# dnssec-keygen
#
set_zone "kasp"
-set_policy "kasp" "4" "200"
+set_policy "kasp" "4" "200" "2"
set_server "keys" "10.53.0.1"
n=$((n+1))
echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
ret=0
set_zone "kasp"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
set_server "." "10.53.0.1"
# Key properties.
set_keyrole "KEY1" "csk"
# Check the zone with default kasp policy has loaded and is signed.
set_zone "default.kasp"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyrole "KEY1" "csk"
#
set_zone "dynamic.kasp"
set_dynamic
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
check_keys
#
set_zone "dynamic-inline-signing.kasp"
set_dynamic
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
check_keys
# Zone: inline-signing.kasp
#
set_zone "inline-signing.kasp"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
check_keys
key_clear "KEY4"
set_zone "checkds-ksk.kasp"
-set_policy "checkds-ksk" "2" "303"
+set_policy "checkds-ksk" "2" "303" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyrole "KEY1" "ksk"
key_clear "KEY4"
set_zone "checkds-doubleksk.kasp"
-set_policy "checkds-doubleksk" "3" "303"
+set_policy "checkds-doubleksk" "3" "303" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyrole "KEY1" "ksk"
key_clear "KEY4"
set_zone "checkds-csk.kasp"
-set_policy "checkds-csk" "1" "303"
+set_policy "checkds-csk" "1" "303" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyrole "KEY1" "csk"
if $SHELL ../testcrypto.sh -q RSASHA1
then
set_zone "rsasha1.kasp"
- set_policy "rsasha1" "3" "1234"
+ set_policy "rsasha1" "3" "1234" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
# Zone: unsigned.kasp.
#
set_zone "unsigned.kasp"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
set_server "ns3" "10.53.0.3"
key_clear "KEY1"
# Zone: insecure.kasp.
#
set_zone "insecure.kasp"
-set_policy "insecure" "0" "0"
+set_policy "insecure" "0" "0" "0"
set_server "ns3" "10.53.0.3"
key_clear "KEY1"
# Zone: unlimited.kasp.
#
set_zone "unlimited.kasp"
-set_policy "unlimited" "1" "1234"
+set_policy "unlimited" "1" "1234" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyrole "KEY1" "csk"
# Zone: inherit.kasp.
#
set_zone "inherit.kasp"
-set_policy "rsasha256" "3" "1234"
+set_policy "rsasha256" "3" "1234" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
# Zone: dnssec-keygen.kasp.
#
set_zone "dnssec-keygen.kasp"
-set_policy "rsasha256" "3" "1234"
+set_policy "rsasha256" "3" "1234" "2"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
# Zone: some-keys.kasp.
#
set_zone "some-keys.kasp"
-set_policy "rsasha256" "3" "1234"
+set_policy "rsasha256" "3" "1234" "2"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
# There are more pregenerated keys than needed, hence the number of keys is
# six, not three.
set_zone "pregenerated.kasp"
-set_policy "rsasha256" "6" "1234"
+set_policy "rsasha256" "6" "1234" "2"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
#
# There are three keys in rumoured state.
set_zone "rumoured.kasp"
-set_policy "rsasha256" "3" "1234"
+set_policy "rsasha256" "3" "1234" "2"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
# Zone: secondary.kasp.
#
set_zone "secondary.kasp"
-set_policy "rsasha256" "3" "1234"
+set_policy "rsasha256" "3" "1234" "2"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
if $SHELL ../testcrypto.sh -q RSASHA1
then
set_zone "rsasha1-nsec3.kasp"
- set_policy "rsasha1-nsec3" "3" "1234"
+ set_policy "rsasha1-nsec3" "3" "1234" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
# Zone: rsasha256.kasp.
#
set_zone "rsasha256.kasp"
-set_policy "rsasha256" "3" "1234"
+set_policy "rsasha256" "3" "1234" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
# Zone: rsasha512.kasp.
#
set_zone "rsasha512.kasp"
-set_policy "rsasha512" "3" "1234"
+set_policy "rsasha512" "3" "1234" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "10" "RSASHA512" "2048"
# Zone: ecdsa256.kasp.
#
set_zone "ecdsa256.kasp"
-set_policy "ecdsa256" "3" "1234"
+set_policy "ecdsa256" "3" "1234" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
