Commit 3f42cf2f authored by Mark Andrews's avatar Mark Andrews

2349. [func] Provide incremental re-signing support for secure

                        dynamic zones. [RT #1091]

back out incorrect branch rt1091 and apply correct branch rt1091a.
parent 60318da7
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: config.c,v 1.84 2008/01/22 23:28:04 tbox Exp $ */
/* $Id: config.c,v 1.85 2008/04/02 02:37:41 marka Exp $ */
/*! \file */
......@@ -172,6 +172,9 @@ options {\n\
min-refresh-time 300;\n\
multi-master no;\n\
sig-validity-interval 30; /* days */\n\
sig-signing-nodes 100;\n\
sig-signing-signatures 10;\n\
sig-signing-type 65535;\n\
zone-statistics false;\n\
max-journal-size unlimited;\n\
ixfr-from-differences false;\n\
......
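Review bot: The new built-in default `sig-signing-type 65535;\n\` selects the RR TYPE value that the IANA registry lists as Reserved, not one of the Private-use values 65280–65534, which is what the ARM text in this same commit describes the option as ("a private rdata type ... until there is a standard type"). The other two new defaults (`sig-signing-nodes 100`, `sig-signing-signatures 10`) are plain tuning knobs, but this one ends up as a real type code written into the zone by update.c, so it is worth confirming 65535 is intended rather than a private-use value, and recording the choice next to it in the same way the existing line does for `sig-validity-interval`, e.g. `sig-signing-type 65535; /* reserved TYPE, see ARM sig-signing-type */\n\`.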
......@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: named.conf.docbook,v 1.36 2008/01/02 23:47:01 tbox Exp $ -->
<!-- $Id: named.conf.docbook,v 1.37 2008/04/02 02:37:41 marka Exp $ -->
<refentry>
<refentryinfo>
<date>Aug 13, 2004</date>
......@@ -316,7 +316,12 @@ options {
max-refresh-time <replaceable>integer</replaceable>;
min-refresh-time <replaceable>integer</replaceable>;
multi-master <replaceable>boolean</replaceable>;
sig-validity-interval <replaceable>integer</replaceable>;
sig-re-signing-interval <replaceable>integer</replaceable>;
sig-signing-nodes <replaceable>integer</replaceable>;
sig-signing-signatures <replaceable>integer</replaceable>;
sig-signing-type <replaceable>integer</replaceable>;
transfer-source ( <replaceable>ipv4_address</replaceable> | * )
<optional> port ( <replaceable>integer</replaceable> | * ) </optional>;
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: update.c,v 1.144 2008/04/01 23:47:10 tbox Exp $ */
/* $Id: update.c,v 1.145 2008/04/02 02:37:41 marka Exp $ */
#include <config.h>
......@@ -322,6 +322,7 @@ do_one_tuple(dns_difftuple_t **tuple, dns_db_t *db, dns_dbversion_t *ver,
* Create a singleton diff.
*/
dns_diff_init(diff->mctx, &temp_diff);
temp_diff.resign = diff->resign;
ISC_LIST_APPEND(temp_diff.tuples, *tuple, link);
/*
......@@ -1842,8 +1843,6 @@ del_keysigs(dns_db_t *db, dns_dbversion_t *ver, dns_name_t *name,
dns_rdata_rrsig_t rrsig;
isc_boolean_t found;
fprintf(stderr, "del_keysigs\n");
dns_rdataset_init(&rdataset);
result = dns_db_findnode(db, name, ISC_FALSE, &node);
......@@ -1944,6 +1943,7 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
dns_diff_init(client->mctx, &affected);
dns_diff_init(client->mctx, &sig_diff);
sig_diff.resign = dns_zone_getsigresigninginterval(zone);
dns_diff_init(client->mctx, &nsec_diff);
dns_diff_init(client->mctx, &nsec_mindiff);
......@@ -2037,7 +2037,6 @@ update_signatures(ns_client_t *client, dns_zone_t *zone, dns_db_t *db,
* Special case changes to the zone's DNSKEY records
* to support offline KSKs.
*/
fprintf(stderr, "delete signatures %u\n", type);
if (type == dns_rdatatype_dnskey)
del_keysigs(db, newver, name, &sig_diff,
zone_keys, nkeys);
......@@ -2547,7 +2546,7 @@ check_mx(ns_client_t *client, dns_zone_t *zone,
static isc_result_t
add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
dns_diff_t *diff)
dns_rdatatype_t privatetype, dns_diff_t *diff)
{
isc_result_t result = ISC_R_SUCCESS;
dns_difftuple_t *tuple, *newtuple = NULL;
......@@ -2579,7 +2578,7 @@ add_signing_records(dns_db_t *db, dns_name_t *name, dns_dbversion_t *ver,
buf[3] = 0;
rdata.data = buf;
rdata.length = sizeof(buf);
rdata.type = 0xFFFF; /* XXXMPA make user settable */
rdata.type = privatetype;
rdata.rdclass = tuple->rdata.rdclass;
CHECK(dns_difftuple_create(diff->mctx, DNS_DIFFOP_ADD, name,
......@@ -2812,18 +2811,17 @@ update_action(isc_task_t *task, isc_event_t *event) {
* "Unlike traditional dynamic update, the client
* is forbidden from updating NSEC records."
*/
if (dns_db_isdnssec(db)) {
if (dns_db_issecure(db)) {
if (rdata.type == dns_rdatatype_nsec) {
FAILC(DNS_R_REFUSED,
"explicit NSEC updates are not allowed "
"in secure zones");
}
else if (rdata.type == dns_rdatatype_rrsig &&
!dns_name_equal(name, zonename)) {
} else if (rdata.type == dns_rdatatype_rrsig &&
!dns_name_equal(name, zonename)) {
FAILC(DNS_R_REFUSED,
"explicit RRSIG updates are currently "
"not supported in secure zones except "
"at the apex.");
"at the apex");
}
}
......@@ -3113,7 +3111,9 @@ update_action(isc_task_t *task, isc_event_t *event) {
CHECK(remove_orphaned_ds(db, ver, &diff));
CHECK(add_signing_records(db, zonename, ver, &diff));
CHECK(add_signing_records(db, zonename, ver,
dns_zone_getprivatetype(zone),
&diff));
CHECK(rrset_exists(db, ver, zonename, dns_rdatatype_dnskey,
0, &has_dnskey));
......
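Review bot: `add_signing_records` gains a `privatetype` parameter that is stored straight into `rdata.type` (replacing the former hard-coded `0xFFFF`) and then added to the zone through `dns_difftuple_create(..., DNS_DIFFOP_ADD, ...)`, but the hunk carries no comment on what values the parameter accepts, and the caller in `update_action` feeds it whatever `dns_zone_getprivatetype(zone)` returns from the `sig-signing-type` option. Suggest a comment on the new parameter along the lines of `/* privatetype: RR type of the signing-state records added alongside DNSKEY changes (from sig-signing-type); whatever type code arrives here is what gets inserted into the zone. */`. I do not see, in the parts of this commit shown, a check that bounds the configured value to the 16-bit type range or to the private-use range before it reaches this function; if none exists elsewhere it belongs in the config checker rather than here. The body of `add_signing_records` continues outside the hunk.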
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: zoneconf.c,v 1.142 2008/01/18 23:46:57 tbox Exp $ */
/* $Id: zoneconf.c,v 1.143 2008/04/02 02:37:41 marka Exp $ */
/*% */
......@@ -365,6 +365,7 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
isc_boolean_t warn = ISC_FALSE, ignore = ISC_FALSE;
isc_boolean_t ixfrdiff;
dns_masterformat_t masterformat;
int seconds;
i = 0;
if (zconfig != NULL) {
......@@ -665,8 +666,26 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL;
result = ns_config_get(maps, "sig-validity-interval", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setsigvalidityinterval(zone,
cfg_obj_asuint32(obj) * 86400);
{
const cfg_obj_t *validity, *resign;
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity) * 86400;
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else {
if (seconds > 7 * 86400)
seconds = cfg_obj_asuint32(resign) *
86400;
else
seconds = cfg_obj_asuint32(resign) *
3600;
}
dns_zone_setsigresigninginterval(zone, seconds);
}
obj = NULL;
result = ns_config_get(maps, "key-directory", &obj);
......@@ -681,6 +700,39 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
RETERR(dns_zone_setkeydirectory(zone, filename));
}
obj = NULL;
result = ns_config_get(maps, "sig-signing-signatures", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setsignatures(zone, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "sig-signing-nodes", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setnodes(zone, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "sig-signing-type", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setprivatetype(zone, cfg_obj_asuint32(obj));
obj = NULL;
result = ns_config_get(maps, "update-check-ksk", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
cfg_obj_asboolean(obj));
} else if (ztype == dns_zone_slave) {
RETERR(configure_zone_acl(zconfig, vconfig, config,
"allow-update-forwarding", ac, zone,
dns_zone_setforwardacl,
dns_zone_clearforwardacl));
}
/*%
* Primary master functionality.
*/
if (ztype == dns_zone_master) {
obj = NULL;
result = ns_config_get(maps, "check-wildcard", &obj);
if (result == ISC_R_SUCCESS)
......@@ -739,59 +791,6 @@ ns_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(0);
dns_zone_setoption(zone, DNS_ZONEOPT_WARNSRVCNAME, warn);
dns_zone_setoption(zone, DNS_ZONEOPT_IGNORESRVCNAME, ignore);
obj = NULL;
result = ns_config_get(maps, "update-check-ksk", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
cfg_obj_asboolean(obj));
}
/*
* Configure update-related options. These apply to
* primary masters only.
*/
if (ztype == dns_zone_master) {
dns_acl_t *updateacl;
RETERR(configure_zone_acl(zconfig, vconfig, config,
"allow-update", ac, zone,
dns_zone_setupdateacl,
dns_zone_clearupdateacl));
updateacl = dns_zone_getupdateacl(zone);
if (updateacl != NULL && dns_acl_isinsecure(updateacl))
isc_log_write(ns_g_lctx, DNS_LOGCATEGORY_SECURITY,
NS_LOGMODULE_SERVER, ISC_LOG_WARNING,
"zone '%s' allows updates by IP "
"address, which is insecure",
zname);
RETERR(configure_zone_ssutable(zoptions, zone));
obj = NULL;
result = ns_config_get(maps, "sig-validity-interval", &obj);
INSIST(result == ISC_R_SUCCESS);
dns_zone_setsigvalidityinterval(zone,
cfg_obj_asuint32(obj) * 86400);
obj = NULL;
result = ns_config_get(maps, "key-directory", &obj);
if (result == ISC_R_SUCCESS) {
filename = cfg_obj_asstring(obj);
if (!isc_file_isabsolute(filename)) {
cfg_obj_log(obj, ns_g_lctx, ISC_LOG_ERROR,
"key-directory '%s' "
"is not absolute", filename);
return (ISC_R_FAILURE);
}
RETERR(dns_zone_setkeydirectory(zone, filename));
}
} else if (ztype == dns_zone_slave) {
RETERR(configure_zone_acl(zconfig, vconfig, config,
"allow-update-forwarding", ac, zone,
dns_zone_setforwardacl,
dns_zone_clearforwardacl));
}
/*
......
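Review bot: `seconds` is declared as `int seconds;` but is assigned `cfg_obj_asuint32(validity) * 86400`, an unsigned 32-bit product that is narrowed on assignment and then compared as signed in `if (seconds > 7 * 86400)`; `ns_zone_configure` itself puts no bound on `validity` and relies on the range check living in check.c, a different file. With the 1..3660 bound that check enforces the product does fit, but declaring it `isc_uint32_t seconds;` matches the value the old code passed to `dns_zone_setsigvalidityinterval` (`cfg_obj_asuint32(obj) * 86400`) and removes the narrowing altogether. Two related points from the same commit: the companion re-sign range check in check.c passes `validity` rather than `resign` to the `"%s '%u' is out of range (1..3660)"` message labelled `"sig-validity-interval (re-sign)"`, and the ARM and named.conf.docbook changes list a separate `sig-re-signing-interval` option, whereas this hunk and check.c both read the re-sign value as the second field of `sig-validity-interval` (`cfg_tuple_get(obj, "re-sign")`), so the documentation and the grammar need aligning. `ns_zone_configure` starts and ends outside the hunk.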
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: nsupdate.c,v 1.158 2008/04/01 01:37:24 marka Exp $ */
/* $Id: nsupdate.c,v 1.159 2008/04/02 02:37:41 marka Exp $ */
/*! \file */
......@@ -1126,8 +1126,7 @@ make_prereq(char *cmdline, isc_boolean_t ispositive, isc_boolean_t isrrset) {
result = dns_message_gettemprdata(updatemsg, &rdata);
check_result(result, "dns_message_gettemprdata");
rdata->data = NULL;
rdata->length = 0;
dns_rdata_init(rdata);
if (isrrset && ispositive) {
retval = parse_rdata(&cmdline, rdataclass, rdatatype,
......@@ -1446,10 +1445,7 @@ update_addordelete(char *cmdline, isc_boolean_t isdelete) {
result = dns_message_gettemprdata(updatemsg, &rdata);
check_result(result, "dns_message_gettemprdata");
rdata->rdclass = 0;
rdata->type = 0;
rdata->data = NULL;
rdata->length = 0;
dns_rdata_init(rdata);
/*
* If this is an add, read the TTL and verify that it's in range.
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: lwtest.c,v 1.31 2008/01/14 23:46:56 tbox Exp $ */
/* $Id: lwtest.c,v 1.32 2008/04/02 02:37:42 marka Exp $ */
#include <config.h>
......@@ -764,7 +764,7 @@ main(void) {
test_getrrsetbyname("a.example1.", 1, 1, 1, 0, 1);
test_getrrsetbyname("e.example1.", 1, 1, 1, 1, 1);
test_getrrsetbyname("e.example1.", 1, 255, 1, 1, 0);
test_getrrsetbyname("e.example1.", 1, 46, 1, 0, 1);
test_getrrsetbyname("e.example1.", 1, 46, 2, 0, 1);
test_getrrsetbyname("", 1, 1, 0, 0, 0);
if (fails == 0)
......
; File written on Wed Mar 5 10:20:40 2008
; dnssec_signzone version 9.3.4-P1
e.example1. 300 IN SOA mname1. . (
2002082210 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
300 RRSIG SOA 5 2 300 20010101000000 (
20000101000000 14043 e.example1.
KtYwrnKM7Tu53BNf8XuTix53r9kDdCneJ1X7
xklFbp4YjRKC3NhwVK9PFe0jdHOkIDMtrwxn
n7/Rp07xIyURqw== )
300 NS ns.e.example1.
300 RRSIG NS 5 2 300 20010101000000 (
20000101000000 14043 e.example1.
KBPx3XmNl4swVPdwuUEFuzZedMSfsyK2a0Fu
o2wBnbCuS7G7DtfW9690lP/eTyixLOIwlFLQ
MrjN3+XgpkdgIw== )
300 A 10.0.1.1
300 RRSIG A 5 2 300 20010101000000 (
20000101000000 14043 e.example1.
KYlxMQUvv8DQtVgS23lNL5tFYmRppJ7vTgH3
btvgKbyHxW/04ewRsgCa82iu3iJipdEhKM11
ALkRNhqL7frnig== )
3600 NSEC ns.e.example1. A NS SOA RRSIG NSEC DNSKEY
3600 RRSIG NSEC 5 2 3600 20010101000000 (
20000101000000 14043 e.example1.
azSgagb7bldM06qSZg8nDZWOY2FbqeZY0/T8
nC+6VhCs7YTfNvXynLWmvmpqL7gVT6/O+Yi2
2lmdntld7GORrQ== )
300 DNSKEY 256 3 5 (
AwEAAcvAUMfH7wA0z077fJaF7RMrxAFyvo0/
7aAL4d2/yA5TqTaUCVnJtE+XgGO34kH9mwae
we+Nyv2kRWDeLl6nhGk=
) ; key id = 14043
300 RRSIG DNSKEY 5 2 300 20010101000000 (
20000101000000 14043 e.example1.
BQFWOHopXuBNdzcopkdl1YVKGF0QvIaYpywM
fcpG5gi+sy9EoTofQ1UGsLOjU3nFXCvJFG4K
1gUhzEEti440/g== )
ns.e.example1. 300 IN A 10.53.0.1
300 RRSIG A 5 3 300 20010101000000 (
20000101000000 14043 e.example1.
cYPzsWNQ/eL4h2lihKRjKT2jhGpOqV9woGJA
/Jstx2iethOAvYtgY22CsAbCUr/6E4bSgBZR
TMoC604cNdFzIw== )
3600 NSEC e.example1. A RRSIG NSEC
3600 RRSIG NSEC 5 3 3600 20010101000000 (
20000101000000 14043 e.example1.
J8Md544zDLP4GjyAtkjH/rSFvpzXY/7bgJRS
YDoARwFQRmlrJvavXEjqElb2fTQqlNNz1cal
QROz/WJ3GLwOWw== )
......@@ -13,7 +13,7 @@
; OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
; PERFORMANCE OF THIS SOFTWARE.
; $Id: example1.db,v 1.17 2007/06/19 23:47:04 tbox Exp $
; $Id: example1.db,v 1.18 2008/04/02 02:37:42 marka Exp $
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
......@@ -32,7 +32,4 @@ a3 CNAME nowhere
b AAAA eeee:eeee:eeee:eeee:ffff:ffff:ffff:ffff
8.8.7.7 DNAME net
0.0.f.f.e.e.d.d.c.c.b.b.a.a.9.9.net PTR dname
e A 10.0.1.1
RRSIG A 1 1 300 20001202003412 (
20001102003412 1 example. abcd )
e NS ns.e
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: named.conf,v 1.19 2007/06/19 23:47:04 tbox Exp $ */
/* $Id: named.conf,v 1.20 2008/04/02 02:37:42 marka Exp $ */
controls { /* empty */ };
......@@ -43,6 +43,11 @@ zone "example1." {
file "example1.db";
};
zone "e.example1." {
type master;
file "e.example1.db";
};
zone "example2." {
type master;
file "example2.db";
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- File: $Id: Bv9ARM-book.xml,v 1.347 2008/03/31 14:42:50 fdupont Exp $ -->
<!-- File: $Id: Bv9ARM-book.xml,v 1.348 2008/04/02 02:37:42 marka Exp $ -->
<book xmlns:xi="http://www.w3.org/2001/XInclude">
<title>BIND 9 Administrator Reference Manual</title>
......@@ -4553,6 +4553,10 @@ category notify { null; };
<optional> max-ncache-ttl <replaceable>number</replaceable>; </optional>
<optional> max-cache-ttl <replaceable>number</replaceable>; </optional>
<optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
<optional> sig-re-signing-interval <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
<optional> min-roots <replaceable>number</replaceable>; </optional>
<optional> use-ixfr <replaceable>yes_or_no</replaceable> ; </optional>
<optional> provide-ixfr <replaceable>yes_or_no</replaceable>; </optional>
......@@ -7256,22 +7260,76 @@ query-source-v6 address * port *;
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-validity-interval</command></term>
<listitem>
<para>
Specifies the number of days into the
future when DNSSEC signatures automatically generated as a
result
of dynamic updates (<xref linkend="dynamic_update"/>)
will expire. The default is <literal>30</literal> days.
The maximum value is 10 years (3660 days). The signature
inception time is unconditionally set to one hour before the
current time
to allow for a limited amount of clock skew.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-validity-interval</command></term>
<listitem>
<para>
Specifies the number of days into the future when
DNSSEC signatures automatically generated as a
result of dynamic updates (<xref
linkend="dynamic_update"/>) will expire. There
is a optional second field which specifies how
long before expiry that the signatures will be
regenerated. If not specified the signatures will
be regenerated at 1/4 of base interval. The second
field is specified in days if the base interval is
greater than 7 days otherwise it is specified in hours.
The default base interval is <literal>30</literal> days
giving a re-signing interval of 7 1/2 days . The maximum
values are 10 years (3660 days).
</para>
<para>
The signature inception time is unconditionally
set to one hour before the current time to allow
for a limited amount of clock skew.
</para>
<para>
The <command>sig-validity-interval</command>
should be, at least, several multiples of the SOA
expire interval to allow for reasonable interaction
between the various timer and expiry dates.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-signing-nodes</command></term>
<listitem>
<para>
Specify the number of maximum number nodes to be
examined in each quantum when signing a zone with
a new DNSKEY. The default is
<literal>100</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-signing-signatures</command></term>
<listitem>
<para>
Specify a threshold number of signatures that
will terminate processing a quantum when signing
a zone with a new DNSKEY. The default is
<literal>10</literal>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-signing-type</command></term>
<listitem>
<para>
Specify a private rdata type to be used when generating
key signing records. The default is
<literal>65535</literal>.
</para>
<para>
It is expected that this parameter may be removed
in a future version once there is a standard type.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>min-refresh-time</command></term>
......@@ -8384,6 +8442,10 @@ view "external" {
<optional> notify-source-v6 (<replaceable>ip6_addr</replaceable> | <constant>*</constant>) <optional>port <replaceable>ip_port</replaceable></optional> ; </optional>
<optional> zone-statistics <replaceable>yes_or_no</replaceable> ; </optional>
<optional> sig-validity-interval <replaceable>number</replaceable> ; </optional>
<optional> sig-re-signing-interval <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-nodes <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-signatures <replaceable>number</replaceable> ; </optional>
<optional> sig-signing-type <replaceable>number</replaceable> ; </optional>
<optional> database <replaceable>string</replaceable> ; </optional>
<optional> min-refresh-time <replaceable>number</replaceable> ; </optional>
<optional> max-refresh-time <replaceable>number</replaceable> ; </optional>
......@@ -9131,6 +9193,46 @@ zone <replaceable>zone_name</replaceable> <optional><replaceable>class</replacea
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-re-signing-interval</command></term>
<listitem>
<para>
See the description of
<command>sig-re-signing-interval</command> in <xref linkend="tuning"/>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-signing-nodes</command></term>
<listitem>
<para>
See the description of
<command>sig-signing-nodes</command> in <xref linkend="tuning"/>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-signing-signatures</command></term>
<listitem>
<para>
See the description of
<command>sig-signing-signatures</command> in <xref linkend="tuning"/>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>sig-signing-type</command></term>
<listitem>
<para>
See the description of
<command>sig-signing-type</command> in <xref linkend="tuning"/>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><command>transfer-source</command></term>
<listitem>
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: check.c,v 1.90 2008/04/01 01:37:24 marka Exp $ */
/* $Id: check.c,v 1.91 2008/04/02 02:37:42 marka Exp $ */
/*! \file */
......@@ -508,6 +508,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
isc_result_t tresult;
unsigned int i;
const cfg_obj_t *obj = NULL;
const cfg_obj_t *resignobj = NULL;
const cfg_listelt_t *element;
isc_symtab_t *symtab = NULL;
dns_fixedname_t fixed;
......@@ -523,7 +524,6 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
{ "max-transfer-idle-out", 60, 28 * 24 * 60 }, /* 28 days */
{ "max-transfer-time-in", 60, 28 * 24 * 60 }, /* 28 days */
{ "max-transfer-time-out", 60, 28 * 24 * 60 }, /* 28 days */
{ "sig-validity-interval", 86400, 10 * 366 }, /* 10 years */
{ "statistics-interval", 60, 28 * 24 * 60 }, /* 28 days */
};
......@@ -551,6 +551,43 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx) {
result = ISC_R_RANGE;
}
}
obj = NULL;
cfg_map_get(options, "sig-validity-interval", &obj);
if (obj != NULL) {
isc_uint32_t validity, resign = 0;
validity = cfg_obj_asuint32(cfg_tuple_get(obj, "validity"));
resignobj = cfg_tuple_get(obj, "re-sign");
if (!cfg_obj_isvoid(resignobj))
resign = cfg_obj_asuint32(resignobj);
if (validity > 3660 || validity == 0) { /* 10 years */
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"%s '%u' is out of range (1..3660)",
"sig-validity-interval", validity);
result = ISC_R_RANGE;
}
if (!cfg_obj_isvoid(resignobj)) {
if (resign > 3660 || resign == 0) { /* 10 years */
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"%s '%u' is out of range (1..3660)",
"sig-validity-interval (re-sign)",
validity);
result = ISC_R_RANGE;
} else if ((validity > 7 && validity < resign) ||
(validity <= 7 && validity * 24 < resign)) {
cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
"validity interval (%u days) "
"less than re-signing interval "
"(%u %s)", validity, resign,
(validity > 7) ? "days" : "hours");
result = ISC_R_RANGE;
}
}