file "../../_common/root.hint.blackhole";
};
-/* These are alorithm rollover test zones. */
-zone "step1.algorithm-roll.kasp" {
- type primary;
- file "step1.algorithm-roll.kasp.db";
- dnssec-policy "rsasha256";
-};
-
-zone "step1.csk-algorithm-roll.kasp" {
- type primary;
- file "step1.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
-};
-
zone example {
type primary;
file "example.db";
file "../../_common/root.hint.blackhole";
};
-/*
- * Zones for testing KSK/ZSK algorithm roll.
- */
-zone "step1.algorithm-roll.kasp" {
- type primary;
- file "step1.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
-};
-
-zone "step2.algorithm-roll.kasp" {
- type primary;
- file "step2.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
-};
-
-zone "step3.algorithm-roll.kasp" {
- type primary;
- file "step3.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
-};
-
-zone "step4.algorithm-roll.kasp" {
- type primary;
- file "step4.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
-};
-
-zone "step5.algorithm-roll.kasp" {
- type primary;
- file "step5.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
-};
-
-zone "step6.algorithm-roll.kasp" {
- type primary;
- file "step6.algorithm-roll.kasp.db";
- dnssec-policy "ecdsa256";
-};
-
-/*
- * Zones for testing CSK algorithm roll.
- */
-zone "step1.csk-algorithm-roll.kasp" {
- type primary;
- file "step1.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
-};
-
-zone "step2.csk-algorithm-roll.kasp" {
- type primary;
- file "step2.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
-};
-
-zone "step3.csk-algorithm-roll.kasp" {
- type primary;
- file "step3.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
-};
-
-zone "step4.csk-algorithm-roll.kasp" {
- type primary;
- file "step4.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
-};
-
-zone "step5.csk-algorithm-roll.kasp" {
- type primary;
- file "step5.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
-};
-
-zone "step6.csk-algorithm-roll.kasp" {
- type primary;
- file "step6.csk-algorithm-roll.kasp.db";
- dnssec-policy "csk-algoroll";
-};
-
zone example {
type primary;
file "example.db";
csk lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
};
};
-
-dnssec-policy "rsasha256" {
- signatures-refresh P5D;
- signatures-validity 30d;
- signatures-validity-dnskey 30d;
-
- keys {
- ksk lifetime unlimited algorithm rsasha256;
- zsk lifetime unlimited algorithm rsasha256;
- };
-
- dnskey-ttl 1h;
- publish-safety PT1H;
- retire-safety 2h;
- zone-propagation-delay 3600;
- max-zone-ttl 6h;
- parent-propagation-delay pt1h;
- parent-ds-ttl 7200;
-};
-
-dnssec-policy "ecdsa256" {
- signatures-refresh P5D;
- signatures-validity 30d;
- signatures-validity-dnskey 30d;
-
- keys {
- ksk lifetime unlimited algorithm ecdsa256;
- zsk lifetime unlimited algorithm ecdsa256;
- };
-
- dnskey-ttl 1h;
- publish-safety PT1H;
- retire-safety 2h;
- zone-propagation-delay 3600;
- max-zone-ttl 6h;
- parent-propagation-delay pt1h;
- parent-ds-ttl 7200;
-};
echo_i "ns6/setup.sh"
-setup() {
- zone="$1"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- infile="${zone}.db.infile"
-}
-
-# Make lines shorter by storing key states in environment variables.
-H="HIDDEN"
-R="RUMOURED"
-O="OMNIPRESENT"
-U="UNRETENTIVE"
-
-#
-# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
-# algorithm rollover.
-#
-
-# Step 1:
-# Introduce the first key. This will immediately be active.
-setup step1.algorithm-roll.kasp
-echo "$zone" >>zones
-TactN="now"
-ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
-zsktimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
-private_type_record $zone 8 "$KSK" >>"$infile"
-private_type_record $zone 8 "$ZSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 2:
-# After the publication interval has passed the DNSKEY is OMNIPRESENT.
-setup step2.algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 3 hours.
-TactN="now-3h"
-TpubN1="now-3h"
-# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp =
-# now - 3h + 6h + 1h = now + 4h
-TsbmN1="now+4h"
-ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
-zsk1times="-P ${TactN} -A ${TactN} -I now"
-ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${KSK1}.state"
-echo "Lifetime: 0" >>"${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone 8 "$KSK1" >>"$infile"
-private_type_record $zone 8 "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 3:
-# The zone signatures are also OMNIPRESENT.
-setup step3.algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 7 hours.
-TactN="now-7h"
-TretN="now-3h"
-TpubN1="now-7h"
-TsbmN1="now"
-ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
-zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
-ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${KSK1}.state"
-echo "Lifetime: 0" >>"${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone 8 "$KSK1" >>"$infile"
-private_type_record $zone 8 "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 4:
-# The DS is swapped and can become OMNIPRESENT.
-setup step4.algorithm-roll.kasp
-# The time passed since the DS has been swapped is 29 hours.
-TactN="now-36h"
-TretN="now-33h"
-TpubN1="now-36h"
-TsbmN1="now-29h"
-TactN1="now-27h"
-ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
-zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
-ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" >settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${KSK1}.state"
-echo "Lifetime: 0" >>"${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone 8 "$KSK1" >>"$infile"
-private_type_record $zone 8 "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 5:
-# The DNSKEY is removed long enough to be HIDDEN.
-setup step5.algorithm-roll.kasp
-# The time passed since the DNSKEY has been removed is 2 hours.
-TactN="now-38h"
-TretN="now-35h"
-TremN="now-2h"
-TpubN1="now-38h"
-TsbmN1="now-31h"
-TactN1="now-29h"
-ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
-zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
-ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${KSK1}.state"
-echo "Lifetime: 0" >>"${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone 8 "$KSK1" >>"$infile"
-private_type_record $zone 8 "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 6:
-# The RRSIGs have been removed long enough to be HIDDEN.
-setup step6.algorithm-roll.kasp
-# Additional time passed: 7h.
-TactN="now-45h"
-TretN="now-42h"
-TremN="now-7h"
-TpubN1="now-45h"
-TsbmN1="now-38h"
-TactN1="now-36h"
-TdeaN="now-7h"
-ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
-zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
-ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
-zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
-$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${KSK1}.state"
-echo "Lifetime: 0" >>"${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone 8 "$KSK1" >>"$infile"
-private_type_record $zone 8 "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-#
-# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
-# algorithm rollover.
-#
-
-# Step 1:
-# Introduce the first key. This will immediately be active.
-setup step1.csk-algorithm-roll.kasp
-echo "$zone" >>zones
-TactN="now"
-csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" >"$infile"
-private_type_record $zone 5 "$CSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 2:
-# After the publication interval has passed the DNSKEY is OMNIPRESENT.
-setup step2.csk-algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 3 hours.
-TactN="now-3h"
-TpubN1="now-3h"
-csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
-newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone 5 "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 3:
-# The zone signatures are also OMNIPRESENT.
-setup step3.csk-algorithm-roll.kasp
-# The time passed since the new algorithm keys have been introduced is 7 hours.
