--- /dev/null
+../rollover/common.py
\ No newline at end of file
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+dnssec-policy "zsk-prepub" {
+ signatures-refresh P1W;
+ signatures-validity P2W;
+ signatures-validity-dnskey P2W;
+
+ dnskey-ttl 3600;
+ publish-safety P1D;
+ retire-safety P2D;
+ purge-keys PT1H;
+
+ keys {
+ ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
+ zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@;
+ };
+
+ zone-propagation-delay PT1H;
+ max-zone-ttl 1d;
+};
--- /dev/null
+../../rollover/ns3/named.common.conf.j2
\ No newline at end of file
--- /dev/null
+/*
+ * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+ *
+ * SPDX-License-Identifier: MPL-2.0
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, you can obtain one at https://mozilla.org/MPL/2.0/.
+ *
+ * See the COPYRIGHT file distributed with this work for additional
+ * information regarding copyright ownership.
+ */
+
+include "kasp.conf";
+include "named.common.conf";
+
+zone "step1.zsk-prepub.autosign" {
+ type primary;
+ file "step1.zsk-prepub.autosign.db";
+ dnssec-policy "zsk-prepub";
+};
+zone "step2.zsk-prepub.autosign" {
+ type primary;
+ file "step2.zsk-prepub.autosign.db";
+ dnssec-policy "zsk-prepub";
+};
+zone "step3.zsk-prepub.autosign" {
+ type primary;
+ file "step3.zsk-prepub.autosign.db";
+ dnssec-policy "zsk-prepub";
+};
+zone "step4.zsk-prepub.autosign" {
+ type primary;
+ file "step4.zsk-prepub.autosign.db";
+ dnssec-policy "zsk-prepub";
+};
+zone "step5.zsk-prepub.autosign" {
+ type primary;
+ file "step5.zsk-prepub.autosign.db";
+ dnssec-policy "zsk-prepub";
+};
+zone "step6.zsk-prepub.autosign" {
+ type primary;
+ file "step6.zsk-prepub.autosign.db";
+ dnssec-policy "zsk-prepub";
+};
--- /dev/null
+../../rollover/ns3/template.db.in
\ No newline at end of file
--- /dev/null
+#!/bin/sh -e
+
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# shellcheck source=conf.sh
+. ../conf.sh
+
+cd "ns3"
+
+setup() {
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+ echo "$zone" >>zones
+}
+
+# Set in the key state files the Predecessor/Successor fields.
+# Key $1 is the predecessor of key $2.
+key_successor() {
+ id1=$(keyfile_to_key_id "$1")
+ id2=$(keyfile_to_key_id "$2")
+ echo "Predecessor: ${id1}" >>"${2}.state"
+ echo "Successor: ${id2}" >>"${1}.state"
+}
+
+# Make lines shorter by storing key states in environment variables.
+H="HIDDEN"
+R="RUMOURED"
+O="OMNIPRESENT"
+U="UNRETENTIVE"
+
+#
+# The zones at zsk-prepub.autosign represent the various steps of a ZSK
+# Pre-Publication rollover.
+#
+
+# Step 1:
+# Introduce the first key. This will immediately be active.
+setup step1.zsk-prepub.autosign
+TactN="now-7d"
+keytimes="-P ${TactN} -A ${TactN}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $keytimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 2:
+# It is time to pre-publish the successor ZSK.
+setup step2.zsk-prepub.autosign
+# According to RFC 7583:
+# Tact(N) = now + Ipub - Lzsk = now + 26h - 30d
+# = now + 26h - 30d = now − 694h
+TactN="now-694h"
+keytimes="-P ${TactN} -A ${TactN}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $keytimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 3:
+# After the publication interval has passed the DNSKEY of the successor ZSK
+# is OMNIPRESENT and the zone can thus be signed with the successor ZSK.