# Zone: ecdsa512.kasp.
#
set_zone "ecdsa384.kasp"
-set_policy "ecdsa384" "3" "1234"
+set_policy "ecdsa384" "3" "1234" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
#
if [ -f ed25519-supported.file ]; then
set_zone "ed25519.kasp"
- set_policy "ed25519" "3" "1234"
+ set_policy "ed25519" "3" "1234" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "15" "ED25519" "256"
#
if [ -f ed448-supported.file ]; then
set_zone "ed448.kasp"
- set_policy "ed448" "3" "1234"
+ set_policy "ed448" "3" "1234" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
set_keyalgorithm "KEY1" "16" "ED448" "456"
# Zone: expired-sigs.autosign.
#
set_zone "expired-sigs.autosign"
-set_policy "autosign" "2" "300"
+set_policy "autosign" "2" "300" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
# Zone: fresh-sigs.autosign.
#
set_zone "fresh-sigs.autosign"
-set_policy "autosign" "2" "300"
+set_policy "autosign" "2" "300" "2"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
# Zone: unfresh-sigs.autosign.
#
set_zone "unfresh-sigs.autosign"
-set_policy "autosign" "2" "300"
+set_policy "autosign" "2" "300" "2"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
# Zone: ksk-missing.autosign.
#
set_zone "ksk-missing.autosign"
-set_policy "autosign" "2" "300"
+set_policy "autosign" "2" "300" "2"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
# Skip checking the private file, because it is missing.
# Zone: zsk-missing.autosign.
#
set_zone "zsk-missing.autosign"
-set_policy "autosign" "2" "300"
+set_policy "autosign" "2" "300" "2"
set_server "ns3" "10.53.0.3"
# Key properties, timings and states same as above.
# Skip checking the private file, because it is missing.
# Zone: zsk-retired.autosign.
#
set_zone "zsk-retired.autosign"
-set_policy "autosign" "3" "300"
+set_policy "autosign" "3" "300" "2"
set_server "ns3" "10.53.0.3"
# The third key is not yet expected to be signing.
set_keyrole "KEY3" "zsk"
set_zone "legacy-keys.kasp"
# This zone has two active keys and two old keys left in key directory, so
# expect 4 key files.
-set_policy "migrate-to-dnssec-policy" "4" "1234"
+set_policy "migrate-to-dnssec-policy" "4" "1234" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY4"
set_zone "unsigned.tld"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
set_server "ns2" "10.53.0.2"
TSIG=""
check_keys
check_subdomain
set_zone "none.inherit.signed"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_subdomain
set_zone "none.override.signed"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_subdomain
set_zone "inherit.none.signed"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_subdomain
set_zone "none.none.signed"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_subdomain
set_zone "inherit.inherit.unsigned"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_subdomain
set_zone "none.inherit.unsigned"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
check_subdomain
set_zone "none.override.unsigned"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
check_subdomain
set_zone "inherit.none.unsigned"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
check_subdomain
set_zone "none.none.unsigned"
-set_policy "none" "0" "0"
+set_policy "none" "0" "0" "0"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
check_keys
set_keystate "KEY1" "STATE_DS" "hidden"
set_zone "signed.tld"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
set_server "ns2" "10.53.0.2"
TSIG=""
check_keys
dnssec_verify
set_zone "override.inherit.signed"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
dnssec_verify
set_zone "inherit.override.signed"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
dnssec_verify
set_zone "override.inherit.unsigned"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha1:sha1:$SHA1"
check_keys
dnssec_verify
set_zone "inherit.override.unsigned"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
check_keys
set_zonesigning "KEY1" "yes"
set_zone "inherit.inherit.signed"
-set_policy "test" "1" "3600"
+set_policy "test" "1" "3600" "2"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha1:sha1:$SHA1"
wait_for_nsec
dnssec_verify
set_zone "override.override.signed"
-set_policy "test" "1" "3600"
+set_policy "test" "1" "3600" "2"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha224:sha224:$SHA224"
wait_for_nsec
dnssec_verify
set_zone "override.none.signed"
-set_policy "test" "1" "3600"
+set_policy "test" "1" "3600" "2"
set_server "ns4" "10.53.0.4"
TSIG="hmac-sha256:sha256:$SHA256"
wait_for_nsec
dnssec_verify
set_zone "override.override.unsigned"
-set_policy "test" "1" "3600"
+set_policy "test" "1" "3600" "2"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha224:sha224:$SHA224"
wait_for_nsec
dnssec_verify
set_zone "override.none.unsigned"
-set_policy "test" "1" "3600"
+set_policy "test" "1" "3600" "2"
set_server "ns5" "10.53.0.5"
TSIG="hmac-sha256:sha256:$SHA256"
