.@tld@.db";
+ dnssec-policy "ecdsa256-@tld@";
};
-zone "step5.algorithm-roll.kasp" {
+zone "step5.algorithm-roll.@tld@" {
type primary;
- file "step5.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
+ file "step5.algorithm-roll.@tld@.db";
+ dnssec-policy "ecdsa256-@tld@";
};
-zone "step6.algorithm-roll.kasp" {
+zone "step6.algorithm-roll.@tld@" {
type primary;
- file "step6.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
+ file "step6.algorithm-roll.@tld@.db";
+ dnssec-policy "ecdsa256-@tld@";
};
+
{% endif %}
+{% endfor %}
U="UNRETENTIVE"
#
-# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
+# The zones at algorithm-roll.$tld represent the various steps of a ZSK/KSK
# algorithm rollover.
#
-# Step 1:
-# Introduce the first key. This will immediately be active.
-setup step1.algorithm-roll.kasp
-echo "$zone" >>zones
-TactN="now-7d"
-TsbmN="now-161h"
-ksktimes="-P ${TactN} -A ${TactN}"
-zsktimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
-private_type_record $zone 8 "$KSK" >>"$infile"
-private_type_record $zone 8 "$ZSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+for tld in kasp manual; do
+ # Step 1:
+ # Introduce the first key. This will immediately be active.
+ setup step1.algorithm-roll.$tld
+ echo "$zone" >>zones
+ TactN="now-7d"
+ TsbmN="now-161h"
+ ksktimes="-P ${TactN} -A ${TactN}"
+ zsktimes="-P ${TactN} -A ${TactN}"
+ KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+ cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+ private_type_record $zone 8 "$KSK" >>"$infile"
+ private_type_record $zone 8 "$ZSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 2:
-# After the publication interval has passed the DNSKEY is OMNIPRESENT.
-setup step2.algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 3 hours.
-TpubN1="now-3h"
-# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp = now - 3h + 6h + 1h = now + 4h
-TsbmN1="now+4h"
-ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
-zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
-ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${KSK1}.state"
-echo "Lifetime: 0" >>"${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone 8 "$KSK1" >>"$infile"
-private_type_record $zone 8 "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 2:
+ # After the publication interval has passed the DNSKEY is OMNIPRESENT.
+ setup step2.algorithm-roll.$tld
+ # The time passed since the new algorithm keys have been introduced is 3 hours.
+ TpubN1="now-3h"
+ # Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp = now - 3h + 6h + 1h = now + 4h
+ TsbmN1="now+4h"
+ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+ zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
+ ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+ zsk2times="-P ${TpubN1} -A ${TpubN1}"
+ KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+ KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+ $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+ $SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
+ $SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
+ # Fake lifetime of old algorithm keys.
+ echo "Lifetime: 0" >>"${KSK1}.state"
+ echo "Lifetime: 0" >>"${ZSK1}.state"
+ cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+ private_type_record $zone 8 "$KSK1" >>"$infile"
+ private_type_record $zone 8 "$ZSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 3:
-# The zone signatures are also OMNIPRESENT.
-setup step3.algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 7 hours.
-TpubN1="now-7h"
-TsbmN1="now"
-ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
-zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
-ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${KSK1}.state"
-echo "Lifetime: 0" >>"${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone 8 "$KSK1" >>"$infile"
-private_type_record $zone 8 "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 3:
+ # The zone signatures are also OMNIPRESENT.
+ setup step3.algorithm-roll.$tld
+ # The time passed since the new algorithm keys have been introduced is 7 hours.
+ TpubN1="now-7h"
+ TsbmN1="now"
+ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+ zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
+ ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+ zsk2times="-P ${TpubN1} -A ${TpubN1}"
+ KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+ KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+ $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+ $SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
+ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
+ # Fake lifetime of old algorithm keys.
+ echo "Lifetime: 0" >>"${KSK1}.state"
+ echo "Lifetime: 0" >>"${ZSK1}.state"
+ cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+ private_type_record $zone 8 "$KSK1" >>"$infile"
+ private_type_record $zone 8 "$ZSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 4:
-# The DS is swapped and can become OMNIPRESENT.
-setup step4.algorithm-roll.kasp
-# The time passed since the DS has been swapped is 3 hours.
-TpubN1="now-10h"
-TsbmN1="now-3h"
-ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
-zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
-ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${KSK1}.state"
-echo "Lifetime: 0" >>"${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone 8 "$KSK1" >>"$infile"
-private_type_record $zone 8 "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 4:
+ # The DS is swapped and can become OMNIPRESENT.
+ setup step4.algorithm-roll.$tld
+ # The time passed since the DS has been swapped is 3 hours.
+ TpubN1="now-10h"
+ TsbmN1="now-3h"
+ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+ zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
+ ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+ zsk2times="-P ${TpubN1} -A ${TpubN1}"
+ KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+ KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+ $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+ $SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
+ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
+ # Fake lifetime of old algorithm keys.
+ echo "Lifetime: 0" >>"${KSK1}.state"
+ echo "Lifetime: 0" >>"${ZSK1}.state"
+ cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+ private_type_record $zone 8 "$KSK1" >>"$infile"
+ private_type_record $zone 8 "$ZSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 5:
-# The DNSKEY is removed long enough to be HIDDEN.
-setup step5.algorithm-roll.kasp
-# The time passed since the DNSKEY has been removed is 2 hours.
-TpubN1="now-12h"
-TsbmN1="now-5h"
-ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
-zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
-ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
-$SETTIME -s -g $H -k $U $TsbmN1 -r $U $TsbmN1 -d $H $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $U $TsbmN1 -z $U $TsbmN1 "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${KSK1}.state"
-echo "Lifetime: 0" >>"${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone 8 "$KSK1" >>"$infile"
-private_type_record $zone 8 "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 5:
+ # The DNSKEY is removed long enough to be HIDDEN.
+ setup step5.algorithm-roll.$tld
+ # The time passed since the DNSKEY has been removed is 2 hours.
+ TpubN1="now-12h"
+ TsbmN1="now-5h"
+ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+ zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
+ ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+ zsk2times="-P ${TpubN1} -A ${TpubN1}"
+ KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+ KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+ $SETTIME -s -g $H -k $U $TsbmN1 -r $U $TsbmN1 -d $H $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $H -k $U $TsbmN1 -z $U $TsbmN1 "$ZSK1" >settime.out.$zone.2 2>&1
+ $SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
+ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
+ # Fake lifetime of old algorithm keys.
+ echo "Lifetime: 0" >>"${KSK1}.state"
+ echo "Lifetime: 0" >>"${ZSK1}.state"
+ cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+ private_type_record $zone 8 "$KSK1" >>"$infile"
+ private_type_record $zone 8 "$ZSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 6:
-# The RRSIGs have been removed long enough to be HIDDEN.
-setup step6.algorithm-roll.kasp
-# Additional time passed: 7h.
-TpubN1="now-19h"
-TsbmN1="now-12h"
-ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
-zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
-ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
-$SETTIME -s -g $H -k $H $TsbmN1 -r $U $TsbmN1 -d $H $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $H $TsbmN1 -z $U $TsbmN1 "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${KSK1}.state"
-echo "Lifetime: 0" >>"${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone 8 "$KSK1" >>"$infile"
-private_type_record $zone 8 "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 6:
+ # The RRSIGs have been removed long enough to be HIDDEN.
+ setup step6.algorithm-roll.$tld
+ # Additional time passed: 7h.
+ TpubN1="now-19h"
+ TsbmN1="now-12h"
+ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+ zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
+ ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+ zsk2times="-P ${TpubN1} -A ${TpubN1}"
+ KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+ KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+ $SETTIME -s -g $H -k $H $TsbmN1 -r $U $TsbmN1 -d $H $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $H -k $H $TsbmN1 -z $U $TsbmN1 "$ZSK1" >settime.out.$zone.2 2>&1
+ $SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
+ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
+ # Fake lifetime of old algorithm keys.
+ echo "Lifetime: 0" >>"${KSK1}.state"
+ echo "Lifetime: 0" >>"${ZSK1}.state"
+ cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+ private_type_record $zone 8 "$KSK1" >>"$infile"
+ private_type_record $zone 8 "$ZSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+done
# pylint: disable=unused-import
+import pytest
+
import isctest
+from isctest.util import param
from rollover.common import (
pytestmark,
CDSS,
)
-def test_algoroll_ksk_zsk_initial(ns6):
+@pytest.mark.parametrize(
+ "tld",
+ [
+ param("kasp"),
+ param("manual"),
+ ],
+)
+def test_algoroll_ksk_zsk_initial(ns6, tld):
config = ALGOROLL_CONFIG
- policy = "rsasha256"
- zone = "step1.algorithm-roll.kasp"
+ policy = f"rsasha256-{tld}"
+ zone = f"step1.algorithm-roll.{tld}"
isctest.kasp.wait_keymgr_done(ns6, zone)
* information regarding copyright ownership.
*/
-dnssec-policy "csk-roll1" {
+dnssec-policy "csk-roll1-autosign" {
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ purge-keys PT1H;
+
+ cds-digest-types { "sha-384"; }; // use a different digest type for testing purposes
+ keys {
+ csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ zone-propagation-delay 1h;
+ max-zone-ttl P1D;
+
+ parent-ds-ttl 1h;
+ parent-propagation-delay 1h;
+};
+
+dnssec-policy "csk-roll1-manual" {
+ manual-mode yes;
+
signatures-refresh P5D;
signatures-validity 30d;
signatures-validity-dnskey 30d;
* information regarding copyright ownership.