+setup step3.zsk-prepub.autosign
+# According to RFC 7583:
+# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
+# Tact(N+1) = Tact(N) + Lzsk
+#
+# Tact(N) = now - Lzsk = now - 30d
+# Tpub(N+1) = now - Ipub = now - 26h
+# Tact(N+1) = now
+# Tret(N) = now
+# Trem(N) = now + Iret = now + Dsign + Dprp + TTLsig + retire-safety = 8d1h = now + 241h
+TactN="now-30d"
+TpubN1="now-26h"
+TactN1="now"
+TremN="now+241h"
+keytimes="-P ${TactN} -A ${TactN}"
+oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TactN1}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" >settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $ZSK1 $ZSK2
+# Sign zone.
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 4:
+# After the retire interval has passed the predecessor DNSKEY can be
+# removed from the zone.
+setup step4.zsk-prepub.autosign
+# Lzsk: 30d
+# Ipub: 26h
+# Dsgn: 1w
+# Dprp: 1h
+# TTLsig: 1d
+# retire-safety: 2d
+#
+# According to RFC 7583:
+# Iret = Dsgn + Dprp + TTLsig (+retire-safety)
+# Iret = 1w + 1h + 1d + 2d = 10d1h = 241h
+#
+# Tact(N) = now - Iret - Lzsk
+# = now - 241h - 30d = now - 241h - 720h
+# = now - 961h
+# Tpub(N+1) = now - Iret - Ipub
+# = now - 241h - 26h
+# = now - 267h
+# Tact(N+1) = now - Iret = now - 241h
+TactN="now-961h"
+TpubN1="now-267h"
+TactN1="now-241h"
+TremN="now"
+keytimes="-P ${TactN} -A ${TactN}"
+oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TactN1}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $U $TactN1 "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" >settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $ZSK1 $ZSK2
+# Sign zone.
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
+cp $infile $zonefile
+$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 5:
+# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
+setup step5.zsk-prepub.autosign
+# Subtract DNSKEY TTL + zone-propagation-delay from all the times (2h).
+# Tact(N) = now - 961h - 2h = now - 963h
+# Tpub(N+1) = now - 267h - 2h = now - 269h
+# Tact(N+1) = now - 241h - 2h = now - 243h
+# Trem(N) = Tact(N+1) + Iret = now -2h
+TactN="now-963h"
+TremN="now-2h"
+TpubN1="now-269h"
+TactN1="now-243h"
+TremN="now-2h"
+keytimes="-P ${TactN} -A ${TactN}"
+oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TactN1}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $U $TremN -z $H $TremN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $O $TremN "$ZSK2" >settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $ZSK1 $ZSK2
+# Sign zone.
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# Step 6:
+# The predecessor DNSKEY can be purged.
+setup step6.zsk-prepub.autosign
+# Subtract purge-keys interval from all the times (1h).
+TactN="now-964h"
+TremN="now-3h"
+TpubN1="now-270h"
+TactN1="now-244h"
+TremN="now-3h"
+keytimes="-P ${TactN} -A ${TactN}"
+oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
+newtimes="-P ${TpubN1} -A ${TactN1}"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $H $TremN -z $H $TremN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $O $TremN "$ZSK2" >settime.out.$zone.3 2>&1
+# Set key rollover relationship.
+key_successor $ZSK1 $ZSK2
+# Sign zone.
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
+cp $infile $zonefile
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
--- /dev/null
+# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+#
+# SPDX-License-Identifier: MPL-2.0
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, you can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# See the COPYRIGHT file distributed with this work for additional
+# information regarding copyright ownership.
