1#!/bin/sh -e 2 3# Copyright (C) Internet Systems Consortium, Inc. ("ISC") 4# 5# SPDX-License-Identifier: MPL-2.0 6# 7# This Source Code Form is subject to the terms of the Mozilla Public 8# License, v. 2.0. If a copy of the MPL was not distributed with this 9# file, you can obtain one at https://mozilla.org/MPL/2.0/. 10# 11# See the COPYRIGHT file distributed with this work for additional 12# information regarding copyright ownership. 13 14# shellcheck source=conf.sh 15. "$SYSTEMTESTTOP/conf.sh" 16 17echo_i "ns3/setup.sh" 18 19setup() { 20 zone="$1" 21 echo_i "setting up zone: $zone" 22 zonefile="${zone}.db" 23 infile="${zone}.db.infile" 24 echo "$zone" >> zones 25} 26 27# Set in the key state files the Predecessor/Successor fields. 28# Key $1 is the predecessor of key $2. 29key_successor() { 30 id1=$(keyfile_to_key_id "$1") 31 id2=$(keyfile_to_key_id "$2") 32 echo "Predecessor: ${id1}" >> "${2}.state" 33 echo "Successor: ${id2}" >> "${1}.state" 34} 35 36# Make lines shorter by storing key states in environment variables. 37H="HIDDEN" 38R="RUMOURED" 39O="OMNIPRESENT" 40U="UNRETENTIVE" 41 42# 43# Set up zones that will be initially signed. 44# 45for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \ 46 rumoured rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 \ 47 dynamic dynamic-inline-signing inline-signing \ 48 checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \ 49 manual-rollover multisigner-model2 50do 51 setup "${zn}.kasp" 52 cp template.db.in "$zonefile" 53done 54 55if [ -f ../ed25519-supported.file ]; then 56 setup "ed25519.kasp" 57 cp template.db.in "$zonefile" 58 cat ed25519.conf >> named.conf 59fi 60 61if [ -f ../ed448-supported.file ]; then 62 setup "ed448.kasp" 63 cp template.db.in "$zonefile" 64 cat ed448.conf >> named.conf 65fi 66 67# Set up zone that stays unsigned. 68zone="unsigned.kasp" 69echo_i "setting up zone: $zone" 70zonefile="${zone}.db" 71infile="${zone}.db.infile" 72cp template.db.in $infile 73cp template.db.in $zonefile 74 75# Set up zone that stays unsigned. 76zone="insecure.kasp" 77echo_i "setting up zone: $zone" 78zonefile="${zone}.db" 79infile="${zone}.db.infile" 80cp template.db.in $zonefile 81 82# Some of these zones already have keys. 83zone="dnssec-keygen.kasp" 84$KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1 85 86zone="some-keys.kasp" 87$KEYGEN -G -a RSASHA1 -b 2000 -L 1234 $zone > keygen.out.$zone.1 2>&1 88$KEYGEN -G -a RSASHA1 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1 89 90zone="legacy-keys.kasp" 91ZSK=$($KEYGEN -a RSASHA1 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1) 92KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $zone 2> keygen.out.$zone.2) 93echo $ZSK > legacy-keys.kasp.zsk 94echo $KSK > legacy-keys.kasp.ksk 95# Predecessor keys: 96Tact="now-9mo" 97Tret="now-3mo" 98ZSK=$($KEYGEN -a RSASHA1 -b 2048 -L 1234 $zone 2> keygen.out.$zone.3) 99KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $zone 2> keygen.out.$zone.4) 100$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK" > settime.out.$zone.1 2>&1 101$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK" > settime.out.$zone.2 2>&1 102 103zone="pregenerated.kasp" 104$KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1 105$KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1 106 107zone="multisigner-model2.kasp" 108# Import the ZSK sets of the other providers into their DNSKEY RRset. 109ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.1) 110ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.2) 111# ZSK1 will be added to the unsigned zonefile. 112cat "../${ZSK1}.key" | grep -v ";.*" >> "${zone}.db" 113cat "../${ZSK1}.key" | grep -v ";.*" > "${zone}.zsk1" 114rm -f "../${ZSK1}.*" 115# ZSK2 will be used with a Dynamic Update. 116cat "../${ZSK2}.key" | grep -v ";.*" > "${zone}.zsk2" 117rm -f "../${ZSK2}.*" 118 119zone="rumoured.kasp" 120Tpub="now" 121Tact="now+1d" 122keytimes="-P ${Tpub} -A ${Tact}" 123KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $keytimes $zone 2> keygen.out.$zone.1) 124ZSK1=$($KEYGEN -a RSASHA1 -b 2000 -L 1234 $keytimes $zone 2> keygen.out.$zone.2) 125ZSK2=$($KEYGEN -a RSASHA1 -L 1234 $keytimes $zone 2> keygen.out.$zone.3) 126$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" > settime.out.$zone.1 2>&1 127$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" > settime.out.$zone.2 2>&1 128$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.2 2>&1 129 130# 131# Set up zones that are already signed. 132# 133 134# Zone to test manual rollover. 135setup manual-rollover.kasp 136T="now-1d" 137ksktimes="-P $T -A $T -P sync $T" 138zsktimes="-P $T -A $T" 139KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 140ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) 141$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 142$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 143cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" 144private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" 145private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" 146$SIGNER -PS -x -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 147 148# These signatures are set to expire long in the past, update immediately. 149setup expired-sigs.autosign 150T="now-6mo" 151ksktimes="-P $T -A $T -P sync $T" 152zsktimes="-P $T -A $T" 153KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 154ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) 155$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 156$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 157cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" 158private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" 159private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" 160$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 161 162# These signatures are still good, and can be reused. 163setup fresh-sigs.autosign 164T="now-6mo" 165ksktimes="-P $T -A $T -P sync $T" 166zsktimes="-P $T -A $T" 167KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 168ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) 169$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 170$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 171cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" 172private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" 173private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" 174$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 175 176# These signatures are still good, but not fresh enough, update immediately. 