1#!/bin/sh -e
2
3# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
4#
5# SPDX-License-Identifier: MPL-2.0
6#
7# This Source Code Form is subject to the terms of the Mozilla Public
8# License, v. 2.0.  If a copy of the MPL was not distributed with this
9# file, you can obtain one at https://mozilla.org/MPL/2.0/.
10#
11# See the COPYRIGHT file distributed with this work for additional
12# information regarding copyright ownership.
13
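# Turn on errexit here as well: the "-e" on the shebang only applies when
# this file is executed directly and is lost under "sh setup.sh".
set -e

# Shared system-test helpers.  The names used further down (echo_i,
# private_type_record, KEYGEN, SIGNER, DEFAULT_ALGORITHM and
# DEFAULT_ALGORITHM_NUMBER) are not defined in this file and are expected
# to come from here.
# shellcheck source=conf.sh
. ../../conf.sh

echo_i "ns3/setup.sh"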
18
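#######################################
# Select the zone that the statements following the call operate on.
# Globals:   zone, zonefile, infile (written) — deliberately not local,
#            the top-level code below reads them after each call.
# Arguments: $1 - zone name (required, must be non-empty)
# Outputs:   one progress line via echo_i
# Returns:   0; aborts the (non-interactive) shell if $1 is missing/empty
#######################################
setup() {
  # Fail fast on a missing name: with an empty $zone the derived file names
  # would collapse to ".db" / ".db.infile" and keygen would get no zone.
  zone="${1:?setup: zone name required}"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  infile="${zone}.db.infile"
}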
25
# One-letter aliases for the key-state names so expectation lines stay
# short.  None of them is referenced in the part of this file shown here;
# they are presumably consumed by the test driver — verify before removing.
# shellcheck disable=SC2034
H=HIDDEN
# shellcheck disable=SC2034
R=RUMOURED
# shellcheck disable=SC2034
O=OMNIPRESENT
# shellcheck disable=SC2034
U=UNRETENTIVE
31
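# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
# KSK/ZSK split using the default algorithm; every timing field is "now".
setup migrate.kasp
echo "$zone" >>zones
ksktimes="-P now -A now -P sync now"
zsktimes="-P now -A now"
# $ksktimes/$zsktimes hold several arguments and this is POSIX sh (no
# arrays), so they are word-split on purpose.  $KEYGEN and $SIGNER (expected
# from conf.sh) are left unquoted for the same reason.  Everything that is a
# single word — zone, file names, algorithm — is quoted.
# "-f KSK" gives the first key the KSK flag; "-L" is the key's default TTL.
# shellcheck disable=SC2086
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
# shellcheck disable=SC2086
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.$zone.2")
# Unsigned input: the template plus both public keys, followed by one
# private-type record per key (helper from conf.sh).
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
# -S: smart signing driven by key metadata; -x: only the KSK signs the
# DNSKEY RRset.  Signatures are backdated 1h and valid for two weeks.
# shellcheck disable=SC2086
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1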
43
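# Set up Single-Type Signing Scheme zones with auto-dnssec maintain to
# migrate to dnssec-policy. This is a zone that has 'update-check-ksk no;'
# configured, meaning the zone is signed with a single CSK.
setup csk.kasp
echo "$zone" >>zones
csktimes="-P now -A now -P sync now"
# $csktimes holds several arguments; POSIX sh has no arrays, so it is
# word-split on purpose.  $KEYGEN/$SIGNER likewise stay unquoted.
# The single key is generated with "-f KSK", i.e. with the KSK/SEP flag set.
# shellcheck disable=SC2086
CSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $csktimes "$zone" 2>"keygen.out.$zone.1")
cat template.db.in "${CSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK" >>"$infile"
# -z: ignore the KSK flag so this one key signs every RRset.
# shellcheck disable=SC2086
$SIGNER -S -z -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1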
54
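# Same single-CSK layout as csk.kasp, but the key is generated without
# "-f KSK", so it carries no KSK/SEP flag (hence "nosep").
setup csk-nosep.kasp
echo "$zone" >>zones
csktimes="-P now -A now -P sync now"
# $csktimes is multi-argument and word-split on purpose (POSIX sh, no
# arrays); $KEYGEN/$SIGNER stay unquoted for the same reason.
# shellcheck disable=SC2086
CSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $csktimes "$zone" 2>"keygen.out.$zone.1")
cat template.db.in "${CSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK" >>"$infile"
# -z: sign every RRset with the one key regardless of flags.
# shellcheck disable=SC2086
$SIGNER -S -z -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1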
62
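# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy.  The existing keys are
# RSASHA256 keys, and will be migrated to a dnssec-policy that dictates
# ECDSAP256SHA256 keys.
setup migrate-nomatch-algnum.kasp
echo "$zone" >>zones
Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h"   # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
# Multi-argument strings are word-split on purpose (POSIX sh, no arrays);
# $KEYGEN/$SIGNER stay unquoted for the same reason.
# shellcheck disable=SC2086
KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
# shellcheck disable=SC2086
ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes "$zone" 2>"keygen.out.$zone.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
# NOTE(review): the private-type records are written with algorithm number 5
# (IANA: RSASHA1) although the keys above are RSASHA256 (IANA: 8); the
# default-algorithm zones in this file pass $DEFAULT_ALGORITHM_NUMBER instead.
# Left unchanged — confirm whether the mismatch is intentional for this test.
private_type_record "$zone" 5 "$KSK" >>"$infile"
private_type_record "$zone" 5 "$ZSK" >>"$infile"
# -S: smart signing from key metadata; -x: only the KSK signs the DNSKEY RRset.
# shellcheck disable=SC2086
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1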
80
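# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy.  The existing keys are
# 2048 bits RSASHA256 keys, and will be migrated to a dnssec-policy that
# dictates 3072 bits RSASHA256 keys.
setup migrate-nomatch-alglen.kasp
echo "$zone" >>zones
Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h"   # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
# Multi-argument strings are word-split on purpose (POSIX sh, no arrays);
# $KEYGEN/$SIGNER stay unquoted for the same reason.  "-b 2048" is the key
# size the policy under test is expected to reject.
# shellcheck disable=SC2086
KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
# shellcheck disable=SC2086
ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes "$zone" 2>"keygen.out.$zone.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
# NOTE(review): algorithm number 5 (IANA: RSASHA1) is written into the
# private-type records while the keys above are RSASHA256 (IANA: 8); the
# default-algorithm zones in this file pass $DEFAULT_ALGORITHM_NUMBER.
# Left unchanged — confirm whether the mismatch is intentional for this test.
private_type_record "$zone" 5 "$KSK" >>"$infile"
private_type_record "$zone" 5 "$ZSK" >>"$infile"
# -S: smart signing from key metadata; -x: only the KSK signs the DNSKEY RRset.
# shellcheck disable=SC2086
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1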
98
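# Set up a zone with auto-dnssec maintain to migrate to default dnssec-policy.
# The zone is signed with KSK/ZSK split, but the dnssec-policy uses CSK.
setup migrate-nomatch-kzc.kasp
echo "$zone" >>zones
Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h"   # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
# Multi-argument strings are word-split on purpose (POSIX sh, no arrays);
# $KEYGEN/$SIGNER stay unquoted for the same reason.
# shellcheck disable=SC2086
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
# shellcheck disable=SC2086
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 $zsktimes "$zone" 2>"keygen.out.$zone.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
# Unlike the other zones here, the unsigned copy (taken before the
# private-type records are appended) becomes the zone file itself and the
# signed output goes to "${zonefile}.signed" in raw format — presumably an
# inline-signing layout in this server's named.conf; confirm there.
cp -- "$infile" "$zonefile"
# NOTE(review): algorithm number 5 is passed here although the keys use
# $DEFAULT_ALGORITHM; the other default-algorithm zones in this file pass
# $DEFAULT_ALGORITHM_NUMBER.  Left unchanged — confirm whether this is intended.
private_type_record "$zone" 5 "$KSK" >>"$infile"
private_type_record "$zone" 5 "$ZSK" >>"$infile"
# -P: skip post-signing verification; -S/-x as for the other zones;
# -O raw: raw output format.
# shellcheck disable=SC2086
$SIGNER -PS -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1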
115
116#
117# Set up zones to test time metadata correctly sets state.
118#
119
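# Key states expected to be rumoured after migration.
setup rumoured.kasp
echo "$zone" >>zones
# These offsets are deliberately more recent than the ones used for
# omnipresent.kasp below (2h/300s/11h versus 3h/3900s/12h), so the
# states derived from them should not yet have settled.
Tds="now-2h"    # DS publication time
Tkey="now-300s" # DNSKEY publication/activation time
Tsig="now-11h"  # ZSK activation (signing) time
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
# Multi-argument strings are word-split on purpose (POSIX sh, no arrays);
# $KEYGEN/$SIGNER stay unquoted for the same reason.
# shellcheck disable=SC2086
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
# shellcheck disable=SC2086
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 $zsktimes "$zone" 2>"keygen.out.$zone.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
# -S: smart signing from key metadata; -x: only the KSK signs the DNSKEY RRset.
# shellcheck disable=SC2086
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1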
134
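# Key states expected to be omnipresent after migration.
setup omnipresent.kasp
echo "$zone" >>zones
Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h"   # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
# Multi-argument strings are word-split on purpose (POSIX sh, no arrays);
# $KEYGEN/$SIGNER stay unquoted for the same reason.
# shellcheck disable=SC2086
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
# shellcheck disable=SC2086
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 $zsktimes "$zone" 2>"keygen.out.$zone.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
# -S: smart signing from key metadata; -x: only the KSK signs the DNSKEY RRset.
# shellcheck disable=SC2086
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.$zone.1" 2>&1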
149