-TactN="now-7h"
-TretN="now-3h"
-TpubN1="now-7h"
-TactN1="now-3h"
-csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone 5 "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 4:
-# The DS is swapped and can become OMNIPRESENT.
-setup step4.csk-algorithm-roll.kasp
-# The time passed since the DS has been swapped is 29 hours.
-TactN="now-36h"
-TretN="now-33h"
-TpubN1="now-36h"
-TactN1="now-33h"
-TsubN1="now-29h"
-csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone 5 "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 5:
-# The DNSKEY is removed long enough to be HIDDEN.
-setup step5.csk-algorithm-roll.kasp
-# The time passed since the DNSKEY has been removed is 2 hours.
-TactN="now-38h"
-TretN="now-35h"
-TremN="now-2h"
-TpubN1="now-38h"
-TactN1="now-35h"
-TsubN1="now-31h"
-csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" >settime.out.$zone.2 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone 5 "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 6:
-# The RRSIGs have been removed long enough to be HIDDEN.
-setup step6.csk-algorithm-roll.kasp
-# Additional time passed: 7h.
-TactN="now-45h"
-TretN="now-42h"
-TdeaN="now-9h"
-TremN="now-7h"
-TpubN1="now-45h"
-TactN1="now-42h"
-TsubN1="now-38h"
-csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
-newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >>"${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone 5 "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
#
# Reload testing
#
test "$ret" -eq 0 || echo_i "failed"
status=$((status + ret))
-set_keytimes_csk_policy() {
- # The first key is immediately published and activated.
- created=$(key_get KEY1 CREATED)
- set_keytime "KEY1" "PUBLISHED" "${created}"
- set_keytime "KEY1" "ACTIVE" "${created}"
- # The DS can be published if the DNSKEY and RRSIG records are
- # OMNIPRESENT. This happens after max-zone-ttl (1d) plus
- # zone-propagation-delay (300s) = 86400 + 300 = 86700.
- set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 86700
- # Key lifetime is unlimited, so not setting RETIRED and REMOVED.
-}
-
-# Set keytimes for dnssec-policy with various algorithms.
-# These all use the same time values.
-set_keytimes_algorithm_policy() {
- # The first KSK is immediately published and activated.
- created=$(key_get KEY1 CREATED)
- set_keytime "KEY1" "PUBLISHED" "${created}"
- set_keytime "KEY1" "ACTIVE" "${created}"
- # Key was pregenerated.
- if [ "$1" = "pregenerated" ]; then
- keyfile=$(key_get KEY1 BASEFILE)
- grep "; Publish:" "${keyfile}.key" >published.test${n}.key1
- published=$(awk '{print $3}' <published.test${n}.key1)
- set_keytime "KEY1" "PUBLISHED" "${published}"
- set_keytime "KEY1" "ACTIVE" "${published}"
- fi
- published=$(key_get KEY1 PUBLISHED)
-
- # The DS can be published if the DNSKEY and RRSIG records are
- # OMNIPRESENT. This happens after max-zone-ttl (1d) plus
- # zone-propagation-delay (300s) = 86400 + 300 = 86700.
- set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 86700
- # Key lifetime is 10 years, 315360000 seconds.
- set_addkeytime "KEY1" "RETIRED" "${published}" 315360000
- # The key is removed after the retire time plus DS TTL (1d),
- # parent propagation delay (1h), and retire safety (1h) =
- # 86400 + 3600 + 3600 = 93600.
- retired=$(key_get KEY1 RETIRED)
- set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
-
- # The first ZSKs are immediately published and activated.
- created=$(key_get KEY2 CREATED)
- set_keytime "KEY2" "PUBLISHED" "${created}"
- set_keytime "KEY2" "ACTIVE" "${created}"
- # Key was pregenerated.
- if [ "$1" = "pregenerated" ]; then
- keyfile=$(key_get KEY2 BASEFILE)
- grep "; Publish:" "${keyfile}.key" >published.test${n}.key2
- published=$(awk '{print $3}' <published.test${n}.key2)
- set_keytime "KEY2" "PUBLISHED" "${published}"
- set_keytime "KEY2" "ACTIVE" "${published}"
- fi
- published=$(key_get KEY2 PUBLISHED)
-
- # Key lifetime for KSK2 is 5 years, 157680000 seconds.
- set_addkeytime "KEY2" "RETIRED" "${published}" 157680000
- # The key is removed after the retire time plus max zone ttl (1d), zone
- # propagation delay (300s), retire safety (1h), and sign delay
- # (signature validity minus refresh, 9d) =
- # 86400 + 300 + 3600 + 777600 = 867900.
- retired=$(key_get KEY2 RETIRED)
- set_addkeytime "KEY2" "REMOVED" "${retired}" 867900
-
- # Second ZSK (KEY3).
- created=$(key_get KEY3 CREATED)
- set_keytime "KEY3" "PUBLISHED" "${created}"
- set_keytime "KEY3" "ACTIVE" "${created}"
- # Key was pregenerated.
- if [ "$1" = "pregenerated" ]; then
- keyfile=$(key_get KEY3 BASEFILE)
- grep "; Publish:" "${keyfile}.key" >published.test${n}.key3
- published=$(awk '{print $3}' <published.test${n}.key3)
- set_keytime "KEY3" "PUBLISHED" "${published}"
- set_keytime "KEY3" "ACTIVE" "${published}"
- fi
- published=$(key_get KEY3 PUBLISHED)
-
- # Key lifetime for KSK3 is 1 year, 31536000 seconds.
- set_addkeytime "KEY3" "RETIRED" "${published}" 31536000
- retired=$(key_get KEY3 RETIRED)
- set_addkeytime "KEY3" "REMOVED" "${retired}" 867900
-}
-
-# TODO: we might want to test:
-# - configuring a zone with too many active keys (should trigger retire).
-# - configuring a zone with keys not matching the policy.
-
-# Set key times for 'autosign' policy.
-set_keytimes_autosign_policy() {
- # The KSK was published six months ago (with settime).
- created=$(key_get KEY1 CREATED)
- set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000
- set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000
- set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000
- # Key lifetime is 2 years, 63072000 seconds.
- active=$(key_get KEY1 ACTIVE)
- set_addkeytime "KEY1" "RETIRED" "${active}" 63072000
- # The key is removed after the retire time plus DS TTL (1d),
- # parent propagation delay (1h), retire safety (1h) =
- # 86400 + 3600 + 3600 = 93600
- retired=$(key_get KEY1 RETIRED)
- set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
-
- # The ZSK was published six months ago (with settime).
- created=$(key_get KEY2 CREATED)
- set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000
- set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000
- # Key lifetime for KSK2 is 1 year, 31536000 seconds.
- active=$(key_get KEY2 ACTIVE)
- set_addkeytime "KEY2" "RETIRED" "${active}" 31536000
- # The key is removed after the retire time plus:
- # TTLsig (RRSIG TTL): 1 day (86400 seconds)
- # Dprp (propagation delay): 5 minutes (300 seconds)
- # retire-safety: 1 hour (3600 seconds)
- # Dsgn (sign delay): 7 days (604800 seconds)
- # Iret: 695100 seconds.
