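#!/bin/sh -e

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Set up the zones served by ns6: zones that are going insecure, a zone that
# goes straight to "none" policy, and one zone per step of a ZSK/KSK and of a
# CSK algorithm rollover. Every step gets its own zone whose key files, key
# state files and signed zone file are generated here, so the test can start
# named from a known key state and check the transitions it makes.
#
# The "-e" in the shebang line is lost when this script is started as
# "sh setup.sh", so request it explicitly as well: a failing dnssec-keygen,
# dnssec-settime or dnssec-signzone must abort the setup rather than leave a
# half-built zone behind for the test to misreport.
set -e

# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"

echo_i "ns6/setup.sh"

#######################################
# Select the zone the commands that follow operate on.
# Globals:   zone, zonefile, infile (written; read by every step below)
# Arguments: $1 - zone name
# Outputs:   progress line via echo_i
#######################################
setup() {
  zone="$1"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  infile="${zone}.db.infile"
}

# Make lines shorter by storing the key state names in shell variables.
H="HIDDEN"
R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"

# Quoting convention for the whole file: variables that hold several
# dnssec-keygen options ($ksktimes, $zsktimes, ...) and the tool variables
# from conf.sh ($KEYGEN, $SETTIME, $SIGNER) are intentionally unquoted so the
# shell splits them into words; zone names, file names and algorithm values
# are quoted.

# The child zones (step1, step2) beneath these zones represent the various
# steps of unsigning a zone.
for zn in going-insecure.kasp going-insecure-dynamic.kasp
do
  # Step 1:
  # Set up a zone with dnssec-policy that is going insecure. The keys were
  # published and activated 10 days ago, so the zone starts out fully signed.
  setup "step1.$zn"
  echo "$zone" >> zones
  T="now-10d"
  ksktimes="-P $T -A $T -P sync $T"
  zsktimes="-P $T -A $T"
  KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2> "keygen.out.$zone.1")
  ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2> "keygen.out.$zone.2")
  cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >> "$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >> "$infile"
  cp "$infile" "$zonefile"
  $SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" > "signer.out.$zone.1" 2>&1

  # Step 2:
  # Set up a zone with dnssec-policy that is going insecure, one step further
  # along: the DS was withdrawn from the parent zone 26 hours ago. Don't add
  # this zone to the zones file, because this zone is no longer expected to
  # be fully signed. $T is still the value set for step 1 above.
  setup "step2.$zn"
  Trem="now-26h"
  ksktimes="-P $T -A $T -P sync $T"
  zsktimes="-P $T -A $T"
  KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2> "keygen.out.$zone.1")
  ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2> "keygen.out.$zone.2")
  # Key states: goal HIDDEN, DNSKEY and KRRSIG OMNIPRESENT, DS UNRETENTIVE
  # since the DS withdrawal time; -D ds records that withdrawal time.
  $SETTIME -s -g $H -k $O $T -r $O $T -d $U $Trem -D ds $Trem "$KSK" > "settime.out.$zone.1" 2>&1
  $SETTIME -s -g $H -k $O $T -z $O $T "$ZSK" > "settime.out.$zone.2" 2>&1
  # Fake lifetime of the keys in their state files.
  echo "Lifetime: 0" >> "${KSK}.state"
  echo "Lifetime: 5184000" >> "${ZSK}.state"
  cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >> "$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >> "$infile"
  cp "$infile" "$zonefile"
  $SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" > "signer.out.$zone.1" 2>&1
done

# This zone is going straight to "none" policy. This is undefined behavior.
# A single CSK generated under the "default" policy is fully OMNIPRESENT.
setup step1.going-straight-to-none.kasp
echo "$zone" >> zones
TactN="now"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
CSK=$($KEYGEN -k default $csktimes "$zone" 2> "keygen.out.$zone.1")
$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" > "settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK" >> "$infile"
cp "$infile" "$zonefile"
$SIGNER -S -z -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" > "signer.out.$zone.1" 2>&1

#
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
# algorithm rollover.
#

# Step 1:
# Introduce the first key. This will immediately be active.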
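# Each step below builds one zone from a known key state. dnssec-settime -s
# sets the states: -g goal, -k DNSKEY, -r KRRSIG, -z ZRRSIG, -d DS, each with
# the time the state was reached; -P ds / -D ds record the DS publication and
# withdrawal times. Multi-option variables ($ksk1times, ...) and the tool
# variables from conf.sh are intentionally unquoted so they split into words;
# zone names, file names and algorithm values are quoted. The old keys use
# RSASHA256, whose algorithm number is 8; the new keys use the default
# algorithm from conf.sh, whose number is $DEFAULT_ALGORITHM_NUMBER.
setup step1.algorithm-roll.kasp
echo "$zone" >> zones
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes "$zone" 2> "keygen.out.$zone.1")
ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes "$zone" 2> "keygen.out.$zone.2")
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > "settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record "$zone" 8 "$KSK" >> "$infile"
private_type_record "$zone" 8 "$ZSK" >> "$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" > "signer.out.$zone.1" 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =
# now - 3h + 6h + 1h + 1h = now + 5h
TsbmN1="now+5h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
zsk1times="-P ${TactN} -A ${TactN} -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2> "keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2> "keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2> "keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2> "keygen.out.$zone.4")
# Old keys: goal HIDDEN, everything still OMNIPRESENT.
# New keys: goal OMNIPRESENT, DNSKEY and signatures RUMOURED, DS HIDDEN.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > "settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > "settime.out.$zone.3" 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > "settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record "$zone" 8 "$KSK1" >> "$infile"
private_type_record "$zone" 8 "$ZSK1" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >> "$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" > "signer.out.$zone.1" 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TsbmN1="now-1h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2> "keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2> "keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2> "keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2> "keygen.out.$zone.4")
# New KSK: DNSKEY and KRRSIG now OMNIPRESENT, DS still HIDDEN.
# New ZSK: DNSKEY OMNIPRESENT, ZRRSIG still RUMOURED.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > "settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > "settime.out.$zone.3" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > "settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record "$zone" 8 "$KSK1" >> "$infile"
private_type_record "$zone" 8 "$ZSK1" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >> "$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" > "signer.out.$zone.1" 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TsbmN1="now-30h"
TactN1="now-29h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2> "keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2> "keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2> "keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2> "keygen.out.$zone.4")
# Old KSK: DS UNRETENTIVE since the swap (-D ds = withdrawal time).
# New KSK: DS RUMOURED since the swap (-P ds = publication time).
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > "settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" > "settime.out.$zone.3" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > "settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record "$zone" 8 "$KSK1" >> "$infile"
private_type_record "$zone" 8 "$ZSK1" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >> "$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" > "signer.out.$zone.1" 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TsbmN1="now-32h"
TactN1="now-31h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2> "keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2> "keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2> "keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2> "keygen.out.$zone.4")
# Old keys: DNSKEY and signatures UNRETENTIVE since removal, old DS HIDDEN.
# New KSK: DS now OMNIPRESENT.
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" > "settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > "settime.out.$zone.3" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > "settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record "$zone" 8 "$KSK1" >> "$infile"
private_type_record "$zone" 8 "$ZSK1" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >> "$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" > "signer.out.$zone.1" 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TremN="now-7h"
TpubN1="now-47h"
TsbmN1="now-39h"
TactN1="now-38h"
TdeaN="now-9h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2> "keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2> "keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2> "keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2> "keygen.out.$zone.4")
# Old keys: DNSKEY HIDDEN since removal, signatures UNRETENTIVE since TdeaN.
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > "settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > "settime.out.$zone.3" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > "settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record "$zone" 8 "$KSK1" >> "$infile"
private_type_record "$zone" 8 "$ZSK1" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >> "$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" > "signer.out.$zone.1" 2>&1

#
# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
# algorithm rollover.
#

# Step 1:
# Introduce the first key. This will immediately be active.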
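# The CSK rollover mirrors the ZSK/KSK one above with a single key per
# algorithm: policies/csk1.conf is the old policy, policies/csk2.conf the new
# one. The private-type records use algorithm number 5 (RSASHA1) for the old
# CSK, which has to match the algorithm configured in policies/csk1.conf —
# confirm against that file when either changes; the new CSK uses
# $DEFAULT_ALGORITHM_NUMBER from conf.sh. Multi-option variables ($csktimes,
# $newtimes) and the tool variables are intentionally unquoted so they split
# into words; zone names, file names and algorithm values are quoted.
setup step1.csk-algorithm-roll.kasp
echo "$zone" >> zones
TactN="now"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > "settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record "$zone" 5 "$CSK" >> "$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" > "signer.out.$zone.1" 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2> "keygen.out.$zone.2")
# Old CSK: goal HIDDEN, everything still OMNIPRESENT.
# New CSK: goal OMNIPRESENT, DNSKEY and signatures RUMOURED, DS HIDDEN.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > "settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 5 "$CSK1" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >> "$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" > "signer.out.$zone.1" 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TactN1="now-6h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2> "keygen.out.$zone.2")
# New CSK: DNSKEY and KRRSIG OMNIPRESENT, ZRRSIG still RUMOURED, DS HIDDEN.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > "settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 5 "$CSK1" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >> "$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" > "signer.out.$zone.1" 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.csk-algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TactN1="now-35h"
TsubN1="now-29h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2> "keygen.out.$zone.2")
# Old CSK: DS UNRETENTIVE since the swap (-D ds = withdrawal time).
# New CSK: DS RUMOURED since the swap (-P ds = publication time).
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" > "settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 5 "$CSK1" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >> "$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" > "signer.out.$zone.1" 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.csk-algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TactN1="now-37h"
TsubN1="now-31h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2> "keygen.out.$zone.2")
# Old CSK: DNSKEY and signatures UNRETENTIVE since removal, DS HIDDEN.
# New CSK: everything OMNIPRESENT, the DS since TremN.
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > "settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 5 "$CSK1" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >> "$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" > "signer.out.$zone.1" 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.csk-algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TdeaN="now-9h"
TremN="now-7h"
TpubN1="now-47h"
TactN1="now-44h"
TsubN1="now-38h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2> "keygen.out.$zone.2")
# Old CSK: DNSKEY HIDDEN since removal, signatures UNRETENTIVE since TdeaN.
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > "settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 5 "$CSK1" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >> "$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" > "signer.out.$zone.1" 2>&1

#
# Reload testing
#
# "example" is served from a plain copy of example.db.in; dynamic2inline.kasp
# starts from the unsigned template only, with no keys generated here.
echo "example" >> zones
cp example.db.in example.db

setup "dynamic2inline.kasp"
cp template.db.in "$zonefile"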