1#!/bin/sh 2# 3# Copyright (C) Internet Systems Consortium, Inc. ("ISC") 4# 5# This Source Code Form is subject to the terms of the Mozilla Public 6# License, v. 2.0. If a copy of the MPL was not distributed with this 7# file, You can obtain one at http://mozilla.org/MPL/2.0/. 8# 9# See the COPYRIGHT file distributed with this work for additional 10# information regarding copyright ownership. 11 12# shellcheck source=conf.sh 13SYSTEMTESTTOP=.. 14. "$SYSTEMTESTTOP/conf.sh" 15 16start_time="$(TZ=UTC date +%s)" 17status=0 18n=0 19 20############################################################################### 21# Constants # 22############################################################################### 23DEFAULT_TTL=300 24 25############################################################################### 26# Query properties # 27############################################################################### 28TSIG="" 29SHA1="FrSt77yPTFx6hTs4i2tKLB9LmE0=" 30SHA224="hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==" 31SHA256="R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=" 32VIEW1="YPfMoAk6h+3iN8MDRQC004iSNHY=" 33VIEW2="4xILSZQnuO1UKubXHkYUsvBRPu8=" 34 35############################################################################### 36# Key properties # 37############################################################################### 38# ID 39# BASEFILE 40# EXPECT 41# ROLE 42# KSK 43# ZSK 44# LIFETIME 45# ALG_NUM 46# ALG_STR 47# ALG_LEN 48# CREATED 49# PUBLISHED 50# ACTIVE 51# RETIRED 52# REVOKED 53# REMOVED 54# GOAL 55# STATE_DNSKEY 56# STATE_ZRRSIG 57# STATE_KRRSIG 58# STATE_DS 59# EXPECT_ZRRSIG 60# EXPECT_KRRSIG 61# LEGACY 62 63key_key() { 64 echo "${1}__${2}" 65} 66 67key_get() { 68 eval "echo \${$(key_key "$1" "$2")}" 69} 70 71key_set() { 72 eval "$(key_key "$1" "$2")='$3'" 73} 74 75# Save certain values in the KEY array. 76key_save() 77{ 78 # Save key id. 79 key_set "$1" ID "$KEY_ID" 80 # Save base filename. 81 key_set "$1" BASEFILE "$BASE_FILE" 82 # Save creation date. 83 key_set "$1" CREATED "${KEY_CREATED}" 84} 85 86# Clear key state. 87# 88# This will update either the KEY1, KEY2, or KEY3 array. 89key_clear() { 90 key_set "$1" "ID" 'no' 91 key_set "$1" "IDPAD" 'no' 92 key_set "$1" "EXPECT" 'no' 93 key_set "$1" "ROLE" 'none' 94 key_set "$1" "KSK" 'no' 95 key_set "$1" "ZSK" 'no' 96 key_set "$1" "LIFETIME" 'none' 97 key_set "$1" "ALG_NUM" '0' 98 key_set "$1" "ALG_STR" 'none' 99 key_set "$1" "ALG_LEN" '0' 100 key_set "$1" "CREATED" '0' 101 key_set "$1" "PUBLISHED" 'none' 102 key_set "$1" "SYNCPUBLISH" 'none' 103 key_set "$1" "ACTIVE" 'none' 104 key_set "$1" "RETIRED" 'none' 105 key_set "$1" "REVOKED" 'none' 106 key_set "$1" "REMOVED" 'none' 107 key_set "$1" "GOAL" 'none' 108 key_set "$1" "STATE_DNSKEY" 'none' 109 key_set "$1" "STATE_KRRSIG" 'none' 110 key_set "$1" "STATE_ZRRSIG" 'none' 111 key_set "$1" "STATE_DS" 'none' 112 key_set "$1" "EXPECT_ZRRSIG" 'no' 113 key_set "$1" "EXPECT_KRRSIG" 'no' 114 key_set "$1" "LEGACY" 'no' 115} 116 117# Start clear. 118# There can be at most 4 keys at the same time during a rollover: 119# 2x KSK, 2x ZSK 120key_clear "KEY1" 121key_clear "KEY2" 122key_clear "KEY3" 123key_clear "KEY4" 124 125############################################################################### 126# Utilities # 127############################################################################### 128 129# Call dig with default options. 130dig_with_opts() { 131 if [ -n "$TSIG" ]; then 132 "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" 133 else 134 "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" 135 fi 136} 137 138# RNDC. 139rndccmd() { 140 "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@" 141} 142 143# Print IDs of keys used for generating RRSIG records for RRsets of type $1 144# found in dig output file $2. 145get_keys_which_signed() { 146 _qtype=$1 147 _output=$2 148 # The key ID is the 11th column of the RRSIG record line. 149 awk -v qt="$_qtype" '$4 == "RRSIG" && $5 == qt {print $11}' < "$_output" 150} 151 152# Get the key ids from key files for zone $2 in directory $1. 153get_keyids() { 154 _dir=$1 155 _zone=$2 156 _regex="K${_zone}.+*+*.key" 157 158 find "${_dir}" -mindepth 1 -maxdepth 1 -name "${_regex}" | sed "s,$_dir/K${_zone}.+\([0-9]\{3\}\)+\([0-9]\{5\}\).key,\2," 159} 160 161# By default log errors and don't quit immediately. 162_log=1 163log_error() { 164 test $_log -eq 1 && echo_i "error: $1" 165 ret=$((ret+1)) 166} 167# Set server key-directory ($1) and address ($2) for testing keys. 168set_server() { 169 DIR=$1 170 SERVER=$2 171} 172# Set zone name for testing keys. 173set_zone() { 174 ZONE=$1 175} 176# Set policy settings (name $1, number of keys $2, dnskey ttl $3) for testing keys. 177set_policy() { 178 POLICY=$1 179 NUM_KEYS=$2 180 DNSKEY_TTL=$3 181} 182 183# Set key properties for testing keys. 184# $1: Key to update (KEY1, KEY2, ...) 185# $2: Value 186set_keyrole() { 187 key_set "$1" "EXPECT" "yes" 188 key_set "$1" "ROLE" "$2" 189 key_set "$1" "KSK" "no" 190 key_set "$1" "ZSK" "no" 191 test "$2" = "ksk" && key_set "$1" "KSK" "yes" 192 test "$2" = "zsk" && key_set "$1" "ZSK" "yes" 193 test "$2" = "csk" && key_set "$1" "KSK" "yes" 194 test "$2" = "csk" && key_set "$1" "ZSK" "yes" 195} 196set_keylifetime() { 197 key_set "$1" "EXPECT" "yes" 198 key_set "$1" "LIFETIME" "$2" 199} 200# The algorithm value consists of three parts: 201# $2: Algorithm (number) 202# $3: Algorithm (string-format) 203# $4: Algorithm length 204set_keyalgorithm() { 205 key_set "$1" "EXPECT" "yes" 206 key_set "$1" "ALG_NUM" "$2" 207 key_set "$1" "ALG_STR" "$3" 208 key_set "$1" "ALG_LEN" "$4" 209} 210set_keysigning() { 211 key_set "$1" "EXPECT" "yes" 212 key_set "$1" "EXPECT_KRRSIG" "$2" 213} 214set_zonesigning() { 215 key_set "$1" "EXPECT" "yes" 216 key_set "$1" "EXPECT_ZRRSIG" "$2" 217} 218 219# Set key timing metadata. Set to "none" to unset. 220# $1: Key to update (KEY1, KEY2, ...) 221# $2: Time to update (PUBLISHED, SYNCPUBLISH, ACTIVE, RETIRED, REVOKED, or REMOVED). 222# $3: Value 223set_keytime() { 224 key_set "$1" "EXPECT" "yes" 225 key_set "$1" "$2" "$3" 226} 227 228# Set key timing metadata to a value plus additional time. 229# $1: Key to update (KEY1, KEY2, ...) 230# $2: Time to update (PUBLISHED, SYNCPUBLISH, ACTIVE, RETIRED, REVOKED, or REMOVED). 231# $3: Value 232# $4: Additional time. 233set_addkeytime() { 234 if [ -x "$PYTHON" ]; then 235 # Convert "%Y%m%d%H%M%S" format to epoch seconds. 236 # Then, add the additional time (can be negative). 237 _value=$3 238 _plus=$4 239 $PYTHON > python.out.$ZONE.$1.$2 <<EOF 240from datetime import datetime 241from datetime import timedelta 242_now = datetime.strptime("$_value", "%Y%m%d%H%M%S") 243_delta = timedelta(seconds=$_plus) 244_then = _now + _delta 245print(_then.strftime("%Y%m%d%H%M%S")); 246EOF 247 # Set the expected timing metadata. 248 key_set "$1" "$2" $(cat python.out.$ZONE.$1.$2) 249 fi 250} 251 252# Set key state metadata. Set to "none" to unset. 253# $1: Key to update (KEY1, KEY2, ...) 254# $2: Key state to update (GOAL, STATE_DNSKEY, STATE_ZRRSIG, STATE_KRRSIG, or STATE_DS) 255# $3: Value 256set_keystate() { 257 key_set "$1" "EXPECT" "yes" 258 key_set "$1" "$2" "$3" 259} 260 261# Check the key $1 with id $2. 262# This requires environment variables to be set. 263# 264# This will set the following environment variables for testing: 265# BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" 266# KEY_FILE="${BASE_FILE}.key" 267# PRIVATE_FILE="${BASE_FILE}.private" 268# STATE_FILE="${BASE_FILE}.state" 269# KEY_ID=$(echo $1 | sed 's/^0\{0,4\}//') 270# KEY_CREATED (from the KEY_FILE) 271check_key() { 272 _dir="$DIR" 273 _zone="$ZONE" 274 _role=$(key_get "$1" ROLE) 275 _key_idpad="$2" 276 _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') 277 _alg_num=$(key_get "$1" ALG_NUM) 278 _alg_numpad=$(printf "%03d" "$_alg_num") 279 _alg_string=$(key_get "$1" ALG_STR) 280 _length=$(key_get "$1" "ALG_LEN") 281 _dnskey_ttl="$DNSKEY_TTL" 282 _lifetime=$(key_get "$1" LIFETIME) 283 _legacy=$(key_get "$1" LEGACY) 284 285 _published=$(key_get "$1" PUBLISHED) 286 _active=$(key_get "$1" ACTIVE) 287 _retired=$(key_get "$1" RETIRED) 288 _revoked=$(key_get "$1" REVOKED) 289 _removed=$(key_get "$1" REMOVED) 290 291 _goal=$(key_get "$1" GOAL) 292 _state_dnskey=$(key_get "$1" STATE_DNSKEY) 293 _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) 294 _state_krrsig=$(key_get "$1" STATE_KRRSIG) 295 _state_ds=$(key_get "$1" STATE_DS) 296 297 _ksk="no" 298 _zsk="no" 299 if [ "$_role" = "ksk" ]; then 300 _role2="key-signing" 301 _ksk="yes" 302 _flags="257" 303 elif [ "$_role" = "zsk" ]; then 304 _role2="zone-signing" 305 _zsk="yes" 306 _flags="256" 307 elif [ "$_role" = "csk" ]; then 308 _role2="key-signing" 309 _zsk="yes" 310 _ksk="yes" 311 _flags="257" 312 fi 313 314 BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" 315 KEY_FILE="${BASE_FILE}.key" 316 PRIVATE_FILE="${BASE_FILE}.private" 317 STATE_FILE="${BASE_FILE}.state" 318 KEY_ID="${_key_id}" 319 320 # Check file existence. 321 [ -s "$KEY_FILE" ] || ret=1 322 [ -s "$PRIVATE_FILE" ] || ret=1 323 if [ "$_legacy" == "no" ]; then 324 [ -s "$STATE_FILE" ] || ret=1 325 fi 326 [ "$ret" -eq 0 ] || log_error "${BASE_FILE} files missing" 327 [ "$ret" -eq 0 ] || return 328 329 # Retrieve creation date. 330 grep "; Created:" "$KEY_FILE" > "${ZONE}.${KEY_ID}.${_alg_num}.created" || log_error "mismatch created comment in $KEY_FILE" 331 KEY_CREATED=$(awk '{print $3}' < "${ZONE}.${KEY_ID}.${_alg_num}.created") 332 333 grep "Created: ${KEY_CREATED}" "$PRIVATE_FILE" > /dev/null || log_error "mismatch created in $PRIVATE_FILE" 334 if [ "$_legacy" == "no" ]; then 335 grep "Generated: ${KEY_CREATED}" "$STATE_FILE" > /dev/null || log_error "mismatch generated in $STATE_FILE" 336 fi 337 338 test $_log -eq 1 && echo_i "check key file $BASE_FILE" 339 340 # Check the public key file. 341 grep "This is a ${_role2} key, keyid ${_key_id}, for ${_zone}." "$KEY_FILE" > /dev/null || log_error "mismatch top comment in $KEY_FILE" 342 grep "${_zone}\. ${_dnskey_ttl} IN DNSKEY ${_flags} 3 ${_alg_num}" "$KEY_FILE" > /dev/null || log_error "mismatch DNSKEY record in $KEY_FILE" 343 # Now check the private key file. 344 grep "Private-key-format: v1.3" "$PRIVATE_FILE" > /dev/null || log_error "mismatch private key format in $PRIVATE_FILE" 345 grep "Algorithm: ${_alg_num} (${_alg_string})" "$PRIVATE_FILE" > /dev/null || log_error "mismatch algorithm in $PRIVATE_FILE" 346 # Now check the key state file. 347 if [ "$_legacy" == "no" ]; then 348 grep "This is the state of key ${_key_id}, for ${_zone}." "$STATE_FILE" > /dev/null || log_error "mismatch top comment in $STATE_FILE" 349 if [ "$_lifetime" == "none" ]; then 350 grep "Lifetime: " "$STATE_FILE" > /dev/null && log_error "unexpected lifetime in $STATE_FILE" 351 else 352 grep "Lifetime: ${_lifetime}" "$STATE_FILE" > /dev/null || log_error "mismatch lifetime in $STATE_FILE" 353 fi 354 grep "Algorithm: ${_alg_num}" "$STATE_FILE" > /dev/null || log_error "mismatch algorithm in $STATE_FILE" 355 grep "Length: ${_length}" "$STATE_FILE" > /dev/null || log_error "mismatch length in $STATE_FILE" 356 grep "KSK: ${_ksk}" "$STATE_FILE" > /dev/null || log_error "mismatch ksk in $STATE_FILE" 357 grep "ZSK: ${_zsk}" "$STATE_FILE" > /dev/null || log_error "mismatch zsk in $STATE_FILE" 358 359 # Check key states. 360 if [ "$_goal" = "none" ]; then 361 grep "GoalState: " "$STATE_FILE" > /dev/null && log_error "unexpected goal state in $STATE_FILE" 362 else 363 grep "GoalState: ${_goal}" "$STATE_FILE" > /dev/null || log_error "mismatch goal state in $STATE_FILE" 364 fi 365 366 if [ "$_state_dnskey" = "none" ]; then 367 grep "DNSKEYState: " "$STATE_FILE" > /dev/null && log_error "unexpected dnskey state in $STATE_FILE" 368 grep "DNSKEYChange: " "$STATE_FILE" > /dev/null && log_error "unexpected dnskey change in $STATE_FILE" 369 else 370 grep "DNSKEYState: ${_state_dnskey}" "$STATE_FILE" > /dev/null || log_error "mismatch dnskey state in $STATE_FILE" 371 grep "DNSKEYChange: " "$STATE_FILE" > /dev/null || log_error "mismatch dnskey change in $STATE_FILE" 372 fi 373 374 if [ "$_state_zrrsig" = "none" ]; then 375 grep "ZRRSIGState: " "$STATE_FILE" > /dev/null && log_error "unexpected zrrsig state in $STATE_FILE" 376 grep "ZRRSIGChange: " "$STATE_FILE" > /dev/null && log_error "unexpected zrrsig change in $STATE_FILE" 377 else 378 grep "ZRRSIGState: ${_state_zrrsig}" "$STATE_FILE" > /dev/null || log_error "mismatch zrrsig state in $STATE_FILE" 379 grep "ZRRSIGChange: " "$STATE_FILE" > /dev/null || log_error "mismatch zrrsig change in $STATE_FILE" 380 fi 381 382 if [ "$_state_krrsig" = "none" ]; then 383 grep "KRRSIGState: " "$STATE_FILE" > /dev/null && log_error "unexpected krrsig state in $STATE_FILE" 384 grep "KRRSIGChange: " "$STATE_FILE" > /dev/null && log_error "unexpected krrsig change in $STATE_FILE" 385 else 386 grep "KRRSIGState: ${_state_krrsig}" "$STATE_FILE" > /dev/null || log_error "mismatch krrsig state in $STATE_FILE" 387 grep "KRRSIGChange: " "$STATE_FILE" > /dev/null || log_error "mismatch krrsig change in $STATE_FILE" 388 fi 389 390 if [ "$_state_ds" = "none" ]; then 391 grep "DSState: " "$STATE_FILE" > /dev/null && log_error "unexpected ds state in $STATE_FILE" 392 grep "DSChange: " "$STATE_FILE" > /dev/null && log_error "unexpected ds change in $STATE_FILE" 393 else 394 grep "DSState: ${_state_ds}" "$STATE_FILE" > /dev/null || log_error "mismatch ds state in $STATE_FILE" 395 grep "DSChange: " "$STATE_FILE" > /dev/null || log_error "mismatch ds change in $STATE_FILE" 396 fi 397 fi 398} 399 400# Check the key timing metadata for key $1. 401check_timingmetadata() { 402 _dir="$DIR" 403 _zone="$ZONE" 404 _key_idpad=$(key_get "$1" ID) 405 _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') 406 _alg_num=$(key_get "$1" ALG_NUM) 407 _alg_numpad=$(printf "%03d" "$_alg_num") 408 409 _published=$(key_get "$1" PUBLISHED) 410 _active=$(key_get "$1" ACTIVE) 411 _retired=$(key_get "$1" RETIRED) 412 _revoked=$(key_get "$1" REVOKED) 413 _removed=$(key_get "$1" REMOVED) 414 415 _goal=$(key_get "$1" GOAL) 416 _state_dnskey=$(key_get "$1" STATE_DNSKEY) 417 _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) 418 _state_krrsig=$(key_get "$1" STATE_KRRSIG) 419 _state_ds=$(key_get "$1" STATE_DS) 420 421 _base_file=$(key_get "$1" BASEFILE) 422 _key_file="${_base_file}.key" 423 _private_file="${_base_file}.private" 424 _state_file="${_base_file}.state" 425 426 _published=$(key_get "$1" PUBLISHED) 427 _syncpublish=$(key_get "$1" SYNCPUBLISH) 428 _active=$(key_get "$1" ACTIVE) 429 _retired=$(key_get "$1" RETIRED) 430 _revoked=$(key_get "$1" REVOKED) 431 _removed=$(key_get "$1" REMOVED) 432 433 # Check timing metadata. 434 n=$((n+1)) 435 echo_i "check key timing metadata for key $1 id ${_key_id} zone ${ZONE} ($n)" 436 ret=0 437 438 if [ "$_published" = "none" ]; then 439 grep "; Publish:" "${_key_file}" > /dev/null && log_error "unexpected publish comment in ${_key_file}" 440 grep "Publish:" "${_private_file}" > /dev/null && log_error "unexpected publish in ${_private_file}" 441 if [ "$_legacy" == "no" ]; then 442 grep "Published: " "${_state_file}" > /dev/null && log_error "unexpected publish in ${_state_file}" 443 fi 444 else 445 grep "; Publish: $_published" "${_key_file}" > /dev/null || log_error "mismatch publish comment in ${_key_file} (expected ${_published})" 446 grep "Publish: $_published" "${_private_file}" > /dev/null || log_error "mismatch publish in ${_private_file} (expected ${_published})" 447 if [ "$_legacy" == "no" ]; then 448 grep "Published: $_published" "${_state_file}" > /dev/null || log_error "mismatch publish in ${_state_file} (expected ${_published})" 449 fi 450 fi 451 452 if [ "$_syncpublish" = "none" ]; then 453 grep "; SyncPublish:" "${_key_file}" > /dev/null && log_error "unexpected syncpublish comment in ${_key_file}" 454 grep "SyncPublish:" "${_private_file}" > /dev/null && log_error "unexpected syncpublish in ${_private_file}" 455 if [ "$_legacy" == "no" ]; then 456 grep "PublishCDS: " "${_state_file}" > /dev/null && log_error "unexpected syncpublish in ${_state_file}" 457 fi 458 else 459 grep "; SyncPublish: $_syncpublish" "${_key_file}" > /dev/null || log_error "mismatch syncpublish comment in ${_key_file} (expected ${_syncpublish})" 460 grep "SyncPublish: $_syncpublish" "${_private_file}" > /dev/null || log_error "mismatch syncpublish in ${_private_file} (expected ${_syncpublish})" 461 if [ "$_legacy" == "no" ]; then 462 grep "PublishCDS: $_syncpublish" "${_state_file}" > /dev/null || log_error "mismatch syncpublish in ${_state_file} (expected ${_syncpublish})" 463 fi 464 fi 465 466 if [ "$_active" = "none" ]; then 467 grep "; Activate:" "${_key_file}" > /dev/null && log_error "unexpected active comment in ${_key_file}" 468 grep "Activate:" "${_private_file}" > /dev/null && log_error "unexpected active in ${_private_file}" 469 if [ "$_legacy" == "no" ]; then 470 grep "Active: " "${_state_file}" > /dev/null && log_error "unexpected active in ${_state_file}" 471 fi 472 else 473 grep "; Activate: $_active" "${_key_file}" > /dev/null || log_error "mismatch active comment in ${_key_file} (expected ${_active})" 474 grep "Activate: $_active" "${_private_file}" > /dev/null || log_error "mismatch active in ${_private_file} (expected ${_active})" 475 if [ "$_legacy" == "no" ]; then 476 grep "Active: $_active" "${_state_file}" > /dev/null || log_error "mismatch active in ${_state_file} (expected ${_active})" 477 fi 478 fi 479 480 if [ "$_retired" = "none" ]; then 481 grep "; Inactive:" "${_key_file}" > /dev/null && log_error "unexpected retired comment in ${_key_file}" 482 grep "Inactive:" "${_private_file}" > /dev/null && log_error "unexpected retired in ${_private_file}" 483 if [ "$_legacy" == "no" ]; then 484 grep "Retired: " "${_state_file}" > /dev/null && log_error "unexpected retired in ${_state_file}" 485 fi 486 else 487 grep "; Inactive: $_retired" "${_key_file}" > /dev/null || log_error "mismatch retired comment in ${_key_file} (expected ${_retired})" 488 grep "Inactive: $_retired" "${_private_file}" > /dev/null || log_error "mismatch retired in ${_private_file} (expected ${_retired})" 489 if [ "$_legacy" == "no" ]; then 490 grep "Retired: $_retired" "${_state_file}" > /dev/null || log_error "mismatch retired in ${_state_file} (expected ${_retired})" 491 fi 492 fi 493 494 if [ "$_revoked" = "none" ]; then 495 grep "; Revoke:" "${_key_file}" > /dev/null && log_error "unexpected revoked comment in ${_key_file}" 496 grep "Revoke:" "${_private_file}" > /dev/null && log_error "unexpected revoked in ${_private_file}" 497 if [ "$_legacy" == "no" ]; then 498 grep "Revoked: " "${_state_file}" > /dev/null && log_error "unexpected revoked in ${_state_file}" 499 fi 500 else 501 grep "; Revoke: $_revoked" "${_key_file}" > /dev/null || log_error "mismatch revoked comment in ${_key_file} (expected ${_revoked})" 502 grep "Revoke: $_revoked" "${_private_file}" > /dev/null || log_error "mismatch revoked in ${_private_file} (expected ${_revoked})" 503 if [ "$_legacy" == "no" ]; then 504 grep "Revoked: $_revoked" "${_state_file}" > /dev/null || log_error "mismatch revoked in ${_state_file} (expected ${_revoked})" 505 fi 506 fi 507 508 if [ "$_removed" = "none" ]; then 509 grep "; Delete:" "${_key_file}" > /dev/null && log_error "unexpected removed comment in ${_key_file}" 510 grep "Delete:" "${_private_file}" > /dev/null && log_error "unexpected removed in ${_private_file}" 511 if [ "$_legacy" == "no" ]; then 512 grep "Removed: " "${_state_file}" > /dev/null && log_error "unexpected removed in ${_state_file}" 513 fi 514 else 515 grep "; Delete: $_removed" "${_key_file}" > /dev/null || log_error "mismatch removed comment in ${_key_file} (expected ${_removed})" 516 grep "Delete: $_removed" "${_private_file}" > /dev/null || log_error "mismatch removed in ${_private_file} (expected ${_removed})" 517 if [ "$_legacy" == "no" ]; then 518 grep "Removed: $_removed" "${_state_file}" > /dev/null || log_error "mismatch removed in ${_state_file} (expected ${_removed})" 519 fi 520 fi 521 522 test "$ret" -eq 0 || echo_i "failed" 523 status=$((status+ret)) 524} 525 526check_keytimes() { 527 # The script relies on Python to set keytimes. 528 if [ -x "$PYTHON" ]; then 529 530 if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then 531 check_timingmetadata "KEY1" 532 fi 533 if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then 534 check_timingmetadata "KEY2" 535 fi 536 if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then 537 check_timingmetadata "KEY3" 538 fi 539 if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then 540 check_timingmetadata "KEY4" 541 fi 542 fi 543} 544 545# Check the key with key id $1 and see if it is unused. 546# This requires environment variables to be set. 547# 548# This will set the following environment variables for testing: 549# BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" 550# KEY_FILE="${BASE_FILE}.key" 551# PRIVATE_FILE="${BASE_FILE}.private" 552# STATE_FILE="${BASE_FILE}.state" 553# KEY_ID=$(echo $1 | sed 's/^0\{0,4\}//') 554key_unused() { 555 _dir=$DIR 556 _zone=$ZONE 557 _key_idpad=$1 558 _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') 559 _alg_num=$2 560 _alg_numpad=$(printf "%03d" "$_alg_num") 561 562 BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" 563 KEY_FILE="${BASE_FILE}.key" 564 PRIVATE_FILE="${BASE_FILE}.private" 565 STATE_FILE="${BASE_FILE}.state" 566 KEY_ID="${_key_id}" 567 568 test $_log -eq 1 && echo_i "key unused $KEY_ID?" 569 570 # Check file existence. 571 [ -s "$KEY_FILE" ] || ret=1 572 [ -s "$PRIVATE_FILE" ] || ret=1 573 [ -s "$STATE_FILE" ] || ret=1 574 [ "$ret" -eq 0 ] || return 575 576 # Check timing metadata. 