Isolate rollover-csk-roll2 test case
authorNicki Křížek <nicki@isc.org>
Mon, 9 Jun 2025 14:33:13 +0000 (16:33 +0200)
committerNicki Křížek <nicki@isc.org>
Fri, 18 Jul 2025 11:37:58 +0000 (13:37 +0200)
12 files changed:
bin/tests/system/rollover-csk-roll2/common.py [new symlink]
bin/tests/system/rollover-csk-roll2/ns3/kasp.conf.j2 [new file with mode: 0644]
bin/tests/system/rollover-csk-roll2/ns3/named.common.conf.j2 [new symlink]
bin/tests/system/rollover-csk-roll2/ns3/named.conf.j2 [new file with mode: 0644]
bin/tests/system/rollover-csk-roll2/ns3/template.db.in [new symlink]
bin/tests/system/rollover-csk-roll2/setup.sh [new file with mode: 0644]
bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py [new file with mode: 0644]
bin/tests/system/rollover/common.py
bin/tests/system/rollover/ns3/kasp.conf.j2
bin/tests/system/rollover/ns3/named.conf.j2
bin/tests/system/rollover/ns3/setup.sh
bin/tests/system/rollover/tests_rollover.py

diff --git a/bin/tests/system/rollover-csk-roll2/common.py b/bin/tests/system/rollover-csk-roll2/common.py
new file mode 120000 (symlink)
index 0000000..64b8084
--- /dev/null
@@ -0,0 +1 @@
+../rollover/common.py
\ No newline at end of file
diff --git a/bin/tests/system/rollover-csk-roll2/ns3/kasp.conf.j2 b/bin/tests/system/rollover-csk-roll2/ns3/kasp.conf.j2
new file mode 100644 (file)
index 0000000..5d70bcf
--- /dev/null
@@ -0,0 +1,34 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "csk-roll2" {
+       signatures-refresh 12h;
+       signatures-validity P1D;
+       signatures-validity-dnskey P1D;
+
+       dnskey-ttl 1h;
+       publish-safety PT1H;
+       retire-safety 1h;
+       purge-keys 0;
+
+       cds-digest-types { "sha-256"; "sha-384"; }; // use two digest type for testing purposes
+       keys {
+               csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
+       };
+
+       zone-propagation-delay PT1H;
+       max-zone-ttl 1d;
+
+       parent-ds-ttl PT1H;
+       parent-propagation-delay P1W;
+};
diff --git a/bin/tests/system/rollover-csk-roll2/ns3/named.common.conf.j2 b/bin/tests/system/rollover-csk-roll2/ns3/named.common.conf.j2
new file mode 120000 (symlink)
index 0000000..5dc2617
--- /dev/null
@@ -0,0 +1 @@
+../../rollover/ns3/named.common.conf.j2
\ No newline at end of file
diff --git a/bin/tests/system/rollover-csk-roll2/ns3/named.conf.j2 b/bin/tests/system/rollover-csk-roll2/ns3/named.conf.j2
new file mode 100644 (file)
index 0000000..76cbae5
--- /dev/null
@@ -0,0 +1,51 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "kasp.conf";
+include "named.common.conf";
+
+zone "step1.csk-roll2.autosign" {
+       type primary;
+       file "step1.csk-roll2.autosign.db";
+       dnssec-policy "csk-roll2";
+};
+zone "step2.csk-roll2.autosign" {
+       type primary;
+       file "step2.csk-roll2.autosign.db";
+       dnssec-policy "csk-roll2";
+};
+zone "step3.csk-roll2.autosign" {
+       type primary;
+       file "step3.csk-roll2.autosign.db";
+       dnssec-policy "csk-roll2";
+};
+zone "step4.csk-roll2.autosign" {
+       type primary;
+       file "step4.csk-roll2.autosign.db";
+       dnssec-policy "csk-roll2";
+};
+zone "step5.csk-roll2.autosign" {
+       type primary;
+       file "step5.csk-roll2.autosign.db";
+       dnssec-policy "csk-roll2";
+};
+zone "step6.csk-roll2.autosign" {
+       type primary;
+       file "step6.csk-roll2.autosign.db";
+       dnssec-policy "csk-roll2";
+};
+zone "step7.csk-roll2.autosign" {
+       type primary;
+       file "step7.csk-roll2.autosign.db";
+       dnssec-policy "csk-roll2";
+};
diff --git a/bin/tests/system/rollover-csk-roll2/ns3/template.db.in b/bin/tests/system/rollover-csk-roll2/ns3/template.db.in
new file mode 120000 (symlink)
index 0000000..ce6d526
--- /dev/null
@@ -0,0 +1 @@
+../../rollover/ns3/template.db.in
\ No newline at end of file
diff --git a/bin/tests/system/rollover-csk-roll2/setup.sh b/bin/tests/system/rollover-csk-roll2/setup.sh
new file mode 100644 (file)
index 0000000..6121887
--- /dev/null
@@ -0,0 +1,299 @@
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+cd "ns3"
+
+setup() {
+  zone="$1"
+  echo_i "setting up zone: $zone"
+  zonefile="${zone}.db"
+  infile="${zone}.db.infile"
+  echo "$zone" >>zones
+}
+
+# Set in the key state files the Predecessor/Successor fields.
+# Key $1 is the predecessor of key $2.
+key_successor() {
+  id1=$(keyfile_to_key_id "$1")
+  id2=$(keyfile_to_key_id "$2")
+  echo "Predecessor: ${id1}" >>"${2}.state"
+  echo "Successor: ${id2}" >>"${1}.state"
+}
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+
+#
+# The zones at csk-roll2.autosign represent the various steps of a CSK rollover
+# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
+# This scenario differs from the csk-roll1 one because the zone signatures (ZRRSIG)
+# are replaced with the new key sooner than the DS is swapped.
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.csk-roll2.autosign
+TactN="now-7d"
+keytimes="-P ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 2:
+# It is time to introduce the new CSK.
+setup step2.csk-roll2.autosign
+# According to RFC 7583:
+# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
+# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
+# IpubC = DprpC + TTLkey (+publish-safety)
+# Ipub  = IpubC
+# Lcsk = Lksk = Lzsk
+#
+# Lcsk:           6mo (186d, 4464h)
+# Dreg:           N/A
+# DprpC:          1h
+# TTLkey:         1h
+# publish-safety: 1h
+# Ipub:           3h
+#
+# Tact(N)  = now - Lcsk + Ipub = now - 186d + 3h
+#          = now - 4464h + 3h = now - 4461h
+TactN="now-4461h"
+keytimes="-P ${TactN} -A ${TactN}"
+CSK=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 3:
+# It is time to submit the DS and to roll signatures.
+setup step3.csk-roll2.autosign
+# According to RFC 7583:
+#
+# Tsbm(N+1) >= Trdy(N+1)
+# KSK: Tact(N+1) = Tsbm(N+1)
+# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
+# KSK: Iret  = DprpP + TTLds (+retire-safety)
+# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
+#
+# Lcsk:           186d
+# Dprp:           1h
+# DprpP:          1w
+# Dreg:           N/A
+# Dsgn:           12h
+# TTLds:          1h
+# TTLsig:         1d
+# retire-safety:  1h
+# Iret:           170h
+# IretZ:          38h
+# Ipub:           3h
+#
+# Tpub(N)   = now - Lcsk = now - 186d
+# Tact(N)   = now - Lcsk + Dprp + TTLsig = now - 4439h
+# Tret(N)   = now
+# Trem(N)   = now + Iret = now + 170h
+# Tpub(N+1) = now - Ipub = now - 3h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + Lcsk = now + 186d
+# Trem(N+1) = now + Lcsk + Iret = now + 186d + 170h =
+#           = now + 4464h + 170h = now + 4634h
+TpubN="now-186d"
+TactN="now-4439h"
+TretN="now"
+TremN="now+170h"
+TpubN1="now-3h"
+TactN1="${TretN}"
+TretN1="now+186d"
+TremN1="now+4634h"
+keytimes="-P ${TpubN}  -P sync ${TactN}  -A ${TpubN}  -I ${TretN}  -D ${TremN} -D sync ${TactN1}"
+newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 4:
+# Some time later all the ZRRSIG records should be from the new CSK, and the
+# DS should be swapped.  The ZRRSIG records are all replaced after IretZ (38h).
+# The DS is swapped after Dreg + Iret (1w3h). In other words, the zone
+# signatures are replaced before the DS is swapped.
+setup step4.csk-roll2.autosign
+# According to RFC 7583:
+# Trem(N)    = Tret(N) + IretZ
+#
+# Lcsk:   186d
+# Dreg:   N/A
+# Iret:   170h
+# IretZ:  38h
+#
+# Tpub(N)    = now - IretZ - Lcsk = now - 38h - 186d
+#            = now - 38h - 4464h = now - 4502h
+# Tact(N)    = now - Iret - Lcsk + TTLsig = now - 4502h + 25h = now - 4477h
+# Tret(N)    = now - IretZ = now - 38h
+# Trem(N)    = now - IretZ + Iret = now - 38h + 170h = now + 132h
+# Tpub(N+1)  = now - IretZ - IpubC = now - 38h - 3h = now - 41h
+# Tact(N+1)  = Tret(N)
+# Tret(N+1)  = now - IretZ + Lcsk = now - 38h + 186d
+#            = now + 4426h
+# Trem(N+1)  = now - IretZ + Lcsk + Iret
+#            = now + 4426h + 3h = now + 4429h
+TpubN="now-4502h"
+TactN="now-4477h"
+TretN="now-38h"
+TremN="now+132h"
+TpubN1="now-41h"
+TactN1="${TretN}"
+TretN1="now+4426h"
+TremN1="now+4429h"
+keytimes="-P ${TpubN}  -P sync ${TactN}  -A ${TpubN}  -I ${TretN}  -D ${TremN} -D sync ${TactN1}"
+newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TactN1 -d $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 5:
+# Some time later the DS can be swapped and the old DNSKEY can be removed from
+# the zone.
+setup step5.csk-roll2.autosign
+# Subtract Iret (170h) - IretZ (38h) = 132h.
+#
+# Tpub(N)   = now - 4502h - 132h = now - 4634h
+# Tact(N)   = now - 4477h - 132h = now - 4609h
+# Tret(N)   = now - 38h - 132h = now - 170h
+# Trem(N)   = now + 132h - 132h = now
+# Tpub(N+1) = now - 41h - 132h = now - 173h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 4426h - 132h = now + 4294h
+# Trem(N+1) = now + 4492h - 132h = now + 4360h
+TpubN="now-4634h"
+TactN="now-4609h"
+TretN="now-170h"
+TremN="now"
+TpubN1="now-173h"
+TactN1="${TretN}"
+TretN1="now+4294h"
+TremN1="now+4360h"
+keytimes="-P ${TpubN}  -P sync ${TactN}  -A ${TpubN}  -I ${TretN}  -D ${TremN} -D sync ${TactN1}"
+newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O now-133h -d $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 6:
+# Some time later the predecessor DNSKEY enters the HIDDEN state.
+setup step6.csk-roll2.autosign
+# Subtract DNSKEY TTL plus zone propagation delay (2h).
+#
+# Tpub(N)   = now - 4634h - 2h = now - 4636h
+# Tact(N)   = now - 4609h - 2h = now - 4611h
+# Tret(N)   = now - 170h - 2h = now - 172h
+# Trem(N)   = now - 2h
+# Tpub(N+1) = now - 173h - 2h = now - 175h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 4294h - 2h = now + 4292h
+# Trem(N+1) = now + 4360h - 2h = now + 4358h
+TpubN="now-4636h"
+TactN="now-4611h"
+TretN="now-172h"
+TremN="now-2h"
+TpubN1="now-175h"
+TactN1="${TretN}"
+TretN1="now+4292h"
+TremN1="now+4358h"
+keytimes="-P ${TpubN}  -P sync ${TactN}  -A ${TpubN}  -I ${TretN}  -D ${TremN} -D sync ${TactN1}"
+newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 7:
+# The predecessor DNSKEY can be purged, but purge-keys is disabled.
+setup step7.csk-roll2.autosign
+# Subtract 90 days (default, 2160h) from all the times.
+#
+# Tpub(N)   = now - 4636h - 2160h = now - 6796h
+# Tact(N)   = now - 4611h - 2160h = now - 6771h
+# Tret(N)   = now - 172h - 2160h = now - 2332h
+# Trem(N)   = now - 2h - 2160h = now - 2162h
+# Tpub(N+1) = now - 175h - 2160h = now - 2335h
+# Tact(N+1) = Tret(N)
+# Tret(N+1) = now + 4292h - 2160h = now + 2132h
+# Trem(N+1) = now + 4358h - 2160h = now + 2198h
+TpubN="now-6796h"
+TactN="now-6771h"
+TretN="now-2332h"
+TremN="now-2162h"
+TpubN1="now-2335h"
+TactN1="${TretN}"
+TretN1="now+2132h"
+TremN1="now+2198h"
+keytimes="-P ${TpubN}  -P sync ${TactN}  -A ${TpubN}  -I ${TretN}  -D ${TremN} -D sync ${TactN1}"
+newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
+CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
+# Set key rollover relationship.
+key_successor $CSK1 $CSK2
+# Sign zone.
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
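Review bot: The Step 4 comment and the `TremN1` value do not follow the formula stated two lines above them: `Trem(N+1) = now - IretZ + Lcsk + Iret` with Iret = 170h (listed in the same block) gives now + 4596h, yet the comment adds 3h and the script sets `TremN1="now+4429h"`. Step 5 then starts from `now + 4492h - 132h = now + 4360h`, which matches neither 4429h nor 4596h, and steps 6 and 7 carry the 4360h figure forward. Whether this is observable presumably depends on whether check_rollover_step compares the successor's Delete time against the offsets derived in tests_rollover_csk_roll2.py; if it does, the consistent values would be `TremN1="now+4596h"` in step 4 and `now+4464h` in step 5, with steps 6 and 7 shifted accordingly, and that should be confirmed against the Python side before touching either. The block is carried over verbatim from bin/tests/system/rollover/ns3/setup.sh, so the discrepancy predates the move.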
diff --git a/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py b/bin/tests/system/rollover-csk-roll2/tests_rollover_csk_roll2.py
new file mode 100644 (file)
index 0000000..a4fe5e5
--- /dev/null
@@ -0,0 +1,217 @@
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0.  If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=redefined-outer-name,unused-import
+
+from datetime import timedelta
+
+import isctest
+from isctest.kasp import Ipub, Iret
+from common import (
+    pytestmark,
+    alg,
+    size,
+    TIMEDELTA,
+)
+
+
+CDSS = ["CDNSKEY", "CDS (SHA-256)", "CDS (SHA-384)"]
+CONFIG = {
+    "dnskey-ttl": TIMEDELTA["PT1H"],
+    "ds-ttl": TIMEDELTA["PT1H"],
+    "max-zone-ttl": TIMEDELTA["P1D"],
+    "parent-propagation-delay": TIMEDELTA["P7D"],
+    "publish-safety": TIMEDELTA["PT1H"],
+    "purge-keys": TIMEDELTA[0],
+    "retire-safety": TIMEDELTA["PT1H"],
+    "signatures-refresh": TIMEDELTA["PT12H"],
+    "signatures-validity": TIMEDELTA["P1D"],
+    "zone-propagation-delay": TIMEDELTA["PT1H"],
+}
+POLICY = "csk-roll2"
+CSK_LIFETIME = timedelta(days=31 * 6)
+LIFETIME_POLICY = int(CSK_LIFETIME.total_seconds())
+
+IPUB = Ipub(CONFIG)
+IRET = Iret(CONFIG, zsk=True, ksk=True)
+IRETZSK = Iret(CONFIG)
+IRETKSK = Iret(CONFIG, ksk=True)
+KEYTTLPROP = CONFIG["dnskey-ttl"] + CONFIG["zone-propagation-delay"]
+OFFSETS = {}
+OFFSETS["step1-p"] = -int(timedelta(days=7).total_seconds())
+OFFSETS["step2-p"] = -int(CSK_LIFETIME.total_seconds() - IPUB.total_seconds())
+OFFSETS["step2-s"] = 0
+OFFSETS["step3-p"] = -int(CSK_LIFETIME.total_seconds())
+OFFSETS["step3-s"] = -int(IPUB.total_seconds())
+OFFSETS["step4-p"] = OFFSETS["step3-p"] - int(IRETZSK.total_seconds())
+OFFSETS["step4-s"] = OFFSETS["step3-s"] - int(IRETZSK.total_seconds())
+OFFSETS["step5-p"] = OFFSETS["step4-p"] - int(
+    IRETKSK.total_seconds() - IRETZSK.total_seconds()
+)
+OFFSETS["step5-s"] = OFFSETS["step4-s"] - int(
+    IRETKSK.total_seconds() - IRETZSK.total_seconds()
+)
+OFFSETS["step6-p"] = OFFSETS["step5-p"] - int(KEYTTLPROP.total_seconds())
+OFFSETS["step6-s"] = OFFSETS["step5-s"] - int(KEYTTLPROP.total_seconds())
+OFFSETS["step7-p"] = OFFSETS["step6-p"] - int(timedelta(days=90).total_seconds())
+OFFSETS["step7-s"] = OFFSETS["step6-s"] - int(timedelta(days=90).total_seconds())
+
+
+def test_csk_roll2_step1(alg, size, servers):
+    step = {
+        # Introduce the first key. This will immediately be active.
+        "zone": "step1.csk-roll2.autosign",
+        "cdss": CDSS,
+        "keyprops": [
+            f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
+        ],
+        # Next key event is when the successor CSK needs to be published
+        # minus time already elapsed. This is Lcsk - Ipub + Dreg (we ignore
+        # registration delay).
+        "nextev": CSK_LIFETIME - IPUB - TIMEDELTA["P7D"],
+    }
+    isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+
+
+def test_csk_roll2_step2(alg, size, servers):
+    step = {
+        # Successor CSK is prepublished (signs DNSKEY RRset, but not yet
+        # other RRsets).
+        # CSK1 goal: omnipresent -> hidden
+        # CSK2 goal: hidden -> omnipresent
+        # CSK2 dnskey: hidden -> rumoured
+        # CSK2 krrsig: hidden -> rumoured
+        "zone": "step2.csk-roll2.autosign",
+        "cdss": CDSS,
+        "keyprops": [
+            f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
+            f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:hidden ds:hidden offset:{OFFSETS['step2-s']}",
+        ],
+        "keyrelationships": [0, 1],
+        # Next key event is when the successor CSK becomes OMNIPRESENT.
+        "nextev": IPUB,
+    }
+    isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+
+
+def test_csk_roll2_step3(alg, size, servers):
+    step = {
+        # Successor CSK becomes omnipresent, meaning we can start signing
+        # the remainder of the zone with the successor CSK, and we can
+        # submit the DS.
+        "zone": "step3.csk-roll2.autosign",
+        "cdss": CDSS,
+        # Predecessor CSK will be removed, so moving to UNRETENTIVE.
+        # CSK1 zrrsig: omnipresent -> unretentive
+        # Successor CSK DNSKEY is OMNIPRESENT, so moving ZRRSIG to RUMOURED.
+        # CSK2 dnskey: rumoured -> omnipresent
+        # CSK2 krrsig: rumoured -> omnipresent
+        # CSK2 zrrsig: hidden -> rumoured
+        # The predecessor DS can be withdrawn and the successor DS can be
+        # introduced.
+        # CSK1 ds: omnipresent -> unretentive
+        # CSK2 ds: hidden -> rumoured
+        "keyprops": [
+            f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:unretentive ds:unretentive offset:{OFFSETS['step3-p']}",
+            f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:rumoured offset:{OFFSETS['step3-s']}",
+        ],
+        "keyrelationships": [0, 1],
+        # Next key event is when the predecessor DS has been replaced with
+        # the successor DS and enough time has passed such that the all
+        # validators that have this DS RRset cached only know about the
+        # successor DS.  This is the the retire interval.
+        "nextev": IRETZSK,
+        # Set 'smooth' to true so expected signatures of subdomain are
+        # from the predecessor ZSK.
+        "smooth": True,
+    }
+    isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+
+
+def test_csk_roll2_step4(alg, size, servers):
+    step = {
+        "zone": "step4.csk-roll2.autosign",
+        "cdss": CDSS,
+        # The predecessor ZRRSIG is HIDDEN. The successor ZRRSIG is
+        # OMNIPRESENT.
+        # CSK1 zrrsig: unretentive -> hidden
+        # CSK2 zrrsig: rumoured -> omnipresent
+        "keyprops": [
+            f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:unretentive offset:{OFFSETS['step4-p']}",
+            f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{OFFSETS['step4-s']}",
+        ],
+        "keyrelationships": [0, 1],
+        # Next key event is when the predecessor DS has been replaced with
+        # the successor DS and enough time has passed such that the all
+        # validators that have this DS RRset cached only know about the
+        # successor DS. This is the retire interval of the KSK part (minus)
+        # time already elapsed).
+        "nextev": IRET - IRETZSK,
+        # We already swapped the DS in the previous step, so disable ds-swap.
+        "ds-swap": False,
+    }
+    isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+
+
+def test_csk_roll2_step5(alg, size, servers):
+    step = {
+        "zone": "step5.csk-roll2.autosign",
+        "cdss": CDSS,
+        # The predecessor DNSKEY can be removed.
+        # CSK1 dnskey: omnipresent -> unretentive
+        # CSK1 krrsig: omnipresent -> unretentive
+        # CSK1 ds: unretentive -> hidden
+        # The successor key is now fully OMNIPRESENT.
+        # CSK2 ds: rumoured -> omnipresent
+        "keyprops": [
+            f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:hidden ds:hidden offset:{OFFSETS['step5-p']}",
+            f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-s']}",
+        ],
+        "keyrelationships": [0, 1],
+        # Next key event is when the DNSKEY enters the HIDDEN state.
+        # This is the DNSKEY TTL plus zone propagation delay.
+        "nextev": KEYTTLPROP,
+    }
+    isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+
+
+def test_csk_roll2_step6(alg, size, servers):
+    step = {
+        "zone": "step6.csk-roll2.autosign",
+        "cdss": CDSS,
+        # The predecessor CSK is now completely HIDDEN.
+        # CSK1 dnskey: unretentive -> hidden
+        # CSK1 krrsig: unretentive -> hidden
+        "keyprops": [
+            f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step6-p']}",
+            f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-s']}",
+        ],
+        "keyrelationships": [0, 1],
+        # Next key event is when the new successor needs to be published.
+        # This is the Lcsk, minus time passed since the key was published.
+        "nextev": CSK_LIFETIME - IRET - IPUB - KEYTTLPROP,
+    }
+    isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+
+
+def test_csk_roll2_step7(alg, size, servers):
+    step = {
+        "zone": "step7.csk-roll2.autosign",
+        "cdss": CDSS,
+        # The predecessor CSK is now completely HIDDEN.
+        "keyprops": [
+            f"csk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{OFFSETS['step7-p']}",
+            f"csk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{OFFSETS['step7-s']}",
+        ],
+        "keyrelationships": [0, 1],
+        "nextev": None,
+    }
+    isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
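Review bot: `"nextev": IRET - IRETZSK` in test_csk_roll2_step4 names a different interval than the offsets it is checked against: OFFSETS["step5-p"] and OFFSETS["step5-s"] at module level are derived from `IRETKSK - IRETZSK`, so one quantity is spelled two ways in the same file. Under this CONFIG, IRET (zsk and ksk) presumably equals IRETKSK, since the KSK retire interval (parent-propagation-delay + ds-ttl + retire-safety per the setup.sh comments) dominates the ZSK one, so `"nextev": IRETKSK - IRETZSK,` would keep behaviour while matching the comment right above it ("the retire interval of the KSK part"). The same consideration applies to step 6's `CSK_LIFETIME - IRET - IPUB - KEYTTLPROP`. Two comment nits in the same hunk: step 3 reads "This is the the retire interval", and step 4's "(minus) time already elapsed)" has an unbalanced parenthesis.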
index a597b8d49f19d9a6fd58bf5ae5a1078b2947bba6..25f428a0b7d028db50ad2972230a7b8121e5d942 100644 (file)
@@ -47,6 +47,7 @@ TIMEDELTA = {
     "PT1H": timedelta(hours=1),
     "PT2H": timedelta(hours=2),
     "PT6H": timedelta(hours=6),
+    "PT12H": timedelta(hours=12),
     "P1D": timedelta(days=1),
     "P5D": timedelta(days=5),
     "P7D": timedelta(days=7),
index e3ed534a519569eb88aeabe593412cb80ea84599..4a78c5b83f55eba41495a1fb150e6a5efc250753 100644 (file)
@@ -112,25 +112,3 @@ dnssec-policy "csk-roll1" {
        parent-ds-ttl 1h;
        parent-propagation-delay 1h;
 };
-
-dnssec-policy "csk-roll2" {
-       signatures-refresh 12h;
-       signatures-validity P1D;
-       signatures-validity-dnskey P1D;
-
-       dnskey-ttl 1h;
-       publish-safety PT1H;
-       retire-safety 1h;
-       purge-keys 0;
-
-       cds-digest-types { "sha-256"; "sha-384"; }; // use two digest type for testing purposes
-       keys {
-               csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
-       };
-
-       zone-propagation-delay PT1H;
-       max-zone-ttl 1d;
-
-       parent-ds-ttl PT1H;
-       parent-propagation-delay P1W;
-};
index 6f589fe22a1c2a07527f97f9c140e01fef01f2b9..6dc2383cce18669005cdec0385d15a67bb44e900 100644 (file)
@@ -189,39 +189,3 @@ zone "step8.csk-roll1.autosign" {
        file "step8.csk-roll1.autosign.db";
        dnssec-policy "csk-roll1";
 };
-
-zone "step1.csk-roll2.autosign" {
-       type primary;
-       file "step1.csk-roll2.autosign.db";
-       dnssec-policy "csk-roll2";
-};
-zone "step2.csk-roll2.autosign" {
-       type primary;
-       file "step2.csk-roll2.autosign.db";
-       dnssec-policy "csk-roll2";
-};
-zone "step3.csk-roll2.autosign" {
-       type primary;
-       file "step3.csk-roll2.autosign.db";
-       dnssec-policy "csk-roll2";
-};
-zone "step4.csk-roll2.autosign" {
-       type primary;
-       file "step4.csk-roll2.autosign.db";
-       dnssec-policy "csk-roll2";
-};
-zone "step5.csk-roll2.autosign" {
-       type primary;
-       file "step5.csk-roll2.autosign.db";
-       dnssec-policy "csk-roll2";
-};
-zone "step6.csk-roll2.autosign" {
-       type primary;
-       file "step6.csk-roll2.autosign.db";
-       dnssec-policy "csk-roll2";
-};
-zone "step7.csk-roll2.autosign" {
-       type primary;
-       file "step7.csk-roll2.autosign.db";
-       dnssec-policy "csk-roll2";
-};
index a2454b6bf5755206b784eed71791059036beb94a..bcb74bcbf144ac93bf5f1e3972aeae86e7fd798c 100644 (file)
@@ -830,262 +830,3 @@ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
 $SIGNER -S -z -x -G "cdnskey,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-#
-# The zones at csk-roll2.autosign represent the various steps of a CSK rollover
-# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
-# This scenario differs from the above one because the zone signatures (ZRRSIG)
-# are replaced with the new key sooner than the DS is swapped.
-#
-
-# Step 1:
-# Introduce the first key. This will immediately be active.
-setup step1.csk-roll2.autosign
-TactN="now-7d"
-keytimes="-P ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 2:
-# It is time to introduce the new CSK.
-setup step2.csk-roll2.autosign
-# According to RFC 7583:
-# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC
-# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
-# IpubC = DprpC + TTLkey (+publish-safety)
-# Ipub  = IpubC
-# Lcsk = Lksk = Lzsk
-#
-# Lcsk:           6mo (186d, 4464h)
-# Dreg:           N/A
-# DprpC:          1h
-# TTLkey:         1h
-# publish-safety: 1h
-# Ipub:           3h
-#
-# Tact(N)  = now - Lcsk + Ipub = now - 186d + 3h
-#          = now - 4464h + 3h = now - 4461h
-TactN="now-4461h"
-keytimes="-P ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 3:
-# It is time to submit the DS and to roll signatures.
-setup step3.csk-roll2.autosign
-# According to RFC 7583:
-#
-# Tsbm(N+1) >= Trdy(N+1)
-# KSK: Tact(N+1) = Tsbm(N+1)
-# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
-# KSK: Iret  = DprpP + TTLds (+retire-safety)
-# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
-#
-# Lcsk:           186d
-# Dprp:           1h
-# DprpP:          1w
-# Dreg:           N/A
-# Dsgn:           12h
-# TTLds:          1h
-# TTLsig:         1d
-# retire-safety:  1h
-# Iret:           170h
-# IretZ:          38h
-# Ipub:           3h
-#
-# Tpub(N)   = now - Lcsk = now - 186d
-# Tact(N)   = now - Lcsk + Dprp + TTLsig = now - 4439h
-# Tret(N)   = now
-# Trem(N)   = now + Iret = now + 170h
-# Tpub(N+1) = now - Ipub = now - 3h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now + Lcsk = now + 186d
-# Trem(N+1) = now + Lcsk + Iret = now + 186d + 170h =
-#           = now + 4464h + 170h = now + 4634h
-TpubN="now-186d"
-TactN="now-4439h"
-TretN="now"
-TremN="now+170h"
-TpubN1="now-3h"
-TactN1="${TretN}"
-TretN1="now+186d"
-TremN1="now+4634h"
-keytimes="-P ${TpubN}  -P sync ${TactN}  -A ${TpubN}  -I ${TretN}  -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Set key rollover relationship.
-key_successor $CSK1 $CSK2
-# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 4:
-# Some time later all the ZRRSIG records should be from the new CSK, and the
-# DS should be swapped.  The ZRRSIG records are all replaced after IretZ (38h).
-# The DS is swapped after Dreg + Iret (1w3h). In other words, the zone
-# signatures are replaced before the DS is swapped.
-setup step4.csk-roll2.autosign
-# According to RFC 7583:
-# Trem(N)    = Tret(N) + IretZ
-#
-# Lcsk:   186d
-# Dreg:   N/A
-# Iret:   170h
-# IretZ:  38h
-#
-# Tpub(N)    = now - IretZ - Lcsk = now - 38h - 186d
-#            = now - 38h - 4464h = now - 4502h
-# Tact(N)    = now - Iret - Lcsk + TTLsig = now - 4502h + 25h = now - 4477h
-# Tret(N)    = now - IretZ = now - 38h
-# Trem(N)    = now - IretZ + Iret = now - 38h + 170h = now + 132h
-# Tpub(N+1)  = now - IretZ - IpubC = now - 38h - 3h = now - 41h
-# Tact(N+1)  = Tret(N)
-# Tret(N+1)  = now - IretZ + Lcsk = now - 38h + 186d
-#            = now + 4426h
-# Trem(N+1)  = now - IretZ + Lcsk + Iret
-#            = now + 4426h + 3h = now + 4429h
-TpubN="now-4502h"
-TactN="now-4477h"
-TretN="now-38h"
-TremN="now+132h"
-TpubN1="now-41h"
-TactN1="${TretN}"
-TretN1="now+4426h"
-TremN1="now+4429h"
-keytimes="-P ${TpubN}  -P sync ${TactN}  -A ${TpubN}  -I ${TretN}  -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TactN1 -d $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Set key rollover relationship.
-key_successor $CSK1 $CSK2
-# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 5:
-# Some time later the DS can be swapped and the old DNSKEY can be removed from
-# the zone.
-setup step5.csk-roll2.autosign
-# Subtract Iret (170h) - IretZ (38h) = 132h.
-#
-# Tpub(N)   = now - 4502h - 132h = now - 4634h
-# Tact(N)   = now - 4477h - 132h = now - 4609h
-# Tret(N)   = now - 38h - 132h = now - 170h
-# Trem(N)   = now + 132h - 132h = now
-# Tpub(N+1) = now - 41h - 132h = now - 173h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now + 4426h - 132h = now + 4294h
-# Trem(N+1) = now + 4492h - 132h = now + 4360h
-TpubN="now-4634h"
-TactN="now-4609h"
-TretN="now-170h"
-TremN="now"
-TpubN1="now-173h"
-TactN1="${TretN}"
-TretN1="now+4294h"
-TremN1="now+4360h"
-keytimes="-P ${TpubN}  -P sync ${TactN}  -A ${TpubN}  -I ${TretN}  -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O now-133h -d $R $TactN1 -P ds $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
-# Set key rollover relationship.
-key_successor $CSK1 $CSK2
-# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 6:
-# Some time later the predecessor DNSKEY enters the HIDDEN state.
-setup step6.csk-roll2.autosign
-# Subtract DNSKEY TTL plus zone propagation delay (2h).
-#
-# Tpub(N)   = now - 4634h - 2h = now - 4636h
-# Tact(N)   = now - 4609h - 2h = now - 4611h
-# Tret(N)   = now - 170h - 2h = now - 172h
-# Trem(N)   = now - 2h
-# Tpub(N+1) = now - 173h - 2h = now - 175h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now + 4294h - 2h = now + 4292h
-# Trem(N+1) = now + 4360h - 2h = now + 4358h
-TpubN="now-4636h"
-TactN="now-4611h"
-TretN="now-172h"
-TremN="now-2h"
-TpubN1="now-175h"
-TactN1="${TretN}"
-TretN1="now+4292h"
-TremN1="now+4358h"
-keytimes="-P ${TpubN}  -P sync ${TactN}  -A ${TpubN}  -I ${TretN}  -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
-# Set key rollover relationship.
-key_successor $CSK1 $CSK2
-# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 7:
-# The predecessor DNSKEY can be purged, but purge-keys is disabled.
-setup step7.csk-roll2.autosign
-# Subtract 90 days (default, 2160h) from all the times.
-#
-# Tpub(N)   = now - 4636h - 2160h = now - 6796h
-# Tact(N)   = now - 4611h - 2160h = now - 6771h
-# Tret(N)   = now - 172h - 2160h = now - 2332h
-# Trem(N)   = now - 2h - 2160h = now - 2162h
-# Tpub(N+1) = now - 175h - 2160h = now - 2335h
-# Tact(N+1) = Tret(N)
-# Tret(N+1) = now + 4292h - 2160h = now + 2132h
-# Trem(N+1) = now + 4358h - 2160h = now + 2198h
-TpubN="now-6796h"
-TactN="now-6771h"
-TretN="now-2332h"
-TremN="now-2162h"
-TpubN1="now-2335h"
-TactN1="${TretN}"
-TretN1="now+2132h"
-TremN1="now+2198h"
-keytimes="-P ${TpubN}  -P sync ${TactN}  -A ${TpubN}  -I ${TretN}  -D ${TremN} -D sync ${TactN1}"
-newtimes="-P ${TpubN1} -P sync ${TactN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l kasp.conf $keytimes $zone 2>keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l kasp.conf $newtimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
-# Set key rollover relationship.
-key_successor $CSK1 $CSK2
-# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -z -x -G "cdnskey,cds:sha-256,cds:sha-384" -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
index 100e8121cfb996b7f409a9e29f9cf8a800b18c21..8c37f610261dfb5f0e45d6645bbb551bb215df75 100644 (file)
@@ -938,187 +938,4 @@ def test_rollover_csk_roll1(servers):
     ]
 
     for step in steps:
-        isctest.kasp.check_rollover_step(server, config, policy, step)
-
-
-def test_rollover_csk_roll2(servers):
-    server = servers["ns3"]
-    policy = "csk-roll2"
-    cdss = ["CDNSKEY", "CDS (SHA-256)", "CDS (SHA-384)"]
-    config = {
-        "dnskey-ttl": timedelta(hours=1),
-        "ds-ttl": timedelta(seconds=3600),
-        "max-zone-ttl": timedelta(days=1),
-        "parent-propagation-delay": timedelta(days=7),
-        "publish-safety": timedelta(hours=1),
-        "purge-keys": timedelta(0),
-        "retire-safety": timedelta(hours=1),
-        "signatures-refresh": timedelta(hours=12),
-        "signatures-validity": timedelta(days=1),
-        "zone-propagation-delay": timedelta(hours=1),
-    }
-    alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
-    size = os.environ["DEFAULT_BITS"]
-    csk_lifetime = timedelta(days=31 * 6)
-    lifetime_policy = int(csk_lifetime.total_seconds())
-
-    ipub = Ipub(config)
-    iret = Iret(config, zsk=True, ksk=True)
-    iretZSK = Iret(config)
-    iretKSK = Iret(config, ksk=True)
-    keyttlprop = config["dnskey-ttl"] + config["zone-propagation-delay"]
-    offsets = {}
-    offsets["step1-p"] = -int(timedelta(days=7).total_seconds())
-    offsets["step2-p"] = -int(csk_lifetime.total_seconds() - ipub.total_seconds())
-    offsets["step2-s"] = 0
-    offsets["step3-p"] = -int(csk_lifetime.total_seconds())
-    offsets["step3-s"] = -int(ipub.total_seconds())
-    offsets["step4-p"] = offsets["step3-p"] - int(iretZSK.total_seconds())
-    offsets["step4-s"] = offsets["step3-s"] - int(iretZSK.total_seconds())
-    offsets["step5-p"] = offsets["step4-p"] - int(
-        iretKSK.total_seconds() - iretZSK.total_seconds()
-    )
-    offsets["step5-s"] = offsets["step4-s"] - int(
-        iretKSK.total_seconds() - iretZSK.total_seconds()
-    )
-    offsets["step6-p"] = offsets["step5-p"] - int(keyttlprop.total_seconds())
-    offsets["step6-s"] = offsets["step5-s"] - int(keyttlprop.total_seconds())
-    offsets["step7-p"] = offsets["step6-p"] - int(timedelta(days=90).total_seconds())
-    offsets["step7-s"] = offsets["step6-s"] - int(timedelta(days=90).total_seconds())
-
-    steps = [
-        {
-            # Step 1.
-            # Introduce the first key. This will immediately be active.
-            "zone": "step1.csk-roll2.autosign",
-            "cdss": cdss,
-            "keyprops": [
-                f"csk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step1-p']}",
-            ],
-            # Next key event is when the successor CSK needs to be published
-            # minus time already elapsed. This is Lcsk - Ipub + Dreg (we ignore
-            # registration delay).
-            "nextev": csk_lifetime - ipub - timedelta(days=7),
-        },
-        {
-            # Step 2.
-            # Successor CSK is prepublished (signs DNSKEY RRset, but not yet
-            # other RRsets).
-            # CSK1 goal: omnipresent -> hidden
-            # CSK2 goal: hidden -> omnipresent
-            # CSK2 dnskey: hidden -> rumoured
-            # CSK2 krrsig: hidden -> rumoured
-            "zone": "step2.csk-roll2.autosign",
-            "cdss": cdss,
-            "keyprops": [
-                f"csk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step2-p']}",
-                f"csk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:rumoured krrsig:rumoured zrrsig:hidden ds:hidden offset:{offsets['step2-s']}",
-            ],
-            "keyrelationships": [0, 1],
-            # Next key event is when the successor CSK becomes OMNIPRESENT.
-            "nextev": ipub,
-        },
-        {
-            # Step 3.
-            # Successor CSK becomes omnipresent, meaning we can start signing
-            # the remainder of the zone with the successor CSK, and we can
-            # submit the DS.
-            "zone": "step3.csk-roll2.autosign",
-            "cdss": cdss,
-            # Predecessor CSK will be removed, so moving to UNRETENTIVE.
-            # CSK1 zrrsig: omnipresent -> unretentive
-            # Successor CSK DNSKEY is OMNIPRESENT, so moving ZRRSIG to RUMOURED.
-            # CSK2 dnskey: rumoured -> omnipresent
-            # CSK2 krrsig: rumoured -> omnipresent
-            # CSK2 zrrsig: hidden -> rumoured
-            # The predecessor DS can be withdrawn and the successor DS can be
-            # introduced.
-            # CSK1 ds: omnipresent -> unretentive
-            # CSK2 ds: hidden -> rumoured
-            "keyprops": [
-                f"csk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:unretentive ds:unretentive offset:{offsets['step3-p']}",
-                f"csk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:rumoured ds:rumoured offset:{offsets['step3-s']}",
-            ],
-            "keyrelationships": [0, 1],
-            # Next key event is when the predecessor DS has been replaced with
-            # the successor DS and enough time has passed such that the all
-            # validators that have this DS RRset cached only know about the
-            # successor DS.  This is the the retire interval.
-            "nextev": iretZSK,
-            # Set 'smooth' to true so expected signatures of subdomain are
-            # from the predecessor ZSK.
-            "smooth": True,
-        },
-        {
-            # Step 4.
-            "zone": "step4.csk-roll2.autosign",
-            "cdss": cdss,
-            # The predecessor ZRRSIG is HIDDEN. The successor ZRRSIG is
-            # OMNIPRESENT.
-            # CSK1 zrrsig: unretentive -> hidden
-            # CSK2 zrrsig: rumoured -> omnipresent
-            "keyprops": [
-                f"csk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent krrsig:omnipresent zrrsig:hidden ds:unretentive offset:{offsets['step4-p']}",
-                f"csk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:rumoured offset:{offsets['step4-s']}",
-            ],
-            "keyrelationships": [0, 1],
-            # Next key event is when the predecessor DS has been replaced with
-            # the successor DS and enough time has passed such that the all
-            # validators that have this DS RRset cached only know about the
-            # successor DS. This is the retire interval of the KSK part (minus)
-            # time already elapsed).
-            "nextev": iret - iretZSK,
-            # We already swapped the DS in the previous step, so disable ds-swap.
-            "ds-swap": False,
-        },
-        {
-            # Step 5.
-            "zone": "step5.csk-roll2.autosign",
-            "cdss": cdss,
-            # The predecessor DNSKEY can be removed.
-            # CSK1 dnskey: omnipresent -> unretentive
-            # CSK1 krrsig: omnipresent -> unretentive
-            # CSK1 ds: unretentive -> hidden
-            # The successor key is now fully OMNIPRESENT.
-            # CSK2 ds: rumoured -> omnipresent
-            "keyprops": [
-                f"csk {lifetime_policy} {alg} {size} goal:hidden dnskey:unretentive krrsig:unretentive zrrsig:hidden ds:hidden offset:{offsets['step5-p']}",
-                f"csk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step5-s']}",
-            ],
-            "keyrelationships": [0, 1],
-            # Next key event is when the DNSKEY enters the HIDDEN state.
-            # This is the DNSKEY TTL plus zone propagation delay.
-            "nextev": keyttlprop,
-        },
-        {
-            # Step 6.
-            "zone": "step6.csk-roll2.autosign",
-            "cdss": cdss,
-            # The predecessor CSK is now completely HIDDEN.
-            # CSK1 dnskey: unretentive -> hidden
-            # CSK1 krrsig: unretentive -> hidden
-            "keyprops": [
-                f"csk {lifetime_policy} {alg} {size} goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{offsets['step6-p']}",
-                f"csk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step6-s']}",
-            ],
-            "keyrelationships": [0, 1],
-            # Next key event is when the new successor needs to be published.
-            # This is the Lcsk, minus time passed since the key was published.
-            "nextev": csk_lifetime - iret - ipub - keyttlprop,
-        },
-        {
-            # Step 7.
-            "zone": "step7.csk-roll2.autosign",
-            "cdss": cdss,
-            # The predecessor CSK is now completely HIDDEN.
-            "keyprops": [
-                f"csk {lifetime_policy} {alg} {size} goal:hidden dnskey:hidden krrsig:hidden zrrsig:hidden ds:hidden offset:{offsets['step7-p']}",
-                f"csk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent zrrsig:omnipresent ds:omnipresent offset:{offsets['step7-s']}",
-            ],
-            "keyrelationships": [0, 1],
-            "nextev": None,
-        },
-    ]
-
-    for step in steps:
-        isctest.kasp.check_rollover_step(server, config, policy, step)
+        sctest.kasp.check_rollover_step(server, config, policy, step)
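Review bot: The replacement line at the end of the hunk calls `sctest.kasp.check_rollover_step(...)`, while the line it replaces (and the csk-roll2 loop removed just above it) use `isctest`; unless `sctest` is bound somewhere else in the file, the first iteration of the step loop raises `NameError` and test_rollover_csk_roll1 fails before any of its rollover-step assertions run. This line should not have changed at all in a commit that only moves the csk-roll2 case out of this file, so the intended content is presumably the original `isctest.kasp.check_rollover_step(server, config, policy, step)`. It is worth confirming the test module still imports only `isctest` after the csk-roll2 removal, so the name resolves. The enclosing function test_rollover_csk_roll1 begins outside the hunk.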