*/
+{% set zones = ["autosign", "manual"] %}
+
include "kasp.conf";
include "named.common.conf";
-zone "step1.csk-roll1.autosign" {
+{% for tld in zones %}
+zone "step1.csk-roll1.@tld@" {
type primary;
- file "step1.csk-roll1.autosign.db";
- dnssec-policy "csk-roll1";
+ file "step1.csk-roll1.@tld@.db";
+ dnssec-policy "csk-roll1-@tld@";
};
-zone "step2.csk-roll1.autosign" {
+zone "step2.csk-roll1.@tld@" {
type primary;
- file "step2.csk-roll1.autosign.db";
- dnssec-policy "csk-roll1";
+ file "step2.csk-roll1.@tld@.db";
+ dnssec-policy "csk-roll1-@tld@";
};
-zone "step3.csk-roll1.autosign" {
+zone "step3.csk-roll1.@tld@" {
type primary;
- file "step3.csk-roll1.autosign.db";
- dnssec-policy "csk-roll1";
+ file "step3.csk-roll1.@tld@.db";
+ dnssec-policy "csk-roll1-@tld@";
};
-zone "step4.csk-roll1.autosign" {
+zone "step4.csk-roll1.@tld@" {
type primary;
- file "step4.csk-roll1.autosign.db";
- dnssec-policy "csk-roll1";
+ file "step4.csk-roll1.@tld@.db";
+ dnssec-policy "csk-roll1-@tld@";
};
-zone "step5.csk-roll1.autosign" {
+zone "step5.csk-roll1.@tld@" {
type primary;
- file "step5.csk-roll1.autosign.db";
- dnssec-policy "csk-roll1";
+ file "step5.csk-roll1.@tld@.db";
+ dnssec-policy "csk-roll1-@tld@";
};
-zone "step6.csk-roll1.autosign" {
+zone "step6.csk-roll1.@tld@" {
type primary;
- file "step6.csk-roll1.autosign.db";
- dnssec-policy "csk-roll1";
+ file "step6.csk-roll1.@tld@.db";
+ dnssec-policy "csk-roll1-@tld@";
};
-zone "step7.csk-roll1.autosign" {
+zone "step7.csk-roll1.@tld@" {
type primary;
- file "step7.csk-roll1.autosign.db";
- dnssec-policy "csk-roll1";
+ file "step7.csk-roll1.@tld@.db";
+ dnssec-policy "csk-roll1-@tld@";
};
-zone "step8.csk-roll1.autosign" {
+zone "step8.csk-roll1.@tld@" {
type primary;
- file "step8.csk-roll1.autosign.db";
- dnssec-policy "csk-roll1";
+ file "step8.csk-roll1.@tld@.db";
+ dnssec-policy "csk-roll1-@tld@";
};
+
+{% endfor %}
U="UNRETENTIVE"
#
-# The zones at csk-roll1.autosign represent the various steps of a CSK rollover
+# The zones at csk-roll1.$tld represent the various steps of a CSK rollover
# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
#
-# Step 1:
-# Introduce the first key. This will immediately be active.
-setup step1.csk-roll1.autosign
-TactN="now-7d"
-keytimes="-P ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+for tld in autosign manual; do
+ # Step 1:
+ # Introduce the first key. This will immediately be active.
+ setup step1.csk-roll1.$tld
+ TactN="now-7d"
+ keytimes="-P ${TactN} -A ${TactN}"
+ CSK=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+ cat template.db.in "${CSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 2:
-# It is time to introduce the new CSK.
-setup step2.csk-roll1.autosign
-# According to RFC 7583:
-# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
-# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
-# IpubC = DprpC + TTLkey (+publish-safety)
-# Ipub = IpubC
-# Lcsk = Lksk = Lzsk
-#
-# Lcsk: 6mo (186d, 4464h)
-# Dreg: N/A
-# DprpC: 1h
-# TTLkey: 1h
-# publish-safety: 1h
-# Ipub: 3h
-#
-# Tact(N) = now - Lcsk + Ipub = now - 186d + 3h
-# = now - 4464h + 3h = now - 4461h
-TactN="now-4461h"
-keytimes="-P ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 2:
+ # It is time to introduce the new CSK.
+ setup step2.csk-roll1.$tld
+ # According to RFC 7583:
+ # KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
+ # ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
+ # IpubC = DprpC + TTLkey (+publish-safety)
+ # Ipub = IpubC
+ # Lcsk = Lksk = Lzsk
+ #
+ # Lcsk: 6mo (186d, 4464h)
+ # Dreg: N/A
+ # DprpC: 1h
+ # TTLkey: 1h
+ # publish-safety: 1h
+ # Ipub: 3h
+ #
+ # Tact(N) = now - Lcsk + Ipub = now - 186d + 3h
+ # = now - 4464h + 3h = now - 4461h
+ TactN="now-4461h"
+ keytimes="-P ${TactN} -A ${TactN}"
+ CSK=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+ cat template.db.in "${CSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 3:
-# It is time to submit the DS and to roll signatures.
-setup step3.csk-roll1.autosign
-# According to RFC 7583:
-#
-# Tsbm(N+1) >= Trdy(N+1)
-# KSK: Tact(N+1) = Tsbm(N+1)
-# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
-# KSK: Iret = DprpP + TTLds (+retire-safety)
-# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
-#
-# Lcsk: 186d
-# Dprp: 1h
-# DprpP: 1h
-# Dreg: N/A
-# Dsgn: 25d
-# TTLds: 1h
-# TTLsig: 1d
-# retire-safety: 2h
-# Iret: 4h
-# IretZ: 26d3h
-# Ipub: 3h
-#
-# Tpub(N) = now - Lcsk = now - 186d
-# Tact(N) = now - Lcsk + Dprp + TTLsig = now - 4439h
-# Tret(N) = now
-# Trem(N) = now + IretZ = now + 26d3h = now + 627h
-# Tpub(N+1) = now - Ipub = now - 3h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now + Lcsk = now + 186d = now + 186d
-# Trem(N+1) = now + Lcsk + IretZ = now + 186d + 26d3h =
-# = now + 5091h
-TpubN="now-186d"
-TactN="now-4439h"
-TretN="now"
-TremN="now+627h"
-TpubN1="now-3h"
-TactN1="${TretN}"
-TretN1="now+186d"
-TremN1="now+5091h"
-keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Set key rollover relationship.
-key_successor $CSK1 $CSK2
-# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 3:
+ # It is time to submit the DS and to roll signatures.
+ setup step3.csk-roll1.$tld
+ # According to RFC 7583:
+ #
+ # Tsbm(N+1) >= Trdy(N+1)
+ # KSK: Tact(N+1) = Tsbm(N+1)
+ # ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
+ # KSK: Iret = DprpP + TTLds (+retire-safety)
+ # ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
+ #
+ # Lcsk: 186d
+ # Dprp: 1h
+ # DprpP: 1h
+ # Dreg: N/A
+ # Dsgn: 25d
+ # TTLds: 1h
+ # TTLsig: 1d
+ # retire-safety: 2h
+ # Iret: 4h
+ # IretZ: 26d3h
+ # Ipub: 3h
+ #
+ # Tpub(N) = now - Lcsk = now - 186d
+ # Tact(N) = now - Lcsk + Dprp + TTLsig = now - 4439h
+ # Tret(N) = now
+ # Trem(N) = now + IretZ = now + 26d3h = now + 627h
+ # Tpub(N+1) = now - Ipub = now - 3h
+ # Tact(N+1) = Tret(N)
+ # Tret(N+1) = now + Lcsk = now + 186d = now + 186d
+ # Trem(N+1) = now + Lcsk + IretZ = now + 186d + 26d3h =
+ # = now + 5091h
+ TpubN="now-186d"
+ TactN="now-4439h"
+ TretN="now"
+ TremN="now+627h"
+ TpubN1="now-3h"
+ TactN1="${TretN}"
+ TretN1="now+186d"
+ TremN1="now+5091h"
+ keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
+ newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+ CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
+ # Set key rollover relationship.
+ key_successor $CSK1 $CSK2
+ # Sign zone.
+ cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 4:
-# Some time later all the ZRRSIG records should be from the new CSK, and the
-# DS should be swapped. The ZRRSIG records are all replaced after IretZ
-# (which is 26d3h). The DS is swapped after Iret (which is 4h).
-# In other words, the DS is swapped before all zone signatures are replaced.
-setup step4.csk-roll1.autosign
-# According to RFC 7583:
-# Trem(N) = Tret(N) - Iret + IretZ
-# now = Tsbm(N+1) + Iret
-#
-# Lcsk: 186d
-# Iret: 4h
-# IretZ: 26d3h
-#
-# Tpub(N) = now - Iret - Lcsk = now - 4h - 186d = now - 4468h
-# Tret(N) = now - Iret = now - 4h = now - 4h
-# Trem(N) = now - Iret + IretZ = now - 4h + 26d3h
-# = now + 623h
-# Tpub(N+1) = now - Iret - IpubC = now - 4h - 3h = now - 7h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now - Iret + Lcsk = now - 4h + 186d = now + 4460h
-# Trem(N+1) = now - Iret + Lcsk + IretZ = now - 4h + 186d + 26d3h
-# = now + 5087h
-TpubN="now-4468h"
-TactN="now-4443h"
-TretN="now-4h"
-TremN="now+623h"
-TpubN1="now-7h"
-TactN1="${TretN}"
-TretN1="now+4460h"
-TremN1="now+5087h"
-keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -z $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $R $TactN1 -z $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Set key rollover relationship.
-key_successor $CSK1 $CSK2
-# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 4:
+ # Some time later all the ZRRSIG records should be from the new CSK, and the
+ # DS should be swapped. The ZRRSIG records are all replaced after IretZ
+ # (which is 26d3h). The DS is swapped after Iret (which is 4h).
+ # In other words, the DS is swapped before all zone signatures are replaced.
+ setup step4.csk-roll1.$tld
+ # According to RFC 7583:
+ # Trem(N) = Tret(N) - Iret + IretZ
+ # now = Tsbm(N+1) + Iret
+ #
+ # Lcsk: 186d
+ # Iret: 4h
+ # IretZ: 26d3h
+ #
+ # Tpub(N) = now - Iret - Lcsk = now - 4h - 186d = now - 4468h
+ # Tret(N) = now - Iret = now - 4h = now - 4h
+ # Trem(N) = now - Iret + IretZ = now - 4h + 26d3h
+ # = now + 623h
+ # Tpub(N+1) = now - Iret - IpubC = now - 4h - 3h = now - 7h
+ # Tact(N+1) = Tret(N)
+ # Tret(N+1) = now - Iret + Lcsk = now - 4h + 186d = now + 4460h
+ # Trem(N+1) = now - Iret + Lcsk + IretZ = now - 4h + 186d + 26d3h
+ # = now + 5087h
+ TpubN="now-4468h"
+ TactN="now-4443h"
+ TretN="now-4h"
+ TremN="now+623h"
+ TpubN1="now-7h"
+ TactN1="${TretN}"
+ TretN1="now+4460h"
+ TremN1="now+5087h"
+ keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
+ newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+ CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -z $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $R $TactN1 -z $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
+ # Set key rollover relationship.