577 grep "; Publish:" "$KEY_FILE" > /dev/null && log_error "unexpected publish comment in $KEY_FILE" 578 grep "; Activate:" "$KEY_FILE" > /dev/null && log_error "unexpected active comment in $KEY_FILE" 579 grep "; Inactive:" "$KEY_FILE" > /dev/null && log_error "unexpected retired comment in $KEY_FILE" 580 grep "; Revoke:" "$KEY_FILE" > /dev/null && log_error "unexpected revoked comment in $KEY_FILE" 581 grep "; Delete:" "$KEY_FILE" > /dev/null && log_error "unexpected removed comment in $KEY_FILE" 582 583 grep "Publish:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected publish in $PRIVATE_FILE" 584 grep "Activate:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected active in $PRIVATE_FILE" 585 grep "Inactive:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected retired in $PRIVATE_FILE" 586 grep "Revoke:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected revoked in $PRIVATE_FILE" 587 grep "Delete:" "$PRIVATE_FILE" > /dev/null && log_error "unexpected removed in $PRIVATE_FILE" 588 589 if [ "$_legacy" == "no" ]; then 590 grep "Published: " "$STATE_FILE" > /dev/null && log_error "unexpected publish in $STATE_FILE" 591 grep "Active: " "$STATE_FILE" > /dev/null && log_error "unexpected active in $STATE_FILE" 592 grep "Retired: " "$STATE_FILE" > /dev/null && log_error "unexpected retired in $STATE_FILE" 593 grep "Revoked: " "$STATE_FILE" > /dev/null && log_error "unexpected revoked in $STATE_FILE" 594 grep "Removed: " "$STATE_FILE" > /dev/null && log_error "unexpected removed in $STATE_FILE" 595 fi 596} 597 598# Test: dnssec-verify zone $1. 599dnssec_verify() 600{ 601 n=$((n+1)) 602 echo_i "dnssec-verify zone ${ZONE} ($n)" 603 ret=0 604 dig_with_opts "$ZONE" "@${SERVER}" AXFR > dig.out.axfr.test$n || log_error "dig ${ZONE} AXFR failed" 605 $VERIFY -z -o "$ZONE" dig.out.axfr.test$n > /dev/null || log_error "dnssec verify zone $ZONE failed" 606 test "$ret" -eq 0 || echo_i "failed" 607 status=$((status+ret)) 608} 609 610# Wait for the zone to be signed. 611# The apex NSEC record indicates that it is signed. 612_wait_for_nsec() { 613 dig_with_opts "@${SERVER}" -y "$TSIG" "$ZONE" NSEC > "dig.out.nsec.test$n" || return 1 614 grep "NS SOA" "dig.out.nsec.test$n" > /dev/null || return 1 615 grep "${ZONE}\..*IN.*RRSIG" "dig.out.nsec.test$n" > /dev/null || return 1 616 return 0 617} 618 619wait_for_nsec() { 620 n=$((n+1)) 621 ret=0 622 echo_i "wait for ${ZONE} to be signed ($n)" 623 retry_quiet 10 _wait_for_nsec || log_error "wait for ${ZONE} to be signed failed" 624 test "$ret" -eq 0 || echo_i "failed" 625 status=$((status+ret)) 626} 627 628# Default next key event threshold. May be extended by wait periods. 629next_key_event_threshold=100 630 631############################################################################### 632# Tests # 633############################################################################### 634 635# 636# dnssec-keygen 637# 638set_zone "kasp" 639set_policy "kasp" "4" "200" 640set_server "keys" "10.53.0.1" 641 642n=$((n+1)) 643echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)" 644ret=0 645$KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 646lines=$(wc -l < "keygen.out.$POLICY.test$n") 647test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy kasp: $lines" 648# Temporarily don't log errors because we are searching multiple files. 649_log=0 650 651# Key properties. 652set_keyrole "KEY1" "csk" 653set_keylifetime "KEY1" "31536000" 654set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 655set_keysigning "KEY1" "yes" 656set_zonesigning "KEY1" "yes" 657 658set_keyrole "KEY2" "ksk" 659set_keylifetime "KEY2" "31536000" 660set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" 661set_keysigning "KEY2" "yes" 662set_zonesigning "KEY2" "no" 663 664set_keyrole "KEY3" "zsk" 665set_keylifetime "KEY3" "2592000" 666set_keyalgorithm "KEY3" "8" "RSASHA256" "1024" 667set_keysigning "KEY3" "no" 668set_zonesigning "KEY3" "yes" 669 670set_keyrole "KEY4" "zsk" 671set_keylifetime "KEY4" "16070400" 672set_keyalgorithm "KEY4" "8" "RSASHA256" "2000" 673set_keysigning "KEY4" "no" 674set_zonesigning "KEY4" "yes" 675 676lines=$(get_keyids "$DIR" "$ZONE" | wc -l) 677test "$lines" -eq $NUM_KEYS || log_error "bad number of key ids" 678 679ids=$(get_keyids "$DIR" "$ZONE") 680for id in $ids; do 681 # There are four key files with the same algorithm. 682 # Check them until a match is found. 683 ret=0 && check_key "KEY1" "$id" 684 test "$ret" -eq 0 && continue 685 686 ret=0 && check_key "KEY2" "$id" 687 test "$ret" -eq 0 && continue 688 689 ret=0 && check_key "KEY3" "$id" 690 test "$ret" -eq 0 && continue 691 692 ret=0 && check_key "KEY4" "$id" 693 694 # If ret is still non-zero, non of the files matched. 695 test "$ret" -eq 0 || echo_i "failed" 696 status=$((status+ret)) 697done 698# Turn error logs on again. 699_log=1 700 701n=$((n+1)) 702echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)" 703ret=0 704set_zone "kasp" 705set_policy "default" "1" "3600" 706set_server "." "10.53.0.1" 707# Key properties. 708set_keyrole "KEY1" "csk" 709set_keylifetime "KEY1" "0" 710set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 711set_keysigning "KEY1" "yes" 712set_zonesigning "KEY1" "yes" 713 714key_clear "KEY2" 715key_clear "KEY3" 716key_clear "KEY4" 717 718$KEYGEN -G -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 719lines=$(wc -l < "keygen.out.$POLICY.test$n") 720test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy default: $lines" 721ids=$(get_keyids "$DIR" "$ZONE") 722for id in $ids; do 723 check_key "KEY1" "$id" 724 test "$ret" -eq 0 && key_save KEY1 725 check_keytimes 726done 727test "$ret" -eq 0 || echo_i "failed" 728status=$((status+ret)) 729 730# 731# dnssec-settime 732# 733 734# These test builds upon the latest created key with dnssec-keygen and uses the 735# environment variables BASE_FILE, KEY_FILE, PRIVATE_FILE and STATE_FILE. 736CMP_FILE="${BASE_FILE}.cmp" 737n=$((n+1)) 738echo_i "check that 'dnssec-settime' by default does not edit key state file ($n)" 739ret=0 740cp "$STATE_FILE" "$CMP_FILE" 741$SETTIME -P +3600 "$BASE_FILE" > /dev/null || log_error "settime failed" 742grep "; Publish: " "$KEY_FILE" > /dev/null || log_error "mismatch published in $KEY_FILE" 743grep "Publish: " "$PRIVATE_FILE" > /dev/null || log_error "mismatch published in $PRIVATE_FILE" 744$DIFF "$CMP_FILE" "$STATE_FILE" || log_error "unexpected file change in $STATE_FILE" 745test "$ret" -eq 0 || echo_i "failed" 746status=$((status+ret)) 747 748n=$((n+1)) 749echo_i "check that 'dnssec-settime -s' also sets publish time metadata and states in key state file ($n)" 750ret=0 751cp "$STATE_FILE" "$CMP_FILE" 752now=$(date +%Y%m%d%H%M%S) 753$SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" 754set_keystate "KEY1" "GOAL" "omnipresent" 755set_keystate "KEY1" "STATE_DNSKEY" "rumoured" 756set_keystate "KEY1" "STATE_KRRSIG" "rumoured" 757set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" 758set_keystate "KEY1" "STATE_DS" "hidden" 759check_key "KEY1" "$id" 760test "$ret" -eq 0 && key_save KEY1 761set_keytime "KEY1" "PUBLISHED" "${now}" 762check_keytimes 763test "$ret" -eq 0 || echo_i "failed" 764status=$((status+ret)) 765 766n=$((n+1)) 767echo_i "check that 'dnssec-settime -s' also unsets publish time metadata and states in key state file ($n)" 768ret=0 769cp "$STATE_FILE" "$CMP_FILE" 770$SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" 771set_keystate "KEY1" "GOAL" "none" 772set_keystate "KEY1" "STATE_DNSKEY" "none" 773set_keystate "KEY1" "STATE_KRRSIG" "none" 774set_keystate "KEY1" "STATE_ZRRSIG" "none" 775set_keystate "KEY1" "STATE_DS" "none" 776check_key "KEY1" "$id" 777test "$ret" -eq 0 && key_save KEY1 778set_keytime "KEY1" "PUBLISHED" "none" 779check_keytimes 780test "$ret" -eq 0 || echo_i "failed" 781status=$((status+ret)) 782 783n=$((n+1)) 784echo_i "check that 'dnssec-settime -s' also sets active time metadata and states in key state file (uppercase) ($n)" 785ret=0 786cp "$STATE_FILE" "$CMP_FILE" 787now=$(date +%Y%m%d%H%M%S) 788$SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" 789set_keystate "KEY1" "GOAL" "hidden" 790set_keystate "KEY1" "STATE_DNSKEY" "unretentive" 791set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 792set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" 793set_keystate "KEY1" "STATE_DS" "omnipresent" 794check_key "KEY1" "$id" 795test "$ret" -eq 0 && key_save KEY1 796set_keytime "KEY1" "ACTIVE" "${now}" 797check_keytimes 798test "$ret" -eq 0 || echo_i "failed" 799status=$((status+ret)) 800 801# 802# named 803# 804 805# The NSEC record at the apex of the zone and its RRSIG records are 806# added as part of the last step in signing a zone. We wait for the 807# NSEC records to appear before proceeding with a counter to prevent 808# infinite loops if there is an error. 809n=$((n+1)) 810echo_i "waiting for kasp signing changes to take effect ($n)" 811 812_wait_for_done_apexnsec() { 813 while read -r zone 814 do 815 dig_with_opts "$zone" @10.53.0.3 nsec > "dig.out.ns3.test$n.$zone" || return 1 816 grep "NS SOA" "dig.out.ns3.test$n.$zone" > /dev/null || return 1 817 grep "$zone\..*IN.*RRSIG" "dig.out.ns3.test$n.$zone" > /dev/null || return 1 818 done < ns3/zones 819 820 while read -r zone 821 do 822 dig_with_opts "$zone" @10.53.0.6 nsec > "dig.out.ns6.test$n.$zone" || return 1 823 grep "NS SOA" "dig.out.ns6.test$n.$zone" > /dev/null || return 1 824 grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" > /dev/null || return 1 825 done < ns6/zones 826 827 return 0 828} 829retry_quiet 30 _wait_for_done_apexnsec || ret=1 830test "$ret" -eq 0 || echo_i "failed" 831status=$((status+ret)) 832 833next_key_event_threshold=$((next_key_event_threshold+i)) 834 835# Check keys for a configured zone. This verifies: 836# 1. The right number of keys exist in the key pool ($1). 837# 2. The right number of keys is active. Checks KEY1, KEY2, KEY3, and KEY4. 838# 839# It is expected that KEY1, KEY2, KEY3, and KEY4 arrays are set correctly. 840# Found key identifiers are stored in the right key array. 841check_keys() 842{ 843 n=$((n+1)) 844 echo_i "check keys are created for zone ${ZONE} ($n)" 845 ret=0 846 847 echo_i "check number of keys for zone ${ZONE} in dir ${DIR} ($n)" 848 _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l) 849 test "$_numkeys" -eq "$NUM_KEYS" || log_error "bad number ($_numkeys) of key files for zone $ZONE (expected $NUM_KEYS)" 850 test "$ret" -eq 0 || echo_i "failed" 851 status=$((status+ret)) 852 853 # Temporarily don't log errors because we are searching multiple files. 854 _log=0 855 856 # Clear key ids. 857 key_set KEY1 ID "no" 858 key_set KEY2 ID "no" 859 key_set KEY3 ID "no" 860 key_set KEY4 ID "no" 861 862 # Check key files. 863 _ids=$(get_keyids "$DIR" "$ZONE") 864 for _id in $_ids; do 865 # There are three key files with the same algorithm. 866 # Check them until a match is found. 867 echo_i "check key id $_id" 868 869 if [ "no" = "$(key_get KEY1 ID)" ] && [ "$(key_get KEY1 EXPECT)" = "yes" ]; then 870 ret=0 871 check_key "KEY1" "$_id" 872 test "$ret" -eq 0 && key_save KEY1 && continue 873 fi 874 if [ "no" = "$(key_get KEY2 ID)" ] && [ "$(key_get KEY2 EXPECT)" = "yes" ]; then 875 ret=0 876 check_key "KEY2" "$_id" 877 test "$ret" -eq 0 && key_save KEY2 && continue 878 fi 879 if [ "no" = "$(key_get KEY3 ID)" ] && [ "$(key_get KEY3 EXPECT)" = "yes" ]; then 880 ret=0 881 check_key "KEY3" "$_id" 882 test "$ret" -eq 0 && key_save KEY3 && continue 883 fi 884 if [ "no" = "$(key_get KEY4 ID)" ] && [ "$(key_get KEY4 EXPECT)" = "yes" ]; then 885 ret=0 886 check_key "KEY4" "$_id" 887 test "$ret" -eq 0 && key_save KEY4 && continue 888 fi 889 890 # This may be an unused key. Assume algorithm of KEY1. 891 ret=0 && key_unused "$_id" "$(key_get KEY1 ALG_NUM)" 892 test "$ret" -eq 0 && continue 893 894 # If ret is still non-zero, none of the files matched. 895 test "$ret" -eq 0 || echo_i "failed" 896 status=$((status+1)) 897 done 898 899 # Turn error logs on again. 900 _log=1 901 902 ret=0 903 if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then 904 echo_i "KEY1 ID $(key_get KEY1 ID)" 905 test "no" = "$(key_get KEY1 ID)" && log_error "No KEY1 found for zone ${ZONE}" 906 fi 907 if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then 908 echo_i "KEY2 ID $(key_get KEY2 ID)" 909 test "no" = "$(key_get KEY2 ID)" && log_error "No KEY2 found for zone ${ZONE}" 910 fi 911 if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then 912 echo_i "KEY3 ID $(key_get KEY3 ID)" 913 test "no" = "$(key_get KEY3 ID)" && log_error "No KEY3 found for zone ${ZONE}" 914 fi 915 if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then 916 echo_i "KEY4 ID $(key_get KEY4 ID)" 917 test "no" = "$(key_get KEY4 ID)" && log_error "No KEY4 found for zone ${ZONE}" 918 fi 919 test "$ret" -eq 0 || echo_i "failed" 920 status=$((status+ret)) 921} 922 923# Call rndc dnssec -status on server $1 for zone $2 and check output. 924# This is a loose verification, it just tests if the right policy 925# name is returned, and if all expected keys are listed. The rndc 926# dnssec -status output also lists whether a key is published, 927# used for signing, is retired, or is removed, and if not when 928# it is scheduled to do so, and it shows the states for the various 929# DNSSEC records. 930check_dnssecstatus() { 931 _server=$1 932 _zone=$2 933 _view=$3 934 935 n=$((n+1)) 936 echo_i "check rndc dnssec -status output for ${_zone} ($n)" 937 ret=0 938 939 rndccmd $_server dnssec -status $_zone in $_view > rndc.dnssec.status.out.$_zone.$n || log_error "rndc dnssec -status zone ${_zone} failed" 940 941 if [ "$POLICY" = "none" ]; then 942 grep "zone does not have dnssec-policy" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for zone ${_zone}" 943 else 944 grep "dnssec-policy: ${POLICY}" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for zone ${_zone}" 945 if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then 946 grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY1 ID) from dnssec status" 947 fi 948 if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then 949 grep "key: $(key_get KEY2 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY2 ID) from dnssec status" 950 fi 951 if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then 952 grep "key: $(key_get KEY3 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY3 ID) from dnssec status" 953 fi 954 if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then 955 grep "key: $(key_get KEY4 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY4 ID) from dnssec status" 956 fi 957 fi 958 959 test "$ret" -eq 0 || echo_i "failed" 960 status=$((status+ret)) 961} 962 963# Check if RRset of type $1 in file $2 is signed with the right keys. 964# The right keys are the ones that expect a signature and matches the role $3. 965check_signatures() { 966 _qtype=$1 967 _file=$2 968 _role=$3 969 970 if [ "$_role" = "KSK" ]; then 971 _expect_type=EXPECT_KRRSIG 972 elif [ "$_role" = "ZSK" ]; then 973 _expect_type=EXPECT_ZRRSIG 974 fi 975 976 if [ "$(key_get KEY1 "$_expect_type")" = "yes" ] && [ "$(key_get KEY1 "$_role")" = "yes" ]; then 977 get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" > /dev/null || log_error "${_qtype} RRset not signed with key $(key_get KEY1 ID)" 978 elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then 979 get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" > /dev/null && log_error "${_qtype} RRset signed unexpectedly with key $(key_get KEY1 ID)" 980 fi 981 982 if [ "$(key_get KEY2 "$_expect_type")" = "yes" ] && [ "$(key_get KEY2 "$_role")" = "yes" ]; then 983 get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" > /dev/null || log_error "${_qtype} RRset not signed with key $(key_get KEY2 ID)" 984 elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then 985 get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" > /dev/null && log_error "${_qtype} RRset signed unexpectedly with key $(key_get KEY2 ID)" 986 fi 987 988 if [ "$(key_get KEY3 "$_expect_type")" = "yes" ] && [ "$(key_get KEY3 "$_role")" = "yes" ]; then 989 get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" > /dev/null || log_error "${_qtype} RRset not signed with key $(key_get KEY3 ID)" 990 elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then 991 get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" > /dev/null && log_error "${_qtype} RRset signed unexpectedly with key $(key_get KEY3 ID)" 992 fi 993 994 if [ "$(key_get KEY4 "$_expect_type")" = "yes" ] && [ "$(key_get KEY4 "$_role")" = "yes" ]; then 995 get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" > /dev/null || log_error "${_qtype} RRset not signed with key $(key_get KEY4 ID)" 996 elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then 997 get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" > /dev/null && log_error "${_qtype} RRset signed unexpectedly with key $(key_get KEY4 ID)" 998 fi 999} 1000 1001response_has_cds_for_key() ( 1002 awk -v zone="${ZONE%%.}." \ 1003 -v ttl="${DNSKEY_TTL}" \ 1004 -v qtype="CDS" \ 1005 -v keyid="$(key_get "${1}" ID)" \ 1006 -v keyalg="$(key_get "${1}" ALG_NUM)" \ 1007 -v hashalg="2" \ 1008 'BEGIN { ret=1; } 1009 $1 == zone && $2 == ttl && $4 == qtype && $5 == keyid && $6 == keyalg && $7 == hashalg { ret=0; exit; } 1010 END { exit ret; }' \ 1011 "$2" 1012) 1013 1014response_has_cdnskey_for_key() ( 1015 awk -v zone="${ZONE%%.}." \ 1016 -v ttl="${DNSKEY_TTL}" \ 1017 -v qtype="CDNSKEY" \ 1018 -v flags="257" \ 1019 -v keyalg="$(key_get "${1}" ALG_NUM)" \ 1020 'BEGIN { ret=1; } 1021 $1 == zone && $2 == ttl && $4 == qtype && $5 == flags && $7 == keyalg { ret=0; exit; } 1022 END { exit ret; }' \ 1023 "$2" 1024) 1025 1026# Test CDS and CDNSKEY publication. 1027check_cds() { 1028 1029 n=$((n+1)) 1030 echo_i "check CDS and CDNSKEY rrset are signed correctly for zone ${ZONE} ($n)" 1031 ret=0 1032 1033 dig_with_opts "$ZONE" "@${SERVER}" "CDS" > "dig.out.$DIR.test$n.cds" || log_error "dig ${ZONE} CDS failed" 1034 grep "status: NOERROR" "dig.out.$DIR.test$n.cds" > /dev/null || log_error "mismatch status in DNS response" 1035 1036 dig_with_opts "$ZONE" "@${SERVER}" "CDNSKEY" > "dig.out.$DIR.test$n.cdnskey" || log_error "dig ${ZONE} CDNSKEY failed" 1037 grep "status: NOERROR" "dig.out.$DIR.test$n.cdnskey" > /dev/null || log_error "mismatch status in DNS response" 1038 1039 if [ "$(key_get KEY1 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DS)" = "omnipresent" ]; then 1040 response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" || log_error "missing CDS record in response for key $(key_get KEY1 ID)" 1041 check_signatures "CDS" "dig.out.$DIR.test$n.cds" "KSK" 1042 response_has_cdnskey_for_key KEY1 "dig.out.$DIR.test$n.cdnskey" || log_error "missing CDNSKEY record in response for key $(key_get KEY1 ID)" 1043 check_signatures "CDNSKEY" "dig.out.$DIR.test$n.cdnskey" "KSK" 1044 elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then 1045 response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" && log_error "unexpected CDS record in response for key $(key_get KEY1 ID)" 1046 # KEY1 should not have an associated CDNSKEY, but there may be 1047 # one for another key. Since the CDNSKEY has no field for key 1048 # id, it is hard to check what key the CDNSKEY may belong to 1049 # so let's skip this check for now. 1050 fi 1051 1052 if [ "$(key_get KEY2 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DS)" = "omnipresent" ]; then 1053 response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" || log_error "missing CDS record in response for key $(key_get KEY2 ID)" 1054 check_signatures "CDS" "dig.out.$DIR.test$n.cds" "KSK" 1055 response_has_cdnskey_for_key KEY2 "dig.out.$DIR.test$n.cdnskey" || log_error "missing CDNSKEY record in response for key $(key_get KEY2 ID)" 1056 check_signatures "CDNSKEY" "dig.out.$DIR.test$n.cdnskey" "KSK" 1057 elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then 1058 response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" && log_error "unexpected CDS record in response for key $(key_get KEY2 ID)" 1059 # KEY2 should not have an associated CDNSKEY, but there may be 1060 # one for another key. Since the CDNSKEY has no field for key 1061 # id, it is hard to check what key the CDNSKEY may belong to 1062 # so let's skip this check for now. 1063 fi 1064 1065 if [ "$(key_get KEY3 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DS)" = "omnipresent" ]; then 1066 response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" || log_error "missing CDS record in response for key $(key_get KEY3 ID)" 1067 check_signatures "CDS" "dig.out.$DIR.test$n.cds" "KSK" 1068 response_has_cdnskey_for_key KEY3 "dig.out.$DIR.test$n.cdnskey" || log_error "missing CDNSKEY record in response for key $(key_get KEY3 ID)" 1069 check_signatures "CDNSKEY" "dig.out.$DIR.test$n.cdnskey" "KSK" 1070 elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then 1071 response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" && log_error "unexpected CDS record in response for key $(key_get KEY3 ID)" 1072 # KEY3 should not have an associated CDNSKEY, but there may be 1073 # one for another key. Since the CDNSKEY has no field for key 1074 # id, it is hard to check what key the CDNSKEY may belong to 1075 # so let's skip this check for now. 1076 fi 1077 1078 if [ "$(key_get KEY4 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DS)" = "omnipresent" ]; then 1079 response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" || log_error "missing CDS record in response for key $(key_get KEY4 ID)" 1080 check_signatures "CDS" "dig.out.$DIR.test$n.cds" "KSK" 1081 response_has_cdnskey_for_key KEY4 "dig.out.$DIR.test$n.cdnskey" || log_error "missing CDNSKEY record in response for key $(key_get KEY4 ID)" 1082 check_signatures "CDNSKEY" "dig.out.$DIR.test$n.cdnskey" "KSK" 1083 elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then 1084 response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" && log_error "unexpected CDS record in response for key $(key_get KEY4 ID)" 1085 # KEY4 should not have an associated CDNSKEY, but there may be 1086 # one for another key. Since the CDNSKEY has no field for key 1087 # id, it is hard to check what key the CDNSKEY may belong to 1088 # so let's skip this check for now. 1089 fi 1090 1091 test "$ret" -eq 0 || echo_i "failed" 1092 status=$((status+ret)) 1093} 1094 1095# Test the apex of a configured zone. This checks that the SOA and DNSKEY 1096# RRsets are signed correctly and with the appropriate keys. 1097check_apex() { 1098 # Test DNSKEY query. 