diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh
index 65907690db..8b1cdde60e 100644
--- a/bin/tests/system/kasp/clean.sh
+++ b/bin/tests/system/kasp/clean.sh
@@ -24,5 +24,5 @@ rm -f ns*/managed-keys.bind
 rm -f ns*/*.mkeys
 rm -f ns*/zones ns*/*.db.infile
 rm -f *.created published.test* retired.test*
-rm -f rndc.dnssec.status.out.*
+rm -f rndc.dnssec.*.out.*
 rm -f python.out.*
diff --git a/bin/tests/system/kasp/ns3/policies/autosign.conf b/bin/tests/system/kasp/ns3/policies/autosign.conf
index bafbe859ef..aa11f8b43d 100644
--- a/bin/tests/system/kasp/ns3/policies/autosign.conf
+++ b/bin/tests/system/kasp/ns3/policies/autosign.conf
@@ -126,6 +126,6 @@ dnssec-policy "csk-roll2" {
 max-zone-ttl 1d;
 parent-ds-ttl PT1H;
-parent-registration-delay P1W;
-parent-propagation-delay PT1H;
+parent-registration-delay PT0S;
+parent-propagation-delay P1W;
 };
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index b3c41d9c88..f75cd6e53a 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
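Review bot: The new `parent-propagation-delay P1W;` in the csk-roll2 policy is an unusually long value with no comment saying why, and the adjacent `parent-registration-delay PT0S;` reads as if registration were simply switched off. From the setup.sh hunks in this commit the intent appears to be keeping the DS retire interval (DprpP + TTLds + retire-safety, 170h) longer than the signature retire interval (38h), so that this policy exercises a DS swap that happens after the zone signatures are replaced; that rationale belongs next to the option rather than only in setup.sh. I would add above the two lines: `# Week-long parent propagation delay: keeps Iret (DprpP + TTLds + retire-safety) above IretZ so the DS is swapped after the ZRRSIGs are replaced.` The enclosing `dnssec-policy "csk-roll2"` block starts outside the hunk.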
@@ -221,23 +221,22 @@ setup step3.enable-dnssec.autosign
 # Step 4:
 # The DS has been submitted long enough ago to become OMNIPRESENT.
 setup step4.enable-dnssec.autosign
-# DS TTL: 1 day (86400 seconds)
-# parent-registration-delay: 1 day (86400 seconds)
+# DS TTL: 2 hour (7200 seconds)
 # parent-propagation-delay: 1 hour (3600 seconds)
 # retire-safety: 20 minutes (1200 seconds)
-# Total aditional time: 98400 seconds
-# 44700 + 98400 = 143100
-TpubN="now-143100s"
-# 43800 + 98400 = 142200
-TcotN="now-142200s"
-TsbmN="now-98400s"
+# Total aditional time: 12000 seconds
+# 44700 + 12000 = 56700
+TpubN="now-56700s"
+# 43800 + 12000 = 55800
+TcotN="now-55800s"
+TsbmN="now-12000s"
 keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
 CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
 $SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" > settime.out.$zone.1 2>&1
 cat template.db.in "${CSK}.key" > "$infile"
 private_type_record $zone 13 "$CSK" >> "$infile"
 $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
-setup step3.enable-dnssec.autosign
+setup step4.enable-dnssec.autosign
 #
 # The zones at zsk-prepub.autosign represent the various steps of a ZSK
@@ -547,7 +546,7 @@ setup step3.ksk-doubleksk.autosign
 # Tnow
 #
 # Lksk: 60d
-# Dreg: 1d
+# Dreg: N/A
 # DprpP: 1h
 # TTLds: 1h
 # retire-safety: 2d
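Review bot: The trailing `setup step4.enable-dnssec.autosign` after the `$SIGNER` call duplicates the `setup` call that already opens this step, so renaming it from step3 to step4 trades one duplicate for another instead of removing the stray line. If `setup` is the helper that records the zone name in the `zones` file that clean.sh removes, step4's name is now listed twice; deleting the line looks like the intended fix. The new comment `# DS TTL: 2 hour (7200 seconds)` should read `# DS TTL: 2 hours (7200 seconds)`, and `# Total aditional time: 12000 seconds` carries the pre-existing typo `aditional` into a freshly added line.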
@@ -557,23 +556,23 @@ setup step3.ksk-doubleksk.autosign # publish-safety: 1d # IpubC: 27h # -# Tact(N) = Tnow + Dreg - Lksk = now + 1d - 60d = now - 59d -# Tret(N) = Tnow + Dreg = now + 1d -# Trem(N) = Tnow + Dreg + Iret = now + 1d + 50h = now + 74h +# Tact(N) = Tnow + Lksk = now - 60d = now - 60d +# Tret(N) = now +# Trem(N) = Tnow + Iret = now + 50h # Tpub(N+1) = Tnow - IpubC = now - 27h # Tsbm(N+1) = now # Tact(N+1) = Tret(N) -# Tret(N+1) = Tnow + Dreg + Lksk = now + 1d + 60d = now + 61d -# Trem(N+1) = Tnow + Dreg + Lksk + Iret = now + 61d + 50h -# = now + 1464h + 50h = 1514h -TactN="now-59d" -TretN="now+1d" -TremN="now+74h" +# Tret(N+1) = Tnow + Lksk = now + 60d +# Trem(N+1) = Tnow + Lksk + Iret = now + 60d + 50h +# = now + 1440h + 50h = 1490h +TactN="now-60d" +TretN="now" +TremN="now+50h" TpubN1="now-27h" TsbmN1="now" TactN1="${TretN}" -TretN1="now+61d" -TremN1="now+1514h" +TretN1="now+60d" +TremN1="now+1490h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" zsktimes="-P ${TactN} -A ${TactN}" @@ -597,7 +596,7 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer setup step4.ksk-doubleksk.autosign # According to RFC 7583: # -# Tret(N) = Tsbm(N+1) + Dreg +# Tret(N) = Tsbm(N+1) # Tdea(N) = Tret(N) + Iret # Tact(N+1) = Tret(N) # 
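Review bot: The new comment `# Tact(N) = Tnow + Lksk = now - 60d = now - 60d` has the wrong sign on the formula side and repeats its own result; the assignment `TactN="now-60d"` right below it is Tnow minus Lksk. It should read `# Tact(N) = Tnow - Lksk = now - 60d`. The rest of the rewritten timeline (Tret(N) = now, Trem(N) = now + 50h, Trem(N+1) = now + 1490h) agrees with the assignments that follow.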
@@ -613,24 +612,24 @@ setup step4.ksk-doubleksk.autosign # Tnow # # Lksk: 60d -# Dreg: 1d +# Dreg: N/A # Iret: 50h # # Tact(N) = Tnow - Lksk - Iret = now - 60d - 50h # = now - 1440h - 50h = now - 1490h # Tret(N) = Tnow - Iret = now - 50h # Trem(N) = Tnow -# Tpub(N+1) = Tnow - Iret - Dreg - IpubC = now - 50h - 1d - 27h -# = now - 101h -# Tsbm(N+1) = Tnow - Iret - Dreg = now - 50h - 1d = now - 74h +# Tpub(N+1) = Tnow - Iret - IpubC = now - 50h - 27h +# = now - 77h +# Tsbm(N+1) = Tnow - Iret = now - 50h # Tact(N+1) = Tret(N) # Tret(N+1) = Tnow + Lksk - Iret = now + 60d - 50h = now + 1390h # Trem(N+1) = Tnow + Lksk = now + 60d TactN="now-1490h" TretN="now-50h" TremN="now" -TpubN1="now-101h" -TsbmN1="now-74h" +TpubN1="now-77h" +TsbmN1="now-50h" TactN1="${TretN}" TretN1="now+1390h" TremN1="now+60d" @@ -657,21 +656,21 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer setup step5.ksk-doubleksk.autosign # Subtract DNSKEY TTL from all the times (2h). # Tact(N) = now - 1490h - 2h = now - 1492h -# Tret(N) = now - 52h - 2h = now - 52h +# Tret(N) = now - 50h - 2h = now - 52h # Trem(N) = now - 2h -# Tpub(N+1) = now - 101h - 2h = now - 103h -# Tsbm(N+1) = now - 74h - 2h = now - 76h +# Tpub(N+1) = now - 77h - 2h = now - 79h +# Tsbm(N+1) = now - 50h - 2h = now - 52h # Tact(N+1) = Tret(N) # Tret(N+1) = now + 1390h - 2h = now + 1388h # Trem(N+1) = now + 60d + 2h = now + 1442h TactN="now-1492h" TretN="now-52h" TremN="now-2h" -TpubN1="now-103h" -TsbmN1="now-76h" +TpubN1="now-79h" +TsbmN1="now-52h" TactN1="${TretN}" TretN1="now+1388h" -TremN1="now+1438h" +TremN1="now+1442h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" zsktimes="-P ${TactN} -A ${TactN}" 
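Review bot: `TremN1="now+1442h"` in the step5.ksk-doubleksk block contradicts the rule stated at the top of that block, `Subtract DNSKEY TTL from all the times (2h)`: step4 sets Trem(N+1) = now + 60d, so two hours later it is now + 1438h, which is what the replaced line had. The change aligns the code with the unchanged context comment `# Trem(N+1) = now + 60d + 2h = now + 1442h`, but every other entry in that list subtracts 2h, so the comment looks like the error rather than the code. Unless the +2h is deliberate, keep `TremN1="now+1438h"` and correct the comment to `# Trem(N+1) = now + 60d - 2h = now + 1438h`.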
@@ -694,11 +693,6 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer
 # The zones at csk-roll.autosign represent the various steps of a CSK rollover
 # (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
 #
-#
-# The activation time for zone signing (ZSK) is different than for chain of
-# trust validation (KSK). Therefor, for zone signing we use TactZ and TretZ
-# instead of Tact and Tret.
-#
 # Step 1:
 # Introduce the first key. This will immediately be active.
@@ -715,28 +709,25 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # It is time to introduce the new CSK. setup step2.csk-roll.autosign # According to RFC 7583: -# KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC -# ZSK: Tpub(N+1) <= TactZ(N) + Lzsk - Ipub +# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC +# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub # IpubC = DprpC + TTLkey (+publish-safety) # Ipub = IpubC # Lcsk = Lksk = Lzsk # # Lcsk: 6mo (186d, 4464h) -# Dreg: 1d +# Dreg: N/A # DprpC: 1h # TTLkey: 1h # publish-safety: 1h # Ipub: 3h # -# Tact(N) = Tnow - Lcsk + Ipub + Dreg = now - 186d + 3h + 1d -# = now - 4464h + 3h + 24h = now - 4437h -# TactZ(N) = Tnow - Lcsk + IpubC = now - 186d + 3h -# = now - 4464h + 3h = now - 4461h -TactN="now-4437h" -TactZN="now-4461h" -csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN}" +# Tact(N) = Tnow - Lcsk + Ipub = now - 186d + 3h +# = now - 4464h + 3h = now - 4461h +TactN="now-4461h" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone 13 "$CSK" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 @@ -747,15 +738,15 @@ setup step3.csk-roll.autosign # According to RFC 7583: # # Tsbm(N+1) >= Trdy(N+1) -# KSK: Tact(N+1) = Tsbm(N+1) + Dreg -# ZSK: TactZ(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1) +# KSK: Tact(N+1) = Tsbm(N+1) +# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1) # KSK: Iret = DprpP + TTLds (+retire-safety) # ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety) # # Lcsk: 186d # Dprp: 1h # DprpP: 1h -# Dreg: 1d +# Dreg: N/A # Dsgn: 25d # TTLds: 1h # TTLsig: 1d 
@@ -764,37 +755,29 @@ setup step3.csk-roll.autosign # IretZ: 26d3h # Ipub: 3h # -# TactZ(N) = Tnow - Lcsk = now - 186d -# TretZ(N) = now -# Tact(N) = Tnow + Dreg - Lcsk = now + 1d - 186d = now - 185d -# Tret(N) = Tnow + Dreg = now + 1d -# Trem(N) = Tnow + IretZ = now + 26d3h = now + 627h -# Tpub(N+1) = Tnow - Ipub = now - 3h -# Tsbm(N+1) = TretZ(N) -# TactZ(N+1) = TretZ(N) -# TretZ(N+1) = Tnow + Lcsk = now + 186d -# Tact(N+1) = Tret(N) -# Tret(N+1) = Tnow + Dreg + Lcsk = now + 1d + 186d = now + 187d -# Trem(N+1) = Tnow + Lcsk + IretZ = now + 186d + 26d3h = -# = now + 5091h -TactZN="now-186d" -TretZN="now" -TactN="now-185d" -TretN="now+1d" +# Tact(N) = Tnow - Lcsk = now - 186d +# Tret(N) = now +# Trem(N) = Tnow + IretZ = now + 26d3h = now + 627h +# Tpub(N+1) = Tnow - Ipub = now - 3h +# Tsbm(N+1) = Tret(N) +# Tact(N+1) = Tret(N) +# Tret(N+1) = Tnow + Lcsk = now + 186d = now + 186d +# Trem(N+1) = Tnow + Lcsk + IretZ = now + 186d + 26d3h = +# = now + 5091h +TactN="now-186d" +TretN="now" TremN="now+627h" TpubN1="now-3h" TsbmN1="now" -TactZN1="${TsbmN1}" -TretZN1="now+186d" TactN1="${TretN}" -TretN1="now+187d" +TretN1="now+186d" TremN1="now+5091h" -csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" -newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. 
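Review bot: `# Tret(N+1) = Tnow + Lcsk = now + 186d = now + 186d` in the step3.csk-roll timeline repeats its own result, which reads like a leftover from the removed `now + 1d + 186d = now + 187d` form; `# Tret(N+1) = Tnow + Lcsk = now + 186d` is enough. Since `TremN="now+627h"` is driven by IretZ here while the csk-roll2 steps derive Trem(N) from Iret, a one-line reminder such as `# Trem(N) uses IretZ (26d3h) because it exceeds Iret (4h) in this policy` next to `# Trem(N) = Tnow + IretZ = now + 26d3h = now + 627h` would spare the reader the comparison.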
@@ -806,50 +789,40 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Step 4: # Some time later all the ZRRSIG records should be from the new CSK, and the # DS should be swapped. The ZRRSIG records are all replaced after IretZ -# (which is 26d3h). The DS is swapped after Dreg + Iret (which is 1d4h). +# (which is 26d3h). The DS is swapped after Iret (which is 4h). # In other words, the DS is swapped before all zone signatures are replaced. setup step4.csk-roll.autosign # According to RFC 7583: -# Trem(N) = TretZ(N) + IretZ -# Tnow = Tsbm(N+1) + Dreg + Iret +# Trem(N) = Tret(N) - Iret + IretZ +# Tnow = Tsbm(N+1) + Iret # # Lcsk: 186d # Iret: 4h # IretZ: 26d3h # -# TactZ(N) = Tnow - Iret - Dreg - Lcsk = now - 4h - 24h - 4464h -# = now - 4492h -# TretZ(N) = Tnow - Iret - Dreg = now - 4h - 1d = now - 28h -# Tact(N) = Tnow - Iret - Lcsk = now - 4h - 186d = now - 4468h -# Tret(N) = Tnow - Iret = now - 4h = now - 4h -# Trem(N) = Tnow - Iret - Dreg + IretZ = now - 4h - 1d + 26d3h -# = now + 24d23h = now + 599h -# Tpub(N+1) = Tnow - Iret - Dreg - IpubC = now - 4h - 1d - 3h = now - 31h -# Tsbm(N+1) = TretZ(N) -# TactZ(N+1) = TretZ(N) -# TretZ(N+1) = Tnow - Iret - Dreg + Lcsk = now - 4h - 1d + 186d -# = now + 4436h -# Tact(N+1) = Tret(N) -# Tret(N+1) = Tnow - Iret + Lcsk = now + 6mo - 4h = now + 4460h -# Trem(N+1) = Tnow - Iret - Dreg + Lcsk + IretZ = now - 4h - 1d + 186d + 26d3h -# = now + 5063h -TactZN="now-4492h" -TretZN="now-28h" +# Tact(N) = Tnow - Iret - Lcsk = now - 4h - 186d = now - 4468h +# Tret(N) = Tnow - Iret = now - 4h = now - 4h +# Trem(N) = Tnow - Iret + IretZ = now - 4h + 26d3h +# = now + 623h +# Tpub(N+1) = Tnow - Iret - IpubC = now - 4h - 3h = now - 7h +# Tsbm(N+1) = Tret(N) +# Tact(N+1) = Tret(N) +# Tret(N+1) = Tnow - Iret + Lcsk = now - 4h + 186d = now + 4460h +# Trem(N+1) = Tnow - Iret + Lcsk + IretZ = now - 4h + 186d + 26d3h +# = now + 5087h TactN="now-4468h" TretN="now-4h" -TremN="now+599h" -TpubN1="now-31h" 
-TsbmN1="${TretZN}" -TactZN1="${TretZN}" -TretZN1="now+4436h" +TremN="now+623h" +TpubN1="now-7h" +TsbmN1="${TretN}" TactN1="${TretN}" TretN1="now+4460h" -TremN1="now+5063h" -csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" -newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" +TremN1="now+5087h" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 
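Review bot: The new RFC 7583 summary line `# Trem(N) = Tret(N) - Iret + IretZ` subtracts Iret twice: Tret(N) is defined a few lines further down as `Tnow - Iret`, and the worked value `Trem(N) = Tnow - Iret + IretZ = now + 623h` only follows from `Tret(N) + IretZ`. The step6 block later in this file states the relation that way (`Trem(N) = Tret(N) + IretZ`). Change the line to `# Trem(N) = Tret(N) + IretZ`; the numbers below it are already consistent with that.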
@@ -864,36 +837,28 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # At this time these have all become hidden. setup step5.csk-roll.autosign # Subtract DNSKEY TTL plus zone propagation delay from all the times (2h). -# TactZ(N) = now - 4492h - 2h = now - 4494h -# TretZ(N) = now - 28h - 2h = now - 30h -# Tact(N) = now - 4468h - 2h = now - 4470h -# Tret(N) = now - 4h - 2h = now - 6h -# Trem(N) = now + 599h - 2h = now + 597h -# Tpub(N+1) = now - 31h - 2h = now - 33h -# Tsbm(N+1) = TretZ(N) -# TactZ(N+1) = TretZ(N) -# TretZ(N+1) = now + 4436h - 2h = now + 4434h -# Tact(N+1) = Tret(N) -# Tret(N+1) = now + 4460h - 2h = now + 4458h -# Trem(N+1) = now + 5063h - 2h = now + 5061h -TactZN="now-4494h" -TretZN="now-30h" +# Tact(N) = now - 4468h - 2h = now - 4470h +# Tret(N) = now - 4h - 2h = now - 6h +# Trem(N) = now + 623h - 2h = now + 621h +# Tpub(N+1) = now - 7h - 2h = now - 9h +# Tsbm(N+1) = Tret(N) +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 4460h - 2h = now + 4458h +# Trem(N+1) = now + 5087h - 2h = now + 5085h TactN="now-4470h" TretN="now-6h" -TremN="now+597h" -TpubN1="now-33h" -TsbmN1="now-30h" -TactZN1="${TsbmN1}" -TretZN1="now+4434h" +TremN="now+621h" +TpubN1="now-9h" +TsbmN1="${TretN}" TactN1="${TretN}" TretN1="now+4458h" -TremN1="now+5061h" -csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" -newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" +TremN1="now+5085h" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactZN -r $U now-2h -d $H now-2h -z $U $TactZN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R 
$TactZN1 "$CSK2" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. 
@@ -907,45 +872,35 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # removed from the zone. setup step6.csk-roll.autosign # According to RFC 7583: -# Trem(N) = TretZ(N) + IretZ -# TretZ(N) = TactZ(N) + Lcsk +# Trem(N) = Tret(N) + IretZ +# Tret(N) = Tact(N) + Lcsk # # Lcsk: 186d # Iret: 4h # IretZ: 26d3h # -# TactZ(N) = Tnow - IretZ - Lcsk = now - 627h - 186d -# = now - 627h - 4464h = now - 5091h -# TretZ(N) = Tnow - IretZ = now - 627h -# Tact(N) = Tnow - IretZ - Lcsk + Dreg = now - 627h - 186d + 1d = -# now - 627h - 4464h + 24h = now - 5067h -# Tret(N) = Tnow - IretZ + Dreg = now - 627h + 24h -# = Tnow - 603h -# Trem(N) = Tnow -# Tpub(N+1) = Tnow - IretZ - Ipub = now - 627h - 3h = now - 630h -# Tsbm(N+1) = TretZ(N) -# TactZ(N+1) = TretZ(N) -# TretZ(N+1) = Tnow - IretZ + Lcsk = now - 627h + 186d = now + 3837h -# Tact(N+1) = Tret(N) -# Tret(N+1) = Tnow - Iret + Lcsk = now - 4h + 186d = now + 4460h -# Trem(N+1) = Tnow + Lcsk = now + 186d -TactZN="now-5091h" -TretZN="now-627h" -TactN="now-5067h" -TretN="now-603h" +# Tact(N) = Tnow - IretZ - Lcsk = now - 627h - 186d +# = now - 627h - 4464h = now - 5091h +# Tret(N) = Tnow - IretZ = now - 627h +# Trem(N) = Tnow +# Tpub(N+1) = Tnow - IretZ - Ipub = now - 627h - 3h = now - 630h +# Tsbm(N+1) = Tret(N) +# Tact(N+1) = Tret(N) +# Tret(N+1) = Tnow - IretZ + Lcsk = now - 627h + 186d = now + 3837h +# Trem(N+1) = Tnow + Lcsk = now + 186d +TactN="now-5091h" +TretN="now-627h" TremN="now" TpubN1="now-630h" -TsbmN1="${TretZN}" -TactZN1="${TretZN}" -TretZN1="now+3837h" +TsbmN1="${TretN}" TactN1="${TretN}" -TretN1="now+4460h" +TretN1="now+3837h" TremN1="now+186d" -csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" -newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" CSK1=$($KEYGEN -k 
csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactZN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 
@@ -959,36 +914,28 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Some time later the predecessor DNSKEY enters the HIDDEN state. setup step7.csk-roll.autosign # Subtract DNSKEY TTL plus zone propagation delay from all the times (2h). -# TactZ(N) = now - 5091h - 2h = now - 5093h -# TretZ(N) = now - 627h - 2h = now - 629h -# Tact(N) = now - 5067h - 2h = now - 5069h -# Tret(N) = now - 603h - 2h = now - 605h +# Tact(N) = now - 5091h - 2h = now - 5093h +# Tret(N) = now - 627h - 2h = now - 629h # Trem(N) = now - 2h # Tpub(N+1) = now - 630h - 2h = now - 632h -# Tsbm(N+1) = now - 627h - 2h = now - 629h -# TactZ(N+1) = Tsbm(N+1) -# TretZ(N+1) = now + 3837h - 2h = now + 3835h +# Tsbm(N+1) = Tret(N) # Tact(N+1) = Tret(N) -# Tret(N+1) = now + 4460h - 2h = now + 4458h +# Tret(N+1) = now + 3837h - 2h = now + 3835h # Trem(N+1) = now + 186d - 2h = now + 4462h -TactZN="now-5093h" -TretZN="now-629h" -TactN="now-5069h" -TretN="now-605h" +TactN="now-5093h" +TretN="now-629h" TremN="now-2h" TpubN1="now-632h" -TsbmN1="${TretZN}" -TactZN1="${TretZN}" -TretZN1="now+3835h" +TsbmN1="${TretN}" TactN1="${TretN}" -TretN1="now+4458h" +TretN1="now+3835h" TremN1="now+4462h" -csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" -newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactZN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactZN1 "$CSK2" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 
"$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. @@ -1003,11 +950,6 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # This scenario differs from the above one because the zone signatures (ZRRSIG) # are replaced with the new key sooner than the DS is swapped. # -# -# The activation time for zone signing (ZSK) is different than for chain of -# trust validation (KSK). Therefor, for zone signing we use TactZ and TretZ -# instead of Tact and Tret. -# # Step 1: # Introduce the first key. This will immediately be active. 
@@ -1024,28 +966,25 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # It is time to introduce the new CSK. setup step2.csk-roll2.autosign # According to RFC 7583: -# KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC -# ZSK: Tpub(N+1) <= TactZ(N) + Lzsk - Ipub +# KSK: Tpub(N+1) <= Tact(N) + Lksk - IpubC +# ZSK: Tpub(N+1) <= Tact(N) + Lzsk - Ipub # IpubC = DprpC + TTLkey (+publish-safety) # Ipub = IpubC # Lcsk = Lksk = Lzsk # # Lcsk: 6mo (186d, 4464h) -# Dreg: 1w +# Dreg: N/A # DprpC: 1h # TTLkey: 1h # publish-safety: 1h # Ipub: 3h # -# Tact(N) = Tnow - Lcsk + Ipub + Dreg = now - 186d + 3h + 1w -# = now - 4464h + 3h + 168h = now - 4293h -# TactZ(N) = Tnow - Lcsk + IpubC = now - 186d + 3h +# Tact(N) = Tnow - Lcsk + Ipub = now - 186d + 3h # = now - 4464h + 3h = now - 4461h -TactN="now-4293h" -TactZN="now-4461h" -csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN}" +TactN="now-4461h" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 cat template.db.in "${CSK}.key" > "$infile" private_type_record $zone 13 "$CSK" >> "$infile" $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1 
@@ -1056,54 +995,46 @@ setup step3.csk-roll2.autosign # According to RFC 7583: # # Tsbm(N+1) >= Trdy(N+1) -# KSK: Tact(N+1) = Tsbm(N+1) + Dreg -# ZSK: TactZ(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1) +# KSK: Tact(N+1) = Tsbm(N+1) +# ZSK: Tact(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1) # KSK: Iret = DprpP + TTLds (+retire-safety) # ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety) # # Lcsk: 186d # Dprp: 1h -# DprpP: 1h -# Dreg: 1w +# DprpP: 1w +# Dreg: N/A # Dsgn: 12h # TTLds: 1h # TTLsig: 1d # retire-safety: 1h -# Iret: 3h +# Iret: 170h # IretZ: 38h # Ipub: 3h # -# TactZ(N) = Tnow - Lcsk = now - 186d -# TretZ(N) = now -# Tact(N) = Tnow + Dreg - Lcsk = now + 1w - 186d = now - 179d -# Tret(N) = Tnow + Dreg = now + 7d -# Trem(N) = Tnow + Dreg + Iret = now + 1w + 3h = now + 171h -# Tpub(N+1) = Tnow - Ipub = now - 3h -# Tsbm(N+1) = TretZ(N) -# TactZ(N+1) = TretZ(N) -# TretZ(N+1) = Tnow + Lcsk = now + 186d -# Tact(N+1) = Tret(N) -# Tret(N+1) = Tnow + Lcsk + Dreg = now + 186d + 7d = now + 193d -# Trem(N+1) = Tnow + Lcsk + Dreg + Iret = now + 186d + 7d + 3h = -# = now + 193d + 3h = now + 4632h + 3h = now + 4635h -TactZN="now-186d" -TretZN="now" -TactN="now-179d" -TretN="now+7d" -TremN="now+171h" +# Tact(N) = Tnow - Lcsk = now - 186d +# Tret(N) = now +# Trem(N) = Tnow + Iret = now + 170h +# Tpub(N+1) = Tnow - Ipub = now - 3h +# Tsbm(N+1) = Tret(N) +# Tact(N+1) = Tret(N) +# Tret(N+1) = Tnow + Lcsk = now + 186d +# Trem(N+1) = Tnow + Lcsk + Iret = now + 186d + 170h = +# = now + 4464h + 170h = now + 4634h +TactN="now-186d" +TretN="now" +TremN="now+170h" TpubN1="now-3h" -TsbmN1="${TretZN}" -TactZN1="${TretZN}" -TretZN1="now+186d" +TsbmN1="${TretN}" TactN1="${TretN}" -TretN1="now+193d" -TremN1="now+4635h" -csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" -newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" +TretN1="now+186d" +TremN1="now+4634h" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" 
+newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. 
@@ -1119,49 +1050,38 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # signatures are replaced before the DS is swapped. setup step4.csk-roll2.autosign # According to RFC 7583: -# Trem(N) = Tret(N) + Iret -# Tnow = TretZ(N) + IretZ +# Trem(N) = Tret(N) + IretZ # # Lcsk: 186d -# Dreg: 1w -# Iret: 3h +# Dreg: N/A +# Iret: 170h # IretZ: 38h # -# TactZ(N) = Tnow - IretZ = Lcsk = now - 38h - 186d +# Tact(N) = Tnow - IretZ = Lcsk = now - 38h - 186d # = now - 38h - 4464h = now - 4502h -# TretZ(N) = Tnow - IretZ = now - 38h -# Tact(N) = Tnow - IretZ - Lcsk + Dreg = now - 38h - 4464h + 168h -# = now - 4334h -# Tret(N) = Tnow - IretZ + Dreg = now - 38h + 168h = now + 130h -# Trem(N) = Tnow - IretZ + Dreg + Iret = now + 130h + 3h = now + 133h +# Tret(N) = Tnow - IretZ = now - 38h +# Trem(N) = Tnow - IretZ + Iret = now - 38h + 170h = now + 132h # Tpub(N+1) = Tnow - IretZ - IpubC = now - 38h - 3h = now - 41h -# Tsbm(N+1) = TretZ(N) -# TactZ(N+1) = TretZ(N) -# TretZ(N+1) = Tnow - IretZ + Lcsk = now - 38h + 186d -# = now + 4426h +# Tsbm(N+1) = Tret(N) # Tact(N+1) = Tret(N) -# Tret(N+1) = Tnow - IretZ + Dreg + Lcsk = now - 38h + 168h + 4464h -# = now + 4594h -# Trem(N+1) = Tnow - IretZ + Dreg + Lcsk + Iret -# = now + 4594h + 3h = now + 4597h -TactZN="now-4502h" -TretZN="now-38h" -TactN="now-4334h" -TretN="now+130h" -TremN="now+133h" +# Tret(N+1) = Tnow - IretZ + Lcsk = now - 38h + 186d +# = now + 4426h +# Trem(N+1) = Tnow - IretZ + Lcsk + Iret +# = now + 4426h + 3h = now + 4429h +TactN="now-4502h" +TretN="now-38h" +TremN="now+132h" TpubN1="now-41h" -TsbmN1="${TretZN}" -TactZN1="${TretZN}" -TretZN1="now+4426h" +TsbmN1="${TretN}" TactN1="${TretN}" -TretN1="now+4594h" -TremN1="now+4597h" -csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" -newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" +TretN1="now+4426h" +TremN1="now+4429h" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I 
${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $U $TretZN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TactZN1 "$CSK2" > settime.out.$zone.2 2>&1 +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TretN "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. 
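Review bot: `TremN1="now+4429h"` and the comment `# = now + 4426h + 3h = now + 4429h` in step4.csk-roll2 still use the old Iret of 3h, while the same hunk declares `# Iret: 170h` and computes Trem(N) with 170h. With the new interval Trem(N+1) = Tnow - IretZ + Lcsk + Iret = now - 38h + 4464h + 170h = now + 4596h, so the assignment should be `TremN1="now+4596h"` and the comment `# = now + 4426h + 170h = now + 4596h`. The renamed line `# Tact(N) = Tnow - IretZ = Lcsk = now - 38h - 186d` also carries an `=` where `-` is meant (`Tnow - IretZ - Lcsk`).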
@@ -1174,37 +1094,29 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si # Some time later the DS can be swapped and the old DNSKEY can be removed from # the zone. setup step5.csk-roll2.autosign -# Subtract Dreg + Iret (171h) - IretZ (38h) = 133h. +# Subtract Iret (170h) - IretZ (38h) = 132h. # -# TactZ(N) = now - 4502h - 133h = now - 4635h -# TretZ(N) = now - 38h - 133h = now - 171h -# Tact(N) = now - 4334h = 133h = now - 4467h -# Tret(N) = now + 130h - 133h = now - 3h -# Trem(N) = now + 133h - 133h = now -# Tpub(N+1) = now - 41h - 133h = now - 174h -# Tsbm(N+1) = TretZ(N) -# TactZ(N+1) = TretZ(N) -# TretZ(N+1) = now + 4426h - 133h = now + 4293h -# Tact(N+1) = Tret(N) -# Tret(N+1) = now + 4594h - 133h = now + 4461h -# Trem(N+1) = now + 4597h - 133h = now + 4464h = now + 186d -TactZN="now-4635h" -TretZN="now-171h" -TactN="now-4467h" -TretN="now-3h" +# Tact(N) = now - 4502h - 132h = now - 4634h +# Tret(N) = now - 38h - 132h = now - 170h +# Trem(N) = now + 132h - 132h = now +# Tpub(N+1) = now - 41h - 132h = now - 173h +# Tsbm(N+1) = Tret(N) +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 4426h - 132h = now + 4294h +# Trem(N+1) = now + 4492h - 132h = now + 4360h +TactN="now-4634h" +TretN="now-170h" TremN="now" -TpubN1="now-174h" -TsbmN1="${TretZN}" -TactZN1="${TretZN}" -TretZN1="now+4293h" +TpubN1="now-173h" +TsbmN1="${TretN}" TactN1="${TretN}" -TretN1="now+4461h" -TremN1="now+186d" -csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" -newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" +TretN1="now+4294h" +TremN1="now+4360h" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H 
-k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $H now-133h "$CSK1" > settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $H now-133h "$CSK1" > settime.out.$zone.1 2>&1 $SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $O now-133h "$CSK2" > settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 
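Review bot: `# Trem(N+1) = now + 4492h - 132h = now + 4360h` and `TremN1="now+4360h"` in step5.csk-roll2 do not follow from the step4 value this commit sets (4429h - 132h = 4297h), nor from the value step4 should carry with Iret = 170h (4596h - 132h = 4464h, i.e. now + 186d, which is what the previous version had at this step). I would set `TremN1="now+4464h"` and write the comment as `# Trem(N+1) = now + 4596h - 132h = now + 4464h = now + 186d`. The rewritten `$SETTIME` line for CSK1 also keeps `-z $H now-133h` although the block header now says the shift is 132h, and the unchanged CSK2 line uses the same 133h; both presumably should become `now-132h`.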
@@ -1219,32 +1131,24 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > si setup step6.csk-roll2.autosign # Subtract DNSKEY TTL plus zone propagation delay (2h). # -# TactZ(N) = now - 4635h - 2h = now - 4637h -# TretZ(N) = now - 171h - 2h = now - 173h -# Tact(N) = now - 4467h - 2h = now - 4469h -# Tret(N) = now - 3h - 2h = now - 5h -# Trem(N) = now - 2h -# Tpub(N+1) = now - 174h - 2h = now - 176h -# Tsbm(N+1) = TretZ(N) -# TactZ(N+1) = TretZ(N) -# TretZ(N+1) = now + 4293h - 2h = now + 4291h -# Tact(N+1) = Tret(N) -# Tret(N+1) = now + 4461h - 2h = now + 4459h -# Trem(N+1) = now + 4464h - 2h = now + 4462h -TactZN="now-4637h" -TretZN="now-173h" -TactN="now-4469h" -TretN="now-5h" +# Tact(N) = now - 4634h - 2h = now - 4636h +# Tret(N) = now - 170h - 2h = now - 172h +# Trem(N) = now - 2h +# Tpub(N+1) = now - 173h - 2h = now - 175h +# Tsbm(N+1) = Tret(N) +# Tact(N+1) = Tret(N) +# Tret(N+1) = now + 4294h - 2h = now + 4292h +# Trem(N+1) = now + 4360h - 2h = now + 4358h +TactN="now-4636h" +TretN="now-172h" TremN="now-2h" -TpubN1="now-176h" -TsbmN1="${TretZN}" -TactZN1="${TretZN}" -TretZN1="now+4291h" +TpubN1="now-175h" +TsbmN1="${TretN}" TactN1="${TretN}" -TretN1="now+4459h" -TremN1="now+4462h" -csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN} -I ${TretZN} -D ${TremN}" -newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}" +TretN1="now+4292h" +TremN1="now+4358h" +csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" +newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) $SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1 
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index a2dbda682d..ce53559052 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -928,19 +928,20 @@ check_keys() # DNSSEC records. check_dnssecstatus() { _server=$1 - _zone=$2 - _view=$3 + _policy=$2 + _zone=$3 + _view=$4 n=$((n+1)) - echo_i "check rndc dnssec -status output for ${_zone} ($n)" + echo_i "check rndc dnssec -status output for ${_zone} (policy: $_policy) ($n)" ret=0 rndccmd $_server dnssec -status $_zone in $_view > rndc.dnssec.status.out.$_zone.$n || log_error "rndc dnssec -status zone ${_zone} failed" - if [ "$POLICY" = "none" ]; then - grep "zone does not have dnssec-policy" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for zone ${_zone}" + if [ "$_policy" = "none" ]; then + grep "Zone does not have dnssec-policy" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for unsigned zone ${_zone}" else - grep "dnssec-policy: ${POLICY}" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for zone ${_zone}" + grep "dnssec-policy: ${_policy}" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for signed zone ${_zone}" if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "missing key $(key_get KEY1 ID) from dnssec status" fi 
@@ -959,6 +960,35 @@ check_dnssecstatus() { status=$((status+ret)) } +_loadkeys_on() { + _server=$1 + _dir=$2 + _zone=$3 + + nextpart $_dir/named.run > /dev/null + rndccmd $_server loadkeys $_zone in $_view > rndc.dnssec.loadkeys.out.$_zone.$n + wait_for_log 20 "zone ${_zone}/IN (signed): next key event" $_dir/named.run || return 1 +} + +# Tell named that the DS for the key in given zone has been seen in the +# parent (this does not actually has to be true, we just issue the command +# to make named believe it can continue with the rollover). +rndc_checkds() { + _server=$1 + _dir=$2 + _keyid=$3 + _when=$4 + _what=$5 + _zone=$6 + _view=$7 + + echo_i "calling checkds $_what key ${_keyid} zone ${_zone} ($n)" + + rndccmd $_server dnssec -checkds -key $_keyid -when $_when $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (key ${_keyid} when ${_when} what ${_what}) zone ${_zone} failed" + _loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)" +} + + # Check if RRset of type $1 in file $2 is signed with the right keys. # The right keys are the ones that expect a signature and matches the role $3. check_signatures() { @@ -1205,7 +1235,7 @@ set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" set_keystate "KEY1" "STATE_DS" "hidden" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_csk_policy check_keytimes check_apex @@ -1247,7 +1277,7 @@ set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_csk_policy check_keytimes check_apex 
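Review bot: `_loadkeys_on` expands `$_view` in its rndccmd line but only assigns `_server`, `_dir` and `_zone`, so it silently relies on `_view` being left behind as a global by `rndc_checkds` or whatever ran before it. Pass it explicitly: add `_view=$4` after `_zone=$3` and call `_loadkeys_on $_server $_dir $_zone $_view` from rndc_checkds. The result of `rndccmd $_server loadkeys ...` is also unchecked, so a failed loadkeys is only reported indirectly through the missing "next key event" log line; a `|| return 1` on that line would make the failure direct.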
@@ -1280,7 +1310,7 @@ set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_csk_policy check_keytimes check_apex 
@@ -1308,13 +1338,199 @@ set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_csk_policy check_keytimes check_apex check_subdomain dnssec_verify +# +# Zone: checkds-ksk.kasp. +# +key_clear "KEY1" +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +set_zone "checkds-ksk.kasp" +set_policy "checkds-ksk" "2" "303" +set_server "ns3" "10.53.0.3" +# Key properties. +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" + +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" +set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" +# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" + +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "rumoured" +set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" + +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify + +basefile=$(key_get KEY1 BASEFILE) + +n=$((n+1)) +echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)" +rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE" +grep "DSPublish: 20190102121314" "${basefile}.state" > /dev/null || log_error "DSPublish not set in ${basefile}" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)" +rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE" +grep "DSRemoved: 20200102121314" "${basefile}.state" > /dev/null || log_error "DSRemoved not set in 
${basefile}" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# +# Zone: checkds-doubleksk.kasp. +# +key_clear "KEY1" +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +set_zone "checkds-doubleksk.kasp" +set_policy "checkds-doubleksk" "3" "303" +set_server "ns3" "10.53.0.3" +# Key properties. +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" + +set_keyrole "KEY2" "ksk" +set_keylifetime "KEY2" "0" +set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" + +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "0" +set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "yes" +# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. +set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" + +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "rumoured" +set_keystate "KEY2" "STATE_KRRSIG" "rumoured" +set_keystate "KEY2" "STATE_DS" "hidden" + +set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" + +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify + +basefile1=$(key_get KEY1 BASEFILE) +basefile2=$(key_get KEY2 BASEFILE) + +n=$((n+1)) +echo_i "checkds published does not set DSPublish for zone $ZONE (multiple KSK) ($n)" +rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "published" "$ZONE" +grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}" +grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}" +test "$ret" -eq 0 || echo_i "failed" 
+status=$((status+ret)) + +n=$((n+1)) +echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (multiple KSK) ($n)" +rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "withdrawn" "$ZONE" +grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}" +grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "checkds published -key correctly sets DSPublish for key $(key_get KEY1 ID) zone $ZONE (multiple KSK) ($n)" +rndc_checkds "$SERVER" "$DIR" $(key_get KEY1 ID) "20190102121314" "published" "$ZONE" +grep "DSPublish: 20190102121314" "${basefile1}.state" > /dev/null || log_error "DSPublish not set in ${basefile1}" +grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "checkds withdrawn -key correctly sets DSRemoved for key $(key_get KEY2 ID) zone $ZONE (multiple KSK) ($n)" +rndc_checkds "$SERVER" "$DIR" $(key_get KEY2 ID) "20200102121314" "withdrawn" "$ZONE" +grep "DSRemoved: 20200102121314" "${basefile2}.state" > /dev/null || log_error "DSRemoved not set in ${basefile2}" +grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +# +# Zone: checkds-csk.kasp. +# +key_clear "KEY1" +key_clear "KEY2" +key_clear "KEY3" +key_clear "KEY4" + +set_zone "checkds-csk.kasp" +set_policy "checkds-csk" "1" "303" +set_server "ns3" "10.53.0.3" +# Key properties. +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" +set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" +# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. 
+set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DNSKEY" "rumoured" +set_keystate "KEY1" "STATE_KRRSIG" "rumoured" +set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" +set_keystate "KEY1" "STATE_DS" "hidden" + +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" +check_apex +check_subdomain +dnssec_verify + +basefile=$(key_get KEY1 BASEFILE) + +n=$((n+1)) +echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)" +rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE" +grep "DSPublish: 20190102121314" "${basefile}.state" || log_error "DSPublish not set in ${basefile}" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + +n=$((n+1)) +echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)" +rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE" +grep "DSRemoved: 20200102121314" "${basefile}.state" || log_error "DSRemoved not set in ${basefile}" +test "$ret" -eq 0 || echo_i "failed" +status=$((status+ret)) + # Set keytimes for dnssec-policy with various algorithms. # These all use the same time values. set_keytimes_algorithm_policy() { @@ -1434,7 +1650,7 @@ set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" key_clear "KEY4" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_algorithm_policy check_keytimes check_apex @@ -1454,7 +1670,7 @@ key_clear "KEY3" key_clear "KEY4" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_apex check_subdomain @@ -1478,7 +1694,7 @@ set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" set_keystate "KEY1" "STATE_DS" "hidden" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_csk_policy check_keytimes check_apex 
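Review bot: None of the new checkds test blocks resets `ret=0` after `n=$((n+1))`, unlike check_dnssecstatus, so if log_error sets ret (as its use elsewhere in the file suggests) one failure is counted again by every following `status=$((status+ret))` in the section; add `ret=0` at the top of each block. In the checkds-doubleksk "withdrawn" blocks the greps look for `DSRemoved:` but the messages say `DSPublish incorrectly set in ${basefile1}` (three occurrences), which misreports what was checked. The two greps in the checkds-csk block also omit `> /dev/null`, so the matched state line is printed into the test output; add the redirect for consistency with the checkds-ksk block.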
@@ -1531,7 +1747,7 @@ set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" key_clear "KEY4" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_algorithm_policy check_keytimes check_apex @@ -1547,7 +1763,7 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_algorithm_policy check_keytimes check_apex @@ -1563,7 +1779,7 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_algorithm_policy "pregenerated" check_keytimes check_apex @@ -1579,7 +1795,7 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_algorithm_policy check_keytimes check_apex @@ -1597,7 +1813,7 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_algorithm_policy "pregenerated" check_keytimes check_apex @@ -1614,7 +1830,7 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_algorithm_policy # Activation date is a day later. set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400 @@ -1640,7 +1856,7 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_algorithm_policy check_keytimes check_apex 
@@ -1689,7 +1905,7 @@ set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000" # Key timings and states same as above. check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_algorithm_policy check_keytimes check_apex @@ -1709,7 +1925,7 @@ set_keyalgorithm "KEY3" "8" "RSASHA256" "2000" # Key timings and states same as above. check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_algorithm_policy check_keytimes check_apex @@ -1729,7 +1945,7 @@ set_keyalgorithm "KEY3" "10" "RSASHA512" "2000" # Key timings and states same as above. check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_algorithm_policy check_keytimes check_apex @@ -1749,7 +1965,7 @@ set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" # Key timings and states same as above. check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_algorithm_policy check_keytimes check_apex @@ -1769,7 +1985,7 @@ set_keyalgorithm "KEY3" "14" "ECDSAP384SHA384" "384" # Key timings and states same as above. check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_algorithm_policy check_keytimes check_apex @@ -1846,7 +2062,7 @@ key_clear "KEY3" key_clear "KEY4" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_autosign_policy check_keytimes check_apex @@ -1904,7 +2120,7 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_autosign_policy check_keytimes check_apex 
@@ -1962,7 +2178,7 @@ set_server "ns3" "10.53.0.3" # Key properties, timings and states same as above. check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_autosign_policy check_keytimes check_apex @@ -2003,7 +2219,7 @@ set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_ZRRSIG" "hidden" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_autosign_policy # The old ZSK is retired. @@ -2058,7 +2274,7 @@ set_policy "none" "0" "0" set_server "ns2" "10.53.0.2" TSIG="" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_apex check_subdomain @@ -2067,7 +2283,7 @@ set_policy "none" "0" "0" set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:sha1:$SHA1" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_apex check_subdomain @@ -2076,7 +2292,7 @@ set_policy "none" "0" "0" set_server "ns4" "10.53.0.4" TSIG="hmac-sha224:sha224:$SHA224" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_apex check_subdomain @@ -2085,7 +2301,7 @@ set_policy "none" "0" "0" set_server "ns4" "10.53.0.4" TSIG="hmac-sha256:sha256:$SHA256" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_apex check_subdomain @@ -2094,7 +2310,7 @@ set_policy "none" "0" "0" set_server "ns4" "10.53.0.4" TSIG="hmac-sha256:sha256:$SHA256" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_apex check_subdomain @@ -2103,7 +2319,7 @@ set_policy "none" "0" "0" set_server "ns5" "10.53.0.5" TSIG="hmac-sha1:sha1:$SHA1" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_apex check_subdomain 
@@ -2112,7 +2328,7 @@ set_policy "none" "0" "0" set_server "ns5" "10.53.0.5" TSIG="hmac-sha1:sha1:$SHA1" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_apex check_subdomain @@ -2121,7 +2337,7 @@ set_policy "none" "0" "0" set_server "ns5" "10.53.0.5" TSIG="hmac-sha224:sha224:$SHA224" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_apex check_subdomain @@ -2130,7 +2346,7 @@ set_policy "none" "0" "0" set_server "ns5" "10.53.0.5" TSIG="hmac-sha256:sha256:$SHA256" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_apex check_subdomain @@ -2139,7 +2355,7 @@ set_policy "none" "0" "0" set_server "ns5" "10.53.0.5" TSIG="hmac-sha256:sha256:$SHA256" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_apex check_subdomain @@ -2166,7 +2382,7 @@ set_policy "default" "1" "3600" set_server "ns2" "10.53.0.2" TSIG="" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_csk_policy check_keytimes check_apex @@ -2178,7 +2394,7 @@ set_policy "default" "1" "3600" set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:sha1:$SHA1" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_csk_policy check_keytimes check_apex @@ -2190,7 +2406,7 @@ set_policy "default" "1" "3600" set_server "ns4" "10.53.0.4" TSIG="hmac-sha224:sha224:$SHA224" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_csk_policy check_keytimes check_apex @@ -2202,7 +2418,7 @@ set_policy "default" "1" "3600" set_server "ns5" "10.53.0.5" TSIG="hmac-sha1:sha1:$SHA1" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_csk_policy check_keytimes check_apex 
@@ -2214,7 +2430,7 @@ set_policy "default" "1" "3600" set_server "ns5" "10.53.0.5" TSIG="hmac-sha224:sha224:$SHA224" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_csk_policy check_keytimes check_apex @@ -2240,7 +2456,7 @@ set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:sha1:$SHA1" wait_for_nsec check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_csk_policy check_keytimes check_apex @@ -2253,7 +2469,7 @@ set_server "ns4" "10.53.0.4" TSIG="hmac-sha224:sha224:$SHA224" wait_for_nsec check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_csk_policy check_keytimes check_apex @@ -2266,7 +2482,7 @@ set_server "ns4" "10.53.0.4" TSIG="hmac-sha256:sha256:$SHA256" wait_for_nsec check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_csk_policy check_keytimes check_apex @@ -2279,7 +2495,7 @@ set_server "ns5" "10.53.0.5" TSIG="hmac-sha224:sha224:$SHA224" wait_for_nsec check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_csk_policy check_keytimes check_apex @@ -2292,7 +2508,7 @@ set_server "ns5" "10.53.0.5" TSIG="hmac-sha256:sha256:$SHA256" wait_for_nsec check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" set_keytimes_csk_policy check_keytimes check_apex @@ -2304,7 +2520,7 @@ set_server "ns4" "10.53.0.4" TSIG="hmac-sha1:keyforview1:$VIEW1" wait_for_nsec check_keys -check_dnssecstatus "$SERVER" "$ZONE" "example1" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example1" set_keytimes_csk_policy check_keytimes check_apex 
@@ -2323,7 +2539,7 @@ status=$((status+ret)) TSIG="hmac-sha1:keyforview2:$VIEW2" wait_for_nsec check_keys -check_dnssecstatus "$SERVER" "$ZONE" "example2" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2" check_apex dnssec_verify n=$((n+1)) @@ -2369,7 +2585,7 @@ key_clear "KEY3" key_clear "KEY4" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The first key is immediately published and activated. created=$(key_get KEY1 CREATED) @@ -2426,7 +2642,7 @@ set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The key was published and activated 900 seconds ago (with settime). created=$(key_get KEY1 CREATED) @@ -2450,18 +2666,25 @@ check_next_key_event 43800 set_zone "step3.enable-dnssec.autosign" set_policy "enable-dnssec" "1" "300" set_server "ns3" "10.53.0.3" -# The DS can be introduced. +# All signatures should be omnipresent. set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "rumoured" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The key was published and activated 44700 seconds ago (with settime). created=$(key_get KEY1 CREATED) set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700 set_addkeytime "KEY1" "ACTIVE" "${created}" -44700 set_keytime "KEY1" "SYNCPUBLISH" "${created}" +check_keytimes + +# The DS can be introduced. We ignore any parent registration delay, so set +# the DS publish time to now ($created). +rndc_checkds "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "published" "$ZONE" +set_keystate "KEY1" "STATE_DS" "rumoured" +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_keytimes check_apex 
@@ -2469,9 +2692,9 @@ check_subdomain dnssec_verify # Next key event is when the DS can move to the OMNIPRESENT state. This occurs -# when the parent registration and propagation delay have passed, plus the -# DS TTL and retire safety delay: 1d + 1h + 2h + 20m = 27h20m = 98400 seconds -check_next_key_event 98400 +# when the parent propagation delay have passed, plus the DS TTL and retire +# safety delay: 1h + 2h + 20m = 3h20m = 12000 seconds +check_next_key_event 12000 # # Zone: step4.enable-dnssec.autosign. @@ -2483,13 +2706,13 @@ set_server "ns3" "10.53.0.3" set_keystate "KEY1" "STATE_DS" "omnipresent" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -# The key was published and activated 143100 seconds ago (with settime). +# The key was published and activated 56700 seconds ago (with settime). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -143100 -set_addkeytime "KEY1" "ACTIVE" "${created}" -143100 -set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -98400 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -56700 +set_addkeytime "KEY1" "ACTIVE" "${created}" -56700 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -12000 check_keytimes check_apex @@ -2576,7 +2799,7 @@ key_clear "KEY3" key_clear "KEY4" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # These keys are immediately published and activated. rollover_predecessor_keytimes 0 @@ -2611,7 +2834,7 @@ set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_ZRRSIG" "hidden" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The old keys were activated 694 hours ago (2498400 seconds). rollover_predecessor_keytimes -2498400 
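Review bot: The rewritten comment reads "when the parent propagation delay have passed"; it should be `# when the parent propagation delay has passed, plus the DS TTL and retire`. The arithmetic it gives (1h + 2h + 20m = 12000 seconds) matches the check_next_key_event argument.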
@@ -2649,7 +2872,7 @@ set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The old keys are activated 30 days ago (2592000 seconds). rollover_predecessor_keytimes -2592000 @@ -2691,7 +2914,7 @@ set_keystate "KEY2" "STATE_ZRRSIG" "hidden" set_keystate "KEY3" "STATE_ZRRSIG" "omnipresent" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The old keys are activated 961 hours ago (3459600 seconds). rollover_predecessor_keytimes -3459600 @@ -2721,7 +2944,7 @@ set_server "ns3" "10.53.0.3" set_keystate "KEY2" "STATE_DNSKEY" "hidden" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The old keys are activated 962 hours ago (3463200 seconds). rollover_predecessor_keytimes -3463200 @@ -2791,7 +3014,7 @@ key_clear "KEY3" key_clear "KEY4" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # These keys are immediately published and activated. rollover_predecessor_keytimes 0 @@ -2801,11 +3024,10 @@ check_subdomain dnssec_verify # Next key event is when the successor KSK needs to be published. That is -# the KSK lifetime - prepublication time - DS registration delay. The -# prepublication time is DNSKEY TTL plus publish safety plus the zone -# propagation delay. For the ksk-doubleksk policy that means: -# 60d - (1d3h) - (1d) = 5000400 seconds. -check_next_key_event 5000400 +# the KSK lifetime - prepublication time. The prepublication time is +# DNSKEY TTL plus publish safety plus the zone propagation delay. +# For the ksk-doubleksk policy that means: 60d - (1d3h) = 5086800 seconds. +check_next_key_event 5086800 # # Zone: step2.ksk-doubleksk.autosign. 
@@ -2828,7 +3050,7 @@ set_keystate "KEY3" "STATE_KRRSIG" "rumoured" set_keystate "KEY3" "STATE_DS" "hidden" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The old keys were activated 1413 hours ago (5086800 seconds). rollover_predecessor_keytimes -5086800 @@ -2842,11 +3064,7 @@ set_keytime "KEY3" "PUBLISHED" "${created}" # IpubC: 27h (97200 seconds) IpubC=97200 set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${IpubC}" -# The new KSK becomes active after the registration delay. -# Dreg: 1d (86400 seconds) -Dreg=86400 -syncpub=$(key_get KEY3 SYNCPUBLISH) -set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}" +set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubC}" set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" check_keytimes check_apex 
@@ -2864,26 +3082,33 @@ check_next_key_event 97200 set_zone "step3.ksk-doubleksk.autosign" set_policy "ksk-doubleksk" "3" "7200" set_server "ns3" "10.53.0.3" -# KSK (KEY1) DS will be removed, so it is UNRETENTIVE. -set_keystate "KEY1" "STATE_DS" "unretentive" -# New KSK (KEY3) has its DS submitted. + +# The DNSKEY RRset has become omnipresent. +# Check keys before we tell named that we saw the DS has been replaced. set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" set_keystate "KEY3" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY3" "STATE_DS" "rumoured" - check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" -# The old keys were activated 59 days ago (5097600 seconds). -rollover_predecessor_keytimes -5097600 +# The old DS (KEY1) can be withdrawn and the new DS (KEY3) can be introduced. +# We ignore any parent registration delay, so set the DS publish time to now +# ($created). +rndc_checkds "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "withdrawn" "$ZONE" +rndc_checkds "$SERVER" "$DIR" $(key_get KEY3 ID) "${created}" "published" "$ZONE" +set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY3" "STATE_DS" "rumoured" +check_keys +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + +# The old keys were activated 60 days ago (5184000 seconds). +rollover_predecessor_keytimes -5184000 # The new KSK is published 27 hours ago (97200 seconds). created=$(key_get KEY3 CREATED) set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200 # The new KSK CDS is published now. set_keytime "KEY3" "SYNCPUBLISH" "${created}" -# The new KSK becomes active Dreg (1d) later. syncpub=$(key_get KEY3 SYNCPUBLISH) -set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}" +set_keytime "KEY3" "ACTIVE" "${syncpub}" set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" check_keytimes check_apex 
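Review bot: The two `rndc_checkds` calls pass `"${created}"` as the -when time, but in this block `created=$(key_get KEY3 CREATED)` is only assigned further down, after rollover_predecessor_keytimes, so at the call the variable still holds the value left by the previous zone's block (unless rollover_predecessor_keytimes assigns it, which is not visible here). The comment says the DS publish time is "now ($created)", so move `created=$(key_get KEY3 CREATED)` above the first rndc_checkds call, as the step3.enable-dnssec block does.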
@@ -2893,11 +3118,10 @@ dnssec_verify # Next key event is when the predecessor DS has been replaced with the # successor DS and enough time has passed such that the all validators that # have this DS RRset cached only know about the successor DS. This is the -# registration delay plus the retire interval, which is the parent -# propagation delay plus the DS TTL plus the retire-safety. For the -# ksk-double-ksk policy this means: 1d + 1h + 3600s + 2d = 3d2h = -# 266400 seconds. -check_next_key_event 266400 +# the retire interval, which is the parent propagation delay plus the DS TTL +# plus the retire-safety. For the ksk-double-ksk policy this means: +# 1h + 3600s + 2d = 2d2h = 180000 seconds. +check_next_key_event 180000 # # Zone: step4.ksk-doubleksk.autosign. @@ -2914,17 +3138,17 @@ set_keystate "KEY1" "STATE_DS" "hidden" set_keystate "KEY3" "STATE_DS" "omnipresent" check_keys -check_dnssecstatus "$SERVER" "$ZONE" +check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The old keys were activated 1490 hours ago (5364000 seconds). rollover_predecessor_keytimes -5364000 -# The new KSK is published 101 hours ago (363600 seconds). +# The new KSK is published 77 hours ago (277200 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -363600 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -277200 published=$(key_get KEY3 PUBLISHED) set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}" syncpub=$(key_get KEY3 SYNCPUBLISH) -set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}" +set_keytime "KEY3" "ACTIVE" "${syncpub}" set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" check_keytimes check_apex 
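Review bot: The rewritten comment now reads "This is the the retire interval", because the unchanged context line already ends with "the"; drop the duplicate: `# retire interval, which is the parent propagation delay plus the DS TTL`. The total given (1h + 3600s + 2d = 180000 seconds) agrees with the check_next_key_event argument.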
@@ -2947,17 +3171,17 @@ set_keystate "KEY1" "STATE_DNSKEY" "hidden"
 set_keystate "KEY1" "STATE_KRRSIG" "hidden"
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # The old KSK is activated 1492 hours ago (5371200 seconds).
 rollover_predecessor_keytimes -5371200
-# The new KSK is published 103 hours ago (370800 seconds).
+# The new KSK is published 79 hours ago (284400 seconds).
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -370800
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -284400
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}"
 syncpub=$(key_get KEY3 SYNCPUBLISH)
-set_addkeytime "KEY3" "ACTIVE" "${syncpub}" "${Dreg}"
+set_keytime "KEY3" "ACTIVE" "${syncpub}"
 set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
 check_keytimes
 check_apex
@@ -2965,10 +3189,10 @@ check_subdomain
 dnssec_verify
 # Next key event is when the new successor needs to be published. This is the
-# KSK lifetime minus Ipub minus Dreg minus Iret minus DNSKEY TTL. For the
+# KSK lifetime minus Ipub minus Iret minus DNSKEY TTL. For the
 # ksk-doubleksk this is: 60d - 1d3h - 1d - 2d2h - 2h =
-# 5184000 - 97200 - 86400 - 180000 - 7200 = 4813200 seconds.
-check_next_key_event 4813200
+# 5184000 - 97200 - 180000 - 7200 = 4813200 seconds.
+check_next_key_event 4899600
 #
 # Testing CSK key rollover (1).
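Review bot: In the second hunk the new comment line `# 5184000 - 97200 - 180000 - 7200 = 4813200 seconds.` does not match the value the next line checks: that subtraction is 4899600, which is what `check_next_key_event 4899600` expects, so `4813200` is left over from the old formula. The unchanged context line above it, `60d - 1d3h - 1d - 2d2h - 2h =`, also still carries the `- 1d` registration-delay term this commit removes from the calculation; it should read `# ksk-doubleksk this is: 60d - 1d3h - 2d2h - 2h =`. Both lines describe the same computation, so they should be fixed together.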
@@ -2986,13 +3210,12 @@ IretZSK=2257200
 IretCSK=$IretZSK
 csk_rollover_predecessor_keytimes() {
- _addksktime=$1
- _addzsktime=$2
+ _addtime=$1
 _created=$(key_get KEY1 CREATED)
- set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addksktime}"
- set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addzsktime}"
- set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addzsktime}"
+ set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
 [ "$Lcsk" == 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}"
 }
@@ -3021,10 +3244,10 @@ key_clear "KEY3"
 key_clear "KEY4"
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # This key is immediately published and activated.
-csk_rollover_predecessor_keytimes 0 0
+csk_rollover_predecessor_keytimes 0
 check_keytimes
 check_apex
 check_subdomain
@@ -3058,11 +3281,10 @@ set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
 set_keystate "KEY2" "STATE_DS" "hidden"
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 4437 hours ago (15973200 seconds)
-# and started signing 4461 hours ago (16059600 seconds).
-csk_rollover_predecessor_keytimes -15973200 -16059600
+# This key was activated 4461 hours ago (16059600 seconds).
+csk_rollover_predecessor_keytimes -16059600
 # The new CSK is published now.
 created=$(key_get KEY2 CREATED)
 set_keytime "KEY2" "PUBLISHED" "${created}"
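Review bot: `csk_rollover_predecessor_keytimes` changes from two arguments to one without any header comment saying what the remaining argument means, and any caller not updated in this commit would keep passing two values with `$2` silently ignored. A two-line header above the function would document the new contract, e.g. `# Set KEY1's PUBLISHED, SYNCPUBLISH and ACTIVE times to its CREATED time plus` / `# $1 seconds; RETIRED/REMOVED are derived from Lcsk and IretCSK unless Lcsk is 0.` Whether every call site was updated cannot be confirmed from this diff alone, so a quick grep for the function name before merging would settle it.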
@@ -3091,22 +3313,27 @@ set_server "ns3" "10.53.0.3"
 # Swap zone signing role.
 set_zonesigning "KEY1" "no"
 set_zonesigning "KEY2" "yes"
-# CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE.
+# CSK (KEY1) will be removed, so moving to UNRETENTIVE.
 set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_DS" "unretentive"
-# New CSK (KEY2) has its DS submitted, and is signing, so the DS and ZRRSIG
-# are in RUMOURED state.
+# New CSK (KEY2) DNSKEY is OMNIPRESENT, so moving ZRRSIG to RUMOURED.
 set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
 set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
 set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY2" "STATE_DS" "rumoured"
-
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 185 days ago (15984000 seconds)
-# and started signing 186 days ago (16070400 seconds).
-csk_rollover_predecessor_keytimes -15984000 -16070400
+# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
+# We ignore any parent registration delay, so set the DS publish time to now
+# ($created).
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "published" "$ZONE"
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY2" "STATE_DS" "rumoured"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# This key was activated 186 days ago (16070400 seconds).
+csk_rollover_predecessor_keytimes -16070400
 # The new CSK is published three hours ago, CDS must be published now.
 # Also signatures are being introduced now.
 created=$(key_get KEY2 CREATED)
@@ -3130,10 +3357,10 @@ dnssec_verify
 # Next key event is when the predecessor DS has been replaced with the
 # successor DS and enough time has passed such that the all validators that
 # have this DS RRset cached only know about the successor DS. This is the
-# registration delay plus the retire interval, which is the parent
-# propagation delay plus the DS TTL plus the retire-safety. For the
-# csk-roll policy this means: 1d + 1h + 1h + 2h = 1d4h = 100800 seconds.
-check_next_key_event 100800
+# the retire interval, which is the parent propagation delay plus the DS TTL
+# plus the retire-safety. For the csk-roll policy this means:
+# 1h + 1h + 2h = 4h = 14400 seconds.
+check_next_key_event 14400
 #
 # Zone: step4.csk-roll.autosign.
@@ -3151,15 +3378,14 @@ set_keystate "KEY1" "STATE_DS" "hidden"
 set_keystate "KEY2" "STATE_DS" "omnipresent"
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # This key was activated 4468 hours ago (16084800 seconds)
-# and started signing 4492 hours ago (16171200 seconds).
-csk_rollover_predecessor_keytimes -16084800 -16171200
-# The new CSK started signing 1d4h ago (100800 seconds).
+csk_rollover_predecessor_keytimes -16084800
+# The new CSK started signing 4h ago (14400 seconds).
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "ACTIVE" "${created}" -100800
-set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -100800
+set_addkeytime "KEY2" "ACTIVE" "${created}" -14400
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -14400
 syncpub=$(key_get KEY2 SYNCPUBLISH)
 set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
 set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
@@ -3183,15 +3409,14 @@ set_server "ns3" "10.53.0.3"
 set_keystate "KEY1" "STATE_KRRSIG" "hidden"
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 4470 hours ago (16092000 seconds)
-# and started signing 4494 hours ago (16178400 seconds).
-csk_rollover_predecessor_keytimes -16092000 -16178400
-# The new CSK started signing 1d6h ago (108000 seconds).
+# This key was activated 4470 hours ago (16092000 seconds).
+csk_rollover_predecessor_keytimes -16092000
+# The new CSK started signing 6h ago (21600 seconds).
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "ACTIVE" "${created}" -108000
-set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -108000
+set_addkeytime "KEY2" "ACTIVE" "${created}" -21600
+set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -21600
 syncpub=$(key_get KEY2 SYNCPUBLISH)
 set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
 set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
@@ -3202,10 +3427,10 @@ dnssec_verify
 # Next key event is when the DNSKEY can be removed. This is when all ZRRSIG
 # records have been replaced with signatures of the new CSK. We have
-# calculated the interval to be 26d3h of which 1d4h (Dreg + Iret(KSK)) plus
+# calculated the interval to be 26d3h of which 4h (Iret(KSK)) plus
 # 2h (DNSKEY TTL + Dprp) have already passed. So next key event is in
-# 26d3h - 1d4h - 2h = 597h = 2149200 seconds.
-check_next_key_event 2149200
+# 26d3h - 4h - 2h = 621h = 2235600 seconds.
+check_next_key_event 2235600
 #
 # Zone: step6.csk-roll.autosign.
@@ -3221,11 +3446,10 @@ set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 5067 hours ago (18241200 seconds)
-# and started signing 5091 hours ago (18327600 seconds).
-csk_rollover_predecessor_keytimes -18241200 -18327600
+# This key was activated 5091 hours ago (18327600 seconds).
+csk_rollover_predecessor_keytimes -18327600
 # The new CSK is activated 627 hours ago (2257200 seconds).
 created=$(key_get KEY2 CREATED)
 set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200
@@ -3253,11 +3477,10 @@ set_server "ns3" "10.53.0.3"
 set_keystate "KEY1" "STATE_DNSKEY" "hidden"
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 5069 hours ago (18248400 seconds)
-# and started signing 5093 hours ago (18334800 seconds).
-csk_rollover_predecessor_keytimes -18248400 -18334800
+# This key was activated 5093 hours ago (18334800 seconds).
+csk_rollover_predecessor_keytimes -18334800
 # The new CSK is activated 629 hours ago (2264400 seconds).
 created=$(key_get KEY2 CREATED)
 set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400
@@ -3284,16 +3507,15 @@ check_next_key_event 13795200
 # Policy parameters.
 # Lcsk: 186 days (16070400 seconds)
-# Dreg: : 1w (604800 seconds)
-# Iret(KSK): DS TTL (1h) + DprpP (1h) + retire-safety (1h)
-# Iret(KSK): 3h (10800 seconds)
+# Dreg: N/A
+# Iret(KSK): DS TTL (1h) + DprpP (1w) + retire-safety (1h)
+# Iret(KSK): 170h (61200 seconds)
 # Iret(ZSK): RRSIG TTL (1d) + Dprp (1h) + Dsgn (12h) + retire-safety (1h)
 # Iret(ZSK): 38h (136800 seconds)
 Lcsk=16070400
-Dreg=604800
-IretKSK=10800
+IretKSK=612000
 IretZSK=136800
-IretCSK=$((Dreg+IretKSK))
+IretCSK=$IretKSK
 #
 # Zone: step1.csk-roll2.autosign.
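Review bot: In the third hunk the new comment `# Iret(KSK): 170h (61200 seconds)` disagrees with the assignment `IretKSK=612000` a few lines below it; 170 hours is 612000 seconds, so the comment has dropped a zero. Suggest `# Iret(KSK): 170h (612000 seconds)`. The 170h figure itself is consistent with the line above it (1h + 1w + 1h).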
@@ -3320,19 +3542,20 @@ key_clear "KEY3"
 key_clear "KEY4"
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # This key is immediately published and activated.
-csk_rollover_predecessor_keytimes 0 0
+csk_rollover_predecessor_keytimes 0
 check_keytimes
 check_apex
 check_subdomain
 dnssec_verify
 # Next key event is when the successor CSK needs to be published.
-# This is Lcsk - Ipub - Dreg.
-# Lcsk: 186d (16070400 seconds)
-# Ipub: 3h (10800 seconds)
+# This is Lcsk - Ipub.
+# Lcsk: 186d (16070400 seconds)
+# Ipub: 3h (10800 seconds)
+# Total: 186d3h (16059600 seconds)
 check_next_key_event 16059600
 #
@@ -3357,11 +3580,10 @@ set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
 set_keystate "KEY2" "STATE_DS" "hidden"
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 4293 hours ago (15454800 seconds)
-# and started signing 4461 hours ago (16059600 seconds).
-csk_rollover_predecessor_keytimes -15454800 -16059600
+# This key was activated 4461 hours ago (16059600 seconds).
+csk_rollover_predecessor_keytimes -16059600
 # The new CSK is published now.
 created=$(key_get KEY2 CREATED)
 set_keytime "KEY2" "PUBLISHED" "${created}"
@@ -3378,7 +3600,7 @@ dnssec_verify
 # Next key event is when the successor CSK becomes OMNIPRESENT. That is the
 # DNSKEY TTL plus the zone propagation delay, plus the publish-safety. For
-# the csk-roll2 policy, this means 3 hours = 10800 seconds.
+# the csk-roll2 policy, this means 3h hours = 10800 seconds.
 check_next_key_event 10800
 #
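Review bot: In the first hunk the added line `# Total: 186d3h (16059600 seconds)` states the wrong duration: Lcsk - Ipub is 16070400 - 10800 = 16059600 seconds, which is 185d21h (186d3h would be 16081200). Suggest `# Total: 185d21h (16059600 seconds)` so the comment agrees with `check_next_key_event 16059600`.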
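Review bot: In the third hunk the reworded comment now says "3h hours", which mixes the abbreviation with the word; the line it replaces ("3 hours = 10800 seconds") was already correct. Either drop this hunk or write `# the csk-roll2 policy, this means 3h = 10800 seconds.` to match the `4h = 14400 seconds` style used in the other next-key-event comments of this commit.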
@@ -3387,24 +3609,29 @@ check_next_key_event 10800
 set_zone "step3.csk-roll2.autosign"
 set_policy "csk-roll2" "2" "3600"
 set_server "ns3" "10.53.0.3"
-# CSK (KEY1) DS and ZRRSIG will be removed, so it is UNRETENTIVE.
+# CSK (KEY1) can be removed, so move to UNRETENTIVE.
 set_zonesigning "KEY1" "no"
 set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_DS" "unretentive"
-# New CSK (KEY2) has its DS submitted, and is signing, so the DS and ZRRSIG
-# are in RUMOURED state.
+# New CSK (KEY2) DNSKEY is OMNIPRESENT, so move ZRRSIG to RUMOURED state.
 set_zonesigning "KEY2" "yes"
 set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
 set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
 set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY2" "STATE_DS" "rumoured"
-
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 179 days ago (15465600 seconds)
-# and started signing 186 days ago (16070400 seconds).
-csk_rollover_predecessor_keytimes -15465600 -16070400
+# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
+# We ignore any parent registration delay, so set the DS publish time to now
+# ($created).
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "published" "$ZONE"
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY2" "STATE_DS" "rumoured"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# This key was activated 186 days ago (16070400 seconds).
+csk_rollover_predecessor_keytimes -16070400
 # The new CSK is published three hours ago, CDS must be published now.
 # Also signatures are being introduced now.
 created=$(key_get KEY2 CREATED)
@@ -3446,11 +3673,10 @@ set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 4334 hours ago (15602400 seconds)
-# and started signing 4502 hours ago (16207200 seconds).
-csk_rollover_predecessor_keytimes -15602400 -16207200
+# This key was activated 4502 hours ago (16207200 seconds).
+csk_rollover_predecessor_keytimes -16207200
 # The new CSK was published 41 hours (147600 seconds) ago.
 created=$(key_get KEY2 CREATED)
 set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600
@@ -3468,9 +3694,9 @@ dnssec_verify
 # have this DS RRset cached only know about the successor DS. This is the
 # registration delay plus the retire interval, which is the parent
 # propagation delay plus the DS TTL plus the retire-safety. For the
-# csk-roll2 policy this means: 1w + 1h + 1h + 1h = 171h = 615600 seconds.
+# csk-roll2 policy this means: 1w + 1h + 1h = 170h = 612000 seconds.
 # However, 136800 seconds have passed already, so 478800 seconds left.
-check_next_key_event 478800
+check_next_key_event 475200
 #
 # Zone: step5.csk-roll2.autosign.
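Review bot: In the second hunk two unchanged context lines are now stale: `# registration delay plus the retire interval, which is the parent` still names the registration delay this commit removes from the formula, and `# However, 136800 seconds have passed already, so 478800 seconds left.` still quotes the old remainder while the check below was changed to 475200 (612000 - 136800). Suggest `# the retire interval, which is the parent propagation delay plus the DS TTL` for the first and `# However, 136800 seconds have passed already, so 475200 seconds left.` for the second, matching the wording the commit uses in the csk-roll and ksk-doubleksk next-key-event comments.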
@@ -3487,14 +3713,13 @@ set_keystate "KEY1" "STATE_DS" "hidden"
 set_keystate "KEY2" "STATE_DS" "omnipresent"
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 4467 hours ago (16081200 seconds)
-# and started signing 4635 hours ago (16686000 seconds).
-csk_rollover_predecessor_keytimes -16081200 -16686000
-# The new CSK was published 174 hours (626400 seconds) ago.
+# This key was activated 4634 hours ago (16682400 seconds).
+csk_rollover_predecessor_keytimes -16682400
+# The new CSK was published 173 hours (622800 seconds) ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -626400
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -622800
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
 set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
@@ -3520,14 +3745,13 @@ set_keystate "KEY1" "STATE_DNSKEY" "hidden"
 set_keystate "KEY1" "STATE_KRRSIG" "hidden"
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# This key was activated 4469 hours ago (16088400 seconds)
-# and started signing 4637 hours ago (16693200 seconds).
-csk_rollover_predecessor_keytimes -16088400 -16693200
-# The new CSK was published 176 hours (633600 seconds) ago.
+# This key was activated 4636 hours ago (16689600 seconds).
+csk_rollover_predecessor_keytimes -16689600
+# The new CSK was published 175 hours (630000 seconds) ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -633600
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -630000
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
 set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
@@ -3540,8 +3764,8 @@ dnssec_verify
 # Next key event is when the new successor needs to be published.
 # This is the Lcsk, minus time passed since the key was published.
 # Lcsk: 186d (16070400 seconds)
-# Time passed: 176h (633600 seconds)
-check_next_key_event 15436800
+# Time passed: 175h (630000 seconds)
+check_next_key_event 15440400
 #
 # Testing algorithm rollover.
@@ -3581,7 +3805,7 @@ set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # These keys are immediately published and activated.
 Lksk=0
@@ -3623,12 +3847,12 @@ set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
 set_keystate "KEY1" "STATE_DS" "omnipresent"
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # This key is immediately published and activated.
 Lcsk=0
 IretCSK=0
-csk_rollover_predecessor_keytimes 0 0
+csk_rollover_predecessor_keytimes 0
 check_keytimes
 check_apex
 check_subdomain
@@ -3679,7 +3903,7 @@ init_migration_match
 # Make sure the zone is signed with legacy keys.
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # These keys are immediately published and activated.
 rollover_predecessor_keytimes 0
@@ -3730,7 +3954,7 @@ init_migration_nomatch_algnum
 # Make sure the zone is signed with legacy keys.
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # The KSK is immediately published and activated.
 # -P : now-3900s
@@ -3793,7 +4017,7 @@ init_migration_nomatch_alglen
 # Make sure the zone is signed with legacy keys.
 check_keys
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # The KSK is immediately published and activated.
 # -P : now-3900s
@@ -3882,7 +4106,7 @@ key_set "KEY2" "LEGACY" "no"
 check_keys
 wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 rollover_predecessor_keytimes 0
 # Key now has lifetime of 60 days (5184000 seconds).
@@ -3949,7 +4173,7 @@ set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
 check_keys
 wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # KSK must be retired since it no longer matches the policy.
 # -P : now-3900s
@@ -4066,7 +4290,7 @@ set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
 check_keys
 wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # KSK must be retired since it no longer matches the policy.
 # -P : now-3900s
@@ -4208,7 +4432,7 @@ set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
 check_keys
 wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # The old keys are published and activated.
 rollover_predecessor_keytimes 0
@@ -4288,7 +4512,7 @@ set_keystate "KEY4" "STATE_DNSKEY" "omnipresent"
 check_keys
 wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # The old keys were activated three hours ago (10800 seconds).
 rollover_predecessor_keytimes -10800
@@ -4335,19 +4559,25 @@ check_next_key_event $next_time
 set_zone "step3.algorithm-roll.kasp"
 set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
-# The RSAHSHA1 keys are outroducing, and it is time to swap the DS.
-set_keystate "KEY1" "STATE_DS" "unretentive"
-# The ECDSAP256SHA256 keys are introducing. The DNSKEY RRset and all signatures
-# are now omnipresent, so the DS can be introduced.
-set_keystate "KEY3" "STATE_DS" "rumoured"
+# The ECDSAP256SHA256 keys are introducing.
 set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
+check_keys
+wait_for_done_signing
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# It is time to swap the DS.
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY3" "STATE_DS" "rumoured"
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY3 ID) "${created}" "published" "$ZONE"
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY3" "STATE_DS" "rumoured"
 check_keys
 wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# The old keys were activated 9 hours ago (32400 seconds)
-# and retired 6 hours ago (21600 seconds).
+# The old keys were activated 9 hours ago (32400 seconds).
 rollover_predecessor_keytimes -32400
 created=$(key_get KEY1 CREATED)
@@ -4377,9 +4607,9 @@ check_subdomain
 dnssec_verify
 # Next key event is when the DS becomes OMNIPRESENT. This happens after the
-# parent registration delay, parent propagation delay, retire safety delay,
-# and DS TTL: 24h + 1h + 2h + 2h = 29h = 104400 seconds.
-check_next_key_event 104400
+# parent propagation delay, retire safety delay, and DS TTL:
+# 1h + 2h + 2h = 5h = 18000 seconds.
+check_next_key_event 18000
 #
 # Zone: step4.algorithm-roll.kasp
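Review bot: `set_keystate "KEY1" "STATE_DS" "unretentive"` and `set_keystate "KEY3" "STATE_DS" "rumoured"` are added twice in the DS-swap block of the first hunk, once before the `rndc_checkds` calls and again directly after them; the first pair does nothing the second does not repeat. Dropping the first pair makes the block match the ordering used in the other step3 hunks of this commit (rndc_checkds first, then set_keystate). As in those hunks, `${created}` is read here before this block's own `created=$(key_get KEY1 CREATED)` assignment, so the value passed appears to come from the previous zone's block.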
@@ -4402,10 +4632,9 @@ set_keystate "KEY3" "STATE_DS" "omnipresent"
 check_keys
 wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# The old keys were activated 38 hours ago (136800 seconds)
-# and retired 35 hours ago (126000 seconds).
+# The old keys were activated 38 hours ago (136800 seconds).
 rollover_predecessor_keytimes -136800
 created=$(key_get KEY1 CREATED)
@@ -4451,7 +4680,7 @@ set_keystate "KEY2" "STATE_DNSKEY" "hidden"
 check_keys
 wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # The old keys were activated 40 hours ago (144000 seconds)
 # and retired 35 hours ago (133200 seconds).
@@ -4503,7 +4732,7 @@ set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
 check_keys
 wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # The old keys were activated 47 hours ago (169200 seconds)
 # and retired 34 hours ago (158400 seconds).
@@ -4584,10 +4813,10 @@ set_keystate "KEY2" "STATE_DS" "hidden"
 check_keys
 wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # CSK must be retired since it no longer matches the policy.
-csk_rollover_predecessor_keytimes 0 0
+csk_rollover_predecessor_keytimes 0
 keyfile=$(key_get KEY1 BASEFILE)
 grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
 retired=$(awk '{print $3}' < retired.test${n}.ksk)
@@ -4642,10 +4871,10 @@ set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
 check_keys
 wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # The old key was activated three hours ago (10800 seconds).
-csk_rollover_predecessor_keytimes -10800 -10800
+csk_rollover_predecessor_keytimes -10800
 # CSK must be retired since it no longer matches the policy.
 created=$(key_get KEY1 CREATED)
@@ -4681,19 +4910,27 @@ set_zone "step3.csk-algorithm-roll.kasp"
 set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # The RSAHSHA1 key is outroducing, and it is time to swap the DS.
-set_keystate "KEY1" "STATE_DS" "unretentive"
 # The ECDSAP256SHA256 key is introducing. The DNSKEY RRset and all signatures
 # are now omnipresent, so the DS can be introduced.
 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
-set_keystate "KEY2" "STATE_DS" "rumoured"
 check_keys
 wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
-# The old key was activated 9 hours ago (10800 seconds)
-# and retired 6 hours ago (21600 seconds).
-csk_rollover_predecessor_keytimes -32400 -32400
+# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
+# We ignore any parent registration delay, so set the DS publish time to now
+# ($created).
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "withdrawn" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "published" "$ZONE"
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY2" "STATE_DS" "rumoured"
+check_keys
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+
+# The old key was activated 9 hours ago (32400 seconds)
+# and was retired 6 hours ago (21600 seconds).
+csk_rollover_predecessor_keytimes -32400
 created=$(key_get KEY1 CREATED)
 set_addkeytime "KEY1" "RETIRED" "${created}" -21600
 retired=$(key_get KEY1 RETIRED)
@@ -4712,9 +4949,9 @@ check_subdomain
 dnssec_verify
 # Next key event is when the DS becomes OMNIPRESENT. This happens after the
-# parent registration delay, parent propagation delay, retire safety delay,
-# and DS TTL: 24h + 1h + 2h + 2h = 29h = 104400 seconds.
-check_next_key_event 104400
+# parent propagation delay, retire safety delay, and DS TTL:
+# 1h + 2h + 2h = 5h = 18000 seconds.
+check_next_key_event 18000
 #
 # Zone: step4.csk-algorithm-roll.kasp
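Review bot: In the first hunk the unchanged comment `# The RSAHSHA1 key is outroducing, and it is time to swap the DS.` no longer has a statement under it — the `set_keystate "KEY1" "STATE_DS" "unretentive"` it described now lives in the new block after the first `check_dnssecstatus` — and the next comment still ends "so the DS can be introduced" although the DS is only introduced after the `rndc_checkds` calls. Move both comments down to the DS-swap block, or reword the top one to e.g. `# The ECDSAP256SHA256 key is introducing; its signatures are now omnipresent.` Unlike the step3.algorithm-roll.kasp hunk, the second `check_keys` here is not followed by `wait_for_done_signing`; that is probably fine since no signing changes at the DS swap, but worth confirming it is intentional rather than an omission.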
@@ -4734,11 +4971,11 @@ set_keystate "KEY2" "STATE_DS" "omnipresent"
 check_keys
 wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # The old key was activated 38 hours ago (136800 seconds)
 # and retired 35 hours ago (126000 seconds).
-csk_rollover_predecessor_keytimes -136800 -136800
+csk_rollover_predecessor_keytimes -136800
 created=$(key_get KEY1 CREATED)
 set_addkeytime "KEY1" "RETIRED" "${created}" -126000
 retired=$(key_get KEY1 RETIRED)
@@ -4772,11 +5009,11 @@ set_keystate "KEY1" "STATE_KRRSIG" "hidden"
 check_keys
 wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # The old key was activated 40 hours ago (144000 seconds)
 # and retired 37 hours ago (133200 seconds).
-csk_rollover_predecessor_keytimes -144000 -144000
+csk_rollover_predecessor_keytimes -144000
 created=$(key_get KEY1 CREATED)
 set_addkeytime "KEY1" "RETIRED" "${created}" -133200
 retired=$(key_get KEY1 RETIRED)
@@ -4814,11 +5051,11 @@ set_keystate "KEY1" "STATE_ZRRSIG" "hidden"
 check_keys
 wait_for_done_signing
-check_dnssecstatus "$SERVER" "$ZONE"
+check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # The old keys were activated 47 hours ago (169200 seconds)
 # and retired 44 hours ago (158400 seconds).
-csk_rollover_predecessor_keytimes -169200 -169200
+csk_rollover_predecessor_keytimes -169200
 created=$(key_get KEY1 CREATED)
 set_addkeytime "KEY1" "RETIRED" "${created}" -158400
 retired=$(key_get KEY1 RETIRED)