#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.

# Pull in the shared system-test configuration. The helpers used below
# (echo_i, keyfile_to_key_id) and the tool variables ($KEYGEN, $SETTIME,
# $SIGNER) are not defined in this file; presumably they come from conf.sh.
# NOTE(review): "-e" lives only in the shebang (#!/bin/sh -e); it is lost if
# this script is run as "sh setup.sh" — confirm how the test runner invokes
# it, or add an explicit "set -e" here so a failed keygen/settime/signzone
# step does not leave a half-built zone behind.
# shellcheck source=conf.sh
. ../../conf.sh

echo_i "ns3/setup.sh"

# Select the zone to work on and record it.
# Sets the globals the rest of this script relies on:
#   zone     - the zone name ($1)
#   zonefile - "<zone>.db", the file the signer writes
#   infile   - "<zone>.db.infile", the unsigned input handed to the signer
# Logs the zone via echo_i and appends its name to the "zones" list file.
setup() {
	zone=$1
	zonefile=${zone}.db
	infile=${zone}.db.infile
	echo_i "setting up zone: $zone"
	echo "$zone" >> zones
}

# Print one TYPE65534 (private type) record for a key, in generic (\#) RDATA
# syntax:
#   <zone>. 0 IN TYPE65534 \# 5 <algorithm><keyid>0000
# Arguments: $1 zone name, $2 algorithm number, $3 key file name (passed to
#            keyfile_to_key_id to recover the numeric key id).
# Output:    the record line on stdout.
private_type_record() {
	_id=$(keyfile_to_key_id "$3")
	# 5 bytes of RDATA: one byte algorithm, two bytes key id, two zero bytes.
	printf '%s. 0 IN TYPE65534 %s 5 %02x%04x0000\n' "$1" '\#' "$2" "$_id"
}

# Link two keys as a rollover pair by appending to their .state files.
# Arguments: $1 the predecessor key file, $2 the successor key file.
# Writes "Successor: <id of $2>" to "$1.state" and
# "Predecessor: <id of $1>" to "$2.state"; ids come from keyfile_to_key_id.
key_successor() {
	# Forward link on the predecessor, then the back link on the successor.
	echo "Successor: $(keyfile_to_key_id "$2")" >> "$1.state"
	echo "Predecessor: $(keyfile_to_key_id "$1")" >> "$2.state"
}

# Short names for the key-state values handed to $SETTIME (-g/-k/-z/-r/-d
# further down); they exist only to keep those long lines readable.
H=HIDDEN
R=RUMOURED
O=OMNIPRESENT
U=UNRETENTIVE

#
# Set up zones that will be initially signed.
#
# Every zone in this list starts from the unsigned template; setup() fills
# in $zonefile for each one.
kasp_zones="default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated
	rumoured rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384
	dynamic dynamic-inline-signing inline-signing
	inherit unlimited"
for zn in $kasp_zones
do
	setup "${zn}.kasp"
	cp template.db.in "$zonefile"
done

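# Set up zone that stays unsigned.
# Done by hand rather than through setup(), presumably so that this zone is
# not appended to the "zones" list file.
zone="unsigned.kasp"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zone}.db.infile"
# Quoted for consistency with the template copy in the loop above.
cp template.db.in "$zonefile"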

# Some of these zones already have keys.
# The key files are created up front with $KEYGEN; the output of every
# invocation is kept in keygen.out.<zone>.<n> for debugging.
zone="dnssec-keygen.kasp"
# -k/-l: take the key parameters from the named policy in policies/kasp.conf.
$KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1

zone="some-keys.kasp"
# -G: generate the key files only, without scheduling publication/activation.
$KEYGEN -G -a RSASHA1 -b 2000 -L 1234 $zone > keygen.out.$zone.1 2>&1
$KEYGEN -G -a RSASHA1 -f KSK  -L 1234 $zone > keygen.out.$zone.2 2>&1

# NOTE(review): the zone set up in the loop above is "legacy-keys.kasp", but
# these keys are generated for "legacy.kasp" — confirm which name is intended,
# since key files named for a different zone will not be picked up by it.
zone="legacy.kasp"
$KEYGEN -a RSASHA1 -b 2000 -L 1234 $zone > keygen.out.$zone.1 2>&1
$KEYGEN -a RSASHA1 -f KSK  -L 1234 $zone > keygen.out.$zone.2 2>&1

zone="pregenerated.kasp"
# Two keys from the same policy, generated but not scheduled (-G).
$KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
$KEYGEN -G -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.2 2>&1

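# Zone whose keys are pre-generated with all states RUMOURED: published now,
# active in one day.
zone="rumoured.kasp"
Tpub="now"
Tact="now+1d"
keytimes="-P ${Tpub} -A ${Tact}"
KSK=$($KEYGEN  -a RSASHA1 -f KSK  -L 1234 $keytimes $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a RSASHA1 -b 2000 -L 1234 $keytimes $zone 2> keygen.out.$zone.2)
ZSK2=$($KEYGEN -a RSASHA1         -L 1234 $keytimes $zone 2> keygen.out.$zone.3)
# Goal (-g) OMNIPRESENT; the -k/-r/-z/-d states (presumably DNSKEY, KRRSIG,
# ZRRSIG and DS — see dnssec-settime) are RUMOURED as of Tpub, except the
# KSK's DS which is still HIDDEN.
$SETTIME -s -g $O -k $R $Tpub -r $R $Tpub -d $H $Tpub  "$KSK"  > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub              "$ZSK1" > settime.out.$zone.2 2>&1
# Each settime run gets its own log file; this one used to overwrite
# settime.out.<zone>.2 and so discarded the ZSK1 output above.
$SETTIME -s -g $O -k $R $Tpub -z $R $Tpub              "$ZSK2" > settime.out.$zone.3 2>&1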

#
# Set up zones that are already signed.
#
# Each zone below is pre-signed with $SIGNER from an input file ($infile)
# built out of the template, the public key files and one private-type
# record per key. All keys are ECDSAP256SHA256 (algorithm 13, hence the 13
# passed to private_type_record), dated six months back (T) with every
# state already OMNIPRESENT, so the zones differ only in their signatures.

# These signatures are set to expire long in the past, update immediately.
setup expired-sigs.autosign
T="now-6mo"
# "-P sync" is presumably the CDS/CDNSKEY sync-publication date of the KSK.
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
KSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T          "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 13 "$KSK" >> "$infile"
private_type_record $zone 13 "$ZSK" >> "$infile"
# Signature validity window (-s/-e) lies entirely in the past: already expired.
$SIGNER -PS -x -s now-2mo -e now-1mo -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# These signatures are still good, and can be reused.
# Same keys and states as expired-sigs.autosign; only the signature window
# differs.
setup fresh-sigs.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
KSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T          "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 13 "$KSK" >> "$infile"
private_type_record $zone 13 "$ZSK" >> "$infile"
# Valid since an hour ago and for two more weeks.
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# These signatures are still good, but not fresh enough, update immediately.
# Same keys and states as fresh-sigs.autosign; only the signature window
# differs.
setup unfresh-sigs.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
KSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T          "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 13 "$KSK" >> "$infile"
private_type_record $zone 13 "$ZSK" >> "$infile"
# Valid since a week ago, but only for one more week.
$SIGNER -S -x -s now-1w -e now+1w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# These signatures are already expired, and the private ZSK is missing.
setup zsk-missing.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
zsktimes="-P $T -A $T"
KSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T          "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 13 "$KSK" >> "$infile"
private_type_record $zone 13 "$ZSK" >> "$infile"
# Signature window ended a minute ago: expired.
$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Remove the ZSK's private key after signing, so the zone cannot simply be
# re-signed with it.
rm -f "${ZSK}".private

# These signatures are already expired, and the private ZSK is retired.
setup zsk-retired.autosign
T="now-6mo"
ksktimes="-P $T -A $T -P sync $T"
# -I now: the ZSK becomes inactive (retired) as of now.
zsktimes="-P $T -A $T -I now"
KSK=$($KEYGEN -a ECDSAP256SHA256 -L 300 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 300        $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -d $O $T -k $O $T -r $O $T "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $T -z $O $T          "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 13 "$KSK" >> "$infile"
private_type_record $zone 13 "$ZSK" >> "$infile"
# Signature window ended a minute ago: expired.
$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# Once signed, flip the retired ZSK's goal state to HIDDEN.
$SETTIME -s -g HIDDEN "$ZSK" > settime.out.$zone.3 2>&1

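#
# The zones at enable-dnssec.autosign represent the various steps of the
# initial signing of a zone.
#

# Step 1:
# This is an unsigned zone and named should perform the initial steps of
# introducing the DNSSEC records in the right order.
setup step1.enable-dnssec.autosign
# No keys yet: the zone is just the unsigned template. Quoted like the other
# template copies in this file.
cp template.db.in "$zonefile"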

# Step 2:
# The DNSKEY has been published long enough to become OMNIPRESENT.
setup step2.enable-dnssec.autosign
# The CSK is back-dated by the sum of these intervals so that, from named's
# point of view, its DNSKEY has just finished propagating.
# DNSKEY TTL:             300 seconds
# zone-propagation-delay: 5 minutes (300 seconds)
# publish-safety:         5 minutes (300 seconds)
# Total:                  900 seconds
TpubN="now-900s"
# RRSIG TTL:              12 hour (43200 seconds)
# zone-propagation-delay: 5 minutes (300 seconds)
# retire-safety:          20 minutes (1200 seconds)
# Already passed time:    -900 seconds
# Total:                  43800 seconds
TsbmN="now+43800s"
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
# Single CSK taken from the enable-dnssec policy in policies/autosign.conf.
CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
# All -k/-r/-z states RUMOURED since Tpub(N); the DS is still HIDDEN.
$SETTIME -s -g $O -k $R $TpubN -r $R $TpubN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone 13 "$CSK" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

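# Step 3:
# The zone signatures have been published long enough to become OMNIPRESENT.
setup step3.enable-dnssec.autosign
# Passed time since publications: 43800 + 900 = 44700 seconds.
TpubN="now-44700s"
# The key is secure for using in chain of trust when the DNSKEY is OMNIPRESENT.
TcotN="now-43800s"
# We can submit the DS now.
TsbmN="now"
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
# DNSKEY and KRRSIG OMNIPRESENT since Tcot(N); ZRRSIG still RUMOURED and the
# DS still HIDDEN as of Tpub(N).
$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $H $TpubN -z $R $TpubN "$CSK" > settime.out.$zone.1 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone 13 "$CSK" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# A stray second "setup step3.enable-dnssec.autosign" used to follow the
# signer here; it only re-logged the zone and appended a duplicate entry to
# the "zones" list file, so it has been dropped.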

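# Step 4:
# The DS has been submitted long enough ago to become OMNIPRESENT.
setup step4.enable-dnssec.autosign
# DS TTL:                    1 day (86400 seconds)
# parent-registration-delay: 1 day (86400 seconds)
# parent-propagation-delay:  1 hour (3600 seconds)
# retire-safety:             20 minutes (1200 seconds)
# Total additional time:     98400 seconds
# NOTE(review): the four items listed sum to 177600 seconds, not 98400 —
# confirm which delays actually feed into the 98400 figure used below.
# 44700 + 98400 = 143100
TpubN="now-143100s"
# 43800 + 98400 = 142200
TcotN="now-142200s"
TsbmN="now-98400s"
keytimes="-P ${TpubN} -P sync ${TsbmN} -A ${TpubN}"
CSK=$($KEYGEN -k enable-dnssec -l policies/autosign.conf $keytimes $zone 2> keygen.out.$zone.1)
# DNSKEY/KRRSIG OMNIPRESENT since Tcot(N), ZRRSIG OMNIPRESENT and the DS
# RUMOURED since Tsbm(N).
$SETTIME -s -g $O -k $O $TcotN -r $O $TcotN -d $R $TsbmN -z $O $TsbmN "$CSK" > settime.out.$zone.1 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record $zone 13 "$CSK" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1
# A stray "setup step3.enable-dnssec.autosign" used to follow the signer
# here; it re-pointed $zone/$zonefile/$infile at step3 and appended a
# duplicate entry to the "zones" list file, so it has been dropped.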

#
# The zones at zsk-prepub.autosign represent the various steps of a ZSK
# Pre-Publication rollover.
#
# Every step uses ECDSAP256SHA256 keys with a 3600s TTL (-L) and a KSK that
# is OMNIPRESENT throughout; the steps differ in the ZSK timing and states.

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.zsk-prepub.autosign
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600        $zsktimes $zone 2> keygen.out.$zone.2)
# Both keys fully OMNIPRESENT as of Tact(N).
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN              "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 13 "$KSK" >> "$infile"
private_type_record $zone 13 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 2:
# It is time to pre-publish the successor ZSK.
setup step2.zsk-prepub.autosign
# According to RFC 7583:
#
# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
# Ipub = Dprp + TTLkey (+publish-safety)
#
#                 |3|   |4|      |5|  |6|
#                  |     |        |    |
#   Key N          |<-------Lzsk------>|
#                  |     |        |    |
#   Key N+1        |     |<-Ipub->|<-->|
#                  |     |        |    |
#   Key N         Tact
#   Key N+1             Tpub     Trdy Tact
#
#                       Tnow
#
# Lzsk:           30d
# Dprp:           1h
# TTLkey:         1h
# publish-safety: 1d
# Ipub:           26h
#
# Tact(N) = Tnow + Ipub - Lzsk = now + 26h - 30d
#         = now + 26h - 720h = now - 694h
TactN="now-694h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
# Only key N exists on disk; named is expected to create the successor.
KSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 3600        $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN              "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 13 "$KSK" >> "$infile"
private_type_record $zone 13 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 3:
# After the publication interval has passed the DNSKEY of the successor ZSK
# is OMNIPRESENT and the zone can thus be signed with the successor ZSK.
setup step3.zsk-prepub.autosign
# According to RFC 7583:
#
# Tpub(N+1) <= Tact(N) + Lzsk - Ipub
# Tret(N) = Tact(N+1) = Tact(N) + Lzsk
# Trem(N) = Tret(N) + Iret
# Iret = Dsgn + Dprp + TTLsig (+retire-safety)
#
#                 |3|   |4|      |5|  |6|      |7|   |8|
#                  |     |        |    |        |     |
#   Key N          |<-------Lzsk------>|<-Iret->|<--->|
#                  |     |        |    |        |     |
#   Key N+1        |     |<-Ipub->|<-->|<---Lzsk---- - -
#                  |     |        |    |        |     |
#   Key N         Tact                Tret     Tdea  Trem
#   Key N+1             Tpub     Trdy Tact
#
#                                     Tnow
#
# Lzsk:          30d
# Ipub:          26h
# Dsgn:          1w
# Dprp:          1h
# TTLsig:        1d
# retire-safety: 2d
# Iret:          10d1h = 241h
#
# Tact(N)   = Tnow - Lzsk = now - 30d
# Tret(N)   = now
# Trem(N)   = Tnow + Iret = now + 241h
# Tpub(N+1) = Tnow - Ipub = now - 26h
# Tret(N+1) = Tnow + Lzsk = now + 30d
# Trem(N+1) = Tnow + Lzsk + Iret = now + 30d + 241h
#           = now + 961h
TactN="now-30d"
TretN="now"
TremN="now+241h"
TpubN1="now-26h"
TactN1="now"
TretN1="now+30d"
TremN1="now+961h"
# Key N (ZSK1) carries its retire (-I) and delete (-D) dates; key N+1 (ZSK2)
# has the full schedule.
ksktimes="-P ${TactN}  -A ${TactN}  -P sync ${TactN}"
zsktimes="-P ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
KSK=$($KEYGEN  -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600        $zsktimes $zone 2> keygen.out.$zone.2)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600        $newtimes $zone 2> keygen.out.$zone.3)
$SETTIME -s -g $O -k $O $TactN  -r $O $TactN  -d $O $TactN "$KSK"  > settime.out.$zone.1 2>&1
# ZSK1: goal HIDDEN (being retired), DNSKEY and ZRRSIG still OMNIPRESENT.
$SETTIME -s -g $H -k $O $TactN  -z $O $TactN               "$ZSK1" > settime.out.$zone.2 2>&1
# ZSK2: goal OMNIPRESENT, DNSKEY RUMOURED since Tpub(N+1), not signing yet.
$SETTIME -s -g $O -k $R $TpubN1 -z $H $TpubN1              "$ZSK2" > settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $ZSK1 $ZSK2
# Sign zone.
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 13 "$KSK"  >> "$infile"
private_type_record $zone 13 "$ZSK1" >> "$infile"
private_type_record $zone 13 "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 4:
# After the retire interval has passed the predecessor DNSKEY can be
# removed from the zone.
setup step4.zsk-prepub.autosign
# According to RFC 7583:
#
# Tret(N) = Tact(N) + Lzsk
# Tdea(N) = Tret(N) + Iret
#
#                 |3|   |4|      |5|  |6|      |7|   |8|
#                  |     |        |    |        |     |
#   Key N          |<-------Lzsk------>|<-Iret->|<--->|
#                  |     |        |    |        |     |
#   Key N+1        |     |<-Ipub->|<-->|<---Lzsk---- - -
#                  |     |        |    |        |     |
#   Key N         Tact                Tret     Tdea  Trem
#   Key N+1             Tpub     Trdy Tact
#
#                                                    Tnow
#
# Lzsk: 30d
# Ipub: 26h
# Iret: 241h
#
# Tact(N)   = Tnow - Iret - Lzsk
#           = now - 241h - 30d = now - 241h - 720h
#           = now - 961h
# Tret(N)   = Tnow - Iret = now - 241h
# Trem(N)   = Tnow
# Tpub(N+1) = Tnow - Iret - Ipub
#           = now - 241h - 26h
#           = now - 267h
# Tact(N+1) = Tnow - Iret = Tret(N)
# Tret(N+1) = Tnow - Iret + Lzsk
#           = now - 241h + 30d = now - 241h + 720h
#           = now + 479h
# Trem(N+1) = Tnow + Lzsk = now + 30d
TactN="now-961h"
TretN="now-241h"
TremN="now"
TpubN1="now-267h"
TactN1="${TretN}"
TretN1="now+479h"
TremN1="now+30d"
ksktimes="-P ${TactN}  -A ${TactN}  -P sync ${TactN}"
zsktimes="-P ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
KSK=$($KEYGEN  -a ECDSAP256SHA256 -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a ECDSAP256SHA256 -L 3600        $zsktimes $zone 2> keygen.out.$zone.2)
ZSK2=$($KEYGEN -a ECDSAP256SHA256 -L 3600        $newtimes $zone 2> keygen.out.$zone.3)
$SETTIME -s -g $O -k $O $TactN  -r $O $TactN -d $O $TactN "$KSK"  > settime.out.$zone.1 2>&1
# ZSK1: goal HIDDEN, DNSKEY still OMNIPRESENT, ZRRSIG UNRETENTIVE since Tret(N).
$SETTIME -s -g $H -k $O $TactN  -z $U $TretN              "$ZSK1" > settime.out.$zone.2 2>&1
# ZSK2: DNSKEY OMNIPRESENT, ZRRSIG RUMOURED since Tact(N+1).
$SETTIME -s -g $O -k $O $TactN1 -z $R $TactN1             "$ZSK2" > settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $ZSK1 $ZSK2
# Sign zone.
# NOTE(review): unlike the other steps, no private_type_record lines are
# appended to $infile here — confirm that is intentional.
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
# Signature window ended a minute ago: the zone needs re-signing.
$SIGNER -PS -x -s now-2w -e now-1mi -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 5:
# The predecessor DNSKEY is removed long enough that it has become HIDDEN.
setup step5.zsk-prepub.autosign
# Subtract DNSKEY TTL from all the times (1h).
# Tact(N)   = now - 961h - 1h = now - 962h
# Tret(N)   = now - 241h - 1h = now - 242h
# Tdea(N)   = now - 2d - 1h = now - 49h
# Trem(N)   = now - 1h
# Tpub(N+1) = now - 267h - 1h = now - 268h
# Tact(N+1) = Tret(N)
# Tret(N+1) = now + 479h - 1h = now + 478h
# Trem(N+1) = now + 30d - 1h = now + 719h
TactN="now-962h"
TretN="now-242h"
TremN="now-1h"
TdeaN="now-49h"
TpubN1="now-268h"
TactN1="${TretN}"
TretN1="now+478h"
TremN1="now+719h"
ksktimes="-P ${TactN}  -A ${TactN}  -P sync ${TactN}"
zsktimes="-P ${TactN}  -A ${TactN}  -I ${TretN}  -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -I ${TretN1} -D ${TremN1}"
KSK=$($KEYGEN  -a ECDSAP256SHA256  -L 3600 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK1=$($KEYGEN -a ECDSAP256SHA256  -L 3600        $zsktimes $zone 2> keygen.out.$zone.2)
ZSK2=$($KEYGEN -a ECDSAP256SHA256  -L 3600        $newtimes $zone 2> keygen.out.$zone.3)
$SETTIME -s -g $O -k $O $TactN  -r $O $TactN -d $O $TactN "$KSK"  > settime.out.$zone.1 2>&1
# ZSK1: DNSKEY UNRETENTIVE and ZRRSIG HIDDEN as of Tdea(N); goal HIDDEN.
$SETTIME -s -g $H -k $U $TdeaN  -z $H $TdeaN              "$ZSK1" > settime.out.$zone.2 2>&1
# ZSK2: DNSKEY OMNIPRESENT since Tact(N+1), ZRRSIG OMNIPRESENT since Tdea(N).
$SETTIME -s -g $O -k $O $TactN1 -z $O $TdeaN              "$ZSK2" > settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $ZSK1 $ZSK2
# Sign zone.
cat template.db.in "${KSK}.key" "${ZSK1}.key" "${ZSK2}.key" > "$infile"
private_type_record $zone 13 "$KSK"  >> "$infile"
private_type_record $zone 13 "$ZSK1" >> "$infile"
private_type_record $zone 13 "$ZSK2" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

#
# The zones at ksk-doubleksk.autosign represent the various steps of a KSK
# Double-KSK rollover.
#
# Every step uses ECDSAP256SHA256 keys with a 7200s TTL (-L) and a ZSK that
# is OMNIPRESENT throughout; the steps differ in the KSK timing and states.

# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.ksk-doubleksk.autosign
TactN="now"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
KSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200        $zsktimes $zone 2> keygen.out.$zone.2)
# Both keys fully OMNIPRESENT as of Tact(N).
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O              -k $O $TactN -z $O $TactN "$ZSK" > settime.out.$zone.2 2>&1
# NOTE(review): no private_type_record lines are appended to $infile in this
# step, unlike step 2 onwards — confirm that is intentional.
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 2:
# It is time to introduce the new KSK.
setup step2.ksk-doubleksk.autosign
# According to RFC 7583:
#
# Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
# IpubC = DprpC + TTLkey (+publish-safety)
#
#                       |1|       |2|   |3|      |4|
#                        |         |     |        |
#       Key N            |<-IpubC->|<--->|<-Dreg->|<-----Lksk--- - -
#                        |         |     |        |
#       Key N+1          |         |     |        |
#                        |         |     |        |
#       Key N           Tpub      Trdy  Tsbm     Tact
#       Key N+1
#
#               (continued ...)
#
#                   |5|       |6|   |7|      |8|      |9|    |10|
#                    |         |     |        |        |       |
#       Key N   - - --------------Lksk------->|<-Iret->|<----->|
#                    |         |     |        |        |       |
#       Key N+1      |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
#                    |         |     |        |        |       |
#       Key N                                Tret     Tdea    Trem
#       Key N+1     Tpub      Trdy  Tsbm     Tact
#
#                   Tnow
#
# Lksk:           60d
# Dreg:           1d
# DprpC:          1h
# TTLkey:         2h
# publish-safety: 1d
# IpubC:          27h
#
# Tact(N) = Tnow - Lksk + Dreg + IpubC = now - 60d + 27h
#         = now - 1440h + 27h = now - 1413h
TactN="now-1413h"
ksktimes="-P ${TactN} -A ${TactN} -P sync ${TactN}"
zsktimes="-P ${TactN} -A ${TactN}"
# Only key N exists on disk; named is expected to create the successor KSK.
KSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
ZSK=$($KEYGEN -a ECDSAP256SHA256 -L 7200        $zsktimes $zone 2> keygen.out.$zone.2)
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN "$KSK" > settime.out.$zone.1 2>&1
$SETTIME -s -g $O -k $O $TactN -z $O $TactN              "$ZSK" > settime.out.$zone.2 2>&1
cat template.db.in "${KSK}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 13 "$KSK" >> "$infile"
private_type_record $zone 13 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 3:
# It is time to submit the DS.
setup step3.ksk-doubleksk.autosign
# According to RFC 7583:
#
# Tsbm(N+1) >= Trdy(N+1)
# Tact(N+1) = Tsbm(N+1) + Dreg
# Iret = DprpP + TTLds (+retire-safety)
#
#                   |5|       |6|   |7|      |8|      |9|    |10|
#                    |         |     |        |        |       |
#       Key N   - - --------------Lksk------->|<-Iret->|<----->|
#                    |         |     |        |        |       |
#       Key N+1      |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
#                    |         |     |        |        |       |
#       Key N                                Tret     Tdea    Trem
#       Key N+1     Tpub      Trdy  Tsbm     Tact
#
#                                   Tnow
#
# Lksk:           60d
# Dreg:           1d
# DprpP:          1h
# TTLds:          1h
# retire-safety:  2d
# Iret:           50h
# DprpC:          1h
# TTLkey:         2h
# publish-safety: 1d
# IpubC:          27h
#
# Tact(N)    = Tnow + Dreg - Lksk = now + 1d - 60d = now - 59d
# Tret(N)    = Tnow + Dreg = now + 1d
# Trem(N)    = Tnow + Dreg + Iret = now + 1d + 50h = now + 74h
# Tpub(N+1)  = Tnow - IpubC = now - 27h
# Tsbm(N+1)  = now
# Tact(N+1)  = Tret(N)
# Tret(N+1)  = Tnow + Dreg + Lksk = now + 1d + 60d = now + 61d
# Trem(N+1)  = Tnow + Dreg + Lksk + Iret = now + 61d + 50h
#            = now + 1464h + 50h = now + 1514h
TactN="now-59d"
TretN="now+1d"
TremN="now+74h"
TpubN1="now-27h"
TsbmN1="now"
TactN1="${TretN}"
TretN1="now+61d"
TremN1="now+1514h"
# Key N (KSK1) carries its retire (-I) and delete (-D) dates; key N+1 (KSK2)
# has the full schedule including the DS submission time (-P sync).
ksktimes="-P ${TactN}  -A ${TactN}  -P sync ${TactN}  -I ${TretN}  -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TactN1} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
zsktimes="-P ${TactN}  -A ${TactN}"
KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
ZSK=$($KEYGEN  -a ECDSAP256SHA256 -L 7200        $zsktimes $zone 2> keygen.out.$zone.3)
# KSK1: goal HIDDEN (being retired), all states still OMNIPRESENT.
$SETTIME -s -g $H -k $O $TactN   -r $O $TactN  -d $O $TactN  "$KSK1" > settime.out.$zone.1 2>&1
# KSK2: goal OMNIPRESENT, DNSKEY/KRRSIG RUMOURED since Tpub(N+1), DS HIDDEN.
$SETTIME -s -g $O -k $R $TpubN1  -r $R $TpubN1 -d $H $TpubN1 "$KSK2" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TactN   -z $O $TactN                "$ZSK"  > settime.out.$zone.3 2>&1
# Set key rollover relationship.
key_successor $KSK1 $KSK2
# Sign zone.
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 13 "$KSK1" >> "$infile"
private_type_record $zone 13 "$KSK2" >> "$infile"
private_type_record $zone 13 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

# Step 4:
# The DS should be swapped now.
setup step4.ksk-doubleksk.autosign
598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628
# According to RFC 7583:
#
# Tret(N)   = Tsbm(N+1) + Dreg
# Tdea(N)   = Tret(N) + Iret
# Tact(N+1) = Tret(N)
#
#                   |5|       |6|   |7|      |8|      |9|    |10|
#                    |         |     |        |        |       |
#       Key N   - - --------------Lksk------->|<-Iret->|<----->|
#                    |         |     |        |        |       |
#       Key N+1      |<-IpubC->|<--->|<-Dreg->|<--------Lksk----- - -
#                    |         |     |        |        |       |
#       Key N                                Tret     Tdea    Trem
#       Key N+1     Tpub      Trdy  Tsbm     Tact
#
#                                                             Tnow
#
# Lksk: 60d
# Dreg: 1d
# Iret: 50h
#
# Tact(N)   = Tnow - Lksk - Iret = now - 60d - 50h
#           = now - 1440h - 50h = now - 1490h
# Tret(N)   = Tnow - Iret = now - 50h
# Trem(N)   = Tnow
# Tpub(N+1) = Tnow - Iret - Dreg - IpubC = now - 50h - 1d - 27h
#           = now - 101h
# Tsbm(N+1) = Tnow - Iret - Dreg = now - 50h - 1d = now - 74h
# Tact(N+1) = Tret(N)
# Tret(N+1) = Tnow + Lksk - Iret = now + 60d - 50h = now + 1390h
# Trem(N+1) = Tnow + Lksk = now + 60d
Matthijs Mekking's avatar
Matthijs Mekking committed
629 630
TactN="now-1490h"
TretN="now-50h"
631
TremN="now"
Matthijs Mekking's avatar
Matthijs Mekking committed
632 633 634 635
TpubN1="now-101h"
TsbmN1="now-74h"
TactN1="${TretN}"
TretN1="now+1390h"
636 637 638
TremN1="now+60d"
ksktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN}  -I ${TretN}  -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
639 640 641 642 643
zsktimes="-P ${TactN}  -A ${TactN}"
KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes $zone 2> keygen.out.$zone.1)
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes $zone 2> keygen.out.$zone.2)
ZSK=$($KEYGEN  -a ECDSAP256SHA256 -L 7200        $zsktimes $zone 2> keygen.out.$zone.3)
$SETTIME -s -g $H -k $O $TactN  -r $O $TactN  -d $U $TsbmN1 "$KSK1" > settime.out.$zone.1 2>&1
644 645
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 "$KSK2" > settime.out.$zone.2 2>&1
$SETTIME -s -g $O -k $O $TactN  -z $O $TactN                "$ZSK"  > settime.out.$zone.3 2>&1
646 647 648
# Set key rollover relationship.
key_successor $KSK1 $KSK2
# Sign zone.
Matthijs Mekking's avatar
Matthijs Mekking committed
649
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
private_type_record $zone 13 "$KSK1" >> "$infile"
private_type_record $zone 13 "$KSK2" >> "$infile"
private_type_record $zone 13 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o $zone -O full -f $zonefile $infile > signer.out.$zone.1 2>&1

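# Step 5:
# The predecessor DNSKEY is removed long enough that it has become HIDDEN.
setup step5.ksk-doubleksk.autosign
# Subtract DNSKEY TTL from all the times (2h).
# Tact(N)   = now - 1490h - 2h = now - 1492h
# Tret(N)   = now - 50h - 2h = now - 52h
# Trem(N)   = now - 2h
# Tpub(N+1) = now - 101h - 2h = now - 103h
# Tsbm(N+1) = now - 74h - 2h = now - 76h
# Tact(N+1) = Tret(N)
# Tret(N+1) = now + 1390h - 2h = now + 1388h
# Trem(N+1) = now + 60d - 2h = now + 1438h
TactN="now-1492h"
TretN="now-52h"
TremN="now-2h"
TpubN1="now-103h"
TsbmN1="now-76h"
TactN1="${TretN}"
TretN1="now+1388h"
TremN1="now+1438h"
# Timing options for dnssec-keygen. These strings are deliberately expanded
# unquoted below so that they word-split into separate options.
ksktimes="-P ${TactN}  -A ${TactN} -P sync ${TactN}  -I ${TretN}  -D ${TremN}"
newtimes="-P ${TpubN1} -A ${TretN} -P sync ${TsbmN1} -I ${TretN1} -D ${TremN1}"
zsktimes="-P ${TactN}  -A ${TactN}"
KSK1=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $ksktimes "$zone" 2> "keygen.out.$zone.1")
KSK2=$($KEYGEN -a ECDSAP256SHA256 -L 7200 -f KSK $newtimes "$zone" 2> "keygen.out.$zone.2")
ZSK=$($KEYGEN  -a ECDSAP256SHA256 -L 7200        $zsktimes "$zone" 2> "keygen.out.$zone.3")
# Key states (-g goal, -k DNSKEY, -r KRRSIG, -d DS, -z ZRRSIG): the old KSK
# is on its way out (DNSKEY/KRRSIG unretentive, DS hidden), the new KSK is
# fully omnipresent.
$SETTIME -s -g $H -k $U $TretN  -r $U $TretN  -d $H $TretN  "$KSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TactN1 -r $O $TactN1 -d $O $TactN1 "$KSK2" > "settime.out.$zone.2" 2>&1
$SETTIME -s -g $O -k $O $TactN  -z $O $TactN                "$ZSK"  > "settime.out.$zone.3" 2>&1
# Set key rollover relationship.
key_successor "$KSK1" "$KSK2"
# Sign zone.
cat template.db.in "${KSK1}.key" "${KSK2}.key" "${ZSK}.key" > "$infile"
private_type_record "$zone" 13 "$KSK1" >> "$infile"
private_type_record "$zone" 13 "$KSK2" >> "$infile"
private_type_record "$zone" 13 "$ZSK" >> "$infile"
$SIGNER -S -x -s now-1h -e now+2w -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1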
Matthijs Mekking's avatar
Matthijs Mekking committed
692 693 694 695 696

#
# The zones at csk-roll.autosign represent the various steps of a CSK rollover
# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
#
#
# The activation time for zone signing (ZSK) is different from the one for
# chain of trust validation (KSK). Therefore, for zone signing we use TactZ
# and TretZ instead of Tact and Tret.
#

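# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.csk-roll.autosign
TactN="now"
# Timing options for dnssec-keygen; deliberately expanded unquoted below so
# that they word-split into separate options.
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
# All key states (-g goal, -k DNSKEY, -r KRRSIG, -d DS, -z ZRRSIG) are
# OMNIPRESENT from the activation time.
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > "settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record "$zone" 13 "$CSK" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1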

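# Step 2:
# It is time to introduce the new CSK.
setup step2.csk-roll.autosign
# According to RFC 7583:
# KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
# ZSK: Tpub(N+1) <= TactZ(N) + Lzsk - Ipub
# IpubC = DprpC + TTLkey (+publish-safety)
# Ipub  = IpubC
# Lcsk = Lksk = Lzsk
#
# Lcsk:           6mo (186d, 4464h)
# Dreg:           1d
# DprpC:          1h
# TTLkey:         1h
# publish-safety: 1h
# Ipub:           3h
#
# Tact(N)  = Tnow - Lcsk + Ipub + Dreg = now - 186d + 3h + 1d
#          = now - 4464h + 3h + 24h = now - 4437h
# TactZ(N) = Tnow - Lcsk + IpubC = now - 186d + 3h
#          = now - 4464h + 3h = now - 4461h
TactN="now-4437h"
TactZN="now-4461h"
# Timing options for dnssec-keygen; deliberately expanded unquoted below so
# that they word-split into separate options.
csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN}"
CSK=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
# Key states (-g goal, -k DNSKEY, -r KRRSIG, -d DS, -z ZRRSIG): everything
# is OMNIPRESENT; the DS uses the KSK activation time, the rest TactZ.
$SETTIME -s -g $O -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK" > "settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record "$zone" 13 "$CSK" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1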

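# Step 3:
# It is time to submit the DS and to roll signatures.
setup step3.csk-roll.autosign
# According to RFC 7583:
#
# Tsbm(N+1) >= Trdy(N+1)
# KSK: Tact(N+1)  = Tsbm(N+1) + Dreg
# ZSK: TactZ(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
# KSK: Iret  = DprpP + TTLds (+retire-safety)
# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
#
# Lcsk:           186d
# Dprp:           1h
# DprpP:          1h
# Dreg:           1d
# Dsgn:           25d
# TTLds:          1h
# TTLsig:         1d
# retire-safety:  2h
# Iret:           4h
# IretZ:          26d3h
# Ipub:           3h
#
# TactZ(N)   = Tnow - Lcsk = now - 186d
# TretZ(N)   = now
# Tact(N)    = Tnow + Dreg - Lcsk = now + 1d - 186d = now - 185d
# Tret(N)    = Tnow + Dreg = now + 1d
# Trem(N)    = Tnow + IretZ = now + 26d3h = now + 627h
# Tpub(N+1)  = Tnow - Ipub = now - 3h
# Tsbm(N+1)  = TretZ(N)
# TactZ(N+1) = TretZ(N)
# TretZ(N+1) = Tnow + Lcsk = now + 186d
# Tact(N+1)  = Tret(N)
# Tret(N+1)  = Tnow + Dreg + Lcsk = now + 1d + 186d = now + 187d
# Trem(N+1)  = Tnow + Lcsk + IretZ = now + 186d + 26d3h
#            = now + 5091h
TactZN="now-186d"
TretZN="now"
TactN="now-185d"
TretN="now+1d"
TremN="now+627h"
TpubN1="now-3h"
TsbmN1="now"
TactZN1="${TsbmN1}"
TretZN1="now+186d"
TactN1="${TretN}"
TretN1="now+187d"
TremN1="now+5091h"
# Timing options for dnssec-keygen. These strings are deliberately expanded
# unquoted below so that they word-split into separate options.
csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes "$zone" 2> "keygen.out.$zone.2")
# Key states (-g goal, -k DNSKEY, -r KRRSIG, -d DS, -z ZRRSIG): the old CSK
# is still fully omnipresent but its goal is HIDDEN; the new CSK has just
# been published (DNSKEY/KRRSIG rumoured, DS/ZRRSIG still hidden).
$SETTIME -s -g $H -k $O $TactZN  -r $O $TactZN -d $O $TactN  -z $O $TactZN "$CSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $R $TpubN1  -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > "settime.out.$zone.2" 2>&1
# Set key rollover relationship.
key_successor "$CSK1" "$CSK2"
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 13 "$CSK1" >> "$infile"
private_type_record "$zone" 13 "$CSK2" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1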

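# Step 4:
# Some time later all the ZRRSIG records should be from the new CSK, and the
# DS should be swapped.  The ZRRSIG records are all replaced after IretZ
# (which is 26d3h).  The DS is swapped after Dreg + Iret (which is 1d4h).
# In other words, the DS is swapped before all zone signatures are replaced.
setup step4.csk-roll.autosign
# According to RFC 7583:
# Trem(N)    = TretZ(N) + IretZ
# Tnow       = Tsbm(N+1) + Dreg + Iret
#
# Lcsk:   186d
# Iret:   4h
# IretZ:  26d3h
#
# TactZ(N)   = Tnow - Iret - Dreg - Lcsk = now - 4h - 24h - 4464h
#            = now - 4492h
# TretZ(N)   = Tnow - Iret - Dreg = now - 4h - 1d = now - 28h
# Tact(N)    = Tnow - Iret - Lcsk = now - 4h - 186d = now - 4468h
# Tret(N)    = Tnow - Iret = now - 4h
# Trem(N)    = Tnow - Iret - Dreg + IretZ = now - 4h - 1d + 26d3h
#            = now + 24d23h = now + 599h
# Tpub(N+1)  = Tnow - Iret - Dreg - IpubC = now - 4h - 1d - 3h = now - 31h
# Tsbm(N+1)  = TretZ(N)
# TactZ(N+1) = TretZ(N)
# TretZ(N+1) = Tnow - Iret - Dreg + Lcsk = now - 4h - 1d + 186d
#            = now + 4436h
# Tact(N+1)  = Tret(N)
# Tret(N+1)  = Tnow - Iret + Lcsk = now + 6mo - 4h = now + 4460h
# Trem(N+1)  = Tnow - Iret - Dreg + Lcsk + IretZ = now - 4h - 1d + 186d + 26d3h
#            = now + 5063h
TactZN="now-4492h"
TretZN="now-28h"
TactN="now-4468h"
TretN="now-4h"
TremN="now+599h"
TpubN1="now-31h"
TsbmN1="${TretZN}"
TactZN1="${TretZN}"
TretZN1="now+4436h"
TactN1="${TretN}"
TretN1="now+4460h"
TremN1="now+5063h"
# Timing options for dnssec-keygen. These strings are deliberately expanded
# unquoted below so that they word-split into separate options.
csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes "$zone" 2> "keygen.out.$zone.2")
# Key states (-g goal, -k DNSKEY, -r KRRSIG, -d DS, -z ZRRSIG): DS and
# ZRRSIG are being withdrawn from the old CSK (unretentive) and introduced
# for the new one (rumoured), both as of the submission time.
$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $U $TsbmN1 "$CSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TsbmN1 "$CSK2" > "settime.out.$zone.2" 2>&1
# Set key rollover relationship.
key_successor "$CSK1" "$CSK2"
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 13 "$CSK1" >> "$infile"
private_type_record "$zone" 13 "$CSK2" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1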

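# Step 5:
# After the DS is swapped in step 4, also the KRRSIG records can be removed.
# At this time these have all become hidden.
setup step5.csk-roll.autosign
# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
# TactZ(N)   = now - 4492h - 2h = now - 4494h
# TretZ(N)   = now - 28h - 2h = now - 30h
# Tact(N)    = now - 4468h - 2h = now - 4470h
# Tret(N)    = now - 4h - 2h = now - 6h
# Trem(N)    = now + 599h - 2h = now + 597h
# Tpub(N+1)  = now - 31h - 2h = now - 33h
# Tsbm(N+1)  = TretZ(N)
# TactZ(N+1) = TretZ(N)
# TretZ(N+1) = now + 4436h - 2h = now + 4434h
# Tact(N+1)  = Tret(N)
# Tret(N+1)  = now + 4460h - 2h = now + 4458h
# Trem(N+1)  = now + 5063h - 2h = now + 5061h
TactZN="now-4494h"
TretZN="now-30h"
TactN="now-4470h"
TretN="now-6h"
TremN="now+597h"
TpubN1="now-33h"
TsbmN1="now-30h"
TactZN1="${TsbmN1}"
TretZN1="now+4434h"
TactN1="${TretN}"
TretN1="now+4458h"
TremN1="now+5061h"
# Timing options for dnssec-keygen. These strings are deliberately expanded
# unquoted below so that they word-split into separate options.
csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes "$zone" 2> "keygen.out.$zone.2")
# Key states (-g goal, -k DNSKEY, -r KRRSIG, -d DS, -z ZRRSIG): the DS swap
# completed 2h ago (old DS hidden, new DS omnipresent); the old KRRSIG is
# now unretentive and the ZRRSIG is still rolling.
$SETTIME -s -g $H -k $O $TactZN -r $U now-2h  -d $H now-2h -z $U $TactZN1 "$CSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O now-2h -z $R $TactZN1 "$CSK2" > "settime.out.$zone.2" 2>&1
# Set key rollover relationship.
key_successor "$CSK1" "$CSK2"
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 13 "$CSK1" >> "$infile"
private_type_record "$zone" 13 "$CSK2" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1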

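# Step 6:
# After the retire interval has passed the predecessor DNSKEY can be
# removed from the zone.
setup step6.csk-roll.autosign
# According to RFC 7583:
# Trem(N) = TretZ(N) + IretZ
# TretZ(N) = TactZ(N) + Lcsk
#
# Lcsk:   186d
# Iret:   4h
# IretZ:  26d3h
#
# TactZ(N)   = Tnow - IretZ - Lcsk = now - 627h - 186d
#            = now - 627h - 4464h = now - 5091h
# TretZ(N)   = Tnow - IretZ = now - 627h
# Tact(N)    = Tnow - IretZ - Lcsk + Dreg = now - 627h - 186d + 1d =
#              now - 627h - 4464h + 24h = now - 5067h
# Tret(N)    = Tnow - IretZ + Dreg = now - 627h + 24h
#            = now - 603h
# Trem(N)    = Tnow
# Tpub(N+1)  = Tnow - IretZ - Ipub = now - 627h - 3h = now - 630h
# Tsbm(N+1)  = TretZ(N)
# TactZ(N+1) = TretZ(N)
# TretZ(N+1) = Tnow - IretZ + Lcsk = now - 627h + 186d = now + 3837h
# Tact(N+1)  = Tret(N)
# Tret(N+1)  = Tnow - Iret + Lcsk = now - 4h + 186d = now + 4460h
# Trem(N+1)  = Tnow + Lcsk = now + 186d
#
# NOTE(review): Tret(N+1) is kept at now+4460h (the step 4 value) although
# Tact(N+1) = Tret(N) moved to now-603h here, so Tact(N+1) + Lcsk would be
# now+3861h — confirm this is the expected fixture value before changing it.
TactZN="now-5091h"
TretZN="now-627h"
TactN="now-5067h"
TretN="now-603h"
TremN="now"
TpubN1="now-630h"
TsbmN1="${TretZN}"
TactZN1="${TretZN}"
TretZN1="now+3837h"
TactN1="${TretN}"
TretN1="now+4460h"
TremN1="now+186d"
# Timing options for dnssec-keygen. These strings are deliberately expanded
# unquoted below so that they word-split into separate options.
csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes "$zone" 2> "keygen.out.$zone.2")
# Key states (-g goal, -k DNSKEY, -r KRRSIG, -d DS, -z ZRRSIG): the old
# CSK's KRRSIG and DS are hidden as of the removal time, its ZRRSIG is still
# unretentive; the new CSK's DS is omnipresent, its ZRRSIG still rumoured.
$SETTIME -s -g $H -k $O $TactZN -r $H $TremN  -d $H $TremN  -z $U $TsbmN1 "$CSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN  -z $R $TsbmN1 "$CSK2" > "settime.out.$zone.2" 2>&1
# Set key rollover relationship.
key_successor "$CSK1" "$CSK2"
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 13 "$CSK1" >> "$infile"
private_type_record "$zone" 13 "$CSK2" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1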

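# Step 7:
# Some time later the predecessor DNSKEY enters the HIDDEN state.
setup step7.csk-roll.autosign
# Subtract DNSKEY TTL plus zone propagation delay from all the times (2h).
# TactZ(N)   = now - 5091h - 2h = now - 5093h
# TretZ(N)   = now - 627h - 2h  = now - 629h
# Tact(N)    = now - 5067h - 2h = now - 5069h
# Tret(N)    = now - 603h - 2h  = now - 605h
# Trem(N)    = now - 2h
# Tpub(N+1)  = now - 630h - 2h = now - 632h
# Tsbm(N+1)  = now - 627h - 2h = now - 629h
# TactZ(N+1) = Tsbm(N+1)
# TretZ(N+1) = now + 3837h - 2h = now + 3835h
# Tact(N+1)  = Tret(N)
# Tret(N+1)  = now + 4460h - 2h = now + 4458h
# Trem(N+1)  = now + 186d - 2h = now + 4462h
TactZN="now-5093h"
TretZN="now-629h"
TactN="now-5069h"
TretN="now-605h"
TremN="now-2h"
TpubN1="now-632h"
TsbmN1="${TretZN}"
TactZN1="${TretZN}"
TretZN1="now+3835h"
TactN1="${TretN}"
TretN1="now+4458h"
TremN1="now+4462h"
# Timing options for dnssec-keygen. These strings are deliberately expanded
# unquoted below so that they word-split into separate options.
csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll -l policies/autosign.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-roll -l policies/autosign.conf $newtimes "$zone" 2> "keygen.out.$zone.2")
# Key states (-g goal, -k DNSKEY, -r KRRSIG, -d DS, -z ZRRSIG): the old
# CSK's DNSKEY is unretentive and everything else of it hidden; the new
# CSK is fully omnipresent.
$SETTIME -s -g $H -k $U $TremN  -r $H $TremN  -d $H $TremN  -z $H $TactZN1 "$CSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TactN1 -z $O $TactZN1 "$CSK2" > "settime.out.$zone.2" 2>&1
# Set key rollover relationship.
key_successor "$CSK1" "$CSK2"
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 13 "$CSK1" >> "$infile"
private_type_record "$zone" 13 "$CSK2" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1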

#
# The zones at csk-roll2.autosign represent the various steps of a CSK rollover
# (which is essentially a ZSK Pre-Publication / KSK Double-KSK rollover).
# This scenario differs from the above one because the zone signatures (ZRRSIG)
# are replaced with the new key sooner than the DS is swapped.
#
#
# The activation time for zone signing (ZSK) is different from the one for
# chain of trust validation (KSK). Therefore, for zone signing we use TactZ
# and TretZ instead of Tact and Tret.
#

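# Step 1:
# Introduce the first key. This will immediately be active.
setup step1.csk-roll2.autosign
TactN="now"
# Timing options for dnssec-keygen; deliberately expanded unquoted below so
# that they word-split into separate options.
csktimes="-P ${TactN} -P sync ${TactN} -A ${TactN}"
CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
# All key states (-g goal, -k DNSKEY, -r KRRSIG, -d DS, -z ZRRSIG) are
# OMNIPRESENT from the activation time.
$SETTIME -s -g $O -k $O $TactN -r $O $TactN -d $O $TactN -z $O $TactN "$CSK" > "settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record "$zone" 13 "$CSK" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1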

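# Step 2:
# It is time to introduce the new CSK.
setup step2.csk-roll2.autosign
# According to RFC 7583:
# KSK: Tpub(N+1) <= Tact(N) + Lksk - Dreg - IpubC
# ZSK: Tpub(N+1) <= TactZ(N) + Lzsk - Ipub
# IpubC = DprpC + TTLkey (+publish-safety)
# Ipub  = IpubC
# Lcsk = Lksk = Lzsk
#
# Lcsk:           6mo (186d, 4464h)
# Dreg:           1w
# DprpC:          1h
# TTLkey:         1h
# publish-safety: 1h
# Ipub:           3h
#
# Tact(N)  = Tnow - Lcsk + Ipub + Dreg = now - 186d + 3h + 1w
#          = now - 4464h + 3h + 168h = now - 4293h
# TactZ(N) = Tnow - Lcsk + IpubC = now - 186d + 3h
#          = now - 4464h + 3h = now - 4461h
TactN="now-4293h"
TactZN="now-4461h"
# Timing options for dnssec-keygen; deliberately expanded unquoted below so
# that they word-split into separate options.
csktimes="-P ${TactN} -P sync ${TactZN} -A ${TactZN}"
CSK=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
# Key states (-g goal, -k DNSKEY, -r KRRSIG, -d DS, -z ZRRSIG): everything
# is OMNIPRESENT; the DS uses the KSK activation time, the rest TactZ.
$SETTIME -s -g $O -k $O $TactZN -r $O $TactZN -d $O $TactN -z $O $TactZN "$CSK" > "settime.out.$zone.1" 2>&1
cat template.db.in "${CSK}.key" > "$infile"
private_type_record "$zone" 13 "$CSK" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1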

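# Step 3:
# It is time to submit the DS and to roll signatures.
setup step3.csk-roll2.autosign
# According to RFC 7583:
#
# Tsbm(N+1) >= Trdy(N+1)
# KSK: Tact(N+1)  = Tsbm(N+1) + Dreg
# ZSK: TactZ(N+1) = Tpub(N+1) + Ipub = Tsbm(N+1)
# KSK: Iret  = DprpP + TTLds (+retire-safety)
# ZSK: IretZ = Dsgn + Dprp + TTLsig (+retire-safety)
#
# Lcsk:           186d
# Dprp:           1h
# DprpP:          1h
# Dreg:           1w
# Dsgn:           12h
# TTLds:          1h
# TTLsig:         1d
# retire-safety:  1h
# Iret:           3h
# IretZ:          38h
# Ipub:           3h
#
# TactZ(N)   = Tnow - Lcsk = now - 186d
# TretZ(N)   = now
# Tact(N)    = Tnow + Dreg - Lcsk = now + 1w - 186d = now - 179d
# Tret(N)    = Tnow + Dreg = now + 7d
# Trem(N)    = Tnow + Dreg + Iret = now + 1w + 3h = now + 171h
# Tpub(N+1)  = Tnow - Ipub = now - 3h
# Tsbm(N+1)  = TretZ(N)
# TactZ(N+1) = TretZ(N)
# TretZ(N+1) = Tnow + Lcsk = now + 186d
# Tact(N+1)  = Tret(N)
# Tret(N+1)  = Tnow + Lcsk + Dreg = now + 186d + 7d = now + 193d
# Trem(N+1)  = Tnow + Lcsk + Dreg + Iret = now + 186d + 7d + 3h
#            = now + 193d + 3h = now + 4632h + 3h = now + 4635h
TactZN="now-186d"
TretZN="now"
TactN="now-179d"
TretN="now+7d"
TremN="now+171h"
TpubN1="now-3h"
TsbmN1="${TretZN}"
TactZN1="${TretZN}"
TretZN1="now+186d"
TactN1="${TretN}"
TretN1="now+193d"
TremN1="now+4635h"
# Timing options for dnssec-keygen. These strings are deliberately expanded
# unquoted below so that they word-split into separate options.
csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes "$zone" 2> "keygen.out.$zone.2")
# Key states (-g goal, -k DNSKEY, -r KRRSIG, -d DS, -z ZRRSIG): the old CSK
# is still fully omnipresent but its goal is HIDDEN; the new CSK has just
# been published (DNSKEY/KRRSIG rumoured, DS/ZRRSIG still hidden).
$SETTIME -s -g $H -k $O $TactZN  -r $O $TactZN -d $O $TactN  -z $O $TactZN "$CSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $R $TpubN1  -r $R $TpubN1 -d $H $TpubN1 -z $H $TpubN1 "$CSK2" > "settime.out.$zone.2" 2>&1
# Set key rollover relationship.
key_successor "$CSK1" "$CSK2"
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 13 "$CSK1" >> "$infile"
private_type_record "$zone" 13 "$CSK2" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1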

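# Step 4:
# Some time later all the ZRRSIG records should be from the new CSK, and the
# DS should be swapped.  The ZRRSIG records are all replaced after IretZ (38h).
# The DS is swapped after Dreg + Iret (1w3h). In other words, the zone
# signatures are replaced before the DS is swapped.
setup step4.csk-roll2.autosign
# According to RFC 7583:
# Trem(N)    = Tret(N) + Iret
# Tnow       = TretZ(N) + IretZ
#
# Lcsk:   186d
# Dreg:   1w
# Iret:   3h
# IretZ:  38h
#
# TactZ(N)   = Tnow - IretZ - Lcsk = now - 38h - 186d
#            = now - 38h - 4464h = now - 4502h
# TretZ(N)   = Tnow - IretZ = now - 38h
# Tact(N)    = Tnow - IretZ - Lcsk + Dreg = now - 38h - 4464h + 168h
#            = now - 4334h
# Tret(N)    = Tnow - IretZ + Dreg = now - 38h + 168h = now + 130h
# Trem(N)    = Tnow - IretZ + Dreg + Iret = now + 130h + 3h = now + 133h
# Tpub(N+1)  = Tnow - IretZ - IpubC = now - 38h - 3h = now - 41h
# Tsbm(N+1)  = TretZ(N)
# TactZ(N+1) = TretZ(N)
# TretZ(N+1) = Tnow - IretZ + Lcsk = now - 38h + 186d
#            = now + 4426h
# Tact(N+1)  = Tret(N)
# Tret(N+1)  = Tnow - IretZ + Dreg + Lcsk = now - 38h + 168h + 4464h
#            = now + 4594h
# Trem(N+1)  = Tnow - IretZ + Dreg + Lcsk + Iret
#            = now + 4594h + 3h = now + 4597h
TactZN="now-4502h"
TretZN="now-38h"
TactN="now-4334h"
TretN="now+130h"
TremN="now+133h"
TpubN1="now-41h"
TsbmN1="${TretZN}"
TactZN1="${TretZN}"
TretZN1="now+4426h"
TactN1="${TretN}"
TretN1="now+4594h"
TremN1="now+4597h"
# Timing options for dnssec-keygen. These strings are deliberately expanded
# unquoted below so that they word-split into separate options.
csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes "$zone" 2> "keygen.out.$zone.2")
# Key states (-g goal, -k DNSKEY, -r KRRSIG, -d DS, -z ZRRSIG): the old
# CSK's DS and ZRRSIG are unretentive, the new CSK's are rumoured.
$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $U $TretZN  "$CSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $R $TactZN1 "$CSK2" > "settime.out.$zone.2" 2>&1
# Set key rollover relationship.
key_successor "$CSK1" "$CSK2"
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 13 "$CSK1" >> "$infile"
private_type_record "$zone" 13 "$CSK2" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1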

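# Step 5:
# Some time later the DS can be swapped and the old DNSKEY can be removed from
# the zone.
setup step5.csk-roll2.autosign
# Subtract Dreg + Iret (171h) - IretZ (38h) = 133h.
#
# TactZ(N)   = now - 4502h - 133h = now - 4635h
# TretZ(N)   = now - 38h - 133h = now - 171h
# Tact(N)    = now - 4334h - 133h = now - 4467h
# Tret(N)    = now + 130h - 133h = now - 3h
# Trem(N)    = now + 133h - 133h = now
# Tpub(N+1)  = now - 41h - 133h = now - 174h
# Tsbm(N+1)  = TretZ(N)
# TactZ(N+1) = TretZ(N)
# TretZ(N+1) = now + 4426h - 133h = now + 4293h
# Tact(N+1)  = Tret(N)
# Tret(N+1)  = now + 4594h - 133h = now + 4461h
# Trem(N+1)  = now + 4597h - 133h = now + 4464h = now + 186d
TactZN="now-4635h"
TretZN="now-171h"
TactN="now-4467h"
TretN="now-3h"
TremN="now"
TpubN1="now-174h"
TsbmN1="${TretZN}"
TactZN1="${TretZN}"
TretZN1="now+4293h"
TactN1="${TretN}"
TretN1="now+4461h"
TremN1="now+186d"
# Timing options for dnssec-keygen. These strings are deliberately expanded
# unquoted below so that they word-split into separate options.
csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes "$zone" 2> "keygen.out.$zone.2")
# Key states (-g goal, -k DNSKEY, -r KRRSIG, -d DS, -z ZRRSIG): the ZRRSIG
# roll finished 133h ago (old hidden, new omnipresent); the DS is still
# being swapped (old unretentive, new rumoured).
$SETTIME -s -g $H -k $O $TactZN -r $O $TactZN -d $U $TsbmN1 -z $H now-133h "$CSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $R $TsbmN1 -z $O now-133h "$CSK2" > "settime.out.$zone.2" 2>&1
# Set key rollover relationship.
key_successor "$CSK1" "$CSK2"
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 13 "$CSK1" >> "$infile"
private_type_record "$zone" 13 "$CSK2" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1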

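# Step 6:
# Some time later the predecessor DNSKEY enters the HIDDEN state.
setup step6.csk-roll2.autosign
# Subtract DNSKEY TTL plus zone propagation delay (2h).
#
# TactZ(N)   = now - 4635h - 2h = now - 4637h
# TretZ(N)   = now - 171h - 2h = now - 173h
# Tact(N)    = now - 4467h - 2h = now - 4469h
# Tret(N)    = now - 3h - 2h = now - 5h
# Trem(N)    = now - 2h
# Tpub(N+1)  = now - 174h - 2h = now - 176h
# Tsbm(N+1)  = TretZ(N)
# TactZ(N+1) = TretZ(N)
# TretZ(N+1) = now + 4293h - 2h = now + 4291h
# Tact(N+1)  = Tret(N)
# Tret(N+1)  = now + 4461h - 2h = now + 4459h
# Trem(N+1)  = now + 4464h - 2h = now + 4462h
TactZN="now-4637h"
TretZN="now-173h"
TactN="now-4469h"
TretN="now-5h"
TremN="now-2h"
TpubN1="now-176h"
TsbmN1="${TretZN}"
TactZN1="${TretZN}"
TretZN1="now+4291h"
TactN1="${TretN}"
TretN1="now+4459h"
TremN1="now+4462h"
# Timing options for dnssec-keygen. These strings are deliberately expanded
# unquoted below so that they word-split into separate options.
csktimes="-P ${TactN}  -P sync ${TactZN} -A ${TactZN}  -I ${TretZN}  -D ${TremN}"
newtimes="-P ${TpubN1} -P sync ${TsbmN1} -A ${TactZN1} -I ${TretZN1} -D ${TremN1}"
CSK1=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $csktimes "$zone" 2> "keygen.out.$zone.1")
CSK2=$($KEYGEN -k csk-roll2 -l policies/autosign.conf $newtimes "$zone" 2> "keygen.out.$zone.2")
# Key states (-g goal, -k DNSKEY, -r KRRSIG, -d DS, -z ZRRSIG): the old
# CSK's DNSKEY/KRRSIG are unretentive and its DS/ZRRSIG hidden; the new
# CSK is fully omnipresent (ZRRSIG since 135h ago, i.e. 133h + 2h).
$SETTIME -s -g $H -k $U $TremN  -r $U $TremN  -d $H $TremN -z $H now-135h "$CSK1" > "settime.out.$zone.1" 2>&1
$SETTIME -s -g $O -k $O $TsbmN1 -r $O $TsbmN1 -d $O $TremN -z $O now-135h "$CSK2" > "settime.out.$zone.2" 2>&1
# Set key rollover relationship.
key_successor "$CSK1" "$CSK2"
# Sign zone.
cat template.db.in "${CSK1}.key" "${CSK2}.key" > "$infile"
private_type_record "$zone" 13 "$CSK1" >> "$infile"
private_type_record "$zone" 13 "$CSK2" >> "$infile"
$SIGNER -S -z -x -s now-1h -e now+30d -o "$zone" -O full -f "$zonefile" "$infile" > "signer.out.$zone.1" 2>&1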