1099 _qtype="DNSKEY" 1100 n=$((n+1)) 1101 echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)" 1102 ret=0 1103 dig_with_opts "$ZONE" "@${SERVER}" $_qtype > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" 1104 grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" 1105 1106 if [ "$(key_get KEY1 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" = "omnipresent" ]; then 1107 grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*$(key_get KEY1 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY1 ID)" 1108 check_signatures $_qtype "dig.out.$DIR.test$n" "KSK" 1109 numkeys=$((numkeys+1)) 1110 elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then 1111 grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*$(key_get KEY1 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && log_error "unexpected ${_qtype} record in response for key $(key_get KEY1 ID)" 1112 fi 1113 1114 if [ "$(key_get KEY2 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DNSKEY)" = "omnipresent" ]; then 1115 grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*$(key_get KEY2 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY2 ID)" 1116 check_signatures $_qtype "dig.out.$DIR.test$n" "KSK" 1117 numkeys=$((numkeys+1)) 1118 elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then 1119 grep "${ZONE}\.*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*$(key_get KEY2 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && log_error "unexpected ${_qtype} record in response for key $(key_get KEY2 ID)" 1120 fi 1121 1122 if [ "$(key_get KEY3 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DNSKEY)" = "omnipresent" ]; then 1123 grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*$(key_get KEY3 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY3 ID)" 1124 check_signatures $_qtype "dig.out.$DIR.test$n" "KSK" 1125 numkeys=$((numkeys+1)) 1126 elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then 1127 grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*$(key_get KEY3 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && log_error "unexpected ${_qtype} record in response for key $(key_get KEY3 ID)" 1128 fi 1129 1130 if [ "$(key_get KEY4 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DNSKEY)" = "omnipresent" ]; then 1131 grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*$(key_get KEY4 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null || log_error "missing ${_qtype} record in response for key $(key_get KEY4 ID)" 1132 check_signatures $_qtype "dig.out.$DIR.test$n" "KSK" 1133 numkeys=$((numkeys+1)) 1134 elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then 1135 grep "${ZONE}\..*${DNSKEY_TTL}.*IN.*${_qtype}.*257.*.3.*$(key_get KEY4 ALG_NUM)" "dig.out.$DIR.test$n" > /dev/null && log_error "unexpected ${_qtype} record in response for key $(key_get KEY4 ID)" 1136 fi 1137 1138 lines=$(get_keys_which_signed $_qtype "dig.out.$DIR.test$n" | wc -l) 1139 check_signatures $_qtype "dig.out.$DIR.test$n" "KSK" 1140 test "$ret" -eq 0 || echo_i "failed" 1141 status=$((status+ret)) 1142 1143 # Test SOA query. 1144 _qtype="SOA" 1145 n=$((n+1)) 1146 echo_i "check ${_qtype} rrset is signed correctly for zone ${ZONE} ($n)" 1147 ret=0 1148 dig_with_opts "$ZONE" "@${SERVER}" $_qtype > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" 1149 grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" 1150 grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*" "dig.out.$DIR.test$n" > /dev/null || log_error "missing ${_qtype} record in response" 1151 lines=$(get_keys_which_signed $_qtype "dig.out.$DIR.test$n" | wc -l) 1152 check_signatures $_qtype "dig.out.$DIR.test$n" "ZSK" 1153 test "$ret" -eq 0 || echo_i "failed" 1154 status=$((status+ret)) 1155 1156 # Test CDS and CDNSKEY publication. 1157 check_cds 1158} 1159 1160# Test an RRset below the apex and verify it is signed correctly. 1161check_subdomain() { 1162 _qtype="A" 1163 n=$((n+1)) 1164 echo_i "check ${_qtype} a.${ZONE} rrset is signed correctly for zone ${ZONE} ($n)" 1165 ret=0 1166 dig_with_opts "a.$ZONE" "@${SERVER}" $_qtype > "dig.out.$DIR.test$n" || log_error "dig a.${ZONE} ${_qtype} failed" 1167 grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" 1168 grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*10\.0\.0\.1" "dig.out.$DIR.test$n" > /dev/null || log_error "missing a.${ZONE} ${_qtype} record in response" 1169 lines=$(get_keys_which_signed $_qtype "dig.out.$DIR.test$n" | wc -l) 1170 check_signatures $_qtype "dig.out.$DIR.test$n" "ZSK" 1171 test "$ret" -eq 0 || echo_i "failed" 1172 status=$((status+ret)) 1173} 1174 1175# 1176# Zone: default.kasp. 1177# 1178set_keytimes_csk_policy() { 1179 # The first key is immediately published and activated. 1180 created=$(key_get KEY1 CREATED) 1181 set_keytime "KEY1" "PUBLISHED" "${created}" 1182 set_keytime "KEY1" "ACTIVE" "${created}" 1183 # The DS can be published if the DNSKEY and RRSIG records are 1184 # OMNIPRESENT. This happens after max-zone-ttl (1d) plus 1185 # publish-safety (1h) plus zone-propagation-delay (300s) = 1186 # 86400 + 3600 + 300 = 90300. 1187 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300 1188 # Key lifetime is unlimited, so not setting RETIRED and REMOVED. 1189} 1190 1191# Check the zone with default kasp policy has loaded and is signed. 1192set_zone "default.kasp" 1193set_policy "default" "1" "3600" 1194set_server "ns3" "10.53.0.3" 1195# Key properties. 1196set_keyrole "KEY1" "csk" 1197set_keylifetime "KEY1" "0" 1198set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 1199set_keysigning "KEY1" "yes" 1200set_zonesigning "KEY1" "yes" 1201# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. 1202set_keystate "KEY1" "GOAL" "omnipresent" 1203set_keystate "KEY1" "STATE_DNSKEY" "rumoured" 1204set_keystate "KEY1" "STATE_KRRSIG" "rumoured" 1205set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" 1206set_keystate "KEY1" "STATE_DS" "hidden" 1207 1208check_keys 1209check_dnssecstatus "$SERVER" "$ZONE" 1210set_keytimes_csk_policy 1211check_keytimes 1212check_apex 1213check_subdomain 1214dnssec_verify 1215 1216# Update zone. 1217n=$((n+1)) 1218echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)" 1219ret=0 1220cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db" 1221rndccmd 10.53.0.3 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed" 1222 1223update_is_signed() { 1224 dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1 1225 grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1 1226 grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" > /dev/null || return 1 1227 lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.a" | wc -l) 1228 test "$lines" -eq 1 || return 1 1229 get_keys_which_signed A "dig.out.$DIR.test$n.a" | grep "^${KEY_ID}$" > /dev/null || return 1 1230 1231 dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n".d || return 1 1232 grep "status: NOERROR" "dig.out.$DIR.test$n".d > /dev/null || return 1 1233 grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n".d > /dev/null || return 1 1234 lines=$(get_keys_which_signed A "dig.out.$DIR.test$n".d | wc -l) 1235 test "$lines" -eq 1 || return 1 1236 get_keys_which_signed A "dig.out.$DIR.test$n".d | grep "^${KEY_ID}$" > /dev/null || return 1 1237} 1238 1239retry_quiet 10 update_is_signed || ret=1 1240test "$ret" -eq 0 || echo_i "failed" 1241status=$((status+ret)) 1242 1243# 1244# Zone: dynamic.kasp 1245# 1246set_zone "dynamic.kasp" 1247set_policy "default" "1" "3600" 1248set_server "ns3" "10.53.0.3" 1249# Key properties, timings and states same as above. 1250check_keys 1251check_dnssecstatus "$SERVER" "$ZONE" 1252set_keytimes_csk_policy 1253check_keytimes 1254check_apex 1255check_subdomain 1256dnssec_verify 1257 1258# Update zone with nsupdate. 1259n=$((n+1)) 1260echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)" 1261ret=0 1262( 1263echo zone ${ZONE} 1264echo server 10.53.0.3 "$PORT" 1265echo update del "a.${ZONE}" 300 A 10.0.0.1 1266echo update add "a.${ZONE}" 300 A 10.0.0.11 1267echo update add "d.${ZONE}" 300 A 10.0.0.4 1268echo send 1269) | $NSUPDATE 1270 1271retry_quiet 10 update_is_signed || ret=1 1272test "$ret" -eq 0 || echo_i "failed" 1273status=$((status+ret)) 1274 1275 1276# 1277# Zone: dynamic-inline-signing.kasp 1278# 1279set_zone "dynamic-inline-signing.kasp" 1280set_policy "default" "1" "3600" 1281set_server "ns3" "10.53.0.3" 1282# Key properties, timings and states same as above. 1283check_keys 1284check_dnssecstatus "$SERVER" "$ZONE" 1285set_keytimes_csk_policy 1286check_keytimes 1287check_apex 1288check_subdomain 1289dnssec_verify 1290 1291# Update zone with freeze/thaw. 1292n=$((n+1)) 1293echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)" 1294ret=0 1295rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed" 1296sleep 1 1297cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db" 1298rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed" 1299 1300retry_quiet 10 update_is_signed || ret=1 1301test "$ret" -eq 0 || echo_i "failed" 1302status=$((status+ret)) 1303 1304# 1305# Zone: inline-signing.kasp 1306# 1307set_zone "inline-signing.kasp" 1308set_policy "default" "1" "3600" 1309set_server "ns3" "10.53.0.3" 1310# Key properties, timings and states same as above. 1311check_keys 1312check_dnssecstatus "$SERVER" "$ZONE" 1313set_keytimes_csk_policy 1314check_keytimes 1315check_apex 1316check_subdomain 1317dnssec_verify 1318 1319# Set keytimes for dnssec-policy with various algorithms. 1320# These all use the same time values. 1321set_keytimes_algorithm_policy() { 1322 # The first KSK is immediately published and activated. 1323 created=$(key_get KEY1 CREATED) 1324 set_keytime "KEY1" "PUBLISHED" "${created}" 1325 set_keytime "KEY1" "ACTIVE" "${created}" 1326 # Key was pregenerated. 1327 if [ "$1" == "pregenerated" ]; then 1328 keyfile=$(key_get KEY1 BASEFILE) 1329 grep "; Publish:" "${keyfile}.key" > published.test${n}.key1 1330 published=$(awk '{print $3}' < published.test${n}.key1) 1331 set_keytime "KEY1" "PUBLISHED" "${published}" 1332 set_keytime "KEY1" "ACTIVE" "${published}" 1333 fi 1334 published=$(key_get KEY1 PUBLISHED) 1335 1336 # The DS can be published if the DNSKEY and RRSIG records are 1337 # OMNIPRESENT. This happens after max-zone-ttl (1d) plus 1338 # publish-safety (1h) plus zone-propagation-delay (300s) = 1339 # 86400 + 3600 + 300 = 90300. 1340 set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300 1341 # Key lifetime is 10 years, 315360000 seconds. 1342 set_addkeytime "KEY1" "RETIRED" "${published}" 315360000 1343 # The key is removed after the retire time plus DS TTL (1d), 1344 # parent propagation delay (1h), and retire safety (1h) = 1345 # 86400 + 3600 + 3600 = 93600. 1346 retired=$(key_get KEY1 RETIRED) 1347 set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 1348 1349 # The first ZSKs are immediately published and activated. 1350 created=$(key_get KEY2 CREATED) 1351 set_keytime "KEY2" "PUBLISHED" "${created}" 1352 set_keytime "KEY2" "ACTIVE" "${created}" 1353 # Key was pregenerated. 1354 if [ "$1" == "pregenerated" ]; then 1355 keyfile=$(key_get KEY2 BASEFILE) 1356 grep "; Publish:" "${keyfile}.key" > published.test${n}.key2 1357 published=$(awk '{print $3}' < published.test${n}.key2) 1358 set_keytime "KEY2" "PUBLISHED" "${published}" 1359 set_keytime "KEY2" "ACTIVE" "${published}" 1360 fi 1361 published=$(key_get KEY2 PUBLISHED) 1362 1363 # Key lifetime for KSK2 is 5 years, 157680000 seconds. 1364 set_addkeytime "KEY2" "RETIRED" "${published}" 157680000 1365 # The key is removed after the retire time plus max zone ttl (1d), zone 1366 # propagation delay (300s), retire safety (1h), and sign delay 1367 # (signature validity minus refresh, 9d) = 1368 # 86400 + 300 + 3600 + 777600 = 867900. 1369 retired=$(key_get KEY2 RETIRED) 1370 set_addkeytime "KEY2" "REMOVED" "${retired}" 867900 1371 1372 # Second ZSK (KEY3). 1373 created=$(key_get KEY3 CREATED) 1374 set_keytime "KEY3" "PUBLISHED" "${created}" 1375 set_keytime "KEY3" "ACTIVE" "${created}" 1376 # Key was pregenerated. 1377 if [ "$1" == "pregenerated" ]; then 1378 keyfile=$(key_get KEY3 BASEFILE) 1379 grep "; Publish:" "${keyfile}.key" > published.test${n}.key3 1380 published=$(awk '{print $3}' < published.test${n}.key3) 1381 set_keytime "KEY3" "PUBLISHED" "${published}" 1382 set_keytime "KEY3" "ACTIVE" "${published}" 1383 fi 1384 published=$(key_get KEY3 PUBLISHED) 1385 1386 # Key lifetime for KSK3 is 1 year, 31536000 seconds. 1387 set_addkeytime "KEY3" "RETIRED" "${published}" 31536000 1388 retired=$(key_get KEY3 RETIRED) 1389 set_addkeytime "KEY3" "REMOVED" "${retired}" 867900 1390} 1391 1392# 1393# Zone: rsasha1.kasp. 1394# 1395set_zone "rsasha1.kasp" 1396set_policy "rsasha1" "3" "1234" 1397set_server "ns3" "10.53.0.3" 1398# Key properties. 1399key_clear "KEY1" 1400set_keyrole "KEY1" "ksk" 1401set_keylifetime "KEY1" "315360000" 1402set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" 1403set_keysigning "KEY1" "yes" 1404set_zonesigning "KEY1" "no" 1405 1406key_clear "KEY2" 1407set_keyrole "KEY2" "zsk" 1408set_keylifetime "KEY2" "157680000" 1409set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" 1410set_keysigning "KEY2" "no" 1411set_zonesigning "KEY2" "yes" 1412 1413key_clear "KEY3" 1414set_keyrole "KEY3" "zsk" 1415set_keylifetime "KEY3" "31536000" 1416set_keyalgorithm "KEY3" "5" "RSASHA1" "2000" 1417set_keysigning "KEY3" "no" 1418set_zonesigning "KEY3" "yes" 1419 1420# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. 1421# ZSK: DNSKEY, RRSIG (zsk) published. 1422set_keystate "KEY1" "GOAL" "omnipresent" 1423set_keystate "KEY1" "STATE_DNSKEY" "rumoured" 1424set_keystate "KEY1" "STATE_KRRSIG" "rumoured" 1425set_keystate "KEY1" "STATE_DS" "hidden" 1426 1427set_keystate "KEY2" "GOAL" "omnipresent" 1428set_keystate "KEY2" "STATE_DNSKEY" "rumoured" 1429set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" 1430 1431set_keystate "KEY3" "GOAL" "omnipresent" 1432set_keystate "KEY3" "STATE_DNSKEY" "rumoured" 1433set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" 1434# Three keys only. 1435key_clear "KEY4" 1436 1437check_keys 1438check_dnssecstatus "$SERVER" "$ZONE" 1439set_keytimes_algorithm_policy 1440check_keytimes 1441check_apex 1442check_subdomain 1443dnssec_verify 1444 1445# 1446# Zone: unsigned.kasp. 1447# 1448set_zone "unsigned.kasp" 1449set_policy "none" "0" "0" 1450set_server "ns3" "10.53.0.3" 1451 1452key_clear "KEY1" 1453key_clear "KEY2" 1454key_clear "KEY3" 1455key_clear "KEY4" 1456 1457check_keys 1458check_dnssecstatus "$SERVER" "$ZONE" 1459check_apex 1460check_subdomain 1461 1462# 1463# Zone: unlimited.kasp. 1464# 1465set_zone "unlimited.kasp" 1466set_policy "unlimited" "1" "1234" 1467set_server "ns3" "10.53.0.3" 1468# Key properties. 1469set_keyrole "KEY1" "csk" 1470set_keylifetime "KEY1" "0" 1471set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 1472set_keysigning "KEY1" "yes" 1473set_zonesigning "KEY1" "yes" 1474# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. 1475set_keystate "KEY1" "GOAL" "omnipresent" 1476set_keystate "KEY1" "STATE_DNSKEY" "rumoured" 1477set_keystate "KEY1" "STATE_KRRSIG" "rumoured" 1478set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" 1479set_keystate "KEY1" "STATE_DS" "hidden" 1480 1481check_keys 1482check_dnssecstatus "$SERVER" "$ZONE" 1483set_keytimes_csk_policy 1484check_keytimes 1485check_apex 1486check_subdomain 1487dnssec_verify 1488 1489# 1490# Zone: inherit.kasp. 1491# 1492set_zone "inherit.kasp" 1493set_policy "rsasha1" "3" "1234" 1494set_server "ns3" "10.53.0.3" 1495 1496# Key properties. 1497key_clear "KEY1" 1498set_keyrole "KEY1" "ksk" 1499set_keylifetime "KEY1" "315360000" 1500set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" 1501set_keysigning "KEY1" "yes" 1502set_zonesigning "KEY1" "no" 1503 1504key_clear "KEY2" 1505set_keyrole "KEY2" "zsk" 1506set_keylifetime "KEY2" "157680000" 1507set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" 1508set_keysigning "KEY2" "no" 1509set_zonesigning "KEY2" "yes" 1510 1511key_clear "KEY3" 1512set_keyrole "KEY3" "zsk" 1513set_keylifetime "KEY3" "31536000" 1514set_keyalgorithm "KEY3" "5" "RSASHA1" "2000" 1515set_keysigning "KEY3" "no" 1516set_zonesigning "KEY3" "yes" 1517# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. 1518# ZSK: DNSKEY, RRSIG (zsk) published. 1519set_keystate "KEY1" "GOAL" "omnipresent" 1520set_keystate "KEY1" "STATE_DNSKEY" "rumoured" 1521set_keystate "KEY1" "STATE_KRRSIG" "rumoured" 1522set_keystate "KEY1" "STATE_DS" "hidden" 1523 1524set_keystate "KEY2" "GOAL" "omnipresent" 1525set_keystate "KEY2" "STATE_DNSKEY" "rumoured" 1526set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" 1527 1528set_keystate "KEY3" "GOAL" "omnipresent" 1529set_keystate "KEY3" "STATE_DNSKEY" "rumoured" 1530set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" 1531# Three keys only. 1532key_clear "KEY4" 1533 1534check_keys 1535check_dnssecstatus "$SERVER" "$ZONE" 1536set_keytimes_algorithm_policy 1537check_keytimes 1538check_apex 1539check_subdomain 1540dnssec_verify 1541 1542# 1543# Zone: dnssec-keygen.kasp. 1544# 1545set_zone "dnssec-keygen.kasp" 1546set_policy "rsasha1" "3" "1234" 1547set_server "ns3" "10.53.0.3" 1548# Key properties, timings and states same as above. 1549 1550check_keys 1551check_dnssecstatus "$SERVER" "$ZONE" 1552set_keytimes_algorithm_policy 1553check_keytimes 1554check_apex 1555check_subdomain 1556dnssec_verify 1557 1558# 1559# Zone: some-keys.kasp. 1560# 1561set_zone "some-keys.kasp" 1562set_policy "rsasha1" "3" "1234" 1563set_server "ns3" "10.53.0.3" 1564# Key properties, timings and states same as above. 1565 1566check_keys 1567check_dnssecstatus "$SERVER" "$ZONE" 1568set_keytimes_algorithm_policy "pregenerated" 1569check_keytimes 1570check_apex 1571check_subdomain 1572dnssec_verify 1573 1574# 1575# Zone: legacy-keys.kasp. 1576# 1577set_zone "legacy-keys.kasp" 1578set_policy "rsasha1" "3" "1234" 1579set_server "ns3" "10.53.0.3" 1580# Key properties, timings and states same as above. 1581 1582check_keys 1583check_dnssecstatus "$SERVER" "$ZONE" 1584set_keytimes_algorithm_policy 1585check_keytimes 1586check_apex 1587check_subdomain 1588dnssec_verify 1589 1590# 1591# Zone: pregenerated.kasp. 1592# 1593# There are more pregenerated keys than needed, hence the number of keys is 1594# six, not three. 1595set_zone "pregenerated.kasp" 1596set_policy "rsasha1" "6" "1234" 1597set_server "ns3" "10.53.0.3" 1598# Key properties, timings and states same as above. 1599 1600check_keys 1601check_dnssecstatus "$SERVER" "$ZONE" 1602set_keytimes_algorithm_policy "pregenerated" 1603check_keytimes 1604check_apex 1605check_subdomain 1606dnssec_verify 1607 1608# 1609# Zone: rumoured.kasp. 1610# 1611# There are three keys in rumoured state. 1612set_zone "rumoured.kasp" 1613set_policy "rsasha1" "3" "1234" 1614set_server "ns3" "10.53.0.3" 1615# Key properties, timings and states same as above. 1616 1617check_keys 1618check_dnssecstatus "$SERVER" "$ZONE" 1619set_keytimes_algorithm_policy 1620# Activation date is a day later. 1621set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400 1622set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400 1623set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400 1624set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400 1625set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400 1626set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400 1627set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400 1628set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400 1629set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400 1630check_keytimes 1631check_apex 1632check_subdomain 1633dnssec_verify 1634 1635# 1636# Zone: secondary.kasp. 1637# 1638set_zone "secondary.kasp" 1639set_policy "rsasha1" "3" "1234" 1640set_server "ns3" "10.53.0.3" 1641# Key properties, timings and states same as above. 1642 1643check_keys 1644check_dnssecstatus "$SERVER" "$ZONE" 1645set_keytimes_algorithm_policy 1646check_keytimes 1647check_apex 1648check_subdomain 1649dnssec_verify 1650 1651# Update zone. 1652n=$((n+1)) 1653echo_i "check that we correctly sign the zone after IXFR for zone ${ZONE} ($n)" 1654ret=0 1655cp ns2/secondary.kasp.db.in2 ns2/secondary.kasp.db 1656rndccmd 10.53.0.2 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed" 1657 1658_wait_for_done_subdomains() { 1659 ret=0 1660 dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1 1661 grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1 1662 grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" > /dev/null || return 1 1663 check_signatures $_qtype "dig.out.$DIR.test$n.a" "ZSK" 1664 if [ $ret -gt 0 ]; then return $ret; fi 1665 1666 dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.d" || return 1 1667 grep "status: NOERROR" "dig.out.$DIR.test$n.d" > /dev/null || return 1 1668 grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" > /dev/null || return 1 1669 check_signatures $_qtype "dig.out.$DIR.test$n.d" "ZSK" 1670 return $ret 1671} 1672retry_quiet 5 _wait_for_done_subdomains || ret=1 1673test "$ret" -eq 0 || echo_i "failed" 1674status=$((status+ret)) 1675 1676# TODO: we might want to test: 1677# - configuring a zone with too many active keys (should trigger retire). 1678# - configuring a zone with keys not matching the policy. 1679 1680# 1681# Zone: rsasha1-nsec3.kasp. 1682# 1683set_zone "rsasha1-nsec3.kasp" 1684set_policy "rsasha1-nsec3" "3" "1234" 1685set_server "ns3" "10.53.0.3" 1686# Key properties. 1687set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048" 1688set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048" 1689set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000" 1690# Key timings and states same as above. 