summaryrefslogtreecommitdiffstats
path: root/bin/tests/system/kasp
diff options
context:
space:
mode:
Diffstat (limited to 'bin/tests/system/kasp')
-rw-r--r--bin/tests/system/kasp/clean.sh1
-rw-r--r--bin/tests/system/kasp/ns3/named-fips.conf.in21
-rw-r--r--bin/tests/system/kasp/ns3/setup.sh774
-rw-r--r--bin/tests/system/kasp/ns4/setup.sh13
-rw-r--r--bin/tests/system/kasp/ns5/setup.sh13
-rw-r--r--bin/tests/system/kasp/ns6/setup.sh375
-rw-r--r--bin/tests/system/kasp/setup.sh44
-rw-r--r--bin/tests/system/kasp/tests.sh2487
8 files changed, 1890 insertions, 1838 deletions
diff --git a/bin/tests/system/kasp/clean.sh b/bin/tests/system/kasp/clean.sh
index db264c2..d31b53a 100644
--- a/bin/tests/system/kasp/clean.sh
+++ b/bin/tests/system/kasp/clean.sh
@@ -29,6 +29,7 @@ rm -f ns*/*.mkeys
rm -f ns*/zones ns*/*.db.infile
rm -f ns*/*.zsk1 ns*/*.zsk2
rm -f ns3/legacy-keys.*
+rm -rf ns3/keys/
rm -f *.created published.test* retired.test*
rm -f rndc.dnssec.*.out.* rndc.zonestatus.out.*
rm -f python.out.*
diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in
index a6e8b3a..8debcd2 100644
--- a/bin/tests/system/kasp/ns3/named-fips.conf.in
+++ b/bin/tests/system/kasp/ns3/named-fips.conf.in
@@ -49,6 +49,15 @@ zone "default.kasp" {
dnssec-policy "default";
};
+/* A zone with special characters. */
+zone "i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp." {
+ type primary;
+ file "i-am.special.kasp.db";
+ check-names ignore;
+ inline-signing yes;
+ dnssec-policy "default";
+};
+
/* checkds: Zone with one KSK. */
zone "checkds-ksk.kasp" {
type primary;
@@ -146,6 +155,18 @@ zone "dynamic-inline-signing.kasp" {
inline-signing yes;
};
+/*
+ * A dynamic inline-signed zone with dnssec-policy with DNSSEC records in the
+ * raw version of the zone.
+ */
+zone "dynamic-signed-inline-signing.kasp" {
+ type primary;
+ file "dynamic-signed-inline-signing.kasp.db.signed";
+ key-directory "keys";
+ dnssec-policy "default";
+ allow-update { any; };
+};
+
/* An inline-signed zone with dnssec-policy. */
zone "inline-signing.kasp" {
type primary;
diff --git a/bin/tests/system/kasp/ns3/setup.sh b/bin/tests/system/kasp/ns3/setup.sh
index 8af40ed..41cf379 100644
--- a/bin/tests/system/kasp/ns3/setup.sh
+++ b/bin/tests/system/kasp/ns3/setup.sh
@@ -17,20 +17,20 @@
echo_i "ns3/setup.sh"
setup() {
- zone="$1"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- infile="${zone}.db.infile"
- echo "$zone" >> zones
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+ echo "$zone" >>zones
}
# Set in the key state files the Predecessor/Successor fields.
# Key $1 is the predecessor of key $2.
key_successor() {
- id1=$(keyfile_to_key_id "$1")
- id2=$(keyfile_to_key_id "$2")
- echo "Predecessor: ${id1}" >> "${2}.state"
- echo "Successor: ${id2}" >> "${1}.state"
+ id1=$(keyfile_to_key_id "$1")
+ id2=$(keyfile_to_key_id "$2")
+ echo "Predecessor: ${id1}" >>"${2}.state"
+ echo "Successor: ${id2}" >>"${1}.state"
}
# Make lines shorter by storing key states in environment variables.
@@ -43,94 +43,100 @@ U="UNRETENTIVE"
# Set up zones that will be initially signed.
#
for zn in default dnssec-keygen some-keys legacy-keys pregenerated \
- rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \
- dynamic dynamic-inline-signing inline-signing \
- checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
- manual-rollover multisigner-model2
-do
- setup "${zn}.kasp"
- cp template.db.in "$zonefile"
+ rumoured rsasha256 rsasha512 ecdsa256 ecdsa384 \
+ dynamic dynamic-inline-signing inline-signing \
+ checkds-ksk checkds-doubleksk checkds-csk inherit unlimited \
+ manual-rollover multisigner-model2; do
+ setup "${zn}.kasp"
+ cp template.db.in "$zonefile"
done
#
+# Setup special zone
+#
+zone="i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp."
+echo_i "setting up zone: $zone"
+cp template.db.in "i-am.special.kasp.db"
+
+#
# Set up RSASHA1 based zones
#
-for zn in rsasha1 rsasha1-nsec3
-do
- if (cd ..; $SHELL ../testcrypto.sh -q RSASHA1)
- then
- setup "${zn}.kasp"
- cp template.db.in "$zonefile"
- else
- # don't add to zones.
- echo_i "setting up zone: ${zn}.kasp"
- cp template.db.in "${zn}.kasp.db"
- fi
+for zn in rsasha1 rsasha1-nsec3; do
+ if (
+ cd ..
+ $SHELL ../testcrypto.sh -q RSASHA1
+ ); then
+ setup "${zn}.kasp"
+ cp template.db.in "$zonefile"
+ else
+ # don't add to zones.
+ echo_i "setting up zone: ${zn}.kasp"
+ cp template.db.in "${zn}.kasp.db"
+ fi
done
if [ -f ../ed25519-supported.file ]; then
- setup "ed25519.kasp"
- cp template.db.in "$zonefile"
- cat ed25519.conf >> named.conf
+ setup "ed25519.kasp"
+ cp template.db.in "$zonefile"
+ cat ed25519.conf >>named.conf
fi
if [ -f ../ed448-supported.file ]; then
- setup "ed448.kasp"
- cp template.db.in "$zonefile"
- cat ed448.conf >> named.conf
+ setup "ed448.kasp"
+ cp template.db.in "$zonefile"
+ cat ed448.conf >>named.conf
fi
# Set up zones that stay unsigned.
-for zn in unsigned insecure max-zone-ttl
-do
- zone="${zn}.kasp"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- infile="${zone}.db.infile"
- cp template.db.in $infile
- cp template.db.in $zonefile
+for zn in unsigned insecure max-zone-ttl; do
+ zone="${zn}.kasp"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
+ cp template.db.in $infile
+ cp template.db.in $zonefile
done
# Some of these zones already have keys.
zone="dnssec-keygen.kasp"
echo_i "setting up zone: $zone"
-$KEYGEN -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
+$KEYGEN -k rsasha256 -l policies/kasp.conf $zone >keygen.out.$zone.1 2>&1
zone="some-keys.kasp"
echo_i "setting up zone: $zone"
-$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 $zone > keygen.out.$zone.1 2>&1
-$KEYGEN -G -a RSASHA256 -f KSK -L 1234 $zone > keygen.out.$zone.2 2>&1
+$KEYGEN -G -a RSASHA256 -b 2048 -L 1234 $zone >keygen.out.$zone.1 2>&1
+$KEYGEN -G -a RSASHA256 -f KSK -L 1234 $zone >keygen.out.$zone.2 2>&1
zone="legacy-keys.kasp"
echo_i "setting up zone: $zone"
-ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.1)
-KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.2)
-echo $ZSK > legacy-keys.kasp.zsk
-echo $KSK > legacy-keys.kasp.ksk
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2>keygen.out.$zone.1)
+KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2>keygen.out.$zone.2)
+echo $ZSK >legacy-keys.kasp.zsk
+echo $KSK >legacy-keys.kasp.ksk
# Predecessor keys:
Tact="now-9mo"
Tret="now-3mo"
-ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2> keygen.out.$zone.3)
-KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2> keygen.out.$zone.4)
-$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK" > settime.out.$zone.1 2>&1
-$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK" > settime.out.$zone.2 2>&1
+ZSK=$($KEYGEN -a RSASHA256 -b 2048 -L 1234 $zone 2>keygen.out.$zone.3)
+KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $zone 2>keygen.out.$zone.4)
+$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$ZSK" >settime.out.$zone.1 2>&1
+$SETTIME -P $Tact -A $Tact -I $Tret -D $Tret "$KSK" >settime.out.$zone.2 2>&1
zone="pregenerated.kasp"
echo_i "setting up zone: $zone"
-$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
-$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1
+$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone >keygen.out.$zone.1 2>&1
+$KEYGEN -G -k rsasha256 -l policies/kasp.conf $zone >keygen.out.$zone.2 2>&1
zone="multisigner-model2.kasp"
echo_i "setting up zone: $zone"
# Import the ZSK sets of the other providers into their DNSKEY RRset.
-ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.1)
-ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2> keygen.out.$zone.2)
+ZSK1=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2>keygen.out.$zone.1)
+ZSK2=$($KEYGEN -K ../ -a $DEFAULT_ALGORITHM -L 3600 $zone 2>keygen.out.$zone.2)
# ZSK1 will be added to the unsigned zonefile.
-cat "../${ZSK1}.key" | grep -v ";.*" >> "${zone}.db"
-cat "../${ZSK1}.key" | grep -v ";.*" > "${zone}.zsk1"
+cat "../${ZSK1}.key" | grep -v ";.*" >>"${zone}.db"
+cat "../${ZSK1}.key" | grep -v ";.*" >"${zone}.zsk1"
rm -f "../${ZSK1}.*"
# ZSK2 will be used with a Dynamic Update.
-cat "../${ZSK2}.key" | grep -v ";.*" > "${zone}.zsk2"
+cat "../${ZSK2}.key" | grep -v ";.*" >"${zone}.zsk2"
rm -f "../${ZSK2}.*"
zone="rumoured.kasp"
@@ -138,12 +144,12 @@ echo_i "setting up zone: $zone"
Tpub="now"
Tact="now+1d"
keytimes="-P ${Tpub} -A ${Tact}"
-KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $keytimes $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes $zone 2> keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a RSASHA256 -L 1234 $keytimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" > settime.out.$zone.2 2>&1
+KSK=$($KEYGEN -a RSASHA256 -f KSK -L 1234 $keytimes $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -b 3072 -L 1234 $keytimes $zone 2>keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a RSASHA256 -L 1234 $keytimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub "$ZSK2" >settime.out.$zone.2 2>&1
#
# Set up zones that are already signed.
@@ -154,78 +160,91 @@ setup manual-rollover.kasp
T="now-1d"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -PS -x -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+
+# We are signing the raw version of the zone here. This is unusual and not
+# common operation, but want to make sure that in such a case BIND 9 does not
+# schedule a resigning operation on the raw version. Add expired signatures so
+# a resign is imminent.
+setup dynamic-signed-inline-signing.kasp
+T="now-1d"
+csktimes="-P $T -A $T -P sync $T"
+CSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -d $O $T -k $O $T -z $O $T -r $O $T "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+cp $infile $zonefile
+$SIGNER -PS -z -x -s now-2w -e now-1mi -o $zone -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# These signatures are set to expire long in the past, update immediately.
setup expired-sigs.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# These signatures are still good, and can be reused.
setup fresh-sigs.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# These signatures are still good, but not fresh enough, update immediately.
setup unfresh-sigs.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# These signatures are still good, but the private KSK is missing.
setup ksk-missing.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
-echo "KSK: yes" >> "${KSK}".state
-echo "ZSK: no" >> "${KSK}".state
-echo "Lifetime: 63072000" >> "${KSK}".state # PT2Y
+$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+echo "KSK: yes" >>"${KSK}".state
+echo "ZSK: no" >>"${KSK}".state
+echo "Lifetime: 63072000" >>"${KSK}".state # PT2Y
rm -f "${KSK}".private
# These signatures are still good, but the private ZSK is missing.
@@ -233,18 +252,18 @@ setup zsk-missing.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
-echo "KSK: no" >> "${ZSK}".state
-echo "ZSK: yes" >> "${ZSK}".state
-echo "Lifetime: 31536000" >> "${ZSK}".state # PT1Y
+$SIGNER -S -x -s now-1w -e now+1w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+echo "KSK: no" >>"${ZSK}".state
+echo "ZSK: yes" >>"${ZSK}".state
+echo "Lifetime: 31536000" >>"${ZSK}".state # PT1Y
rm -f "${ZSK}".private
# These signatures are already expired, and the private ZSK is retired.
@@ -252,16 +271,16 @@ setup zsk-retired.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T -I now"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 300 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
-$SETTIME -s -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1
+$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
+$SETTIME -s -g HIDDEN "$ZSK" >settime.out.$zone.3 2>&1
#
# The zones at enable-dnssec.autosign represent the various steps of the
@@ -289,12 +308,12 @@ TpubN="now-900s"
# Total: 43800 seconds
TsbmN="now+43800s"
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
-CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 3:
# The zone signatures have been published long enough to become OMNIPRESENT.
@@ -306,12 +325,12 @@ TcotN="now-43800s"
# We can submit the DS now.
TsbmN="now"
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
-CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 4:
# The DS has been submitted long enough ago to become OMNIPRESENT.
@@ -326,13 +345,12 @@ TpubN="now-56700s"
TcotN="now-55800s"
TsbmN="now-12000s"
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
-CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -P ds $TsbmN -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -P ds $TsbmN -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
-setup step4.enable-dnssec.autosign
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
#
# The zones at zsk-prepub.autosign represent the various steps of a ZSK
@@ -345,15 +363,15 @@ setup step1.zsk-prepub.autosign
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 2:
# It is time to pre-publish the successor ZSK.
@@ -385,15 +403,15 @@ setup step2.zsk-prepub.autosign
TactN="now-694h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 3:
# After the publication interval has passed the DNSKEY of the successor ZSK
@@ -442,21 +460,21 @@ TremN1="now+961h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" > settime.out.$zone.3 2>&1
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1 "$ZSK2" >settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $ZSK1 $ZSK2
# Sign zone.
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 4:
# After the retire interval has passed the predecessor DNSKEY can be
@@ -505,18 +523,18 @@ TremN1="now+30d"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $U $TretN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" > settime.out.$zone.3 2>&1
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $U $TretN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1 "$ZSK2" >settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $ZSK1 $ZSK2
# Sign zone.
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
cp $infile $zonefile
-$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 5:
# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
@@ -541,21 +559,21 @@ TremN1="now+719h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $U $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $U $TdeaN -z $H $TdeaN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" >settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $ZSK1 $ZSK2
# Sign zone.
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 6:
# The predecessor DNSKEY can be purged.
@@ -580,21 +598,21 @@ TremN1="now+718h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $H $TdeaN -z $H $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" > settime.out.$zone.3 2>&1
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $newtimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $H $TdeaN -z $H $TdeaN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN "$ZSK2" >settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $ZSK1 $ZSK2
# Sign zone.
-cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
#
# The zones at ksk-doubleksk.autosign represent the various steps of a KSK
@@ -607,13 +625,13 @@ setup step1.ksk-doubleksk.autosign
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 2:
# It is time to submit the introduce the new KSK.
@@ -657,15 +675,15 @@ setup step2.ksk-doubleksk.autosign
TactN="now-1413h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 3:
# It is time to submit the DS.
@@ -718,21 +736,21 @@ TremN1="now+1490h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
zsktimes="-P ${TactN} -A ${TactN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $KSK1 $KSK2
# Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 4:
# The DS should be swapped now.
@@ -779,21 +797,21 @@ TremN1="now+60d"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
zsktimes="-P ${TactN} -A ${TactN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -D ds $TsbmN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -P ds $TsbmN1 "$KSK2" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $KSK1 $KSK2
# Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 5:
# The predecessor DNSKEY is removed long enough that is has become HIDDEN.
@@ -818,21 +836,21 @@ TremN1="now+1442h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
zsktimes="-P ${TactN} -A ${TactN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $H -k $U $TretN -r $U $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $KSK1 $KSK2
# Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 6:
# The predecessor DNSKEY can be purged.
@@ -857,21 +875,21 @@ TremN1="now+1441h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
zsktimes="-P ${TactN} -A ${TactN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $H -k $H $TretN -r $H $TretN -d $H $TretN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $KSK1 $KSK2
# Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
#
# The zones at csk-roll.autosign represent the various steps of a CSK rollover
@@ -883,12 +901,12 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
setup step1.csk-roll.autosign
TactN="now"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 2:
# It is time to introduce the new CSK.
@@ -911,12 +929,12 @@ setup step2.csk-roll.autosign
# = now - 4464h + 3h = now - 4461h
TactN="now-4461h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 3:
# It is time to submit the DS and to roll signatures.
@@ -960,18 +978,18 @@ TretN1="now+186d"
TremN1="now+5091h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 4:
# Some time later all the ZRRSIG records should be from the new CSK, and the
@@ -1007,18 +1025,18 @@ TretN1="now+4460h"
TremN1="now+5087h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TsbmN1 -z $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 5:
# After the DS is swapped in step 4, also the KRRSIG records can be removed.
@@ -1043,18 +1061,18 @@ TretN1="now+4458h"
TremN1="now+5085h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $U now-2h -d $H now-2h -z $U $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 6:
# After the retire interval has passed the predecessor DNSKEY can be
@@ -1087,18 +1105,18 @@ TretN1="now+3837h"
TremN1="now+186d"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $H $TremN -d $H $TremN -z $U $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $R $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 7:
# Some time later the predecessor DNSKEY enters the HIDDEN state.
@@ -1122,18 +1140,18 @@ TretN1="now+3835h"
TremN1="now+4462h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 8:
# The predecessor DNSKEY can be purged.
@@ -1157,18 +1175,18 @@ TretN1="now+3834h"
TremN1="now+4461h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $H $TremN -r $H $TremN -d $H $TremN -z $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
#
# The zones at csk-roll2.autosign represent the various steps of a CSK rollover
@@ -1182,12 +1200,12 @@ $SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $i
setup step1.csk-roll2.autosign
TactN="now"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 2:
# It is time to introduce the new CSK.
@@ -1210,12 +1228,12 @@ setup step2.csk-roll2.autosign
# = now - 4464h + 3h = now - 4461h
TactN="now-4461h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 3:
# It is time to submit the DS and to roll signatures.
@@ -1259,18 +1277,18 @@ TretN1="now+186d"
TremN1="now+4634h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 4:
# Some time later all the ZRRSIG records should be from the new CSK, and the
@@ -1307,18 +1325,18 @@ TretN1="now+4426h"
TremN1="now+4429h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $R $TactN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $U $TretN -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $R $TactN1 -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 5:
# Some time later the DS can be swapped and the old DNSKEY can be removed from
@@ -1344,18 +1362,18 @@ TretN1="now+4294h"
TremN1="now+4360h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $O now-133h -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $H now-133h -d $U $TsbmN1 -D ds $TsbmN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -z $O now-133h -d $R $TsbmN1 -P ds $TsbmN1 "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 6:
# Some time later the predecessor DNSKEY enters the HIDDEN state.
@@ -1380,18 +1398,18 @@ TretN1="now+4292h"
TremN1="now+4358h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 7:
# The predecessor DNSKEY can be purged, but purge-keys is disabled.
@@ -1415,18 +1433,18 @@ TretN1="now+2134h"
TremN1="now+2200h"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
-CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TremN -z $H now-135h "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" >settime.out.$zone.2 2>&1
# Set key rollover relationship.
key_successor $CSK1 $CSK2
# Sign zone.
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Test #2375, the "three is a crowd" bug, where a new key is introduced but the
# previous rollover has not finished yet. In other words, we have a key KEY2
@@ -1453,18 +1471,18 @@ TremN1="now+1490h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN} -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
zsktimes="-P ${TactN} -A ${TactN}"
-KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
-ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.3)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.3 2>&1
+KSK1=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $newtimes $zone 2>keygen.out.$zone.2)
+ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.3)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $KSK1 $KSK2
# Sign zone.
-cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
+cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
diff --git a/bin/tests/system/kasp/ns4/setup.sh b/bin/tests/system/kasp/ns4/setup.sh
index 61b049d..c488bc4 100644
--- a/bin/tests/system/kasp/ns4/setup.sh
+++ b/bin/tests/system/kasp/ns4/setup.sh
@@ -20,13 +20,12 @@ echo_i "ns4/setup.sh"
# Set up zones that potentially will be initially signed.
#
for zn in inherit.inherit override.inherit none.inherit \
- inherit.override override.override none.override \
- inherit.none override.none none.none
-do
- zone="$zn.signed"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- cp template.db.in $zonefile
+ inherit.override override.override none.override \
+ inherit.none override.none none.none; do
+ zone="$zn.signed"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ cp template.db.in $zonefile
done
cp example1.db.in example1.db
diff --git a/bin/tests/system/kasp/ns5/setup.sh b/bin/tests/system/kasp/ns5/setup.sh
index 59c7a41..47d2870 100644
--- a/bin/tests/system/kasp/ns5/setup.sh
+++ b/bin/tests/system/kasp/ns5/setup.sh
@@ -20,11 +20,10 @@ echo_i "ns5/setup.sh"
# Set up zones that potentially will be initially signed.
#
for zn in inherit.inherit override.inherit none.inherit \
- inherit.override override.override none.override \
- inherit.none override.none none.none
-do
- zone="$zn.unsigned"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- cp template.db.in $zonefile
+ inherit.override override.override none.override \
+ inherit.none override.none none.none; do
+ zone="$zn.unsigned"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ cp template.db.in $zonefile
done
diff --git a/bin/tests/system/kasp/ns6/setup.sh b/bin/tests/system/kasp/ns6/setup.sh
index 6764f1b..1c2fd01 100644
--- a/bin/tests/system/kasp/ns6/setup.sh
+++ b/bin/tests/system/kasp/ns6/setup.sh
@@ -17,10 +17,10 @@
echo_i "ns6/setup.sh"
setup() {
- zone="$1"
- echo_i "setting up zone: $zone"
- zonefile="${zone}.db"
- infile="${zone}.db.infile"
+ zone="$1"
+ echo_i "setting up zone: $zone"
+ zonefile="${zone}.db"
+ infile="${zone}.db.infile"
}
# Make lines shorter by storing key states in environment variables.
@@ -31,57 +31,56 @@ U="UNRETENTIVE"
# The child zones (step1, step2) beneath these zones represent the various
# steps of unsigning a zone.
-for zn in going-insecure.kasp going-insecure-dynamic.kasp
-do
- # Step 1:
- # Set up a zone with dnssec-policy that is going insecure.
