2349. [func] Provide incremental re-signing support for secure

                        dynamic zones. [RT #1091]

back out incorrect branch rt1091 and apply correct branch rt1091a.

bin/named/config.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: config.c,v 1.84 2008/01/22 23:28:04 tbox Exp $ */
+/* $Id: config.c,v 1.85 2008/04/02 02:37:41 marka Exp $ */
 
 /*! \file */
 
@@ -172,6 +172,9 @@ options {\n\
 	min-refresh-time 300;\n\
 	multi-master no;\n\
 	sig-validity-interval 30; /* days */\n\
+	sig-signing-nodes 100;\n\
+	sig-signing-signatures 10;\n\
+	sig-signing-type 65535;\n\
 	zone-statistics false;\n\
 	max-journal-size unlimited;\n\
 	ixfr-from-differences false;\n\

bin/named/named.conf.docbook

@@ -17,7 +17,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- $Id: named.conf.docbook,v 1.36 2008/01/02 23:47:01 tbox Exp $ -->
+<!-- $Id: named.conf.docbook,v 1.37 2008/04/02 02:37:41 marka Exp $ -->
 <refentry>
   <refentryinfo>
     <date>Aug 13, 2004</date>
@@ -316,7 +316,12 @@ options {
 	max-refresh-time <replaceable>integer</replaceable>;
 	min-refresh-time <replaceable>integer</replaceable>;
 	multi-master <replaceable>boolean</replaceable>;
+
 	sig-validity-interval <replaceable>integer</replaceable>;
+	sig-re-signing-interval <replaceable>integer</replaceable>;
+	sig-signing-nodes <replaceable>integer</replaceable>;
+	sig-signing-signatures <replaceable>integer</replaceable>;
+	sig-signing-type <replaceable>integer</replaceable>;
 
 	transfer-source ( <replaceable>ipv4_address</replaceable> | * )
 		<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;

bin/named/update.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: update.c,v 1.144 2008/04/01 23:47:10 tbox Exp $ */
+/* $Id: update.c,v 1.145 2008/04/02 02:37:41 marka Exp $ */
 
 #include <config.h>
 
@@ -322,6 +322,7 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
 	 * Create a singleton diff.
 	 */
 	dns_diff_init(diff->mctx, &temp_diff);
+	temp_diff.resign = diff->resign;
 	ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
 
 	/*
@@ -1842,8 +1843,6 @@ del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
 	dns_rdata_rrsig_t rrsig;
 	isc_boolean_t found;
 
-fprintf(stderr, "del_keysigs\n");
-
 	dns_rdataset_init(&rdataset);
 
 	result = dns_db_findnode(db, name, ISC_FALSE, &node);
@@ -1944,6 +1943,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 	dns_diff_init(client->mctx, &affected);
 
 	dns_diff_init(client->mctx, &sig_diff);
+	sig_diff.resign = dns_zone_getsigresigninginterval(zone);
 	dns_diff_init(client->mctx, &nsec_diff);
 	dns_diff_init(client->mctx, &nsec_mindiff);
 
@@ -2037,7 +2037,6 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
 			 * Special case changes to the zone's DNSKEY records
 			 * to support offline KSKs.
 			 */
-fprintf(stderr, "delete signatures %u\n", type);
 			if (type == dns_rdatatype_dnskey)
 				del_keysigs(db, newver, name, &sig_diff,
 					    zone_keys, nkeys);
@@ -2547,7 +2546,7 @@ check_mx(ns_client_t *client, dns_zone_t *zone,
 
 static isc_result_t
 add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
-		    dns_diff_t *diff)
+		    dns_rdatatype_t privatetype, dns_diff_t *diff)
 {
 	isc_result_t result = ISC_R_SUCCESS;
 	dns_difftuple_t *tuple, *newtuple = NULL;
@@ -2579,7 +2578,7 @@ add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
 		buf[3] = 0;
 		rdata.data = buf;
 		rdata.length = sizeof(buf);
-		rdata.type = 0xFFFF;	/* XXXMPA make user settable */
+		rdata.type = privatetype;
 		rdata.rdclass = tuple->rdata.rdclass;
 
