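#!/bin/sh -e

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# The "-e" on the shebang line is only honoured when this file is executed
# directly; when it is started as "sh setup.sh" / "$SHELL setup.sh" the
# interpreter ignores shebang options. Enable it explicitly as well, so a
# failing dnssec-keygen or dnssec-signzone run aborts the setup instead of
# silently leaving an unsigned or half-built zone behind for the test.
set -e

# shellcheck source=conf.sh
. ../../conf.sh

echo_i "ns3/setup.sh"

# setup ZONE
#
# Select the zone the following commands work on. Intentionally assigns
# shell-global variables (no 'local'): the rest of this script reads
# $zone, $zonefile and $infile after every call.
#   zone     - zone name, taken from $1
#   zonefile - where the signed zone is written:       <zone>.db
#   infile   - unsigned input handed to dnssec-signzone: <zone>.db.infile
setup() {
  zone="$1"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  infile="${zone}.db.infile"
}

# Make lines shorter by storing key states in environment variables.
# (None of these is referenced further down in this script.)
H="HIDDEN"
R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"

# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
# Both keys are published and activated now; "-P sync now" additionally
# sets the KSK's CDS/CDNSKEY publication (sync) time.
setup migrate.kasp
echo "$zone" >>zones
ksktimes="-P now -A now -P sync now"
zsktimes="-P now -A now"
# $ksktimes/$zsktimes hold several dnssec-keygen arguments and are
# word-split on purpose (plain sh: no arrays), so they stay unquoted.
# $KEYGEN/$SIGNER come from conf.sh and may carry their own options, so
# they are left unquoted too.
# shellcheck disable=SC2086
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.${zone}.1")
# shellcheck disable=SC2086
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.${zone}.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
# TYPE65534 signing records, one per key, using the number of the
# algorithm the keys were generated with.
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
# -S: smart signing (key timing taken from the K* files),
# -x: sign the DNSKEY RRset with the KSK only.
# shellcheck disable=SC2086
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.${zone}.1" 2>&1

# Set up Single-Type Signing Scheme zones with auto-dnssec maintain to
# migrate to dnssec-policy. This is a zone that has 'update-check-ksk no;'
# configured, meaning the zone is signed with a single CSK.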
setup csk.kasp
printf '%s\n' "$zone" >>zones
# A single key carries the zone: generated with the KSK (SEP) flag and,
# via "-P sync", with a CDS/CDNSKEY publication time.
csktimes="-P now -A now -P sync now"
# $csktimes is a list of dnssec-keygen arguments and must be word-split
# (plain sh, no arrays); $KEYGEN/$SIGNER from conf.sh may carry options
# of their own and are deliberately left unquoted as well.
# shellcheck disable=SC2086
CSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $csktimes "$zone" 2>"keygen.out.${zone}.1")
cat template.db.in "${CSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK" >>"$infile"
# -z: ignore the KSK flag when deciding what each key signs, so the one
# key signs everything.
# shellcheck disable=SC2086
$SIGNER -S -z -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.${zone}.1" 2>&1

# Same single-key scheme, but the key is generated without the SEP flag
# (no "-f KSK").
setup csk-nosep.kasp
printf '%s\n' "$zone" >>zones
csktimes="-P now -A now -P sync now"
# shellcheck disable=SC2086
CSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $csktimes "$zone" 2>"keygen.out.${zone}.1")
cat template.db.in "${CSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK" >>"$infile"
# shellcheck disable=SC2086
$SIGNER -S -z -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.${zone}.1" 2>&1

# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# RSASHA256 keys, and will be migrated to a dnssec-policy that dictates
# ECDSAP256SHA256 keys.
setup migrate-nomatch-algnum.kasp
printf '%s\n' "$zone" >>zones
# Key timings are backdated far enough that, by the policy's own
# thresholds, every state should already count as settled:
Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h"   # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
# shellcheck disable=SC2086
KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.${zone}.1")
# shellcheck disable=SC2086
ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes "$zone" 2>"keygen.out.${zone}.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
# NOTE(review): these TYPE65534 signing records carry algorithm number 5
# (RSASHA1), while the keys generated above are RSASHA256 (algorithm 8).
# The other zones in this file pass $DEFAULT_ALGORITHM_NUMBER for
# $DEFAULT_ALGORITHM keys; confirm the mismatch is intended before
# relying on these records.
{
  private_type_record "$zone" 5 "$KSK"
  private_type_record "$zone" 5 "$ZSK"
} >>"$infile"
# shellcheck disable=SC2086
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.${zone}.1" 2>&1

# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# 2048 bits RSASHA256 keys, and will be migrated to a dnssec-policy that
# dictates 3072 bits RSASHA256 keys.
setup migrate-nomatch-alglen.kasp
printf '%s\n' "$zone" >>zones
Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h"   # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
# shellcheck disable=SC2086
KSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.${zone}.1")
# shellcheck disable=SC2086
ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 300 $zsktimes "$zone" 2>"keygen.out.${zone}.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
# NOTE(review): algorithm number 5 here does not match the RSASHA256 (8)
# keys above either; see the note on migrate-nomatch-algnum.kasp.
{
  private_type_record "$zone" 5 "$KSK"
  private_type_record "$zone" 5 "$ZSK"
} >>"$infile"
# shellcheck disable=SC2086
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.${zone}.1" 2>&1

# Set up a zone with auto-dnssec maintain to migrate to default dnssec-policy.
# The zone is signed with KSK/ZSK split, but the dnssec-policy uses CSK.
setup migrate-nomatch-kzc.kasp
printf '%s\n' "$zone" >>zones
Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h"   # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
# shellcheck disable=SC2086
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.${zone}.1")
# shellcheck disable=SC2086
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 $zsktimes "$zone" 2>"keygen.out.${zone}.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
# The unsigned zone file is snapshotted *before* the signing records are
# appended, so <zone>.db holds only the template plus DNSKEYs; the
# TYPE65534 records end up in the signed output only.
cp "$infile" "$zonefile"
# NOTE(review): the keys above use $DEFAULT_ALGORITHM, yet the algorithm
# number passed here is the literal 5 rather than $DEFAULT_ALGORITHM_NUMBER
# as in migrate.kasp; this only lines up if the default is RSASHA1 —
# confirm.
{
  private_type_record "$zone" 5 "$KSK"
  private_type_record "$zone" 5 "$ZSK"
} >>"$infile"
# Signed zone goes to a separate raw-format file (-O raw); -P skips
# dnssec-signzone's post-sign verification.
# shellcheck disable=SC2086
$SIGNER -PS -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.${zone}.1" 2>&1

#
# Set up zones to test time metadata correctly sets state.
#

# Key states expected to be rumoured after migration.
setup rumoured.kasp
printf '%s\n' "$zone" >>zones
# These timestamps are more recent than the thresholds used for
# omnipresent.kasp below (3h / 3900s / 12h), so after migration the
# states are expected to still be RUMOURED rather than OMNIPRESENT.
Tds="now-2h"
Tkey="now-300s"
Tsig="now-11h"
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
# $ksktimes/$zsktimes are lists of dnssec-keygen arguments and must be
# word-split (plain sh, no arrays); $KEYGEN/$SIGNER from conf.sh may carry
# options of their own and are left unquoted as well.
# shellcheck disable=SC2086
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.${zone}.1")
# shellcheck disable=SC2086
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 $zsktimes "$zone" 2>"keygen.out.${zone}.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
{
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK"
} >>"$infile"
# shellcheck disable=SC2086
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.${zone}.1" 2>&1

# Key states expected to be omnipresent after migration.
setup omnipresent.kasp
printf '%s\n' "$zone" >>zones
# Backdated past each state's settle time; 3900s is the 300s DNSKEY TTL
# (-L 300) plus what is presumably a 1h propagation delay.
Tds="now-3h"     # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h"   # Zone's maximum TTL + propagation delay
ksktimes="-P ${Tkey} -A ${Tkey} -P sync ${Tds}"
zsktimes="-P ${Tkey} -A ${Tsig}"
# shellcheck disable=SC2086
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 -f KSK $ksktimes "$zone" 2>"keygen.out.${zone}.1")
# shellcheck disable=SC2086
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 $zsktimes "$zone" 2>"keygen.out.${zone}.2")
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
{
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK"
} >>"$infile"
# shellcheck disable=SC2086
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" >"signer.out.${zone}.1" 2>&1