wait_for_nsec
# Testing RFC 8901 Multi-Signer Model 2.
#
set_zone "multisigner-model2.kasp"
-set_policy "multisigner-model2" "2" "3600"
+set_policy "multisigner-model2" "2" "3600" "2"
set_server "ns3" "10.53.0.3"
key_clear "KEY1"
key_clear "KEY2"
# Testing manual rollover.
#
set_zone "manual-rollover.kasp"
-set_policy "manual-rollover" "2" "3600"
+set_policy "manual-rollover" "2" "3600" "2"
set_server "ns3" "10.53.0.3"
key_clear "KEY1"
key_clear "KEY2"
dnssec_verify
# Schedule KSK rollover now.
-set_policy "manual-rollover" "3" "3600"
+set_policy "manual-rollover" "3" "3600" "2"
set_keystate "KEY1" "GOAL" "hidden"
# This key was activated one day ago, so lifetime is set to 1d plus
# prepublication duration (7500 seconds) = 93900 seconds.
dnssec_verify
# Schedule ZSK rollover now.
-set_policy "manual-rollover" "4" "3600"
+set_policy "manual-rollover" "4" "3600" "2"
set_keystate "KEY2" "GOAL" "hidden"
# This key was activated one day ago, so lifetime is set to 1d plus
# prepublication duration (7500 seconds) = 93900 seconds.
# Zone: step1.enable-dnssec.autosign.
#
set_zone "step1.enable-dnssec.autosign"
-set_policy "enable-dnssec" "1" "300"
+set_policy "enable-dnssec" "1" "300" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
# Zone: step2.enable-dnssec.autosign.
#
set_zone "step2.enable-dnssec.autosign"
-set_policy "enable-dnssec" "1" "300"
+set_policy "enable-dnssec" "1" "300" "2"
set_server "ns3" "10.53.0.3"
# The DNSKEY is omnipresent, but the zone signatures not yet.
# Thus, the DS remains hidden.
# Zone: step3.enable-dnssec.autosign.
#
set_zone "step3.enable-dnssec.autosign"
-set_policy "enable-dnssec" "1" "300"
+set_policy "enable-dnssec" "1" "300" "2"
set_server "ns3" "10.53.0.3"
# All signatures should be omnipresent, so the DS can be submitted.
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
# Zone: step4.enable-dnssec.autosign.
#
set_zone "step4.enable-dnssec.autosign"
-set_policy "enable-dnssec" "1" "300"
+set_policy "enable-dnssec" "1" "300" "2"
set_server "ns3" "10.53.0.3"
# The DS is omnipresent.
set_keystate "KEY1" "STATE_DS" "omnipresent"
# Zone: step1.zsk-prepub.autosign.
#
set_zone "step1.zsk-prepub.autosign"
-set_policy "zsk-prepub" "2" "3600"
+set_policy "zsk-prepub" "2" "3600" "2"
set_server "ns3" "10.53.0.3"
set_retired_removed() {
# Zone: step2.zsk-prepub.autosign.
#
set_zone "step2.zsk-prepub.autosign"
-set_policy "zsk-prepub" "3" "3600"
+set_policy "zsk-prepub" "3" "3600" "2"
set_server "ns3" "10.53.0.3"
# New ZSK (KEY3) is prepublished, but not yet signing.
key_clear "KEY3"
# Zone: step3.zsk-prepub.autosign.
#
set_zone "step3.zsk-prepub.autosign"
-set_policy "zsk-prepub" "3" "3600"
+set_policy "zsk-prepub" "3" "3600" "2"
set_server "ns3" "10.53.0.3"
# ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE.
# New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
# Zone: step4.zsk-prepub.autosign.
#
set_zone "step4.zsk-prepub.autosign"
-set_policy "zsk-prepub" "3" "3600"
+set_policy "zsk-prepub" "3" "3600" "2"
set_server "ns3" "10.53.0.3"
