      1 #!/bin/sh -e
      2 
      3 # Copyright (C) Internet Systems Consortium, Inc. ("ISC")
      4 #
      5 # SPDX-License-Identifier: MPL-2.0
      6 #
      7 # This Source Code Form is subject to the terms of the Mozilla Public
      8 # License, v. 2.0.  If a copy of the MPL was not distributed with this
      9 # file, you can obtain one at https://mozilla.org/MPL/2.0/.
     10 #
     11 # See the COPYRIGHT file distributed with this work for additional
     12 # information regarding copyright ownership.
     13 
# shellcheck source=conf.sh
# conf.sh is expected to provide everything this script uses but does not
# define: echo_i, private_type_record, the tool variables $KEYGEN, $SETTIME
# and $SIGNER (which may carry their own options, so they are never quoted
# below) and $DEFAULT_ALGORITHM / $DEFAULT_ALGORITHM_NUMBER.
. ../../conf.sh

echo_i "ns6/setup.sh"
     18 
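# Record which zone the statements that follow are preparing.
#
# Sets three globals (deliberately not local: every step below reads them
# after the call returns):
#   zone     - the zone name, taken from $1
#   zonefile - "<zone>.db", the unsigned zone file
#   infile   - "<zone>.db.infile", the file handed to $SIGNER
#
# A missing zone name aborts the script (the ":?" expansion fails and the
# shell runs with -e) instead of silently producing ".db" files.
setup() {
  zone="${1:?setup: zone name required}"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  infile="${zone}.db.infile"
}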
     25 
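# Make lines shorter by storing key states in environment variables.
# These are the dnssec-settime state names used with -g/-k/-r/-z/-d below.
# They are constants: readonly turns an accidental reassignment into an
# error instead of silently changing every later state argument.
readonly H="HIDDEN"
readonly R="RUMOURED"
readonly O="OMNIPRESENT"
readonly U="UNRETENTIVE"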
     31 
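# The child zones (step1, step2) beneath these zones represent the various
# steps of unsigning a zone.  A static and a dynamic variant are set up with
# the same key material.
#
# Note on quoting: $ksktimes/$zsktimes hold several arguments and must stay
# unquoted so they are word-split; $KEYGEN/$SETTIME/$SIGNER may carry
# options and stay unquoted too.  Everything that is a single file or zone
# name is quoted.
for zn in going-insecure.kasp going-insecure-dynamic.kasp; do
  # Step 1:
  # Set up a zone with dnssec-policy that is going insecure.  KSK and ZSK
  # were published and activated 10 days ago, so they are long established.
  setup "step1.$zn"
  echo "$zone" >>zones
  T="now-10d"
  ksktimes="-P $T -A $T -P sync $T"
  zsktimes="-P $T -A $T"
  KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
  ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.$zone.2")
  cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
  cp "$infile" "$zonefile"
  # Signatures start an hour in the past (presumably to tolerate clock skew)
  # and are valid for two weeks.
  $SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

  # Step 2:
  # Set up a zone with dnssec-policy that is going insecure. Don't add
  # this zone to the zones file, because this zone is no longer expected
  # to be fully signed.
  setup "step2.$zn"
  # The DS was withdrawn from the parent zone 26 hours ago.  The key
  # publication/activation times reuse $T from step 1 (10 days ago).
  Trem="now-26h"
  ksktimes="-P $T -A $T -P sync $T"
  zsktimes="-P $T -A $T"
  KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
  ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.$zone.2")
  # Goal HIDDEN for both keys; DNSKEY and RRSIG states are still OMNIPRESENT,
  # the KSK's DS is UNRETENTIVE (and marked deleted) since the withdrawal.
  $SETTIME -s -g $H -k $O $T -r $O $T -d $U $Trem -D ds $Trem "$KSK" >"settime.out.$zone.1" 2>&1
  $SETTIME -s -g $H -k $O $T -z $O $T "$ZSK" >"settime.out.$zone.2" 2>&1
  # Fake the key lifetimes by appending to the state files directly
  # (test-only shortcut; $SETTIME is not involved).
  echo "Lifetime: 0" >>"${KSK}.state"
  echo "Lifetime: 5184000" >>"${ZSK}.state"
  cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
  cp "$infile" "$zonefile"
  $SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1
done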
     72 
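# This zone is going straight to "none" policy. This is undefined behavior.
# A single CSK from the built-in "default" policy (-k default), published,
# active and synced right now, with every state already OMNIPRESENT.
setup step1.going-straight-to-none.kasp
echo "$zone" >>zones
TactN="now"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
# $csktimes is intentionally unquoted (several arguments).
CSK=$($KEYGEN -k default $csktimes "$zone" 2>"keygen.out.$zone.1")
$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" >"settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK" >>"$infile"
cp "$infile" "$zonefile"
# -z: the CSK also signs the zone data (no separate ZSK here).
$SIGNER -S -z -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1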
     84 
     85 #
     86 # The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
     87 # algorithm rollover.
     88 #
     89 
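# Step 1:
# Introduce the first key. This will immediately be active.
# Both keys use the old algorithm (RSASHA256, algorithm number 8) with a
# one hour DNSKEY TTL and are already in every OMNIPRESENT state.
setup step1.algorithm-roll.kasp
echo "$zone" >>zones
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
# $ksktimes/$zsktimes are intentionally unquoted (several arguments).
KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >"settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
# 8 must match "-a RSASHA256" above.
private_type_record "$zone" 8 "$KSK" >>"$infile"
private_type_record "$zone" 8 "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1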
    106 
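# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =
# now - 3h + 6h + 1h + 1h = now + 5h
TsbmN1="now+5h"
# Old (RSASHA256) keys: retire (-I) now.
# New ($DEFAULT_ALGORITHM) keys: published and active since TpubN1, the KSK's
# DS submission scheduled for TsbmN1.
# The *times variables are intentionally unquoted (several arguments).
ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I now"
zsk1times="-P ${TactN}  -A ${TactN}                    -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# Old keys: goal HIDDEN, all other states still OMNIPRESENT.
# New keys: goal OMNIPRESENT, DNSKEY and RRSIG RUMOURED, the new DS still HIDDEN.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys (appended to the state files directly).
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
# 8 must match "-a RSASHA256" above.
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1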
    138 
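# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
# The old keys were retired 3 hours after that (TretN); the new DS became
# submittable an hour ago (TsbmN1).
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TsbmN1="now-1h"
# The *times variables are intentionally unquoted (several arguments).
ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# Old keys: goal HIDDEN, other states still OMNIPRESENT.
# New keys: DNSKEY and KSK signatures now OMNIPRESENT, ZSK signatures still
# RUMOURED, new DS still HIDDEN.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys (appended to the state files directly).
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
# 8 must match "-a RSASHA256" above.
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1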
    169 
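# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours (TactN1).
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TsbmN1="now-30h"
TactN1="now-29h"
# The *times variables are intentionally unquoted (several arguments).
ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# Old KSK: its DS is UNRETENTIVE (deleted, -D ds) since TactN1.
# New KSK: its DS is RUMOURED (published, -P ds) since TactN1.
# DNSKEY and signature states are unchanged from step 3.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys (appended to the state files directly).
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
# 8 must match "-a RSASHA256" above.
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1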
    201 
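# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours (TremN).
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TsbmN1="now-32h"
TactN1="now-31h"
# The *times variables are intentionally unquoted (several arguments).
ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# Old keys: DNSKEY and signatures UNRETENTIVE since TremN, old DS HIDDEN.
# New KSK: DS now OMNIPRESENT; new ZSK signatures still RUMOURED.
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys (appended to the state files directly).
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
# 8 must match "-a RSASHA256" above.
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1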
    234 
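# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.algorithm-roll.kasp
# Additional time passed: 7h.  The old DNSKEY went HIDDEN at TremN; its
# signatures were deactivated at TdeaN.
TactN="now-47h"
TretN="now-44h"
TremN="now-7h"
TpubN1="now-47h"
TsbmN1="now-39h"
TactN1="now-38h"
TdeaN="now-9h"
# The *times variables are intentionally unquoted (several arguments).
ksk1times="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}"
zsk1times="-P ${TactN}  -A ${TactN}                    -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# Old keys: DNSKEY HIDDEN, signatures UNRETENTIVE, DS HIDDEN.
# New keys: unchanged from step 5 (ZSK signatures still RUMOURED).
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys (appended to the state files directly).
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
# 8 must match "-a RSASHA256" above.
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1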
    268 
    269 #
    270 # The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
    271 # algorithm rollover.
    272 #
    273 
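# Step 1:
# Introduce the first key. This will immediately be active.
# The CSK is generated from the csk-algoroll policy in policies/csk1.conf.
setup step1.csk-algorithm-roll.kasp
echo "$zone" >>zones
TactN="now"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
# $csktimes is intentionally unquoted (several arguments).
CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" >"settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" >"$infile"
# The algorithm number (5) must match the algorithm configured in
# policies/csk1.conf; it is not derived from the generated key.
private_type_record "$zone" 5 "$CSK" >>"$infile"
cp "$infile" "$zonefile"
# -z: the CSK also signs the zone data (no separate ZSK here).
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1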
    286 
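# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
# Old CSK (policies/csk1.conf): retire (-I) now.
# New CSK (policies/csk2.conf): published and active since TpubN1.
# $csktimes/$newtimes are intentionally unquoted (several arguments).
csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I now"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# Old CSK: goal HIDDEN, all states still OMNIPRESENT.
# New CSK: goal OMNIPRESENT, DNSKEY and signatures RUMOURED, DS still HIDDEN.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys (appended to the state file directly).
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
# 5 must match the algorithm in policies/csk1.conf; the new key's number
# comes from conf.sh.
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1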
    306 
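# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
# The old CSK was retired and the new one became active 3 hours later.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TactN1="now-6h"
# $csktimes/$newtimes are intentionally unquoted (several arguments).
csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# Old CSK: goal HIDDEN, all states still OMNIPRESENT.
# New CSK: DNSKEY and KSK signatures OMNIPRESENT since TactN1, zone
# signatures still RUMOURED, DS still HIDDEN.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys (appended to the state file directly).
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
# 5 must match the algorithm in policies/csk1.conf.
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1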
    328 
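# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.csk-algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours (TsubN1).
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TactN1="now-35h"
TsubN1="now-29h"
# $csktimes/$newtimes are intentionally unquoted (several arguments).
csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# Old CSK: DS UNRETENTIVE (deleted, -D ds) since TactN1.
# New CSK: zone signatures OMNIPRESENT and DS RUMOURED (published, -P ds)
# since TsubN1.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys (appended to the state file directly).
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
# 5 must match the algorithm in policies/csk1.conf.
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1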
    351 
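# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.csk-algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours (TremN).
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TactN1="now-37h"
TsubN1="now-31h"
# $csktimes/$newtimes are intentionally unquoted (several arguments).
csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# Old CSK: DNSKEY and signatures UNRETENTIVE since TremN, DS HIDDEN.
# New CSK: every state OMNIPRESENT, the DS since TremN.
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys (appended to the state file directly).
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
# 5 must match the algorithm in policies/csk1.conf.
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1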
    375 
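# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.csk-algorithm-roll.kasp
# Additional time passed: 7h.  The old DNSKEY went HIDDEN at TremN; its
# signatures were deactivated at TdeaN.
TactN="now-47h"
TretN="now-44h"
TdeaN="now-9h"
TremN="now-7h"
TpubN1="now-47h"
TactN1="now-44h"
TsubN1="now-38h"
# $csktimes/$newtimes are intentionally unquoted (several arguments).
csktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# Old CSK: DNSKEY HIDDEN, signatures UNRETENTIVE, DS HIDDEN.
# New CSK: every state OMNIPRESENT.
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys (appended to the state file directly).
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
# 5 must match the algorithm in policies/csk1.conf.
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1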
    400 
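#
# Reload testing
#
# "example" is served from an unsigned copy of example.db.in; no keys are
# generated for it here.
echo "example" >>zones
cp example.db.in example.db

# dynamic2inline.kasp starts from the bare template; it is intentionally
# not added to the zones file and gets no key material in this script.
setup "dynamic2inline.kasp"
cp template.db.in "$zonefile"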
    409