1691 1692check_keys 1693check_dnssecstatus "$SERVER" "$ZONE" 1694set_keytimes_algorithm_policy 1695check_keytimes 1696check_apex 1697check_subdomain 1698dnssec_verify 1699 1700# 1701# Zone: rsasha256.kasp. 1702# 1703set_zone "rsasha256.kasp" 1704set_policy "rsasha256" "3" "1234" 1705set_server "ns3" "10.53.0.3" 1706# Key properties. 1707set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" 1708set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" 1709set_keyalgorithm "KEY3" "8" "RSASHA256" "2000" 1710# Key timings and states same as above. 1711 1712check_keys 1713check_dnssecstatus "$SERVER" "$ZONE" 1714set_keytimes_algorithm_policy 1715check_keytimes 1716check_apex 1717check_subdomain 1718dnssec_verify 1719 1720# 1721# Zone: rsasha512.kasp. 1722# 1723set_zone "rsasha512.kasp" 1724set_policy "rsasha512" "3" "1234" 1725set_server "ns3" "10.53.0.3" 1726# Key properties. 1727set_keyalgorithm "KEY1" "10" "RSASHA512" "2048" 1728set_keyalgorithm "KEY2" "10" "RSASHA512" "2048" 1729set_keyalgorithm "KEY3" "10" "RSASHA512" "2000" 1730# Key timings and states same as above. 1731 1732check_keys 1733check_dnssecstatus "$SERVER" "$ZONE" 1734set_keytimes_algorithm_policy 1735check_keytimes 1736check_apex 1737check_subdomain 1738dnssec_verify 1739 1740# 1741# Zone: ecdsa256.kasp. 1742# 1743set_zone "ecdsa256.kasp" 1744set_policy "ecdsa256" "3" "1234" 1745set_server "ns3" "10.53.0.3" 1746# Key properties. 1747set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 1748set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" 1749set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" 1750# Key timings and states same as above. 1751 1752check_keys 1753check_dnssecstatus "$SERVER" "$ZONE" 1754set_keytimes_algorithm_policy 1755check_keytimes 1756check_apex 1757check_subdomain 1758dnssec_verify 1759 1760# 1761# Zone: ecdsa512.kasp. 1762# 1763set_zone "ecdsa384.kasp" 1764set_policy "ecdsa384" "3" "1234" 1765set_server "ns3" "10.53.0.3" 1766# Key properties. 1767set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384" 1768set_keyalgorithm "KEY2" "14" "ECDSAP384SHA384" "384" 1769set_keyalgorithm "KEY3" "14" "ECDSAP384SHA384" "384" 1770# Key timings and states same as above. 1771 1772check_keys 1773check_dnssecstatus "$SERVER" "$ZONE" 1774set_keytimes_algorithm_policy 1775check_keytimes 1776check_apex 1777check_subdomain 1778dnssec_verify 1779 1780# TODO: ED25519 and ED448. 1781 1782# Set key times for 'autosign' policy. 1783set_keytimes_autosign_policy() { 1784 # The KSK was published six months ago (with settime). 1785 created=$(key_get KEY1 CREATED) 1786 set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000 1787 set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000 1788 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000 1789 # Key lifetime is 2 years, 63072000 seconds. 1790 active=$(key_get KEY1 ACTIVE) 1791 set_addkeytime "KEY1" "RETIRED" "${active}" 63072000 1792 # The key is removed after the retire time plus DS TTL (1d), 1793 # parent propagation delay (1h), retire safety (1h) = 1794 # 86400 + 3600 + 3600 = 93600 1795 retired=$(key_get KEY1 RETIRED) 1796 set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 1797 1798 # The ZSK was published six months ago (with settime). 1799 created=$(key_get KEY2 CREATED) 1800 set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000 1801 set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000 1802 # Key lifetime for KSK2 is 1 year, 31536000 seconds. 1803 active=$(key_get KEY2 ACTIVE) 1804 set_addkeytime "KEY2" "RETIRED" "${active}" 31536000 1805 # The key is removed after the retire time plus: 1806 # TTLsig (RRSIG TTL): 1 day (86400 seconds) 1807 # Dprp (propagation delay): 5 minutes (300 seconds) 1808 # retire-safety: 1 hour (3600 seconds) 1809 # Dsgn (sign delay): 7 days (604800 seconds) 1810 # Iret: 695100 seconds. 1811 retired=$(key_get KEY2 RETIRED) 1812 set_addkeytime "KEY2" "REMOVED" "${retired}" 695100 1813} 1814 1815# 1816# Zone: expired-sigs.autosign. 1817# 1818set_zone "expired-sigs.autosign" 1819set_policy "autosign" "2" "300" 1820set_server "ns3" "10.53.0.3" 1821# Key properties. 1822key_clear "KEY1" 1823set_keyrole "KEY1" "ksk" 1824set_keylifetime "KEY1" "63072000" 1825set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 1826set_keysigning "KEY1" "yes" 1827set_zonesigning "KEY1" "no" 1828 1829key_clear "KEY2" 1830set_keyrole "KEY2" "zsk" 1831set_keylifetime "KEY2" "31536000" 1832set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" 1833set_keysigning "KEY2" "no" 1834set_zonesigning "KEY2" "yes" 1835 1836# Both KSK and ZSK stay OMNIPRESENT. 1837set_keystate "KEY1" "GOAL" "omnipresent" 1838set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 1839set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 1840set_keystate "KEY1" "STATE_DS" "omnipresent" 1841 1842set_keystate "KEY2" "GOAL" "omnipresent" 1843set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" 1844set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 1845# Expect only two keys. 1846key_clear "KEY3" 1847key_clear "KEY4" 1848 1849check_keys 1850check_dnssecstatus "$SERVER" "$ZONE" 1851set_keytimes_autosign_policy 1852check_keytimes 1853check_apex 1854check_subdomain 1855dnssec_verify 1856 1857# Verify all signatures have been refreshed. 1858check_rrsig_refresh() { 1859 # Apex. 1860 _qtypes="DNSKEY SOA NS NSEC" 1861 for _qtype in $_qtypes 1862 do 1863 n=$((n+1)) 1864 echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)" 1865 ret=0 1866 dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" 1867 grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" 1868 grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" 1869 # If this exact RRSIG is also in the zone file it is not refreshed. 1870 _rrsig=$(cat "rrsig.out.$ZONE.$_qtype") 1871 grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}" 1872 test "$ret" -eq 0 || echo_i "failed" 1873 status=$((status+ret)) 1874 done 1875 1876 # Below apex. 1877 _labels="a b c ns3" 1878 for _label in $_labels; 1879 do 1880 _qtypes="A NSEC" 1881 for _qtype in $_qtypes 1882 do 1883 n=$((n+1)) 1884 echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)" 1885 ret=0 1886 dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed" 1887 grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" 1888 grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" 1889 _rrsig=$(cat "rrsig.out.$ZONE.$_qtype") 1890 grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}" 1891 test "$ret" -eq 0 || echo_i "failed" 1892 status=$((status+ret)) 1893 done 1894 done 1895} 1896 1897check_rrsig_refresh 1898 1899# 1900# Zone: fresh-sigs.autosign. 1901# 1902set_zone "fresh-sigs.autosign" 1903set_policy "autosign" "2" "300" 1904set_server "ns3" "10.53.0.3" 1905# Key properties, timings and states same as above. 1906 1907check_keys 1908check_dnssecstatus "$SERVER" "$ZONE" 1909set_keytimes_autosign_policy 1910check_keytimes 1911check_apex 1912check_subdomain 1913dnssec_verify 1914 1915# Verify signature reuse. 1916check_rrsig_reuse() { 1917 # Apex. 1918 _qtypes="NS NSEC" 1919 for _qtype in $_qtypes 1920 do 1921 n=$((n+1)) 1922 echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)" 1923 ret=0 1924 dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" 1925 grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" 1926 grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" 1927 # If this exact RRSIG is also in the zone file it is not refreshed. 1928 _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype") 1929 grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}" 1930 test "$ret" -eq 0 || echo_i "failed" 1931 status=$((status+ret)) 1932 done 1933 1934 # Below apex. 1935 _labels="a b c ns3" 1936 for _label in $_labels; 1937 do 1938 _qtypes="A NSEC" 1939 for _qtype in $_qtypes 1940 do 1941 n=$((n+1)) 1942 echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)" 1943 ret=0 1944 dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed" 1945 grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" 1946 grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" 1947 _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype") 1948 grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}" 1949 test "$ret" -eq 0 || echo_i "failed" 1950 status=$((status+ret)) 1951 done 1952 done 1953} 1954 1955check_rrsig_reuse 1956 1957# 1958# Zone: unfresh-sigs.autosign. 1959# 1960set_zone "unfresh-sigs.autosign" 1961set_policy "autosign" "2" "300" 1962set_server "ns3" "10.53.0.3" 1963# Key properties, timings and states same as above. 1964 1965check_keys 1966check_dnssecstatus "$SERVER" "$ZONE" 1967set_keytimes_autosign_policy 1968check_keytimes 1969check_apex 1970check_subdomain 1971dnssec_verify 1972check_rrsig_refresh 1973 1974# 1975# Zone: zsk-missing.autosign. 1976# 1977set_zone "zsk-missing.autosign" 1978set_policy "autosign" "2" "300" 1979set_server "ns3" "10.53.0.3" 1980# Key properties, timings and states same as above. 1981# TODO. 1982 1983# 1984# Zone: zsk-retired.autosign. 1985# 1986set_zone "zsk-retired.autosign" 1987set_policy "autosign" "3" "300" 1988set_server "ns3" "10.53.0.3" 1989# The third key is not yet expected to be signing. 1990set_keyrole "KEY3" "zsk" 1991set_keylifetime "KEY3" "31536000" 1992set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" 1993set_keysigning "KEY3" "no" 1994set_zonesigning "KEY3" "no" 1995# The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK 1996# is active. 1997set_keystate "KEY2" "GOAL" "hidden" 1998set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" 1999set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 2000# A new ZSK should be introduced, so expect a key with goal OMNIPRESENT, 2001# the DNSKEY introduced (RUMOURED) and the signatures HIDDEN. 2002set_keystate "KEY3" "GOAL" "omnipresent" 2003set_keystate "KEY3" "STATE_DNSKEY" "rumoured" 2004set_keystate "KEY3" "STATE_ZRRSIG" "hidden" 2005 2006check_keys 2007check_dnssecstatus "$SERVER" "$ZONE" 2008set_keytimes_autosign_policy 2009 2010# The old ZSK is retired. 2011created=$(key_get KEY2 CREATED) 2012set_keytime "KEY2" "RETIRED" "${created}" 2013set_addkeytime "KEY2" "REMOVED" "${created}" 695100 2014# The new ZSK is immediately published. 2015created=$(key_get KEY3 CREATED) 2016set_keytime "KEY3" "PUBLISHED" "${created}" 2017# And becomes active after Ipub: 2018# DNSKEY TTL: 300 seconds 2019# zone-propagation-delay 5 minutes (300 seconds) 2020# publish-safety: 1 hour (3600 seconds) 2021# Ipub: 4200 seconds 2022published=$(key_get KEY3 PUBLISHED) 2023set_addkeytime "KEY3" "ACTIVE" "${published}" 4200 2024# Lzsk: 1 year (31536000 seconds) 2025active=$(key_get KEY3 ACTIVE) 2026set_addkeytime "KEY3" "RETIRED" "${active}" 31536000 2027# Iret: 695100 seconds. 2028retired=$(key_get KEY3 RETIRED) 2029set_addkeytime "KEY3" "REMOVED" "${retired}" 695100 2030 2031check_keytimes 2032check_apex 2033check_subdomain 2034dnssec_verify 2035check_rrsig_refresh 2036 2037# 2038# Test dnssec-policy inheritance. 2039# 2040 2041# These zones should be unsigned: 2042# ns2/unsigned.tld 2043# ns4/none.inherit.signed 2044# ns4/none.override.signed 2045# ns4/inherit.none.signed 2046# ns4/none.none.signed 2047# ns5/inherit.inherit.unsigned 2048# ns5/none.inherit.unsigned 2049# ns5/none.override.unsigned 2050# ns5/inherit.none.unsigned 2051# ns5/none.none.unsigned 2052key_clear "KEY1" 2053key_clear "KEY2" 2054key_clear "KEY3" 2055key_clear "KEY4" 2056 2057set_zone "unsigned.tld" 2058set_policy "none" "0" "0" 2059set_server "ns2" "10.53.0.2" 2060TSIG="" 2061check_keys 2062check_dnssecstatus "$SERVER" "$ZONE" 2063check_apex 2064check_subdomain 2065 2066set_zone "none.inherit.signed" 2067set_policy "none" "0" "0" 2068set_server "ns4" "10.53.0.4" 2069TSIG="hmac-sha1:sha1:$SHA1" 2070check_keys 2071check_dnssecstatus "$SERVER" "$ZONE" 2072check_apex 2073check_subdomain 2074 2075set_zone "none.override.signed" 2076set_policy "none" "0" "0" 2077set_server "ns4" "10.53.0.4" 2078TSIG="hmac-sha224:sha224:$SHA224" 2079check_keys 2080check_dnssecstatus "$SERVER" "$ZONE" 2081check_apex 2082check_subdomain 2083 2084set_zone "inherit.none.signed" 2085set_policy "none" "0" "0" 2086set_server "ns4" "10.53.0.4" 2087TSIG="hmac-sha256:sha256:$SHA256" 2088check_keys 2089check_dnssecstatus "$SERVER" "$ZONE" 2090check_apex 2091check_subdomain 2092 2093set_zone "none.none.signed" 2094set_policy "none" "0" "0" 2095set_server "ns4" "10.53.0.4" 2096TSIG="hmac-sha256:sha256:$SHA256" 2097check_keys 2098check_dnssecstatus "$SERVER" "$ZONE" 2099check_apex 2100check_subdomain 2101 2102set_zone "inherit.inherit.unsigned" 2103set_policy "none" "0" "0" 2104set_server "ns5" "10.53.0.5" 2105TSIG="hmac-sha1:sha1:$SHA1" 2106check_keys 2107check_dnssecstatus "$SERVER" "$ZONE" 2108check_apex 2109check_subdomain 2110 2111set_zone "none.inherit.unsigned" 2112set_policy "none" "0" "0" 2113set_server "ns5" "10.53.0.5" 2114TSIG="hmac-sha1:sha1:$SHA1" 2115check_keys 2116check_dnssecstatus "$SERVER" "$ZONE" 2117check_apex 2118check_subdomain 2119 2120set_zone "none.override.unsigned" 2121set_policy "none" "0" "0" 2122set_server "ns5" "10.53.0.5" 2123TSIG="hmac-sha224:sha224:$SHA224" 2124check_keys 2125check_dnssecstatus "$SERVER" "$ZONE" 2126check_apex 2127check_subdomain 2128 2129set_zone "inherit.none.unsigned" 2130set_policy "none" "0" "0" 2131set_server "ns5" "10.53.0.5" 2132TSIG="hmac-sha256:sha256:$SHA256" 2133check_keys 2134check_dnssecstatus "$SERVER" "$ZONE" 2135check_apex 2136check_subdomain 2137 2138set_zone "none.none.unsigned" 2139set_policy "none" "0" "0" 2140set_server "ns5" "10.53.0.5" 2141TSIG="hmac-sha256:sha256:$SHA256" 2142check_keys 2143check_dnssecstatus "$SERVER" "$ZONE" 2144check_apex 2145check_subdomain 2146 2147# These zones should be signed with the default policy: 2148# ns2/signed.tld 2149# ns4/override.inherit.signed 2150# ns4/inherit.override.signed 2151# ns5/override.inherit.signed 2152# ns5/inherit.override.signed 2153set_keyrole "KEY1" "csk" 2154set_keylifetime "KEY1" "0" 2155set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 2156set_keysigning "KEY1" "yes" 2157set_zonesigning "KEY1" "yes" 2158 2159set_keystate "KEY1" "GOAL" "omnipresent" 2160set_keystate "KEY1" "STATE_DNSKEY" "rumoured" 2161set_keystate "KEY1" "STATE_KRRSIG" "rumoured" 2162set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" 2163set_keystate "KEY1" "STATE_DS" "hidden" 2164 2165set_zone "signed.tld" 2166set_policy "default" "1" "3600" 2167set_server "ns2" "10.53.0.2" 2168TSIG="" 2169check_keys 2170check_dnssecstatus "$SERVER" "$ZONE" 2171set_keytimes_csk_policy 2172check_keytimes 2173check_apex 2174check_subdomain 2175dnssec_verify 2176 2177set_zone "override.inherit.signed" 2178set_policy "default" "1" "3600" 2179set_server "ns4" "10.53.0.4" 2180TSIG="hmac-sha1:sha1:$SHA1" 2181check_keys 2182check_dnssecstatus "$SERVER" "$ZONE" 2183set_keytimes_csk_policy 2184check_keytimes 2185check_apex 2186check_subdomain 2187dnssec_verify 2188 2189set_zone "inherit.override.signed" 2190set_policy "default" "1" "3600" 2191set_server "ns4" "10.53.0.4" 2192TSIG="hmac-sha224:sha224:$SHA224" 2193check_keys 2194check_dnssecstatus "$SERVER" "$ZONE" 2195set_keytimes_csk_policy 2196check_keytimes 2197check_apex 2198check_subdomain 2199dnssec_verify 2200 2201set_zone "override.inherit.unsigned" 2202set_policy "default" "1" "3600" 2203set_server "ns5" "10.53.0.5" 2204TSIG="hmac-sha1:sha1:$SHA1" 2205check_keys 2206check_dnssecstatus "$SERVER" "$ZONE" 2207set_keytimes_csk_policy 2208check_keytimes 2209check_apex 2210check_subdomain 2211dnssec_verify 2212 2213set_zone "inherit.override.unsigned" 2214set_policy "default" "1" "3600" 2215set_server "ns5" "10.53.0.5" 2216TSIG="hmac-sha224:sha224:$SHA224" 2217check_keys 2218check_dnssecstatus "$SERVER" "$ZONE" 2219set_keytimes_csk_policy 2220check_keytimes 2221check_apex 2222check_subdomain 2223dnssec_verify 2224 2225# These zones should be signed with the test policy: 2226# ns4/inherit.inherit.signed 2227# ns4/override.override.signed 2228# ns4/override.none.signed 2229# ns5/override.override.unsigned 2230# ns5/override.none.unsigned 2231# ns4/example.net (both views) 2232set_keyrole "KEY1" "csk" 2233set_keylifetime "KEY1" "0" 2234set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384" 2235set_keysigning "KEY1" "yes" 2236set_zonesigning "KEY1" "yes" 2237 2238set_zone "inherit.inherit.signed" 2239set_policy "test" "1" "3600" 2240set_server "ns4" "10.53.0.4" 2241TSIG="hmac-sha1:sha1:$SHA1" 2242wait_for_nsec 2243check_keys 2244check_dnssecstatus "$SERVER" "$ZONE" 2245set_keytimes_csk_policy 2246check_keytimes 2247check_apex 2248check_subdomain 2249dnssec_verify 2250 2251set_zone "override.override.signed" 2252set_policy "test" "1" "3600" 2253set_server "ns4" "10.53.0.4" 2254TSIG="hmac-sha224:sha224:$SHA224" 2255wait_for_nsec 2256check_keys 2257check_dnssecstatus "$SERVER" "$ZONE" 2258set_keytimes_csk_policy 2259check_keytimes 2260check_apex 2261check_subdomain 2262dnssec_verify 2263 2264set_zone "override.none.signed" 2265set_policy "test" "1" "3600" 2266set_server "ns4" "10.53.0.4" 2267TSIG="hmac-sha256:sha256:$SHA256" 2268wait_for_nsec 2269check_keys 2270check_dnssecstatus "$SERVER" "$ZONE" 2271set_keytimes_csk_policy 2272check_keytimes 2273check_apex 2274check_subdomain 2275dnssec_verify 2276 2277set_zone "override.override.unsigned" 2278set_policy "test" "1" "3600" 2279set_server "ns5" "10.53.0.5" 2280TSIG="hmac-sha224:sha224:$SHA224" 2281wait_for_nsec 2282check_keys 2283check_dnssecstatus "$SERVER" "$ZONE" 2284set_keytimes_csk_policy 2285check_keytimes 2286check_apex 2287check_subdomain 2288dnssec_verify 2289 2290set_zone "override.none.unsigned" 2291set_policy "test" "1" "3600" 2292set_server "ns5" "10.53.0.5" 2293TSIG="hmac-sha256:sha256:$SHA256" 2294wait_for_nsec 2295check_keys 2296check_dnssecstatus "$SERVER" "$ZONE" 2297set_keytimes_csk_policy 2298check_keytimes 2299check_apex 2300check_subdomain 2301dnssec_verify 2302 2303set_zone "example.net" 2304set_server "ns4" "10.53.0.4" 2305TSIG="hmac-sha1:keyforview1:$VIEW1" 2306wait_for_nsec 2307check_keys 2308check_dnssecstatus "$SERVER" "$ZONE" "example1" 2309set_keytimes_csk_policy 2310check_keytimes 2311check_apex 2312dnssec_verify 2313n=$((n+1)) 2314# check subdomain 2315echo_i "check TXT example.net (view example1) rrset is signed correctly ($n)" 2316ret=0 2317dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" 2318grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" 2319grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view1" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" 2320check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" 2321test "$ret" -eq 0 || echo_i "failed" 2322status=$((status+ret)) 2323 2324TSIG="hmac-sha1:keyforview2:$VIEW2" 2325wait_for_nsec 2326check_keys 2327check_dnssecstatus "$SERVER" "$ZONE" "example2" 2328check_apex 2329dnssec_verify 2330n=$((n+1)) 2331# check subdomain 2332echo_i "check TXT example.net (view example2) rrset is signed correctly ($n)" 2333ret=0 2334dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" 2335grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" 2336grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" 2337check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" 2338test "$ret" -eq 0 || echo_i "failed" 2339status=$((status+ret)) 2340 2341# Clear TSIG. 2342TSIG="" 2343 2344# 2345# Testing DNSSEC introduction. 2346# 2347 2348# 2349# Zone: step1.enable-dnssec.autosign. 2350# 2351set_zone "step1.enable-dnssec.autosign" 2352set_policy "enable-dnssec" "1" "300" 2353set_server "ns3" "10.53.0.3" 2354# Key properties. 2355key_clear "KEY1" 2356set_keyrole "KEY1" "csk" 2357set_keylifetime "KEY1" "0" 2358set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 2359set_keysigning "KEY1" "yes" 2360set_zonesigning "KEY1" "yes" 2361# The DNSKEY and signatures are introduced first, the DS remains hidden. 2362set_keystate "KEY1" "GOAL" "omnipresent" 2363set_keystate "KEY1" "STATE_DNSKEY" "rumoured" 2364set_keystate "KEY1" "STATE_KRRSIG" "rumoured" 2365set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" 2366set_keystate "KEY1" "STATE_DS" "hidden" 2367# This policy lists only one key (CSK). 2368key_clear "KEY2" 2369key_clear "KEY3" 2370key_clear "KEY4" 2371 2372check_keys 2373check_dnssecstatus "$SERVER" "$ZONE" 2374 2375# The first key is immediately published and activated. 2376created=$(key_get KEY1 CREATED) 2377set_keytime "KEY1" "PUBLISHED" "${created}" 2378set_keytime "KEY1" "ACTIVE" "${created}" 2379# The DS can be published if the DNSKEY and RRSIG records are 2380# OMNIPRESENT. This happens after max-zone-ttl (12h) plus 2381# publish-safety (5m) plus zone-propagation-delay (5m) = 2382# 43200 + 300 + 300 = 43800. 2383set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 2384# Key lifetime is unlimited, so not setting RETIRED and REMOVED. 2385 2386check_keytimes 2387check_apex 2388check_subdomain 2389dnssec_verify 2390 2391check_next_key_event() { 2392 _expect=$1 2393 2394 n=$((n+1)) 2395 echo_i "check next key event for zone ${ZONE} ($n)" 2396 ret=0 2397 grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" > "keyevent.out.$ZONE.test$n" || log_error "no next key event for zone ${ZONE}" 2398 2399 # Get the latest next key event. 2400 _time=$(awk '{print $10}' < "keyevent.out.$ZONE.test$n" | tail -1) 2401 2402 # The next key event time must within threshold of the 2403 # expected time. 2404 _expectmin=$((_expect-next_key_event_threshold)) 2405 _expectmax=$((_expect+next_key_event_threshold)) 2406 2407 test $_expectmin -le "$_time" || log_error "bad next key event time ${_time} for zone ${ZONE} (expect ${_expect})" 2408 test $_expectmax -ge "$_time" || log_error "bad next key event time ${_time} for zone ${ZONE} (expect ${_expect})" 2409 2410 test "$ret" -eq 0 || echo_i "failed" 2411 status=$((status+ret)) 2412} 2413 2414# Next key event is when the DNSKEY RRset becomes OMNIPRESENT: DNSKEY TTL plus 2415# publish safety plus the zone propagation delay: 900 seconds. 2416check_next_key_event 900 2417 2418# 2419# Zone: step2.enable-dnssec.autosign. 2420# 2421set_zone "step2.enable-dnssec.autosign" 2422set_policy "enable-dnssec" "1" "300" 2423set_server "ns3" "10.53.0.3" 2424# The DNSKEY is omnipresent, but the zone signatures not yet. 2425# Thus, the DS remains hidden. 