 		CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
@@ -2812,18 +2811,17 @@ update_action(isc_task_t *task, isc_event_t *event) {
 		 * "Unlike traditional dynamic update, the client
 		 * is forbidden from updating NSEC records."
 		 */
-		if (dns_db_isdnssec(db)) {
+		if (dns_db_issecure(db)) {
 			if (rdata.type == dns_rdatatype_nsec) {
 				FAILC(DNS_R_REFUSED,
 				      "explicit NSEC updates are not allowed "
 				      "in secure zones");
-			}
-			else if (rdata.type == dns_rdatatype_rrsig &&
-				 !dns_name_equal(name, zonename)) {
+			} else if (rdata.type == dns_rdatatype_rrsig &&
+				   !dns_name_equal(name, zonename)) {
 				FAILC(DNS_R_REFUSED,
 				      "explicit RRSIG updates are currently "
 				      "not supported in secure zones except "
-				      "at the apex.");
+				      "at the apex");
 			}
 		}
 
@@ -3113,7 +3111,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
 
 		CHECK(remove_orphaned_ds(db, ver, &diff));
 
-		CHECK(add_signing_records(db, zonename, ver, &diff));
+		CHECK(add_signing_records(db, zonename, ver,
+					  dns_zone_getprivatetype(zone),
+					  &diff));
 
 		CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey,
 				   0, &has_dnskey));

bin/named/zoneconf.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: zoneconf.c,v 1.142 2008/01/18 23:46:57 tbox Exp $ */
+/* $Id: zoneconf.c,v 1.143 2008/04/02 02:37:41 marka Exp $ */
 
 /*% */
 
@@ -365,6 +365,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 	isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE;
 	isc_boolean_t ixfrdiff;
 	dns_masterformat_t masterformat;
+	int seconds;
 
 	i = 0;
 	if (zconfig != NULL) {
@@ -665,8 +666,26 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 		obj = NULL;
 		result = ns_config_get(maps, "sig-validity-interval", &obj);
 		INSIST(result == ISC_R_SUCCESS);
-		dns_zone_setsigvalidityinterval(zone,
-						cfg_obj_asuint32(obj) * 86400);
+		{
+			const cfg_obj_t *validity, *resign;
+
+			validity = cfg_tuple_get(obj, "validity");
+			seconds = cfg_obj_asuint32(validity) * 86400;
+			dns_zone_setsigvalidityinterval(zone, seconds);
+
+			resign = cfg_tuple_get(obj, "re-sign");
+			if (cfg_obj_isvoid(resign)) {
+				seconds /= 4;
+			} else {
+				if (seconds > 7 * 86400)
+					seconds = cfg_obj_asuint32(resign) *
+							86400;
+				else
+					seconds = cfg_obj_asuint32(resign) *
+							3600;
+			}
+			dns_zone_setsigresigninginterval(zone, seconds);
+		}
 
 		obj = NULL;
 		result = ns_config_get(maps, "key-directory", &obj);
@@ -681,6 +700,39 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			RETERR(dns_zone_setkeydirectory(zone, filename));
 		}
 