+ key_successor $CSK1 $CSK2
+ # Sign zone.
+ cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 5:
-# After the DS is swapped in step 4, also the KRRSIG records can be removed.
-# At this time these have all become hidden.
-setup step5.csk-roll1.autosign
-# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
-TpubN="now-4470h"
-TactN="now-4445h"
-TretN="now-6h"
-TremN="now+621h"
-TpubN1="now-9h"
-TactN1="${TretN}"
-TretN1="now+4458h"
-TremN1="now+5085h"
-keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O now-2h -z $R $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Set key rollover relationship.
-key_successor $CSK1 $CSK2
-# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 5:
+ # After the DS is swapped in step 4, also the KRRSIG records can be removed.
+ # At this time these have all become hidden.
+ setup step5.csk-roll1.$tld
+ # Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
+ TpubN="now-4470h"
+ TactN="now-4445h"
+ TretN="now-6h"
+ TremN="now+621h"
+ TpubN1="now-9h"
+ TactN1="${TretN}"
+ TretN1="now+4458h"
+ TremN1="now+5085h"
+ keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
+ newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+ CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O now-2h -z $R $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
+ # Set key rollover relationship.
+ key_successor $CSK1 $CSK2
+ # Sign zone.
+ cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 6:
-# After the retire interval has passed the predecessor DNSKEY can be
-# removed from the zone.
-setup step6.csk-roll1.autosign
-# According to RFC 7583:
-# Trem(N) = Tret(N) + IretZ
-# Tret(N) = Tact(N) + Lcsk
-#
-# Lcsk: 186d
-# Iret: 4h
-# IretZ: 26d3h
-#
-# Tpub(N) = now - IretZ - Lcsk = now - 627h - 186d
-# = now - 627h - 4464h = now - 5091h
-# Tact(N) = now - 627h - 186d
-# Tret(N) = now - IretZ = now - 627h
-# Trem(N) = now
-# Tpub(N+1) = now - IretZ - Ipub = now - 627h - 3h = now - 630h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now - IretZ + Lcsk = now - 627h + 186d = now + 3837h
-# Trem(N+1) = now + Lcsk = now + 186d
-TpubN="now-5091h"
-TactN="now-5066h"
-TretN="now-627h"
-TremN="now"
-TpubN1="now-630h"
-TactN1="${TretN}"
-TretN1="now+3837h"
-TremN1="now+186d"
-keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $R $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Set key rollover relationship.
-key_successor $CSK1 $CSK2
-# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 6:
+ # After the retire interval has passed the predecessor DNSKEY can be
+ # removed from the zone.
+ setup step6.csk-roll1.$tld
+ # According to RFC 7583:
+ # Trem(N) = Tret(N) + IretZ
+ # Tret(N) = Tact(N) + Lcsk
+ #
+ # Lcsk: 186d
+ # Iret: 4h
+ # IretZ: 26d3h
+ #
+ # Tpub(N) = now - IretZ - Lcsk = now - 627h - 186d
+ # = now - 627h - 4464h = now - 5091h
+ # Tact(N) = now - 627h - 186d
+ # Tret(N) = now - IretZ = now - 627h
+ # Trem(N) = now
+ # Tpub(N+1) = now - IretZ - Ipub = now - 627h - 3h = now - 630h
+ # Tact(N+1) = Tret(N)
+ # Tret(N+1) = now - IretZ + Lcsk = now - 627h + 186d = now + 3837h
+ # Trem(N+1) = now + Lcsk = now + 186d
+ TpubN="now-5091h"
+ TactN="now-5066h"
+ TretN="now-627h"
+ TremN="now"
+ TpubN1="now-630h"
+ TactN1="${TretN}"
+ TretN1="now+3837h"
+ TremN1="now+186d"
+ keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
+ newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+ CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $R $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
+ # Set key rollover relationship.
+ key_successor $CSK1 $CSK2
+ # Sign zone.
+ cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 7:
-# Some time later the predecessor DNSKEY enters the HIDDEN state.
-setup step7.csk-roll1.autosign
-# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
-TpubN="now-5093h"
-TactN="now-5068h"
-TretN="now-629h"
-TremN="now-2h"
-TpubN1="now-632h"
-TactN1="${TretN}"
-TretN1="now+3835h"
-TremN1="now+4462h"
-keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Set key rollover relationship.
-key_successor $CSK1 $CSK2
-# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 7:
+ # Some time later the predecessor DNSKEY enters the HIDDEN state.
+ setup step7.csk-roll1.$tld
+ # Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
+ TpubN="now-5093h"
+ TactN="now-5068h"
+ TretN="now-629h"
+ TremN="now-2h"
+ TpubN1="now-632h"
+ TactN1="${TretN}"
+ TretN1="now+3835h"
+ TremN1="now+4462h"
+ keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
+ newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+ CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
+ # Set key rollover relationship.
+ key_successor $CSK1 $CSK2
+ # Sign zone.
+ cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 8:
-# The predecessor DNSKEY can be purged.
-setup step8.csk-roll1.autosign
-TpubN="now-5094h"
-TactN="now-5069h"
-TretN="now-630h"
-TremN="now-3h"
-TpubN1="now-633h"
-TactN1="${TretN}"
-TretN1="now+3834h"
-TremN1="now+4461h"
-# Subtract purge-keys interval from all the times (1h).
-keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll1 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll1 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Set key rollover relationship.
-key_successor $CSK1 $CSK2
-# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 8:
+ # The predecessor DNSKEY can be purged.
+ setup step8.csk-roll1.$tld
+ TpubN="now-5094h"
+ TactN="now-5069h"
+ TretN="now-630h"
+ TremN="now-3h"
+ TpubN1="now-633h"
+ TactN1="${TretN}"
+ TretN1="now+3834h"
+ TremN1="now+4461h"
+ # Subtract purge-keys interval from all the times (1h).
+ keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
+ newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+ CSK1=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ CSK2=$($KEYGEN -k csk-roll1-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
+ # Set key rollover relationship.
+ key_successor $CSK1 $CSK2
+ # Sign zone.
+ cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+done
* information regarding copyright ownership.
*/
-dnssec-policy "csk-roll2" {
+dnssec-policy "csk-roll2-autosign" {
+ signatures-refresh 12h;
+ signatures-validity P1D;
+ signatures-validity-dnskey P1D;
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 1h;
+ purge-keys 0;
+
+ cds-digest-types { "sha-256"; "sha-384"; }; // use two digest type for testing purposes
+ keys {
+ csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ zone-propagation-delay PT1H;
+ max-zone-ttl 1d;
+
+ parent-ds-ttl PT1H;
+ parent-propagation-delay P1W;
+};
+
+dnssec-policy "csk-roll2-manual" {
+ manual-mode yes;
+
signatures-refresh 12h;
signatures-validity P1D;
signatures-validity-dnskey P1D;
* information regarding copyright ownership.
*/
+{% set zones = ["autosign", "manual"] %}
+
include "kasp.conf";
include "named.common.conf";
-zone "step1.csk-roll2.autosign" {
+{% for tld in zones %}
+zone "step1.csk-roll2.@tld@" {
type primary;
- file "step1.csk-roll2.autosign.db";
- dnssec-policy "csk-roll2";
+ file "step1.csk-roll2.@tld@.db";
+ dnssec-policy "csk-roll2-@tld@";
};
-zone "step2.csk-roll2.autosign" {
+zone "step2.csk-roll2.@tld@" {
type primary;
- file "step2.csk-roll2.autosign.db";
- dnssec-policy "csk-roll2";
+ file "step2.csk-roll2.@tld@.db";
+ dnssec-policy "csk-roll2-@tld@";
};
-zone "step3.csk-roll2.autosign" {
+zone "step3.csk-roll2.@tld@" {
type primary;
- file "step3.csk-roll2.autosign.db";
- dnssec-policy "csk-roll2";
+ file "step3.csk-roll2.@tld@.db";
+ dnssec-policy "csk-roll2-@tld@";
};
-zone "step4.csk-roll2.autosign" {
+zone "step4.csk-roll2.@tld@" {
type primary;
- file "step4.csk-roll2.autosign.db";
- dnssec-policy "csk-roll2";
+ file "step4.csk-roll2.@tld@.db";
+ dnssec-policy "csk-roll2-@tld@";
};
-zone "step5.csk-roll2.autosign" {
+zone "step5.csk-roll2.@tld@" {
type primary;
- file "step5.csk-roll2.autosign.db";
- dnssec-policy "csk-roll2";
+ file "step5.csk-roll2.@tld@.db";
+ dnssec-policy "csk-roll2-@tld@";
};
-zone "step6.csk-roll2.autosign" {
+zone "step6.csk-roll2.@tld@" {
type primary;
- file "step6.csk-roll2.autosign.db";
- dnssec-policy "csk-roll2";
+ file "step6.csk-roll2.@tld@.db";
+ dnssec-policy "csk-roll2-@tld@";
};
-zone "step7.csk-roll2.autosign" {
+zone "step7.csk-roll2.@tld@" {
type primary;
- file "step7.csk-roll2.autosign.db";
- dnssec-policy "csk-roll2";
+ file "step7.csk-roll2.@tld@.db";
+ dnssec-policy "csk-roll2-@tld@";
};
+
+{% endfor %}
U="UNRETENTIVE"
#
-# The zones at csk-roll2.autosign represent the various steps of a CSK rollover
+# The zones at csk-roll2.$tld represent the various steps of a CSK rollover
# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
# This scenario differs from the csk-roll1 one because the zone signatures (ZRRSIG)
# are replaced with the new key sooner than the DS is swapped.
#
-# Step 1:
-# Introduce the first key. This will immediately be active.