- setup step1.$zn
- echo "$zone" >> zones
- T="now-10d"
- ksktimes="-P $T -A $T -P sync $T"
- zsktimes="-P $T -A $T"
- KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
- ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
- cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
- cp $infile $zonefile
- $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+for zn in going-insecure.kasp going-insecure-dynamic.kasp; do
+ # Step 1:
+ # Set up a zone with dnssec-policy that is going insecure.
+ setup step1.$zn
+ echo "$zone" >>zones
+ T="now-10d"
+ ksktimes="-P $T -A $T -P sync $T"
+ zsktimes="-P $T -A $T"
+ KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2)
+ cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
- # Step 2:
- # Set up a zone with dnssec-policy that is going insecure. Don't add
- # this zone to the zones file, because this zone is no longer expected
- # to be fully signed.
- setup step2.$zn
- # The DS was withdrawn from the parent zone 26 hours ago.
- Trem="now-26h"
- ksktimes="-P $T -A $T -P sync $T"
- zsktimes="-P $T -A $T"
- KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
- ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
- $SETTIME -s -g $H -k $O $T -r $O $T -d $U $Trem -D ds $Trem "$KSK" > settime.out.$zone.1 2>&1
- $SETTIME -s -g $H -k $O $T -z $O $T "$ZSK" > settime.out.$zone.2 2>&1
- # Fake lifetime of old algorithm keys.
- echo "Lifetime: 0" >> "${KSK}.state"
- echo "Lifetime: 5184000" >> "${ZSK}.state"
- cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
- private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
- cp $infile $zonefile
- $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+ # Step 2:
+ # Set up a zone with dnssec-policy that is going insecure. Don't add
+ # this zone to the zones file, because this zone is no longer expected
+ # to be fully signed.
+ setup step2.$zn
+ # The DS was withdrawn from the parent zone 26 hours ago.
+ Trem="now-26h"
+ ksktimes="-P $T -A $T -P sync $T"
+ zsktimes="-P $T -A $T"
+ KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2>keygen.out.$zone.2)
+ $SETTIME -s -g $H -k $O $T -r $O $T -d $U $Trem -D ds $Trem "$KSK" >settime.out.$zone.1 2>&1
+ $SETTIME -s -g $H -k $O $T -z $O $T "$ZSK" >settime.out.$zone.2 2>&1
+ # Fake lifetime of old algorithm keys.
+ echo "Lifetime: 0" >>"${KSK}.state"
+ echo "Lifetime: 5184000" >>"${ZSK}.state"
+ cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >>"$infile"
+ private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >>"$infile"
+ cp $infile $zonefile
+ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
done
# This zone is going straight to "none" policy. This is undefined behavior.
setup step1.going-straight-to-none.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
TactN="now"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
-CSK=$($KEYGEN -k default $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >> "$infile"
+CSK=$($KEYGEN -k default $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN -r $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
#
# The zones at algorithm-roll.kasp represent the various steps of a ZSK/KSK
@@ -91,19 +90,19 @@ $SIGNER -S -z -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $in
# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.algorithm-roll.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
-KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
-ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
-cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
-private_type_record $zone 8 "$KSK" >> "$infile"
-private_type_record $zone 8 "$ZSK" >> "$infile"
+KSK=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksktimes $zone 2>keygen.out.$zone.1)
+ZSK=$($KEYGEN -a RSASHA256 -L 3600 $zsktimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN -z $O $TactN "$ZSK" >settime.out.$zone.2 2>&1
+cat template.db.in "${KSK}.key" "${ZSK}.key" >"$infile"
+private_type_record $zone 8 "$KSK" >>"$infile"
+private_type_record $zone 8 "$ZSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
@@ -118,24 +117,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
zsk1times="-P ${TactN} -A ${TactN} -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${KSK1}.state"
-echo "Lifetime: 0" >> "${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 8 "$KSK1" >> "$infile"
-private_type_record $zone 8 "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 3:
# The zone signatures are also OMNIPRESENT.
@@ -149,24 +148,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${KSK1}.state"
-echo "Lifetime: 0" >> "${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 8 "$KSK1" >> "$infile"
-private_type_record $zone 8 "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 4:
# The DS is swapped and can become OMNIPRESENT.
@@ -181,24 +180,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${KSK1}.state"
-echo "Lifetime: 0" >> "${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 8 "$KSK1" >> "$infile"
-private_type_record $zone 8 "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
@@ -214,24 +213,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${KSK1}.state"
-echo "Lifetime: 0" >> "${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 8 "$KSK1" >> "$infile"
-private_type_record $zone 8 "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
@@ -248,24 +247,24 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
-KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
-ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
-KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
-ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
-$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
-$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" > settime.out.$zone.4 2>&1
+KSK1=$($KEYGEN -a RSASHA256 -L 3600 -f KSK $ksk1times $zone 2>keygen.out.$zone.1)
+ZSK1=$($KEYGEN -a RSASHA256 -L 3600 $zsk1times $zone 2>keygen.out.$zone.2)
+KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2>keygen.out.$zone.3)
+ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2>keygen.out.$zone.4)
+$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" >settime.out.$zone.2 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" >settime.out.$zone.3 2>&1
+$SETTIME -s -g $O -k $O $TpubN1 -z $R $TpubN1 "$ZSK2" >settime.out.$zone.4 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${KSK1}.state"
-echo "Lifetime: 0" >> "${ZSK1}.state"
-cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
-private_type_record $zone 8 "$KSK1" >> "$infile"
-private_type_record $zone 8 "$ZSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
+echo "Lifetime: 0" >>"${KSK1}.state"
+echo "Lifetime: 0" >>"${ZSK1}.state"
+cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" >"$infile"
+private_type_record $zone 8 "$KSK1" >>"$infile"
+private_type_record $zone 8 "$ZSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
#
# The zones at csk-algorithm-roll.kasp represent the various steps of a CSK
@@ -275,15 +274,15 @@ $SIGNER -S -x -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infil
# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.csk-algorithm-roll.kasp
-echo "$zone" >> zones
+echo "$zone" >>zones
TactN="now"
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
-CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
-$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" > settime.out.$zone.1 2>&1
-cat template.db.in "${CSK}.key" > "$infile"
-private_type_record $zone 5 "$CSK" >> "$infile"
+CSK=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+$SETTIME -s -g $O -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK" >settime.out.$zone.1 2>&1
+cat template.db.in "${CSK}.key" >"$infile"
+private_type_record $zone 5 "$CSK" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 2:
# After the publication interval has passed the DNSKEY is OMNIPRESENT.
@@ -293,17 +292,17 @@ TactN="now-3h"
TpubN1="now-3h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone 5 "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 3:
# The zone signatures are also OMNIPRESENT.
@@ -315,17 +314,17 @@ TpubN1="now-9h"
TactN1="now-6h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $O $TactN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2" >settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone 5 "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 4:
# The DS is swapped and can become OMNIPRESENT.
@@ -338,17 +337,17 @@ TactN1="now-35h"
TsubN1="now-29h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $O $TactN -r $O $TactN -z $O $TactN -d $U $TactN1 -D ds $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds $TsubN1 "$CSK2" >settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone 5 "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 5:
# The DNSKEY is removed long enough to be HIDDEN.
@@ -362,17 +361,17 @@ TactN1="now-37h"
TsubN1="now-31h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $U $TremN -r $U $TremN -z $U $TremN -d $H $TremN "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2" >settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone 5 "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
# Step 6:
# The RRSIGs have been removed long enough to be HIDDEN.
@@ -387,22 +386,22 @@ TactN1="now-44h"
TsubN1="now-38h"
csktimes="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
newtimes="-P ${TpubN1} -A ${TpubN1}"
-CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2> keygen.out.$zone.1)
-CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2> keygen.out.$zone.2)
-$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" > settime.out.$zone.1 2>&1
-$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" > settime.out.$zone.2 2>&1
+CSK1=$($KEYGEN -k csk-algoroll -l policies/csk1.conf $csktimes $zone 2>keygen.out.$zone.1)
+CSK2=$($KEYGEN -k csk-algoroll -l policies/csk2.conf $newtimes $zone 2>keygen.out.$zone.2)
+$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -z $U $TdeaN -d $H $TactN1 "$CSK1" >settime.out.$zone.1 2>&1
+$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2" >settime.out.$zone.2 2>&1
# Fake lifetime of old algorithm keys.
-echo "Lifetime: 0" >> "${CSK1}.state"
-cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
-private_type_record $zone 5 "$CSK1" >> "$infile"
-private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
+echo "Lifetime: 0" >>"${CSK1}.state"
+cat template.db.in "${CSK1}.key" "${CSK2}.key" >"$infile"
+private_type_record $zone 5 "$CSK1" >>"$infile"
+private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >>"$infile"
cp $infile $zonefile
-$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile > signer.out.$zone.1 2>&1
+$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O raw -f "${zonefile}.signed" $infile >signer.out.$zone.1 2>&1
#
# Reload testing
#
-echo "example" >> zones
+echo "example" >>zones
cp example.db.in example.db
setup "dynamic2inline.kasp"
diff --git a/bin/tests/system/kasp/setup.sh b/bin/tests/system/kasp/setup.sh
index 67cfa92..1d11ba9 100644
--- a/bin/tests/system/kasp/setup.sh
+++ b/bin/tests/system/kasp/setup.sh
@@ -19,62 +19,60 @@ set -e
$SHELL clean.sh
mkdir keys
+mkdir ns3/keys
copy_setports ns2/named.conf.in ns2/named.conf
-if ! $SHELL ../testcrypto.sh -q RSASHA1
-then
- copy_setports ns3/named-fips.conf.in ns3/named.conf
+if ! $SHELL ../testcrypto.sh -q RSASHA1; then
+ copy_setports ns3/named-fips.conf.in ns3/named.conf
else
- copy_setports ns3/named-fips.conf.in ns3/named-fips.conf
- copy_setports ns3/named.conf.in ns3/named.conf
+ copy_setports ns3/named-fips.conf.in ns3/named-fips.conf
+ copy_setports ns3/named.conf.in ns3/named.conf
fi
copy_setports ns4/named.conf.in ns4/named.conf
copy_setports ns5/named.conf.in ns5/named.conf
copy_setports ns6/named.conf.in ns6/named.conf
if $SHELL ../testcrypto.sh ed25519; then
- echo "yes" > ed25519-supported.file
+ echo "yes" >ed25519-supported.file
fi
if $SHELL ../testcrypto.sh ed448; then
- echo "yes" > ed448-supported.file
+ echo "yes" >ed448-supported.file
fi
copy_setports ns3/policies/autosign.conf.in ns3/policies/autosign.conf
copy_setports ns3/policies/kasp-fips.conf.in ns3/policies/kasp-fips.conf
copy_setports ns3/policies/kasp.conf.in ns3/policies/kasp.conf
-if ! $SHELL ../testcrypto.sh -q RSASHA1
-then
- cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf
+if ! $SHELL ../testcrypto.sh -q RSASHA1; then
+ cp ns3/policies/kasp-fips.conf ns3/policies/kasp.conf
fi
copy_setports ns6/policies/csk1.conf.in ns6/policies/csk1.conf
copy_setports ns6/policies/csk2.conf.in ns6/policies/csk2.conf
copy_setports ns6/policies/kasp-fips.conf.in ns6/policies/kasp-fips.conf
copy_setports ns6/policies/kasp.conf.in ns6/policies/kasp.conf
-if ! $SHELL ../testcrypto.sh -q RSASHA1
-then
- cp ns6/policies/kasp-fips.conf ns6/policies/kasp.conf
+if ! $SHELL ../testcrypto.sh -q RSASHA1; then
+ cp ns6/policies/kasp-fips.conf ns6/policies/kasp.conf
fi
# Setup zones
(
- cd ns2
- $SHELL setup.sh
+ cd ns2
+ $SHELL setup.sh
)
(
- cd ns3
- $SHELL setup.sh
+ cd ns3
+ $SHELL setup.sh
)
(
- cd ns4
- $SHELL setup.sh
+ cd ns4
+ $SHELL setup.sh
)
(
- cd ns5
- $SHELL setup.sh
+ cd ns5
+ $SHELL setup.sh
)
(
- cd ns6
- $SHELL setup.sh
+ cd ns6
+ $SHELL setup.sh
)
diff --git a/bin/tests/system/kasp/tests.sh b/bin/tests/system/kasp/tests.sh
index ddbbd32..611c717 100644
--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -29,22 +29,22 @@ n=0
# Call dig with default options.
dig_with_opts() {
- if [ -n "$TSIG" ]; then
- "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@"
- else
- "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
- fi
+ if [ -n "$TSIG" ]; then
+ "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" -y "$TSIG" "$@"
+ else
+ "$DIG" +tcp +noadd +nosea +nostat +nocmd +dnssec -p "$PORT" "$@"
+ fi
}
# RNDC.
rndccmd() {
- "$RNDC" -c ../common/rndc.conf -p "$CONTROLPORT" -s "$@"
+ "$RNDC" -c ../_common/rndc.conf -p "$CONTROLPORT" -s "$@"
}
# Log error and increment failure rate.
log_error() {
- echo_i "error: $1"
- ret=$((ret+1))
+ echo_i "error: $1"
+ ret=$((ret + 1))
}
# Default next key event threshold. May be extended by wait periods.
@@ -61,93 +61,93 @@ set_zone "kasp"
set_policy "kasp" "4" "200"
set_server "keys" "10.53.0.1"
-n=$((n+1))
+n=$((n + 1))
echo_i "check that 'dnssec-keygen -k' (configured policy) creates valid files ($n)"
ret=0
-$KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1
-lines=$(wc -l < "keygen.out.$POLICY.test$n")
+$KEYGEN -K keys -k "$POLICY" -l kasp.conf "$ZONE" >"keygen.out.$POLICY.test$n" 2>/dev/null || ret=1
+lines=$(wc -l <"keygen.out.$POLICY.test$n")
test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy kasp: $lines"
# Temporarily don't log errors because we are searching multiple files.
disable_logerror
# Key properties.
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "31536000"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "31536000"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
-set_keyrole "KEY2" "ksk"
-set_keylifetime "KEY2" "31536000"
+set_keyrole "KEY2" "ksk"
+set_keylifetime "KEY2" "31536000"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keysigning "KEY2" "yes"
-set_zonesigning "KEY2" "no"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "no"
-set_keyrole "KEY3" "zsk"
-set_keylifetime "KEY3" "2592000"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "2592000"
set_keyalgorithm "KEY3" "8" "RSASHA256" "2048"
-set_keysigning "KEY3" "no"
-set_zonesigning "KEY3" "yes"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "yes"
-set_keyrole "KEY4" "zsk"
-set_keylifetime "KEY4" "16070400"
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "16070400"
set_keyalgorithm "KEY4" "8" "RSASHA256" "3072"
-set_keysigning "KEY4" "no"
-set_zonesigning "KEY4" "yes"
+set_keysigning "KEY4" "no"
+set_zonesigning "KEY4" "yes"
lines=$(get_keyids "$DIR" "$ZONE" | wc -l)
test "$lines" -eq $NUM_KEYS || log_error "bad number of key ids"
ids=$(get_keyids "$DIR" "$ZONE")
for id in $ids; do
- # There are four key files with the same algorithm.
- # Check them until a match is found.
- ret=0 && check_key "KEY1" "$id"
- test "$ret" -eq 0 && continue
+ # There are four key files with the same algorithm.
+ # Check them until a match is found.
+ ret=0 && check_key "KEY1" "$id"
+ test "$ret" -eq 0 && continue
- ret=0 && check_key "KEY2" "$id"
- test "$ret" -eq 0 && continue
+ ret=0 && check_key "KEY2" "$id"
+ test "$ret" -eq 0 && continue
- ret=0 && check_key "KEY3" "$id"
- test "$ret" -eq 0 && continue
+ ret=0 && check_key "KEY3" "$id"
+ test "$ret" -eq 0 && continue
- ret=0 && check_key "KEY4" "$id"
+ ret=0 && check_key "KEY4" "$id"
- # If ret is still non-zero, non of the files matched.
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ # If ret is still non-zero, non of the files matched.
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
done
# Turn error logs on again.
enable_logerror
-n=$((n+1))
+n=$((n + 1))
echo_i "check that 'dnssec-keygen -k' (default policy) creates valid files ($n)"
ret=0
set_zone "kasp"
set_policy "default" "1" "3600"
set_server "." "10.53.0.1"
# Key properties.
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"
-$KEYGEN -G -k "$POLICY" "$ZONE" > "keygen.out.$POLICY.test$n" 2>/dev/null || ret=1
-lines=$(wc -l < "keygen.out.$POLICY.test$n")
+$KEYGEN -G -k "$POLICY" "$ZONE" >"keygen.out.$POLICY.test$n" 2>/dev/null || ret=1
+lines=$(wc -l <"keygen.out.$POLICY.test$n")
test "$lines" -eq $NUM_KEYS || log_error "wrong number of keys created for policy default: $lines"
ids=$(get_keyids "$DIR" "$ZONE")
for id in $ids; do
- check_key "KEY1" "$id"
- test "$ret" -eq 0 && key_save KEY1
- check_keytimes
+ check_key "KEY1" "$id"
+ test "$ret" -eq 0 && key_save KEY1
+ check_keytimes
done
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# dnssec-settime
@@ -156,69 +156,69 @@ status=$((status+ret))