177setup unfresh-sigs.autosign 178T="now-6mo" 179ksktimes="-P $T -A $T -P sync $T" 180zsktimes="-P $T -A $T" 181KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 182ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) 183$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 184$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 185cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" 186private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" 187private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" 188$SIGNER -S -x -s now-1w -e now+1w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 189 190# These signatures are still good, but the private KSK is missing. 191setup ksk-missing.autosign 192T="now-6mo" 193ksktimes="-P $T -A $T -P sync $T" 194zsktimes="-P $T -A $T" 195KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 196ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) 197$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 198$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 199cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" 200private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" 201private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" 202$SIGNER -S -x -s now-1w -e now+1w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 203echo "KSK: yes" >> "${KSK}".state 204echo "ZSK: no" >> "${KSK}".state 205echo "Lifetime: 63072000" >> "${KSK}".state # PT2Y 206rm -f "${KSK}".private 207 208# These signatures are still good, but the private ZSK is missing. 209setup zsk-missing.autosign 210T="now-6mo" 211ksktimes="-P $T -A $T -P sync $T" 212zsktimes="-P $T -A $T" 213KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 214ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) 215$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 216$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 217cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" 218private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" 219private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" 220$SIGNER -S -x -s now-1w -e now+1w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 221echo "KSK: no" >> "${ZSK}".state 222echo "ZSK: yes" >> "${ZSK}".state 223echo "Lifetime: 31536000" >> "${ZSK}".state # PT1Y 224rm -f "${ZSK}".private 225 226# These signatures are already expired, and the private ZSK is retired. 227setup zsk-retired.autosign 228T="now-6mo" 229ksktimes="-P $T -A $T -P sync $T" 230zsktimes="-P $T -A $T -I now" 231KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 232ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2) 233$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1 234$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1 235cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" 236private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" 237private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" 238$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 239$SETTIME -s -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1 240 241# 242# The zones at enable-dnssec.autosign represent the various steps of the 243# initial signing of a zone. 244# 245 246# Step 1: 247# This is an unsigned zone and named should perform the initial steps of 248# introducing the DNSSEC records in the right order. 249setup step1.enable-dnssec.autosign 250cp template.db.in $zonefile 251 252# Step 2: 253# The DNSKEY has been published long enough to become OMNIPRESENT. 254setup step2.enable-dnssec.autosign 255# DNSKEY TTL: 300 seconds 256# zone-propagation-delay: 5 minutes (300 seconds) 257# publish-safety: 5 minutes (300 seconds) 258# Total: 900 seconds 259TpubN="now-900s" 260# RRSIG TTL: 12 hour (43200 seconds) 261# zone-propagation-delay: 5 minutes (300 seconds) 262# retire-safety: 20 minutes (1200 seconds) 263# Already passed time: -900 seconds 264# Total: 43800 seconds 265TsbmN="now+43800s" 266keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" 267CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) 268$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 269cat template.db.in "${CSK}.key" > "$infile" 270private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" 271$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 272 273# Step 3: 274# The zone signatures have been published long enough to become OMNIPRESENT. 275setup step3.enable-dnssec.autosign 276# Passed time since publications: 43800 + 900 = 44700 seconds. 277TpubN="now-44700s" 278# The key is secure for using in chain of trust when the DNSKEY is OMNIPRESENT. 279TcotN="now-43800s" 280# We can submit the DS now. 281TsbmN="now" 282keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" 283CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) 284$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 285cat template.db.in "${CSK}.key" > "$infile" 286private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" 287$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 288 289# Step 4: 290# The DS has been submitted long enough ago to become OMNIPRESENT. 291setup step4.enable-dnssec.autosign 292# DS TTL: 2 hour (7200 seconds) 293# parent-propagation-delay: 1 hour (3600 seconds) 294# retire-safety: 20 minutes (1200 seconds) 295# Total aditional time: 12000 seconds 296# 44700 + 12000 = 56700 297TpubN="now-56700s" 298# 43800 + 12000 = 55800 299TcotN="now-55800s" 300TsbmN="now-12000s" 301keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" 302CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) 303$SETTIME -s -g $O -P ds $TsbmN -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" > settime.out.$zone.1 2>&1 304cat template.db.in "${CSK}.key" > "$infile" 305private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" 306$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 307setup step4.enable-dnssec.autosign 308 309# 310# The zones at zsk-prepub.autosign represent the various steps of a ZSK 311# Pre-Publication rollover. 312# 313 314# Step 1: 315# Introduce the first key. This will immediately be active. 