Commit 5f464d15 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

dnssec-policy inheritance from options/view

'dnssec-policy' can now also be set on the options and view level and
a zone that does not set 'dnssec-policy' explicitly will inherit it
from the view or options level.

This requires a new keyword to be introduced: 'none'.  If set to
'none' the zone will not be DNSSEC maintained, in other words it will
stay unsigned.  You can use this to break the inheritance.  Of course
you can also break the inheritance by referring to a different
policy.

The keywords 'default' and 'none' are not allowed when configuring
your own dnssec-policy statement.

Add appropriate tests for checking the configuration (checkconf)
and add tests to the kasp system test to verify the inheritance
works.

Edit the kasp system test such that it can deal with unsigned zones
and with views (which means selecting the view by setting a TSIG key on the query).
parent ce1c1631
......@@ -58,6 +58,7 @@ options {\n\
"\
# deallocate-on-exit <obsolete>;\n\
# directory <none>\n\
dnssec-policy \"none\";\n\
dump-file \"named_dump.db\";\n\
edns-udp-size 4096;\n\
# fake-iquery <obsolete>;\n"
......@@ -6260,7 +6260,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
((cfg_map_get(zoptions, "inline-signing", &signing) ==
ISC_R_SUCCESS && cfg_obj_asboolean(signing)) ||
(cfg_map_get(zoptions, "dnssec-policy", &signing) ==
ISC_R_SUCCESS && signing != NULL)))
ISC_R_SUCCESS && signing != NULL &&
strcmp(cfg_obj_asstring(signing), "none") != 0)))
{
dns_zone_getraw(zone, &raw);
if (raw == NULL) {
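Review bot: The signed-zone test on the new lines still reads `dnssec-policy` only from `zoptions`, the zone's own map, so a zone that has no zone-level statement and inherits its policy from `options` or a `view` (which the `named_config_get(maps, "dnssec-policy", &obj)` lookup in named_zone_configure now allows) is not recognised here and does not reach the `dns_zone_getraw` setup that follows. The two call sites should agree on where the policy comes from; if the options/view maps are reachable in configure_zone the condition should be `named_config_get(maps, "dnssec-policy", &signing) == ISC_R_SUCCESS && strcmp(cfg_obj_asstring(signing), "none") != 0`, so that an inherited policy and an explicit one are handled the same way. Whether a `maps` array is in scope at this point cannot be seen from the hunk; configure_zone starts and ends outside it.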
......@@ -1197,18 +1197,21 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
if (ztype != dns_zone_stub && ztype != dns_zone_staticstub &&
ztype != dns_zone_redirect) {
obj = NULL;
result = cfg_map_get(zoptions, "dnssec-policy", &obj);
result = named_config_get(maps, "dnssec-policy", &obj);
if (result == ISC_R_SUCCESS) {
kaspname = cfg_obj_asstring(obj);
result = dns_kasplist_find(kasplist, kaspname, &kasp);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, named_g_lctx,
ISC_LOG_ERROR,
"'dnssec-policy '%s' not found ",
kaspname);
RETERR(result);
if (strcmp(kaspname, "none") != 0) {
result = dns_kasplist_find(kasplist, kaspname,
&kasp);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, named_g_lctx,
ISC_LOG_ERROR,
"'dnssec-policy '%s' not "
"found ", kaspname);
RETERR(result);
}
dns_zone_setkasp(zone, kasp);
}
dns_zone_setkasp(zone, kasp);
}
obj = NULL;
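Review bot: `dns_zone_setkasp(zone, kasp)` is now only reached for a policy other than `"none"`, so a zone whose policy becomes `"none"` (explicitly, or because the inherited value is the new built-in default) never has a kasp assigned or cleared; if `kasp` is initialised to NULL before this hunk and named_zone_configure is re-run on the same zone object at reconfig time, the previously configured policy would appear to survive the change. Moving the call out of the inner block, i.e. `dns_zone_setkasp(zone, kasp);` immediately after the closing brace of `if (strcmp(kaspname, "none") != 0)`, stores NULL for "none" and keeps the existing behaviour for a named policy. The rewrapped log message also carries an unbalanced leading quote and a trailing space; `"dnssec-policy '%s' not found"` reads cleanly. named_zone_configure continues beyond the hunk, so any later reset of the kasp is not visible here.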
......@@ -9,12 +9,14 @@
* information regarding copyright ownership.
*/
options {
dnssec-policy "notatzonelevel";
// Using the keyword 'default' is not allowed.
dnssec-policy "default" {
signatures-refresh P5D;
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "default";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// Using the keyword 'none' is not allowed.
dnssec-policy "none" {
signatures-refresh P5D;
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "none";
};
......@@ -35,13 +35,25 @@ dnssec-policy "test" {
options {
dnssec-policy "default";
};
options {
dnssec-policy "default";
};
zone "example1" {
type master;
dnssec-policy "test";
file "example1.db";
};
zone "example2" {
type master;
dnssec-policy "default";
file "example2.db";
dnssec-policy "test";
};
zone "example3" {
type master;
file "example3.db";
dnssec-policy "default";
};
zone "example4" {
type master;
file "example4.db";
dnssec-policy "none";
};
......@@ -14,6 +14,24 @@
*/
/* cut here */
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
ksk key-directory lifetime P1Y algorithm 13 256;
zsk key-directory lifetime P30D algorithm 13;
csk key-directory lifetime P30D algorithm 8 2048;
};
publish-safety PT3600S;
retire-safety PT3600S;
signatures-refresh P3D;
signatures-validity P2W;
signatures-validity-dnskey P14D;
zone-max-ttl 86400;
zone-propagation-delay PT5M;
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
parent-registration-delay P1D;
};
options {
avoid-v4-udp-ports {
100;
......@@ -60,6 +78,7 @@ options {
validate-except {
"corp";
};
dnssec-policy "test";
transfer-source 0.0.0.0 dscp 63;
zone-statistics none;
};
......@@ -140,6 +159,28 @@ view "third" {
};
};
};
view "fourth" {
zone "dnssec-test" {
type master;
file "dnssec-test.db";
dnssec-policy "test";
};
zone "dnssec-default" {
type master;
file "dnssec-default.db";
dnssec-policy "default";
};
zone "dnssec-inherit" {
type master;
file "dnssec-inherit.db";
};
zone "dnssec-none" {
type master;
file "dnssec-none.db";
dnssec-policy "none";
};
dnssec-policy "default";
};
view "chaos" chaos {
zone "hostname.bind" chaos {
type master;
......@@ -8,4 +8,8 @@ clone IN third in-view first
dnssec IN third master
p IN third primary
s IN third secondary
dnssec-test IN fourth master
dnssec-default IN fourth master
dnssec-inherit IN fourth master
dnssec-none IN fourth master
hostname.bind chaos chaos master
......@@ -9,3 +9,5 @@ ns1 is reserved for the root server.
ns2 is running primary service for ns3.
ns3 is an authoritative server for the various test domains.
ns4 and ns5 are authoritative servers for various test domains related to views.
......@@ -21,5 +21,6 @@ rm -f ns*/K*.private ns*/K*.key ns*/K*.state
rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
rm -f ns*/managed-keys.bind
rm -f ns*/*.mkeys
# NS3 specific
rm -f ns3/zones ns3/*.db.infile
......@@ -21,6 +21,7 @@ options {
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
dnssec-policy "none";
};
key rndc_key {
......@@ -32,6 +33,21 @@ controls {
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
/* Inherit dnssec-policy (which is none) */
zone "unsigned.tld" {
type master;
file "unsigned.tld.db";
};
/* Override dnssec-policy */
zone "signed.tld" {
type master;
dnssec-policy "default";
file "signed.tld.db";
};
/* Primary service for ns3 */
zone "secondary.kasp" {
......@@ -14,8 +14,20 @@
echo_i "ns2/setup.sh"
echo_i "setting up zone: $zone"
zone="secondary.kasp"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zonefile}.in"
cp $infile $zonefile
zone="signed.tld"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="template.tld.db.in"
cp $infile $zonefile
zone="unsigned.tld"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="template.tld.db.in"
cp $infile $zonefile
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA secondary.kasp. hostmaster.kasp. (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
ns2 A 10.53.0.2
a A 10.0.0.1
b A 10.0.0.2
c A 10.0.0.3
......@@ -11,6 +11,9 @@
// NS3
include "policies/kasp.conf";
include "policies/autosign.conf";
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
......@@ -21,6 +24,7 @@ options {
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
dnssec-policy "rsasha1";
};
key rndc_key {
......@@ -32,9 +36,6 @@ controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
include "policies/kasp.conf";
include "policies/autosign.conf";
/* Zones that are getting initially signed */
/* The default case: No keys created, using default policy. */
......@@ -51,6 +52,19 @@ zone "rsasha1.kasp" {
dnssec-policy "rsasha1";
};
/* A zone that inherits dnssec-policy. */
zone "inherit.kasp" {
type master;
file "inherit.kasp.db";
};
/* A zone that overrides dnssec-policy. */
zone "unsigned.kasp" {
type master;
file "unsigned.kasp.db";
dnssec-policy "none";
};
/* A master zone with dnssec-policy but keys already created. */
zone "dnssec-keygen.kasp" {
type master;
......@@ -43,12 +43,19 @@ U="UNRETENTIVE"
# Set up zones that will be initially signed.
#
for zn in default rsasha1 dnssec-keygen some-keys legacy-keys pregenerated \
rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384
rsasha1-nsec3 rsasha256 rsasha512 ecdsa256 ecdsa384 inherit
do
setup "${zn}.kasp"
cp template.db.in $zonefile
done
# Set up zone that stays unsigned.
zone="unsigned.kasp"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zone}.db.infile"
cp template.db.in $zonefile
# Some of these zones already have keys.
zone="dnssec-keygen.kasp"
$KEYGEN -k rsasha1 -l policies/kasp.conf $zone > keygen.out.$zone.1 2>&1
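Review bot: In the new unsigned.kasp block the line `infile="${zone}.db.infile"` is assigned and never used, since the next line copies `template.db.in` straight to `$zonefile`; drop the assignment, or if the intent was to mirror what `setup` does for the signed zones (that function is defined outside the hunk), call `setup "$zone"` instead of the hand-written steps. A dead variable next to a `cp` that reads a different source invites the next reader to assume the `.db.infile` path is consumed somewhere.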
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS4
key "sha1" {
algorithm "hmac-sha1";
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
};
key "sha224" {
algorithm "hmac-sha224";
secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
};
key "sha256" {
algorithm "hmac-sha256";
secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
};
dnssec-policy "test" {
keys {
csk key-directory lifetime 0 algorithm 14;
};
};
options {
query-source address 10.53.0.4;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.4; };
listen-on-v6 { none; };
recursion no;
dnssec-policy "test";
};
view "inherit" {
match-clients { key "sha1"; };
/* Inherit dnssec-policy 'test' */
zone "inherit.inherit.signed" {
type master;
file "inherit.inherit.signed.db";
};
/* Override dnssec-policy */
zone "override.inherit.signed" {
type master;
dnssec-policy "default";
file "override.inherit.signed.db";
};
/* Unset dnssec-policy */
zone "none.inherit.signed" {
type master;
dnssec-policy "none";
file "none.inherit.signed.db";
};
};
view "override" {
match-clients { key "sha224"; };
dnssec-policy "default";
/* Inherit dnssec-policy 'test' */
zone "inherit.override.signed" {
type master;
file "inherit.override.signed.db";
};
/* Override dnssec-policy */
zone "override.override.signed" {
type master;
dnssec-policy "test";
file "override.override.signed.db";
};
/* Unset dnssec-policy */
zone "none.override.signed" {
type master;
dnssec-policy "none";
file "none.override.signed.db";
};
};
view "none" {
match-clients { key "sha256"; };
dnssec-policy "none";
/* Inherit dnssec-policy 'none' */
zone "inherit.none.signed" {
type master;
file "inherit.none.signed.db";
};
/* Override dnssec-policy */
zone "override.none.signed" {
type master;
dnssec-policy "test";
file "override.none.signed.db";
};
/* Unset dnssec-policy */
zone "none.none.signed" {
type master;
dnssec-policy "none";
file "none.none.signed.db";
};
};
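Review bot: The comment above zone "inherit.override.signed" says it inherits dnssec-policy 'test', but view "override" sets `dnssec-policy "default";` a few lines earlier, so the inherited policy is 'default'; the ns5 configuration added in this commit states 'default' for the same view. Suggested: `/* Inherit dnssec-policy 'default' */`. These comments document what each test zone is expected to end up with, so a wrong one makes a later failure in the kasp test harder to read.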
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
echo_i "ns4/setup.sh"
#
# Set up zones that potentially will be initially signed.
#
for zn in inherit.inherit override.inherit none.inherit \
inherit.override override.override none.override \
inherit.none override.none none.none
do
zone="$zn.signed"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
cp template.db.in $zonefile
done
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns4
ns4 A 10.53.0.4
a A 10.0.0.1
b A 10.0.0.2
c A 10.0.0.3
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS5
key "sha1" {
algorithm "hmac-sha1";
secret "FrSt77yPTFx6hTs4i2tKLB9LmE0=";
};
key "sha224" {
algorithm "hmac-sha224";
secret "hXfwwwiag2QGqblopofai9NuW28q/1rH4CaTnA==";
};
key "sha256" {
algorithm "hmac-sha256";
secret "R16NojROxtxH/xbDl//ehDsHm5DjWTQ2YXV+hGC2iBY=";
};
dnssec-policy "test" {
keys {
csk key-directory lifetime 0 algorithm 14;
};
};
options {
query-source address 10.53.0.5;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.5; };
listen-on-v6 { none; };
recursion no;
dnssec-policy "none";
};
view "inherit" {
match-clients { key "sha1"; };
/* Inherit dnssec-policy 'none' */
zone "inherit.inherit.unsigned" {
type master;
file "inherit.inherit.unsigned.db";
};
/* Override dnssec-policy */
zone "override.inherit.unsigned" {
type master;
dnssec-policy "default";
file "override.inherit.unsigned.db";
};
/* Unset dnssec-policy */
zone "none.inherit.unsigned" {
type master;
dnssec-policy "none";
file "none.inherit.unsigned.db";
};
};
view "override" {
match-clients { key "sha224"; };
dnssec-policy "default";
/* Inherit dnssec-policy 'default' */
zone "inherit.override.unsigned" {
type master;
file "inherit.override.unsigned.db";
};
/* Override dnssec-policy */
zone "override.override.unsigned" {
type master;
dnssec-policy "test";
file "override.override.unsigned.db";
};
/* Unset dnssec-policy */
zone "none.override.unsigned" {
type master;
dnssec-policy "none";
file "none.override.unsigned.db";
};
};
view "none" {
match-clients { key "sha256"; };
dnssec-policy "none";
/* Inherit dnssec-policy 'none' */
zone "inherit.none.unsigned" {
type master;
file "inherit.none.unsigned.db";
};
/* Override dnssec-policy */
zone "override.none.unsigned" {
type master;
dnssec-policy "test";
file "override.none.unsigned.db";
};
/* Unset dnssec-policy */
zone "none.none.unsigned" {
type master;
dnssec-policy "none";
file "none.none.unsigned.db";
};
};
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
echo_i "ns5/setup.sh"
#
# Set up zones that potentially will be initially signed.
#
for zn in inherit.inherit override.inherit none.inherit \
inherit.override override.override none.override \
inherit.none override.none none.none
do
zone="$zn.unsigned"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
cp template.db.in $zonefile
done
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA mname1. . (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns5
ns5 A 10.53.0.5
a A 10.0.0.1
b A 10.0.0.2
c A 10.0.0.3
......@@ -20,14 +20,23 @@ mkdir keys