# These test builds upon the latest created key with dnssec-keygen and uses the
# environment variables BASE_FILE, KEY_FILE, PRIVATE_FILE and STATE_FILE.
CMP_FILE="${BASE_FILE}.cmp"
-n=$((n+1))
+n=$((n + 1))
echo_i "check that 'dnssec-settime' by default does not edit key state file ($n)"
ret=0
cp "$STATE_FILE" "$CMP_FILE"
-$SETTIME -P +3600 "$BASE_FILE" > /dev/null || log_error "settime failed"
-grep "; Publish: " "$KEY_FILE" > /dev/null || log_error "mismatch published in $KEY_FILE"
-grep "Publish: " "$PRIVATE_FILE" > /dev/null || log_error "mismatch published in $PRIVATE_FILE"
+$SETTIME -P +3600 "$BASE_FILE" >/dev/null || log_error "settime failed"
+grep "; Publish: " "$KEY_FILE" >/dev/null || log_error "mismatch published in $KEY_FILE"
+grep "Publish: " "$PRIVATE_FILE" >/dev/null || log_error "mismatch published in $PRIVATE_FILE"
diff "$CMP_FILE" "$STATE_FILE" || log_error "unexpected file change in $STATE_FILE"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "check that 'dnssec-settime -s' also sets publish time metadata and states in key state file ($n)"
ret=0
cp "$STATE_FILE" "$CMP_FILE"
now=$(date +%Y%m%d%H%M%S)
-$SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
-set_keystate "KEY1" "GOAL" "omnipresent"
+$SETTIME -s -P "$now" -g "omnipresent" -k "rumoured" "$now" -z "omnipresent" "$now" -r "rumoured" "$now" -d "hidden" "$now" "$BASE_FILE" >/dev/null || log_error "settime failed"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DS" "hidden"
check_key "KEY1" "$id"
test "$ret" -eq 0 && key_save KEY1
-set_keytime "KEY1" "PUBLISHED" "${now}"
+set_keytime "KEY1" "PUBLISHED" "${now}"
check_keytimes
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "check that 'dnssec-settime -s' also unsets publish time metadata and states in key state file ($n)"
ret=0
cp "$STATE_FILE" "$CMP_FILE"
-$SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
-set_keystate "KEY1" "GOAL" "none"
+$SETTIME -s -P "none" -g "none" -k "none" "$now" -z "none" "$now" -r "none" "$now" -d "none" "$now" "$BASE_FILE" >/dev/null || log_error "settime failed"
+set_keystate "KEY1" "GOAL" "none"
set_keystate "KEY1" "STATE_DNSKEY" "none"
set_keystate "KEY1" "STATE_KRRSIG" "none"
set_keystate "KEY1" "STATE_ZRRSIG" "none"
-set_keystate "KEY1" "STATE_DS" "none"
+set_keystate "KEY1" "STATE_DS" "none"
check_key "KEY1" "$id"
test "$ret" -eq 0 && key_save KEY1
-set_keytime "KEY1" "PUBLISHED" "none"
+set_keytime "KEY1" "PUBLISHED" "none"
check_keytimes
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "check that 'dnssec-settime -s' also sets active time metadata and states in key state file (uppercase) ($n)"
ret=0
cp "$STATE_FILE" "$CMP_FILE"
now=$(date +%Y%m%d%H%M%S)
-$SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" > /dev/null || log_error "settime failed"
-set_keystate "KEY1" "GOAL" "hidden"
+$SETTIME -s -A "$now" -g "HIDDEN" -k "UNRETENTIVE" "$now" -z "UNRETENTIVE" "$now" -r "OMNIPRESENT" "$now" -d "OMNIPRESENT" "$now" "$BASE_FILE" >/dev/null || log_error "settime failed"
+set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
check_key "KEY1" "$id"
test "$ret" -eq 0 && key_save KEY1
-set_keytime "KEY1" "ACTIVE" "${now}"
+set_keytime "KEY1" "ACTIVE" "${now}"
check_keytimes
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# named
@@ -228,53 +228,51 @@ status=$((status+ret))
# added as part of the last step in signing a zone. We wait for the
# NSEC records to appear before proceeding with a counter to prevent
# infinite loops if there is an error.
-n=$((n+1))
+n=$((n + 1))
echo_i "waiting for kasp signing changes to take effect ($n)"
_wait_for_done_apexnsec() {
- while read -r zone
- do
- dig_with_opts "$zone" @10.53.0.3 nsec > "dig.out.ns3.test$n.$zone" || return 1
- grep "NS SOA" "dig.out.ns3.test$n.$zone" > /dev/null || return 1
- grep "$zone\..*IN.*RRSIG" "dig.out.ns3.test$n.$zone" > /dev/null || return 1
- done < ns3/zones
-
- while read -r zone
- do
- dig_with_opts "$zone" @10.53.0.6 nsec > "dig.out.ns6.test$n.$zone" || return 1
- grep "NS SOA" "dig.out.ns6.test$n.$zone" > /dev/null || return 1
- grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" > /dev/null || return 1
- done < ns6/zones
-
- return 0
+ while read -r zone; do
+ dig_with_opts "$zone" @10.53.0.3 nsec >"dig.out.ns3.test$n.$zone" || return 1
+ grep "NS SOA" "dig.out.ns3.test$n.$zone" >/dev/null || return 1
+ grep "$zone\..*IN.*RRSIG" "dig.out.ns3.test$n.$zone" >/dev/null || return 1
+ done <ns3/zones
+
+ while read -r zone; do
+ dig_with_opts "$zone" @10.53.0.6 nsec >"dig.out.ns6.test$n.$zone" || return 1
+ grep "NS SOA" "dig.out.ns6.test$n.$zone" >/dev/null || return 1
+ grep "$zone\..*IN.*RRSIG" "dig.out.ns6.test$n.$zone" >/dev/null || return 1
+ done <ns6/zones
+
+ return 0
}
retry_quiet 30 _wait_for_done_apexnsec || ret=1
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Test max-zone-ttl rejects zones with too high TTL.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that max-zone-ttl rejects zones with too high TTL ($n)"
ret=0
set_zone "max-zone-ttl.kasp"
-grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" > /dev/null || ret=1
+grep "loading from master file ${ZONE}.db failed: out of range" "ns3/named.run" >/dev/null || ret=1
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Zone: default.kasp.
#
set_keytimes_csk_policy() {
- # The first key is immediately published and activated.
- created=$(key_get KEY1 CREATED)
- set_keytime "KEY1" "PUBLISHED" "${created}"
- set_keytime "KEY1" "ACTIVE" "${created}"
- # The DS can be published if the DNSKEY and RRSIG records are
- # OMNIPRESENT. This happens after max-zone-ttl (1d) plus
- # publish-safety (1h) plus zone-propagation-delay (300s) =
- # 86400 + 3600 + 300 = 90300.
- set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300
- # Key lifetime is unlimited, so not setting RETIRED and REMOVED.
+ # The first key is immediately published and activated.
+ created=$(key_get KEY1 CREATED)
+ set_keytime "KEY1" "PUBLISHED" "${created}"
+ set_keytime "KEY1" "ACTIVE" "${created}"
+ # The DS can be published if the DNSKEY and RRSIG records are
+ # OMNIPRESENT. This happens after max-zone-ttl (1d) plus
+ # publish-safety (1h) plus zone-propagation-delay (300s) =
+ # 86400 + 3600 + 300 = 90300.
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 90300
+ # Key lifetime is unlimited, so not setting RETIRED and REMOVED.
}
# Check the zone with default kasp policy has loaded and is signed.
@@ -282,17 +280,17 @@ set_zone "default.kasp"
set_policy "default" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties.
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DS" "hidden"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
@@ -304,7 +302,7 @@ dnssec_verify
# Trigger a keymgr run. Make sure the key files are not touched if there are
# no modifications to the key metadata.
-n=$((n+1))
+n=$((n + 1))
echo_i "make sure key files are untouched if metadata does not change ($n)"
ret=0
basefile=$(key_get KEY1 BASEFILE)
@@ -312,8 +310,8 @@ privkey_stat=$(key_get KEY1 PRIVKEY_STAT)
pubkey_stat=$(key_get KEY1 PUBKEY_STAT)
state_stat=$(key_get KEY1 STATE_STAT)
-nextpart $DIR/named.run > /dev/null
-rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
+nextpart $DIR/named.run >/dev/null
+rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run
privkey_stat2=$(key_stat "${basefile}.private")
pubkey_stat2=$(key_stat "${basefile}.key")
@@ -322,14 +320,14 @@ test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file sta
test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)"
test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "again ($n)"
ret=0
-nextpart $DIR/named.run > /dev/null
-rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
+nextpart $DIR/named.run >/dev/null
+rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
wait_for_log 3 "keymgr: $ZONE done" $DIR/named.run
privkey_stat2=$(key_stat "${basefile}.private")
pubkey_stat2=$(key_stat "${basefile}.key")
@@ -338,41 +336,41 @@ test "$privkey_stat" = "$privkey_stat2" || log_error "wrong private key file sta
test "$pubkey_stat" = "$pubkey_stat2" || log_error "wrong public key file stat (expected $pubkey_stat got $pubkey_stat2)"
test "$state_stat" = "$state_stat2" || log_error "wrong state file stat (expected $state_stat got $state_stat2)"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Update zone.
-n=$((n+1))
+n=$((n + 1))
echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)"
ret=0
cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db"
-rndccmd 10.53.0.3 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed"
+rndccmd 10.53.0.3 reload "$ZONE" >/dev/null || log_error "rndc reload zone ${ZONE} failed"
update_is_signed() {
- ip_a=$1
- ip_d=$2
-
- if [ "$ip_a" != "-" ]; then
- dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1
- grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1
- grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_a}" "dig.out.$DIR.test$n.a" > /dev/null || return 1
- lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.a" | wc -l)
- test "$lines" -eq 1 || return 1
- get_keys_which_signed A "dig.out.$DIR.test$n.a" | grep "^${KEY_ID}$" > /dev/null || return 1
- fi
-
- if [ "$ip_d" != "-" ]; then
- dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n".d || return 1
- grep "status: NOERROR" "dig.out.$DIR.test$n".d > /dev/null || return 1
- grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_d}" "dig.out.$DIR.test$n".d > /dev/null || return 1
- lines=$(get_keys_which_signed A "dig.out.$DIR.test$n".d | wc -l)
- test "$lines" -eq 1 || return 1
- get_keys_which_signed A "dig.out.$DIR.test$n".d | grep "^${KEY_ID}$" > /dev/null || return 1
- fi
+ ip_a=$1
+ ip_d=$2
+
+ if [ "$ip_a" != "-" ]; then
+ dig_with_opts "a.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.a" || return 1
+ grep "status: NOERROR" "dig.out.$DIR.test$n.a" >/dev/null || return 1
+ grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_a}" "dig.out.$DIR.test$n.a" >/dev/null || return 1
+ lines=$(get_keys_which_signed A "dig.out.$DIR.test$n.a" | wc -l)
+ test "$lines" -eq 1 || return 1
+ get_keys_which_signed A "dig.out.$DIR.test$n.a" | grep "^${KEY_ID}$" >/dev/null || return 1
+ fi
+
+ if [ "$ip_d" != "-" ]; then
+ dig_with_opts "d.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n".d || return 1
+ grep "status: NOERROR" "dig.out.$DIR.test$n".d >/dev/null || return 1
+ grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*${ip_d}" "dig.out.$DIR.test$n".d >/dev/null || return 1
+ lines=$(get_keys_which_signed A "dig.out.$DIR.test$n".d | wc -l)
+ test "$lines" -eq 1 || return 1
+ get_keys_which_signed A "dig.out.$DIR.test$n".d | grep "^${KEY_ID}$" >/dev/null || return 1
+ fi
}
retry_quiet 10 update_is_signed "10.0.0.11" "10.0.0.44" || ret=1
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Move the private key file, a rekey event should not introduce replacement
# keys.
@@ -380,11 +378,11 @@ ret=0
echo_i "test that if private key files are inaccessible this doesn't trigger a rollover ($n)"
basefile=$(key_get KEY1 BASEFILE)
mv "${basefile}.private" "${basefile}.offline"
-rndccmd 10.53.0.3 loadkeys "$ZONE" > /dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
+rndccmd 10.53.0.3 loadkeys "$ZONE" >/dev/null || log_error "rndc loadkeys zone ${ZONE} failed"
wait_for_log 3 "offline, policy default" $DIR/named.run || ret=1
mv "${basefile}.offline" "${basefile}.private"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Nothing has changed.
check_keys
@@ -396,6 +394,16 @@ check_subdomain
dnssec_verify
#
+# A zone with special characters.
+#
+set_zone "i-am.\":\;?&[]\@!\$*+,|=\.\(\)special.kasp."
+set_policy "default" "1" "3600"
+set_server "ns3" "10.53.0.3"
+# It is non-trivial to adapt the tests to deal with all possible different
+# escaping characters, so we will just try to verify the zone.
+dnssec_verify
+
+#
# Zone: dynamic.kasp
#
set_zone "dynamic.kasp"
@@ -412,51 +420,51 @@ check_subdomain
dnssec_verify
# Update zone with nsupdate.
-n=$((n+1))
+n=$((n + 1))
echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)"
ret=0
(
-echo zone ${ZONE}
-echo server 10.53.0.3 "$PORT"
-echo update del "a.${ZONE}" 300 A 10.0.0.1
-echo update add "a.${ZONE}" 300 A 10.0.0.101
-echo update add "d.${ZONE}" 300 A 10.0.0.4
-echo send
+ echo zone ${ZONE}
+ echo server 10.53.0.3 "$PORT"
+ echo update del "a.${ZONE}" 300 A 10.0.0.1
+ echo update add "a.${ZONE}" 300 A 10.0.0.101
+ echo update add "d.${ZONE}" 300 A 10.0.0.4
+ echo send
) | $NSUPDATE
retry_quiet 10 update_is_signed "10.0.0.101" "10.0.0.4" || ret=1
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Update zone with nsupdate (reverting the above change).
-n=$((n+1))
+n=$((n + 1))
echo_i "nsupdate zone and check that new record is signed for zone ${ZONE} ($n)"
ret=0
(
-echo zone ${ZONE}
-echo server 10.53.0.3 "$PORT"
-echo update add "a.${ZONE}" 300 A 10.0.0.1
-echo update del "a.${ZONE}" 300 A 10.0.0.101
-echo update del "d.${ZONE}" 300 A 10.0.0.4
-echo send
+ echo zone ${ZONE}
+ echo server 10.53.0.3 "$PORT"
+ echo update add "a.${ZONE}" 300 A 10.0.0.1
+ echo update del "a.${ZONE}" 300 A 10.0.0.101
+ echo update del "d.${ZONE}" 300 A 10.0.0.4
+ echo send
) | $NSUPDATE
retry_quiet 10 update_is_signed "10.0.0.1" "-" || ret=1
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Update zone with freeze/thaw.
-n=$((n+1))
+n=$((n + 1))
echo_i "modify zone file and check that new record is signed for zone ${ZONE} ($n)"
ret=0
-rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed"
+rndccmd 10.53.0.3 freeze "$ZONE" >/dev/null || log_error "rndc freeze zone ${ZONE} failed"
sleep 1
-echo "d.${ZONE}. 300 A 10.0.0.44" >> "${DIR}/${ZONE}.db"
-rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed"
+echo "d.${ZONE}. 300 A 10.0.0.44" >>"${DIR}/${ZONE}.db"
+rndccmd 10.53.0.3 thaw "$ZONE" >/dev/null || log_error "rndc thaw zone ${ZONE} failed"
retry_quiet 10 update_is_signed "10.0.0.1" "10.0.0.44" || ret=1
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Zone: dynamic-inline-signing.kasp
@@ -475,17 +483,34 @@ check_subdomain
dnssec_verify
# Update zone with freeze/thaw.
-n=$((n+1))
+n=$((n + 1))
echo_i "modify unsigned zone file and check that new record is signed for zone ${ZONE} ($n)"
ret=0
-rndccmd 10.53.0.3 freeze "$ZONE" > /dev/null || log_error "rndc freeze zone ${ZONE} failed"
+rndccmd 10.53.0.3 freeze "$ZONE" >/dev/null || log_error "rndc freeze zone ${ZONE} failed"
sleep 1
cp "${DIR}/template2.db.in" "${DIR}/${ZONE}.db"
-rndccmd 10.53.0.3 thaw "$ZONE" > /dev/null || log_error "rndc thaw zone ${ZONE} failed"
+rndccmd 10.53.0.3 thaw "$ZONE" >/dev/null || log_error "rndc thaw zone ${ZONE} failed"
retry_quiet 10 update_is_signed || ret=1
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
+
+#
+# Zone: dynamic-signed-inline-signing.kasp
+#
+set_zone "dynamic-signed-inline-signing.kasp"
+set_dynamic
+set_policy "default" "1" "3600"
+set_server "ns3" "10.53.0.3"
+dnssec_verify
+# Ensure no zone_resigninc for the unsigned version of the zone is triggered.
+n=$((n + 1))
+echo_i "check if resigning the raw version of the zone is prevented for zone ${ZONE} ($n)"
+ret=0
+grep "zone_resigninc: zone $ZONE/IN (unsigned): enter" $DIR/named.run && ret=1
+grep "error reading K$ZONE" $DIR/named.run && ret=1
+test "$ret" -eq 0 || echo_i "failed"
+status=$((status + ret))
#
# Zone: inline-signing.kasp
@@ -514,24 +539,24 @@ set_zone "checkds-ksk.kasp"
set_policy "checkds-ksk" "2" "303"
set_server "ns3" "10.53.0.3"
# Key properties.
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "0"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "0"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DS" "hidden"
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
@@ -544,33 +569,33 @@ dnssec_verify
basefile=$(key_get KEY1 BASEFILE)
_wait_for_metadata() {
- _expr=$1
- _file=$2
- grep "$_expr" $_file > /dev/null || return 1
- return 0
+ _expr=$1
+ _file=$2
+ grep "$_expr" $_file >/dev/null || return 1
+ return 0
}
-n=$((n+1))
+n=$((n + 1))
echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
now=$(date +%Y%m%d%H%M%S)
rndc_checkds "$SERVER" "$DIR" "-" "$now" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: $now" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
# DS State should be forced into RUMOURED.
-set_keystate "KEY1" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
check_keys
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
now=$(date +%Y%m%d%H%M%S)
rndc_checkds "$SERVER" "$DIR" "-" "$now" "withdrawn" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSRemoved: $now" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
# DS State should be forced into UNRETENTIVE.
-set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY1" "STATE_DS" "unretentive"
check_keys
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Zone: checkds-doubleksk.kasp.
@@ -584,35 +609,35 @@ set_zone "checkds-doubleksk.kasp"
set_policy "checkds-doubleksk" "3" "303"
set_server "ns3" "10.53.0.3"
# Key properties.
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "0"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
-set_keyrole "KEY2" "ksk"
-set_keylifetime "KEY2" "0"
+set_keyrole "KEY2" "ksk"
+set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY2" "yes"
-set_zonesigning "KEY2" "no"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "no"
-set_keyrole "KEY3" "zsk"
-set_keylifetime "KEY3" "0"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY3" "no"
-set_zonesigning "KEY3" "yes"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DS" "hidden"
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY2" "STATE_DS" "hidden"
+set_keystate "KEY2" "STATE_DS" "hidden"
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
@@ -625,53 +650,53 @@ dnssec_verify
basefile1=$(key_get KEY1 BASEFILE)
basefile2=$(key_get KEY2 BASEFILE)
-n=$((n+1))
+n=$((n + 1))
echo_i "checkds published does not set DSPublish for zone $ZONE (multiple KSK) ($n)"
rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "published" "$ZONE"
-grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
-grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
+grep "DSPublish:" "${basefile1}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
+grep "DSPublish:" "${basefile2}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (multiple KSK) ($n)"
rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "withdrawn" "$ZONE"
-grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}"
-grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}"
+grep "DSRemoved:" "${basefile1}.state" >/dev/null && log_error "DSRemoved incorrectly set in ${basefile1}"
+grep "DSRemoved:" "${basefile2}.state" >/dev/null && log_error "DSRemoved incorrectly set in ${basefile2}"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "checkds published does not set DSPublish for zone $ZONE (wrong algorithm) ($n)"
-rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg 8 "published" "$ZONE" > rndc.dnssec.checkds.out.$ZONE.$n
-grep "DSPublish:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
-grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
+rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg 8 "published" "$ZONE" >rndc.dnssec.checkds.out.$ZONE.$n
+grep "DSPublish:" "${basefile1}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
+grep "DSPublish:" "${basefile2}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "checkds withdrawn does not set DSRemoved for zone $ZONE (wrong algorithm) ($n)"
-rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg RSASHA256 "withdrawn" "$ZONE" > rndc.dnssec.checkds.out.$ZONE.$n
-grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile1}"
-grep "DSRemoved:" "${basefile2}.state" > /dev/null && log_error "DSRemoved incorrectly set in ${basefile2}"
+rndccmd "$SERVER" dnssec -checkds -key $(key_get KEY1 ID) -alg RSASHA256 "withdrawn" "$ZONE" >rndc.dnssec.checkds.out.$ZONE.$n
+grep "DSRemoved:" "${basefile1}.state" >/dev/null && log_error "DSRemoved incorrectly set in ${basefile1}"
+grep "DSRemoved:" "${basefile2}.state" >/dev/null && log_error "DSRemoved incorrectly set in ${basefile2}"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "checkds published -key correctly sets DSPublish for key $(key_get KEY1 ID) zone $ZONE (multiple KSK) ($n)"
rndc_checkds "$SERVER" "$DIR" KEY1 "20190102121314" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile1}.state" || log_error "bad DSPublish in ${basefile1}.state"
-grep "DSPublish:" "${basefile2}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
+grep "DSPublish:" "${basefile2}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile2}"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "checkds withdrawn -key correctly sets DSRemoved for key $(key_get KEY2 ID) zone $ZONE (multiple KSK) ($n)"
rndc_checkds "$SERVER" "$DIR" KEY2 "20200102121314" "withdrawn" "$ZONE"
-grep "DSRemoved:" "${basefile1}.state" > /dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
+grep "DSRemoved:" "${basefile1}.state" >/dev/null && log_error "DSPublish incorrectly set in ${basefile1}"
retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile2}.state" || log_error "bad DSRemoved in ${basefile2}.state"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Zone: checkds-csk.kasp.
