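#!/bin/sh -e

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# ns3/setup.sh: create the zone files, key files and key state files that
# ns3 starts from. echo_i, keyfile_to_key_id, private_type_record and the
# $KEYGEN/$SETTIME/$SIGNER/$DEFAULT_ALGORITHM* variables are expected to be
# provided by the sourced conf.sh.

# shellcheck source=conf.sh
. ../../conf.sh

echo_i "ns3/setup.sh"

# Select the zone the following statements work on.
# Arguments: $1 - zone name
# Globals:   sets zone, zonefile ("<zone>.db") and infile
#            ("<zone>.db.infile", the unsigned input handed to $SIGNER),
#            and appends the zone name to the file "zones".
setup() {
  zone="$1"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  infile="${zone}.db.infile"
  echo "$zone" >>zones
}

# Set in the key state files the Predecessor/Successor fields.
# Key $1 is the predecessor of key $2.
# Arguments: $1, $2 - key file basenames as printed by $KEYGEN; the
#            corresponding "<name>.state" files are appended to.
key_successor() {
  id1=$(keyfile_to_key_id "$1")
  id2=$(keyfile_to_key_id "$2")
  echo "Predecessor: ${id1}" >>"${2}.state"
  echo "Successor: ${id2}" >>"${1}.state"
}

# Make lines shorter by storing key states in environment variables.
H="HIDDEN"
R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"

#
# Set up zones that will be initially signed.
#
for zn in default dnssec-keygen some-keys legacy-keys pregenerated \
  rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \
  dynamic dynamic-inline-signing inline-signing \
  checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
  manual-rollover multisigner-model2; do
  setup "${zn}.kasp"
  cp template.db.in "$zonefile"
done

#
# Setup special zone
#
# The odd name is only logged (always quoted); the zone file itself gets a
# plain file name.
zone="i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp."
echo_i "setting up zone: $zone"
cp template.db.in "i-am.special.kasp.db"

#
# Set up RSASHA1 based zones
#
for zn in rsasha1 rsasha1-nsec3; do
  if (
    cd ..
    "$SHELL" ../testcrypto.sh -q RSASHA1
  ); then
    setup "${zn}.kasp"
    cp template.db.in "$zonefile"
  else
    # testcrypto.sh reports RSASHA1 as unavailable: still create the zone
    # file, but don't add to zones.
    echo_i "setting up zone: ${zn}.kasp"
    cp template.db.in "${zn}.kasp.db"
  fi
done

if [ -f ../ed25519-supported.file ]; then
  setup "ed25519.kasp"
  cp template.db.in "$zonefile"
  cat ed25519.conf >>named.conf
fi

if [ -f ../ed448-supported.file ]; then
  setup "ed448.kasp"
  cp template.db.in "$zonefile"
  cat ed448.conf >>named.conf
fi

# Set up zones that stay unsigned.
# Done by hand rather than through setup() so they are not added to zones.
for zn in unsigned insecure max-zone-ttl; do
  zone="${zn}.kasp"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  infile="${zone}.db.infile"
  cp template.db.in "$infile"
  cp template.db.in "$zonefile"
done

# Some of these zones already have keys.
zone="dnssec-keygen.kasp"
echo_i "setting up zone: $zone"
$KEYGEN -k rsasha256 -l policies/kasp.conf "$zone" >"keygen.out.$zone.1" 2>&1

zone="some-keys.kasp"
echo_i "setting up zone: $zone"
$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 "$zone" >"keygen.out.$zone.1" 2>&1
$KEYGEN -G -a RSASHA256 -f KSK -L 1234 "$zone" >"keygen.out.$zone.2" 2>&1

zone="legacy-keys.kasp"
echo_i "setting up zone: $zone"
ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 "$zone" 2>"keygen.out.$zone.1")
KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 "$zone" 2>"keygen.out.$zone.2")
# Save the generated key names to files for later use.
echo "$ZSK" >legacy-keys.kasp.zsk
echo "$KSK" >legacy-keys.kasp.ksk
# Predecessor keys:
Tact="now-9mo"
Tret="now-3mo"
ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 "$zone" 2>"keygen.out.$zone.3")
KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 "$zone" 2>"keygen.out.$zone.4")
$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK" >"settime.out.$zone.1" 2>&1
$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK" >"settime.out.$zone.2" 2>&1

zone="pregenerated.kasp"
echo_i "setting up zone: $zone"
$KEYGEN -G -k rsasha256 -l policies/kasp.conf "$zone" >"keygen.out.$zone.1" 2>&1
$KEYGEN -G -k rsasha256 -l policies/kasp.conf "$zone" >"keygen.out.$zone.2" 2>&1

zone="multisigner-model2.kasp"
echo_i "setting up zone: $zone"
# Import the ZSK sets of the other providers into their DNSKEY RRset.
# The keys are generated in the parent directory (-K ../); only the
# non-comment lines of the .key files (the DNSKEY records) are kept here.
ZSK1=$($KEYGEN -K ../ -a "$DEFAULT_ALGORITHM" -L 3600 "$zone" 2>"keygen.out.$zone.1")
ZSK2=$($KEYGEN -K ../ -a "$DEFAULT_ALGORITHM" -L 3600 "$zone" 2>"keygen.out.$zone.2")
# ZSK1 will be added to the unsigned zonefile.
grep -v ";.*" "../${ZSK1}.key" >>"${zone}.db"
grep -v ";.*" "../${ZSK1}.key" >"${zone}.zsk1"
# NOTE(review): the "*" is inside the quotes, so this names a single
# literal file and removes nothing; if the generated key files in ../ are
# meant to be deleted, the glob has to be outside the quotes.
rm -f "../${ZSK1}.*"
# ZSK2 will be used with a Dynamic Update.
grep -v ";.*" "../${ZSK2}.key" >"${zone}.zsk2"
rm -f "../${ZSK2}.*"

zone="rumoured.kasp"
echo_i "setting up zone: $zone"
Tpub="now"
Tact="now+1d"
# $keytimes is intentionally unquoted below so it word-splits into options.
keytimes="-P ${Tpub} -A ${Tact}"
KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $keytimes "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes "$zone" 2>"keygen.out.$zone.2")
ZSK2=$($KEYGEN -a RSASHA256 -L 1234 $keytimes "$zone" 2>"keygen.out.$zone.3")
# Every dnssec-settime run logs to its own file.
$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" >"settime.out.$zone.3" 2>&1

#
# Set up zones that are already signed.
#

# Zone to test manual rollover.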
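setup manual-rollover.kasp
T="now-1d"
# The *times strings are intentionally unquoted where used: they word-split
# into separate dnssec-keygen options.
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsktimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >"settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -PS -x -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# We are signing the raw version of the zone here. This is unusual and not
# a common operation, but we want to make sure that in such a case BIND 9
# does not schedule a resigning operation on the raw version. Add expired
# signatures so a resign is imminent.
setup dynamic-signed-inline-signing.kasp
T="now-1d"
csktimes="-P $T -A $T -P sync $T"
CSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $csktimes "$zone" 2>"keygen.out.$zone.1")
$SETTIME -s -g $O -d $O $T -k $O $T -z $O $T -r $O $T "$CSK" >"settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" >"$infile"
cp "$infile" "$zonefile"
$SIGNER -PS -z -x -s now-2w -e now-1mi -o "$zone" -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# These signatures are set to expire long in the past, update immediately.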
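setup expired-sigs.autosign
T="now-6mo"
# The *times strings are intentionally unquoted where used: they word-split
# into separate dnssec-keygen options.
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 $zsktimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >"settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
# Signature validity lies entirely in the past (-s/-e), so they are expired.
$SIGNER -PS -x -s now-2mo -e now-1mo -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# These signatures are still good, and can be reused.
setup fresh-sigs.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 $zsktimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >"settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# These signatures are still good, but not fresh enough, update immediately.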
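setup unfresh-sigs.autosign
T="now-6mo"
# The *times strings are intentionally unquoted where used: they word-split
# into separate dnssec-keygen options.
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 $zsktimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >"settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1w -e now+1w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# These signatures are still good, but the private KSK is missing.
setup ksk-missing.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 $zsktimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >"settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1w -e now+1w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1
# Record the key's role and lifetime in its state file, then drop the
# private key so only the public half remains.
echo "KSK: yes" >>"${KSK}".state
echo "ZSK: no" >>"${KSK}".state
echo "Lifetime: 63072000" >>"${KSK}".state # PT2Y
rm -f "${KSK}".private

# These signatures are still good, but the private ZSK is missing.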
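setup zsk-missing.autosign
T="now-6mo"
# The *times strings are intentionally unquoted where used: they word-split
# into separate dnssec-keygen options.
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 $zsktimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >"settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1w -e now+1w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1
# Record the key's role and lifetime in its state file, then drop the
# private key so only the public half remains.
echo "KSK: no" >>"${ZSK}".state
echo "ZSK: yes" >>"${ZSK}".state
echo "Lifetime: 31536000" >>"${ZSK}".state # PT1Y
rm -f "${ZSK}".private

# These signatures are already expired, and the private ZSK is retired.
setup zsk-retired.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
# The ZSK gets an inactive time of "now".
zsktimes="-P $T -A $T -I now"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 $zsktimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >"settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -PS -x -s now-2w -e now-1mi -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1
# Mark the retired ZSK's goal state as HIDDEN.
$SETTIME -s -g $H "$ZSK" >"settime.out.$zone.3" 2>&1

#
# The zones at enable-dnssec.autosign represent the various steps of the
# initial signing of a zone.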
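#

# Step 1:
# This is an unsigned zone and named should perform the initial steps of
# introducing the DNSSEC records in the right order.
setup step1.enable-dnssec.autosign
cp template.db.in "$zonefile"

# Step 2:
# The DNSKEY has been published long enough to become OMNIPRESENT.
setup step2.enable-dnssec.autosign
# DNSKEY TTL: 300 seconds
# zone-propagation-delay: 5 minutes (300 seconds)
# publish-safety: 5 minutes (300 seconds)
# Total: 900 seconds
TpubN="now-900s"
# RRSIG TTL: 12 hour (43200 seconds)
# zone-propagation-delay: 5 minutes (300 seconds)
# retire-safety: 20 minutes (1200 seconds)
# Already passed time: -900 seconds
# Total: 43800 seconds
TsbmN="now+43800s"
# $keytimes is intentionally unquoted where used: it word-splits into
# separate dnssec-keygen options.
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes "$zone" 2>"keygen.out.$zone.1")
$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >"settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 3:
# The zone signatures have been published long enough to become OMNIPRESENT.
setup step3.enable-dnssec.autosign
# Passed time since publication: 43800 + 900 = 44700 seconds.
TpubN="now-44700s"
# The key can be used in the chain of trust once the DNSKEY is OMNIPRESENT.
TcotN="now-43800s"
# We can submit the DS now.
TsbmN="now"
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes "$zone" 2>"keygen.out.$zone.1")
$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" >"settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 4:
# The DS has been submitted long enough ago to become OMNIPRESENT.
setup step4.enable-dnssec.autosign
# DS TTL: 2 hour (7200 seconds)
# parent-propagation-delay: 1 hour (3600 seconds)
# retire-safety: 20 minutes (1200 seconds)
# Total additional time: 12000 seconds
# 44700 + 12000 = 56700
TpubN="now-56700s"
# 43800 + 12000 = 55800
TcotN="now-55800s"
TsbmN="now-12000s"
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes "$zone" 2>"keygen.out.$zone.1")
# "-P ds" records when the DS was published.
$SETTIME -s -g $O -P ds $TsbmN -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" >"settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

#
# The zones at zsk-prepub.autosign represent the various steps of a ZSK
# Pre-Publication rollover.
#

# Step 1:
# Introduce the first key. This will immediately be active.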
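setup step1.zsk-prepub.autosign
TactN="now"
# The *times strings are intentionally unquoted where used: they word-split
# into separate dnssec-keygen options.
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsktimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >"settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 2:
# It is time to pre-publish the successor ZSK.
setup step2.zsk-prepub.autosign
# According to RFC 7583:
#
# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
# Ipub = Dprp + TTLkey (+publish-safety)
#
#                 |3|   |4|      |5|  |6|
#                  |     |        |    |
#   Key N          |<-------Lzsk------>|
#                  |     |        |    |
#   Key N+1        |     |<-Ipub->|<-->|
#                  |     |        |    |
#   Key N           Tact
#   Key N+1               Tpub      Trdy Tact
#
#                       Tnow
#
# Lzsk:           30d
# Dprp:           1h
# TTLkey:         1h
# publish-safety: 1d
# Ipub:           26h
#
# Tact(N) = Tnow + Ipub - Lzsk = now + 26h - 30d
#         = now + 26h - 30d = now - 694h
TactN="now-694h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsktimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >"settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 3:
# After the publication interval has passed the DNSKEY of the successor ZSK
# is OMNIPRESENT and the zone can thus be signed with the successor ZSK.
setup step3.zsk-prepub.autosign
# According to RFC 7583:
#
# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
# Tret(N) = Tact(N+1) = Tact(N) + Lzsk
# Trem(N) = Tret(N) + Iret
# Iret = Dsgn + Dprp + TTLsig (+retire-safety)
#
#                 |3|   |4|      |5|  |6|      |7|   |8|
#                  |     |        |    |        |     |
#   Key N          |<-------Lzsk------>|<-Iret->|<--->|
#                  |     |        |    |        |     |
#   Key N+1        |     |<-Ipub->|<-->|<---Lzsk---- - -
#                  |     |        |    |        |     |
#   Key N           Tact                Tret     Tdea  Trem
#   Key N+1               Tpub      Trdy Tact
#
#                                     Tnow
#
# Lzsk:           30d
# Ipub:           26h
# Dsgn:           1w
# Dprp:           1h
# TTLsig:         1d
# retire-safety:  2d
# Iret:           10d1h = 241h
#
# Tact(N)   = Tnow - Lzsk = now - 30d
# Tret(N)   = now
# Trem(N)   = Tnow + Iret = now + 241h
# Tpub(N+1) = Tnow - Ipub = now - 26h
# Tret(N+1) = Tnow + Lzsk = now + 30d
# Trem(N+1) = Tnow + Lzsk + Iret = now + 30d + 241h
#           = now + 961h
TactN="now-30d"
TretN="now"
TremN="now+241h"
TpubN1="now-26h"
TactN1="now"
TretN1="now+30d"
TremN1="now+961h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsktimes "$zone" 2>"keygen.out.$zone.2")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $newtimes "$zone" 2>"keygen.out.$zone.3")
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" >"settime.out.$zone.3" 2>&1
# Set key rollover relationship.
key_successor "$ZSK1" "$ZSK2"
# Sign zone.
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 4:
# After the retire interval has passed the predecessor DNSKEY can be
# removed from the zone.
setup step4.zsk-prepub.autosign
# According to RFC 7583:
#
# Tret(N) = Tact(N) + Lzsk
# Tdea(N) = Tret(N) + Iret
#
#                 |3|   |4|      |5|  |6|      |7|   |8|
#                  |     |        |    |        |     |
#   Key N          |<-------Lzsk------>|<-Iret->|<--->|
#                  |     |        |    |        |     |
#   Key N+1        |     |<-Ipub->|<-->|<---Lzsk---- - -
#                  |     |        |    |        |     |
#   Key N           Tact                Tret     Tdea  Trem
#   Key N+1               Tpub      Trdy Tact
#
#                                                    Tnow
#
# Lzsk: 30d
# Ipub: 26h
# Iret: 241h
#
# Tact(N)   = Tnow - Iret - Lzsk
#           = now - 241h - 30d = now - 241h - 720h
#           = now - 961h
# Tret(N)   = Tnow - Iret = now - 241h
# Trem(N)   = Tnow
# Tpub(N+1) = Tnow - Iret - Ipub
#           = now - 241h - 26h
#           = now - 267h
# Tact(N+1) = Tnow - Iret = Tret(N)
# Tret(N+1) = Tnow - Iret + Lzsk
#           = now - 241h + 30d = now - 241h + 720h
#           = now + 479h
# Trem(N+1) = Tnow + Lzsk = now + 30d
TactN="now-961h"
TretN="now-241h"
TremN="now"
TpubN1="now-267h"
TactN1="${TretN}"
TretN1="now+479h"
TremN1="now+30d"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsktimes "$zone" 2>"keygen.out.$zone.2")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $newtimes "$zone" 2>"keygen.out.$zone.3")
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $O $TactN -z $U $TretN "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" >"settime.out.$zone.3" 2>&1
# Set key rollover relationship.
key_successor "$ZSK1" "$ZSK2"
# Sign zone. (No private-type records in this step; signatures are expired.)
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
cp "$infile" "$zonefile"
$SIGNER -PS -x -s now-2w -e now-1mi -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 5:
# The predecessor DNSKEY is removed long enough that it has become HIDDEN.
setup step5.zsk-prepub.autosign
# Subtract DNSKEY TTL from all the times (1h).
# Tact(N)   = now - 961h - 1h = now - 962h
# Tret(N)   = now - 241h - 1h = now - 242h
# Tdea(N)   = now - 2d - 1h = now - 49h
# Trem(N)   = now - 1h
# Tpub(N+1) = now - 267h - 1h = now - 268h
# Tact(N+1) = Tret(N)
# Tret(N+1) = now + 479h - 1h = now + 478h
# Trem(N+1) = now + 30d - 1h = now + 719h
TactN="now-962h"
TretN="now-242h"
TremN="now-1h"
TdeaN="now-49h"
TpubN1="now-268h"
TactN1="${TretN}"
TretN1="now+478h"
TremN1="now+719h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsktimes "$zone" 2>"keygen.out.$zone.2")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $newtimes "$zone" 2>"keygen.out.$zone.3")
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $U $TdeaN -z $H $TdeaN "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" >"settime.out.$zone.3" 2>&1
# Set key rollover relationship.
key_successor "$ZSK1" "$ZSK2"
# Sign zone.
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 6:
# The predecessor DNSKEY can be purged.
setup step6.zsk-prepub.autosign
# Subtract purge-keys interval from all the times (1h).
# Tact(N)   = now - 962h - 1h = now - 963h
# Tret(N)   = now - 242h - 1h = now - 243h
# Tdea(N)   = now - 49h - 1h = now - 50h
# Trem(N)   = now - 1h - 1h = now - 2h
# Tpub(N+1) = now - 268h - 1h = now - 269h
# Tact(N+1) = Tret(N)
# Tret(N+1) = now + 478h - 1h = now + 477h
# Trem(N+1) = now + 719h - 1h = now + 718h
TactN="now-963h"
TretN="now-243h"
TremN="now-2h"
TdeaN="now-50h"
TpubN1="now-269h"
TactN1="${TretN}"
TretN1="now+477h"
TremN1="now+718h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsktimes "$zone" 2>"keygen.out.$zone.2")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $newtimes "$zone" 2>"keygen.out.$zone.3")
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $H -k $H $TdeaN -z $H $TdeaN "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" >"settime.out.$zone.3" 2>&1
# Set key rollover relationship.
key_successor "$ZSK1" "$ZSK2"
# Sign zone.
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

#
# The zones at ksk-doubleksk.autosign represent the various steps of a KSK
# Double-KSK rollover.
#

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.ksk-doubleksk.autosign
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >"settime.out.$zone.2" 2>&1
# No private-type records are added in this step.
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 2:
# It is time to introduce the new KSK.
setup step2.ksk-doubleksk.autosign
# According to RFC 7583:
#
# Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
# IpubC = DprpC + TTLkey (+publish-safety)
#
#                 |1|       |2|   |3|      |4|
#                  |         |     |        |
#   Key N          |<-IpubC->|<--->|<-Dreg->|<-----Lksk--- - -
#                  |         |     |        |
#   Key N+1        |         |     |        |
#                  |         |     |        |
#   Key N           Tpub      Trdy  Tsbm     Tact
#   Key N+1
#
# (continued ...)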
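#
#                 |5|       |6|   |7|      |8|      |9|    |10|
#                  |         |     |        |        |      |
#   Key N   - - --------------Lksk------->|<-Iret->|<----->|
#                  |         |     |        |        |      |
#   Key N+1        |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
#                  |         |     |        |        |      |
#   Key N                                   Tret     Tdea   Trem
#   Key N+1         Tpub      Trdy  Tsbm     Tact
#
#                Tnow
#
# Lksk:           60d
# Dreg:           1d
# DprpC:          1h
# TTLkey:         2h
# publish-safety: 1d
# IpubC:          27h
#
# Tact(N) = Tnow - Lksk + Dreg + IpubC = now - 60d + 27h
#         = now - 1440h + 27h = now - 1413h
TactN="now-1413h"
# The *times strings are intentionally unquoted where used: they word-split
# into separate dnssec-keygen options.
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >"settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 3:
# It is time to submit the DS.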
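setup step3.ksk-doubleksk.autosign
# According to RFC 7583:
#
# Tsbm(N+1) >= Trdy(N+1)
# Tact(N+1) = Tsbm(N+1) + Dreg
# Iret = DprpP + TTLds (+retire-safety)
#
#                 |5|       |6|   |7|      |8|      |9|    |10|
#                  |         |     |        |        |      |
#   Key N   - - --------------Lksk------->|<-Iret->|<----->|
#                  |         |     |        |        |      |
#   Key N+1        |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
#                  |         |     |        |        |      |
#   Key N                                   Tret     Tdea   Trem
#   Key N+1         Tpub      Trdy  Tsbm     Tact
#
#                                          Tnow
#
# Lksk:           60d
# Dreg:           N/A
# DprpP:          1h
# TTLds:          1h
# retire-safety:  2d
# Iret:           50h
# DprpC:          1h
# TTLkey:         2h
# publish-safety: 1d
# IpubC:          27h
#
# Tact(N)   = Tnow - Lksk = now - 60d
# Tret(N)   = now
# Trem(N)   = Tnow + Iret = now + 50h
# Tpub(N+1) = Tnow - IpubC = now - 27h
# Tsbm(N+1) = now
# Tact(N+1) = Tret(N)
# Tret(N+1) = Tnow + Lksk = now + 60d
# Trem(N+1) = Tnow + Lksk + Iret = now + 60d + 50h
#           = now + 1440h + 50h = now + 1490h
TactN="now-60d"
TretN="now"
TremN="now+50h"
TpubN1="now-27h"
TsbmN1="now"
TactN1="${TretN}"
TretN1="now+60d"
TremN1="now+1490h"
# The *times strings are intentionally unquoted where used: they word-split
# into separate dnssec-keygen options.
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK1=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $newtimes "$zone" 2>"keygen.out.$zone.2")
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.$zone.3")
# KSK1 (predecessor) is on its way out (goal HIDDEN); KSK2 (successor) has
# just been published.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >"settime.out.$zone.3" 2>&1
# Set key rollover relationship.
key_successor "$KSK1" "$KSK2"
# Sign zone.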
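cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 4:
# The DS should be swapped now.
setup step4.ksk-doubleksk.autosign
# According to RFC 7583:
#
# Tret(N) = Tsbm(N+1)
# Tdea(N) = Tret(N) + Iret
# Tact(N+1) = Tret(N)
#
#                 |5|       |6|   |7|      |8|      |9|    |10|
#                  |         |     |        |        |      |
#   Key N   - - --------------Lksk------->|<-Iret->|<----->|
#                  |         |     |        |        |      |
#   Key N+1        |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
#                  |         |     |        |        |      |
#   Key N                                   Tret     Tdea   Trem
#   Key N+1         Tpub      Trdy  Tsbm     Tact
#
#                                                    Tnow
#
# Lksk: 60d
# Dreg: N/A
# Iret: 50h
#
# Tact(N)   = Tnow - Lksk - Iret = now - 60d - 50h
#           = now - 1440h - 50h = now - 1490h
# Tret(N)   = Tnow - Iret = now - 50h
# Trem(N)   = Tnow
# Tpub(N+1) = Tnow - Iret - IpubC = now - 50h - 27h
#           = now - 77h
# Tsbm(N+1) = Tnow - Iret = now - 50h
# Tact(N+1) = Tret(N)
# Tret(N+1) = Tnow + Lksk - Iret = now + 60d - 50h = now + 1390h
# Trem(N+1) = Tnow + Lksk = now + 60d
TactN="now-1490h"
TretN="now-50h"
TremN="now"
TpubN1="now-77h"
TsbmN1="now-50h"
TactN1="${TretN}"
TretN1="now+1390h"
TremN1="now+60d"
# The *times strings are intentionally unquoted where used: they word-split
# into separate dnssec-keygen options.
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK1=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $newtimes "$zone" 2>"keygen.out.$zone.2")
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.$zone.3")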
803$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1 804$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" >settime.out.$zone.2 2>&1 805$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1 806# Set key rollover relationship. 807key_successor $KSK1 $KSK2 808# Sign zone. 809cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile" 810private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile" 811private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" 812private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" 813cp $infile $zonefile 814$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 815 816# Step 5: 817# The predecessor DNSKEY is removed long enough that is has become HIDDEN. 818setup step5.ksk-doubleksk.autosign 819# Subtract DNSKEY TTL from all the times (2h). 820# Tact(N) = now - 1490h - 2h = now - 1492h 821# Tret(N) = now - 50h - 2h = now - 52h 822# Trem(N) = now - 2h 823# Tpub(N+1) = now - 77h - 2h = now - 79h 824# Tsbm(N+1) = now - 50h - 2h = now - 52h 825# Tact(N+1) = Tret(N) 826# Tret(N+1) = now + 1390h - 2h = now + 1388h 827# Trem(N+1) = now + 60d - 2h = now + 1442h 828TactN="now-1492h" 829TretN="now-52h" 830TremN="now-2h" 831TpubN1="now-79h" 832TsbmN1="now-52h" 833TactN1="${TretN}" 834TretN1="now+1388h" 835TremN1="now+1442h" 836ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" 837newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" 838zsktimes="-P ${TactN} -A ${TactN}" 839KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) 840KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2) 841ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3) 842$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d 
$H $TretN "$KSK1" >settime.out.$zone.1 2>&1 843$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1 844$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1 845# Set key rollover relationship. 846key_successor $KSK1 $KSK2 847# Sign zone. 848cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile" 849private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile" 850private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" 851private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" 852cp $infile $zonefile 853$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 854 855# Step 6: 856# The predecessor DNSKEY can be purged. 857setup step6.ksk-doubleksk.autosign 858# Subtract purge-keys interval from all the times (1h). 859# Tact(N) = now - 1492h - 1h = now - 1493h 860# Tret(N) = now - 52h - 1h = now - 53h 861# Trem(N) = now - 2h - 1h = now - 3h 862# Tpub(N+1) = now - 79h - 1h = now - 80h 863# Tsbm(N+1) = now - 52h - 1h = now - 53h 864# Tact(N+1) = Tret(N) 865# Tret(N+1) = now + 1388h - 1h = now + 1387h 866# Trem(N+1) = now + 1442h - 1h = now + 1441h 867TactN="now-1493h" 868TretN="now-53h" 869TremN="now-3h" 870TpubN1="now-80h" 871TsbmN1="now-53h" 872TactN1="${TretN}" 873TretN1="now+1387h" 874TremN1="now+1441h" 875ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" 876newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" 877zsktimes="-P ${TactN} -A ${TactN}" 878KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) 879KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2) 880ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3) 881$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1 882$SETTIME -s -g $O -k $O $TactN1 -r $O 
$TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1 883$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1 884# Set key rollover relationship. 885key_successor $KSK1 $KSK2 886# Sign zone. 887cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile" 888private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile" 889private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" 890private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" 891cp $infile $zonefile 892$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 893 894# 895# The zones at csk-roll.autosign represent the various steps of a CSK rollover 896# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover). 897# 898 899# Step 1: 900# Introduce the first key. This will immediately be active. 901setup step1.csk-roll.autosign 902TactN="now" 903csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" 904CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) 905$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1 906cat template.db.in "${CSK}.key" >"$infile" 907private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" 908cp $infile $zonefile 909$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 910 911# Step 2: 912# It is time to introduce the new CSK. 
913setup step2.csk-roll.autosign 914# According to RFC 7583: 915# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC 916# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub 917# IpubC = DprpC + TTLkey (+publish-safety) 918# Ipub = IpubC 919# Lcsk = Lksk = Lzsk 920# 921# Lcsk: 6mo (186d, 4464h) 922# Dreg: N/A 923# DprpC: 1h 924# TTLkey: 1h 925# publish-safety: 1h 926# Ipub: 3h 927# 928# Tact(N) = Tnow - Lcsk + Ipub = now - 186d + 3h 929# = now - 4464h + 3h = now - 4461h 930TactN="now-4461h" 931csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" 932CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) 933$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1 934cat template.db.in "${CSK}.key" >"$infile" 935private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" 936cp $infile $zonefile 937$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 938 939# Step 3: 940# It is time to submit the DS and to roll signatures. 
# Step 3 of the csk-roll.autosign rollover: the successor CSK is published
# and ready; its DS is submitted and it starts signing now, while the
# predecessor is retired.
setup step3.csk-roll.autosign
# According to RFC 7583:
#
# Tsbm(N+1) >= Trdy(N+1)
# KSK: Tact(N+1) = Tsbm(N+1)
# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
# KSK: Iret = DprpP + TTLds (+retire-safety)
# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
#
# Lcsk: 186d
# Dprp: 1h
# DprpP: 1h
# Dreg: N/A
# Dsgn: 25d
# TTLds: 1h
# TTLsig: 1d
# retire-safety: 2h
# Iret: 4h
# IretZ: 26d3h
# Ipub: 3h
#
# Tact(N) = Tnow - Lcsk = now - 186d
# Tret(N) = now
# Trem(N) = Tnow + IretZ = now + 26d3h = now + 627h
# Tpub(N+1) = Tnow - Ipub = now - 3h
# Tsbm(N+1) = Tret(N)
# Tact(N+1) = Tret(N)
# Tret(N+1) = Tnow + Lcsk = now + 186d
# Trem(N+1) = Tnow + Lcsk + IretZ = now + 186d + 26d3h
# = now + 5091h
TactN="now-186d"
TretN="now"
TremN="now+627h"
TpubN1="now-3h"
TsbmN1="now"
TactN1="${TretN}"
TretN1="now+186d"
TremN1="now+5091h"
# The *times strings are expanded unquoted on purpose (word splitting); the
# other unquoted expansions ($zone, $infile, $zonefile, key names) carry no
# whitespace here but could be quoted (shellcheck SC2086).
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
# State files: -g goal, -k DNSKEY, -r KRRSIG, -d DS, -z ZRRSIG. CSK1 is fully
# OMNIPRESENT but heads for HIDDEN; CSK2 has DNSKEY/KRRSIG RUMOURED since
# Tpub and DS/ZRRSIG still HIDDEN.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1

# Step 4:
# Some time later all the ZRRSIG records should be from the new CSK, and the
# DS should be swapped. The ZRRSIG records are all replaced after IretZ
# (which is 26d3h). The DS is swapped after Iret (which is 4h).
# In other words, the DS is swapped before all zone signatures are replaced.
setup step4.csk-roll.autosign
# According to RFC 7583:
# Trem(N) = Tret(N) - Iret + IretZ
# Tnow = Tsbm(N+1) + Iret
#
# Lcsk: 186d
# Iret: 4h
# IretZ: 26d3h
#
# Tact(N) = Tnow - Iret - Lcsk = now - 4h - 186d = now - 4468h
# Tret(N) = Tnow - Iret = now - 4h
# Trem(N) = Tnow - Iret + IretZ = now - 4h + 26d3h
# = now + 623h
# Tpub(N+1) = Tnow - Iret - IpubC = now - 4h - 3h = now - 7h
# Tsbm(N+1) = Tret(N)
# Tact(N+1) = Tret(N)
# Tret(N+1) = Tnow - Iret + Lcsk = now - 4h + 186d = now + 4460h
# Trem(N+1) = Tnow - Iret + Lcsk + IretZ = now - 4h + 186d + 26d3h
# = now + 5087h
TactN="now-4468h"
TretN="now-4h"
TremN="now+623h"
TpubN1="now-7h"
TsbmN1="${TretN}"
TactN1="${TretN}"
TretN1="now+4460h"
TremN1="now+5087h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
# DS and ZRRSIG are mid-swap: UNRETENTIVE on CSK1 (DS withdrawn at Tsbm,
# -D ds), RUMOURED on CSK2 (DS published at Tsbm, -P ds).
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1

# Step 5:
# After the DS is swapped in step 4, also the KRRSIG records can be removed.
# At this time these have all become hidden.
setup step5.csk-roll.autosign
# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
# Tact(N) = now - 4468h - 2h = now - 4470h
# Tret(N) = now - 4h - 2h = now - 6h
# Trem(N) = now + 623h - 2h = now + 621h
# Tpub(N+1) = now - 7h - 2h = now - 9h
# Tsbm(N+1) = Tret(N)
# Tact(N+1) = Tret(N)
# Tret(N+1) = now + 4460h - 2h = now + 4458h
# Trem(N+1) = now + 5087h - 2h = now + 5085h
TactN="now-4470h"
TretN="now-6h"
TremN="now+621h"
TpubN1="now-9h"
TsbmN1="${TretN}"
TactN1="${TretN}"
TretN1="now+4458h"
TremN1="now+5085h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
# The DS swap completed 2h ago (literal now-2h): CSK1's DS is HIDDEN and its
# KRRSIG is being withdrawn; CSK2's DS is OMNIPRESENT. ZRRSIG is still
# rolling (CSK1 UNRETENTIVE, CSK2 RUMOURED since Tact(N+1)).
$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1

# Step 6:
# After the retire interval has passed the predecessor DNSKEY can be
# removed from the zone.
setup step6.csk-roll.autosign
# According to RFC 7583:
# Trem(N) = Tret(N) + IretZ
# Tret(N) = Tact(N) + Lcsk
#
# Lcsk: 186d
# Iret: 4h
# IretZ: 26d3h
#
# Tact(N) = Tnow - IretZ - Lcsk = now - 627h - 186d
# = now - 627h - 4464h = now - 5091h
# Tret(N) = Tnow - IretZ = now - 627h
# Trem(N) = Tnow
# Tpub(N+1) = Tnow - IretZ - Ipub = now - 627h - 3h = now - 630h
# Tsbm(N+1) = Tret(N)
# Tact(N+1) = Tret(N)
# Tret(N+1) = Tnow - IretZ + Lcsk = now - 627h + 186d = now + 3837h
# Trem(N+1) = Tnow + Lcsk = now + 186d
TactN="now-5091h"
TretN="now-627h"
TremN="now"
TpubN1="now-630h"
TsbmN1="${TretN}"
TactN1="${TretN}"
TretN1="now+3837h"
TremN1="now+186d"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
# CSK1's KRRSIG and DS are HIDDEN; only its DNSKEY (still OMNIPRESENT) and
# the retreating ZRRSIG remain. CSK2 owns the DS and is taking over ZRRSIG.
$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1

# Step 7:
# Some time later the predecessor DNSKEY enters the HIDDEN state.
setup step7.csk-roll.autosign
# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
# Tact(N) = now - 5091h - 2h = now - 5093h
# Tret(N) = now - 627h - 2h = now - 629h
# Trem(N) = now - 2h
# Tpub(N+1) = now - 630h - 2h = now - 632h
# Tsbm(N+1) = Tret(N)
# Tact(N+1) = Tret(N)
# Tret(N+1) = now + 3837h - 2h = now + 3835h
# Trem(N+1) = now + 186d - 2h = now + 4462h
TactN="now-5093h"
TretN="now-629h"
TremN="now-2h"
TpubN1="now-632h"
TsbmN1="${TretN}"
TactN1="${TretN}"
TretN1="now+3835h"
TremN1="now+4462h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
# CSK1's DNSKEY is UNRETENTIVE since removal at Trem; everything else HIDDEN.
$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1

# Step 8:
# The predecessor DNSKEY can be purged.
setup step8.csk-roll.autosign
# Subtract purge-keys interval from all the times (1h).
# Tact(N) = now - 5093h - 1h = now - 5094h
# Tret(N) = now - 629h - 1h = now - 630h
# Trem(N) = now - 2h - 1h = now - 3h
# Tpub(N+1) = now - 632h - 1h = now - 633h
# Tsbm(N+1) = Tret(N)
# Tact(N+1) = Tret(N)
# Tret(N+1) = now + 3835h - 1h = now + 3834h
# Trem(N+1) = now + 4462h - 1h = now + 4461h
TactN="now-5094h"
TretN="now-630h"
TremN="now-3h"
TpubN1="now-633h"
TsbmN1="${TretN}"
TactN1="${TretN}"
TretN1="now+3834h"
TremN1="now+4461h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
# CSK1 is HIDDEN in every respect and can be purged.
$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1

#
# The zones at csk-roll2.autosign represent the various steps of a CSK rollover
# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
# This scenario differs from the above one because the zone signatures (ZRRSIG)
# are replaced with the new key sooner than the DS is swapped.
#

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.csk-roll2.autosign
TactN="now"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
# Generated from the csk-roll2 policy in policies/autosign.conf.
CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1

# Step 2:
# It is time to introduce the new CSK.
1212setup step2.csk-roll2.autosign 1213# According to RFC 7583: 1214# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC 1215# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub 1216# IpubC = DprpC + TTLkey (+publish-safety) 1217# Ipub = IpubC 1218# Lcsk = Lksk = Lzsk 1219# 1220# Lcsk: 6mo (186d, 4464h) 1221# Dreg: N/A 1222# DprpC: 1h 1223# TTLkey: 1h 1224# publish-safety: 1h 1225# Ipub: 3h 1226# 1227# Tact(N) = Tnow - Lcsk + Ipub = now - 186d + 3h 1228# = now - 4464h + 3h = now - 4461h 1229TactN="now-4461h" 1230csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" 1231CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) 1232$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1 1233cat template.db.in "${CSK}.key" >"$infile" 1234private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" 1235cp $infile $zonefile 1236$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 1237 1238# Step 3: 1239# It is time to submit the DS and to roll signatures. 
# Step 3 of the csk-roll2.autosign rollover: the successor CSK is ready, its
# DS is submitted and it starts signing now; the predecessor is retired. In
# this policy the DS propagation delay (1w) dominates, so Iret > IretZ.
setup step3.csk-roll2.autosign
# According to RFC 7583:
#
# Tsbm(N+1) >= Trdy(N+1)
# KSK: Tact(N+1) = Tsbm(N+1)
# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
# KSK: Iret = DprpP + TTLds (+retire-safety)
# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
#
# Lcsk: 186d
# Dprp: 1h
# DprpP: 1w
# Dreg: N/A
# Dsgn: 12h
# TTLds: 1h
# TTLsig: 1d
# retire-safety: 1h
# Iret: 170h
# IretZ: 38h
# Ipub: 3h
#
# Tact(N) = Tnow - Lcsk = now - 186d
# Tret(N) = now
# Trem(N) = Tnow + Iret = now + 170h
# Tpub(N+1) = Tnow - Ipub = now - 3h
# Tsbm(N+1) = Tret(N)
# Tact(N+1) = Tret(N)
# Tret(N+1) = Tnow + Lcsk = now + 186d
# Trem(N+1) = Tnow + Lcsk + Iret = now + 186d + 170h
# = now + 4464h + 170h = now + 4634h
TactN="now-186d"
TretN="now"
TremN="now+170h"
TpubN1="now-3h"
TsbmN1="${TretN}"
TactN1="${TretN}"
TretN1="now+186d"
TremN1="now+4634h"
# The *times strings are expanded unquoted on purpose (word splitting); the
# other unquoted expansions ($zone, $infile, $zonefile, key names) carry no
# whitespace here but could be quoted (shellcheck SC2086).
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
# State files: -g goal, -k DNSKEY, -r KRRSIG, -d DS, -z ZRRSIG. CSK1 is fully
# OMNIPRESENT but heads for HIDDEN; CSK2 has DNSKEY/KRRSIG RUMOURED since
# Tpub and DS/ZRRSIG still HIDDEN.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1

# Step 4:
# Some time later all the ZRRSIG records should be from the new CSK, and the
# DS should be swapped. The ZRRSIG records are all replaced after IretZ (38h).
# The DS is swapped after Dreg + Iret (1w3h). In other words, the zone
# signatures are replaced before the DS is swapped.
setup step4.csk-roll2.autosign
# According to RFC 7583:
# Trem(N) = Tret(N) + IretZ
#
# Lcsk: 186d
# Dreg: N/A
# Iret: 170h
# IretZ: 38h
#
# Tact(N) = Tnow - IretZ - Lcsk = now - 38h - 186d
# = now - 38h - 4464h = now - 4502h
# Tret(N) = Tnow - IretZ = now - 38h
# Trem(N) = Tnow - IretZ + Iret = now - 38h + 170h = now + 132h
# Tpub(N+1) = Tnow - IretZ - IpubC = now - 38h - 3h = now - 41h
# Tsbm(N+1) = Tret(N)
# Tact(N+1) = Tret(N)
# Tret(N+1) = Tnow - IretZ + Lcsk = now - 38h + 186d
# = now + 4426h
# Trem(N+1) = Tnow - IretZ + Lcsk + Iret
# = now + 4426h + 3h = now + 4429h
# NOTE(review): the formula above (+ Iret = 170h) would give now + 4596h, but
# the value set below adds 3h instead. The test expectations presumably match
# the 4429h value, so confirm against tests.sh before changing either.
TactN="now-4502h"
TretN="now-38h"
TremN="now+132h"
TpubN1="now-41h"
TsbmN1="${TretN}"
TactN1="${TretN}"
TretN1="now+4426h"
TremN1="now+4429h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
# ZRRSIG and DS are mid-swap: UNRETENTIVE on CSK1 (DS withdrawn at Tsbm,
# -D ds), RUMOURED on CSK2 (DS published at Tsbm, -P ds).
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $R $TactN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1

# Step 5:
# Some time later the DS can be swapped and the old DNSKEY can be removed from
# the zone.
setup step5.csk-roll2.autosign
# Subtract Iret (170h) - IretZ (38h) = 132h.
#
# Tact(N) = now - 4502h - 132h = now - 4634h
# Tret(N) = now - 38h - 132h = now - 170h
# Trem(N) = now + 132h - 132h = now
# Tpub(N+1) = now - 41h - 132h = now - 173h
# Tsbm(N+1) = Tret(N)
# Tact(N+1) = Tret(N)
# Tret(N+1) = now + 4426h - 132h = now + 4294h
# Trem(N+1) = now + 4492h - 132h = now + 4360h
# NOTE(review): step 4 set Trem(N+1) to now+4429h, not 4492h, so this line
# and the 4360h value below do not follow from the previous step by simple
# subtraction. Verify against the test's expected values before changing.
TactN="now-4634h"
TretN="now-170h"
TremN="now"
TpubN1="now-173h"
TsbmN1="${TretN}"
TactN1="${TretN}"
TretN1="now+4294h"
TremN1="now+4360h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
# The ZRRSIG swap finished (literal now-133h): HIDDEN on CSK1, OMNIPRESENT on
# CSK2. The DS is still mid-swap.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $O now-133h -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1

# Step 6:
# Some time later the predecessor DNSKEY enters the HIDDEN state.
setup step6.csk-roll2.autosign
# Subtract DNSKEY TTL plus zone propagation delay (2h).
#
# Tact(N) = now - 4634h - 2h = now - 4636h
# Tret(N) = now - 170h - 2h = now - 172h
# Trem(N) = now - 2h
# Tpub(N+1) = now - 173h - 2h = now - 175h
# Tsbm(N+1) = Tret(N)
# Tact(N+1) = Tret(N)
# Tret(N+1) = now + 4294h - 2h = now + 4292h
# Trem(N+1) = now + 4360h - 2h = now + 4358h
TactN="now-4636h"
TretN="now-172h"
TremN="now-2h"
TpubN1="now-175h"
TsbmN1="${TretN}"
TactN1="${TretN}"
TretN1="now+4292h"
TremN1="now+4358h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
# DS swap done: CSK1's DNSKEY/KRRSIG are UNRETENTIVE since removal at Trem,
# its DS and ZRRSIG HIDDEN (ZRRSIG since the literal now-135h).
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1

# Step 7:
# The predecessor DNSKEY can be purged, but purge-keys is disabled.
setup step7.csk-roll2.autosign
# Subtract 90 days (default, 2160h) from all the times.
# Tact(N) = now - 4636h - 2160h = now - 6796h
# Tret(N) = now - 172h - 2160h = now - 2332h
# Trem(N) = now - 2h - 2160h = now - 2162h
# Tpub(N+1) = now - 175h - 2160h = now - 2335h
# Tsbm(N+1) = Tret(N)
# Tact(N+1) = Tret(N)
# Tret(N+1) = now + 4294h - 2160h = now + 2134h
# Trem(N+1) = now + 4360h - 2160h = now + 2200h
TactN="now-6796h"
TretN="now-2332h"
TremN="now-2162h"
TpubN1="now-2335h"
TsbmN1="${TretN}"
TactN1="${TretN}"
TretN1="now+2134h"
TremN1="now+2200h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
# Same state layout as step 6 (the literal now-135h ZRRSIG time is kept
# unchanged here even though the other times were shifted by 2160h).
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1

# Test #2375, the "three is a crowd" bug, where a new key is introduced but the
# previous rollover has not finished yet. In other words, we have a key KEY2
# that is the successor of key KEY1, and we introduce a new key KEY3 that is
# the successor of key KEY2:
#
# KEY1 < KEY2 < KEY3.
#
# The expected behavior is that all three keys remain in the zone, and not
# the bug behavior where KEY2 is removed and immediately replaced with KEY3.
#
# Set up a zone that has a KSK (KEY1) and have the successor key (KEY2)
# published as well. (KEY3 is not created here; only KEY1 and KEY2 are.)
setup three-is-a-crowd.kasp
# These times are the same as step3.ksk-doubleksk.autosign.
TactN="now-60d"
TretN="now"
TremN="now+50h"
TpubN1="now-27h"
TsbmN1="now"
TactN1="${TretN}"
TretN1="now+60d"
TremN1="now+1490h"
# Expanded unquoted on purpose below (each string holds several options).
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
# KSK1 (KEY1) is OMNIPRESENT and heading for HIDDEN; KSK2 (KEY2) is
# RUMOURED since Tpub with its DS still HIDDEN — the rollover is in flight.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $KSK1 $KSK2
# Sign zone.
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1