+		obj = NULL;
+		result = ns_config_get(maps, "sig-signing-signatures", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setsignatures(zone, cfg_obj_asuint32(obj));
+
+		obj = NULL;
+		result = ns_config_get(maps, "sig-signing-nodes", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setnodes(zone, cfg_obj_asuint32(obj));
+
+		obj = NULL;
+		result = ns_config_get(maps, "sig-signing-type", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj));
+
+		obj = NULL;
+		result = ns_config_get(maps, "update-check-ksk", &obj);
+		INSIST(result == ISC_R_SUCCESS);
+		dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
+				   cfg_obj_asboolean(obj));
+
+	} else if (ztype == dns_zone_slave) {
+		RETERR(configure_zone_acl(zconfig, vconfig, config,
+					  "allow-update-forwarding", ac, zone,
+					  dns_zone_setforwardacl,
+					  dns_zone_clearforwardacl));
+	}
+
+
+	/*%
+	 * Primary master functionality.
+	 */
+	if (ztype == dns_zone_master) {
 		obj = NULL;
 		result = ns_config_get(maps, "check-wildcard", &obj);
 		if (result == ISC_R_SUCCESS)
@@ -739,59 +791,6 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
 			INSIST(0);
 		dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
 		dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
-
-		obj = NULL;
-		result = ns_config_get(maps, "update-check-ksk", &obj);
-		INSIST(result == ISC_R_SUCCESS);
-		dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
-				   cfg_obj_asboolean(obj));
-	}
-
-	/*
-	 * Configure update-related options.  These apply to
-	 * primary masters only.
-	 */
-	if (ztype == dns_zone_master) {
-		dns_acl_t *updateacl;
-		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  "allow-update", ac, zone,
-					  dns_zone_setupdateacl,
-					  dns_zone_clearupdateacl));
-
-		updateacl = dns_zone_getupdateacl(zone);
-		if (updateacl != NULL  && dns_acl_isinsecure(updateacl))
-			isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
-				      NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
-				      "zone '%s' allows updates by IP "
-				      "address, which is insecure",
-				      zname);
-
-		RETERR(configure_zone_ssutable(zoptions, zone));
-
-		obj = NULL;
-		result = ns_config_get(maps, "sig-validity-interval", &obj);
-		INSIST(result == ISC_R_SUCCESS);
-		dns_zone_setsigvalidityinterval(zone,
-						cfg_obj_asuint32(obj) * 86400);
-
-		obj = NULL;
-		result = ns_config_get(maps, "key-directory", &obj);
-		if (result == ISC_R_SUCCESS) {
-			filename = cfg_obj_asstring(obj);
-			if (!isc_file_isabsolute(filename)) {
-				cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
-					    "key-directory '%s' "
-					    "is not absolute", filename);
-				return (ISC_R_FAILURE);
-			}
-			RETERR(dns_zone_setkeydirectory(zone, filename));
-		}
-
-	} else if (ztype == dns_zone_slave) {
-		RETERR(configure_zone_acl(zconfig, vconfig, config,
-					  "allow-update-forwarding", ac, zone,
-					  dns_zone_setforwardacl,
-					  dns_zone_clearforwardacl));
 	}
 
 	/*

bin/nsupdate/nsupdate.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: nsupdate.c,v 1.158 2008/04/01 01:37:24 marka Exp $ */
+/* $Id: nsupdate.c,v 1.159 2008/04/02 02:37:41 marka Exp $ */
 
 /*! \file */
 
@@ -1126,8 +1126,7 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) {
 	result = dns_message_gettemprdata(updatemsg, &rdata);
 	check_result(result, "dns_message_gettemprdata");
 
-	rdata->data = NULL;
-	rdata->length = 0;
+	dns_rdata_init(rdata);
 
 	if (isrrset && ispositive) {
 		retval = parse_rdata(&cmdline, rdataclass, rdatatype,
@@ -1446,10 +1445,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
 	result = dns_message_gettemprdata(updatemsg, &rdata);
 	check_result(result, "dns_message_gettemprdata");
 
-	rdata->rdclass = 0;
-	rdata->type = 0;
-	rdata->data = NULL;
-	rdata->length = 0;
+	dns_rdata_init(rdata);
 
 	/*
 	 * If this is an add, read the TTL and verify that it's in range.

bin/tests/system/lwresd/lwtest.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: lwtest.c,v 1.31 2008/01/14 23:46:56 tbox Exp $ */
+/* $Id: lwtest.c,v 1.32 2008/04/02 02:37:42 marka Exp $ */
 