@@ -685,17 +710,17 @@ set_zone "checkds-csk.kasp"
set_policy "checkds-csk" "1" "303"
set_server "ns3" "10.53.0.3"
# Key properties.
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DS" "hidden"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
@@ -705,147 +730,146 @@ dnssec_verify
basefile=$(key_get KEY1 BASEFILE)
-n=$((n+1))
+n=$((n + 1))
echo_i "checkds publish correctly sets DSPublish for zone $ZONE ($n)"
rndc_checkds "$SERVER" "$DIR" "-" "20190102121314" "published" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSPublish: 20190102121314" "${basefile}.state" || log_error "bad DSPublish in ${basefile}.state"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "checkds withdraw correctly sets DSRemoved for zone $ZONE ($n)"
rndc_checkds "$SERVER" "$DIR" "-" "20200102121314" "withdrawn" "$ZONE"
retry_quiet 3 _wait_for_metadata "DSRemoved: 20200102121314" "${basefile}.state" || log_error "bad DSRemoved in ${basefile}.state"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Set keytimes for dnssec-policy with various algorithms.
# These all use the same time values.
set_keytimes_algorithm_policy() {
- # The first KSK is immediately published and activated.
- created=$(key_get KEY1 CREATED)
- set_keytime "KEY1" "PUBLISHED" "${created}"
- set_keytime "KEY1" "ACTIVE" "${created}"
- # Key was pregenerated.
- if [ "$1" = "pregenerated" ]; then
- keyfile=$(key_get KEY1 BASEFILE)
- grep "; Publish:" "${keyfile}.key" > published.test${n}.key1
- published=$(awk '{print $3}' < published.test${n}.key1)
- set_keytime "KEY1" "PUBLISHED" "${published}"
- set_keytime "KEY1" "ACTIVE" "${published}"
- fi
- published=$(key_get KEY1 PUBLISHED)
-
- # The DS can be published if the DNSKEY and RRSIG records are
- # OMNIPRESENT. This happens after max-zone-ttl (1d) plus
- # publish-safety (1h) plus zone-propagation-delay (300s) =
- # 86400 + 3600 + 300 = 90300.
- set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
- # Key lifetime is 10 years, 315360000 seconds.
- set_addkeytime "KEY1" "RETIRED" "${published}" 315360000
- # The key is removed after the retire time plus DS TTL (1d),
- # parent propagation delay (1h), and retire safety (1h) =
- # 86400 + 3600 + 3600 = 93600.
- retired=$(key_get KEY1 RETIRED)
- set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
-
- # The first ZSKs are immediately published and activated.
- created=$(key_get KEY2 CREATED)
- set_keytime "KEY2" "PUBLISHED" "${created}"
- set_keytime "KEY2" "ACTIVE" "${created}"
- # Key was pregenerated.
- if [ "$1" = "pregenerated" ]; then
- keyfile=$(key_get KEY2 BASEFILE)
- grep "; Publish:" "${keyfile}.key" > published.test${n}.key2
- published=$(awk '{print $3}' < published.test${n}.key2)
- set_keytime "KEY2" "PUBLISHED" "${published}"
- set_keytime "KEY2" "ACTIVE" "${published}"
- fi
- published=$(key_get KEY2 PUBLISHED)
-
- # Key lifetime for KSK2 is 5 years, 157680000 seconds.
- set_addkeytime "KEY2" "RETIRED" "${published}" 157680000
- # The key is removed after the retire time plus max zone ttl (1d), zone
- # propagation delay (300s), retire safety (1h), and sign delay
- # (signature validity minus refresh, 9d) =
- # 86400 + 300 + 3600 + 777600 = 867900.
- retired=$(key_get KEY2 RETIRED)
- set_addkeytime "KEY2" "REMOVED" "${retired}" 867900
-
- # Second ZSK (KEY3).
- created=$(key_get KEY3 CREATED)
- set_keytime "KEY3" "PUBLISHED" "${created}"
- set_keytime "KEY3" "ACTIVE" "${created}"
- # Key was pregenerated.
- if [ "$1" = "pregenerated" ]; then
- keyfile=$(key_get KEY3 BASEFILE)
- grep "; Publish:" "${keyfile}.key" > published.test${n}.key3
- published=$(awk '{print $3}' < published.test${n}.key3)
- set_keytime "KEY3" "PUBLISHED" "${published}"
- set_keytime "KEY3" "ACTIVE" "${published}"
- fi
- published=$(key_get KEY3 PUBLISHED)
-
- # Key lifetime for KSK3 is 1 year, 31536000 seconds.
- set_addkeytime "KEY3" "RETIRED" "${published}" 31536000
- retired=$(key_get KEY3 RETIRED)
- set_addkeytime "KEY3" "REMOVED" "${retired}" 867900
+ # The first KSK is immediately published and activated.
+ created=$(key_get KEY1 CREATED)
+ set_keytime "KEY1" "PUBLISHED" "${created}"
+ set_keytime "KEY1" "ACTIVE" "${created}"
+ # Key was pregenerated.
+ if [ "$1" = "pregenerated" ]; then
+ keyfile=$(key_get KEY1 BASEFILE)
+ grep "; Publish:" "${keyfile}.key" >published.test${n}.key1
+ published=$(awk '{print $3}' <published.test${n}.key1)
+ set_keytime "KEY1" "PUBLISHED" "${published}"
+ set_keytime "KEY1" "ACTIVE" "${published}"
+ fi
+ published=$(key_get KEY1 PUBLISHED)
+
+ # The DS can be published if the DNSKEY and RRSIG records are
+ # OMNIPRESENT. This happens after max-zone-ttl (1d) plus
+ # publish-safety (1h) plus zone-propagation-delay (300s) =
+ # 86400 + 3600 + 300 = 90300.
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
+ # Key lifetime is 10 years, 315360000 seconds.
+ set_addkeytime "KEY1" "RETIRED" "${published}" 315360000
+ # The key is removed after the retire time plus DS TTL (1d),
+ # parent propagation delay (1h), and retire safety (1h) =
+ # 86400 + 3600 + 3600 = 93600.
+ retired=$(key_get KEY1 RETIRED)
+ set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
+
+ # The first ZSKs are immediately published and activated.
+ created=$(key_get KEY2 CREATED)
+ set_keytime "KEY2" "PUBLISHED" "${created}"
+ set_keytime "KEY2" "ACTIVE" "${created}"
+ # Key was pregenerated.
+ if [ "$1" = "pregenerated" ]; then
+ keyfile=$(key_get KEY2 BASEFILE)
+ grep "; Publish:" "${keyfile}.key" >published.test${n}.key2
+ published=$(awk '{print $3}' <published.test${n}.key2)
+ set_keytime "KEY2" "PUBLISHED" "${published}"
+ set_keytime "KEY2" "ACTIVE" "${published}"
+ fi
+ published=$(key_get KEY2 PUBLISHED)
+
+ # Key lifetime for KSK2 is 5 years, 157680000 seconds.
+ set_addkeytime "KEY2" "RETIRED" "${published}" 157680000
+ # The key is removed after the retire time plus max zone ttl (1d), zone
+ # propagation delay (300s), retire safety (1h), and sign delay
+ # (signature validity minus refresh, 9d) =
+ # 86400 + 300 + 3600 + 777600 = 867900.
+ retired=$(key_get KEY2 RETIRED)
+ set_addkeytime "KEY2" "REMOVED" "${retired}" 867900
+
+ # Second ZSK (KEY3).
+ created=$(key_get KEY3 CREATED)
+ set_keytime "KEY3" "PUBLISHED" "${created}"
+ set_keytime "KEY3" "ACTIVE" "${created}"
+ # Key was pregenerated.
+ if [ "$1" = "pregenerated" ]; then
+ keyfile=$(key_get KEY3 BASEFILE)
+ grep "; Publish:" "${keyfile}.key" >published.test${n}.key3
+ published=$(awk '{print $3}' <published.test${n}.key3)
+ set_keytime "KEY3" "PUBLISHED" "${published}"
+ set_keytime "KEY3" "ACTIVE" "${published}"
+ fi
+ published=$(key_get KEY3 PUBLISHED)
+
+ # Key lifetime for KSK3 is 1 year, 31536000 seconds.
+ set_addkeytime "KEY3" "RETIRED" "${published}" 31536000
+ retired=$(key_get KEY3 RETIRED)
+ set_addkeytime "KEY3" "REMOVED" "${retired}" 867900
}
#
# Zone: rsasha1.kasp.
#
-if $SHELL ../testcrypto.sh -q RSASHA1
-then
- set_zone "rsasha1.kasp"
- set_policy "rsasha1" "3" "1234"
- set_server "ns3" "10.53.0.3"
- # Key properties.
- key_clear "KEY1"
- set_keyrole "KEY1" "ksk"
- set_keylifetime "KEY1" "315360000"
- set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
- set_keysigning "KEY1" "yes"
- set_zonesigning "KEY1" "no"
-
- key_clear "KEY2"
- set_keyrole "KEY2" "zsk"
- set_keylifetime "KEY2" "157680000"
- set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
- set_keysigning "KEY2" "no"
- set_zonesigning "KEY2" "yes"
-
- key_clear "KEY3"
- set_keyrole "KEY3" "zsk"
- set_keylifetime "KEY3" "31536000"
- set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
- set_keysigning "KEY3" "no"
- set_zonesigning "KEY3" "yes"
-
- # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
- # ZSK: DNSKEY, RRSIG (zsk) published.
- set_keystate "KEY1" "GOAL" "omnipresent"
- set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
- set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
- set_keystate "KEY1" "STATE_DS" "hidden"
-
- set_keystate "KEY2" "GOAL" "omnipresent"
- set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
- set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-
- set_keystate "KEY3" "GOAL" "omnipresent"
- set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
- set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
- # Three keys only.
- key_clear "KEY4"
-
- check_keys
- check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
- set_keytimes_algorithm_policy
- check_keytimes
- check_apex
- check_subdomain
- dnssec_verify
+if $SHELL ../testcrypto.sh -q RSASHA1; then
+ set_zone "rsasha1.kasp"
+ set_policy "rsasha1" "3" "1234"
+ set_server "ns3" "10.53.0.3"
+ # Key properties.
+ key_clear "KEY1"
+ set_keyrole "KEY1" "ksk"
+ set_keylifetime "KEY1" "315360000"
+ set_keyalgorithm "KEY1" "5" "RSASHA1" "2048"
+ set_keysigning "KEY1" "yes"
+ set_zonesigning "KEY1" "no"
+
+ key_clear "KEY2"
+ set_keyrole "KEY2" "zsk"
+ set_keylifetime "KEY2" "157680000"
+ set_keyalgorithm "KEY2" "5" "RSASHA1" "2048"
+ set_keysigning "KEY2" "no"
+ set_zonesigning "KEY2" "yes"
+
+ key_clear "KEY3"
+ set_keyrole "KEY3" "zsk"
+ set_keylifetime "KEY3" "31536000"
+ set_keyalgorithm "KEY3" "5" "RSASHA1" "2000"
+ set_keysigning "KEY3" "no"
+ set_zonesigning "KEY3" "yes"
+
+ # KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
+ # ZSK: DNSKEY, RRSIG (zsk) published.
+ set_keystate "KEY1" "GOAL" "omnipresent"
+ set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
+ set_keystate "KEY1" "STATE_DS" "hidden"
+
+ set_keystate "KEY2" "GOAL" "omnipresent"
+ set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+
+ set_keystate "KEY3" "GOAL" "omnipresent"
+ set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+ set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
+ # Three keys only.
+ key_clear "KEY4"
+
+ check_keys
+ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+ set_keytimes_algorithm_policy
+ check_keytimes
+ check_apex
+ check_subdomain
+ dnssec_verify
fi
#
@@ -865,12 +889,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
check_apex
check_subdomain
# Make sure the zone file is untouched.
-n=$((n+1))
+n=$((n + 1))
echo_i "Make sure the zonefile for zone ${ZONE} is not edited ($n)"
ret=0
diff "${DIR}/${ZONE}.db.infile" "${DIR}/${ZONE}.db" || ret=1
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Zone: insecure.kasp.
@@ -896,17 +920,17 @@ set_zone "unlimited.kasp"
set_policy "unlimited" "1" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DS" "hidden"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
@@ -924,38 +948,38 @@ set_policy "rsasha256" "3" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "315360000"
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "315360000"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "157680000"
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "157680000"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
-key_clear "KEY3"
-set_keyrole "KEY3" "zsk"
-set_keylifetime "KEY3" "31536000"
+key_clear "KEY3"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "31536000"
set_keyalgorithm "KEY3" "8" "RSASHA256" "3072"
-set_keysigning "KEY3" "no"
-set_zonesigning "KEY3" "yes"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "yes"
# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
# ZSK: DNSKEY, RRSIG (zsk) published.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DS" "hidden"
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
# Three keys only.
@@ -1032,15 +1056,15 @@ check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
set_keytimes_algorithm_policy
# Activation date is a day later.
-set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400
-set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400
-set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400
-set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400
-set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400
-set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400
-set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400
-set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400
-set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400
+set_addkeytime "KEY1" "ACTIVE" $(key_get KEY1 ACTIVE) 86400
+set_addkeytime "KEY1" "RETIRED" $(key_get KEY1 RETIRED) 86400
+set_addkeytime "KEY1" "REMOVED" $(key_get KEY1 REMOVED) 86400
+set_addkeytime "KEY2" "ACTIVE" $(key_get KEY2 ACTIVE) 86400
+set_addkeytime "KEY2" "RETIRED" $(key_get KEY2 RETIRED) 86400
+set_addkeytime "KEY2" "REMOVED" $(key_get KEY2 REMOVED) 86400
+set_addkeytime "KEY3" "ACTIVE" $(key_get KEY3 ACTIVE) 86400
+set_addkeytime "KEY3" "RETIRED" $(key_get KEY3 RETIRED) 86400
+set_addkeytime "KEY3" "REMOVED" $(key_get KEY3 REMOVED) 86400
check_keytimes
check_apex
check_subdomain
@@ -1063,29 +1087,29 @@ check_subdomain
dnssec_verify
# Update zone.
-n=$((n+1))
+n=$((n + 1))
echo_i "check that we correctly sign the zone after IXFR for zone ${ZONE} ($n)"
ret=0
cp ns2/secondary.kasp.db.in2 ns2/secondary.kasp.db
-rndccmd 10.53.0.2 reload "$ZONE" > /dev/null || log_error "rndc reload zone ${ZONE} failed"
+rndccmd 10.53.0.2 reload "$ZONE" >/dev/null || log_error "rndc reload zone ${ZONE} failed"
_wait_for_done_subdomains() {
- ret=0
- dig_with_opts "a.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.a" || return 1
- grep "status: NOERROR" "dig.out.$DIR.test$n.a" > /dev/null || return 1
- grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" > /dev/null || return 1
- check_signatures $_qtype "dig.out.$DIR.test$n.a" "ZSK"
- if [ $ret -gt 0 ]; then return $ret; fi
-
- dig_with_opts "d.${ZONE}" "@${SERVER}" A > "dig.out.$DIR.test$n.d" || return 1
- grep "status: NOERROR" "dig.out.$DIR.test$n.d" > /dev/null || return 1
- grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" > /dev/null || return 1
- check_signatures $_qtype "dig.out.$DIR.test$n.d" "ZSK"
- return $ret
+ ret=0
+ dig_with_opts "a.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.a" || return 1
+ grep "status: NOERROR" "dig.out.$DIR.test$n.a" >/dev/null || return 1
+ grep "a.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.11" "dig.out.$DIR.test$n.a" >/dev/null || return 1
+ check_signatures $_qtype "dig.out.$DIR.test$n.a" "ZSK"
+ if [ $ret -gt 0 ]; then return $ret; fi
+
+ dig_with_opts "d.${ZONE}" "@${SERVER}" A >"dig.out.$DIR.test$n.d" || return 1
+ grep "status: NOERROR" "dig.out.$DIR.test$n.d" >/dev/null || return 1
+ grep "d.${ZONE}\..*${DEFAULT_TTL}.*IN.*A.*10\.0\.0\.4" "dig.out.$DIR.test$n.d" >/dev/null || return 1
+ check_signatures $_qtype "dig.out.$DIR.test$n.d" "ZSK"
+ return $ret
}
retry_quiet 5 _wait_for_done_subdomains || ret=1
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# TODO: we might want to test:
# - configuring a zone with too many active keys (should trigger retire).
@@ -1094,24 +1118,23 @@ status=$((status+ret))
#
# Zone: rsasha1-nsec3.kasp.
#
-if $SHELL ../testcrypto.sh -q RSASHA1
-then
- set_zone "rsasha1-nsec3.kasp"
- set_policy "rsasha1-nsec3" "3" "1234"
- set_server "ns3" "10.53.0.3"
- # Key properties.
- set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
- set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048"
- set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000"
- # Key timings and states same as above.
-
- check_keys
- check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
- set_keytimes_algorithm_policy
- check_keytimes
- check_apex
- check_subdomain
- dnssec_verify
+if $SHELL ../testcrypto.sh -q RSASHA1; then
+ set_zone "rsasha1-nsec3.kasp"
+ set_policy "rsasha1-nsec3" "3" "1234"
+ set_server "ns3" "10.53.0.3"
+ # Key properties.
+ set_keyalgorithm "KEY1" "7" "NSEC3RSASHA1" "2048"
+ set_keyalgorithm "KEY2" "7" "NSEC3RSASHA1" "2048"
+ set_keyalgorithm "KEY3" "7" "NSEC3RSASHA1" "2000"
+ # Key timings and states same as above.
+
+ check_keys
+ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+ set_keytimes_algorithm_policy
+ check_keytimes
+ check_apex
+ check_subdomain
+ dnssec_verify
fi
#
@@ -1198,77 +1221,77 @@ dnssec_verify
# Zone: ed25519.kasp.
#
if [ -f ed25519-supported.file ]; then
- set_zone "ed25519.kasp"
- set_policy "ed25519" "3" "1234"
- set_server "ns3" "10.53.0.3"
- # Key properties.
- set_keyalgorithm "KEY1" "15" "ED25519" "256"
- set_keyalgorithm "KEY2" "15" "ED25519" "256"
- set_keyalgorithm "KEY3" "15" "ED25519" "256"
- # Key timings and states same as above.
-
- check_keys
- check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
- set_keytimes_algorithm_policy
- check_keytimes
- check_apex
- check_subdomain
- dnssec_verify
+ set_zone "ed25519.kasp"
+ set_policy "ed25519" "3" "1234"
+ set_server "ns3" "10.53.0.3"
+ # Key properties.
+ set_keyalgorithm "KEY1" "15" "ED25519" "256"
+ set_keyalgorithm "KEY2" "15" "ED25519" "256"
+ set_keyalgorithm "KEY3" "15" "ED25519" "256"
+ # Key timings and states same as above.
+
+ check_keys
+ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+ set_keytimes_algorithm_policy
+ check_keytimes
+ check_apex
+ check_subdomain
+ dnssec_verify
fi
#
# Zone: ed448.kasp.
#
if [ -f ed448-supported.file ]; then
- set_zone "ed448.kasp"
- set_policy "ed448" "3" "1234"
- set_server "ns3" "10.53.0.3"
- # Key properties.
- set_keyalgorithm "KEY1" "16" "ED448" "456"
- set_keyalgorithm "KEY2" "16" "ED448" "456"
- set_keyalgorithm "KEY3" "16" "ED448" "456"
- # Key timings and states same as above.
-
- check_keys
- check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
- set_keytimes_algorithm_policy
- check_keytimes
- check_apex
- check_subdomain
- dnssec_verify
+ set_zone "ed448.kasp"
+ set_policy "ed448" "3" "1234"
+ set_server "ns3" "10.53.0.3"
+ # Key properties.
+ set_keyalgorithm "KEY1" "16" "ED448" "456"
+ set_keyalgorithm "KEY2" "16" "ED448" "456"
+ set_keyalgorithm "KEY3" "16" "ED448" "456"
+ # Key timings and states same as above.
+
+ check_keys
+ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
+ set_keytimes_algorithm_policy
+ check_keytimes
+ check_apex
+ check_subdomain
+ dnssec_verify
fi
# Set key times for 'autosign' policy.
set_keytimes_autosign_policy() {
- # The KSK was published six months ago (with settime).
- created=$(key_get KEY1 CREATED)
- set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000
- set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000
- set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000
- # Key lifetime is 2 years, 63072000 seconds.
- active=$(key_get KEY1 ACTIVE)
- set_addkeytime "KEY1" "RETIRED" "${active}" 63072000
- # The key is removed after the retire time plus DS TTL (1d),
- # parent propagation delay (1h), retire safety (1h) =
- # 86400 + 3600 + 3600 = 93600
- retired=$(key_get KEY1 RETIRED)
- set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
-
- # The ZSK was published six months ago (with settime).
- created=$(key_get KEY2 CREATED)
- set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000
- set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000
- # Key lifetime for KSK2 is 1 year, 31536000 seconds.
