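#!/bin/sh -e

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# ns6/setup.sh: prepare the zone files, keys and key-state files that ns6
# serves in this system test. The zones fall into a few groups: lifetime
# test zones (plain copies of the template), zones that are going insecure,
# zones that go straight to policy "none", and per-step snapshots of a
# KSK/ZSK and a CSK algorithm rollover.
#
# NOTE: "-e" is given on the shebang line, so it is only in effect when the
# script is executed directly; it is silently dropped when the script is run
# as "sh setup.sh".
#
# Variables holding several command-line options ($ksktimes, $zsktimes,
# $csktimes, ...) are intentionally left unquoted so the shell splits them
# into separate arguments. Everything that is a single value is quoted.

# shellcheck source=conf.sh
. ../../conf.sh

echo_i "ns6/setup.sh"

#######################################
# Select the zone the following commands operate on.
# Globals:   zone, zonefile, infile (written; deliberately NOT local because
#            the rest of this script reads them after every call)
# Arguments: $1 - zone name (required)
# Outputs:   progress line via echo_i
#######################################
setup() {
  zone="${1:?setup: zone name required}"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  infile="${zone}.db.infile"
}

# Make lines shorter by storing key states in environment variables.
H="HIDDEN"
R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"

# Lifetime test zones only need an unsigned copy of the template.
for zn in shorter-lifetime longer-lifetime limit-lifetime unlimit-lifetime; do
  setup "$zn"
  cp template.db.in "$zonefile"
done

# The child zones (step1, step2) beneath these zones represent the various
# steps of unsigning a zone.
for zn in going-insecure.kasp going-insecure-dynamic.kasp; do
  # Step 1:
  # Set up a zone with dnssec-policy that is going insecure.
  setup "step1.$zn"
  echo "$zone" >>zones
  T="now-10d"
  ksktimes="-P $T -A $T -P sync $T"
  zsktimes="-P $T -A $T"
  KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
  ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.$zone.2")
  cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
  cp "$infile" "$zonefile"
  $SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

  # Step 2:
  # Set up a zone with dnssec-policy that is going insecure. Don't add
  # this zone to the zones file, because this zone is no longer expected
  # to be fully signed.
  setup "step2.$zn"
  # The DS was withdrawn from the parent zone 26 hours ago.
  Trem="now-26h"
  # $T still holds the step 1 value (now-10d): both steps share the key
  # publication/activation times and differ only in the DS state.
  ksktimes="-P $T -A $T -P sync $T"
  zsktimes="-P $T -A $T"
  KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
  ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.$zone.2")
  $SETTIME -s -g "$H" -k "$O" "$T" -r "$O" "$T" -d "$U" "$Trem" -D ds "$Trem" "$KSK" >"settime.out.$zone.1" 2>&1
  $SETTIME -s -g "$H" -k "$O" "$T" -z "$O" "$T" "$ZSK" >"settime.out.$zone.2" 2>&1
  # Fake lifetime of old algorithm keys.
  echo "Lifetime: 0" >>"${KSK}.state"
  echo "Lifetime: 5184000" >>"${ZSK}.state"
  cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
  cp "$infile" "$zonefile"
  $SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1
done

# This zone is going straight to "none" policy. This is undefined behavior.
setup step1.going-straight-to-none.kasp
echo "$zone" >>zones
TactN="now"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
CSK=$($KEYGEN -k default $csktimes "$zone" 2>"keygen.out.$zone.1")
$SETTIME -s -g "$O" -k "$O" "$TactN" -z "$O" "$TactN" -r "$O" "$TactN" -d "$O" "$TactN" "$CSK" >"settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -z -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# This zone is going straight to "none" policy. This is undefined behavior.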
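setup step1.going-straight-to-none-dynamic.kasp
echo "$zone" >>zones
TactN="now"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
CSK=$($KEYGEN -k default $csktimes "$zone" 2>"keygen.out.$zone.1")
$SETTIME -s -g "$O" -k "$O" "$TactN" -z "$O" "$TactN" -r "$O" "$TactN" -d "$O" "$TactN" "$CSK" >"settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK" >>"$infile"
cp "$infile" "$zonefile"
# "-O full" (not raw) is what sets this dynamic variant apart from its
# non-dynamic sibling zone.
$SIGNER -S -z -x -s now-1h -e now+2w -o "$zone" -O full -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

#
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
# algorithm rollover.
#
# Each step generates the keys with fixed timing metadata, forces their key
# states with dnssec-settime, and writes an already-signed zone so named
# starts in the middle of the rollover. The old keys are RSASHA256
# (algorithm number 8 in the private-type records); the new keys use
# $DEFAULT_ALGORITHM / $DEFAULT_ALGORITHM_NUMBER from conf.sh.
#

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.algorithm-roll.kasp
echo "$zone" >>zones
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g "$O" -k "$O" "$TactN" -r "$O" "$TactN" -d "$O" "$TactN" "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TactN" -z "$O" "$TactN" "$ZSK" >"settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" 8 "$KSK" >>"$infile"
private_type_record "$zone" 8 "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =
# now - 3h + 6h + 1h + 1h = now + 5h
TsbmN1="now+5h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
zsk1times="-P ${TactN} -A ${TactN} -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -d "$O" "$TactN" "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$H" -k "$O" "$TactN" -z "$O" "$TactN" "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g "$O" -k "$R" "$TpubN1" -r "$R" "$TpubN1" -d "$H" "$TpubN1" "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g "$O" -k "$R" "$TpubN1" -z "$R" "$TpubN1" "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TsbmN1="now-1h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -d "$O" "$TactN" "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$H" -k "$O" "$TactN" -z "$O" "$TactN" "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -r "$O" "$TpubN1" -d "$H" "$TpubN1" "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -z "$R" "$TpubN1" "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TsbmN1="now-30h"
TactN1="now-29h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# Old KSK: DS withdrawn (-D ds) at TactN1; new KSK: DS published (-P ds) at
# the same moment, which is the swap the step name refers to.
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -d "$U" "$TactN1" -D ds "$TactN1" "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$H" -k "$O" "$TactN" -z "$O" "$TactN" "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -r "$O" "$TpubN1" -d "$R" "$TactN1" -P ds "$TactN1" "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -z "$R" "$TpubN1" "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TsbmN1="now-32h"
TactN1="now-31h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
$SETTIME -s -g "$H" -k "$U" "$TremN" -r "$U" "$TremN" -d "$H" "$TactN1" "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$H" -k "$U" "$TremN" -z "$U" "$TremN" "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -r "$O" "$TpubN1" -d "$O" "$TactN1" "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -z "$R" "$TpubN1" "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TremN="now-7h"
TpubN1="now-47h"
TsbmN1="now-39h"
TactN1="now-38h"
TdeaN="now-9h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
$SETTIME -s -g "$H" -k "$H" "$TremN" -r "$U" "$TdeaN" -d "$H" "$TactN1" "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$H" -k "$H" "$TremN" -z "$U" "$TdeaN" "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -r "$O" "$TpubN1" -d "$O" "$TactN1" "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -z "$R" "$TpubN1" "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

#
# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
# algorithm rollover.
#

# Step 1:
# Introduce the first key. This will immediately be active.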
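setup step1.csk-algorithm-roll.kasp
echo "$zone" >>zones
TactN="now"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
# The old CSK comes from policies/csk1.conf; its private-type records use
# algorithm number 5 below (RSASHA1 in the IANA registry — presumably what
# csk1.conf selects; verify against that file). The new CSK comes from
# policies/csk2.conf and is recorded with $DEFAULT_ALGORITHM_NUMBER.
CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
$SETTIME -s -g "$O" -k "$O" "$TactN" -r "$O" "$TactN" -z "$O" "$TactN" -d "$O" "$TactN" "$CSK" >"settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record "$zone" 5 "$CSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -z "$O" "$TactN" -d "$O" "$TactN" "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$R" "$TpubN1" -r "$R" "$TpubN1" -z "$R" "$TpubN1" -d "$H" "$TpubN1" "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TactN1="now-6h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -z "$O" "$TactN" -d "$O" "$TactN" "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TactN1" -r "$O" "$TactN1" -z "$R" "$TpubN1" -d "$H" "$TpubN1" "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.csk-algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TactN1="now-35h"
TsubN1="now-29h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# Old CSK: DS withdrawn (-D ds) at TactN1; new CSK: DS published (-P ds) at
# TsubN1 — the swap this step is named after.
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -z "$O" "$TactN" -d "$U" "$TactN1" -D ds "$TactN1" "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TactN1" -r "$O" "$TactN1" -z "$O" "$TsubN1" -d "$R" "$TsubN1" -P ds "$TsubN1" "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.csk-algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TactN1="now-37h"
TsubN1="now-31h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g "$H" -k "$U" "$TremN" -r "$U" "$TremN" -z "$U" "$TremN" -d "$H" "$TremN" "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TactN1" -r "$O" "$TactN1" -z "$O" "$TsubN1" -d "$O" "$TremN" "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.csk-algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TdeaN="now-9h"
TremN="now-7h"
TpubN1="now-47h"
TactN1="now-44h"
TsubN1="now-38h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g "$H" -k "$H" "$TremN" -r "$U" "$TdeaN" -z "$U" "$TdeaN" -d "$H" "$TactN1" "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TactN1" -r "$O" "$TactN1" -z "$O" "$TsubN1" -d "$O" "$TactN1" "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

#
# Reload testing
#
echo "example" >>zones
cp example.db.in example.db

# Unsigned copy of the template; this zone is not pre-signed here.
setup "dynamic2inline.kasp"
cp template.db.in "$zonefile"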