- retired=$(key_get KEY2 RETIRED)
- set_addkeytime "KEY2" "REMOVED" "${retired}" 695100
-}
-
-_check_next_key_event() {
- _expect=$1
-
- grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" >"keyevent.out.$ZONE.test$n" || return 1
-
- # Get the latest next key event.
- if [ "${DYNAMIC}" = "yes" ]; then
- _time=$(awk '{print $8}' <"keyevent.out.$ZONE.test$n" | tail -1)
- else
- # inline-signing zone adds "(signed)"
- _time=$(awk '{print $9}' <"keyevent.out.$ZONE.test$n" | tail -1)
- fi
-
- # The next key event time must within threshold of the
- # expected time.
- _expectmin=$((_expect - next_key_event_threshold))
- _expectmax=$((_expect + next_key_event_threshold))
-
- test $_expectmin -le "$_time" || return 1
- test $_expectmax -ge "$_time" || return 1
-
- return 0
-}
-
-check_next_key_event() {
- n=$((n + 1))
- echo_i "check next key event for zone ${ZONE} ($n)"
- ret=0
-
- retry_quiet 3 _check_next_key_event $1 || log_error "bad next key event time for zone ${ZONE} (expect ${_expect})"
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-
-}
-
-set_retired_removed() {
- _Lkey=$2
- _Iret=$3
-
- _active=$(key_get $1 ACTIVE)
- set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}"
- _retired=$(key_get $1 RETIRED)
- set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
-}
-
-rollover_predecessor_keytimes() {
- _addtime=$1
-
- _created=$(key_get KEY1 CREATED)
- set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
- set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
- set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
- [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
-
- _created=$(key_get KEY2 CREATED)
- set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
- set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
- [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
-}
-
-csk_rollover_predecessor_keytimes() {
- _addtime=$1
-
- _created=$(key_get KEY1 CREATED)
- set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
- set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
- set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
- [ "$Lcsk" = 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}"
-}
-
-#
-# Testing algorithm rollover.
-#
-Lksk=0
-Lzsk=0
-IretKSK=0
-IretZSK=0
-
-#
-# Zone: step1.algorithm-roll.kasp
-#
-set_zone "step1.algorithm-roll.kasp"
-set_policy "rsasha256" "2" "3600"
-set_server "ns6" "10.53.0.6"
-# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
-
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "0"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
-key_clear "KEY3"
-key_clear "KEY4"
-
-# The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
-
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
-
-# Various signing policy checks.
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# These keys are immediately published and activated.
-rollover_predecessor_keytimes 0
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when the successor keys need to be published.
-# Since the lifetime of the keys are unlimited, so default to loadkeys
-# interval.
-check_next_key_event 3600
-
-#
-# Zone: step1.csk-algorithm-roll.kasp
-#
-set_zone "step1.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "1" "3600"
-set_server "ns6" "10.53.0.6"
-# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
-key_clear "KEY2"
-key_clear "KEY3"
-key_clear "KEY4"
-# The CSK (KEY1) starts in OMNIPRESENT.
-set_keystate "KEY1" "GOAL" "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
-
-# Various signing policy checks.
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key is immediately published and activated.
-Lcsk=0
-IretCSK=0
-csk_rollover_predecessor_keytimes 0
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when the successor keys need to be published.
-# Since the lifetime of the keys are unlimited, so default to loadkeys
-# interval.
-check_next_key_event 3600
-
-# Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy
-# changes).
-echo_i "reconfig dnssec-policy to trigger algorithm rollover"
-copy_setports ns6/named2.conf.in ns6/named.conf
-rndc_reconfig ns6 10.53.0.6
-
-# Calculate time passed to correctly check for next key events.
-now="$(TZ=UTC date +%s)"
-time_passed=$((now - start_time))
-echo_i "${time_passed} seconds passed between start of tests and reconfig"
-
-# Wait until we have seen "zone_rekey done:" message for this key.
-_wait_for_done_signing() {
- _zone=$1
-
- _ksk=$(key_get $2 KSK)
- _zsk=$(key_get $2 ZSK)
- if [ "$_ksk" = "yes" ]; then
- _role="KSK"
- _expect_type=EXPECT_KRRSIG
- elif [ "$_zsk" = "yes" ]; then
- _role="ZSK"
- _expect_type=EXPECT_ZRRSIG
- fi
-
- if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then
- _keyid=$(key_get $2 ID)
- _keyalg=$(key_get $2 ALG_STR)
- echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
- grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" >/dev/null || return 1
- fi
-
- return 0
-}
-
-wait_for_done_signing() {
- n=$((n + 1))
- echo_i "wait for zone ${ZONE} is done signing ($n)"
- ret=0
-
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1
-
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status + ret))
-}
-
-#
-# Testing KSK/ZSK algorithm rollover.
-#
-
-# Policy parameters.
-# Lksk: unlimited
-# Lzsk: unlimited
-Lksk=0
-Lzsk=0
-
-#
-# Zone: step1.algorithm-roll.kasp
-#
-set_zone "step1.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
-set_server "ns6" "10.53.0.6"
-# Old RSASHA1 keys.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
-
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "0"
-set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
-# New ECDSAP256SHA256 keys.
-key_clear "KEY3"
-set_keyrole "KEY3" "ksk"
-set_keylifetime "KEY3" "0"
-set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY3" "yes"
-set_zonesigning "KEY3" "no"
-
-key_clear "KEY4"
-set_keyrole "KEY4" "zsk"
-set_keylifetime "KEY4" "0"
-set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY4" "no"
-set_zonesigning "KEY4" "yes"
-# The RSAHSHA1 keys are outroducing.
-set_keystate "KEY1" "GOAL" "hidden"
-set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
-set_keystate "KEY2" "GOAL" "hidden"
-set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
-# The ECDSAP256SHA256 keys are introducing.
-set_keystate "KEY3" "GOAL" "omnipresent"
-set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY3" "STATE_DS" "hidden"
-set_keystate "KEY4" "GOAL" "omnipresent"
-set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old keys are published and activated.
-rollover_predecessor_keytimes 0
-# - KSK must be retired since it no longer matches the policy.
-keyfile=$(key_get KEY1 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
-retired=$(awk '{print $3}' <retired.test${n}.ksk)
-set_keytime "KEY1" "RETIRED" "${retired}"
-# - The key is removed after the retire interval:
-# IretKSK = TTLds + DprpP + retire-safety
-# TTLds: 2h (7200 seconds)
-# DprpP: 1h (3600 seconds)
-# retire-safety: 2h (7200 seconds)
-# IretKSK: 5h (18000 seconds)
-IretKSK=18000
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
-# - ZSK must be retired since it no longer matches the policy.
-keyfile=$(key_get KEY2 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk
-retired=$(awk '{print $3}' <retired.test${n}.zsk)
-set_keytime "KEY2" "RETIRED" "${retired}"
-# - The key is removed after the retire interval:
-# IretZSK = TTLsig + Dprp + Dsgn + retire-safety
-# TTLsig: 6h (21600 seconds)
-# Dprp: 1h (3600 seconds)
-# Dsgn: 25d (2160000 seconds)
-# retire-safety: 2h (7200 seconds)
-# IretZSK: 25d9h (2192400 seconds)
-IretZSK=2192400
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
-# - The new KSK is published and activated.