- active=$(key_get KEY2 ACTIVE)
- set_addkeytime "KEY2" "RETIRED" "${active}" 31536000
- # The key is removed after the retire time plus:
- # TTLsig (RRSIG TTL): 1 day (86400 seconds)
- # Dprp (propagation delay): 5 minutes (300 seconds)
- # retire-safety: 1 hour (3600 seconds)
- # Dsgn (sign delay): 7 days (604800 seconds)
- # Iret: 695100 seconds.
- retired=$(key_get KEY2 RETIRED)
- set_addkeytime "KEY2" "REMOVED" "${retired}" 695100
+ # The KSK was published six months ago (with settime).
+ created=$(key_get KEY1 CREATED)
+ set_addkeytime "KEY1" "PUBLISHED" "${created}" -15552000
+ set_addkeytime "KEY1" "ACTIVE" "${created}" -15552000
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -15552000
+ # Key lifetime is 2 years, 63072000 seconds.
+ active=$(key_get KEY1 ACTIVE)
+ set_addkeytime "KEY1" "RETIRED" "${active}" 63072000
+ # The key is removed after the retire time plus DS TTL (1d),
+ # parent propagation delay (1h), retire safety (1h) =
+ # 86400 + 3600 + 3600 = 93600
+ retired=$(key_get KEY1 RETIRED)
+ set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
+
+ # The ZSK was published six months ago (with settime).
+ created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${created}" -15552000
+ set_addkeytime "KEY2" "ACTIVE" "${created}" -15552000
+ # Key lifetime for KSK2 is 1 year, 31536000 seconds.
+ active=$(key_get KEY2 ACTIVE)
+ set_addkeytime "KEY2" "RETIRED" "${active}" 31536000
+ # The key is removed after the retire time plus:
+ # TTLsig (RRSIG TTL): 1 day (86400 seconds)
+ # Dprp (propagation delay): 5 minutes (300 seconds)
+ # retire-safety: 1 hour (3600 seconds)
+ # Dsgn (sign delay): 7 days (604800 seconds)
+ # Iret: 695100 seconds.
+ retired=$(key_get KEY2 RETIRED)
+ set_addkeytime "KEY2" "REMOVED" "${retired}" 695100
}
#
@@ -1278,27 +1301,27 @@ set_zone "expired-sigs.autosign"
set_policy "autosign" "2" "300"
set_server "ns3" "10.53.0.3"
# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "63072000"
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "63072000"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "31536000"
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "31536000"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
# Both KSK and ZSK stay OMNIPRESENT.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# Expect only two keys.
@@ -1315,42 +1338,39 @@ dnssec_verify
# Verify all signatures have been refreshed.
check_rrsig_refresh() {
- # Apex.
- _qtypes="DNSKEY SOA NS NSEC"
- for _qtype in $_qtypes
- do
- n=$((n+1))
- echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
- ret=0
- dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
- grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
- grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
- # If this exact RRSIG is also in the zone file it is not refreshed.
- _rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
- grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
- done
-
- # Below apex.
- _labels="a b c ns3"
- for _label in $_labels;
- do
- _qtypes="A NSEC"
- for _qtype in $_qtypes
- do
- n=$((n+1))
- echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
- ret=0
- dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
- grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
- grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
- _rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
- grep "${_rrsig}" "${DIR}/${ZONE}.db" > /dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
- done
- done
+ # Apex.
+ _qtypes="DNSKEY SOA NS NSEC"
+ for _qtype in $_qtypes; do
+ n=$((n + 1))
+ echo_i "check ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
+ ret=0
+ dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
+ grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response"
+ grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+ # If this exact RRSIG is also in the zone file it is not refreshed.
+ _rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
+ grep "${_rrsig}" "${DIR}/${ZONE}.db" >/dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
+ done
+
+ # Below apex.
+ _labels="a b c ns3"
+ for _label in $_labels; do
+ _qtypes="A NSEC"
+ for _qtype in $_qtypes; do
+ n=$((n + 1))
+ echo_i "check ${_label} ${_qtype} rrsig is refreshed correctly for zone ${ZONE} ($n)"
+ ret=0
+ dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
+ grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response"
+ grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+ _rrsig=$(cat "rrsig.out.$ZONE.$_qtype")
+ grep "${_rrsig}" "${DIR}/${ZONE}.db" >/dev/null && log_error "RRSIG (${_qtype}) not refreshed in zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
+ done
+ done
}
check_rrsig_refresh
@@ -1373,45 +1393,42 @@ dnssec_verify
# Verify signature reuse.
check_rrsig_reuse() {
- # Apex.
- _qtypes="NS NSEC"
- for _qtype in $_qtypes
- do
- n=$((n+1))
- echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
- ret=0
- dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
- grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
- grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
- # If this exact RRSIG is also in the signed zone file it is not refreshed.
- _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype")
- $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null
- grep "${_rrsig}" zone.out.${ZONE}.test$n > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
- done
-
- # Below apex.
- _labels="a b c ns3"
- for _label in $_labels;
- do
- _qtypes="A NSEC"
- for _qtype in $_qtypes
- do
- n=$((n+1))
- echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
- ret=0
- dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" > "dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
- grep "status: NOERROR" "dig.out.$DIR.test$n" > /dev/null || log_error "mismatch status in DNS response"
- grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" > "rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
- # If this exact RRSIG is also in the signed zone file it is not refreshed.
- _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' < "rrsig.out.$ZONE.$_qtype")
- $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" > /dev/null
- grep "${_rrsig}" zone.out.${ZONE}.test$n > /dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
- done
- done
+ # Apex.
+ _qtypes="NS NSEC"
+ for _qtype in $_qtypes; do
+ n=$((n + 1))
+ echo_i "check ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
+ ret=0
+ dig_with_opts "$ZONE" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${ZONE} ${_qtype} failed"
+ grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response"
+ grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+ # If this exact RRSIG is also in the signed zone file it is not refreshed.
+ _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' <"rrsig.out.$ZONE.$_qtype")
+ $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" >/dev/null
+ grep "${_rrsig}" zone.out.${ZONE}.test$n >/dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
+ done
+
+ # Below apex.
+ _labels="a b c ns3"
+ for _label in $_labels; do
+ _qtypes="A NSEC"
+ for _qtype in $_qtypes; do
+ n=$((n + 1))
+ echo_i "check ${_label} ${_qtype} rrsig is reused correctly for zone ${ZONE} ($n)"
+ ret=0
+ dig_with_opts "${_label}.${ZONE}" "@${SERVER}" "$_qtype" >"dig.out.$DIR.test$n" || log_error "dig ${_label}.${ZONE} ${_qtype} failed"
+ grep "status: NOERROR" "dig.out.$DIR.test$n" >/dev/null || log_error "mismatch status in DNS response"
+ grep "${ZONE}\..*IN.*RRSIG.*${_qtype}.*${ZONE}" "dig.out.$DIR.test$n" >"rrsig.out.$ZONE.$_qtype" || log_error "missing RRSIG (${_qtype}) record in response"
+ # If this exact RRSIG is also in the signed zone file it is not refreshed.
+ _rrsig=$(awk '{print $5, $6, $7, $8, $9, $10, $11, $12, $13, $14;}' <"rrsig.out.$ZONE.$_qtype")
+ $CHECKZONE -f raw -F text -s full -o zone.out.${ZONE}.test$n "${ZONE}" "${DIR}/${ZONE}.db.signed" >/dev/null
+ grep "${_rrsig}" zone.out.${ZONE}.test$n >/dev/null || log_error "RRSIG (${_qtype}) not reused in zone ${ZONE}"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
+ done
+ done
}
check_rrsig_reuse
@@ -1486,19 +1503,19 @@ set_zone "zsk-retired.autosign"
set_policy "autosign" "3" "300"
set_server "ns3" "10.53.0.3"
# The third key is not yet expected to be signing.
-set_keyrole "KEY3" "zsk"
-set_keylifetime "KEY3" "31536000"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "31536000"
set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY3" "no"
-set_zonesigning "KEY3" "no"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "no"
# The ZSK goal is set to HIDDEN but records stay OMNIPRESENT until the new ZSK
# is active.
-set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY2" "GOAL" "hidden"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# A new ZSK should be introduced, so expect a key with goal OMNIPRESENT,
# the DNSKEY introduced (RUMOURED) and the signatures HIDDEN.
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
@@ -1508,24 +1525,24 @@ set_keytimes_autosign_policy
# The old ZSK is retired.
created=$(key_get KEY2 CREATED)
-set_keytime "KEY2" "RETIRED" "${created}"
-set_addkeytime "KEY2" "REMOVED" "${created}" 695100
+set_keytime "KEY2" "RETIRED" "${created}"
+set_addkeytime "KEY2" "REMOVED" "${created}" 695100
# The new ZSK is immediately published.
created=$(key_get KEY3 CREATED)
-set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "PUBLISHED" "${created}"
# And becomes active after Ipub:
# DNSKEY TTL: 300 seconds
# zone-propagation-delay 5 minutes (300 seconds)
# publish-safety: 1 hour (3600 seconds)
# Ipub: 4200 seconds
published=$(key_get KEY3 PUBLISHED)
-set_addkeytime "KEY3" "ACTIVE" "${published}" 4200
+set_addkeytime "KEY3" "ACTIVE" "${published}" 4200
# Lzsk: 1 year (31536000 seconds)
active=$(key_get KEY3 ACTIVE)
-set_addkeytime "KEY3" "RETIRED" "${active}" 31536000
+set_addkeytime "KEY3" "RETIRED" "${active}" 31536000
# Iret: 695100 seconds.
retired=$(key_get KEY3 RETIRED)
-set_addkeytime "KEY3" "REMOVED" "${retired}" 695100
+set_addkeytime "KEY3" "REMOVED" "${retired}" 695100
check_keytimes
check_apex
@@ -1543,27 +1560,27 @@ set_policy "migrate-to-dnssec-policy" "4" "1234"
set_server "ns3" "10.53.0.3"
# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "16070400"
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "16070400"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "16070400"
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "16070400"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
# KSK: DNSKEY, RRSIG (ksk) published. DS needs to wait.
# ZSK: DNSKEY, RRSIG (zsk) published.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DS" "hidden"
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
# Two keys only.
@@ -1575,7 +1592,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Make sure the correct legacy keys were used (and not the removed predecessor
# keys).
-n=$((n+1))
+n=$((n + 1))
echo_i "check correct keys were used when migrating zone ${ZONE} to dnssec-policy ($n)"
ret=0
kskfile=$(cat ns3/legacy-keys.kasp.ksk)
@@ -1587,42 +1604,42 @@ basefile=$(key_get KEY2 BASEFILE)
echo_i "filename: $basefile (expect $zskfile)"
test "$DIR/$zskfile" = "$basefile" || ret=1
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# KSK times.
created=$(key_get KEY1 CREATED)
keyfile=$(key_get KEY1 BASEFILE)
-grep "; Publish:" "${keyfile}.key" > published.test${n}.key1
-published=$(awk '{print $3}' < published.test${n}.key1)
+grep "; Publish:" "${keyfile}.key" >published.test${n}.key1
+published=$(awk '{print $3}' <published.test${n}.key1)
set_keytime "KEY1" "PUBLISHED" "${published}"
-set_keytime "KEY1" "ACTIVE" "${published}"
+set_keytime "KEY1" "ACTIVE" "${published}"
published=$(key_get KEY1 PUBLISHED)
# The DS can be published if the DNSKEY and RRSIG records are OMNIPRESENT.
# This happens after max-zone-ttl (1d) plus publish-safety (1h) plus
# zone-propagation-delay (300s) = 86400 + 3600 + 300 = 90300.
set_addkeytime "KEY1" "SYNCPUBLISH" "${published}" 90300
# Key lifetime is 6 months, 315360000 seconds.
-set_addkeytime "KEY1" "RETIRED" "${published}" 16070400
+set_addkeytime "KEY1" "RETIRED" "${published}" 16070400
# The key is removed after the retire time plus DS TTL (1d), parent
# propagation delay (1h), and retire safety (1h) = 86400 + 3600 + 3600 = 93600.
retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
+set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
# ZSK times.
created=$(key_get KEY2 CREATED)
keyfile=$(key_get KEY2 BASEFILE)
-grep "; Publish:" "${keyfile}.key" > published.test${n}.key2
-published=$(awk '{print $3}' < published.test${n}.key2)
+grep "; Publish:" "${keyfile}.key" >published.test${n}.key2
+published=$(awk '{print $3}' <published.test${n}.key2)
set_keytime "KEY2" "PUBLISHED" "${published}"
-set_keytime "KEY2" "ACTIVE" "${published}"
+set_keytime "KEY2" "ACTIVE" "${published}"
published=$(key_get KEY2 PUBLISHED)
# Key lifetime is 6 months, 315360000 seconds.
-set_addkeytime "KEY2" "RETIRED" "${published}" 16070400
+set_addkeytime "KEY2" "RETIRED" "${published}" 16070400
# The key is removed after the retire time plus max zone ttl (1d), zone
# propagation delay (300s), retire safety (1h), and sign delay (signature
# validity minus refresh, 9d) = 86400 + 300 + 3600 + 777600 = 867900.
retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" 867900
+set_addkeytime "KEY2" "REMOVED" "${retired}" 867900
check_keytimes
check_apex
@@ -1745,17 +1762,17 @@ check_subdomain
# ns4/inherit.override.signed
# ns5/override.inherit.signed
# ns5/inherit.override.signed
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DS" "hidden"
set_zone "signed.tld"
set_policy "default" "1" "3600"
@@ -1824,11 +1841,11 @@ dnssec_verify
# ns5/override.override.unsigned
# ns5/override.none.unsigned
# ns4/example.net (both views)
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "14" "ECDSAP384SHA384" "384"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
set_zone "inherit.inherit.signed"
set_policy "test" "1" "3600"
@@ -1907,23 +1924,23 @@ check_keytimes
check_apex
dnssec_verify
# check zonestatus
-n=$((n+1))
+n=$((n + 1))
echo_i "check $ZONE (view example1) zonestatus ($n)"
ret=0
check_isdynamic "$SERVER" "$ZONE" "example1" || log_error "zone not dynamic"
check_inlinesigning "$SERVER" "$ZONE" "example1" && log_error "inline-signing enabled, expected disabled"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# check subdomain
-n=$((n+1))
+n=$((n + 1))
echo_i "check TXT example.net (view example1) rrset is signed correctly ($n)"
ret=0
-dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
-grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
-grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view1" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view1" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
TSIG="$DEFAULT_HMAC:keyforview2:$VIEW2"
wait_for_nsec
@@ -1932,23 +1949,23 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example2"
check_apex
dnssec_verify
# check zonestatus
-n=$((n+1))
+n=$((n + 1))
echo_i "check $ZONE (view example2) zonestatus ($n)"
ret=0
check_isdynamic "$SERVER" "$ZONE" "example2" && log_error "zone dynamic, but not expected"
check_inlinesigning "$SERVER" "$ZONE" "example2" || log_error "inline-signing disabled, expected enabled"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# check subdomain
-n=$((n+1))
+n=$((n + 1))
echo_i "check TXT example.net (view example2) rrset is signed correctly ($n)"
ret=0
-dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
-grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
-grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
TSIG="$DEFAULT_HMAC:keyforview3:$VIEW3"
wait_for_nsec
@@ -1957,23 +1974,23 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE" "example3"
check_apex
dnssec_verify
# check zonestatus
-n=$((n+1))
+n=$((n + 1))
echo_i "check $ZONE (view example3) zonestatus ($n)"
ret=0
check_isdynamic "$SERVER" "$ZONE" "example3" && log_error "zone dynamic, but not expected"
check_inlinesigning "$SERVER" "$ZONE" "example3" || log_error "inline-signing disabled, expected enabled"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# check subdomain
-n=$((n+1))
+n=$((n + 1))
echo_i "check TXT example.net (view example3) rrset is signed correctly ($n)"
ret=0
-dig_with_opts "view.${ZONE}" "@${SERVER}" TXT > "dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
-grep "status: NOERROR" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "mismatch status in DNS response"
-grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" > /dev/null || log_error "missing view.${ZONE} TXT record in response"
+dig_with_opts "view.${ZONE}" "@${SERVER}" TXT >"dig.out.$DIR.test$n.txt" || log_error "dig view.${ZONE} TXT failed"
+grep "status: NOERROR" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "mismatch status in DNS response"
+grep "view.${ZONE}\..*${DEFAULT_TTL}.*IN.*TXT.*view2" "dig.out.$DIR.test$n.txt" >/dev/null || log_error "missing view.${ZONE} TXT record in response"
check_signatures TXT "dig.out.$DIR.test$n.txt" "ZSK"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
# Clear TSIG.
TSIG=""
@@ -1990,23 +2007,23 @@ key_clear "KEY3"
key_clear "KEY4"
# Key properties.
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "0"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "0"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
@@ -2018,27 +2035,27 @@ dnssec_verify
# Check that the ZSKs from the other provider are published.
zsks_are_published() {
- dig_with_opts +short "$ZONE" "@${SERVER}" DNSKEY > "dig.out.$DIR.test$n" || return 1
- # We should have three ZSKs.
- lines=$(grep "256 3 13" dig.out.$DIR.test$n | wc -l)
- test "$lines" -eq 3 || return 1
- # And one KSK.
- lines=$(grep "257 3 13" dig.out.$DIR.test$n | wc -l)
- test "$lines" -eq 1 || return 1
+ dig_with_opts +short "$ZONE" "@${SERVER}" DNSKEY >"dig.out.$DIR.test$n" || return 1
+ # We should have three ZSKs.
+ lines=$(grep "256 3 13" dig.out.$DIR.test$n | wc -l)
+ test "$lines" -eq 3 || return 1
+ # And one KSK.
+ lines=$(grep "257 3 13" dig.out.$DIR.test$n | wc -l)
+ test "$lines" -eq 1 || return 1
}
-n=$((n+1))
+n=$((n + 1))
echo_i "update zone with ZSK from another provider for zone ${ZONE} ($n)"
ret=0
(
-echo zone ${ZONE}
-echo server 10.53.0.3 "$PORT"
-echo update add $(cat "${DIR}/${ZONE}.zsk2")
-echo send
+ echo zone ${ZONE}
+ echo server 10.53.0.3 "$PORT"
+ echo update add $(cat "${DIR}/${ZONE}.zsk2")
+ echo send
) | $NSUPDATE
retry_quiet 10 zsks_are_published || ret=1
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Testing manual rollover.
@@ -2051,24 +2068,24 @@ key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"
# Key properties.
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "0"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "0"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
# During set up everything was set to OMNIPRESENT.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
@@ -2077,12 +2094,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The first keys were published and activated a day ago.
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -86400
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -86400
set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -86400
-set_addkeytime "KEY1" "ACTIVE" "${created}" -86400
+set_addkeytime "KEY1" "ACTIVE" "${created}" -86400
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -86400
-set_addkeytime "KEY2" "ACTIVE" "${created}" -86400
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -86400
+set_addkeytime "KEY2" "ACTIVE" "${created}" -86400
# Key lifetimes are unlimited, so not setting RETIRED and REMOVED.
check_keytimes
check_apex
@@ -2091,16 +2108,16 @@ dnssec_verify
# Schedule KSK rollover in six months (15552000 seconds).
active=$(key_get KEY1 ACTIVE)
-set_addkeytime "KEY1" "RETIRED" "${active}" 15552000
+set_addkeytime "KEY1" "RETIRED" "${active}" 15552000
retired=$(key_get KEY1 RETIRED)
rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${retired}" "$ZONE"
# Rollover starts in six months, but lifetime is set to six months plus
# prepublication duration = 15552000 + 7500 = 15559500 seconds.
-set_keylifetime "KEY1" "15559500"
-set_addkeytime "KEY1" "RETIRED" "${active}" 15559500
+set_keylifetime "KEY1" "15559500"
+set_addkeytime "KEY1" "RETIRED" "${active}" 15559500
retired=$(key_get KEY1 RETIRED)
# Retire interval of this policy is 26h (93600 seconds).
-set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
+set_addkeytime "KEY1" "REMOVED" "${retired}" 93600
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
@@ -2114,21 +2131,21 @@ set_policy "manual-rollover" "3" "3600"
set_keystate "KEY1" "GOAL" "hidden"
# This key was activated one day ago, so lifetime is set to 1d plus
# prepublication duration (7500 seconds) = 93900 seconds.
-set_keylifetime "KEY1" "93900"
+set_keylifetime "KEY1" "93900"
created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "RETIRED" "${created}"
+set_keytime "KEY1" "RETIRED" "${created}"
rndc_rollover "$SERVER" "$DIR" $(key_get KEY1 ID) "${created}" "$ZONE"
# New key is introduced.
-set_keyrole "KEY3" "ksk"
-set_keylifetime "KEY3" "0"
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY3" "yes"
-set_zonesigning "KEY3" "no"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY3" "STATE_DS" "hidden"
+set_keystate "KEY3" "STATE_DS" "hidden"
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
@@ -2141,18 +2158,18 @@ set_policy "manual-rollover" "4" "3600"
set_keystate "KEY2" "GOAL" "hidden"
# This key was activated one day ago, so lifetime is set to 1d plus
# prepublication duration (7500 seconds) = 93900 seconds.
-set_keylifetime "KEY2" "93900"
+set_keylifetime "KEY2" "93900"
created=$(key_get KEY2 CREATED)
-set_keytime "KEY2" "RETIRED" "${created}"
+set_keytime "KEY2" "RETIRED" "${created}"
rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE"
# New key is introduced.
-set_keyrole "KEY4" "zsk"
-set_keylifetime "KEY4" "0"
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "0"
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY4" "no"
-set_zonesigning "KEY4" "no" # not yet, first prepublish DNSKEY.