2426set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 2427set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 2428 2429check_keys 2430check_dnssecstatus "$SERVER" "$ZONE" 2431 2432# The key was published and activated 900 seconds ago (with settime). 2433created=$(key_get KEY1 CREATED) 2434set_addkeytime "KEY1" "PUBLISHED" "${created}" -900 2435set_addkeytime "KEY1" "ACTIVE" "${created}" -900 2436set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 2437 2438check_keytimes 2439check_apex 2440check_subdomain 2441dnssec_verify 2442 2443# Next key event is when the zone signatures become OMNIPRESENT: max-zone-ttl 2444# plus zone propagation delay plus retire safety minus the already elapsed 2445# 900 seconds: 12h + 300s + 20m - 900 = 44700 - 900 = 43800 seconds 2446check_next_key_event 43800 2447 2448# 2449# Zone: step3.enable-dnssec.autosign. 2450# 2451set_zone "step3.enable-dnssec.autosign" 2452set_policy "enable-dnssec" "1" "300" 2453set_server "ns3" "10.53.0.3" 2454# The DS can be introduced. 2455set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" 2456set_keystate "KEY1" "STATE_DS" "rumoured" 2457 2458check_keys 2459check_dnssecstatus "$SERVER" "$ZONE" 2460 2461# The key was published and activated 44700 seconds ago (with settime). 2462created=$(key_get KEY1 CREATED) 2463set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700 2464set_addkeytime "KEY1" "ACTIVE" "${created}" -44700 2465set_keytime "KEY1" "SYNCPUBLISH" "${created}" 2466 2467check_keytimes 2468check_apex 2469check_subdomain 2470dnssec_verify 2471 2472# Next key event is when the DS can move to the OMNIPRESENT state. This occurs 2473# when the parent registration and propagation delay have passed, plus the 2474# DS TTL and retire safety delay: 1d + 1h + 2h + 20m = 27h20m = 98400 seconds 2475check_next_key_event 98400 2476 2477# 2478# Zone: step4.enable-dnssec.autosign. 2479# 2480set_zone "step4.enable-dnssec.autosign" 2481set_policy "enable-dnssec" "1" "300" 2482set_server "ns3" "10.53.0.3" 2483# The DS is omnipresent. 2484set_keystate "KEY1" "STATE_DS" "omnipresent" 2485 2486check_keys 2487check_dnssecstatus "$SERVER" "$ZONE" 2488 2489# The key was published and activated 143100 seconds ago (with settime). 2490created=$(key_get KEY1 CREATED) 2491set_addkeytime "KEY1" "PUBLISHED" "${created}" -143100 2492set_addkeytime "KEY1" "ACTIVE" "${created}" -143100 2493set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -98400 2494 2495check_keytimes 2496check_apex 2497check_subdomain 2498dnssec_verify 2499 2500# Next key event is never, the zone dnssec-policy has been established. So we 2501# fall back to the default loadkeys interval. 2502check_next_key_event 3600 2503 2504# 2505# Testing ZSK Pre-Publication rollover. 2506# 2507 2508# Policy parameters. 2509# Lksk: 2 years (63072000 seconds) 2510# Lzsk: 30 days (2592000 seconds) 2511# Iret(KSK): DS TTL (1d) + DprpP (1h) + retire-safety (2d) 2512# Iret(KSK): 3d1h (262800 seconds) 2513# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d) 2514# Iret(ZSK): 10d1h (867600 seconds) 2515Lksk=63072000 2516Lzsk=2592000 2517IretKSK=262800 2518IretZSK=867600 2519 2520# 2521# Zone: step1.zsk-prepub.autosign. 2522# 2523set_zone "step1.zsk-prepub.autosign" 2524set_policy "zsk-prepub" "2" "3600" 2525set_server "ns3" "10.53.0.3" 2526 2527set_retired_removed() { 2528 _Lkey=$2 2529 _Iret=$3 2530 2531 _active=$(key_get $1 ACTIVE) 2532 set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}" 2533 _retired=$(key_get $1 RETIRED) 2534 set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}" 2535} 2536 2537rollover_predecessor_keytimes() { 2538 _addtime=$1 2539 2540 _created=$(key_get KEY1 CREATED) 2541 set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" 2542 set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" 2543 set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" 2544 [ "$Lksk" == 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" 2545 2546 _created=$(key_get KEY2 CREATED) 2547 set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}" 2548 set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}" 2549 [ "$Lzsk" == 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" 2550} 2551 2552# Key properties. 2553key_clear "KEY1" 2554set_keyrole "KEY1" "ksk" 2555set_keylifetime "KEY1" "${Lksk}" 2556set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 2557set_keysigning "KEY1" "yes" 2558set_zonesigning "KEY1" "no" 2559 2560key_clear "KEY2" 2561set_keyrole "KEY2" "zsk" 2562set_keylifetime "KEY2" "${Lzsk}" 2563set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" 2564set_keysigning "KEY2" "no" 2565set_zonesigning "KEY2" "yes" 2566# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. 2567set_keystate "KEY1" "GOAL" "omnipresent" 2568set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 2569set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 2570set_keystate "KEY1" "STATE_DS" "omnipresent" 2571 2572set_keystate "KEY2" "GOAL" "omnipresent" 2573set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" 2574set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 2575# Initially only two keys. 2576key_clear "KEY3" 2577key_clear "KEY4" 2578 2579check_keys 2580check_dnssecstatus "$SERVER" "$ZONE" 2581 2582# These keys are immediately published and activated. 2583rollover_predecessor_keytimes 0 2584check_keytimes 2585check_apex 2586check_subdomain 2587dnssec_verify 2588 2589# Next key event is when the successor ZSK needs to be published. That is 2590# the ZSK lifetime - prepublication time. The prepublication time is DNSKEY 2591# TTL plus publish safety plus the zone propagation delay. For the 2592# zsk-prepub policy that means: 30d - 3600s + 1d + 1h = 2498400 seconds. 2593check_next_key_event 2498400 2594 2595# 2596# Zone: step2.zsk-prepub.autosign. 2597# 2598set_zone "step2.zsk-prepub.autosign" 2599set_policy "zsk-prepub" "3" "3600" 2600set_server "ns3" "10.53.0.3" 2601# New ZSK (KEY3) is prepublished, but not yet signing. 2602key_clear "KEY3" 2603set_keyrole "KEY3" "zsk" 2604set_keylifetime "KEY3" "${Lzsk}" 2605set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" 2606set_keysigning "KEY3" "no" 2607set_zonesigning "KEY3" "no" 2608# Key states. 2609set_keystate "KEY2" "GOAL" "hidden" 2610set_keystate "KEY3" "GOAL" "omnipresent" 2611set_keystate "KEY3" "STATE_DNSKEY" "rumoured" 2612set_keystate "KEY3" "STATE_ZRRSIG" "hidden" 2613 2614check_keys 2615check_dnssecstatus "$SERVER" "$ZONE" 2616 2617# The old keys were activated 694 hours ago (2498400 seconds). 2618rollover_predecessor_keytimes -2498400 2619# The new ZSK is published now. 2620created=$(key_get KEY3 CREATED) 2621set_keytime "KEY3" "PUBLISHED" "${created}" 2622# The new ZSK becomes active when the DNSKEY is OMNIPRESENT. 2623# Ipub: TTLkey (1h) + Dprp (1h) + publish-safety (1d) 2624# Ipub: 26 hour (93600 seconds). 2625IpubZSK=93600 2626set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubZSK}" 2627set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" 2628check_keytimes 2629check_apex 2630check_subdomain 2631dnssec_verify 2632 2633# Next key event is when the successor ZSK becomes OMNIPRESENT. That is the 2634# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For 2635# the zsk-prepub policy, this means: 3600s + 1h + 1d = 93600 seconds. 2636check_next_key_event 93600 2637 2638# 2639# Zone: step3.zsk-prepub.autosign. 2640# 2641set_zone "step3.zsk-prepub.autosign" 2642set_policy "zsk-prepub" "3" "3600" 2643set_server "ns3" "10.53.0.3" 2644# ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE. 2645# New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED. 2646set_zonesigning "KEY2" "no" 2647set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" 2648set_zonesigning "KEY3" "yes" 2649set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" 2650set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" 2651 2652check_keys 2653check_dnssecstatus "$SERVER" "$ZONE" 2654 2655# The old keys are activated 30 days ago (2592000 seconds). 2656rollover_predecessor_keytimes -2592000 2657# The new ZSK is published 26 hours ago (93600 seconds). 2658created=$(key_get KEY3 CREATED) 2659set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600 2660set_keytime "KEY3" "ACTIVE" "${created}" 2661set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" 2662check_keytimes 2663check_apex 2664# Subdomain still has good signatures of ZSK (KEY2). 2665# Set expected zone signing on for KEY2 and off for KEY3, 2666# testing whether signatures which are still valid are being reused. 2667set_zonesigning "KEY2" "yes" 2668set_zonesigning "KEY3" "no" 2669check_subdomain 2670# Restore the expected zone signing properties. 2671set_zonesigning "KEY2" "no" 2672set_zonesigning "KEY3" "yes" 2673dnssec_verify 2674 2675# Next key event is when all the RRSIG records have been replaced with 2676# signatures of the new ZSK, in other words when ZRRSIG becomes OMNIPRESENT. 2677# That is Dsgn plus the maximum zone TTL plus the zone propagation delay plus 2678# retire-safety. For the zsk-prepub policy that means: 1w (because 2w validity 2679# and refresh within a week) + 1d + 1h + 2d = 10d1h = 867600 seconds. 2680check_next_key_event 867600 2681 2682# 2683# Zone: step4.zsk-prepub.autosign. 2684# 2685set_zone "step4.zsk-prepub.autosign" 2686set_policy "zsk-prepub" "3" "3600" 2687set_server "ns3" "10.53.0.3" 2688# ZSK (KEY2) DNSKEY is no longer needed. 2689# ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED. 2690set_keystate "KEY2" "STATE_DNSKEY" "unretentive" 2691set_keystate "KEY2" "STATE_ZRRSIG" "hidden" 2692set_keystate "KEY3" "STATE_ZRRSIG" "omnipresent" 2693 2694check_keys 2695check_dnssecstatus "$SERVER" "$ZONE" 2696 2697# The old keys are activated 961 hours ago (3459600 seconds). 2698rollover_predecessor_keytimes -3459600 2699# The new ZSK is published 267 hours ago (961200 seconds). 2700created=$(key_get KEY3 CREATED) 2701set_addkeytime "KEY3" "PUBLISHED" "${created}" -961200 2702published=$(key_get KEY3 PUBLISHED) 2703set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" 2704set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" 2705check_keytimes 2706check_apex 2707check_subdomain 2708dnssec_verify 2709 2710# Next key event is when the DNSKEY enters the HIDDEN state. This is the 2711# DNSKEY TTL plus zone propagation delay. For the zsk-prepub policy this is: 2712# 3600s + 1h = 7200s 2713check_next_key_event 7200 2714 2715# 2716# Zone: step5.zsk-prepub.autosign. 2717# 2718set_zone "step5.zsk-prepub.autosign" 2719set_policy "zsk-prepub" "3" "3600" 2720set_server "ns3" "10.53.0.3" 2721# ZSK (KEY2) DNSKEY is now completely HIDDEN and removed. 2722set_keystate "KEY2" "STATE_DNSKEY" "hidden" 2723 2724check_keys 2725check_dnssecstatus "$SERVER" "$ZONE" 2726 2727# The old keys are activated 962 hours ago (3463200 seconds). 2728rollover_predecessor_keytimes -3463200 2729# The new ZSK is published 268 hours ago (964800 seconds). 2730created=$(key_get KEY3 CREATED) 2731set_addkeytime "KEY3" "PUBLISHED" "${created}" -964800 2732published=$(key_get KEY3 PUBLISHED) 2733set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" 2734set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" 2735check_keytimes 2736check_apex 2737check_subdomain 2738dnssec_verify 2739 2740# Next key event is when the new successor needs to be published. This is the 2741# ZSK lifetime minus Iret minus Ipub minus DNSKEY TTL. For the zsk-prepub 2742# policy this is: 30d - 867600s - 93600s - 3600s = 1627200 seconds. 2743check_next_key_event 1627200 2744 2745# 2746# Testing KSK Double-KSK rollover. 2747# 2748 2749# Policy parameters. 2750# Lksk: 60 days (16070400 seconds) 2751# Lzsk: 1 year (31536000 seconds) 2752# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2d) 2753# Iret(KSK): 50h (180000 seconds) 2754# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (1w) + retire-safety (2d) 2755# Iret(ZSK): 10d1h (867600 seconds) 2756Lksk=5184000 2757Lzsk=31536000 2758IretKSK=180000 2759IretZSK=867600 2760 2761# 2762# Zone: step1.ksk-doubleksk.autosign. 2763# 2764set_zone "step1.ksk-doubleksk.autosign" 2765set_policy "ksk-doubleksk" "2" "7200" 2766set_server "ns3" "10.53.0.3" 2767# Key properties. 2768key_clear "KEY1" 2769set_keyrole "KEY1" "ksk" 2770set_keylifetime "KEY1" "${Lksk}" 2771set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 2772set_keysigning "KEY1" "yes" 2773set_zonesigning "KEY1" "no" 2774 2775key_clear "KEY2" 2776set_keyrole "KEY2" "zsk" 2777set_keylifetime "KEY2" "${Lzsk}" 2778set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" 2779set_keysigning "KEY2" "no" 2780set_zonesigning "KEY2" "yes" 2781# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. 2782set_keystate "KEY1" "GOAL" "omnipresent" 2783set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 2784set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 2785set_keystate "KEY1" "STATE_DS" "omnipresent" 2786 2787set_keystate "KEY2" "GOAL" "omnipresent" 2788set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" 2789set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 2790# Initially only two keys. 2791key_clear "KEY3" 2792key_clear "KEY4" 2793 2794check_keys 2795check_dnssecstatus "$SERVER" "$ZONE" 2796 2797# These keys are immediately published and activated. 2798rollover_predecessor_keytimes 0 2799check_keytimes 2800check_apex 2801check_subdomain 2802dnssec_verify 2803 2804# Next key event is when the successor KSK needs to be published. That is 2805# the KSK lifetime - prepublication time - DS registration delay. The 2806# prepublication time is DNSKEY TTL plus publish safety plus the zone 2807# propagation delay. For the ksk-doubleksk policy that means: 2808# 60d - (1d3h) - (1d) = 5000400 seconds. 2809check_next_key_event 5000400 2810 2811# 2812# Zone: step2.ksk-doubleksk.autosign. 2813# 2814set_zone "step2.ksk-doubleksk.autosign" 2815set_policy "ksk-doubleksk" "3" "7200" 2816set_server "ns3" "10.53.0.3" 2817# New KSK (KEY3) is prepublished (and signs DNSKEY RRset). 2818key_clear "KEY3" 2819set_keyrole "KEY3" "ksk" 2820set_keylifetime "KEY3" "${Lksk}" 2821set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" 2822set_keysigning "KEY3" "yes" 2823set_zonesigning "KEY3" "no" 2824# Key states. 2825set_keystate "KEY1" "GOAL" "hidden" 2826set_keystate "KEY3" "GOAL" "omnipresent" 2827set_keystate "KEY3" "STATE_DNSKEY" "rumoured" 2828set_keystate "KEY3" "STATE_KRRSIG" "rumoured" 2829set_keystate "KEY3" "STATE_DS" "hidden" 2830 2831check_keys 2832check_dnssecstatus "$SERVER" "$ZONE" 2833 2834# The old keys were activated 1413 hours ago (5086800 seconds). 2835rollover_predecessor_keytimes -5086800 2836# The new KSK is published now. 2837created=$(key_get KEY3 CREATED) 2838set_keytime "KEY3" "PUBLISHED" "${created}" 2839# The new KSK should publish the CDS after the prepublication time. 2840# TTLkey: 2h 2841# DprpC: 1h 2842# publish-safety: 1d 2843# IpubC: 27h (97200 seconds) 2844IpubC=97200 2845set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${IpubC}" 2846# The new KSK becomes active after the registration delay. 2847# Dreg: 1d (86400 seconds) 2848Dreg=86400 2849syncpub=$(key_get KEY3 SYNCPUBLISH) 2850set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}" 2851set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" 2852check_keytimes 2853check_apex 2854check_subdomain 2855dnssec_verify 2856 2857# Next key event is when the successor KSK becomes OMNIPRESENT. That is the 2858# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For 2859# the ksk-doubleksk policy, this means: 7200s + 1h + 1d = 97200 seconds. 2860check_next_key_event 97200 2861 2862# 2863# Zone: step3.ksk-doubleksk.autosign. 2864# 2865set_zone "step3.ksk-doubleksk.autosign" 2866set_policy "ksk-doubleksk" "3" "7200" 2867set_server "ns3" "10.53.0.3" 2868# KSK (KEY1) DS will be removed, so it is UNRETENTIVE. 2869set_keystate "KEY1" "STATE_DS" "unretentive" 2870# New KSK (KEY3) has its DS submitted. 2871set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" 2872set_keystate "KEY3" "STATE_KRRSIG" "omnipresent" 2873set_keystate "KEY3" "STATE_DS" "rumoured" 2874 2875check_keys 2876check_dnssecstatus "$SERVER" "$ZONE" 2877 2878# The old keys were activated 59 days ago (5097600 seconds). 2879rollover_predecessor_keytimes -5097600 2880# The new KSK is published 27 hours ago (97200 seconds). 2881created=$(key_get KEY3 CREATED) 2882set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200 2883# The new KSK CDS is published now. 2884set_keytime "KEY3" "SYNCPUBLISH" "${created}" 2885# The new KSK becomes active Dreg (1d) later. 2886syncpub=$(key_get KEY3 SYNCPUBLISH) 2887set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}" 2888set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" 2889check_keytimes 2890check_apex 2891check_subdomain 2892dnssec_verify 2893 2894# Next key event is when the predecessor DS has been replaced with the 2895# successor DS and enough time has passed such that the all validators that 2896# have this DS RRset cached only know about the successor DS. This is the 2897# registration delay plus the retire interval, which is the parent 2898# propagation delay plus the DS TTL plus the retire-safety. For the 2899# ksk-double-ksk policy this means: 1d + 1h + 3600s + 2d = 3d2h = 2900# 266400 seconds. 2901check_next_key_event 266400 2902 2903# 2904# Zone: step4.ksk-doubleksk.autosign. 2905# 2906set_zone "step4.ksk-doubleksk.autosign" 2907set_policy "ksk-doubleksk" "3" "7200" 2908set_server "ns3" "10.53.0.3" 2909# KSK (KEY1) DNSKEY can be removed. 2910set_keysigning "KEY1" "no" 2911set_keystate "KEY1" "STATE_DNSKEY" "unretentive" 2912set_keystate "KEY1" "STATE_KRRSIG" "unretentive" 2913set_keystate "KEY1" "STATE_DS" "hidden" 2914# New KSK (KEY3) DS is now OMNIPRESENT. 2915set_keystate "KEY3" "STATE_DS" "omnipresent" 2916 2917check_keys 2918check_dnssecstatus "$SERVER" "$ZONE" 2919 2920# The old keys were activated 1490 hours ago (5364000 seconds). 2921rollover_predecessor_keytimes -5364000 2922# The new KSK is published 101 hours ago (363600 seconds). 2923created=$(key_get KEY3 CREATED) 2924set_addkeytime "KEY3" "PUBLISHED" "${created}" -363600 2925published=$(key_get KEY3 PUBLISHED) 2926set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}" 2927syncpub=$(key_get KEY3 SYNCPUBLISH) 2928set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}" 2929set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" 2930check_keytimes 2931check_apex 2932check_subdomain 2933dnssec_verify 2934 2935# Next key event is when the DNSKEY enters the HIDDEN state. This is the 2936# DNSKEY TTL plus zone propagation delay. For the ksk-doubleksk policy this is: 2937# 7200s + 1h = 10800s 2938check_next_key_event 10800 2939 2940# 2941# Zone: step5.ksk-doubleksk.autosign. 2942# 2943set_zone "step5.ksk-doubleksk.autosign" 2944set_policy "ksk-doubleksk" "3" "7200" 2945set_server "ns3" "10.53.0.3" 2946# KSK (KEY1) DNSKEY is now HIDDEN. 2947set_keystate "KEY1" "STATE_DNSKEY" "hidden" 2948set_keystate "KEY1" "STATE_KRRSIG" "hidden" 2949 2950check_keys 2951check_dnssecstatus "$SERVER" "$ZONE" 2952 2953# The old KSK is activated 1492 hours ago (5371200 seconds). 2954rollover_predecessor_keytimes -5371200 2955# The new KSK is published 103 hours ago (370800 seconds). 2956created=$(key_get KEY3 CREATED) 2957set_addkeytime "KEY3" "PUBLISHED" "${created}" -370800 2958published=$(key_get KEY3 PUBLISHED) 2959set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}" 2960syncpub=$(key_get KEY3 SYNCPUBLISH) 2961set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}" 2962set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" 2963check_keytimes 2964check_apex 2965check_subdomain 2966dnssec_verify 2967 2968# Next key event is when the new successor needs to be published. This is the 2969# KSK lifetime minus Ipub minus Dreg minus Iret minus DNSKEY TTL. For the 2970# ksk-doubleksk this is: 60d - 1d3h - 1d - 2d2h - 2h = 2971# 5184000 - 97200 - 86400 - 180000 - 7200 = 4813200 seconds. 2972check_next_key_event 4813200 2973 2974# 2975# Testing CSK key rollover (1). 2976# 2977 2978# Policy parameters. 2979# Lcsk: 186 days (5184000 seconds) 2980# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (2h) 2981# Iret(KSK): 4h (14400 seconds) 2982# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (25d) + retire-safety (2h) 2983# Iret(ZSK): 26d3h (2257200 seconds) 2984Lcsk=16070400 2985IretKSK=14400 2986IretZSK=2257200 2987IretCSK=$IretZSK 2988 2989csk_rollover_predecessor_keytimes() { 2990 _addksktime=$1 2991 _addzsktime=$2 2992 2993 _created=$(key_get KEY1 CREATED) 2994 set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addksktime}" 2995 set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addzsktime}" 2996 set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addzsktime}" 2997 [ "$Lcsk" == 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}" 2998} 2999 3000# 3001# Zone: step1.csk-roll.autosign. 3002# 3003set_zone "step1.csk-roll.autosign" 3004set_policy "csk-roll" "1" "3600" 3005set_server "ns3" "10.53.0.3" 3006# Key properties. 3007key_clear "KEY1" 3008set_keyrole "KEY1" "csk" 3009set_keylifetime "KEY1" "${Lcsk}" 3010set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 3011set_keysigning "KEY1" "yes" 3012set_zonesigning "KEY1" "yes" 3013# The CSK (KEY1) starts in OMNIPRESENT. 3014set_keystate "KEY1" "GOAL" "omnipresent" 3015set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 3016set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 3017set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" 3018set_keystate "KEY1" "STATE_DS" "omnipresent" 3019# Initially only one key. 3020key_clear "KEY2" 3021key_clear "KEY3" 3022key_clear "KEY4" 3023 3024check_keys 3025check_dnssecstatus "$SERVER" "$ZONE" 3026 3027# This key is immediately published and activated. 3028csk_rollover_predecessor_keytimes 0 0 3029check_keytimes 3030check_apex 3031check_subdomain 3032dnssec_verify 3033 3034# Next key event is when the successor CSK needs to be published. 