 #include <config.h>
 
@@ -764,7 +764,7 @@ main(void) {
 	test_getrrsetbyname("a.example1.", 1, 1, 1, 0, 1);
 	test_getrrsetbyname("e.example1.", 1, 1, 1, 1, 1);
 	test_getrrsetbyname("e.example1.", 1, 255, 1, 1, 0);
-	test_getrrsetbyname("e.example1.", 1, 46, 1, 0, 1);
+	test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
 	test_getrrsetbyname("", 1, 1, 0, 0, 0);
 
 	if (fails == 0)

bin/tests/system/lwresd/ns1/e.example1.db

+; File written on Wed Mar  5 10:20:40 2008
+; dnssec_signzone version 9.3.4-P1
+e.example1.		300	IN SOA	mname1. . (
+					2002082210 ; serial
+					20         ; refresh (20 seconds)
+					20         ; retry (20 seconds)
+					1814400    ; expire (3 weeks)
+					3600       ; minimum (1 hour)
+					)
+			300	RRSIG	SOA 5 2 300 20010101000000 (
+					20000101000000 14043 e.example1.
+					KtYwrnKM7Tu53BNf8XuTix53r9kDdCneJ1X7
+					xklFbp4YjRKC3NhwVK9PFe0jdHOkIDMtrwxn
+					n7/Rp07xIyURqw== )
+			300	NS	ns.e.example1.
+			300	RRSIG	NS 5 2 300 20010101000000 (
+					20000101000000 14043 e.example1.
+					KBPx3XmNl4swVPdwuUEFuzZedMSfsyK2a0Fu
+					o2wBnbCuS7G7DtfW9690lP/eTyixLOIwlFLQ
+					MrjN3+XgpkdgIw== )
+			300	A	10.0.1.1
+			300	RRSIG	A 5 2 300 20010101000000 (
+					20000101000000 14043 e.example1.
+					KYlxMQUvv8DQtVgS23lNL5tFYmRppJ7vTgH3
+					btvgKbyHxW/04ewRsgCa82iu3iJipdEhKM11
+					ALkRNhqL7frnig== )
+			3600	NSEC	ns.e.example1. A NS SOA RRSIG NSEC DNSKEY
+			3600	RRSIG	NSEC 5 2 3600 20010101000000 (
+					20000101000000 14043 e.example1.
+					azSgagb7bldM06qSZg8nDZWOY2FbqeZY0/T8
+					nC+6VhCs7YTfNvXynLWmvmpqL7gVT6/O+Yi2
+					2lmdntld7GORrQ== )
+			300	DNSKEY	256 3 5 (
+					AwEAAcvAUMfH7wA0z077fJaF7RMrxAFyvo0/
+					7aAL4d2/yA5TqTaUCVnJtE+XgGO34kH9mwae
+					we+Nyv2kRWDeLl6nhGk=
+					) ; key id = 14043
+			300	RRSIG	DNSKEY 5 2 300 20010101000000 (
+					20000101000000 14043 e.example1.
+					BQFWOHopXuBNdzcopkdl1YVKGF0QvIaYpywM
+					fcpG5gi+sy9EoTofQ1UGsLOjU3nFXCvJFG4K
+					1gUhzEEti440/g== )
+ns.e.example1.		300	IN A	10.53.0.1
+			300	RRSIG	A 5 3 300 20010101000000 (
+					20000101000000 14043 e.example1.
+					cYPzsWNQ/eL4h2lihKRjKT2jhGpOqV9woGJA
+					/Jstx2iethOAvYtgY22CsAbCUr/6E4bSgBZR
+					TMoC604cNdFzIw== )
+			3600	NSEC	e.example1. A RRSIG NSEC
+			3600	RRSIG	NSEC 5 3 3600 20010101000000 (
+					20000101000000 14043 e.example1.
+					J8Md544zDLP4GjyAtkjH/rSFvpzXY/7bgJRS
+					YDoARwFQRmlrJvavXEjqElb2fTQqlNNz1cal
+					QROz/WJ3GLwOWw== )

bin/tests/system/lwresd/ns1/example1.db

@@ -13,7 +13,7 @@
 ; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 ; PERFORMANCE OF THIS SOFTWARE.
 
