private_type_record $zone 13 $KSK2 >> "$infile"
private_type_record $zone 13 $ZSK >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+#
+# The zones at csk-roll.autosign represent the various steps of a CSK rollover
+# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.csk-roll.autosign
+CSK=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+TactN="now"
+$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN $CSK > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone 13 $CSK >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 2:
+# It is time to introduce the new CSK.
+setup step2.csk-roll.autosign
+CSK=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+# According to RFC 7583: ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
+# According to RFC 7583: KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
+# Also: Ipub = Dprp + TTLkey (+publish-safety)
+# Also: IpubC = DprpC + TTLkey (+publish-safety)
+# Both sums are almost the same, but the KSK case has Dreg in the equation.
+# so: Tact(N) = Tpub(N+1) - Lcsk + Dreg + IpubC = now - 6mo + 1d + 3h =
+# now - 4464h + 24h + 3h = now - 4437h
+TactN="now-4437h"
+$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN $CSK > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone 13 $CSK >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 3:
+# It is time to submit the DS and to roll signatures.
+setup step3.csk-roll.autosign
+CSK1=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+CSK2=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+# According to RFC 7583: Tsbm(N+1) >= Trdy(N+1)
+# Also: Tact(N+1) = Tsbm(N+1) + Dreg
+# so: Tact(N) = Tsbm(N+1) + Dreg - Lksk = now + 1d - 6mo = now - 185d
+# and: Tret(N) = Tsbm(N+1) + Dreg = now + 1d
+# and: Tpub(N+1) <= Tsbm(N+1) - IpubC = now - 3h
+# and: Tret(N+1) = Tsbm(N+1) + Dreg + Lksk = now + 1d + 6mo = now + 187d
+TactN="now-185d"
+TretN="now+1d"
+TpubN1="now-3h"
+TretN1="now+187d"
+$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN $CSK1 > settime.out.$zone.1 2>&1
+$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1
+$SETTIME -s -P $TpubN1 -A $TretN -I $TretN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 $CSK2 > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 13 $CSK1 >> "$infile"
+private_type_record $zone 13 $CSK2 >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 4:
+# Some time later all the ZRRSIG records should be from the new CSK, and the
+# DS should be swapped. The ZRRSIG records are all replaced after Iret
+# which is Dsgn + Dprp + TTLsig + retire-safety (25d + 1h + 1d + 2h = 26d3h).
+# The DS is swapped after Dreg + DprpP + TTLds + retire-safety
+# (1d + 1h + 1h + 2h = 1d4h). In other words, the DS is swapped before all
+# zone signatures are replaced.
+setup step4.csk-roll.autosign
+CSK1=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+CSK2=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+# According to RFC 7583: Tdea(N) = Tret(N) + Iret
+# Also: Iret = 1h + 1h + 2h = 4h
+# Also: Tact(N+1) = Tret(N)
+# so: Tact(N) = Tdea(N) - Lksk - Iret = now - 6mo - 4h = now - 4468h
+# and: Tret(N) = Tdea(N) - Iret = now - 4h = now - 4h
+# and: Tpub(N+1) = Tdea(N) - Iret - Dreg - IpubC = now - 4h - 1d - 3h = now - 31h
+# and: Tsbm(N+1) = Tdea(N) - Iret - Dreg = now - 4h - 1d = now - 28h
+# and: Tact(N+1) = Tret(N)
+# and: Tret(N+1) = Tdea(N) + Lksk - Iret = now + 6mo - 4h = now + 4460h
+TactN="now-4468h"
+TretN="now-4h"
+TpubN1="now-31h"
+TsbmN1="now-28h"
+TactN1="${TretN}"
+TretN1="now+4460h"
+$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 $CSK1 > settime.out.$zone.1 2>&1
+$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1
+$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 $CSK2 > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 13 $CSK1 >> "$infile"
+private_type_record $zone 13 $CSK2 >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 5:
+# After the DS is swapped in step 4, also the KRRSIG records can be removed.
+# At this time these have all become hidden.
+setup step5.csk-roll.autosign
+CSK1=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+CSK2=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+# Substract DNSKEY TTL plus zone propagation delay from all the times (2h).
+TactN="now-4470h"
+TretN="now-6h"
+TdeaN="now-2h"
+TpubN1="now-33h"
+TsbmN1="now-30h"
+TactN1="${TretN}"
+TretN1="now+4458h"
+$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $U $TdeaN -d $H $TdeaN -z $U $TsbmN1 $CSK1 > settime.out.$zone.1 2>&1
+$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1
+$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $R $TsbmN1 $CSK2 > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 13 $CSK1 >> "$infile"
+private_type_record $zone 13 $CSK2 >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 6:
+# After the retire interval has passed the predecessor DNSKEY can be
+# removed from the zone.
+setup step6.csk-roll.autosign
+CSK1=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+CSK2=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+# According to RFC 7583: Tdea(N) = Tret(N) + Iret
+# Also: Tret(N) = Tact(N) + Lzsk
+# Also: Iret = Dsgn + Dprp + TTLsig (+retire-safety)
+# so: Tact(N) = Tdea(N) - Iret - Lzsk = now - 25d1h1d2h - 6mo =
+# now - 26d3h - 6mo = now - 627h - 4464h = now - 5091h
+# and: Tret(N) = Tdea(N) - Iret = now - 627h
+# and: Tpub(N+1) = Tdea(N) - Iret - Ipub = now - 627h - 3h = now - 630h
+# and: Tact(N+1) = Tdea(N) - Iret = Tret(N)
+# and: Tret(N+1) = Tdea(N) - Iret + Lzsk = now - 627h + 6mo = now + 3837h
+TactN="now-5091h"
+TretN="now-627h"
+TdeaN="now-623h"
+TpubN1="now-630h"
+TsbmN1="now-627h"
+TactN1="${TretN}"
+TretN1="now+3837h"
+$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $H $TdeaN -d $H $TdeaN -z $U $TsbmN1 $CSK1 > settime.out.$zone.1 2>&1
+$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1
+$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $R $TsbmN1 $CSK2 > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 13 $CSK1 >> "$infile"
+private_type_record $zone 13 $CSK2 >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 7:
+# Some time later the predecessor DNSKEY enters the HIDDEN state.
+setup step7.csk-roll.autosign
+CSK1=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+CSK2=`$KEYGEN -k csk-roll -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+# Substract DNSKEY TTL plus zone propagation delay from all the times (2h).
+TactN="now-5093h"
+TretN="now-629h"
+TdeaN="now-625h"
+TpubN1="now-632h"
+TsbmN1="now-629h"
+TactN1="${TretN}"
+TretN1="now+3835h"
+$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $U now-2h -r $H $TdeaN -d $H $TdeaN -z $H $TsbmN1 $CSK1 > settime.out.$zone.1 2>&1
+$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1
+$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TdeaN -z $O $TsbmN1 $CSK2 > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 13 $CSK1 >> "$infile"
+private_type_record $zone 13 $CSK2 >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+#
+# The zones at csk-roll2.autosign represent the various steps of a CSK rollover
+# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
+# This scenario differs from the above one because the zone signatures (ZRRSIG)
+# are replaced with the new key sooner than the DS is swapped.
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.csk-roll2.autosign
+CSK=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+TactN="now"
+$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN $CSK > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone 13 $CSK >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 2:
+# It is time to introduce the new CSK.
+setup step2.csk-roll2.autosign
+CSK=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+# According to RFC 7583: ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub
+# According to RFC 7583: KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
+# Also: Ipub = Dprp + TTLkey (+publish-safety)
+# Also: IpubC = DprpC + TTLkey (+publish-safety)
+# Both sums are almost the same, but the KSK case has Dreg in the equation.
+# so: Tact(N) = Tpub(N+1) - Lcsk + Dreg + IpubC = now - 6mo + 1w + 3h =
+# now - 4464h + 168h + 3h = now - 4635h
+TactN="now-4635h"
+$SETTIME -s -P $TactN -A $TactN -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN $CSK > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" > "$infile"
+private_type_record $zone 13 $CSK >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 3:
+# It is time to submit the DS and to roll signatures.
+setup step3.csk-roll2.autosign
+CSK1=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+CSK2=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+# According to RFC 7583: Tsbm(N+1) >= Trdy(N+1)
+# Also: Tact(N+1) = Tsbm(N+1) + Dreg
+# so: Tact(N) = Tsbm(N+1) + Dreg - Lksk = now + 1w - 6mo = now - 179d
+# and: Tret(N) = Tsbm(N+1) + Dreg = now + 1w
+# and: Tpub(N+1) <= Tsbm(N+1) - IpubC = now - 3h
+# and: Tret(N+1) = Tsbm(N+1) + Dreg + Lksk = now + 1w + 6mo = now + 193d
+TactN="now-179d"
+TretN="now+1w"
+TpubN1="now-3h"
+TretN1="now+193d"
+$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN $CSK1 > settime.out.$zone.1 2>&1
+$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1
+$SETTIME -s -P $TpubN1 -A $TretN -I $TretN1 -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 $CSK2 > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 13 $CSK1 >> "$infile"
+private_type_record $zone 13 $CSK2 >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 4:
+# Some time later all the ZRRSIG records should be from the new CSK, and the
+# DS should be swapped. The ZRRSIG records are all replaced after Iret
+# which is Dsgn + Dprp + TTLsig + retire-safety (12h + 1h + 1d + 2h = 38h).
+# The DS is swapped after Dreg + DprpP + TTLds + retire-safety
+# (1w + 1h + 1h + 1h = 1w3h). In other words, the zone signatures are
+# replaced before the DS is swapped.
+setup step4.csk-roll2.autosign
+CSK1=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+CSK2=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+# According to RFC 7583: Tdea(N) = Tret(N) + Iret
+# Also: Tret(N) = Tact(N) + Lzsk
+# Also: Iret = Dsgn + Dprp + TTLsig (+retire-safety)
+# so: Tact(N) = Tdea(N) - Iret - Lzsk = now - 38h - 6mo = now - 4502h
+# and: Tret(N) = Tdea(N) - Iret = now - 38h
+# and: Tpub(N+1) = Tdea(N) - Iret - Ipub = now - 41h
+# and: Tact(N+1) = Tdea(N) - Iret = Tret(N)
+# and: Tret(N+1) = Tdea(N) - Iret + Lzsk = now - 38h + 6mo = now + 4426h
+TactN="now-4502h"
+TretN="now-38h"
+TpubN1="now-41h"
+TactN1="${TretN}"
+TretN1="now+4426"
+$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TretN -z $U $TretN $CSK1 > settime.out.$zone.1 2>&1
+$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1
+$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $R $TretN -z $R $TretN $CSK2 > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 13 $CSK1 >> "$infile"
+private_type_record $zone 13 $CSK2 >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 5:
+# Some time later the DS can be swapped and the old DNSKEY can be removed from
+# the zone.
+setup step5.csk-roll2.autosign
+CSK1=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+CSK2=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+# Substract Dreg + Iret (174h).
+TactN="now-4676h"
+TretN="now-212h"
+TpubN1="now-215h"
+TactN1="${TretN}"
+TretN1="now+4252h"
+$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $O $TactN -r $O $TactN -d $U $TretN -z $H $TretN $CSK1 > settime.out.$zone.1 2>&1
+$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1
+$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $R $TretN -z $O $TretN $CSK2 > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 13 $CSK1 >> "$infile"
+private_type_record $zone 13 $CSK2 >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
+
+# Step 6:
+# Some time later the predecessor DNSKEY enters the HIDDEN state.
+setup step6.csk-roll2.autosign
+CSK1=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+CSK2=`$KEYGEN -k csk-roll2 -l policies/autosign.conf $zone 2> keygen.out.$zone.1`
+# Substract DNSKEY TTL plus zone propagation delay (2h).
+TactN="now-4678h"
+TretN="now-214h"
+TdeaN="now-2h"
+TpubN1="now-217h"
+TactN1="${TretN}"
+TretN1="now+4250h"
+$SETTIME -s -P $TactN -A $TactN -I $TretN -g $H -k $U $TdeaN -r $U $TdeaN -d $H $TretN -z $H $TretN $CSK1 > settime.out.$zone.1 2>&1
+$SETTIME -s -S $CSK1 -i 0 $CSK2 > settime.out.$zone.3 2>&1
+$SETTIME -s -P $TpubN1 -A $TactN1 -I $TretN1 -g $O -k $O $TretN -r $O $TretN -d $O $TretN -z $O $TretN $CSK2 > settime.out.$zone.1 2>&1
+cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
+private_type_record $zone 13 $CSK1 >> "$infile"
+private_type_record $zone 13 $CSK2 >> "$infile"
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
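Review bot: `TretN1="now+4426"` in the step4.csk-roll2.autosign block is missing the `h` unit suffix that every other offset on this page carries and that the derivation comment a few lines above states (`now + 4426h`); dnssec-settime reads a bare offset as seconds, so the `-I $TretN1` passed to `$SETTIME` for `$CSK2` retires the successor about 74 minutes from now instead of roughly six months. Change it to `TretN1="now+4426h"`. In the same step the comment gives Iret as `12h + 1h + 1d + 2h = 38h`, which only sums to 38h with a 1h retire-safety, as the DS line right below (`1w + 1h + 1h + 1h`) and the derived `now-38h`/`now-4502h` values assume; presumably the `2h` was carried over from the csk-roll scenario.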
STATE_ZRRSIG=16
STATE_KRRSIG=17
STATE_DS=18
-EXPECT_RRSIG=19
+EXPECT_ZRRSIG=19
+EXPECT_KRRSIG=20
# Clear key state.
#
[$REMOVED]="none" \
[$GOAL]="none" [$STATE_DNSKEY]="none" \
[$STATE_KRRSIG]="none" [$STATE_ZRRSIG]="none" \
- [$STATE_DS]="none" [$EXPECT_RRSIG]="no")
+ [$STATE_DS]="none" \
+ [$EXPECT_ZRRSIG]="no" [$EXPECT_KRRSIG]="no")
if [ $1 == "KEY1" ]; then
KEY1=(${_key[*]})
# $4: Algorithm (number)
# $5: Algorithm (string-format)
# $6: Algorithm length
-# $7: Is signing
+# $7: Is zone signing
+# $8: Is key signing
#
# This will update either the KEY1, KEY2 or KEY3 array.
key_properties() {
KEY1[$ALG_NUM]=$4
KEY1[$ALG_STR]=$5
KEY1[$ALG_LEN]=$6
- KEY1[$EXPECT_RRSIG]=$7
+ KEY1[$EXPECT_ZRRSIG]=$7
+ KEY1[$EXPECT_KRRSIG]=$8
elif [ $1 == "KEY2" ]; then
KEY2[$EXPECT]="yes"
KEY2[$ROLE]=$2
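Review bot: key_properties now reads a new eighth argument but never checks it was supplied, so any caller not updated in this commit silently stores an empty `EXPECT_KRRSIG`, which later compares unequal to "yes" and is therefore treated as "no signing expected" rather than as a mistake. Since every call on this page was edited by hand, an arity guard at the top of the function would catch a missed one: `[ "$#" -eq 8 ] || log_error "key_properties: expected 8 arguments, got $#"`. The same applies to the KEY2 and KEY3 branches in the two following hunks. The function body starts before this hunk, so the guard belongs at its opening, outside the lines shown here.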
KEY2[$ALG_NUM]=$4
KEY2[$ALG_STR]=$5
KEY2[$ALG_LEN]=$6
- KEY2[$EXPECT_RRSIG]=$7
+ KEY2[$EXPECT_ZRRSIG]=$7
+ KEY2[$EXPECT_KRRSIG]=$8
elif [ $1 == "KEY3" ]; then
KEY3[$EXPECT]="yes"
KEY3[$ROLE]=$2
KEY3[$ALG_NUM]=$4
KEY3[$ALG_STR]=$5
KEY3[$ALG_LEN]=$6
- KEY3[$EXPECT_RRSIG]=$7
+ KEY3[$EXPECT_ZRRSIG]=$7
+ KEY3[$EXPECT_KRRSIG]=$8
fi
}
# Temporarily don't log errors because we are searching multiple files.
_log=0
# Check one algorithm.
-key_properties "KEY1" "csk" "31536000" "13" "ECDSAP256SHA256" "256" "yes"
+key_properties "KEY1" "csk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "yes"
key_timings "KEY1" "none" "none" "none" "none" "none"
key_states "KEY1" "none" "none" "none" "none" "none"
id=$(get_keyids $DIR $ZONE "${KEY1[$ALG_NUM]}")
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
# Check the other algorithm.
-key_properties "KEY1" "ksk" "31536000" "8" "RSASHA256" "2048" "yes"
+key_properties "KEY1" "ksk" "31536000" "8" "RSASHA256" "2048" "no" "yes"
key_timings "KEY1" "none" "none" "none" "none" "none"
key_states "KEY1" "none" "none" "none" "none" "none"
-key_properties "KEY2" "zsk" "2592000" "8" "RSASHA256" "1024" "yes"
+key_properties "KEY2" "zsk" "2592000" "8" "RSASHA256" "1024" "yes" "no"
key_timings "KEY2" "none" "none" "none" "none" "none"
key_states "KEY2" "none" "none" "none" "none" "none"
-key_properties "KEY3" "zsk" "16070400" "8" "RSASHA256" "2000" "yes"
+key_properties "KEY3" "zsk" "16070400" "8" "RSASHA256" "2000" "yes" "no"
key_timings "KEY3" "none" "none" "none" "none" "none"
key_states "KEY3" "none" "none" "none" "none" "none"
echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
ret=0
zone_properties "." "kasp" "default" "3600"
-key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes"
+key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
key_timings "KEY1" "none" "none" "none" "none" "none"
key_states "KEY1" "none" "none" "none" "none" "none"
$KEYGEN -k $POLICY $ZONE > keygen.out.$POLICY.test$n 2>/dev/null || ret=1
echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
ret=0
zone_properties "." "kasp" "default" "3600"
-key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes"
+key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
key_timings "KEY1" "none" "none" "none" "none" "none"
key_states "KEY1" "none" "none" "none" "none" "none"
$KEYGEN -k $POLICY $ZONE > keygen.out.$POLICY.test$n 2>/dev/null || ret=1
# Check the zone with default kasp policy has loaded and is signed.
zone_properties "ns3" "default.kasp" "_default" "3600"
-key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes"
+key_properties "KEY1" "csk" "0" "13" "ECDSAP256SHA256" "256" "yes" "yes"
# The first key is immediately published and activated.
key_timings "KEY1" "published" "active" "none" "none" "none" "none"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
# Zone: rsasha1.kasp.
#
zone_properties "ns3" "rsasha1.kasp" "rsasha1" "1234" "3"
-key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "yes"
-key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "1024" "yes"
-key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes"
+key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes"
+key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "1024" "yes" "no"
+key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no"
# The first keys are immediately published and activated.
# Because lifetime > 0, retired timing is also set.
key_timings "KEY1" "published" "active" "retired" "none" "none"
_file=$2
_role=$3
- if [ "${KEY1[$EXPECT_RRSIG]}" == "yes" ] && [ "${KEY1[$_role]}" == "yes" ]; then
+ if [ $_role == $KSK ]; then
+ _expect_type=$EXPECT_KRRSIG
+ elif [ $_role == $ZSK ]; then
+ _expect_type=$EXPECT_ZRRSIG
+ fi
+
+ if [ "${KEY1[$_expect_type]}" == "yes" ] && [ "${KEY1[$_role]}" == "yes" ]; then
get_keys_which_signed $_qtype $_file | grep "^${KEY1[$ID]}$" > /dev/null || log_error "${_qtype} RRset not signed with key ${KEY1[$ID]}"
elif [ "${KEY1[$EXPECT]}" == "yes" ]; then
get_keys_which_signed $_qtype $_file | grep "^${KEY1[$ID]}$" > /dev/null && log_error "${_qtype} RRset signed unexpectedly with ${KEY1[$ID]}"
fi
- if [ "${KEY2[$EXPECT_RRSIG]}" == "yes" ] && [ "${KEY2[$_role]}" == "yes" ]; then
+ if [ "${KEY2[$_expect_type]}" == "yes" ] && [ "${KEY2[$_role]}" == "yes" ]; then
get_keys_which_signed $_qtype $_file | grep "^${KEY2[$ID]}$" > /dev/null || log_error "${_qtype} RRset not signed with ${KEY2[$ID]}"
elif [ "${KEY2[$EXPECT]}" == "yes" ]; then
get_keys_which_signed $_qtype $_file | grep "^${KEY2[$ID]}$" > /dev/null && log_error "${_qtype} RRset signed unexpectedly with ${KEY2[$ID]}"
fi
- if [ "${KEY3[$EXPECT_RRSIG]}" == "yes" ] && [ "${KEY3[$_role]}" == "yes" ]; then
+ if [ "${KEY3[$_expect_type]}" == "yes" ] && [ "${KEY3[$_role]}" == "yes" ]; then
get_keys_which_signed $_qtype $_file | grep "^${KEY3[$ID]}$" > /dev/null || log_error "${_qtype} RRset not signed with ${KEY3[$ID]}"
elif [ "${KEY3[$EXPECT]}" == "yes" ]; then
get_keys_which_signed $_qtype $_file | grep "^${KEY3[$ID]}$" > /dev/null && log_error "${_qtype} RRset signed unexpectedly with ${KEY3[$ID]}"
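Review bot: The new `if [ $_role == $KSK ] ... elif [ $_role == $ZSK ] ... fi` has no `else`, so for any other role `_expect_type` is either unset, which makes `${KEY1[$_expect_type]}` an empty subscript and aborts the check with a bash error, or stale from a previous call of this function, which silently reuses the other role's expectation. Initialise it and reject the unexpected case, e.g. `_expect_type=""` before the test and `else log_error "unexpected role ${_role}"; return; fi` at the end. The role comparison should also quote its operands, `[ "$_role" == "$KSK" ]`, since `[` word-splits an empty or unset value. The enclosing function starts before this hunk.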
# Test DNSKEY query.
_qtype="DNSKEY"
+ _key_algnum="${KEY1[$ALG_NUM]}"
n=$((n+1))
echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)"
ret=0
# Zone: rsasha1-nsec3.kasp.
#
zone_properties "ns3" "rsasha1-nsec3.kasp" "rsasha1-nsec3" "1234" "3"
-key_properties "KEY1" "ksk" "315360000" "7" "NSEC3RSASHA1" "2048" "yes"
-key_properties "KEY2" "zsk" "157680000" "7" "NSEC3RSASHA1" "1024" "yes"
-key_properties "KEY3" "zsk" "31536000" "7" "NSEC3RSASHA1" "2000" "yes"
+key_properties "KEY1" "ksk" "315360000" "7" "NSEC3RSASHA1" "2048" "no" "yes"
+key_properties "KEY2" "zsk" "157680000" "7" "NSEC3RSASHA1" "1024" "yes" "no"
+key_properties "KEY3" "zsk" "31536000" "7" "NSEC3RSASHA1" "2000" "yes" "no"
# key_timings and key_states same as above.
check_keys
check_apex
# Zone: rsasha256.kasp.
#
zone_properties "ns3" "rsasha256.kasp" "rsasha256" "1234" "3"
-key_properties "KEY1" "ksk" "315360000" "8" "RSASHA256" "2048" "yes"
-key_properties "KEY2" "zsk" "157680000" "8" "RSASHA256" "1024" "yes"
-key_properties "KEY3" "zsk" "31536000" "8" "RSASHA256" "2000" "yes"
+key_properties "KEY1" "ksk" "315360000" "8" "RSASHA256" "2048" "no" "yes"
+key_properties "KEY2" "zsk" "157680000" "8" "RSASHA256" "1024" "yes" "no"
+key_properties "KEY3" "zsk" "31536000" "8" "RSASHA256" "2000" "yes" "no"
# key_timings and key_states same as above.
check_keys
check_apex
# Zone: rsasha512.kasp.
#
zone_properties "ns3" "rsasha512.kasp" "rsasha512" "1234" "3"
-key_properties "KEY1" "ksk" "315360000" "10" "RSASHA512" "2048" "yes"
-key_properties "KEY2" "zsk" "157680000" "10" "RSASHA512" "1024" "yes"
-key_properties "KEY3" "zsk" "31536000" "10" "RSASHA512" "2000" "yes"
+key_properties "KEY1" "ksk" "315360000" "10" "RSASHA512" "2048" "no" "yes"
+key_properties "KEY2" "zsk" "157680000" "10" "RSASHA512" "1024" "yes" "no"
+key_properties "KEY3" "zsk" "31536000" "10" "RSASHA512" "2000" "yes" "no"
# key_timings and key_states same as above.
check_keys
check_apex
# Zone: ecdsa256.kasp.
#
zone_properties "ns3" "ecdsa256.kasp" "ecdsa256" "1234" "3"
-key_properties "KEY1" "ksk" "315360000" "13" "ECDSAP256SHA256" "256" "yes"
-key_properties "KEY2" "zsk" "157680000" "13" "ECDSAP256SHA256" "256" "yes"
-key_properties "KEY3" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes"
+key_properties "KEY1" "ksk" "315360000" "13" "ECDSAP256SHA256" "256" "no" "yes"
+key_properties "KEY2" "zsk" "157680000" "13" "ECDSAP256SHA256" "256" "yes" "no"
+key_properties "KEY3" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "no"
# key_timings and key_states same as above.
check_keys
check_apex
# Zone: ecdsa512.kasp.
#
zone_properties "ns3" "ecdsa384.kasp" "ecdsa384" "1234" "3"
-key_properties "KEY1" "ksk" "315360000" "14" "ECDSAP384SHA384" "384" "yes"
-key_properties "KEY2" "zsk" "157680000" "14" "ECDSAP384SHA384" "384" "yes"
-key_properties "KEY3" "zsk" "31536000" "14" "ECDSAP384SHA384" "384" "yes"
+key_properties "KEY1" "ksk" "315360000" "14" "ECDSAP384SHA384" "384" "no" "yes"
+key_properties "KEY2" "zsk" "157680000" "14" "ECDSAP384SHA384" "384" "yes" "no"
+key_properties "KEY3" "zsk" "31536000" "14" "ECDSAP384SHA384" "384" "yes" "no"
# key_timings and key_states same as above.
check_keys
check_apex
#
zone_properties "ns3" "expired-sigs.autosign" "autosign" "300" "2"
# Both KSK and ZSK stay OMNIPRESENT.
-key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "yes"
+key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
-key_properties "KEY2" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes"
+key_properties "KEY2" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "no"
key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none"
key_timings "KEY2" "published" "active" "retired" "none" "none"
# Expect only two keys.
#
zone_properties "ns3" "zsk-missing.autosign" "autosign" "300" "2"
# KSK stays OMNIPRESENT.
-key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "yes"
+key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
# key_properties, key_timings and key_states same as above.
# KSK properties, timings and states same as above.
# The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK
# is active.
-key_properties "KEY2" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes"
+key_properties "KEY2" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "no"
key_timings "KEY2" "published" "active" "retired" "none" "none"
key_states "KEY2" "hidden" "omnipresent" "omnipresent" "none" "none"
# A new ZSK should be introduced, so expect a key with goal OMNIPRESENT,
# the DNSKEY introduced (RUMOURED) and the signatures HIDDEN.
-key_properties "KEY3" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "no"
+key_properties "KEY3" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "no" "no"
key_timings "KEY3" "published" "active" "retired" "none" "none"
key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none"
#
zone_properties "ns3" "step1.zsk-prepub.autosign" "zsk-prepub" "3600" "2"
# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
-key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "yes"
+key_properties "KEY1" "ksk" "63072000" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
-key_properties "KEY2" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "yes"
+key_properties "KEY2" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "yes" "no"
key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none"
key_timings "KEY2" "published" "active" "retired" "none" "none"
# Initially only two keys.
# KSK (KEY1) doesn't change.
# ZSK (KEY2) remains active, no change in properties/timings/states.
# New ZSK (KEY3) is prepublished.
-key_properties "KEY3" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "no"
+key_properties "KEY3" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "no" "no"
key_states "KEY3" "omnipresent" "rumoured" "hidden" "none" "none"
key_timings "KEY3" "published" "active" "retired" "none" "none"
check_keys
# ZSK (KEY2) properties and timing metadata same as above.
# ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE.
# New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
-key_properties "KEY2" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "no"
+key_properties "KEY2" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "no" "no"
key_states "KEY2" "hidden" "omnipresent" "unretentive" "none" "none"
-key_properties "KEY3" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "yes"
+key_properties "KEY3" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "yes" "no"
key_states "KEY3" "omnipresent" "omnipresent" "rumoured" "none" "none"
check_keys
check_apex
# Subdomain still has good signatures of ZSK (KEY2)
-key_properties "KEY2" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "yes"
-key_properties "KEY3" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "no"
+key_properties "KEY2" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "yes" "no"
+key_properties "KEY3" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "no" "no"
check_subdomain
dnssec_verify
# ZSK (KEY2) properties and timing metadata same as above.
# ZSK (KEY2) DNSKEY is no longer needed.
# ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
-key_properties "KEY2" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "no"
+key_properties "KEY2" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "no" "no"
key_states "KEY2" "hidden" "unretentive" "hidden" "none" "none"
-key_properties "KEY3" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "yes"
+key_properties "KEY3" "zsk" "2592000" "13" "ECDSAP256SHA256" "256" "yes" "no"
key_states "KEY3" "omnipresent" "omnipresent" "omnipresent" "none" "none"
check_keys
check_apex
#
zone_properties "ns3" "step1.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "2"
# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
-key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "yes"
+key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_timings "KEY1" "published" "active" "retired" "none" "none"
key_states "KEY1" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
-key_properties "KEY2" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes"
+key_properties "KEY2" "zsk" "31536000" "13" "ECDSAP256SHA256" "256" "yes" "no"
key_timings "KEY2" "published" "active" "retired" "none" "none"
key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "none" "none"
# Initially only two keys.
# ZSK (KEY2) doesn't change.
# KSK (KEY1) remains active, no change in properties/timings/states.
# New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
-key_properties "KEY3" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "yes"
+key_properties "KEY3" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "yes"
key_states "KEY3" "omnipresent" "rumoured" "none" "rumoured" "hidden"
key_timings "KEY3" "published" "active" "retired" "none" "none"
check_keys
zone_properties "ns3" "step4.ksk-doubleksk.autosign" "ksk-doubleksk" "7200" "3"
# ZSK (KEY2) doesn't change.
# KSK (KEY1) DNSKEY can be removed.
-key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no"
+key_properties "KEY1" "ksk" "5184000" "13" "ECDSAP256SHA256" "256" "no" "no"
key_states "KEY1" "hidden" "unretentive" "none" "unretentive" "hidden"
# New KSK (KEY3) DS is now OMNIPRESENT.
key_states "KEY3" "omnipresent" "omnipresent" "none" "omnipresent" "omnipresent"
# 5184000 - 97200 - 86400 - 180000 - 7200 = 4813200 seconds.
check_next_key_event 4813200
+#
+# Testing CSK key rollover (1).
+#
+
+#
+# Zone: step1.csk-roll.autosign.
+#
+zone_properties "ns3" "step1.csk-roll.autosign" "csk-roll" "3600" "1"
+# The CSK (KEY1) starts in OMNIPRESENT.
+key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
+key_timings "KEY1" "published" "active" "retired" "none" "none"
+key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+# Initially only one key.
+key_clear "KEY2"
+key_clear "KEY3"
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor CSK needs to be published. That is
+# the CSK lifetime - prepublication time - DS registration delay. The
+# prepublication time is DNSKEY TTL plus publish safety plus the zone
+# propagation delay. For the csk-roll policy that means:
+# 6mo - 1d - 3h = 15973200 seconds.
+check_next_key_event 15973200
+
+#
+# Zone: step2.csk-roll.autosign.
+#
+# Set key properties for testing keys.
+zone_properties "ns3" "step2.csk-roll.autosign" "csk-roll" "3600" "2"
+# CSK (KEY1) remains active, no change in properties/timings/states.
+# New CSK (KEY2) is prepublished (and signs DNSKEY RRset).
+key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
+key_states "KEY2" "omnipresent" "rumoured" "hidden" "rumoured" "hidden"
+key_timings "KEY2" "published" "active" "retired" "none" "none"
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor CSK becomes OMNIPRESENT. That is the
+# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
+# the csk-roll policy, this means 3 hours = 10800 seconds.
+check_next_key_event 10800
+
+#
+# Zone: step3.csk-roll.autosign.
+#
+# Set key properties for testing keys.
+zone_properties "ns3" "step3.csk-roll.autosign" "csk-roll" "3600" "2"
+# CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE.
+key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
+key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive"
+# New CSK (KEY2) has its DS submitted, and is signing, so the DS and ZRRSIG
+# are in RUMOURED state.
+key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
+key_states "KEY2" "omnipresent" "omnipresent" "rumoured" "omnipresent" "rumoured"
+check_keys
+check_apex
+# Subdomain still has good signatures of old CSK (KEY1)
+key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
+key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
+check_subdomain
+dnssec_verify
+
+# Next key event is when the predecessor DS has been replaced with the
+# successor DS and enough time has passed such that the all validators that
+# have this DS RRset cached only know about the successor DS. This is the
+# registration delay plus the retire interval, which is the parent
+# propagation delay plus the DS TTL plus the retire-safety. For the
+# csk-roll policy this means: 1d + 1h + 1h + 2h = 1d4h = 100800 seconds.
+check_next_key_event 100800
+
+#
+# Zone: step4.csk-roll.autosign.
+#
+zone_properties "ns3" "step4.csk-roll.autosign" "csk-roll" "3600" "2"
+# The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public
+# but can remove the KRRSIG records.
+key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
+key_states "KEY1" "hidden" "omnipresent" "unretentive" "unretentive" "hidden"
+# The new CSK (KEY2) DS is now OMNIPRESENT.
+key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
+key_states "KEY2" "omnipresent" "omnipresent" "rumoured" "omnipresent" "omnipresent"
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the KRRSIG enters the HIDDEN state. This is the
+# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is:
+# 1h + 1h = 7200 seconds.
+check_next_key_event 7200
+
+#
+# Zone: step5.csk-roll.autosign.
+#
+zone_properties "ns3" "step5.csk-roll.autosign" "csk-roll" "3600" "2"
+# The old CSK (KEY1) KRRSIG records are now all hidden.
+key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
+key_states "KEY1" "hidden" "omnipresent" "unretentive" "hidden" "hidden"
+# The new CSK (KEY2) state does not change.
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DNSKEY can be removed. This is when all ZRRSIG
+# records have been replaced with signatures of the new CSK. We have
+# calculated the interval to be 26d3h of which 1d4h (Dreg + Iret(KSK)) plus
+# 2h (DNSKEY TTL + Dprp) have already passed. So next key event is in
+# 26d3h - 1d4h - 2h = 597h = 2149200 seconds.
+check_next_key_event 2149200
+
+#
+# Zone: step6.csk-roll.autosign.
+#
+zone_properties "ns3" "step6.csk-roll.autosign" "csk-roll" "3600" "2"
+# The old CSK (KEY1) DNSKEY can be removed.
+key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
+key_states "KEY1" "hidden" "unretentive" "hidden" "hidden" "hidden"
+# The new CSK (KEY2) is now fully OMNIPRESENT.
+key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
+key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DNSKEY enters the HIDDEN state. This is the
+# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is:
+# 1h + 1h = 7200 seconds.
+check_next_key_event 7200
+
+#
+# Zone: step7.csk-roll.autosign.
+#
+zone_properties "ns3" "step7.csk-roll.autosign" "csk-roll" "3600" "2"
+# The old CSK (KEY1) is now completely HIDDEN.
+key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
+key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden"
+# The new CSK (KEY2) is now fully OMNIPRESENT.
+key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
+key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the new successor needs to be published. This is the
+# CSK lifetime minus Ipub minus Dreg minus Iret minus DNSKEY TTL minus zone
+# propagation delay. For the csk-roll this is:
+# 6mo - 3h - 1d - 26d3h - 1h - 1h = 6mo - 27d8h = 13708800 seconds.
+check_next_key_event 13708800
+
+#
+# Testing CSK key rollover (1).
+#
+
+#
+# Zone: step1.csk-roll2.autosign.
+#
+zone_properties "ns3" "step1.csk-roll2.autosign" "csk-roll2" "3600" "1"
+# The CSK (KEY1) starts in OMNIPRESENT.
+key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
+key_timings "KEY1" "published" "active" "retired" "none" "none"
+key_states "KEY1" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+# Initially only one key.
+key_clear "KEY2"
+key_clear "KEY3"
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor CSK needs to be published. That is
+# the CSK lifetime - prepublication time - DS registration delay. The
+# prepublication time is DNSKEY TTL plus publish safety plus the zone
+# propagation delay. For the csk-roll2 policy that means:
+# 6mo - 3h - 1w = 15454800 seconds.
+check_next_key_event 15454800
+
+#
+# Zone: step2.csk-roll2.autosign.
+#
+# Set key properties for testing keys.
+zone_properties "ns3" "step2.csk-roll2.autosign" "csk-roll2" "3600" "2"
+# CSK (KEY1) remains active, no change in properties/timings/states.
+# New CSK (KEY2) is prepublished (and signs DNSKEY RRset).
+key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
+key_states "KEY2" "omnipresent" "rumoured" "hidden" "rumoured" "hidden"
+key_timings "KEY2" "published" "active" "retired" "none" "none"
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the successor CSK becomes OMNIPRESENT. That is the
+# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
+# the csk-roll2 policy, this means 3 hours = 10800 seconds.
+check_next_key_event 10800
+
+#
+# Zone: step3.csk-roll2.autosign.
+#
+# Set key properties for testing keys.
+zone_properties "ns3" "step3.csk-roll2.autosign" "csk-roll2" "3600" "2"
+# CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE.
+key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
+key_states "KEY1" "hidden" "omnipresent" "unretentive" "omnipresent" "unretentive"
+# New CSK (KEY2) has its DS submitted, and is signing, so the DS and ZRRSIG
+# are in RUMOURED state.
+key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
+key_states "KEY2" "omnipresent" "omnipresent" "rumoured" "omnipresent" "rumoured"
+check_keys
+check_apex
+# Subdomain still has good signatures of old CSK (KEY1)
+key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
+key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
+check_subdomain
+dnssec_verify
+
+# Next key event is when the predecessor ZRRSIG records have been replaced
+# with that of the successor and enough time has passed such that the all
+# validators that have such signed RRsets in cache only know about the
+# successor signatures. This is the retire interval: Dsgn plus the
+# maximum zone TTL plus the zone propagation delay plus retire-safety. For the
+# csk-roll2 policy that means: 12h (because 1d validity and refresh within
+# 12 hours) + 1d + 1h + 1h = 38h = 136800 seconds.
+check_next_key_event 136800
+
+#
+# Zone: step4.csk-roll2.autosign.
+#
+zone_properties "ns3" "step4.csk-roll2.autosign" "csk-roll2" "3600" "2"
+# The old CSK (KEY1) ZRRSIG is now HIDDEN.
+key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "yes"
+key_states "KEY1" "hidden" "omnipresent" "hidden" "omnipresent" "unretentive"
+# The new CSK (KEY2) ZRRSIG is now OMNIPRESENT.
+key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
+key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "rumoured"
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the predecessor DS has been replaced with the
+# successor DS and enough time has passed such that the all validators that
+# have this DS RRset cached only know about the successor DS. This is the
+# registration delay plus the retire interval, which is the parent
+# propagation delay plus the DS TTL plus the retire-safety. For the
+# csk-roll2 policy this means: 1w + 1h + 1h + 1h = 171h = 615600 seconds.
+# However, 136800 seconds have passed already, so 478800 seconds left.
+check_next_key_event 478800
+
+#
+# Zone: step5.csk-roll2.autosign.
+#
+zone_properties "ns3" "step5.csk-roll2.autosign" "csk-roll2" "3600" "2"
+# The old CSK (KEY1) DNSKEY can be removed.
+key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
+key_states "KEY1" "hidden" "unretentive" "hidden" "unretentive" "hidden"
+# The new CSK (KEY2) is now fully OMNIPRESENT.
+key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
+key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the DNSKEY enters the HIDDEN state. This is the
+# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is:
+# 1h + 1h = 7200 seconds.
+check_next_key_event 7200
+
+#
+# Zone: step6.csk-roll2.autosign.
+#
+zone_properties "ns3" "step6.csk-roll2.autosign" "csk-roll" "3600" "2"
+# The old CSK (KEY1) is now completely HIDDEN.
+key_properties "KEY1" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "no" "no"
+key_states "KEY1" "hidden" "hidden" "hidden" "hidden" "hidden"
+# The new CSK (KEY2) is now fully OMNIPRESENT.
+key_properties "KEY2" "csk" "16070400" "13" "ECDSAP256SHA256" "256" "yes" "yes"
+key_states "KEY2" "omnipresent" "omnipresent" "omnipresent" "omnipresent" "omnipresent"
+check_keys
+check_apex
+check_subdomain
+dnssec_verify
+
+# Next key event is when the new successor needs to be published.
+check_next_key_event 14684400
+
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1