3035# This is Lcsk - Ipub - Dreg. 3036# Lcsk: 186d (16070400 seconds) 3037# Ipub: 3h (10800 seconds) 3038check_next_key_event 16059600 3039 3040# 3041# Zone: step2.csk-roll.autosign. 3042# 3043set_zone "step2.csk-roll.autosign" 3044set_policy "csk-roll" "2" "3600" 3045set_server "ns3" "10.53.0.3" 3046# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets). 3047key_clear "KEY2" 3048set_keyrole "KEY2" "csk" 3049set_keylifetime "KEY2" "16070400" 3050set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" 3051set_keysigning "KEY2" "yes" 3052set_zonesigning "KEY2" "no" 3053# Key states. 3054set_keystate "KEY1" "GOAL" "hidden" 3055set_keystate "KEY2" "GOAL" "omnipresent" 3056set_keystate "KEY2" "STATE_DNSKEY" "rumoured" 3057set_keystate "KEY2" "STATE_KRRSIG" "rumoured" 3058set_keystate "KEY2" "STATE_ZRRSIG" "hidden" 3059set_keystate "KEY2" "STATE_DS" "hidden" 3060 3061check_keys 3062check_dnssecstatus "$SERVER" "$ZONE" 3063 3064# This key was activated 4437 hours ago (15973200 seconds) 3065# and started signing 4461 hours ago (16059600 seconds). 3066csk_rollover_predecessor_keytimes -15973200 -16059600 3067# The new CSK is published now. 3068created=$(key_get KEY2 CREATED) 3069set_keytime "KEY2" "PUBLISHED" "${created}" 3070# The new CSK should publish the CDS after the prepublication time. 3071# Ipub: 3 hour (10800 seconds) 3072Ipub="10800" 3073set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" 3074set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" 3075set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" 3076check_keytimes 3077check_apex 3078check_subdomain 3079dnssec_verify 3080 3081# Next key event is when the successor CSK becomes OMNIPRESENT. That is the 3082# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For 3083# the csk-roll policy, this means 3 hours = 10800 seconds. 3084check_next_key_event 10800 3085 3086# 3087# Zone: step3.csk-roll.autosign. 3088# 3089set_zone "step3.csk-roll.autosign" 3090set_policy "csk-roll" "2" "3600" 3091set_server "ns3" "10.53.0.3" 3092# Swap zone signing role. 3093set_zonesigning "KEY1" "no" 3094set_zonesigning "KEY2" "yes" 3095# CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE. 3096set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" 3097set_keystate "KEY1" "STATE_DS" "unretentive" 3098# New CSK (KEY2) has its DS submitted, and is signing, so the DS and ZRRSIG 3099# are in RUMOURED state. 3100set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" 3101set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" 3102set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" 3103set_keystate "KEY2" "STATE_DS" "rumoured" 3104 3105check_keys 3106check_dnssecstatus "$SERVER" "$ZONE" 3107 3108# This key was activated 185 days ago (15984000 seconds) 3109# and started signing 186 days ago (16070400 seconds). 3110csk_rollover_predecessor_keytimes -15984000 -16070400 3111# The new CSK is published three hours ago, CDS must be published now. 3112# Also signatures are being introduced now. 3113created=$(key_get KEY2 CREATED) 3114set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}" 3115set_keytime "KEY2" "SYNCPUBLISH" "${created}" 3116set_keytime "KEY2" "ACTIVE" "${created}" 3117set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" 3118check_keytimes 3119check_apex 3120# Subdomain still has good signatures of old CSK (KEY1). 3121# Set expected zone signing on for KEY1 and off for KEY2, 3122# testing whether signatures which are still valid are being reused. 3123set_zonesigning "KEY1" "yes" 3124set_zonesigning "KEY2" "no" 3125check_subdomain 3126# Restore the expected zone signing properties. 3127set_zonesigning "KEY1" "no" 3128set_zonesigning "KEY2" "yes" 3129dnssec_verify 3130 3131# Next key event is when the predecessor DS has been replaced with the 3132# successor DS and enough time has passed such that the all validators that 3133# have this DS RRset cached only know about the successor DS. This is the 3134# registration delay plus the retire interval, which is the parent 3135# propagation delay plus the DS TTL plus the retire-safety. For the 3136# csk-roll policy this means: 1d + 1h + 1h + 2h = 1d4h = 100800 seconds. 3137check_next_key_event 100800 3138 3139# 3140# Zone: step4.csk-roll.autosign. 3141# 3142set_zone "step4.csk-roll.autosign" 3143set_policy "csk-roll" "2" "3600" 3144set_server "ns3" "10.53.0.3" 3145# The old CSK (KEY1) is no longer signing the DNSKEY RRset. 3146set_keysigning "KEY1" "no" 3147# The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public 3148# but can remove the KRRSIG records. 3149set_keystate "KEY1" "STATE_KRRSIG" "unretentive" 3150set_keystate "KEY1" "STATE_DS" "hidden" 3151# The new CSK (KEY2) DS is now OMNIPRESENT. 3152set_keystate "KEY2" "STATE_DS" "omnipresent" 3153 3154check_keys 3155check_dnssecstatus "$SERVER" "$ZONE" 3156 3157# This key was activated 4468 hours ago (16084800 seconds) 3158# and started signing 4492 hours ago (16171200 seconds). 3159csk_rollover_predecessor_keytimes -16084800 -16171200 3160# The new CSK started signing 1d4h ago (100800 seconds). 3161created=$(key_get KEY2 CREATED) 3162set_addkeytime "KEY2" "ACTIVE" "${created}" -100800 3163set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -100800 3164syncpub=$(key_get KEY2 SYNCPUBLISH) 3165set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" 3166set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" 3167check_keytimes 3168check_apex 3169check_subdomain 3170dnssec_verify 3171 3172# Next key event is when the KRRSIG enters the HIDDEN state. This is the 3173# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is: 3174# 1h + 1h = 7200 seconds. 3175check_next_key_event 7200 3176 3177# 3178# Zone: step5.csk-roll.autosign. 3179# 3180set_zone "step5.csk-roll.autosign" 3181set_policy "csk-roll" "2" "3600" 3182set_server "ns3" "10.53.0.3" 3183# The old CSK (KEY1) KRRSIG records are now all hidden. 3184set_keystate "KEY1" "STATE_KRRSIG" "hidden" 3185 3186check_keys 3187check_dnssecstatus "$SERVER" "$ZONE" 3188 3189# This key was activated 4470 hours ago (16092000 seconds) 3190# and started signing 4494 hours ago (16178400 seconds). 3191csk_rollover_predecessor_keytimes -16092000 -16178400 3192# The new CSK started signing 1d6h ago (108000 seconds). 3193created=$(key_get KEY2 CREATED) 3194set_addkeytime "KEY2" "ACTIVE" "${created}" -108000 3195set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -108000 3196syncpub=$(key_get KEY2 SYNCPUBLISH) 3197set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" 3198set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" 3199check_keytimes 3200check_apex 3201check_subdomain 3202dnssec_verify 3203 3204# Next key event is when the DNSKEY can be removed. This is when all ZRRSIG 3205# records have been replaced with signatures of the new CSK. We have 3206# calculated the interval to be 26d3h of which 1d4h (Dreg + Iret(KSK)) plus 3207# 2h (DNSKEY TTL + Dprp) have already passed. So next key event is in 3208# 26d3h - 1d4h - 2h = 597h = 2149200 seconds. 3209check_next_key_event 2149200 3210 3211# 3212# Zone: step6.csk-roll.autosign. 3213# 3214set_zone "step6.csk-roll.autosign" 3215set_policy "csk-roll" "2" "3600" 3216set_server "ns3" "10.53.0.3" 3217# The old CSK (KEY1) ZRRSIG records are now all hidden (so the DNSKEY can 3218# be removed). 3219set_keystate "KEY1" "STATE_DNSKEY" "unretentive" 3220set_keystate "KEY1" "STATE_ZRRSIG" "hidden" 3221# The new CSK (KEY2) is now fully OMNIPRESENT. 3222set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 3223 3224check_keys 3225check_dnssecstatus "$SERVER" "$ZONE" 3226 3227# This key was activated 5067 hours ago (18241200 seconds) 3228# and started signing 5091 hours ago (18327600 seconds). 3229csk_rollover_predecessor_keytimes -18241200 -18327600 3230# The new CSK is activated 627 hours ago (2257200 seconds). 3231created=$(key_get KEY2 CREATED) 3232set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200 3233set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2257200 3234syncpub=$(key_get KEY2 SYNCPUBLISH) 3235set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" 3236set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" 3237check_keytimes 3238check_apex 3239check_subdomain 3240dnssec_verify 3241 3242# Next key event is when the DNSKEY enters the HIDDEN state. This is the 3243# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is: 3244# 1h + 1h = 7200 seconds. 3245check_next_key_event 7200 3246 3247# 3248# Zone: step7.csk-roll.autosign. 3249# 3250set_zone "step7.csk-roll.autosign" 3251set_policy "csk-roll" "2" "3600" 3252set_server "ns3" "10.53.0.3" 3253# The old CSK (KEY1) is now completely HIDDEN. 3254set_keystate "KEY1" "STATE_DNSKEY" "hidden" 3255 3256check_keys 3257check_dnssecstatus "$SERVER" "$ZONE" 3258 3259# This key was activated 5069 hours ago (18248400 seconds) 3260# and started signing 5093 hours ago (18334800 seconds). 3261csk_rollover_predecessor_keytimes -18248400 -18334800 3262# The new CSK is activated 629 hours ago (2264400 seconds). 3263created=$(key_get KEY2 CREATED) 3264set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400 3265set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2264400 3266syncpub=$(key_get KEY2 SYNCPUBLISH) 3267set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" 3268set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" 3269check_keytimes 3270check_apex 3271check_subdomain 3272dnssec_verify 3273 3274# Next key event is when the new successor needs to be published. 3275# This is the Lcsk, minus time passed since the key started signing, 3276# minus the prepublication time. 3277# Lcsk: 186d (16070400 seconds) 3278# Time passed: 629h (2264400 seconds) 3279# Ipub: 3h (10800 seconds) 3280check_next_key_event 13795200 3281 3282# 3283# Testing CSK key rollover (2). 3284# 3285 3286# Policy parameters. 3287# Lcsk: 186 days (16070400 seconds) 3288# Dreg: : 1w (604800 seconds) 3289# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (1h) 3290# Iret(KSK): 3h (10800 seconds) 3291# Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (12h) + retire-safety (1h) 3292# Iret(ZSK): 38h (136800 seconds) 3293Lcsk=16070400 3294Dreg=604800 3295IretKSK=10800 3296IretZSK=136800 3297IretCSK=$((Dreg+IretKSK)) 3298 3299# 3300# Zone: step1.csk-roll2.autosign. 3301# 3302set_zone "step1.csk-roll2.autosign" 3303set_policy "csk-roll2" "1" "3600" 3304set_server "ns3" "10.53.0.3" 3305# Key properties. 3306key_clear "KEY1" 3307set_keyrole "KEY1" "csk" 3308set_keylifetime "KEY1" "16070400" 3309set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 3310set_keysigning "KEY1" "yes" 3311set_zonesigning "KEY1" "yes" 3312# The CSK (KEY1) starts in OMNIPRESENT. 3313set_keystate "KEY1" "GOAL" "omnipresent" 3314set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 3315set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 3316set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" 3317set_keystate "KEY1" "STATE_DS" "omnipresent" 3318# Initially only one key. 3319key_clear "KEY2" 3320key_clear "KEY3" 3321key_clear "KEY4" 3322 3323check_keys 3324check_dnssecstatus "$SERVER" "$ZONE" 3325 3326# This key is immediately published and activated. 3327csk_rollover_predecessor_keytimes 0 0 3328check_keytimes 3329check_apex 3330check_subdomain 3331dnssec_verify 3332 3333# Next key event is when the successor CSK needs to be published. 3334# This is Lcsk - Ipub - Dreg. 3335# Lcsk: 186d (16070400 seconds) 3336# Ipub: 3h (10800 seconds) 3337check_next_key_event 16059600 3338 3339# 3340# Zone: step2.csk-roll2.autosign. 3341# 3342set_zone "step2.csk-roll2.autosign" 3343set_policy "csk-roll2" "2" "3600" 3344set_server "ns3" "10.53.0.3" 3345# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets). 3346key_clear "KEY2" 3347set_keyrole "KEY2" "csk" 3348set_keylifetime "KEY2" "16070400" 3349set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" 3350set_keysigning "KEY2" "yes" 3351set_zonesigning "KEY2" "no" 3352# Key states. 3353set_keystate "KEY1" "GOAL" "hidden" 3354set_keystate "KEY2" "GOAL" "omnipresent" 3355set_keystate "KEY2" "STATE_DNSKEY" "rumoured" 3356set_keystate "KEY2" "STATE_KRRSIG" "rumoured" 3357set_keystate "KEY2" "STATE_ZRRSIG" "hidden" 3358set_keystate "KEY2" "STATE_DS" "hidden" 3359 3360check_keys 3361check_dnssecstatus "$SERVER" "$ZONE" 3362 3363# This key was activated 4293 hours ago (15454800 seconds) 3364# and started signing 4461 hours ago (16059600 seconds). 3365csk_rollover_predecessor_keytimes -15454800 -16059600 3366# The new CSK is published now. 3367created=$(key_get KEY2 CREATED) 3368set_keytime "KEY2" "PUBLISHED" "${created}" 3369# The new CSK should publish the CDS after the prepublication time. 3370# Ipub: 3 hour (10800 seconds) 3371Ipub="10800" 3372set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" 3373set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" 3374set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" 3375 3376check_apex 3377check_subdomain 3378dnssec_verify 3379 3380# Next key event is when the successor CSK becomes OMNIPRESENT. That is the 3381# DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For 3382# the csk-roll2 policy, this means 3 hours = 10800 seconds. 3383check_next_key_event 10800 3384 3385# 3386# Zone: step3.csk-roll2.autosign. 3387# 3388set_zone "step3.csk-roll2.autosign" 3389set_policy "csk-roll2" "2" "3600" 3390set_server "ns3" "10.53.0.3" 3391# CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE. 3392set_zonesigning "KEY1" "no" 3393set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" 3394set_keystate "KEY1" "STATE_DS" "unretentive" 3395# New CSK (KEY2) has its DS submitted, and is signing, so the DS and ZRRSIG 3396# are in RUMOURED state. 3397set_zonesigning "KEY2" "yes" 3398set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" 3399set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" 3400set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" 3401set_keystate "KEY2" "STATE_DS" "rumoured" 3402 3403check_keys 3404check_dnssecstatus "$SERVER" "$ZONE" 3405 3406# This key was activated 179 days ago (15465600 seconds) 3407# and started signing 186 days ago (16070400 seconds). 3408csk_rollover_predecessor_keytimes -15465600 -16070400 3409# The new CSK is published three hours ago, CDS must be published now. 3410# Also signatures are being introduced now. 3411created=$(key_get KEY2 CREATED) 3412set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}" 3413set_keytime "KEY2" "SYNCPUBLISH" "${created}" 3414set_keytime "KEY2" "ACTIVE" "${created}" 3415set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" 3416check_keytimes 3417check_apex 3418# Subdomain still has good signatures of old CSK (KEY1). 3419# Set expected zone signing on for KEY1 and off for KEY2, 3420# testing whether signatures which are still valid are being reused. 3421set_zonesigning "KEY1" "yes" 3422set_zonesigning "KEY2" "no" 3423check_subdomain 3424# Restore the expected zone signing properties. 3425set_zonesigning "KEY1" "no" 3426set_zonesigning "KEY2" "yes" 3427dnssec_verify 3428 3429# Next key event is when the predecessor ZRRSIG records have been replaced 3430# with that of the successor and enough time has passed such that the all 3431# validators that have such signed RRsets in cache only know about the 3432# successor signatures. This is the retire interval: Dsgn plus the 3433# maximum zone TTL plus the zone propagation delay plus retire-safety. For the 3434# csk-roll2 policy that means: 12h (because 1d validity and refresh within 3435# 12 hours) + 1d + 1h + 1h = 38h = 136800 seconds. 3436check_next_key_event 136800 3437 3438# 3439# Zone: step4.csk-roll2.autosign. 3440# 3441set_zone "step4.csk-roll2.autosign" 3442set_policy "csk-roll2" "2" "3600" 3443set_server "ns3" "10.53.0.3" 3444# The old CSK (KEY1) ZRRSIG is now HIDDEN. 3445set_keystate "KEY1" "STATE_ZRRSIG" "hidden" 3446# The new CSK (KEY2) ZRRSIG is now OMNIPRESENT. 3447set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 3448 3449check_keys 3450check_dnssecstatus "$SERVER" "$ZONE" 3451 3452# This key was activated 4334 hours ago (15602400 seconds) 3453# and started signing 4502 hours ago (16207200 seconds). 3454csk_rollover_predecessor_keytimes -15602400 -16207200 3455# The new CSK was published 41 hours (147600 seconds) ago. 3456created=$(key_get KEY2 CREATED) 3457set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600 3458published=$(key_get KEY2 PUBLISHED) 3459set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" 3460set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" 3461set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" 3462check_keytimes 3463check_apex 3464check_subdomain 3465dnssec_verify 3466 3467# Next key event is when the predecessor DS has been replaced with the 3468# successor DS and enough time has passed such that the all validators that 3469# have this DS RRset cached only know about the successor DS. This is the 3470# registration delay plus the retire interval, which is the parent 3471# propagation delay plus the DS TTL plus the retire-safety. For the 3472# csk-roll2 policy this means: 1w + 1h + 1h + 1h = 171h = 615600 seconds. 3473# However, 136800 seconds have passed already, so 478800 seconds left. 3474check_next_key_event 478800 3475 3476# 3477# Zone: step5.csk-roll2.autosign. 3478# 3479set_zone "step5.csk-roll2.autosign" 3480set_policy "csk-roll2" "2" "3600" 3481set_server "ns3" "10.53.0.3" 3482# The old CSK (KEY1) DNSKEY can be removed. 3483set_keysigning "KEY1" "no" 3484set_keystate "KEY1" "STATE_DNSKEY" "unretentive" 3485set_keystate "KEY1" "STATE_KRRSIG" "unretentive" 3486set_keystate "KEY1" "STATE_DS" "hidden" 3487# The new CSK (KEY2) is now fully OMNIPRESENT. 3488set_keystate "KEY2" "STATE_DS" "omnipresent" 3489 3490check_keys 3491check_dnssecstatus "$SERVER" "$ZONE" 3492 3493# This key was activated 4467 hours ago (16081200 seconds) 3494# and started signing 4635 hours ago (16686000 seconds). 3495csk_rollover_predecessor_keytimes -16081200 -16686000 3496# The new CSK was published 174 hours (626400 seconds) ago. 3497created=$(key_get KEY2 CREATED) 3498set_addkeytime "KEY2" "PUBLISHED" "${created}" -626400 3499published=$(key_get KEY2 PUBLISHED) 3500set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" 3501set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" 3502set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" 3503check_keytimes 3504check_apex 3505check_subdomain 3506dnssec_verify 3507 3508# Next key event is when the DNSKEY enters the HIDDEN state. This is the 3509# DNSKEY TTL plus zone propagation delay. For the csk-roll policy this is: 3510# 1h + 1h = 7200 seconds. 3511check_next_key_event 7200 3512 3513# 3514# Zone: step6.csk-roll2.autosign. 3515# 3516set_zone "step6.csk-roll2.autosign" 3517set_policy "csk-roll2" "2" "3600" 3518set_server "ns3" "10.53.0.3" 3519# The old CSK (KEY1) is now completely HIDDEN. 3520set_keystate "KEY1" "STATE_DNSKEY" "hidden" 3521set_keystate "KEY1" "STATE_KRRSIG" "hidden" 3522 3523check_keys 3524check_dnssecstatus "$SERVER" "$ZONE" 3525 3526# This key was activated 4469 hours ago (16088400 seconds) 3527# and started signing 4637 hours ago (16693200 seconds). 3528csk_rollover_predecessor_keytimes -16088400 -16693200 3529# The new CSK was published 176 hours (633600 seconds) ago. 3530created=$(key_get KEY2 CREATED) 3531set_addkeytime "KEY2" "PUBLISHED" "${created}" -633600 3532published=$(key_get KEY2 PUBLISHED) 3533set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" 3534set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" 3535set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" 3536check_keytimes 3537check_apex 3538check_subdomain 3539dnssec_verify 3540 3541# Next key event is when the new successor needs to be published. 3542# This is the Lcsk, minus time passed since the key was published. 3543# Lcsk: 186d (16070400 seconds) 3544# Time passed: 176h (633600 seconds) 3545check_next_key_event 15436800 3546 3547# 3548# Testing algorithm rollover. 3549# 3550 3551# 3552# Zone: step1.algorithm-roll.kasp 3553# 3554set_zone "step1.algorithm-roll.kasp" 3555set_policy "rsasha1" "2" "3600" 3556set_server "ns6" "10.53.0.6" 3557# Key properties. 3558key_clear "KEY1" 3559set_keyrole "KEY1" "ksk" 3560set_keylifetime "KEY1" "0" 3561set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" 3562set_keysigning "KEY1" "yes" 3563set_zonesigning "KEY1" "no" 3564 3565key_clear "KEY2" 3566set_keyrole "KEY2" "zsk" 3567set_keylifetime "KEY2" "0" 3568set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" 3569set_keysigning "KEY2" "no" 3570set_zonesigning "KEY2" "yes" 3571key_clear "KEY3" 3572key_clear "KEY4" 3573 3574# The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. 3575set_keystate "KEY1" "GOAL" "omnipresent" 3576set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 3577set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 3578set_keystate "KEY1" "STATE_DS" "omnipresent" 3579 3580set_keystate "KEY2" "GOAL" "omnipresent" 3581set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" 3582set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 3583 3584check_keys 3585check_dnssecstatus "$SERVER" "$ZONE" 3586 3587# These keys are immediately published and activated. 3588Lksk=0 3589Lzsk=0 3590IretKSK=0 3591IretZSK=0 3592rollover_predecessor_keytimes 0 3593check_keytimes 3594check_apex 3595check_subdomain 3596dnssec_verify 3597 3598# Next key event is when the successor keys need to be published. 3599# Since the lifetime of the keys are unlimited, so default to loadkeys 3600# interval. 3601check_next_key_event 3600 3602 3603# 3604# Zone: step1.csk-algorithm-roll.kasp 3605# 3606set_zone "step1.csk-algorithm-roll.kasp" 3607set_policy "csk-algoroll" "1" "3600" 3608set_server "ns6" "10.53.0.6" 3609# Key properties. 3610key_clear "KEY1" 3611set_keyrole "KEY1" "csk" 3612set_keylifetime "KEY1" "0" 3613set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" 3614set_keysigning "KEY1" "yes" 3615set_zonesigning "KEY1" "yes" 3616key_clear "KEY2" 3617key_clear "KEY3" 3618key_clear "KEY4" 3619# The CSK (KEY1) starts in OMNIPRESENT. 