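#!/bin/sh -e

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Options given on the shebang line are lost when the script is started as
# "sh setup.sh", so request exit-on-error explicitly as well: every key
# generation, settime and signing step below has to succeed for the test
# fixtures to be meaningful, and a silently failed step would only show up
# later as a confusing test failure.
set -e

# shellcheck source=conf.sh
. ../../conf.sh

echo_i "ns6/setup.sh"

# Prepare the per-zone globals that the steps below rely on.
# Arguments: $1 - zone name
# Globals (written): zone, zonefile (<zone>.db), infile (<zone>.db.infile)
# Outputs: progress message via echo_i
# The variables are intentionally global (no "local"): callers read them
# right after the call.
setup() {
  zone="$1"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  infile="${zone}.db.infile"
}

# Make lines shorter by storing key states in environment variables.
H="HIDDEN"
R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"

# These zones start from an unmodified copy of the template; no keys are
# generated for them here.
for zn in shorter-lifetime longer-lifetime limit-lifetime unlimit-lifetime; do
  setup "$zn"
  cp template.db.in "$zonefile"
done

# The child zones (step1, step2) beneath these zones represent the various
# steps of unsigning a zone.
#
# The *times variables below hold several command-line options in one
# string and are deliberately left unquoted so the shell splits them into
# separate arguments; $KEYGEN, $SETTIME and $SIGNER come from conf.sh and
# are left unquoted for the same reason. Everything else is quoted.
for zn in going-insecure.kasp going-insecure-dynamic.kasp; do
  # Step 1:
  # Set up a zone with dnssec-policy that is going insecure.
  setup "step1.$zn"
  echo "$zone" >>zones
  T="now-10d"
  ksktimes="-P $T -A $T -P sync $T"
  zsktimes="-P $T -A $T"
  KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
  ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.$zone.2")
  cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
  cp "$infile" "$zonefile"
  $SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

  # Step 2:
  # Set up a zone with dnssec-policy that is going insecure. Don't add
  # this zone to the zones file, because this zone is no longer expected
  # to be fully signed.
  setup "step2.$zn"
  # The DS was withdrawn from the parent zone 26 hours ago.
  Trem="now-26h"
  # $T (now-10d, set in step 1) is reused as the key introduction time.
  ksktimes="-P $T -A $T -P sync $T"
  zsktimes="-P $T -A $T"
  KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
  ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.$zone.2")
  $SETTIME -s -g $H -k $O $T -r $O $T -d $U $Trem -D ds $Trem "$KSK" >"settime.out.$zone.1" 2>&1
  $SETTIME -s -g $H -k $O $T -z $O $T "$ZSK" >"settime.out.$zone.2" 2>&1
  # Fake lifetime of old algorithm keys.
  echo "Lifetime: 0" >>"${KSK}.state"
  echo "Lifetime: 5184000" >>"${ZSK}.state"
  cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
  cp "$infile" "$zonefile"
  $SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1
done

# This zone is going straight to "none" policy. This is undefined behavior.
setup step1.going-straight-to-none.kasp
echo "$zone" >>zones
TactN="now"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
CSK=$($KEYGEN -k default $csktimes "$zone" 2>"keygen.out.$zone.1")
$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" >"settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -z -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

#
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
# algorithm rollover.
#

# Step 1:
# Introduce the first key. This will immediately be active.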
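setup step1.algorithm-roll.kasp
echo "$zone" >>zones
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
# The *times strings hold several options and are deliberately unquoted so
# they split into separate arguments; $KEYGEN/$SETTIME/$SIGNER (from
# conf.sh) are left unquoted for the same reason. The old-algorithm keys
# are RSASHA256, hence the literal algorithm number 8 in the private-type
# records; the new keys use DEFAULT_ALGORITHM / DEFAULT_ALGORITHM_NUMBER.
KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >"settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" 8 "$KSK" >>"$infile"
private_type_record "$zone" 8 "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =
# now - 3h + 6h + 1h + 1h = now + 5h
TsbmN1="now+5h"
# The old keys are retired (-I) right now; the new keys were published 3h ago.
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
zsk1times="-P ${TactN} -A ${TactN} -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TsbmN1="now-1h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TsbmN1="now-30h"
TactN1="now-29h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# Old KSK: DS withdrawn (-D ds) at TactN1; new KSK: DS published (-P ds) at TactN1.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TsbmN1="now-32h"
TactN1="now-31h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TremN="now-7h"
TpubN1="now-47h"
TsbmN1="now-39h"
TactN1="now-38h"
TdeaN="now-9h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

#
# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
# algorithm rollover.
#

# Step 1:
# Introduce the first key. This will immediately be active.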
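setup step1.csk-algorithm-roll.kasp
echo "$zone" >>zones
TactN="now"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
# The *times strings hold several options and are deliberately unquoted so
# they split into separate arguments; $KEYGEN/$SETTIME/$SIGNER (from
# conf.sh) are left unquoted for the same reason. The CSK keys are generated
# from the policy files under policies/ rather than with an explicit -a.
# NOTE(review): the literal algorithm number 5 in the private-type records
# for the old CSK is presumably the algorithm selected by policies/csk1.conf
# — confirm against that file if the policy changes.
CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" >"settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record "$zone" 5 "$CSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
# The old CSK is retired (-I) right now; the new CSK was published 3h ago.
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TactN1="now-6h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.csk-algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TactN1="now-35h"
TsubN1="now-29h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# Old CSK: DS withdrawn (-D ds) at TactN1; new CSK: DS published (-P ds) at TsubN1.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.csk-algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TactN1="now-37h"
TsubN1="now-31h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.csk-algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TdeaN="now-9h"
TremN="now-7h"
TpubN1="now-47h"
TactN1="now-44h"
TsubN1="now-38h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

#
# Reload testing
#
echo "example" >>zones
cp example.db.in example.db

# This zone only gets an unmodified copy of the template here.
setup "dynamic2inline.kasp"
cp template.db.in "$zonefile"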