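#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# ns6/setup.sh: build the pre-signed zones and key files for the ns6 server
# of the kasp system test. Each zone below is a frozen snapshot of either an
# auto-dnssec -> dnssec-policy migration or of one step of an algorithm
# rollover, so the server can be checked against a known key/state layout.
#
# Requires SYSTEMTESTTOP to point at the system test root; conf.sh provides
# echo_i, keyfile_to_key_id and the KEYGEN/SETTIME/SIGNER tool paths.

# The -e in the shebang is lost when the script is started as "sh setup.sh",
# so request exit-on-error explicitly as well: a failed keygen/settime/sign
# must abort setup instead of leaving a half-built zone behind.
set -e

# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"

echo_i "ns6/setup.sh"

#######################################
# Select the zone that the following commands operate on.
# Globals:   zone, zonefile, infile (written)
# Arguments: $1 - zone name
#######################################
setup() {
  zone="$1"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  infile="${zone}.db.infile"
}

#######################################
# Print the private-type (TYPE65534) record that auto-dnssec uses to track
# the signing state of one key, in RFC 3597 generic (\#) syntax.
# Arguments: $1 - zone name
#            $2 - DNSSEC algorithm number (decimal)
#            $3 - key file base name as printed by dnssec-keygen
# Outputs:   one RR on stdout with 5 bytes of RDATA: algorithm (1 byte),
#            key id (2 bytes) and two trailing flag bytes left at zero.
#######################################
private_type_record() {
  _zone=$1
  _algorithm=$2
  _keyfile=$3

  # keyfile_to_key_id comes from conf.sh; under set -e a failure here aborts
  # the script instead of emitting a record with an empty key id.
  _id=$(keyfile_to_key_id "$_keyfile")

  printf "%s. 0 IN TYPE65534 %s 5 %02x%04x0000\n" "$_zone" "\\#" "$_algorithm" "$_id"
}


# Make lines shorter by storing key states in environment variables.
# These are the dnssec-settime key-state names passed to -g/-k/-r/-z/-d.
H="HIDDEN"
R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"

# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
# Here the existing keys already match the target policy: ECDSAP256SHA256,
# which is DNSSEC algorithm number 13 in the private-type records below.
setup migrate.kasp
echo "$zone" >> zones
ksktimes="-P now -A now -P sync now"
zsktimes="-P now -A now"
# $ksktimes/$zsktimes carry several options and must be word-split.
# shellcheck disable=SC2086
KSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes "$zone" 2> "keygen.out.${zone}.1")
# shellcheck disable=SC2086
ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes "$zone" 2> "keygen.out.${zone}.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record "$zone" 13 "$KSK" >> "$infile"
private_type_record "$zone" 13 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.${zone}.1" 2>&1

# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# RSASHA1 keys, and will be migrated to a dnssec-policy that dictates
# ECDSAP256SHA256 keys.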
setup migrate-nomatch-algnum.kasp
printf '%s\n' "$zone" >> zones
# Timings are chosen so that, by the dnssec-policy's accounting, the DS is
# already OMNIPRESENT, the DNSKEY TTL plus propagation delay has elapsed, and
# the zone's maximum TTL plus propagation delay has elapsed.
Tds="now-24h"
Tkey="now-3900s"
Tsig="now-12h"
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tsig} -A ${Tsig}"
# Legacy RSASHA1 keys (algorithm 5): the policy this zone migrates to wants
# ECDSAP256SHA256, so the algorithm mismatch is the point of this zone.
KSK=$($KEYGEN -a RSASHA1 -b 2048 -L 300 -f KSK $ksktimes "$zone" 2> "keygen.out.${zone}.1")
ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes "$zone" 2> "keygen.out.${zone}.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record "$zone" 5 "$KSK" >> "$infile"
private_type_record "$zone" 5 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full \
  -f "$zonefile" "$infile" > "signer.out.${zone}.1" 2>&1

# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# 1024 bits RSASHA1 keys, and will be migrated to a dnssec-policy that
# dictates 2048 bits RSASHA1 keys.
setup migrate-nomatch-alglen.kasp
printf '%s\n' "$zone" >> zones
# Same timing assumptions as migrate-nomatch-algnum.kasp above.
Tds="now-24h"
Tkey="now-3900s"
Tsig="now-12h"
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tsig} -A ${Tsig}"
# Both keys are deliberately 1024 bits so that only the key length, not the
# algorithm, differs from the target policy.
KSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 -f KSK $ksktimes "$zone" 2> "keygen.out.${zone}.1")
ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes "$zone" 2> "keygen.out.${zone}.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record "$zone" 5 "$KSK" >> "$infile"
private_type_record "$zone" 5 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full \
  -f "$zonefile" "$infile" > "signer.out.${zone}.1" 2>&1

#
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
# algorithm rollover.
#

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.algorithm-roll.kasp
printf '%s\n' "$zone" >> zones
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
# The rollover starts from RSASHA1 (algorithm 5) keys.
KSK=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksktimes "$zone" 2> "keygen.out.${zone}.1")
ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zsktimes "$zone" 2> "keygen.out.${zone}.2")
# Write key state files: goal and every record state OMNIPRESENT as of TactN.
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > "settime.out.${zone}.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record "$zone" 5 "$KSK" >> "$infile"
private_type_record "$zone" 5 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full \
  -f "$zonefile" "$infile" > "signer.out.${zone}.1" 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
# Old keys became active 3 hours ago and are inactivated now; the new
# algorithm keys were published at that same moment.
TactN="now-3h"
TpubN1="now-3h"
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =
# now - 3h + 6h + 1h + 1h = now + 5h
TsbmN1="now+5h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
zsk1times="-P ${TactN} -A ${TactN} -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
# Outgoing keys: RSASHA1 (algorithm 5). Incoming: ECDSAP256SHA256 (13).
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times "$zone" 2> "keygen.out.${zone}.1")
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times "$zone" 2> "keygen.out.${zone}.2")
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times "$zone" 2> "keygen.out.${zone}.3")
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times "$zone" 2> "keygen.out.${zone}.4")
# States: old keys have goal HIDDEN but every record still OMNIPRESENT; new
# keys have goal OMNIPRESENT, DNSKEY/RRSIG RUMOURED and the DS still HIDDEN.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > "settime.out.${zone}.2" 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > "settime.out.${zone}.3" 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > "settime.out.${zone}.4" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${KSK1}.state"
printf 'Lifetime: 0\n' >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record "$zone" 5 "$KSK1" >> "$infile"
private_type_record "$zone" 5 "$ZSK1" >> "$infile"
private_type_record "$zone" 13 "$KSK2" >> "$infile"
private_type_record "$zone" 13 "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full \
  -f "$zonefile" "$infile" > "signer.out.${zone}.1" 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
# Old keys: active 9 hours ago, retired 6 hours ago. New keys: published 9
# hours ago, DS submitted 1 hour ago.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TsbmN1="now-1h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times "$zone" 2> "keygen.out.${zone}.1")
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times "$zone" 2> "keygen.out.${zone}.2")
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times "$zone" 2> "keygen.out.${zone}.3")
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times "$zone" 2> "keygen.out.${zone}.4")
# States: new DNSKEY and KSK signatures are now OMNIPRESENT, new DS still
# HIDDEN. NOTE(review): ZSK2's zone-signature state is written as RUMOURED
# although the step header says signatures are OMNIPRESENT - presumably the
# server is expected to advance it; confirm against the step3 checks.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > "settime.out.${zone}.2" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > "settime.out.${zone}.3" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > "settime.out.${zone}.4" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${KSK1}.state"
printf 'Lifetime: 0\n' >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record "$zone" 5 "$KSK1" >> "$infile"
private_type_record "$zone" 5 "$ZSK1" >> "$infile"
private_type_record "$zone" 13 "$KSK2" >> "$infile"
private_type_record "$zone" 13 "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full \
  -f "$zonefile" "$infile" > "signer.out.${zone}.1" 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
# Old keys: active 38 hours ago, retired 35 hours ago. New keys: published
# 38 hours ago, DS submitted 30 hours ago and active (swapped) 29 hours ago.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TsbmN1="now-30h"
TactN1="now-29h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times "$zone" 2> "keygen.out.${zone}.1")
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times "$zone" 2> "keygen.out.${zone}.2")
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times "$zone" 2> "keygen.out.${zone}.3")
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times "$zone" 2> "keygen.out.${zone}.4")
# States: the old DS is UNRETENTIVE and the new DS RUMOURED since TactN1;
# everything else is unchanged from step 3.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 "$KSK1" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > "settime.out.${zone}.2" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 "$KSK2" > "settime.out.${zone}.3" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > "settime.out.${zone}.4" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${KSK1}.state"
printf 'Lifetime: 0\n' >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record "$zone" 5 "$KSK1" >> "$infile"
private_type_record "$zone" 5 "$ZSK1" >> "$infile"
private_type_record "$zone" 13 "$KSK2" >> "$infile"
private_type_record "$zone" 13 "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full \
  -f "$zonefile" "$infile" > "signer.out.${zone}.1" 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
# Old keys: active 40 hours ago, retired 37 hours ago, DNSKEY removed 2 hours
# ago. New keys: published 40 hours ago, DS submitted 32 hours ago and
# active 31 hours ago.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TsbmN1="now-32h"
TactN1="now-31h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times "$zone" 2> "keygen.out.${zone}.1")
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times "$zone" 2> "keygen.out.${zone}.2")
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times "$zone" 2> "keygen.out.${zone}.3")
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times "$zone" 2> "keygen.out.${zone}.4")
# States: old DNSKEY and signatures UNRETENTIVE since TremN, old DS HIDDEN;
# the new DS is OMNIPRESENT since TactN1.
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" > "settime.out.${zone}.2" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > "settime.out.${zone}.3" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > "settime.out.${zone}.4" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${KSK1}.state"
printf 'Lifetime: 0\n' >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record "$zone" 5 "$KSK1" >> "$infile"
private_type_record "$zone" 5 "$ZSK1" >> "$infile"
private_type_record "$zone" 13 "$KSK2" >> "$infile"
private_type_record "$zone" 13 "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full \
  -f "$zonefile" "$infile" > "signer.out.${zone}.1" 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.algorithm-roll.kasp
# Additional time passed: 7h.
# Old keys: active 47 hours ago, retired 44 hours ago, signatures stopped 9
# hours ago, DNSKEY removed 7 hours ago. New keys: published 47 hours ago,
# DS submitted 39 hours ago and active 38 hours ago.
TactN="now-47h"
TretN="now-44h"
TremN="now-7h"
TpubN1="now-47h"
TsbmN1="now-39h"
TactN1="now-38h"
TdeaN="now-9h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times "$zone" 2> "keygen.out.${zone}.1")
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times "$zone" 2> "keygen.out.${zone}.2")
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times "$zone" 2> "keygen.out.${zone}.3")
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times "$zone" 2> "keygen.out.${zone}.4")
# States: the old DNSKEY is HIDDEN since TremN while its signatures are
# still UNRETENTIVE since TdeaN; the new keys are fully OMNIPRESENT except
# ZSK2's zone signatures, left RUMOURED as in the previous steps.
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > "settime.out.${zone}.2" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > "settime.out.${zone}.3" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > "settime.out.${zone}.4" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${KSK1}.state"
printf 'Lifetime: 0\n' >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record "$zone" 5 "$KSK1" >> "$infile"
private_type_record "$zone" 5 "$ZSK1" >> "$infile"
private_type_record "$zone" 13 "$KSK2" >> "$infile"
private_type_record "$zone" 13 "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full \
  -f "$zonefile" "$infile" > "signer.out.${zone}.1" 2>&1

#
# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
# algorithm rollover.
#

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.csk-algorithm-roll.kasp
printf '%s\n' "$zone" >> zones
TactN="now"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
# The CSK is generated from the csk-algoroll policy in policies/csk1.conf
# rather than from explicit -a/-b options; the private-type record below
# labels it algorithm 5 (RSASHA1).
CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2> "keygen.out.${zone}.1")
# A CSK carries both signature states (-r and -z); all OMNIPRESENT from TactN.
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > "settime.out.${zone}.1" 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record "$zone" 5 "$CSK" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O full \
  -f "$zonefile" "$infile" > "signer.out.${zone}.1" 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
newtimes="-P ${TpubN1} -A ${TpubN1}"
# Old CSK from policies/csk1.conf (algorithm 5), new CSK from
# policies/csk2.conf (algorithm 13).
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2> "keygen.out.${zone}.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2> "keygen.out.${zone}.2")
# States: old CSK goal HIDDEN but still OMNIPRESENT everywhere; new CSK goal
# OMNIPRESENT, DNSKEY and both signature types RUMOURED, DS HIDDEN.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > "settime.out.${zone}.2" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 5 "$CSK1" >> "$infile"
private_type_record "$zone" 13 "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O full \
  -f "$zonefile" "$infile" > "signer.out.${zone}.1" 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
# Old CSK: active 9 hours ago, retired 6 hours ago. New CSK: published 9
# hours ago, DNSKEY/KSK signatures OMNIPRESENT since 6 hours ago.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TactN1="now-6h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2> "keygen.out.${zone}.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2> "keygen.out.${zone}.2")
# New CSK's zone signatures stay RUMOURED and its DS HIDDEN at this step.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > "settime.out.${zone}.2" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 5 "$CSK1" >> "$infile"
private_type_record "$zone" 13 "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O full \
  -f "$zonefile" "$infile" > "signer.out.${zone}.1" 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.csk-algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TactN1="now-35h"
TsubN1="now-29h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2> "keygen.out.${zone}.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2> "keygen.out.${zone}.2")
# States: old DS UNRETENTIVE since TactN1; new zone signatures OMNIPRESENT
# and new DS RUMOURED since TsubN1.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 "$CSK1" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 "$CSK2" > "settime.out.${zone}.2" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 5 "$CSK1" >> "$infile"
private_type_record "$zone" 13 "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O full \
  -f "$zonefile" "$infile" > "signer.out.${zone}.1" 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.csk-algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
# Old CSK: active 40 hours ago, retired 37 hours ago, removed 2 hours ago.
# New CSK: published 40 hours ago, active 37 hours ago, DS submitted 31
# hours ago.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TactN1="now-37h"
TsubN1="now-31h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2> "keygen.out.${zone}.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2> "keygen.out.${zone}.2")
# States: every old record UNRETENTIVE since TremN except the old DS, which
# is HIDDEN; the new DS became OMNIPRESENT at TremN as well.
# NOTE(review): the KSK/ZSK variant of this step dates the DS changes at
# TactN1 rather than TremN - presumably intentional for the CSK case, but
# worth confirming against the step5 checks.
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > "settime.out.${zone}.2" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 5 "$CSK1" >> "$infile"
private_type_record "$zone" 13 "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O full \
  -f "$zonefile" "$infile" > "signer.out.${zone}.1" 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.csk-algorithm-roll.kasp
# Additional time passed: 7h.
# Old CSK: active 47 hours ago, retired 44 hours ago, signatures stopped 9
# hours ago, DNSKEY removed 7 hours ago. New CSK: published 47 hours ago,
# active 44 hours ago, DS submitted 38 hours ago.
TactN="now-47h"
TretN="now-44h"
TdeaN="now-9h"
TremN="now-7h"
TpubN1="now-47h"
TactN1="now-44h"
TsubN1="now-38h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2> "keygen.out.${zone}.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2> "keygen.out.${zone}.2")
# States: old DNSKEY HIDDEN since TremN, old signatures still UNRETENTIVE
# since TdeaN, old DS HIDDEN; the new CSK is OMNIPRESENT throughout.
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > "settime.out.${zone}.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > "settime.out.${zone}.2" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 5 "$CSK1" >> "$infile"
private_type_record "$zone" 13 "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O full \
  -f "$zonefile" "$infile" > "signer.out.${zone}.1" 2>&1