• Matthijs Mekking's avatar
    Introduce keymgr in named · 7e7aa538
    Matthijs Mekking authored
    Add a key manager to named.  If a 'dnssec-policy' is set, 'named'
    will run a key manager on the matching keys.  This will do a couple
    of things:
    
    1. Create keys when needed (in case of rollover for example)
       according to the set policy.
    
    2. Retire keys that are in excess of the policy.
    
    3. Maintain key states according to "Flexible and Robust Key
       Rollover" [1]. After key manager ran, key files will be saved to
       disk.
    
       [1] https://matthijsmekking.nl/static/pdf/satin2012-Schaeffer.pdf
    
    KEY GENERATION
    
    Create keys according to DNSSEC policy.  Zones configured with
    'dnssec-policy' will allow 'named' to create DNSSEC keys (similar
    to dnssec-keymgr) if not available.
    
    KEY ROLLOVER
    
    Rather than determining the desired state from timing metadata,
    add a key state goal.  Any keys that are created or picked from the
    key ring and selected to be a successor has its key state goal set
    to OMNIPRESENT (this key wants to be signing!). At the same time,
    a key that is being retired has its key state goal set to HIDDEN.
    
    The keymgr state machine with the three rules will make sure no
    introduction or withdrawal of DNSSEC records happens too soon.
    
    KEY TIMINGS
    
    All timings are based on RFC 7583.
    
    The keymgr will return when the next action is happening so
    that the zone can set the proper rekey event. Prior to this change
    the rekey event will run every hour by default (configurable),
    but with kasp we can determine exactly when we need to run again.
    
    The prepublication time is derived from policy.
    7e7aa538
copyrights 180 KB