key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
+key_clear "KEY4"
###############################################################################
# Utilities #
test $_log -eq 1 && echo_i "error: $1"
ret=$((ret+1))
}
-
-# Set zone properties for testing keys.
-# $1: Key directory
-# $2: Zone name
-# $3: Policy name
-# $4: DNSKEY TTL
-# $5: Number of keys
-# $6: Name server
-#
-# This will set the following environment variables for testing:
-# DIR, ZONE, POLICY, DNSKEY_TTL, NUM_KEYS, SERVER
-zone_properties() {
+# Set server key-directory ($1) and address ($2) for testing keys.
+set_server() {
DIR=$1
- ZONE=$2
- POLICY=$3
- DNSKEY_TTL=$4
- NUM_KEYS=$5
- SERVER=$6
+ SERVER=$2
+}
+# Set zone name for testing keys.
+set_zone() {
+ ZONE=$1
+}
+# Set policy settings (name $1, number of keys $2, dnskey ttl $3) for testing keys.
+set_policy() {
+ POLICY=$1
+ NUM_KEYS=$2
+ DNSKEY_TTL=$3
}
# Set key properties for testing keys.
}
# Check the key $1 with id $2.
-# This requires environment variables to be set with 'zone_properties',
-# 'key_properties', 'key_timings', and 'key_states'.
+# This requires environment variables to be set.
#
# This will set the following environment variables for testing:
# BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}"
}
# Check the key with key id $1 and see if it is unused.
-# This requires environment variables to be set with 'zone_properties',
-# and 'key_properties'.
+# This requires environment variables to be set.
#
# This will set the following environment variables for testing:
# BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}"
#
# dnssec-keygen
#
-zone_properties "keys" "kasp" "kasp" "200" "10.53.0.1"
+set_zone "kasp"
+set_policy "kasp" "4" "200"
+set_server "keys" "10.53.0.1"
n=$((n+1))
echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)"
ret=0
$KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1
lines=$(wc -l < "keygen.out.$POLICY.test$n")
-test "$lines" -eq 4 || log_error "wrong number of keys created for policy kasp: $lines"
+test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy kasp: $lines"
# Temporarily don't log errors because we are searching multiple files.
_log=0
key_states "KEY4" "none" "none" "none" "none" "none"
lines=$(get_keyids "$DIR" "$ZONE" | wc -l)
-test "$lines" -eq 4 || log_error "bad number of key ids"
+test "$lines" -eq $NUM_KEYS || log_error "bad number of key ids"
ids=$(get_keyids "$DIR" "$ZONE")
for id in $ids; do
n=$((n+1))
echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
ret=0
-zone_properties "." "kasp" "default" "3600" "10.53.0.1"
+set_zone "kasp"
+set_policy "default" "1" "3600"
+set_server "." "10.53.0.1"
+
key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
key_timings "KEY1" "none" "none" "none" "none" "none"
key_states "KEY1" "none" "none" "none" "none" "none"
n=$((n+1))
echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
ret=0
-zone_properties "." "kasp" "default" "3600" "10.53.0.1"
key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
key_timings "KEY1" "none" "none" "none" "none" "none"
key_states "KEY1" "none" "none" "none" "none" "none"
$KEYGEN -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1
lines=$(wc -l < "keygen.out.$POLICY.test$n")
-test "$lines" -eq 1 || log_error "wrong number of keys created for policy default: $lines"
+test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy default: $lines"
ids=$(get_keyids "$DIR" "$ZONE")
for id in $ids; do
check_key "KEY1" "$id"
#
# Check the zone with default kasp policy has loaded and is signed.
-zone_properties "ns3" "default.kasp" "default" "3600" "1" "10.53.0.3"
+set_zone "default.kasp"
+set_policy "default" "1" "3600"
+set_server "ns3" "10.53.0.3"
+
key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
# The first key is immediately published and activated.
key_timings "KEY1" "published" "active" "none" "none" "none" "none"
