kasp: stop using RSASHA1 unless necessary for the test
authorMark Andrews <marka@isc.org>
Wed, 22 Dec 2021 00:14:57 +0000 (11:14 +1100)
committerMichal Nowak <mnowak@isc.org>
Mon, 3 Oct 2022 11:28:25 +0000 (13:28 +0200)
Move tests from being RSASHA1-based to RSASHA256-based where possible,
and split out the remaining RSASHA1-based tests so that they are not
run on operating systems that do not support RSASHA1.

(cherry picked from commit db028684e50c58100ea5eeadd5aa340981d83151)

14 files changed:
bin/tests/system/kasp/clean.sh
bin/tests/system/kasp/kasp.conf
bin/tests/system/kasp/ns3/named-fips.conf.in [new file with mode: 0644]
bin/tests/system/kasp/ns3/named.conf.in
bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in [new file with mode: 0644]
bin/tests/system/kasp/ns3/policies/kasp.conf.in
bin/tests/system/kasp/ns3/setup.sh
bin/tests/system/kasp/ns6/named.conf.in
bin/tests/system/kasp/ns6/policies/csk1.conf.in
bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in [new file with mode: 0644]
bin/tests/system/kasp/ns6/policies/kasp.conf.in
bin/tests/system/kasp/ns6/setup.sh
bin/tests/system/kasp/setup.sh
bin/tests/system/kasp/tests.sh

index 637e5e0ce78a60086078ce24d49615d4a6b5700d..1ed1c80f0d7f434a5e8032980d601e3c26b7ec3a 100644 (file)
@@ -18,6 +18,7 @@ rm -f ./K*.private ./K*.key ./K*.state ./K*.cmp
 rm -rf ./keys/
 rm -f dig.out* rrsig.out.* keyevent.out.*
 rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
+rm -f ns*/named-fips.conf
 rm -f ns*/policies/*.conf
 rm -f ns*/*.jnl ns*/*.jbk
 rm -f ns*/K*.private ns*/K*.key ns*/K*.state
index b706558f7f6ee0f41c1a1f3bed15ee17323bc9d2..e7a2eab96652c9d328d7cbb0f251bb8314ab7e4c 100644 (file)
@@ -21,7 +21,7 @@ dnssec-policy "kasp" {
        keys {
                csk key-directory lifetime P1Y  algorithm 13;
                ksk key-directory lifetime P1Y  algorithm 8;
-               zsk key-directory lifetime P30D algorithm 8 1024;
-               zsk key-directory lifetime P6M  algorithm 8 2000;
+               zsk key-directory lifetime P30D algorithm 8 2048;
+               zsk key-directory lifetime P6M  algorithm 8 3072;
        };
 };
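Review bot: The ZSK sizes on the changed lines move from 1024 and 2000 bits to 2048 and 3072, but neither the commit message (which talks only about RSASHA1) nor the file records why, so a later reader could "restore" 1024 to make the test faster. Presumably the reason is that FIPS-mode RSA key generation accepts only standard moduli such as 2048/3072 and rejects an odd size like 2000, with 1024-bit RSA being below any current minimum in any case. A one-line comment above the `keys` block would pin that down, e.g. `// RSA sizes kept to 2048/3072: the moduli accepted by FIPS-mode key generation`. Confirm the exact limits BIND enforces in FIPS mode before settling on the wording.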
diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in
new file mode 100644 (file)
index 0000000..6199b04
--- /dev/null
@@ -0,0 +1,508 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+// NS3
+
+include "policies/kasp.conf";
+include "policies/autosign.conf";
+
+options {
+       query-source address 10.53.0.3;
+       notify-source 10.53.0.3;
+       transfer-source 10.53.0.3;
+       port @PORT@;
+       pid-file "named.pid";
+       listen-on { 10.53.0.3; };
+       listen-on-v6 { none; };
+       allow-transfer { any; };
+       recursion no;
+       dnssec-policy "rsasha256";
+};
+
+key rndc_key {
+        secret "1234abcd8765";
+        algorithm @DEFAULT_HMAC@;
+};
+
+controls {
+        inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
+};
+
+/* Zones that are getting initially signed */
+
+/* The default case: No keys created, using default policy. */
+zone "default.kasp" {
+       type primary;
+       file "default.kasp.db";
+       inline-signing yes;
+       dnssec-policy "default";
+};
+
+/* checkds: Zone with one KSK. */
+zone "checkds-ksk.kasp" {
+       type primary;
+       file "checkds-ksk.kasp.db";
+       inline-signing yes;
+       dnssec-policy "checkds-ksk";
+};
+
+/* checkds: Zone with two KSKs. */
+zone "checkds-doubleksk.kasp" {
+       type primary;
+       file "checkds-doubleksk.kasp.db";
+       inline-signing yes;
+       dnssec-policy "checkds-doubleksk";
+};
+
+/* checkds: Zone with one CSK. */
+zone "checkds-csk.kasp" {
+       type primary;
+       file "checkds-csk.kasp.db";
+       inline-signing yes;
+       dnssec-policy "checkds-csk";
+};
+
+/* Key lifetime unlimited. */
+zone "unlimited.kasp" {
+       type primary;
+       file "unlimited.kasp.db";
+       inline-signing yes;
+       dnssec-policy "unlimited";
+};
+
+/* Manual rollover. */
+zone "manual-rollover.kasp" {
+       type primary;
+       file "manual-rollover.kasp.db";
+       inline-signing yes;
+       dnssec-policy "manual-rollover";
+};
+
+/* A zone that inherits dnssec-policy. */
+zone "inherit.kasp" {
+       type primary;
+       inline-signing yes;
+       file "inherit.kasp.db";
+};
+
+/* A zone that overrides dnssec-policy. */
+zone "unsigned.kasp" {
+       type primary;
+       file "unsigned.kasp.db";
+       inline-signing yes;
+       dnssec-policy "none";
+};
+
+/* A zone that is initially set to insecure. */
+zone "insecure.kasp" {
+       type primary;
+       file "insecure.kasp.db";
+       inline-signing yes;
+       dnssec-policy "insecure";
+};
+
+/* A primary zone with dnssec-policy but keys already created. */
+zone "dnssec-keygen.kasp" {
+       type primary;
+       file "dnssec-keygen.kasp.db";
+       inline-signing yes;
+       dnssec-policy "rsasha256";
+};
+
+/* A secondary zone with dnssec-policy. */
+zone "secondary.kasp" {
+       type secondary;
+       primaries { 10.53.0.2; };
+       file "secondary.kasp.db";
+       inline-signing yes;
+       dnssec-policy "rsasha256";
+};
+
+/* A dynamic zone with dnssec-policy. */
+zone "dynamic.kasp" {
+       type primary;
+       file "dynamic.kasp.db";
+       dnssec-policy "default";
+       allow-update { any; };
+};
+
+/* A dynamic inline-signed zone with dnssec-policy. */
+zone "dynamic-inline-signing.kasp" {
+       type primary;
+       file "dynamic-inline-signing.kasp.db";
+       dnssec-policy "default";
+       allow-update { any; };
+       inline-signing yes;
+};
+
+/* An inline-signed zone with dnssec-policy. */
+zone "inline-signing.kasp" {
+       type primary;
+       file "inline-signing.kasp.db";
+       dnssec-policy "default";
+       inline-signing yes;
+};
+
+/*
+ * A configured dnssec-policy but some keys already created.
+ */
+zone "some-keys.kasp" {
+       type primary;
+       file "some-keys.kasp.db";
+       inline-signing yes;
+       dnssec-policy "rsasha256";
+};
+
+/*
+ * A configured dnssec-policy but some keys already in use.
+ */
+zone "legacy-keys.kasp" {
+       type primary;
+       file "legacy-keys.kasp.db";
+       inline-signing yes;
+       dnssec-policy "migrate-to-dnssec-policy";
+};
+
+/*
+ * A configured dnssec-policy with (too) many keys pregenerated.
+ */
+zone "pregenerated.kasp" {
+       type primary;
+       file "pregenerated.kasp.db";
+       inline-signing yes;
+       dnssec-policy "rsasha256";
+};
+
+/*
+ * A configured dnssec-policy with one rumoured key.
+ * Bugfix case for GL #1593.
+ */
+zone "rumoured.kasp" {
+       type primary;
+       file "rumoured.kasp.db";
+       inline-signing yes;
+       dnssec-policy "rsasha256";
+};
+
+/* RFC 8901 Multi-signer Model 2. */
+zone "multisigner-model2.kasp" {
+       type primary;
+       file "multisigner-model2.kasp.db";
+       dnssec-policy "multisigner-model2";
+       allow-update { any; };
+};
+
+/*
+ * Different algorithms.
+ */
+zone "rsasha256.kasp" {
+       type primary;
+       file "rsasha256.kasp.db";
+       inline-signing yes;
+       dnssec-policy "rsasha256";
+};
+zone "rsasha512.kasp" {
+       type primary;
+       file "rsasha512.kasp.db";
+       inline-signing yes;
+       dnssec-policy "rsasha512";
+};
+zone "ecdsa256.kasp" {
+       type primary;
+       file "ecdsa256.kasp.db";
+       inline-signing yes;
+       dnssec-policy "ecdsa256";
+};
+zone "ecdsa384.kasp" {
+       type primary;
+       file "ecdsa384.kasp.db";
+       inline-signing yes;
+       dnssec-policy "ecdsa384";
+};
+
+/*
+ * Zone with too high TTL.
+ */
+zone "max-zone-ttl.kasp" {
+       type primary;
+       file "max-zone-ttl.kasp.db";
+       inline-signing yes;
+       dnssec-policy "ttl";
+};
+
+/*
+ * Zones in different signing states.
+ */
+
+/*
+ * Zone that has expired signatures.
+ */
+zone "expired-sigs.autosign" {
+       type primary;
+       file "expired-sigs.autosign.db";
+       inline-signing yes;
+       dnssec-policy "autosign";
+};
+
+/*
+ * Zone that has valid, fresh signatures.
+ */
+zone "fresh-sigs.autosign" {
+       type primary;
+       file "fresh-sigs.autosign.db";
+       inline-signing yes;
+       dnssec-policy "autosign";
+};
+
+/*
+ * Zone that has unfresh signatures.
+ */
+zone "unfresh-sigs.autosign" {
+       type primary;
+       file "unfresh-sigs.autosign.db";
+       inline-signing yes;
+       dnssec-policy "autosign";
+};
+
+/*
+ * Zone that has missing private KSK.
+ */
+zone "ksk-missing.autosign" {
+       type primary;
+       file "ksk-missing.autosign.db";
+       inline-signing yes;
+       dnssec-policy "autosign";
+};
+
+/*
+ * Zone that has missing private ZSK.
+ */
+zone "zsk-missing.autosign" {
+       type primary;
+       file "zsk-missing.autosign.db";
+       inline-signing yes;
+       dnssec-policy "autosign";
+};
+
+/*
+ * Zone that has inactive ZSK.
+ */
+zone "zsk-retired.autosign" {
+       type primary;
+       file "zsk-retired.autosign.db";
+       inline-signing yes;
+       dnssec-policy "autosign";
+};
+
+/*
+ * Zones for testing enabling DNSSEC.
+ */
+zone "step1.enable-dnssec.autosign" {
+       type primary;
+       file "step1.enable-dnssec.autosign.db";
+       inline-signing yes;
+       dnssec-policy "enable-dnssec";
+};
+zone "step2.enable-dnssec.autosign" {
+       type primary;
+       file "step2.enable-dnssec.autosign.db";
+       inline-signing yes;
+       dnssec-policy "enable-dnssec";
+};
+zone "step3.enable-dnssec.autosign" {
+       type primary;
+       file "step3.enable-dnssec.autosign.db";
+       inline-signing yes;
+       dnssec-policy "enable-dnssec";
+};
+zone "step4.enable-dnssec.autosign" {
+       type primary;
+       file "step4.enable-dnssec.autosign.db";
+       inline-signing yes;
+       dnssec-policy "enable-dnssec";
+};
+
+/*
+ * Zones for testing ZSK Pre-Publication steps.
+ */
+zone "step1.zsk-prepub.autosign" {
+       type primary;
+       file "step1.zsk-prepub.autosign.db";
+       inline-signing yes;
+       dnssec-policy "zsk-prepub";
+};
+zone "step2.zsk-prepub.autosign" {
+       type primary;
+       file "step2.zsk-prepub.autosign.db";
+       inline-signing yes;
+       dnssec-policy "zsk-prepub";
+};
+zone "step3.zsk-prepub.autosign" {
+       type primary;
+       file "step3.zsk-prepub.autosign.db";
+       inline-signing yes;
+       dnssec-policy "zsk-prepub";
+};
+zone "step4.zsk-prepub.autosign" {
+       type primary;
+       file "step4.zsk-prepub.autosign.db";
+       inline-signing yes;
+       dnssec-policy "zsk-prepub";
+};
+zone "step5.zsk-prepub.autosign" {
+       type primary;
+       file "step5.zsk-prepub.autosign.db";
+       inline-signing yes;
+       dnssec-policy "zsk-prepub";
+};
+zone "step6.zsk-prepub.autosign" {
+       type primary;
+       file "step6.zsk-prepub.autosign.db";
+       inline-signing yes;
+       dnssec-policy "zsk-prepub";
+};
+
+/*
+ * Zones for testing KSK Double-KSK steps.
+ */
+zone "step1.ksk-doubleksk.autosign" {
+       type primary;
+       file "step1.ksk-doubleksk.autosign.db";
+       inline-signing yes;
+       dnssec-policy "ksk-doubleksk";
+};
+zone "step2.ksk-doubleksk.autosign" {
+       type primary;
+       file "step2.ksk-doubleksk.autosign.db";
+       inline-signing yes;
+       dnssec-policy "ksk-doubleksk";
+};
+zone "step3.ksk-doubleksk.autosign" {
+       type primary;
+       file "step3.ksk-doubleksk.autosign.db";
+       inline-signing yes;
+       dnssec-policy "ksk-doubleksk";
+};
+zone "step4.ksk-doubleksk.autosign" {
+       type primary;
+       file "step4.ksk-doubleksk.autosign.db";
+       inline-signing yes;
+       dnssec-policy "ksk-doubleksk";
+};
+zone "step5.ksk-doubleksk.autosign" {
+       type primary;
+       file "step5.ksk-doubleksk.autosign.db";
+       inline-signing yes;
+       dnssec-policy "ksk-doubleksk";
+};
+zone "step6.ksk-doubleksk.autosign" {
+       type primary;
+       file "step6.ksk-doubleksk.autosign.db";
+       inline-signing yes;
+       dnssec-policy "ksk-doubleksk";
+};
+
+/*
+ * Zones for testing CSK rollover steps.
+ */
+zone "step1.csk-roll.autosign" {
+       type primary;
+       file "step1.csk-roll.autosign.db";
+       inline-signing yes;
+       dnssec-policy "csk-roll";
+};
+zone "step2.csk-roll.autosign" {
+       type primary;
+       file "step2.csk-roll.autosign.db";
+       inline-signing yes;
+       dnssec-policy "csk-roll";
+};
+zone "step3.csk-roll.autosign" {
+       type primary;
+       file "step3.csk-roll.autosign.db";
+       inline-signing yes;
+       dnssec-policy "csk-roll";
+};
+zone "step4.csk-roll.autosign" {
+       type primary;
+       file "step4.csk-roll.autosign.db";
+       inline-signing yes;
+       dnssec-policy "csk-roll";
+};
+zone "step5.csk-roll.autosign" {
+       type primary;
+       file "step5.csk-roll.autosign.db";
+       inline-signing yes;
+       dnssec-policy "csk-roll";
+};
+zone "step6.csk-roll.autosign" {
+       type primary;
+       file "step6.csk-roll.autosign.db";
+       inline-signing yes;
+       dnssec-policy "csk-roll";
+};
+zone "step7.csk-roll.autosign" {
+       type primary;
+       file "step7.csk-roll.autosign.db";
+       inline-signing yes;
+       dnssec-policy "csk-roll";
+};
+zone "step8.csk-roll.autosign" {
+       type primary;
+       file "step8.csk-roll.autosign.db";
+       inline-signing yes;
+       dnssec-policy "csk-roll";
+};
+
+zone "step1.csk-roll2.autosign" {
+       type primary;
+       file "step1.csk-roll2.autosign.db";
+       inline-signing yes;
+       dnssec-policy "csk-roll2";
+};
+zone "step2.csk-roll2.autosign" {
+       type primary;
+       file "step2.csk-roll2.autosign.db";
+       inline-signing yes;
+       dnssec-policy "csk-roll2";
+};
+zone "step3.csk-roll2.autosign" {
+       type primary;
+       file "step3.csk-roll2.autosign.db";
+       inline-signing yes;
+       dnssec-policy "csk-roll2";
+};
+zone "step4.csk-roll2.autosign" {
+       type primary;
+       file "step4.csk-roll2.autosign.db";
+       inline-signing yes;
+       dnssec-policy "csk-roll2";
+};
+zone "step5.csk-roll2.autosign" {
+       type primary;
+       file "step5.csk-roll2.autosign.db";
+       inline-signing yes;
+       dnssec-policy "csk-roll2";
+};
+zone "step6.csk-roll2.autosign" {
+       type primary;
+       file "step6.csk-roll2.autosign.db";
+       inline-signing yes;
+       dnssec-policy "csk-roll2";
+};
+zone "step7.csk-roll2.autosign" {
+       type primary;
+       file "step7.csk-roll2.autosign.db";
+       inline-signing yes;
+       dnssec-policy "csk-roll2";
+};
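Review bot: `include "policies/kasp.conf";` at the top of this new file (rather than `policies/kasp-fips.conf`) means the FIPS variant of named.conf still loads whichever file setup.sh installs as policies/kasp.conf; if that were generated from kasp.conf.in it would define the algorithm 5/7 `rsasha1` policies this configuration exists to avoid, and named would reject the config on a build without RSASHA1. setup.sh is in the diffstat but not shown here, so I cannot confirm which template it copies on such a host, and the file itself gives no hint. Making the expectation explicit would stop the coupling from being silent, e.g. `// policies/kasp.conf is expected to be generated from kasp-fips.conf.in on builds without RSASHA1; see setup.sh` above the include.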
index aa3bef12031c4d9e46b95c7b745c35b709ad6e3f..92e007d1e7370847870fa9fcb9e2ab37d0ec3693 100644 (file)
 
 // NS3
 
-include "policies/kasp.conf";
-include "policies/autosign.conf";
+include "named-fips.conf";
 
-options {
-       query-source address 10.53.0.3;
-       notify-source 10.53.0.3;
-       transfer-source 10.53.0.3;
-       port @PORT@;
-       pid-file "named.pid";
-       listen-on { 10.53.0.3; };
-       listen-on-v6 { none; };
-       allow-transfer { any; };
-       recursion no;
-       dnssec-policy "rsasha1";
-};
-
-key rndc_key {
-        secret "1234abcd8765";
-        algorithm hmac-sha256;
-};
-
-controls {
-        inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
-};
-
-/* Zones that are getting initially signed */
-
-/* The default case: No keys created, using default policy. */
-zone "default.kasp" {
-       type primary;
-       file "default.kasp.db";
-       inline-signing yes;
-       dnssec-policy "default";
-};
-
-/* checkds: Zone with one KSK. */
-zone "checkds-ksk.kasp" {
-       type primary;
-       file "checkds-ksk.kasp.db";
-       inline-signing yes;
-       dnssec-policy "checkds-ksk";
-};
-
-/* checkds: Zone with two KSKs. */
-zone "checkds-doubleksk.kasp" {
-       type primary;
-       file "checkds-doubleksk.kasp.db";
-       inline-signing yes;
-       dnssec-policy "checkds-doubleksk";
-};
-
-/* checkds: Zone with one CSK. */
-zone "checkds-csk.kasp" {
-       type primary;
-       file "checkds-csk.kasp.db";
-       inline-signing yes;
-       dnssec-policy "checkds-csk";
-};
-
-/* Key lifetime unlimited. */
-zone "unlimited.kasp" {
-       type primary;
-       file "unlimited.kasp.db";
-       inline-signing yes;
-       dnssec-policy "unlimited";
-};
-
-/* Manual rollover. */
-zone "manual-rollover.kasp" {
-       type primary;
-       file "manual-rollover.kasp.db";
-       inline-signing yes;
-       dnssec-policy "manual-rollover";
-};
-
-/* A master zone with dnssec-policy, no keys created. */
 zone "rsasha1.kasp" {
        type primary;
        file "rsasha1.kasp.db";
@@ -96,427 +22,9 @@ zone "rsasha1.kasp" {
        dnssec-policy "rsasha1";
 };
 
-/* A zone that inherits dnssec-policy. */
-zone "inherit.kasp" {
-       type primary;
-       inline-signing yes;
-       file "inherit.kasp.db";
-};
-
-/* A zone that overrides dnssec-policy. */
-zone "unsigned.kasp" {
-       type primary;
-       file "unsigned.kasp.db";
-       inline-signing yes;
-       dnssec-policy "none";
-};
-
-/* A zone that is initially set to insecure. */
-zone "insecure.kasp" {
-       type primary;
-       file "insecure.kasp.db";
-       inline-signing yes;
-       dnssec-policy "insecure";
-};
-
-/* A master zone with dnssec-policy but keys already created. */
-zone "dnssec-keygen.kasp" {
-       type primary;
-       file "dnssec-keygen.kasp.db";
-       inline-signing yes;
-       dnssec-policy "rsasha1";
-};
-
-/* A secondary zone with dnssec-policy. */
-zone "secondary.kasp" {
-       type secondary;
-       primaries { 10.53.0.2; };
-       file "secondary.kasp.db";
-       inline-signing yes;
-       dnssec-policy "rsasha1";
-};
-
-/* A dynamic zone with dnssec-policy. */
-zone "dynamic.kasp" {
-       type primary;
-       file "dynamic.kasp.db";
-       dnssec-policy "default";
-       allow-update { any; };
-};
-
-/* A dynamic inline-signed zone with dnssec-policy. */
-zone "dynamic-inline-signing.kasp" {
-       type primary;
-       file "dynamic-inline-signing.kasp.db";
-       dnssec-policy "default";
-       allow-update { any; };
-       inline-signing yes;
-};
-
-/* An inline-signed zone with dnssec-policy. */
-zone "inline-signing.kasp" {
-       type primary;
-       file "inline-signing.kasp.db";
-       dnssec-policy "default";
-       inline-signing yes;
-};
-
-/*
- * A configured dnssec-policy but some keys already created.
- */
-zone "some-keys.kasp" {
-       type primary;
-       file "some-keys.kasp.db";
-       inline-signing yes;
-       dnssec-policy "rsasha1";
-};
-
-/*
- * A configured dnssec-policy but some keys already in use.
- */
-zone "legacy-keys.kasp" {
-       type primary;
-       file "legacy-keys.kasp.db";
-       inline-signing yes;
-       dnssec-policy "migrate-to-dnssec-policy";
-};
-
-/*
- * A configured dnssec-policy with (too) many keys pregenerated.
- */
-zone "pregenerated.kasp" {
-       type primary;
-       file "pregenerated.kasp.db";
-       inline-signing yes;
-       dnssec-policy "rsasha1";
-};
-
-/*
- * A configured dnssec-policy with one rumoured key.
- * Bugfix case for GL #1593.
- */
-zone "rumoured.kasp" {
-       type primary;
-       file "rumoured.kasp.db";
-       inline-signing yes;
-       dnssec-policy "rsasha1";
-};
-
-/* RFC 8901 Multi-signer Model 2. */
-zone "multisigner-model2.kasp" {
-       type primary;
-       file "multisigner-model2.kasp.db";
-       dnssec-policy "multisigner-model2";
-       allow-update { any; };
-};
-
-/*
- * Different algorithms.
- */
 zone "rsasha1-nsec3.kasp" {
        type primary;
        file "rsasha1-nsec3.kasp.db";
        inline-signing yes;
        dnssec-policy "rsasha1-nsec3";
 };
-zone "rsasha256.kasp" {
-       type primary;
-       file "rsasha256.kasp.db";
-       inline-signing yes;
-       dnssec-policy "rsasha256";
-};
-zone "rsasha512.kasp" {
-       type primary;
-       file "rsasha512.kasp.db";
-       inline-signing yes;
-       dnssec-policy "rsasha512";
-};
-zone "ecdsa256.kasp" {
-       type primary;
-       file "ecdsa256.kasp.db";
-       inline-signing yes;
-       dnssec-policy "ecdsa256";
-};
-zone "ecdsa384.kasp" {
-       type primary;
-       file "ecdsa384.kasp.db";
-       inline-signing yes;
-       dnssec-policy "ecdsa384";
-};
-
-/*
- * Zone with too high TTL.
- */
-zone "max-zone-ttl.kasp" {
-       type primary;
-       file "max-zone-ttl.kasp.db";
-       inline-signing yes;
-       dnssec-policy "ttl";
-};
-
-/*
- * Zones in different signing states.
- */
-
-/*
- * Zone that has expired signatures.
- */
-zone "expired-sigs.autosign" {
-       type primary;
-       file "expired-sigs.autosign.db";
-       inline-signing yes;
-       dnssec-policy "autosign";
-};
-
-/*
- * Zone that has valid, fresh signatures.
- */
-zone "fresh-sigs.autosign" {
-       type primary;
-       file "fresh-sigs.autosign.db";
-       inline-signing yes;
-       dnssec-policy "autosign";
-};
-
-/*
- * Zone that has unfresh signatures.
- */
-zone "unfresh-sigs.autosign" {
-       type primary;
-       file "unfresh-sigs.autosign.db";
-       inline-signing yes;
-       dnssec-policy "autosign";
-};
-
-/*
- * Zone that has missing private KSK.
- */
-zone "ksk-missing.autosign" {
-       type primary;
-       file "ksk-missing.autosign.db";
-       inline-signing yes;
-       dnssec-policy "autosign";
-};
-
-/*
- * Zone that has missing private ZSK.
- */
-zone "zsk-missing.autosign" {
-       type primary;
-       file "zsk-missing.autosign.db";
-       inline-signing yes;
-       dnssec-policy "autosign";
-};
-
-/*
- * Zone that has inactive ZSK.
- */
-zone "zsk-retired.autosign" {
-       type primary;
-       file "zsk-retired.autosign.db";
-       inline-signing yes;
-       dnssec-policy "autosign";
-};
-
-/*
- * Zones for testing enabling DNSSEC.
- */
-zone "step1.enable-dnssec.autosign" {
-       type primary;
-       file "step1.enable-dnssec.autosign.db";
-       inline-signing yes;
-       dnssec-policy "enable-dnssec";
-};
-zone "step2.enable-dnssec.autosign" {
-       type primary;
-       file "step2.enable-dnssec.autosign.db";
-       inline-signing yes;
-       dnssec-policy "enable-dnssec";
-};
-zone "step3.enable-dnssec.autosign" {
-       type primary;
-       file "step3.enable-dnssec.autosign.db";
-       inline-signing yes;
-       dnssec-policy "enable-dnssec";
-};
-zone "step4.enable-dnssec.autosign" {
-       type primary;
-       file "step4.enable-dnssec.autosign.db";
-       inline-signing yes;
-       dnssec-policy "enable-dnssec";
-};
-
-/*
- * Zones for testing ZSK Pre-Publication steps.
- */
-zone "step1.zsk-prepub.autosign" {
-       type primary;
-       file "step1.zsk-prepub.autosign.db";
-       inline-signing yes;
-       dnssec-policy "zsk-prepub";
-};
-zone "step2.zsk-prepub.autosign" {
-       type primary;
-       file "step2.zsk-prepub.autosign.db";
-       inline-signing yes;
-       dnssec-policy "zsk-prepub";
-};
-zone "step3.zsk-prepub.autosign" {
-       type primary;
-       file "step3.zsk-prepub.autosign.db";
-       inline-signing yes;
-       dnssec-policy "zsk-prepub";
-};
-zone "step4.zsk-prepub.autosign" {
-       type primary;
-       file "step4.zsk-prepub.autosign.db";
-       inline-signing yes;
-       dnssec-policy "zsk-prepub";
-};
-zone "step5.zsk-prepub.autosign" {
-       type primary;
-       file "step5.zsk-prepub.autosign.db";
-       inline-signing yes;
-       dnssec-policy "zsk-prepub";
-};
-zone "step6.zsk-prepub.autosign" {
-       type primary;
-       file "step6.zsk-prepub.autosign.db";
-       inline-signing yes;
-       dnssec-policy "zsk-prepub";
-};
-
-/*
- * Zones for testing KSK Double-KSK steps.
- */
-zone "step1.ksk-doubleksk.autosign" {
-       type primary;
-       file "step1.ksk-doubleksk.autosign.db";
-       inline-signing yes;
-       dnssec-policy "ksk-doubleksk";
-};
-zone "step2.ksk-doubleksk.autosign" {
-       type primary;
-       file "step2.ksk-doubleksk.autosign.db";
-       inline-signing yes;
-       dnssec-policy "ksk-doubleksk";
-};
-zone "step3.ksk-doubleksk.autosign" {
-       type primary;
-       file "step3.ksk-doubleksk.autosign.db";
-       inline-signing yes;
-       dnssec-policy "ksk-doubleksk";
-};
-zone "step4.ksk-doubleksk.autosign" {
-       type primary;
-       file "step4.ksk-doubleksk.autosign.db";
-       inline-signing yes;
-       dnssec-policy "ksk-doubleksk";
-};
-zone "step5.ksk-doubleksk.autosign" {
-       type primary;
-       file "step5.ksk-doubleksk.autosign.db";
-       inline-signing yes;
-       dnssec-policy "ksk-doubleksk";
-};
-zone "step6.ksk-doubleksk.autosign" {
-       type primary;
-       file "step6.ksk-doubleksk.autosign.db";
-       inline-signing yes;
-       dnssec-policy "ksk-doubleksk";
-};
-
-/*
- * Zones for testing CSK rollover steps.
- */
-zone "step1.csk-roll.autosign" {
-       type primary;
-       file "step1.csk-roll.autosign.db";
-       inline-signing yes;
-       dnssec-policy "csk-roll";
-};
-zone "step2.csk-roll.autosign" {
-       type primary;
-       file "step2.csk-roll.autosign.db";
-       inline-signing yes;
-       dnssec-policy "csk-roll";
-};
-zone "step3.csk-roll.autosign" {
-       type primary;
-       file "step3.csk-roll.autosign.db";
-       inline-signing yes;
-       dnssec-policy "csk-roll";
-};
-zone "step4.csk-roll.autosign" {
-       type primary;
-       file "step4.csk-roll.autosign.db";
-       inline-signing yes;
-       dnssec-policy "csk-roll";
-};
-zone "step5.csk-roll.autosign" {
-       type primary;
-       file "step5.csk-roll.autosign.db";
-       inline-signing yes;
-       dnssec-policy "csk-roll";
-};
-zone "step6.csk-roll.autosign" {
-       type primary;
-       file "step6.csk-roll.autosign.db";
-       inline-signing yes;
-       dnssec-policy "csk-roll";
-};
-zone "step7.csk-roll.autosign" {
-       type primary;
-       file "step7.csk-roll.autosign.db";
-       inline-signing yes;
-       dnssec-policy "csk-roll";
-};
-zone "step8.csk-roll.autosign" {
-       type primary;
-       file "step8.csk-roll.autosign.db";
-       inline-signing yes;
-       dnssec-policy "csk-roll";
-};
-
-zone "step1.csk-roll2.autosign" {
-       type primary;
-       file "step1.csk-roll2.autosign.db";
-       inline-signing yes;
-       dnssec-policy "csk-roll2";
-};
-zone "step2.csk-roll2.autosign" {
-       type primary;
-       file "step2.csk-roll2.autosign.db";
-       inline-signing yes;
-       dnssec-policy "csk-roll2";
-};
-zone "step3.csk-roll2.autosign" {
-       type primary;
-       file "step3.csk-roll2.autosign.db";
-       inline-signing yes;
-       dnssec-policy "csk-roll2";
-};
-zone "step4.csk-roll2.autosign" {
-       type primary;
-       file "step4.csk-roll2.autosign.db";
-       inline-signing yes;
-       dnssec-policy "csk-roll2";
-};
-zone "step5.csk-roll2.autosign" {
-       type primary;
-       file "step5.csk-roll2.autosign.db";
-       inline-signing yes;
-       dnssec-policy "csk-roll2";
-};
-zone "step6.csk-roll2.autosign" {
-       type primary;
-       file "step6.csk-roll2.autosign.db";
-       inline-signing yes;
-       dnssec-policy "csk-roll2";
-};
-zone "step7.csk-roll2.autosign" {
-       type primary;
-       file "step7.csk-roll2.autosign.db";
-       inline-signing yes;
-       dnssec-policy "csk-roll2";
-};
diff --git a/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in
new file mode 100644 (file)
index 0000000..90a92a2
--- /dev/null
@@ -0,0 +1,118 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "unlimited" {
+       dnskey-ttl 1234;
+
+       keys {
+               csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+       };
+};
+
+dnssec-policy "manual-rollover" {
+       dnskey-ttl 3600;
+
+       keys {
+               ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+               zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+       };
+};
+
+dnssec-policy "multisigner-model2" {
+       dnskey-ttl 3600;
+
+       keys {
+               ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+               zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+       };
+};
+
+dnssec-policy "migrate-to-dnssec-policy" {
+       dnskey-ttl 1234;
+
+       keys {
+               ksk key-directory lifetime P6M algorithm 8;
+               zsk key-directory lifetime P6M algorithm 8;
+       };
+};
+
+dnssec-policy "rsasha256" {
+       dnskey-ttl 1234;
+
+       keys {
+               ksk key-directory lifetime P10Y algorithm 8;
+               zsk key-directory lifetime P5Y  algorithm 8;
+               zsk key-directory lifetime P1Y  algorithm 8 3072;
+       };
+};
+
+dnssec-policy "rsasha512" {
+       dnskey-ttl 1234;
+
+       keys {
+               ksk key-directory lifetime P10Y algorithm 10;
+               zsk key-directory lifetime P5Y  algorithm 10;
+               zsk key-directory lifetime P1Y  algorithm 10 3072;
+       };
+};
+
+dnssec-policy "ecdsa256" {
+       dnskey-ttl 1234;
+
+       keys {
+               ksk key-directory lifetime P10Y algorithm 13;
+               zsk key-directory lifetime P5Y  algorithm 13;
+               zsk key-directory lifetime P1Y  algorithm 13 256;
+       };
+};
+
+dnssec-policy "ecdsa384" {
+       dnskey-ttl 1234;
+
+       keys {
+               ksk key-directory lifetime P10Y algorithm 14;
+               zsk key-directory lifetime P5Y  algorithm 14;
+               zsk key-directory lifetime P1Y  algorithm 14 384;
+       };
+};
+
+dnssec-policy "checkds-ksk" {
+       dnskey-ttl 303;
+
+       keys {
+               ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+               zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+       };
+};
+
+dnssec-policy "checkds-doubleksk" {
+       dnskey-ttl 303;
+
+       keys {
+               ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+               ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+               zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+       };
+};
+
+dnssec-policy "checkds-csk" {
+       dnskey-ttl 303;
+
+       keys {
+               csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+       };
+};
+
+dnssec-policy "ttl" {
+       max-zone-ttl 299;
+};
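Review bot: Nothing in this file says why it exists or how it relates to policies/kasp.conf, and the `-fips` suffix undersells it: every policy here merely avoids RSASHA1 (algorithms 5 and 7), and `dnssec-policy "ttl"` defines no keys at all, so the file is usable on any build. I would add a header comment after the license block such as `// Policies that do not require RSASHA1. Included by kasp.conf; intended to stand in for it on builds without RSASHA1 support (e.g. FIPS mode).`, adjusting the second sentence to whatever setup.sh actually does. Note also that `migrate-to-dnssec-policy` now asks for algorithm 8 keys; the pre-existing keys the legacy-keys.kasp test migrates are generated in ns3/setup.sh, which is in the diffstat but not shown, so presumably they were switched to RSASHA256 too — worth confirming, since a mismatch would turn that test into an algorithm rollover.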
index 17b900c7b37b1901329082509ce1a902d08384f0..cb045bcb07a64e398503e4fdd7dd22c3028dc5dd 100644 (file)
  * information regarding copyright ownership.
  */
 
-dnssec-policy "unlimited" {
-       dnskey-ttl 1234;
-
-       keys {
-               csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
-       };
-};
-
-dnssec-policy "manual-rollover" {
-       dnskey-ttl 3600;
-
-       keys {
-               ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
-               zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
-       };
-};
-
-dnssec-policy "multisigner-model2" {
-       dnskey-ttl 3600;
-
-       keys {
-               ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
-               zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
-       };
-};
+include "policies/kasp-fips.conf";
 
 dnssec-policy "rsasha1" {
        dnskey-ttl 1234;
@@ -47,15 +23,6 @@ dnssec-policy "rsasha1" {
        };
 };
 
-dnssec-policy "migrate-to-dnssec-policy" {
-       dnskey-ttl 1234;
-
-       keys {
-               ksk key-directory lifetime P6M algorithm 5;
-               zsk key-directory lifetime P6M algorithm 5;
-       };
-};
-
 dnssec-policy "rsasha1-nsec3" {
        dnskey-ttl 1234;
 
@@ -65,74 +32,3 @@ dnssec-policy "rsasha1-nsec3" {
                zsk key-directory lifetime P1Y  algorithm 7 2000;
        };
 };
-
-dnssec-policy "rsasha256" {
-       dnskey-ttl 1234;
-
-       keys {
-               ksk key-directory lifetime P10Y algorithm 8;
-               zsk key-directory lifetime P5Y  algorithm 8;
-               zsk key-directory lifetime P1Y  algorithm 8 2000;
-       };
-};
-
-dnssec-policy "rsasha512" {
-       dnskey-ttl 1234;
-
-       keys {
-               ksk key-directory lifetime P10Y algorithm 10;
-               zsk key-directory lifetime P5Y  algorithm 10;
-               zsk key-directory lifetime P1Y  algorithm 10 2000;
-       };
-};
-
-dnssec-policy "ecdsa256" {
-       dnskey-ttl 1234;
-
-       keys {
-               ksk key-directory lifetime P10Y algorithm 13;
-               zsk key-directory lifetime P5Y  algorithm 13;
-               zsk key-directory lifetime P1Y  algorithm 13 256;
-       };
-};
-
-dnssec-policy "ecdsa384" {
-       dnskey-ttl 1234;
-
-       keys {
-               ksk key-directory lifetime P10Y algorithm 14;
-               zsk key-directory lifetime P5Y  algorithm 14;
-               zsk key-directory lifetime P1Y  algorithm 14 384;
-       };
-};
-
-dnssec-policy "checkds-ksk" {
-       dnskey-ttl 303;
-
-       keys {
-               ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
-               zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
-       };
-};
-
-dnssec-policy "checkds-doubleksk" {
-       dnskey-ttl 303;
-
-       keys {
-               ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
-               ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
-               zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
-       };
-};
-
-dnssec-policy "checkds-csk" {
-       dnskey-ttl 303;
-
-       keys {
-               csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
-       };
-};
-
-dnssec-policy "ttl" {
-       max-zone-ttl 299;
-};
index bc4a0fc11d686d83aa5c3765af974747389f7595..cc702d13f6e8e836d3d537d4efd90c0095223f4f 100644 (file)
@@ -42,8 +42,8 @@ U="UNRETENTIVE"
 #
 # Set up zones that will be initially signed.
 #
-for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \
-         rumoured rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 \
+for zn in default dnssec-keygen some-keys legacy-keys pregenerated \
+         rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \
          dynamic dynamic-inline-signing inline-signing \
          checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
          manual-rollover multisigner-model2
@@ -52,6 +52,22 @@ do
        cp template.db.in "$zonefile"
 done
 
+#
+# Set up RSASHA1 based zones
+#
+for zn in rsasha1 rsasha1-nsec3
+do
+       if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1)
+       then
+               setup "${zn}.kasp"
+               cp template.db.in "$zonefile"
+       else
+               # don't add to zones.
+               echo_i "setting up zone: ${zn}.kasp"
+               cp template.db.in "${zn}.kasp.db"
+       fi
+done
+
 if [ -f ../ed25519-supported.file ]; then
        setup "ed25519.kasp"
        cp template.db.in "$zonefile"
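Review bot: The `else` branch of the new RSASHA1 loop logs `setting up zone: ${zn}.kasp` even though the zone is deliberately not added to `zones`, so on a platform without RSASHA1 the log reads exactly like a run that set the zone up; make the skip visible, e.g. `echo_i "RSASHA1 not supported: ${zn}.kasp not added to zones"`. It is also not clear from this file what consumes the `${zn}.kasp.db` copied in that branch — if ns3/named-fips.conf.in (not shown) does not reference these zones the copy can go, otherwise a comment naming the consumer would help. The same `testcrypto.sh -q RSASHA1` probe is repeated in kasp/setup.sh and tests.sh; the `../ed25519-supported.file` test on the very next line is the existing pattern for probing once and sharing the result through a marker file, and an `rsasha1-supported.file` would let all of them test for a file instead.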
@@ -78,31 +94,31 @@ done
 # Some of these zones already have keys.
 zone="dnssec-keygen.kasp"
 echo_i "setting up zone: $zone"
-$KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
 
 zone="some-keys.kasp"
 echo_i "setting up zone: $zone"
-$KEYGEN -G -a RSASHA1 -b 2000 -L 1234 $zone > keygen.out.$zone.1 2>&1
-$KEYGEN -G -a RSASHA1 -f KSK  -L 1234 $zone > keygen.out.$zone.2 2>&1
+$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -G -a RSASHA256 -f KSK  -L 1234 $zone > keygen.out.$zone.2 2>&1
 
 zone="legacy-keys.kasp"
 echo_i "setting up zone: $zone"
-ZSK=$($KEYGEN -a RSASHA1 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1)
-KSK=$($KEYGEN -a RSASHA1 -f KSK  -L 1234 $zone 2> keygen.out.$zone.2)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1)
+KSK=$($KEYGEN -a RSASHA256 -f KSK  -L 1234 $zone 2> keygen.out.$zone.2)
 echo $ZSK > legacy-keys.kasp.zsk
 echo $KSK > legacy-keys.kasp.ksk
 # Predecessor keys:
 Tact="now-9mo"
 Tret="now-3mo"
-ZSK=$($KEYGEN -a RSASHA1 -b 2048 -L 1234 $zone 2> keygen.out.$zone.3)
-KSK=$($KEYGEN -a RSASHA1 -f KSK  -L 1234 $zone 2> keygen.out.$zone.4)
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.3)
+KSK=$($KEYGEN -a RSASHA256 -f KSK  -L 1234 $zone 2> keygen.out.$zone.4)
 $SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK"  > settime.out.$zone.1 2>&1
 $SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK"  > settime.out.$zone.2 2>&1
 
 zone="pregenerated.kasp"
 echo_i "setting up zone: $zone"
-$KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
-$KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
+$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
 
 zone="multisigner-model2.kasp"
 echo_i "setting up zone: $zone"
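Review bot: The pre-generated ZSK for some-keys.kasp is now created with `-b 2048` (the `keygen.out.$zone.1` line), which presumably matches the policy's first zsk entry, whereas rumoured.kasp further down uses `-b 3072` to match the oversized third entry; the old `-b 2000` matched the oversized entry in both zones. The test still ends with three keys either way, but if the intent was to keep exercising a pre-generated key that satisfies the non-default-size entry this should be `-b 3072` too; if the difference is deliberate, a comment such as `# 2048-bit ZSK matches the policy's first zsk entry; named generates the 3072-bit one` would record it. The `-f KSK` generations on both lines still carry no `-b`, so the 2048 that tests.sh expects for them rests on dnssec-keygen's default RSA size.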
@@ -122,9 +138,9 @@ echo_i "setting up zone: $zone"
 Tpub="now"
 Tact="now+1d"
 keytimes="-P ${Tpub} -A ${Tact}"
-KSK=$($KEYGEN  -a RSASHA1 -f KSK  -L 1234 $keytimes $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1 -b 2000 -L 1234 $keytimes $zone 2> keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a RSASHA1         -L 1234 $keytimes $zone 2> keygen.out.$zone.3)
+KSK=$($KEYGEN  -a RSASHA256 -f KSK  -L 1234 $keytimes $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes $zone 2> keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a RSASHA256         -L 1234 $keytimes $zone 2> keygen.out.$zone.3)
 $SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub  "$KSK"  > settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $R $Tpub -z $R $Tpub              "$ZSK1" > settime.out.$zone.2 2>&1
 $SETTIME -s -g $O -k $R $Tpub -z $R $Tpub              "$ZSK2" > settime.out.$zone.2 2>&1
index cf9900ff00c0608d57ee785bc20c79f6417685f3..7b919d4ee121aed35e3aa67a81cc6592e0505162 100644 (file)
@@ -65,7 +65,7 @@ zone "step1.algorithm-roll.kasp" {
        type primary;
        file "step1.algorithm-roll.kasp.db";
        inline-signing yes;
-       dnssec-policy "rsasha1";
+       dnssec-policy "rsasha256";
 };
 
 zone "step1.csk-algorithm-roll.kasp" {
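Review bot: Once step1.algorithm-roll.kasp's policy becomes "rsasha256" on the changed line, the ns6 algorithm-roll scenarios no longer exercise a roll away from RSASHA1 at all, yet migrating off RSASHA1 (listed by RFC 8624 as NOT RECOMMENDED for signing) is the roll operators most need to work. The commit message accepts this to run on systems without RSASHA1, but keeping one RSASHA1→ECDSAP256SHA256 roll zone behind the same `testcrypto.sh -q RSASHA1` gate used in ns3 would preserve the case rather than drop it; if that is deliberately out of scope, a comment on the zone, `// roll starts from RSASHA256 so this test also runs where RSASHA1 is unavailable`, would record why. The `zone "step1.csk-algorithm-roll.kasp"` block on the last line continues outside this hunk.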
index ebaca8835b4ff3b41680aa97be28cfb682541160..a5ff042db80dc03f6c1686f4fcb3dd0e6c7a50a6 100644 (file)
@@ -17,7 +17,7 @@ dnssec-policy "csk-algoroll" {
        signatures-validity-dnskey 30d;
 
        keys {
-               csk lifetime unlimited algorithm rsasha1;
+               csk lifetime unlimited algorithm rsasha256;
        };
 
        dnskey-ttl 1h;
diff --git a/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns6/policies/kasp-fips.conf.in
new file mode 100644 (file)
index 0000000..683c9ef
--- /dev/null
@@ -0,0 +1,59 @@
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0.  If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "unsigning" {
+       dnskey-ttl 7200;
+
+       keys {
+               ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+               zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
+       };
+};
+
+dnssec-policy "rsasha256" {
+       signatures-refresh P5D;
+       signatures-validity 30d;
+       signatures-validity-dnskey 30d;
+
+       keys {
+               ksk lifetime unlimited algorithm rsasha256;
+               zsk lifetime unlimited algorithm rsasha256;
+       };
+
+       dnskey-ttl 1h;
+       publish-safety PT1H;
+       retire-safety 2h;
+       zone-propagation-delay 3600;
+       max-zone-ttl 6h;
+       parent-propagation-delay pt1h;
+       parent-ds-ttl 7200;
+};
+
+dnssec-policy "ecdsa256" {
+       signatures-refresh P5D;
+       signatures-validity 30d;
+       signatures-validity-dnskey 30d;
+
+       keys {
+               ksk lifetime unlimited algorithm ecdsa256;
+               zsk lifetime unlimited algorithm ecdsa256;
+       };
+
+       dnskey-ttl 1h;
+       publish-safety PT1H;
+       retire-safety 2h;
+       zone-propagation-delay 3600;
+       max-zone-ttl 6h;
+       parent-propagation-delay pt1h;
+       parent-ds-ttl 7200;
+};
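Review bot: Nothing in the new file says why these three policies live in kasp-fips.conf.in rather than kasp.conf.in, yet the constraint matters: kasp/setup.sh copies this file over ns6/policies/kasp.conf when RSASHA1 is unavailable, so any policy added here must avoid algorithms that can be absent in FIPS mode, and any non-RSASHA1 policy added only to kasp.conf.in will be missing in those runs. A header comment after the license block would capture that, e.g. `/* Policies that do not need RSASHA1. Included by kasp.conf.in and used in place of kasp.conf when RSASHA1 is unavailable (see ../../setup.sh); keep RSASHA1/NSEC3RSASHA1 policies out of this file. */`. The "rsasha256" and "ecdsa256" bodies differ only in the algorithm keyword, which is fine for a fixture but worth a one-line note so the duplication is not "fixed" later.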
index 2caae022d2c30dda8883cb048d5aea0f93ba6b9d..d634b76ffe78bb8aec258c5ab5ca6fa27ca7b592 100644 (file)
  * information regarding copyright ownership.
  */
 
-dnssec-policy "unsigning" {
-       dnskey-ttl 7200;
-
-       keys {
-               ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
-               zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
-       };
-};
+include "policies/kasp-fips.conf";
 
 dnssec-policy "rsasha1" {
        signatures-refresh P5D;
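Review bot: Everything left in this file after the new `include "policies/kasp-fips.conf"` line is silently absent on platforms without RSASHA1, because kasp/setup.sh overwrites kasp.conf with kasp-fips.conf there; today that is only the "rsasha1" policy, which is the intent, but the file does not say so. A comment on the include would protect the invariant: `/* On systems without RSASHA1, setup.sh replaces this file with kasp-fips.conf; add policies that do not need RSASHA1 to kasp-fips.conf.in, not here. */`. The dnssec-policy "rsasha1" body that begins at the end of this hunk continues outside it.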
@@ -38,22 +31,3 @@ dnssec-policy "rsasha1" {
        parent-propagation-delay pt1h;
        parent-ds-ttl 7200;
 };
-
-dnssec-policy "ecdsa256" {
-       signatures-refresh P5D;
-       signatures-validity 30d;
-       signatures-validity-dnskey 30d;
-
-       keys {
-               ksk lifetime unlimited algorithm ecdsa256;
-               zsk lifetime unlimited algorithm ecdsa256;
-       };
-
-       dnskey-ttl 1h;
-       publish-safety PT1H;
-       retire-safety 2h;
-       zone-propagation-delay 3600;
-       max-zone-ttl 6h;
-       parent-propagation-delay pt1h;
-       parent-ds-ttl 7200;
-};
index e53c72a9e60d30f39e2723972fabd6e408df18b6..27686ee3f94f7a6825207ad5c720fb12d01e8577 100644 (file)
@@ -92,13 +92,13 @@ echo "$zone" >> zones
 TactN="now"
 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
 zsktimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA1 -L 3600        $zsktimes $zone 2> keygen.out.$zone.2)
+KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -L 3600        $zsktimes $zone 2> keygen.out.$zone.2)
 $SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
 $SETTIME -s -g $O -k $O $TactN -z $O $TactN              "$ZSK" > settime.out.$zone.2 2>&1
 cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone 5 "$KSK" >> "$infile"
-private_type_record $zone 5 "$ZSK" >> "$infile"
+private_type_record $zone 8 "$KSK" >> "$infile"
+private_type_record $zone 8 "$ZSK" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
 
 # Step 2:
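Review bot: The RSASHA256 keys on the two new `$KEYGEN` lines are generated without `-b`, so the `"2048"` that tests.sh expects for them depends on dnssec-keygen's default RSA size; pin it with `-b 2048` on both lines so the expectation does not move if the default does. The source algorithm now appears as the literals `RSASHA256` and `8` in every step of this file while the target uses `$DEFAULT_ALGORITHM`/`$DEFAULT_ALGORITHM_NUMBER`; defining `ROLL_FROM_ALG=RSASHA256` and `ROLL_FROM_ALGNUM=8` once near the top and using them here would keep the name and the `private_type_record` number from drifting apart, which the `5`→`8` renumbering this commit had to make in six places shows is easy to miss. The `# Step 2:` line that ends the hunk opens the next step, whose body is outside it.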
@@ -114,8 +114,8 @@ ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I now"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I now"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA1            -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1            -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
+KSK1=$($KEYGEN -a RSASHA256          -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256          -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
 KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
 ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
 $SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -d $O $TactN  "$KSK1" > settime.out.$zone.1 2>&1
@@ -126,8 +126,8 @@ $SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1               "$ZSK2" > settime.ou
 echo "Lifetime: 0" >> "${KSK1}.state"
 echo "Lifetime: 0" >> "${ZSK1}.state"
 cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 5  "$KSK1" >> "$infile"
-private_type_record $zone 5  "$ZSK1" >> "$infile"
+private_type_record $zone 8  "$KSK1" >> "$infile"
+private_type_record $zone 8  "$ZSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -144,8 +144,8 @@ ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA1            -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1            -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
+KSK1=$($KEYGEN -a RSASHA256          -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256          -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
 KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
 ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
 $SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -d $O $TactN  "$KSK1" > settime.out.$zone.1 2>&1
@@ -156,8 +156,8 @@ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1               "$ZSK2" > settime.ou
 echo "Lifetime: 0" >> "${KSK1}.state"
 echo "Lifetime: 0" >> "${ZSK1}.state"
 cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 5  "$KSK1" >> "$infile"
-private_type_record $zone 5  "$ZSK1" >> "$infile"
+private_type_record $zone 8  "$KSK1" >> "$infile"
+private_type_record $zone 8  "$ZSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -175,8 +175,8 @@ ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA1            -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1            -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
+KSK1=$($KEYGEN -a RSASHA256          -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256          -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
 KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
 ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
 $SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -d $U $TactN1 -D ds $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
@@ -187,8 +187,8 @@ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1                             "$ZSK2
 echo "Lifetime: 0" >> "${KSK1}.state"
 echo "Lifetime: 0" >> "${ZSK1}.state"
 cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 5  "$KSK1" >> "$infile"
-private_type_record $zone 5  "$ZSK1" >> "$infile"
+private_type_record $zone 8  "$KSK1" >> "$infile"
+private_type_record $zone 8  "$ZSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -207,8 +207,8 @@ ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA1            -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1            -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
+KSK1=$($KEYGEN -a RSASHA256          -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256          -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
 KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
 ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
 $SETTIME -s -g $H -k $U $TremN  -r $U $TremN  -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
@@ -219,8 +219,8 @@ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1               "$ZSK2" > settime.ou
 echo "Lifetime: 0" >> "${KSK1}.state"
 echo "Lifetime: 0" >> "${ZSK1}.state"
 cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 5  "$KSK1" >> "$infile"
-private_type_record $zone 5  "$ZSK1" >> "$infile"
+private_type_record $zone 8  "$KSK1" >> "$infile"
+private_type_record $zone 8  "$ZSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
@@ -240,8 +240,8 @@ ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
 zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA1            -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA1            -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
+KSK1=$($KEYGEN -a RSASHA256          -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256          -L 3600        $zsk1times $zone 2> keygen.out.$zone.2)
 KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
 ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600        $zsk2times $zone 2> keygen.out.$zone.4)
 $SETTIME -s -g $H -k $H $TremN  -r $U $TdeaN  -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
@@ -252,8 +252,8 @@ $SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1               "$ZSK2" > settime.ou
 echo "Lifetime: 0" >> "${KSK1}.state"
 echo "Lifetime: 0" >> "${ZSK1}.state"
 cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 5  "$KSK1" >> "$infile"
-private_type_record $zone 5  "$ZSK1" >> "$infile"
+private_type_record $zone 8  "$KSK1" >> "$infile"
+private_type_record $zone 8  "$ZSK1" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
 private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
 $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
index 3b4b26a4a7007f748b9d9b6a16dfe09412914a9f..d3f4329ac7fd92c224edcbec2c97b0e81bbcc662 100644 (file)
@@ -21,7 +21,13 @@ $SHELL clean.sh
 mkdir keys
 
 copy_setports ns2/named.conf.in ns2/named.conf
-copy_setports ns3/named.conf.in ns3/named.conf
+if ! $SHELL ../testcrypto.sh -q RSASHA1
+then
+       copy_setports ns3/named-fips.conf.in ns3/named.conf
+else
+       copy_setports ns3/named-fips.conf.in ns3/named-fips.conf
+       copy_setports ns3/named.conf.in ns3/named.conf
+fi
 copy_setports ns4/named.conf.in ns4/named.conf
 copy_setports ns5/named.conf.in ns5/named.conf
 copy_setports ns6/named.conf.in ns6/named.conf
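Review bot: The `else` branch renders `ns3/named-fips.conf` on platforms that do have RSASHA1, but nothing in this file uses it afterwards, so its purpose (presumably so the FIPS configuration is still validated or can be switched to later) should be stated: `# also render the FIPS variant so it is exercised even where RSASHA1 is available`. The `testcrypto.sh -q RSASHA1` probe runs here, twice more further down this file, and again from ns3/setup.sh and tests.sh; the `ed25519-supported.file` marker that ns3/setup.sh tests for (presumably written near the `testcrypto.sh ed448` check just above the next hunk) is the existing pattern for probing once, and an `rsasha1-supported.file` written here would let every consumer test a file instead. The negated `if ! ...; then FIPS; else both; fi` also puts the common case second; `if $SHELL ../testcrypto.sh -q RSASHA1; then ... else ... fi` would read the same way as the gates in tests.sh.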
@@ -35,11 +41,21 @@ if $SHELL ../testcrypto.sh ed448; then
 fi
 
 copy_setports ns3/policies/autosign.conf.in ns3/policies/autosign.conf
+copy_setports ns3/policies/kasp-fips.conf.in ns3/policies/kasp-fips.conf
 copy_setports ns3/policies/kasp.conf.in ns3/policies/kasp.conf
+if ! $SHELL ../testcrypto.sh -q RSASHA1
+then
+       cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf
+fi
 
 copy_setports ns6/policies/csk1.conf.in ns6/policies/csk1.conf
 copy_setports ns6/policies/csk2.conf.in ns6/policies/csk2.conf
+copy_setports ns6/policies/kasp-fips.conf.in ns6/policies/kasp-fips.conf
 copy_setports ns6/policies/kasp.conf.in ns6/policies/kasp.conf
+if ! $SHELL ../testcrypto.sh -q RSASHA1
+then
+       cp ns6/policies/kasp-fips.conf ns6/policies/kasp.conf
+fi
 
 # Setup zones
 (
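Review bot: In the no-RSASHA1 case `kasp.conf` is rendered from kasp.conf.in and then overwritten by `cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf` (and likewise for ns6), whereas the named.conf hunk above chooses the source template up front; doing the same here avoids rendering a file only to discard it and keeps the two files on one pattern. Whichever form stays, the reason for the replacement deserves a comment, since it is not obvious that the include alone is insufficient — presumably named refuses to load the remaining `rsasha1`/`rsasha1-nsec3` policies when those algorithms are unavailable — e.g. `# without RSASHA1 the policies left in kasp.conf cannot be loaded, so use the FIPS-only subset`. The `(` on the last line opens the zone-setup subshell, which is closed outside this hunk.
```shell
copy_setports ns3/policies/kasp-fips.conf.in ns3/policies/kasp-fips.conf
if $SHELL ../testcrypto.sh -q RSASHA1
then
	copy_setports ns3/policies/kasp.conf.in ns3/policies/kasp.conf
else
	# without RSASHA1 the policies left in kasp.conf cannot be loaded, so use the FIPS-only subset
	copy_setports ns3/policies/kasp-fips.conf.in ns3/policies/kasp.conf
fi
# … unchanged: csk1/csk2 copies …
# … same if/else for ns6/policies/kasp.conf …
```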
index 4a62dbc47fdefbfcceb5799cfa00ec97b213fd61..81a4bf2ad90802e0b9a71c5d5cb41df5bab21801 100644 (file)
@@ -84,13 +84,13 @@ set_zonesigning  "KEY2" "no"
 
 set_keyrole      "KEY3" "zsk"
 set_keylifetime  "KEY3" "2592000"
-set_keyalgorithm "KEY3" "8" "RSASHA256" "1024"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
 set_keysigning   "KEY3" "no"
 set_zonesigning  "KEY3" "yes"
 
 set_keyrole      "KEY4" "zsk"
 set_keylifetime  "KEY4" "16070400"
-set_keyalgorithm "KEY4" "8" "RSASHA256" "2000"
+set_keyalgorithm "KEY4" "8" "RSASHA256" "3072"
 set_keysigning   "KEY4" "no"
 set_zonesigning  "KEY4" "yes"
 
@@ -788,55 +788,58 @@ set_keytimes_algorithm_policy() {
 #
 # Zone: rsasha1.kasp.
 #
-set_zone "rsasha1.kasp"
-set_policy "rsasha1" "3" "1234"
-set_server "ns3" "10.53.0.3"
-# Key properties.
-key_clear        "KEY1"
-set_keyrole      "KEY1" "ksk"
-set_keylifetime  "KEY1" "315360000"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
-set_keysigning   "KEY1" "yes"
-set_zonesigning  "KEY1" "no"
+if $SHELL ../testcrypto.sh -q RSASHA1
+then
+       set_zone "rsasha1.kasp"
+       set_policy "rsasha1" "3" "1234"
+       set_server "ns3" "10.53.0.3"
+       # Key properties.
+       key_clear        "KEY1"
+       set_keyrole      "KEY1" "ksk"
+       set_keylifetime  "KEY1" "315360000"
+       set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+       set_keysigning   "KEY1" "yes"
+       set_zonesigning  "KEY1" "no"
 
-key_clear        "KEY2"
-set_keyrole      "KEY2" "zsk"
-set_keylifetime  "KEY2" "157680000"
-set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
-set_keysigning   "KEY2" "no"
-set_zonesigning  "KEY2" "yes"
+       key_clear        "KEY2"
+       set_keyrole      "KEY2" "zsk"
+       set_keylifetime  "KEY2" "157680000"
+       set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+       set_keysigning   "KEY2" "no"
+       set_zonesigning  "KEY2" "yes"
 
-key_clear        "KEY3"
-set_keyrole      "KEY3" "zsk"
-set_keylifetime  "KEY3" "31536000"
-set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
-set_keysigning   "KEY3" "no"
-set_zonesigning  "KEY3" "yes"
+       key_clear        "KEY3"
+       set_keyrole      "KEY3" "zsk"
+       set_keylifetime  "KEY3" "31536000"
+       set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
+       set_keysigning   "KEY3" "no"
+       set_zonesigning  "KEY3" "yes"
 
-# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
-# ZSK: DNSKEY, RRSIG (zsk) published.
-set_keystate "KEY1" "GOAL"         "omnipresent"
-set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS"     "hidden"
+       # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
+       # ZSK: DNSKEY, RRSIG (zsk) published.
+       set_keystate "KEY1" "GOAL"         "omnipresent"
+       set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+       set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+       set_keystate "KEY1" "STATE_DS"     "hidden"
 
-set_keystate "KEY2" "GOAL"         "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+       set_keystate "KEY2" "GOAL"         "omnipresent"
+       set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+       set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
 
-set_keystate "KEY3" "GOAL"         "omnipresent"
-set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
-# Three keys only.
-key_clear "KEY4"
+       set_keystate "KEY3" "GOAL"         "omnipresent"
+       set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+       set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
+       # Three keys only.
+       key_clear "KEY4"
 
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_algorithm_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
+       check_keys
+       check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+       set_keytimes_algorithm_policy
+       check_keytimes
+       check_apex
+       check_subdomain
+       dnssec_verify
+fi
 
 #
 # Zone: unsigned.kasp.
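Review bot: When `testcrypto.sh -q RSASHA1` fails, the whole rsasha1.kasp block is skipped without any output, so a log from a FIPS build is indistinguishable from one where the zone was checked; an `else` arm on the new `if` should make it explicit, `else echo_i "skipping rsasha1.kasp checks: RSASHA1 not supported"`. Because the skip is silent, a probe that fails for an unrelated reason (wrong relative path, missing script) also removes coverage without failing the run, which is the usual argument for testing a marker file written once by setup.sh — the pattern ns3/setup.sh already uses with `ed25519-supported.file` — instead of re-running the probe here. The indented block otherwise carries the old checks over unchanged.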
@@ -910,28 +913,28 @@ dnssec_verify
 # Zone: inherit.kasp.
 #
 set_zone "inherit.kasp"
-set_policy "rsasha1" "3" "1234"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 
 # Key properties.
 key_clear        "KEY1"
 set_keyrole      "KEY1" "ksk"
 set_keylifetime  "KEY1" "315360000"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning   "KEY1" "yes"
 set_zonesigning  "KEY1" "no"
 
 key_clear        "KEY2"
 set_keyrole      "KEY2" "zsk"
 set_keylifetime  "KEY2" "157680000"
-set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
 set_keysigning   "KEY2" "no"
 set_zonesigning  "KEY2" "yes"
 
 key_clear        "KEY3"
 set_keyrole      "KEY3" "zsk"
 set_keylifetime  "KEY3" "31536000"
-set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
 set_keysigning   "KEY3" "no"
 set_zonesigning  "KEY3" "yes"
 # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
@@ -963,7 +966,7 @@ dnssec_verify
 # Zone: dnssec-keygen.kasp.
 #
 set_zone "dnssec-keygen.kasp"
-set_policy "rsasha1" "3" "1234"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 
@@ -979,7 +982,7 @@ dnssec_verify
 # Zone: some-keys.kasp.
 #
 set_zone "some-keys.kasp"
-set_policy "rsasha1" "3" "1234"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 
@@ -997,7 +1000,7 @@ dnssec_verify
 # There are more pregenerated keys than needed, hence the number of keys is
 # six, not three.
 set_zone "pregenerated.kasp"
-set_policy "rsasha1" "6" "1234"
+set_policy "rsasha256" "6" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 
@@ -1014,7 +1017,7 @@ dnssec_verify
 #
 # There are three keys in rumoured state.
 set_zone "rumoured.kasp"
-set_policy "rsasha1" "3" "1234"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 
@@ -1040,7 +1043,7 @@ dnssec_verify
 # Zone: secondary.kasp.
 #
 set_zone "secondary.kasp"
-set_policy "rsasha1" "3" "1234"
+set_policy "rsasha256" "3" "1234"
 set_server "ns3" "10.53.0.3"
 # Key properties, timings and states same as above.
 
@@ -1084,22 +1087,25 @@ status=$((status+ret))
 #
 # Zone: rsasha1-nsec3.kasp.
 #
-set_zone "rsasha1-nsec3.kasp"
-set_policy "rsasha1-nsec3" "3" "1234"
-set_server "ns3" "10.53.0.3"
-# Key properties.
-set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
-set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048"
-set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000"
-# Key timings and states same as above.
+if $SHELL ../testcrypto.sh -q RSASHA1
+then
+       set_zone "rsasha1-nsec3.kasp"
+       set_policy "rsasha1-nsec3" "3" "1234"
+       set_server "ns3" "10.53.0.3"
+       # Key properties.
+       set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
+       set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048"
+       set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000"
+       # Key timings and states same as above.
 
-check_keys
-check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-set_keytimes_algorithm_policy
-check_keytimes
-check_apex
-check_subdomain
-dnssec_verify
+       check_keys
+       check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+       set_keytimes_algorithm_policy
+       check_keytimes
+       check_apex
+       check_subdomain
+       dnssec_verify
+fi
 
 #
 # Zone: rsasha256.kasp.
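Review bot: As with the rsasha1.kasp gate earlier in this file, the new `if $SHELL ../testcrypto.sh -q RSASHA1` around rsasha1-nsec3.kasp skips silently; add `else echo_i "skipping rsasha1-nsec3.kasp checks: RSASHA1 not supported"` so the omission shows in the log. The gated block only resets the three `set_keyalgorithm` values and relies on the roles, lifetimes and states left by the earlier ungated sections ("Key timings and states same as above"), so if those sections are ever gated or reordered the NSEC3RSASHA1 checks would run against stale state; a one-line comment naming that dependency would help the next person who moves things around.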
@@ -1110,7 +1116,7 @@ set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keyalgorithm "KEY3" "8" "RSASHA256" "2000"
+set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
 # Key timings and states same as above.
 
 check_keys
@@ -1130,7 +1136,7 @@ set_server "ns3" "10.53.0.3"
 # Key properties.
 set_keyalgorithm "KEY1" "10" "RSASHA512" "2048"
 set_keyalgorithm "KEY2" "10" "RSASHA512" "2048"
-set_keyalgorithm "KEY3" "10" "RSASHA512" "2000"
+set_keyalgorithm "KEY3" "10" "RSASHA512" "3072"
 # Key timings and states same as above.
 
 check_keys
@@ -1530,14 +1536,14 @@ set_server "ns3" "10.53.0.3"
 key_clear        "KEY1"
 set_keyrole      "KEY1" "ksk"
 set_keylifetime  "KEY1" "16070400"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning   "KEY1" "yes"
 set_zonesigning  "KEY1" "no"
 
 key_clear        "KEY2"
 set_keyrole      "KEY2" "zsk"
 set_keylifetime  "KEY2" "16070400"
-set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
 set_keysigning   "KEY2" "no"
 set_zonesigning  "KEY2" "yes"
 # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
@@ -3547,20 +3553,20 @@ IretZSK=0
 # Zone: step1.algorithm-roll.kasp
 #
 set_zone "step1.algorithm-roll.kasp"
-set_policy "rsasha1" "2" "3600"
+set_policy "rsasha256" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # Key properties.
 key_clear        "KEY1"
 set_keyrole      "KEY1" "ksk"
 set_keylifetime  "KEY1" "0"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning   "KEY1" "yes"
 set_zonesigning  "KEY1" "no"
 
 key_clear        "KEY2"
 set_keyrole      "KEY2" "zsk"
 set_keylifetime  "KEY2" "0"
-set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
 set_keysigning   "KEY2" "no"
 set_zonesigning  "KEY2" "yes"
 key_clear "KEY3"
@@ -3601,7 +3607,7 @@ set_server "ns6" "10.53.0.6"
 key_clear        "KEY1"
 set_keyrole      "KEY1" "csk"
 set_keylifetime  "KEY1" "0"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning   "KEY1" "yes"
 set_zonesigning  "KEY1" "yes"
 key_clear "KEY2"
@@ -3993,14 +3999,14 @@ set_server "ns6" "10.53.0.6"
 key_clear        "KEY1"
 set_keyrole      "KEY1" "ksk"
 set_keylifetime  "KEY1" "0"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning   "KEY1" "yes"
 set_zonesigning  "KEY1" "no"
 
 key_clear        "KEY2"
 set_keyrole      "KEY2" "zsk"
 set_keylifetime  "KEY2" "0"
-set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
 set_keysigning   "KEY2" "no"
 set_zonesigning  "KEY2" "yes"
 # New ECDSAP256SHA256 keys.
@@ -4395,7 +4401,7 @@ set_server "ns6" "10.53.0.6"
 key_clear       "KEY1"
 set_keyrole      "KEY1" "csk"
 set_keylifetime  "KEY1" "0"
-set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
 set_keysigning   "KEY1" "yes"
 set_zonesigning  "KEY1" "yes"
 # New ECDSAP256SHA256 key.