Matthijs Mekking authored
Add a key manager to named.

If a 'dnssec-policy' is set, 'named' will run a key manager on the matching keys. This will do a couple of things:

1. Create keys when needed (in case of rollover for example) according to the set policy.
2. Retire keys that are in excess of the policy.
3. Maintain key states according to "Flexible and Robust Key Rollover" [1].

After the key manager has run, key files will be saved to disk.

[1] https://matthijsmekking.nl/static/pdf/satin2012-Schaeffer.pdf

KEY GENERATION

Create keys according to DNSSEC policy. Zones configured with 'dnssec-policy' will allow 'named' to create DNSSEC keys (similar to dnssec-keymgr) if not available.

KEY ROLLOVER

Rather than determining the desired state from timing metadata, add a key state goal. Any keys that are created or picked from the key ring and selected to be a successor have their key state goal set to OMNIPRESENT (this key wants to be signing!). At the same time, a key that is being retired has its key state goal set to HIDDEN. The keymgr state machine with the three rules will make sure no introduction or withdrawal of DNSSEC records happens too soon.

KEY TIMINGS

All timings are based on RFC 7583. The keymgr will return when the next action is happening so that the zone can set the proper rekey event. Prior to this change the rekey event ran every hour by default (configurable), but with kasp we can determine exactly when we need to run again. The prepublication time is derived from policy.
7e7aa538
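To illustrate the goal-driven approach described in the commit message, the following is an added example (not BIND's keymgr and not code from this commit): a deliberately simplified model in which each key carries a goal (OMNIPRESENT or HIDDEN) and a current state, a single assumed safety rule refuses to withdraw the last omnipresent key, and the stepping function reports the time of the next possible transition, which is what a rekey event would be scheduled on. The TTL, propagation delay and key names are constructed values.

```python
from dataclasses import dataclass
from enum import Enum

class State(Enum):
    HIDDEN = "hidden"            # record not published anywhere
    RUMOURED = "rumoured"        # published, but may not have reached every cache yet
    OMNIPRESENT = "omnipresent"  # published and known to be visible everywhere
    UNRETENTIVE = "unretentive"  # withdrawn, but may still sit in caches

@dataclass
class Key:
    name: str
    goal: State                  # OMNIPRESENT = "wants to be signing", HIDDEN = retiring
    state: State = State.HIDDEN
    since: int = 0               # time in seconds at which the current state was entered

def step(keys: list, now: int, ttl: int, delay: int):
    """Move each key one transition towards its goal where the safety rule allows it.
    Returns (changed, next_time); next_time is when the next transition becomes
    possible, or None if nothing is pending (the value a rekey event would use)."""
    settle = ttl + delay         # assumption: a change is everywhere after TTL + propagation
    changed, next_time = False, None
    for k in keys:
        if k.state is State.HIDDEN and k.goal is State.OMNIPRESENT:
            k.state, k.since, changed = State.RUMOURED, now, True
        elif k.state is State.RUMOURED and now - k.since >= settle:
            k.state, k.since, changed = State.OMNIPRESENT, now, True
        elif k.state is State.OMNIPRESENT and k.goal is State.HIDDEN:
            # Simplified safety rule (assumed here): never withdraw the last omnipresent key.
            if any(o is not k and o.state is State.OMNIPRESENT for o in keys):
                k.state, k.since, changed = State.UNRETENTIVE, now, True
        elif k.state is State.UNRETENTIVE and now - k.since >= settle:
            k.state, k.since, changed = State.HIDDEN, now, True
        elif k.state in (State.RUMOURED, State.UNRETENTIVE):   # still waiting on propagation
            next_time = min(t for t in (next_time, k.since + settle) if t is not None)
    return changed, next_time

def run_rollover(ttl: int = 3600, delay: int = 300):
    """Retire constructed 'key-old' in favour of 'key-new'; returns (time, key, state) events."""
    keys = [Key("key-old", goal=State.HIDDEN, state=State.OMNIPRESENT),
            Key("key-new", goal=State.OMNIPRESENT)]
    now, events = 0, []
    while True:
        before = {k.name: k.state for k in keys}
        changed, next_time = step(keys, now, ttl, delay)
        events += [(now, k.name, k.state.value) for k in keys if before[k.name] is not k.state]
        # If something changed, re-run at the same instant: a rule may now be satisfied.
        if not changed:
            if next_time is None:
                return events
            now = next_time
```

The old key only becomes UNRETENTIVE once the new key has reached OMNIPRESENT, so the zone is never left without a fully propagated key.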