#
# Zone: rsasha1.kasp.
#
-zone_properties "ns3" "rsasha1.kasp" "rsasha1" "1234" "3" "10.53.0.3"
+set_zone "rsasha1.kasp"
+set_policy "rsasha1" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes"
key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "2048" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no"
#
# Zone: unsigned.kasp.
#
-zone_properties "ns3" "unsigned.kasp" "none" "0" "0" "10.53.0.3"
+set_zone "unsigned.kasp"
+set_policy "none" "0" "0"
+set_server "ns3" "10.53.0.3"
+
key_clear "KEY1"
key_clear "KEY2"
key_clear "KEY3"
#
# Zone: unlimited.kasp.
#
-zone_properties "ns3" "unlimited.kasp" "unlimited" "1234" "1" "10.53.0.3"
+set_zone "unlimited.kasp"
+set_policy "unlimited" "1" "1234"
+set_server "ns3" "10.53.0.3"
+
key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
key_clear "KEY2"
key_clear "KEY3"
#
# Zone: inherit.kasp.
#
-zone_properties "ns3" "inherit.kasp" "rsasha1" "1234" "3" "10.53.0.3"
+set_zone "inherit.kasp"
+set_policy "rsasha1" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes"
key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "2048" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no"
#
# Zone: dnssec-keygen.kasp.
#
-zone_properties "ns3" "dnssec-keygen.kasp" "rsasha1" "1234" "3" "10.53.0.3"
+set_zone "dnssec-keygen.kasp"
+set_policy "rsasha1" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
# key_properties, key_timings and key_states same as above.
check_keys
check_apex
#
# Zone: some-keys.kasp.
#
-zone_properties "ns3" "some-keys.kasp" "rsasha1" "1234" "3" "10.53.0.3"
+set_zone "some-keys.kasp"
+set_policy "rsasha1" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
# key_properties, key_timings and key_states same as above.
check_keys
check_apex
#
# Zone: legacy-keys.kasp.
#
-zone_properties "ns3" "legacy-keys.kasp" "rsasha1" "1234" "3" "10.53.0.3"
+set_zone "legacy-keys.kasp"
+set_policy "rsasha1" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
# key_properties, key_timings and key_states same as above.
check_keys
check_apex
#
# There are more pregenerated keys than needed, hence the number of keys is
# six, not three.
-zone_properties "ns3" "pregenerated.kasp" "rsasha1" "1234" "6" "10.53.0.3"
+set_zone "pregenerated.kasp"
+set_policy "rsasha1" "6" "1234"
+set_server "ns3" "10.53.0.3"
+
# key_properties, key_timings and key_states same as above.
check_keys
check_apex
# Zone: rumoured.kasp.
#
# There are three keys in rumoured state.
-zone_properties "ns3" "rumoured.kasp" "rsasha1" "1234" "3" "10.53.0.3"
+set_zone "rumoured.kasp"
+set_policy "rsasha1" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
# key_properties, key_timings and key_states same as above.
check_keys
check_apex
#
# Zone: secondary.kasp.
#
-zone_properties "ns3" "secondary.kasp" "rsasha1" "1234" "3" "10.53.0.3"
+set_zone "secondary.kasp"
+set_policy "rsasha1" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
# KSK properties, timings and states same as above.
check_keys
check_apex
#
# Zone: rsasha1-nsec3.kasp.
#
-zone_properties "ns3" "rsasha1-nsec3.kasp" "rsasha1-nsec3" "1234" "3" "10.53.0.3"
+set_zone "rsasha1-nsec3.kasp"
+set_policy "rsasha1-nsec3" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
key_properties "KEY1" "ksk" "315360000" "7" "NSEC3RSASHA1" "2048" "no" "yes"
key_properties "KEY2" "zsk" "157680000" "7" "NSEC3RSASHA1" "2048" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "7" "NSEC3RSASHA1" "2000" "yes" "no"
