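#!/bin/sh -e

# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# SPDX-License-Identifier: MPL-2.0
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# ns6/setup.sh
#
# Generates the key files (.key/.private), key state files (.state) and
# pre-signed zone files that the ns6 server of this system test starts
# from.  Every "stepN.<name>" zone below is a snapshot of one point in a
# key rollover or unsigning process, built by back-dating key timing
# metadata and key states, so the test can check how named's
# dnssec-policy proceeds from that state.
#
# Run from the ns6 directory: conf.sh is sourced relative to it and it
# provides $KEYGEN, $SETTIME, $SIGNER, $DEFAULT_ALGORITHM,
# $DEFAULT_ALGORITHM_NUMBER, echo_i and private_type_record.
#
# Quoting: $KEYGEN/$SETTIME/$SIGNER and the *times option bundles are
# deliberately left unquoted so that they word-split into separate
# arguments; every other expansion is quoted.

# shellcheck source=conf.sh
. ../../conf.sh

echo_i "ns6/setup.sh"

# Select the zone to work on.
#
# Sets the globals used by every step below:
#   zone     - the zone name ($1)
#   zonefile - "<zone>.db", the (unsigned) zone file copied to the server
#   infile   - "<zone>.db.infile", the input fed to dnssec-signzone
# Arguments: $1 - zone name; the script aborts if it is missing or empty,
#            since all later file names are derived from it.
setup() {
  zone="${1:?setup: zone name required}"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  infile="${zone}.db.infile"
}

# Make lines shorter by storing key states in environment variables.
# These are the state names dnssec-settime accepts for -g/-k/-r/-z/-d.
readonly H="HIDDEN"
readonly R="RUMOURED"
readonly O="OMNIPRESENT"
readonly U="UNRETENTIVE"

# The child zones (step1, step2) beneath these zones represent the various
# steps of unsigning a zone.
for zn in going-insecure.kasp going-insecure-dynamic.kasp; do
  # Step 1:
  # Set up a zone with dnssec-policy that is going insecure.
  setup "step1.$zn"
  echo "$zone" >>zones
  # Keys were published and activated 10 days ago.
  T="now-10d"
  ksktimes="-P $T -A $T -P sync $T"
  zsktimes="-P $T -A $T"
  KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
  ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.$zone.2")
  cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
  cp "$infile" "$zonefile"
  $SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

  # Step 2:
  # Set up a zone with dnssec-policy that is going insecure. Don't add
  # this zone to the zones file, because this zone is no longer expected
  # to be fully signed.
  setup "step2.$zn"
  # The DS was withdrawn from the parent zone 26 hours ago.  The keys
  # themselves still date from $T, set in step 1 above.
  Trem="now-26h"
  ksktimes="-P $T -A $T -P sync $T"
  zsktimes="-P $T -A $T"
  KSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
  ZSK=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 7200 $zsktimes "$zone" 2>"keygen.out.$zone.2")
  # Goal HIDDEN for both keys; the KSK's DS is already UNRETENTIVE since
  # $Trem, everything else is still OMNIPRESENT.
  $SETTIME -s -g "$H" -k "$O" "$T" -r "$O" "$T" -d "$U" "$Trem" -D ds "$Trem" "$KSK" >"settime.out.$zone.1" 2>&1
  $SETTIME -s -g "$H" -k "$O" "$T" -z "$O" "$T" "$ZSK" >"settime.out.$zone.2" 2>&1
  # Fake lifetime of old algorithm keys.
  echo "Lifetime: 0" >>"${KSK}.state"
  echo "Lifetime: 5184000" >>"${ZSK}.state"
  cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK" >>"$infile"
  private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK" >>"$infile"
  cp "$infile" "$zonefile"
  $SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1
done

# This zone is going straight to "none" policy. This is undefined behavior.
setup step1.going-straight-to-none.kasp
echo "$zone" >>zones
TactN="now"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
# -k default: a CSK generated according to the built-in "default" policy.
CSK=$($KEYGEN -k default $csktimes "$zone" 2>"keygen.out.$zone.1")
# Everything about the CSK is already OMNIPRESENT.
$SETTIME -s -g "$O" -k "$O" "$TactN" -z "$O" "$TactN" -r "$O" "$TactN" -d "$O" "$TactN" "$CSK" >"settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -z -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

#
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
# algorithm rollover.
#

# Step 1:
# Introduce the first key. This will immediately be active.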
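# Rollover from RSASHA256 (algorithm 8, hard-coded below) to
# $DEFAULT_ALGORITHM.  Naming used in the timing variables:
#   TactN  - activation of the old (N) keys      TretN  - their retirement
#   TremN  - their removal from the zone         TdeaN  - their RRSIGs gone
#   TpubN1 - publication of the new (N+1) keys   TsbmN1 - new DS submitted
#   TactN1 - new DS active (swap done)
# dnssec-settime -s writes key states: -g goal, -k DNSKEY, -r KRRSIG,
# -z ZRRSIG, -d DS, each with the time the state was reached.
# $KEYGEN/$SETTIME/$SIGNER and the *times bundles are intentionally
# unquoted so they word-split into separate arguments.
setup step1.algorithm-roll.kasp
echo "$zone" >>zones
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes "$zone" 2>"keygen.out.$zone.1")
ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes "$zone" 2>"keygen.out.$zone.2")
$SETTIME -s -g "$O" -k "$O" "$TactN" -r "$O" "$TactN" -d "$O" "$TactN" "$KSK" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TactN" -z "$O" "$TactN" "$ZSK" >"settime.out.$zone.2" 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
# 8 is the DNSSEC algorithm number of RSASHA256 used for these keys.
private_type_record "$zone" 8 "$KSK" >>"$infile"
private_type_record "$zone" 8 "$ZSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
# Tsbm(N+1) = TpubN1 + Ipub = now + TTLsig + Dprp + publish-safety =
# now - 3h + 6h + 1h + 1h = now + 5h
TsbmN1="now+5h"
# Old keys are inactivated (-I) now; new keys published at TpubN1.
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
zsk1times="-P ${TactN} -A ${TactN} -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# Old keys: goal HIDDEN, records still OMNIPRESENT.
# New keys: goal OMNIPRESENT, DNSKEY/RRSIG RUMOURED, DS still HIDDEN.
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -d "$O" "$TactN" "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$H" -k "$O" "$TactN" -z "$O" "$TactN" "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g "$O" -k "$R" "$TpubN1" -r "$R" "$TpubN1" -d "$H" "$TpubN1" "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g "$O" -k "$R" "$TpubN1" -z "$R" "$TpubN1" "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TsbmN1="now-1h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# New DNSKEY and KRRSIG are now OMNIPRESENT; ZRRSIG still RUMOURED, DS HIDDEN.
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -d "$O" "$TactN" "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$H" -k "$O" "$TactN" -z "$O" "$TactN" "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -r "$O" "$TpubN1" -d "$H" "$TpubN1" "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -z "$R" "$TpubN1" "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TsbmN1="now-30h"
TactN1="now-29h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# Old DS UNRETENTIVE (DSDelete at TactN1), new DS RUMOURED (DSPublish at TactN1).
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -d "$U" "$TactN1" -D ds "$TactN1" "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$H" -k "$O" "$TactN" -z "$O" "$TactN" "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -r "$O" "$TpubN1" -d "$R" "$TactN1" -P ds "$TactN1" "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -z "$R" "$TpubN1" "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TsbmN1="now-32h"
TactN1="now-31h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# Old DNSKEY/RRSIGs UNRETENTIVE since TremN, old DS HIDDEN; new DS OMNIPRESENT.
$SETTIME -s -g "$H" -k "$U" "$TremN" -r "$U" "$TremN" -d "$H" "$TactN1" "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$H" -k "$U" "$TremN" -z "$U" "$TremN" "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -r "$O" "$TpubN1" -d "$O" "$TactN1" "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -z "$R" "$TpubN1" "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TremN="now-7h"
TpubN1="now-47h"
TsbmN1="now-39h"
TactN1="now-38h"
TdeaN="now-9h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times "$zone" 2>"keygen.out.$zone.1")
ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times "$zone" 2>"keygen.out.$zone.2")
KSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 -f KSK $ksk2times "$zone" 2>"keygen.out.$zone.3")
ZSK2=$($KEYGEN -a "$DEFAULT_ALGORITHM" -L 3600 $zsk2times "$zone" 2>"keygen.out.$zone.4")
# Old DNSKEY HIDDEN since TremN, old RRSIGs UNRETENTIVE since TdeaN.
$SETTIME -s -g "$H" -k "$H" "$TremN" -r "$U" "$TdeaN" -d "$H" "$TactN1" "$KSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$H" -k "$H" "$TremN" -z "$U" "$TdeaN" "$ZSK1" >"settime.out.$zone.2" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -r "$O" "$TpubN1" -d "$O" "$TactN1" "$KSK2" >"settime.out.$zone.3" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TpubN1" -z "$R" "$TpubN1" "$ZSK2" >"settime.out.$zone.4" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${KSK1}.state"
echo "Lifetime: 0" >>"${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
private_type_record "$zone" 8 "$KSK1" >>"$infile"
private_type_record "$zone" 8 "$ZSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$KSK2" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$ZSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

#
# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
# algorithm rollover.
#
# The old CSK is generated with policy csk-algoroll from policies/csk1.conf
# and the new one from policies/csk2.conf (not shown here); the private
# type records use 5 for the old key, presumably the algorithm number
# of the csk1.conf algorithm (RSASHA1) -- verify against that file.

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.csk-algorithm-roll.kasp
echo "$zone" >>zones
TactN="now"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
$SETTIME -s -g "$O" -k "$O" "$TactN" -r "$O" "$TactN" -z "$O" "$TactN" -d "$O" "$TactN" "$CSK" >"settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" >"$infile"
private_type_record "$zone" 5 "$CSK" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.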
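# Continuation of step2.csk-algorithm-roll.kasp (its setup call precedes
# this point).  Timing variables follow the same naming as the ZSK/KSK
# rollover above: TactN/TretN/TremN/TdeaN for the old CSK, TpubN1/TactN1
# for the new CSK, plus TsubN1 for the time the new DS was submitted.
# $KEYGEN/$SETTIME/$SIGNER and the *times bundles are intentionally
# unquoted so they word-split into separate arguments.
TactN="now-3h"
TpubN1="now-3h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# Old CSK: goal HIDDEN, everything still OMNIPRESENT.
# New CSK: goal OMNIPRESENT, DNSKEY/RRSIGs RUMOURED, DS HIDDEN.
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -z "$O" "$TactN" -d "$O" "$TactN" "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$R" "$TpubN1" -r "$R" "$TpubN1" -z "$R" "$TpubN1" -d "$H" "$TpubN1" "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TactN1="now-6h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# New DNSKEY and KRRSIG OMNIPRESENT since TactN1; ZRRSIG still RUMOURED, DS HIDDEN.
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -z "$O" "$TactN" -d "$O" "$TactN" "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TactN1" -r "$O" "$TactN1" -z "$R" "$TpubN1" -d "$H" "$TpubN1" "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.csk-algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TactN1="now-35h"
TsubN1="now-29h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# Old DS UNRETENTIVE (DSDelete at TactN1); new DS RUMOURED (DSPublish at TsubN1).
$SETTIME -s -g "$H" -k "$O" "$TactN" -r "$O" "$TactN" -z "$O" "$TactN" -d "$U" "$TactN1" -D ds "$TactN1" "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TactN1" -r "$O" "$TactN1" -z "$O" "$TsubN1" -d "$R" "$TsubN1" -P ds "$TsubN1" "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.csk-algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TactN1="now-37h"
TsubN1="now-31h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# Old CSK entirely UNRETENTIVE/HIDDEN since TremN; new DS OMNIPRESENT since TremN.
$SETTIME -s -g "$H" -k "$U" "$TremN" -r "$U" "$TremN" -z "$U" "$TremN" -d "$H" "$TremN" "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TactN1" -r "$O" "$TactN1" -z "$O" "$TsubN1" -d "$O" "$TremN" "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.csk-algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TdeaN="now-9h"
TremN="now-7h"
TpubN1="now-47h"
TactN1="now-44h"
TsubN1="now-38h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes "$zone" 2>"keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes "$zone" 2>"keygen.out.$zone.2")
# Old DNSKEY HIDDEN since TremN, old RRSIGs UNRETENTIVE since TdeaN.
$SETTIME -s -g "$H" -k "$H" "$TremN" -r "$U" "$TdeaN" -z "$U" "$TdeaN" -d "$H" "$TactN1" "$CSK1" >"settime.out.$zone.1" 2>&1
$SETTIME -s -g "$O" -k "$O" "$TactN1" -r "$O" "$TactN1" -z "$O" "$TsubN1" -d "$O" "$TactN1" "$CSK2" >"settime.out.$zone.2" 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >>"${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
private_type_record "$zone" 5 "$CSK1" >>"$infile"
private_type_record "$zone" "$DEFAULT_ALGORITHM_NUMBER" "$CSK2" >>"$infile"
cp "$infile" "$zonefile"
$SIGNER -S -x -z -s now-1h -e now+2w -o "$zone" -O raw -f "${zonefile}.signed" "$infile" >"signer.out.$zone.1" 2>&1

#
# Reload testing
#
# These zones start unsigned: no keys are generated for them here.
echo "example" >>zones
cp example.db.in example.db

setup "dynamic2inline.kasp"
cp template.db.in "$zonefile"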