-created=$(key_get KEY3 CREATED)
-set_keytime "KEY3" "PUBLISHED" "${created}"
-set_keytime "KEY3" "ACTIVE" "${created}"
-# - It takes TTLsig + Dprp to propagate the zone.
-# TTLsig: 6h (39600 seconds)
-# Dprp: 1h (3600 seconds)
-# Ipub: 7h (25200 seconds)
-Ipub=25200
-set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
-# - The new ZSK is published and activated.
-created=$(key_get KEY4 CREATED)
-set_keytime "KEY4" "PUBLISHED" "${created}"
-set_keytime "KEY4" "ACTIVE" "${created}"
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when the ecdsa256 keys have been propagated.
-# This is the DNSKEY TTL plus publish safety plus zone propagation delay:
-# 3 times an hour: 10800 seconds.
-check_next_key_event 10800
-
-#
-# Zone: step2.algorithm-roll.kasp
-#
-set_zone "step2.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
-set_server "ns6" "10.53.0.6"
-# The RSAHSHA1 keys are outroducing, but need to stay present until the new
-# algorithm chain of trust has been established. Thus the properties, timings
-# and states of the KEY1 and KEY2 are the same as above.
-
-# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent,
-# but the zone signatures are not.
-set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY4" "STATE_DNSKEY" "omnipresent"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old keys were activated three hours ago (10800 seconds).
-rollover_predecessor_keytimes -10800
-# - KSK must be retired since it no longer matches the policy.
-created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "RETIRED" "${created}"
-set_addkeytime "KEY1" "REMOVED" "${created}" "${IretKSK}"
-# - ZSK must be retired since it no longer matches the policy.
-created=$(key_get KEY2 CREATED)
-set_keytime "KEY2" "RETIRED" "${created}"
-set_addkeytime "KEY2" "REMOVED" "${created}" "${IretZSK}"
-# - The new keys are published 3 hours ago.
-created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -10800
-set_addkeytime "KEY3" "ACTIVE" "${created}" -10800
-published=$(key_get KEY3 PUBLISHED)
-set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${Ipub}"
-
-created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -10800
-set_addkeytime "KEY4" "ACTIVE" "${created}" -10800
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when all zone signatures are signed with the new
-# algorithm. This is the max-zone-ttl plus zone propagation delay
-# 6h + 1h. But three hours have already passed (the time it took to
-# make the DNSKEY omnipresent), so the next event should be scheduled
-# in 4 hour: 14400 seconds. Prevent intermittent
-# false positives on slow platforms by subtracting the number of seconds
-# which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((14400 - time_passed))
-check_next_key_event $next_time
-
-#
-# Zone: step3.algorithm-roll.kasp
-#
-set_zone "step3.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
-set_server "ns6" "10.53.0.6"
-# The ECDSAP256SHA256 keys are introducing.
-set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
-# The DS can be swapped.
-set_keystate "KEY1" "STATE_DS" "unretentive"
-set_keystate "KEY3" "STATE_DS" "rumoured"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# Check that CDS publication is logged.
-check_cdslog "$DIR" "$ZONE" KEY3
-
-# Set expected key times:
-# - The old keys were activated 7 hours ago (25200 seconds).
-rollover_predecessor_keytimes -25200
-# - And retired 3 hours ago (10800 seconds).
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -10800
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
-
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -10800
-retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
-# - The new keys are published 7 hours ago.
-created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -25200
-set_addkeytime "KEY3" "ACTIVE" "${created}" -25200
-published=$(key_get KEY3 PUBLISHED)
-set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
-
-created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -25200
-set_addkeytime "KEY4" "ACTIVE" "${created}" -25200
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Tell named we "saw" the parent swap the DS and see if the next key event is
-# scheduled at the correct time.
-rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
-rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
-# Next key event is when the DS becomes OMNIPRESENT. This happens after the
-# parent propagation delay, and DS TTL:
-# 1h + 2h = 3h = 10800 seconds.
-check_next_key_event 10800
-
-#
-# Zone: step4.algorithm-roll.kasp
-#
-set_zone "step4.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
-set_server "ns6" "10.53.0.6"
-# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
-set_keysigning "KEY1" "no"
-set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_DS" "hidden"
-
-set_zonesigning "KEY2" "no"
-set_keystate "KEY2" "GOAL" "hidden"
-set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
-# The ECDSAP256SHA256 DS is now OMNIPRESENT.
-set_keystate "KEY3" "STATE_DS" "omnipresent"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old keys were activated 36 hours ago (129600 seconds).
-rollover_predecessor_keytimes -129600
-# - And retired 33 hours ago (118800 seconds).
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -118800
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
-
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -118800
-retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
-
-# - The new keys are published 36 hours ago.
-created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -129600
-set_addkeytime "KEY3" "ACTIVE" "${created}" -129600
-published=$(key_get KEY3 PUBLISHED)
-set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
-
-created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -129600
-set_addkeytime "KEY4" "ACTIVE" "${created}" -129600
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when the old DNSKEY becomes HIDDEN. This happens after the
-# DNSKEY TTL plus zone propagation delay (2h).
-check_next_key_event 7200
-
-#
-# Zone: step5.algorithm-roll.kasp
-#
-set_zone "step5.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
-set_server "ns6" "10.53.0.6"
-# The DNSKEY becomes HIDDEN.
-set_keystate "KEY1" "STATE_DNSKEY" "hidden"
-set_keystate "KEY1" "STATE_KRRSIG" "hidden"
-set_keystate "KEY2" "STATE_DNSKEY" "hidden"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old keys were activated 38 hours ago (136800 seconds)
-rollover_predecessor_keytimes -136800
-# - And retired 35 hours ago (126000 seconds).
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -126000
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
-
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -126000
-retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
-
-# The new keys are published 40 hours ago.
-created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
-published=$(key_get KEY3 PUBLISHED)
-set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
-
-created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY4" "ACTIVE" "${created}" -136800
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when the RSASHA1 signatures become HIDDEN. This happens
-# after the max-zone-ttl plus zone propagation delay (6h + 1h)
-# minus the time already passed since the UNRETENTIVE state has
-# been reached (2h): 7h - 2h = 5h = 18000 seconds. Prevent intermittent
-# false positives on slow platforms by subtracting the number of seconds
-# which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((18000 - time_passed))
-check_next_key_event $next_time
-
-#
-# Zone: step6.algorithm-roll.kasp
-#
-set_zone "step6.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
-set_server "ns6" "10.53.0.6"
-# The old zone signatures (KEY2) should now also be HIDDEN.
-set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old keys were activated 45 hours ago (162000 seconds)
-rollover_predecessor_keytimes -162000
-# - And retired 42 hours ago (151200 seconds).
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -151200
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
-
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -151200
-retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
-
-# The new keys are published 47 hours ago.