+
+# pylint: disable=redefined-outer-name,unused-import
+
+from datetime import timedelta
+
+import isctest
+from isctest.kasp import Ipub, Iret
+from common import (
+ pytestmark,
+ alg,
+ size,
+ TIMEDELTA,
+)
+
+CONFIG = {
+ "dnskey-ttl": TIMEDELTA["PT1H"],
+ "ds-ttl": TIMEDELTA["P1D"],
+ "max-zone-ttl": TIMEDELTA["P1D"],
+ "parent-propagation-delay": TIMEDELTA["PT1H"],
+ "publish-safety": TIMEDELTA["P1D"],
+ "purge-keys": TIMEDELTA["PT1H"],
+ "retire-safety": TIMEDELTA["P2D"],
+ "signatures-refresh": TIMEDELTA["P7D"],
+ "signatures-validity": TIMEDELTA["P14D"],
+ "zone-propagation-delay": TIMEDELTA["PT1H"],
+}
+POLICY = "zsk-prepub"
+ZSK_LIFETIME = TIMEDELTA["P30D"]
+LIFETIME_POLICY = int(ZSK_LIFETIME.total_seconds())
+IPUB = Ipub(CONFIG)
+IRET = Iret(CONFIG, rollover=True)
+KEYTTLPROP = CONFIG["dnskey-ttl"] + CONFIG["zone-propagation-delay"]
+OFFSETS = {}
+OFFSETS["step1-p"] = -int(TIMEDELTA["P7D"].total_seconds())
+OFFSETS["step2-p"] = -int(ZSK_LIFETIME.total_seconds() - IPUB.total_seconds())
+OFFSETS["step2-s"] = 0
+OFFSETS["step3-p"] = -int(ZSK_LIFETIME.total_seconds())
+OFFSETS["step3-s"] = -int(IPUB.total_seconds())
+OFFSETS["step4-p"] = OFFSETS["step3-p"] - int(IRET.total_seconds())
+OFFSETS["step4-s"] = OFFSETS["step3-s"] - int(IRET.total_seconds())
+OFFSETS["step5-p"] = OFFSETS["step4-p"] - int(KEYTTLPROP.total_seconds())
+OFFSETS["step5-s"] = OFFSETS["step4-s"] - int(KEYTTLPROP.total_seconds())
+OFFSETS["step6-p"] = OFFSETS["step5-p"] - int(CONFIG["purge-keys"].total_seconds())
+OFFSETS["step6-s"] = OFFSETS["step5-s"] - int(CONFIG["purge-keys"].total_seconds())
+
+
+def test_zsk_prepub_step1(alg, size, servers):
+ step = {
+ # Introduce the first key. This will immediately be active.
+ "zone": "step1.zsk-prepub.autosign",
+ "keyprops": [
+ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step1-p']}",
+ f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step1-p']}",
+ ],
+ # Next key event is when the successor ZSK needs to be published.
+ # That is the ZSK lifetime - prepublication time (minus time
+ # already passed).
+ "nextev": ZSK_LIFETIME - IPUB - timedelta(days=7),
+ }
+ isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+
+
+def test_zsk_prepub_step2(alg, size, servers):
+ step = {
+ # it is time to pre-publish the successor zsk.
+ # zsk1 goal: omnipresent -> hidden
+ # zsk2 goal: hidden -> omnipresent
+ # zsk2 dnskey: hidden -> rumoured
+ "zone": "step2.zsk-prepub.autosign",
+ "keyprops": [
+ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step2-p']}",
+ f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step2-p']}",
+ f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden offset:{OFFSETS['step2-s']}",
+ ],
+ "keyrelationships": [1, 2],
+ # next key event is when the successor zsk becomes omnipresent.
+ # that is the dnskey ttl plus the zone propagation delay
+ "nextev": IPUB,
+ }
+ isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+
+
+def test_zsk_prepub_step3(alg, size, servers):
+ step = {
+ # predecessor zsk is no longer actively signing. successor zsk is
+ # now actively signing.