-setup step1.csk-roll2.autosign
-TactN="now-7d"
-keytimes="-P ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+for tld in autosign manual; do
+ # Step 1:
+ # Introduce the first key. This will immediately be active.
+ setup step1.csk-roll2.$tld
+ TactN="now-7d"
+ keytimes="-P ${TactN} -A ${TactN}"
+ CSK=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+ cat template.db.in "${CSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 2:
-# It is time to introduce the new CSK.
-setup step2.csk-roll2.autosign
-# According to RFC 7583:
-# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
-# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
-# IpubC = DprpC + TTLkey (+publish-safety)
-# Ipub = IpubC
-# Lcsk = Lksk = Lzsk
-#
-# Lcsk: 6mo (186d, 4464h)
-# Dreg: N/A
-# DprpC: 1h
-# TTLkey: 1h
-# publish-safety: 1h
-# Ipub: 3h
-#
-# Tact(N) = now - Lcsk + Ipub = now - 186d + 3h
-# = now - 4464h + 3h = now - 4461h
-TactN="now-4461h"
-keytimes="-P ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 2:
+ # It is time to introduce the new CSK.
+ setup step2.csk-roll2.$tld
+ # According to RFC 7583:
+ # KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
+ # ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
+ # IpubC = DprpC + TTLkey (+publish-safety)
+ # Ipub = IpubC
+ # Lcsk = Lksk = Lzsk
+ #
+ # Lcsk: 6mo (186d, 4464h)
+ # Dreg: N/A
+ # DprpC: 1h
+ # TTLkey: 1h
+ # publish-safety: 1h
+ # Ipub: 3h
+ #
+ # Tact(N) = now - Lcsk + Ipub = now - 186d + 3h
+ # = now - 4464h + 3h = now - 4461h
+ TactN="now-4461h"
+ keytimes="-P ${TactN} -A ${TactN}"
+ CSK=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+ cat template.db.in "${CSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 3:
-# It is time to submit the DS and to roll signatures.
-setup step3.csk-roll2.autosign
-# According to RFC 7583:
-#
-# Tsbm(N+1) >= Trdy(N+1)
-# KSK: Tact(N+1) = Tsbm(N+1)
-# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
-# KSK: Iret = DprpP + TTLds (+retire-safety)
-# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
-#
-# Lcsk: 186d
-# Dprp: 1h
-# DprpP: 1w
-# Dreg: N/A
-# Dsgn: 12h
-# TTLds: 1h
-# TTLsig: 1d
-# retire-safety: 1h
-# Iret: 170h
-# IretZ: 38h
-# Ipub: 3h
-#
-# Tpub(N) = now - Lcsk = now - 186d
-# Tact(N) = now - Lcsk + Dprp + TTLsig = now - 4439h
-# Tret(N) = now
-# Trem(N) = now + Iret = now + 170h
-# Tpub(N+1) = now - Ipub = now - 3h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now + Lcsk = now + 186d
-# Trem(N+1) = now + Lcsk + Iret = now + 186d + 170h =
-# = now + 4464h + 170h = now + 4634h
-TpubN="now-186d"
-TactN="now-4439h"
-TretN="now"
-TremN="now+170h"
-TpubN1="now-3h"
-TactN1="${TretN}"
-TretN1="now+186d"
-TremN1="now+4634h"
-keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Set key rollover relationship.
-key_successor $CSK1 $CSK2
-# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 3:
+ # It is time to submit the DS and to roll signatures.
+ setup step3.csk-roll2.$tld
+ # According to RFC 7583:
+ #
+ # Tsbm(N+1) >= Trdy(N+1)
+ # KSK: Tact(N+1) = Tsbm(N+1)
+ # ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
+ # KSK: Iret = DprpP + TTLds (+retire-safety)
+ # ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
+ #
+ # Lcsk: 186d
+ # Dprp: 1h
+ # DprpP: 1w
+ # Dreg: N/A
+ # Dsgn: 12h
+ # TTLds: 1h
+ # TTLsig: 1d
+ # retire-safety: 1h
+ # Iret: 170h
+ # IretZ: 38h
+ # Ipub: 3h
+ #
+ # Tpub(N) = now - Lcsk = now - 186d
+ # Tact(N) = now - Lcsk + Dprp + TTLsig = now - 4439h
+ # Tret(N) = now
+ # Trem(N) = now + Iret = now + 170h
+ # Tpub(N+1) = now - Ipub = now - 3h
+ # Tact(N+1) = Tret(N)
+ # Tret(N+1) = now + Lcsk = now + 186d
+ # Trem(N+1) = now + Lcsk + Iret = now + 186d + 170h =
+ # = now + 4464h + 170h = now + 4634h
+ TpubN="now-186d"
+ TactN="now-4439h"
+ TretN="now"
+ TremN="now+170h"
+ TpubN1="now-3h"
+ TactN1="${TretN}"
+ TretN1="now+186d"
+ TremN1="now+4634h"
+ keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
+ newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+ CSK1=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ CSK2=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
+ # Set key rollover relationship.
+ key_successor $CSK1 $CSK2
+ # Sign zone.
+ cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 4:
-# Some time later all the ZRRSIG records should be from the new CSK, and the
-# DS should be swapped. The ZRRSIG records are all replaced after IretZ (38h).
-# The DS is swapped after Dreg + Iret (1w3h). In other words, the zone
-# signatures are replaced before the DS is swapped.
-setup step4.csk-roll2.autosign
-# According to RFC 7583:
-# Trem(N) = Tret(N) + IretZ
-#
-# Lcsk: 186d
-# Dreg: N/A
-# Iret: 170h
-# IretZ: 38h
-#
-# Tpub(N) = now - IretZ - Lcsk = now - 38h - 186d
-# = now - 38h - 4464h = now - 4502h
-# Tact(N) = now - Iret - Lcsk + TTLsig = now - 4502h + 25h = now - 4477h
-# Tret(N) = now - IretZ = now - 38h
-# Trem(N) = now - IretZ + Iret = now - 38h + 170h = now + 132h
-# Tpub(N+1) = now - IretZ - IpubC = now - 38h - 3h = now - 41h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now - IretZ + Lcsk = now - 38h + 186d
-# = now + 4426h
-# Trem(N+1) = now - IretZ + Lcsk + Iret
-# = now + 4426h + 3h = now + 4429h
-TpubN="now-4502h"
-TactN="now-4477h"
-TretN="now-38h"
-TremN="now+132h"
-TpubN1="now-41h"
-TactN1="${TretN}"
-TretN1="now+4426h"
-TremN1="now+4429h"
-keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TactN1 -d $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Set key rollover relationship.
-key_successor $CSK1 $CSK2
-# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 4:
+ # Some time later all the ZRRSIG records should be from the new CSK, and the
+ # DS should be swapped. The ZRRSIG records are all replaced after IretZ (38h).
+ # The DS is swapped after Dreg + Iret (1w3h). In other words, the zone
+ # signatures are replaced before the DS is swapped.
+ setup step4.csk-roll2.$tld
+ # According to RFC 7583:
+ # Trem(N) = Tret(N) + IretZ
+ #
+ # Lcsk: 186d
+ # Dreg: N/A
+ # Iret: 170h
+ # IretZ: 38h
+ #
+ # Tpub(N) = now - IretZ - Lcsk = now - 38h - 186d
+ # = now - 38h - 4464h = now - 4502h
+ # Tact(N) = now - Iret - Lcsk + TTLsig = now - 4502h + 25h = now - 4477h
+ # Tret(N) = now - IretZ = now - 38h
+ # Trem(N) = now - IretZ + Iret = now - 38h + 170h = now + 132h
+ # Tpub(N+1) = now - IretZ - IpubC = now - 38h - 3h = now - 41h
+ # Tact(N+1) = Tret(N)
+ # Tret(N+1) = now - IretZ + Lcsk = now - 38h + 186d
+ # = now + 4426h
+ # Trem(N+1) = now - IretZ + Lcsk + Iret
+ # = now + 4426h + 3h = now + 4429h
+ TpubN="now-4502h"
+ TactN="now-4477h"
+ TretN="now-38h"
+ TremN="now+132h"
+ TpubN1="now-41h"
+ TactN1="${TretN}"
+ TretN1="now+4426h"
+ TremN1="now+4429h"
+ keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
+ newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+ CSK1=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ CSK2=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TactN1 -d $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
+ # Set key rollover relationship.
+ key_successor $CSK1 $CSK2
+ # Sign zone.
+ cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 5:
-# Some time later the DS can be swapped and the old DNSKEY can be removed from
-# the zone.
-setup step5.csk-roll2.autosign
-# Subtract Iret (170h) - IretZ (38h) = 132h.
-#
-# Tpub(N) = now - 4502h - 132h = now - 4634h
-# Tact(N) = now - 4477h - 132h = now - 4609h
-# Tret(N) = now - 38h - 132h = now - 170h
-# Trem(N) = now + 132h - 132h = now
-# Tpub(N+1) = now - 41h - 132h = now - 173h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now + 4426h - 132h = now + 4294h
-# Trem(N+1) = now + 4492h - 132h = now + 4360h
-TpubN="now-4634h"
-TactN="now-4609h"
-TretN="now-170h"
-TremN="now"
-TpubN1="now-173h"
-TactN1="${TretN}"
-TretN1="now+4294h"
-TremN1="now+4360h"
-keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O now-133h -d $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Set key rollover relationship.
-key_successor $CSK1 $CSK2
-# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 5:
+ # Some time later the DS can be swapped and the old DNSKEY can be removed from
+ # the zone.
+ setup step5.csk-roll2.$tld
+ # Subtract Iret (170h) - IretZ (38h) = 132h.