# ZSK (KEY2) DNSKEY is no longer needed.
# ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
# Zone: step5.zsk-prepub.autosign.
#
set_zone "step5.zsk-prepub.autosign"
-set_policy "zsk-prepub" "3" "3600"
+set_policy "zsk-prepub" "3" "3600" "2"
set_server "ns3" "10.53.0.3"
# ZSK (KEY2) DNSKEY is now completely HIDDEN and removed.
set_keystate "KEY2" "STATE_DNSKEY" "hidden"
# Zone: step6.zsk-prepub.autosign.
#
set_zone "step6.zsk-prepub.autosign"
-set_policy "zsk-prepub" "2" "3600"
+set_policy "zsk-prepub" "2" "3600" "2"
set_server "ns3" "10.53.0.3"
# ZSK (KEY2) DNSKEY is purged.
key_clear "KEY2"
# Zone: step1.ksk-doubleksk.autosign.
#
set_zone "step1.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "2" "7200"
+set_policy "ksk-doubleksk" "2" "7200" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
# Zone: step2.ksk-doubleksk.autosign.
#
set_zone "step2.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "3" "7200"
+set_policy "ksk-doubleksk" "3" "7200" "2"
set_server "ns3" "10.53.0.3"
# New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
key_clear "KEY3"
# Zone: step3.ksk-doubleksk.autosign.
#
set_zone "step3.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "3" "7200"
+set_policy "ksk-doubleksk" "3" "7200" "2"
set_server "ns3" "10.53.0.3"
# The DNSKEY RRset has become omnipresent.
# Zone: step4.ksk-doubleksk.autosign.
#
set_zone "step4.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "3" "7200"
+set_policy "ksk-doubleksk" "3" "7200" "2"
set_server "ns3" "10.53.0.3"
# KSK (KEY1) DNSKEY can be removed.
set_keysigning "KEY1" "no"
# Zone: step5.ksk-doubleksk.autosign.
#
set_zone "step5.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "3" "7200"
+set_policy "ksk-doubleksk" "3" "7200" "2"
set_server "ns3" "10.53.0.3"
# KSK (KEY1) DNSKEY is now HIDDEN.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
# Zone: step6.ksk-doubleksk.autosign.
#
set_zone "step6.ksk-doubleksk.autosign"
-set_policy "ksk-doubleksk" "2" "7200"
+set_policy "ksk-doubleksk" "2" "7200" "2"
set_server "ns3" "10.53.0.3"
# KSK (KEY1) DNSKEY is purged.
key_clear "KEY1"
# Zone: step1.csk-roll.autosign.
#
set_zone "step1.csk-roll.autosign"
-set_policy "csk-roll" "1" "3600"
+set_policy "csk-roll" "1" "3600" "2"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
# Zone: step2.csk-roll.autosign.
#
set_zone "step2.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600"
+set_policy "csk-roll" "2" "3600" "2"
set_server "ns3" "10.53.0.3"
# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
key_clear "KEY2"
# Zone: step3.csk-roll.autosign.
#
set_zone "step3.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600"
+set_policy "csk-roll" "2" "3600" "2"
set_server "ns3" "10.53.0.3"
# Swap zone signing role.
set_zonesigning "KEY1" "no"
# Zone: step4.csk-roll.autosign.
#
set_zone "step4.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600"
+set_policy "csk-roll" "2" "3600" "2"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) is no longer signing the DNSKEY RRset.
set_keysigning "KEY1" "no"
# Zone: step5.csk-roll.autosign.
#
set_zone "step5.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600"
+set_policy "csk-roll" "2" "3600" "2"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) KRRSIG records are now all hidden.
set_keystate "KEY1" "STATE_KRRSIG" "hidden"
# Zone: step6.csk-roll.autosign.
#
set_zone "step6.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600"
+set_policy "csk-roll" "2" "3600" "2"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) ZRRSIG records are now all hidden (so the DNSKEY can
# be removed).
# Zone: step7.csk-roll.autosign.
#
set_zone "step7.csk-roll.autosign"
-set_policy "csk-roll" "2" "3600"
+set_policy "csk-roll" "2" "3600" "2"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) is now completely HIDDEN.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
# Zone: step8.csk-roll.autosign.
#
set_zone "step8.csk-roll.autosign"
-set_policy "csk-roll" "1" "3600"
+set_policy "csk-roll" "1" "3600" "2"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) is purged.