+ # zsk1 zrrsig: omnipresent -> unretentive
+ # zsk2 dnskey: rumoured -> omnipresent
+ # zsk2 zrrsig: hidden -> rumoured
+ "zone": "step3.zsk-prepub.autosign",
+ "keyprops": [
+ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step3-p']}",
+ f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:unretentive offset:{OFFSETS['step3-p']}",
+ f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{OFFSETS['step3-s']}",
+ ],
+ "keyrelationships": [1, 2],
+ # next key event is when all the rrsig records have been replaced
+ # with signatures of the new zsk, in other words when zrrsig
+ # becomes omnipresent.
+ "nextev": IRET,
+ # set 'smooth' to true so expected signatures of subdomain are
+ # from the predecessor zsk.
+ "smooth": True,
+ }
+ isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+
+
+def test_zsk_prepub_step4(alg, size, servers):
+ step = {
+ # predecessor zsk is no longer needed. all rrsets are signed with
+ # the successor zsk.
+ # zsk1 dnskey: omnipresent -> unretentive
+ # zsk1 zrrsig: unretentive -> hidden
+ # zsk2 zrrsig: rumoured -> omnipresent
+ "zone": "step4.zsk-prepub.autosign",
+ "keyprops": [
+ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step4-p']}",
+ f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:unretentive zrrsig:hidden offset:{OFFSETS['step4-p']}",
+ f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step4-s']}",
+ ],
+ "keyrelationships": [1, 2],
+ # next key event is when the dnskey enters the hidden state.
+ # this is the dnskey ttl plus zone propagation delay.
+ "nextev": KEYTTLPROP,
+ }
+ isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+
+
+def test_zsk_prepub_step5(alg, size, servers):
+ step = {
+ # predecessor zsk is now removed.
+ # zsk1 dnskey: unretentive -> hidden
+ "zone": "step5.zsk-prepub.autosign",
+ "keyprops": [
+ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step5-p']}",
+ f"zsk {LIFETIME_POLICY} {alg} {size} goal:hidden dnskey:hidden zrrsig:hidden offset:{OFFSETS['step5-p']}",
+ f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step5-s']}",
+ ],
+ "keyrelationships": [1, 2],
+ # next key event is when the new successor needs to be published.
+ # this is the zsk lifetime minus IRET minus IPUB minus time
+ # elapsed.
+ "nextev": ZSK_LIFETIME - IRET - IPUB - KEYTTLPROP,
+ }
+ isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
+
+
+def test_zsk_prepub_step6(alg, size, servers):
+ step = {
+ # predecessor zsk is now purged.
+ "zone": "step6.zsk-prepub.autosign",
+ "keyprops": [
+ f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{OFFSETS['step6-p']}",
+ f"zsk {LIFETIME_POLICY} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{OFFSETS['step6-s']}",
+ ],
+ "nextev": None,
+ }
+ isctest.kasp.check_rollover_step(servers["ns3"], CONFIG, POLICY, step)
csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@;
};
};
-
-dnssec-policy "zsk-prepub" {
- signatures-refresh P1W;
- signatures-validity P2W;
- signatures-validity-dnskey P2W;
-
- dnskey-ttl 3600;
- publish-safety P1D;
- retire-safety P2D;
- purge-keys PT1H;
-
- keys {
- ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
- zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@;
- };
-
- zone-propagation-delay PT1H;
- max-zone-ttl 1d;
-};
file "step4.enable-dnssec.autosign.db";
dnssec-policy "enable-dnssec";
};
-
-/*
- * Zones for testing ZSK Pre-Publication steps.
- */
-zone "step1.zsk-prepub.autosign" {
- type primary;
- file "step1.zsk-prepub.autosign.db";
- dnssec-policy "zsk-prepub";
-};
-zone "step2.zsk-prepub.autosign" {
- type primary;
- file "step2.zsk-prepub.autosign.db";
- dnssec-policy "zsk-prepub";
-};
-zone "step3.zsk-prepub.autosign" {
- type primary;
- file "step3.zsk-prepub.autosign.db";
- dnssec-policy "zsk-prepub";
-};
-zone "step4.zsk-prepub.autosign" {
- type primary;
- file "step4.zsk-prepub.autosign.db";
- dnssec-policy "zsk-prepub";
-};
-zone "step5.zsk-prepub.autosign" {
- type primary;
- file "step5.zsk-prepub.autosign.db";
- dnssec-policy "zsk-prepub";
-};
-zone "step6.zsk-prepub.autosign" {
- type primary;
- file "step6.zsk-prepub.autosign.db";
- dnssec-policy "zsk-prepub";
-};
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-#
-# The zones at zsk-prepub.autosign represent the various steps of a ZSK
-# Pre-Publication rollover.
