3f42cf2f
Commit
3f42cf2f
authored
Apr 02, 2008
by
Mark Andrews
2349. [func] Provide incremental re-signing support for secure
dynamic zones. [RT
#1091
] back out incorrect branch rt1091 and apply correct branch rt1091a.
parent
60318da7
Changes
24
bin/named/config.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.8
4
2008/0
1/22 23:28:04 tbox
Exp $ */
/* $Id: config.c,v 1.8
5
2008/0
4/02 02:37:41 marka
Exp $ */
/*! \file */
...
...
@@ -172,6 +172,9 @@ options {\n\
min-refresh-time 300;
\n
\
multi-master no;
\n
\
sig-validity-interval 30; /* days */
\n
\
sig-signing-nodes 100;
\n
\
sig-signing-signatures 10;
\n
\
sig-signing-type 65535;
\n
\
zone-statistics false;
\n
\
max-journal-size unlimited;
\n
\
ixfr-from-differences false;
\n
\
...
...
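Review bot: The new default `sig-signing-type 65535;` selects the single RR type value that RFC 2929 marks Reserved rather than one of the Private Use types 65280–65534, even though the ARM text in this same commit describes the option as "a private rdata type". A zone using the default therefore publishes records of a type that can never be assigned and that other implementations may refuse to parse or transfer; `sig-signing-type 65534;` stays inside the private range with identical semantics. If the default is changed here, the matching `65535` in the ARM description should move with it, and a range check in check.c (whose tail is cut off on this page) would catch user-supplied values outside the private range.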
bin/named/named.conf.docbook
...
...
@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.conf.docbook,v 1.3
6
2008/0
1
/02
23:47:01 tbox
Exp $ -->
<!-- $Id: named.conf.docbook,v 1.3
7
2008/0
4
/02
02:37:41 marka
Exp $ -->
<refentry>
<refentryinfo>
<date>
Aug 13, 2004
</date>
...
...
@@ -316,7 +316,12 @@ options {
max-refresh-time
<replaceable>
integer
</replaceable>
;
min-refresh-time
<replaceable>
integer
</replaceable>
;
multi-master
<replaceable>
boolean
</replaceable>
;
sig-validity-interval
<replaceable>
integer
</replaceable>
;
sig-re-signing-interval
<replaceable>
integer
</replaceable>
;
sig-signing-nodes
<replaceable>
integer
</replaceable>
;
sig-signing-signatures
<replaceable>
integer
</replaceable>
;
sig-signing-type
<replaceable>
integer
</replaceable>
;
transfer-source (
<replaceable>
ipv4_address
</replaceable>
| * )
<optional>
port (
<replaceable>
integer
</replaceable>
| * )
</optional>
;
...
...
bin/named/update.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: update.c,v 1.14
4
2008/04/0
1 23:47:10 tbox
Exp $ */
/* $Id: update.c,v 1.14
5
2008/04/0
2 02:37:41 marka
Exp $ */
#include <config.h>
...
...
@@ -322,6 +322,7 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff.
*/
dns_diff_init
(
diff
->
mctx
,
&
temp_diff
);
temp_diff
.
resign
=
diff
->
resign
;
ISC_LIST_APPEND
(
temp_diff
.
tuples
,
*
tuple
,
link
);
/*
...
...
@@ -1842,8 +1843,6 @@ del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
dns_rdata_rrsig_t
rrsig
;
isc_boolean_t
found
;
fprintf
(
stderr
,
"del_keysigs
\n
"
);
dns_rdataset_init
(
&
rdataset
);
result
=
dns_db_findnode
(
db
,
name
,
ISC_FALSE
,
&
node
);
...
...
@@ -1944,6 +1943,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_diff_init
(
client
->
mctx
,
&
affected
);
dns_diff_init
(
client
->
mctx
,
&
sig_diff
);
sig_diff
.
resign
=
dns_zone_getsigresigninginterval
(
zone
);
dns_diff_init
(
client
->
mctx
,
&
nsec_diff
);
dns_diff_init
(
client
->
mctx
,
&
nsec_mindiff
);
...
...
@@ -2037,7 +2037,6 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
* Special case changes to the zone's DNSKEY records
* to support offline KSKs.
*/
fprintf
(
stderr
,
"delete signatures %u
\n
"
,
type
);
if
(
type
==
dns_rdatatype_dnskey
)
del_keysigs
(
db
,
newver
,
name
,
&
sig_diff
,
zone_keys
,
nkeys
);
...
...
@@ -2547,7 +2546,7 @@ check_mx(ns_client_t *client, dns_zone_t *zone,
static
isc_result_t
add_signing_records
(
dns_db_t
*
db
,
dns_name_t
*
name
,
dns_dbversion_t
*
ver
,
dns_diff_t
*
diff
)
dns_rdatatype_t
privatetype
,
dns_diff_t
*
diff
)
{
isc_result_t
result
=
ISC_R_SUCCESS
;
dns_difftuple_t
*
tuple
,
*
newtuple
=
NULL
;
...
...
@@ -2579,7 +2578,7 @@ add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
buf
[
3
]
=
0
;
rdata
.
data
=
buf
;
rdata
.
length
=
sizeof
(
buf
);
rdata
.
type
=
0xFFFF
;
/* XXXMPA make user settable */
rdata
.
type
=
privatetype
;
rdata
.
rdclass
=
tuple
->
rdata
.
rdclass
;
CHECK
(
dns_difftuple_create
(
diff
->
mctx
,
DNS_DIFFOP_ADD
,
name
,
...
...
@@ -2812,18 +2811,17 @@ update_action(isc_task_t *task, isc_event_t *event) {
* "Unlike traditional dynamic update, the client
* is forbidden from updating NSEC records."
*/
if
(
dns_db_is
dns
sec
(
db
))
{
if
(
dns_db_issec
ure
(
db
))
{
if
(
rdata
.
type
==
dns_rdatatype_nsec
)
{
FAILC
(
DNS_R_REFUSED
,
"explicit NSEC updates are not allowed "
"in secure zones"
);
}
else
if
(
rdata
.
type
==
dns_rdatatype_rrsig
&&
!
dns_name_equal
(
name
,
zonename
))
{
}
else
if
(
rdata
.
type
==
dns_rdatatype_rrsig
&&
!
dns_name_equal
(
name
,
zonename
))
{
FAILC
(
DNS_R_REFUSED
,
"explicit RRSIG updates are currently "
"not supported in secure zones except "
"at the apex
.
"
);
"at the apex"
);
}
}
...
...
@@ -3113,7 +3111,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
CHECK
(
remove_orphaned_ds
(
db
,
ver
,
&
diff
));
CHECK
(
add_signing_records
(
db
,
zonename
,
ver
,
&
diff
));
CHECK
(
add_signing_records
(
db
,
zonename
,
ver
,
dns_zone_getprivatetype
(
zone
),
&
diff
));
CHECK
(
rrset_exists
(
db
,
ver
,
zonename
,
dns_rdatatype_dnskey
,
0
,
&
has_dnskey
));
...
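Review bot: `add_signing_records` gains a `privatetype` parameter (the hunk carrying the new signature) that is written straight into `rdata.type` in the following hunk, but with the `XXXMPA make user settable` marker gone nothing records what the value is or where it comes from. A header comment such as `/* privatetype: RR type stamped on the signing-state records added here; taken from the zone's sig-signing-type setting via dns_zone_getprivatetype() */` would make explicit the contract the old hard-coded 0xFFFF left implicit. The function body continues outside the hunk. Separately, the update_action hunk swaps `dns_db_isdnssec(db)` for `dns_db_issecure(db)` without saying why; assuming the two predicates differ in how a zone holding a DNSKEY but no signatures is classified, a one-line comment at that `if` would spare the next reader a trip to the db API.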
...
bin/named/zoneconf.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zoneconf.c,v 1.14
2
2008/0
1/18 23:46:57 tbox
Exp $ */
/* $Id: zoneconf.c,v 1.14
3
2008/0
4/02 02:37:41 marka
Exp $ */
/*% */
...
...
@@ -365,6 +365,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
isc_boolean_t
warn
=
ISC_FALSE
,
ignore
=
ISC_FALSE
;
isc_boolean_t
ixfrdiff
;
dns_masterformat_t
masterformat
;
int
seconds
;
i
=
0
;
if
(
zconfig
!=
NULL
)
{
...
...
@@ -665,8 +666,26 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj
=
NULL
;
result
=
ns_config_get
(
maps
,
"sig-validity-interval"
,
&
obj
);
INSIST
(
result
==
ISC_R_SUCCESS
);
dns_zone_setsigvalidityinterval
(
zone
,
cfg_obj_asuint32
(
obj
)
*
86400
);
{
const
cfg_obj_t
*
validity
,
*
resign
;
validity
=
cfg_tuple_get
(
obj
,
"validity"
);
seconds
=
cfg_obj_asuint32
(
validity
)
*
86400
;
dns_zone_setsigvalidityinterval
(
zone
,
seconds
);
resign
=
cfg_tuple_get
(
obj
,
"re-sign"
);
if
(
cfg_obj_isvoid
(
resign
))
{
seconds
/=
4
;
}
else
{
if
(
seconds
>
7
*
86400
)
seconds
=
cfg_obj_asuint32
(
resign
)
*
86400
;
else
seconds
=
cfg_obj_asuint32
(
resign
)
*
3600
;
}
dns_zone_setsigresigninginterval
(
zone
,
seconds
);
}
obj
=
NULL
;
result
=
ns_config_get
(
maps
,
"key-directory"
,
&
obj
);
...
...
@@ -681,6 +700,39 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
RETERR
(
dns_zone_setkeydirectory
(
zone
,
filename
));
}
obj
=
NULL
;
result
=
ns_config_get
(
maps
,
"sig-signing-signatures"
,
&
obj
);
INSIST
(
result
==
ISC_R_SUCCESS
);
dns_zone_setsignatures
(
zone
,
cfg_obj_asuint32
(
obj
));
obj
=
NULL
;
result
=
ns_config_get
(
maps
,
"sig-signing-nodes"
,
&
obj
);
INSIST
(
result
==
ISC_R_SUCCESS
);
dns_zone_setnodes
(
zone
,
cfg_obj_asuint32
(
obj
));
obj
=
NULL
;
result
=
ns_config_get
(
maps
,
"sig-signing-type"
,
&
obj
);
INSIST
(
result
==
ISC_R_SUCCESS
);
dns_zone_setprivatetype
(
zone
,
cfg_obj_asuint32
(
obj
));
obj
=
NULL
;
result
=
ns_config_get
(
maps
,
"update-check-ksk"
,
&
obj
);
INSIST
(
result
==
ISC_R_SUCCESS
);
dns_zone_setoption
(
zone
,
DNS_ZONEOPT_UPDATECHECKKSK
,
cfg_obj_asboolean
(
obj
));
}
else
if
(
ztype
==
dns_zone_slave
)
{
RETERR
(
configure_zone_acl
(
zconfig
,
vconfig
,
config
,
"allow-update-forwarding"
,
ac
,
zone
,
dns_zone_setforwardacl
,
dns_zone_clearforwardacl
));
}
/*%
* Primary master functionality.
*/
if
(
ztype
==
dns_zone_master
)
{
obj
=
NULL
;
result
=
ns_config_get
(
maps
,
"check-wildcard"
,
&
obj
);
if
(
result
==
ISC_R_SUCCESS
)
...
...
@@ -739,59 +791,6 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST
(
0
);
dns_zone_setoption
(
zone
,
DNS_ZONEOPT_WARNSRVCNAME
,
warn
);
dns_zone_setoption
(
zone
,
DNS_ZONEOPT_IGNORESRVCNAME
,
ignore
);
obj
=
NULL
;
result
=
ns_config_get
(
maps
,
"update-check-ksk"
,
&
obj
);
INSIST
(
result
==
ISC_R_SUCCESS
);
dns_zone_setoption
(
zone
,
DNS_ZONEOPT_UPDATECHECKKSK
,
cfg_obj_asboolean
(
obj
));
}
/*
* Configure update-related options. These apply to
* primary masters only.
*/
if
(
ztype
==
dns_zone_master
)
{
dns_acl_t
*
updateacl
;
RETERR
(
configure_zone_acl
(
zconfig
,
vconfig
,
config
,
"allow-update"
,
ac
,
zone
,
dns_zone_setupdateacl
,
dns_zone_clearupdateacl
));
updateacl
=
dns_zone_getupdateacl
(
zone
);
if
(
updateacl
!=
NULL
&&
dns_acl_isinsecure
(
updateacl
))
isc_log_write
(
ns_g_lctx
,
DNS_LOGCATEGORY_SECURITY
,
NS_LOGMODULE_SERVER
,
ISC_LOG_WARNING
,
"zone '%s' allows updates by IP "
"address, which is insecure"
,
zname
);
RETERR
(
configure_zone_ssutable
(
zoptions
,
zone
));
obj
=
NULL
;
result
=
ns_config_get
(
maps
,
"sig-validity-interval"
,
&
obj
);
INSIST
(
result
==
ISC_R_SUCCESS
);
dns_zone_setsigvalidityinterval
(
zone
,
cfg_obj_asuint32
(
obj
)
*
86400
);
obj
=
NULL
;
result
=
ns_config_get
(
maps
,
"key-directory"
,
&
obj
);
if
(
result
==
ISC_R_SUCCESS
)
{
filename
=
cfg_obj_asstring
(
obj
);
if
(
!
isc_file_isabsolute
(
filename
))
{
cfg_obj_log
(
obj
,
ns_g_lctx
,
ISC_LOG_ERROR
,
"key-directory '%s' "
"is not absolute"
,
filename
);
return
(
ISC_R_FAILURE
);
}
RETERR
(
dns_zone_setkeydirectory
(
zone
,
filename
));
}
}
else
if
(
ztype
==
dns_zone_slave
)
{
RETERR
(
configure_zone_acl
(
zconfig
,
vconfig
,
config
,
"allow-update-forwarding"
,
ac
,
zone
,
dns_zone_setforwardacl
,
dns_zone_clearforwardacl
));
}
/*
...
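Review bot: `dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj))` in the second hunk passes a 32-bit configuration value to a setter whose parameter is presumably `dns_rdatatype_t` (16 bits), so a `sig-signing-type` above 65535 is silently truncated, and nothing in the hunk rejects values outside the 65280–65534 Private Use range or values that collide with assigned types; unless the check.c hunk (cut off on this page) covers it, a guard like `if (type < 65280 || type > 65534) { cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR, "sig-signing-type '%u' is not a private-use type", type); return (ISC_R_RANGE); }` belongs here or in check_options. The adjacent `dns_zone_setsignatures` and `dns_zone_setnodes` calls likewise pass a configured 0 through as far as the hunk shows, which would presumably stall signing quanta. In the first hunk, `seconds` is an `int` that receives `cfg_obj_asuint32(resign) * 86400`; the validity field has been range-limited in check.c, but I cannot see an equivalent bound on the re-sign field, so that product can overflow `int` for large configured values, and the hunk also never confirms that the derived re-signing interval is shorter than the validity interval it is meant to precede.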
...
bin/nsupdate/nsupdate.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nsupdate.c,v 1.15
8
2008/04/0
1
0
1
:37:
2
4 marka Exp $ */
/* $Id: nsupdate.c,v 1.15
9
2008/04/0
2
0
2
:37:4
1
marka Exp $ */
/*! \file */
...
...
@@ -1126,8 +1126,7 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) {
result
=
dns_message_gettemprdata
(
updatemsg
,
&
rdata
);
check_result
(
result
,
"dns_message_gettemprdata"
);
rdata
->
data
=
NULL
;
rdata
->
length
=
0
;
dns_rdata_init
(
rdata
);
if
(
isrrset
&&
ispositive
)
{
retval
=
parse_rdata
(
&
cmdline
,
rdataclass
,
rdatatype
,
...
...
@@ -1446,10 +1445,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
result
=
dns_message_gettemprdata
(
updatemsg
,
&
rdata
);
check_result
(
result
,
"dns_message_gettemprdata"
);
rdata
->
rdclass
=
0
;
rdata
->
type
=
0
;
rdata
->
data
=
NULL
;
rdata
->
length
=
0
;
dns_rdata_init
(
rdata
);
/*
* If this is an add, read the TTL and verify that it's in range.
...
...
bin/tests/system/lwresd/lwtest.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: lwtest.c,v 1.3
1
2008/0
1/14 23:46:56 tbox
Exp $ */
/* $Id: lwtest.c,v 1.3
2
2008/0
4/02 02:37:42 marka
Exp $ */
#include <config.h>
...
...
@@ -764,7 +764,7 @@ main(void) {
test_getrrsetbyname
(
"a.example1."
,
1
,
1
,
1
,
0
,
1
);
test_getrrsetbyname
(
"e.example1."
,
1
,
1
,
1
,
1
,
1
);
test_getrrsetbyname
(
"e.example1."
,
1
,
255
,
1
,
1
,
0
);
test_getrrsetbyname
(
"e.example1."
,
1
,
46
,
1
,
0
,
1
);
test_getrrsetbyname
(
"e.example1."
,
1
,
46
,
2
,
0
,
1
);
test_getrrsetbyname
(
""
,
1
,
1
,
0
,
0
,
0
);
if
(
fails
==
0
)
...
...
bin/tests/system/lwresd/ns1/e.example1.db
0 → 100644
; File written on Wed Mar 5 10:20:40 2008
; dnssec_signzone version 9.3.4-P1
e.example1. 300 IN SOA mname1. . (
2002082210 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
300 RRSIG SOA 5 2 300 20010101000000 (
20000101000000 14043 e.example1.
KtYwrnKM7Tu53BNf8XuTix53r9kDdCneJ1X7
xklFbp4YjRKC3NhwVK9PFe0jdHOkIDMtrwxn
n7/Rp07xIyURqw== )
300 NS ns.e.example1.
300 RRSIG NS 5 2 300 20010101000000 (
20000101000000 14043 e.example1.
KBPx3XmNl4swVPdwuUEFuzZedMSfsyK2a0Fu
o2wBnbCuS7G7DtfW9690lP/eTyixLOIwlFLQ
MrjN3+XgpkdgIw== )
300 A 10.0.1.1
300 RRSIG A 5 2 300 20010101000000 (
20000101000000 14043 e.example1.
KYlxMQUvv8DQtVgS23lNL5tFYmRppJ7vTgH3
btvgKbyHxW/04ewRsgCa82iu3iJipdEhKM11
ALkRNhqL7frnig== )
3600 NSEC ns.e.example1. A NS SOA RRSIG NSEC DNSKEY
3600 RRSIG NSEC 5 2 3600 20010101000000 (
20000101000000 14043 e.example1.
azSgagb7bldM06qSZg8nDZWOY2FbqeZY0/T8
nC+6VhCs7YTfNvXynLWmvmpqL7gVT6/O+Yi2
2lmdntld7GORrQ== )
300 DNSKEY 256 3 5 (
AwEAAcvAUMfH7wA0z077fJaF7RMrxAFyvo0/
7aAL4d2/yA5TqTaUCVnJtE+XgGO34kH9mwae
we+Nyv2kRWDeLl6nhGk=
) ; key id = 14043
300 RRSIG DNSKEY 5 2 300 20010101000000 (
20000101000000 14043 e.example1.
BQFWOHopXuBNdzcopkdl1YVKGF0QvIaYpywM
fcpG5gi+sy9EoTofQ1UGsLOjU3nFXCvJFG4K
1gUhzEEti440/g== )
ns.e.example1. 300 IN A 10.53.0.1
300 RRSIG A 5 3 300 20010101000000 (
20000101000000 14043 e.example1.
cYPzsWNQ/eL4h2lihKRjKT2jhGpOqV9woGJA
/Jstx2iethOAvYtgY22CsAbCUr/6E4bSgBZR
TMoC604cNdFzIw== )
3600 NSEC e.example1. A RRSIG NSEC
3600 RRSIG NSEC 5 3 3600 20010101000000 (
20000101000000 14043 e.example1.
J8Md544zDLP4GjyAtkjH/rSFvpzXY/7bgJRS
YDoARwFQRmlrJvavXEjqElb2fTQqlNNz1cal
QROz/WJ3GLwOWw== )
bin/tests/system/lwresd/ns1/example1.db
...
...
@@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: example1.db,v 1.1
7
200
7
/0
6/19 23:47:04 tbox
Exp $
; $Id: example1.db,v 1.1
8
200
8
/0
4/02 02:37:42 marka
Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
...
...
@@ -32,7 +32,4 @@ a3 CNAME nowhere
b AAAA eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff
8.8.7.7 DNAME net
0.0.f.f.e.e.d.d.c.c.b.b.a.a.9.9.net PTR dname
e A 10.0.1.1
RRSIG A 1 1 300 20001202003412 (
20001102003412 1 example. abcd )
e NS ns.e
bin/tests/system/lwresd/ns1/named.conf
...
...
@@ -15,7 +15,7 @@
*
PERFORMANCE
OF
THIS
SOFTWARE
.
*/
/* $
Id
:
named
.
conf
,
v
1
.
19
200
7
/
0
6
/
19
23
:
47
:
04
tbox
Exp
$ */
/* $
Id
:
named
.
conf
,
v
1
.
20
200
8
/
0
4
/
02
02
:
37
:
42
marka
Exp
$ */
controls
{ /*
empty
*/ };
...
...
@@ -43,6 +43,11 @@ zone "example1." {
file
"example1.db"
;
};
zone
"e.example1."
{
type
master
;
file
"e.example1.db"
;
};
zone
"example2."
{
type
master
;
file
"example2.db"
;
...
...
doc/arm/Bv9ARM-book.xml
...
...
@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.34
7
2008/0
3/31 14:42:50 fdupont
Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.34
8
2008/0
4/02 02:37:42 marka
Exp $ -->
<book
xmlns:xi=
"http://www.w3.org/2001/XInclude"
>
<title>
BIND 9 Administrator Reference Manual
</title>
...
...
@@ -4553,6 +4553,10 @@ category notify { null; };
<optional>
max-ncache-ttl
<replaceable>
number
</replaceable>
;
</optional>
<optional>
max-cache-ttl
<replaceable>
number
</replaceable>
;
</optional>
<optional>
sig-validity-interval
<replaceable>
number
</replaceable>
;
</optional>
<optional>
sig-re-signing-interval
<replaceable>
number
</replaceable>
;
</optional>
<optional>
sig-signing-nodes
<replaceable>
number
</replaceable>
;
</optional>
<optional>
sig-signing-signatures
<replaceable>
number
</replaceable>
;
</optional>
<optional>
sig-signing-type
<replaceable>
number
</replaceable>
;
</optional>
<optional>
min-roots
<replaceable>
number
</replaceable>
;
</optional>
<optional>
use-ixfr
<replaceable>
yes_or_no
</replaceable>
;
</optional>
<optional>
provide-ixfr
<replaceable>
yes_or_no
</replaceable>
;
</optional>
...
...
@@ -7256,22 +7260,76 @@ query-source-v6 address * port *;
</listitem>
</varlistentry>
<varlistentry>
<term><command>
sig-validity-interval
</command></term>
<listitem>
<para>
Specifies the number of days into the
future when DNSSEC signatures automatically generated as a
result
of dynamic updates (
<xref
linkend=
"dynamic_update"
/>
)
will expire. The default is
<literal>
30
</literal>
days.
The maximum value is 10 years (3660 days). The signature
inception time is unconditionally set to one hour before the
current time
to allow for a limited amount of clock skew.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>
sig-validity-interval
</command></term>
<listitem>
<para>
Specifies the number of days into the future when
DNSSEC signatures automatically generated as a
result of dynamic updates (
<xref
linkend=
"dynamic_update"
/>
) will expire. There
is a optional second field which specifies how
long before expiry that the signatures will be
regenerated. If not specified the signatures will
be regenerated at 1/4 of base interval. The second
field is specified in days if the base interval is
greater than 7 days otherwise it is specified in hours.
The default base interval is
<literal>
30
</literal>
days
giving a re-signing interval of 7 1/2 days . The maximum
values are 10 years (3660 days).
</para>
<para>
The signature inception time is unconditionally
set to one hour before the current time to allow
for a limited amount of clock skew.
</para>
<para>
The
<command>
sig-validity-interval
</command>
should be, at least, several multiples of the SOA
expire interval to allow for reasonable interaction
between the various timer and expiry dates.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>
sig-signing-nodes
</command></term>
<listitem>
<para>
Specify the number of maximum number nodes to be
examined in each quantum when signing a zone with
a new DNSKEY. The default is
<literal>
100
</literal>
.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>
sig-signing-signatures
</command></term>
<listitem>
<para>
Specify a threshold number of signatures that
will terminate processing a quantum when signing
a zone with a new DNSKEY. The default is
<literal>
10
</literal>
.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>
sig-signing-type
</command></term>
<listitem>
<para>
Specify a private rdata type to be used when generating
key signing records. The default is
<literal>
65535
</literal>
.
</para>
<para>
It is expected that this parameter may be removed
in a future version once there is a standard type.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>
min-refresh-time
</command></term>
...
...
@@ -8384,6 +8442,10 @@ view "external" {
<optional>
notify-source-v6 (
<replaceable>
ip6_addr
</replaceable>
|
<constant>
*
</constant>
)
<optional>
port
<replaceable>
ip_port
</replaceable></optional>
;
</optional>
<optional>
zone-statistics
<replaceable>
yes_or_no
</replaceable>
;
</optional>
<optional>
sig-validity-interval
<replaceable>
number
</replaceable>
;
</optional>
<optional>
sig-re-signing-interval
<replaceable>
number
</replaceable>
;
</optional>
<optional>
sig-signing-nodes
<replaceable>
number
</replaceable>
;
</optional>
<optional>
sig-signing-signatures
<replaceable>
number
</replaceable>
;
</optional>
<optional>
sig-signing-type
<replaceable>
number
</replaceable>
;
</optional>
<optional>
database
<replaceable>
string
</replaceable>
;
</optional>
<optional>
min-refresh-time
<replaceable>
number
</replaceable>
;
</optional>
<optional>
max-refresh-time
<replaceable>
number
</replaceable>
;
</optional>
...
...
@@ -9131,6 +9193,46 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</listitem>
</varlistentry>
<varlistentry>
<term><command>
sig-re-signing-interval
</command></term>
<listitem>
<para>
See the description of
<command>
sig-re-signing-interval
</command>
in
<xref
linkend=
"tuning"
/>
.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>
sig-signing-nodes
</command></term>
<listitem>
<para>
See the description of
<command>
sig-signing-nodes
</command>
in
<xref
linkend=
"tuning"
/>
.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>
sig-signing-signatures
</command></term>
<listitem>
<para>
See the description of
<command>
sig-signing-signatures
</command>
in
<xref
linkend=
"tuning"
/>
.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>
sig-signing-type
</command></term>
<listitem>
<para>
See the description of
<command>
sig-signing-type
</command>
in
<xref
linkend=
"tuning"
/>
.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>
transfer-source
</command></term>
<listitem>
...
...
lib/bind9/check.c
...
...
@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check.c,v 1.9
0
2008/04/0
1
0
1
:37:
2
4 marka Exp $ */
/* $Id: check.c,v 1.9
1
2008/04/0
2
0
2
:37:4
2
marka Exp $ */
/*! \file */
...
...
@@ -508,6 +508,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
isc_result_t
tresult
;
unsigned
int
i
;
const
cfg_obj_t
*
obj
=
NULL
;
const
cfg_obj_t
*
resignobj
=
NULL
;
const
cfg_listelt_t
*
element
;
isc_symtab_t
*
symtab
=
NULL
;
dns_fixedname_t
fixed
;
...
...
@@ -523,7 +524,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
{
"max-transfer-idle-out"
,
60
,
28
*
24
*
60
},
/* 28 days */
{
"max-transfer-time-in"
,
60
,
28
*
24
*
60
},
/* 28 days */
{
"max-transfer-time-out"
,
60
,
28
*
24
*
60
},
/* 28 days */
{
"sig-validity-interval"
,
86400
,
10
*
366
},
/* 10 years */
{
"statistics-interval"
,
60
,
28
*
24
*
60
},
/* 28 days */
};
...
...
@@ -551,6 +551,43 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
result
=
ISC_R_RANGE
;
}
}
obj
=
NULL
;
cfg_map_get
(
options
,
"sig-validity-interval"
,
&
obj
);
if
(
obj
!=
NULL
)
{
isc_uint32_t
validity
,
resign
=
0
;
validity
=
cfg_obj_asuint32
(
cfg_tuple_get
(
obj
,
"validity"
));
resignobj
=
cfg_tuple_get
(
obj
,
"re-sign"
);
if
(
!
cfg_obj_isvoid
(
resignobj
))