+ #
+ # Tpub(N) = now - 4502h - 132h = now - 4634h
+ # Tact(N) = now - 4477h - 132h = now - 4609h
+ # Tret(N) = now - 38h - 132h = now - 170h
+ # Trem(N) = now + 132h - 132h = now
+ # Tpub(N+1) = now - 41h - 132h = now - 173h
+ # Tact(N+1) = Tret(N)
+ # Tret(N+1) = now + 4426h - 132h = now + 4294h
+ # Trem(N+1) = now + 4492h - 132h = now + 4360h
+ TpubN="now-4634h"
+ TactN="now-4609h"
+ TretN="now-170h"
+ TremN="now"
+ TpubN1="now-173h"
+ TactN1="${TretN}"
+ TretN1="now+4294h"
+ TremN1="now+4360h"
+ keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
+ newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+ CSK1=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ CSK2=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O now-133h -d $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
+ # Set key rollover relationship.
+ key_successor $CSK1 $CSK2
+ # Sign zone.
+ cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 6:
-# Some time later the predecessor DNSKEY enters the HIDDEN state.
-setup step6.csk-roll2.autosign
-# Subtract DNSKEY TTL plus zone propagation delay (2h).
-#
-# Tpub(N) = now - 4634h - 2h = now - 4636h
-# Tact(N) = now - 4609h - 2h = now - 4611h
-# Tret(N) = now - 170h - 2h = now - 172h
-# Trem(N) = now - 2h
-# Tpub(N+1) = now - 173h - 2h = now - 175h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now + 4294h - 2h = now + 4292h
-# Trem(N+1) = now + 4360h - 2h = now + 4358h
-TpubN="now-4636h"
-TactN="now-4611h"
-TretN="now-172h"
-TremN="now-2h"
-TpubN1="now-175h"
-TactN1="${TretN}"
-TretN1="now+4292h"
-TremN1="now+4358h"
-keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
-# Set key rollover relationship.
-key_successor $CSK1 $CSK2
-# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 6:
+ # Some time later the predecessor DNSKEY enters the HIDDEN state.
+ setup step6.csk-roll2.$tld
+ # Subtract DNSKEY TTL plus zone propagation delay (2h).
+ #
+ # Tpub(N) = now - 4634h - 2h = now - 4636h
+ # Tact(N) = now - 4609h - 2h = now - 4611h
+ # Tret(N) = now - 170h - 2h = now - 172h
+ # Trem(N) = now - 2h
+ # Tpub(N+1) = now - 173h - 2h = now - 175h
+ # Tact(N+1) = Tret(N)
+ # Tret(N+1) = now + 4294h - 2h = now + 4292h
+ # Trem(N+1) = now + 4360h - 2h = now + 4358h
+ TpubN="now-4636h"
+ TactN="now-4611h"
+ TretN="now-172h"
+ TremN="now-2h"
+ TpubN1="now-175h"
+ TactN1="${TretN}"
+ TretN1="now+4292h"
+ TremN1="now+4358h"
+ keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
+ newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+ CSK1=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ CSK2=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
+ # Set key rollover relationship.
+ key_successor $CSK1 $CSK2
+ # Sign zone.
+ cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 7:
-# The predecessor DNSKEY can be purged, but purge-keys is disabled.
-setup step7.csk-roll2.autosign
-# Subtract 90 days (default, 2160h) from all the times.
-#
-# Tpub(N) = now - 4636h - 2160h = now - 6796h
-# Tact(N) = now - 4611h - 2160h = now - 6771h
-# Tret(N) = now - 172h - 2160h = now - 2332h
-# Trem(N) = now - 2h - 2160h = now - 2162h
-# Tpub(N+1) = now - 175h - 2160h = now - 2335h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now + 4292h - 2160h = now + 2132h
-# Trem(N+1) = now + 4358h - 2160h = now + 2198h
-TpubN="now-6796h"
-TactN="now-6771h"
-TretN="now-2332h"
-TremN="now-2162h"
-TpubN1="now-2335h"
-TactN1="${TretN}"
-TretN1="now+2132h"
-TremN1="now+2198h"
-keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
-# Set key rollover relationship.
-key_successor $CSK1 $CSK2
-# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 7:
+ # The predecessor DNSKEY can be purged, but purge-keys is disabled.
+ setup step7.csk-roll2.$tld
+ # Subtract 90 days (default, 2160h) from all the times.
+ #
+ # Tpub(N) = now - 4636h - 2160h = now - 6796h
+ # Tact(N) = now - 4611h - 2160h = now - 6771h
+ # Tret(N) = now - 172h - 2160h = now - 2332h
+ # Trem(N) = now - 2h - 2160h = now - 2162h
+ # Tpub(N+1) = now - 175h - 2160h = now - 2335h
+ # Tact(N+1) = Tret(N)
+ # Tret(N+1) = now + 4292h - 2160h = now + 2132h
+ # Trem(N+1) = now + 4358h - 2160h = now + 2198h
+ TpubN="now-6796h"
+ TactN="now-6771h"
+ TretN="now-2332h"
+ TremN="now-2162h"
+ TpubN1="now-2335h"
+ TactN1="${TretN}"
+ TretN1="now+2132h"
+ TremN1="now+2198h"
+ keytimes="-P ${TpubN} -P sync ${TactN} -A ${TpubN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
+ newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+ CSK1=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ CSK2=$($KEYGEN -k csk-roll2-$tld -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
+ # Set key rollover relationship.
+ key_successor $CSK1 $CSK2
+ # Sign zone.
+ cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+done
* information regarding copyright ownership.
*/
-dnssec-policy "enable-dnssec" {
+dnssec-policy "enable-dnssec-autosign" {
+ signatures-refresh P1W;
+ signatures-validity P2W;
+ signatures-validity-dnskey P2W;
+
+ dnskey-ttl 300;
+ max-zone-ttl PT12H;
+ zone-propagation-delay PT5M;
+ retire-safety PT20M;
+ publish-safety PT5M;
+
+ parent-propagation-delay 1h;
+ parent-ds-ttl 2h;
+
+ keys {
+ csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@;
+ };
+};
+
+dnssec-policy "enable-dnssec-manual" {
+ manual-mode yes;
+
signatures-refresh P1W;
signatures-validity P2W;
signatures-validity-dnskey P2W;
* information regarding copyright ownership.
*/
+{% set zones = ["autosign", "manual"] %}
+
include "kasp.conf";
include "named.common.conf";
-zone "step1.enable-dnssec.autosign" {
+{% for tld in zones %}
+zone "step1.enable-dnssec.@tld@" {
type primary;
- file "step1.enable-dnssec.autosign.db";
- dnssec-policy "enable-dnssec";
+ file "step1.enable-dnssec.@tld@.db";
+ dnssec-policy "enable-dnssec-@tld@";
};
-zone "step2.enable-dnssec.autosign" {
+zone "step2.enable-dnssec.@tld@" {
type primary;
- file "step2.enable-dnssec.autosign.db";
- dnssec-policy "enable-dnssec";
+ file "step2.enable-dnssec.@tld@.db";
+ dnssec-policy "enable-dnssec-@tld@";
};
-zone "step3.enable-dnssec.autosign" {
+zone "step3.enable-dnssec.@tld@" {
type primary;
- file "step3.enable-dnssec.autosign.db";
- dnssec-policy "enable-dnssec";
+ file "step3.enable-dnssec.@tld@.db";
+ dnssec-policy "enable-dnssec-@tld@";
};
-zone "step4.enable-dnssec.autosign" {
+zone "step4.enable-dnssec.@tld@" {
type primary;
- file "step4.enable-dnssec.autosign.db";
- dnssec-policy "enable-dnssec";
+ file "step4.enable-dnssec.@tld@.db";
+ dnssec-policy "enable-dnssec-@tld@";
};
+
+{% endfor %}
U="UNRETENTIVE"
#
-# The zones at enable-dnssec.autosign represent the various steps of the
+# The zones at enable-dnssec.$tld represent the various steps of the
# initial signing of a zone.
#
-# Step 1:
-# This is an unsigned zone and named should perform the initial steps of
-# introducing the DNSSEC records in the right order.
-setup step1.enable-dnssec.autosign
-cp template.db.in $zonefile
+for tld in autosign manual; do
+ # Step 1:
+ # This is an unsigned zone and named should perform the initial steps of
+ # introducing the DNSSEC records in the right order.
+ setup step1.enable-dnssec.$tld
+ cp template.db.in $zonefile
-# Step 2:
-# The DNSKEY has been published long enough to become OMNIPRESENT.
-setup step2.enable-dnssec.autosign
-# DNSKEY TTL: 300 seconds
-# zone-propagation-delay: 5 minutes (300 seconds)
-# publish-safety: 5 minutes (300 seconds)
-# Total: 900 seconds
-TpubN="now-900s"
-keytimes="-P ${TpubN} -A ${TpubN}"
-CSK=$($KEYGEN -k enable-dnssec -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 2:
+ # The DNSKEY has been published long enough to become OMNIPRESENT.
+ setup step2.enable-dnssec.$tld
+ # DNSKEY TTL: 300 seconds
+ # zone-propagation-delay: 5 minutes (300 seconds)
+ # publish-safety: 5 minutes (300 seconds)
+ # Total: 900 seconds
+ TpubN="now-900s"
+ keytimes="-P ${TpubN} -A ${TpubN}"
+ CSK=$($KEYGEN -k enable-dnssec-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ $SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
+ cat template.db.in "${CSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 3:
-# The zone signatures have been published long enough to become OMNIPRESENT.
-setup step3.enable-dnssec.autosign
-# Passed time since publication:
-# max-zone-ttl: 12 hours (43200 seconds)
-# zone-propagation-delay: 5 minutes (300 seconds)
-TpubN="now-43500s"
-# We can submit the DS now.
-keytimes="-P ${TpubN} -A ${TpubN}"
-CSK=$($KEYGEN -k enable-dnssec -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TpubN -r $O $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 3:
+ # The zone signatures have been published long enough to become OMNIPRESENT.
+ setup step3.enable-dnssec.$tld
+ # Passed time since publication:
+ # max-zone-ttl: 12 hours (43200 seconds)
+ # zone-propagation-delay: 5 minutes (300 seconds)
+ TpubN="now-43500s"
+ # We can submit the DS now.
+ keytimes="-P ${TpubN} -A ${TpubN}"
+ CSK=$($KEYGEN -k enable-dnssec-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ $SETTIME -s -g $O -k $O $TpubN -r $O $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
+ cat template.db.in "${CSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 4:
-# The DS has been submitted long enough ago to become OMNIPRESENT.