316setup step1.zsk-prepub.autosign 317TactN="now" 318ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" 319zsktimes="-P ${TactN} -A ${TactN}" 320KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 321ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) 322$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 323$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 324cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" 325private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" 326private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" 327$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 328 329# Step 2: 330# It is time to pre-publish the successor ZSK. 331setup step2.zsk-prepub.autosign 332# According to RFC 7583: 333# 334# Tpub(N+1) <= Tact(N) + Lzsk - Ipub 335# Ipub = Dprp + TTLkey (+publish-safety) 336# 337# |3| |4| |5| |6| 338# | | | | 339# Key N |<-------Lzsk------>| 340# | | | | 341# Key N+1 | |<-Ipub->|<-->| 342# | | | | 343# Key N Tact 344# Key N+1 Tpub Trdy Tact 345# 346# Tnow 347# 348# Lzsk: 30d 349# Dprp: 1h 350# TTLkey: 1h 351# publish-safety: 1d 352# Ipub: 26h 353# 354# Tact(N) = Tnow + Ipub - Lzsk = now + 26h - 30d 355# = now + 26h - 30d = now − 694h 356TactN="now-694h" 357ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" 358zsktimes="-P ${TactN} -A ${TactN}" 359KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 360ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) 361$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 362$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 363cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" 364private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" 365private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" 366$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 367 368# Step 3: 369# After the publication interval has passed the DNSKEY of the successor ZSK 370# is OMNIPRESENT and the zone can thus be signed with the successor ZSK. 371setup step3.zsk-prepub.autosign 372# According to RFC 7583: 373# 374# Tpub(N+1) <= Tact(N) + Lzsk - Ipub 375# Tret(N) = Tact(N+1) = Tact(N) + Lzsk 376# Trem(N) = Tret(N) + Iret 377# Iret = Dsgn + Dprp + TTLsig (+retire-safety) 378# 379# |3| |4| |5| |6| |7| |8| 380# | | | | | | 381# Key N |<-------Lzsk------>|<-Iret->|<--->| 382# | | | | | | 383# Key N+1 | |<-Ipub->|<-->|<---Lzsk---- - - 384# | | | | | | 385# Key N Tact Tret Tdea Trem 386# Key N+1 Tpub Trdy Tact 387# 388# Tnow 389# 390# Lzsk: 30d 391# Ipub: 26h 392# Dsgn: 1w 393# Dprp: 1h 394# TTLsig: 1d 395# retire-safety: 2d 396# Iret: 10d1h = 241h 397# 398# Tact(N) = Tnow - Lzsk = now - 30d 399# Tret(N) = now 400# Trem(N) = Tnow + Iret = now + 241h 401# Tpub(N+1) = Tnow - Ipub = now - 26h 402# Tret(N+1) = Tnow + Lzsk = now + 30d 403# Trem(N+1) = Tnow + Lzsk + Iret = now + 30d + 241h 404# = now + 961h 405TactN="now-30d" 406TretN="now" 407TremN="now+241h" 408TpubN1="now-26h" 409TactN1="now" 410TretN1="now+30d" 411TremN1="now+961h" 412ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" 413zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 414newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 415KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 416ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) 417ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3) 418$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 419$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 420$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" > settime.out.$zone.3 2>&1 421# Set key rollover relationship. 422key_successor $ZSK1 $ZSK2 423# Sign zone. 424cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" 425private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" 426private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile" 427private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" 428$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 429 430# Step 4: 431# After the retire interval has passed the predecessor DNSKEY can be 432# removed from the zone. 433setup step4.zsk-prepub.autosign 434# According to RFC 7583: 435# 436# Tret(N) = Tact(N) + Lzsk 437# Tdea(N) = Tret(N) + Iret 438# 439# |3| |4| |5| |6| |7| |8| 440# | | | | | | 441# Key N |<-------Lzsk------>|<-Iret->|<--->| 442# | | | | | | 443# Key N+1 | |<-Ipub->|<-->|<---Lzsk---- - - 444# | | | | | | 445# Key N Tact Tret Tdea Trem 446# Key N+1 Tpub Trdy Tact 447# 448# Tnow 449# 450# Lzsk: 30d 451# Ipub: 26h 452# Iret: 241h 453# 454# Tact(N) = Tnow - Iret - Lzsk 455# = now - 241h - 30d = now - 241h - 720h 456# = now - 961h 457# Tret(N) = Tnow - Iret = now - 241h 458# Trem(N) = Tnow 459# Tpub(N+1) = Tnow - Iret - Ipub 460# = now - 241h - 26h 461# = now - 267h 462# Tact(N+1) = Tnow - Iret = Tret(N) 463# Tret(N+1) = Tnow - Iret + Lzsk 464# = now - 241h + 30d = now - 241h + 720h 465# = now + 479h 466# Trem(N+1) = Tnow + Lzsk = now + 30d 467TactN="now-961h" 468TretN="now-241h" 469TremN="now" 470TpubN1="now-267h" 471TactN1="${TretN}" 472TretN1="now+479h" 473TremN1="now+30d" 474ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" 475zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 476newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 477KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 478ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) 479ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3) 480$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 481$SETTIME -s -g $H -k $O $TactN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1 482$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.3 2>&1 483# Set key rollover relationship. 484key_successor $ZSK1 $ZSK2 485# Sign zone. 486cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" 487$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 488 489# Step 5: 490# The predecessor DNSKEY is removed long enough that is has become HIDDEN. 491setup step5.zsk-prepub.autosign 492# Subtract DNSKEY TTL from all the times (1h). 493# Tact(N) = now - 961h - 1h = now - 962h 494# Tret(N) = now - 241h - 1h = now - 242h 495# Tdea(N) = now - 2d - 1h = now - 49h 496# Trem(N) = now - 1h 497# Tpub(N+1) = now - 267h - 1h = now - 268h 498# Tact(N+1) = Tret(N) 499# Tret(N+1) = now + 479h - 1h = now + 478h 500# Trem(N+1) = now + 30d - 1h = now + 719h 501TactN="now-962h" 502TretN="now-242h" 503TremN="now-1h" 504TdeaN="now-49h" 505TpubN1="now-268h" 506TactN1="${TretN}" 507TretN1="now+478h" 508TremN1="now+719h" 509ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" 510zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 511newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 512KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 513ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) 514ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3) 515$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 516$SETTIME -s -g $H -k $U $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1 517$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1 518# Set key rollover relationship. 519key_successor $ZSK1 $ZSK2 520# Sign zone. 521cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" 522private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" 523private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile" 524private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" 525$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 526 527# Step 6: 528# The predecessor DNSKEY can be purged. 529setup step6.zsk-prepub.autosign 530# Subtract purge-keys interval from all the times (1h). 531# Tact(N) = now - 962h - 1h = now - 963h 532# Tret(N) = now - 242h - 1h = now - 243h 533# Tdea(N) = now - 49h - 1h = now - 50h 534# Trem(N) = now - 1h - 1h = now - 2h 535# Tpub(N+1) = now - 268h - 1h = now - 269h 536# Tact(N+1) = Tret(N) 537# Tret(N+1) = now + 478h - 1h = now + 477h 538# Trem(N+1) = now + 719h - 1h = now + 718h 539TactN="now-963h" 540TretN="now-243h" 541TremN="now-2h" 542TdeaN="now-50h" 543TpubN1="now-269h" 544TactN1="${TretN}" 545TretN1="now+477h" 546TremN1="now+718h" 547ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" 548zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 549newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 550KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 551ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) 552ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3) 553$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 554$SETTIME -s -g $H -k $H $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1 555$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1 556# Set key rollover relationship. 557key_successor $ZSK1 $ZSK2 558# Sign zone. 559cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" 560private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" 561private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile" 562private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" 563$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 564 565# 566# The zones at ksk-doubleksk.autosign represent the various steps of a KSK 567# Double-KSK rollover. 568# 569 570# Step 1: 571# Introduce the first key. This will immediately be active. 572setup step1.ksk-doubleksk.autosign 573TactN="now" 574ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" 575zsktimes="-P ${TactN} -A ${TactN}" 576KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 577ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) 578$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 579$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 580cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" 581$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 582 583# Step 2: 584# It is time to submit the introduce the new KSK. 585setup step2.ksk-doubleksk.autosign 586# According to RFC 7583: 587# 588# Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC 589# IpubC = DprpC + TTLkey (+publish-safety) 590# 591# |1| |2| |3| |4| 592# | | | | 593# Key N |<-IpubC->|<--->|<-Dreg->|<-----Lksk--- - - 594# | | | | 595# Key N+1 | | | | 596# | | | | 597# Key N Tpub Trdy Tsbm Tact 598# Key N+1 599# 600# (continued ...) 601# 602# |5| |6| |7| |8| |9| |10| 603# | | | | | | 604# Key N - - --------------Lksk------->|<-Iret->|<----->| 605# | | | | | | 606# Key N+1 |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - - 607# | | | | | | 608# Key N Tret Tdea Trem 609# Key N+1 Tpub Trdy Tsbm Tact 610# 611# Tnow 612# 613# Lksk: 60d 614# Dreg: 1d 615# DprpC: 1h 616# TTLkey: 2h 617# publish-safety: 1d 618# IpubC: 27h 619# 620# Tact(N) = Tnow - Lksk + Dreg + IpubC = now - 60d + 27h 621# = now - 1440h + 27h = now - 1413h 622TactN="now-1413h" 623ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" 624zsktimes="-P ${TactN} -A ${TactN}" 625KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 626ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) 627$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 628$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 629cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" 630private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" 631private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" 632$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 633 634# Step 3: 635# It is time to submit the DS. 636setup step3.ksk-doubleksk.autosign 637# According to RFC 7583: 638# 639# Tsbm(N+1) >= Trdy(N+1) 640# Tact(N+1) = Tsbm(N+1) + Dreg 641# Iret = DprpP + TTLds (+retire-safety) 642# 643# |5| |6| |7| |8| |9| |10| 644# | | | | | | 645# Key N - - --------------Lksk------->|<-Iret->|<----->| 646# | | | | | | 647# Key N+1 |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - - 648# | | | | | | 649# Key N Tret Tdea Trem 650# Key N+1 Tpub Trdy Tsbm Tact 651# 652# Tnow 653# 654# Lksk: 60d 655# Dreg: N/A 656# DprpP: 1h 657# TTLds: 1h 658# retire-safety: 2d 659# Iret: 50h 660# DprpC: 1h 661# TTLkey: 2h 662# publish-safety: 1d 663# IpubC: 27h 664# 665# Tact(N) = Tnow + Lksk = now - 60d = now - 60d 666# Tret(N) = now 667# Trem(N) = Tnow + Iret = now + 50h 668# Tpub(N+1) = Tnow - IpubC = now - 27h 669# Tsbm(N+1) = now 670# Tact(N+1) = Tret(N) 671# Tret(N+1) = Tnow + Lksk = now + 60d 672# Trem(N+1) = Tnow + Lksk + Iret = now + 60d + 50h 673# = now + 1440h + 50h = 1490h 674TactN="now-60d" 675TretN="now" 676TremN="now+50h" 677TpubN1="now-27h" 678TsbmN1="now" 679TactN1="${TretN}" 680TretN1="now+60d" 681TremN1="now+1490h" 682ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" 683newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" 684zsktimes="-P ${TactN} -A ${TactN}" 685KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 686KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) 687ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3) 688$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 689$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1 690$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 691# Set key rollover relationship. 