-#
-
-# Step 1:
-# Introduce the first key. This will immediately be active.
-setup step1.zsk-prepub.autosign
-TactN="now-7d"
-keytimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $keytimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 2:
-# It is time to pre-publish the successor ZSK.
-setup step2.zsk-prepub.autosign
-# According to RFC 7583:
-# Tact(N) = now + Ipub - Lzsk = now + 26h - 30d
-# = now + 26h - 30d = now − 694h
-TactN="now-694h"
-keytimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $keytimes $zone 2>keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 3:
-# After the publication interval has passed the DNSKEY of the successor ZSK
-# is OMNIPRESENT and the zone can thus be signed with the successor ZSK.
-setup step3.zsk-prepub.autosign
-# According to RFC 7583:
-# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
-# Tact(N+1) = Tact(N) + Lzsk
-#
-# Tact(N) = now - Lzsk = now - 30d
-# Tpub(N+1) = now - Ipub = now - 26h
-# Tact(N+1) = now
-# Tret(N) = now
-# Trem(N) = now + Iret = now + Dsign + Dprp + TTLsig + retire-safety = 8d1h = now + 241h
-TactN="now-30d"
-TpubN1="now-26h"
-TactN1="now"
-TremN="now+241h"
-keytimes="-P ${TactN} -A ${TactN}"
-oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
-newtimes="-P ${TpubN1} -A ${TactN1}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" >settime.out.$zone.3 2>&1
-# Set key rollover relationship.
-key_successor $ZSK1 $ZSK2
-# Sign zone.
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 4:
-# After the retire interval has passed the predecessor DNSKEY can be
-# removed from the zone.
-setup step4.zsk-prepub.autosign
-# Lzsk: 30d
-# Ipub: 26h
-# Dsgn: 1w
-# Dprp: 1h
-# TTLsig: 1d
-# retire-safety: 2d
-#
-# According to RFC 7583:
-# Iret = Dsgn + Dprp + TTLsig (+retire-safety)
-# Iret = 1w + 1h + 1d + 2d = 10d1h = 241h
-#
-# Tact(N) = now - Iret - Lzsk
-# = now - 241h - 30d = now - 241h - 720h
-# = now - 961h
-# Tpub(N+1) = now - Iret - Ipub
-# = now - 241h - 26h
-# = now - 267h
-# Tact(N+1) = now - Iret = now - 241h
-TactN="now-961h"
-TpubN1="now-267h"
-TactN1="now-241h"
-TremN="now"
-keytimes="-P ${TactN} -A ${TactN}"
-oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
-newtimes="-P ${TpubN1} -A ${TactN1}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $U $TactN1 "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" >settime.out.$zone.3 2>&1
-# Set key rollover relationship.
-key_successor $ZSK1 $ZSK2
-# Sign zone.
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
-cp $infile $zonefile
-$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 5:
-# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
-setup step5.zsk-prepub.autosign
-# Subtract DNSKEY TTL + zone-propagation-delay from all the times (2h).
-# Tact(N) = now - 961h - 2h = now - 963h
-# Tpub(N+1) = now - 267h - 2h = now - 269h
-# Tact(N+1) = now - 241h - 2h = now - 243h
-# Trem(N) = Tact(N+1) + Iret = now -2h
-TactN="now-963h"
-TremN="now-2h"
-TpubN1="now-269h"
-TactN1="now-243h"
-TremN="now-2h"
-keytimes="-P ${TactN} -A ${TactN}"
-oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
-newtimes="-P ${TpubN1} -A ${TactN1}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $U $TremN -z $H $TremN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -z $O $TremN "$ZSK2" >settime.out.$zone.3 2>&1
-# Set key rollover relationship.
