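#!/bin/sh -e

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# ns6/setup.sh
#
# Pre-builds the ns6 zones of this system test.  Every "stepN.<zone>" is a
# snapshot of a rollover (going insecure, ZSK/KSK algorithm roll, CSK
# algorithm roll) at a fixed point in time: the keys are generated with
# backdated timing metadata and explicit key states, so the server under
# test loads a zone that is already part-way through the rollover.
#
# Environment: SYSTEMTESTTOP must point at the system test directory.  The
# tool variables (KEYGEN, SETTIME, SIGNER), DEFAULT_ALGORITHM and
# DEFAULT_ALGORITHM_NUMBER, and the helpers echo_i and private_type_record
# are not defined here; they are expected to come from the sourced conf.sh.
#
# Outputs (per zone): <zone>.db.infile (unsigned input), <zone>.db (signed),
# the K<zone>.+NNN+NNNNN.{key,private,state} files, keygen.out.*,
# settime.out.* and signer.out.* logs, plus the "zones" list consumed by the
# test driver.

# The "-e" in the shebang is lost when the script is invoked as
# "sh setup.sh", so request it explicitly: a failed keygen/settime/signer
# step must abort setup here rather than surface as a confusing failure
# later in the test run.
set -e

# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"

echo_i "ns6/setup.sh"

# Select the zone to build next.  Sets the globals the steps below rely on:
#   zone     - zone name ($1)
#   zonefile - signed output file (<zone>.db)
#   infile   - unsigned input assembled from template.db.in and the keys
setup() {
  zone="$1"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  infile="${zone}.db.infile"
}

# Make lines shorter by storing key states in environment variables.
H="HIDDEN"
R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"

# Note on quoting throughout this file: $KEYGEN/$SETTIME/$SIGNER and the
# "*times" strings are deliberately left unquoted so the shell splits them
# into separate command-line arguments.

# The child zones (step1, step2) beneath these zones represent the various
# steps of unsigning a zone.
for zn in going-insecure.kasp going-insecure-dynamic.kasp
do
  # Step 1:
  # Set up a zone with dnssec-policy that is going insecure.
  setup step1.$zn
  echo "$zone" >> zones
  T="now-10d"
  ksktimes="-P $T -A $T -P sync $T"
  zsktimes="-P $T -A $T"
  KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
  ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
  cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
  private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
  private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
  $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

  # Step 2:
  # Set up a zone with dnssec-policy that is going insecure. Don't add
  # this zone to the zones file, because this zone is no longer expected
  # to be fully signed.
  setup step2.$zn
  # The DS was withdrawn from the parent zone 26 hours ago.
  Trem="now-26h"
  # $T ("now-10d") is intentionally carried over from step 1: the keys of
  # step 2 were published/activated at the same time as those of step 1.
  ksktimes="-P $T -A $T -P sync $T"
  zsktimes="-P $T -A $T"
  KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
  ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
  # Goal HIDDEN; DNSKEY/RRSIG still OMNIPRESENT, DS already UNRETENTIVE.
  $SETTIME -s -g $H -k $O $T -r $O $T -d $U $Trem -D ds $Trem "$KSK" > settime.out.$zone.1 2>&1
  $SETTIME -s -g $H -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
  # Fake lifetime of old algorithm keys.
  echo "Lifetime: 0" >> "${KSK}.state"
  echo "Lifetime: 5184000" >> "${ZSK}.state"
  cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
  private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
  private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
  $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
done

# This zone is going straight to "none" policy. This is undefined behavior.
setup step1.going-straight-to-none.kasp
echo "$zone" >> zones
TactN="now"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
CSK=$($KEYGEN -k default $csktimes $zone 2> keygen.out.$zone.1)
$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

#
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
# algorithm rollover.
#
# The old keys are RSASHA1 (DNSSEC algorithm number 5, hence the literal 5
# passed to private_type_record); the new keys use DEFAULT_ALGORITHM.
#

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.algorithm-roll.kasp
echo "$zone" >> zones
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 5 "$KSK" >> "$infile"
private_type_record $zone 5 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =
# now - 3h + 6h + 1h + 1h = now + 5h
TsbmN1="now+5h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
zsk1times="-P ${TactN} -A ${TactN} -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TsbmN1="now-1h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TsbmN1="now-30h"
TactN1="now-29h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
# Old KSK: DS withdrawn (UNRETENTIVE); new KSK: DS published (RUMOURED).
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TsbmN1="now-32h"
TactN1="now-31h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TremN="now-7h"
TpubN1="now-47h"
TsbmN1="now-39h"
TactN1="now-38h"
TdeaN="now-9h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

#
# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
# algorithm rollover.
#
# The CSKs are generated from the policies in policies/csk1.conf (old
# algorithm, private-type record uses algorithm number 5) and
# policies/csk2.conf (new algorithm, DEFAULT_ALGORITHM_NUMBER).
#

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.csk-algorithm-roll.kasp
echo "$zone" >> zones
TactN="now"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone 5 "$CSK" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TactN1="now-6h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.csk-algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TactN1="now-35h"
TsubN1="now-29h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
# Old CSK: DS withdrawn (UNRETENTIVE); new CSK: DS published (RUMOURED).
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.csk-algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TactN1="now-37h"
TsubN1="now-31h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.csk-algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TdeaN="now-9h"
TremN="now-7h"
TpubN1="now-47h"
TactN1="now-44h"
TsubN1="now-38h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

#
# Reload testing
#
echo "example" >> zones
cp example.db.in example.db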