692key_successor $KSK1 $KSK2 693# Sign zone. 694cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" 695private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" 696private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" 697private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" 698$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 699 700# Step 4: 701# The DS should be swapped now. 702setup step4.ksk-doubleksk.autosign 703# According to RFC 7583: 704# 705# Tret(N) = Tsbm(N+1) 706# Tdea(N) = Tret(N) + Iret 707# Tact(N+1) = Tret(N) 708# 709# |5| |6| |7| |8| |9| |10| 710# | | | | | | 711# Key N - - --------------Lksk------->|<-Iret->|<----->| 712# | | | | | | 713# Key N+1 |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - - 714# | | | | | | 715# Key N Tret Tdea Trem 716# Key N+1 Tpub Trdy Tsbm Tact 717# 718# Tnow 719# 720# Lksk: 60d 721# Dreg: N/A 722# Iret: 50h 723# 724# Tact(N) = Tnow - Lksk - Iret = now - 60d - 50h 725# = now - 1440h - 50h = now - 1490h 726# Tret(N) = Tnow - Iret = now - 50h 727# Trem(N) = Tnow 728# Tpub(N+1) = Tnow - Iret - IpubC = now - 50h - 27h 729# = now - 77h 730# Tsbm(N+1) = Tnow - Iret = now - 50h 731# Tact(N+1) = Tret(N) 732# Tret(N+1) = Tnow + Lksk - Iret = now + 60d - 50h = now + 1390h 733# Trem(N+1) = Tnow + Lksk = now + 60d 734TactN="now-1490h" 735TretN="now-50h" 736TremN="now" 737TpubN1="now-77h" 738TsbmN1="now-50h" 739TactN1="${TretN}" 740TretN1="now+1390h" 741TremN1="now+60d" 742ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" 743newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" 744zsktimes="-P ${TactN} -A ${TactN}" 745KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 746KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) 747ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3) 748$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" > settime.out.$zone.1 2>&1 749$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" > settime.out.$zone.2 2>&1 750$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 751# Set key rollover relationship. 752key_successor $KSK1 $KSK2 753# Sign zone. 754cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" 755private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" 756private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" 757private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" 758$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 759 760# Step 5: 761# The predecessor DNSKEY is removed long enough that is has become HIDDEN. 762setup step5.ksk-doubleksk.autosign 763# Subtract DNSKEY TTL from all the times (2h). 764# Tact(N) = now - 1490h - 2h = now - 1492h 765# Tret(N) = now - 50h - 2h = now - 52h 766# Trem(N) = now - 2h 767# Tpub(N+1) = now - 77h - 2h = now - 79h 768# Tsbm(N+1) = now - 50h - 2h = now - 52h 769# Tact(N+1) = Tret(N) 770# Tret(N+1) = now + 1390h - 2h = now + 1388h 771# Trem(N+1) = now + 60d - 2h = now + 1442h 772TactN="now-1492h" 773TretN="now-52h" 774TremN="now-2h" 775TpubN1="now-79h" 776TsbmN1="now-52h" 777TactN1="${TretN}" 778TretN1="now+1388h" 779TremN1="now+1442h" 780ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" 781newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" 782zsktimes="-P ${TactN} -A ${TactN}" 783KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 784KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) 785ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3) 786$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1 787$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1 788$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 789# Set key rollover relationship. 790key_successor $KSK1 $KSK2 791# Sign zone. 792cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" 793private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" 794private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" 795private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" 796$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 797 798# Step 6: 799# The predecessor DNSKEY can be purged. 800setup step6.ksk-doubleksk.autosign 801# Subtract purge-keys interval from all the times (1h). 802# Tact(N) = now - 1492h - 1h = now - 1493h 803# Tret(N) = now - 52h - 1h = now - 53h 804# Trem(N) = now - 2h - 1h = now - 3h 805# Tpub(N+1) = now - 79h - 1h = now - 80h 806# Tsbm(N+1) = now - 52h - 1h = now - 53h 807# Tact(N+1) = Tret(N) 808# Tret(N+1) = now + 1388h - 1h = now + 1387h 809# Trem(N+1) = now + 1442h - 1h = now + 1441h 810TactN="now-1493h" 811TretN="now-53h" 812TremN="now-3h" 813TpubN1="now-80h" 814TsbmN1="now-53h" 815TactN1="${TretN}" 816TretN1="now+1387h" 817TremN1="now+1441h" 818ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" 819newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" 820zsktimes="-P ${TactN} -A ${TactN}" 821KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 822KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) 823ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3) 824$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1 825$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1 826$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 827# Set key rollover relationship. 828key_successor $KSK1 $KSK2 829# Sign zone. 830cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" 831private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" 832private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" 833private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" 834$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 835 836# 837# The zones at csk-roll.autosign represent the various steps of a CSK rollover 838# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover). 839# 840 841# Step 1: 842# Introduce the first key. This will immediately be active. 843setup step1.csk-roll.autosign 844TactN="now" 845csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" 846CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 847$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 848cat template.db.in "${CSK}.key" > "$infile" 849private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" 850$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 851 852# Step 2: 853# It is time to introduce the new CSK. 854setup step2.csk-roll.autosign 855# According to RFC 7583: 856# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC 857# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub 858# IpubC = DprpC + TTLkey (+publish-safety) 859# Ipub = IpubC 860# Lcsk = Lksk = Lzsk 861# 862# Lcsk: 6mo (186d, 4464h) 863# Dreg: N/A 864# DprpC: 1h 865# TTLkey: 1h 866# publish-safety: 1h 867# Ipub: 3h 868# 869# Tact(N) = Tnow - Lcsk + Ipub = now - 186d + 3h 870# = now - 4464h + 3h = now - 4461h 871TactN="now-4461h" 872csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" 873CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 874$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 875cat template.db.in "${CSK}.key" > "$infile" 876private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" 877$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 878 879# Step 3: 880# It is time to submit the DS and to roll signatures. 881setup step3.csk-roll.autosign 882# According to RFC 7583: 883# 884# Tsbm(N+1) >= Trdy(N+1) 885# KSK: Tact(N+1) = Tsbm(N+1) 886# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1) 887# KSK: Iret = DprpP + TTLds (+retire-safety) 888# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety) 889# 890# Lcsk: 186d 891# Dprp: 1h 892# DprpP: 1h 893# Dreg: N/A 894# Dsgn: 25d 895# TTLds: 1h 896# TTLsig: 1d 897# retire-safety: 2h 898# Iret: 4h 899# IretZ: 26d3h 900# Ipub: 3h 901# 902# Tact(N) = Tnow - Lcsk = now - 186d 903# Tret(N) = now 904# Trem(N) = Tnow + IretZ = now + 26d3h = now + 627h 905# Tpub(N+1) = Tnow - Ipub = now - 3h 906# Tsbm(N+1) = Tret(N) 907# Tact(N+1) = Tret(N) 908# Tret(N+1) = Tnow + Lcsk = now + 186d = now + 186d 909# Trem(N+1) = Tnow + Lcsk + IretZ = now + 186d + 26d3h = 910# = now + 5091h 911TactN="now-186d" 912TretN="now" 913TremN="now+627h" 914TpubN1="now-3h" 915TsbmN1="now" 916TactN1="${TretN}" 917TretN1="now+186d" 918TremN1="now+5091h" 919csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 920newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 921CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 922CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 923$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 924$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 925# Set key rollover relationship. 926key_successor $CSK1 $CSK2 927# Sign zone. 928cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 929private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 930private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 931$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 932 933# Step 4: 934# Some time later all the ZRRSIG records should be from the new CSK, and the 935# DS should be swapped. The ZRRSIG records are all replaced after IretZ 936# (which is 26d3h). The DS is swapped after Iret (which is 4h). 937# In other words, the DS is swapped before all zone signatures are replaced. 938setup step4.csk-roll.autosign 939# According to RFC 7583: 940# Trem(N) = Tret(N) - Iret + IretZ 941# Tnow = Tsbm(N+1) + Iret 942# 943# Lcsk: 186d 944# Iret: 4h 945# IretZ: 26d3h 946# 947# Tact(N) = Tnow - Iret - Lcsk = now - 4h - 186d = now - 4468h 948# Tret(N) = Tnow - Iret = now - 4h = now - 4h 949# Trem(N) = Tnow - Iret + IretZ = now - 4h + 26d3h 950# = now + 623h 951# Tpub(N+1) = Tnow - Iret - IpubC = now - 4h - 3h = now - 7h 952# Tsbm(N+1) = Tret(N) 953# Tact(N+1) = Tret(N) 954# Tret(N+1) = Tnow - Iret + Lcsk = now - 4h + 186d = now + 4460h 955# Trem(N+1) = Tnow - Iret + Lcsk + IretZ = now - 4h + 186d + 26d3h 956# = now + 5087h 957TactN="now-4468h" 958TretN="now-4h" 959TremN="now+623h" 960TpubN1="now-7h" 961TsbmN1="${TretN}" 962TactN1="${TretN}" 963TretN1="now+4460h" 964TremN1="now+5087h" 965csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 966newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 967CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 968CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 969$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 970$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 971# Set key rollover relationship. 972key_successor $CSK1 $CSK2 973# Sign zone. 974cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 975private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 976private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 977$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 978 979# Step 5: 980# After the DS is swapped in step 4, also the KRRSIG records can be removed. 981# At this time these have all become hidden. 982setup step5.csk-roll.autosign 983# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h). 984# Tact(N) = now - 4468h - 2h = now - 4470h 985# Tret(N) = now - 4h - 2h = now - 6h 986# Trem(N) = now + 623h - 2h = now + 621h 987# Tpub(N+1) = now - 7h - 2h = now - 9h 988# Tsbm(N+1) = Tret(N) 989# Tact(N+1) = Tret(N) 990# Tret(N+1) = now + 4460h - 2h = now + 4458h 991# Trem(N+1) = now + 5087h - 2h = now + 5085h 992TactN="now-4470h" 993TretN="now-6h" 994TremN="now+621h" 995TpubN1="now-9h" 996TsbmN1="${TretN}" 997TactN1="${TretN}" 998TretN1="now+4458h" 999TremN1="now+5085h" 1000csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1001newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1002CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1003CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1004$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 1005$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 1006# Set key rollover relationship. 1007key_successor $CSK1 $CSK2 1008# Sign zone. 1009cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1010private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1011private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1012$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1013 1014# Step 6: 1015# After the retire interval has passed the predecessor DNSKEY can be 1016# removed from the zone. 1017setup step6.csk-roll.autosign 1018# According to RFC 7583: 1019# Trem(N) = Tret(N) + IretZ 1020# Tret(N) = Tact(N) + Lcsk 1021# 1022# Lcsk: 186d 1023# Iret: 4h 1024# IretZ: 26d3h 1025# 1026# Tact(N) = Tnow - IretZ - Lcsk = now - 627h - 186d 1027# = now - 627h - 4464h = now - 5091h 1028# Tret(N) = Tnow - IretZ = now - 627h 1029# Trem(N) = Tnow 1030# Tpub(N+1) = Tnow - IretZ - Ipub = now - 627h - 3h = now - 630h 1031# Tsbm(N+1) = Tret(N) 1032# Tact(N+1) = Tret(N) 1033# Tret(N+1) = Tnow - IretZ + Lcsk = now - 627h + 186d = now + 3837h 1034# Trem(N+1) = Tnow + Lcsk = now + 186d 1035TactN="now-5091h" 1036TretN="now-627h" 1037TremN="now" 1038TpubN1="now-630h" 1039TsbmN1="${TretN}" 1040TactN1="${TretN}" 1041TretN1="now+3837h" 1042TremN1="now+186d" 1043csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1044newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1045CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1046CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1047$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 1048$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 1049# Set key rollover relationship. 