-key_successor $ZSK1 $ZSK2
-# Sign zone.
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
-
-# Step 6:
-# The predecessor DNSKEY can be purged.
-setup step6.zsk-prepub.autosign
-# Subtract purge-keys interval from all the times (1h).
-TactN="now-964h"
-TremN="now-3h"
-TpubN1="now-270h"
-TactN1="now-244h"
-TremN="now-3h"
-keytimes="-P ${TactN} -A ${TactN}"
-oldtimes="-P ${TactN} -A ${TactN} -I ${TactN1} -D ${TremN}"
-newtimes="-P ${TpubN1} -A ${TactN1}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $keytimes $zone 2>keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $oldtimes $zone 2>keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $H $TremN -z $H $TremN "$ZSK1" >settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -z $O $TremN "$ZSK2" >settime.out.$zone.3 2>&1
-# Set key rollover relationship.
-key_successor $ZSK1 $ZSK2
-# Sign zone.
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
-cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
for step in steps:
isctest.kasp.check_rollover_step(server, config, policy, step)
-
-
-def test_rollover_zsk_prepublication(servers):
- server = servers["ns3"]
- policy = "zsk-prepub"
- config = {
- "dnskey-ttl": timedelta(seconds=3600),
- "ds-ttl": timedelta(days=1),
- "max-zone-ttl": timedelta(days=1),
- "parent-propagation-delay": timedelta(hours=1),
- "publish-safety": timedelta(days=1),
- "purge-keys": timedelta(hours=1),
- "retire-safety": timedelta(days=2),
- "signatures-refresh": timedelta(days=7),
- "signatures-validity": timedelta(days=14),
- "zone-propagation-delay": timedelta(hours=1),
- }
- alg = os.environ["DEFAULT_ALGORITHM_NUMBER"]
- size = os.environ["DEFAULT_BITS"]
- zsk_lifetime = timedelta(days=30)
- lifetime_policy = int(zsk_lifetime.total_seconds())
-
- ipub = Ipub(config)
- iret = Iret(config, rollover=True)
- keyttlprop = config["dnskey-ttl"] + config["zone-propagation-delay"]
- offsets = {}
- offsets["step1-p"] = -int(timedelta(days=7).total_seconds())
- offsets["step2-p"] = -int(zsk_lifetime.total_seconds() - ipub.total_seconds())
- offsets["step2-s"] = 0
- offsets["step3-p"] = -int(zsk_lifetime.total_seconds())
- offsets["step3-s"] = -int(ipub.total_seconds())
- offsets["step4-p"] = offsets["step3-p"] - int(iret.total_seconds())
- offsets["step4-s"] = offsets["step3-s"] - int(iret.total_seconds())
- offsets["step5-p"] = offsets["step4-p"] - int(keyttlprop.total_seconds())
- offsets["step5-s"] = offsets["step4-s"] - int(keyttlprop.total_seconds())
- offsets["step6-p"] = offsets["step5-p"] - int(config["purge-keys"].total_seconds())
- offsets["step6-s"] = offsets["step5-s"] - int(config["purge-keys"].total_seconds())
-
- steps = [
- {
- # Step 1.
- # Introduce the first key. This will immediately be active.
- "zone": "step1.zsk-prepub.autosign",
- "keyprops": [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step1-p']}",
- f"zsk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step1-p']}",
- ],
- # Next key event is when the successor ZSK needs to be published.
- # That is the ZSK lifetime - prepublication time (minus time
- # already passed).
- "nextev": zsk_lifetime - ipub - timedelta(days=7),
- },
- {
- # Step 2.