#
# Zone: rsasha256.kasp.
#
-zone_properties "ns3" "rsasha256.kasp" "rsasha256" "1234" "3" "10.53.0.3"
+set_zone "rsasha256.kasp"
+set_policy "rsasha256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
key_properties "KEY1" "ksk" "315360000" "8" "RSASHA256" "2048" "no" "yes"
key_properties "KEY2" "zsk" "157680000" "8" "RSASHA256" "2048" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "8" "RSASHA256" "2000" "yes" "no"
#
# Zone: rsasha512.kasp.
#
-zone_properties "ns3" "rsasha512.kasp" "rsasha512" "1234" "3" "10.53.0.3"
+set_zone "rsasha512.kasp"
+set_policy "rsasha512" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
key_properties "KEY1" "ksk" "315360000" "10" "RSASHA512" "2048" "no" "yes"
key_properties "KEY2" "zsk" "157680000" "10" "RSASHA512" "2048" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "10" "RSASHA512" "2000" "yes" "no"
#
# Zone: ecdsa256.kasp.
#
-zone_properties "ns3" "ecdsa256.kasp" "ecdsa256" "1234" "3" "10.53.0.3"
+set_zone "ecdsa256.kasp"
+set_policy "ecdsa256" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
key_properties "KEY1" "ksk" "315360000" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_properties "KEY2" "zsk" "157680000" "13" "ECDSAP256SHA256" "256" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "no"
#
# Zone: ecdsa512.kasp.
#
-zone_properties "ns3" "ecdsa384.kasp" "ecdsa384" "1234" "3" "10.53.0.3"
+set_zone "ecdsa384.kasp"
+set_policy "ecdsa384" "3" "1234"
+set_server "ns3" "10.53.0.3"
+
key_properties "KEY1" "ksk" "315360000" "14" "ECDSAP384SHA384" "384" "no" "yes"
key_properties "KEY2" "zsk" "157680000" "14" "ECDSAP384SHA384" "384" "yes" "no"
key_properties "KEY3" "zsk" "31536000" "14" "ECDSAP384SHA384" "384" "yes" "no"
#
# Zone: expired-sigs.autosign.
#
-zone_properties "ns3" "expired-sigs.autosign" "autosign" "300" "2" "10.53.0.3"
+set_zone "expired-sigs.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+
# Both KSK and ZSK stay OMNIPRESENT.
key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
#
# Zone: fresh-sigs.autosign.
#
-zone_properties "ns3" "fresh-sigs.autosign" "autosign" "300" "2" "10.53.0.3"
+set_zone "fresh-sigs.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+
# key_properties, key_timings and key_states same as above.
check_keys
check_apex
#
# Zone: unfresh-sigs.autosign.
#
-zone_properties "ns3" "unfresh-sigs.autosign" "autosign" "300" "2" "10.53.0.3"
+set_zone "unfresh-sigs.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+
# key_properties, key_timings and key_states same as above.
check_keys
check_apex
#
# Zone: zsk-missing.autosign.
#
-zone_properties "ns3" "zsk-missing.autosign" "autosign" "300" "2" "10.53.0.3"
+set_zone "zsk-missing.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+
# KSK stays OMNIPRESENT.
key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
#
# Zone: zsk-retired.autosign.
#
-zone_properties "ns3" "zsk-retired.autosign" "autosign" "300" "3" "10.53.0.3"
+set_zone "zsk-retired.autosign"
+set_policy "autosign" "2" "300"
+set_server "ns3" "10.53.0.3"
+
# KSK properties, timings and states same as above.
# The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK
# is active.
key_clear "KEY2"
key_clear "KEY3"
-zone_properties "ns2" "unsigned.tld" "none" "0" "0" "10.53.0.2"
+set_zone "unsigned.tld"
+set_policy "none" "0" "0"
+set_server "ns2" "10.53.0.2"
TSIG=""
check_keys
check_apex
check_subdomain
-zone_properties "ns4" "none.inherit.signed" "none" "0" "0" "10.53.0.4"
+set_zone "none.inherit.signed"
+set_policy "none" "0" "0"
+set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_apex
check_subdomain
-zone_properties "ns4" "none.override.signed" "none" "0" "0" "10.53.0.4"
+set_zone "none.override.signed"
+set_policy "none" "0" "0"
+set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_apex
check_subdomain
-zone_properties "ns4" "inherit.none.signed" "none" "0" "0" "10.53.0.4"
+set_zone "inherit.none.signed"
+set_policy "none" "0" "0"
+set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_apex
check_subdomain
-zone_properties "ns4" "none.none.signed" "none" "0" "0" "10.53.0.4"
+set_zone "none.none.signed"
+set_policy "none" "0" "0"
+set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_apex
check_subdomain
-zone_properties "ns5" "inherit.inherit.unsigned" "none" "0" "0" "10.53.0.5"
+set_zone "inherit.inherit.unsigned"
+set_policy "none" "0" "0"
+set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_apex
check_subdomain
-zone_properties "ns5" "none.inherit.unsigned" "none" "0" "0" "10.53.0.5"
+set_zone "none.inherit.unsigned"
+set_policy "none" "0" "0"
+set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_apex
check_subdomain
-zone_properties "ns5" "none.override.unsigned" "none" "0" "0" "10.53.0.5"
+set_zone "none.override.unsigned"
+set_policy "none" "0" "0"
+set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_apex
check_subdomain
-zone_properties "ns5" "inherit.none.unsigned" "none" "0" "0" "10.53.0.5"
+set_zone "inherit.none.unsigned"
+set_policy "none" "0" "0"
+set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_apex
check_subdomain
-zone_properties "ns5" "none.none.unsigned" "none" "0" "0" "10.53.0.5"
+set_zone "none.none.unsigned"
+set_policy "none" "0" "0"
+set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_apex
key_timings "KEY1" "published" "active" "none" "none" "none"
key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden"
-zone_properties "ns2" "signed.tld" "default" "3600" "1" "10.53.0.2"
+set_zone "signed.tld"
+set_policy "default" "1" "3600"
+set_server "ns2" "10.53.0.2"
TSIG=""
check_keys
check_apex
check_subdomain
dnssec_verify
-zone_properties "ns4" "override.inherit.signed" "default" "3600" "1" "10.53.0.4"
+set_zone "override.inherit.signed"
+set_policy "default" "1" "3600"
+set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_apex
check_subdomain
dnssec_verify
-zone_properties "ns4" "inherit.override.signed" "default" "3600" "1" "10.53.0.4"
+set_zone "inherit.override.signed"
+set_policy "default" "1" "3600"
+set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_apex
check_subdomain
dnssec_verify
-zone_properties "ns5" "override.inherit.unsigned" "default" "3600" "1" "10.53.0.5"
+set_zone "override.inherit.unsigned"
+set_policy "default" "1" "3600"
+set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_apex
check_subdomain
dnssec_verify
-zone_properties "ns5" "inherit.override.unsigned" "default" "3600" "1" "10.53.0.5"
+set_zone "inherit.override.unsigned"
+set_policy "default" "1" "3600"
+set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_apex
key_timings "KEY1" "published" "active" "none" "none" "none"
key_states "KEY1" "omnipresent" "rumoured" "rumoured" "rumoured" "hidden"
-zone_properties "ns4" "inherit.inherit.signed" "test" "3600" "1" "10.53.0.4"
+set_zone "inherit.inherit.signed"
+set_policy "test" "1" "3600"
+set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_apex
check_subdomain
dnssec_verify
-zone_properties "ns4" "override.override.signed" "test" "3600" "1" "10.53.0.4"
+set_zone "override.override.signed"
+set_policy "test" "1" "3600"
+set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_apex
check_subdomain
dnssec_verify
-zone_properties "ns4" "override.none.signed" "test" "3600" "1" "10.53.0.4"
+set_zone "override.none.signed"
+set_policy "test" "1" "3600"
+set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_apex
check_subdomain
dnssec_verify
-zone_properties "ns5" "override.override.unsigned" "test" "3600" "1" "10.53.0.5"
+set_zone "override.override.unsigned"
+set_policy "test" "1" "3600"
+set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_apex
check_subdomain
dnssec_verify
-zone_properties "ns5" "override.none.unsigned" "test" "3600" "1" "10.53.0.5"
+set_zone "override.none.unsigned"
+set_policy "test" "1" "3600"
+set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_apex
#
# Zone: step1.enable-dnssec.autosign.
#
-zone_properties "ns3" "step1.enable-dnssec.autosign" "enable-dnssec" "300" "1" "10.53.0.3"
+set_zone "step1.enable-dnssec.autosign"
+set_policy "enable-dnssec" "1" "300"
+set_server "ns3" "10.53.0.3"
+
# The DNSKEY and signatures are introduced first, the DS remains hidden.
key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
key_timings "KEY1" "published" "active" "none" "none" "none"
#
# Zone: step2.enable-dnssec.autosign.
#
-zone_properties "ns3" "step2.enable-dnssec.autosign" "enable-dnssec" "300" "1" "10.53.0.3"
+set_zone "step2.enable-dnssec.autosign"
+set_policy "enable-dnssec" "1" "300"
+set_server "ns3" "10.53.0.3"
+
# The DNSKEY and signatures are introduced first, the DS remains hidden.
key_states "KEY1" "omnipresent" "omnipresent" "rumoured" "omnipresent" "hidden"
check_keys
#
# Zone: step3.enable-dnssec.autosign.
#
-zone_properties "ns3" "step3.enable-dnssec.autosign" "enable-dnssec" "300" "1" "10.53.0.3"
+set_zone "step3.enable-dnssec.autosign"
+set_policy "enable-dnssec" "1" "300"
+set_server "ns3" "10.53.0.3"
+
# The DS can be introduced.
key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "rumoured"
check_keys
#
# Zone: step4.enable-dnssec.autosign.
#
-zone_properties "ns3" "step4.enable-dnssec.autosign" "enable-dnssec" "300" "1" "10.53.0.3"
+set_zone "step4.enable-dnssec.autosign"
+set_policy "enable-dnssec" "1" "300"
+set_server "ns3" "10.53.0.3"
+
# The DS is omnipresent.
key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
check_keys
#
# Zone: step1.zsk-prepub.autosign.
#
-zone_properties "ns3" "step1.zsk-prepub.autosign" "zsk-prepub" "3600" "2" "10.53.0.3"
+set_zone "step1.zsk-prepub.autosign"
+set_policy "zsk-prepub" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
#
# Zone: step2.zsk-prepub.autosign.
#
-zone_properties "ns3" "step2.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3"
+set_zone "step2.zsk-prepub.autosign"
+set_policy "zsk-prepub" "3" "3600"
+set_server "ns3" "10.53.0.3"
+
# KSK (KEY1) doesn't change.
# ZSK (KEY2) remains active, no change in properties/timings/states.
# New ZSK (KEY3) is prepublished.
#
# Zone: step3.zsk-prepub.autosign.
#
-zone_properties "ns3" "step3.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3"
+set_zone "step3.zsk-prepub.autosign"
+set_policy "zsk-prepub" "3" "3600"
+set_server "ns3" "10.53.0.3"