1050key_successor $CSK1 $CSK2 1051# Sign zone. 1052cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1053private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1054private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1055$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1056 1057# Step 7: 1058# Some time later the predecessor DNSKEY enters the HIDDEN state. 1059setup step7.csk-roll.autosign 1060# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h). 1061# Tact(N) = now - 5091h - 2h = now - 5093h 1062# Tret(N) = now - 627h - 2h = now - 629h 1063# Trem(N) = now - 2h 1064# Tpub(N+1) = now - 630h - 2h = now - 632h 1065# Tsbm(N+1) = Tret(N) 1066# Tact(N+1) = Tret(N) 1067# Tret(N+1) = now + 3837h - 2h = now + 3835h 1068# Trem(N+1) = now + 186d - 2h = now + 4462h 1069TactN="now-5093h" 1070TretN="now-629h" 1071TremN="now-2h" 1072TpubN1="now-632h" 1073TsbmN1="${TretN}" 1074TactN1="${TretN}" 1075TretN1="now+3835h" 1076TremN1="now+4462h" 1077csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1078newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1079CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1080CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1081$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 1082$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 1083# Set key rollover relationship. 1084key_successor $CSK1 $CSK2 1085# Sign zone. 1086cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1087private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1088private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1089$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1090 1091# Step 8: 1092# The predecessor DNSKEY can be purged. 1093setup step8.csk-roll.autosign 1094# Subtract purge-keys interval from all the times (1h). 1095# Tact(N) = now - 5093h - 1h = now - 5094h 1096# Tret(N) = now - 629h - 1h = now - 630h 1097# Trem(N) = now - 2h - 1h = now - 3h 1098# Tpub(N+1) = now - 632h - 1h = now - 633h 1099# Tsbm(N+1) = Tret(N) 1100# Tact(N+1) = Tret(N) 1101# Tret(N+1) = now + 3835h - 1h = now + 3834h 1102# Trem(N+1) = now + 4462h - 1h = now + 4461h 1103TactN="now-5094h" 1104TretN="now-630h" 1105TremN="now-3h" 1106TpubN1="now-633h" 1107TsbmN1="${TretN}" 1108TactN1="${TretN}" 1109TretN1="now+3834h" 1110TremN1="now+4461h" 1111csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1112newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1113CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1114CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1115$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 1116$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 1117# Set key rollover relationship. 1118key_successor $CSK1 $CSK2 1119# Sign zone. 1120cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1121private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1122private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1123$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1124 1125# 1126# The zones at csk-roll2.autosign represent the various steps of a CSK rollover 1127# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover). 1128# This scenario differs from the above one because the zone signatures (ZRRSIG) 1129# are replaced with the new key sooner than the DS is swapped. 1130# 1131 1132# Step 1: 1133# Introduce the first key. This will immediately be active. 1134setup step1.csk-roll2.autosign 1135TactN="now" 1136csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" 1137CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1138$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 1139cat template.db.in "${CSK}.key" > "$infile" 1140private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" 1141$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1142 1143# Step 2: 1144# It is time to introduce the new CSK. 1145setup step2.csk-roll2.autosign 1146# According to RFC 7583: 1147# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC 1148# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub 1149# IpubC = DprpC + TTLkey (+publish-safety) 1150# Ipub = IpubC 1151# Lcsk = Lksk = Lzsk 1152# 1153# Lcsk: 6mo (186d, 4464h) 1154# Dreg: N/A 1155# DprpC: 1h 1156# TTLkey: 1h 1157# publish-safety: 1h 1158# Ipub: 3h 1159# 1160# Tact(N) = Tnow - Lcsk + Ipub = now - 186d + 3h 1161# = now - 4464h + 3h = now - 4461h 1162TactN="now-4461h" 1163csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" 1164CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1165$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 1166cat template.db.in "${CSK}.key" > "$infile" 1167private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" 1168$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1169 1170# Step 3: 1171# It is time to submit the DS and to roll signatures. 1172setup step3.csk-roll2.autosign 1173# According to RFC 7583: 1174# 1175# Tsbm(N+1) >= Trdy(N+1) 1176# KSK: Tact(N+1) = Tsbm(N+1) 1177# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1) 1178# KSK: Iret = DprpP + TTLds (+retire-safety) 1179# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety) 1180# 1181# Lcsk: 186d 1182# Dprp: 1h 1183# DprpP: 1w 1184# Dreg: N/A 1185# Dsgn: 12h 1186# TTLds: 1h 1187# TTLsig: 1d 1188# retire-safety: 1h 1189# Iret: 170h 1190# IretZ: 38h 1191# Ipub: 3h 1192# 1193# Tact(N) = Tnow - Lcsk = now - 186d 1194# Tret(N) = now 1195# Trem(N) = Tnow + Iret = now + 170h 1196# Tpub(N+1) = Tnow - Ipub = now - 3h 1197# Tsbm(N+1) = Tret(N) 1198# Tact(N+1) = Tret(N) 1199# Tret(N+1) = Tnow + Lcsk = now + 186d 1200# Trem(N+1) = Tnow + Lcsk + Iret = now + 186d + 170h = 1201# = now + 4464h + 170h = now + 4634h 1202TactN="now-186d" 1203TretN="now" 1204TremN="now+170h" 1205TpubN1="now-3h" 1206TsbmN1="${TretN}" 1207TactN1="${TretN}" 1208TretN1="now+186d" 1209TremN1="now+4634h" 1210csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1211newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1212CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1213CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1214$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 1215$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 1216# Set key rollover relationship. 