+set_keysigning "KEY4" "no"
+set_zonesigning "KEY4" "no" # not yet, first prepublish DNSKEY.
-set_keystate "KEY4" "GOAL" "omnipresent"
+set_keystate "KEY4" "GOAL" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
set_keystate "KEY4" "STATE_ZRRSIG" "hidden"
@@ -2163,13 +2180,13 @@ check_subdomain
dnssec_verify
# Try to schedule a ZSK rollover for an inactive key (should fail).
-n=$((n+1))
+n=$((n + 1))
echo_i "check that rndc dnssec -rollover fails if key is inactive ($n)"
ret=0
-rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" > rndc.dnssec.rollover.out.$ZONE.$n || ret=1
-grep "key is not actively signing" rndc.dnssec.rollover.out.$ZONE.$n > /dev/null || log_error "bad error message"
+rndccmd "$SERVER" dnssec -rollover -key $(key_get KEY4 ID) "$ZONE" >rndc.dnssec.rollover.out.$ZONE.$n || ret=1
+grep "key is not actively signing" rndc.dnssec.rollover.out.$ZONE.$n >/dev/null || log_error "bad error message"
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
#
# Testing DNSSEC introduction.
@@ -2182,18 +2199,18 @@ set_zone "step1.enable-dnssec.autosign"
set_policy "enable-dnssec" "1" "300"
set_server "ns3" "10.53.0.3"
# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+key_clear "KEY1"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
# The DNSKEY and signatures are introduced first, the DS remains hidden.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DS" "hidden"
# This policy lists only one key (CSK).
key_clear "KEY2"
key_clear "KEY3"
@@ -2205,13 +2222,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Set expected key times:
# - The first key is immediately published and activated.
created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "PUBLISHED" "${created}"
-set_keytime "KEY1" "ACTIVE" "${created}"
+set_keytime "KEY1" "PUBLISHED" "${created}"
+set_keytime "KEY1" "ACTIVE" "${created}"
# - The DS can be published if the DNSKEY and RRSIG records are
# OMNIPRESENT. This happens after max-zone-ttl (12h) plus
# publish-safety (5m) plus zone-propagation-delay (5m) =
# 43200 + 300 + 300 = 43800.
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
# - Key lifetime is unlimited, so not setting RETIRED and REMOVED.
# Various signing policy checks.
@@ -2221,37 +2238,37 @@ check_subdomain
dnssec_verify
_check_next_key_event() {
- _expect=$1
+ _expect=$1
- grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" > "keyevent.out.$ZONE.test$n" || return 1
+ grep "zone ${ZONE}.*: next key event in .* seconds" "${DIR}/named.run" >"keyevent.out.$ZONE.test$n" || return 1
- # Get the latest next key event.
- if [ "${DYNAMIC}" = "yes" ]; then
- _time=$(awk '{print $9}' < "keyevent.out.$ZONE.test$n" | tail -1)
- else
- # inline-signing zone adds "(signed)"
- _time=$(awk '{print $10}' < "keyevent.out.$ZONE.test$n" | tail -1)
- fi
+ # Get the latest next key event.
+ if [ "${DYNAMIC}" = "yes" ]; then
+ _time=$(awk '{print $9}' <"keyevent.out.$ZONE.test$n" | tail -1)
+ else
+ # inline-signing zone adds "(signed)"
+ _time=$(awk '{print $10}' <"keyevent.out.$ZONE.test$n" | tail -1)
+ fi
- # The next key event time must within threshold of the
- # expected time.
- _expectmin=$((_expect-next_key_event_threshold))
- _expectmax=$((_expect+next_key_event_threshold))
+ # The next key event time must within threshold of the
+ # expected time.
+ _expectmin=$((_expect - next_key_event_threshold))
+ _expectmax=$((_expect + next_key_event_threshold))
- test $_expectmin -le "$_time" || return 1
- test $_expectmax -ge "$_time" || return 1
+ test $_expectmin -le "$_time" || return 1
+ test $_expectmax -ge "$_time" || return 1
- return 0
+ return 0
}
check_next_key_event() {
- n=$((n+1))
- echo_i "check next key event for zone ${ZONE} ($n)"
- ret=0
+ n=$((n + 1))
+ echo_i "check next key event for zone ${ZONE} ($n)"
+ ret=0
- retry_quiet 3 _check_next_key_event $1 || log_error "bad next key event time for zone ${ZONE} (expect ${_expect})"
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ retry_quiet 3 _check_next_key_event $1 || log_error "bad next key event time for zone ${ZONE} (expect ${_expect})"
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
}
@@ -2277,9 +2294,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Set expected key times:
# - The key was published and activated 900 seconds ago (with settime).
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -900
-set_addkeytime "KEY1" "ACTIVE" "${created}" -900
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -900
+set_addkeytime "KEY1" "ACTIVE" "${created}" -900
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" 43800
# Continue signing policy checks.
check_keytimes
@@ -2300,7 +2317,7 @@ set_policy "enable-dnssec" "1" "300"
set_server "ns3" "10.53.0.3"
# All signatures should be omnipresent, so the DS can be submitted.
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "rumoured"
# Various signing policy checks.
check_keys
@@ -2309,9 +2326,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Set expected key times:
# - The key was published and activated 44700 seconds ago (with settime).
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700
-set_addkeytime "KEY1" "ACTIVE" "${created}" -44700
-set_keytime "KEY1" "SYNCPUBLISH" "${created}"
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -44700
+set_addkeytime "KEY1" "ACTIVE" "${created}" -44700
+set_keytime "KEY1" "SYNCPUBLISH" "${created}"
# Continue signing policy checks.
check_keytimes
@@ -2345,9 +2362,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# Set expected key times:
# - The key was published and activated 56700 seconds ago (with settime).
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "PUBLISHED" "${created}" -56700
-set_addkeytime "KEY1" "ACTIVE" "${created}" -56700
-set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -12000
+set_addkeytime "KEY1" "PUBLISHED" "${created}" -56700
+set_addkeytime "KEY1" "ACTIVE" "${created}" -56700
+set_addkeytime "KEY1" "SYNCPUBLISH" "${created}" -12000
# Continue signing policy checks.
check_keytimes
@@ -2383,51 +2400,51 @@ set_policy "zsk-prepub" "2" "3600"
set_server "ns3" "10.53.0.3"
set_retired_removed() {
- _Lkey=$2
- _Iret=$3
+ _Lkey=$2
+ _Iret=$3
- _active=$(key_get $1 ACTIVE)
- set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}"
- _retired=$(key_get $1 RETIRED)
- set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
+ _active=$(key_get $1 ACTIVE)
+ set_addkeytime "${1}" "RETIRED" "${_active}" "${_Lkey}"
+ _retired=$(key_get $1 RETIRED)
+ set_addkeytime "${1}" "REMOVED" "${_retired}" "${_Iret}"
}
rollover_predecessor_keytimes() {
- _addtime=$1
-
- _created=$(key_get KEY1 CREATED)
- set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
- set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
- set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
- [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
-
- _created=$(key_get KEY2 CREATED)
- set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
- set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
- [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
+ _addtime=$1
+
+ _created=$(key_get KEY1 CREATED)
+ set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lksk" = 0 ] || set_retired_removed "KEY1" "${Lksk}" "${IretKSK}"
+
+ _created=$(key_get KEY2 CREATED)
+ set_addkeytime "KEY2" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY2" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lzsk" = 0 ] || set_retired_removed "KEY2" "${Lzsk}" "${IretZSK}"
}
# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "${Lksk}"
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "${Lksk}"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "${Lzsk}"
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "${Lzsk}"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# Initially only two keys.
@@ -2457,15 +2474,15 @@ set_zone "step2.zsk-prepub.autosign"
set_policy "zsk-prepub" "3" "3600"
set_server "ns3" "10.53.0.3"
# New ZSK (KEY3) is prepublished, but not yet signing.
-key_clear "KEY3"
-set_keyrole "KEY3" "zsk"
-set_keylifetime "KEY3" "${Lzsk}"
+key_clear "KEY3"
+set_keyrole "KEY3" "zsk"
+set_keylifetime "KEY3" "${Lzsk}"
set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY3" "no"
-set_zonesigning "KEY3" "no"
+set_keysigning "KEY3" "no"
+set_zonesigning "KEY3" "no"
# Key states.
-set_keystate "KEY2" "GOAL" "hidden"
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_ZRRSIG" "hidden"
@@ -2505,11 +2522,11 @@ set_policy "zsk-prepub" "3" "3600"
set_server "ns3" "10.53.0.3"
# ZSK (KEY2) no longer is actively signing, RRSIG state in UNRETENTIVE.
# New ZSK (KEY3) is now actively signing, RRSIG state in RUMOURED.
-set_zonesigning "KEY2" "no"
-set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
-set_zonesigning "KEY3" "yes"
-set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
+set_zonesigning "KEY2" "no"
+set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
+set_zonesigning "KEY3" "yes"
+set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY3" "STATE_ZRRSIG" "rumoured"
# Various signing policy checks.
check_keys
@@ -2520,8 +2537,8 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
rollover_predecessor_keytimes -2592000
# - The new ZSK is published 26 hours ago (93600 seconds).
created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600
-set_keytime "KEY3" "ACTIVE" "${created}"
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -93600
+set_keytime "KEY3" "ACTIVE" "${created}"
set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
# Continue signing policy checks.
@@ -2530,12 +2547,12 @@ check_apex
# Subdomain still has good signatures of ZSK (KEY2).
# Set expected zone signing on for KEY2 and off for KEY3,
# testing whether signatures which are still valid are being reused.
-set_zonesigning "KEY2" "yes"
-set_zonesigning "KEY3" "no"
+set_zonesigning "KEY2" "yes"
+set_zonesigning "KEY3" "no"
check_subdomain
# Restore the expected zone signing properties.
-set_zonesigning "KEY2" "no"
-set_zonesigning "KEY3" "yes"
+set_zonesigning "KEY2" "no"
+set_zonesigning "KEY3" "yes"
dnssec_verify
# Next key event is when all the RRSIG records have been replaced with
@@ -2566,9 +2583,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
rollover_predecessor_keytimes -3459600
# - The new ZSK is published 267 hours ago (961200 seconds).
created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -961200
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -961200
published=$(key_get KEY3 PUBLISHED)
-set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}"
+set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}"
set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
# Continue signing policy checks.
@@ -2600,9 +2617,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
rollover_predecessor_keytimes -3463200
# - The new ZSK is published 268 hours ago (964800 seconds).
created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -964800
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -964800
published=$(key_get KEY3 PUBLISHED)
-set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}"
+set_addkeytime "KEY3" "ACTIVE" "${published}" "${IpubZSK}"
set_retired_removed "KEY3" "${Lzsk}" "${IretZSK}"
# Continue signing policy checks.
@@ -2655,26 +2672,26 @@ set_zone "step1.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "2" "7200"
set_server "ns3" "10.53.0.3"
# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "${Lksk}"
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "${Lksk}"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "${Lzsk}"
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "${Lzsk}"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
# Both KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# Initially only two keys.
@@ -2704,18 +2721,18 @@ set_zone "step2.ksk-doubleksk.autosign"
set_policy "ksk-doubleksk" "3" "7200"
set_server "ns3" "10.53.0.3"
# New KSK (KEY3) is prepublished (and signs DNSKEY RRset).
-key_clear "KEY3"
-set_keyrole "KEY3" "ksk"
-set_keylifetime "KEY3" "${Lksk}"
+key_clear "KEY3"
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "${Lksk}"
set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY3" "yes"
-set_zonesigning "KEY3" "no"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
# Key states.
-set_keystate "KEY1" "GOAL" "hidden"
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "hidden"
+set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY3" "STATE_DS" "hidden"
+set_keystate "KEY3" "STATE_DS" "hidden"
# Various signing policy checks.
check_keys
@@ -2726,7 +2743,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
rollover_predecessor_keytimes -5086800
# - The new KSK is published now.
created=$(key_get KEY3 CREATED)
-set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "PUBLISHED" "${created}"
# The new KSK should publish the CDS after the prepublication time.
# TTLkey: 2h
# DprpC: 1h
@@ -2734,7 +2751,7 @@ set_keytime "KEY3" "PUBLISHED" "${created}"
# IpubC: 27h (97200 seconds)
IpubC=97200
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${IpubC}"
-set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubC}"
+set_addkeytime "KEY3" "ACTIVE" "${created}" "${IpubC}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
# Continue signing policy checks.
@@ -2760,8 +2777,8 @@ set_server "ns3" "10.53.0.3"
set_keystate "KEY3" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY3" "STATE_KRRSIG" "omnipresent"
# The old DS (KEY1) can be withdrawn and the new DS (KEY3) can be introduced.
-set_keystate "KEY1" "STATE_DS" "unretentive"
-set_keystate "KEY3" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY3" "STATE_DS" "rumoured"
# Various signing policy checks.
check_keys
@@ -2774,9 +2791,9 @@ check_cdslog "$DIR" "$ZONE" KEY3
rollover_predecessor_keytimes -5184000
# - The new KSK is published 27 hours ago (97200 seconds).
created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -97200
# - The new KSK CDS is published now.
-set_keytime "KEY3" "SYNCPUBLISH" "${created}"
+set_keytime "KEY3" "SYNCPUBLISH" "${created}"
syncpub=$(key_get KEY3 SYNCPUBLISH)
set_keytime "KEY3" "ACTIVE" "${syncpub}"
set_retired_removed "KEY3" "${Lksk}" "${IretKSK}"
@@ -2789,7 +2806,7 @@ dnssec_verify
# We ignore any parent registration delay, so set the DS publish time to now.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
-rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
# Next key event is when the predecessor DS has been replaced with the
# successor DS and enough time has passed such that the all validators that
# have this DS RRset cached only know about the successor DS. This is the
@@ -2806,11 +2823,11 @@ set_policy "ksk-doubleksk" "3" "7200"
set_server "ns3" "10.53.0.3"
# KSK (KEY1) DNSKEY can be removed.
set_keysigning "KEY1" "no"
-set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
+set_keystate "KEY1" "STATE_DS" "hidden"
# New KSK (KEY3) DS is now OMNIPRESENT.
-set_keystate "KEY3" "STATE_DS" "omnipresent"
+set_keystate "KEY3" "STATE_DS" "omnipresent"
# Various signing policy checks.
check_keys
@@ -2821,7 +2838,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
rollover_predecessor_keytimes -5364000
# - The new KSK is published 77 hours ago (277200 seconds).
created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -277200
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -277200
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}"
syncpub=$(key_get KEY3 SYNCPUBLISH)
@@ -2858,7 +2875,7 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
rollover_predecessor_keytimes -5371200
# - The new KSK is published 79 hours ago (284400 seconds).
created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -284400
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -284400
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${IpubC}"
syncpub=$(key_get KEY3 SYNCPUBLISH)
@@ -2909,13 +2926,13 @@ IretZSK=2257200
IretCSK=$IretZSK
csk_rollover_predecessor_keytimes() {
- _addtime=$1
+ _addtime=$1
- _created=$(key_get KEY1 CREATED)
- set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
- set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
- set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
- [ "$Lcsk" = 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}"
+ _created=$(key_get KEY1 CREATED)
+ set_addkeytime "KEY1" "PUBLISHED" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "SYNCPUBLISH" "${_created}" "${_addtime}"
+ set_addkeytime "KEY1" "ACTIVE" "${_created}" "${_addtime}"
+ [ "$Lcsk" = 0 ] || set_retired_removed "KEY1" "${Lcsk}" "${IretCSK}"
}
#
@@ -2925,18 +2942,18 @@ set_zone "step1.csk-roll.autosign"
set_policy "csk-roll" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "${Lcsk}"
+key_clear "KEY1"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "${Lcsk}"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
# The CSK (KEY1) starts in OMNIPRESENT.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
# Initially only one key.
key_clear "KEY2"
key_clear "KEY3"
@@ -2965,19 +2982,19 @@ set_zone "step2.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
-key_clear "KEY2"
-set_keyrole "KEY2" "csk"
-set_keylifetime "KEY2" "16070400"
+key_clear "KEY2"
+set_keyrole "KEY2" "csk"
+set_keylifetime "KEY2" "16070400"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "yes"
-set_zonesigning "KEY2" "no"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "no"
# Key states.
-set_keystate "KEY1" "GOAL" "hidden"
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "hidden"
+set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
-set_keystate "KEY2" "STATE_DS" "hidden"
+set_keystate "KEY2" "STATE_DS" "hidden"
# Various signing policy checks.
check_keys
@@ -2988,12 +3005,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
csk_rollover_predecessor_keytimes -16059600
# - The new CSK is published now.
created=$(key_get KEY2 CREATED)
-set_keytime "KEY2" "PUBLISHED" "${created}"
+set_keytime "KEY2" "PUBLISHED" "${created}"
# - The new CSK should publish the CDS after the prepublication time.
# Ipub: 3 hour (10800 seconds)
Ipub="10800"
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
-set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
# Continue signing policy checks.
@@ -3014,8 +3031,8 @@ set_zone "step3.csk-roll.autosign"
set_policy "csk-roll" "2" "3600"
set_server "ns3" "10.53.0.3"
# Swap zone signing role.
-set_zonesigning "KEY1" "no"
-set_zonesigning "KEY2" "yes"
+set_zonesigning "KEY1" "no"
+set_zonesigning "KEY2" "yes"
# CSK (KEY1) will be removed, so moving to UNRETENTIVE.
set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
# New CSK (KEY2) DNSKEY is OMNIPRESENT, so moving ZRRSIG to RUMOURED.
@@ -3023,8 +3040,8 @@ set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
-set_keystate "KEY1" "STATE_DS" "unretentive"
-set_keystate "KEY2" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY2" "STATE_DS" "rumoured"
# Various signing policy checks.
check_keys
@@ -3037,10 +3054,10 @@ check_cdslog "$DIR" "$ZONE" KEY2
csk_rollover_predecessor_keytimes -16070400
# - The new CSK is published three hours ago, CDS must be published now.
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}"
-set_keytime "KEY2" "SYNCPUBLISH" "${created}"
+set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}"
+set_keytime "KEY2" "SYNCPUBLISH" "${created}"
# - Also signatures are being introduced now.
-set_keytime "KEY2" "ACTIVE" "${created}"
+set_keytime "KEY2" "ACTIVE" "${created}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
# Continue signing policy checks.
@@ -3049,17 +3066,17 @@ check_apex
# Subdomain still has good signatures of old CSK (KEY1).
# Set expected zone signing on for KEY1 and off for KEY2,
# testing whether signatures which are still valid are being reused.
-set_zonesigning "KEY1" "yes"
-set_zonesigning "KEY2" "no"
+set_zonesigning "KEY1" "yes"
+set_zonesigning "KEY2" "no"
check_subdomain
# Restore the expected zone signing properties.
-set_zonesigning "KEY1" "no"
-set_zonesigning "KEY2" "yes"
+set_zonesigning "KEY1" "no"
+set_zonesigning "KEY2" "yes"
dnssec_verify
# We ignore any parent registration delay, so set the DS publish time to now.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
-rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
# Next key event is when the predecessor DS has been replaced with the
# successor DS and enough time has passed such that the all validators that
# have this DS RRset cached only know about the successor DS. This is the
@@ -3079,9 +3096,9 @@ set_keysigning "KEY1" "no"
# The old CSK (KEY1) DS is hidden. We still need to keep the DNSKEY public
# but can remove the KRRSIG records.
set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DS" "hidden"
# The new CSK (KEY2) DS is now OMNIPRESENT.
-set_keystate "KEY2" "STATE_DS" "omnipresent"
+set_keystate "KEY2" "STATE_DS" "omnipresent"
# Various signing policy checks.
check_keys
@@ -3092,10 +3109,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
csk_rollover_predecessor_keytimes -16084800
# - The new CSK started signing 4h ago (14400 seconds).
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "ACTIVE" "${created}" -14400
+set_addkeytime "KEY2" "ACTIVE" "${created}" -14400
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -14400
syncpub=$(key_get KEY2 SYNCPUBLISH)
-set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
+set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
# Continue signing policy checks.
@@ -3127,10 +3144,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
csk_rollover_predecessor_keytimes -16092000
# - The new CSK started signing 6h ago (21600 seconds).
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "ACTIVE" "${created}" -21600
+set_addkeytime "KEY2" "ACTIVE" "${created}" -21600
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -21600
syncpub=$(key_get KEY2 SYNCPUBLISH)
-set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
+set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
# Continue signing policy checks.
@@ -3168,10 +3185,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
csk_rollover_predecessor_keytimes -18327600
# - The new CSK is activated 627 hours ago (2257200 seconds).
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200
+set_addkeytime "KEY2" "ACTIVE" "${created}" -2257200
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2257200
syncpub=$(key_get KEY2 SYNCPUBLISH)
-set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
+set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
# Continue signing policy checks.
@@ -3203,10 +3220,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
csk_rollover_predecessor_keytimes -18334800
# - The new CSK is activated 629 hours ago (2264400 seconds).
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400
+set_addkeytime "KEY2" "ACTIVE" "${created}" -2264400
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" -2264400
syncpub=$(key_get KEY2 SYNCPUBLISH)
-set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
+set_addkeytime "KEY2" "PUBLISHED" "${syncpub}" "-${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
# Continue signing policy checks.
@@ -3262,18 +3279,18 @@ set_zone "step1.csk-roll2.autosign"
set_policy "csk-roll2" "1" "3600"
set_server "ns3" "10.53.0.3"
# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "16070400"
+key_clear "KEY1"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "16070400"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
# The CSK (KEY1) starts in OMNIPRESENT.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
# Initially only one key.
key_clear "KEY2"
key_clear "KEY3"
@@ -3303,19 +3320,19 @@ set_zone "step2.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# New CSK (KEY2) is prepublished (signs DNSKEY RRset, but not yet other RRsets).