3620set_keystate "KEY1" "GOAL" "omnipresent" 3621set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 3622set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 3623set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" 3624set_keystate "KEY1" "STATE_DS" "omnipresent" 3625 3626check_keys 3627check_dnssecstatus "$SERVER" "$ZONE" 3628 3629# This key is immediately published and activated. 3630Lcsk=0 3631IretCSK=0 3632csk_rollover_predecessor_keytimes 0 0 3633check_keytimes 3634check_apex 3635check_subdomain 3636dnssec_verify 3637 3638# Next key event is when the successor keys need to be published. 3639# Since the lifetime of the keys are unlimited, so default to loadkeys 3640# interval. 3641check_next_key_event 3600 3642 3643# 3644# Testing good migration. 3645# 3646set_zone "migrate.kasp" 3647set_policy "none" "2" "7200" 3648set_server "ns6" "10.53.0.6" 3649 3650init_migration_match() { 3651 key_clear "KEY1" 3652 key_set "KEY1" "LEGACY" "yes" 3653 set_keyrole "KEY1" "ksk" 3654 set_keylifetime "KEY1" "0" 3655 set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" 3656 set_keysigning "KEY1" "yes" 3657 set_zonesigning "KEY1" "no" 3658 3659 key_clear "KEY2" 3660 key_set "KEY2" "LEGACY" "yes" 3661 set_keyrole "KEY2" "zsk" 3662 set_keylifetime "KEY2" "5184000" 3663 set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" 3664 set_keysigning "KEY2" "no" 3665 set_zonesigning "KEY2" "yes" 3666 3667 key_clear "KEY3" 3668 key_clear "KEY4" 3669 3670 set_keystate "KEY1" "GOAL" "omnipresent" 3671 set_keystate "KEY1" "STATE_DNSKEY" "rumoured" 3672 set_keystate "KEY1" "STATE_KRRSIG" "rumoured" 3673 set_keystate "KEY1" "STATE_DS" "rumoured" 3674 3675 set_keystate "KEY2" "GOAL" "omnipresent" 3676 set_keystate "KEY2" "STATE_DNSKEY" "rumoured" 3677 set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" 3678} 3679init_migration_match 3680 3681# Make sure the zone is signed with legacy keys. 3682check_keys 3683check_dnssecstatus "$SERVER" "$ZONE" 3684 3685# These keys are immediately published and activated. 3686rollover_predecessor_keytimes 0 3687check_keytimes 3688check_apex 3689check_subdomain 3690dnssec_verify 3691 3692# Remember legacy key tags. 3693_migrate_ksk=$(key_get KEY1 ID) 3694_migrate_zsk=$(key_get KEY2 ID) 3695 3696# 3697# Testing migration with unmatched existing keys (different algorithm). 3698# 3699set_zone "migrate-nomatch-algnum.kasp" 3700set_policy "none" "2" "300" 3701set_server "ns6" "10.53.0.6" 3702 3703init_migration_nomatch_algnum() { 3704 key_clear "KEY1" 3705 key_set "KEY1" "LEGACY" "yes" 3706 set_keyrole "KEY1" "ksk" 3707 set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" 3708 set_keysigning "KEY1" "yes" 3709 set_zonesigning "KEY1" "no" 3710 3711 key_clear "KEY2" 3712 key_set "KEY2" "LEGACY" "yes" 3713 set_keyrole "KEY2" "zsk" 3714 set_keyalgorithm "KEY2" "5" "RSASHA1" "1024" 3715 set_keysigning "KEY2" "no" 3716 set_zonesigning "KEY2" "yes" 3717 3718 key_clear "KEY3" 3719 key_clear "KEY4" 3720 3721 set_keystate "KEY1" "GOAL" "omnipresent" 3722 set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 3723 set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 3724 set_keystate "KEY1" "STATE_DS" "omnipresent" 3725 3726 set_keystate "KEY2" "GOAL" "omnipresent" 3727 set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" 3728 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 3729} 3730init_migration_nomatch_algnum 3731 3732# Make sure the zone is signed with legacy keys. 3733check_keys 3734check_dnssecstatus "$SERVER" "$ZONE" 3735 3736# The KSK is immediately published and activated. 3737# -P : now-3900s 3738# -P sync: now-24h 3739# -A : now-3900s 3740created=$(key_get KEY1 CREATED) 3741set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 3742set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 3743set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400 3744# The ZSK is immediately published and activated. 3745# -P: now-12h 3746# -A: now-12h 3747created=$(key_get KEY2 CREATED) 3748set_addkeytime "KEY2" "PUBLISHED" "${created}" -43200 3749set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 3750check_keytimes 3751check_apex 3752check_subdomain 3753dnssec_verify 3754 3755# Remember legacy key tags. 3756_migratenomatch_algnum_ksk=$(key_get KEY1 ID) 3757_migratenomatch_algnum_zsk=$(key_get KEY2 ID) 3758 3759# 3760# Testing migration with unmatched existing keys (different length). 3761# 3762set_zone "migrate-nomatch-alglen.kasp" 3763set_policy "none" "2" "300" 3764set_server "ns6" "10.53.0.6" 3765 3766init_migration_nomatch_alglen() { 3767 key_clear "KEY1" 3768 key_set "KEY1" "LEGACY" "yes" 3769 set_keyrole "KEY1" "ksk" 3770 set_keyalgorithm "KEY1" "5" "RSASHA1" "1024" 3771 set_keysigning "KEY1" "yes" 3772 set_zonesigning "KEY1" "no" 3773 3774 key_clear "KEY2" 3775 key_set "KEY2" "LEGACY" "yes" 3776 set_keyrole "KEY2" "zsk" 3777 set_keyalgorithm "KEY2" "5" "RSASHA1" "1024" 3778 set_keysigning "KEY2" "no" 3779 set_zonesigning "KEY2" "yes" 3780 3781 key_clear "KEY3" 3782 key_clear "KEY4" 3783 3784 set_keystate "KEY1" "GOAL" "omnipresent" 3785 set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 3786 set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 3787 set_keystate "KEY1" "STATE_DS" "omnipresent" 3788 3789 set_keystate "KEY2" "GOAL" "omnipresent" 3790 set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" 3791 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 3792} 3793init_migration_nomatch_alglen 3794 3795# Make sure the zone is signed with legacy keys. 3796check_keys 3797check_dnssecstatus "$SERVER" "$ZONE" 3798 3799# The KSK is immediately published and activated. 3800# -P : now-3900s 3801# -P sync: now-24h 3802# -A : now-3900s 3803created=$(key_get KEY1 CREATED) 3804set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 3805set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 3806set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400 3807# The ZSK is immediately published and activated. 3808# -P: now-12h 3809# -A: now-12h 3810created=$(key_get KEY2 CREATED) 3811set_addkeytime "KEY2" "PUBLISHED" "${created}" -43200 3812set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 3813check_keytimes 3814check_apex 3815check_subdomain 3816dnssec_verify 3817 3818# Remember legacy key tags. 3819_migratenomatch_alglen_ksk=$(key_get KEY1 ID) 3820_migratenomatch_alglen_zsk=$(key_get KEY2 ID) 3821 3822# Reconfig dnssec-policy (triggering algorithm roll and other dnssec-policy 3823# changes). 3824echo_i "reconfig dnssec-policy to trigger algorithm rollover" 3825copy_setports ns6/named2.conf.in ns6/named.conf 3826rndc_reconfig ns6 10.53.0.6 3827 3828# Calculate time passed to correctly check for next key events. 3829now="$(TZ=UTC date +%s)" 3830time_passed=$((now-start_time)) 3831echo_i "${time_passed} seconds passed between start of tests and reconfig" 3832 3833# Wait until we have seen "zone_rekey done:" message for this key. 3834_wait_for_done_signing() { 3835 _zone=$1 3836 3837 _ksk=$(key_get $2 KSK) 3838 _zsk=$(key_get $2 ZSK) 3839 if [ "$_ksk" = "yes" ]; then 3840 _role="KSK" 3841 _expect_type=EXPECT_KRRSIG 3842 elif [ "$_zsk" = "yes" ]; then 3843 _role="ZSK" 3844 _expect_type=EXPECT_ZRRSIG 3845 fi 3846 3847 if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then 3848 _keyid=$(key_get $2 ID) 3849 _keyalg=$(key_get $2 ALG_STR) 3850 echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}" 3851 grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1 3852 fi 3853 3854 return 0 3855} 3856 3857wait_for_done_signing() { 3858 n=$((n+1)) 3859 echo_i "wait for zone ${ZONE} is done signing ($n)" 3860 ret=0 3861 3862 retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1 3863 retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1 3864 retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1 3865 retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1 3866 3867 test "$ret" -eq 0 || echo_i "failed" 3868 status=$((status+ret)) 3869} 3870 3871# 3872# Testing migration. 3873# 3874set_zone "migrate.kasp" 3875set_policy "migrate" "2" "7200" 3876set_server "ns6" "10.53.0.6" 3877 3878# Key properties, timings and metadata should be the same as legacy keys above. 3879# However, because the zsk has a lifetime, kasp will set the retired time. 3880init_migration_match 3881key_set "KEY1" "LEGACY" "no" 3882key_set "KEY2" "LEGACY" "no" 3883 3884check_keys 3885wait_for_done_signing 3886check_dnssecstatus "$SERVER" "$ZONE" 3887 3888rollover_predecessor_keytimes 0 3889# Key now has lifetime of 60 days (5184000 seconds). 3890# The key is removed after Iret = TTLsig + Dprp + Dsgn + retire-safety. 3891# TTLsig: 1d (86400 seconds) 3892# Dprp: 5m (300 seconds) 3893# Dsgn: 9d (777600 seconds) 3894# retire-safety: 1h (3600 seconds) 3895# IretZSK: 10d65m (867900 seconds) 3896IretZSK=867900 3897Lzsk=5184000 3898active=$(key_get KEY2 ACTIVE) 3899set_addkeytime "KEY2" "RETIRED" "${active}" "${Lzsk}" 3900retired=$(key_get KEY2 RETIRED) 3901set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" 3902check_keytimes 3903check_apex 3904check_subdomain 3905dnssec_verify 3906 3907# Check key tags, should be the same. 3908n=$((n+1)) 3909echo_i "check that of zone ${ZONE} migration to dnssec-policy uses the same keys ($n)" 3910ret=0 3911[ $_migrate_ksk == $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" 3912[ $_migrate_zsk == $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" 3913status=$((status+ret)) 3914 3915# Test migration to dnssec-policy, existing keys do not match key algorithm. 3916set_zone "migrate-nomatch-algnum.kasp" 3917set_policy "migrate-nomatch-algnum" "4" "300" 3918set_server "ns6" "10.53.0.6" 3919 3920# The legacy keys need to be retired, but otherwise stay present until the 3921# new keys are omnipresent, and can be used to construct a chain of trust. 3922init_migration_nomatch_algnum 3923 3924key_set "KEY1" "LEGACY" "no" 3925set_keystate "KEY1" "GOAL" "hidden" 3926 3927key_set "KEY2" "LEGACY" "no" 3928set_keystate "KEY2" "GOAL" "hidden" 3929 3930set_keyrole "KEY3" "ksk" 3931set_keylifetime "KEY3" "0" 3932set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" 3933set_keysigning "KEY3" "yes" 3934set_zonesigning "KEY3" "no" 3935 3936set_keyrole "KEY4" "zsk" 3937set_keylifetime "KEY4" "5184000" 3938set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" 3939set_keysigning "KEY4" "no" 3940set_zonesigning "KEY4" "yes" 3941 3942set_keystate "KEY3" "GOAL" "omnipresent" 3943set_keystate "KEY3" "STATE_DNSKEY" "rumoured" 3944set_keystate "KEY3" "STATE_KRRSIG" "rumoured" 3945set_keystate "KEY3" "STATE_DS" "hidden" 3946 3947set_keystate "KEY4" "GOAL" "omnipresent" 3948set_keystate "KEY4" "STATE_DNSKEY" "rumoured" 3949set_keystate "KEY4" "STATE_ZRRSIG" "rumoured" 3950 3951check_keys 3952wait_for_done_signing 3953check_dnssecstatus "$SERVER" "$ZONE" 3954 3955# KSK must be retired since it no longer matches the policy. 3956# -P : now-3900s 3957# -P sync: now-24h 3958# -A : now-3900s 3959# The key is removed after the retire interval: 3960# IretKSK = TTLds + DprpP + retire_safety. 3961# TTLds: 2h (7200 seconds) 3962# Dprp: 1h (3600 seconds) 3963# retire-safety: 1h (3600 seconds) 3964# IretKSK: 4h (14400 seconds) 3965IretKSK=14400 3966created=$(key_get KEY1 CREATED) 3967set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 3968set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 3969set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400 3970keyfile=$(key_get KEY1 BASEFILE) 3971grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk 3972retired=$(awk '{print $3}' < retired.test${n}.ksk) 3973set_keytime "KEY1" "RETIRED" "${retired}" 3974set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" 3975 3976# ZSK must be retired since it no longer matches the policy. 3977# -P: now-12h 3978# -A: now-12h 3979# The key is removed after the retire interval: 3980# IretZSK = TTLsig + Dprp + Dsgn + retire-safety. 3981# TTLsig: 11h (39600 seconds) 3982# Dprp: 1h (3600 seconds) 3983# Dsgn: 9d (777600 seconds) 3984# retire-safety: 1h (3600 seconds) 3985# IretZSK: 9d13h (824400 seconds) 3986IretZSK=824400 3987Lzsk=5184000 3988created=$(key_get KEY2 CREATED) 3989set_addkeytime "KEY2" "PUBLISHED" "${created}" -43200 3990set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 3991keyfile=$(key_get KEY2 BASEFILE) 3992grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk 3993retired=$(awk '{print $3}' < retired.test${n}.zsk) 3994set_keytime "KEY2" "RETIRED" "${retired}" 3995set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" 3996 3997# The new KSK is immediately published and activated. 3998created=$(key_get KEY3 CREATED) 3999set_keytime "KEY3" "PUBLISHED" "${created}" 4000set_keytime "KEY3" "ACTIVE" "${created}" 4001# It takes TTLsig + Dprp + publish-safety hours to propagate 4002# the zone. 4003# TTLsig: 11h (39600 seconds) 4004# Dprp: 1h (3600 seconds) 4005# publish-safety: 1h (3600 seconds) 4006# Ipub: 13h (46800 seconds) 4007Ipub=46800 4008set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" 4009 4010# The ZSK is immediately published and activated. 4011created=$(key_get KEY4 CREATED) 4012set_keytime "KEY4" "PUBLISHED" "${created}" 4013set_keytime "KEY4" "ACTIVE" "${created}" 4014active=$(key_get KEY4 ACTIVE) 4015set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" 4016retired=$(key_get KEY4 RETIRED) 4017set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" 4018check_keytimes 4019check_apex 4020check_subdomain 4021dnssec_verify 4022 4023# Check key tags, should be the same. 4024n=$((n+1)) 4025echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)" 4026ret=0 4027[ $_migratenomatch_algnum_ksk == $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" 4028[ $_migratenomatch_algnum_zsk == $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" 4029status=$((status+ret)) 4030 4031# Test migration to dnssec-policy, existing keys do not match key length. 4032set_zone "migrate-nomatch-alglen.kasp" 4033set_policy "migrate-nomatch-alglen" "4" "300" 4034set_server "ns6" "10.53.0.6" 4035 4036# The legacy keys need to be retired, but otherwise stay present until the 4037# new keys are omnipresent, and can be used to construct a chain of trust. 4038init_migration_nomatch_alglen 4039 4040key_set "KEY1" "LEGACY" "no" 4041set_keystate "KEY1" "GOAL" "hidden" 4042 4043key_set "KEY2" "LEGACY" "no" 4044set_keystate "KEY2" "GOAL" "hidden" 4045 4046set_keyrole "KEY3" "ksk" 4047set_keylifetime "KEY3" "0" 4048set_keyalgorithm "KEY3" "5" "RSASHA1" "2048" 4049set_keysigning "KEY3" "yes" 4050set_zonesigning "KEY3" "no" 4051 4052set_keyrole "KEY4" "zsk" 4053set_keylifetime "KEY4" "5184000" 4054set_keyalgorithm "KEY4" "5" "RSASHA1" "2048" 4055set_keysigning "KEY4" "no" 4056# This key is considered to be prepublished, so it is not yet signing. 4057set_zonesigning "KEY4" "no" 4058 4059set_keystate "KEY3" "GOAL" "omnipresent" 4060set_keystate "KEY3" "STATE_DNSKEY" "rumoured" 4061set_keystate "KEY3" "STATE_KRRSIG" "rumoured" 4062set_keystate "KEY3" "STATE_DS" "hidden" 4063 4064set_keystate "KEY4" "GOAL" "omnipresent" 4065set_keystate "KEY4" "STATE_DNSKEY" "rumoured" 4066set_keystate "KEY4" "STATE_ZRRSIG" "hidden" 4067 4068check_keys 4069wait_for_done_signing 4070check_dnssecstatus "$SERVER" "$ZONE" 4071 4072# KSK must be retired since it no longer matches the policy. 4073# -P : now-3900s 4074# -P sync: now-24h 4075# -A : now-3900s 4076# The key is removed after the retire interval: 4077# IretKSK = TTLds + DprpP + retire_safety. 4078# TTLds: 2h (7200 seconds) 4079# Dprp: 1h (3600 seconds) 4080# retire-safety: 1h (3600 seconds) 4081# IretKSK: 4h (14400 seconds) 4082IretKSK=14400 4083created=$(key_get KEY1 CREATED) 4084set_addkeytime "KEY1" "PUBLISHED" "${created}" -3900 4085set_addkeytime "KEY1" "ACTIVE" "${created}" -3900 4086set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400 4087keyfile=$(key_get KEY1 BASEFILE) 4088grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk 4089retired=$(awk '{print $3}' < retired.test${n}.ksk) 4090set_keytime "KEY1" "RETIRED" "${retired}" 4091set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" 4092 4093# ZSK must be retired since it no longer matches the policy. 4094# -P: now-12h 4095# -A: now-12h 4096# The key is removed after the retire interval: 4097# IretZSK = TTLsig + Dprp + Dsgn + retire-safety. 4098# TTLsig: 11h (39600 seconds) 4099# Dprp: 1h (3600 seconds) 4100# Dsgn: 9d (777600 seconds) 4101# publish-safety: 1h (3600 seconds) 4102# IretZSK: 9d13h (824400 seconds) 4103IretZSK=824400 4104Lzsk=5184000 4105created=$(key_get KEY2 CREATED) 4106set_addkeytime "KEY2" "PUBLISHED" "${created}" -43200 4107set_addkeytime "KEY2" "ACTIVE" "${created}" -43200 4108keyfile=$(key_get KEY2 BASEFILE) 4109grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk 4110retired=$(awk '{print $3}' < retired.test${n}.zsk) 4111set_keytime "KEY2" "RETIRED" "${retired}" 4112set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" 4113 4114# The new KSK is immediately published and activated. 4115created=$(key_get KEY3 CREATED) 4116set_keytime "KEY3" "PUBLISHED" "${created}" 4117set_keytime "KEY3" "ACTIVE" "${created}" 4118# It takes TTLsig + Dprp + publish-safety hours to propagate 4119# the zone. 4120# TTLsig: 11h (39600 seconds) 4121# Dprp: 1h (3600 seconds) 4122# publish-safety: 1h (3600 seconds) 4123# Ipub: 13h (46800 seconds) 4124Ipub=46800 4125set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" 4126 4127# The ZSK is immediately published and activated. 4128created=$(key_get KEY4 CREATED) 4129set_keytime "KEY4" "PUBLISHED" "${created}" 4130set_keytime "KEY4" "ACTIVE" "${created}" 4131active=$(key_get KEY4 ACTIVE) 4132set_addkeytime "KEY4" "RETIRED" "${active}" "${Lzsk}" 4133retired=$(key_get KEY4 RETIRED) 4134set_addkeytime "KEY4" "REMOVED" "${retired}" "${IretZSK}" 4135check_keytimes 4136check_apex 4137check_subdomain 4138dnssec_verify 4139 4140# Check key tags, should be the same. 4141n=$((n+1)) 4142echo_i "check that of zone ${ZONE} migration to dnssec-policy keeps existing keys ($n)" 4143ret=0 4144[ $_migratenomatch_alglen_ksk == $(key_get KEY1 ID) ] || log_error "mismatch ksk tag" 4145[ $_migratenomatch_alglen_zsk == $(key_get KEY2 ID) ] || log_error "mismatch zsk tag" 4146status=$((status+ret)) 4147 4148# 4149# Testing KSK/ZSK algorithm rollover. 4150# 4151 4152# Policy parameters. 4153# Lksk: unlimited 4154# Lzsk: unlimited 4155Lksk=0 4156Lzsk=0 4157 4158# 4159# Zone: step1.algorithm-roll.kasp 4160# 4161set_zone "step1.algorithm-roll.kasp" 4162set_policy "ecdsa256" "4" "3600" 4163set_server "ns6" "10.53.0.6" 4164# Old RSASHA1 keys. 4165key_clear "KEY1" 4166set_keyrole "KEY1" "ksk" 4167set_keylifetime "KEY1" "0" 4168set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" 4169set_keysigning "KEY1" "yes" 4170set_zonesigning "KEY1" "no" 4171 4172key_clear "KEY2" 4173set_keyrole "KEY2" "zsk" 4174set_keylifetime "KEY2" "0" 4175set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" 4176set_keysigning "KEY2" "no" 4177set_zonesigning "KEY2" "yes" 4178# New ECDSAP256SHA256 keys. 4179key_clear "KEY3" 4180set_keyrole "KEY3" "ksk" 4181set_keylifetime "KEY3" "0" 4182set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" 4183set_keysigning "KEY3" "yes" 4184set_zonesigning "KEY3" "no" 4185 4186key_clear "KEY4" 4187set_keyrole "KEY4" "zsk" 4188set_keylifetime "KEY4" "0" 4189set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" 4190set_keysigning "KEY4" "no" 4191set_zonesigning "KEY4" "yes" 4192# The RSAHSHA1 keys are outroducing. 4193set_keystate "KEY1" "GOAL" "hidden" 4194set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 4195set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 4196set_keystate "KEY1" "STATE_DS" "omnipresent" 4197set_keystate "KEY2" "GOAL" "hidden" 4198set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" 4199set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 4200 4201# The ECDSAP256SHA256 keys are introducing. 4202set_keystate "KEY3" "GOAL" "omnipresent" 4203set_keystate "KEY3" "STATE_DNSKEY" "rumoured" 4204set_keystate "KEY3" "STATE_KRRSIG" "rumoured" 4205set_keystate "KEY3" "STATE_DS" "hidden" 4206set_keystate "KEY4" "GOAL" "omnipresent" 4207set_keystate "KEY4" "STATE_DNSKEY" "rumoured" 4208set_keystate "KEY4" "STATE_ZRRSIG" "rumoured" 4209 4210check_keys 4211wait_for_done_signing 4212check_dnssecstatus "$SERVER" "$ZONE" 4213 4214# The old keys are published and activated. 4215rollover_predecessor_keytimes 0 4216 4217# KSK must be retired since it no longer matches the policy. 4218keyfile=$(key_get KEY1 BASEFILE) 4219grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk 4220retired=$(awk '{print $3}' < retired.test${n}.ksk) 4221set_keytime "KEY1" "RETIRED" "${retired}" 4222# The key is removed after the retire interval: 4223# IretKSK = TTLds + DprpP + retire-safety 4224# TTLds: 2h (7200 seconds) 4225# DprpP: 1h (3600 seconds) 4226# retire-safety: 2h (7200 seconds) 4227# IretKSK: 5h (18000 seconds) 4228IretKSK=18000 4229set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" 4230 4231# ZSK must be retired since it no longer matches the policy. 4232keyfile=$(key_get KEY2 BASEFILE) 4233grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk 4234retired=$(awk '{print $3}' < retired.test${n}.zsk) 4235set_keytime "KEY2" "RETIRED" "${retired}" 4236# The key is removed after the retire interval: 4237# IretZSK = TTLsig + Dprp + Dsgn + retire-safety 4238# TTLsig: 6h (21600 seconds) 4239# Dprp: 1h (3600 seconds) 4240# Dsgn: 25d (2160000 seconds) 4241# retire-safety: 2h (7200 seconds) 4242# IretZSK: 25d9h (2192400 seconds) 4243IretZSK=2192400 4244set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" 4245 4246# The new KSK is published and activated. 4247created=$(key_get KEY3 CREATED) 4248set_keytime "KEY3" "PUBLISHED" "${created}" 4249set_keytime "KEY3" "ACTIVE" "${created}" 4250# It takes TTLsig + Dprp + publish-safety hours to propagate 4251# the zone. 4252# TTLsig: 6h (39600 seconds) 4253# Dprp: 1h (3600 seconds) 4254# publish-safety: 1h (3600 seconds) 4255# Ipub: 8h (28800 seconds) 4256Ipub=28800 4257set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" 4258 4259# The new ZSK is published and activated. 4260created=$(key_get KEY4 CREATED) 4261set_keytime "KEY4" "PUBLISHED" "${created}" 4262set_keytime "KEY4" "ACTIVE" "${created}" 4263 4264check_keytimes 4265check_apex 4266check_subdomain 4267dnssec_verify 4268 4269# Next key event is when the ecdsa256 keys have been propagated. 4270# This is the DNSKEY TTL plus publish safety plus zone propagation delay: 4271# 3 times an hour: 10800 seconds. 4272check_next_key_event 10800 4273 4274# 4275# Zone: step2.algorithm-roll.kasp 4276# 4277set_zone "step2.algorithm-roll.kasp" 4278set_policy "ecdsa256" "4" "3600" 4279set_server "ns6" "10.53.0.6" 4280# The RSAHSHA1 keys are outroducing, but need to stay present until the new 4281# algorithm chain of trust has been established. Thus the properties, timings 4282# and states of the KEY1 and KEY2 are the same as above. 4283# 4284# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent, 4285# but the zone signatures are not. 4286set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" 4287set_keystate "KEY3" "STATE_KRRSIG" "omnipresent" 4288set_keystate "KEY4" "STATE_DNSKEY" "omnipresent" 4289 4290check_keys 4291wait_for_done_signing 4292check_dnssecstatus "$SERVER" "$ZONE" 4293 4294# The old keys were activated three hours ago (10800 seconds). 4295rollover_predecessor_keytimes -10800 4296 4297# KSK must be retired since it no longer matches the policy. 4298created=$(key_get KEY1 CREATED) 4299set_keytime "KEY1" "RETIRED" "${created}" 4300set_addkeytime "KEY1" "REMOVED" "${created}" "${IretKSK}" 4301 4302# ZSK must be retired since it no longer matches the policy. 4303created=$(key_get KEY2 CREATED) 4304set_keytime "KEY2" "RETIRED" "${created}" 4305set_addkeytime "KEY2" "REMOVED" "${created}" "${IretZSK}" 4306 4307# The new keys are published 3 hours ago. 4308created=$(key_get KEY3 CREATED) 4309set_addkeytime "KEY3" "PUBLISHED" "${created}" -10800 4310set_addkeytime "KEY3" "ACTIVE" "${created}" -10800 4311published=$(key_get KEY3 PUBLISHED) 4312set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${Ipub}" 4313 4314created=$(key_get KEY4 CREATED) 4315set_addkeytime "KEY4" "PUBLISHED" "${created}" -10800 4316set_addkeytime "KEY4" "ACTIVE" "${created}" -10800 4317 4318check_keytimes 4319check_apex 4320check_subdomain 4321dnssec_verify 4322 4323# Next key event is when all zone signatures are signed with the new 4324# algorithm. This is the max-zone-ttl plus zone propagation delay 4325# plus retire safety: 6h + 1h + 2h. But three hours have already passed 4326# (the time it took to make the DNSKEY omnipresent), so the next event 4327# should be scheduled in 6 hour: 21600 seconds. Prevent intermittent 4328# false positives on slow platforms by subtracting the number of seconds 4329# which passed between key creation and invoking 'rndc reconfig'. 4330next_time=$((21600-time_passed)) 4331check_next_key_event $next_time 4332 4333# 4334# Zone: step3.algorithm-roll.kasp 4335# 4336set_zone "step3.algorithm-roll.kasp" 4337set_policy "ecdsa256" "4" "3600" 4338set_server "ns6" "10.53.0.6" 4339# The RSAHSHA1 keys are outroducing, and it is time to swap the DS. 4340set_keystate "KEY1" "STATE_DS" "unretentive" 4341# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset and all signatures 4342# are now omnipresent, so the DS can be introduced. 4343set_keystate "KEY3" "STATE_DS" "rumoured" 4344set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent" 4345 4346check_keys 4347wait_for_done_signing 4348check_dnssecstatus "$SERVER" "$ZONE" 4349 4350# The old keys were activated 9 hours ago (32400 seconds) 4351# and retired 6 hours ago (21600 seconds). 4352rollover_predecessor_keytimes -32400 4353 4354created=$(key_get KEY1 CREATED) 4355set_addkeytime "KEY1" "RETIRED" "${created}" -21600 4356retired=$(key_get KEY1 RETIRED) 4357set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" 4358 4359created=$(key_get KEY2 CREATED) 4360set_addkeytime "KEY2" "RETIRED" "${created}" -21600 4361retired=$(key_get KEY2 RETIRED) 4362set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" 4363 4364# The new keys are published 9 hours ago. 4365created=$(key_get KEY3 CREATED) 4366set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400 4367set_addkeytime "KEY3" "ACTIVE" "${created}" -32400 4368published=$(key_get KEY3 PUBLISHED) 4369set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} 4370 4371created=$(key_get KEY4 CREATED) 4372set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400 4373set_addkeytime "KEY4" "ACTIVE" "${created}" -32400 4374 4375check_keytimes 4376check_apex 4377check_subdomain 4378dnssec_verify 4379 4380# Next key event is when the DS becomes OMNIPRESENT. This happens after the 4381# parent registration delay, parent propagation delay, retire safety delay, 4382# and DS TTL: 24h + 1h + 2h + 2h = 29h = 104400 seconds. 4383check_next_key_event 104400 4384 4385# 4386# Zone: step4.algorithm-roll.kasp 4387# 4388set_zone "step4.algorithm-roll.kasp" 4389set_policy "ecdsa256" "4" "3600" 4390set_server "ns6" "10.53.0.6" 4391# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records. 4392set_keysigning "KEY1" "no" 4393set_keystate "KEY1" "STATE_DNSKEY" "unretentive" 4394set_keystate "KEY1" "STATE_KRRSIG" "unretentive" 4395set_keystate "KEY1" "STATE_DS" "hidden" 4396 4397set_zonesigning "KEY2" "no" 4398set_keystate "KEY2" "GOAL" "hidden" 4399set_keystate "KEY2" "STATE_DNSKEY" "unretentive" 4400set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" 4401# The ECDSAP256SHA256 DS is now OMNIPRESENT. 4402set_keystate "KEY3" "STATE_DS" "omnipresent" 4403 4404check_keys 4405wait_for_done_signing 4406check_dnssecstatus "$SERVER" "$ZONE" 4407 4408# The old keys were activated 38 hours ago (136800 seconds) 4409# and retired 35 hours ago (126000 seconds). 4410rollover_predecessor_keytimes -136800 4411 4412created=$(key_get KEY1 CREATED) 4413set_addkeytime "KEY1" "RETIRED" "${created}" -126000 4414retired=$(key_get KEY1 RETIRED) 4415set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" 4416 4417created=$(key_get KEY2 CREATED) 4418set_addkeytime "KEY2" "RETIRED" "${created}" -126000 4419retired=$(key_get KEY2 RETIRED) 4420set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" 4421 4422# The new keys are published 38 hours ago. 4423created=$(key_get KEY3 CREATED) 4424set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800 4425set_addkeytime "KEY3" "ACTIVE" "${created}" -136800 4426published=$(key_get KEY3 PUBLISHED) 4427set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} 4428 4429created=$(key_get KEY4 CREATED) 4430set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800 4431set_addkeytime "KEY4" "ACTIVE" "${created}" -136800 4432 4433check_keytimes 4434check_apex 4435check_subdomain 4436dnssec_verify 4437 4438# Next key event is when the old DNSKEY becomes HIDDEN. This happens after the 4439# DNSKEY TTL plus zone propagation delay (2h). 4440check_next_key_event 7200 4441 4442# 4443# Zone: step5.algorithm-roll.kasp 4444# 4445set_zone "step5.algorithm-roll.kasp" 4446set_policy "ecdsa256" "4" "3600" 4447set_server "ns6" "10.53.0.6" 4448# The DNSKEY becomes HIDDEN. 4449set_keystate "KEY1" "STATE_DNSKEY" "hidden" 4450set_keystate "KEY1" "STATE_KRRSIG" "hidden" 4451set_keystate "KEY2" "STATE_DNSKEY" "hidden" 4452 4453check_keys 4454wait_for_done_signing 4455check_dnssecstatus "$SERVER" "$ZONE" 4456 4457# The old keys were activated 40 hours ago (144000 seconds) 4458# and retired 35 hours ago (133200 seconds). 4459rollover_predecessor_keytimes -144000 4460 4461created=$(key_get KEY1 CREATED) 4462set_addkeytime "KEY1" "RETIRED" "${created}" -133200 4463retired=$(key_get KEY1 RETIRED) 4464set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" 4465 4466created=$(key_get KEY2 CREATED) 4467set_addkeytime "KEY2" "RETIRED" "${created}" -133200 4468retired=$(key_get KEY2 RETIRED) 4469set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" 4470 4471# The new keys are published 40 hours ago. 4472created=$(key_get KEY3 CREATED) 4473set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000 4474set_addkeytime "KEY3" "ACTIVE" "${created}" -144000 4475published=$(key_get KEY3 PUBLISHED) 4476set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} 4477 4478created=$(key_get KEY4 CREATED) 4479set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000 4480set_addkeytime "KEY4" "ACTIVE" "${created}" -144000 4481 4482check_keytimes 4483check_apex 4484check_subdomain 4485dnssec_verify 4486 4487# Next key event is when the RSASHA1 signatures become HIDDEN. This happens 4488# after the max-zone-ttl plus zone propagation delay plus retire safety 4489# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has 4490# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent 4491# false positives on slow platforms by subtracting the number of seconds 4492# which passed between key creation and invoking 'rndc reconfig'. 4493next_time=$((25200-time_passed)) 4494check_next_key_event $next_time 4495 4496# 4497# Zone: step6.algorithm-roll.kasp 4498# 4499set_zone "step6.algorithm-roll.kasp" 4500set_policy "ecdsa256" "4" "3600" 4501set_server "ns6" "10.53.0.6" 4502# The old zone signatures (KEY2) should now also be HIDDEN. 4503set_keystate "KEY2" "STATE_ZRRSIG" "hidden" 4504 4505check_keys 4506wait_for_done_signing 4507check_dnssecstatus "$SERVER" "$ZONE" 4508 4509# The old keys were activated 47 hours ago (169200 seconds) 4510# and retired 34 hours ago (158400 seconds). 4511rollover_predecessor_keytimes -169200 4512 4513created=$(key_get KEY1 CREATED) 4514set_addkeytime "KEY1" "RETIRED" "${created}" -158400 4515retired=$(key_get KEY1 RETIRED) 4516set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" 4517 4518created=$(key_get KEY2 CREATED) 4519set_addkeytime "KEY2" "RETIRED" "${created}" -158400 4520retired=$(key_get KEY2 RETIRED) 4521set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" 4522 4523# The new keys are published 47 hours ago. 4524created=$(key_get KEY3 CREATED) 4525set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200 4526set_addkeytime "KEY3" "ACTIVE" "${created}" -169200 4527published=$(key_get KEY3 PUBLISHED) 4528set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub} 4529 4530created=$(key_get KEY4 CREATED) 4531set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200 4532set_addkeytime "KEY4" "ACTIVE" "${created}" -169200 4533 4534check_keytimes 4535check_apex 4536check_subdomain 4537dnssec_verify 4538 4539# Next key event is never since we established the policy and the keys have 4540# an unlimited lifetime. Fallback to the default loadkeys interval. 4541check_next_key_event 3600 4542 4543# 4544# Testing CSK algorithm rollover. 4545# 4546 4547# Policy parameters. 4548# Lcsk: unlimited 4549Lcksk=0 4550 4551# 4552# Zone: step1.csk-algorithm-roll.kasp 4553# 4554set_zone "step1.csk-algorithm-roll.kasp" 4555set_policy "csk-algoroll" "2" "3600" 4556set_server "ns6" "10.53.0.6" 4557# Old RSASHA1 key. 4558key_clear "KEY1" 4559set_keyrole "KEY1" "csk" 4560set_keylifetime "KEY1" "0" 4561set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" 4562set_keysigning "KEY1" "yes" 4563set_zonesigning "KEY1" "yes" 4564# New ECDSAP256SHA256 key. 4565key_clear "KEY2" 4566set_keyrole "KEY2" "csk" 4567set_keylifetime "KEY2" "0" 4568set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" 4569set_keysigning "KEY2" "yes" 4570set_zonesigning "KEY2" "yes" 4571key_clear "KEY3" 4572key_clear "KEY4" 4573# The RSAHSHA1 key is outroducing. 4574set_keystate "KEY1" "GOAL" "hidden" 4575set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" 4576set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" 4577set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" 4578set_keystate "KEY1" "STATE_DS" "omnipresent" 4579# The ECDSAP256SHA256 key is introducing. 4580set_keystate "KEY2" "GOAL" "omnipresent" 4581set_keystate "KEY2" "STATE_DNSKEY" "rumoured" 4582set_keystate "KEY2" "STATE_KRRSIG" "rumoured" 4583set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" 4584set_keystate "KEY2" "STATE_DS" "hidden" 4585 4586check_keys 4587wait_for_done_signing 4588check_dnssecstatus "$SERVER" "$ZONE" 4589 4590# CSK must be retired since it no longer matches the policy. 4591csk_rollover_predecessor_keytimes 0 0 4592keyfile=$(key_get KEY1 BASEFILE) 4593grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk 4594retired=$(awk '{print $3}' < retired.test${n}.ksk) 4595set_keytime "KEY1" "RETIRED" "${retired}" 4596# The key is removed after the retire interval: 4597# IretZSK = TTLsig + Dprp + Dsgn + retire-safety 4598# TTLsig: 6h (21600 seconds) 4599# Dprp: 1h (3600 seconds) 4600# Dsgn: 25d (2160000 seconds) 4601# retire-safety: 2h (7200 seconds) 4602# IretZSK: 25d9h (2192400 seconds) 4603IretCSK=2192400 4604set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" 4605 4606# The new CSK is published and activated. 4607created=$(key_get KEY2 CREATED) 4608set_keytime "KEY2" "PUBLISHED" "${created}" 4609set_keytime "KEY2" "ACTIVE" "${created}" 4610# It takes TTLsig + Dprp + publish-safety hours to propagate 4611# the zone. 4612# TTLsig: 6h (39600 seconds) 4613# Dprp: 1h (3600 seconds) 4614# publish-safety: 1h (3600 seconds) 4615# Ipub: 8h (28800 seconds) 4616Ipub=28800 4617set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" 4618 4619check_keytimes 4620check_apex 4621check_subdomain 4622dnssec_verify 4623 4624# Next key event is when the new key has been propagated. 4625# This is the DNSKEY TTL plus publish safety plus zone propagation delay: 4626# 3 times an hour: 10800 seconds. 4627check_next_key_event 10800 4628 4629# 4630# Zone: step2.csk-algorithm-roll.kasp 4631# 4632set_zone "step2.csk-algorithm-roll.kasp" 4633set_policy "csk-algoroll" "2" "3600" 4634set_server "ns6" "10.53.0.6" 4635# The RSAHSHA1 key is outroducing, but need to stay present until the new 4636# algorithm chain of trust has been established. Thus the properties, timings 4637# and states of KEY1 is the same as above. 4638# 4639# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset is omnipresent, 4640# but the zone signatures are not. 4641set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" 4642set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" 4643 4644check_keys 4645wait_for_done_signing 4646check_dnssecstatus "$SERVER" "$ZONE" 4647 4648# The old key was activated three hours ago (10800 seconds). 4649csk_rollover_predecessor_keytimes -10800 -10800 4650 4651# CSK must be retired since it no longer matches the policy. 4652created=$(key_get KEY1 CREATED) 4653set_keytime "KEY1" "RETIRED" "${created}" 4654set_addkeytime "KEY1" "REMOVED" "${created}" "${IretCSK}" 4655 4656# The new key was published 3 hours ago. 4657created=$(key_get KEY2 CREATED) 4658set_addkeytime "KEY2" "PUBLISHED" "${created}" -10800 4659set_addkeytime "KEY2" "ACTIVE" "${created}" -10800 4660published=$(key_get KEY2 PUBLISHED) 4661set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" 4662 4663check_keytimes 4664check_apex 4665check_subdomain 4666dnssec_verify 4667 4668# Next key event is when all zone signatures are signed with the new 4669# algorithm. This is the max-zone-ttl plus zone propagation delay 4670# plus retire safety: 6h + 1h + 2h. But three hours have already passed 4671# (the time it took to make the DNSKEY omnipresent), so the next event 4672# should be scheduled in 6 hour: 21600 seconds. Prevent intermittent 4673# false positives on slow platforms by subtracting the number of seconds 4674# which passed between key creation and invoking 'rndc reconfig'. 4675next_time=$((21600-time_passed)) 4676check_next_key_event $next_time 4677 4678# 4679# Zone: step3.csk-algorithm-roll.kasp 4680# 4681set_zone "step3.csk-algorithm-roll.kasp" 4682set_policy "csk-algoroll" "2" "3600" 4683set_server "ns6" "10.53.0.6" 4684# The RSAHSHA1 key is outroducing, and it is time to swap the DS. 4685set_keystate "KEY1" "STATE_DS" "unretentive" 4686# The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures 4687# are now omnipresent, so the DS can be introduced. 4688set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 4689set_keystate "KEY2" "STATE_DS" "rumoured" 4690 4691check_keys 4692wait_for_done_signing 4693check_dnssecstatus "$SERVER" "$ZONE" 4694 4695# The old key was activated 9 hours ago (10800 seconds) 4696# and retired 6 hours ago (21600 seconds). 4697csk_rollover_predecessor_keytimes -32400 -32400 4698created=$(key_get KEY1 CREATED) 4699set_addkeytime "KEY1" "RETIRED" "${created}" -21600 4700retired=$(key_get KEY1 RETIRED) 4701set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" 4702 4703# The new key was published 9 hours ago. 4704created=$(key_get KEY2 CREATED) 4705set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400 4706set_addkeytime "KEY2" "ACTIVE" "${created}" -32400 4707published=$(key_get KEY2 PUBLISHED) 4708set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" 4709 4710check_keytimes 4711check_apex 4712check_subdomain 4713dnssec_verify 4714 4715# Next key event is when the DS becomes OMNIPRESENT. This happens after the 4716# parent registration delay, parent propagation delay, retire safety delay, 4717# and DS TTL: 24h + 1h + 2h + 2h = 29h = 104400 seconds. 4718check_next_key_event 104400 4719 4720# 4721# Zone: step4.csk-algorithm-roll.kasp 4722# 4723set_zone "step4.csk-algorithm-roll.kasp" 4724set_policy "csk-algoroll" "2" "3600" 4725set_server "ns6" "10.53.0.6" 4726# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records. 4727set_keysigning "KEY1" "no" 4728set_zonesigning "KEY1" "no" 4729set_keystate "KEY1" "STATE_DNSKEY" "unretentive" 4730set_keystate "KEY1" "STATE_KRRSIG" "unretentive" 4731set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" 4732set_keystate "KEY1" "STATE_DS" "hidden" 4733# The ECDSAP256SHA256 DS is now OMNIPRESENT. 4734set_keystate "KEY2" "STATE_DS" "omnipresent" 4735 4736check_keys 4737wait_for_done_signing 4738check_dnssecstatus "$SERVER" "$ZONE" 4739 4740# The old key was activated 38 hours ago (136800 seconds) 4741# and retired 35 hours ago (126000 seconds). 4742csk_rollover_predecessor_keytimes -136800 -136800 4743created=$(key_get KEY1 CREATED) 4744set_addkeytime "KEY1" "RETIRED" "${created}" -126000 4745retired=$(key_get KEY1 RETIRED) 4746set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" 4747 4748# The new key was published 38 hours ago. 4749created=$(key_get KEY2 CREATED) 4750set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800 4751set_addkeytime "KEY2" "ACTIVE" "${created}" -136800 4752published=$(key_get KEY2 PUBLISHED) 4753set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} 4754 4755check_keytimes 4756check_apex 4757check_subdomain 4758dnssec_verify 4759 4760# Next key event is when the old DNSKEY becomes HIDDEN. This happens after the 4761# DNSKEY TTL plus zone propagation delay (2h). 4762check_next_key_event 7200 4763 4764# 4765# Zone: step5.csk-algorithm-roll.kasp 4766# 4767set_zone "step5.csk-algorithm-roll.kasp" 4768set_policy "csk-algoroll" "2" "3600" 4769set_server "ns6" "10.53.0.6" 4770# The DNSKEY becomes HIDDEN. 4771set_keystate "KEY1" "STATE_DNSKEY" "hidden" 4772set_keystate "KEY1" "STATE_KRRSIG" "hidden" 4773 4774check_keys 4775wait_for_done_signing 4776check_dnssecstatus "$SERVER" "$ZONE" 4777 4778# The old key was activated 40 hours ago (144000 seconds) 4779# and retired 37 hours ago (133200 seconds). 4780csk_rollover_predecessor_keytimes -144000 -144000 4781created=$(key_get KEY1 CREATED) 4782set_addkeytime "KEY1" "RETIRED" "${created}" -133200 4783retired=$(key_get KEY1 RETIRED) 4784set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" 4785 4786# The new key was published 40 hours ago. 4787created=$(key_get KEY2 CREATED) 4788set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000 4789set_addkeytime "KEY2" "ACTIVE" "${created}" -144000 4790published=$(key_get KEY2 PUBLISHED) 4791set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} 4792 4793check_keytimes 4794check_apex 4795check_subdomain 4796dnssec_verify 4797 4798# Next key event is when the RSASHA1 signatures become HIDDEN. This happens 4799# after the max-zone-ttl plus zone propagation delay plus retire safety 4800# (6h + 1h + 2h) minus the time already passed since the UNRETENTIVE state has 4801# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent 4802# false positives on slow platforms by subtracting the number of seconds 4803# which passed between key creation and invoking 'rndc reconfig'. 4804next_time=$((25200-time_passed)) 4805check_next_key_event $next_time 4806 4807# 4808# Zone: step6.csk-algorithm-roll.kasp 4809# 4810set_zone "step6.csk-algorithm-roll.kasp" 4811set_policy "csk-algoroll" "2" "3600" 4812set_server "ns6" "10.53.0.6" 4813# The zone signatures should now also be HIDDEN. 4814set_keystate "KEY1" "STATE_ZRRSIG" "hidden" 4815 4816check_keys 4817wait_for_done_signing 4818check_dnssecstatus "$SERVER" "$ZONE" 4819 4820# The old keys were activated 47 hours ago (169200 seconds) 4821# and retired 44 hours ago (158400 seconds). 4822csk_rollover_predecessor_keytimes -169200 -169200 4823created=$(key_get KEY1 CREATED) 4824set_addkeytime "KEY1" "RETIRED" "${created}" -158400 4825retired=$(key_get KEY1 RETIRED) 4826set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}" 4827 4828# The new key was published 47 hours ago. 4829created=$(key_get KEY2 CREATED) 4830set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200 4831set_addkeytime "KEY2" "ACTIVE" "${created}" -169200 4832published=$(key_get KEY2 PUBLISHED) 4833set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub} 4834 4835check_keytimes 4836check_apex 4837check_subdomain 4838dnssec_verify 4839 4840# Next key event is never since we established the policy and the keys have 4841# an unlimited lifetime. Fallback to the default loadkeys interval. 4842check_next_key_event 3600 4843 4844echo_i "exit status: $status" 4845[ $status -eq 0 ] || exit 1 4846