-setup step4.enable-dnssec.autosign
-# DS TTL: 2 hour (7200 seconds)
-# parent-propagation-delay: 1 hour (3600 seconds)
-# Total aditional time: 10800 seconds
-# 43500 + 10800 = 54300
-TpubN="now-54300s"
-TsbmN="now-10800s"
-keytimes="-P ${TpubN} -A ${TpubN} -P sync ${TsbmN}"
-CSK=$($KEYGEN -k enable-dnssec -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-$SETTIME -s -g $O -P ds $TsbmN -k $O $TpubN -r $O $TpubN -d $R $TpubN -z $O $TsbmN "$CSK" >settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 4:
+ # The DS has been submitted long enough ago to become OMNIPRESENT.
+ setup step4.enable-dnssec.$tld
+ # DS TTL: 2 hour (7200 seconds)
+ # parent-propagation-delay: 1 hour (3600 seconds)
+ # Total aditional time: 10800 seconds
+ # 43500 + 10800 = 54300
+ TpubN="now-54300s"
+ TsbmN="now-10800s"
+ keytimes="-P ${TpubN} -A ${TpubN} -P sync ${TsbmN}"
+ CSK=$($KEYGEN -k enable-dnssec-$tld -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+ $SETTIME -s -g $O -P ds $TsbmN -k $O $TpubN -r $O $TpubN -d $R $TpubN -z $O $TsbmN "$CSK" >settime.out.$zone.1 2>&1
+ cat template.db.in "${CSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+done
file "three-is-a-crowd.kasp.db";
inline-signing yes;
/* Use same policy as KSK rollover test zones. */
- dnssec-policy "ksk-doubleksk";
+ dnssec-policy "ksk-doubleksk-autosign";
};
CDSS = ["CDS (SHA-256)"]
-POLICY = "ksk-doubleksk"
+POLICY = "ksk-doubleksk-autosign"
OFFSET1 = -int(timedelta(days=60).total_seconds())
OFFSET2 = -int(timedelta(hours=27).total_seconds())
TTL = int(KSK_CONFIG["dnskey-ttl"].total_seconds())
* information regarding copyright ownership.
*/
-dnssec-policy "ksk-doubleksk" {
+dnssec-policy "ksk-doubleksk-autosign" {
+ signatures-refresh P1W;
+ signatures-validity P2W;
+ signatures-validity-dnskey P2W;
+
+ dnskey-ttl 2h;
+ publish-safety P1D;
+ retire-safety P2D;
+ purge-keys PT1H;
+
+ cdnskey no;
+ keys {
+ ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ zone-propagation-delay PT1H;
+ max-zone-ttl 1d;
+
+ parent-ds-ttl 3600;
+ parent-propagation-delay PT1H;
+};
+
+dnssec-policy "ksk-doubleksk-manual" {
+ manual-mode yes;
+
signatures-refresh P1W;
signatures-validity P2W;
signatures-validity-dnskey P2W;
* information regarding copyright ownership.
*/
+{% set zones = ["autosign", "manual"] %}
+
include "kasp.conf";
include "named.common.conf";
-zone "step1.ksk-doubleksk.autosign" {
+{% for tld in zones %}
+zone "step1.ksk-doubleksk.@tld@" {
type primary;
- file "step1.ksk-doubleksk.autosign.db";
- dnssec-policy "ksk-doubleksk";
+ file "step1.ksk-doubleksk.@tld@.db";
+ dnssec-policy "ksk-doubleksk-@tld@";
};
-zone "step2.ksk-doubleksk.autosign" {
+zone "step2.ksk-doubleksk.@tld@" {
type primary;
- file "step2.ksk-doubleksk.autosign.db";
- dnssec-policy "ksk-doubleksk";
+ file "step2.ksk-doubleksk.@tld@.db";
+ dnssec-policy "ksk-doubleksk-@tld@";
};
-zone "step3.ksk-doubleksk.autosign" {
+zone "step3.ksk-doubleksk.@tld@" {
type primary;
- file "step3.ksk-doubleksk.autosign.db";
- dnssec-policy "ksk-doubleksk";
+ file "step3.ksk-doubleksk.@tld@.db";
+ dnssec-policy "ksk-doubleksk-@tld@";
};
-zone "step4.ksk-doubleksk.autosign" {
+zone "step4.ksk-doubleksk.@tld@" {
type primary;
- file "step4.ksk-doubleksk.autosign.db";
- dnssec-policy "ksk-doubleksk";
+ file "step4.ksk-doubleksk.@tld@.db";
+ dnssec-policy "ksk-doubleksk-@tld@";
};
-zone "step5.ksk-doubleksk.autosign" {
+zone "step5.ksk-doubleksk.@tld@" {
type primary;
- file "step5.ksk-doubleksk.autosign.db";
- dnssec-policy "ksk-doubleksk";
+ file "step5.ksk-doubleksk.@tld@.db";
+ dnssec-policy "ksk-doubleksk-@tld@";
};
-zone "step6.ksk-doubleksk.autosign" {
+zone "step6.ksk-doubleksk.@tld@" {
type primary;
- file "step6.ksk-doubleksk.autosign.db";
- dnssec-policy "ksk-doubleksk";
+ file "step6.ksk-doubleksk.@tld@.db";
+ dnssec-policy "ksk-doubleksk-@tld@";
};
+{% endfor %}
U="UNRETENTIVE"
#
-# The zones at ksk-doubleksk.autosign represent the various steps of a KSK
+# The zones at ksk-doubleksk.$tld represent the various steps of a KSK
# Double-KSK rollover.
#
-# Step 1:
-# Introduce the first key. This will immediately be active.
-setup step1.ksk-doubleksk.autosign
-TactN="now-7d"
-keytimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $keytimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+for tld in autosign manual; do
+ # Step 1:
+ # Introduce the first key. This will immediately be active.
+ setup step1.ksk-doubleksk.$tld
+ TactN="now-7d"
+ keytimes="-P ${TactN} -A ${TactN}"
+ KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $keytimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+ cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 2:
-# It is time to submit the introduce the new KSK.
-setup step2.ksk-doubleksk.autosign
-# Lksk: 60d
-# Dreg: n/a
-# DprpC: 1h
-# TTLds: 1d
-# TTLkey: 2h
-# publish-safety: 1d
-# retire-safety: 2d
-#
-# According to RFC 7583:
-# Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
-# IpubC = DprpC + TTLkey (+publish-safety)
-#
-# IpubC = 27h
-# Tact(N) = now - Lksk + Dreg + IpubC = now - 60d + 27h
-# = now - 1440h + 27h = now - 1413h
-TactN="now-1413h"
-keytimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $keytimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 2:
+ # It is time to submit the introduce the new KSK.
+ setup step2.ksk-doubleksk.$tld
+ # Lksk: 60d
+ # Dreg: n/a
+ # DprpC: 1h
+ # TTLds: 1d
+ # TTLkey: 2h
+ # publish-safety: 1d
+ # retire-safety: 2d
+ #
+ # According to RFC 7583:
+ # Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
+ # IpubC = DprpC + TTLkey (+publish-safety)
+ #
+ # IpubC = 27h
+ # Tact(N) = now - Lksk + Dreg + IpubC = now - 60d + 27h
+ # = now - 1440h + 27h = now - 1413h
+ TactN="now-1413h"
+ keytimes="-P ${TactN} -A ${TactN}"
+ KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $keytimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+ cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 3:
-# It is time to submit the DS.
-setup step3.ksk-doubleksk.autosign
-# According to RFC 7583:
-# Iret = DprpP + TTLds (+retire-safety)
-#
-# Iret = 50h
-# Tpub(N) = now - Lksk = now - 60d = now - 60d
-# Tact(N) = now - 1413h
-# Tret(N) = now
-# Trem(N) = now + Iret = now + 50h
-# Tpub(N+1) = now - IpubC = now - 27h
-# Tact(N+1) = now
-# Tret(N+1) = now + Lksk = now + 60d
-# Trem(N+1) = now + Lksk + Iret = now + 60d + 50h
-# = now + 1440h + 50h = 1490h
-TpubN="now-60d"
-TactN="now-1413h"
-TretN="now"
-TremN="now+50h"
-TpubN1="now-27h"
-TactN1="now"
-TretN1="now+60d"
-TremN1="now+1490h"
-ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TactN1} -I ${TretN1} -D ${TremN1}"
-zsktimes="-P ${TpubN} -A ${TpubN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
-$SETTIME -s -g $H -k $O $TpubN -r $O $TpubN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN -z $O $TpubN "$ZSK" >settime.out.$zone.3 2>&1
-# Set key rollover relationship.
-key_successor $KSK1 $KSK2
-# Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 3:
+ # It is time to submit the DS.
+ setup step3.ksk-doubleksk.$tld
+ # According to RFC 7583:
+ # Iret = DprpP + TTLds (+retire-safety)
+ #
+ # Iret = 50h
+ # Tpub(N) = now - Lksk = now - 60d = now - 60d
+ # Tact(N) = now - 1413h
+ # Tret(N) = now
+ # Trem(N) = now + Iret = now + 50h
+ # Tpub(N+1) = now - IpubC = now - 27h
+ # Tact(N+1) = now
+ # Tret(N+1) = now + Lksk = now + 60d
+ # Trem(N+1) = now + Lksk + Iret = now + 60d + 50h
+ # = now + 1440h + 50h = 1490h
+ TpubN="now-60d"
+ TactN="now-1413h"
+ TretN="now"
+ TremN="now+50h"
+ TpubN1="now-27h"
+ TactN1="now"
+ TretN1="now+60d"
+ TremN1="now+1490h"
+ ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
+ newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TactN1} -I ${TretN1} -D ${TremN1}"
+ zsktimes="-P ${TpubN} -A ${TpubN}"
+ KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
+ ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
+ $SETTIME -s -g $H -k $O $TpubN -r $O $TpubN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.2 2>&1
+ $SETTIME -s -g $O -k $O $TpubN -z $O $TpubN "$ZSK" >settime.out.$zone.3 2>&1
+ # Set key rollover relationship.