-; $Id: example1.db,v 1.17 2007/06/19 23:47:04 tbox Exp $
+; $Id: example1.db,v 1.18 2008/04/02 02:37:42 marka Exp $
 
 $TTL 300	; 5 minutes
 @			IN SOA	mname1. . (
@@ -32,7 +32,4 @@ a3			CNAME	nowhere
 b			AAAA	eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff
 8.8.7.7			DNAME	net
 0.0.f.f.e.e.d.d.c.c.b.b.a.a.9.9.net PTR     dname
-e			A	10.0.1.1
-			RRSIG	A 1 1 300 20001202003412 (
-				20001102003412 1 example. abcd )
-
+e			NS	ns.e

bin/tests/system/lwresd/ns1/named.conf

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: named.conf,v 1.19 2007/06/19 23:47:04 tbox Exp $ */
+/* $Id: named.conf,v 1.20 2008/04/02 02:37:42 marka Exp $ */
 
 controls { /* empty */ };
 
@@ -43,6 +43,11 @@ zone "example1." {
 	file "example1.db";
 };
 
+zone "e.example1." {
+	type master;
+	file "e.example1.db";
+};
+
 zone "example2." {
 	type master;
 	file "example2.db";

doc/arm/Bv9ARM-book.xml

@@ -18,7 +18,7 @@
  - PERFORMANCE OF THIS SOFTWARE.
 -->
 
-<!-- File: $Id: Bv9ARM-book.xml,v 1.347 2008/03/31 14:42:50 fdupont Exp $ -->
+<!-- File: $Id: Bv9ARM-book.xml,v 1.348 2008/04/02 02:37:42 marka Exp $ -->
 <book xmlns:xi="http://www.w3.org/2001/XInclude">
   <title>BIND 9 Administrator Reference Manual</title>
 
@@ -4553,6 +4553,10 @@ category notify { null; };
     <optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
     <optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
     <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
+    <optional> sig-re-signing-interval <replaceable>number</replaceable> ; </optional>
+    <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
+    <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
+    <optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
     <optional> min-roots <replaceable>number</replaceable>; </optional>
     <optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> provide-ixfr <replaceable>yes_or_no</replaceable>; </optional>
@@ -7256,22 +7260,76 @@ query-source-v6 address * port *;
               </listitem>
             </varlistentry>
 
-            <varlistentry>
-              <term><command>sig-validity-interval</command></term>
-              <listitem>
-                <para>
-                  Specifies the number of days into the
-                  future when DNSSEC signatures automatically generated as a
-                  result
-                  of dynamic updates (<xref linkend="dynamic_update"/>)
-                  will expire. The default is <literal>30</literal> days.
-                  The maximum value is 10 years (3660 days). The signature
-                  inception time is unconditionally set to one hour before the
-                  current time
-                  to allow for a limited amount of clock skew.
-                </para>
-              </listitem>
-            </varlistentry>
+	    <varlistentry>
+	      <term><command>sig-validity-interval</command></term>
+	      <listitem>
+		<para>
+		  Specifies the number of days into the future when
+		  DNSSEC signatures automatically generated as a
+		  result of dynamic updates (<xref
+		  linkend="dynamic_update"/>) will expire.  There
+		  is a optional second field which specifies how
+		  long before expiry that the signatures will be
+		  regenerated.  If not specified the signatures will
+		  be regenerated at 1/4 of base interval.  The second
+		  field is specified in days if the base interval is
+		  greater than 7 days otherwise it is specified in hours.
+		  The default base interval is <literal>30</literal> days
+		  giving a re-signing interval of 7 1/2 days .  The maximum
+		  values are 10 years (3660 days).
+		</para>
+		<para>
+		  The signature inception time is unconditionally
+		  set to one hour before the current time to allow
+		  for a limited amount of clock skew.
+		</para>
+		<para>
+		  The <command>sig-validity-interval</command>
+		  should be, at least, several multiples of the SOA
+		  expire interval to allow for reasonable interaction
+		  between the various timer and expiry dates.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>sig-signing-nodes</command></term>
+	      <listitem>
+		<para>
+		  Specify the number of maximum number nodes to be
+		  examined in each quantum when signing a zone with
+		  a new DNSKEY. The default is
+		  <literal>100</literal>.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>sig-signing-signatures</command></term>
+	      <listitem>
+		<para>
+		  Specify a threshold number of signatures that
+		  will terminate processing a quantum when signing
+		  a zone with a new DNSKEY.  The default is
+		  <literal>10</literal>.
+		</para>
+	      </listitem>
+	    </varlistentry>
+
+	    <varlistentry>
+	      <term><command>sig-signing-type</command></term>
+	      <listitem>
+		<para>
+		  Specify a private rdata type to be used when generating
+		  key signing records.  The default is
+		  <literal>65535</literal>.
+		</para>
+		<para>
+		  It is expected that this parameter may be removed
+		  in a future version once there is a standard type.
+		</para>
+	      </listitem>
+	    </varlistentry>
 