- # It is time to pre-publish the successor ZSK.
- # ZSK1 goal: omnipresent -> hidden
- # ZSK2 goal: hidden -> omnipresent
- # ZSK2 dnskey: hidden -> rumoured
- "zone": "step2.zsk-prepub.autosign",
- "keyprops": [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step2-p']}",
- f"zsk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step2-p']}",
- f"zsk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:rumoured zrrsig:hidden offset:{offsets['step2-s']}",
- ],
- "keyrelationships": [1, 2],
- # Next key event is when the successor ZSK becomes OMNIPRESENT.
- # That is the DNSKEY TTL plus the zone propagation delay
- "nextev": ipub,
- },
- {
- # Step 3.
- # Predecessor ZSK is no longer actively signing. Successor ZSK is
- # now actively signing.
- # ZSK1 zrrsig: omnipresent -> unretentive
- # ZSK2 dnskey: rumoured -> omnipresent
- # ZSK2 zrrsig: hidden -> rumoured
- "zone": "step3.zsk-prepub.autosign",
- "keyprops": [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step3-p']}",
- f"zsk {lifetime_policy} {alg} {size} goal:hidden dnskey:omnipresent zrrsig:unretentive offset:{offsets['step3-p']}",
- f"zsk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:rumoured offset:{offsets['step3-s']}",
- ],
- "keyrelationships": [1, 2],
- # Next key event is when all the RRSIG records have been replaced
- # with signatures of the new ZSK, in other words when ZRRSIG
- # becomes OMNIPRESENT.
- "nextev": iret,
- # Set 'smooth' to true so expected signatures of subdomain are
- # from the predecessor ZSK.
- "smooth": True,
- },
- {
- # Step 4.
- # Predecessor ZSK is no longer needed. All RRsets are signed with
- # the successor ZSK.
- # ZSK1 dnskey: omnipresent -> unretentive
- # ZSK1 zrrsig: unretentive -> hidden
- # ZSK2 zrrsig: rumoured -> omnipresent
- "zone": "step4.zsk-prepub.autosign",
- "keyprops": [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step4-p']}",
- f"zsk {lifetime_policy} {alg} {size} goal:hidden dnskey:unretentive zrrsig:hidden offset:{offsets['step4-p']}",
- f"zsk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step4-s']}",
- ],
- "keyrelationships": [1, 2],
- # Next key event is when the DNSKEY enters the HIDDEN state.
- # This is the DNSKEY TTL plus zone propagation delay.
- "nextev": keyttlprop,
- },
- {
- # Step 5.
- # Predecessor ZSK is now removed.
- # ZSK1 dnskey: unretentive -> hidden
- "zone": "step5.zsk-prepub.autosign",
- "keyprops": [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step5-p']}",
- f"zsk {lifetime_policy} {alg} {size} goal:hidden dnskey:hidden zrrsig:hidden offset:{offsets['step5-p']}",
- f"zsk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step5-s']}",
- ],
- "keyrelationships": [1, 2],
- # Next key event is when the new successor needs to be published.
- # This is the ZSK lifetime minus Iret minus Ipub minus time
- # elapsed.
- "nextev": zsk_lifetime - iret - ipub - keyttlprop,
- },
- {
- # Step 6.
- # Predecessor ZSK is now purged.
- "zone": "step6.zsk-prepub.autosign",
- "keyprops": [
- f"ksk unlimited {alg} {size} goal:omnipresent dnskey:omnipresent krrsig:omnipresent ds:omnipresent offset:{offsets['step6-p']}",
- f"zsk {lifetime_policy} {alg} {size} goal:omnipresent dnskey:omnipresent zrrsig:omnipresent offset:{offsets['step6-s']}",
- ],
- "nextev": None,
- },
- ]
-
- for step in steps:
- isctest.kasp.check_rollover_step(server, config, policy, step)
projects / thirdparty / bind9.git / commitdiff