+ key_successor $KSK1 $KSK2
+ # Sign zone.
+ cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 4:
-# The DS should be swapped now.
-setup step4.ksk-doubleksk.autosign
-# Tpub(N) = now - Lksk - Iret = now - 60d - 50h
-# = now - 1440h - 50h = now - 1490h
-# Tact(N) = now - 1490h + 27h = now - 1463h
-# Tret(N) = now - Iret = now - 50h
-# Trem(N) = now
-# Tpub(N+1) = now - Iret - IpubC = now - 50h - 27h
-# = now - 77h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now + Lksk - Iret = now + 60d - 50h = now + 1390h
-# Trem(N+1) = now + Lksk = now + 60d
-TpubN="now-1490h"
-TactN="now-1463h"
-TretN="now-50h"
-TremN="now"
-TpubN1="now-77h"
-TactN1="${TretN}"
-TretN1="now+1390h"
-TremN1="now+60d"
-ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TactN1} -I ${TretN1} -D ${TremN1}"
-zsktimes="-P ${TpubN} -A ${TpubN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TretN -D ds $TretN "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
-# Set key rollover relationship.
-key_successor $KSK1 $KSK2
-# Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 4:
+ # The DS should be swapped now.
+ setup step4.ksk-doubleksk.$tld
+ # Tpub(N) = now - Lksk - Iret = now - 60d - 50h
+ # = now - 1440h - 50h = now - 1490h
+ # Tact(N) = now - 1490h + 27h = now - 1463h
+ # Tret(N) = now - Iret = now - 50h
+ # Trem(N) = now
+ # Tpub(N+1) = now - Iret - IpubC = now - 50h - 27h
+ # = now - 77h
+ # Tact(N+1) = Tret(N)
+ # Tret(N+1) = now + Lksk - Iret = now + 60d - 50h = now + 1390h
+ # Trem(N+1) = now + Lksk = now + 60d
+ TpubN="now-1490h"
+ TactN="now-1463h"
+ TretN="now-50h"
+ TremN="now"
+ TpubN1="now-77h"
+ TactN1="${TretN}"
+ TretN1="now+1390h"
+ TremN1="now+60d"
+ ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
+ newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TactN1} -I ${TretN1} -D ${TremN1}"
+ zsktimes="-P ${TpubN} -A ${TpubN}"
+ KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
+ ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
+ $SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TretN -D ds $TretN "$KSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" >settime.out.$zone.2 2>&1
+ $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
+ # Set key rollover relationship.
+ key_successor $KSK1 $KSK2
+ # Sign zone.
+ cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 5:
-# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
-setup step5.ksk-doubleksk.autosign
-# Subtract DNSKEY TTL + zone-propagation-delay from all the times (3h).
-# Tpub(N) = now - 1490h - 3h = now - 1493h
-# Tact(N) = now - 1463h - 3h = now - 1466h
-# Tret(N) = now - 50h - 3h = now - 53h
-# Trem(N) = now - 3h
-# Tpub(N+1) = now - 77h - 3h = now - 80h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now + 1390h - 3h = now + 1387h
-# Trem(N+1) = now + 60d - 3h = now + 1441h
-TpubN="now-1493h"
-TactN="now-1466h"
-TretN="now-53h"
-TremN="now-3h"
-TpubN1="now-80h"
-TactN1="${TretN}"
-TretN1="now+1387h"
-TremN1="now+1441h"
-ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TactN1} -I ${TretN1} -D ${TremN1}"
-zsktimes="-P ${TpubN} -A ${TpubN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
-$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
-# Set key rollover relationship.
-key_successor $KSK1 $KSK2
-# Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 5:
+ # The predecessor DNSKEY is removed long enough that is has become HIDDEN.
+ setup step5.ksk-doubleksk.$tld
+ # Subtract DNSKEY TTL + zone-propagation-delay from all the times (3h).
+ # Tpub(N) = now - 1490h - 3h = now - 1493h
+ # Tact(N) = now - 1463h - 3h = now - 1466h
+ # Tret(N) = now - 50h - 3h = now - 53h
+ # Trem(N) = now - 3h
+ # Tpub(N+1) = now - 77h - 3h = now - 80h
+ # Tact(N+1) = Tret(N)
+ # Tret(N+1) = now + 1390h - 3h = now + 1387h
+ # Trem(N+1) = now + 60d - 3h = now + 1441h
+ TpubN="now-1493h"
+ TactN="now-1466h"
+ TretN="now-53h"
+ TremN="now-3h"
+ TpubN1="now-80h"
+ TactN1="${TretN}"
+ TretN1="now+1387h"
+ TremN1="now+1441h"
+ ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
+ newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TactN1} -I ${TretN1} -D ${TremN1}"
+ zsktimes="-P ${TpubN} -A ${TpubN}"
+ KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
+ ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
+ $SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1
+ $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
+ # Set key rollover relationship.
+ key_successor $KSK1 $KSK2
+ # Sign zone.
+ cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 6:
-# The predecessor DNSKEY can be purged.
-setup step6.ksk-doubleksk.autosign
-# Subtract purge-keys interval from all the times (1h).
-TpubN="now-1494h"
-TactN="now-1467h"
-TretN="now-54h"
-TremN="now-4h"
-TpubN1="now-81h"
-TactN1="${TretN}"
-TretN1="now+1386h"
-TremN1="now+1440h"
-ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TactN1} -I ${TretN1} -D ${TremN1}"
-zsktimes="-P ${TpubN} -A ${TpubN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
-$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
-# Set key rollover relationship.
-key_successor $KSK1 $KSK2
-# Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 6:
+ # The predecessor DNSKEY can be purged.
+ setup step6.ksk-doubleksk.$tld
+ # Subtract purge-keys interval from all the times (1h).
+ TpubN="now-1494h"
+ TactN="now-1467h"
+ TretN="now-54h"
+ TremN="now-4h"
+ TpubN1="now-81h"
+ TactN1="${TretN}"
+ TretN1="now+1386h"
+ TremN1="now+1440h"
+ ksktimes="-P ${TpubN} -A ${TpubN} -P sync ${TactN} -I ${TretN} -D ${TremN} -D sync ${TactN1}"
+ newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TactN1} -I ${TretN1} -D ${TremN1}"
+ zsktimes="-P ${TpubN} -A ${TpubN}"
+ KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
+ ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
+ $SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1
+ $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
+ # Set key rollover relationship.
+ key_successor $KSK1 $KSK2
+ # Sign zone.
+ cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -G "cds:sha-256" -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+done
CDSS = ["CDS (SHA-256)"]
-POLICY = "ksk-doubleksk"
+POLICY = "ksk-doubleksk-autosign"
OFFSETS = {}
OFFSETS["step1-p"] = -int(TIMEDELTA["P7D"].total_seconds())
OFFSETS["step2-p"] = -int(KSK_LIFETIME.total_seconds() - KSK_IPUBC.total_seconds())
* information regarding copyright ownership.
*/
-dnssec-policy "zsk-prepub" {
+dnssec-policy "zsk-prepub-autosign" {
+ signatures-refresh P1W;
+ signatures-validity P2W;
+ signatures-validity-dnskey P2W;
+
+ dnskey-ttl 3600;
+ publish-safety P1D;
+ retire-safety P2D;
+ purge-keys PT1H;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ zone-propagation-delay PT1H;
+ max-zone-ttl 1d;
+};
+
+dnssec-policy "zsk-prepub-manual" {
+ manual-mode yes;
+
signatures-refresh P1W;
signatures-validity P2W;
signatures-validity-dnskey P2W;
* information regarding copyright ownership.
*/
+{% set zones = ["autosign", "manual"] %}
+
include "kasp.conf";
include "named.common.conf";
-zone "step1.zsk-prepub.autosign" {
+{% for tld in zones %}
+zone "step1.zsk-prepub.@tld@" {
type primary;
- file "step1.zsk-prepub.autosign.db";
- dnssec-policy "zsk-prepub";
+ file "step1.zsk-prepub.@tld@.db";
+ dnssec-policy "zsk-prepub-@tld@";
};
-zone "step2.zsk-prepub.autosign" {
+zone "step2.zsk-prepub.@tld@" {
type primary;
- file "step2.zsk-prepub.autosign.db";
- dnssec-policy "zsk-prepub";
+ file "step2.zsk-prepub.@tld@.db";
+ dnssec-policy "zsk-prepub-@tld@";
};
-zone "step3.zsk-prepub.autosign" {
+zone "step3.zsk-prepub.@tld@" {
type primary;
- file "step3.zsk-prepub.autosign.db";
- dnssec-policy "zsk-prepub";
+ file "step3.zsk-prepub.@tld@.db";
+ dnssec-policy "zsk-prepub-@tld@";
};
-zone "step4.zsk-prepub.autosign" {
+zone "step4.zsk-prepub.@tld@" {
type primary;
- file "step4.zsk-prepub.autosign.db";
- dnssec-policy "zsk-prepub";
+ file "step4.zsk-prepub.@tld@.db";
+ dnssec-policy "zsk-prepub-@tld@";
};
-zone "step5.zsk-prepub.autosign" {
+zone "step5.zsk-prepub.@tld@" {
type primary;
- file "step5.zsk-prepub.autosign.db";
- dnssec-policy "zsk-prepub";
+ file "step5.zsk-prepub.@tld@.db";
+ dnssec-policy "zsk-prepub-@tld@";
};
-zone "step6.zsk-prepub.autosign" {
+zone "step6.zsk-prepub.@tld@" {
type primary;
- file "step6.zsk-prepub.autosign.db";
- dnssec-policy "zsk-prepub";
+ file "step6.zsk-prepub.@tld@.db";
+ dnssec-policy "zsk-prepub-@tld@";
};
+{% endfor %}
U="UNRETENTIVE"
#
-# The zones at zsk-prepub.autosign represent the various steps of a ZSK
+# The zones at zsk-prepub.$tld represent the various steps of a ZSK
# Pre-Publication rollover.
#
-# Step 1:
-# Introduce the first key. This will immediately be active.
