Commit 1567524a authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Merge branch '1749-rndc-dnssec-rollover' into 'main'

Resolve "rndc trigger rollover"

Closes #1749

See merge request isc-projects/bind9!4004
parents b7c9a80d 78c09f56
5515. [func] Add 'rndc dnssec -rollover' command to trigger a
manual rollover for a specific key. [GL #1749]
5514. [bug] Fix KASP expected key size for Ed25519 and Ed448.
[GL #2171]
......
......@@ -14595,10 +14595,14 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
dns_kasp_t *kasp = NULL;
dns_dnsseckeylist_t keys;
dns_dnsseckey_t *key;
char *ptr;
char *ptr, *zonetext = NULL;
const char *msg = NULL;
/* variables for -checkds */
bool checkds = false, dspublish = false, use_keyid = false;
bool checkds = false, dspublish = false;
/* variables for -rollover */
bool rollover = false;
/* variables for -key */
bool use_keyid = false;
dns_keytag_t keyid = 0;
uint8_t algorithm = 0;
/* variables for -status */
......@@ -14629,9 +14633,15 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
if (strcasecmp(ptr, "-status") == 0) {
status = true;
} else if (strcasecmp(ptr, "-rollover") == 0) {
rollover = true;
} else if (strcasecmp(ptr, "-checkds") == 0) {
checkds = true;
} else {
CHECK(DNS_R_SYNTAX);
}
if (rollover || checkds) {
/* Check for options */
for (;;) {
ptr = next_token(lex, text);
......@@ -14678,7 +14688,7 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
} else if (ptr[0] == '-') {
msg = "Unknown option";
CHECK(DNS_R_SYNTAX);
} else {
} else if (checkds) {
/*
* No arguments provided, so we must be
* parsing "published|withdrawn".
......@@ -14688,20 +14698,29 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
} else if (strcasecmp(ptr, "withdrawn") != 0) {
CHECK(DNS_R_SYNTAX);
}
} else if (rollover) {
/*
* No arguments provided, so we must be
* parsing the zone.
*/
zonetext = ptr;
}
break;
}
if (rollover && !use_keyid) {
msg = "Key id is required when scheduling rollover";
CHECK(DNS_R_SYNTAX);
}
if (algorithm > 0 && !use_keyid) {
msg = "Key id is required when setting algorithm";
CHECK(DNS_R_SYNTAX);
}
} else {
CHECK(DNS_R_SYNTAX);
}
/* Get zone. */
CHECK(zone_from_args(server, lex, NULL, &zone, NULL, text, false));
CHECK(zone_from_args(server, lex, zonetext, &zone, NULL, text, false));
if (zone == NULL) {
msg = "Zone not found";
CHECK(ISC_R_UNEXPECTEDEND);
......@@ -14747,14 +14766,15 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
char whenbuf[80];
isc_time_set(&timewhen, when, 0);
isc_time_formattimestamp(&timewhen, whenbuf, sizeof(whenbuf));
isc_result_t ret;
LOCK(&kasp->lock);
if (use_keyid) {
result = dns_keymgr_checkds_id(kasp, &keys, dir, when,
dspublish, keyid,
result = dns_keymgr_checkds_id(kasp, &keys, dir, now,
when, dspublish, keyid,
(unsigned int)algorithm);
} else {
result = dns_keymgr_checkds(kasp, &keys, dir, when,
result = dns_keymgr_checkds(kasp, &keys, dir, now, when,
dspublish);
}
UNLOCK(&kasp->lock);
......@@ -14777,16 +14797,54 @@ named_server_dnssec(named_server_t *server, isc_lex_t *lex,
CHECK(putstr(text, "since "));
CHECK(putstr(text, whenbuf));
break;
case ISC_R_NOTFOUND:
CHECK(putstr(text, "No matching KSK found"));
break;
case ISC_R_FAILURE:
case DNS_R_TOOMANYKEYS:
CHECK(putstr(text,
"Error: multiple possible KSKs found, "
"Error: multiple possible keys found, "
"retry command with -key id"));
break;
default:
CHECK(putstr(text, "Error executing checkds command"));
ret = result;
CHECK(putstr(text,
"Error executing checkds command: "));
CHECK(putstr(text, isc_result_totext(ret)));
break;
}
} else if (rollover) {
/*
* Manually rollover a key.
*/
char whenbuf[80];
isc_time_set(&timewhen, when, 0);
isc_time_formattimestamp(&timewhen, whenbuf, sizeof(whenbuf));
isc_result_t ret;
LOCK(&kasp->lock);
result = dns_keymgr_rollover(kasp, &keys, dir, now, when, keyid,
(unsigned int)algorithm);
UNLOCK(&kasp->lock);
switch (result) {
case ISC_R_SUCCESS:
if (use_keyid) {
char tagbuf[6];
snprintf(tagbuf, sizeof(tagbuf), "%u", keyid);
CHECK(putstr(text, "Key "));
CHECK(putstr(text, tagbuf));
CHECK(putstr(text, ": "));
}
CHECK(putstr(text, "Rollover scheduled on "));
CHECK(putstr(text, whenbuf));
break;
case DNS_R_TOOMANYKEYS:
CHECK(putstr(text,
"Error: multiple possible keys found, "
"retry command with -alg algorithm"));
break;
default:
ret = result;
CHECK(putstr(text,
"Error executing rollover command: "));
CHECK(putstr(text, isc_result_totext(ret)));
break;
}
}
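Review bot: The rollover switch in the last hunk has no ISC_R_NOTFOUND case, although the checkds switch in the same change gains one (`No matching KSK found`); if dns_keymgr_rollover reports an unmatched key id the same way dns_keymgr_checkds_id apparently does, the operator only gets the generic `Error executing rollover command: ` text followed by the result string. Mirroring the checkds branch with `case ISC_R_NOTFOUND: CHECK(putstr(text, "No matching key found")); break;` ahead of `case DNS_R_TOOMANYKEYS:` would keep the two commands consistent. The `ret = result;` copy in both default branches looks deliberate — presumably CHECK() assigns to result, so the first putstr would clobber the code being reported — and deserves a one-line comment such as `/* CHECK() overwrites result; keep the keymgr result for the message. */`. The `if (use_keyid)` guard around the tag output is always true at this point, because the option parser already rejects -rollover without -key, so it could be dropped or annotated. named_server_dnssec begins and ends outside these hunks.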
......
......@@ -111,12 +111,15 @@ command is one of the following:\n\
Add zone to given view. Requires allow-new-zones option.\n\
delzone [-clean] zone [class [view]]\n\
Removes zone from given view.\n\
dnssec -checkds [-key id [-alg algorithm] [-when time] (published|withdrawn) zone [class [view]]\n\
dnssec -checkds [-key id [-alg algorithm]] [-when time] (published|withdrawn) zone [class [view]]\n\
Mark the DS record for the KSK of the given zone as seen\n\
in the parent. If the zone has multiple KSKs, select a\n\
specific key by providing the keytag with -key id and\n\
optionally the key's algorithm with -alg algorithm.\n\
Requires the zone to have a dnssec-policy.\n\
dnssec -rollover -key id [-alg algorithm] [-when time] zone [class [view]]\n\
Rollover key with id of the given zone. Requires the zone\n\
to have a dnssec-policy.\n\
dnssec -status zone [class [view]]\n\
Show the DNSSEC signing state for the specified zone.\n\
Requires the zone to have a dnssec-policy.\n\
......
......@@ -161,13 +161,19 @@ Currently supported commands are:
See also ``rndc addzone`` and ``rndc modzone``.
``dnssec`` ( **-status** | **-checkds** [**-key** *id* [**-alg** *algorithm*]] [**-when** *time*] ( *published* | *withdrawn* )) *zone* [*class* [*view*]]
``dnssec`` ( **-status** |
**-rollover** **-key** id [**-alg** *algorithm*] [**-when** *time*] |
**-checkds** [**-key** *id* [**-alg** *algorithm*]] [**-when** *time*] ( *published* | *withdrawn* )
) *zone* [*class* [*view*]]
This command allows you to interact with the "dnssec-policy" of a given
zone.
``rndc dnssec -status`` show the DNSSEC signing state for the specified
zone.
``rndc dnssec -rollover`` allows you to schedule key rollover for a
specific key (overriding the original key lifetime).
``rndc dnssec -checkds`` will let ``named`` know that the DS for the given
key has been seen published into or withdrawn from the parent. This is
required in order to complete a KSK rollover. If the ``-key id`` argument
......
......@@ -16,6 +16,7 @@ rm -f ./K*.private ./K*.key ./K*.state ./K*.cmp
rm -rf ./keys/
rm -f dig.out* rrsig.out.* keyevent.out.*
rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
rm -f ns*/policies/*.conf
rm -f ns*/*.jnl ns*/*.jbk
rm -f ns*/K*.private ns*/K*.key ns*/K*.state
rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
......
......@@ -73,6 +73,13 @@ zone "unlimited.kasp" {
dnssec-policy "unlimited";
};
/* Manual rollover. */
zone "manual-rollover.kasp" {
type primary;
file "manual-rollover.kasp.db";
dnssec-policy "manual-rollover";
};
/* A master zone with dnssec-policy, no keys created. */
zone "rsasha1.kasp" {
type primary;
......
......@@ -18,8 +18,8 @@ dnssec-policy "autosign" {
dnskey-ttl 300;
keys {
ksk key-directory lifetime P2Y algorithm 13;
zsk key-directory lifetime P1Y algorithm 13;
ksk key-directory lifetime P2Y algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
};
};
......@@ -39,7 +39,7 @@ dnssec-policy "enable-dnssec" {
parent-ds-ttl 2h;
keys {
csk lifetime unlimited algorithm 13;
csk lifetime unlimited algorithm @DEFAULT_ALGORITHM_NUMBER@;
};
};
......@@ -54,8 +54,8 @@ dnssec-policy "zsk-prepub" {
retire-safety P2D;
keys {
ksk key-directory lifetime P2Y algorithm 13;
zsk key-directory lifetime P30D algorithm 13;
ksk key-directory lifetime P2Y algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime P30D algorithm @DEFAULT_ALGORITHM@;
};
zone-propagation-delay PT1H;
......@@ -73,8 +73,8 @@ dnssec-policy "ksk-doubleksk" {
retire-safety P2D;
keys {
ksk key-directory lifetime P60D algorithm 13;
zsk key-directory lifetime P1Y algorithm 13;
ksk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime P1Y algorithm @DEFAULT_ALGORITHM@;
};
zone-propagation-delay PT1H;
......@@ -95,7 +95,7 @@ dnssec-policy "csk-roll" {
retire-safety 2h;
keys {
csk key-directory lifetime P6M algorithm 13;
csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
};
zone-propagation-delay 1h;
......@@ -116,7 +116,7 @@ dnssec-policy "csk-roll2" {
retire-safety 1h;
keys {
csk key-directory lifetime P6M algorithm 13;
csk key-directory lifetime P6M algorithm @DEFAULT_ALGORITHM@;
};
zone-propagation-delay PT1H;
......
......@@ -13,7 +13,16 @@ dnssec-policy "unlimited" {
dnskey-ttl 1234;
keys {
csk key-directory lifetime unlimited algorithm 13;
csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
dnssec-policy "manual-rollover" {
dnskey-ttl 3600;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
......@@ -81,8 +90,8 @@ dnssec-policy "checkds-ksk" {
dnskey-ttl 303;
keys {
ksk key-directory lifetime unlimited algorithm 13;
zsk key-directory lifetime unlimited algorithm 13;
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
......@@ -90,9 +99,9 @@ dnssec-policy "checkds-doubleksk" {
dnskey-ttl 303;
keys {
ksk key-directory lifetime unlimited algorithm 13;
ksk key-directory lifetime unlimited algorithm 13;
zsk key-directory lifetime unlimited algorithm 13;
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
......@@ -100,6 +109,6 @@ dnssec-policy "checkds-csk" {
dnskey-ttl 303;
keys {
csk key-directory lifetime unlimited algorithm 13;
csk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
};
......@@ -15,7 +15,7 @@ dnssec-policy "csk-algoroll" {
signatures-validity-dnskey 30d;
keys {
csk lifetime unlimited algorithm 13;
csk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
};
dnskey-ttl 1h;
......
......@@ -51,8 +51,8 @@ dnssec-policy "migrate" {
dnskey-ttl 7200;
keys {
ksk key-directory lifetime unlimited algorithm ECDSAP256SHA256;
zsk key-directory lifetime P60D algorithm ECDSAP256SHA256;
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime P60D algorithm @DEFAULT_ALGORITHM@;
};
};
......
......@@ -43,11 +43,11 @@ setup migrate.kasp
echo "$zone" >> zones
ksktimes="-P now -A now -P sync now"
zsktimes="-P now -A now"
KSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
KSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a $DEFAULT_ALGORITHM -L 7200 $zsktimes $zone 2> keygen.out.$zone.2)
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 13 "$KSK" >> "$infile"
private_type_record $zone 13 "$ZSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Set up a zone with auto-dnssec maintain to migrate to dnssec-policy, but this
......@@ -120,10 +120,10 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I now"
zsk1times="-P ${TactN} -A ${TactN} -I now"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
......@@ -134,8 +134,8 @@ echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone 13 "$KSK2" >> "$infile"
private_type_record $zone 13 "$ZSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Step 3:
......@@ -150,10 +150,10 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $O $TactN "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.3 2>&1
......@@ -164,8 +164,8 @@ echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone 13 "$KSK2" >> "$infile"
private_type_record $zone 13 "$ZSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Step 4:
......@@ -181,10 +181,10 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $O $TactN -r $O $TactN -d $U $TactN1 -D ds $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $O $TactN -z $O $TactN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $R $TactN1 -P ds $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
......@@ -195,8 +195,8 @@ echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone 13 "$KSK2" >> "$infile"
private_type_record $zone 13 "$ZSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Step 5:
......@@ -213,10 +213,10 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $U $TremN -r $U $TremN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $U $TremN -z $U $TremN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
......@@ -227,8 +227,8 @@ echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone 13 "$KSK2" >> "$infile"
private_type_record $zone 13 "$ZSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Step 6:
......@@ -246,10 +246,10 @@ ksk1times="-P ${TactN} -A ${TactN} -P sync ${TactN} -I ${TretN}"
zsk1times="-P ${TactN} -A ${TactN} -I ${TretN}"
ksk2times="-P ${TpubN1} -A ${TpubN1} -P sync ${TsbmN1}"
zsk2times="-P ${TpubN1} -A ${TpubN1}"
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
KSK1=$($KEYGEN -a RSASHA1 -L 3600 -f KSK $ksk1times $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -L 3600 $zsk1times $zone 2> keygen.out.$zone.2)
KSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 -f KSK $ksk2times $zone 2> keygen.out.$zone.3)
ZSK2=$($KEYGEN -a $DEFAULT_ALGORITHM -L 3600 $zsk2times $zone 2> keygen.out.$zone.4)
$SETTIME -s -g $H -k $H $TremN -r $U $TdeaN -d $H $TactN1 "$KSK1" > settime.out.$zone.1 2>&1
$SETTIME -s -g $H -k $H $TremN -z $U $TdeaN "$ZSK1" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TpubN1 -r $O $TpubN1 -d $O $TactN1 "$KSK2" > settime.out.$zone.3 2>&1
......@@ -260,8 +260,8 @@ echo "Lifetime: 0" >> "${ZSK1}.state"
cat template.db.in "${KSK1}.key" "${ZSK1}.key" "${KSK2}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 5 "$KSK1" >> "$infile"
private_type_record $zone 5 "$ZSK1" >> "$infile"
private_type_record $zone 13 "$KSK2" >> "$infile"
private_type_record $zone 13 "$ZSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$KSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
#
......@@ -297,7 +297,7 @@ $SETTIME -s -g $O -k $R $TpubN1 -r $R $TpubN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone 13 "$CSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Step 3:
......@@ -318,7 +318,7 @@ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $R $TpubN1 -d $H $TpubN1 "$CSK2
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone 13 "$CSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Step 4:
......@@ -340,7 +340,7 @@ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $R $TsubN1 -P ds
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone 13 "$CSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Step 5:
......@@ -363,7 +363,7 @@ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TremN "$CSK2
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone 13 "$CSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Step 6:
......@@ -387,5 +387,5 @@ $SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -z $O $TsubN1 -d $O $TactN1 "$CSK2
echo "Lifetime: 0" >> "${CSK1}.state"
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record $zone 5 "$CSK1" >> "$infile"
private_type_record $zone 13 "$CSK2" >> "$infile"
private_type_record $zone $DEFAULT_ALGORITHM_NUMBER "$CSK2" >> "$infile"
$SIGNER -S -x -z -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
......@@ -33,6 +33,13 @@ if $SHELL ../testcrypto.sh ed448; then
echo "yes" > ed448-supported.file
fi
copy_setports ns3/policies/autosign.conf.in ns3/policies/autosign.conf
copy_setports ns3/policies/kasp.conf.in ns3/policies/kasp.conf
copy_setports ns6/policies/csk1.conf.in ns6/policies/csk1.conf
copy_setports ns6/policies/csk2.conf.in ns6/policies/csk2.conf
copy_setports ns6/policies/kasp.conf.in ns6/policies/kasp.conf
# Setup zones
(
cd ns2
......
......@@ -1201,7 +1201,7 @@ check_cdslog() {
}
#
# rndc dnssec -checkds
# Utility to call after 'rndc dnssec -checkds|-rollover'.
#
_loadkeys_on() {
_server=$1
......@@ -1236,10 +1236,42 @@ rndc_checkds() {
_whencmd="-when ${_when}"
fi
echo_i "calling checkds ${_keycmd} ${_whencmd} ${_what} zone ${_zone} ($n)"
n=$((n+1))
echo_i "calling rndc dnssec -checkds ${_keycmd} ${_whencmd} ${_what} zone ${_zone} ($n)"
ret=0
rndccmd $_server dnssec -checkds $_keycmd $_whencmd $_what $_zone in $_view > rndc.dnssec.checkds.out.$_zone.$n || log_error "rndc dnssec -checkds (${_keycmd} ${_whencmd} ${_what} zone ${_zone} failed"
_loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
}
# Tell named to schedule a key rollover.
rndc_rollover() {
_server=$1
_dir=$2
_keyid=$3
_when=$4
_zone=$5
_view=$6
_whencmd=""
if [ "${_when}" != "now" ]; then
_whencmd="-when ${_when}"
fi
n=$((n+1))
echo_i "calling rndc dnssec -rollover key ${_keyid} ${_whencmd} zone ${_zone} ($n)"
ret=0
rndccmd $_server dnssec -rollover -key $_keyid $_whencmd $_zone in $_view > rndc.dnssec.rollover.out.$_zone.$n || log_error "rndc dnssec -rollover (key ${_keyid} when ${_when}) zone ${_zone} failed"
_loadkeys_on $_server $_dir $_zone || log_error "loadkeys zone ${_zone} failed ($n)"
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
}
#
......@@ -2655,6 +2687,137 @@ status=$((status+ret))
# Clear TSIG.