Commit 1f0d6296 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

kasp: Expose more key timings

When performing a rollover in a timely manner we need access to the
relevant kasp-configured durations.

Most of these are simple get functions, but 'dns_kasp_signdelay'
will calculate the maximum time that is needed with this policy to
resign the complete zone (taking into account the refresh interval
and signature validity).

Introduce parent-propagation-delay, parent-registration-delay,
parent-ds-ttl, zone-max-ttl, zone-propagation-delay.
parent dcf79ce6
......@@ -1016,11 +1016,16 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
dnssec-policy <replaceable>string</replaceable> {
dnskey-ttl <replaceable>ttlval</replaceable>;
keys { ( csk | ksk | zsk ) key-directory <replaceable>duration</replaceable> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
parent-ds-ttl <replaceable>duration</replaceable>;
parent-propagation-delay <replaceable>duration</replaceable>;
parent-registration-delay <replaceable>duration</replaceable>;
publish-safety <replaceable>duration</replaceable>;
retire-safety <replaceable>duration</replaceable>;
signatures-refresh <replaceable>duration</replaceable>;
signatures-validity <replaceable>duration</replaceable>;
signatures-validity-dnskey <replaceable>duration</replaceable>;
zone-max-ttl <replaceable>duration</replaceable>;
zone-propagation-delay <replaceable>duration</replaceable>;
};
</literallayout>
</refsection>
......
......@@ -11151,6 +11151,83 @@ example.com CNAME rpz-tcp-only.
</listitem>
</varlistentry>
<varlistentry>
<term><command>zone-max-ttl</command></term>
<listitem>
<para>
Like <command>max-zone-ttl</command>, specifies the maximum
permissible TTL value in seconds. When loading a zone file
using a <option>masterfile-format</option> or
<constant>text</constant> or <constant>raw</constant>,
any record encountered with a TTL higher than
<option>zone-max-ttl</option> will be capped to the maximum
permissible TTL value.
</para>
<para>
This is needed in DNSSEC-maintained zones because when
rolling to a new DNSKEY, the old key needs to remain
available until RRSIG records have expired from
caches. The <option>zone-max-ttl</option> option guarantees
that the largest TTL in the zone will be no higher than the
set value.
</para>
<para>
(NOTE: Because <constant>map</constant>-format files
load directly into memory, this option cannot be
used with them.)
</para>
<para>
The default value is <constant>PT24H</constant> (24 hours).
A <option>zone-max-ttl</option> of zero is treated as if
the default value is in use.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>zone-propagation-delay</command></term>
<listitem>
<para>
The expected propagation delay from when a zone is updated
and when the new version of the zone is served by all its
name servers. Default is <constant>PT5M</constant> (5 minutes).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>parent-ds-ttl</command></term>
<listitem>
<para>
The TTL of the DS RRset that the parent uses. Default is
<constant>PT1H</constant> (1 hour).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>parent-propagation-delay</command></term>
<listitem>
<para>
The expected propagation delay from when the parent zone is
updated and when the new version of the parent zone is served
by all its name servers. Default is
<constant>PT1H</constant> (1 hour).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>parent-registration-delay</command></term>
<listitem>
<para>
The expected registration delay from when a DS RRset change
is requested and when the DS RRset has been updated in the
parent zone. Default is <constant>P1D</constant> (1 day).
</para>
</listitem>
</varlistentry>
</variablelist>
</section>
......
......@@ -15,11 +15,16 @@
<command>dnssec-policy</command> <replaceable>string</replaceable> {
<command>dnskey-ttl</command> <replaceable>ttlval</replaceable>;
<command>keys</command> { ( csk | ksk | zsk ) key-directory <replaceable>duration</replaceable> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
<command>parent-ds-ttl</command> <replaceable>duration</replaceable>;
<command>parent-propagation-delay</command> <replaceable>duration</replaceable>;
<command>parent-registration-delay</command> <replaceable>duration</replaceable>;
<command>publish-safety</command> <replaceable>duration</replaceable>;
<command>retire-safety</command> <replaceable>duration</replaceable>;
<command>signatures-refresh</command> <replaceable>duration</replaceable>;
<command>signatures-validity</command> <replaceable>duration</replaceable>;
<command>signatures-validity-dnskey</command> <replaceable>duration</replaceable>;
<command>zone-max-ttl</command> <replaceable>duration</replaceable>;
<command>zone-propagation-delay</command> <replaceable>duration</replaceable>;
};
</programlisting>
......@@ -29,11 +29,16 @@ dnssec-policy <string> {
dnskey-ttl <ttlval>;
keys { ( csk | ksk | zsk ) key-directory <duration> <string>
[ <integer> ]; ... };
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
parent-registration-delay <duration>;
publish-safety <duration>;
retire-safety <duration>;
signatures-refresh <duration>;
signatures-validity <duration>;
signatures-validity-dnskey <duration>;
zone-max-ttl <duration>;
zone-propagation-delay <duration>;
}; // may occur multiple times
dyndb <string> <quoted_string> {
......
......@@ -81,6 +81,15 @@ struct dns_kasp {
uint32_t publish_safety;
uint32_t retire_safety;
/* Zone settings */
dns_ttl_t zone_max_ttl;
time_t zone_propagation_delay;
/* Parent settings */
dns_ttl_t parent_ds_ttl;
time_t parent_propagation_delay;
time_t parent_registration_delay;
// TODO: The rest of the KASP configuration
};
......@@ -92,8 +101,13 @@ struct dns_kasp {
#define DNS_KASP_SIG_VALIDITY (86400*14)
#define DNS_KASP_SIG_VALIDITY_DNSKEY (86400*14)
#define DNS_KASP_KEY_TTL (3600)
#define DNS_KASP_DS_TTL (3600)
#define DNS_KASP_PUBLISH_SAFETY (300)
#define DNS_KASP_RETIRE_SAFETY (300)
#define DNS_KASP_ZONE_MAXTTL (86400)
#define DNS_KASP_ZONE_PROPDELAY (300)
#define DNS_KASP_PARENT_PROPDELAY (3600)
#define DNS_KASP_PARENT_REGDELAY (86400)
/* Key roles */
#define DNS_KASP_KEY_ROLE_KSK 0x01
......@@ -194,6 +208,53 @@ dns_kasp_getname(dns_kasp_t *kasp);
*\li name of 'kasp'.
*/
time_t
dns_kasp_signdelay(dns_kasp_t *kasp);
/*%<
* Get the delay that is needed to ensure that all existing RRsets have been
* re-signed with a successor key. This is the signature validity minus the
* signature refresh time (that indicates how far before signature expiry an
* RRSIG should be refreshed).
*
* Requires:
*
*\li 'kasp' is a valid, frozen kasp.
*
* Returns:
*
*\li signature refresh interval.
*/
time_t
dns_kasp_sigrefresh(dns_kasp_t *kasp);
/*%<
* Get signature refresh interval.
*
* Requires:
*
*\li 'kasp' is a valid, frozen kasp.
*
* Returns:
*
*\li signature refresh interval.
*/
time_t
dns_kasp_sigvalidity(dns_kasp_t *kasp);
time_t
dns_kasp_sigvalidity_dnskey(dns_kasp_t *kasp);
/*%<
* Get signature validity.
*
* Requires:
*
*\li 'kasp' is a valid, frozen kasp.
*
* Returns:
*
*\li signature validity.
*/
dns_ttl_t
dns_kasp_dnskeyttl(dns_kasp_t *kasp);
/*%<
......@@ -208,6 +269,104 @@ dns_kasp_dnskeyttl(dns_kasp_t *kasp);
*\li DNSKEY TTL.
*/
time_t
dns_kasp_publishsafety(dns_kasp_t *kasp);
/*%<
* Get publish safety interval.
*
* Requires:
*
*\li 'kasp' is a valid, frozen kasp.
*
* Returns:
*
*\li Publish safety interval.
*/
time_t
dns_kasp_retiresafety(dns_kasp_t *kasp);
/*%<
* Get retire safety interval.
*
* Requires:
*
*\li 'kasp' is a valid, frozen kasp.
*
* Returns:
*
*\li Retire safety interval.
*/
dns_ttl_t
dns_kasp_zonemaxttl(dns_kasp_t *kasp);
/*%<
* Get maximum zone TTL.
*
* Requires:
*
*\li 'kasp' is a valid, frozen kasp.
*
* Returns:
*
*\li Maximum zone TTL.
*/
time_t
dns_kasp_zonepropagationdelay(dns_kasp_t *kasp);
/*%<
* Get zone propagation delay.
*
* Requires:
*
*\li 'kasp' is a valid, frozen kasp.
*
* Returns:
*
*\li Zone propagation delay.
*/
dns_ttl_t
dns_kasp_dsttl(dns_kasp_t *kasp);
/*%<
* Get DS TTL (should match that of the parent DS record).
*
* Requires:
*
*\li 'kasp' is a valid, frozen kasp.
*
* Returns:
*
*\li Expected parent DS TTL.
*/
time_t
dns_kasp_parentpropagationdelay(dns_kasp_t *kasp);
/*%<
* Get parent zone propagation delay.
*
* Requires:
*
*\li 'kasp' is a valid, frozen kasp.
*
* Returns:
*
*\li Parent zone propagation delay.
*/
time_t
dns_kasp_parentregistrationdelay(dns_kasp_t *kasp);
/*%<
* Get parent registration delay for submitting new DS.
*
* Requires:
*
*\li 'kasp' is a valid, frozen kasp.
*
* Returns:
*
*\li Parent registration delay.
*/
isc_result_t
dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp);
/*%<
......
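Review bot: The comment block that follows `dns_kasp_signdelay` in the `@@ -194,6 +208,53 @@` hunk documents the return value as `*\li signature refresh interval.`, which is the text of the `dns_kasp_sigrefresh` block below it, while the implementation returns validity minus refresh; it should read `*\li signature validity minus signature refresh interval, i.e. the longest time before every RRSIG has been regenerated.` In the same hunk `dns_kasp_sigvalidity` and `dns_kasp_sigvalidity_dnskey` are declared back to back above one block that only says `Get signature validity.`; every other prototype in this header gets its own block, so the DNSKEY variant needs one stating that it returns the DNSKEY signature validity. In the `@@ -81,6 +81,15 @@` hunk the new delays are `time_t` while the neighbouring `publish_safety` and `retire_safety` fields are `uint32_t`, yet `dns_kasp_publishsafety()` and `dns_kasp_retiresafety()` are declared to return `time_t`; if all of these are durations in seconds, one type for the fields would avoid a different implicit conversion in each getter.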
......@@ -53,6 +53,13 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp)
kasp->publish_safety = DNS_KASP_PUBLISH_SAFETY;
kasp->retire_safety = DNS_KASP_RETIRE_SAFETY;
kasp->zone_max_ttl = DNS_KASP_ZONE_MAXTTL;
kasp->zone_propagation_delay = DNS_KASP_ZONE_PROPDELAY;
kasp->parent_ds_ttl = DNS_KASP_DS_TTL;
kasp->parent_propagation_delay = DNS_KASP_PARENT_PROPDELAY;
kasp->parent_registration_delay = DNS_KASP_PARENT_REGDELAY;
// TODO: The rest of the KASP configuration
kasp->magic = DNS_KASP_MAGIC;
......@@ -117,6 +124,34 @@ dns_kasp_thaw(dns_kasp_t *kasp) {
kasp->frozen = false;
}
time_t
dns_kasp_signdelay(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(kasp->frozen);
return (kasp->signatures_validity - kasp->signatures_refresh);
}
time_t
dns_kasp_sigrefresh(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(kasp->frozen);
return kasp->signatures_refresh;
}
time_t
dns_kasp_sigvalidity(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(kasp->frozen);
return kasp->signatures_validity;
}
time_t
dns_kasp_sigvalidity_dnskey(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(kasp->frozen);
return kasp->signatures_validity_dnskey;
}
dns_ttl_t
dns_kasp_dnskeyttl(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
......@@ -124,6 +159,55 @@ dns_kasp_dnskeyttl(dns_kasp_t *kasp) {
return kasp->dnskey_ttl;
}
time_t
dns_kasp_publishsafety(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(kasp->frozen);
return kasp->publish_safety;
}
time_t
dns_kasp_retiresafety(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(kasp->frozen);
return kasp->retire_safety;
}
dns_ttl_t
dns_kasp_zonemaxttl(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(kasp->frozen);
return kasp->zone_max_ttl;
}
time_t
dns_kasp_zonepropagationdelay(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(kasp->frozen);
return kasp->zone_propagation_delay;
}
dns_ttl_t
dns_kasp_dsttl(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(kasp->frozen);
return kasp->parent_ds_ttl;
}
time_t
dns_kasp_parentpropagationdelay(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(kasp->frozen);
return kasp->parent_propagation_delay;
}
time_t
dns_kasp_parentregistrationdelay(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(kasp->frozen);
return kasp->parent_registration_delay;
}
isc_result_t
dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp)
{
......
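Review bot: `dns_kasp_signdelay()` returns `kasp->signatures_validity - kasp->signatures_refresh` with nothing guaranteeing that the refresh interval is not larger than the validity, so a policy whose `signatures-refresh` exceeds `signatures-validity` yields a negative delay, or a wrapped value near 2^32 seconds if those fields share the `uint32_t` type of the adjacent safety fields (their definitions are outside these hunks, so the exact type is not visible here). A negative delay would let rollover code retire a predecessor key before its RRSIGs have expired from caches, which is the validation failure this delay exists to prevent. The relation is best enforced where the durations are loaded, i.e. `cfg_kasp_fromconfig()` should reject a policy whose refresh interval exceeds its validity, and `dns_kasp_signdelay()` can then state the invariant it relies on with `REQUIRE(kasp->signatures_refresh <= kasp->signatures_validity);` next to the existing `REQUIRE(kasp->frozen);`.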
......@@ -413,10 +413,11 @@ dns_journal_rollforward
dns_journal_set_sourceserial
dns_journal_write_transaction
dns_journal_writediff
dns_kasp_create
dns_kasp_attach
dns_kasp_create
dns_kasp_detach
dns_kasp_dnskeyttl
dns_kasp_dsttl
dns_kasp_freeze
dns_kasp_getname
dns_kasp_key_algorithm
......@@ -426,7 +427,17 @@ dns_kasp_key_ksk
dns_kasp_key_lifetime
dns_kasp_key_size
dns_kasp_key_zsk
dns_kasp_parentpropagationdelay
dns_kasp_parentregistrationdelay
dns_kasp_publishsafety
dns_kasp_retiresafety
dns_kasp_signdelay
dns_kasp_sigrefresh
dns_kasp_sigvalidity
dns_kasp_sigvalidity_dnskey
dns_kasp_thaw
dns_kasp_zonemaxttl
dns_kasp_zonepropagationdelay
dns_kasplist_find
dns_keydata_fromdnskey
dns_keydata_todnskey
......
......@@ -192,6 +192,25 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t* mctx,
}
ISC_INSIST(!(ISC_LIST_EMPTY(kasp->keys)));
/* Configuration: Zone settings */
kasp->zone_max_ttl = get_duration(maps, "zone-max-ttl",
DNS_KASP_ZONE_MAXTTL);
kasp->zone_propagation_delay = get_duration(maps,
"zone-propagation-delay",
DNS_KASP_ZONE_PROPDELAY);
/* Configuration: Parent settings */
kasp->parent_ds_ttl = get_duration(maps, "parent-ds-ttl",
DNS_KASP_DS_TTL);
kasp->parent_propagation_delay = get_duration(
maps,
"parent-propagation-delay",
DNS_KASP_PARENT_PROPDELAY);
kasp->parent_registration_delay = get_duration(
maps,
"parent-registration-delay",
DNS_KASP_PARENT_REGDELAY);
// TODO: Rest of the configuration
/* Success: Attach the kasp to the pointer and return. */
......
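Review bot: The documentation added by this commit states that `A zone-max-ttl of zero is treated as if the default value is in use`, but `kasp->zone_max_ttl = get_duration(maps, "zone-max-ttl", DNS_KASP_ZONE_MAXTTL);` stores whatever was configured, so unless `get_duration()` (not visible here) already substitutes its default for a configured zero, the policy ends up with a zero maximum TTL. Adding `if (kasp->zone_max_ttl == 0) { kasp->zone_max_ttl = DNS_KASP_ZONE_MAXTTL; }` after that assignment would make the code match the documented behaviour; the same question applies to the other four durations loaded in this hunk if zero is meant to select their defaults too. `cfg_kasp_fromconfig()` begins and ends outside the hunk.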
......@@ -2068,6 +2068,11 @@ dnssecpolicy_clauses[] = {
{ "signatures-refresh", &cfg_type_duration, 0 },
{ "signatures-validity", &cfg_type_duration, 0 },
{ "signatures-validity-dnskey", &cfg_type_duration, 0 },
{ "zone-max-ttl", &cfg_type_duration, 0 },
{ "zone-propagation-delay", &cfg_type_duration, 0 },
{ "parent-ds-ttl", &cfg_type_duration, 0 },
{ "parent-propagation-delay", &cfg_type_duration, 0 },
{ "parent-registration-delay", &cfg_type_duration, 0 },
{ NULL, NULL, 0 }
};
......