-key_clear "KEY2"
-set_keyrole "KEY2" "csk"
-set_keylifetime "KEY2" "16070400"
+key_clear "KEY2"
+set_keyrole "KEY2" "csk"
+set_keylifetime "KEY2" "16070400"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "yes"
-set_zonesigning "KEY2" "no"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "no"
# Key states.
-set_keystate "KEY1" "GOAL" "hidden"
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "hidden"
+set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "hidden"
-set_keystate "KEY2" "STATE_DS" "hidden"
+set_keystate "KEY2" "STATE_DS" "hidden"
# Various signing policy checks.
check_keys
@@ -3326,12 +3343,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
csk_rollover_predecessor_keytimes -16059600
# - The new CSK is published now.
created=$(key_get KEY2 CREATED)
-set_keytime "KEY2" "PUBLISHED" "${created}"
+set_keytime "KEY2" "PUBLISHED" "${created}"
# - The new CSK should publish the CDS after the prepublication time.
# - Ipub: 3 hour (10800 seconds)
Ipub="10800"
set_addkeytime "KEY2" "SYNCPUBLISH" "${created}" "${Ipub}"
-set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE" "${created}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
# Continue signing policy checks.
@@ -3351,16 +3368,16 @@ set_zone "step3.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# CSK (KEY1) can be removed, so move to UNRETENTIVE.
-set_zonesigning "KEY1" "no"
-set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
+set_zonesigning "KEY1" "no"
+set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
# New CSK (KEY2) DNSKEY is OMNIPRESENT, so move ZRRSIG to RUMOURED state.
-set_zonesigning "KEY2" "yes"
-set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
+set_zonesigning "KEY2" "yes"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
-set_keystate "KEY1" "STATE_DS" "unretentive"
-set_keystate "KEY2" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY2" "STATE_DS" "rumoured"
# Various signing policy checks.
check_keys
@@ -3373,10 +3390,10 @@ check_cdslog "$DIR" "$ZONE" KEY2
csk_rollover_predecessor_keytimes -16070400
# - The new CSK is published three hours ago, CDS must be published now.
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}"
-set_keytime "KEY2" "SYNCPUBLISH" "${created}"
+set_addkeytime "KEY2" "PUBLISHED" "${created}" "-${Ipub}"
+set_keytime "KEY2" "SYNCPUBLISH" "${created}"
# - Also signatures are being introduced now.
-set_keytime "KEY2" "ACTIVE" "${created}"
+set_keytime "KEY2" "ACTIVE" "${created}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
# Continue signing policy checks.
@@ -3385,12 +3402,12 @@ check_apex
# Subdomain still has good signatures of old CSK (KEY1).
# Set expected zone signing on for KEY1 and off for KEY2,
# testing whether signatures which are still valid are being reused.
-set_zonesigning "KEY1" "yes"
-set_zonesigning "KEY2" "no"
+set_zonesigning "KEY1" "yes"
+set_zonesigning "KEY2" "no"
check_subdomain
# Restore the expected zone signing properties.
-set_zonesigning "KEY1" "no"
-set_zonesigning "KEY2" "yes"
+set_zonesigning "KEY1" "no"
+set_zonesigning "KEY2" "yes"
dnssec_verify
# We ignore any parent registration delay, so set the DS publish time to now.
@@ -3406,8 +3423,8 @@ rndc_checkds "$SERVER" "$DIR" KEY2 "now" "published" "$ZONE"
# positives on slow platforms by subtracting the number of seconds which
# passed between key creation and invoking 'rndc dnssec -checkds'.
now="$(TZ=UTC date +%s)"
-time_passed=$((now-start_time))
-next_time=$((136800-time_passed))
+time_passed=$((now - start_time))
+next_time=$((136800 - time_passed))
check_next_key_event $next_time
#
@@ -3430,10 +3447,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
csk_rollover_predecessor_keytimes -16207200
# - The new CSK was published 41 hours (147600 seconds) ago.
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -147600
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
-set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
# Continue signing policy checks.
@@ -3458,12 +3475,12 @@ set_zone "step5.csk-roll2.autosign"
set_policy "csk-roll2" "2" "3600"
set_server "ns3" "10.53.0.3"
# The old CSK (KEY1) DNSKEY can be removed.
-set_keysigning "KEY1" "no"
-set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keysigning "KEY1" "no"
+set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
+set_keystate "KEY1" "STATE_DS" "hidden"
# The new CSK (KEY2) is now fully OMNIPRESENT.
-set_keystate "KEY2" "STATE_DS" "omnipresent"
+set_keystate "KEY2" "STATE_DS" "omnipresent"
# Various signing policy checks.
check_keys
@@ -3474,10 +3491,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
csk_rollover_predecessor_keytimes -16682400
# - The new CSK was published 173 hours (622800 seconds) ago.
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -622800
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -622800
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
-set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
# Continue signing policy checks.
@@ -3510,10 +3527,10 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
csk_rollover_predecessor_keytimes -16689600
# - The new CSK was published 175 hours (630000 seconds) ago.
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -630000
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -630000
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
-set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
+set_addkeytime "KEY2" "ACTIVE" "${published}" "${Ipub}"
set_retired_removed "KEY2" "${Lcsk}" "${IretCSK}"
# Continue signing policy checks.
@@ -3556,39 +3573,39 @@ Lzsk=31536000
IretKSK=180000
IretZSK=867600
# KSK (KEY1) is outgoing.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "${Lksk}"
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "${Lksk}"
set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
-set_keystate "KEY1" "GOAL" "hidden"
-set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
+set_keystate "KEY1" "GOAL" "hidden"
+set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "unretentive"
# KSK (KEY2) is incoming.
-key_clear "KEY2"
-set_keyrole "KEY2" "ksk"
-set_keylifetime "KEY2" "${Lksk}"
+key_clear "KEY2"
+set_keyrole "KEY2" "ksk"
+set_keylifetime "KEY2" "${Lksk}"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "yes"
-set_zonesigning "KEY2" "no"
-set_keystate "KEY2" "GOAL" "omnipresent"
-set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY2" "STATE_DS" "rumoured"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "no"
+set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY2" "STATE_KRRSIG" "omnipresent"
+set_keystate "KEY2" "STATE_DS" "rumoured"
# We will introduce the third KSK shortly.
-key_clear "KEY3"
+key_clear "KEY3"
# ZSK (KEY4).
-key_clear "KEY4"
-set_keyrole "KEY4" "zsk"
-set_keylifetime "KEY4" "${Lzsk}"
+key_clear "KEY4"
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "${Lzsk}"
set_keyalgorithm "KEY4" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY4" "no"
-set_zonesigning "KEY4" "yes"
-set_keystate "KEY4" "GOAL" "omnipresent"
-set_keystate "KEY4" "STATE_DNSKEY" "omnipresent"
-set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
+set_keysigning "KEY4" "no"
+set_zonesigning "KEY4" "yes"
+set_keystate "KEY4" "GOAL" "omnipresent"
+set_keystate "KEY4" "STATE_DNSKEY" "omnipresent"
+set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
# Run preliminary tests.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
@@ -3598,7 +3615,7 @@ dnssec_verify
# Roll over KEY2.
# Set expected key lifetime, which is DNSKEY TTL plus the zone propagation delay,
# plus the publish-safety: 7200s + 1h + 1d = 97200 seconds.
-set_keylifetime "KEY2" "97200"
+set_keylifetime "KEY2" "97200"
created=$(key_get KEY2 CREATED)
rndc_rollover "$SERVER" "$DIR" $(key_get KEY2 ID) "${created}" "$ZONE"
# Update expected number of keys and key states.
@@ -3606,15 +3623,15 @@ set_keystate "KEY2" "GOAL" "hidden"
set_policy "ksk-doubleksk" "4" "7200"
CDNSKEY="no"
# New KSK (KEY3) is introduced.
-set_keyrole "KEY3" "ksk"
-set_keylifetime "KEY3" "${Lksk}"
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "${Lksk}"
set_keyalgorithm "KEY3" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY3" "yes"
-set_zonesigning "KEY3" "no"
-set_keystate "KEY3" "GOAL" "omnipresent"
-set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
-set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY3" "STATE_DS" "hidden"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
+set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
+set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
+set_keystate "KEY3" "STATE_DS" "hidden"
# Run tests again. We now expect four keys (3x KSK, 1x ZSK).
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
@@ -3627,22 +3644,22 @@ set_zone "dynamic2inline.kasp"
set_policy "default" "1" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+key_clear "KEY1"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"
# The CSK is rumoured.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DS" "hidden"
# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
@@ -3665,29 +3682,29 @@ set_zone "step1.algorithm-roll.kasp"
set_policy "rsasha256" "2" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "0"
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "0"
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
key_clear "KEY3"
key_clear "KEY4"
# The KSK (KEY1) and ZSK (KEY2) start in OMNIPRESENT.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
@@ -3713,21 +3730,21 @@ set_zone "step1.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "1" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+key_clear "KEY1"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"
# The CSK (KEY1) starts in OMNIPRESENT.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
# Various signing policy checks.
check_keys
@@ -3770,31 +3787,31 @@ IretKSK=93600
IretZSK=867900
init_migration_insecure() {
- key_clear "KEY1"
- set_keyrole "KEY1" "ksk"
- set_keylifetime "KEY1" "${Lksk}"
- set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
- set_keysigning "KEY1" "yes"
- set_zonesigning "KEY1" "no"
-
- set_keystate "KEY1" "GOAL" "omnipresent"
- set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
- set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
- set_keystate "KEY1" "STATE_DS" "omnipresent"
-
- key_clear "KEY2"
- set_keyrole "KEY2" "zsk"
- set_keylifetime "KEY2" "${Lzsk}"
- set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
- set_keysigning "KEY2" "no"
- set_zonesigning "KEY2" "yes"
-
- set_keystate "KEY2" "GOAL" "omnipresent"
- set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
- set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
-
- key_clear "KEY3"
- key_clear "KEY4"
+ key_clear "KEY1"
+ set_keyrole "KEY1" "ksk"
+ set_keylifetime "KEY1" "${Lksk}"
+ set_keyalgorithm "KEY1" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+ set_keysigning "KEY1" "yes"
+ set_zonesigning "KEY1" "no"
+
+ set_keystate "KEY1" "GOAL" "omnipresent"
+ set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
+ set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
+ set_keystate "KEY1" "STATE_DS" "omnipresent"
+
+ key_clear "KEY2"
+ set_keyrole "KEY2" "zsk"
+ set_keylifetime "KEY2" "${Lzsk}"
+ set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
+ set_keysigning "KEY2" "no"
+ set_zonesigning "KEY2" "yes"
+
+ set_keystate "KEY2" "GOAL" "omnipresent"
+ set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
+ set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
+
+ key_clear "KEY3"
+ key_clear "KEY4"
}
init_migration_insecure
@@ -3837,17 +3854,17 @@ set_zone "step1.going-straight-to-none.kasp"
set_policy "default" "1" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
# This policy only has one key.
key_clear "KEY2"
key_clear "KEY3"
@@ -3858,8 +3875,8 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# The first key is immediately published and activated.
created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "PUBLISHED" "${created}"
-set_keytime "KEY1" "ACTIVE" "${created}"
+set_keytime "KEY1" "PUBLISHED" "${created}"
+set_keytime "KEY1" "ACTIVE" "${created}"
set_keytime "KEY1" "SYNCPUBLISH" "${created}"
# Key lifetime is unlimited, so not setting RETIRED and REMOVED.
check_keytimes
@@ -3876,45 +3893,45 @@ rndc_reconfig ns6 10.53.0.6
# Calculate time passed to correctly check for next key events.
now="$(TZ=UTC date +%s)"
-time_passed=$((now-start_time))
+time_passed=$((now - start_time))
echo_i "${time_passed} seconds passed between start of tests and reconfig"
# Wait until we have seen "zone_rekey done:" message for this key.
_wait_for_done_signing() {
- _zone=$1
-
- _ksk=$(key_get $2 KSK)
- _zsk=$(key_get $2 ZSK)
- if [ "$_ksk" = "yes" ]; then
- _role="KSK"
- _expect_type=EXPECT_KRRSIG
- elif [ "$_zsk" = "yes" ]; then
- _role="ZSK"
- _expect_type=EXPECT_ZRRSIG
- fi
-
- if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then
- _keyid=$(key_get $2 ID)
- _keyalg=$(key_get $2 ALG_STR)
- echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
- grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" > /dev/null || return 1
- fi
-
- return 0
+ _zone=$1
+
+ _ksk=$(key_get $2 KSK)
+ _zsk=$(key_get $2 ZSK)
+ if [ "$_ksk" = "yes" ]; then
+ _role="KSK"
+ _expect_type=EXPECT_KRRSIG
+ elif [ "$_zsk" = "yes" ]; then
+ _role="ZSK"
+ _expect_type=EXPECT_ZRRSIG
+ fi
+
+ if [ "$(key_get ${2} $_expect_type)" = "yes" ] && [ "$(key_get $2 $_role)" = "yes" ]; then
+ _keyid=$(key_get $2 ID)
+ _keyalg=$(key_get $2 ALG_STR)
+ echo_i "wait for zone ${_zone} is done signing with $2 ${_zone}/${_keyalg}/${_keyid}"
+ grep "zone_rekey done: key ${_keyid}/${_keyalg}" "${DIR}/named.run" >/dev/null || return 1
+ fi
+
+ return 0
}
wait_for_done_signing() {
- n=$((n+1))
- echo_i "wait for zone ${ZONE} is done signing ($n)"
- ret=0
+ n=$((n + 1))
+ echo_i "wait for zone ${ZONE} is done signing ($n)"
+ ret=0
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1
- retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY1 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY2 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY3 || ret=1
+ retry_quiet 30 _wait_for_done_signing ${ZONE} KEY4 || ret=1
- test "$ret" -eq 0 || echo_i "failed"
- status=$((status+ret))
+ test "$ret" -eq 0 || echo_i "failed"
+ status=$((status + ret))
}
# Test dynamic zones that switch to inline-signing.
@@ -3922,22 +3939,22 @@ set_zone "dynamic2inline.kasp"
set_policy "default" "1" "3600"
set_server "ns6" "10.53.0.6"
# Key properties.
-key_clear "KEY1"
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+key_clear "KEY1"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
key_clear "KEY2"
key_clear "KEY3"
key_clear "KEY4"
# The CSK is rumoured.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "rumoured"
set_keystate "KEY1" "STATE_KRRSIG" "rumoured"
set_keystate "KEY1" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DS" "hidden"
# Various signing policy checks.
check_keys
check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
@@ -3995,14 +4012,14 @@ set_server "ns6" "10.53.0.6"
# The DS is long enough removed from the zone to be considered HIDDEN.
# This means the DNSKEY and the KSK signatures can be removed.
-set_keystate "KEY1" "STATE_DS" "hidden"
-set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
-set_keysigning "KEY1" "no"
+set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
+set_keysigning "KEY1" "no"
-set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
-set_zonesigning "KEY2" "no"
+set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
+set_zonesigning "KEY2" "no"
# Various signing policy checks.
check_keys
@@ -4063,14 +4080,14 @@ set_server "ns6" "10.53.0.6"
# The DS is long enough removed from the zone to be considered HIDDEN.
# This means the DNSKEY and the KSK signatures can be removed.
-set_keystate "KEY1" "STATE_DS" "hidden"
-set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
-set_keysigning "KEY1" "no"
+set_keystate "KEY1" "STATE_DS" "hidden"
+set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
+set_keysigning "KEY1" "no"
-set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
-set_zonesigning "KEY2" "no"
+set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
+set_zonesigning "KEY2" "no"
# Various signing policy checks.
check_keys
@@ -4093,17 +4110,17 @@ set_server "ns6" "10.53.0.6"
# The zone will go bogus after signatures expire, but remains validly signed for now.
# Key properties.
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
# DNSKEY, RRSIG (ksk), RRSIG (zsk) are published. DS needs to wait.
-set_keystate "KEY1" "GOAL" "omnipresent"
+set_keystate "KEY1" "GOAL" "omnipresent"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
# This policy only has one key.
key_clear "KEY2"
key_clear "KEY3"
@@ -4131,47 +4148,47 @@ set_zone "step1.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# Old RSASHA1 keys.
-key_clear "KEY1"
-set_keyrole "KEY1" "ksk"
-set_keylifetime "KEY1" "0"
+key_clear "KEY1"
+set_keyrole "KEY1" "ksk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "no"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "no"
-key_clear "KEY2"
-set_keyrole "KEY2" "zsk"
-set_keylifetime "KEY2" "0"
+key_clear "KEY2"
+set_keyrole "KEY2" "zsk"
+set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "8" "RSASHA256" "2048"
-set_keysigning "KEY2" "no"
-set_zonesigning "KEY2" "yes"
+set_keysigning "KEY2" "no"
+set_zonesigning "KEY2" "yes"
# New ECDSAP256SHA256 keys.
-key_clear "KEY3"
-set_keyrole "KEY3" "ksk"
-set_keylifetime "KEY3" "0"
+key_clear "KEY3"
+set_keyrole "KEY3" "ksk"
+set_keylifetime "KEY3" "0"
set_keyalgorithm "KEY3" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY3" "yes"
-set_zonesigning "KEY3" "no"
+set_keysigning "KEY3" "yes"
+set_zonesigning "KEY3" "no"
-key_clear "KEY4"
-set_keyrole "KEY4" "zsk"
-set_keylifetime "KEY4" "0"
+key_clear "KEY4"
+set_keyrole "KEY4" "zsk"
+set_keylifetime "KEY4" "0"
set_keyalgorithm "KEY4" "13" "ECDSAP256SHA256" "256"
-set_keysigning "KEY4" "no"
-set_zonesigning "KEY4" "yes"
+set_keysigning "KEY4" "no"
+set_zonesigning "KEY4" "yes"
# The RSAHSHA1 keys are outroducing.
-set_keystate "KEY1" "GOAL" "hidden"
+set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
-set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
+set_keystate "KEY2" "GOAL" "hidden"
set_keystate "KEY2" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# The ECDSAP256SHA256 keys are introducing.
