Diffstat (limited to '')
-rw-r--r-- | bin/tests/system/kasp.sh | 1797 | ||||
-rw-r--r-- | bin/tests/system/kasp/ns3/setup.sh | 753 | ||||
-rw-r--r-- | bin/tests/system/kasp/ns4/setup.sh | 13 | ||||
-rw-r--r-- | bin/tests/system/kasp/ns5/setup.sh | 13 | ||||
-rw-r--r-- | bin/tests/system/kasp/ns6/setup.sh | 375 | ||||
-rw-r--r-- | bin/tests/system/kasp/prereq.sh | 4 | ||||
-rw-r--r-- | bin/tests/system/kasp/setup.sh | 43 | ||||
-rw-r--r-- | bin/tests/system/kasp/tests.sh | 2460 |
8 files changed, 2719 insertions, 2739 deletions
diff --git a/bin/tests/system/kasp.sh b/bin/tests/system/kasp.sh index d49baa3..929efff 100644 --- a/bin/tests/system/kasp.sh +++ b/bin/tests/system/kasp.sh 
@@ -69,70 +69,69 @@ VIEW3="C1Azf+gGPMmxrUg/WQINP6eV9Y0=" # STATE_STAT key_key() { - echo "${1}__${2}" + echo "${1}__${2}" } key_get() { - eval "echo \${$(key_key "$1" "$2")}" + eval "echo \${$(key_key "$1" "$2")}" } key_set() { - eval "$(key_key "$1" "$2")='$3'" + eval "$(key_key "$1" "$2")='$3'" } key_stat() { - $PERL -e 'print((stat @ARGV[0])[9] . "\n");' "$1" + $PERL -e 'print((stat @ARGV[0])[9] . "\n");' "$1" } # Save certain values in the KEY array. -key_save() -{ - # Save key id. - key_set "$1" ID "$KEY_ID" - # Save base filename. - key_set "$1" BASEFILE "$BASE_FILE" - # Save creation date. - key_set "$1" CREATED "${KEY_CREATED}" - # Save key change time. - key_set "$1" PRIVKEY_STAT $(key_stat "${BASE_FILE}.private") - key_set "$1" PUBKEY_STAT $(key_stat "${BASE_FILE}.key") - key_set "$1" STATE_STAT $(key_stat "${BASE_FILE}.state") +key_save() { + # Save key id. + key_set "$1" ID "$KEY_ID" + # Save base filename. + key_set "$1" BASEFILE "$BASE_FILE" + # Save creation date. + key_set "$1" CREATED "${KEY_CREATED}" + # Save key change time. + key_set "$1" PRIVKEY_STAT $(key_stat "${BASE_FILE}.private") + key_set "$1" PUBKEY_STAT $(key_stat "${BASE_FILE}.key") + key_set "$1" STATE_STAT $(key_stat "${BASE_FILE}.state") } # Clear key state. # # This will update either the KEY1, KEY2, or KEY3 array. 
key_clear() { - key_set "$1" "ID" 'no' - key_set "$1" "IDPAD" 'no' - key_set "$1" "EXPECT" 'no' - key_set "$1" "ROLE" 'none' - key_set "$1" "KSK" 'no' - key_set "$1" "ZSK" 'no' - key_set "$1" "FLAGS" '0' - key_set "$1" "LIFETIME" 'none' - key_set "$1" "ALG_NUM" '0' - key_set "$1" "ALG_STR" 'none' - key_set "$1" "ALG_LEN" '0' - key_set "$1" "CREATED" '0' - key_set "$1" "PUBLISHED" 'none' - key_set "$1" "SYNCPUBLISH" 'none' - key_set "$1" "ACTIVE" 'none' - key_set "$1" "RETIRED" 'none' - key_set "$1" "REVOKED" 'none' - key_set "$1" "REMOVED" 'none' - key_set "$1" "GOAL" 'none' - key_set "$1" "STATE_DNSKEY" 'none' - key_set "$1" "STATE_KRRSIG" 'none' - key_set "$1" "STATE_ZRRSIG" 'none' - key_set "$1" "STATE_DS" 'none' - key_set "$1" "EXPECT_ZRRSIG" 'no' - key_set "$1" "EXPECT_KRRSIG" 'no' - key_set "$1" "LEGACY" 'no' - key_set "$1" "PRIVATE" 'yes' - key_set "$1" "PRIVKEY_STAT" '0' - key_set "$1" "PUBKEY_STAT" '0' - key_set "$1" "STATE_STAT" '0' + key_set "$1" "ID" 'no' + key_set "$1" "IDPAD" 'no' + key_set "$1" "EXPECT" 'no' + key_set "$1" "ROLE" 'none' + key_set "$1" "KSK" 'no' + key_set "$1" "ZSK" 'no' + key_set "$1" "FLAGS" '0' + key_set "$1" "LIFETIME" 'none' + key_set "$1" "ALG_NUM" '0' + key_set "$1" "ALG_STR" 'none' + key_set "$1" "ALG_LEN" '0' + key_set "$1" "CREATED" '0' + key_set "$1" "PUBLISHED" 'none' + key_set "$1" "SYNCPUBLISH" 'none' + key_set "$1" "ACTIVE" 'none' + key_set "$1" "RETIRED" 'none' + key_set "$1" "REVOKED" 'none' + key_set "$1" "REMOVED" 'none' + key_set "$1" "GOAL" 'none' + key_set "$1" "STATE_DNSKEY" 'none' + key_set "$1" "STATE_KRRSIG" 'none' + key_set "$1" "STATE_ZRRSIG" 'none' + key_set "$1" "STATE_DS" 'none' + key_set "$1" "EXPECT_ZRRSIG" 'no' + key_set "$1" "EXPECT_KRRSIG" 'no' + key_set "$1" "LEGACY" 'no' + key_set "$1" "PRIVATE" 'yes' + key_set "$1" "PRIVKEY_STAT" '0' + key_set "$1" "PUBKEY_STAT" '0' + key_set "$1" "STATE_STAT" '0' } # Start clear. 
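Review bot: `key_set` still splices its value into an `eval` string (`eval "$(key_key "$1" "$2")='$3'"`), so a value containing a single quote breaks the assignment or is run as shell, and `key_get` evals the name built from `$1`/`$2` the same way; the reformat keeps both as they were. The values passed in this file look like fixed literals and `key_stat` output rather than external input, so this is a robustness rather than an injection concern, but it deserves a comment above key_set such as `# $3 is spliced into an eval: it must not contain a single quote.`. In key_save the three `$(key_stat …)` substitutions are unquoted (ShellCheck SC2046); quoting them, e.g. `key_set "$1" PRIVKEY_STAT "$(key_stat "${BASE_FILE}.private")"`, keeps an empty or unexpected stat result from shifting arguments, and is what a formatting pass paired with shellcheck would surface.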
@@ -150,120 +149,120 @@ key_clear "KEY4" # Call dig with default options. _dig_with_opts() { - if [ -n "$TSIG" ]; then - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" - else - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" - fi + if [ -n "$TSIG" ]; then + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" + else + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + fi } # RNDC. _rndccmd() { - "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" + "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@" } # Print IDs of keys used for generating RRSIG records for RRsets of type $1 # found in dig output file $2. get_keys_which_signed() { - _qtype=$1 - _output=$2 - # The key ID is the 11th column of the RRSIG record line. - awk -v qt="$_qtype" '$4 == "RRSIG" && $5 == qt {print $11}' < "$_output" + _qtype=$1 + _output=$2 + # The key ID is the 11th column of the RRSIG record line. + awk -v qt="$_qtype" '$4 == "RRSIG" && $5 == qt {print $11}' <"$_output" } # Get the key ids from key files for zone $2 in directory $1. get_keyids() { - _dir=$1 - _zone=$2 - _regex="K${_zone}.+*+*.key" + _dir=$1 + _zone=$2 + _regex="K${_zone}.+*+*.key" - find "${_dir}" -mindepth 1 -maxdepth 1 -name "${_regex}" | sed "s,$_dir/K${_zone}.+\([0-9]\{3\}\)+\([0-9]\{5\}\).key,\2," + find "${_dir}" -mindepth 1 -maxdepth 1 -name "${_regex}" | sed "s,$_dir/K${_zone}.+\([0-9]\{3\}\)+\([0-9]\{5\}\).key,\2," } # By default log errors and don't quit immediately. _log=1 _log_error() { - test $_log -eq 1 && echo_i "error: $1" - ret=$((ret+1)) + test $_log -eq 1 && echo_i "error: $1" + ret=$((ret + 1)) } disable_logerror() { - _log=0 + _log=0 } enable_logerror() { - _log=1 + _log=1 } # Set server key-directory ($1) and address ($2) for testing keys. set_server() { - DIR=$1 - SERVER=$2 + DIR=$1 + SERVER=$2 } # Set zone name for testing keys. 
set_zone() { - ZONE=$1 - DYNAMIC="no" + ZONE=$1 + DYNAMIC="no" } # By default zones are considered static. # When testing dynamic zones, call 'set_dynamic' after 'set_zone'. set_dynamic() { - DYNAMIC="yes" + DYNAMIC="yes" } # Set policy settings (name $1, number of keys $2, dnskey ttl $3) for testing keys. set_policy() { - POLICY=$1 - NUM_KEYS=$2 - DNSKEY_TTL=$3 - CDS_DELETE="no" + POLICY=$1 + NUM_KEYS=$2 + DNSKEY_TTL=$3 + CDS_DELETE="no" } # By default policies are considered to be secure. # If a zone sets its policy to "insecure", call 'set_cdsdelete' to tell the # system test to expect a CDS and CDNSKEY Delete record. set_cdsdelete() { - CDS_DELETE="yes" + CDS_DELETE="yes" } # Set key properties for testing keys. # $1: Key to update (KEY1, KEY2, ...) # $2: Value set_keyrole() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "ROLE" "$2" - key_set "$1" "KSK" "no" - key_set "$1" "ZSK" "no" - key_set "$1" "FLAGS" "0" + key_set "$1" "EXPECT" "yes" + key_set "$1" "ROLE" "$2" + key_set "$1" "KSK" "no" + key_set "$1" "ZSK" "no" + key_set "$1" "FLAGS" "0" - test "$2" = "ksk" && key_set "$1" "KSK" "yes" - test "$2" = "ksk" && key_set "$1" "FLAGS" "257" + test "$2" = "ksk" && key_set "$1" "KSK" "yes" + test "$2" = "ksk" && key_set "$1" "FLAGS" "257" - test "$2" = "zsk" && key_set "$1" "ZSK" "yes" - test "$2" = "zsk" && key_set "$1" "FLAGS" "256" + test "$2" = "zsk" && key_set "$1" "ZSK" "yes" + test "$2" = "zsk" && key_set "$1" "FLAGS" "256" - test "$2" = "csk" && key_set "$1" "KSK" "yes" - test "$2" = "csk" && key_set "$1" "ZSK" "yes" - test "$2" = "csk" && key_set "$1" "FLAGS" "257" + test "$2" = "csk" && key_set "$1" "KSK" "yes" + test "$2" = "csk" && key_set "$1" "ZSK" "yes" + test "$2" = "csk" && key_set "$1" "FLAGS" "257" } set_keylifetime() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "LIFETIME" "$2" + key_set "$1" "EXPECT" "yes" + key_set "$1" "LIFETIME" "$2" } # The algorithm value consists of three parts: # $2: Algorithm (number) # $3: Algorithm (string-format) # 
$4: Algorithm length set_keyalgorithm() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "ALG_NUM" "$2" - key_set "$1" "ALG_STR" "$3" - key_set "$1" "ALG_LEN" "$4" + key_set "$1" "EXPECT" "yes" + key_set "$1" "ALG_NUM" "$2" + key_set "$1" "ALG_STR" "$3" + key_set "$1" "ALG_LEN" "$4" } set_keysigning() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "EXPECT_KRRSIG" "$2" + key_set "$1" "EXPECT" "yes" + key_set "$1" "EXPECT_KRRSIG" "$2" } set_zonesigning() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "EXPECT_ZRRSIG" "$2" + key_set "$1" "EXPECT" "yes" + key_set "$1" "EXPECT_ZRRSIG" "$2" } # Set key timing metadata. Set to "none" to unset. @@ -271,8 +270,8 @@ set_zonesigning() { # $2: Time to update (PUBLISHED, SYNCPUBLISH, ACTIVE, RETIRED, REVOKED, or REMOVED). # $3: Value set_keytime() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "$2" "$3" + key_set "$1" "EXPECT" "yes" + key_set "$1" "$2" "$3" } # Set key timing metadata to a value plus additional time. @@ -281,12 +280,12 @@ set_keytime() { # $3: Value # $4: Additional time. set_addkeytime() { - if [ -x "$PYTHON" ]; then - # Convert "%Y%m%d%H%M%S" format to epoch seconds. - # Then, add the additional time (can be negative). - _value=$3 - _plus=$4 - $PYTHON > python.out.$ZONE.$1.$2 <<EOF + if [ -x "$PYTHON" ]; then + # Convert "%Y%m%d%H%M%S" format to epoch seconds. + # Then, add the additional time (can be negative). + _value=$3 + _plus=$4 + $PYTHON >python.out.$ZONE.$1.$2 <<EOF from datetime import datetime from datetime import timedelta _now = datetime.strptime("$_value", "%Y%m%d%H%M%S") @@ -294,9 +293,9 @@ _delta = timedelta(seconds=$_plus) _then = _now + _delta print(_then.strftime("%Y%m%d%H%M%S")); EOF - # Set the expected timing metadata. - key_set "$1" "$2" $(cat python.out.$ZONE.$1.$2) - fi + # Set the expected timing metadata. + key_set "$1" "$2" $(cat python.out.$ZONE.$1.$2) + fi } # Set key state metadata. Set to "none" to unset. 
@@ -304,8 +303,8 @@ EOF # $2: Key state to update (GOAL, STATE_DNSKEY, STATE_ZRRSIG, STATE_KRRSIG, or STATE_DS) # $3: Value set_keystate() { - key_set "$1" "EXPECT" "yes" - key_set "$1" "$2" "$3" + key_set "$1" "EXPECT" "yes" + key_set "$1" "$2" "$3" } # Check the key $1 with id $2. 
@@ -319,312 +318,312 @@ set_keystate() { # KEY_ID=$(echo $1 | sed 's/^0\{0,4\}//') # KEY_CREATED (from the KEY_FILE) check_key() { - _dir="$DIR" - _zone="$ZONE" - _role=$(key_get "$1" ROLE) - _key_idpad="$2" - _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') - _alg_num=$(key_get "$1" ALG_NUM) - _alg_numpad=$(printf "%03d" "$_alg_num") - _alg_string=$(key_get "$1" ALG_STR) - _length=$(key_get "$1" "ALG_LEN") - _dnskey_ttl="$DNSKEY_TTL" - _lifetime=$(key_get "$1" LIFETIME) - _legacy=$(key_get "$1" LEGACY) - _private=$(key_get "$1" PRIVATE) - _flags=$(key_get "$1" FLAGS) - - _published=$(key_get "$1" PUBLISHED) - _active=$(key_get "$1" ACTIVE) - _retired=$(key_get "$1" RETIRED) - _revoked=$(key_get "$1" REVOKED) - _removed=$(key_get "$1" REMOVED) - - _goal=$(key_get "$1" GOAL) - _state_dnskey=$(key_get "$1" STATE_DNSKEY) - _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) - _state_krrsig=$(key_get "$1" STATE_KRRSIG) - _state_ds=$(key_get "$1" STATE_DS) - - _ksk="no" - _zsk="no" - if [ "$_role" = "ksk" ]; then - _ksk="yes" - elif [ "$_role" = "zsk" ]; then - _zsk="yes" - elif [ "$_role" = "csk" ]; then - _zsk="yes" - _ksk="yes" - fi - - _role2="none" - if [ "$_flags" = "257" ]; then - _role2="key-signing" - elif [ "$_flags" = "256" ]; then - _role2="zone-signing" - fi - - BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" - KEY_FILE="${BASE_FILE}.key" - PRIVATE_FILE="${BASE_FILE}.private" - STATE_FILE="${BASE_FILE}.state" - KEY_ID="${_key_id}" - - # Check file existence. - [ -s "$KEY_FILE" ] || ret=1 - if [ "$_private" = "yes" ]; then - [ -s "$PRIVATE_FILE" ] || ret=1 - fi - if [ "$_legacy" = "no" ]; then - [ -s "$STATE_FILE" ] || ret=1 - fi - [ "$ret" -eq 0 ] || _log_error "${BASE_FILE} files missing" - [ "$ret" -eq 0 ] || return - - # Retrieve creation date. 
- grep "; Created:" "$KEY_FILE" > "${ZONE}.${KEY_ID}.${_alg_num}.created" || _log_error "mismatch created comment in $KEY_FILE" - KEY_CREATED=$(awk '{print $3}' < "${ZONE}.${KEY_ID}.${_alg_num}.created") - - if [ "$_private" = "yes" ]; then - grep "Created: ${KEY_CREATED}" "$PRIVATE_FILE" > /dev/null || _log_error "mismatch created in $PRIVATE_FILE" - fi - if [ "$_legacy" = "no" ]; then - grep "Generated: ${KEY_CREATED}" "$STATE_FILE" > /dev/null || _log_error "mismatch generated in $STATE_FILE" - fi - - test $_log -eq 1 && echo_i "check key file $BASE_FILE" - - # Check the public key file. - grep "This is a ${_role2} key, keyid ${_key_id}, for ${_zone}." "$KEY_FILE" > /dev/null || _log_error "mismatch top comment in $KEY_FILE" - grep "${_zone}\. ${_dnskey_ttl} IN DNSKEY ${_flags} 3 ${_alg_num}" "$KEY_FILE" > /dev/null || _log_error "mismatch DNSKEY record in $KEY_FILE" - # Now check the private key file. - if [ "$_private" = "yes" ]; then - grep "Private-key-format: v1.3" "$PRIVATE_FILE" > /dev/null || _log_error "mismatch private key format in $PRIVATE_FILE" - grep "Algorithm: ${_alg_num} (${_alg_string})" "$PRIVATE_FILE" > /dev/null || _log_error "mismatch algorithm in $PRIVATE_FILE" - fi - # Now check the key state file. - if [ "$_legacy" = "no" ]; then - grep "This is the state of key ${_key_id}, for ${_zone}." 
"$STATE_FILE" > /dev/null || _log_error "mismatch top comment in $STATE_FILE" - if [ "$_lifetime" = "none" ]; then - grep "Lifetime: " "$STATE_FILE" > /dev/null && _log_error "unexpected lifetime in $STATE_FILE" - else - grep "Lifetime: ${_lifetime}" "$STATE_FILE" > /dev/null || _log_error "mismatch lifetime in $STATE_FILE" - fi - grep "Algorithm: ${_alg_num}" "$STATE_FILE" > /dev/null || _log_error "mismatch algorithm in $STATE_FILE" - grep "Length: ${_length}" "$STATE_FILE" > /dev/null || _log_error "mismatch length in $STATE_FILE" - grep "KSK: ${_ksk}" "$STATE_FILE" > /dev/null || _log_error "mismatch ksk in $STATE_FILE" - grep "ZSK: ${_zsk}" "$STATE_FILE" > /dev/null || _log_error "mismatch zsk in $STATE_FILE" - - # Check key states. - if [ "$_goal" = "none" ]; then - grep "GoalState: " "$STATE_FILE" > /dev/null && _log_error "unexpected goal state in $STATE_FILE" - else - grep "GoalState: ${_goal}" "$STATE_FILE" > /dev/null || _log_error "mismatch goal state in $STATE_FILE" - fi - - if [ "$_state_dnskey" = "none" ]; then - grep "DNSKEYState: " "$STATE_FILE" > /dev/null && _log_error "unexpected dnskey state in $STATE_FILE" - grep "DNSKEYChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected dnskey change in $STATE_FILE" - else - grep "DNSKEYState: ${_state_dnskey}" "$STATE_FILE" > /dev/null || _log_error "mismatch dnskey state in $STATE_FILE" - grep "DNSKEYChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch dnskey change in $STATE_FILE" - fi - - if [ "$_state_zrrsig" = "none" ]; then - grep "ZRRSIGState: " "$STATE_FILE" > /dev/null && _log_error "unexpected zrrsig state in $STATE_FILE" - grep "ZRRSIGChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected zrrsig change in $STATE_FILE" - else - grep "ZRRSIGState: ${_state_zrrsig}" "$STATE_FILE" > /dev/null || _log_error "mismatch zrrsig state in $STATE_FILE" - grep "ZRRSIGChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch zrrsig change in $STATE_FILE" - fi - - if [ "$_state_krrsig" 
= "none" ]; then - grep "KRRSIGState: " "$STATE_FILE" > /dev/null && _log_error "unexpected krrsig state in $STATE_FILE" - grep "KRRSIGChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected krrsig change in $STATE_FILE" - else - grep "KRRSIGState: ${_state_krrsig}" "$STATE_FILE" > /dev/null || _log_error "mismatch krrsig state in $STATE_FILE" - grep "KRRSIGChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch krrsig change in $STATE_FILE" - fi - - if [ "$_state_ds" = "none" ]; then - grep "DSState: " "$STATE_FILE" > /dev/null && _log_error "unexpected ds state in $STATE_FILE" - grep "DSChange: " "$STATE_FILE" > /dev/null && _log_error "unexpected ds change in $STATE_FILE" - else - grep "DSState: ${_state_ds}" "$STATE_FILE" > /dev/null || _log_error "mismatch ds state in $STATE_FILE" - grep "DSChange: " "$STATE_FILE" > /dev/null || _log_error "mismatch ds change in $STATE_FILE" - fi - fi + _dir="$DIR" + _zone="$ZONE" + _role=$(key_get "$1" ROLE) + _key_idpad="$2" + _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') + _alg_num=$(key_get "$1" ALG_NUM) + _alg_numpad=$(printf "%03d" "$_alg_num") + _alg_string=$(key_get "$1" ALG_STR) + _length=$(key_get "$1" "ALG_LEN") + _dnskey_ttl="$DNSKEY_TTL" + _lifetime=$(key_get "$1" LIFETIME) + _legacy=$(key_get "$1" LEGACY) + _private=$(key_get "$1" PRIVATE) + _flags=$(key_get "$1" FLAGS) + + _published=$(key_get "$1" PUBLISHED) + _active=$(key_get "$1" ACTIVE) + _retired=$(key_get "$1" RETIRED) + _revoked=$(key_get "$1" REVOKED) + _removed=$(key_get "$1" REMOVED) + + _goal=$(key_get "$1" GOAL) + _state_dnskey=$(key_get "$1" STATE_DNSKEY) + _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) + _state_krrsig=$(key_get "$1" STATE_KRRSIG) + _state_ds=$(key_get "$1" STATE_DS) + + _ksk="no" + _zsk="no" + if [ "$_role" = "ksk" ]; then + _ksk="yes" + elif [ "$_role" = "zsk" ]; then + _zsk="yes" + elif [ "$_role" = "csk" ]; then + _zsk="yes" + _ksk="yes" + fi + + _role2="none" + if [ "$_flags" = "257" ]; then + _role2="key-signing" 
+ elif [ "$_flags" = "256" ]; then + _role2="zone-signing" + fi + + BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" + KEY_FILE="${BASE_FILE}.key" + PRIVATE_FILE="${BASE_FILE}.private" + STATE_FILE="${BASE_FILE}.state" + KEY_ID="${_key_id}" + + # Check file existence. + [ -s "$KEY_FILE" ] || ret=1 + if [ "$_private" = "yes" ]; then + [ -s "$PRIVATE_FILE" ] || ret=1 + fi + if [ "$_legacy" = "no" ]; then + [ -s "$STATE_FILE" ] || ret=1 + fi + [ "$ret" -eq 0 ] || _log_error "${BASE_FILE} files missing" + [ "$ret" -eq 0 ] || return + + # Retrieve creation date. + grep "; Created:" "$KEY_FILE" >"${ZONE}.${KEY_ID}.${_alg_num}.created" || _log_error "mismatch created comment in $KEY_FILE" + KEY_CREATED=$(awk '{print $3}' <"${ZONE}.${KEY_ID}.${_alg_num}.created") + + if [ "$_private" = "yes" ]; then + grep "Created: ${KEY_CREATED}" "$PRIVATE_FILE" >/dev/null || _log_error "mismatch created in $PRIVATE_FILE" + fi + if [ "$_legacy" = "no" ]; then + grep "Generated: ${KEY_CREATED}" "$STATE_FILE" >/dev/null || _log_error "mismatch generated in $STATE_FILE" + fi + + test $_log -eq 1 && echo_i "check key file $BASE_FILE" + + # Check the public key file. + grep "This is a ${_role2} key, keyid ${_key_id}, for ${_zone}." "$KEY_FILE" >/dev/null || _log_error "mismatch top comment in $KEY_FILE" + grep "${_zone}\. ${_dnskey_ttl} IN DNSKEY ${_flags} 3 ${_alg_num}" "$KEY_FILE" >/dev/null || _log_error "mismatch DNSKEY record in $KEY_FILE" + # Now check the private key file. + if [ "$_private" = "yes" ]; then + grep "Private-key-format: v1.3" "$PRIVATE_FILE" >/dev/null || _log_error "mismatch private key format in $PRIVATE_FILE" + grep "Algorithm: ${_alg_num} (${_alg_string})" "$PRIVATE_FILE" >/dev/null || _log_error "mismatch algorithm in $PRIVATE_FILE" + fi + # Now check the key state file. + if [ "$_legacy" = "no" ]; then + grep "This is the state of key ${_key_id}, for ${_zone}." 
"$STATE_FILE" >/dev/null || _log_error "mismatch top comment in $STATE_FILE" + if [ "$_lifetime" = "none" ]; then + grep "Lifetime: " "$STATE_FILE" >/dev/null && _log_error "unexpected lifetime in $STATE_FILE" + else + grep "Lifetime: ${_lifetime}" "$STATE_FILE" >/dev/null || _log_error "mismatch lifetime in $STATE_FILE" + fi + grep "Algorithm: ${_alg_num}" "$STATE_FILE" >/dev/null || _log_error "mismatch algorithm in $STATE_FILE" + grep "Length: ${_length}" "$STATE_FILE" >/dev/null || _log_error "mismatch length in $STATE_FILE" + grep "KSK: ${_ksk}" "$STATE_FILE" >/dev/null || _log_error "mismatch ksk in $STATE_FILE" + grep "ZSK: ${_zsk}" "$STATE_FILE" >/dev/null || _log_error "mismatch zsk in $STATE_FILE" + + # Check key states. + if [ "$_goal" = "none" ]; then + grep "GoalState: " "$STATE_FILE" >/dev/null && _log_error "unexpected goal state in $STATE_FILE" + else + grep "GoalState: ${_goal}" "$STATE_FILE" >/dev/null || _log_error "mismatch goal state in $STATE_FILE" + fi + + if [ "$_state_dnskey" = "none" ]; then + grep "DNSKEYState: " "$STATE_FILE" >/dev/null && _log_error "unexpected dnskey state in $STATE_FILE" + grep "DNSKEYChange: " "$STATE_FILE" >/dev/null && _log_error "unexpected dnskey change in $STATE_FILE" + else + grep "DNSKEYState: ${_state_dnskey}" "$STATE_FILE" >/dev/null || _log_error "mismatch dnskey state in $STATE_FILE" + grep "DNSKEYChange: " "$STATE_FILE" >/dev/null || _log_error "mismatch dnskey change in $STATE_FILE" + fi + + if [ "$_state_zrrsig" = "none" ]; then + grep "ZRRSIGState: " "$STATE_FILE" >/dev/null && _log_error "unexpected zrrsig state in $STATE_FILE" + grep "ZRRSIGChange: " "$STATE_FILE" >/dev/null && _log_error "unexpected zrrsig change in $STATE_FILE" + else + grep "ZRRSIGState: ${_state_zrrsig}" "$STATE_FILE" >/dev/null || _log_error "mismatch zrrsig state in $STATE_FILE" + grep "ZRRSIGChange: " "$STATE_FILE" >/dev/null || _log_error "mismatch zrrsig change in $STATE_FILE" + fi + + if [ "$_state_krrsig" = "none" ]; then 
+ grep "KRRSIGState: " "$STATE_FILE" >/dev/null && _log_error "unexpected krrsig state in $STATE_FILE" + grep "KRRSIGChange: " "$STATE_FILE" >/dev/null && _log_error "unexpected krrsig change in $STATE_FILE" + else + grep "KRRSIGState: ${_state_krrsig}" "$STATE_FILE" >/dev/null || _log_error "mismatch krrsig state in $STATE_FILE" + grep "KRRSIGChange: " "$STATE_FILE" >/dev/null || _log_error "mismatch krrsig change in $STATE_FILE" + fi + + if [ "$_state_ds" = "none" ]; then + grep "DSState: " "$STATE_FILE" >/dev/null && _log_error "unexpected ds state in $STATE_FILE" + grep "DSChange: " "$STATE_FILE" >/dev/null && _log_error "unexpected ds change in $STATE_FILE" + else + grep "DSState: ${_state_ds}" "$STATE_FILE" >/dev/null || _log_error "mismatch ds state in $STATE_FILE" + grep "DSChange: " "$STATE_FILE" >/dev/null || _log_error "mismatch ds change in $STATE_FILE" + fi + fi } # Check the key timing metadata for key $1. check_timingmetadata() { - _dir="$DIR" - _zone="$ZONE" - _key_idpad=$(key_get "$1" ID) - _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') - _alg_num=$(key_get "$1" ALG_NUM) - _alg_numpad=$(printf "%03d" "$_alg_num") - - _published=$(key_get "$1" PUBLISHED) - _active=$(key_get "$1" ACTIVE) - _retired=$(key_get "$1" RETIRED) - _revoked=$(key_get "$1" REVOKED) - _removed=$(key_get "$1" REMOVED) - - _goal=$(key_get "$1" GOAL) - _state_dnskey=$(key_get "$1" STATE_DNSKEY) - _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) - _state_krrsig=$(key_get "$1" STATE_KRRSIG) - _state_ds=$(key_get "$1" STATE_DS) - - _base_file=$(key_get "$1" BASEFILE) - _key_file="${_base_file}.key" - _private_file="${_base_file}.private" - _state_file="${_base_file}.state" - _legacy=$(key_get "$1" LEGACY) - _private=$(key_get "$1" PRIVATE) - - _published=$(key_get "$1" PUBLISHED) - _syncpublish=$(key_get "$1" SYNCPUBLISH) - _active=$(key_get "$1" ACTIVE) - _retired=$(key_get "$1" RETIRED) - _revoked=$(key_get "$1" REVOKED) - _removed=$(key_get "$1" REMOVED) - - # Check timing 
metadata. - n=$((n+1)) - echo_i "check key timing metadata for key $1 id ${_key_id} zone ${ZONE} ($n)" - ret=0 - - if [ "$_published" = "none" ]; then - grep "; Publish:" "${_key_file}" > /dev/null && _log_error "unexpected publish comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "Publish:" "${_private_file}" > /dev/null && _log_error "unexpected publish in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "Published: " "${_state_file}" > /dev/null && _log_error "unexpected publish in ${_state_file}" - fi - else - grep "; Publish: $_published" "${_key_file}" > /dev/null || _log_error "mismatch publish comment in ${_key_file} (expected ${_published})" - if [ "$_private" = "yes" ]; then - grep "Publish: $_published" "${_private_file}" > /dev/null || _log_error "mismatch publish in ${_private_file} (expected ${_published})" - fi - if [ "$_legacy" = "no" ]; then - grep "Published: $_published" "${_state_file}" > /dev/null || _log_error "mismatch publish in ${_state_file} (expected ${_published})" - fi - fi - - if [ "$_syncpublish" = "none" ]; then - grep "; SyncPublish:" "${_key_file}" > /dev/null && _log_error "unexpected syncpublish comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "SyncPublish:" "${_private_file}" > /dev/null && _log_error "unexpected syncpublish in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "PublishCDS: " "${_state_file}" > /dev/null && _log_error "unexpected syncpublish in ${_state_file}" - fi - else - grep "; SyncPublish: $_syncpublish" "${_key_file}" > /dev/null || _log_error "mismatch syncpublish comment in ${_key_file} (expected ${_syncpublish})" - if [ "$_private" = "yes" ]; then - grep "SyncPublish: $_syncpublish" "${_private_file}" > /dev/null || _log_error "mismatch syncpublish in ${_private_file} (expected ${_syncpublish})" - fi - if [ "$_legacy" = "no" ]; then - grep "PublishCDS: $_syncpublish" "${_state_file}" > /dev/null || _log_error "mismatch syncpublish in 
${_state_file} (expected ${_syncpublish})" - fi - fi - - if [ "$_active" = "none" ]; then - grep "; Activate:" "${_key_file}" > /dev/null && _log_error "unexpected active comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "Activate:" "${_private_file}" > /dev/null && _log_error "unexpected active in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "Active: " "${_state_file}" > /dev/null && _log_error "unexpected active in ${_state_file}" - fi - else - grep "; Activate: $_active" "${_key_file}" > /dev/null || _log_error "mismatch active comment in ${_key_file} (expected ${_active})" - if [ "$_private" = "yes" ]; then - grep "Activate: $_active" "${_private_file}" > /dev/null || _log_error "mismatch active in ${_private_file} (expected ${_active})" - fi - if [ "$_legacy" = "no" ]; then - grep "Active: $_active" "${_state_file}" > /dev/null || _log_error "mismatch active in ${_state_file} (expected ${_active})" - fi - fi - - if [ "$_retired" = "none" ]; then - grep "; Inactive:" "${_key_file}" > /dev/null && _log_error "unexpected retired comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "Inactive:" "${_private_file}" > /dev/null && _log_error "unexpected retired in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "Retired: " "${_state_file}" > /dev/null && _log_error "unexpected retired in ${_state_file}" - fi - else - grep "; Inactive: $_retired" "${_key_file}" > /dev/null || _log_error "mismatch retired comment in ${_key_file} (expected ${_retired})" - if [ "$_private" = "yes" ]; then - grep "Inactive: $_retired" "${_private_file}" > /dev/null || _log_error "mismatch retired in ${_private_file} (expected ${_retired})" - fi - if [ "$_legacy" = "no" ]; then - grep "Retired: $_retired" "${_state_file}" > /dev/null || _log_error "mismatch retired in ${_state_file} (expected ${_retired})" - fi - fi - - if [ "$_revoked" = "none" ]; then - grep "; Revoke:" "${_key_file}" > /dev/null && _log_error "unexpected 
revoked comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "Revoke:" "${_private_file}" > /dev/null && _log_error "unexpected revoked in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "Revoked: " "${_state_file}" > /dev/null && _log_error "unexpected revoked in ${_state_file}" - fi - else - grep "; Revoke: $_revoked" "${_key_file}" > /dev/null || _log_error "mismatch revoked comment in ${_key_file} (expected ${_revoked})" - if [ "$_private" = "yes" ]; then - grep "Revoke: $_revoked" "${_private_file}" > /dev/null || _log_error "mismatch revoked in ${_private_file} (expected ${_revoked})" - fi - if [ "$_legacy" = "no" ]; then - grep "Revoked: $_revoked" "${_state_file}" > /dev/null || _log_error "mismatch revoked in ${_state_file} (expected ${_revoked})" - fi - fi - - if [ "$_removed" = "none" ]; then - grep "; Delete:" "${_key_file}" > /dev/null && _log_error "unexpected removed comment in ${_key_file}" - if [ "$_private" = "yes" ]; then - grep "Delete:" "${_private_file}" > /dev/null && _log_error "unexpected removed in ${_private_file}" - fi - if [ "$_legacy" = "no" ]; then - grep "Removed: " "${_state_file}" > /dev/null && _log_error "unexpected removed in ${_state_file}" - fi - else - grep "; Delete: $_removed" "${_key_file}" > /dev/null || _log_error "mismatch removed comment in ${_key_file} (expected ${_removed})" - if [ "$_private" = "yes" ]; then - grep "Delete: $_removed" "${_private_file}" > /dev/null || _log_error "mismatch removed in ${_private_file} (expected ${_removed})" - fi - if [ "$_legacy" = "no" ]; then - grep "Removed: $_removed" "${_state_file}" > /dev/null || _log_error "mismatch removed in ${_state_file} (expected ${_removed})" - fi - fi - - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + _dir="$DIR" + _zone="$ZONE" + _key_idpad=$(key_get "$1" ID) + _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') + _alg_num=$(key_get "$1" ALG_NUM) + _alg_numpad=$(printf "%03d" "$_alg_num") + + 
_published=$(key_get "$1" PUBLISHED) + _active=$(key_get "$1" ACTIVE) + _retired=$(key_get "$1" RETIRED) + _revoked=$(key_get "$1" REVOKED) + _removed=$(key_get "$1" REMOVED) + + _goal=$(key_get "$1" GOAL) + _state_dnskey=$(key_get "$1" STATE_DNSKEY) + _state_zrrsig=$(key_get "$1" STATE_ZRRSIG) + _state_krrsig=$(key_get "$1" STATE_KRRSIG) + _state_ds=$(key_get "$1" STATE_DS) + + _base_file=$(key_get "$1" BASEFILE) + _key_file="${_base_file}.key" + _private_file="${_base_file}.private" + _state_file="${_base_file}.state" + _legacy=$(key_get "$1" LEGACY) + _private=$(key_get "$1" PRIVATE) + + _published=$(key_get "$1" PUBLISHED) + _syncpublish=$(key_get "$1" SYNCPUBLISH) + _active=$(key_get "$1" ACTIVE) + _retired=$(key_get "$1" RETIRED) + _revoked=$(key_get "$1" REVOKED) + _removed=$(key_get "$1" REMOVED) + + # Check timing metadata. + n=$((n + 1)) + echo_i "check key timing metadata for key $1 id ${_key_id} zone ${ZONE} ($n)" + ret=0 + + if [ "$_published" = "none" ]; then + grep "; Publish:" "${_key_file}" >/dev/null && _log_error "unexpected publish comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Publish:" "${_private_file}" >/dev/null && _log_error "unexpected publish in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Published: " "${_state_file}" >/dev/null && _log_error "unexpected publish in ${_state_file}" + fi + else + grep "; Publish: $_published" "${_key_file}" >/dev/null || _log_error "mismatch publish comment in ${_key_file} (expected ${_published})" + if [ "$_private" = "yes" ]; then + grep "Publish: $_published" "${_private_file}" >/dev/null || _log_error "mismatch publish in ${_private_file} (expected ${_published})" + fi + if [ "$_legacy" = "no" ]; then + grep "Published: $_published" "${_state_file}" >/dev/null || _log_error "mismatch publish in ${_state_file} (expected ${_published})" + fi + fi + + if [ "$_syncpublish" = "none" ]; then + grep "; SyncPublish:" "${_key_file}" >/dev/null && _log_error "unexpected 
syncpublish comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "SyncPublish:" "${_private_file}" >/dev/null && _log_error "unexpected syncpublish in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "PublishCDS: " "${_state_file}" >/dev/null && _log_error "unexpected syncpublish in ${_state_file}" + fi + else + grep "; SyncPublish: $_syncpublish" "${_key_file}" >/dev/null || _log_error "mismatch syncpublish comment in ${_key_file} (expected ${_syncpublish})" + if [ "$_private" = "yes" ]; then + grep "SyncPublish: $_syncpublish" "${_private_file}" >/dev/null || _log_error "mismatch syncpublish in ${_private_file} (expected ${_syncpublish})" + fi + if [ "$_legacy" = "no" ]; then + grep "PublishCDS: $_syncpublish" "${_state_file}" >/dev/null || _log_error "mismatch syncpublish in ${_state_file} (expected ${_syncpublish})" + fi + fi + + if [ "$_active" = "none" ]; then + grep "; Activate:" "${_key_file}" >/dev/null && _log_error "unexpected active comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Activate:" "${_private_file}" >/dev/null && _log_error "unexpected active in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Active: " "${_state_file}" >/dev/null && _log_error "unexpected active in ${_state_file}" + fi + else + grep "; Activate: $_active" "${_key_file}" >/dev/null || _log_error "mismatch active comment in ${_key_file} (expected ${_active})" + if [ "$_private" = "yes" ]; then + grep "Activate: $_active" "${_private_file}" >/dev/null || _log_error "mismatch active in ${_private_file} (expected ${_active})" + fi + if [ "$_legacy" = "no" ]; then + grep "Active: $_active" "${_state_file}" >/dev/null || _log_error "mismatch active in ${_state_file} (expected ${_active})" + fi + fi + + if [ "$_retired" = "none" ]; then + grep "; Inactive:" "${_key_file}" >/dev/null && _log_error "unexpected retired comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Inactive:" "${_private_file}" 
>/dev/null && _log_error "unexpected retired in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Retired: " "${_state_file}" >/dev/null && _log_error "unexpected retired in ${_state_file}" + fi + else + grep "; Inactive: $_retired" "${_key_file}" >/dev/null || _log_error "mismatch retired comment in ${_key_file} (expected ${_retired})" + if [ "$_private" = "yes" ]; then + grep "Inactive: $_retired" "${_private_file}" >/dev/null || _log_error "mismatch retired in ${_private_file} (expected ${_retired})" + fi + if [ "$_legacy" = "no" ]; then + grep "Retired: $_retired" "${_state_file}" >/dev/null || _log_error "mismatch retired in ${_state_file} (expected ${_retired})" + fi + fi + + if [ "$_revoked" = "none" ]; then + grep "; Revoke:" "${_key_file}" >/dev/null && _log_error "unexpected revoked comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Revoke:" "${_private_file}" >/dev/null && _log_error "unexpected revoked in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Revoked: " "${_state_file}" >/dev/null && _log_error "unexpected revoked in ${_state_file}" + fi + else + grep "; Revoke: $_revoked" "${_key_file}" >/dev/null || _log_error "mismatch revoked comment in ${_key_file} (expected ${_revoked})" + if [ "$_private" = "yes" ]; then + grep "Revoke: $_revoked" "${_private_file}" >/dev/null || _log_error "mismatch revoked in ${_private_file} (expected ${_revoked})" + fi + if [ "$_legacy" = "no" ]; then + grep "Revoked: $_revoked" "${_state_file}" >/dev/null || _log_error "mismatch revoked in ${_state_file} (expected ${_revoked})" + fi + fi + + if [ "$_removed" = "none" ]; then + grep "; Delete:" "${_key_file}" >/dev/null && _log_error "unexpected removed comment in ${_key_file}" + if [ "$_private" = "yes" ]; then + grep "Delete:" "${_private_file}" >/dev/null && _log_error "unexpected removed in ${_private_file}" + fi + if [ "$_legacy" = "no" ]; then + grep "Removed: " "${_state_file}" >/dev/null && _log_error 
"unexpected removed in ${_state_file}" + fi + else + grep "; Delete: $_removed" "${_key_file}" >/dev/null || _log_error "mismatch removed comment in ${_key_file} (expected ${_removed})" + if [ "$_private" = "yes" ]; then + grep "Delete: $_removed" "${_private_file}" >/dev/null || _log_error "mismatch removed in ${_private_file} (expected ${_removed})" + fi + if [ "$_legacy" = "no" ]; then + grep "Removed: $_removed" "${_state_file}" >/dev/null || _log_error "mismatch removed in ${_state_file} (expected ${_removed})" + fi + fi + + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } check_keytimes() { - # The script relies on Python to set keytimes. - if [ -x "$PYTHON" ]; then - - if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - check_timingmetadata "KEY1" - fi - if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - check_timingmetadata "KEY2" - fi - if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - check_timingmetadata "KEY3" - fi - if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - check_timingmetadata "KEY4" - fi - fi + # The script relies on Python to set keytimes. + if [ -x "$PYTHON" ]; then + + if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY1" + fi + if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY2" + fi + if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY3" + fi + if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + check_timingmetadata "KEY4" + fi + fi } # Check the key with key id $1 and see if it is unused. 
@@ -637,141 +636,140 @@ check_keytimes() { # STATE_FILE="${BASE_FILE}.state" # KEY_ID=$(echo $1 | sed 's/^0\{0,4\}//') key_unused() { - _dir=$DIR - _zone=$ZONE - _key_idpad=$1 - _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') - _alg_num=$2 - _alg_numpad=$(printf "%03d" "$_alg_num") - - BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" - KEY_FILE="${BASE_FILE}.key" - PRIVATE_FILE="${BASE_FILE}.private" - STATE_FILE="${BASE_FILE}.state" - KEY_ID="${_key_id}" - - test $_log -eq 1 && echo_i "key unused $KEY_ID?" - - # Check file existence. - [ -s "$KEY_FILE" ] || ret=1 - [ -s "$PRIVATE_FILE" ] || ret=1 - [ -s "$STATE_FILE" ] || ret=1 - [ "$ret" -eq 0 ] || return - - # Treat keys that have been removed from the zone as unused. - _check_removed=1 - grep "; Created:" "$KEY_FILE" > created.key-${KEY_ID}.test${n} || _check_removed=0 - grep "; Delete:" "$KEY_FILE" > unused.key-${KEY_ID}.test${n} || _check_removed=0 - if [ "$_check_removed" -eq 1 ]; then - _created=$(awk '{print $3}' < created.key-${KEY_ID}.test${n}) - _removed=$(awk '{print $3}' < unused.key-${KEY_ID}.test${n}) - [ "$_removed" -le "$_created" ] && return - fi - - # If no timing metadata is set, this key is unused. 
- grep "; Publish:" "$KEY_FILE" > /dev/null && _log_error "unexpected publish comment in $KEY_FILE" - grep "; Activate:" "$KEY_FILE" > /dev/null && _log_error "unexpected active comment in $KEY_FILE" - grep "; Inactive:" "$KEY_FILE" > /dev/null && _log_error "unexpected retired comment in $KEY_FILE" - grep "; Revoke:" "$KEY_FILE" > /dev/null && _log_error "unexpected revoked comment in $KEY_FILE" - grep "; Delete:" "$KEY_FILE" > /dev/null && _log_error "unexpected removed comment in $KEY_FILE" - - grep "Publish:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected publish in $PRIVATE_FILE" - grep "Activate:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected active in $PRIVATE_FILE" - grep "Inactive:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected retired in $PRIVATE_FILE" - grep "Revoke:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected revoked in $PRIVATE_FILE" - grep "Delete:" "$PRIVATE_FILE" > /dev/null && _log_error "unexpected removed in $PRIVATE_FILE" - - grep "Published: " "$STATE_FILE" > /dev/null && _log_error "unexpected publish in $STATE_FILE" - grep "Active: " "$STATE_FILE" > /dev/null && _log_error "unexpected active in $STATE_FILE" - grep "Retired: " "$STATE_FILE" > /dev/null && _log_error "unexpected retired in $STATE_FILE" - grep "Revoked: " "$STATE_FILE" > /dev/null && _log_error "unexpected revoked in $STATE_FILE" - grep "Removed: " "$STATE_FILE" > /dev/null && _log_error "unexpected removed in $STATE_FILE" + _dir=$DIR + _zone=$ZONE + _key_idpad=$1 + _key_id=$(echo "$_key_idpad" | sed 's/^0\{0,4\}//') + _alg_num=$2 + _alg_numpad=$(printf "%03d" "$_alg_num") + + BASE_FILE="${_dir}/K${_zone}.+${_alg_numpad}+${_key_idpad}" + KEY_FILE="${BASE_FILE}.key" + PRIVATE_FILE="${BASE_FILE}.private" + STATE_FILE="${BASE_FILE}.state" + KEY_ID="${_key_id}" + + test $_log -eq 1 && echo_i "key unused $KEY_ID?" + + # Check file existence. 
+ [ -s "$KEY_FILE" ] || ret=1 + [ -s "$PRIVATE_FILE" ] || ret=1 + [ -s "$STATE_FILE" ] || ret=1 + [ "$ret" -eq 0 ] || return + + # Treat keys that have been removed from the zone as unused. + _check_removed=1 + grep "; Created:" "$KEY_FILE" >created.key-${KEY_ID}.test${n} || _check_removed=0 + grep "; Delete:" "$KEY_FILE" >unused.key-${KEY_ID}.test${n} || _check_removed=0 + if [ "$_check_removed" -eq 1 ]; then + _created=$(awk '{print $3}' <created.key-${KEY_ID}.test${n}) + _removed=$(awk '{print $3}' <unused.key-${KEY_ID}.test${n}) + [ "$_removed" -le "$_created" ] && return + fi + + # If no timing metadata is set, this key is unused. + grep "; Publish:" "$KEY_FILE" >/dev/null && _log_error "unexpected publish comment in $KEY_FILE" + grep "; Activate:" "$KEY_FILE" >/dev/null && _log_error "unexpected active comment in $KEY_FILE" + grep "; Inactive:" "$KEY_FILE" >/dev/null && _log_error "unexpected retired comment in $KEY_FILE" + grep "; Revoke:" "$KEY_FILE" >/dev/null && _log_error "unexpected revoked comment in $KEY_FILE" + grep "; Delete:" "$KEY_FILE" >/dev/null && _log_error "unexpected removed comment in $KEY_FILE" + + grep "Publish:" "$PRIVATE_FILE" >/dev/null && _log_error "unexpected publish in $PRIVATE_FILE" + grep "Activate:" "$PRIVATE_FILE" >/dev/null && _log_error "unexpected active in $PRIVATE_FILE" + grep "Inactive:" "$PRIVATE_FILE" >/dev/null && _log_error "unexpected retired in $PRIVATE_FILE" + grep "Revoke:" "$PRIVATE_FILE" >/dev/null && _log_error "unexpected revoked in $PRIVATE_FILE" + grep "Delete:" "$PRIVATE_FILE" >/dev/null && _log_error "unexpected removed in $PRIVATE_FILE" + + grep "Published: " "$STATE_FILE" >/dev/null && _log_error "unexpected publish in $STATE_FILE" + grep "Active: " "$STATE_FILE" >/dev/null && _log_error "unexpected active in $STATE_FILE" + grep "Retired: " "$STATE_FILE" >/dev/null && _log_error "unexpected retired in $STATE_FILE" + grep "Revoked: " "$STATE_FILE" >/dev/null && _log_error "unexpected revoked in 
$STATE_FILE"
+ grep "Removed: " "$STATE_FILE" >/dev/null && _log_error "unexpected removed in $STATE_FILE"
 }
 
 # Test: dnssec-verify zone $1.
-dnssec_verify()
-{
- n=$((n+1))
- echo_i "dnssec-verify zone ${ZONE} ($n)"
- ret=0
- _dig_with_opts "$ZONE" "@${SERVER}" AXFR > dig.out.axfr.test$n || _log_error "dig ${ZONE} AXFR failed"
- $VERIFY -z -o "$ZONE" dig.out.axfr.test$n > verify.out.$ZONE.test$n || _log_error "dnssec verify zone $ZONE failed"
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+dnssec_verify() {
+ n=$((n + 1))
+ echo_i "dnssec-verify zone ${ZONE} ($n)"
+ ret=0
+ _dig_with_opts "$ZONE" "@${SERVER}" AXFR >dig.out.axfr.test$n || _log_error "dig ${ZONE} AXFR failed"
+ $VERIFY -z -o "$ZONE" dig.out.axfr.test$n >verify.out.$ZONE.test$n || _log_error "dnssec verify zone $ZONE failed"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 }
 
 # Wait for the zone to be signed.
 # The apex NSEC record indicates that it is signed.
 _wait_for_nsec() {
- _dig_with_opts "@${SERVER}" "$ZONE" NSEC > "dig.out.nsec.test$n" || return 1
- grep "NS SOA" "dig.out.nsec.test$n" > /dev/null || return 1
- grep "${ZONE}\..*IN.*RRSIG" "dig.out.nsec.test$n" > /dev/null || return 1
- return 0
+ _dig_with_opts "@${SERVER}" "$ZONE" NSEC >"dig.out.nsec.test$n" || return 1
+ grep "NS SOA" "dig.out.nsec.test$n" >/dev/null || return 1
+ grep "${ZONE}\..*IN.*RRSIG" "dig.out.nsec.test$n" >/dev/null || return 1
+ return 0
 }
 
 wait_for_nsec() {
- n=$((n+1))
- ret=0
- echo_i "wait for ${ZONE} to be signed ($n)"
- retry_quiet 10 _wait_for_nsec || _log_error "wait for ${ZONE} to be signed failed"
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ n=$((n + 1))
+ ret=0
+ echo_i "wait for ${ZONE} to be signed ($n)"
+ retry_quiet 10 _wait_for_nsec || _log_error "wait for ${ZONE} to be signed failed"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 }
 
 check_numkeys() {
- _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l)
- test "$_numkeys" -eq 
"$NUM_KEYS" || return 1 - return 0 + _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l) + test "$_numkeys" -eq "$NUM_KEYS" || return 1 + return 0 } _check_keys() { - ret=0 - _ret=0 - - # Clear key ids. - key_set KEY1 ID "no" - key_set KEY2 ID "no" - key_set KEY3 ID "no" - key_set KEY4 ID "no" - - # Check key files. - _ids=$(get_keyids "$DIR" "$ZONE") - for _id in $_ids; do - # There are multiple key files with the same algorithm. - # Check them until a match is found. - ret=0 - echo_i "check key id $_id" - - if [ "no" = "$(key_get KEY1 ID)" ] && [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - ret=0 - check_key "KEY1" "$_id" - test "$ret" -eq 0 && key_save KEY1 && continue - fi - if [ "no" = "$(key_get KEY2 ID)" ] && [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - ret=0 - check_key "KEY2" "$_id" - test "$ret" -eq 0 && key_save KEY2 && continue - fi - if [ "no" = "$(key_get KEY3 ID)" ] && [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - ret=0 - check_key "KEY3" "$_id" - test "$ret" -eq 0 && key_save KEY3 && continue - fi - if [ "no" = "$(key_get KEY4 ID)" ] && [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - ret=0 - check_key "KEY4" "$_id" - test "$ret" -eq 0 && key_save KEY4 && continue - fi - - # This may be an unused key. Assume algorithm of KEY1. - ret=0 && key_unused "$_id" "$(key_get KEY1 ALG_NUM)" - test "$ret" -eq 0 && continue - - # If ret is still non-zero, none of the files matched. - echo_i "failed" - _ret=1 - done - - return $_ret + ret=0 + _ret=0 + + # Clear key ids. + key_set KEY1 ID "no" + key_set KEY2 ID "no" + key_set KEY3 ID "no" + key_set KEY4 ID "no" + + # Check key files. + _ids=$(get_keyids "$DIR" "$ZONE") + for _id in $_ids; do + # There are multiple key files with the same algorithm. + # Check them until a match is found. 
+ ret=0 + echo_i "check key id $_id" + + if [ "no" = "$(key_get KEY1 ID)" ] && [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + ret=0 + check_key "KEY1" "$_id" + test "$ret" -eq 0 && key_save KEY1 && continue + fi + if [ "no" = "$(key_get KEY2 ID)" ] && [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + ret=0 + check_key "KEY2" "$_id" + test "$ret" -eq 0 && key_save KEY2 && continue + fi + if [ "no" = "$(key_get KEY3 ID)" ] && [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + ret=0 + check_key "KEY3" "$_id" + test "$ret" -eq 0 && key_save KEY3 && continue + fi + if [ "no" = "$(key_get KEY4 ID)" ] && [ "$(key_get KEY4 EXPECT)" = "yes" ]; then + ret=0 + check_key "KEY4" "$_id" + test "$ret" -eq 0 && key_save KEY4 && continue + fi + + # This may be an unused key. Assume algorithm of KEY1. + ret=0 && key_unused "$_id" "$(key_get KEY1 ALG_NUM)" + test "$ret" -eq 0 && continue + + # If ret is still non-zero, none of the files matched. + echo_i "failed" + _ret=1 + done + + return $_ret } # Check keys for a configured zone. This verifies: 
@@ -781,47 +779,47 @@ _check_keys() {
 # It is expected that KEY1, KEY2, KEY3, and KEY4 arrays are set correctly.
 # Found key identifiers are stored in the right key array.
 check_keys() {
- n=$((n+1))
- echo_i "check keys are created for zone ${ZONE} ($n)"
- ret=0
-
- echo_i "check number of keys for zone ${ZONE} in dir ${DIR} ($n)"
- retry_quiet 10 check_numkeys || ret=1
- if [ $ret -ne 0 ]; then
- _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l)
- _log_error "bad number of key files ($_numkeys) for zone $ZONE (expected $NUM_KEYS)"
- status=$((status+ret))
- fi
-
- # Temporarily don't log errors because we are searching multiple files.
- disable_logerror
-
- retry_quiet 3 _check_keys || ret=1
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
-
- # Turn error logs on again.
- enable_logerror
-
- ret=0
- if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
- echo_i "KEY1 ID $(key_get KEY1 ID)"
- test "no" = "$(key_get KEY1 ID)" && _log_error "No KEY1 found for zone ${ZONE}"
- fi
- if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
- echo_i "KEY2 ID $(key_get KEY2 ID)"
- test "no" = "$(key_get KEY2 ID)" && _log_error "No KEY2 found for zone ${ZONE}"
- fi
- if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
- echo_i "KEY3 ID $(key_get KEY3 ID)"
- test "no" = "$(key_get KEY3 ID)" && _log_error "No KEY3 found for zone ${ZONE}"
- fi
- if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
- echo_i "KEY4 ID $(key_get KEY4 ID)"
- test "no" = "$(key_get KEY4 ID)" && _log_error "No KEY4 found for zone ${ZONE}"
- fi
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ n=$((n + 1))
+ echo_i "check keys are created for zone ${ZONE} ($n)"
+ ret=0
+
+ echo_i "check number of keys for zone ${ZONE} in dir ${DIR} ($n)"
+ retry_quiet 10 check_numkeys || ret=1
+ if [ $ret -ne 0 ]; then
+ _numkeys=$(get_keyids "$DIR" "$ZONE" | wc -l)
+ _log_error "bad number of key files ($_numkeys) for zone $ZONE (expected $NUM_KEYS)"
+ status=$((status + ret))
+ fi
+
+ # Temporarily don't log errors 
because we are searching multiple files.
+ disable_logerror
+
+ retry_quiet 3 _check_keys || ret=1
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
+
+ # Turn error logs on again.
+ enable_logerror
+
+ ret=0
+ if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
+ echo_i "KEY1 ID $(key_get KEY1 ID)"
+ test "no" = "$(key_get KEY1 ID)" && _log_error "No KEY1 found for zone ${ZONE}"
+ fi
+ if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
+ echo_i "KEY2 ID $(key_get KEY2 ID)"
+ test "no" = "$(key_get KEY2 ID)" && _log_error "No KEY2 found for zone ${ZONE}"
+ fi
+ if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
+ echo_i "KEY3 ID $(key_get KEY3 ID)"
+ test "no" = "$(key_get KEY3 ID)" && _log_error "No KEY3 found for zone ${ZONE}"
+ fi
+ if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
+ echo_i "KEY4 ID $(key_get KEY4 ID)"
+ test "no" = "$(key_get KEY4 ID)" && _log_error "No KEY4 found for zone ${ZONE}"
+ fi
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 }
 
 # Call rndc dnssec -status on server $1 for zone $3 in view $4 with policy $2
@@ -832,407 +830,406 @@ check_keys() { # it is scheduled to do so, and it shows the states for the various # DNSSEC records. check_dnssecstatus() { - _server=$1 - _policy=$2 - _zone=$3 - _view=$4 - - n=$((n+1)) - echo_i "check rndc dnssec -status output for ${_zone} (policy: $_policy) ($n)" - ret=0 - - _rndccmd $_server dnssec -status $_zone in $_view > rndc.dnssec.status.out.$_zone.$n || _log_error "rndc dnssec -status zone ${_zone} failed" - - if [ "$_policy" = "none" ]; then - grep "Zone does not have dnssec-policy" rndc.dnssec.status.out.$_zone.$n > /dev/null || log_error "bad dnssec status for unsigned zone ${_zone}" - else - grep "dnssec-policy: ${_policy}" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "bad dnssec status for signed zone ${_zone}" - if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY1 ID) from dnssec status" - fi - if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - grep "key: $(key_get KEY2 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY2 ID) from dnssec status" - fi - if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - grep "key: $(key_get KEY3 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY3 ID) from dnssec status" - fi - if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - grep "key: $(key_get KEY4 ID)" rndc.dnssec.status.out.$_zone.$n > /dev/null || _log_error "missing key $(key_get KEY4 ID) from dnssec status" - fi - fi - - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + _server=$1 + _policy=$2 + _zone=$3 + _view=$4 + + n=$((n + 1)) + echo_i "check rndc dnssec -status output for ${_zone} (policy: $_policy) ($n)" + ret=0 + + _rndccmd $_server dnssec -status $_zone in $_view >rndc.dnssec.status.out.$_zone.$n || _log_error "rndc dnssec -status zone ${_zone} failed" + + if [ "$_policy" = "none" ]; then + grep "Zone does not have 
dnssec-policy" rndc.dnssec.status.out.$_zone.$n >/dev/null || log_error "bad dnssec status for unsigned zone ${_zone}"
+ else
+ grep "dnssec-policy: ${_policy}" rndc.dnssec.status.out.$_zone.$n >/dev/null || _log_error "bad dnssec status for signed zone ${_zone}"
+ if [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
+ grep "key: $(key_get KEY1 ID)" rndc.dnssec.status.out.$_zone.$n >/dev/null || _log_error "missing key $(key_get KEY1 ID) from dnssec status"
+ fi
+ if [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
+ grep "key: $(key_get KEY2 ID)" rndc.dnssec.status.out.$_zone.$n >/dev/null || _log_error "missing key $(key_get KEY2 ID) from dnssec status"
+ fi
+ if [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
+ grep "key: $(key_get KEY3 ID)" rndc.dnssec.status.out.$_zone.$n >/dev/null || _log_error "missing key $(key_get KEY3 ID) from dnssec status"
+ fi
+ if [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
+ grep "key: $(key_get KEY4 ID)" rndc.dnssec.status.out.$_zone.$n >/dev/null || _log_error "missing key $(key_get KEY4 ID) from dnssec status"
+ fi
+ fi
+
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 }
 
 # Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if
 # inline-signing is enabled.
 check_inlinesigning() {
- _server=$1
- _zone=$2
- _view=$3
+ _server=$1
+ _zone=$2
+ _view=$3
 
- _rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1
- grep "inline signing: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1
+ _rndccmd $_server zonestatus $_zone in $_view >rndc.zonestatus.out.$_zone.$n || return 1
+ grep "inline signing: yes" rndc.zonestatus.out.$_zone.$n >/dev/null || return 1
 }
 
 # Call rndc zonestatus on server $1 for zone $2 in view $3 and check output if
 # the zone is dynamic.
check_isdynamic() {
- _server=$1
- _zone=$2
- _view=$3
+ _server=$1
+ _zone=$2
+ _view=$3
 
- _rndccmd $_server zonestatus $_zone in $_view > rndc.zonestatus.out.$_zone.$n || return 1
- grep "dynamic: yes" rndc.zonestatus.out.$_zone.$n > /dev/null || return 1
+ _rndccmd $_server zonestatus $_zone in $_view >rndc.zonestatus.out.$_zone.$n || return 1
+ grep "dynamic: yes" rndc.zonestatus.out.$_zone.$n >/dev/null || return 1
 }
 
 # Check if RRset of type $1 in file $2 is signed with the right keys.
 # The right keys are the ones that expect a signature and matches the role $3.
 _check_signatures() {
- _qtype=$1
- _file=$2
- _role=$3
-
- numsigs=0
-
- if [ "$_role" = "KSK" ]; then
- _expect_type=EXPECT_KRRSIG
- elif [ "$_role" = "ZSK" ]; then
- _expect_type=EXPECT_ZRRSIG
- fi
-
- if [ "$(key_get KEY1 "$_expect_type")" = "yes" ] && [ "$(key_get KEY1 "$_role")" = "yes" ]; then
- get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" > /dev/null || return 1
- numsigs=$((numsigs+1))
- elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
- get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" > /dev/null && return 1
- fi
-
- if [ "$(key_get KEY2 "$_expect_type")" = "yes" ] && [ "$(key_get KEY2 "$_role")" = "yes" ]; then
- get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" > /dev/null || return 1
- numsigs=$((numsigs+1))
- elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
- get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" > /dev/null && return 1
- fi
-
- if [ "$(key_get KEY3 "$_expect_type")" = "yes" ] && [ "$(key_get KEY3 "$_role")" = "yes" ]; then
- get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" > /dev/null || return 1
- numsigs=$((numsigs+1))
- elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
- get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" > /dev/null && return 1
- fi
-
- if [ "$(key_get KEY4 "$_expect_type")" = "yes" ] && [ "$(key_get KEY4 "$_role")" = "yes" ]; 
then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" > /dev/null || return 1 - numsigs=$((numsigs+1)) - elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then - get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" > /dev/null && return 1 - fi - - lines=$(get_keys_which_signed "${_qtype}" "${_file}" | wc -l) - test "$lines" -eq "$numsigs" || echo_i "bad number of signatures for $_qtype (got $lines, expected $numsigs)" - test "$lines" -eq "$numsigs" || return 1 - - return 0 + _qtype=$1 + _file=$2 + _role=$3 + + numsigs=0 + + if [ "$_role" = "KSK" ]; then + _expect_type=EXPECT_KRRSIG + elif [ "$_role" = "ZSK" ]; then + _expect_type=EXPECT_ZRRSIG + fi + + if [ "$(key_get KEY1 "$_expect_type")" = "yes" ] && [ "$(key_get KEY1 "$_role")" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" >/dev/null || return 1 + numsigs=$((numsigs + 1)) + elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY1 ID)$" >/dev/null && return 1 + fi + + if [ "$(key_get KEY2 "$_expect_type")" = "yes" ] && [ "$(key_get KEY2 "$_role")" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" >/dev/null || return 1 + numsigs=$((numsigs + 1)) + elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY2 ID)$" >/dev/null && return 1 + fi + + if [ "$(key_get KEY3 "$_expect_type")" = "yes" ] && [ "$(key_get KEY3 "$_role")" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" >/dev/null || return 1 + numsigs=$((numsigs + 1)) + elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY3 ID)$" >/dev/null && return 1 + fi + + if [ "$(key_get KEY4 "$_expect_type")" = "yes" ] && [ "$(key_get KEY4 "$_role")" = "yes" ]; then + get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" 
>/dev/null || return 1
+ numsigs=$((numsigs + 1))
+ elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
+ get_keys_which_signed "$_qtype" "$_file" | grep "^$(key_get KEY4 ID)$" >/dev/null && return 1
+ fi
+
+ lines=$(get_keys_which_signed "${_qtype}" "${_file}" | wc -l)
+ test "$lines" -eq "$numsigs" || echo_i "bad number of signatures for $_qtype (got $lines, expected $numsigs)"
+ test "$lines" -eq "$numsigs" || return 1
+
+ return 0
 }
 
 check_signatures() {
- retry_quiet 3 _check_signatures $1 $2 $3 || _log_error "RRset $1 in zone $ZONE incorrectly signed"
+ retry_quiet 3 _check_signatures $1 $2 $3 || _log_error "RRset $1 in zone $ZONE incorrectly signed"
 }
 
 response_has_cds_for_key() (
- awk -v zone="${ZONE%%.}." \
- -v ttl="${DNSKEY_TTL}" \
- -v qtype="CDS" \
- -v keyid="$(key_get "${1}" ID)" \
- -v keyalg="$(key_get "${1}" ALG_NUM)" \
- -v hashalg="2" \
- 'BEGIN { ret=1; }
+ awk -v zone="${ZONE%%.}." \
+ -v ttl="${DNSKEY_TTL}" \
+ -v qtype="CDS" \
+ -v keyid="$(key_get "${1}" ID)" \
+ -v keyalg="$(key_get "${1}" ALG_NUM)" \
+ -v hashalg="2" \
+ 'BEGIN { ret=1; }
 $1 == zone && $2 == ttl && $4 == qtype && $5 == keyid && $6 == keyalg && $7 == hashalg { ret=0; exit; }
 END { exit ret; }' \
- "$2"
+ "$2"
 )
 
 response_has_cdnskey_for_key() (
- awk -v zone="${ZONE%%.}." \
- -v ttl="${DNSKEY_TTL}" \
- -v qtype="CDNSKEY" \
- -v flags="$(key_get "${1}" FLAGS)" \
- -v keyalg="$(key_get "${1}" ALG_NUM)" \
- 'BEGIN { ret=1; }
+ awk -v zone="${ZONE%%.}." \
+ -v ttl="${DNSKEY_TTL}" \
+ -v qtype="CDNSKEY" \
+ -v flags="$(key_get "${1}" FLAGS)" \
+ -v keyalg="$(key_get "${1}" ALG_NUM)" \
+ 'BEGIN { ret=1; }
 $1 == zone && $2 == ttl && $4 == qtype && $5 == flags && $7 == keyalg { ret=0; exit; }
 END { exit ret; }' \
- "$2"
+ "$2"
 )
 
 # Test CDS and CDNSKEY publication.
check_cds() { - n=$((n+1)) - echo_i "check CDS and CDNSKEY rrset are signed correctly for zone ${ZONE} ($n)" - ret=0 - - _checksig=0 - - _dig_with_opts "$ZONE" "@${SERVER}" "CDS" > "dig.out.$DIR.test$n.cds" || _log_error "dig ${ZONE} CDS failed" - grep "status: NOERROR" "dig.out.$DIR.test$n.cds" > /dev/null || _log_error "mismatch status in DNS response" - - _dig_with_opts "$ZONE" "@${SERVER}" "CDNSKEY" > "dig.out.$DIR.test$n.cdnskey" || _log_error "dig ${ZONE} CDNSKEY failed" - grep "status: NOERROR" "dig.out.$DIR.test$n.cdnskey" > /dev/null || _log_error "mismatch status in DNS response" - - if [ "$CDS_DELETE" = "no" ]; then - grep "CDS.*0 0 0 00" "dig.out.$DIR.test$n.cds" > /dev/null && _log_error "unexpected CDS DELETE record in DNS response" - grep "CDNSKEY.*0 3 0 AA==" "dig.out.$DIR.test$n.cdnskey" > /dev/null && _log_error "unexpected CDNSKEY DELETE record in DNS response" - else - grep "CDS.*0 0 0 00" "dig.out.$DIR.test$n.cds" > /dev/null || _log_error "missing CDS DELETE record in DNS response" - grep "CDNSKEY.*0 3 0 AA==" "dig.out.$DIR.test$n.cdnskey" > /dev/null || _log_error "missing CDNSKEY DELETE record in DNS response" - _checksig=1 - fi - - if [ "$(key_get KEY1 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DS)" = "omnipresent" ]; then - response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY1 ID)" - response_has_cdnskey_for_key KEY1 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY1 ID)" - _checksig=1 - elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then - response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY1 ID)" - # KEY1 should not have an associated CDNSKEY, but there may be - # one for another key. Since the CDNSKEY has no field for key - # id, it is hard to check what key the CDNSKEY may belong to - # so let's skip this check for now. 
- fi - - if [ "$(key_get KEY2 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DS)" = "omnipresent" ]; then - response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY2 ID)" - response_has_cdnskey_for_key KEY2 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY2 ID)" - _checksig=1 - elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then - response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY2 ID)" - # KEY2 should not have an associated CDNSKEY, but there may be - # one for another key. Since the CDNSKEY has no field for key - # id, it is hard to check what key the CDNSKEY may belong to - # so let's skip this check for now. - fi - - if [ "$(key_get KEY3 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DS)" = "omnipresent" ]; then - response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY3 ID)" - response_has_cdnskey_for_key KEY3 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY3 ID)" - _checksig=1 - elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then - response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY3 ID)" - # KEY3 should not have an associated CDNSKEY, but there may be - # one for another key. Since the CDNSKEY has no field for key - # id, it is hard to check what key the CDNSKEY may belong to - # so let's skip this check for now. 
- fi
-
- if [ "$(key_get KEY4 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DS)" = "omnipresent" ]; then
- response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY4 ID)"
- response_has_cdnskey_for_key KEY4 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY4 ID)"
- _checksig=1
- elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
- response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY4 ID)"
- # KEY4 should not have an associated CDNSKEY, but there may be
- # one for another key. Since the CDNSKEY has no field for key
- # id, it is hard to check what key the CDNSKEY may belong to
- # so let's skip this check for now.
- fi
-
- test "$_checksig" -eq 0 || check_signatures "CDS" "dig.out.$DIR.test$n.cds" "KSK"
- test "$_checksig" -eq 0 || check_signatures "CDNSKEY" "dig.out.$DIR.test$n.cdnskey" "KSK"
-
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ n=$((n + 1))
+ echo_i "check CDS and CDNSKEY rrset are signed correctly for zone ${ZONE} ($n)"
+ ret=0
+
+ _checksig=0
+
+ _dig_with_opts "$ZONE" "@${SERVER}" "CDS" >"dig.out.$DIR.test$n.cds" || _log_error "dig ${ZONE} CDS failed"
+ grep "status: NOERROR" "dig.out.$DIR.test$n.cds" >/dev/null || _log_error "mismatch status in DNS response"
+
+ _dig_with_opts "$ZONE" "@${SERVER}" "CDNSKEY" >"dig.out.$DIR.test$n.cdnskey" || _log_error "dig ${ZONE} CDNSKEY failed"
+ grep "status: NOERROR" "dig.out.$DIR.test$n.cdnskey" >/dev/null || _log_error "mismatch status in DNS response"
+
+ if [ "$CDS_DELETE" = "no" ]; then
+ grep "CDS.*0 0 0 00" "dig.out.$DIR.test$n.cds" >/dev/null && _log_error "unexpected CDS DELETE record in DNS response"
+ grep "CDNSKEY.*0 3 0 AA==" "dig.out.$DIR.test$n.cdnskey" >/dev/null && _log_error "unexpected CDNSKEY DELETE record in DNS response"
+ else
+ grep "CDS.*0 0 0 00" "dig.out.$DIR.test$n.cds" >/dev/null || _log_error "missing CDS DELETE record in DNS response"
+ grep "CDNSKEY.*0 3 0 AA==" "dig.out.$DIR.test$n.cdnskey" >/dev/null || _log_error "missing CDNSKEY DELETE record in DNS response"
+ _checksig=1
+ fi
+
+ if [ "$(key_get KEY1 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DS)" = "omnipresent" ]; then
+ response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY1 ID)"
+ response_has_cdnskey_for_key KEY1 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY1 ID)"
+ _checksig=1
+ elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
+ response_has_cds_for_key KEY1 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY1 ID)"
+ # KEY1 should not have an associated CDNSKEY, but there may be
+ # one for another key. Since the CDNSKEY has no field for key
+ # id, it is hard to check what key the CDNSKEY may belong to
+ # so let's skip this check for now.
+ fi
+
+ if [ "$(key_get KEY2 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DS)" = "omnipresent" ]; then
+ response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY2 ID)"
+ response_has_cdnskey_for_key KEY2 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY2 ID)"
+ _checksig=1
+ elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
+ response_has_cds_for_key KEY2 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY2 ID)"
+ # KEY2 should not have an associated CDNSKEY, but there may be
+ # one for another key. Since the CDNSKEY has no field for key
+ # id, it is hard to check what key the CDNSKEY may belong to
+ # so let's skip this check for now.
+ fi
+
+ if [ "$(key_get KEY3 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DS)" = "omnipresent" ]; then
+ response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY3 ID)"
+ response_has_cdnskey_for_key KEY3 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY3 ID)"
+ _checksig=1
+ elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
+ response_has_cds_for_key KEY3 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY3 ID)"
+ # KEY3 should not have an associated CDNSKEY, but there may be
+ # one for another key. Since the CDNSKEY has no field for key
+ # id, it is hard to check what key the CDNSKEY may belong to
+ # so let's skip this check for now.
+ fi
+
+ if [ "$(key_get KEY4 STATE_DS)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DS)" = "omnipresent" ]; then
+ response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" || _log_error "missing CDS record in response for key $(key_get KEY4 ID)"
+ response_has_cdnskey_for_key KEY4 "dig.out.$DIR.test$n.cdnskey" || _log_error "missing CDNSKEY record in response for key $(key_get KEY4 ID)"
+ _checksig=1
+ elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
+ response_has_cds_for_key KEY4 "dig.out.$DIR.test$n.cds" && _log_error "unexpected CDS record in response for key $(key_get KEY4 ID)"
+ # KEY4 should not have an associated CDNSKEY, but there may be
+ # one for another key. Since the CDNSKEY has no field for key
+ # id, it is hard to check what key the CDNSKEY may belong to
+ # so let's skip this check for now.
+ fi
+
+ test "$_checksig" -eq 0 || check_signatures "CDS" "dig.out.$DIR.test$n.cds" "KSK"
+ test "$_checksig" -eq 0 || check_signatures "CDNSKEY" "dig.out.$DIR.test$n.cdnskey" "KSK"
+
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 }
 
 _find_dnskey() {
- _owner="${ZONE}."
- _alg="$(key_get $1 ALG_NUM)"
- _flags="$(key_get $1 FLAGS)"
- _key_file="$(key_get $1 BASEFILE).key"
+ _owner="${ZONE}."
+ _alg="$(key_get $1 ALG_NUM)"
+ _flags="$(key_get $1 FLAGS)"
+ _key_file="$(key_get $1 BASEFILE).key"
- awk '$1 == "'"$_owner"'" && $2 == "'"$DNSKEY_TTL"'" && $3 == "IN" && $4 == "DNSKEY" && $5 == "'"$_flags"'" && $6 == "3" && $7 == "'"$_alg"'" { print $8 }' < "$_key_file"
+ awk '$1 == "'"$_owner"'" && $2 == "'"$DNSKEY_TTL"'" && $3 == "IN" && $4 == "DNSKEY" && $5 == "'"$_flags"'" && $6 == "3" && $7 == "'"$_alg"'" { print $8 }' <"$_key_file"
 }
 
- # Test DNSKEY query.
 _check_apex_dnskey() {
- _dig_with_opts "$ZONE" "@${SERVER}" "DNSKEY" > "dig.out.$DIR.test$n" || return 1
- grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || return 1
-
- _checksig=0
-
- if [ "$(key_get KEY1 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" = "omnipresent" ]; then
- _pubkey=$(_find_dnskey KEY1)
- test -z "$_pubkey" && return 1
- grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
- _checksig=1
- elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
- _pubkey=$(_find_dnskey KEY1)
- test -z "$_pubkey" && return 1
- grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
- fi
-
- if [ "$(key_get KEY2 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DNSKEY)" = "omnipresent" ]; then
- _pubkey=$(_find_dnskey KEY2)
- test -z "$_pubkey" && return 1
- grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
- _checksig=1
- elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
- _pubkey=$(_find_dnskey KEY2)
- test -z "$_pubkey" && return 1
- grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
- fi
-
- if [ "$(key_get KEY3 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DNSKEY)" = "omnipresent" ]; then
- _pubkey=$(_find_dnskey KEY3)
- test -z "$_pubkey" && return 1
- grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
- _checksig=1
- elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
- _pubkey=$(_find_dnskey KEY3)
- test -z "$_pubkey" && return 1
- grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
- fi
-
- if [ "$(key_get KEY4 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DNSKEY)" = "omnipresent" ]; then
- _pubkey=$(_find_dnskey KEY4)
- test -z "$_pubkey" && return 1
- grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null || return 1
- _checksig=1
- elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
- _pubkey=$(_find_dnskey KEY4)
- test -z "$_pubkey" && return 1
- grep -F "$_pubkey" "dig.out.$DIR.test$n" > /dev/null && return 1
- fi
-
- test "$_checksig" -eq 0 && return 0
-
- _check_signatures "DNSKEY" "dig.out.$DIR.test$n" "KSK" || return 1
-
- return 0
+ _dig_with_opts "$ZONE" "@${SERVER}" "DNSKEY" >"dig.out.$DIR.test$n" || return 1
+ grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || return 1
+
+ _checksig=0
+
+ if [ "$(key_get KEY1 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY1 STATE_DNSKEY)" = "omnipresent" ]; then
+ _pubkey=$(_find_dnskey KEY1)
+ test -z "$_pubkey" && return 1
+ grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null || return 1
+ _checksig=1
+ elif [ "$(key_get KEY1 EXPECT)" = "yes" ]; then
+ _pubkey=$(_find_dnskey KEY1)
+ test -z "$_pubkey" && return 1
+ grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null && return 1
+ fi
+
+ if [ "$(key_get KEY2 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY2 STATE_DNSKEY)" = "omnipresent" ]; then
+ _pubkey=$(_find_dnskey KEY2)
+ test -z "$_pubkey" && return 1
+ grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null || return 1
+ _checksig=1
+ elif [ "$(key_get KEY2 EXPECT)" = "yes" ]; then
+ _pubkey=$(_find_dnskey KEY2)
+ test -z "$_pubkey" && return 1
+ grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null && return 1
+ fi
+
+ if [ "$(key_get KEY3 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY3 STATE_DNSKEY)" = "omnipresent" ]; then
+ _pubkey=$(_find_dnskey KEY3)
+ test -z "$_pubkey" && return 1
+ grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null || return 1
+ _checksig=1
+ elif [ "$(key_get KEY3 EXPECT)" = "yes" ]; then
+ _pubkey=$(_find_dnskey KEY3)
+ test -z "$_pubkey" && return 1
+ grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null && return 1
+ fi
+
+ if [ "$(key_get KEY4 STATE_DNSKEY)" = "rumoured" ] || [ "$(key_get KEY4 STATE_DNSKEY)" = "omnipresent" ]; then
+ _pubkey=$(_find_dnskey KEY4)
+ test -z "$_pubkey" && return 1
+ grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null || return 1
+ _checksig=1
+ elif [ "$(key_get KEY4 EXPECT)" = "yes" ]; then
+ _pubkey=$(_find_dnskey KEY4)
+ test -z "$_pubkey" && return 1
+ grep -F "$_pubkey" "dig.out.$DIR.test$n" >/dev/null && return 1
+ fi
+
+ test "$_checksig" -eq 0 && return 0
+
+ _check_signatures "DNSKEY" "dig.out.$DIR.test$n" "KSK" || return 1
+
+ return 0
 }
 
 # Test the apex of a configured zone. This checks that the SOA and DNSKEY
 # RRsets are signed correctly and with the appropriate keys.
 check_apex() {
- # Test DNSKEY query.
- n=$((n+1))
- echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)"
- ret=0
- retry_quiet 10 _check_apex_dnskey || ret=1
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
-
- # We retry the DNSKEY query for at most ten seconds to avoid test
- # failures due to timing issues. If the DNSKEY query check passes this
- # means the zone is resigned and further apex checks (SOA, CDS, CDNSKEY)
- # don't need to be retried quietly.
-
- # Test SOA query.
- n=$((n+1))
- echo_i "check SOA rrset is signed correctly for zone ${ZONE} ($n)"
- ret=0
- _dig_with_opts "$ZONE" "@${SERVER}" "SOA" > "dig.out.$DIR.test$n" || _log_error "dig ${ZONE} SOA failed"
- grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || _log_error "mismatch status in DNS response"
- grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*SOA.*" "dig.out.$DIR.test$n" > /dev/null || _log_error "missing SOA record in response"
- check_signatures "SOA" "dig.out.$DIR.test$n" "ZSK"
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
-
- # Test CDS and CDNSKEY publication.
- check_cds
+ # Test DNSKEY query.
+ n=$((n + 1))
+ echo_i "check DNSKEY rrset is signed correctly for zone ${ZONE} ($n)"
+ ret=0
+ retry_quiet 10 _check_apex_dnskey || ret=1
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
+
+ # We retry the DNSKEY query for at most ten seconds to avoid test
+ # failures due to timing issues. If the DNSKEY query check passes this
+ # means the zone is resigned and further apex checks (SOA, CDS, CDNSKEY)
+ # don't need to be retried quietly.
+
+ # Test SOA query.
+ n=$((n + 1))
+ echo_i "check SOA rrset is signed correctly for zone ${ZONE} ($n)"
+ ret=0
+ _dig_with_opts "$ZONE" "@${SERVER}" "SOA" >"dig.out.$DIR.test$n" || _log_error "dig ${ZONE} SOA failed"
+ grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || _log_error "mismatch status in DNS response"
+ grep "${ZONE}\..*${DEFAULT_TTL}.*IN.*SOA.*" "dig.out.$DIR.test$n" >/dev/null || _log_error "missing SOA record in response"
+ check_signatures "SOA" "dig.out.$DIR.test$n" "ZSK"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
+
+ # Test CDS and CDNSKEY publication.
+ check_cds
 }
 
 # Test an RRset below the apex and verify it is signed correctly.
 check_subdomain() {
- _qtype="A"
- n=$((n+1))
- echo_i "check ${_qtype} a.${ZONE} rrset is signed correctly for zone ${ZONE} ($n)"
- ret=0
- _dig_with_opts "a.$ZONE" "@${SERVER}" $_qtype > "dig.out.$DIR.test$n" || _log_error "dig a.${ZONE} ${_qtype} failed"
- grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || _log_error "mismatch status in DNS response"
- grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*10\.0\.0\.1" "dig.out.$DIR.test$n" > /dev/null || _log_error "missing a.${ZONE} ${_qtype} record in response"
- lines=$(get_keys_which_signed $_qtype "dig.out.$DIR.test$n" | wc -l)
- check_signatures $_qtype "dig.out.$DIR.test$n" "ZSK"
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ _qtype="A"
+ n=$((n + 1))
+ echo_i "check ${_qtype} a.${ZONE} rrset is signed correctly for zone ${ZONE} ($n)"
+ ret=0
+ _dig_with_opts "a.$ZONE" "@${SERVER}" $_qtype >"dig.out.$DIR.test$n" || _log_error "dig a.${ZONE} ${_qtype} failed"
+ grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || _log_error "mismatch status in DNS response"
+ grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*${_qtype}.*10\.0\.0\.1" "dig.out.$DIR.test$n" >/dev/null || _log_error "missing a.${ZONE} ${_qtype} record in response"
+ lines=$(get_keys_which_signed $_qtype "dig.out.$DIR.test$n" | wc -l)
+ check_signatures $_qtype "dig.out.$DIR.test$n" "ZSK"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 }
 
 # Check if "CDS/CDNSKEY Published" is logged.
 check_cdslog() {
- _dir=$1
- _zone=$2
- _key=$3
+ _dir=$1
+ _zone=$2
+ _key=$3
- _alg=$(key_get $_key ALG_STR)
- _id=$(key_get $_key ID)
+ _alg=$(key_get $_key ALG_STR)
+ _id=$(key_get $_key ID)
- n=$((n+1))
- echo_i "check CDS/CDNSKEY publication is logged in ${_dir}/named.run for key ${_zone}/${_alg}/${_id} ($n)"
- ret=0
+ n=$((n + 1))
+ echo_i "check CDS/CDNSKEY publication is logged in ${_dir}/named.run for key ${_zone}/${_alg}/${_id} ($n)"
+ ret=0
- grep "CDS for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
- grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" > /dev/null || ret=1
+ grep "CDS for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" >/dev/null || ret=1
+ grep "CDNSKEY for key ${_zone}/${_alg}/${_id} is now published" "${_dir}/named.run" >/dev/null || ret=1
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 }
 
 # Tell named that the DS for the key in given zone has been seen in the
 # parent (this does not actually has to be true, we just issue the command
 # to make named believe it can continue with the rollover).
 rndc_checkds() {
- _server=$1
- _dir=$2
- _key=$3
- _when=$4
- _what=$5
- _zone=$6
- _view=$7
-
- _keycmd=""
- if [ "${_key}" != "-" ]; then
- _keyid=$(key_get $_key ID)
- _keycmd=" -key ${_keyid}"
- fi
-
- _whencmd=""
- if [ "${_when}" != "now" ]; then
- _whencmd=" -when ${_when}"
- fi
-
- n=$((n+1))
- echo_i "calling rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} in ${_view} ($n)"
- ret=0
-
- _rndccmd $_server dnssec -checkds $_keycmd $_whencmd $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || _log_error "rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} failed"
-
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ _server=$1
+ _dir=$2
+ _key=$3
+ _when=$4
+ _what=$5
+ _zone=$6
+ _view=$7
+
+ _keycmd=""
+ if [ "${_key}" != "-" ]; then
+ _keyid=$(key_get $_key ID)
+ _keycmd=" -key ${_keyid}"
+ fi
+
+ _whencmd=""
+ if [ "${_when}" != "now" ]; then
+ _whencmd=" -when ${_when}"
+ fi
+
+ n=$((n + 1))
+ echo_i "calling rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} in ${_view} ($n)"
+ ret=0
+
+ _rndccmd $_server dnssec -checkds $_keycmd $_whencmd $_what $_zone in $_view >rndc.dnssec.checkds.out.$_zone.$n || _log_error "rndc dnssec -checkds${_keycmd}${_whencmd} ${_what} zone ${_zone} failed"
+
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 }
 
 # Tell named to schedule a key rollover.
 rndc_rollover() {
- _server=$1
- _dir=$2
- _keyid=$3
- _when=$4
- _zone=$5
- _view=$6
-
- _whencmd=""
- if [ "${_when}" != "now" ]; then
- _whencmd="-when ${_when}"
- fi
-
- n=$((n+1))
- echo_i "calling rndc dnssec -rollover key ${_keyid} ${_whencmd} zone ${_zone} ($n)"
- ret=0
-
- _rndccmd $_server dnssec -rollover -key $_keyid $_whencmd $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || _log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
-
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ _server=$1
+ _dir=$2
+ _keyid=$3
+ _when=$4
+ _zone=$5
+ _view=$6
+
+ _whencmd=""
+ if [ "${_when}" != "now" ]; then
+ _whencmd="-when ${_when}"
+ fi
+
+ n=$((n + 1))
+ echo_i "calling rndc dnssec -rollover key ${_keyid} ${_whencmd} zone ${_zone} ($n)"
+ ret=0
+
+ _rndccmd $_server dnssec -rollover -key $_keyid $_whencmd $_zone in $_view >rndc.dnssec.rollover.out.$_zone.$n || _log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
+
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
 }
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 8682f54..41949b7 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -17,20 +17,20 @@ echo_i "ns3/setup.sh"
 setup() {
- zone="$1"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- infile="${zone}.db.infile"
- echo "$zone" >> zones
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+ echo "$zone" >>zones
 }
 
 # Set in the key state files the Predecessor/Successor fields.
 # Key $1 is the predecessor of key $2.
 key_successor() {
- id1=$(keyfile_to_key_id "$1")
- id2=$(keyfile_to_key_id "$2")
- echo "Predecessor: ${id1}" >> "${2}.state"
- echo "Successor: ${id2}" >> "${1}.state"
+ id1=$(keyfile_to_key_id "$1")
+ id2=$(keyfile_to_key_id "$2")
+ echo "Predecessor: ${id1}" >>"${2}.state"
+ echo "Successor: ${id2}" >>"${1}.state"
 }
 
 # Make lines shorter by storing key states in environment variables.
@@ -43,94 +43,93 @@ U="UNRETENTIVE"
 # Set up zones that will be initially signed.
 #
 for zn in default dnssec-keygen some-keys legacy-keys pregenerated \
- rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \
- dynamic dynamic-inline-signing inline-signing \
- checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
- manual-rollover multisigner-model2
-do
- setup "${zn}.kasp"
- cp template.db.in "$zonefile"
+ rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \
+ dynamic dynamic-inline-signing inline-signing \
+ checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
+ manual-rollover multisigner-model2; do
+ setup "${zn}.kasp"
+ cp template.db.in "$zonefile"
 done
 
 #
 # Set up RSASHA1 based zones
 #
-for zn in rsasha1 rsasha1-nsec3
-do
- if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1)
- then
- setup "${zn}.kasp"
- cp template.db.in "$zonefile"
- else
- # don't add to zones.
- echo_i "setting up zone: ${zn}.kasp"
- cp template.db.in "${zn}.kasp.db"
- fi
+for zn in rsasha1 rsasha1-nsec3; do
+ if (
+ cd ..
+ $SHELL ../testcrypto.sh -q RSASHA1
+ ); then
+ setup "${zn}.kasp"
+ cp template.db.in "$zonefile"
+ else
+ # don't add to zones.
+ echo_i "setting up zone: ${zn}.kasp"
+ cp template.db.in "${zn}.kasp.db"
+ fi
 done
 
 if [ -f ../ed25519-supported.file ]; then
- setup "ed25519.kasp"
- cp template.db.in "$zonefile"
- cat ed25519.conf >> named.conf
+ setup "ed25519.kasp"
+ cp template.db.in "$zonefile"
+ cat ed25519.conf >>named.conf
 fi
 
 if [ -f ../ed448-supported.file ]; then
- setup "ed448.kasp"
- cp template.db.in "$zonefile"
- cat ed448.conf >> named.conf
+ setup "ed448.kasp"
+ cp template.db.in "$zonefile"
+ cat ed448.conf >>named.conf
 fi
 
 # Set up zones that stay unsigned.
-for zn in unsigned insecure max-zone-ttl
-do
- zone="${zn}.kasp"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- infile="${zone}.db.infile"
- cp template.db.in $infile
- cp template.db.in $zonefile
+for zn in unsigned insecure max-zone-ttl; do
+ zone="${zn}.kasp"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+ cp template.db.in $infile
+ cp template.db.in $zonefile
 done
 
 # Some of these zones already have keys.
 zone="dnssec-keygen.kasp"
 echo_i "setting up zone: $zone"
-$KEYGEN -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -k rsasha256 -l policies/kasp.conf $zone >keygen.out.$zone.1 2>&1
 
 zone="some-keys.kasp"
 echo_i "setting up zone: $zone"
-$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 $zone > keygen.out.$zone.1 2>&1
-$KEYGEN -G -a RSASHA256 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1
+$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 $zone >keygen.out.$zone.1 2>&1
+$KEYGEN -G -a RSASHA256 -f KSK -L 1234 $zone >keygen.out.$zone.2 2>&1
 
 zone="legacy-keys.kasp"
 echo_i "setting up zone: $zone"
-ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1)
-KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.2)
-echo $ZSK > legacy-keys.kasp.zsk
-echo $KSK > legacy-keys.kasp.ksk
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2>keygen.out.$zone.1)
+KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2>keygen.out.$zone.2)
+echo $ZSK >legacy-keys.kasp.zsk
+echo $KSK >legacy-keys.kasp.ksk
 # Predecessor keys:
 Tact="now-9mo"
 Tret="now-3mo"
-ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.3)
-KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.4)
-$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK" > settime.out.$zone.1 2>&1
-$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK" > settime.out.$zone.2 2>&1
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2>keygen.out.$zone.3)
+KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2>keygen.out.$zone.4)
+$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK" >settime.out.$zone.1 2>&1
+$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK" >settime.out.$zone.2 2>&1
 
 zone="pregenerated.kasp"
 echo_i "setting up zone: $zone"
-$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
-$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
+$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone >keygen.out.$zone.1 2>&1
+$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone >keygen.out.$zone.2 2>&1
 
 zone="multisigner-model2.kasp"
 echo_i "setting up zone: $zone"
 # Import the ZSK sets of the other providers into their DNSKEY RRset.
-ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.1)
-ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.2)
+ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2>keygen.out.$zone.1)
+ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2>keygen.out.$zone.2)
 # ZSK1 will be added to the unsigned zonefile.
-cat "../${ZSK1}.key" | grep -v ";.*" >> "${zone}.db"
-cat "../${ZSK1}.key" | grep -v ";.*" > "${zone}.zsk1"
+cat "../${ZSK1}.key" | grep -v ";.*" >>"${zone}.db"
+cat "../${ZSK1}.key" | grep -v ";.*" >"${zone}.zsk1"
 rm -f "../${ZSK1}.*"
 # ZSK2 will be used with a Dynamic Update.
-cat "../${ZSK2}.key" | grep -v ";.*" > "${zone}.zsk2"
+cat "../${ZSK2}.key" | grep -v ";.*" >"${zone}.zsk2"
 rm -f "../${ZSK2}.*"
 
 zone="rumoured.kasp"
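Review bot: The cleanup lines `rm -f "../${ZSK1}.*"` and `rm -f "../${ZSK2}.*"` at the end of the multisigner-model2 section never remove anything: the `*` sits inside double quotes, so rm receives it as a literal filename instead of a glob, and `-f` hides the resulting no-such-file error. The key material that `$KEYGEN -K ../` wrote to the parent directory, including the `.private` files, is therefore left behind after its public half has been copied into `${zone}.db` and `${zone}.zsk1`/`${zone}.zsk2`, which is the opposite of what the surrounding comments describe. `rm -f ../"${ZSK1}".*` and `rm -f ../"${ZSK2}".*` would let the shell expand the suffix as intended. Separately, the `cd ..` inside the new `if ( … )` subshell in the rsasha1 loop is unchecked, so a failed cd would run `$SHELL ../testcrypto.sh -q RSASHA1` from the wrong directory and the crypto-support probe would answer the wrong question; `cd .. || exit 1` on that line makes the failure visible instead.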
@@ -138,12 +137,12 @@ echo_i "setting up zone: $zone"
 Tpub="now"
 Tact="now+1d"
 keytimes="-P ${Tpub} -A ${Tact}"
-KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $keytimes $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes $zone 2> keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a RSASHA256 -L 1234 $keytimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.2 2>&1
+KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $keytimes $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes $zone 2>keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a RSASHA256 -L 1234 $keytimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" >settime.out.$zone.2 2>&1
 
 #
 # Set up zones that are already signed.
@@ -154,78 +153,78 @@ setup manual-rollover.kasp
 T="now-1d"
 ksktimes="-P $T -A $T -P sync $T"
 zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # These signatures are set to expire long in the past, update immediately.
 setup expired-sigs.autosign
 T="now-6mo"
 ksktimes="-P $T -A $T -P sync $T"
 zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # These signatures are still good, and can be reused.
 setup fresh-sigs.autosign
 T="now-6mo"
 ksktimes="-P $T -A $T -P sync $T"
 zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # These signatures are still good, but not fresh enough, update immediately.
 setup unfresh-sigs.autosign
 T="now-6mo"
 ksktimes="-P $T -A $T -P sync $T"
 zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # These signatures are still good, but the private KSK is missing.
 setup ksk-missing.autosign
 T="now-6mo"
 ksktimes="-P $T -A $T -P sync $T"
 zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
-echo "KSK: yes" >> "${KSK}".state
-echo "ZSK: no" >> "${KSK}".state
-echo "Lifetime: 63072000" >> "${KSK}".state # PT2Y
+$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+echo "KSK: yes" >>"${KSK}".state
+echo "ZSK: no" >>"${KSK}".state
+echo "Lifetime: 63072000" >>"${KSK}".state # PT2Y
 rm -f "${KSK}".private
 
 # These signatures are still good, but the private ZSK is missing.
@@ -233,18 +232,18 @@ setup zsk-missing.autosign
 T="now-6mo"
 ksktimes="-P $T -A $T -P sync $T"
 zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
-echo "KSK: no" >> "${ZSK}".state
-echo "ZSK: yes" >> "${ZSK}".state
-echo "Lifetime: 31536000" >> "${ZSK}".state # PT1Y
+$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+echo "KSK: no" >>"${ZSK}".state
+echo "ZSK: yes" >>"${ZSK}".state
+echo "Lifetime: 31536000" >>"${ZSK}".state # PT1Y
 rm -f "${ZSK}".private
 
 # These signatures are already expired, and the private ZSK is retired.
@@ -252,16 +251,16 @@ setup zsk-retired.autosign
 T="now-6mo"
 ksktimes="-P $T -A $T -P sync $T"
 zsktimes="-P $T -A $T -I now"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
-$SETTIME -s -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1
+$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+$SETTIME -s -g HIDDEN "$ZSK" >settime.out.$zone.3 2>&1
 
 #
 # The zones at enable-dnssec.autosign represent the various steps of the
@@ -289,12 +288,12 @@ TpubN="now-900s" # Total: 43800 seconds TsbmN="now+43800s" keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" -CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 3: # The zone signatures have been published long enough to become OMNIPRESENT. 
@@ -306,12 +305,12 @@ TcotN="now-43800s" # We can submit the DS now. TsbmN="now" keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" -CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 4: # The DS has been submitted long enough ago to become OMNIPRESENT. 
@@ -326,12 +325,12 @@ TpubN="now-56700s" TcotN="now-55800s" TsbmN="now-12000s" keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}" -CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -P ds $TsbmN -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" > settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -P ds $TsbmN -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 setup step4.enable-dnssec.autosign # 
@@ -345,15 +344,15 @@ setup step1.zsk-prepub.autosign TactN="now" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 2: # It is time to pre-publish the successor ZSK. 
@@ -385,15 +384,15 @@ setup step2.zsk-prepub.autosign TactN="now-694h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 3: # After the publication interval has passed the DNSKEY of the successor ZSK 
@@ -442,21 +441,21 @@ TremN1="now+961h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" > settime.out.$zone.3 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $ZSK1 $ZSK2 # Sign zone. 
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" +cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 4: # After the retire interval has passed the predecessor DNSKEY can be 
@@ -505,18 +504,18 @@ TremN1="now+30d" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $O $TactN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.3 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $O $TactN -z $U $TretN "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $ZSK1 $ZSK2 # Sign zone. -cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" +cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile" cp $infile $zonefile -$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 5: # The predecessor DNSKEY is removed long enough that is has become HIDDEN. 
@@ -541,21 +540,21 @@ TremN1="now+719h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $U $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $U $TdeaN -z $H $TdeaN "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $ZSK1 $ZSK2 # Sign zone. 
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" +cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 6: # The predecessor DNSKEY can be purged. 
@@ -580,21 +579,21 @@ TremN1="now+718h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2) -ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $H -k $H $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1 +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2) +ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $H -k $H $TdeaN -z $H $TdeaN "$ZSK1" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $ZSK1 $ZSK2 # Sign zone. 
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile" +cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # # The zones at ksk-doubleksk.autosign represent the various steps of a KSK 
@@ -607,13 +606,13 @@ setup step1.ksk-doubleksk.autosign TactN="now" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 2: # It is time to submit the introduce the new KSK. 
@@ -657,15 +656,15 @@ setup step2.ksk-doubleksk.autosign TactN="now-1413h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}" zsktimes="-P ${TactN} -A ${TactN}" -KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1 -cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1 +cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 3: # It is time to submit the DS. 
@@ -718,21 +717,21 @@ TremN1="now+1490h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" zsktimes="-P ${TactN} -A ${TactN}" -KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 +KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $KSK1 $KSK2 # Sign zone. 
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 4: # The DS should be swapped now. 
@@ -779,21 +778,21 @@ TremN1="now+60d" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" zsktimes="-P ${TactN} -A ${TactN}" -KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 +KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $KSK1 $KSK2 # Sign zone. 
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 5: # The predecessor DNSKEY is removed long enough that is has become HIDDEN. 
@@ -818,21 +817,21 @@ TremN1="now+1442h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" zsktimes="-P ${TactN} -A ${TactN}" -KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 +KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $KSK1 $KSK2 # Sign zone. 
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 6: # The predecessor DNSKEY can be purged. 
@@ -857,21 +856,21 @@ TremN1="now+1441h" ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}" zsktimes="-P ${TactN} -A ${TactN}" -KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1) -KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2) -ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3) -$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1 -$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1 +KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1) +KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2) +ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3) +$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1 +$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1 # Set key rollover relationship. key_successor $KSK1 $KSK2 # Sign zone. 
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile" +cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # # The zones at csk-roll.autosign represent the various steps of a CSK rollover 
@@ -883,12 +882,12 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil setup step1.csk-roll.autosign TactN="now" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" -CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 2: # It is time to introduce the new CSK. 
@@ -911,12 +910,12 @@ setup step2.csk-roll.autosign # = now - 4464h + 3h = now - 4461h TactN="now-4461h" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}" -CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1 -cat template.db.in "${CSK}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile" +CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1 +cat template.db.in "${CSK}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 3: # It is time to submit the DS and to roll signatures. 
@@ -960,18 +959,18 @@ TretN1="now+186d" TremN1="now+5091h" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 4: # Some time later all the ZRRSIG records should be from the new CSK, and the 
@@ -1007,18 +1006,18 @@ TretN1="now+4460h" TremN1="now+5087h" csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}" newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}" -CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1 # Set key rollover relationship. key_successor $CSK1 $CSK2 # Sign zone. -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # Step 5: # After the DS is swapped in step 4, also the KRRSIG records can be removed. 
@@ -1043,18 +1042,18 @@ TretN1="now+4458h"
 TremN1="now+5085h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 6:
 # After the retire interval has passed the predecessor DNSKEY can be
@@ -1087,18 +1086,18 @@ TretN1="now+3837h"
 TremN1="now+186d"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 7:
 # Some time later the predecessor DNSKEY enters the HIDDEN state.
@@ -1122,18 +1121,18 @@ TretN1="now+3835h"
 TremN1="now+4462h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 8:
 # The predecessor DNSKEY can be purged.
@@ -1157,18 +1156,18 @@ TretN1="now+3834h"
 TremN1="now+4461h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 #
 # The zones at csk-roll2.autosign represent the various steps of a CSK rollover
@@ -1182,12 +1181,12 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $i
 setup step1.csk-roll2.autosign
 TactN="now"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 2:
 # It is time to introduce the new CSK.
@@ -1210,12 +1209,12 @@ setup step2.csk-roll2.autosign
 # = now - 4464h + 3h = now - 4461h
 TactN="now-4461h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 3:
 # It is time to submit the DS and to roll signatures.
@@ -1259,18 +1258,18 @@ TretN1="now+186d"
 TremN1="now+4634h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 4:
 # Some time later all the ZRRSIG records should be from the new CSK, and the
@@ -1307,18 +1306,18 @@ TretN1="now+4426h"
 TremN1="now+4429h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $R $TactN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $R $TactN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 5:
 # Some time later the DS can be swapped and the old DNSKEY can be removed from
@@ -1344,18 +1343,18 @@ TretN1="now+4294h"
 TremN1="now+4360h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $O now-133h -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $O now-133h -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 6:
 # Some time later the predecessor DNSKEY enters the HIDDEN state.
@@ -1380,18 +1379,18 @@ TretN1="now+4292h"
 TremN1="now+4358h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 7:
 # The predecessor DNSKEY can be purged, but purge-keys is disabled.
@@ -1415,18 +1414,18 @@ TretN1="now+2134h"
 TremN1="now+2200h"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
 # Set key rollover relationship.
 key_successor $CSK1 $CSK2
 # Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Test #2375, the "three is a crowd" bug, where a new key is introduced but the
 # previous rollover has not finished yet. In other words, we have a key KEY2
@@ -1453,18 +1452,18 @@ TremN1="now+1490h"
 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
 newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
 zsktimes="-P ${TactN} -A ${TactN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
 # Set key rollover relationship.
 key_successor $KSK1 $KSK2
 # Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
diff --git a/bin/tests/system/kasp/ns4/setup.sh b/bin/tests/system/kasp/ns4/setup.sh
index 45cb5b3..58d696a 100644
--- a/bin/tests/system/kasp/ns4/setup.sh
+++ b/bin/tests/system/kasp/ns4/setup.sh
@@ -20,13 +20,12 @@ echo_i "ns4/setup.sh"
 # Set up zones that potentially will be initially signed.
 #
 for zn in inherit.inherit override.inherit none.inherit \
- inherit.override override.override none.override \
- inherit.none override.none none.none
-do
- zone="$zn.signed"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- cp template.db.in $zonefile
+ inherit.override override.override none.override \
+ inherit.none override.none none.none; do
+ zone="$zn.signed"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ cp template.db.in $zonefile
 done
 
 cp example1.db.in example1.db
diff --git a/bin/tests/system/kasp/ns5/setup.sh b/bin/tests/system/kasp/ns5/setup.sh
index e51af06..fb00a25 100644
--- a/bin/tests/system/kasp/ns5/setup.sh
+++ b/bin/tests/system/kasp/ns5/setup.sh
@@ -20,11 +20,10 @@ echo_i "ns5/setup.sh"
 # Set up zones that potentially will be initially signed.
 #
 for zn in inherit.inherit override.inherit none.inherit \
- inherit.override override.override none.override \
- inherit.none override.none none.none
-do
- zone="$zn.unsigned"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- cp template.db.in $zonefile
+ inherit.override override.override none.override \
+ inherit.none override.none none.none; do
+ zone="$zn.unsigned"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ cp template.db.in $zonefile
 done
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
index 3a18750..dacdbec 100644
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@@ -17,10 +17,10 @@ echo_i "ns6/setup.sh"
 
 setup() {
- zone="$1"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- infile="${zone}.db.infile"
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
 }
 
 # Make lines shorter by storing key states in environment variables.
@@ -31,57 +31,56 @@ U="UNRETENTIVE"
 
 # The child zones (step1, step2) beneath these zones represent the various
 # steps of unsigning a zone.
-for zn in going-insecure.kasp going-insecure-dynamic.kasp
-do
- # Step 1:
- # Set up a zone with dnssec-policy that is going insecure.
- setup step1.$zn
- echo "$zone" >> zones
- T="now-10d"
- ksktimes="-P $T -A $T -P sync $T"
- zsktimes="-P $T -A $T"
- KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
- ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
- cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
- cp $infile $zonefile
- $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+for zn in going-insecure.kasp going-insecure-dynamic.kasp; do
+ # Step 1:
+ # Set up a zone with dnssec-policy that is going insecure.
+ setup step1.$zn
+ echo "$zone" >>zones
+ T="now-10d"
+ ksktimes="-P $T -A $T -P sync $T"
+ zsktimes="-P $T -A $T"
+ KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2)
+ cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
- # Step 2:
- # Set up a zone with dnssec-policy that is going insecure. Don't add
- # this zone to the zones file, because this zone is no longer expected
- # to be fully signed.
- setup step2.$zn
- # The DS was withdrawn from the parent zone 26 hours ago.
- Trem="now-26h"
- ksktimes="-P $T -A $T -P sync $T"
- zsktimes="-P $T -A $T"
- KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
- ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
- $SETTIME -s -g $H -k $O $T -r $O $T -d $U $Trem -D ds $Trem "$KSK" > settime.out.$zone.1 2>&1
- $SETTIME -s -g $H -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
- # Fake lifetime of old algorithm keys.
- echo "Lifetime: 0" >> "${KSK}.state"
- echo "Lifetime: 5184000" >> "${ZSK}.state"
- cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
- cp $infile $zonefile
- $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+ # Step 2:
+ # Set up a zone with dnssec-policy that is going insecure. Don't add
+ # this zone to the zones file, because this zone is no longer expected
+ # to be fully signed.
+ setup step2.$zn
+ # The DS was withdrawn from the parent zone 26 hours ago.
+ Trem="now-26h"
+ ksktimes="-P $T -A $T -P sync $T"
+ zsktimes="-P $T -A $T"
+ KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $O $T -r $O $T -d $U $Trem -D ds $Trem "$KSK" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $H -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+ # Fake lifetime of old algorithm keys.
+ echo "Lifetime: 0" >>"${KSK}.state"
+ echo "Lifetime: 5184000" >>"${ZSK}.state"
+ cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 done
 
 # This zone is going straight to "none" policy. This is undefined behavior.
 setup step1.going-straight-to-none.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
 TactN="now"
 csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
-CSK=$($KEYGEN -k default $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k default $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 #
 # The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
@@ -91,19 +90,19 @@ $SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
 # Step 1:
 # Introduce the first key. This will immediately be active.
 setup step1.algorithm-roll.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
 TactN="now"
 ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
 zsktimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone 8 "$KSK" >> "$infile"
-private_type_record $zone 8 "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone 8 "$KSK" >>"$infile"
+private_type_record $zone 8 "$ZSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 2:
 # After the publication interval has passed the DNSKEY is OMNIPRESENT.
@@ -118,24 +117,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
 zsk1times="-P ${TactN} -A ${TactN} -I now"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
 # Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${KSK1}.state"
-echo "Lifetime: 0" >> "${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 8 "$KSK1" >> "$infile"
-private_type_record $zone 8 "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 3:
 # The zone signatures are also OMNIPRESENT.
@@ -149,24 +148,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
 zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
 # Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${KSK1}.state"
-echo "Lifetime: 0" >> "${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 8 "$KSK1" >> "$infile"
-private_type_record $zone 8 "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 4:
 # The DS is swapped and can become OMNIPRESENT.
@@ -181,24 +180,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
 zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
 # Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${KSK1}.state"
-echo "Lifetime: 0" >> "${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 8 "$KSK1" >> "$infile"
-private_type_record $zone 8 "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 5:
 # The DNSKEY is removed long enough to be HIDDEN.
@@ -214,24 +213,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
 zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
 # Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${KSK1}.state"
-echo "Lifetime: 0" >> "${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 8 "$KSK1" >> "$infile"
-private_type_record $zone 8 "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 6:
 # The RRSIGs have been removed long enough to be HIDDEN.
@@ -248,24 +247,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
 zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
 ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
 zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
-$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
 # Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${KSK1}.state"
-echo "Lifetime: 0" >> "${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 8 "$KSK1" >> "$infile"
-private_type_record $zone 8 "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 #
 # The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
@@ -275,15 +274,15 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
 # Step 1:
 # Introduce the first key. This will immediately be active.
 setup step1.csk-algorithm-roll.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
 TactN="now"
 csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone 5 "$CSK" >> "$infile"
+CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone 5 "$CSK" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 2:
 # After the publication interval has passed the DNSKEY is OMNIPRESENT.
@@ -293,17 +292,17 @@ TactN="now-3h"
 TpubN1="now-3h"
 csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
 newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone 5 "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 3:
 # The zone signatures are also OMNIPRESENT.
@@ -315,17 +314,17 @@ TpubN1="now-9h"
 TactN1="now-6h"
 csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
 newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone 5 "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 4:
 # The DS is swapped and can become OMNIPRESENT.
@@ -338,17 +337,17 @@ TactN1="now-35h"
 TsubN1="now-29h"
 csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
 newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" >settime.out.$zone.2 2>&1
 # Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone 5 "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 5:
 # The DNSKEY is removed long enough to be HIDDEN.
@@ -362,17 +361,17 @@ TactN1="now-37h"
 TsubN1="now-31h"
 csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
 newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" >settime.out.$zone.2 2>&1
 # Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone 5 "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
 cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
 
 # Step 6:
 # The RRSIGs have been removed long enough to be HIDDEN.
@@ -387,22 +386,22 @@ TactN1="now-44h" TsubN1="now-38h" csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}" newtimes="-P ${TpubN1} -A ${TpubN1}" -CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1) -CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2) -$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1 -$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1 +CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1) +CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2) +$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1 +$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1 # Fake lifetime of old algorithm keys. -echo "Lifetime: 0" >> "${CSK1}.state" -cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile" -private_type_record $zone 5 "$CSK1" >> "$infile" -private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile" +echo "Lifetime: 0" >>"${CSK1}.state" +cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile" +private_type_record $zone 5 "$CSK1" >>"$infile" +private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile" cp $infile $zonefile -$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1 +$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1 # # Reload testing # -echo "example" >> zones +echo "example" >>zones cp example.db.in example.db setup "dynamic2inline.kasp" diff --git a/bin/tests/system/kasp/prereq.sh b/bin/tests/system/kasp/prereq.sh index 9c5d879..a460a18 100644 --- a/bin/tests/system/kasp/prereq.sh +++ b/bin/tests/system/kasp/prereq.sh 
@@ -15,7 +15,7 @@ SYSTEMTESTTOP=.. . $SYSTEMTESTTOP/conf.sh if ! test -n "$PYTHON"; then - echo_i "This test requires Python." - exit 1 + echo_i "This test requires Python." + exit 1 fi exit 0 diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh index d3f4329..af3bd53 100644 --- a/bin/tests/system/kasp/setup.sh +++ b/bin/tests/system/kasp/setup.sh 
@@ -21,60 +21,57 @@ $SHELL clean.sh mkdir keys copy_setports ns2/named.conf.in ns2/named.conf -if ! $SHELL ../testcrypto.sh -q RSASHA1 -then - copy_setports ns3/named-fips.conf.in ns3/named.conf +if ! $SHELL ../testcrypto.sh -q RSASHA1; then + copy_setports ns3/named-fips.conf.in ns3/named.conf else - copy_setports ns3/named-fips.conf.in ns3/named-fips.conf - copy_setports ns3/named.conf.in ns3/named.conf + copy_setports ns3/named-fips.conf.in ns3/named-fips.conf + copy_setports ns3/named.conf.in ns3/named.conf fi copy_setports ns4/named.conf.in ns4/named.conf copy_setports ns5/named.conf.in ns5/named.conf copy_setports ns6/named.conf.in ns6/named.conf if $SHELL ../testcrypto.sh ed25519; then - echo "yes" > ed25519-supported.file + echo "yes" >ed25519-supported.file fi if $SHELL ../testcrypto.sh ed448; then - echo "yes" > ed448-supported.file + echo "yes" >ed448-supported.file fi copy_setports ns3/policies/autosign.conf.in ns3/policies/autosign.conf copy_setports ns3/policies/kasp-fips.conf.in ns3/policies/kasp-fips.conf copy_setports ns3/policies/kasp.conf.in ns3/policies/kasp.conf -if ! $SHELL ../testcrypto.sh -q RSASHA1 -then - cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf +if ! $SHELL ../testcrypto.sh -q RSASHA1; then + cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf fi copy_setports ns6/policies/csk1.conf.in ns6/policies/csk1.conf copy_setports ns6/policies/csk2.conf.in ns6/policies/csk2.conf copy_setports ns6/policies/kasp-fips.conf.in ns6/policies/kasp-fips.conf copy_setports ns6/policies/kasp.conf.in ns6/policies/kasp.conf -if ! $SHELL ../testcrypto.sh -q RSASHA1 -then - cp ns6/policies/kasp-fips.conf ns6/policies/kasp.conf +if ! 
$SHELL ../testcrypto.sh -q RSASHA1; then + cp ns6/policies/kasp-fips.conf ns6/policies/kasp.conf fi # Setup zones ( - cd ns2 - $SHELL setup.sh + cd ns2 + $SHELL setup.sh ) ( - cd ns3 - $SHELL setup.sh + cd ns3 + $SHELL setup.sh ) ( - cd ns4 - $SHELL setup.sh + cd ns4 + $SHELL setup.sh ) ( - cd ns5 - $SHELL setup.sh + cd ns5 + $SHELL setup.sh ) ( - cd ns6 - $SHELL setup.sh + cd ns6 + $SHELL setup.sh ) diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh index 4d3bda7..9f94b01 100644 --- a/bin/tests/system/kasp/tests.sh +++ b/bin/tests/system/kasp/tests.sh @@ -28,22 +28,22 @@ n=0 # Call dig with default options. dig_with_opts() { - if [ -n "$TSIG" ]; then - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" - else - "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" - fi + if [ -n "$TSIG" ]; then + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@" + else + "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@" + fi } # RNDC. rndccmd() { - "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@" + "$RNDC" -c "$SYSTEMTESTTOP/common/rndc.conf" -p "$CONTROLPORT" -s "$@" } # Log error and increment failure rate. log_error() { - echo_i "error: $1" - ret=$((ret+1)) + echo_i "error: $1" + ret=$((ret + 1)) } # Default next key event threshold. May be extended by wait periods. 
@@ -60,93 +60,93 @@ set_zone "kasp" set_policy "kasp" "4" "200" set_server "keys" "10.53.0.1" -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)" ret=0 -$KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 -lines=$(wc -l < "keygen.out.$POLICY.test$n") +$KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" >"keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 +lines=$(wc -l <"keygen.out.$POLICY.test$n") test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy kasp: $lines" # Temporarily don't log errors because we are searching multiple files. disable_logerror # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "31536000" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "31536000" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keyrole "KEY2" "ksk" -set_keylifetime "KEY2" "31536000" +set_keyrole "KEY2" "ksk" +set_keylifetime "KEY2" "31536000" set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" -set_keysigning "KEY2" "yes" -set_zonesigning "KEY2" "no" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "2592000" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "2592000" set_keyalgorithm "KEY3" "8" "RSASHA256" "2048" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "yes" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "yes" -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "16070400" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "16070400" set_keyalgorithm "KEY4" "8" "RSASHA256" "3072" -set_keysigning "KEY4" "no" -set_zonesigning "KEY4" "yes" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "yes" lines=$(get_keyids "$DIR" "$ZONE" | wc -l) test "$lines" -eq $NUM_KEYS || log_error "bad number of key ids" ids=$(get_keyids "$DIR" "$ZONE") for 
id in $ids; do - # There are four key files with the same algorithm. - # Check them until a match is found. - ret=0 && check_key "KEY1" "$id" - test "$ret" -eq 0 && continue + # There are four key files with the same algorithm. + # Check them until a match is found. + ret=0 && check_key "KEY1" "$id" + test "$ret" -eq 0 && continue - ret=0 && check_key "KEY2" "$id" - test "$ret" -eq 0 && continue + ret=0 && check_key "KEY2" "$id" + test "$ret" -eq 0 && continue - ret=0 && check_key "KEY3" "$id" - test "$ret" -eq 0 && continue + ret=0 && check_key "KEY3" "$id" + test "$ret" -eq 0 && continue - ret=0 && check_key "KEY4" "$id" + ret=0 && check_key "KEY4" "$id" - # If ret is still non-zero, non of the files matched. - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + # If ret is still non-zero, non of the files matched. + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) done # Turn error logs on again. enable_logerror -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)" ret=0 set_zone "kasp" set_policy "default" "1" "3600" set_server "." "10.53.0.1" # Key properties. 
-set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" -$KEYGEN -G -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 -lines=$(wc -l < "keygen.out.$POLICY.test$n") +$KEYGEN -G -k "$POLICY" "$ZONE" >"keygen.out.$POLICY.test$n" 2>/dev/null || ret=1 +lines=$(wc -l <"keygen.out.$POLICY.test$n") test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy default: $lines" ids=$(get_keyids "$DIR" "$ZONE") for id in $ids; do - check_key "KEY1" "$id" - test "$ret" -eq 0 && key_save KEY1 - check_keytimes + check_key "KEY1" "$id" + test "$ret" -eq 0 && key_save KEY1 + check_keytimes done test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # dnssec-settime 
@@ -155,69 +155,69 @@ status=$((status+ret)) # These test builds upon the latest created key with dnssec-keygen and uses the # environment variables BASE_FILE, KEY_FILE, PRIVATE_FILE and STATE_FILE. CMP_FILE="${BASE_FILE}.cmp" -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-settime' by default does not edit key state file ($n)" ret=0 cp "$STATE_FILE" "$CMP_FILE" -$SETTIME -P +3600 "$BASE_FILE" > /dev/null || log_error "settime failed" -grep "; Publish: " "$KEY_FILE" > /dev/null || log_error "mismatch published in $KEY_FILE" -grep "Publish: " "$PRIVATE_FILE" > /dev/null || log_error "mismatch published in $PRIVATE_FILE" +$SETTIME -P +3600 "$BASE_FILE" >/dev/null || log_error "settime failed" +grep "; Publish: " "$KEY_FILE" >/dev/null || log_error "mismatch published in $KEY_FILE" +grep "Publish: " "$PRIVATE_FILE" >/dev/null || log_error "mismatch published in $PRIVATE_FILE" $DIFF "$CMP_FILE" "$STATE_FILE" || log_error "unexpected file change in $STATE_FILE" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-settime -s' also sets publish time metadata and states in key state file ($n)" ret=0 cp "$STATE_FILE" "$CMP_FILE" now=$(date +%Y%m%d%H%M%S) -$SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keystate "KEY1" "GOAL" "omnipresent" +$SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" >/dev/null || log_error "settime failed" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" check_key "KEY1" "$id" test "$ret" -eq 0 && key_save KEY1 -set_keytime "KEY1" 
"PUBLISHED" "${now}" +set_keytime "KEY1" "PUBLISHED" "${now}" check_keytimes test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-settime -s' also unsets publish time metadata and states in key state file ($n)" ret=0 cp "$STATE_FILE" "$CMP_FILE" -$SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keystate "KEY1" "GOAL" "none" +$SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" >/dev/null || log_error "settime failed" +set_keystate "KEY1" "GOAL" "none" set_keystate "KEY1" "STATE_DNSKEY" "none" set_keystate "KEY1" "STATE_KRRSIG" "none" set_keystate "KEY1" "STATE_ZRRSIG" "none" -set_keystate "KEY1" "STATE_DS" "none" +set_keystate "KEY1" "STATE_DS" "none" check_key "KEY1" "$id" test "$ret" -eq 0 && key_save KEY1 -set_keytime "KEY1" "PUBLISHED" "none" +set_keytime "KEY1" "PUBLISHED" "none" check_keytimes test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "check that 'dnssec-settime -s' also sets active time metadata and states in key state file (uppercase) ($n)" ret=0 cp "$STATE_FILE" "$CMP_FILE" now=$(date +%Y%m%d%H%M%S) -$SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed" -set_keystate "KEY1" "GOAL" "hidden" +$SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" >/dev/null || log_error "settime failed" +set_keystate "KEY1" "GOAL" "hidden" set_keystate "KEY1" "STATE_DNSKEY" "unretentive" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" -set_keystate "KEY1" "STATE_DS" "omnipresent" 
+set_keystate "KEY1" "STATE_DS" "omnipresent" check_key "KEY1" "$id" test "$ret" -eq 0 && key_save KEY1 -set_keytime "KEY1" "ACTIVE" "${now}" +set_keytime "KEY1" "ACTIVE" "${now}" check_keytimes test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # named 
@@ -227,53 +227,51 @@ status=$((status+ret)) # added as part of the last step in signing a zone. We wait for the # NSEC records to appear before proceeding with a counter to prevent # infinite loops if there is an error. -n=$((n+1)) +n=$((n + 1)) echo_i "waiting for kasp signing changes to take effect ($n)" _wait_for_done_apexnsec() { - while read -r zone - do - dig_with_opts "$zone" @10.53.0.3 nsec > "dig.out.ns3.test$n.$zone" || return 1 - grep "NS SOA" "dig.out.ns3.test$n.$zone" > /dev/null || return 1 - grep "$zone\..*IN.*RRSIG" "dig.out.ns3.test$n.$zone" > /dev/null || return 1 - done < ns3/zones - - while read -r zone - do - dig_with_opts "$zone" @10.53.0.6 nsec > "dig.out.ns6.test$n.$zone" || return 1 - grep "NS SOA" "dig.out.ns6.test$n.$zone" > /dev/null || return 1 - grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" > /dev/null || return 1 - done < ns6/zones - - return 0 + while read -r zone; do + dig_with_opts "$zone" @10.53.0.3 nsec >"dig.out.ns3.test$n.$zone" || return 1 + grep "NS SOA" "dig.out.ns3.test$n.$zone" >/dev/null || return 1 + grep "$zone\..*IN.*RRSIG" "dig.out.ns3.test$n.$zone" >/dev/null || return 1 + done <ns3/zones + + while read -r zone; do + dig_with_opts "$zone" @10.53.0.6 nsec >"dig.out.ns6.test$n.$zone" || return 1 + grep "NS SOA" "dig.out.ns6.test$n.$zone" >/dev/null || return 1 + grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" >/dev/null || return 1 + done <ns6/zones + + return 0 } retry_quiet 30 _wait_for_done_apexnsec || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Test max-zone-ttl rejects zones with too high TTL. 
-n=$((n+1)) +n=$((n + 1)) echo_i "check that max-zone-ttl rejects zones with too high TTL ($n)" ret=0 set_zone "max-zone-ttl.kasp" -grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" > /dev/null || ret=1 +grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" >/dev/null || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Zone: default.kasp. # set_keytimes_csk_policy() { - # The first key is immediately published and activated. - created=$(key_get KEY1 CREATED) - set_keytime "KEY1" "PUBLISHED" "${created}" - set_keytime "KEY1" "ACTIVE" "${created}" - # The DS can be published if the DNSKEY and RRSIG records are - # OMNIPRESENT. This happens after max-zone-ttl (1d) plus - # publish-safety (1h) plus zone-propagation-delay (300s) = - # 86400 + 3600 + 300 = 90300. - set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300 - # Key lifetime is unlimited, so not setting RETIRED and REMOVED. + # The first key is immediately published and activated. + created=$(key_get KEY1 CREATED) + set_keytime "KEY1" "PUBLISHED" "${created}" + set_keytime "KEY1" "ACTIVE" "${created}" + # The DS can be published if the DNSKEY and RRSIG records are + # OMNIPRESENT. This happens after max-zone-ttl (1d) plus + # publish-safety (1h) plus zone-propagation-delay (300s) = + # 86400 + 3600 + 300 = 90300. + set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300 + # Key lifetime is unlimited, so not setting RETIRED and REMOVED. } # Check the zone with default kasp policy has loaded and is signed. 
@@ -281,17 +279,17 @@ set_zone "default.kasp" set_policy "default" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -303,7 +301,7 @@ dnssec_verify # Trigger a keymgr run. Make sure the key files are not touched if there are # no modifications to the key metadata. -n=$((n+1)) +n=$((n + 1)) echo_i "make sure key files are untouched if metadata does not change ($n)" ret=0 basefile=$(key_get KEY1 BASEFILE) @@ -311,8 +309,8 @@ privkey_stat=$(key_get KEY1 PRIVKEY_STAT) pubkey_stat=$(key_get KEY1 PUBKEY_STAT) state_stat=$(key_get KEY1 STATE_STAT) -nextpart $DIR/named.run > /dev/null -rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed" +nextpart $DIR/named.run >/dev/null +rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed" wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run privkey_stat2=$(key_stat "${basefile}.private") pubkey_stat2=$(key_stat "${basefile}.key") 
@@ -321,14 +319,14 @@ test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file sta test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)" test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "again ($n)" ret=0 -nextpart $DIR/named.run > /dev/null -rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed" +nextpart $DIR/named.run >/dev/null +rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed" wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run privkey_stat2=$(key_stat "${basefile}.private") pubkey_stat2=$(key_stat "${basefile}.key") 
@@ -337,41 +335,41 @@ test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file sta test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)" test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Update zone. -n=$((n+1)) +n=$((n + 1)) echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)" ret=0 cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db" -rndccmd 10.53.0.3 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed" +rndccmd 10.53.0.3 reload "$ZONE" >/dev/null || log_error "rndc reload zone ${ZONE} failed" update_is_signed() { - ip_a=$1 - ip_d=$2 - - if [ "$ip_a" != "-" ]; then - dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1 - grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1 - grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_a}" "dig.out.$DIR.test$n.a" > /dev/null || return 1 - lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.a" | wc -l) - test "$lines" -eq 1 || return 1 - get_keys_which_signed A "dig.out.$DIR.test$n.a" | grep "^${KEY_ID}$" > /dev/null || return 1 - fi - - if [ "$ip_d" != "-" ]; then - dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n".d || return 1 - grep "status: NOERROR" "dig.out.$DIR.test$n".d > /dev/null || return 1 - grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_d}" "dig.out.$DIR.test$n".d > /dev/null || return 1 - lines=$(get_keys_which_signed A "dig.out.$DIR.test$n".d | wc -l) - test "$lines" -eq 1 || return 1 - get_keys_which_signed A "dig.out.$DIR.test$n".d | grep "^${KEY_ID}$" > /dev/null || return 1 - fi + ip_a=$1 + ip_d=$2 + + if [ "$ip_a" != "-" ]; then + dig_with_opts "a.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.a" || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n.a" 
>/dev/null || return 1 + grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_a}" "dig.out.$DIR.test$n.a" >/dev/null || return 1 + lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.a" | wc -l) + test "$lines" -eq 1 || return 1 + get_keys_which_signed A "dig.out.$DIR.test$n.a" | grep "^${KEY_ID}$" >/dev/null || return 1 + fi + + if [ "$ip_d" != "-" ]; then + dig_with_opts "d.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n".d || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n".d >/dev/null || return 1 + grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_d}" "dig.out.$DIR.test$n".d >/dev/null || return 1 + lines=$(get_keys_which_signed A "dig.out.$DIR.test$n".d | wc -l) + test "$lines" -eq 1 || return 1 + get_keys_which_signed A "dig.out.$DIR.test$n".d | grep "^${KEY_ID}$" >/dev/null || return 1 + fi } retry_quiet 10 update_is_signed "10.0.0.11" "10.0.0.44" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Move the private key file, a rekey event should not introduce replacement # keys. @@ -379,11 +377,11 @@ ret=0 echo_i "test that if private key files are inaccessible this doesn't trigger a rollover ($n)" basefile=$(key_get KEY1 BASEFILE) mv "${basefile}.private" "${basefile}.offline" -rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed" +rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed" wait_for_log 3 "offline, policy default" $DIR/named.run || ret=1 mv "${basefile}.offline" "${basefile}.private" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Nothing has changed. check_keys 
@@ -411,51 +409,51 @@ check_subdomain dnssec_verify # Update zone with nsupdate. -n=$((n+1)) +n=$((n + 1)) echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)" ret=0 ( -echo zone ${ZONE} -echo server 10.53.0.3 "$PORT" -echo update del "a.${ZONE}" 300 A 10.0.0.1 -echo update add "a.${ZONE}" 300 A 10.0.0.101 -echo update add "d.${ZONE}" 300 A 10.0.0.4 -echo send + echo zone ${ZONE} + echo server 10.53.0.3 "$PORT" + echo update del "a.${ZONE}" 300 A 10.0.0.1 + echo update add "a.${ZONE}" 300 A 10.0.0.101 + echo update add "d.${ZONE}" 300 A 10.0.0.4 + echo send ) | $NSUPDATE retry_quiet 10 update_is_signed "10.0.0.101" "10.0.0.4" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Update zone with nsupdate (reverting the above change). -n=$((n+1)) +n=$((n + 1)) echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)" ret=0 ( -echo zone ${ZONE} -echo server 10.53.0.3 "$PORT" -echo update add "a.${ZONE}" 300 A 10.0.0.1 -echo update del "a.${ZONE}" 300 A 10.0.0.101 -echo update del "d.${ZONE}" 300 A 10.0.0.4 -echo send + echo zone ${ZONE} + echo server 10.53.0.3 "$PORT" + echo update add "a.${ZONE}" 300 A 10.0.0.1 + echo update del "a.${ZONE}" 300 A 10.0.0.101 + echo update del "d.${ZONE}" 300 A 10.0.0.4 + echo send ) | $NSUPDATE retry_quiet 10 update_is_signed "10.0.0.1" "-" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Update zone with freeze/thaw. -n=$((n+1)) +n=$((n + 1)) echo_i "modify zone file and check that new record is signed for zone ${ZONE} ($n)" ret=0 -rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed" +rndccmd 10.53.0.3 freeze "$ZONE" >/dev/null || log_error "rndc freeze zone ${ZONE} failed" sleep 1 -echo "d.${ZONE}. 300 A 10.0.0.44" >> "${DIR}/${ZONE}.db" -rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed" +echo "d.${ZONE}. 
300 A 10.0.0.44" >>"${DIR}/${ZONE}.db" +rndccmd 10.53.0.3 thaw "$ZONE" >/dev/null || log_error "rndc thaw zone ${ZONE} failed" retry_quiet 10 update_is_signed "10.0.0.1" "10.0.0.44" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Zone: dynamic-inline-signing.kasp @@ -474,17 +472,17 @@ check_subdomain dnssec_verify # Update zone with freeze/thaw. -n=$((n+1)) +n=$((n + 1)) echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)" ret=0 -rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed" +rndccmd 10.53.0.3 freeze "$ZONE" >/dev/null || log_error "rndc freeze zone ${ZONE} failed" sleep 1 cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db" -rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed" +rndccmd 10.53.0.3 thaw "$ZONE" >/dev/null || log_error "rndc thaw zone ${ZONE} failed" retry_quiet 10 update_is_signed || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Zone: inline-signing.kasp 
@@ -513,24 +511,24 @@ set_zone "checkds-ksk.kasp" set_policy "checkds-ksk" "2" "303" set_server "ns3" "10.53.0.3" # Key properties. -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "0" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" 
@@ -543,33 +541,33 @@ dnssec_verify basefile=$(key_get KEY1 BASEFILE) _wait_for_metadata() { - _expr=$1 - _file=$2 - grep "$_expr" $_file > /dev/null || return 1 - return 0 + _expr=$1 + _file=$2 + grep "$_expr" $_file >/dev/null || return 1 + return 0 } -n=$((n+1)) +n=$((n + 1)) echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)" now=$(date +%Y%m%d%H%M%S) rndc_checkds "$SERVER" "$DIR" "-" "$now" "published" "$ZONE" retry_quiet 3 _wait_for_metadata "DSPublish: $now" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state" # DS State should be forced into RUMOURED. -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" check_keys test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)" now=$(date +%Y%m%d%H%M%S) rndc_checkds "$SERVER" "$DIR" "-" "$now" "withdrawn" "$ZONE" retry_quiet 3 _wait_for_metadata "DSRemoved: $now" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state" # DS State should be forced into UNRETENTIVE. -set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY1" "STATE_DS" "unretentive" check_keys test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Zone: checkds-doubleksk.kasp. 
@@ -583,35 +581,35 @@ set_zone "checkds-doubleksk.kasp" set_policy "checkds-doubleksk" "3" "303" set_server "ns3" "10.53.0.3" # Key properties. -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -set_keyrole "KEY2" "ksk" -set_keylifetime "KEY2" "0" +set_keyrole "KEY2" "ksk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY2" "yes" -set_zonesigning "KEY2" "no" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "0" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "0" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "yes" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_KRRSIG" "rumoured" -set_keystate "KEY2" "STATE_DS" "hidden" +set_keystate "KEY2" "STATE_DS" "hidden" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" 
@@ -624,53 +622,53 @@ dnssec_verify basefile1=$(key_get KEY1 BASEFILE) basefile2=$(key_get KEY2 BASEFILE) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds published does not set DSPublish for zone $ZONE (multiple KSK) ($n)" rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "published" "$ZONE" -grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}" -grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}" +grep "DSPublish:" "${basefile1}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile1}" +grep "DSPublish:" "${basefile2}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile2}" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (multiple KSK) ($n)" rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "withdrawn" "$ZONE" -grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}" -grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}" +grep "DSRemoved:" "${basefile1}.state" >/dev/null && log_error "DSRemoved incorrectly set in ${basefile1}" +grep "DSRemoved:" "${basefile2}.state" >/dev/null && log_error "DSRemoved incorrectly set in ${basefile2}" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds published does not set DSPublish for zone $ZONE (wrong algorithm) ($n)" -rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg 8 "published" "$ZONE" > rndc.dnssec.checkds.out.$ZONE.$n -grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}" -grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}" +rndccmd "$SERVER" dnssec -checkds 
-key $(key_get KEY1 ID) -alg 8 "published" "$ZONE" >rndc.dnssec.checkds.out.$ZONE.$n +grep "DSPublish:" "${basefile1}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile1}" +grep "DSPublish:" "${basefile2}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile2}" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (wrong algorithm) ($n)" -rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg RSASHA256 "withdrawn" "$ZONE" > rndc.dnssec.checkds.out.$ZONE.$n -grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}" -grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}" +rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg RSASHA256 "withdrawn" "$ZONE" >rndc.dnssec.checkds.out.$ZONE.$n +grep "DSRemoved:" "${basefile1}.state" >/dev/null && log_error "DSRemoved incorrectly set in ${basefile1}" +grep "DSRemoved:" "${basefile2}.state" >/dev/null && log_error "DSRemoved incorrectly set in ${basefile2}" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds published -key correctly sets DSPublish for key $(key_get KEY1 ID) zone $ZONE (multiple KSK) ($n)" rndc_checkds "$SERVER" "$DIR" KEY1 "20190102121314" "published" "$ZONE" retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile1}.state" || log_error "bad DSPublish in ${basefile1}.state" -grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}" +grep "DSPublish:" "${basefile2}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile2}" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds withdrawn -key correctly 
sets DSRemoved for key $(key_get KEY2 ID) zone $ZONE (multiple KSK) ($n)" rndc_checkds "$SERVER" "$DIR" KEY2 "20200102121314" "withdrawn" "$ZONE" -grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}" +grep "DSRemoved:" "${basefile1}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile1}" retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile2}.state" || log_error "bad DSRemoved in ${basefile2}.state" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Zone: checkds-csk.kasp. @@ -684,17 +682,17 @@ set_zone "checkds-csk.kasp" set_policy "checkds-csk" "1" "303" set_server "ns3" "10.53.0.3" # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 
@@ -704,147 +702,146 @@ dnssec_verify basefile=$(key_get KEY1 BASEFILE) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)" rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE" retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) -n=$((n+1)) +n=$((n + 1)) echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)" rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE" retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Set keytimes for dnssec-policy with various algorithms. # These all use the same time values. set_keytimes_algorithm_policy() { - # The first KSK is immediately published and activated. - created=$(key_get KEY1 CREATED) - set_keytime "KEY1" "PUBLISHED" "${created}" - set_keytime "KEY1" "ACTIVE" "${created}" - # Key was pregenerated. - if [ "$1" = "pregenerated" ]; then - keyfile=$(key_get KEY1 BASEFILE) - grep "; Publish:" "${keyfile}.key" > published.test${n}.key1 - published=$(awk '{print $3}' < published.test${n}.key1) - set_keytime "KEY1" "PUBLISHED" "${published}" - set_keytime "KEY1" "ACTIVE" "${published}" - fi - published=$(key_get KEY1 PUBLISHED) - - # The DS can be published if the DNSKEY and RRSIG records are - # OMNIPRESENT. This happens after max-zone-ttl (1d) plus - # publish-safety (1h) plus zone-propagation-delay (300s) = - # 86400 + 3600 + 300 = 90300. - set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300 - # Key lifetime is 10 years, 315360000 seconds. 
- set_addkeytime "KEY1" "RETIRED" "${published}" 315360000 - # The key is removed after the retire time plus DS TTL (1d), - # parent propagation delay (1h), and retire safety (1h) = - # 86400 + 3600 + 3600 = 93600. - retired=$(key_get KEY1 RETIRED) - set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 - - # The first ZSKs are immediately published and activated. - created=$(key_get KEY2 CREATED) - set_keytime "KEY2" "PUBLISHED" "${created}" - set_keytime "KEY2" "ACTIVE" "${created}" - # Key was pregenerated. - if [ "$1" = "pregenerated" ]; then - keyfile=$(key_get KEY2 BASEFILE) - grep "; Publish:" "${keyfile}.key" > published.test${n}.key2 - published=$(awk '{print $3}' < published.test${n}.key2) - set_keytime "KEY2" "PUBLISHED" "${published}" - set_keytime "KEY2" "ACTIVE" "${published}" - fi - published=$(key_get KEY2 PUBLISHED) - - # Key lifetime for KSK2 is 5 years, 157680000 seconds. - set_addkeytime "KEY2" "RETIRED" "${published}" 157680000 - # The key is removed after the retire time plus max zone ttl (1d), zone - # propagation delay (300s), retire safety (1h), and sign delay - # (signature validity minus refresh, 9d) = - # 86400 + 300 + 3600 + 777600 = 867900. - retired=$(key_get KEY2 RETIRED) - set_addkeytime "KEY2" "REMOVED" "${retired}" 867900 - - # Second ZSK (KEY3). - created=$(key_get KEY3 CREATED) - set_keytime "KEY3" "PUBLISHED" "${created}" - set_keytime "KEY3" "ACTIVE" "${created}" - # Key was pregenerated. - if [ "$1" = "pregenerated" ]; then - keyfile=$(key_get KEY3 BASEFILE) - grep "; Publish:" "${keyfile}.key" > published.test${n}.key3 - published=$(awk '{print $3}' < published.test${n}.key3) - set_keytime "KEY3" "PUBLISHED" "${published}" - set_keytime "KEY3" "ACTIVE" "${published}" - fi - published=$(key_get KEY3 PUBLISHED) - - # Key lifetime for KSK3 is 1 year, 31536000 seconds. 
- set_addkeytime "KEY3" "RETIRED" "${published}" 31536000 - retired=$(key_get KEY3 RETIRED) - set_addkeytime "KEY3" "REMOVED" "${retired}" 867900 + # The first KSK is immediately published and activated. + created=$(key_get KEY1 CREATED) + set_keytime "KEY1" "PUBLISHED" "${created}" + set_keytime "KEY1" "ACTIVE" "${created}" + # Key was pregenerated. + if [ "$1" = "pregenerated" ]; then + keyfile=$(key_get KEY1 BASEFILE) + grep "; Publish:" "${keyfile}.key" >published.test${n}.key1 + published=$(awk '{print $3}' <published.test${n}.key1) + set_keytime "KEY1" "PUBLISHED" "${published}" + set_keytime "KEY1" "ACTIVE" "${published}" + fi + published=$(key_get KEY1 PUBLISHED) + + # The DS can be published if the DNSKEY and RRSIG records are + # OMNIPRESENT. This happens after max-zone-ttl (1d) plus + # publish-safety (1h) plus zone-propagation-delay (300s) = + # 86400 + 3600 + 300 = 90300. + set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300 + # Key lifetime is 10 years, 315360000 seconds. + set_addkeytime "KEY1" "RETIRED" "${published}" 315360000 + # The key is removed after the retire time plus DS TTL (1d), + # parent propagation delay (1h), and retire safety (1h) = + # 86400 + 3600 + 3600 = 93600. + retired=$(key_get KEY1 RETIRED) + set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 + + # The first ZSKs are immediately published and activated. + created=$(key_get KEY2 CREATED) + set_keytime "KEY2" "PUBLISHED" "${created}" + set_keytime "KEY2" "ACTIVE" "${created}" + # Key was pregenerated. + if [ "$1" = "pregenerated" ]; then + keyfile=$(key_get KEY2 BASEFILE) + grep "; Publish:" "${keyfile}.key" >published.test${n}.key2 + published=$(awk '{print $3}' <published.test${n}.key2) + set_keytime "KEY2" "PUBLISHED" "${published}" + set_keytime "KEY2" "ACTIVE" "${published}" + fi + published=$(key_get KEY2 PUBLISHED) + + # Key lifetime for KSK2 is 5 years, 157680000 seconds. 
+ set_addkeytime "KEY2" "RETIRED" "${published}" 157680000 + # The key is removed after the retire time plus max zone ttl (1d), zone + # propagation delay (300s), retire safety (1h), and sign delay + # (signature validity minus refresh, 9d) = + # 86400 + 300 + 3600 + 777600 = 867900. + retired=$(key_get KEY2 RETIRED) + set_addkeytime "KEY2" "REMOVED" "${retired}" 867900 + + # Second ZSK (KEY3). + created=$(key_get KEY3 CREATED) + set_keytime "KEY3" "PUBLISHED" "${created}" + set_keytime "KEY3" "ACTIVE" "${created}" + # Key was pregenerated. + if [ "$1" = "pregenerated" ]; then + keyfile=$(key_get KEY3 BASEFILE) + grep "; Publish:" "${keyfile}.key" >published.test${n}.key3 + published=$(awk '{print $3}' <published.test${n}.key3) + set_keytime "KEY3" "PUBLISHED" "${published}" + set_keytime "KEY3" "ACTIVE" "${published}" + fi + published=$(key_get KEY3 PUBLISHED) + + # Key lifetime for KSK3 is 1 year, 31536000 seconds. + set_addkeytime "KEY3" "RETIRED" "${published}" 31536000 + retired=$(key_get KEY3 RETIRED) + set_addkeytime "KEY3" "REMOVED" "${retired}" 867900 } # # Zone: rsasha1.kasp. # -if $SHELL ../testcrypto.sh -q RSASHA1 -then - set_zone "rsasha1.kasp" - set_policy "rsasha1" "3" "1234" - set_server "ns3" "10.53.0.3" - # Key properties. - key_clear "KEY1" - set_keyrole "KEY1" "ksk" - set_keylifetime "KEY1" "315360000" - set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" - set_keysigning "KEY1" "yes" - set_zonesigning "KEY1" "no" - - key_clear "KEY2" - set_keyrole "KEY2" "zsk" - set_keylifetime "KEY2" "157680000" - set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" - set_keysigning "KEY2" "no" - set_zonesigning "KEY2" "yes" - - key_clear "KEY3" - set_keyrole "KEY3" "zsk" - set_keylifetime "KEY3" "31536000" - set_keyalgorithm "KEY3" "5" "RSASHA1" "2000" - set_keysigning "KEY3" "no" - set_zonesigning "KEY3" "yes" - - # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. - # ZSK: DNSKEY, RRSIG (zsk) published. 
- set_keystate "KEY1" "GOAL" "omnipresent" - set_keystate "KEY1" "STATE_DNSKEY" "rumoured" - set_keystate "KEY1" "STATE_KRRSIG" "rumoured" - set_keystate "KEY1" "STATE_DS" "hidden" - - set_keystate "KEY2" "GOAL" "omnipresent" - set_keystate "KEY2" "STATE_DNSKEY" "rumoured" - set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" - - set_keystate "KEY3" "GOAL" "omnipresent" - set_keystate "KEY3" "STATE_DNSKEY" "rumoured" - set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" - # Three keys only. - key_clear "KEY4" - - check_keys - check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" - set_keytimes_algorithm_policy - check_keytimes - check_apex - check_subdomain - dnssec_verify +if $SHELL ../testcrypto.sh -q RSASHA1; then + set_zone "rsasha1.kasp" + set_policy "rsasha1" "3" "1234" + set_server "ns3" "10.53.0.3" + # Key properties. + key_clear "KEY1" + set_keyrole "KEY1" "ksk" + set_keylifetime "KEY1" "315360000" + set_keyalgorithm "KEY1" "5" "RSASHA1" "2048" + set_keysigning "KEY1" "yes" + set_zonesigning "KEY1" "no" + + key_clear "KEY2" + set_keyrole "KEY2" "zsk" + set_keylifetime "KEY2" "157680000" + set_keyalgorithm "KEY2" "5" "RSASHA1" "2048" + set_keysigning "KEY2" "no" + set_zonesigning "KEY2" "yes" + + key_clear "KEY3" + set_keyrole "KEY3" "zsk" + set_keylifetime "KEY3" "31536000" + set_keyalgorithm "KEY3" "5" "RSASHA1" "2000" + set_keysigning "KEY3" "no" + set_zonesigning "KEY3" "yes" + + # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. + # ZSK: DNSKEY, RRSIG (zsk) published. + set_keystate "KEY1" "GOAL" "omnipresent" + set_keystate "KEY1" "STATE_DNSKEY" "rumoured" + set_keystate "KEY1" "STATE_KRRSIG" "rumoured" + set_keystate "KEY1" "STATE_DS" "hidden" + + set_keystate "KEY2" "GOAL" "omnipresent" + set_keystate "KEY2" "STATE_DNSKEY" "rumoured" + set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" + + set_keystate "KEY3" "GOAL" "omnipresent" + set_keystate "KEY3" "STATE_DNSKEY" "rumoured" + set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" + # Three keys only. 
+ key_clear "KEY4" + + check_keys + check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + set_keytimes_algorithm_policy + check_keytimes + check_apex + check_subdomain + dnssec_verify fi # @@ -864,12 +861,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" check_apex check_subdomain # Make sure the zone file is untouched. -n=$((n+1)) +n=$((n + 1)) echo_i "Make sure the zonefile for zone ${ZONE} is not edited ($n)" ret=0 diff "${DIR}/${ZONE}.db.infile" "${DIR}/${ZONE}.db" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Zone: insecure.kasp. @@ -895,17 +892,17 @@ set_zone "unlimited.kasp" set_policy "unlimited" "1" "1234" set_server "ns3" "10.53.0.3" # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 
@@ -923,38 +920,38 @@ set_policy "rsasha256" "3" "1234" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "315360000" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "315360000" set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "157680000" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "157680000" set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" -key_clear "KEY3" -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "31536000" +key_clear "KEY3" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "31536000" set_keyalgorithm "KEY3" "8" "RSASHA256" "3072" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "yes" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "yes" # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. # ZSK: DNSKEY, RRSIG (zsk) published. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" # Three keys only. 
@@ -1031,15 +1028,15 @@ check_keys
 check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 set_keytimes_algorithm_policy
 # Activation date is a day later.
-set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400
-set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400
-set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400
-set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400
-set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400
-set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400
-set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400
-set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400
-set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400
+set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400
+set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400
+set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400
+set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400
+set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400
+set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400
+set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400
+set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400
+set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400
 check_keytimes
 check_apex
 check_subdomain
@@ -1062,29 +1059,29 @@ check_subdomain dnssec_verify # Update zone. -n=$((n+1)) +n=$((n + 1)) echo_i "check that we correctly sign the zone after IXFR for zone ${ZONE} ($n)" ret=0 cp ns2/secondary.kasp.db.in2 ns2/secondary.kasp.db -rndccmd 10.53.0.2 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed" +rndccmd 10.53.0.2 reload "$ZONE" >/dev/null || log_error "rndc reload zone ${ZONE} failed" _wait_for_done_subdomains() { - ret=0 - dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1 - grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1 - grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" > /dev/null || return 1 - check_signatures $_qtype "dig.out.$DIR.test$n.a" "ZSK" - if [ $ret -gt 0 ]; then return $ret; fi - - dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.d" || return 1 - grep "status: NOERROR" "dig.out.$DIR.test$n.d" > /dev/null || return 1 - grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" > /dev/null || return 1 - check_signatures $_qtype "dig.out.$DIR.test$n.d" "ZSK" - return $ret + ret=0 + dig_with_opts "a.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.a" || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n.a" >/dev/null || return 1 + grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" >/dev/null || return 1 + check_signatures $_qtype "dig.out.$DIR.test$n.a" "ZSK" + if [ $ret -gt 0 ]; then return $ret; fi + + dig_with_opts "d.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.d" || return 1 + grep "status: NOERROR" "dig.out.$DIR.test$n.d" >/dev/null || return 1 + grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" >/dev/null || return 1 + check_signatures $_qtype "dig.out.$DIR.test$n.d" "ZSK" + return $ret } retry_quiet 5 _wait_for_done_subdomains || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # TODO: we might want 
to test: # - configuring a zone with too many active keys (should trigger retire). @@ -1093,24 +1090,23 @@ status=$((status+ret)) # # Zone: rsasha1-nsec3.kasp. # -if $SHELL ../testcrypto.sh -q RSASHA1 -then - set_zone "rsasha1-nsec3.kasp" - set_policy "rsasha1-nsec3" "3" "1234" - set_server "ns3" "10.53.0.3" - # Key properties. - set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048" - set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048" - set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000" - # Key timings and states same as above. - - check_keys - check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" - set_keytimes_algorithm_policy - check_keytimes - check_apex - check_subdomain - dnssec_verify +if $SHELL ../testcrypto.sh -q RSASHA1; then + set_zone "rsasha1-nsec3.kasp" + set_policy "rsasha1-nsec3" "3" "1234" + set_server "ns3" "10.53.0.3" + # Key properties. + set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048" + set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048" + set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000" + # Key timings and states same as above. + + check_keys + check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + set_keytimes_algorithm_policy + check_keytimes + check_apex + check_subdomain + dnssec_verify fi # 
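Review bot: In `_wait_for_done_subdomains` (the hunk beginning at the previous line), `check_signatures $_qtype "dig.out.$DIR.test$n.a" "ZSK"` passes a variable the function never sets, so it inherits whatever value an earlier loop last left in the global `_qtype`, even though both dig calls here query type A explicitly. If check_signatures' first argument is the RR type being checked, as the `check_signatures TXT ...` calls later in the file suggest, `check_signatures A "dig.out.$DIR.test$n.a" "ZSK"` and `check_signatures A "dig.out.$DIR.test$n.d" "ZSK"` pin the intended type and stop the check depending on unrelated earlier state. A literal argument also avoids calling the helper with no first argument at all when the global happens to be empty.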
@@ -1197,77 +1193,77 @@ dnssec_verify # Zone: ed25519.kasp. # if [ -f ed25519-supported.file ]; then - set_zone "ed25519.kasp" - set_policy "ed25519" "3" "1234" - set_server "ns3" "10.53.0.3" - # Key properties. - set_keyalgorithm "KEY1" "15" "ED25519" "256" - set_keyalgorithm "KEY2" "15" "ED25519" "256" - set_keyalgorithm "KEY3" "15" "ED25519" "256" - # Key timings and states same as above. - - check_keys - check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" - set_keytimes_algorithm_policy - check_keytimes - check_apex - check_subdomain - dnssec_verify + set_zone "ed25519.kasp" + set_policy "ed25519" "3" "1234" + set_server "ns3" "10.53.0.3" + # Key properties. + set_keyalgorithm "KEY1" "15" "ED25519" "256" + set_keyalgorithm "KEY2" "15" "ED25519" "256" + set_keyalgorithm "KEY3" "15" "ED25519" "256" + # Key timings and states same as above. + + check_keys + check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + set_keytimes_algorithm_policy + check_keytimes + check_apex + check_subdomain + dnssec_verify fi # # Zone: ed448.kasp. # if [ -f ed448-supported.file ]; then - set_zone "ed448.kasp" - set_policy "ed448" "3" "1234" - set_server "ns3" "10.53.0.3" - # Key properties. - set_keyalgorithm "KEY1" "16" "ED448" "456" - set_keyalgorithm "KEY2" "16" "ED448" "456" - set_keyalgorithm "KEY3" "16" "ED448" "456" - # Key timings and states same as above. - - check_keys - check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" - set_keytimes_algorithm_policy - check_keytimes - check_apex - check_subdomain - dnssec_verify + set_zone "ed448.kasp" + set_policy "ed448" "3" "1234" + set_server "ns3" "10.53.0.3" + # Key properties. + set_keyalgorithm "KEY1" "16" "ED448" "456" + set_keyalgorithm "KEY2" "16" "ED448" "456" + set_keyalgorithm "KEY3" "16" "ED448" "456" + # Key timings and states same as above. 
+ + check_keys + check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" + set_keytimes_algorithm_policy + check_keytimes + check_apex + check_subdomain + dnssec_verify fi # Set key times for 'autosign' policy. set_keytimes_autosign_policy() { - # The KSK was published six months ago (with settime). - created=$(key_get KEY1 CREATED) - set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000 - set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000 - set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000 - # Key lifetime is 2 years, 63072000 seconds. - active=$(key_get KEY1 ACTIVE) - set_addkeytime "KEY1" "RETIRED" "${active}" 63072000 - # The key is removed after the retire time plus DS TTL (1d), - # parent propagation delay (1h), retire safety (1h) = - # 86400 + 3600 + 3600 = 93600 - retired=$(key_get KEY1 RETIRED) - set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 - - # The ZSK was published six months ago (with settime). - created=$(key_get KEY2 CREATED) - set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000 - set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000 - # Key lifetime for KSK2 is 1 year, 31536000 seconds. - active=$(key_get KEY2 ACTIVE) - set_addkeytime "KEY2" "RETIRED" "${active}" 31536000 - # The key is removed after the retire time plus: - # TTLsig (RRSIG TTL): 1 day (86400 seconds) - # Dprp (propagation delay): 5 minutes (300 seconds) - # retire-safety: 1 hour (3600 seconds) - # Dsgn (sign delay): 7 days (604800 seconds) - # Iret: 695100 seconds. - retired=$(key_get KEY2 RETIRED) - set_addkeytime "KEY2" "REMOVED" "${retired}" 695100 + # The KSK was published six months ago (with settime). + created=$(key_get KEY1 CREATED) + set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000 + set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000 + set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000 + # Key lifetime is 2 years, 63072000 seconds. 
+ active=$(key_get KEY1 ACTIVE) + set_addkeytime "KEY1" "RETIRED" "${active}" 63072000 + # The key is removed after the retire time plus DS TTL (1d), + # parent propagation delay (1h), retire safety (1h) = + # 86400 + 3600 + 3600 = 93600 + retired=$(key_get KEY1 RETIRED) + set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 + + # The ZSK was published six months ago (with settime). + created=$(key_get KEY2 CREATED) + set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000 + set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000 + # Key lifetime for KSK2 is 1 year, 31536000 seconds. + active=$(key_get KEY2 ACTIVE) + set_addkeytime "KEY2" "RETIRED" "${active}" 31536000 + # The key is removed after the retire time plus: + # TTLsig (RRSIG TTL): 1 day (86400 seconds) + # Dprp (propagation delay): 5 minutes (300 seconds) + # retire-safety: 1 hour (3600 seconds) + # Dsgn (sign delay): 7 days (604800 seconds) + # Iret: 695100 seconds. + retired=$(key_get KEY2 RETIRED) + set_addkeytime "KEY2" "REMOVED" "${retired}" 695100 } # 
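Review bot: In set_keytimes_autosign_policy the comment `# Key lifetime for KSK2 is 1 year, 31536000 seconds.` sits on the KEY2 block, which the comment two lines above introduces as the ZSK; `# Key lifetime for the ZSK (KEY2) is 1 year, 31536000 seconds.` agrees with the rest of the function and with the `set_keyrole "KEY2" "zsk"` calls elsewhere in the file. The function also reuses the script-level `created`, `active` and `retired` variables rather than its own; since the script runs under $SHELL rather than bash that is presumably deliberate, but a one-line comment saying so would keep a later reader from adding `local` and breaking POSIX sh.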
@@ -1277,27 +1273,27 @@ set_zone "expired-sigs.autosign" set_policy "autosign" "2" "300" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "63072000" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "63072000" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "31536000" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "31536000" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # Both KSK and ZSK stay OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # Expect only two keys. 
@@ -1314,42 +1310,39 @@ dnssec_verify # Verify all signatures have been refreshed. check_rrsig_refresh() { - # Apex. - _qtypes="DNSKEY SOA NS NSEC" - for _qtype in $_qtypes - do - n=$((n+1)) - echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)" - ret=0 - dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" - grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" - grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" - # If this exact RRSIG is also in the zone file it is not refreshed. - _rrsig=$(cat "rrsig.out.$ZONE.$_qtype") - grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - done - - # Below apex. - _labels="a b c ns3" - for _label in $_labels; - do - _qtypes="A NSEC" - for _qtype in $_qtypes - do - n=$((n+1)) - echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)" - ret=0 - dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed" - grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" - grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" - _rrsig=$(cat "rrsig.out.$ZONE.$_qtype") - grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - done - done + # Apex. 
+ _qtypes="DNSKEY SOA NS NSEC" + for _qtype in $_qtypes; do + n=$((n + 1)) + echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)" + ret=0 + dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response" + grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" + # If this exact RRSIG is also in the zone file it is not refreshed. + _rrsig=$(cat "rrsig.out.$ZONE.$_qtype") + grep "${_rrsig}" "${DIR}/${ZONE}.db" >/dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + done + + # Below apex. + _labels="a b c ns3" + for _label in $_labels; do + _qtypes="A NSEC" + for _qtype in $_qtypes; do + n=$((n + 1)) + echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)" + ret=0 + dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response" + grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" + _rrsig=$(cat "rrsig.out.$ZONE.$_qtype") + grep "${_rrsig}" "${DIR}/${ZONE}.db" >/dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + done + done } check_rrsig_refresh 
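Review bot: `grep "${_rrsig}" "${DIR}/${ZONE}.db"` in both loops of check_rrsig_refresh feeds the RRSIG record text to grep as a basic regex, so the dots in the owner name and any regex-special characters in the base64 signature match loosely instead of byte-for-byte; `grep -F -- "${_rrsig}" "${DIR}/${ZONE}.db" >/dev/null` compares the literal record, which is what the comment above it says the check intends. The same pattern appears twice in check_rrsig_reuse in the next hunk, where a loose match is the more damaging direction because it can report a signature as reused when only a similar one is present. The below-apex loop here also lost the `# If this exact RRSIG is also in the zone file it is not refreshed.` comment that the apex loop carries; repeating it would help since the two loops are otherwise near-identical.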
@@ -1372,45 +1365,42 @@ dnssec_verify # Verify signature reuse. check_rrsig_reuse() { - # Apex. - _qtypes="NS NSEC" - for _qtype in $_qtypes - do - n=$((n+1)) - echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)" - ret=0 - dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" - grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" - grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" - # If this exact RRSIG is also in the signed zone file it is not refreshed. - _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype") - $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null - grep "${_rrsig}" zone.out.${ZONE}.test$n > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - done - - # Below apex. - _labels="a b c ns3" - for _label in $_labels; - do - _qtypes="A NSEC" - for _qtype in $_qtypes - do - n=$((n+1)) - echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)" - ret=0 - dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed" - grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response" - grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" - # If this exact RRSIG is also in the signed zone file it is not refreshed. 
- _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype") - $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null - grep "${_rrsig}" zone.out.${ZONE}.test$n > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) - done - done + # Apex. + _qtypes="NS NSEC" + for _qtype in $_qtypes; do + n=$((n + 1)) + echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)" + ret=0 + dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response" + grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" + # If this exact RRSIG is also in the signed zone file it is not refreshed. + _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' <"rrsig.out.$ZONE.$_qtype") + $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" >/dev/null + grep "${_rrsig}" zone.out.${ZONE}.test$n >/dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + done + + # Below apex. 
+ _labels="a b c ns3" + for _label in $_labels; do + _qtypes="A NSEC" + for _qtype in $_qtypes; do + n=$((n + 1)) + echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)" + ret=0 + dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed" + grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response" + grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response" + # If this exact RRSIG is also in the signed zone file it is not refreshed. + _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' <"rrsig.out.$ZONE.$_qtype") + $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" >/dev/null + grep "${_rrsig}" zone.out.${ZONE}.test$n >/dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) + done + done } check_rrsig_reuse 
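Review bot: `$CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" >/dev/null` in check_rrsig_reuse converts the same signed zone file once per label and qtype (ten times per call) although its output does not depend on the loop variables, so the conversion could run once before the apex loop into a single file that every iteration greps. Its exit status is also ignored: a failed conversion leaves an empty or missing output file and the following grep then reports "not reused" instead of the real cause, so `|| log_error "checkzone ${ZONE} failed"` on that line would surface it. If the call stays in the loop, `zone.out.${ZONE}.test$n` should be quoted like the other paths in this hunk.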
@@ -1485,19 +1475,19 @@ set_zone "zsk-retired.autosign" set_policy "autosign" "3" "300" set_server "ns3" "10.53.0.3" # The third key is not yet expected to be signing. -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "31536000" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "31536000" set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "no" # The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK # is active. -set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY2" "GOAL" "hidden" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # A new ZSK should be introduced, so expect a key with goal OMNIPRESENT, # the DNSKEY introduced (RUMOURED) and the signatures HIDDEN. -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_ZRRSIG" "hidden" 
@@ -1507,24 +1497,24 @@ set_keytimes_autosign_policy # The old ZSK is retired. created=$(key_get KEY2 CREATED) -set_keytime "KEY2" "RETIRED" "${created}" -set_addkeytime "KEY2" "REMOVED" "${created}" 695100 +set_keytime "KEY2" "RETIRED" "${created}" +set_addkeytime "KEY2" "REMOVED" "${created}" 695100 # The new ZSK is immediately published. created=$(key_get KEY3 CREATED) -set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "PUBLISHED" "${created}" # And becomes active after Ipub: # DNSKEY TTL: 300 seconds # zone-propagation-delay 5 minutes (300 seconds) # publish-safety: 1 hour (3600 seconds) # Ipub: 4200 seconds published=$(key_get KEY3 PUBLISHED) -set_addkeytime "KEY3" "ACTIVE" "${published}" 4200 +set_addkeytime "KEY3" "ACTIVE" "${published}" 4200 # Lzsk: 1 year (31536000 seconds) active=$(key_get KEY3 ACTIVE) -set_addkeytime "KEY3" "RETIRED" "${active}" 31536000 +set_addkeytime "KEY3" "RETIRED" "${active}" 31536000 # Iret: 695100 seconds. retired=$(key_get KEY3 RETIRED) -set_addkeytime "KEY3" "REMOVED" "${retired}" 695100 +set_addkeytime "KEY3" "REMOVED" "${retired}" 695100 check_keytimes check_apex 
@@ -1542,27 +1532,27 @@ set_policy "migrate-to-dnssec-policy" "4" "1234" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "16070400" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "16070400" set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "16070400" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "16070400" set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait. # ZSK: DNSKEY, RRSIG (zsk) published. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" # Two keys only. @@ -1574,7 +1564,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Make sure the correct legacy keys were used (and not the removed predecessor # keys). -n=$((n+1)) +n=$((n + 1)) echo_i "check correct keys were used when migrating zone ${ZONE} to dnssec-policy ($n)" ret=0 kskfile=$(cat ns3/legacy-keys.kasp.ksk) 
@@ -1586,42 +1576,42 @@ basefile=$(key_get KEY2 BASEFILE) echo_i "filename: $basefile (expect $zskfile)" test "$DIR/$zskfile" = "$basefile" || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # KSK times. created=$(key_get KEY1 CREATED) keyfile=$(key_get KEY1 BASEFILE) -grep "; Publish:" "${keyfile}.key" > published.test${n}.key1 -published=$(awk '{print $3}' < published.test${n}.key1) +grep "; Publish:" "${keyfile}.key" >published.test${n}.key1 +published=$(awk '{print $3}' <published.test${n}.key1) set_keytime "KEY1" "PUBLISHED" "${published}" -set_keytime "KEY1" "ACTIVE" "${published}" +set_keytime "KEY1" "ACTIVE" "${published}" published=$(key_get KEY1 PUBLISHED) # The DS can be published if the DNSKEY and RRSIG records are OMNIPRESENT. # This happens after max-zone-ttl (1d) plus publish-safety (1h) plus # zone-propagation-delay (300s) = 86400 + 3600 + 300 = 90300. set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300 # Key lifetime is 6 months, 315360000 seconds. -set_addkeytime "KEY1" "RETIRED" "${published}" 16070400 +set_addkeytime "KEY1" "RETIRED" "${published}" 16070400 # The key is removed after the retire time plus DS TTL (1d), parent # propagation delay (1h), and retire safety (1h) = 86400 + 3600 + 3600 = 93600. retired=$(key_get KEY1 RETIRED) -set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 +set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 # ZSK times. created=$(key_get KEY2 CREATED) keyfile=$(key_get KEY2 BASEFILE) -grep "; Publish:" "${keyfile}.key" > published.test${n}.key2 -published=$(awk '{print $3}' < published.test${n}.key2) +grep "; Publish:" "${keyfile}.key" >published.test${n}.key2 +published=$(awk '{print $3}' <published.test${n}.key2) set_keytime "KEY2" "PUBLISHED" "${published}" -set_keytime "KEY2" "ACTIVE" "${published}" +set_keytime "KEY2" "ACTIVE" "${published}" published=$(key_get KEY2 PUBLISHED) # Key lifetime is 6 months, 315360000 seconds. 
-set_addkeytime "KEY2" "RETIRED" "${published}" 16070400 +set_addkeytime "KEY2" "RETIRED" "${published}" 16070400 # The key is removed after the retire time plus max zone ttl (1d), zone # propagation delay (300s), retire safety (1h), and sign delay (signature # validity minus refresh, 9d) = 86400 + 300 + 3600 + 777600 = 867900. retired=$(key_get KEY2 RETIRED) -set_addkeytime "KEY2" "REMOVED" "${retired}" 867900 +set_addkeytime "KEY2" "REMOVED" "${retired}" 867900 check_keytimes check_apex @@ -1744,17 +1734,17 @@ check_subdomain # ns4/inherit.override.signed # ns5/override.inherit.signed # ns5/inherit.override.signed -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" set_zone "signed.tld" set_policy "default" "1" "3600" @@ -1823,11 +1813,11 @@ dnssec_verify # ns5/override.override.unsigned # ns5/override.none.unsigned # ns4/example.net (both views) -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" set_zone "inherit.inherit.signed" set_policy "test" "1" "3600" 
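Review bot: The two comments `# Key lifetime is 6 months, 315360000 seconds.` above the KEY1 and KEY2 RETIRED lines of this hunk (the first is in the previous line) quote a number that matches neither the 16070400 passed to set_addkeytime nor six months; 315360000 is ten years, the KEY1 lifetime used in the rsasha1 and rsasha256 sections earlier in the file. `# Key lifetime is 6 months, 16070400 seconds.` matches the value actually added, and agrees with the `set_keylifetime "KEY1" "16070400"` calls in the migrate-to-dnssec-policy setup above. `created=$(key_get KEY1 CREATED)` and its KEY2 counterpart are assigned in this hunk but not read within it; if nothing after the hunk uses them they can be dropped.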
@@ -1906,23 +1896,23 @@ check_keytimes check_apex dnssec_verify # check zonestatus -n=$((n+1)) +n=$((n + 1)) echo_i "check $ZONE (view example1) zonestatus ($n)" ret=0 check_isdynamic "$SERVER" "$ZONE" "example1" || log_error "zone not dynamic" check_inlinesigning "$SERVER" "$ZONE" "example1" && log_error "inline-signing enabled, expected disabled" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # check subdomain -n=$((n+1)) +n=$((n + 1)) echo_i "check TXT example.net (view example1) rrset is signed correctly ($n)" ret=0 -dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" -grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" -grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view1" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view1" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response" check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) TSIG="$DEFAULT_HMAC:keyforview2:$VIEW2" wait_for_nsec 
@@ -1931,23 +1921,23 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2" check_apex dnssec_verify # check zonestatus -n=$((n+1)) +n=$((n + 1)) echo_i "check $ZONE (view example2) zonestatus ($n)" ret=0 check_isdynamic "$SERVER" "$ZONE" "example2" && log_error "zone dynamic, but not expected" check_inlinesigning "$SERVER" "$ZONE" "example2" || log_error "inline-signing disabled, expected enabled" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # check subdomain -n=$((n+1)) +n=$((n + 1)) echo_i "check TXT example.net (view example2) rrset is signed correctly ($n)" ret=0 -dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" -grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" -grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response" check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) TSIG="$DEFAULT_HMAC:keyforview3:$VIEW3" wait_for_nsec 
@@ -1956,23 +1946,23 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example3" check_apex dnssec_verify # check zonestatus -n=$((n+1)) +n=$((n + 1)) echo_i "check $ZONE (view example3) zonestatus ($n)" ret=0 check_isdynamic "$SERVER" "$ZONE" "example3" && log_error "zone dynamic, but not expected" check_inlinesigning "$SERVER" "$ZONE" "example3" || log_error "inline-signing disabled, expected enabled" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # check subdomain -n=$((n+1)) +n=$((n + 1)) echo_i "check TXT example.net (view example3) rrset is signed correctly ($n)" ret=0 -dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" -grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response" -grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response" +dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed" +grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response" +grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response" check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # Clear TSIG. TSIG="" 
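Review bot: The example3 TXT check greps for `view2` (`"view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2"`), while the example1 and example2 checks in the two preceding hunks expect view1 and view2 respectively, so on a first read this looks like a copy-paste slip. If example3 is meant to serve the example2 zone data — the zonestatus expectations just above are identical to example2's, which points that way — a comment such as `# example3 serves the same zone as example2, so the TXT record is view2.` above the dig would make the intent explicit; otherwise the pattern should be view3.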
@@ -1989,23 +1979,23 @@ key_clear "KEY3" key_clear "KEY4" # Key properties. -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "0" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" 
@@ -2017,27 +2007,27 @@ dnssec_verify # Check that the ZSKs from the other provider are published. zsks_are_published() { - dig_with_opts +short "$ZONE" "@${SERVER}" DNSKEY > "dig.out.$DIR.test$n" || return 1 - # We should have three ZSKs. - lines=$(grep "256 3 13" dig.out.$DIR.test$n | wc -l) - test "$lines" -eq 3 || return 1 - # And one KSK. - lines=$(grep "257 3 13" dig.out.$DIR.test$n | wc -l) - test "$lines" -eq 1 || return 1 + dig_with_opts +short "$ZONE" "@${SERVER}" DNSKEY >"dig.out.$DIR.test$n" || return 1 + # We should have three ZSKs. + lines=$(grep "256 3 13" dig.out.$DIR.test$n | wc -l) + test "$lines" -eq 3 || return 1 + # And one KSK. + lines=$(grep "257 3 13" dig.out.$DIR.test$n | wc -l) + test "$lines" -eq 1 || return 1 } -n=$((n+1)) +n=$((n + 1)) echo_i "update zone with ZSK from another provider for zone ${ZONE} ($n)" ret=0 ( -echo zone ${ZONE} -echo server 10.53.0.3 "$PORT" -echo update add $(cat "${DIR}/${ZONE}.zsk2") -echo send + echo zone ${ZONE} + echo server 10.53.0.3 "$PORT" + echo update add $(cat "${DIR}/${ZONE}.zsk2") + echo send ) | $NSUPDATE retry_quiet 10 zsks_are_published || ret=1 test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Testing manual rollover. 
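Review bot: zsks_are_published counts DNSKEY records with `grep "256 3 13" dig.out.$DIR.test$n | wc -l`, leaving the output filename unquoted and hard-coding algorithm 13, while the keys for this zone are configured through `$DEFAULT_ALGORITHM_NUMBER` in the surrounding hunks; if the default algorithm is presumably ever changed, the count silently drops to zero and the retry just times out instead of reporting a mismatch. Suggest `lines=$(grep -c "256 3 ${DEFAULT_ALGORITHM_NUMBER}" "dig.out.$DIR.test$n")` and the same form for the `257 3 13` KSK line. The result is also stored in the global `lines`; the other helpers in this file prefix function-scoped names with an underscore (`_expect`, `_time`), so `_lines` would match that convention.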
@@ -2050,24 +2040,24 @@ key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" # Key properties. -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "0" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # During set up everything was set to OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" @@ -2076,12 +2066,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The first keys were published and activated a day ago. created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -86400 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -86400 set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400 -set_addkeytime "KEY1" "ACTIVE" "${created}" -86400 +set_addkeytime "KEY1" "ACTIVE" "${created}" -86400 created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -86400 -set_addkeytime "KEY2" "ACTIVE" "${created}" -86400 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -86400 +set_addkeytime "KEY2" "ACTIVE" "${created}" -86400 # Key lifetimes are unlimited, so not setting RETIRED and REMOVED. check_keytimes check_apex 
@@ -2090,16 +2080,16 @@ dnssec_verify # Schedule KSK rollover in six months (15552000 seconds). active=$(key_get KEY1 ACTIVE) -set_addkeytime "KEY1" "RETIRED" "${active}" 15552000 +set_addkeytime "KEY1" "RETIRED" "${active}" 15552000 retired=$(key_get KEY1 RETIRED) rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${retired}" "$ZONE" # Rollover starts in six months, but lifetime is set to six months plus # prepublication duration = 15552000 + 7500 = 15559500 seconds. -set_keylifetime "KEY1" "15559500" -set_addkeytime "KEY1" "RETIRED" "${active}" 15559500 +set_keylifetime "KEY1" "15559500" +set_addkeytime "KEY1" "RETIRED" "${active}" 15559500 retired=$(key_get KEY1 RETIRED) # Retire interval of this policy is 26h (93600 seconds). -set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 +set_addkeytime "KEY1" "REMOVED" "${retired}" 93600 check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -2113,21 +2103,21 @@ set_policy "manual-rollover" "3" "3600" set_keystate "KEY1" "GOAL" "hidden" # This key was activated one day ago, so lifetime is set to 1d plus # prepublication duration (7500 seconds) = 93900 seconds. -set_keylifetime "KEY1" "93900" +set_keylifetime "KEY1" "93900" created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "RETIRED" "${created}" +set_keytime "KEY1" "RETIRED" "${created}" rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "$ZONE" # New key is introduced. -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "0" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "0" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY3" "STATE_DS" "hidden" check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 
@@ -2140,18 +2130,18 @@ set_policy "manual-rollover" "4" "3600" set_keystate "KEY2" "GOAL" "hidden" # This key was activated one day ago, so lifetime is set to 1d plus # prepublication duration (7500 seconds) = 93900 seconds. -set_keylifetime "KEY2" "93900" +set_keylifetime "KEY2" "93900" created=$(key_get KEY2 CREATED) -set_keytime "KEY2" "RETIRED" "${created}" +set_keytime "KEY2" "RETIRED" "${created}" rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE" # New key is introduced. -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "0" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "0" set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY4" "no" -set_zonesigning "KEY4" "no" # not yet, first prepublish DNSKEY. +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "no" # not yet, first prepublish DNSKEY. -set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "hidden" @@ -2162,13 +2152,13 @@ check_subdomain dnssec_verify # Try to schedule a ZSK rollover for an inactive key (should fail). -n=$((n+1)) +n=$((n + 1)) echo_i "check that rndc dnssec -rollover fails if key is inactive ($n)" ret=0 -rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" > rndc.dnssec.rollover.out.$ZONE.$n -grep "key is not actively signing" rndc.dnssec.rollover.out.$ZONE.$n > /dev/null || log_error "bad error message" +rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" >rndc.dnssec.rollover.out.$ZONE.$n +grep "key is not actively signing" rndc.dnssec.rollover.out.$ZONE.$n >/dev/null || log_error "bad error message" test "$ret" -eq 0 || echo_i "failed" -status=$((status+ret)) +status=$((status + ret)) # # Testing DNSSEC introduction. 
@@ -2181,18 +2171,18 @@ set_zone "step1.enable-dnssec.autosign" set_policy "enable-dnssec" "1" "300" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # The DNSKEY and signatures are introduced first, the DS remains hidden. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" # This policy lists only one key (CSK). key_clear "KEY2" key_clear "KEY3" @@ -2204,13 +2194,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Set expected key times: # - The first key is immediately published and activated. created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${created}" -set_keytime "KEY1" "ACTIVE" "${created}" +set_keytime "KEY1" "PUBLISHED" "${created}" +set_keytime "KEY1" "ACTIVE" "${created}" # - The DS can be published if the DNSKEY and RRSIG records are # OMNIPRESENT. This happens after max-zone-ttl (12h) plus # publish-safety (5m) plus zone-propagation-delay (5m) = # 43200 + 300 + 300 = 43800. -set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 # - Key lifetime is unlimited, so not setting RETIRED and REMOVED. # Various signing policy checks. 
@@ -2220,37 +2210,37 @@ check_subdomain dnssec_verify _check_next_key_event() { - _expect=$1 + _expect=$1 - grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" > "keyevent.out.$ZONE.test$n" || return 1 + grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" >"keyevent.out.$ZONE.test$n" || return 1 - # Get the latest next key event. - if [ "${DYNAMIC}" = "yes" ]; then - _time=$(awk '{print $9}' < "keyevent.out.$ZONE.test$n" | tail -1) - else - # inline-signing zone adds "(signed)" - _time=$(awk '{print $10}' < "keyevent.out.$ZONE.test$n" | tail -1) - fi + # Get the latest next key event. + if [ "${DYNAMIC}" = "yes" ]; then + _time=$(awk '{print $9}' <"keyevent.out.$ZONE.test$n" | tail -1) + else + # inline-signing zone adds "(signed)" + _time=$(awk '{print $10}' <"keyevent.out.$ZONE.test$n" | tail -1) + fi - # The next key event time must within threshold of the - # expected time. - _expectmin=$((_expect-next_key_event_threshold)) - _expectmax=$((_expect+next_key_event_threshold)) + # The next key event time must within threshold of the + # expected time. + _expectmin=$((_expect - next_key_event_threshold)) + _expectmax=$((_expect + next_key_event_threshold)) - test $_expectmin -le "$_time" || return 1 - test $_expectmax -ge "$_time" || return 1 + test $_expectmin -le "$_time" || return 1 + test $_expectmax -ge "$_time" || return 1 - return 0 + return 0 } check_next_key_event() { - n=$((n+1)) - echo_i "check next key event for zone ${ZONE} ($n)" - ret=0 + n=$((n + 1)) + echo_i "check next key event for zone ${ZONE} ($n)" + ret=0 - retry_quiet 3 _check_next_key_event $1 || log_error "bad next key event time for zone ${ZONE} (expect ${_expect})" - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + retry_quiet 3 _check_next_key_event $1 || log_error "bad next key event time for zone ${ZONE} (expect ${_expect})" + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } 
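Review bot: check_next_key_event's failure message prints `${_expect}`, which is only assigned inside `_check_next_key_event`, so the message relies on the helper having run in the current shell under retry_quiet (defined outside this hunk) and shows a stale value if the helper never reached that line; the expected value is already available as `$1`. Suggest `retry_quiet 3 _check_next_key_event "$1" || log_error "bad next key event time for zone ${ZONE} (expect $1)"`. In `_check_next_key_event` the awk field chosen by `${DYNAMIC}` (9 versus 10) is explained only for the inline-signing case; a short comment giving the expected shape of the matched named.run line, e.g. `# named.run line: "<timestamp> zone <name>[ (signed)]: next key event in <N> seconds"; field 9 (or 10 with "(signed)") is N — confirm against the log format`, would let a reader verify those indices.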
@@ -2276,9 +2266,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Set expected key times: # - The key was published and activated 900 seconds ago (with settime). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -900 -set_addkeytime "KEY1" "ACTIVE" "${created}" -900 -set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -900 +set_addkeytime "KEY1" "ACTIVE" "${created}" -900 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800 # Continue signing policy checks. check_keytimes @@ -2299,7 +2289,7 @@ set_policy "enable-dnssec" "1" "300" set_server "ns3" "10.53.0.3" # All signatures should be omnipresent, so the DS can be submitted. set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "rumoured" # Various signing policy checks. check_keys @@ -2308,9 +2298,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Set expected key times: # - The key was published and activated 44700 seconds ago (with settime). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700 -set_addkeytime "KEY1" "ACTIVE" "${created}" -44700 -set_keytime "KEY1" "SYNCPUBLISH" "${created}" +set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700 +set_addkeytime "KEY1" "ACTIVE" "${created}" -44700 +set_keytime "KEY1" "SYNCPUBLISH" "${created}" # Continue signing policy checks. check_keytimes 
@@ -2344,9 +2334,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # Set expected key times: # - The key was published and activated 56700 seconds ago (with settime). created=$(key_get KEY1 CREATED) -set_addkeytime "KEY1" "PUBLISHED" "${created}" -56700 -set_addkeytime "KEY1" "ACTIVE" "${created}" -56700 -set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -12000 +set_addkeytime "KEY1" "PUBLISHED" "${created}" -56700 +set_addkeytime "KEY1" "ACTIVE" "${created}" -56700 +set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -12000 # Continue signing policy checks. check_keytimes 
@@ -2382,51 +2372,51 @@ set_policy "zsk-prepub" "2" "3600" set_server "ns3" "10.53.0.3" set_retired_removed() { - _Lkey=$2 - _Iret=$3 + _Lkey=$2 + _Iret=$3 - _active=$(key_get $1 ACTIVE) - set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}" - _retired=$(key_get $1 RETIRED) - set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}" + _active=$(key_get $1 ACTIVE) + set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}" + _retired=$(key_get $1 RETIRED) + set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}" } rollover_predecessor_keytimes() { - _addtime=$1 - - _created=$(key_get KEY1 CREATED) - set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" - [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" - - _created=$(key_get KEY2 CREATED) - set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}" - set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}" - [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" + _addtime=$1 + + _created=$(key_get KEY1 CREATED) + set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}" + + _created=$(key_get KEY2 CREATED) + set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}" } # Key properties. 
-key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "${Lksk}" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "${Lksk}" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "${Lzsk}" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "${Lzsk}" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # Initially only two keys. 
@@ -2456,15 +2446,15 @@ set_zone "step2.zsk-prepub.autosign" set_policy "zsk-prepub" "3" "3600" set_server "ns3" "10.53.0.3" # New ZSK (KEY3) is prepublished, but not yet signing. -key_clear "KEY3" -set_keyrole "KEY3" "zsk" -set_keylifetime "KEY3" "${Lzsk}" +key_clear "KEY3" +set_keyrole "KEY3" "zsk" +set_keylifetime "KEY3" "${Lzsk}" set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY3" "no" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "no" +set_zonesigning "KEY3" "no" # Key states. -set_keystate "KEY2" "GOAL" "hidden" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_ZRRSIG" "hidden" @@ -2504,11 +2494,11 @@ set_policy "zsk-prepub" "3" "3600" set_server "ns3" "10.53.0.3" # ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE. # New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED. -set_zonesigning "KEY2" "no" -set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" -set_zonesigning "KEY3" "yes" -set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" +set_zonesigning "KEY2" "no" +set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" +set_zonesigning "KEY3" "yes" +set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY3" "STATE_ZRRSIG" "rumoured" # Various signing policy checks. check_keys @@ -2519,8 +2509,8 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -2592000 # - The new ZSK is published 26 hours ago (93600 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600 -set_keytime "KEY3" "ACTIVE" "${created}" +set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600 +set_keytime "KEY3" "ACTIVE" "${created}" set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" # Continue signing policy checks. 
@@ -2529,12 +2519,12 @@ check_apex # Subdomain still has good signatures of ZSK (KEY2). # Set expected zone signing on for KEY2 and off for KEY3, # testing whether signatures which are still valid are being reused. -set_zonesigning "KEY2" "yes" -set_zonesigning "KEY3" "no" +set_zonesigning "KEY2" "yes" +set_zonesigning "KEY3" "no" check_subdomain # Restore the expected zone signing properties. -set_zonesigning "KEY2" "no" -set_zonesigning "KEY3" "yes" +set_zonesigning "KEY2" "no" +set_zonesigning "KEY3" "yes" dnssec_verify # Next key event is when all the RRSIG records have been replaced with @@ -2565,9 +2555,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -3459600 # - The new ZSK is published 267 hours ago (961200 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -961200 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -961200 published=$(key_get KEY3 PUBLISHED) -set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" +set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" # Continue signing policy checks. @@ -2599,9 +2589,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -3463200 # - The new ZSK is published 268 hours ago (964800 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -964800 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -964800 published=$(key_get KEY3 PUBLISHED) -set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" +set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}" set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}" # Continue signing policy checks. 
@@ -2654,26 +2644,26 @@ set_zone "step1.ksk-doubleksk.autosign" set_policy "ksk-doubleksk" "2" "7200" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "${Lksk}" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "${Lksk}" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "${Lzsk}" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "${Lzsk}" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # Initially only two keys. 
@@ -2703,18 +2693,18 @@ set_zone "step2.ksk-doubleksk.autosign" set_policy "ksk-doubleksk" "3" "7200" set_server "ns3" "10.53.0.3" # New KSK (KEY3) is prepublished (and signs DNSKEY RRset). -key_clear "KEY3" -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "${Lksk}" +key_clear "KEY3" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "${Lksk}" set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" # Key states. -set_keystate "KEY1" "GOAL" "hidden" -set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY3" "STATE_DS" "hidden" # Various signing policy checks. check_keys @@ -2725,7 +2715,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -5086800 # - The new KSK is published now. created=$(key_get KEY3 CREATED) -set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "PUBLISHED" "${created}" # The new KSK should publish the CDS after the prepublication time. # TTLkey: 2h # DprpC: 1h @@ -2733,7 +2723,7 @@ set_keytime "KEY3" "PUBLISHED" "${created}" # IpubC: 27h (97200 seconds) IpubC=97200 set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${IpubC}" -set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubC}" +set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubC}" set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" # Continue signing policy checks. 
@@ -2759,8 +2749,8 @@ set_server "ns3" "10.53.0.3" set_keystate "KEY3" "STATE_DNSKEY" "omnipresent" set_keystate "KEY3" "STATE_KRRSIG" "omnipresent" # The old DS (KEY1) can be withdrawn and the new DS (KEY3) can be introduced. -set_keystate "KEY1" "STATE_DS" "unretentive" -set_keystate "KEY3" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY3" "STATE_DS" "rumoured" # Various signing policy checks. check_keys @@ -2773,9 +2763,9 @@ check_cdslog "$DIR" "$ZONE" KEY3 rollover_predecessor_keytimes -5184000 # - The new KSK is published 27 hours ago (97200 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200 # - The new KSK CDS is published now. -set_keytime "KEY3" "SYNCPUBLISH" "${created}" +set_keytime "KEY3" "SYNCPUBLISH" "${created}" syncpub=$(key_get KEY3 SYNCPUBLISH) set_keytime "KEY3" "ACTIVE" "${syncpub}" set_retired_removed "KEY3" "${Lksk}" "${IretKSK}" @@ -2788,7 +2778,7 @@ dnssec_verify # We ignore any parent registration delay, so set the DS publish time to now. rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE" -rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE" +rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE" # Next key event is when the predecessor DS has been replaced with the # successor DS and enough time has passed such that the all validators that # have this DS RRset cached only know about the successor DS. This is the 
@@ -2805,11 +2795,11 @@ set_policy "ksk-doubleksk" "3" "7200" set_server "ns3" "10.53.0.3" # KSK (KEY1) DNSKEY can be removed. set_keysigning "KEY1" "no" -set_keystate "KEY1" "STATE_DNSKEY" "unretentive" -set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "hidden" # New KSK (KEY3) DS is now OMNIPRESENT. -set_keystate "KEY3" "STATE_DS" "omnipresent" +set_keystate "KEY3" "STATE_DS" "omnipresent" # Various signing policy checks. check_keys @@ -2820,7 +2810,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -5364000 # - The new KSK is published 77 hours ago (277200 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -277200 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -277200 published=$(key_get KEY3 PUBLISHED) set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}" syncpub=$(key_get KEY3 SYNCPUBLISH) @@ -2857,7 +2847,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -5371200 # - The new KSK is published 79 hours ago (284400 seconds). created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -284400 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -284400 published=$(key_get KEY3 PUBLISHED) set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}" syncpub=$(key_get KEY3 SYNCPUBLISH) 
@@ -2908,13 +2898,13 @@ IretZSK=2257200 IretCSK=$IretZSK csk_rollover_predecessor_keytimes() { - _addtime=$1 + _addtime=$1 - _created=$(key_get KEY1 CREATED) - set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" - set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" - [ "$Lcsk" = 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}" + _created=$(key_get KEY1 CREATED) + set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}" + set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}" + [ "$Lcsk" = 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}" } # @@ -2924,18 +2914,18 @@ set_zone "step1.csk-roll.autosign" set_policy "csk-roll" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "${Lcsk}" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "${Lcsk}" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # The CSK (KEY1) starts in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # Initially only one key. key_clear "KEY2" key_clear "KEY3" 
@@ -2964,19 +2954,19 @@ set_zone "step2.csk-roll.autosign" set_policy "csk-roll" "2" "3600" set_server "ns3" "10.53.0.3" # New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets). -key_clear "KEY2" -set_keyrole "KEY2" "csk" -set_keylifetime "KEY2" "16070400" +key_clear "KEY2" +set_keyrole "KEY2" "csk" +set_keylifetime "KEY2" "16070400" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "yes" -set_zonesigning "KEY2" "no" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" # Key states. -set_keystate "KEY1" "GOAL" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_KRRSIG" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "hidden" -set_keystate "KEY2" "STATE_DS" "hidden" +set_keystate "KEY2" "STATE_DS" "hidden" # Various signing policy checks. check_keys @@ -2987,12 +2977,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16059600 # - The new CSK is published now. created=$(key_get KEY2 CREATED) -set_keytime "KEY2" "PUBLISHED" "${created}" +set_keytime "KEY2" "PUBLISHED" "${created}" # - The new CSK should publish the CDS after the prepublication time. # Ipub: 3 hour (10800 seconds) Ipub="10800" set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" -set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. 
@@ -3013,8 +3003,8 @@ set_zone "step3.csk-roll.autosign" set_policy "csk-roll" "2" "3600" set_server "ns3" "10.53.0.3" # Swap zone signing role. -set_zonesigning "KEY1" "no" -set_zonesigning "KEY2" "yes" +set_zonesigning "KEY1" "no" +set_zonesigning "KEY2" "yes" # CSK (KEY1) will be removed, so moving to UNRETENTIVE. set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" # New CSK (KEY2) DNSKEY is OMNIPRESENT, so moving ZRRSIG to RUMOURED. @@ -3022,8 +3012,8 @@ set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" # The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced. -set_keystate "KEY1" "STATE_DS" "unretentive" -set_keystate "KEY2" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY2" "STATE_DS" "rumoured" # Various signing policy checks. check_keys @@ -3036,10 +3026,10 @@ check_cdslog "$DIR" "$ZONE" KEY2 csk_rollover_predecessor_keytimes -16070400 # - The new CSK is published three hours ago, CDS must be published now. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}" -set_keytime "KEY2" "SYNCPUBLISH" "${created}" +set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}" +set_keytime "KEY2" "SYNCPUBLISH" "${created}" # - Also signatures are being introduced now. -set_keytime "KEY2" "ACTIVE" "${created}" +set_keytime "KEY2" "ACTIVE" "${created}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. 
@@ -3048,17 +3038,17 @@ check_apex # Subdomain still has good signatures of old CSK (KEY1). # Set expected zone signing on for KEY1 and off for KEY2, # testing whether signatures which are still valid are being reused. -set_zonesigning "KEY1" "yes" -set_zonesigning "KEY2" "no" +set_zonesigning "KEY1" "yes" +set_zonesigning "KEY2" "no" check_subdomain # Restore the expected zone signing properties. -set_zonesigning "KEY1" "no" -set_zonesigning "KEY2" "yes" +set_zonesigning "KEY1" "no" +set_zonesigning "KEY2" "yes" dnssec_verify # We ignore any parent registration delay, so set the DS publish time to now. rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE" -rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE" +rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE" # Next key event is when the predecessor DS has been replaced with the # successor DS and enough time has passed such that the all validators that # have this DS RRset cached only know about the successor DS. This is the @@ -3078,9 +3068,9 @@ set_keysigning "KEY1" "no" # The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public # but can remove the KRRSIG records. set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" # The new CSK (KEY2) DS is now OMNIPRESENT. -set_keystate "KEY2" "STATE_DS" "omnipresent" +set_keystate "KEY2" "STATE_DS" "omnipresent" # Various signing policy checks. check_keys 
@@ -3091,10 +3081,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16084800 # - The new CSK started signing 4h ago (14400 seconds). created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "ACTIVE" "${created}" -14400 +set_addkeytime "KEY2" "ACTIVE" "${created}" -14400 set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -14400 syncpub=$(key_get KEY2 SYNCPUBLISH) -set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" +set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3126,10 +3116,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16092000 # - The new CSK started signing 6h ago (21600 seconds). created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "ACTIVE" "${created}" -21600 +set_addkeytime "KEY2" "ACTIVE" "${created}" -21600 set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -21600 syncpub=$(key_get KEY2 SYNCPUBLISH) -set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" +set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3167,10 +3157,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -18327600 # - The new CSK is activated 627 hours ago (2257200 seconds). created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200 +set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200 set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2257200 syncpub=$(key_get KEY2 SYNCPUBLISH) -set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" +set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. 
@@ -3202,10 +3192,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -18334800 # - The new CSK is activated 629 hours ago (2264400 seconds). created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400 +set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400 set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2264400 syncpub=$(key_get KEY2 SYNCPUBLISH) -set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" +set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3261,18 +3251,18 @@ set_zone "step1.csk-roll2.autosign" set_policy "csk-roll2" "1" "3600" set_server "ns3" "10.53.0.3" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "16070400" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "16070400" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # The CSK (KEY1) starts in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # Initially only one key. key_clear "KEY2" key_clear "KEY3" 
@@ -3302,19 +3292,19 @@ set_zone "step2.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" # New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets). -key_clear "KEY2" -set_keyrole "KEY2" "csk" -set_keylifetime "KEY2" "16070400" +key_clear "KEY2" +set_keyrole "KEY2" "csk" +set_keylifetime "KEY2" "16070400" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "yes" -set_zonesigning "KEY2" "no" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" # Key states. -set_keystate "KEY1" "GOAL" "hidden" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "rumoured" set_keystate "KEY2" "STATE_KRRSIG" "rumoured" set_keystate "KEY2" "STATE_ZRRSIG" "hidden" -set_keystate "KEY2" "STATE_DS" "hidden" +set_keystate "KEY2" "STATE_DS" "hidden" # Various signing policy checks. check_keys @@ -3325,12 +3315,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16059600 # - The new CSK is published now. created=$(key_get KEY2 CREATED) -set_keytime "KEY2" "PUBLISHED" "${created}" +set_keytime "KEY2" "PUBLISHED" "${created}" # - The new CSK should publish the CDS after the prepublication time. # - Ipub: 3 hour (10800 seconds) Ipub="10800" set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}" -set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. 
@@ -3350,16 +3340,16 @@ set_zone "step3.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" # CSK (KEY1) can be removed, so move to UNRETENTIVE. -set_zonesigning "KEY1" "no" -set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" +set_zonesigning "KEY1" "no" +set_keystate "KEY1" "STATE_ZRRSIG" "unretentive" # New CSK (KEY2) DNSKEY is OMNIPRESENT, so move ZRRSIG to RUMOURED state. -set_zonesigning "KEY2" "yes" -set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" +set_zonesigning "KEY2" "yes" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY2" "STATE_ZRRSIG" "rumoured" # The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced. -set_keystate "KEY1" "STATE_DS" "unretentive" -set_keystate "KEY2" "STATE_DS" "rumoured" +set_keystate "KEY1" "STATE_DS" "unretentive" +set_keystate "KEY2" "STATE_DS" "rumoured" # Various signing policy checks. check_keys @@ -3372,10 +3362,10 @@ check_cdslog "$DIR" "$ZONE" KEY2 csk_rollover_predecessor_keytimes -16070400 # - The new CSK is published three hours ago, CDS must be published now. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}" -set_keytime "KEY2" "SYNCPUBLISH" "${created}" +set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}" +set_keytime "KEY2" "SYNCPUBLISH" "${created}" # - Also signatures are being introduced now. -set_keytime "KEY2" "ACTIVE" "${created}" +set_keytime "KEY2" "ACTIVE" "${created}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. 
@@ -3384,12 +3374,12 @@ check_apex # Subdomain still has good signatures of old CSK (KEY1). # Set expected zone signing on for KEY1 and off for KEY2, # testing whether signatures which are still valid are being reused. -set_zonesigning "KEY1" "yes" -set_zonesigning "KEY2" "no" +set_zonesigning "KEY1" "yes" +set_zonesigning "KEY2" "no" check_subdomain # Restore the expected zone signing properties. -set_zonesigning "KEY1" "no" -set_zonesigning "KEY2" "yes" +set_zonesigning "KEY1" "no" +set_zonesigning "KEY2" "yes" dnssec_verify # We ignore any parent registration delay, so set the DS publish time to now. @@ -3405,8 +3395,8 @@ rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE" # positives on slow platforms by subtracting the number of seconds which # passed between key creation and invoking 'rndc dnssec -checkds'. now="$(TZ=UTC date +%s)" -time_passed=$((now-start_time)) -next_time=$((136800-time_passed)) +time_passed=$((now - start_time)) +next_time=$((136800 - time_passed)) check_next_key_event $next_time # @@ -3429,10 +3419,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16207200 # - The new CSK was published 41 hours (147600 seconds) ago. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600 published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" -set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. 
@@ -3457,12 +3447,12 @@ set_zone "step5.csk-roll2.autosign" set_policy "csk-roll2" "2" "3600" set_server "ns3" "10.53.0.3" # The old CSK (KEY1) DNSKEY can be removed. -set_keysigning "KEY1" "no" -set_keystate "KEY1" "STATE_DNSKEY" "unretentive" -set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keysigning "KEY1" "no" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keystate "KEY1" "STATE_DS" "hidden" # The new CSK (KEY2) is now fully OMNIPRESENT. -set_keystate "KEY2" "STATE_DS" "omnipresent" +set_keystate "KEY2" "STATE_DS" "omnipresent" # Various signing policy checks. check_keys @@ -3473,10 +3463,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16682400 # - The new CSK was published 173 hours (622800 seconds) ago. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -622800 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -622800 published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" -set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. @@ -3509,10 +3499,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" csk_rollover_predecessor_keytimes -16689600 # - The new CSK was published 175 hours (630000 seconds) ago. created=$(key_get KEY2 CREATED) -set_addkeytime "KEY2" "PUBLISHED" "${created}" -630000 +set_addkeytime "KEY2" "PUBLISHED" "${created}" -630000 published=$(key_get KEY2 PUBLISHED) set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}" -set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" +set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}" set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}" # Continue signing policy checks. 
@@ -3555,39 +3545,39 @@ Lzsk=31536000 IretKSK=180000 IretZSK=867600 # KSK (KEY1) is outgoing. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "${Lksk}" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "${Lksk}" set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" -set_keystate "KEY1" "GOAL" "hidden" -set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "unretentive" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" +set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY1" "STATE_DS" "unretentive" # KSK (KEY2) is incoming. -key_clear "KEY2" -set_keyrole "KEY2" "ksk" -set_keylifetime "KEY2" "${Lksk}" +key_clear "KEY2" +set_keyrole "KEY2" "ksk" +set_keylifetime "KEY2" "${Lksk}" set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY2" "yes" -set_zonesigning "KEY2" "no" -set_keystate "KEY2" "GOAL" "omnipresent" -set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY2" "STATE_DS" "rumoured" +set_keysigning "KEY2" "yes" +set_zonesigning "KEY2" "no" +set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY2" "STATE_KRRSIG" "omnipresent" +set_keystate "KEY2" "STATE_DS" "rumoured" # We will introduce the third KSK shortly. -key_clear "KEY3" +key_clear "KEY3" # ZSK (KEY4). 
-key_clear "KEY4" -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "${Lzsk}" +key_clear "KEY4" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "${Lzsk}" set_keyalgorithm "KEY4" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY4" "no" -set_zonesigning "KEY4" "yes" -set_keystate "KEY4" "GOAL" "omnipresent" -set_keystate "KEY4" "STATE_DNSKEY" "omnipresent" -set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "yes" +set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY4" "STATE_DNSKEY" "omnipresent" +set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent" # Run preliminary tests. check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -3597,7 +3587,7 @@ dnssec_verify # Roll over KEY2. # Set expected key lifetime, which is DNSKEY TTL plus the zone propagation delay, # plus the publish-safety: 7200s + 1h + 1d = 97200 seconds. -set_keylifetime "KEY2" "97200" +set_keylifetime "KEY2" "97200" created=$(key_get KEY2 CREATED) rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE" # Update expected number of keys and key states. 
@@ -3605,15 +3595,15 @@ set_keystate "KEY2" "GOAL" "hidden" set_policy "ksk-doubleksk" "4" "7200" CDNSKEY="no" # New KSK (KEY3) is introduced. -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "${Lksk}" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "${Lksk}" set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" -set_keystate "KEY3" "GOAL" "omnipresent" -set_keystate "KEY3" "STATE_DNSKEY" "rumoured" -set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" +set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "STATE_DNSKEY" "rumoured" +set_keystate "KEY3" "STATE_KRRSIG" "rumoured" +set_keystate "KEY3" "STATE_DS" "hidden" # Run tests again. We now expect four keys (3x KSK, 1x ZSK). check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" @@ -3626,22 +3616,22 @@ set_zone "dynamic2inline.kasp" set_policy "default" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" # The CSK is rumoured. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" # Various signing policy checks. check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 
@@ -3664,29 +3654,29 @@ set_zone "step1.algorithm-roll.kasp" set_policy "rsasha256" "2" "3600" set_server "ns6" "10.53.0.6" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "0" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" key_clear "KEY3" key_clear "KEY4" # The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "omnipresent" +set_keystate "KEY2" "GOAL" "omnipresent" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" 
@@ -3712,21 +3702,21 @@ set_zone "step1.csk-algorithm-roll.kasp" set_policy "csk-algoroll" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" # The CSK (KEY1) starts in OMNIPRESENT. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # Various signing policy checks. check_keys 
@@ -3769,31 +3759,31 @@ IretKSK=93600 IretZSK=867900 init_migration_insecure() { - key_clear "KEY1" - set_keyrole "KEY1" "ksk" - set_keylifetime "KEY1" "${Lksk}" - set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" - set_keysigning "KEY1" "yes" - set_zonesigning "KEY1" "no" - - set_keystate "KEY1" "GOAL" "omnipresent" - set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" - set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" - set_keystate "KEY1" "STATE_DS" "omnipresent" - - key_clear "KEY2" - set_keyrole "KEY2" "zsk" - set_keylifetime "KEY2" "${Lzsk}" - set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" - set_keysigning "KEY2" "no" - set_zonesigning "KEY2" "yes" - - set_keystate "KEY2" "GOAL" "omnipresent" - set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" - set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" - - key_clear "KEY3" - key_clear "KEY4" + key_clear "KEY1" + set_keyrole "KEY1" "ksk" + set_keylifetime "KEY1" "${Lksk}" + set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" + set_keysigning "KEY1" "yes" + set_zonesigning "KEY1" "no" + + set_keystate "KEY1" "GOAL" "omnipresent" + set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" + set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" + set_keystate "KEY1" "STATE_DS" "omnipresent" + + key_clear "KEY2" + set_keyrole "KEY2" "zsk" + set_keylifetime "KEY2" "${Lzsk}" + set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS" + set_keysigning "KEY2" "no" + set_zonesigning "KEY2" "yes" + + set_keystate "KEY2" "GOAL" "omnipresent" + set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" + set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" + + key_clear "KEY3" + key_clear "KEY4" } init_migration_insecure 
@@ -3836,17 +3826,17 @@ set_zone "step1.going-straight-to-none.kasp" set_policy "default" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # This policy only has one key. key_clear "KEY2" key_clear "KEY3" @@ -3857,8 +3847,8 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" # The first key is immediately published and activated. created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "PUBLISHED" "${created}" -set_keytime "KEY1" "ACTIVE" "${created}" +set_keytime "KEY1" "PUBLISHED" "${created}" +set_keytime "KEY1" "ACTIVE" "${created}" set_keytime "KEY1" "SYNCPUBLISH" "${created}" # Key lifetime is unlimited, so not setting RETIRED and REMOVED. check_keytimes 
@@ -3875,45 +3865,45 @@ rndc_reconfig ns6 10.53.0.6 # Calculate time passed to correctly check for next key events. now="$(TZ=UTC date +%s)" -time_passed=$((now-start_time)) +time_passed=$((now - start_time)) echo_i "${time_passed} seconds passed between start of tests and reconfig" # Wait until we have seen "zone_rekey done:" message for this key. _wait_for_done_signing() { - _zone=$1 - - _ksk=$(key_get $2 KSK) - _zsk=$(key_get $2 ZSK) - if [ "$_ksk" = "yes" ]; then - _role="KSK" - _expect_type=EXPECT_KRRSIG - elif [ "$_zsk" = "yes" ]; then - _role="ZSK" - _expect_type=EXPECT_ZRRSIG - fi - - if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then - _keyid=$(key_get $2 ID) - _keyalg=$(key_get $2 ALG_STR) - echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}" - grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1 - fi - - return 0 + _zone=$1 + + _ksk=$(key_get $2 KSK) + _zsk=$(key_get $2 ZSK) + if [ "$_ksk" = "yes" ]; then + _role="KSK" + _expect_type=EXPECT_KRRSIG + elif [ "$_zsk" = "yes" ]; then + _role="ZSK" + _expect_type=EXPECT_ZRRSIG + fi + + if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then + _keyid=$(key_get $2 ID) + _keyalg=$(key_get $2 ALG_STR) + echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}" + grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" >/dev/null || return 1 + fi + + return 0 } wait_for_done_signing() { - n=$((n+1)) - echo_i "wait for zone ${ZONE} is done signing ($n)" - ret=0 + n=$((n + 1)) + echo_i "wait for zone ${ZONE} is done signing ($n)" + ret=0 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1 - retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 
|| ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1 + retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1 - test "$ret" -eq 0 || echo_i "failed" - status=$((status+ret)) + test "$ret" -eq 0 || echo_i "failed" + status=$((status + ret)) } # Test dynamic zones that switch to inline-signing. @@ -3921,22 +3911,22 @@ set_zone "dynamic2inline.kasp" set_policy "default" "1" "3600" set_server "ns6" "10.53.0.6" # Key properties. -key_clear "KEY1" -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" key_clear "KEY2" key_clear "KEY3" key_clear "KEY4" # The CSK is rumoured. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "rumoured" set_keystate "KEY1" "STATE_KRRSIG" "rumoured" set_keystate "KEY1" "STATE_ZRRSIG" "rumoured" -set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DS" "hidden" # Various signing policy checks. check_keys check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" 
@@ -3994,14 +3984,14 @@ set_server "ns6" "10.53.0.6" # The DS is long enough removed from the zone to be considered HIDDEN. # This means the DNSKEY and the KSK signatures can be removed. -set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY1" "STATE_DNSKEY" "unretentive" -set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keysigning "KEY1" "no" +set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keysigning "KEY1" "no" -set_keystate "KEY2" "STATE_DNSKEY" "unretentive" -set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" -set_zonesigning "KEY2" "no" +set_keystate "KEY2" "STATE_DNSKEY" "unretentive" +set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" +set_zonesigning "KEY2" "no" # Various signing policy checks. check_keys @@ -4062,14 +4052,14 @@ set_server "ns6" "10.53.0.6" # The DS is long enough removed from the zone to be considered HIDDEN. # This means the DNSKEY and the KSK signatures can be removed. -set_keystate "KEY1" "STATE_DS" "hidden" -set_keystate "KEY1" "STATE_DNSKEY" "unretentive" -set_keystate "KEY1" "STATE_KRRSIG" "unretentive" -set_keysigning "KEY1" "no" +set_keystate "KEY1" "STATE_DS" "hidden" +set_keystate "KEY1" "STATE_DNSKEY" "unretentive" +set_keystate "KEY1" "STATE_KRRSIG" "unretentive" +set_keysigning "KEY1" "no" -set_keystate "KEY2" "STATE_DNSKEY" "unretentive" -set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" -set_zonesigning "KEY2" "no" +set_keystate "KEY2" "STATE_DNSKEY" "unretentive" +set_keystate "KEY2" "STATE_ZRRSIG" "unretentive" +set_zonesigning "KEY2" "no" # Various signing policy checks. check_keys 
@@ -4092,17 +4082,17 @@ set_server "ns6" "10.53.0.6" # The zone will go bogus after signatures expire, but remains validly signed for now. # Key properties. -set_keyrole "KEY1" "csk" -set_keylifetime "KEY1" "0" +set_keyrole "KEY1" "csk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "yes" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "yes" # DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait. -set_keystate "KEY1" "GOAL" "omnipresent" +set_keystate "KEY1" "GOAL" "omnipresent" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY1" "STATE_DS" "omnipresent" # This policy only has one key. key_clear "KEY2" key_clear "KEY3" 
@@ -4130,47 +4120,47 @@ set_zone "step1.algorithm-roll.kasp" set_policy "ecdsa256" "4" "3600" set_server "ns6" "10.53.0.6" # Old RSASHA1 keys. -key_clear "KEY1" -set_keyrole "KEY1" "ksk" -set_keylifetime "KEY1" "0" +key_clear "KEY1" +set_keyrole "KEY1" "ksk" +set_keylifetime "KEY1" "0" set_keyalgorithm "KEY1" "8" "RSASHA256" "2048" -set_keysigning "KEY1" "yes" -set_zonesigning "KEY1" "no" +set_keysigning "KEY1" "yes" +set_zonesigning "KEY1" "no" -key_clear "KEY2" -set_keyrole "KEY2" "zsk" -set_keylifetime "KEY2" "0" +key_clear "KEY2" +set_keyrole "KEY2" "zsk" +set_keylifetime "KEY2" "0" set_keyalgorithm "KEY2" "8" "RSASHA256" "2048" -set_keysigning "KEY2" "no" -set_zonesigning "KEY2" "yes" +set_keysigning "KEY2" "no" +set_zonesigning "KEY2" "yes" # New ECDSAP256SHA256 keys. -key_clear "KEY3" -set_keyrole "KEY3" "ksk" -set_keylifetime "KEY3" "0" +key_clear "KEY3" +set_keyrole "KEY3" "ksk" +set_keylifetime "KEY3" "0" set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY3" "yes" -set_zonesigning "KEY3" "no" +set_keysigning "KEY3" "yes" +set_zonesigning "KEY3" "no" -key_clear "KEY4" -set_keyrole "KEY4" "zsk" -set_keylifetime "KEY4" "0" +key_clear "KEY4" +set_keyrole "KEY4" "zsk" +set_keylifetime "KEY4" "0" set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256" -set_keysigning "KEY4" "no" -set_zonesigning "KEY4" "yes" +set_keysigning "KEY4" "no" +set_zonesigning "KEY4" "yes" # The RSAHSHA1 keys are outroducing. -set_keystate "KEY1" "GOAL" "hidden" +set_keystate "KEY1" "GOAL" "hidden" set_keystate "KEY1" "STATE_DNSKEY" "omnipresent" set_keystate "KEY1" "STATE_KRRSIG" "omnipresent" -set_keystate "KEY1" "STATE_DS" "omnipresent" -set_keystate "KEY2" "GOAL" "hidden" +set_keystate "KEY1" "STATE_DS" "omnipresent" +set_keystate "KEY2" "GOAL" "hidden" set_keystate "KEY2" "STATE_DNSKEY" "omnipresent" set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent" # The ECDSAP256SHA256 keys are introducing. 
-set_keystate "KEY3" "GOAL" "omnipresent" +set_keystate "KEY3" "GOAL" "omnipresent" set_keystate "KEY3" "STATE_DNSKEY" "rumoured" set_keystate "KEY3" "STATE_KRRSIG" "rumoured" -set_keystate "KEY3" "STATE_DS" "hidden" -set_keystate "KEY4" "GOAL" "omnipresent" +set_keystate "KEY3" "STATE_DS" "hidden" +set_keystate "KEY4" "GOAL" "omnipresent" set_keystate "KEY4" "STATE_DNSKEY" "rumoured" set_keystate "KEY4" "STATE_ZRRSIG" "rumoured" @@ -4184,9 +4174,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes 0 # - KSK must be retired since it no longer matches the policy. keyfile=$(key_get KEY1 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk -retired=$(awk '{print $3}' < retired.test${n}.ksk) -set_keytime "KEY1" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk +retired=$(awk '{print $3}' <retired.test${n}.ksk) +set_keytime "KEY1" "RETIRED" "${retired}" # - The key is removed after the retire interval: # IretKSK = TTLds + DprpP + retire-safety # TTLds: 2h (7200 seconds) @@ -4194,12 +4184,12 @@ set_keytime "KEY1" "RETIRED" "${retired}" # retire-safety: 2h (7200 seconds) # IretKSK: 5h (18000 seconds) IretKSK=18000 -set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" +set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}" # - ZSK must be retired since it no longer matches the policy. keyfile=$(key_get KEY2 BASEFILE) -grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk -retired=$(awk '{print $3}' < retired.test${n}.zsk) -set_keytime "KEY2" "RETIRED" "${retired}" +grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk +retired=$(awk '{print $3}' <retired.test${n}.zsk) +set_keytime "KEY2" "RETIRED" "${retired}" # - The key is removed after the retire interval: # IretZSK = TTLsig + Dprp + Dsgn + retire-safety # TTLsig: 6h (21600 seconds) 
@@ -4208,11 +4198,11 @@ set_keytime "KEY2" "RETIRED" "${retired}" # retire-safety: 2h (7200 seconds) # IretZSK: 25d9h (2192400 seconds) IretZSK=2192400 -set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" +set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}" # - The new KSK is published and activated. created=$(key_get KEY3 CREATED) -set_keytime "KEY3" "PUBLISHED" "${created}" -set_keytime "KEY3" "ACTIVE" "${created}" +set_keytime "KEY3" "PUBLISHED" "${created}" +set_keytime "KEY3" "ACTIVE" "${created}" # - It takes TTLsig + Dprp + publish-safety hours to propagate the zone. # TTLsig: 6h (39600 seconds) # Dprp: 1h (3600 seconds) @@ -4222,8 +4212,8 @@ Ipub=28800 set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}" # - The new ZSK is published and activated. created=$(key_get KEY4 CREATED) -set_keytime "KEY4" "PUBLISHED" "${created}" -set_keytime "KEY4" "ACTIVE" "${created}" +set_keytime "KEY4" "PUBLISHED" "${created}" +set_keytime "KEY4" "ACTIVE" "${created}" # Continue signing policy checks. check_keytimes 
@@ -4262,22 +4252,22 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" rollover_predecessor_keytimes -10800 # - KSK must be retired since it no longer matches the policy. created=$(key_get KEY1 CREATED) -set_keytime "KEY1" "RETIRED" "${created}" +set_keytime "KEY1" "RETIRED" "${created}" set_addkeytime "KEY1" "REMOVED" "${created}" "${IretKSK}" # - ZSK must be retired since it no longer matches the policy. created=$(key_get KEY2 CREATED) -set_keytime "KEY2" "RETIRED" "${created}" +set_keytime "KEY2" "RETIRED" "${created}" set_addkeytime "KEY2" "REMOVED" "${created}" "${IretZSK}" # - The new keys are published 3 hours ago. created=$(key_get KEY3 CREATED) -set_addkeytime "KEY3" "PUBLISHED" "${created}" -10800 -set_addkeytime "KEY3" "ACTIVE" "${created}" -10800 +set_addkeytime "KEY3" "PUBLISHED" "${created}" -10800 +set_addkeytime "KEY3" "ACTIVE" "${created}" -10800 published=$(key_get KEY3 PUBLISHED) set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${Ipub}" created=$(key_get KEY4 CREATED) -set_addkeytime "KEY4" "PUBLISHED" "${created}" -10800 -set_addkeytime "KEY4" "ACTIVE" "${created}" -10800 +set_addkeytime "KEY4" "PUBLISHED" "${created}" -10800 +set_addkeytime "KEY4" "ACTIVE" "${created}" -10800 # Continue signing policy checks. check_keytimes @@ -4292,7 +4282,7 @@ dnssec_verify # should be scheduled in 6 hour: 21600 seconds. Prevent intermittent # false positives on slow platforms by subtracting the number of seconds # which passed between key creation and invoking 'rndc reconfig'. -next_time=$((21600-time_passed)) +next_time=$((21600 - time_passed)) check_next_key_event $next_time # 
@@ -4304,8 +4294,8 @@ set_server "ns6" "10.53.0.6"
 # The ECDSAP256SHA256 keys are introducing.
 set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
 # The DS can be swapped.
-set_keystate "KEY1" "STATE_DS" "unretentive"
-set_keystate "KEY3" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY3" "STATE_DS" "rumoured"
 # Various signing policy checks.
 check_keys
@@ -4319,24 +4309,24 @@ check_cdslog "$DIR" "$ZONE" KEY3
 rollover_predecessor_keytimes -32400
 # - And retired 6 hours ago (21600 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -21600
+set_addkeytime "KEY1" "RETIRED" "${created}" -21600
 retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -21600
+set_addkeytime "KEY2" "RETIRED" "${created}" -21600
 retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
 # - The new keys are published 9 hours ago.
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400
-set_addkeytime "KEY3" "ACTIVE" "${created}" -32400
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400
+set_addkeytime "KEY3" "ACTIVE" "${created}" -32400
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
 created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400
-set_addkeytime "KEY4" "ACTIVE" "${created}" -32400
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400
+set_addkeytime "KEY4" "ACTIVE" "${created}" -32400
 # Continue signing policy checks.
 check_keytimes
@@ -4347,7 +4337,7 @@ dnssec_verify
 # Tell named we "saw" the parent swap the DS and see if the next key event is
 # scheduled at the correct time.
 rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
-rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
 # Next key event is when the DS becomes OMNIPRESENT. This happens after the
 # parent propagation delay, retire safety delay, and DS TTL:
 # 1h + 2h + 2h = 5h = 18000 seconds.
@@ -4360,17 +4350,17 @@ set_zone "step4.algorithm-roll.kasp"
 set_policy "ecdsa256" "4" "3600"
 set_server "ns6" "10.53.0.6"
 # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
-set_keysigning "KEY1" "no"
-set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_DS" "hidden"
-
-set_zonesigning "KEY2" "no"
-set_keystate "KEY2" "GOAL" "hidden"
-set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
+set_keysigning "KEY1" "no"
+set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
+set_keystate "KEY1" "STATE_DS" "hidden"
+
+set_zonesigning "KEY2" "no"
+set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
 # The ECDSAP256SHA256 DS is now OMNIPRESENT.
-set_keystate "KEY3" "STATE_DS" "omnipresent"
+set_keystate "KEY3" "STATE_DS" "omnipresent"
 # Various signing policy checks.
 check_keys
@@ -4382,25 +4372,25 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 rollover_predecessor_keytimes -136800
 # - And retired 35 hours ago (126000 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -126000
+set_addkeytime "KEY1" "RETIRED" "${created}" -126000
 retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -126000
+set_addkeytime "KEY2" "RETIRED" "${created}" -126000
 retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
 # - The new keys are published 38 hours ago.
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
 created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY4" "ACTIVE" "${created}" -136800
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY4" "ACTIVE" "${created}" -136800
 # Continue signing policy checks.
 check_keytimes
@@ -4433,25 +4423,25 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 rollover_predecessor_keytimes -144000
 # - And retired 37 hours ago (133200 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -133200
+set_addkeytime "KEY1" "RETIRED" "${created}" -133200
 retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -133200
+set_addkeytime "KEY2" "RETIRED" "${created}" -133200
 retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
 # The new keys are published 40 hours ago.
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000
-set_addkeytime "KEY3" "ACTIVE" "${created}" -144000
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000
+set_addkeytime "KEY3" "ACTIVE" "${created}" -144000
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
 created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000
-set_addkeytime "KEY4" "ACTIVE" "${created}" -144000
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000
+set_addkeytime "KEY4" "ACTIVE" "${created}" -144000
 # Continue signing policy checks.
 check_keytimes
@@ -4465,7 +4455,7 @@ dnssec_verify
 # been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
 # false positives on slow platforms by subtracting the number of seconds
 # which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((25200-time_passed))
+next_time=$((25200 - time_passed))
 check_next_key_event $next_time
 #
@@ -4487,25 +4477,25 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 rollover_predecessor_keytimes -169200
 # - And retired 44 hours ago (158400 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -158400
+set_addkeytime "KEY1" "RETIRED" "${created}" -158400
 retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -158400
+set_addkeytime "KEY2" "RETIRED" "${created}" -158400
 retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
 # The new keys are published 47 hours ago.
 created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200
-set_addkeytime "KEY3" "ACTIVE" "${created}" -169200
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200
+set_addkeytime "KEY3" "ACTIVE" "${created}" -169200
 published=$(key_get KEY3 PUBLISHED)
 set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
 created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200
-set_addkeytime "KEY4" "ACTIVE" "${created}" -169200
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200
+set_addkeytime "KEY4" "ACTIVE" "${created}" -169200
 # Continue signing policy checks.
 check_keytimes
@@ -4532,33 +4522,33 @@ set_zone "step1.csk-algorithm-roll.kasp"
 set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # Old RSASHA1 key.
-key_clear "KEY1"
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+key_clear "KEY1"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
 set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
 # New ECDSAP256SHA256 key.
-key_clear "KEY2"
-set_keyrole "KEY2" "csk"
-set_keylifetime "KEY2" "0"
+key_clear "KEY2"
+set_keyrole "KEY2" "csk"
+set_keylifetime "KEY2" "0"
 set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "yes"
-set_zonesigning "KEY2" "yes"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "yes"
 key_clear "KEY3"
 key_clear "KEY4"
 # The RSAHSHA1 key is outroducing.
-set_keystate "KEY1" "GOAL" "hidden"
+set_keystate "KEY1" "GOAL" "hidden"
 set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
 set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
 set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
 # The ECDSAP256SHA256 key is introducing.
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "GOAL" "omnipresent"
 set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
 set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
 set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY2" "STATE_DS" "hidden"
+set_keystate "KEY2" "STATE_DS" "hidden"
 # Various signing policy checks.
 check_keys
@@ -4569,9 +4559,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 # - CSK must be retired since it no longer matches the policy.
 csk_rollover_predecessor_keytimes 0
 keyfile=$(key_get KEY1 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
-retired=$(awk '{print $3}' < retired.test${n}.ksk)
-set_keytime "KEY1" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
+retired=$(awk '{print $3}' <retired.test${n}.ksk)
+set_keytime "KEY1" "RETIRED" "${retired}"
 # - The key is removed after the retire interval:
 # IretZSK = TTLsig + Dprp + Dsgn + retire-safety
 # TTLsig: 6h (21600 seconds)
@@ -4580,11 +4570,11 @@ set_keytime "KEY1" "RETIRED" "${retired}"
 # retire-safety: 2h (7200 seconds)
 # IretZSK: 25d9h (2192400 seconds)
 IretCSK=2192400
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
 # - The new CSK is published and activated.
 created=$(key_get KEY2 CREATED)
-set_keytime "KEY2" "PUBLISHED" "${created}"
-set_keytime "KEY2" "ACTIVE" "${created}"
+set_keytime "KEY2" "PUBLISHED" "${created}"
+set_keytime "KEY2" "ACTIVE" "${created}"
 # - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
 # TTLsig: 6h (39600 seconds)
 # Dprp: 1h (3600 seconds)
@@ -4629,12 +4619,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 csk_rollover_predecessor_keytimes -10800
 # - CSK must be retired since it no longer matches the policy.
 created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "RETIRED" "${created}"
+set_keytime "KEY1" "RETIRED" "${created}"
 set_addkeytime "KEY1" "REMOVED" "${created}" "${IretCSK}"
 # - The new key was published 3 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -10800
-set_addkeytime "KEY2" "ACTIVE" "${created}" -10800
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -10800
+set_addkeytime "KEY2" "ACTIVE" "${created}" -10800
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
@@ -4651,7 +4641,7 @@ dnssec_verify
 # should be scheduled in 6 hour: 21600 seconds. Prevent intermittent
 # false positives on slow platforms by subtracting the number of seconds
 # which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((21600-time_passed))
+next_time=$((21600 - time_passed))
 check_next_key_event $next_time
 #
@@ -4665,8 +4655,8 @@ set_server "ns6" "10.53.0.6"
 # are now omnipresent, so the DS can be introduced.
 set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
 # The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
-set_keystate "KEY1" "STATE_DS" "unretentive"
-set_keystate "KEY2" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY2" "STATE_DS" "rumoured"
 # Various signing policy checks.
 check_keys
@@ -4680,13 +4670,13 @@ check_cdslog "$DIR" "$ZONE" KEY2
 csk_rollover_predecessor_keytimes -32400
 # - And was retired 6 hours ago (21600 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -21600
+set_addkeytime "KEY1" "RETIRED" "${created}" -21600
 retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
 # - The new key was published 9 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400
-set_addkeytime "KEY2" "ACTIVE" "${created}" -32400
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400
+set_addkeytime "KEY2" "ACTIVE" "${created}" -32400
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
@@ -4711,14 +4701,14 @@ set_zone "step4.csk-algorithm-roll.kasp"
 set_policy "csk-algoroll" "2" "3600"
 set_server "ns6" "10.53.0.6"
 # The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
-set_keysigning "KEY1" "no"
-set_zonesigning "KEY1" "no"
-set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keysigning "KEY1" "no"
+set_zonesigning "KEY1" "no"
+set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
+set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
+set_keystate "KEY1" "STATE_DS" "hidden"
 # The ECDSAP256SHA256 DS is now OMNIPRESENT.
-set_keystate "KEY2" "STATE_DS" "omnipresent"
+set_keystate "KEY2" "STATE_DS" "omnipresent"
 # Various signing policy checks.
 check_keys
@@ -4730,13 +4720,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 csk_rollover_predecessor_keytimes -136800
 # - And retired 35 hours ago (126000 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -126000
+set_addkeytime "KEY1" "RETIRED" "${created}" -126000
 retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
 # - The new key was published 38 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
@@ -4770,13 +4760,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 csk_rollover_predecessor_keytimes -144000
 # - And retired 37 hours ago (133200 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -133200
+set_addkeytime "KEY1" "RETIRED" "${created}" -133200
 retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
 # - The new key was published 40 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000
-set_addkeytime "KEY2" "ACTIVE" "${created}" -144000
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000
+set_addkeytime "KEY2" "ACTIVE" "${created}" -144000
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
@@ -4792,7 +4782,7 @@ dnssec_verify
 # been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
 # false positives on slow platforms by subtracting the number of seconds
 # which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((25200-time_passed))
+next_time=$((25200 - time_passed))
 check_next_key_event $next_time
 #
@@ -4814,13 +4804,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
 csk_rollover_predecessor_keytimes -169200
 # - And retired 44 hours ago (158400 seconds).
 created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -158400
+set_addkeytime "KEY1" "RETIRED" "${created}" -158400
 retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
 # - The new key was published 47 hours ago.
 created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200
-set_addkeytime "KEY2" "ACTIVE" "${created}" -169200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200
+set_addkeytime "KEY2" "ACTIVE" "${created}" -169200
 published=$(key_get KEY2 PUBLISHED)
 set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
@@ -4835,48 +4825,48 @@ dnssec_verify
 check_next_key_event 3600
 _check_soa_ttl() {
- dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa2 || return 1
- soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa1)
- soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa2)
- ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa1)
- ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa2)
- test ${soa1:-1000} -lt ${soa2:-0} || return 1
- test ${ttl1:-0} -eq $1 || return 1
- test ${ttl2:-0} -eq $2 || return 1
+ dig_with_opts @10.53.0.6 example SOA >dig.out.ns6.test$n.soa2 || return 1
+ soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa1)
+ soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa2)
+ ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa1)
+ ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa2)
+ test ${soa1:-1000} -lt ${soa2:-0} || return 1
+ test ${ttl1:-0} -eq $1 || return 1
+ test ${ttl2:-0} -eq $2 || return 1
 }
-n=$((n+1))
+n=$((n + 1))
 echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)"
 TSIG=
 ret=0
-dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa1 || ret=1
+dig_with_opts @10.53.0.6 example SOA >dig.out.ns6.test$n.soa1 || ret=1
 cp ns6/example2.db.in ns6/example.db || ret=1
-nextpart ns6/named.run > /dev/null
+nextpart ns6/named.run >/dev/null
 rndccmd 10.53.0.6 reload || ret=1
 wait_for_log 3 "all zones loaded" ns6/named.run
 # Check that the SOA SERIAL increases and check the TTLs (should be 300 as
 # defined in ns6/example2.db.in).
 retry_quiet 10 _check_soa_ttl 300 300 || ret=1
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
 echo_i "Check that restart with zone changes and deleted journal works ($n)"
 TSIG=
 ret=0
-dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa1 || ret=1
+dig_with_opts @10.53.0.6 example SOA >dig.out.ns6.test$n.soa1 || ret=1
 stop_server --use-rndc --port ${CONTROLPORT} ns6
 # TTL of all records change from 300 to 400
 cp ns6/example3.db.in ns6/example.db || ret=1
 rm ns6/example.db.jnl
-nextpart ns6/named.run > /dev/null
+nextpart ns6/named.run >/dev/null
 start_server --noclean --restart --port ${PORT} ns6
 wait_for_log 3 "all zones loaded" ns6/named.run
 # Check that the SOA SERIAL increases and check the TTLs (should be changed
 # from 300 to 400 as defined in ns6/example3.db.in).
 retry_quiet 10 _check_soa_ttl 300 400 || ret=1
 test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
|