             <varlistentry>
               <term><command>min-refresh-time</command></term>
@@ -8384,6 +8442,10 @@ view "external" {
     <optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
     <optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
     <optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
+    <optional> sig-re-signing-interval <replaceable>number</replaceable> ; </optional>
+    <optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
+    <optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
+    <optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
     <optional> database <replaceable>string</replaceable> ; </optional>
     <optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
     <optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
@@ -9131,6 +9193,46 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
                 </listitem>
               </varlistentry>
 
+              <varlistentry>
+                <term><command>sig-re-signing-interval</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>sig-re-signing-interval</command> in <xref linkend="tuning"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>sig-signing-nodes</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>sig-signing-nodes</command> in <xref linkend="tuning"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>sig-signing-signatures</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>sig-signing-signatures</command> in <xref linkend="tuning"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
+              <varlistentry>
+                <term><command>sig-signing-type</command></term>
+                <listitem>
+                  <para>
+                    See the description of
+                    <command>sig-signing-type</command> in <xref linkend="tuning"/>.
+                  </para>
+                </listitem>
+              </varlistentry>
+
               <varlistentry>
                 <term><command>transfer-source</command></term>
                 <listitem>

lib/bind9/check.c

@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: check.c,v 1.90 2008/04/01 01:37:24 marka Exp $ */
+/* $Id: check.c,v 1.91 2008/04/02 02:37:42 marka Exp $ */
 
 /*! \file */
 
@@ -508,6 +508,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 	isc_result_t tresult;
 	unsigned int i;
 	const cfg_obj_t *obj = NULL;
+	const cfg_obj_t *resignobj = NULL;
 	const cfg_listelt_t *element;
 	isc_symtab_t *symtab = NULL;
 	dns_fixedname_t fixed;
@@ -523,7 +524,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 	{ "max-transfer-idle-out", 60, 28 * 24 * 60 },	/* 28 days */
 	{ "max-transfer-time-in", 60, 28 * 24 * 60 },	/* 28 days */
 	{ "max-transfer-time-out", 60, 28 * 24 * 60 },	/* 28 days */
-	{ "sig-validity-interval", 86400, 10 * 366 },	/* 10 years */
 	{ "statistics-interval", 60, 28 * 24 * 60 },	/* 28 days */
 	};
 
@@ -551,6 +551,43 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
 			result = ISC_R_RANGE;
 		}
 	}
+
+	obj = NULL;
+	cfg_map_get(options, "sig-validity-interval", &obj);
+	if (obj != NULL) {
+		isc_uint32_t validity, resign = 0;
+
+		validity = cfg_obj_asuint32(cfg_tuple_get(obj, "validity"));
+		resignobj = cfg_tuple_get(obj, "re-sign");
+		if (!cfg_obj_isvoid(resignobj))
+			resign = cfg_obj_asuint32(resignobj);
+
+		if (validity > 3660 || validity == 0) { /* 10 years */
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "%s '%u' is out of range (1..3660)",
+				    "sig-validity-interval", validity);
+			result = ISC_R_RANGE;
+		}
+
+		if (!cfg_obj_isvoid(resignobj)) {
+			if (resign > 3660 || resign == 0) { /* 10 years */
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "%s '%u' is out of range (1..3660)",
+					    "sig-validity-interval (re-sign)",
+					    validity);
+				result = ISC_R_RANGE;
+			} else if ((validity > 7 && validity < resign) ||
+				   (validity <= 7 && validity * 24 < resign)) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "validity interval (%u days) "
+					    "less than re-signing interval "
+					    "(%u %s)", validity, resign,
+					    (validity > 7) ? "days" : "hours");
+				result = ISC_R_RANGE;
+			}
+		}