+
# KSK (KEY1) doesn't change.
# ZSK (KEY2) properties and timing metadata same as above.
# ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE.
#
# Zone: step4.zsk-prepub.autosign.
#
-zone_properties "ns3" "step4.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3"
+set_zone "step4.zsk-prepub.autosign"
+set_policy "zsk-prepub" "3" "3600"
+set_server "ns3" "10.53.0.3"
+
# KSK (KEY1) doesn't change.
# ZSK (KEY2) properties and timing metadata same as above.
# ZSK (KEY2) DNSKEY is no longer needed.
#
# Zone: step5.zsk-prepub.autosign.
#
-zone_properties "ns3" "step5.zsk-prepub.autosign" "zsk-prepub" "3600" "3" "10.53.0.3"
+set_zone "step5.zsk-prepub.autosign"
+set_policy "zsk-prepub" "3" "3600"
+set_server "ns3" "10.53.0.3"
+
# KSK (KEY1) doesn't change.
# ZSK (KEY2) properties and timing metadata same as above.
# ZSK (KEY3) DNSKEY is now completely HIDDEN and removed.
#
# Zone: step1.ksk-doubleksk.autosign.
#
-zone_properties "ns3" "step1.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "2" "10.53.0.3"
+set_zone "step1.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "2" "7200"
+set_server "ns3" "10.53.0.3"
+
# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
#
# Zone: step2.ksk-doubleksk.autosign.
#
-zone_properties "ns3" "step2.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3"
+set_zone "step2.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+
# ZSK (KEY2) doesn't change.
# KSK (KEY1) remains active, no change in properties/timings/states.
# New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
#
# Zone: step3.ksk-doubleksk.autosign.
#
-zone_properties "ns3" "step3.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3"
+set_zone "step3.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+
# ZSK (KEY2) doesn't change.
# KSK (KEY1) DS will be removed, so it is UNRETENTIVE.
key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "unretentive"
#
# Zone: step4.ksk-doubleksk.autosign.
#
-zone_properties "ns3" "step4.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3"
+set_zone "step4.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+
# ZSK (KEY2) doesn't change.
# KSK (KEY1) DNSKEY can be removed.
key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "no"
#
# Zone: step5.ksk-doubleksk.autosign.
#
-zone_properties "ns3" "step5.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3" "10.53.0.3"
+set_zone "step5.ksk-doubleksk.autosign"
+set_policy "ksk-doubleksk" "3" "7200"
+set_server "ns3" "10.53.0.3"
+
# ZSK (KEY2) doesn't change.
# KSK (KEY1) DNSKEY is now HIDDEN.
key_states "KEY1" "hidden" "hidden" "none" "hidden" "hidden"
#
# Zone: step1.csk-roll.autosign.
#
-zone_properties "ns3" "step1.csk-roll.autosign" "csk-roll" "3600" "1" "10.53.0.3"
+set_zone "step1.csk-roll.autosign"
+set_policy "csk-roll" "1" "3600"
+set_server "ns3" "10.53.0.3"
+
# The CSK (KEY1) starts in OMNIPRESENT.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
#
# Zone: step2.csk-roll.autosign.
#
+set_zone "step2.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
# Set key properties for testing keys.
-zone_properties "ns3" "step2.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
# CSK (KEY1) remains active, no change in properties/timings/states.
# New CSK (KEY2) is prepublished (and signs DNSKEY RRset).
key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
#
# Zone: step3.csk-roll.autosign.
#
+set_zone "step3.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
# Set key properties for testing keys.
-zone_properties "ns3" "step3.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
# CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive"
#
# Zone: step4.csk-roll.autosign.
#
-zone_properties "ns3" "step4.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
+set_zone "step4.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
# The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public
# but can remove the KRRSIG records.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
#
# Zone: step5.csk-roll.autosign.
#
-zone_properties "ns3" "step5.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
+set_zone "step5.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
# The old CSK (KEY1) KRRSIG records are now all hidden.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
key_states "KEY1" "hidden" "omnipresent" "unretentive" "hidden" "hidden"