-set_keystate "KEY3" "GOAL" "omnipresent"
+set_keystate "KEY3" "GOAL" "omnipresent"
set_keystate "KEY3" "STATE_DNSKEY" "rumoured"
set_keystate "KEY3" "STATE_KRRSIG" "rumoured"
-set_keystate "KEY3" "STATE_DS" "hidden"
-set_keystate "KEY4" "GOAL" "omnipresent"
+set_keystate "KEY3" "STATE_DS" "hidden"
+set_keystate "KEY4" "GOAL" "omnipresent"
set_keystate "KEY4" "STATE_DNSKEY" "rumoured"
set_keystate "KEY4" "STATE_ZRRSIG" "rumoured"
@@ -4185,9 +4202,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
rollover_predecessor_keytimes 0
# - KSK must be retired since it no longer matches the policy.
keyfile=$(key_get KEY1 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
-retired=$(awk '{print $3}' < retired.test${n}.ksk)
-set_keytime "KEY1" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
+retired=$(awk '{print $3}' <retired.test${n}.ksk)
+set_keytime "KEY1" "RETIRED" "${retired}"
# - The key is removed after the retire interval:
# IretKSK = TTLds + DprpP + retire-safety
# TTLds: 2h (7200 seconds)
@@ -4195,12 +4212,12 @@ set_keytime "KEY1" "RETIRED" "${retired}"
# retire-safety: 2h (7200 seconds)
# IretKSK: 5h (18000 seconds)
IretKSK=18000
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
keyfile=$(key_get KEY2 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.zsk
-retired=$(awk '{print $3}' < retired.test${n}.zsk)
-set_keytime "KEY2" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.zsk
+retired=$(awk '{print $3}' <retired.test${n}.zsk)
+set_keytime "KEY2" "RETIRED" "${retired}"
# - The key is removed after the retire interval:
# IretZSK = TTLsig + Dprp + Dsgn + retire-safety
# TTLsig: 6h (21600 seconds)
@@ -4209,11 +4226,11 @@ set_keytime "KEY2" "RETIRED" "${retired}"
# retire-safety: 2h (7200 seconds)
# IretZSK: 25d9h (2192400 seconds)
IretZSK=2192400
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new KSK is published and activated.
created=$(key_get KEY3 CREATED)
-set_keytime "KEY3" "PUBLISHED" "${created}"
-set_keytime "KEY3" "ACTIVE" "${created}"
+set_keytime "KEY3" "PUBLISHED" "${created}"
+set_keytime "KEY3" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
# TTLsig: 6h (39600 seconds)
# Dprp: 1h (3600 seconds)
@@ -4223,8 +4240,8 @@ Ipub=28800
set_addkeytime "KEY3" "SYNCPUBLISH" "${created}" "${Ipub}"
# - The new ZSK is published and activated.
created=$(key_get KEY4 CREATED)
-set_keytime "KEY4" "PUBLISHED" "${created}"
-set_keytime "KEY4" "ACTIVE" "${created}"
+set_keytime "KEY4" "PUBLISHED" "${created}"
+set_keytime "KEY4" "ACTIVE" "${created}"
# Continue signing policy checks.
check_keytimes
@@ -4263,22 +4280,22 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
rollover_predecessor_keytimes -10800
# - KSK must be retired since it no longer matches the policy.
created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "RETIRED" "${created}"
+set_keytime "KEY1" "RETIRED" "${created}"
set_addkeytime "KEY1" "REMOVED" "${created}" "${IretKSK}"
# - ZSK must be retired since it no longer matches the policy.
created=$(key_get KEY2 CREATED)
-set_keytime "KEY2" "RETIRED" "${created}"
+set_keytime "KEY2" "RETIRED" "${created}"
set_addkeytime "KEY2" "REMOVED" "${created}" "${IretZSK}"
# - The new keys are published 3 hours ago.
created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -10800
-set_addkeytime "KEY3" "ACTIVE" "${created}" -10800
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -10800
+set_addkeytime "KEY3" "ACTIVE" "${created}" -10800
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" "${Ipub}"
created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -10800
-set_addkeytime "KEY4" "ACTIVE" "${created}" -10800
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -10800
+set_addkeytime "KEY4" "ACTIVE" "${created}" -10800
# Continue signing policy checks.
check_keytimes
@@ -4293,7 +4310,7 @@ dnssec_verify
# should be scheduled in 6 hour: 21600 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((21600-time_passed))
+next_time=$((21600 - time_passed))
check_next_key_event $next_time
#
@@ -4305,8 +4322,8 @@ set_server "ns6" "10.53.0.6"
# The ECDSAP256SHA256 keys are introducing.
set_keystate "KEY4" "STATE_ZRRSIG" "omnipresent"
# The DS can be swapped.
-set_keystate "KEY1" "STATE_DS" "unretentive"
-set_keystate "KEY3" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY3" "STATE_DS" "rumoured"
# Various signing policy checks.
check_keys
@@ -4320,24 +4337,24 @@ check_cdslog "$DIR" "$ZONE" KEY3
rollover_predecessor_keytimes -32400
# - And retired 6 hours ago (21600 seconds).
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -21600
+set_addkeytime "KEY1" "RETIRED" "${created}" -21600
retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -21600
+set_addkeytime "KEY2" "RETIRED" "${created}" -21600
retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new keys are published 9 hours ago.
created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400
-set_addkeytime "KEY3" "ACTIVE" "${created}" -32400
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -32400
+set_addkeytime "KEY3" "ACTIVE" "${created}" -32400
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400
-set_addkeytime "KEY4" "ACTIVE" "${created}" -32400
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -32400
+set_addkeytime "KEY4" "ACTIVE" "${created}" -32400
# Continue signing policy checks.
check_keytimes
@@ -4348,7 +4365,7 @@ dnssec_verify
# Tell named we "saw" the parent swap the DS and see if the next key event is
# scheduled at the correct time.
rndc_checkds "$SERVER" "$DIR" KEY1 "now" "withdrawn" "$ZONE"
-rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
+rndc_checkds "$SERVER" "$DIR" KEY3 "now" "published" "$ZONE"
# Next key event is when the DS becomes OMNIPRESENT. This happens after the
# parent propagation delay, retire safety delay, and DS TTL:
# 1h + 2h + 2h = 5h = 18000 seconds.
@@ -4361,17 +4378,17 @@ set_zone "step4.algorithm-roll.kasp"
set_policy "ecdsa256" "4" "3600"
set_server "ns6" "10.53.0.6"
# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
-set_keysigning "KEY1" "no"
-set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_DS" "hidden"
-
-set_zonesigning "KEY2" "no"
-set_keystate "KEY2" "GOAL" "hidden"
-set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
+set_keysigning "KEY1" "no"
+set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
+set_keystate "KEY1" "STATE_DS" "hidden"
+
+set_zonesigning "KEY2" "no"
+set_keystate "KEY2" "GOAL" "hidden"
+set_keystate "KEY2" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY2" "STATE_ZRRSIG" "unretentive"
# The ECDSAP256SHA256 DS is now OMNIPRESENT.
-set_keystate "KEY3" "STATE_DS" "omnipresent"
+set_keystate "KEY3" "STATE_DS" "omnipresent"
# Various signing policy checks.
check_keys
@@ -4383,25 +4400,25 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
rollover_predecessor_keytimes -136800
# - And retired 35 hours ago (126000 seconds).
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -126000
+set_addkeytime "KEY1" "RETIRED" "${created}" -126000
retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -126000
+set_addkeytime "KEY2" "RETIRED" "${created}" -126000
retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# - The new keys are published 38 hours ago.
created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY3" "ACTIVE" "${created}" -136800
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY4" "ACTIVE" "${created}" -136800
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY4" "ACTIVE" "${created}" -136800
# Continue signing policy checks.
check_keytimes
@@ -4434,25 +4451,25 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
rollover_predecessor_keytimes -144000
# - And retired 37 hours ago (133200 seconds).
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -133200
+set_addkeytime "KEY1" "RETIRED" "${created}" -133200
retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -133200
+set_addkeytime "KEY2" "RETIRED" "${created}" -133200
retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# The new keys are published 40 hours ago.
created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000
-set_addkeytime "KEY3" "ACTIVE" "${created}" -144000
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -144000
+set_addkeytime "KEY3" "ACTIVE" "${created}" -144000
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000
-set_addkeytime "KEY4" "ACTIVE" "${created}" -144000
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -144000
+set_addkeytime "KEY4" "ACTIVE" "${created}" -144000
# Continue signing policy checks.
check_keytimes
@@ -4466,7 +4483,7 @@ dnssec_verify
# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((25200-time_passed))
+next_time=$((25200 - time_passed))
check_next_key_event $next_time
#
@@ -4488,25 +4505,25 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
rollover_predecessor_keytimes -169200
# - And retired 44 hours ago (158400 seconds).
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -158400
+set_addkeytime "KEY1" "RETIRED" "${created}" -158400
retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretKSK}"
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "RETIRED" "${created}" -158400
+set_addkeytime "KEY2" "RETIRED" "${created}" -158400
retired=$(key_get KEY2 RETIRED)
-set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
+set_addkeytime "KEY2" "REMOVED" "${retired}" "${IretZSK}"
# The new keys are published 47 hours ago.
created=$(key_get KEY3 CREATED)
-set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200
-set_addkeytime "KEY3" "ACTIVE" "${created}" -169200
+set_addkeytime "KEY3" "PUBLISHED" "${created}" -169200
+set_addkeytime "KEY3" "ACTIVE" "${created}" -169200
published=$(key_get KEY3 PUBLISHED)
set_addkeytime "KEY3" "SYNCPUBLISH" "${published}" ${Ipub}
created=$(key_get KEY4 CREATED)
-set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200
-set_addkeytime "KEY4" "ACTIVE" "${created}" -169200
+set_addkeytime "KEY4" "PUBLISHED" "${created}" -169200
+set_addkeytime "KEY4" "ACTIVE" "${created}" -169200
# Continue signing policy checks.
check_keytimes
@@ -4533,33 +4550,33 @@ set_zone "step1.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# Old RSASHA1 key.
-key_clear "KEY1"
-set_keyrole "KEY1" "csk"
-set_keylifetime "KEY1" "0"
+key_clear "KEY1"
+set_keyrole "KEY1" "csk"
+set_keylifetime "KEY1" "0"
set_keyalgorithm "KEY1" "8" "RSASHA256" "2048"
-set_keysigning "KEY1" "yes"
-set_zonesigning "KEY1" "yes"
+set_keysigning "KEY1" "yes"
+set_zonesigning "KEY1" "yes"
# New ECDSAP256SHA256 key.
-key_clear "KEY2"
-set_keyrole "KEY2" "csk"
-set_keylifetime "KEY2" "0"
+key_clear "KEY2"
+set_keyrole "KEY2" "csk"
+set_keylifetime "KEY2" "0"
set_keyalgorithm "KEY2" "$DEFAULT_ALGORITHM_NUMBER" "$DEFAULT_ALGORITHM" "$DEFAULT_BITS"
-set_keysigning "KEY2" "yes"
-set_zonesigning "KEY2" "yes"
+set_keysigning "KEY2" "yes"
+set_zonesigning "KEY2" "yes"
key_clear "KEY3"
key_clear "KEY4"
# The RSAHSHA1 key is outroducing.
-set_keystate "KEY1" "GOAL" "hidden"
+set_keystate "KEY1" "GOAL" "hidden"
set_keystate "KEY1" "STATE_DNSKEY" "omnipresent"
set_keystate "KEY1" "STATE_KRRSIG" "omnipresent"
set_keystate "KEY1" "STATE_ZRRSIG" "omnipresent"
-set_keystate "KEY1" "STATE_DS" "omnipresent"
+set_keystate "KEY1" "STATE_DS" "omnipresent"
# The ECDSAP256SHA256 key is introducing.
-set_keystate "KEY2" "GOAL" "omnipresent"
+set_keystate "KEY2" "GOAL" "omnipresent"
set_keystate "KEY2" "STATE_DNSKEY" "rumoured"
set_keystate "KEY2" "STATE_KRRSIG" "rumoured"
set_keystate "KEY2" "STATE_ZRRSIG" "rumoured"
-set_keystate "KEY2" "STATE_DS" "hidden"
+set_keystate "KEY2" "STATE_DS" "hidden"
# Various signing policy checks.
check_keys
@@ -4570,9 +4587,9 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
# - CSK must be retired since it no longer matches the policy.
csk_rollover_predecessor_keytimes 0
keyfile=$(key_get KEY1 BASEFILE)
-grep "; Inactive:" "${keyfile}.key" > retired.test${n}.ksk
-retired=$(awk '{print $3}' < retired.test${n}.ksk)
-set_keytime "KEY1" "RETIRED" "${retired}"
+grep "; Inactive:" "${keyfile}.key" >retired.test${n}.ksk
+retired=$(awk '{print $3}' <retired.test${n}.ksk)
+set_keytime "KEY1" "RETIRED" "${retired}"
# - The key is removed after the retire interval:
# IretZSK = TTLsig + Dprp + Dsgn + retire-safety
# TTLsig: 6h (21600 seconds)
@@ -4581,11 +4598,11 @@ set_keytime "KEY1" "RETIRED" "${retired}"
# retire-safety: 2h (7200 seconds)
# IretZSK: 25d9h (2192400 seconds)
IretCSK=2192400
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new CSK is published and activated.
created=$(key_get KEY2 CREATED)
-set_keytime "KEY2" "PUBLISHED" "${created}"
-set_keytime "KEY2" "ACTIVE" "${created}"
+set_keytime "KEY2" "PUBLISHED" "${created}"
+set_keytime "KEY2" "ACTIVE" "${created}"
# - It takes TTLsig + Dprp + publish-safety hours to propagate the zone.
# TTLsig: 6h (39600 seconds)
# Dprp: 1h (3600 seconds)
@@ -4630,12 +4647,12 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
csk_rollover_predecessor_keytimes -10800
# - CSK must be retired since it no longer matches the policy.
created=$(key_get KEY1 CREATED)
-set_keytime "KEY1" "RETIRED" "${created}"
+set_keytime "KEY1" "RETIRED" "${created}"
set_addkeytime "KEY1" "REMOVED" "${created}" "${IretCSK}"
# - The new key was published 3 hours ago.
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -10800
-set_addkeytime "KEY2" "ACTIVE" "${created}" -10800
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -10800
+set_addkeytime "KEY2" "ACTIVE" "${created}" -10800
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
@@ -4652,7 +4669,7 @@ dnssec_verify
# should be scheduled in 6 hour: 21600 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((21600-time_passed))
+next_time=$((21600 - time_passed))
check_next_key_event $next_time
#
@@ -4666,8 +4683,8 @@ set_server "ns6" "10.53.0.6"
# are now omnipresent, so the DS can be introduced.
set_keystate "KEY2" "STATE_ZRRSIG" "omnipresent"
# The old DS (KEY1) can be withdrawn and the new DS (KEY2) can be introduced.
-set_keystate "KEY1" "STATE_DS" "unretentive"
-set_keystate "KEY2" "STATE_DS" "rumoured"
+set_keystate "KEY1" "STATE_DS" "unretentive"
+set_keystate "KEY2" "STATE_DS" "rumoured"
# Various signing policy checks.
check_keys
@@ -4681,13 +4698,13 @@ check_cdslog "$DIR" "$ZONE" KEY2
csk_rollover_predecessor_keytimes -32400
# - And was retired 6 hours ago (21600 seconds).
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -21600
+set_addkeytime "KEY1" "RETIRED" "${created}" -21600
retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 9 hours ago.
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400
-set_addkeytime "KEY2" "ACTIVE" "${created}" -32400
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -32400
+set_addkeytime "KEY2" "ACTIVE" "${created}" -32400
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" "${Ipub}"
@@ -4712,14 +4729,14 @@ set_zone "step4.csk-algorithm-roll.kasp"
set_policy "csk-algoroll" "2" "3600"
set_server "ns6" "10.53.0.6"
# The old DS is HIDDEN, we can remove the old algorithm DNSKEY/RRSIG records.
-set_keysigning "KEY1" "no"
-set_zonesigning "KEY1" "no"
-set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
-set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
-set_keystate "KEY1" "STATE_DS" "hidden"
+set_keysigning "KEY1" "no"
+set_zonesigning "KEY1" "no"
+set_keystate "KEY1" "STATE_DNSKEY" "unretentive"
+set_keystate "KEY1" "STATE_KRRSIG" "unretentive"
+set_keystate "KEY1" "STATE_ZRRSIG" "unretentive"
+set_keystate "KEY1" "STATE_DS" "hidden"
# The ECDSAP256SHA256 DS is now OMNIPRESENT.
-set_keystate "KEY2" "STATE_DS" "omnipresent"
+set_keystate "KEY2" "STATE_DS" "omnipresent"
# Various signing policy checks.
check_keys
@@ -4731,13 +4748,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
csk_rollover_predecessor_keytimes -136800
# - And retired 35 hours ago (126000 seconds).
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -126000
+set_addkeytime "KEY1" "RETIRED" "${created}" -126000
retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 38 hours ago.
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
-set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -136800
+set_addkeytime "KEY2" "ACTIVE" "${created}" -136800
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
@@ -4771,13 +4788,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
csk_rollover_predecessor_keytimes -144000
# - And retired 37 hours ago (133200 seconds).
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -133200
+set_addkeytime "KEY1" "RETIRED" "${created}" -133200
retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 40 hours ago.
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000
-set_addkeytime "KEY2" "ACTIVE" "${created}" -144000
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -144000
+set_addkeytime "KEY2" "ACTIVE" "${created}" -144000
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
@@ -4793,7 +4810,7 @@ dnssec_verify
# been reached (2h): 9h - 2h = 7h = 25200 seconds. Prevent intermittent
# false positives on slow platforms by subtracting the number of seconds
# which passed between key creation and invoking 'rndc reconfig'.
-next_time=$((25200-time_passed))
+next_time=$((25200 - time_passed))
check_next_key_event $next_time
#
@@ -4815,13 +4832,13 @@ check_dnssecstatus "$SERVER" "$POLICY" "$ZONE"
csk_rollover_predecessor_keytimes -169200
# - And retired 44 hours ago (158400 seconds).
created=$(key_get KEY1 CREATED)
-set_addkeytime "KEY1" "RETIRED" "${created}" -158400
+set_addkeytime "KEY1" "RETIRED" "${created}" -158400
retired=$(key_get KEY1 RETIRED)
-set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
+set_addkeytime "KEY1" "REMOVED" "${retired}" "${IretCSK}"
# - The new key was published 47 hours ago.
created=$(key_get KEY2 CREATED)
-set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200
-set_addkeytime "KEY2" "ACTIVE" "${created}" -169200
+set_addkeytime "KEY2" "PUBLISHED" "${created}" -169200
+set_addkeytime "KEY2" "ACTIVE" "${created}" -169200
published=$(key_get KEY2 PUBLISHED)
set_addkeytime "KEY2" "SYNCPUBLISH" "${published}" ${Ipub}
@@ -4836,48 +4853,48 @@ dnssec_verify
check_next_key_event 3600
_check_soa_ttl() {
- dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa2 || return 1
- soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa1)
- soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa2)
- ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa1)
- ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa2)
- test ${soa1:-1000} -lt ${soa2:-0} || return 1
- test ${ttl1:-0} -eq $1 || return 1
- test ${ttl2:-0} -eq $2 || return 1
+ dig_with_opts @10.53.0.6 example SOA >dig.out.ns6.test$n.soa2 || return 1
+ soa1=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa1)
+ soa2=$(awk '$4 == "SOA" { print $7 }' dig.out.ns6.test$n.soa2)
+ ttl1=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa1)
+ ttl2=$(awk '$4 == "SOA" { print $2 }' dig.out.ns6.test$n.soa2)
+ test ${soa1:-1000} -lt ${soa2:-0} || return 1
+ test ${ttl1:-0} -eq $1 || return 1
+ test ${ttl2:-0} -eq $2 || return 1
}
-n=$((n+1))
+n=$((n + 1))
echo_i "Check that 'rndc reload' of just the serial updates the signed instance ($n)"
TSIG=
ret=0
-dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa1 || ret=1
+dig_with_opts @10.53.0.6 example SOA >dig.out.ns6.test$n.soa1 || ret=1
cp ns6/example2.db.in ns6/example.db || ret=1
-nextpart ns6/named.run > /dev/null
+nextpart ns6/named.run >/dev/null
rndccmd 10.53.0.6 reload || ret=1
wait_for_log 3 "all zones loaded" ns6/named.run
# Check that the SOA SERIAL increases and check the TTLs (should be 300 as
# defined in ns6/example2.db.in).
retry_quiet 10 _check_soa_ttl 300 300 || ret=1
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
-n=$((n+1))
+n=$((n + 1))
echo_i "Check that restart with zone changes and deleted journal works ($n)"
TSIG=
ret=0
-dig_with_opts @10.53.0.6 example SOA > dig.out.ns6.test$n.soa1 || ret=1
+dig_with_opts @10.53.0.6 example SOA >dig.out.ns6.test$n.soa1 || ret=1
stop_server --use-rndc --port ${CONTROLPORT} ns6
# TTL of all records change from 300 to 400
cp ns6/example3.db.in ns6/example.db || ret=1
rm ns6/example.db.jnl
-nextpart ns6/named.run > /dev/null
+nextpart ns6/named.run >/dev/null
start_server --noclean --restart --port ${PORT} ns6
wait_for_log 3 "all zones loaded" ns6/named.run
# Check that the SOA SERIAL increases and check the TTLs (should be changed
# from 300 to 400 as defined in ns6/example3.db.in).
retry_quiet 10 _check_soa_ttl 300 400 || ret=1
test "$ret" -eq 0 || echo_i "failed"
-status=$((status+ret))
+status=$((status + ret))
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1