-created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -162000
-set_addkeytime "KEY3" "ACTIVE" "${created}" -162000
-published=$(key_get KEY3 PUBLISHED)
-set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
-
-created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -162000
-set_addkeytime "KEY4" "ACTIVE" "${created}" -162000
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is never since we established the policy and the keys have
-# an unlimited lifetime. Fallback to the default loadkeys interval.
-check_next_key_event 3600
-
-#
-# Testing CSK algorithm rollover.
-#
-
-# Policy parameters.
-# Lcsk: unlimited
-Lcksk=0
-
-#
-# Zone: step1.csk-algorithm-roll.kasp
-#
-set_zone "step1.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
-set_server "ns6" "10.53.0.6"
-# Old RSASHA1 key.
-key_clear "KEY1"
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
-set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
-# New ECDSAP256SHA256 key.
-key_clear "KEY2"
-set_keyrole "KEY2" "csk"
-set_keylifetime "KEY2" "0"
-set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "yes"
-set_zonesigning "KEY2" "yes"
-key_clear "KEY3"
-key_clear "KEY4"
-# The RSAHSHA1 key is outroducing.
-set_keystate "KEY1" "GOAL" "hidden"
-set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
-# The ECDSAP256SHA256 key is introducing.
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY2" "STATE_DS" "hidden"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - CSK must be retired since it no longer matches the policy.
-csk_rollover_predecessor_keytimes 0
-keyfile=$(key_get KEY1 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
-retired=$(awk '{print $3}' <retired.test${n}.ksk)
-set_keytime "KEY1" "RETIRED" "${retired}"
-# - The key is removed after the retire interval:
-# IretZSK = TTLsig + Dprp + Dsgn + retire-safety
-# TTLsig: 6h (21600 seconds)
-# Dprp: 1h (3600 seconds)
-# Dsgn: 25d (2160000 seconds)
-# retire-safety: 2h (7200 seconds)
-# IretZSK: 25d9h (2192400 seconds)
-IretCSK=2192400
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
-# - The new CSK is published and activated.
-created=$(key_get KEY2 CREATED)
-set_keytime "KEY2" "PUBLISHED" "${created}"
-set_keytime "KEY2" "ACTIVE" "${created}"
-# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
-# TTLsig: 6h (39600 seconds)
-# Dprp: 1h (3600 seconds)
-# Ipub: 7h (25200 seconds)
-Ipub=25200
-set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when the new key has been propagated.
-# This is the DNSKEY TTL plus publish safety plus zone propagation delay:
-# 3 times an hour: 10800 seconds.
-check_next_key_event 10800
-
-#
-# Zone: step2.csk-algorithm-roll.kasp
-#
-set_zone "step2.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
-set_server "ns6" "10.53.0.6"
-# The RSAHSHA1 key is outroducing, but need to stay present until the new
-# algorithm chain of trust has been established. Thus the properties, timings
-# and states of KEY1 is the same as above.
-#
-# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent,
-# but the zone signatures are not.
-set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old key was activated three hours ago (10800 seconds).
-csk_rollover_predecessor_keytimes -10800
-# - CSK must be retired since it no longer matches the policy.
-created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "RETIRED" "${created}"
-set_addkeytime "KEY1" "REMOVED" "${created}" "${IretCSK}"
-# - The new key was published 3 hours ago.
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -10800
-set_addkeytime "KEY2" "ACTIVE" "${created}" -10800
-published=$(key_get KEY2 PUBLISHED)
-set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when all zone signatures are signed with the new algorithm.
-# This is the max-zone-ttl plus zone propagation delay: 6h + 1h. But three
-# hours have already passed (the time it took to make the DNSKEY omnipresent),
-# so the next event should be scheduled in 4 hour: 14400 seconds. Prevent
-# intermittent false positives on slow platforms by subtracting the number of
-# seconds which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((14400 - time_passed))
-check_next_key_event $next_time
-
-#
-# Zone: step3.csk-algorithm-roll.kasp
-#
-set_zone "step3.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
-set_server "ns6" "10.53.0.6"
-# The RSAHSHA1 key is outroducing, and it is time to swap the DS.
-# The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures
-# are now omnipresent, so the DS can be introduced.
-set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
-# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
-set_keystate "KEY1" "STATE_DS" "unretentive"
-set_keystate "KEY2" "STATE_DS" "rumoured"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# Check that CDS publication is logged.
-check_cdslog "$DIR" "$ZONE" KEY2
-
-# Set expected key times:
-# - The old key was activated 7 hours ago (25200 seconds).
-csk_rollover_predecessor_keytimes -25200
-# - And was retired 3 hours ago (10800 seconds).
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -10800
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
-# - The new key was published 9 hours ago.
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -25200
-set_addkeytime "KEY2" "ACTIVE" "${created}" -25200
-published=$(key_get KEY2 PUBLISHED)
-set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# We ignore any parent registration delay, so set the DS publish time to now.
-rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
-rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
-# Next key event is when the DS becomes OMNIPRESENT. This happens after the
-# parent propagation delay, and DS TTL:
-# 1h + 2h = 3h = 10800 seconds.
-check_next_key_event 10800
-
-#
-# Zone: step4.csk-algorithm-roll.kasp
-#
-set_zone "step4.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
-set_server "ns6" "10.53.0.6"
-# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
-set_keysigning "KEY1" "no"
-set_zonesigning "KEY1" "no"
-set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_DS" "hidden"
-# The ECDSAP256SHA256 DS is now OMNIPRESENT.
-set_keystate "KEY2" "STATE_DS" "omnipresent"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old keys were activated 36 hours ago (129600 seconds).
-csk_rollover_predecessor_keytimes -129600
-# - And retired 33 hours ago (118800 seconds).
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -118800
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
-# - The new key was published 36 hours ago.
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -129600
-set_addkeytime "KEY2" "ACTIVE" "${created}" -129600
-published=$(key_get KEY2 PUBLISHED)
-set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when the old DNSKEY becomes HIDDEN. This happens after the
-# DNSKEY TTL plus zone propagation delay (2h).
-check_next_key_event 7200
-
-#
-# Zone: step5.csk-algorithm-roll.kasp
-#
-set_zone "step5.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
-set_server "ns6" "10.53.0.6"
-# The DNSKEY becomes HIDDEN.
-set_keystate "KEY1" "STATE_DNSKEY" "hidden"
-set_keystate "KEY1" "STATE_KRRSIG" "hidden"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old key was activated 38 hours ago (136800 seconds)
-csk_rollover_predecessor_keytimes -136800
-# - And retired 35 hours ago (126000 seconds).
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -126000
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
-# - The new key was published 38 hours ago.
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
-published=$(key_get KEY2 PUBLISHED)
-set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is when the RSASHA1 signatures become HIDDEN. This happens
-# after the max-zone-ttl plus zone propagation delay (6h + 1h) minus the
-# time already passed since the UNRETENTIVE state has been reached (2h):
-# 7h - 2h = 5h = 18000 seconds. Prevent intermittent false positives on slow
-# platforms by subtracting the number of seconds which passed between key
-# creation and invoking 'rndc reconfig'.