#
# Zone: step6.csk-roll.autosign.
#
-zone_properties "ns3" "step6.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
+set_zone "step6.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
# The old CSK (KEY1) DNSKEY can be removed.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
key_states "KEY1" "hidden" "unretentive" "hidden" "hidden" "hidden"
#
# Zone: step7.csk-roll.autosign.
#
-zone_properties "ns3" "step7.csk-roll.autosign" "csk-roll" "3600" "2" "10.53.0.3"
+set_zone "step7.csk-roll.autosign"
+set_policy "csk-roll" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
# The old CSK (KEY1) is now completely HIDDEN.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden"
#
# Zone: step1.csk-roll2.autosign.
#
-zone_properties "ns3" "step1.csk-roll2.autosign" "csk-roll2" "3600" "1" "10.53.0.3"
+set_zone "step1.csk-roll2.autosign"
+set_policy "csk-roll2" "1" "3600"
+set_server "ns3" "10.53.0.3"
+
# The CSK (KEY1) starts in OMNIPRESENT.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
#
# Zone: step2.csk-roll2.autosign.
#
+set_zone "step2.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
# Set key properties for testing keys.
-zone_properties "ns3" "step2.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3"
# CSK (KEY1) remains active, no change in properties/timings/states.
# New CSK (KEY2) is prepublished (and signs DNSKEY RRset).
key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
#
# Zone: step3.csk-roll2.autosign.
#
+set_zone "step3.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
# Set key properties for testing keys.
-zone_properties "ns3" "step3.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3"
# CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive"
#
# Zone: step4.csk-roll2.autosign.
#
-zone_properties "ns3" "step4.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3"
+set_zone "step4.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
# The old CSK (KEY1) ZRRSIG is now HIDDEN.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_states "KEY1" "hidden" "omnipresent" "hidden" "omnipresent" "unretentive"
#
# Zone: step5.csk-roll2.autosign.
#
-zone_properties "ns3" "step5.csk-roll2.autosign" "csk-roll2" "3600" "2" "10.53.0.3"
+set_zone "step5.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
# The old CSK (KEY1) DNSKEY can be removed.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
key_states "KEY1" "hidden" "unretentive" "hidden" "unretentive" "hidden"
#
# Zone: step6.csk-roll2.autosign.
#
-zone_properties "ns3" "step6.csk-roll2.autosign" "csk-roll" "3600" "2" "10.53.0.3"
+set_zone "step6.csk-roll2.autosign"
+set_policy "csk-roll2" "2" "3600"
+set_server "ns3" "10.53.0.3"
+
# The old CSK (KEY1) is now completely HIDDEN.
key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden"
#
# Zone: step1.algorithm-roll.kasp
#
-zone_properties "ns6" "step1.algorithm-roll.kasp" "rsasha1" "3600" "2" "10.53.0.6"
+set_zone "step1.algorithm-roll.kasp"
+set_policy "rsasha1" "2" "3600"
+set_server "ns6" "10.53.0.6"
+
# The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
key_properties "KEY1" "ksk" "0" "5" "RSASHA1" "2048" "no" "yes"
key_timings "KEY1" "published" "active" "none" "none" "none"
#
# Zone: step1.csk-algorithm-roll.kasp
#
-zone_properties "ns6" "step1.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "1" "10.53.0.6"
+set_zone "step1.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "1" "3600"
+set_server "ns6" "10.53.0.6"
+
# The CSK (KEY1) starta in OMNIPRESENT.
key_properties "KEY1" "csk" "0" "5" "RSASHA1" "2048" "yes" "yes"
key_timings "KEY1" "published" "active" "none" "none" "none"
#
# Zone: step1.algorithm-roll.kasp
#
-zone_properties "ns6" "step1.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6"
+set_zone "step1.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+
# The RSAHSHA1 keys are outroducing.
key_properties "KEY1" "ksk" "0" "5" "RSASHA1" "2048" "no" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
#
# Zone: step2.algorithm-roll.kasp
#
-zone_properties "ns6" "step2.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6"
