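#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, you can obtain one at https://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# ns6/setup.sh: pre-generate keys, key-state files and signed zone files for
# the ns6 zones of the kasp system test.  Each "stepN.<zone>" child zone is a
# snapshot of one stage of a dnssec-policy transition (going insecure, a
# KSK/ZSK algorithm rollover, a CSK algorithm rollover); the test then checks
# what named does when it loads that state.
#
# Interpreter options on the shebang line are only honoured when the script
# is executed directly.  If the harness runs it as "$SHELL setup.sh"
# (NOTE(review): verify against the caller) the "-e" is dropped, and a
# failing dnssec-keygen/dnssec-settime/dnssec-signzone call would leave a
# half-built zone behind that only shows up as a confusing failure later.
# Set the option explicitly so both invocations abort at the first error.
set -e

# Refuse to run without the test-tree root rather than sourcing "/conf.sh".
: "${SYSTEMTESTTOP:?SYSTEMTESTTOP must point at the system test directory}"

# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"

echo_i "ns6/setup.sh"

# Select the zone to work on.  Deliberately sets globals that every step
# below reads:
#   zone     - zone name ($1)
#   zonefile - signed zone written by dnssec-signzone
#   infile   - unsigned input assembled from template.db.in plus the DNSKEYs
setup() {
  zone="$1"
  echo_i "setting up zone: $zone"
  zonefile="${zone}.db"
  infile="${zone}.db.infile"
}

# Make lines shorter by storing key states in environment variables.
# These are the values accepted by dnssec-settime -g/-k/-z/-r/-d.
H="HIDDEN"
R="RUMOURED"
O="OMNIPRESENT"
U="UNRETENTIVE"

# Algorithm the algorithm-rollover zones start from.  It is deliberately a
# legacy algorithm (RSASHA1, DNSSEC algorithm number 5) so the test exercises
# rolling away from it.  The name is passed to dnssec-keygen -a, the number
# goes into the private-type records; keep the two in sync.
# NOTE(review): SHA-1 based keys are refused by some crypto policies (e.g.
# FIPS-restricted builds).  On such hosts key generation fails here and the
# script aborts; confirm RSASHA1 is usable before running this test.
OLD_ALGORITHM="RSASHA1"
OLD_ALGORITHM_NUMBER=5

# The child zones (step1, step2) beneath these zones represent the various
# steps of unsigning a zone.
for zn in going-insecure.kasp going-insecure-dynamic.kasp
do
  # Step 1:
  # Set up a zone with dnssec-policy that is going insecure.
  setup step1.$zn
  echo "$zone" >> zones
  # Keys were published and activated 10 days ago.
  T="now-10d"
  # *times variables hold several options and are intentionally unquoted
  # where they are expanded.
  ksktimes="-P $T -A $T -P sync $T"
  zsktimes="-P $T -A $T"
  KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
  ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
  cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
  private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
  private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
  # Signatures valid from one hour ago for two weeks.
  $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

  # Step 2:
  # Set up a zone with dnssec-policy that is going insecure. Don't add
  # this zone to the zones file, because this zone is no longer expected
  # to be fully signed.
  setup step2.$zn
  # The DS was withdrawn from the parent zone 26 hours ago.  $T still holds
  # the step 1 publication time (now-10d).
  Trem="now-26h"
  ksktimes="-P $T -A $T -P sync $T"
  zsktimes="-P $T -A $T"
  KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
  ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
  # Goal HIDDEN for both keys; the KSK's DS is already UNRETENTIVE.
  $SETTIME -s -g $H -k $O $T -r $O $T -d $U $Trem -D ds $Trem "$KSK" > settime.out.$zone.1 2>&1
  $SETTIME -s -g $H -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
  # Fake lifetime of old algorithm keys (5184000s = 60 days for the ZSK).
  echo "Lifetime: 0" >> "${KSK}.state"
  echo "Lifetime: 5184000" >> "${ZSK}.state"
  cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
  private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
  private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
  $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
done

# This zone is going straight to "none" policy. This is undefined behavior.
setup step1.going-straight-to-none.kasp
echo "$zone" >> zones
TactN="now"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
CSK=$($KEYGEN -k default $csktimes $zone 2> keygen.out.$zone.1)
$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
# -z: the single CSK also signs the zone data.
$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

#
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
# algorithm rollover.  Keys of the old algorithm are KSK1/ZSK1, keys of the
# new ($DEFAULT_ALGORITHM) algorithm are KSK2/ZSK2; every step starts from
# freshly generated keys whose timing metadata and states are backdated.
#

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.algorithm-roll.kasp
echo "$zone" >> zones
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a $OLD_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $OLD_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
# Tsbm(N+1) = TpubN1 + Ipub = TpubN1 + TTLsig + Dprp + publish-safety =
# now - 3h + 6h + 1h + 1h = now + 5h
TsbmN1="now+5h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
zsk1times="-P ${TactN} -A ${TactN} -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a $OLD_ALGORITHM -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a $OLD_ALGORITHM -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
# Old keys: goal HIDDEN, everything still OMNIPRESENT.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
# New keys: goal OMNIPRESENT, DNSKEY/RRSIG RUMOURED, DS still HIDDEN.
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$KSK1" >> "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TsbmN1="now-1h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a $OLD_ALGORITHM -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a $OLD_ALGORITHM -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
# New DNSKEYs and KSK signatures are now OMNIPRESENT; zone signatures of the
# new ZSK are still RUMOURED.
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$KSK1" >> "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TsbmN1="now-30h"
TactN1="now-29h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a $OLD_ALGORITHM -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a $OLD_ALGORITHM -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
# Old DS withdrawn (UNRETENTIVE), new DS submitted (RUMOURED) at TactN1.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$KSK1" >> "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TsbmN1="now-32h"
TactN1="now-31h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a $OLD_ALGORITHM -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a $OLD_ALGORITHM -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
# Old DNSKEYs/RRSIGs are being withdrawn (UNRETENTIVE); old DS is HIDDEN.
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$KSK1" >> "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TremN="now-7h"
TpubN1="now-47h"
TsbmN1="now-39h"
TactN1="now-38h"
TdeaN="now-9h"
ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a $OLD_ALGORITHM -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a $OLD_ALGORITHM -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
# Old DNSKEYs are HIDDEN; their RRSIGs went UNRETENTIVE at TdeaN.
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${KSK1}.state"
echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$KSK1" >> "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

#
# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
# algorithm rollover.  The keys' algorithms come from policies/csk1.conf (old
# key, CSK1) and policies/csk2.conf (new key, CSK2) rather than from -a.
# The private-type records below assume csk1.conf selects algorithm
# $OLD_ALGORITHM_NUMBER and csk2.conf selects $DEFAULT_ALGORITHM_NUMBER;
# keep them in sync with those policy files.
#

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.csk-algorithm-roll.kasp
echo "$zone" >> zones
TactN="now"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$CSK" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
setup step2.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 3 hours.
TactN="now-3h"
TpubN1="now-3h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$CSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 3:
# The zone signatures are also OMNIPRESENT.
setup step3.csk-algorithm-roll.kasp
# The time passed since the new algorithm keys have been introduced is 9 hours.
TactN="now-9h"
TretN="now-6h"
TpubN1="now-9h"
TactN1="now-6h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$CSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 4:
# The DS is swapped and can become OMNIPRESENT.
setup step4.csk-algorithm-roll.kasp
# The time passed since the DS has been swapped is 29 hours.
TactN="now-38h"
TretN="now-35h"
TpubN1="now-38h"
TactN1="now-35h"
TsubN1="now-29h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
# Old DS withdrawn (UNRETENTIVE) at TactN1, new DS submitted (RUMOURED) at TsubN1.
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$CSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
setup step5.csk-algorithm-roll.kasp
# The time passed since the DNSKEY has been removed is 2 hours.
TactN="now-40h"
TretN="now-37h"
TremN="now-2h"
TpubN1="now-40h"
TactN1="now-37h"
TsubN1="now-31h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$CSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
setup step6.csk-algorithm-roll.kasp
# Additional time passed: 7h.
TactN="now-47h"
TretN="now-44h"
TdeaN="now-9h"
TremN="now-7h"
TpubN1="now-47h"
TactN1="now-44h"
TsubN1="now-38h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone $OLD_ALGORITHM_NUMBER "$CSK1" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

#
# Reload testing
#
echo "example" >> zones
cp example.db.in example.db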