key_clear "KEY1"
# Zone: step1.csk-roll2.autosign.
#
set_zone "step1.csk-roll2.autosign"
-set_policy "csk-roll2" "1" "3600"
+set_policy "csk-roll2" "1" "3600" "4"
set_server "ns3" "10.53.0.3"
# Key properties.
key_clear "KEY1"
# Zone: step2.csk-roll2.autosign.
#
set_zone "step2.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600"
+set_policy "csk-roll2" "2" "3600" "4"
set_server "ns3" "10.53.0.3"
# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
key_clear "KEY2"
# Zone: step3.csk-roll2.autosign.
#
set_zone "step3.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600"
+set_policy "csk-roll2" "2" "3600" "4"
set_server "ns3" "10.53.0.3"
# CSK (KEY1) can be removed, so move to UNRETENTIVE.
set_zonesigning "KEY1" "no"
# Zone: step4.csk-roll2.autosign.
#
set_zone "step4.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600"
+set_policy "csk-roll2" "2" "3600" "4"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) ZRRSIG is now HIDDEN.
set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
# Zone: step5.csk-roll2.autosign.
#
set_zone "step5.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600"
+set_policy "csk-roll2" "2" "3600" "4"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) DNSKEY can be removed.
set_keysigning "KEY1" "no"
# Zone: step6.csk-roll2.autosign.
#
set_zone "step6.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600"
+set_policy "csk-roll2" "2" "3600" "4"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) is now completely HIDDEN.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
# Zone: step7.csk-roll2.autosign.
#
set_zone "step7.csk-roll2.autosign"
-set_policy "csk-roll2" "2" "3600"
+set_policy "csk-roll2" "2" "3600" "4"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) could have been purged, but purge-keys is disabled.
# Test #2375: Scheduled rollovers are happening faster than they can finish
#
set_zone "step1.three-is-a-crowd.kasp"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
set_server "ns3" "10.53.0.3"
# TODO (GL #2471).
# Test dynamic zones that switch to inline-signing.
set_zone "dynamic2inline.kasp"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
set_server "ns6" "10.53.0.6"
# Key properties.
key_clear "KEY1"
# Zone: step1.algorithm-roll.kasp
#
set_zone "step1.algorithm-roll.kasp"
-set_policy "rsasha256" "2" "3600"
+set_policy "rsasha256" "2" "3600" "2"
set_server "ns6" "10.53.0.6"
# Key properties.
key_clear "KEY1"
# Zone: step1.csk-algorithm-roll.kasp
#
set_zone "step1.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "1" "3600"
+set_policy "csk-algoroll" "1" "3600" "2"
set_server "ns6" "10.53.0.6"
# Key properties.
key_clear "KEY1"
# Zone step1.going-insecure.kasp
#
set_zone "step1.going-insecure.kasp"
-set_policy "unsigning" "2" "7200"
+set_policy "unsigning" "2" "7200" "2"
set_server "ns6" "10.53.0.6"
# Policy parameters.
set_zone "step1.going-insecure-dynamic.kasp"
set_dynamic
-set_policy "unsigning" "2" "7200"
+set_policy "unsigning" "2" "7200" "2"
set_server "ns6" "10.53.0.6"
init_migration_insecure
# Zone step1.going-straight-to-none.kasp
#
set_zone "step1.going-straight-to-none.kasp"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
set_server "ns6" "10.53.0.6"
# Key properties.
set_keyrole "KEY1" "csk"
# Test dynamic zones that switch to inline-signing.
set_zone "dynamic2inline.kasp"
-set_policy "default" "1" "3600"
+set_policy "default" "1" "3600" "2"
set_server "ns6" "10.53.0.6"
# Key properties.
key_clear "KEY1"
# Zone: step1.going-insecure.kasp
#
set_zone "step1.going-insecure.kasp"
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "7200" "2"
set_server "ns6" "10.53.0.6"
# Expect a CDS/CDNSKEY Delete Record.
set_cdsdelete
# Zone: step2.going-insecure.kasp
#
set_zone "step2.going-insecure.kasp"
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "7200" "2"
set_server "ns6" "10.53.0.6"