-setup step1.zsk-prepub.autosign
-TactN="now-7d"
-keytimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $keytimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+for tld in autosign manual; do
+ # Step 1:
+ # Introduce the first key. This will immediately be active.
+ setup step1.zsk-prepub.$tld
+ TactN="now-7d"
+ keytimes="-P ${TactN} -A ${TactN}"
+ KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $keytimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+ cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 2:
-# It is time to pre-publish the successor ZSK.
-setup step2.zsk-prepub.autosign
-# According to RFC 7583:
-# Tact(N) = now + Ipub - Lzsk = now + 26h - 30d
-# = now + 26h - 30d = now − 694h
-TactN="now-694h"
-keytimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $keytimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 2:
+ # It is time to pre-publish the successor ZSK.
+ setup step2.zsk-prepub.$tld
+ # According to RFC 7583:
+ # Tact(N) = now + Ipub - Lzsk = now + 26h - 30d
+ # = now + 26h - 30d = now − 694h
+ TactN="now-694h"
+ keytimes="-P ${TactN} -A ${TactN}"
+ KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $keytimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+ cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 3:
-# After the publication interval has passed the DNSKEY of the successor ZSK
-# is OMNIPRESENT and the zone can thus be signed with the successor ZSK.
-setup step3.zsk-prepub.autosign
-# According to RFC 7583:
-# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
-# Tact(N+1) = Tact(N) + Lzsk
-#
-# Tact(N) = now - Lzsk = now - 30d
-# Tpub(N+1) = now - Ipub = now - 26h
-# Tact(N+1) = now
-# Tret(N) = now
-# Trem(N) = now + Iret = now + Dsign + Dprp + TTLsig + retire-safety = 8d1h = now + 241h
-TactN="now-30d"
-TpubN1="now-26h"
-TactN1="now"
-TremN="now+241h"
-keytimes="-P ${TactN} -A ${TactN}"
-oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
-newtimes="-P ${TpubN1} -A ${TactN1}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" >settime.out.$zone.3 2>&1
-# Set key rollover relationship.
-key_successor $ZSK1 $ZSK2
-# Sign zone.
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 3:
+ # After the publication interval has passed the DNSKEY of the successor ZSK
+ # is OMNIPRESENT and the zone can thus be signed with the successor ZSK.
+ setup step3.zsk-prepub.$tld
+ # According to RFC 7583:
+ # Tpub(N+1) <= Tact(N) + Lzsk - Ipub
+ # Tact(N+1) = Tact(N) + Lzsk
+ #
+ # Tact(N) = now - Lzsk = now - 30d
+ # Tpub(N+1) = now - Ipub = now - 26h
+ # Tact(N+1) = now
+ # Tret(N) = now
+ # Trem(N) = now + Iret = now + Dsign + Dprp + TTLsig + retire-safety = 8d1h = now + 241h
+ TactN="now-30d"
+ TpubN1="now-26h"
+ TactN1="now"
+ TremN="now+241h"
+ keytimes="-P ${TactN} -A ${TactN}"
+ oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
+ newtimes="-P ${TpubN1} -A ${TactN1}"
+ KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
+ ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
+ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+ $SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" >settime.out.$zone.3 2>&1
+ # Set key rollover relationship.
+ key_successor $ZSK1 $ZSK2
+ # Sign zone.
+ cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 4:
-# After the retire interval has passed the predecessor DNSKEY can be
-# removed from the zone.
-setup step4.zsk-prepub.autosign
-# Lzsk: 30d
-# Ipub: 26h
-# Dsgn: 1w
-# Dprp: 1h
-# TTLsig: 1d
-# retire-safety: 2d
-#
-# According to RFC 7583:
-# Iret = Dsgn + Dprp + TTLsig (+retire-safety)
-# Iret = 1w + 1h + 1d + 2d = 10d1h = 241h
-#
-# Tact(N) = now - Iret - Lzsk
-# = now - 241h - 30d = now - 241h - 720h
-# = now - 961h
-# Tpub(N+1) = now - Iret - Ipub
-# = now - 241h - 26h
-# = now - 267h
-# Tact(N+1) = now - Iret = now - 241h
-TactN="now-961h"
-TpubN1="now-267h"
-TactN1="now-241h"
-TremN="now"
-keytimes="-P ${TactN} -A ${TactN}"
-oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
-newtimes="-P ${TpubN1} -A ${TactN1}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $U $TactN1 "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" >settime.out.$zone.3 2>&1
-# Set key rollover relationship.
-key_successor $ZSK1 $ZSK2
-# Sign zone.
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
-cp $infile $zonefile
-$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 4:
+ # After the retire interval has passed the predecessor DNSKEY can be
+ # removed from the zone.
+ setup step4.zsk-prepub.$tld
+ # Lzsk: 30d
+ # Ipub: 26h
+ # Dsgn: 1w
+ # Dprp: 1h
+ # TTLsig: 1d
+ # retire-safety: 2d
+ #
+ # According to RFC 7583:
+ # Iret = Dsgn + Dprp + TTLsig (+retire-safety)
+ # Iret = 1w + 1h + 1d + 2d = 10d1h = 241h
+ #
+ # Tact(N) = now - Iret - Lzsk
+ # = now - 241h - 30d = now - 241h - 720h
+ # = now - 961h
+ # Tpub(N+1) = now - Iret - Ipub
+ # = now - 241h - 26h
+ # = now - 267h
+ # Tact(N+1) = now - Iret = now - 241h
+ TactN="now-961h"
+ TpubN1="now-267h"
+ TactN1="now-241h"
+ TremN="now"
+ keytimes="-P ${TactN} -A ${TactN}"
+ oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
+ newtimes="-P ${TpubN1} -A ${TactN1}"
+ KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
+ ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
+ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $H -k $O $TactN -z $U $TactN1 "$ZSK1" >settime.out.$zone.2 2>&1
+ $SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" >settime.out.$zone.3 2>&1
+ # Set key rollover relationship.
+ key_successor $ZSK1 $ZSK2
+ # Sign zone.
+ cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
+ cp $infile $zonefile
+ $SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 5:
-# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
-setup step5.zsk-prepub.autosign
-# Subtract DNSKEY TTL + zone-propagation-delay from all the times (2h).
-# Tact(N) = now - 961h - 2h = now - 963h
-# Tpub(N+1) = now - 267h - 2h = now - 269h
-# Tact(N+1) = now - 241h - 2h = now - 243h
-# Trem(N) = Tact(N+1) + Iret = now -2h
-TactN="now-963h"
-TremN="now-2h"
-TpubN1="now-269h"
-TactN1="now-243h"
-TremN="now-2h"
-keytimes="-P ${TactN} -A ${TactN}"
-oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
-newtimes="-P ${TpubN1} -A ${TactN1}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $U $TremN -z $H $TremN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -z $O $TremN "$ZSK2" >settime.out.$zone.3 2>&1
-# Set key rollover relationship.
-key_successor $ZSK1 $ZSK2
-# Sign zone.
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 5:
+ # The predecessor DNSKEY is removed long enough that is has become HIDDEN.
+ setup step5.zsk-prepub.$tld
+ # Subtract DNSKEY TTL + zone-propagation-delay from all the times (2h).
+ # Tact(N) = now - 961h - 2h = now - 963h
+ # Tpub(N+1) = now - 267h - 2h = now - 269h
+ # Tact(N+1) = now - 241h - 2h = now - 243h
+ # Trem(N) = Tact(N+1) + Iret = now -2h
+ TactN="now-963h"
+ TremN="now-2h"
+ TpubN1="now-269h"
+ TactN1="now-243h"
+ TremN="now-2h"
+ keytimes="-P ${TactN} -A ${TactN}"
+ oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
+ newtimes="-P ${TpubN1} -A ${TactN1}"
+ KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
+ ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
+ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $H -k $U $TremN -z $H $TremN "$ZSK1" >settime.out.$zone.2 2>&1
+ $SETTIME -s -g $O -k $O $TactN1 -z $O $TremN "$ZSK2" >settime.out.$zone.3 2>&1
+ # Set key rollover relationship.
+ key_successor $ZSK1 $ZSK2
+ # Sign zone.
+ cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-# Step 6:
-# The predecessor DNSKEY can be purged.
-setup step6.zsk-prepub.autosign
-# Subtract purge-keys interval from all the times (1h).
-TactN="now-964h"
-TremN="now-3h"
-TpubN1="now-270h"
-TactN1="now-244h"
-TremN="now-3h"
-keytimes="-P ${TactN} -A ${TactN}"
-oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
-newtimes="-P ${TpubN1} -A ${TactN1}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $H $TremN -z $H $TremN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -z $O $TremN "$ZSK2" >settime.out.$zone.3 2>&1
-# Set key rollover relationship.
-key_successor $ZSK1 $ZSK2
-# Sign zone.
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+ # Step 6:
+ # The predecessor DNSKEY can be purged.
+ setup step6.zsk-prepub.$tld
+ # Subtract purge-keys interval from all the times (1h).
+ TactN="now-964h"
+ TremN="now-3h"
+ TpubN1="now-270h"
+ TactN1="now-244h"
+ TremN="now-3h"
+ keytimes="-P ${TactN} -A ${TactN}"
+ oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
+ newtimes="-P ${TpubN1} -A ${TactN1}"
+ KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
+ ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
+ $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $H -k $H $TremN -z $H $TremN "$ZSK1" >settime.out.$zone.2 2>&1
+ $SETTIME -s -g $O -k $O $TactN1 -z $O $TremN "$ZSK2" >settime.out.$zone.3 2>&1
+ # Set key rollover relationship.
+ key_successor $ZSK1 $ZSK2
+ # Sign zone.
+ cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+done
"signatures-validity": TIMEDELTA["P14D"],
"zone-propagation-delay": TIMEDELTA["PT1H"],
}
-POLICY = "zsk-prepub"
+POLICY = "zsk-prepub-autosign"
ZSK_LIFETIME = TIMEDELTA["P30D"]
LIFETIME_POLICY = int(ZSK_LIFETIME.total_seconds())
IPUB = Ipub(CONFIG)
projects / thirdparty / bind9.git / commitdiff
