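#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# ns3 fixture setup for the kasp system test: creates the zone files,
# pre-generates keys and key state files, and pre-signs the zones that
# the individual test cases expect to find in a given rollover state.

# Abort on the first failing command.  The shebang already asks for -e,
# but shebang options are dropped when the script is started as
# "sh setup.sh"; a keygen/settime/signzone failure that is ignored here
# would only surface later as a confusing test failure.
set -e

# shellcheck source=conf.sh
. ../../conf.sh

echo_i "ns3/setup.sh"

# Select the zone to work on.
# Sets the (deliberately global) variables $zone, $zonefile and $infile
# that the rest of this script relies on, and records the zone name in
# the "zones" file.
#   $1 - zone name
setup() {
  zone="$1"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  infile="${zone}.db.infile"
  echo "$zone" >> zones
}

# Record a key rollover relationship in the two key state files:
# key $1 is the predecessor of key $2, so $2 is the successor of $1.
# Both arguments are key file basenames as printed by dnssec-keygen;
# keyfile_to_key_id comes from the sourced conf.sh.
key_successor() {
  id1=$(keyfile_to_key_id "$1")
  id2=$(keyfile_to_key_id "$2")
  echo "Predecessor: ${id1}" >> "${2}.state"
  echo "Successor: ${id2}" >> "${1}.state"
}

# Make lines shorter by storing key states in environment variables.
H="HIDDEN"
R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"

#
# Set up zones that will be initially signed.
#
for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \
          rumoured rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 \
          dynamic dynamic-inline-signing inline-signing \
          checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
          manual-rollover multisigner-model2
do
  setup "${zn}.kasp"
  cp template.db.in "$zonefile"
done

# The Ed25519/Ed448 zones only exist when the corresponding marker file
# is present (its presence is decided outside this script); their zone
# statements live in separate conf snippets appended to named.conf.
if [ -f ../ed25519-supported.file ]; then
  setup "ed25519.kasp"
  cp template.db.in "$zonefile"
  cat ed25519.conf >> named.conf
fi

if [ -f ../ed448-supported.file ]; then
  setup "ed448.kasp"
  cp template.db.in "$zonefile"
  cat ed448.conf >> named.conf
fi

# Set up zone that stays unsigned.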
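zone="unsigned.kasp"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zone}.db.infile"
cp template.db.in "$infile"
cp template.db.in "$zonefile"

# Set up zone that stays unsigned (only the zonefile is needed here).
zone="insecure.kasp"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zone}.db.infile"
cp template.db.in "$zonefile"

# Some of these zones already have keys.
#
# RSASHA1 is used on purpose for the zones below: they exercise the
# "rsasha1" dnssec-policy in policies/kasp.conf and legacy key handling.
# This is a test fixture, not an algorithm recommendation.
#
# $KEYGEN/$SETTIME/$SIGNER and the *times variables are left unquoted on
# purpose so that the shell splits them into separate arguments.
zone="dnssec-keygen.kasp"
$KEYGEN -k rsasha1 -l policies/kasp.conf "$zone" > "keygen.out.$zone.1" 2>&1

zone="some-keys.kasp"
# -G: generate only, do not set publish/activate times.
$KEYGEN -G -a RSASHA1 -b 2000 -L 1234 "$zone" > "keygen.out.$zone.1" 2>&1
$KEYGEN -G -a RSASHA1 -f KSK -L 1234 "$zone" > "keygen.out.$zone.2" 2>&1

zone="legacy-keys.kasp"
ZSK=$($KEYGEN -a RSASHA1 -b 2048 -L 1234 "$zone" 2> "keygen.out.$zone.1")
KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 "$zone" 2> "keygen.out.$zone.2")
# Remember the current key names for the test cases.
echo "$ZSK" > legacy-keys.kasp.zsk
echo "$KSK" > legacy-keys.kasp.ksk
# Predecessor keys: activated nine months ago, inactive and deleted
# three months ago.
Tact="now-9mo"
Tret="now-3mo"
ZSK=$($KEYGEN -a RSASHA1 -b 2048 -L 1234 "$zone" 2> "keygen.out.$zone.3")
KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 "$zone" 2> "keygen.out.$zone.4")
$SETTIME -P "$Tact" -A "$Tact" -I "$Tret" -D "$Tret" "$ZSK" > "settime.out.$zone.1" 2>&1
$SETTIME -P "$Tact" -A "$Tact" -I "$Tret" -D "$Tret" "$KSK" > "settime.out.$zone.2" 2>&1

zone="pregenerated.kasp"
# Two pre-generated (-G) key sets for the rsasha1 policy.
$KEYGEN -G -k rsasha1 -l policies/kasp.conf "$zone" > "keygen.out.$zone.1" 2>&1
$KEYGEN -G -k rsasha1 -l policies/kasp.conf "$zone" > "keygen.out.$zone.2" 2>&1

zone="multisigner-model2.kasp"
# Import the ZSK sets of the other providers into their DNSKEY RRset.
# The keys are generated in the parent directory (-K ../), presumably so
# that this server never has the other providers' private keys in its
# own key directory: only the public DNSKEY record is copied out below
# and the key files (including the .private halves) are removed again.
ZSK1=$($KEYGEN -K ../ -a "$DEFAULT_ALGORITHM" -L 3600 "$zone" 2> "keygen.out.$zone.1")
ZSK2=$($KEYGEN -K ../ -a "$DEFAULT_ALGORITHM" -L 3600 "$zone" 2> "keygen.out.$zone.2")
# ZSK1 will be added to the unsigned zonefile (comment lines dropped).
grep -v ";.*" "../${ZSK1}.key" >> "${zone}.db"
grep -v ";.*" "../${ZSK1}.key" > "${zone}.zsk1"
# The glob must stay outside the quotes: a quoted "name.*" is a literal
# filename that never exists, so the .key/.private files would silently
# be left behind.
rm -f "../${ZSK1}".*
# ZSK2 will be used with a Dynamic Update.
grep -v ";.*" "../${ZSK2}.key" > "${zone}.zsk2"
rm -f "../${ZSK2}".*

zone="rumoured.kasp"
# Keys are published now but only become active tomorrow, so their
# DNSKEY (and KSK RRSIG) states are recorded as RUMOURED, DS as HIDDEN.
Tpub="now"
Tact="now+1d"
keytimes="-P ${Tpub} -A ${Tact}"
KSK=$($KEYGEN -a RSASHA1 -f KSK -L 1234 $keytimes "$zone" 2> "keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA1 -b 2000 -L 1234 $keytimes "$zone" 2> "keygen.out.$zone.2")
ZSK2=$($KEYGEN -a RSASHA1 -L 1234 $keytimes "$zone" 2> "keygen.out.$zone.3")
$SETTIME -s -g $O -k $R "$Tpub" -r $R "$Tpub" -d $H "$Tpub" "$KSK" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $R "$Tpub" -z $R "$Tpub" "$ZSK1" > "settime.out.$zone.2" 2>&1
# One output file per key (ZSK2 used to overwrite ZSK1's settime output).
$SETTIME -s -g $O -k $R "$Tpub" -z $R "$Tpub" "$ZSK2" > "settime.out.$zone.3" 2>&1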
# Zone whose signatures expired long ago (inception two months ago,
# expiration one month ago): named must re-sign it immediately.
setup expired-sigs.autosign
# Keys were published and activated six months ago; the KSK's DS was
# synced at the same time.
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
# Key state files: goal and all DNSKEY/RRSIG/DS states already OMNIPRESENT.
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
# Unsigned input: template records, both DNSKEYs, plus the private-type
# records for each key (private_type_record is not defined here; it
# comes via the sourced ../../conf.sh).
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
# -s/-e pin the signature validity window in the past.  NOTE(review):
# -P presumably disables the post-sign verification that would reject
# already-expired signatures; confirm against dnssec-signzone(8).
$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# These signatures are still good, and can be reused.
setup fresh-sigs.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
# Signatures made an hour ago and valid for two more weeks: fresh enough
# that named should keep them rather than re-sign.
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# These signatures are still good, but not fresh enough, update immediately.
# Zone whose signatures are valid for another week but were made a week
# ago: inside the refresh window, so named must re-sign immediately.
setup unfresh-sigs.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1w -e now+1w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# These signatures are still good, but the private KSK is missing.
# This models a KSK whose private half is kept elsewhere (e.g. offline):
# the zone is signed first, then the .private file is deleted so named
# cannot use the KSK; only the public DNSKEY and the signatures remain.
setup ksk-missing.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1w -e now+1w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Role and lifetime are written into the state file by hand because they
# can no longer be derived once the private key is gone.
echo "KSK: yes" >> "${KSK}".state
echo "ZSK: no" >> "${KSK}".state
echo "Lifetime: 63072000" >> "${KSK}".state # PT2Y
rm -f "${KSK}".private

# These signatures are still good, but the private ZSK is missing.
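# This models a ZSK whose private half is unavailable: the zone is signed
# first, then the .private file is deleted so named cannot sign with it;
# the public DNSKEY and the still-valid signatures remain in the zone.
setup zsk-missing.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 -f KSK $ksktimes "$zone" 2> "keygen.out.$zone.1")
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 $zsktimes "$zone" 2> "keygen.out.$zone.2")
# Key state files: goal and all DNSKEY/RRSIG/DS states already OMNIPRESENT.
$SETTIME -s -g $O -d $O "$T" -k $O "$T" -r $O "$T" "$KSK" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O "$T" -z $O "$T" "$ZSK" > "settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1w -e now+1w -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1
# Role and lifetime are written into the state file by hand because they
# can no longer be derived once the private key is gone.
echo "KSK: no" >> "${ZSK}".state
echo "ZSK: yes" >> "${ZSK}".state
echo "Lifetime: 31536000" >> "${ZSK}".state # PT1Y
rm -f "${ZSK}".private

# These signatures are already expired, and the private ZSK is retired.
setup zsk-retired.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
# The ZSK becomes inactive right now (-I now).
zsktimes="-P $T -A $T -I now"
KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 -f KSK $ksktimes "$zone" 2> "keygen.out.$zone.1")
ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 300 $zsktimes "$zone" 2> "keygen.out.$zone.2")
$SETTIME -s -g $O -d $O "$T" -k $O "$T" -r $O "$T" "$KSK" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O "$T" -z $O "$T" "$ZSK" > "settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >> "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >> "$infile"
# Signatures expired a minute ago (-e now-1mi).
$SIGNER -PS -x -s now-2w -e now-1mi -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1
# Flip the ZSK's goal to HIDDEN after signing: the key is retired.  Uses
# the $H constant like every other state in this file.
$SETTIME -s -g $H "$ZSK" > "settime.out.$zone.3" 2>&1

#
# The zones at enable-dnssec.autosign represent the various steps of the
# initial signing of a zone.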
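#

# Step 1:
# This is an unsigned zone and named should perform the initial steps of
# introducing the DNSSEC records in the right order.
setup step1.enable-dnssec.autosign
cp template.db.in "$zonefile"

# Step 2:
# The DNSKEY has been published long enough to become OMNIPRESENT.
setup step2.enable-dnssec.autosign
# DNSKEY TTL:             300 seconds
# zone-propagation-delay: 5 minutes (300 seconds)
# publish-safety:         5 minutes (300 seconds)
# Total:                  900 seconds
TpubN="now-900s"
# RRSIG TTL:              12 hour (43200 seconds)
# zone-propagation-delay: 5 minutes (300 seconds)
# retire-safety:          20 minutes (1200 seconds)
# Already passed time:    -900 seconds
# Total:                  43800 seconds
TsbmN="now+43800s"
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
# A single CSK generated from the "enable-dnssec" policy.
CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes "$zone" 2> "keygen.out.$zone.1")
# DNSKEY, KRRSIG and ZRRSIG are still RUMOURED, the DS is HIDDEN.
$SETTIME -s -g $O -k $R "$TpubN" -r $R "$TpubN" -d $H "$TpubN" -z $R "$TpubN" "$CSK" > "settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1

# Step 3:
# The zone signatures have been published long enough to become OMNIPRESENT.
setup step3.enable-dnssec.autosign
# Passed time since publications: 43800 + 900 = 44700 seconds.
TpubN="now-44700s"
# The key is secure for using in chain of trust when the DNSKEY is OMNIPRESENT.
TcotN="now-43800s"
# We can submit the DS now.
TsbmN="now"
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes "$zone" 2> "keygen.out.$zone.1")
# DNSKEY and KRRSIG are OMNIPRESENT since TcotN; ZRRSIG still RUMOURED.
$SETTIME -s -g $O -k $O "$TcotN" -r $O "$TcotN" -d $H "$TpubN" -z $R "$TpubN" "$CSK" > "settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1

# Step 4:
# The DS has been submitted long enough ago to become OMNIPRESENT.
setup step4.enable-dnssec.autosign
# DS TTL:                   2 hour (7200 seconds)
# parent-propagation-delay: 1 hour (3600 seconds)
# retire-safety:            20 minutes (1200 seconds)
# Total additional time:    12000 seconds
# 44700 + 12000 = 56700
TpubN="now-56700s"
# 43800 + 12000 = 55800
TcotN="now-55800s"
TsbmN="now-12000s"
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes "$zone" 2> "keygen.out.$zone.1")
# The DS was published at TsbmN and is RUMOURED; everything else OMNIPRESENT.
$SETTIME -s -g $O -P ds "$TsbmN" -k $O "$TcotN" -r $O "$TcotN" -d $R "$TsbmN" -z $O "$TsbmN" "$CSK" > "settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1
# (A stray second "setup step4.enable-dnssec.autosign" used to follow here;
# it only duplicated the zone's entry in the "zones" file and was dropped.)

#
# The zones at zsk-prepub.autosign represent the various steps of a ZSK
# Pre-Publication rollover.
#

# Step 1:
# Introduce the first key. This will immediately be active.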
setup step1.zsk-prepub.autosign
# KSK and ZSK published, activated (and DS synced) right now.
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
# All states OMNIPRESENT from the start.
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 2:
# It is time to pre-publish the successor ZSK.
setup step2.zsk-prepub.autosign
# According to RFC 7583:
#
# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
# Ipub = Dprp + TTLkey (+publish-safety)
#
#                 |3|       |4|      |5|  |6|
#                  |         |        |    |
#   Key N          |<-------Lzsk------>|   |
#                  |         |        |    |
#   Key N+1        |         |<-Ipub->|<-->|
#                  |         |        |    |
#   Key N         Tact
#   Key N+1                 Tpub     Trdy Tact
#
#                           Tnow
#
# Lzsk:           30d
# Dprp:           1h
# TTLkey:         1h
# publish-safety: 1d
# Ipub:           26h
#
# Tact(N) = Tnow + Ipub - Lzsk = now + 26h - 30d
#         = now + 26h - 720h = now - 694h
TactN="now-694h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 3:
# After the publication interval has passed the DNSKEY of the successor ZSK
# is OMNIPRESENT and the zone can thus be signed with the successor ZSK.
setup step3.zsk-prepub.autosign
# According to RFC 7583:
#
# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
# Tret(N) = Tact(N+1) = Tact(N) + Lzsk
# Trem(N) = Tret(N) + Iret
# Iret = Dsgn + Dprp + TTLsig (+retire-safety)
#
#                 |3|       |4|      |5|  |6|      |7|   |8|
#                  |         |        |    |        |     |
#   Key N          |<-------Lzsk------>|<-Iret->|<--->|  |
#                  |         |        |    |        |     |
#   Key N+1        |         |<-Ipub->|<-->|<---Lzsk---- - -
#                  |         |        |    |        |     |
#   Key N         Tact                Tret        Tdea  Trem
#   Key N+1                 Tpub     Trdy Tact
#
#                                     Tnow
#
# Lzsk:          30d
# Ipub:          26h
# Dsgn:          1w
# Dprp:          1h
# TTLsig:        1d
# retire-safety: 2d
# Iret:          10d1h = 241h
#
# Tact(N)   = Tnow - Lzsk = now - 30d
# Tret(N)   = now
# Trem(N)   = Tnow + Iret = now + 241h
# Tpub(N+1) = Tnow - Ipub = now - 26h
# Tret(N+1) = Tnow + Lzsk = now + 30d
# Trem(N+1) = Tnow + Lzsk + Iret = now + 30d + 241h
#           = now + 961h
TactN="now-30d"
TretN="now"
TremN="now+241h"
TpubN1="now-26h"
TactN1="now"
TretN1="now+30d"
TremN1="now+961h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
# Predecessor ZSK: goal HIDDEN (it is being retired), still fully present.
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
# Successor ZSK: DNSKEY RUMOURED since pre-publication, no signatures yet.
$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" > settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $ZSK1 $ZSK2
# Sign zone.
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 4:
# After the retire interval has passed the predecessor DNSKEY can be
# removed from the zone.
setup step4.zsk-prepub.autosign
# According to RFC 7583:
#
# Tret(N) = Tact(N) + Lzsk
# Tdea(N) = Tret(N) + Iret
#
#                 |3|       |4|      |5|  |6|      |7|   |8|
#                  |         |        |    |        |     |
#   Key N          |<-------Lzsk------>|<-Iret->|<--->|  |
#                  |         |        |    |        |     |
#   Key N+1        |         |<-Ipub->|<-->|<---Lzsk---- - -
#                  |         |        |    |        |     |
#   Key N         Tact                Tret        Tdea  Trem
#   Key N+1                 Tpub     Trdy Tact
#
#                                                        Tnow
#
# Lzsk: 30d
# Ipub: 26h
# Iret: 241h
#
# Tact(N)   = Tnow - Iret - Lzsk
#           = now - 241h - 30d = now - 241h - 720h
#           = now - 961h
# Tret(N)   = Tnow - Iret = now - 241h
# Trem(N)   = Tnow
# Tpub(N+1) = Tnow - Iret - Ipub
#           = now - 241h - 26h
#           = now - 267h
# Tact(N+1) = Tnow - Iret = Tret(N)
# Tret(N+1) = Tnow - Iret + Lzsk
#           = now - 241h + 30d = now - 241h + 720h
#           = now + 479h
# Trem(N+1) = Tnow + Lzsk = now + 30d
TactN="now-961h"
TretN="now-241h"
TremN="now"
TpubN1="now-267h"
TactN1="${TretN}"
TretN1="now+479h"
TremN1="now+30d"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
# Predecessor: its signatures have been UNRETENTIVE since retirement.
$SETTIME -s -g $H -k $O $TactN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1
# Successor: DNSKEY OMNIPRESENT, its signatures RUMOURED since activation.
$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $ZSK1 $ZSK2
# Sign zone.
# NOTE(review): unlike every other step, no private-type records are
# appended here and the signatures are already expired (-e now-1mi);
# confirm this is intended for the step-4 fixture rather than an omission.
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 5:
# The predecessor DNSKEY is removed long enough that it has become HIDDEN.
setup step5.zsk-prepub.autosign
# Subtract DNSKEY TTL from all the times (1h).
# Tact(N)   = now - 961h - 1h = now - 962h
# Tret(N)   = now - 241h - 1h = now - 242h
# Tdea(N)   = now - 2d - 1h = now - 49h
# Trem(N)   = now - 1h
# Tpub(N+1) = now - 267h - 1h = now - 268h
# Tact(N+1) = Tret(N)
# Tret(N+1) = now + 479h - 1h = now + 478h
# Trem(N+1) = now + 30d - 1h = now + 719h
TactN="now-962h"
TretN="now-242h"
TremN="now-1h"
TdeaN="now-49h"
TpubN1="now-268h"
TactN1="${TretN}"
TretN1="now+478h"
TremN1="now+719h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
# Predecessor: DNSKEY withdrawn (UNRETENTIVE), signatures already HIDDEN.
$SETTIME -s -g $H -k $U $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $ZSK1 $ZSK2
# Sign zone.
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 6:
# The predecessor DNSKEY can be purged.
setup step6.zsk-prepub.autosign
# Subtract purge-keys interval from all the times (1h).
# Tact(N)   = now - 962h - 1h = now - 963h
# Tret(N)   = now - 242h - 1h = now - 243h
# Tdea(N)   = now - 49h - 1h = now - 50h
# Trem(N)   = now - 1h - 1h = now - 2h
# Tpub(N+1) = now - 268h - 1h = now - 269h
# Tact(N+1) = Tret(N)
# Tret(N+1) = now + 478h - 1h = now + 477h
# Trem(N+1) = now + 719h - 1h = now + 718h
TactN="now-963h"
TretN="now-243h"
TremN="now-2h"
TdeaN="now-50h"
TpubN1="now-269h"
TactN1="${TretN}"
TretN1="now+477h"
TremN1="now+718h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
# Predecessor: everything HIDDEN, so the key files are eligible for purging.
$SETTIME -s -g $H -k $H $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $ZSK1 $ZSK2
# Sign zone.
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

#
# The zones at ksk-doubleksk.autosign represent the various steps of a KSK
# Double-KSK rollover.
#

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.ksk-doubleksk.autosign
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
# DNSKEY TTL is 2h (7200s) for the whole ksk-doubleksk series.
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
# NOTE(review): no private-type records are appended for this step,
# unlike step1.zsk-prepub; confirm whether that is intentional.
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 2:
# It is time to introduce the new KSK.
setup step2.ksk-doubleksk.autosign
# According to RFC 7583:
#
# Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
# IpubC = DprpC + TTLkey (+publish-safety)
#
#                 |1|       |2|   |3|      |4|
#                  |         |     |        |
#   Key N          |<-IpubC->|<--->|<-Dreg->|<-----Lksk--- - -
#                  |         |     |        |
#   Key N+1        |         |     |        |
#                  |         |     |        |
#   Key N         Tpub      Trdy  Tsbm     Tact
#   Key N+1
#
# (continued ...)
#
#                 |5|       |6|   |7|      |8|      |9|    |10|
#                  |         |     |        |        |       |
#   Key N         - - --------------Lksk------->|<-Iret->|<----->|
#                  |         |     |        |        |       |
#   Key N+1        |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
#                  |         |     |        |        |       |
#   Key N                                  Tret     Tdea    Trem
#   Key N+1       Tpub      Trdy  Tsbm     Tact
#
#                           Tnow
#
# Lksk:           60d
# Dreg:           1d
# DprpC:          1h
# TTLkey:         2h
# publish-safety: 1d
# IpubC:          27h
#
# Tact(N) = Tnow - Lksk + Dreg + IpubC = now - 60d + 27h
#         = now - 1440h + 27h = now - 1413h
#
# NOTE(review): the formula above includes Dreg (listed as 1d) but the
# arithmetic only adds IpubC (27h); step 3 lists Dreg as N/A.  Confirm
# which is intended before relying on the -1413h figure.
TactN="now-1413h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 3:
# It is time to submit the DS.
setup step3.ksk-doubleksk.autosign
# According to RFC 7583:
#
# Tsbm(N+1) >= Trdy(N+1)
# Tact(N+1) = Tsbm(N+1) + Dreg
# Iret = DprpP + TTLds (+retire-safety)
#
#                 |5|       |6|   |7|      |8|      |9|    |10|
#                  |         |     |        |        |       |
#   Key N         - - --------------Lksk------->|<-Iret->|<----->|
#                  |         |     |        |        |       |
#   Key N+1        |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
#                  |         |     |        |        |       |
#   Key N                                  Tret     Tdea    Trem
#   Key N+1       Tpub      Trdy  Tsbm     Tact
#
#                                 Tnow
#
# Lksk:           60d
# Dreg:           N/A
# DprpP:          1h
# TTLds:          1h
# retire-safety:  2d
# Iret:           50h
# DprpC:          1h
# TTLkey:         2h
# publish-safety: 1d
# IpubC:          27h
#
# Tact(N)   = Tnow - Lksk = now - 60d
# Tret(N)   = now
# Trem(N)   = Tnow + Iret = now + 50h
# Tpub(N+1) = Tnow - IpubC = now - 27h
# Tsbm(N+1) = now
# Tact(N+1) = Tret(N)
# Tret(N+1) = Tnow + Lksk = now + 60d
# Trem(N+1) = Tnow + Lksk + Iret = now + 60d + 50h
#           = now + 1440h + 50h = now + 1490h
TactN="now-60d"
TretN="now"
TremN="now+50h"
TpubN1="now-27h"
TsbmN1="now"
TactN1="${TretN}"
TretN1="now+60d"
TremN1="now+1490h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
# Predecessor KSK: goal HIDDEN (retiring), but still fully present.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
# Successor KSK: DNSKEY/KRRSIG RUMOURED since publication, DS not yet out.
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $KSK1 $KSK2
# Sign zone.
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 4:
# The DS should be swapped now.
setup step4.ksk-doubleksk.autosign
# According to RFC 7583:
#
# Tret(N) = Tsbm(N+1)
# Tdea(N) = Tret(N) + Iret
# Tact(N+1) = Tret(N)
#
#                 |5|       |6|   |7|      |8|      |9|    |10|
#                  |         |     |        |        |       |
#   Key N         - - --------------Lksk------->|<-Iret->|<----->|
#                  |         |     |        |        |       |
#   Key N+1        |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
#                  |         |     |        |        |       |
#   Key N                                  Tret     Tdea    Trem
#   Key N+1       Tpub      Trdy  Tsbm     Tact
#
#                                                   Tnow
#
# Lksk: 60d
# Dreg: N/A
# Iret: 50h
#
# Tact(N)   = Tnow - Lksk - Iret = now - 60d - 50h
#           = now - 1440h - 50h = now - 1490h
# Tret(N)   = Tnow - Iret = now - 50h
# Trem(N)   = Tnow
# Tpub(N+1) = Tnow - Iret - IpubC = now - 50h - 27h
#           = now - 77h
# Tsbm(N+1) = Tnow - Iret = now - 50h
# Tact(N+1) = Tret(N)
# Tret(N+1) = Tnow + Lksk - Iret = now + 60d - 50h = now + 1390h
# Trem(N+1) = Tnow + Lksk = now + 60d
TactN="now-1490h"
TretN="now-50h"
TremN="now"
TpubN1="now-77h"
TsbmN1="now-50h"
TactN1="${TretN}"
TretN1="now+1390h"
TremN1="now+60d"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
# The successor's activation time is Tret(N) (same value as TactN1).
newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
# Predecessor KSK: its DS was withdrawn (-D ds) at Tsbm(N+1) and is UNRETENTIVE.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" > settime.out.$zone.1 2>&1
# Successor KSK: its DS was published (-P ds) at Tsbm(N+1) and is RUMOURED.
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $KSK1 $KSK2
# Sign zone.
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 5:
# The predecessor DNSKEY is removed long enough that it has become HIDDEN.
setup step5.ksk-doubleksk.autosign
# Subtract DNSKEY TTL from all the times (2h).
# Tact(N)   = now - 1490h - 2h = now - 1492h
# Tret(N)   = now - 50h - 2h = now - 52h
# Trem(N)   = now - 2h
# Tpub(N+1) = now - 77h - 2h = now - 79h
# Tsbm(N+1) = now - 50h - 2h = now - 52h
# Tact(N+1) = Tret(N)
# Tret(N+1) = now + 1390h - 2h = now + 1388h
# Trem(N+1) = now + 60d - 2h = now + 1442h
TactN="now-1492h"
TretN="now-52h"
TremN="now-2h"
TpubN1="now-79h"
TsbmN1="now-52h"
TactN1="${TretN}"
TretN1="now+1388h"
TremN1="now+1442h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
# Predecessor KSK: DNSKEY and KRRSIG withdrawn (UNRETENTIVE), DS already HIDDEN.
$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1
785$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1 786$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 787# Set key rollover relationship. 788key_successor $KSK1 $KSK2 789# Sign zone. 790cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" 791private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" 792private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" 793private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" 794$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 795 796# Step 6: 797# The predecessor DNSKEY can be purged. 798setup step6.ksk-doubleksk.autosign 799# Subtract purge-keys interval from all the times (1h). 800# Tact(N) = now - 1492h - 1h = now - 1493h 801# Tret(N) = now - 52h - 1h = now - 53h 802# Trem(N) = now - 2h - 1h = now - 3h 803# Tpub(N+1) = now - 79h - 1h = now - 80h 804# Tsbm(N+1) = now - 52h - 1h = now - 53h 805# Tact(N+1) = Tret(N) 806# Tret(N+1) = now + 1388h - 1h = now + 1387h 807# Trem(N+1) = now + 1442h - 1h = now + 1441h 808TactN="now-1493h" 809TretN="now-53h" 810TremN="now-3h" 811TpubN1="now-80h" 812TsbmN1="now-53h" 813TactN1="${TretN}" 814TretN1="now+1387h" 815TremN1="now+1441h" 816ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" 817newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" 818zsktimes="-P ${TactN} -A ${TactN}" 819KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) 820KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) 821ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3) 822$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1 823$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1 824$SETTIME 
-s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 825# Set key rollover relationship. 826key_successor $KSK1 $KSK2 827# Sign zone. 828cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" 829private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" 830private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" 831private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" 832$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 833 834# 835# The zones at csk-roll.autosign represent the various steps of a CSK rollover 836# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover). 837# 838 839# Step 1: 840# Introduce the first key. This will immediately be active. 841setup step1.csk-roll.autosign 842TactN="now" 843csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" 844CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 845$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 846cat template.db.in "${CSK}.key" > "$infile" 847private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" 848$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 849 850# Step 2: 851# It is time to introduce the new CSK. 
852setup step2.csk-roll.autosign 853# According to RFC 7583: 854# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC 855# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub 856# IpubC = DprpC + TTLkey (+publish-safety) 857# Ipub = IpubC 858# Lcsk = Lksk = Lzsk 859# 860# Lcsk: 6mo (186d, 4464h) 861# Dreg: N/A 862# DprpC: 1h 863# TTLkey: 1h 864# publish-safety: 1h 865# Ipub: 3h 866# 867# Tact(N) = Tnow - Lcsk + Ipub = now - 186d + 3h 868# = now - 4464h + 3h = now - 4461h 869TactN="now-4461h" 870csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" 871CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 872$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 873cat template.db.in "${CSK}.key" > "$infile" 874private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" 875$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 876 877# Step 3: 878# It is time to submit the DS and to roll signatures. 
879setup step3.csk-roll.autosign 880# According to RFC 7583: 881# 882# Tsbm(N+1) >= Trdy(N+1) 883# KSK: Tact(N+1) = Tsbm(N+1) 884# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1) 885# KSK: Iret = DprpP + TTLds (+retire-safety) 886# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety) 887# 888# Lcsk: 186d 889# Dprp: 1h 890# DprpP: 1h 891# Dreg: N/A 892# Dsgn: 25d 893# TTLds: 1h 894# TTLsig: 1d 895# retire-safety: 2h 896# Iret: 4h 897# IretZ: 26d3h 898# Ipub: 3h 899# 900# Tact(N) = Tnow - Lcsk = now - 186d 901# Tret(N) = now 902# Trem(N) = Tnow + IretZ = now + 26d3h = now + 627h 903# Tpub(N+1) = Tnow - Ipub = now - 3h 904# Tsbm(N+1) = Tret(N) 905# Tact(N+1) = Tret(N) 906# Tret(N+1) = Tnow + Lcsk = now + 186d = now + 186d 907# Trem(N+1) = Tnow + Lcsk + IretZ = now + 186d + 26d3h = 908# = now + 5091h 909TactN="now-186d" 910TretN="now" 911TremN="now+627h" 912TpubN1="now-3h" 913TsbmN1="now" 914TactN1="${TretN}" 915TretN1="now+186d" 916TremN1="now+5091h" 917csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 918newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 919CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 920CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 921$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 922$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 923# Set key rollover relationship. 924key_successor $CSK1 $CSK2 925# Sign zone. 
926cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 927private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 928private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 929$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 930 931# Step 4: 932# Some time later all the ZRRSIG records should be from the new CSK, and the 933# DS should be swapped. The ZRRSIG records are all replaced after IretZ 934# (which is 26d3h). The DS is swapped after Iret (which is 4h). 935# In other words, the DS is swapped before all zone signatures are replaced. 936setup step4.csk-roll.autosign 937# According to RFC 7583: 938# Trem(N) = Tret(N) - Iret + IretZ 939# Tnow = Tsbm(N+1) + Iret 940# 941# Lcsk: 186d 942# Iret: 4h 943# IretZ: 26d3h 944# 945# Tact(N) = Tnow - Iret - Lcsk = now - 4h - 186d = now - 4468h 946# Tret(N) = Tnow - Iret = now - 4h = now - 4h 947# Trem(N) = Tnow - Iret + IretZ = now - 4h + 26d3h 948# = now + 623h 949# Tpub(N+1) = Tnow - Iret - IpubC = now - 4h - 3h = now - 7h 950# Tsbm(N+1) = Tret(N) 951# Tact(N+1) = Tret(N) 952# Tret(N+1) = Tnow - Iret + Lcsk = now - 4h + 186d = now + 4460h 953# Trem(N+1) = Tnow - Iret + Lcsk + IretZ = now - 4h + 186d + 26d3h 954# = now + 5087h 955TactN="now-4468h" 956TretN="now-4h" 957TremN="now+623h" 958TpubN1="now-7h" 959TsbmN1="${TretN}" 960TactN1="${TretN}" 961TretN1="now+4460h" 962TremN1="now+5087h" 963csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 964newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 965CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 966CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 967$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 968$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 
-P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 969# Set key rollover relationship. 970key_successor $CSK1 $CSK2 971# Sign zone. 972cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 973private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 974private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 975$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 976 977# Step 5: 978# After the DS is swapped in step 4, also the KRRSIG records can be removed. 979# At this time these have all become hidden. 980setup step5.csk-roll.autosign 981# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h). 982# Tact(N) = now - 4468h - 2h = now - 4470h 983# Tret(N) = now - 4h - 2h = now - 6h 984# Trem(N) = now + 623h - 2h = now + 621h 985# Tpub(N+1) = now - 7h - 2h = now - 9h 986# Tsbm(N+1) = Tret(N) 987# Tact(N+1) = Tret(N) 988# Tret(N+1) = now + 4460h - 2h = now + 4458h 989# Trem(N+1) = now + 5087h - 2h = now + 5085h 990TactN="now-4470h" 991TretN="now-6h" 992TremN="now+621h" 993TpubN1="now-9h" 994TsbmN1="${TretN}" 995TactN1="${TretN}" 996TretN1="now+4458h" 997TremN1="now+5085h" 998csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 999newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1000CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1001CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1002$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 1003$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 1004# Set key rollover relationship. 1005key_successor $CSK1 $CSK2 1006# Sign zone. 
1007cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1008private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1009private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1010$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1011 1012# Step 6: 1013# After the retire interval has passed the predecessor DNSKEY can be 1014# removed from the zone. 1015setup step6.csk-roll.autosign 1016# According to RFC 7583: 1017# Trem(N) = Tret(N) + IretZ 1018# Tret(N) = Tact(N) + Lcsk 1019# 1020# Lcsk: 186d 1021# Iret: 4h 1022# IretZ: 26d3h 1023# 1024# Tact(N) = Tnow - IretZ - Lcsk = now - 627h - 186d 1025# = now - 627h - 4464h = now - 5091h 1026# Tret(N) = Tnow - IretZ = now - 627h 1027# Trem(N) = Tnow 1028# Tpub(N+1) = Tnow - IretZ - Ipub = now - 627h - 3h = now - 630h 1029# Tsbm(N+1) = Tret(N) 1030# Tact(N+1) = Tret(N) 1031# Tret(N+1) = Tnow - IretZ + Lcsk = now - 627h + 186d = now + 3837h 1032# Trem(N+1) = Tnow + Lcsk = now + 186d 1033TactN="now-5091h" 1034TretN="now-627h" 1035TremN="now" 1036TpubN1="now-630h" 1037TsbmN1="${TretN}" 1038TactN1="${TretN}" 1039TretN1="now+3837h" 1040TremN1="now+186d" 1041csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1042newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1043CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1044CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1045$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 1046$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 1047# Set key rollover relationship. 1048key_successor $CSK1 $CSK2 1049# Sign zone. 
1050cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1051private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1052private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1053$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1054 1055# Step 7: 1056# Some time later the predecessor DNSKEY enters the HIDDEN state. 1057setup step7.csk-roll.autosign 1058# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h). 1059# Tact(N) = now - 5091h - 2h = now - 5093h 1060# Tret(N) = now - 627h - 2h = now - 629h 1061# Trem(N) = now - 2h 1062# Tpub(N+1) = now - 630h - 2h = now - 632h 1063# Tsbm(N+1) = Tret(N) 1064# Tact(N+1) = Tret(N) 1065# Tret(N+1) = now + 3837h - 2h = now + 3835h 1066# Trem(N+1) = now + 186d - 2h = now + 4462h 1067TactN="now-5093h" 1068TretN="now-629h" 1069TremN="now-2h" 1070TpubN1="now-632h" 1071TsbmN1="${TretN}" 1072TactN1="${TretN}" 1073TretN1="now+3835h" 1074TremN1="now+4462h" 1075csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1076newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1077CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1078CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1079$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 1080$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 1081# Set key rollover relationship. 1082key_successor $CSK1 $CSK2 1083# Sign zone. 
1084cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1085private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1086private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1087$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1088 1089# Step 8: 1090# The predecessor DNSKEY can be purged. 1091setup step8.csk-roll.autosign 1092# Subtract purge-keys interval from all the times (1h). 1093# Tact(N) = now - 5093h - 1h = now - 5094h 1094# Tret(N) = now - 629h - 1h = now - 630h 1095# Trem(N) = now - 2h - 1h = now - 3h 1096# Tpub(N+1) = now - 632h - 1h = now - 633h 1097# Tsbm(N+1) = Tret(N) 1098# Tact(N+1) = Tret(N) 1099# Tret(N+1) = now + 3835h - 1h = now + 3834h 1100# Trem(N+1) = now + 4462h - 1h = now + 4461h 1101TactN="now-5094h" 1102TretN="now-630h" 1103TremN="now-3h" 1104TpubN1="now-633h" 1105TsbmN1="${TretN}" 1106TactN1="${TretN}" 1107TretN1="now+3834h" 1108TremN1="now+4461h" 1109csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1110newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1111CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1112CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1113$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 1114$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 1115# Set key rollover relationship. 1116key_successor $CSK1 $CSK2 1117# Sign zone. 
1118cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1119private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1120private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1121$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1122 1123# 1124# The zones at csk-roll2.autosign represent the various steps of a CSK rollover 1125# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover). 1126# This scenario differs from the above one because the zone signatures (ZRRSIG) 1127# are replaced with the new key sooner than the DS is swapped. 1128# 1129 1130# Step 1: 1131# Introduce the first key. This will immediately be active. 1132setup step1.csk-roll2.autosign 1133TactN="now" 1134csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" 1135CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1136$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 1137cat template.db.in "${CSK}.key" > "$infile" 1138private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" 1139$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1140 1141# Step 2: 1142# It is time to introduce the new CSK. 
1143setup step2.csk-roll2.autosign 1144# According to RFC 7583: 1145# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC 1146# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub 1147# IpubC = DprpC + TTLkey (+publish-safety) 1148# Ipub = IpubC 1149# Lcsk = Lksk = Lzsk 1150# 1151# Lcsk: 6mo (186d, 4464h) 1152# Dreg: N/A 1153# DprpC: 1h 1154# TTLkey: 1h 1155# publish-safety: 1h 1156# Ipub: 3h 1157# 1158# Tact(N) = Tnow - Lcsk + Ipub = now - 186d + 3h 1159# = now - 4464h + 3h = now - 4461h 1160TactN="now-4461h" 1161csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" 1162CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1163$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 1164cat template.db.in "${CSK}.key" > "$infile" 1165private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" 1166$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1167 1168# Step 3: 1169# It is time to submit the DS and to roll signatures. 
1170setup step3.csk-roll2.autosign 1171# According to RFC 7583: 1172# 1173# Tsbm(N+1) >= Trdy(N+1) 1174# KSK: Tact(N+1) = Tsbm(N+1) 1175# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1) 1176# KSK: Iret = DprpP + TTLds (+retire-safety) 1177# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety) 1178# 1179# Lcsk: 186d 1180# Dprp: 1h 1181# DprpP: 1w 1182# Dreg: N/A 1183# Dsgn: 12h 1184# TTLds: 1h 1185# TTLsig: 1d 1186# retire-safety: 1h 1187# Iret: 170h 1188# IretZ: 38h 1189# Ipub: 3h 1190# 1191# Tact(N) = Tnow - Lcsk = now - 186d 1192# Tret(N) = now 1193# Trem(N) = Tnow + Iret = now + 170h 1194# Tpub(N+1) = Tnow - Ipub = now - 3h 1195# Tsbm(N+1) = Tret(N) 1196# Tact(N+1) = Tret(N) 1197# Tret(N+1) = Tnow + Lcsk = now + 186d 1198# Trem(N+1) = Tnow + Lcsk + Iret = now + 186d + 170h = 1199# = now + 4464h + 170h = now + 4634h 1200TactN="now-186d" 1201TretN="now" 1202TremN="now+170h" 1203TpubN1="now-3h" 1204TsbmN1="${TretN}" 1205TactN1="${TretN}" 1206TretN1="now+186d" 1207TremN1="now+4634h" 1208csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1209newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1210CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1211CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1212$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 1213$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 1214# Set key rollover relationship. 1215key_successor $CSK1 $CSK2 1216# Sign zone. 
1217cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1218private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1219private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1220$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1221 1222# Step 4: 1223# Some time later all the ZRRSIG records should be from the new CSK, and the 1224# DS should be swapped. The ZRRSIG records are all replaced after IretZ (38h). 1225# The DS is swapped after Dreg + Iret (1w3h). In other words, the zone 1226# signatures are replaced before the DS is swapped. 1227setup step4.csk-roll2.autosign 1228# According to RFC 7583: 1229# Trem(N) = Tret(N) + IretZ 1230# 1231# Lcsk: 186d 1232# Dreg: N/A 1233# Iret: 170h 1234# IretZ: 38h 1235# 1236# Tact(N) = Tnow - IretZ = Lcsk = now - 38h - 186d 1237# = now - 38h - 4464h = now - 4502h 1238# Tret(N) = Tnow - IretZ = now - 38h 1239# Trem(N) = Tnow - IretZ + Iret = now - 38h + 170h = now + 132h 1240# Tpub(N+1) = Tnow - IretZ - IpubC = now - 38h - 3h = now - 41h 1241# Tsbm(N+1) = Tret(N) 1242# Tact(N+1) = Tret(N) 1243# Tret(N+1) = Tnow - IretZ + Lcsk = now - 38h + 186d 1244# = now + 4426h 1245# Trem(N+1) = Tnow - IretZ + Lcsk + Iret 1246# = now + 4426h + 3h = now + 4429h 1247TactN="now-4502h" 1248TretN="now-38h" 1249TremN="now+132h" 1250TpubN1="now-41h" 1251TsbmN1="${TretN}" 1252TactN1="${TretN}" 1253TretN1="now+4426h" 1254TremN1="now+4429h" 1255csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1256newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1257CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1258CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1259$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 1260$SETTIME -s -g $O -k $O $TsbmN1 -r $O 
$TsbmN1 -z $R $TactN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 1261# Set key rollover relationship. 1262key_successor $CSK1 $CSK2 1263# Sign zone. 1264cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1265private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1266private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1267$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1268 1269# Step 5: 1270# Some time later the DS can be swapped and the old DNSKEY can be removed from 1271# the zone. 1272setup step5.csk-roll2.autosign 1273# Subtract Iret (170h) - IretZ (38h) = 132h. 1274# 1275# Tact(N) = now - 4502h - 132h = now - 4634h 1276# Tret(N) = now - 38h - 132h = now - 170h 1277# Trem(N) = now + 132h - 132h = now 1278# Tpub(N+1) = now - 41h - 132h = now - 173h 1279# Tsbm(N+1) = Tret(N) 1280# Tact(N+1) = Tret(N) 1281# Tret(N+1) = now + 4426h - 132h = now + 4294h 1282# Trem(N+1) = now + 4492h - 132h = now + 4360h 1283TactN="now-4634h" 1284TretN="now-170h" 1285TremN="now" 1286TpubN1="now-173h" 1287TsbmN1="${TretN}" 1288TactN1="${TretN}" 1289TretN1="now+4294h" 1290TremN1="now+4360h" 1291csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1292newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1293CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1294CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1295$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 1296$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $O now-133h -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 1297# Set key rollover relationship. 1298key_successor $CSK1 $CSK2 1299# Sign zone. 
1300cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1301private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1302private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1303$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1304 1305# Step 6: 1306# Some time later the predecessor DNSKEY enters the HIDDEN state. 1307setup step6.csk-roll2.autosign 1308# Subtract DNSKEY TTL plus zone propagation delay (2h). 1309# 1310# Tact(N) = now - 4634h - 2h = now - 4636h 1311# Tret(N) = now - 170h - 2h = now - 172h 1312# Trem(N) = now - 2h 1313# Tpub(N+1) = now - 173h - 2h = now - 175h 1314# Tsbm(N+1) = Tret(N) 1315# Tact(N+1) = Tret(N) 1316# Tret(N+1) = now + 4294h - 2h = now + 4292h 1317# Trem(N+1) = now + 4360h - 2h = now + 4358h 1318TactN="now-4636h" 1319TretN="now-172h" 1320TremN="now-2h" 1321TpubN1="now-175h" 1322TsbmN1="${TretN}" 1323TactN1="${TretN}" 1324TretN1="now+4292h" 1325TremN1="now+4358h" 1326csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1327newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1328CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1329CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1330$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1 1331$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1 1332# Set key rollover relationship. 1333key_successor $CSK1 $CSK2 1334# Sign zone. 
1335cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1336private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1337private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1338$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1339 1340# Step 7: 1341# The predecessor DNSKEY can be purged, but purge-keys is disabled. 1342setup step7.csk-roll2.autosign 1343# Subtract 90 days (default, 2160h) from all the times. 1344# Tact(N) = now - 4636h - 2160h = now - 6796h 1345# Tret(N) = now - 172h - 2160h = now - 2332h 1346# Trem(N) = now - 2h - 2160h = now - 2162h 1347# Tpub(N+1) = now - 175h - 2160h = now - 2335h 1348# Tsbm(N+1) = Tret(N) 1349# Tact(N+1) = Tret(N) 1350# Tret(N+1) = now + 4294h - 2160h = now + 2134h 1351# Trem(N+1) = now + 4360h - 2160h = now + 2200h 1352TactN="now-6796h" 1353TretN="now-2332h" 1354TremN="now-2162h" 1355TpubN1="now-2335h" 1356TsbmN1="${TretN}" 1357TactN1="${TretN}" 1358TretN1="now+2134h" 1359TremN1="now+2200h" 1360csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 1361newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" 1362CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) 1363CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) 1364$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1 1365$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1 1366# Set key rollover relationship. 1367key_successor $CSK1 $CSK2 1368# Sign zone. 
1369cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" 1370private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" 1371private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" 1372$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 1373