# The DS is long enough removed from the zone to be considered HIDDEN.
#
set_zone "step1.going-insecure-dynamic.kasp"
set_dynamic
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "7200" "2"
set_server "ns6" "10.53.0.6"
# Expect a CDS/CDNSKEY Delete Record.
set_cdsdelete
#
set_zone "step2.going-insecure-dynamic.kasp"
set_dynamic
-set_policy "insecure" "2" "7200"
+set_policy "insecure" "2" "7200" "2"
set_server "ns6" "10.53.0.6"
# The DS is long enough removed from the zone to be considered HIDDEN.
# Zone: step1.going-straight-to-none.kasp
#
set_zone "step1.going-straight-to-none.kasp"
-set_policy "none" "1" "3600"
+set_policy "none" "1" "3600" "2"
set_server "ns6" "10.53.0.6"
# The zone will go bogus after signatures expire, but remains validly signed for now.
# Zone: step1.algorithm-roll.kasp
#
set_zone "step1.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
+set_policy "ecdsa256" "4" "3600" "2"
set_server "ns6" "10.53.0.6"
# Old RSASHA1 keys.
key_clear "KEY1"
# Zone: step2.algorithm-roll.kasp
#
set_zone "step2.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
+set_policy "ecdsa256" "4" "3600" "2"
set_server "ns6" "10.53.0.6"
# The RSAHSHA1 keys are outroducing, but need to stay present until the new
# algorithm chain of trust has been established. Thus the properties, timings
# Zone: step3.algorithm-roll.kasp
#
set_zone "step3.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
+set_policy "ecdsa256" "4" "3600" "2"
set_server "ns6" "10.53.0.6"
# The ECDSAP256SHA256 keys are introducing.
set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
# Zone: step4.algorithm-roll.kasp
#
set_zone "step4.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
+set_policy "ecdsa256" "4" "3600" "2"
set_server "ns6" "10.53.0.6"
# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
set_keysigning "KEY1" "no"
# Zone: step5.algorithm-roll.kasp
#
set_zone "step5.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
+set_policy "ecdsa256" "4" "3600" "2"
set_server "ns6" "10.53.0.6"
# The DNSKEY becomes HIDDEN.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
# Zone: step6.algorithm-roll.kasp
#
set_zone "step6.algorithm-roll.kasp"
-set_policy "ecdsa256" "4" "3600"
+set_policy "ecdsa256" "4" "3600" "2"
set_server "ns6" "10.53.0.6"
# The old zone signatures (KEY2) should now also be HIDDEN.
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
# Zone: step1.csk-algorithm-roll.kasp
#
set_zone "step1.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
+set_policy "csk-algoroll" "2" "3600" "2"
set_server "ns6" "10.53.0.6"
# Old RSASHA1 key.
key_clear "KEY1"
# Zone: step2.csk-algorithm-roll.kasp
#
set_zone "step2.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
+set_policy "csk-algoroll" "2" "3600" "2"
set_server "ns6" "10.53.0.6"
# The RSAHSHA1 key is outroducing, but need to stay present until the new
# algorithm chain of trust has been established. Thus the properties, timings
# Zone: step3.csk-algorithm-roll.kasp
#
set_zone "step3.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
+set_policy "csk-algoroll" "2" "3600" "2"
set_server "ns6" "10.53.0.6"
# The RSAHSHA1 key is outroducing, and it is time to swap the DS.
# The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures
# Zone: step4.csk-algorithm-roll.kasp
#
set_zone "step4.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
+set_policy "csk-algoroll" "2" "3600" "2"
set_server "ns6" "10.53.0.6"
# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
set_keysigning "KEY1" "no"
# Zone: step5.csk-algorithm-roll.kasp
#
set_zone "step5.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
+set_policy "csk-algoroll" "2" "3600" "2"
set_server "ns6" "10.53.0.6"
# The DNSKEY becomes HIDDEN.
set_keystate "KEY1" "STATE_DNSKEY" "hidden"
# Zone: step6.csk-algorithm-roll.kasp
#
set_zone "step6.csk-algorithm-roll.kasp"
-set_policy "csk-algoroll" "2" "3600"
+set_policy "csk-algoroll" "2" "3600" "2"
set_server "ns6" "10.53.0.6"
# The zone signatures should now also be HIDDEN.
set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
projects / thirdparty / bind9.git / commitdiff
