# PRIVKEY_STAT
# PUBKEY_STAT
# STATE_STAT
+# FLAGS
+# KEYDIR
key_key() {
echo "${1}__${2}"
key_set "$1" "PRIVKEY_STAT" '0'
key_set "$1" "PUBKEY_STAT" '0'
key_set "$1" "STATE_STAT" '0'
+ key_set "$1" "KEYDIR" 'none'
}
# Start clear.
_zone=$2
_regex="K${_zone}.+*+*.key"
- find "${_dir}" -mindepth 1 -maxdepth 1 -name "${_regex}" | sed "s,$_dir/K${_zone}.+\([0-9]\{3\}\)+\([0-9]\{5\}\).key,\2,"
+ find "${_dir}" -mindepth 1 -maxdepth 3 -name "${_regex}" | sed "s,.*/K${_zone}.+\([0-9]\{3\}\)+\([0-9]\{5\}\).key,\2,"
}
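Review bot: With the search widened to `-maxdepth 3` on L17, any file under `$_dir` whose name matches the glob reaches sed, and a name the substitution does not match is echoed unchanged because sed runs without `-n`, so a stray or differently named key file in a subdirectory would inject a full path into the returned id list rather than being dropped. Printing only successfully rewritten names closes that: `find "${_dir}" -mindepth 1 -maxdepth 3 -name "${_regex}" | sed -n "s,.*/K${_zone}.+\([0-9]\{3\}\)+\([0-9]\{5\}\).key,\2,p"`. The zone name is also interpolated unescaped into the BRE, where the `.` in a name like `keystore.kasp` matches any character; that is harmless for the fixed zones in this test suite but deserves a one-line comment. The enclosing function begins above this hunk.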
# By default log errors and don't quit immediately.
key_set "$1" "$2" "$3"
}
+# Set key directory.
+# $1: Key to update (KEY1, KEY2, ...)
+# $2: Directory.
+set_keydir() {
+ key_set "$1" "KEYDIR" "$2"
+}
+
# Check the key $1 with id $2.
# This requires environment variables to be set.
#
# KEY_ID=$(echo $1 | sed 's/^0\{0,4\}//')
# KEY_CREATED (from the KEY_FILE)
check_key() {
- _dir="$DIR"
+ _dir=$(key_get "$1" KEYDIR)
+ if [ "$_dir" = "none" ]; then
+ _dir="$DIR"
+ fi
_zone="$ZONE"
_role=$(key_get "$1" ROLE)
_key_idpad="$2"
# Check the key timing metadata for key $1.
check_timingmetadata() {
- _dir="$DIR"
+ _dir=$(key_get "$1" KEYDIR)
+ if [ "$_dir" = "none" ]; then
+ _dir="$DIR"
+ fi
_zone="$ZONE"
_key_idpad=$(key_get "$1" ID)
_key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//')
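Review bot: The KEYDIR lookup with its `none` fallback added to check_timingmetadata on L46-L49 is a copy of the one added to check_key on L36-L39; keeping the sentinel in one helper avoids the two drifting apart, e.g. `key_dir() { _d=$(key_get "$1" KEYDIR); [ "$_d" = "none" ] && _d="$DIR"; echo "$_d"; }` and then `_dir=$(key_dir "$1")` in both callers. The fallback only triggers on the literal string `none` that key_clear now writes, so if key_get yields an empty string for a key that was never passed through key_clear (not visible here), `_dir` would be empty and the `${_dir}/K...` paths would silently become absolute; a comment stating that key_clear is a prerequisite, or treating empty like `none`, would make that explicit. Both functions continue below this hunk.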
# STATE_FILE="${BASE_FILE}.state"
# KEY_ID=$(echo $1 | sed 's/^0\{0,4\}//')
key_unused() {
- _dir=$DIR
- _zone=$ZONE
- _key_idpad=$1
+ _dir="$DIR"
+ _zone="$ZONE"
+ _key_idpad="$1"
_key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//')
- _alg_num=$2
+ _alg_num="$2"
_alg_numpad=$(printf "%03d" "$_alg_num")
BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}"
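Review bot: key_unused on L56-L66 still derives the key location from `$DIR` alone, while check_key and check_timingmetadata in this same change now honour a per-key KEYDIR; for a key-store zone an unused-key check would therefore build BASE_FILE under `$DIR` and never see files that live in the key-store subdirectory. Because key_unused is called with an id and an algorithm number rather than a KEYn name, it cannot use key_get, so an optional directory argument is the smallest fix: `_dir="${3:-$DIR}"` in place of `_dir="$DIR"`, with a comment `# $3: optional key directory (defaults to $DIR) for key-store zones.` Whether any caller currently needs this is not visible from the hunk. The function continues past this hunk.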
#
# It is expected that KEY1, KEY2, KEY3, and KEY4 arrays are set correctly.
# Found key identifiers are stored in the right key array.
+# Keys are found if they are stored inside $DIR or in a subdirectory up to
+# three levels deeper.
check_keys() {
n=$((n + 1))
echo_i "check keys are created for zone ${ZONE} ($n)"
rm -f python.out.*
rm -f *-supported.file
rm -f created.key-* unused.key-*
+rm -f ns3/ksk/K* ns3/zsk/K*
+rm -rf ./ns3/ksk/ ./ns3/zsk/
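Review bot: The `rm -f ns3/ksk/K* ns3/zsk/K*` added on L78 is redundant with the `rm -rf ./ns3/ksk/ ./ns3/zsk/` that immediately follows on L79, which removes the directories and everything in them; keeping only the `rm -rf` line is clearer. If the first line was meant as a safeguard for the case where the directories must survive, a comment saying so would be needed, since as written the second line defeats it.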
dnssec-policy "default";
};
+/* A zone that uses dnssec-policy with key stores. */
+zone "keystore.kasp" {
+ type primary;
+ file "keystore.kasp.db";
+ inline-signing yes;
+ dnssec-policy "keystore";
+};
+
/*
* A configured dnssec-policy but some keys already created.
*/
dnssec-policy "ttl" {
max-zone-ttl 299;
};
+
+key-store "ksk" {
+ directory "ksk";
+};
+
+key-store "zsk" {
+ directory "zsk";
+};
+
+dnssec-policy "keystore" {
+ dnskey-ttl 303;
+
+ keys {
+ ksk key-store "ksk" lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-store "zsk" lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ };
+};
echo_i "ns3/setup.sh"
+# Create key store directories.
+mkdir ksk
+mkdir zsk
+
setup() {
zone="$1"
echo_i "setting up zone: $zone"
rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \
dynamic dynamic-inline-signing inline-signing \
checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
- manual-rollover multisigner-model2; do
+ manual-rollover multisigner-model2 keystore; do
setup "${zn}.kasp"
cp template.db.in "$zonefile"
done
set_policy "default" "1" "3600"
set_server "." "10.53.0.1"
# Key properties.
+key_clear "KEY1"
set_keyrole "KEY1" "csk"
set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
set_zone "checkds-ksk.kasp"
set_policy "checkds-ksk" "2" "303"
set_server "ns3" "10.53.0.3"
+
# Key properties.
set_keyrole "KEY1" "ksk"
set_keylifetime "KEY1" "0"
check_subdomain
dnssec_verify
+#
+# Zone: keystore.kasp.
+#
+set_zone "keystore.kasp"
+set_policy "keystore" "2" "303"
+set_server "ns3" "10.53.0.3"
+# Key properties.
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "0"
+set_keydir "KEY1" "ns3/ksk"
+set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
+
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "0"
+set_keydir "KEY2" "ns3/zsk"
+set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
+
+# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
+# ZSK: DNSKEY, RRSIG (zsk) published.
+set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY1" "STATE_DS" "hidden"
+
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+# Two keys only.
+key_clear "KEY3"
+key_clear "KEY4"
+
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+# Reuse set_keytimes_csk_policy to set the KEY1 keytimes.
+set_keytimes_csk_policy
+created=$(key_get KEY2 CREATED)
+set_keytime "KEY2" "PUBLISHED" "${created}"
+set_keytime "KEY2" "ACTIVE" "${created}"
+check_keytimes
+check_apex
+check_subdomain
+dnssec_verify
+
#
# Zone: inherit.kasp.
#