-next_time=$((18000 - time_passed))
-check_next_key_event $next_time
-
-#
-# Zone: step6.csk-algorithm-roll.kasp
-#
-set_zone "step6.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
-set_server "ns6" "10.53.0.6"
-# The zone signatures should now also be HIDDEN.
-set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
-
-# Various signing policy checks.
-check_keys
-wait_for_done_signing
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-
-# Set expected key times:
-# - The old keys were activated 45 hours ago (162000 seconds)
-csk_rollover_predecessor_keytimes -162000
-# - And retired 42 hours ago (151200 seconds).
-created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -151200
-retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
-# - The new key was published 47 hours ago.
-created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -162000
-set_addkeytime "KEY2" "ACTIVE" "${created}" -162000
-published=$(key_get KEY2 PUBLISHED)
-set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
-
-# Continue signing policy checks.
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
-
-# Next key event is never since we established the policy and the keys have
-# an unlimited lifetime. Fallback to the default loadkeys interval.
-check_next_key_event 3600
-
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
};
};
+dnssec-policy "rsasha256" {
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ keys {
+ ksk lifetime unlimited algorithm rsasha256;
+ zsk lifetime unlimited algorithm rsasha256;
+ };
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ zone-propagation-delay 3600;
+ max-zone-ttl 6h;
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
+
+dnssec-policy "ecdsa256" {
+ signatures-refresh P5D;
+ signatures-validity 30d;
+ signatures-validity-dnskey 30d;
+
+ keys {
+ ksk lifetime unlimited algorithm ecdsa256;
+ zsk lifetime unlimited algorithm ecdsa256;
+ };
+
+ dnskey-ttl 1h;
+ publish-safety PT1H;
+ retire-safety 2h;
+ zone-propagation-delay 3600;
+ max-zone-ttl 6h;
+ parent-propagation-delay pt1h;
+ parent-ds-ttl 7200;
+};
+
{% if RSASHA1_SUPPORTED == "1" %}
dnssec-policy "rsasha1" {
signatures-refresh P5D;
dnssec-policy "default";
allow-update { any; };
};
+
+/* These are alorithm rollover test zones. */
+zone "step1.algorithm-roll.kasp" {
+ type primary;
+ file "step1.algorithm-roll.kasp.db";
+ dnssec-policy "rsasha256";
+};
+
+zone "step1.csk-algorithm-roll.kasp" {
+ type primary;
+ file "step1.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
dnssec-policy "none";
allow-update { any; };
};
+
+/*
+ * Zones for testing KSK/ZSK algorithm roll.
+ */
+zone "step1.algorithm-roll.kasp" {
+ type primary;
+ file "step1.algorithm-roll.kasp.db";
+ dnssec-policy "ecdsa256";
+};
+
+zone "step2.algorithm-roll.kasp" {
+ type primary;
+ file "step2.algorithm-roll.kasp.db";
+ dnssec-policy "ecdsa256";
+};
+
+zone "step3.algorithm-roll.kasp" {
+ type primary;
+ file "step3.algorithm-roll.kasp.db";
+ dnssec-policy "ecdsa256";
+};
+
+zone "step4.algorithm-roll.kasp" {
+ type primary;
+ file "step4.algorithm-roll.kasp.db";
+ dnssec-policy "ecdsa256";
+};
+
+zone "step5.algorithm-roll.kasp" {
+ type primary;
+ file "step5.algorithm-roll.kasp.db";
+ dnssec-policy "ecdsa256";
+};
+
+zone "step6.algorithm-roll.kasp" {
+ type primary;
+ file "step6.algorithm-roll.kasp.db";
+ dnssec-policy "ecdsa256";
+};
+
+/*
+ * Zones for testing CSK algorithm roll.
+ */
+zone "step1.csk-algorithm-roll.kasp" {
+ type primary;
+ file "step1.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
+
+zone "step2.csk-algorithm-roll.kasp" {
+ type primary;
+ file "step2.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
+
+zone "step3.csk-algorithm-roll.kasp" {
+ type primary;
+ file "step3.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
+
+zone "step4.csk-algorithm-roll.kasp" {
+ type primary;
+ file "step4.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
+
+zone "step5.csk-algorithm-roll.kasp" {
+ type primary;
+ file "step5.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
+
+zone "step6.csk-algorithm-roll.kasp" {
+ type primary;
+ file "step6.csk-algorithm-roll.kasp.db";
+ dnssec-policy "csk-algoroll";
+};
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O full -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+#
+# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
+# algorithm rollover.
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.algorithm-roll.kasp
+echo "$zone" >>zones
+TactN="now-7d"
+TsbmN="now-161h"
+ksktimes="-P ${TactN} -A ${TactN}"
+zsktimes="-P ${TactN} -A ${TactN}"
+KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone 8 "$KSK" >>"$infile"
+private_type_record $zone 8 "$ZSK" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 2:
+# After the publication interval has passed the DNSKEY is OMNIPRESENT.
+setup step2.algorithm-roll.kasp
+# The time passed since the new algorithm keys have been introduced is 3 hours.
+TpubN1="now-3h"
+# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp = now - 3h + 6h + 1h = now + 4h
+TsbmN1="now+4h"
+ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
+ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+zsk2times="-P ${TpubN1} -A ${TpubN1}"
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 3:
+# The zone signatures are also OMNIPRESENT.
+setup step3.algorithm-roll.kasp
+# The time passed since the new algorithm keys have been introduced is 7 hours.
+TpubN1="now-7h"
+TsbmN1="now"
+ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
+ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+zsk2times="-P ${TpubN1} -A ${TpubN1}"
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 4:
+# The DS is swapped and can become OMNIPRESENT.
+setup step4.algorithm-roll.kasp
+# The time passed since the DS has been swapped is 3 hours.
+TpubN1="now-10h"
+TsbmN1="now-3h"
+ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
+ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+zsk2times="-P ${TpubN1} -A ${TpubN1}"
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 5:
+# The DNSKEY is removed long enough to be HIDDEN.
+setup step5.algorithm-roll.kasp
+# The time passed since the DNSKEY has been removed is 2 hours.
+TpubN1="now-12h"
+TsbmN1="now-5h"
+ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
+ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+zsk2times="-P ${TpubN1} -A ${TpubN1}"
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $U $TsbmN1 -r $U $TsbmN1 -d $H $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $U $TsbmN1 -z $U $TsbmN1 "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 6:
+# The RRSIGs have been removed long enough to be HIDDEN.
+setup step6.algorithm-roll.kasp
+# Additional time passed: 7h.
+TpubN1="now-19h"
+TsbmN1="now-12h"
+ksk1times="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+zsk1times="-P ${TactN} -A ${TactN} -I ${TsbmN1}"
+ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+zsk2times="-P ${TpubN1} -A ${TpubN1}"
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $H $TsbmN1 -r $U $TsbmN1 -d $H $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $H $TsbmN1 -z $U $TsbmN1 "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TsbmN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+#
+# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
+# algorithm rollover.