1217key_successor $CSK1 $CSK2 1218# Sign zone. 1219cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1220private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1221private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1222$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1223 1224# Step 4: 1225# Some time later all the ZRRSIG records should be from the new CSK, and the 1226# DS should be swapped. The ZRRSIG records are all replaced after IretZ (38h). 1227# The DS is swapped after Dreg + Iret (1w3h). In other words, the zone 1228# signatures are replaced before the DS is swapped. 1229setup step4.csk-roll2.autosign 1230# According to RFC 7583: 1231# Trem(N) = Tret(N) + IretZ 1232# 1233# Lcsk: 186d 1234# Dreg: N/A 1235# Iret: 170h 1236# IretZ: 38h 1237# 1238# Tact(N) = Tnow - IretZ = Lcsk = now - 38h - 186d 1239# = now - 38h - 4464h = now - 4502h 1240# Tret(N) = Tnow - IretZ = now - 38h 1241# Trem(N) = Tnow - IretZ + Iret = now - 38h + 170h = now + 132h 1242# Tpub(N+1) = Tnow - IretZ - IpubC = now - 38h - 3h = now - 41h 1243# Tsbm(N+1) = Tret(N) 1244# Tact(N+1) = Tret(N) 1245# Tret(N+1) = Tnow - IretZ + Lcsk = now - 38h + 186d 1246# = now + 4426h 1247# Trem(N+1) = Tnow - IretZ + Lcsk + Iret 1248# = now + 4426h + 3h = now + 4429h 1249TactN="now-4502h" 1250TretN="now-38h" 1251TremN="now+132h" 1252TpubN1="now-41h" 1253TsbmN1="${TretN}" 1254TactN1="${TretN}" 1255TretN1="now+4426h" 1256TremN1="now+4429h" 1257csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1258newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1259CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1260CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1261$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 1262$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $R $TactN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 1263# Set key rollover relationship. 1264key_successor $CSK1 $CSK2 1265# Sign zone. 1266cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1267private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1268private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1269$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1270 1271# Step 5: 1272# Some time later the DS can be swapped and the old DNSKEY can be removed from 1273# the zone. 1274setup step5.csk-roll2.autosign 1275# Subtract Iret (170h) - IretZ (38h) = 132h. 1276# 1277# Tact(N) = now - 4502h - 132h = now - 4634h 1278# Tret(N) = now - 38h - 132h = now - 170h 1279# Trem(N) = now + 132h - 132h = now 1280# Tpub(N+1) = now - 41h - 132h = now - 173h 1281# Tsbm(N+1) = Tret(N) 1282# Tact(N+1) = Tret(N) 1283# Tret(N+1) = now + 4426h - 132h = now + 4294h 1284# Trem(N+1) = now + 4492h - 132h = now + 4360h 1285TactN="now-4634h" 1286TretN="now-170h" 1287TremN="now" 1288TpubN1="now-173h" 1289TsbmN1="${TretN}" 1290TactN1="${TretN}" 1291TretN1="now+4294h" 1292TremN1="now+4360h" 1293csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1294newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1295CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1296CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1297$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 1298$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $O now-133h -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 1299# Set key rollover relationship. 1300key_successor $CSK1 $CSK2 1301# Sign zone. 1302cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1303private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1304private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1305$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1306 1307# Step 6: 1308# Some time later the predecessor DNSKEY enters the HIDDEN state. 1309setup step6.csk-roll2.autosign 1310# Subtract DNSKEY TTL plus zone propagation delay (2h). 1311# 1312# Tact(N) = now - 4634h - 2h = now - 4636h 1313# Tret(N) = now - 170h - 2h = now - 172h 1314# Trem(N) = now - 2h 1315# Tpub(N+1) = now - 173h - 2h = now - 175h 1316# Tsbm(N+1) = Tret(N) 1317# Tact(N+1) = Tret(N) 1318# Tret(N+1) = now + 4294h - 2h = now + 4292h 1319# Trem(N+1) = now + 4360h - 2h = now + 4358h 1320TactN="now-4636h" 1321TretN="now-172h" 1322TremN="now-2h" 1323TpubN1="now-175h" 1324TsbmN1="${TretN}" 1325TactN1="${TretN}" 1326TretN1="now+4292h" 1327TremN1="now+4358h" 1328csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1329newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1330CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1331CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1332$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1 1333$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1 1334# Set key rollover relationship. 1335key_successor $CSK1 $CSK2 1336# Sign zone. 1337cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1338private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1339private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1340$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1341 1342# Step 7: 1343# The predecessor DNSKEY can be purged, but purge-keys is disabled. 1344setup step7.csk-roll2.autosign 1345# Subtract 90 days (default, 2160h) from all the times. 1346# Tact(N) = now - 4636h - 2160h = now - 6796h 1347# Tret(N) = now - 172h - 2160h = now - 2332h 1348# Trem(N) = now - 2h - 2160h = now - 2162h 1349# Tpub(N+1) = now - 175h - 2160h = now - 2335h 1350# Tsbm(N+1) = Tret(N) 1351# Tact(N+1) = Tret(N) 1352# Tret(N+1) = now + 4294h - 2160h = now + 2134h 1353# Trem(N+1) = now + 4360h - 2160h = now + 2200h 1354TactN="now-6796h" 1355TretN="now-2332h" 1356TremN="now-2162h" 1357TpubN1="now-2335h" 1358TsbmN1="${TretN}" 1359TactN1="${TretN}" 1360TretN1="now+2134h" 1361TremN1="now+2200h" 1362csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1363newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1364CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1365CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1366$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1 1367$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1 1368# Set key rollover relationship. 1369key_successor $CSK1 $CSK2 1370# Sign zone. 1371cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1372private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1373private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1374$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1375