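#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# ns6/setup.sh: build the pre-signed zone fixtures served by ns6 in the
# kasp system test.  Each zone is signed here with keys whose timing
# metadata and key states are pinned to one point of a scenario (migration
# from auto-dnssec to dnssec-policy, going insecure, ZSK/KSK and CSK
# algorithm rollovers), so the test can check how named treats that state.
#
# Expected from conf.sh: SYSTEMTESTTOP, KEYGEN, SETTIME, SIGNER,
# DEFAULT_ALGORITHM, DEFAULT_ALGORITHM_NUMBER, echo_i, keyfile_to_key_id.
# Reads template.db.in and policies/*.conf; writes the "zones" list, the
# <zone>.db and <zone>.db.infile files, the K* key/state files and the
# keygen.out.*, settime.out.* and signer.out.* logs in this directory.

# The -e in the shebang only takes effect when the script is executed
# directly; it is lost when started as "sh setup.sh", so set it here too.
# A failed keygen/settime/signer step must abort instead of leaving a
# half-built (and later silently wrong) fixture behind.
set -e

# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"

echo_i "ns6/setup.sh"

#######################################
# Begin a new zone fixture.
# Globals (written): zone, zonefile, infile.  Deliberately not local: the
#   steps below read them until the next setup call.
# Arguments: $1 - zone name
#######################################
setup() {
  zone="$1"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  infile="${zone}.db.infile"
}

#######################################
# Print a TYPE65534 (private type) record for one signing key, in generic
# RDATA notation: "\# 5" followed by 5 bytes of hex, i.e. the algorithm
# number (1 byte), the key id (2 bytes) and "0000".
# NOTE(review): the two trailing zero bytes are presumably the flag bytes
# of BIND's private-type RDATA (key not removed, signing not complete);
# confirm against the signer before relying on that reading.
# Arguments: $1 - zone name
#            $2 - algorithm number (decimal, e.g. 5 for RSASHA1)
#            $3 - key file base name as printed by dnssec-keygen
# Outputs:   the record on stdout
# Returns:   non-zero when the key id cannot be derived from the key file
#######################################
private_type_record() {
  _zone=$1
  _algorithm=$2
  _keyfile=$3

  _id=$(keyfile_to_key_id "$_keyfile") || return 1

  printf "%s. 0 IN TYPE65534 %s 5 %02x%04x0000\n" "$_zone" "\\#" "$_algorithm" "$_id"
}


# Make lines shorter by storing the dnssec-settime key states in short
# shell variables.
H="HIDDEN"
R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"

# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
# Note: $ksktimes/$zsktimes are option lists and are expanded unquoted on
# purpose; $KEYGEN/$SIGNER are likewise left unquoted in case they carry
# options.
setup migrate.kasp
echo "$zone" >> zones
ksktimes="-P now -A now -P sync now"
zsktimes="-P now -A now"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.$zone.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1

# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# RSASHA1 keys, and will be migrated to a dnssec-policy that dictates
# ECDSAP256SHA256 keys.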
setup migrate-nomatch-algnum.kasp
echo "$zone" >> zones
# Key timing, all relative to now.
Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h"   # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tsig} -A ${Tsig}"
# RSASHA1 (algorithm 5) with a 1024-bit ZSK is the legacy side of this
# fixture on purpose: the policy it migrates to uses a different algorithm.
# $ksktimes/$zsktimes are option lists and must stay unquoted.
KSK=$($KEYGEN -a RSASHA1 -b 2048 -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes "$zone" 2>"keygen.out.$zone.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" 5 "$KSK" >>"$infile"
private_type_record "$zone" 5 "$ZSK" >>"$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1

# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# 1024 bits RSASHA1 keys, and will be migrated to a dnssec-policy that
# dictates 2048 bits RSASHA1 keys (same algorithm, different key length).
setup migrate-nomatch-alglen.kasp
echo "$zone" >> zones
Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h"   # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tsig} -A ${Tsig}"
KSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes "$zone" 2>"keygen.out.$zone.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" 5 "$KSK" >>"$infile"
private_type_record "$zone" 5 "$ZSK" >>"$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1

# The child zones (step1, step2) beneath these zones represent the various
# steps of unsigning a zone.
for zn in going-insecure.kasp going-insecure-dynamic.kasp
do
  # Step 1:
  # Set up a zone with dnssec-policy that is going insecure.  The keys
  # were published and activated 10 days ago.
  setup "step1.$zn"
  echo "$zone" >> zones
  T="now-10d"
  ksktimes="-P $T -A $T -P sync $T"
  zsktimes="-P $T -A $T"
  # $ksktimes/$zsktimes are option lists and must stay unquoted.
  KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
  ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.$zone.2")
  cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
  $SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1

  # Step 2:
  # Set up a zone with dnssec-policy that is going insecure. Don't add
  # this zone to the zones file, because this zone is no longer expected
  # to be fully signed.
  setup "step2.$zn"
  # The DS was withdrawn from the parent zone 26 hours ago.
  Trem="now-26h"
  ksktimes="-P $T -A $T -P sync $T"
  zsktimes="-P $T -A $T"
  KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
  ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.$zone.2")
  # Pin the key states: goal HIDDEN, DNSKEY/RRSIG OMNIPRESENT since $T,
  # DS UNRETENTIVE since the withdrawal.
  $SETTIME -s -g "$H" -k "$O" "$T" -r "$O" "$T" -d "$U" "$Trem" -D ds "$Trem" "$KSK" >"settime.out.$zone.1" 2>&1
  $SETTIME -s -g "$H" -k "$O" "$T" -z "$O" "$T" "$ZSK" >"settime.out.$zone.2" 2>&1
  # Fake lifetime of old algorithm keys.
  printf 'Lifetime: 0\n' >>"${KSK}.state"
  printf 'Lifetime: 5184000\n' >>"${ZSK}.state"
  cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
  $SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1
done

#
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
# algorithm rollover (from RSASHA1, algorithm 5, to DEFAULT_ALGORITHM).
#

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.algorithm-roll.kasp
echo "$zone" >> zones
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zsktimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g "$O" -k "$O" "$TactN" -r "$O" "$TactN" -d "$O" "$TactN" "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TactN" -z "$O" "$TactN" "$ZSK" >"settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" 5 "$KSK" >>"$infile"
private_type_record "$zone" 5 "$ZSK" >>"$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
# Key timing for this step, all relative to now.
TactN="now-3h"
TpubN1="now-3h"
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =
# now - 3h + 6h + 1h + 1h = now + 5h
TsbmN1="now+5h"
# Old (RSASHA1) keys are being retired now; new keys were published 3h ago.
# These are option lists and must stay unquoted where used.
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
zsk1times="-P ${TactN} -A ${TactN} -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# Old keys: goal HIDDEN, everything still OMNIPRESENT.
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -d "$O" "$TactN" "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$H" -k "$O" "$TactN" -z "$O" "$TactN" "$ZSK1" >"settime.out.$zone.2" 2>&1
# New keys: goal OMNIPRESENT, DNSKEY/RRSIG RUMOURED, DS still HIDDEN.
$SETTIME -s -g "$O" -k "$R" "$TpubN1" -r "$R" "$TpubN1" -d "$H" "$TpubN1" "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g "$O" -k "$R" "$TpubN1" -z "$R" "$TpubN1" "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >>"${KSK1}.state"
printf 'Lifetime: 0\n' >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 5 "$KSK1" >>"$infile"
private_type_record "$zone" 5 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
# Key timing for this step, all relative to now.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TsbmN1="now-1h"
# Option lists; must stay unquoted where used.
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# Old keys unchanged from the previous step; new KSK's DNSKEY and KRRSIG
# are now OMNIPRESENT, the new ZSK's ZRRSIG is still RUMOURED.
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -d "$O" "$TactN" "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$H" -k "$O" "$TactN" -z "$O" "$TactN" "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -r "$O" "$TpubN1" -d "$H" "$TpubN1" "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -z "$R" "$TpubN1" "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >>"${KSK1}.state"
printf 'Lifetime: 0\n' >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 5 "$KSK1" >>"$infile"
private_type_record "$zone" 5 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
# Key timing for this step, all relative to now.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TsbmN1="now-30h"
TactN1="now-29h"
# Option lists; must stay unquoted where used.
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# DS swap at $TactN1: old KSK's DS UNRETENTIVE (DS deleted), new KSK's DS
# RUMOURED (DS published).
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -d "$U" "$TactN1" -D ds "$TactN1" "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$H" -k "$O" "$TactN" -z "$O" "$TactN" "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -r "$O" "$TpubN1" -d "$R" "$TactN1" -P ds "$TactN1" "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -z "$R" "$TpubN1" "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >>"${KSK1}.state"
printf 'Lifetime: 0\n' >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 5 "$KSK1" >>"$infile"
private_type_record "$zone" 5 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
# Key timing for this step, all relative to now.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TsbmN1="now-32h"
TactN1="now-31h"
# Option lists; must stay unquoted where used.
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# Old keys: DNSKEY and signatures UNRETENTIVE since $TremN, DS already
# HIDDEN.  New KSK: DS OMNIPRESENT since $TactN1.
$SETTIME -s -g "$H" -k "$U" "$TremN" -r "$U" "$TremN" -d "$H" "$TactN1" "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$H" -k "$U" "$TremN" -z "$U" "$TremN" "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -r "$O" "$TpubN1" -d "$O" "$TactN1" "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -z "$R" "$TpubN1" "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >>"${KSK1}.state"
printf 'Lifetime: 0\n' >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 5 "$KSK1" >>"$infile"
private_type_record "$zone" 5 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.algorithm-roll.kasp
# Additional time passed: 7h.
# Key timing for this step, all relative to now.
TactN="now-47h"
TretN="now-44h"
TremN="now-7h"
TpubN1="now-47h"
TsbmN1="now-39h"
TactN1="now-38h"
TdeaN="now-9h"
# Option lists; must stay unquoted where used.
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# Old keys: DNSKEY HIDDEN since $TremN, signatures UNRETENTIVE since $TdeaN.
$SETTIME -s -g "$H" -k "$H" "$TremN" -r "$U" "$TdeaN" -d "$H" "$TactN1" "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$H" -k "$H" "$TremN" -z "$U" "$TdeaN" "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -r "$O" "$TpubN1" -d "$O" "$TactN1" "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -z "$R" "$TpubN1" "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >>"${KSK1}.state"
printf 'Lifetime: 0\n' >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 5 "$KSK1" >>"$infile"
private_type_record "$zone" 5 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1

#
# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
# algorithm rollover.  The CSK policies come from policies/csk1.conf (old
# algorithm) and policies/csk2.conf (new algorithm).
#

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.csk-algorithm-roll.kasp
echo "$zone" >> zones
TactN="now"
# Option list; must stay unquoted where used.
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
# A CSK carries all four states: DNSKEY, KRRSIG, ZRRSIG and DS.
$SETTIME -s -g "$O" -k "$O" "$TactN" -r "$O" "$TactN" -z "$O" "$TactN" -d "$O" "$TactN" "$CSK" >"settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record "$zone" 5 "$CSK" >>"$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# Old CSK: goal HIDDEN, still OMNIPRESENT everywhere.
# New CSK: goal OMNIPRESENT, DNSKEY/RRSIGs RUMOURED, DS HIDDEN.
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -z "$O" "$TactN" -d "$O" "$TactN" "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$R" "$TpubN1" -r "$R" "$TpubN1" -z "$R" "$TpubN1" -d "$H" "$TpubN1" "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
# Key timing for this step, all relative to now.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TactN1="now-6h"
# Option lists; must stay unquoted where used.
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# New CSK: DNSKEY and KRRSIG OMNIPRESENT since $TactN1; ZRRSIG RUMOURED,
# DS HIDDEN.
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -z "$O" "$TactN" -d "$O" "$TactN" "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TactN1" -r "$O" "$TactN1" -z "$R" "$TpubN1" -d "$H" "$TpubN1" "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.csk-algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TactN1="now-35h"
TsubN1="now-29h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# DS swap at $TactN1 (old, deleted) / $TsubN1 (new, published).
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -z "$O" "$TactN" -d "$U" "$TactN1" -D ds "$TactN1" "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TactN1" -r "$O" "$TactN1" -z "$O" "$TsubN1" -d "$R" "$TsubN1" -P ds "$TsubN1" "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.csk-algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TactN1="now-37h"
TsubN1="now-31h"
# Option lists; must stay unquoted where used.
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# Old CSK: DNSKEY/RRSIGs UNRETENTIVE since $TremN, DS HIDDEN.
# New CSK: fully OMNIPRESENT (DS since $TremN).
$SETTIME -s -g "$H" -k "$U" "$TremN" -r "$U" "$TremN" -z "$U" "$TremN" -d "$H" "$TremN" "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TactN1" -r "$O" "$TactN1" -z "$O" "$TsubN1" -d "$O" "$TremN" "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.csk-algorithm-roll.kasp
# Additional time passed: 7h.
# Key timing for this step, all relative to now.
TactN="now-47h"
TretN="now-44h"
TdeaN="now-9h"
TremN="now-7h"
TpubN1="now-47h"
TactN1="now-44h"
TsubN1="now-38h"
# Option lists; must stay unquoted where used.
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# Old CSK: DNSKEY HIDDEN since $TremN, RRSIGs UNRETENTIVE since $TdeaN,
# DS HIDDEN.  New CSK: fully OMNIPRESENT.
$SETTIME -s -g "$H" -k "$H" "$TremN" -r "$U" "$TdeaN" -z "$U" "$TdeaN" -d "$H" "$TactN1" "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TactN1" -r "$O" "$TactN1" -z "$O" "$TsubN1" -d "$O" "$TactN1" "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
printf 'Lifetime: 0\n' >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1