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.csk-algorithm-roll.kasp
+echo "$zone" >>zones
+TactN="now-7d"
+TsbmN="now-161h"
+csktimes="-P ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone 5 "$CSK" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 2:
+# After the publication interval has passed the DNSKEY is OMNIPRESENT.
+setup step2.csk-algorithm-roll.kasp
+# The time passed since the new algorithm keys have been introduced is 3 hours.
+TpubN1="now-3h"
+# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp = now - 3h + 6h + 1h = now + 4h
+TsbmN1="now+4h"
+csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I now"
+newtimes="-P ${TpubN1} -A ${TpubN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 3:
+# The zone signatures are also OMNIPRESENT.
+setup step3.csk-algorithm-roll.kasp
+# The time passed since the new algorithm keys have been introduced is 7 hours.
+TpubN1="now-7h"
+TsbmN1="now"
+ckstimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 4:
+# The DS is swapped and can become OMNIPRESENT.
+setup step4.csk-algorithm-roll.kasp
+# The time passed since the DS has been swapped is 3 hours.
+TpubN1="now-10h"
+TsbmN1="now-3h"
+csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TsbmN1 -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 5:
+# The DNSKEY is removed long enough to be HIDDEN.
+setup step5.csk-algorithm-roll.kasp
+# The time passed since the DNSKEY has been removed is 2 hours.
+TpubN1="now-12h"
+TsbmN1="now-5h"
+csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TactN -r $U $TactN -z $U $TsbmN1 -d $H $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -z $O $TsbmN1 -d $O $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 6:
+# The RRSIGs have been removed long enough to be HIDDEN.
+setup step6.csk-algorithm-roll.kasp
+# Additional time passed: 7h.
+TpubN1="now-19h"
+TsbmN1="now-12h"
+csktimes="-P ${TactN} -A ${TactN} -P sync ${TsbmN} -I ${TsbmN1}"
+newtimes="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
+CSK1=$($KEYGEN -k csk-algoroll -l csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $H $TactN -r $U $TactN -z $U $TactN -d $H $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
+# Fake lifetime of old algorithm keys.
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
unsigning_config = default_config.copy()
unsigning_config["dnskey-ttl"] = timedelta(seconds=7200)
+ algoroll_config = {
+ "dnskey-ttl": timedelta(hours=1),
+ "ds-ttl": timedelta(seconds=7200),
+ "max-zone-ttl": timedelta(hours=6),
+ "parent-propagation-delay": timedelta(hours=1),
+ "publish-safety": timedelta(hours=1),
+ "purge-keys": timedelta(days=90),
+ "retire-safety": timedelta(hours=2),
+ "signatures-refresh": timedelta(days=5),
+ "signatures-validity": timedelta(days=30),
+ "zone-propagation-delay": timedelta(seconds=3600),
+ }
+
start_time = KeyTimingMetadata.now()
# Test dynamic zones that switch to inline-signing.
}
steps.append(step)
+ # Test algorithm rollover (KSK/ZSK split).
+ isctest.log.info("check algorithm rollover ksk/zsk split")
+ offset = -timedelta(days=7)
+ offval = int(offset.total_seconds())
+ step = {
+ "zone": "step1.algorithm-roll.kasp",
+ "cdss": cdss,
+ "config": algoroll_config,
+ "policy": "rsasha256",
+ "keyprops": [
+ f"ksk 0 8 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offval}",
+ f"zsk 0 8 2048 goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offval}",
+ ],
+ "nextev": timedelta(hours=1),
+ }
+ steps.append(step)
+
+ # Test algorithm rollover (CSK).
+ isctest.log.info("check algorithm rollover csk")
+ step = {
+ "zone": "step1.csk-algorithm-roll.kasp",
+ "cdss": cdss,
+ "config": algoroll_config,
+ "policy": "csk-algoroll",
+ "keyprops": [
+ f"csk 0 8 2048 goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}",
+ ],
+ "nextev": timedelta(hours=1),
+ }
+ steps.append(step)
+
for step in steps:
check_rollover_step(server, step["config"], step["policy"], step)
}
steps.append(step)
+ # Test algorithm rollover (KSK/ZSK split) (after reconfig).
+ isctest.log.info("check algorithm rollover ksk/zsk split (after reconfig)")
+ offset = -timedelta(days=7)
+ offval = int(offset.total_seconds())
+ ipub = Ipub(algoroll_config)
+ ipubc = IpubC(algoroll_config, rollover=False)
+ iret = Iret(algoroll_config, rollover=False)
+ iretKSK = Iret(algoroll_config, zsk=False, ksk=True, rollover=False)
+ keyttlprop = (
+ algoroll_config["dnskey-ttl"] + algoroll_config["zone-propagation-delay"]
+ )
+ offsets = {}
+ offsets["step2"] = -int(ipub.total_seconds())
+ offsets["step3"] = -int(iret.total_seconds())
+ offsets["step4"] = offsets["step3"] - int(iretKSK.total_seconds())
+ offsets["step5"] = offsets["step4"] - int(keyttlprop.total_seconds())
+ offsets["step6"] = offsets["step5"] - int(iret.total_seconds())
+ algo_steps = [
+ {
+ # Step 1.
+ "zone": "step1.algorithm-roll.kasp",
+ "cdss": cdss,
+ "config": algoroll_config,
+ "policy": "ecdsa256",
+ "keyprops": [
+ # The RSASHA keys are outroducing.
+ f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offval}",
+ f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{offval}",
+ # The ECDSAP256SHA256 keys are introducing.
+ f"ksk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured ds:hidden",
+ f"zsk 0 {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:rumoured",
+ ],
+ # Next key event is when the ecdsa256 keys have been propagated.
+ "nextev": ipub,
+ },
+ {
+ # Step 2.
+ "zone": "step2.algorithm-roll.kasp",
+ "cdss": cdss,
+ "config": algoroll_config,
+ "policy": "ecdsa256",
+ "keyprops": [
+ # The RSASHA keys are outroducing, but need to stay present
+ # until the new algorithm chain of trust has been established.
+ # Thus the expected key states of these keys stay the same.
+ f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offval}",
+ f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{offval}",
+ # The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is
+ # omnipresent, but the zone signatures are not.
+ f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:hidden offset:{offsets['step2']}",
+ f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{offsets['step2']}",
+ ],
+ # Next key event is when all zone signatures are signed with the new
+ # algorithm. This is the max-zone-ttl plus zone propagation delay. But
+ # the publication interval has already passed. Also, prevent intermittent
+ # false positives on slow platforms by subtracting the time passed between
+ # key creation and invoking 'rndc reconfig'.
+ "nextev": ipubc - ipub - time_passed,
+ },
+ {
+ # Step 3.
+ "zone": "step3.algorithm-roll.kasp",
+ "cdss": cdss,
+ "config": algoroll_config,
+ "policy": "ecdsa256",
+ "keyprops": [
+ # The DS can be swapped.
+ f"ksk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent ds:unretentive offset:{offval}",
+ f"zsk 0 8 2048 goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{offval}",
+ f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:rumoured offset:{offsets['step3']}",
+ f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step3']}",
+ ],
+ # Next key event is when the DS becomes OMNIPRESENT. This happens
+ # after the retire interval.
