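#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"

# The "-e" in the shebang only takes effect when this file is executed
# directly; when it is started as "sh setup.sh" the option is lost. Ask for
# it again here so that a failing dnssec-keygen/dnssec-settime/dnssec-signzone
# aborts the setup instead of leaving a half-built fixture for the test to
# misinterpret.
set -e

echo_i "ns6/setup.sh"

#######################################
# Select the zone that the following top-level commands operate on.
# Globals (written): zone, zonefile, infile
# Arguments: $1 - zone name
#######################################
setup() {
	zone="$1"
	echo_i "setting up zone: $zone"
	zonefile="${zone}.db"
	infile="${zone}.db.infile"
}

#######################################
# Print a private-type (TYPE65534) record for a key, in RFC 3597 generic
# rdata syntax:
#   <zone>. 0 IN TYPE65534 \# 5 <algorithm:2 hex><key id:4 hex>0000
# i.e. five bytes: the algorithm number, the 16-bit key id, and two zero bytes.
# Arguments: $1 - zone name
#            $2 - DNSSEC algorithm number (5 = RSASHA1, 13 = ECDSAP256SHA256)
#            $3 - key file base name (K<zone>+<alg>+<id>)
# Outputs:   one record on stdout
#######################################
private_type_record() {
	_zone=$1
	_algorithm=$2
	_keyfile=$3

	_id=$(keyfile_to_key_id "$_keyfile")

	# The format string is fixed; the data only ever reaches printf through
	# %s/%x conversions. NOTE(review): printf reads a leading "0" as octal, so
	# this relies on keyfile_to_key_id (conf.sh) returning the id without
	# leading zeros — confirm.
	printf "%s. 0 IN TYPE65534 %s 5 %02x%04x0000\n" "$_zone" "\\#" "$_algorithm" "$_id"
}


# Make lines shorter by storing key states in environment variables.
# These are the key state names passed to dnssec-settime -g/-k/-r/-z/-d below.
H="HIDDEN"
R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"

# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy.
# The existing keys already match the policy (ECDSAP256SHA256, algorithm 13).
setup migrate.kasp
echo "$zone" >> zones
ksktimes="-P now -A now -P sync now"
zsktimes="-P now -A now"
# $ksktimes/$zsktimes are deliberately unquoted so the shell splits them into
# separate dnssec-keygen arguments.
KSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
# Unsigned zone = template + both DNSKEYs + one private-type record per key.
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 13 "$KSK" >> "$infile"
private_type_record $zone 13 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# RSASHA1 keys, and will be migrated to a dnssec-policy that dictates
# ECDSAP256SHA256 keys.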
setup migrate-nomatch-algnum.kasp
printf '%s\n' "$zone" >> zones
Tds="now-24h"    # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h"   # Zone's maximum TTL + propagation delay
ksktimes="-P $Tkey -A $Tkey -P sync $Tds"
zsktimes="-P $Tsig -A $Tsig"
# Legacy keys: RSASHA1 (algorithm 5), 2048-bit KSK and 1024-bit ZSK. The
# $ksktimes/$zsktimes words are intentionally unquoted so that they expand
# into separate dnssec-keygen arguments.
KSK=$($KEYGEN -a RSASHA1 -b 2048 -L 300 -f KSK $ksktimes "$zone" 2> "keygen.out.$zone.1")
ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes "$zone" 2> "keygen.out.$zone.2")
# Unsigned zone: template, both DNSKEYs, one private-type record per key.
{
	cat template.db.in "${KSK}.key" "${ZSK}.key"
	private_type_record "$zone" 5 "$KSK"
	private_type_record "$zone" 5 "$ZSK"
} > "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1

# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
# time the existing keys do not match the policy. The existing keys are
# 1024 bits RSASHA1 keys, and will be migrated to a dnssec-policy that
# dictates 2048 bits RSASHA1 keys.
setup migrate-nomatch-alglen.kasp
printf '%s\n' "$zone" >> zones
Tds="now-24h"    # Time according to dnssec-policy that DS will be OMNIPRESENT
Tkey="now-3900s" # DNSKEY TTL + propagation delay
Tsig="now-12h"   # Zone's maximum TTL + propagation delay
ksktimes="-P $Tkey -A $Tkey -P sync $Tds"
zsktimes="-P $Tsig -A $Tsig"
# Legacy keys: RSASHA1 (algorithm 5), both 1024 bits — same algorithm as the
# policy, only the key length differs.
KSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 -f KSK $ksktimes "$zone" 2> "keygen.out.$zone.1")
ZSK=$($KEYGEN -a RSASHA1 -b 1024 -L 300 $zsktimes "$zone" 2> "keygen.out.$zone.2")
{
	cat template.db.in "${KSK}.key" "${ZSK}.key"
	private_type_record "$zone" 5 "$KSK"
	private_type_record "$zone" 5 "$ZSK"
} > "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1

#
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
# algorithm rollover.
#

# Step 1:
# Introduce the first key. This will immediately be active.
# Both rollover series below build one zone per rollover step. Conventions:
#  - T* variables are key event times relative to "now". Suffix N is the old
#    (RSASHA1, algorithm 5) key, suffix N1 its successor (ECDSAP256SHA256,
#    algorithm 13). Tpub/Tact/Tret/Trem are publish/active/retire/removed
#    times, Tsbm the DS submission time. TdeaN and TsubN1 are presumably the
#    time the old key's signatures went dead and the successor's DS/ZRRSIG
#    swap time — verify against the dnssec-policy in named.conf.
#  - dnssec-settime -s writes the key's .state file; -g sets the goal state and
#    -k/-r/-z/-d the DNSKEY, KRRSIG, ZRRSIG and DS states, each followed by the
#    time that state was entered (H/R/O/U are the state names set above).
#  - "Lifetime: 0" is appended to the old keys' .state files; presumably so the
#    policy treats them as having no remaining lifetime — confirm.
setup step1.algorithm-roll.kasp
echo "$zone" >> zones
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a RSASHA1 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
# Everything for the only key pair is already OMNIPRESENT.
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 5 "$KSK" >> "$infile"
private_type_record $zone 5 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =
# now - 3h + 6h + 1h + 1h = now + 5h
TsbmN1="now+5h"
# The old keys are given an inactive time of now (-I); the successors are
# published but not yet submitted.
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
zsk1times="-P ${TactN} -A ${TactN} -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
# Old keys: goal HIDDEN, everything still OMNIPRESENT.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
# New keys: goal OMNIPRESENT, DNSKEY/RRSIGs RUMOURED, DS still HIDDEN.
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone 13 "$KSK2" >> "$infile"
private_type_record $zone 13 "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TsbmN1="now-1h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
# New KSK: DNSKEY and KRRSIG now OMNIPRESENT, DS still HIDDEN (not yet swapped).
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone 13 "$KSK2" >> "$infile"
private_type_record $zone 13 "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TsbmN1="now-30h"
TactN1="now-29h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
# DS swap at TactN1: old DS UNRETENTIVE, new DS RUMOURED.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone 13 "$KSK2" >> "$infile"
private_type_record $zone 13 "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TsbmN1="now-32h"
TactN1="now-31h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
# Old keys withdrawn at TremN (DNSKEY/RRSIGs UNRETENTIVE, old DS HIDDEN);
# the new DS is OMNIPRESENT.
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone 13 "$KSK2" >> "$infile"
private_type_record $zone 13 "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TremN="now-7h"
TpubN1="now-47h"
TsbmN1="now-39h"
TactN1="now-38h"
TdeaN="now-9h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
# Old DNSKEYs already HIDDEN; their RRSIGs still UNRETENTIVE since TdeaN.
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone 13 "$KSK2" >> "$infile"
private_type_record $zone 13 "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

#
# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
# algorithm rollover.
#
# Here the keys are generated from the dnssec-policy "csk-algoroll" (-k) as
# read from policies/csk1.conf (old algorithm, 5) or policies/csk2.conf (new
# algorithm, 13), and dnssec-signzone gets -z so the single CSK signs
# everything regardless of its KSK flag.

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.csk-algorithm-roll.kasp
echo "$zone" >> zones
TactN="now"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
# A CSK carries all four states (-k/-r/-z/-d), here all OMNIPRESENT.
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone 5 "$CSK" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
# New CSK: DNSKEY and both RRSIG states RUMOURED, DS HIDDEN.
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone 13 "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TactN1="now-6h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
# New CSK: DNSKEY/KRRSIG OMNIPRESENT since TactN1, ZRRSIG still RUMOURED, DS HIDDEN.
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone 13 "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.csk-algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TactN1="now-35h"
TsubN1="now-29h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
# DS swap at TactN1/TsubN1: old DS UNRETENTIVE, new DS RUMOURED.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone 13 "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.csk-algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TactN1="now-37h"
TsubN1="now-31h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
# Old CSK withdrawn at TremN (DNSKEY/RRSIGs UNRETENTIVE, DS HIDDEN); new DS OMNIPRESENT.
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone 13 "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.csk-algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TdeaN="now-9h"
TremN="now-7h"
TpubN1="now-47h"
TactN1="now-44h"
TsubN1="now-38h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
# Old CSK: DNSKEY HIDDEN since TremN, both RRSIG states UNRETENTIVE since TdeaN.
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone 13 "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1