+set_zone "step2.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+
# The RSAHSHA1 keys are outroducing, but need to stay present until the new
# algorithm chain of trust has been established. Thus the properties, timings
# and states of the KEY1 and KEY2 are the same as above.
#
# Zone: step3.algorithm-roll.kasp
#
-zone_properties "ns6" "step3.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6"
+set_zone "step3.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+
# The RSAHSHA1 keys are outroducing, and it is time to swap the DS.
key_states "KEY1" "hidden" "omnipresent" "none" "omnipresent" "unretentive"
# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset and all signatures
#
# Zone: step4.algorithm-roll.kasp
#
-zone_properties "ns6" "step4.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6"
+set_zone "step4.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+
# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
key_properties "KEY1" "ksk" "0" "5" "RSASHA1" "2048" "no" "no"
key_states "KEY1" "hidden" "unretentive" "none" "unretentive" "hidden"
#
# Zone: step5.algorithm-roll.kasp
#
-zone_properties "ns6" "step5.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6"
+set_zone "step5.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+
# The DNSKEY becomes HIDDEN.
key_states "KEY1" "hidden" "hidden" "none" "hidden" "hidden"
key_states "KEY2" "hidden" "hidden" "unretentive" "none" "none"
#
# Zone: step6.algorithm-roll.kasp
#
-zone_properties "ns6" "step6.algorithm-roll.kasp" "ecdsa256" "3600" "4" "10.53.0.6"
+set_zone "step6.algorithm-roll.kasp"
+set_policy "ecdsa256" "4" "3600"
+set_server "ns6" "10.53.0.6"
+
# The zone signatures should now also be HIDDEN.
key_states "KEY2" "hidden" "hidden" "hidden" "none" "none"
#
# Zone: step1.csk-algorithm-roll.kasp
#
-zone_properties "ns6" "step1.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+set_zone "step1.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+
# The RSAHSHA1 key is outroducing.
key_properties "KEY1" "csk" "0" "5" "RSASHA1" "2048" "yes" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
#
# Zone: step2.csk-algorithm-roll.kasp
#
-zone_properties "ns6" "step2.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+set_zone "step2.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+
# The RSAHSHA1 key is outroducing, but need to stay present until the new
# algorithm chain of trust has been established. Thus the properties, timings
# and states of KEY1 is the same as above.
#
# Zone: step3.csk-algorithm-roll.kasp
#
-zone_properties "ns6" "step3.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+set_zone "step3.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+
# The RSAHSHA1 key is outroducing, and it is time to swap the DS.
key_states "KEY1" "hidden" "omnipresent" "omnipresent" "omnipresent" "unretentive"
# The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures
#
# Zone: step4.csk-algorithm-roll.kasp
#
-zone_properties "ns6" "step4.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+set_zone "step4.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+
# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
key_properties "KEY1" "csk" "0" "5" "RSASHA1" "2048" "no" "no"
key_states "KEY1" "hidden" "unretentive" "unretentive" "unretentive" "hidden"
#
# Zone: step5.csk-algorithm-roll.kasp
#
-zone_properties "ns6" "step5.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+set_zone "step5.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+
# The DNSKEY becomes HIDDEN.
key_states "KEY1" "hidden" "hidden" "unretentive" "hidden" "hidden"
#
# Zone: step6.csk-algorithm-roll.kasp
#
-zone_properties "ns6" "step6.csk-algorithm-roll.kasp" "csk-algoroll" "3600" "2" "10.53.0.6"
+set_zone "step6.csk-algorithm-roll.kasp"
+set_policy "csk-algoroll" "2" "3600"
+set_server "ns6" "10.53.0.6"
+
# The zone signatures should now also be HIDDEN.
key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden"
projects / thirdparty / bind9.git / commitdiff