+ "nextev": iretKSK - time_passed,
+ },
+ {
+ # Step 4.
+ "zone": "step4.algorithm-roll.kasp",
+ "cdss": cdss,
+ "config": algoroll_config,
+ "policy": "ecdsa256",
+ "keyprops": [
+ # The old DS is HIDDEN, we can remove the old algorithm records.
+ f"ksk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive ds:hidden offset:{offval}",
+ f"zsk 0 8 2048 goal:hidden dnskey:unretentive zrrsig:unretentive offset:{offval}",
+ f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step4']}",
+ f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step4']}",
+ ],
+ # Next key event is when the old DNSKEY becomes HIDDEN.
+ # This happens after the DNSKEY TTL plus zone propagation delay.
+ "nextev": keyttlprop,
+ },
+ {
+ # Step 5.
+ "zone": "step5.algorithm-roll.kasp",
+ "cdss": cdss,
+ "config": algoroll_config,
+ "policy": "ecdsa256",
+ "keyprops": [
+ # The DNSKEY becomes HIDDEN.
+ f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{offval}",
+ f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:unretentive offset:{offval}",
+ f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step5']}",
+ f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step5']}",
+ ],
+ # Next key event is when the RSASHA signatures become HIDDEN.
+ # This happens after the max-zone-ttl plus zone propagation delay
+ # minus the time already passed since the UNRETENTIVE state has
+ # been reached. Prevent intermittent false positives on slow
+ # platforms by subtracting the number of seconds which passed
+ # between key creation and invoking 'rndc reconfig'.
+ "nextev": iret - iretKSK - keyttlprop - time_passed,
+ },
+ {
+ # Step 6.
+ "zone": "step6.algorithm-roll.kasp",
+ "cdss": cdss,
+ "config": algoroll_config,
+ "policy": "ecdsa256",
+ "keyprops": [
+ # The zone signatures are now HIDDEN.
+ f"ksk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden ds:hidden offset:{offval}",
+ f"zsk 0 8 2048 goal:hidden dnskey:hidden zrrsig:hidden offset:{offval}",
+ f"ksk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step6']}",
+ f"zsk 0 {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step6']}",
+ ],
+ # Next key event is never since we established the policy and the
+ # keys have an unlimited lifetime. Fallback to the default
+ # loadkeys interval.
+ "nextev": timedelta(hours=1),
+ },
+ ]
+ steps = steps + algo_steps
+
+ # Test algorithm rollover (CSK) (after reconfig).
+ isctest.log.info("check algorithm rollover csk (after reconfig)")
+ offsets = {}
+ offsets["step2"] = -int(ipub.total_seconds())
+ offsets["step3"] = -int(iret.total_seconds())
+ offsets["step4"] = offsets["step3"] - int(iretKSK.total_seconds())
+ offsets["step5"] = offsets["step4"] - int(keyttlprop.total_seconds())
+ offsets["step6"] = offsets["step5"] - int(iret.total_seconds())
+ algo_steps = [
+ {
+ # Step 1.
+ "zone": "step1.csk-algorithm-roll.kasp",
+ "cdss": cdss,
+ "config": algoroll_config,
+ "policy": "csk-algoroll",
+ "keyprops": [
+ # The RSASHA keys are outroducing.
+ f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}",
+ # The ECDSAP256SHA256 keys are introducing.
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:rumoured ds:hidden",
+ ],
+ # Next key event is when the ecdsa256 keys have been propagated.
+ "nextev": ipub,
+ },
+ {
+ # Step 2.
+ "zone": "step2.csk-algorithm-roll.kasp",
+ "cdss": cdss,
+ "config": algoroll_config,
+ "policy": "csk-algoroll",
+ "keyprops": [
+ # The RSASHA keys are outroducing, but need to stay present
+ # until the new algorithm chain of trust has been established.
+ # Thus the expected key states of these keys stay the same.
+ f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offval}",
+ # The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is
+ # omnipresent, but the zone signatures are not.
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:hidden offset:{offsets['step2']}",
+ ],
+ # Next key event is when all zone signatures are signed with the
+ # new algorithm. This is the child publication interval, minus
+ # the publication interval has already passed. Also, prevent
+ # intermittent false positives on slow platforms by subtracting
+ # the time passed between key creation and invoking 'rndc reconfig'.
+ "nextev": ipubc - ipub - time_passed,
+ },
+ {
+ # Step 3.
+ "zone": "step3.csk-algorithm-roll.kasp",
+ "cdss": cdss,
+ "config": algoroll_config,
+ "policy": "csk-algoroll",
+ "keyprops": [
+ # The DS can be swapped.
+ f"csk 0 8 2048 goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:unretentive offset:{offval}",
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{offsets['step3']}",
+ ],
+ # Next key event is when the DS becomes OMNIPRESENT. This happens
+ # after the publication interval of the parent side.
+ "nextev": iretKSK - time_passed,
+ },
+ {
+ # Step 4.
+ "zone": "step4.csk-algorithm-roll.kasp",
+ "cdss": cdss,
+ "config": algoroll_config,
+ "policy": "csk-algoroll",
+ "keyprops": [
+ # The old DS is HIDDEN, we can remove the old algorithm records.
+ f"csk 0 8 2048 goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:unretentive ds:hidden offset:{offval}",
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step4']}",
+ ],
+ # Next key event is when the old DNSKEY becomes HIDDEN.
+ # This happens after the DNSKEY TTL plus zone propagation delay.
+ "nextev": keyttlprop,
+ },
+ {
+ # Step 5.
+ "zone": "step5.csk-algorithm-roll.kasp",
+ "cdss": cdss,
+ "config": algoroll_config,
+ "policy": "csk-algoroll",
+ "keyprops": [
+ # The DNSKEY becomes HIDDEN.
+ f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:unretentive ds:hidden offset:{offval}",
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step5']}",
+ ],
+ # Next key event is when the RSASHA signatures become HIDDEN.
+ # This happens after the max-zone-ttl plus zone propagation delay
+ # minus the time already passed since the UNRETENTIVE state has
+ # been reached. Prevent intermittent false positives on slow
+ # platforms by subtracting the number of seconds which passed
+ # between key creation and invoking 'rndc reconfig'.
+ "nextev": iret - iretKSK - keyttlprop - time_passed,
+ },
+ {
+ # Step 6.
+ "zone": "step6.csk-algorithm-roll.kasp",
+ "cdss": cdss,
+ "config": algoroll_config,
+ "policy": "csk-algoroll",
+ "keyprops": [
+ # The zone signatures are now HIDDEN.
+ f"csk 0 8 2048 goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{offval}",
+ f"csk 0 {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step6']}",
+ ],
+ # Next key event is never since we established the policy and the
+ # keys have an unlimited lifetime. Fallback to the default
+ # loadkeys interval.
+ "nextev": timedelta(hours=1),
+ },
+ ]
+ steps = steps + algo_steps
+
for step in steps:
check_rollover_step(server, step["config"], step["policy"], step)
projects / thirdparty / bind9.git / commitdiff
