Commit 09990672 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Update zoneconf to use kasp config

If a zone has a dnssec-policy set, use signature validity,
dnskey signature validity, and signature refresh from
dnssec-policy.

Zones configured with 'dnssec-policy' will allow 'named' to create
DNSSEC keys (similar to dnssec-keymgr) if not available.
parent 7e7aa538
......@@ -1500,38 +1500,52 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
bool allow = false, maint = false;
bool sigvalinsecs;
obj = NULL;
result = named_config_get(maps, "dnskey-sig-validity", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
seconds = cfg_obj_asuint32(obj) * 86400;
if (kasp) {
seconds = (uint32_t) dns_kasp_sigvalidity_dnskey(kasp);
} else {
obj = NULL;
result = named_config_get(maps, "dnskey-sig-validity",
&obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
seconds = cfg_obj_asuint32(obj) * 86400;
}
dns_zone_setkeyvalidityinterval(zone, seconds);
obj = NULL;
result = named_config_get(maps, "sig-validity-interval", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
if (kasp) {
seconds = (uint32_t) dns_kasp_sigvalidity(kasp);
dns_zone_setsigvalidityinterval(zone, seconds);
seconds = (uint32_t) dns_kasp_sigrefresh(kasp);
dns_zone_setsigresigninginterval(zone, seconds);
} else {
obj = NULL;
result = named_config_get(maps, "sig-validity-interval",
&obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
sigvalinsecs = ns_server_getoption(named_g_server->sctx,
NS_SERVER_SIGVALINSECS);
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity);
if (!sigvalinsecs) {
seconds *= 86400;
}
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else if (!sigvalinsecs) {
if (seconds > 7 * 86400) {
seconds = cfg_obj_asuint32(resign) * 86400;
sigvalinsecs = ns_server_getoption(named_g_server->sctx,
NS_SERVER_SIGVALINSECS);
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity);
if (!sigvalinsecs) {
seconds *= 86400;
}
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else if (!sigvalinsecs) {
seconds = cfg_obj_asuint32(resign);
if (seconds > 7 * 86400) {
seconds *= 86400;
} else {
seconds *= 3600;
}
} else {
seconds = cfg_obj_asuint32(resign) * 3600;
seconds = cfg_obj_asuint32(resign);
}
} else {
seconds = cfg_obj_asuint32(resign);
dns_zone_setsigresigninginterval(zone, seconds);
}
dns_zone_setsigresigninginterval(zone, seconds);
obj = NULL;
result = named_config_get(maps, "key-directory", &obj);
......@@ -1560,12 +1574,20 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
cfg_obj_asboolean(obj));
/*
* This setting will be ignored if dnssec-policy is used.
* named-checkconf will error if both are configured.
*/
obj = NULL;
result = named_config_get(maps, "dnssec-dnskey-kskonly", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
cfg_obj_asboolean(obj));
/*
* This setting will be ignored if dnssec-policy is used.
* named-checkconf will error if both are configured.
*/
obj = NULL;
result = named_config_get(maps, "dnssec-loadkeys-interval",
......@@ -1576,7 +1598,11 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL;
result = cfg_map_get(zoptions, "auto-dnssec", &obj);
if (result == ISC_R_SUCCESS) {
if (dns_zone_getkasp(zone) != NULL) {
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true);
} else if (result == ISC_R_SUCCESS) {
const char *arg = cfg_obj_asstring(obj);
if (strcasecmp(arg, "allow") == 0) {
allow = true;
......@@ -1589,6 +1615,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
ISC_UNREACHABLE();
}
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
}
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment