Use keywords in dnssec-policy keys configuration

Add keywords 'lifetime' and 'algorithm' to make the key configuration more clear.

Use keywords in dnssec-policy keys configuration
Add keywords 'lifetime' and 'algorithm' to make the key configuration more clear.
6468ffc3 · Matthijs Mekking · 36c72bf3 · 6468ffc3 · 6468ffc3 · 6468ffc3
Commit 6468ffc3 authored Oct 21, 2019 by Matthijs Mekking 🏡
--- a/bin/named/named.conf.docbook
+++ b/bin/named/named.conf.docbook
@@ -1015,7 +1015,7 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
    <literallayout class="normal">
 dnssec-policy <replaceable>string</replaceable> {
 	dnskey-ttl <replaceable>ttlval</replaceable>;
-	keys { ( csk | ksk | zsk ) key-directory <replaceable>duration</replaceable> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
+	keys { ( csk | ksk | zsk ) key-directory lifetime <replaceable>duration</replaceable> algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
 	parent-ds-ttl <replaceable>duration</replaceable>;
 	parent-propagation-delay <replaceable>duration</replaceable>;
 	parent-registration-delay <replaceable>duration</replaceable>;

--- a/bin/tests/system/checkconf/good-kasp.conf
+++ b/bin/tests/system/checkconf/good-kasp.conf
@@ -17,9 +17,9 @@
 dnssec-policy "test" {
 	dnskey-ttl 3600;
 	keys {
-		ksk key-directory P1Y 13 256;
-		zsk key-directory P30D 13;
-		csk key-directory P30D 8 2048;
+		ksk key-directory lifetime P1Y algorithm 13 256;
+		zsk key-directory lifetime P30D algorithm 13;
+		csk key-directory lifetime P30D algorithm 8 2048;
 	};
 	publish-safety PT3600S;
 	retire-safety PT3600S;

--- a/bin/tests/system/kasp/kasp.conf
+++ b/bin/tests/system/kasp/kasp.conf
@@ -17,9 +17,9 @@ dnssec-policy "kasp" {
 	dnskey-ttl 200;

 	keys {
-		csk key-directory P1Y 13;
-		ksk key-directory P1Y 8;
-		zsk key-directory P30D 8 1024;
-		zsk key-directory P6M 8 2000;
+		csk key-directory lifetime P1Y  algorithm 13;
+		ksk key-directory lifetime P1Y  algorithm 8;
+		zsk key-directory lifetime P30D algorithm 8 1024;
+		zsk key-directory lifetime P6M  algorithm 8 2000;
 	};
 };
--- a/bin/tests/system/kasp/ns3/policies/autosign.conf
+++ b/bin/tests/system/kasp/ns3/policies/autosign.conf
@@ -18,8 +18,8 @@ dnssec-policy "autosign" {
 	dnskey-ttl 300;

 	keys {
-		ksk key-directory P2Y 13;
-		zsk key-directory P1Y 13;
+		ksk key-directory lifetime P2Y algorithm 13;
+		zsk key-directory lifetime P1Y algorithm 13;
 	};
 };

@@ -34,8 +34,8 @@ dnssec-policy "zsk-prepub" {
 	retire-safety P2D;

 	keys {
-		ksk key-directory P2Y 13;
-		zsk key-directory P30D 13;
+		ksk key-directory lifetime P2Y  algorithm 13;
+		zsk key-directory lifetime P30D algorithm 13;
 	};

 	zone-propagation-delay PT1H;
@@ -53,8 +53,8 @@ dnssec-policy "ksk-doubleksk" {
 	retire-safety P2D;

 	keys {
-		ksk key-directory P60D 13;
-		zsk key-directory P1Y 13;
+		ksk key-directory lifetime P60D algorithm 13;
+		zsk key-directory lifetime P1Y  algorithm 13;
 	};

 	zone-propagation-delay PT1H;

--- a/bin/tests/system/kasp/ns3/policies/kasp.conf
+++ b/bin/tests/system/kasp/ns3/policies/kasp.conf
@@ -13,9 +13,9 @@ dnssec-policy "rsasha1" {
 	dnskey-ttl 1234;

 	keys {
-		ksk key-directory P10Y 5;
-		zsk key-directory P5Y 5;
-		zsk key-directory P1Y 5 2000;
+		ksk key-directory lifetime P10Y algorithm 5;
+		zsk key-directory lifetime P5Y  algorithm 5;
+		zsk key-directory lifetime P1Y  algorithm 5 2000;
 	};
 };

@@ -23,9 +23,9 @@ dnssec-policy "rsasha1-nsec3" {
 	dnskey-ttl 1234;

 	keys {
-		ksk key-directory P10Y 7;
-		zsk key-directory P5Y 7;
-		zsk key-directory P1Y 7 2000;
+		ksk key-directory lifetime P10Y algorithm 7;
+		zsk key-directory lifetime P5Y  algorithm 7;
+		zsk key-directory lifetime P1Y  algorithm 7 2000;
 	};
 };

@@ -33,9 +33,9 @@ dnssec-policy "rsasha256" {
 	dnskey-ttl 1234;

 	keys {
-		ksk key-directory P10Y 8;
-		zsk key-directory P5Y 8;
-		zsk key-directory P1Y 8 2000;
+		ksk key-directory lifetime P10Y algorithm 8;
+		zsk key-directory lifetime P5Y  algorithm 8;
+		zsk key-directory lifetime P1Y  algorithm 8 2000;
 	};
 };

@@ -43,9 +43,9 @@ dnssec-policy "rsasha512" {
 	dnskey-ttl 1234;

 	keys {
-		ksk key-directory P10Y 10;
-		zsk key-directory P5Y 10;
-		zsk key-directory P1Y 10 2000;
+		ksk key-directory lifetime P10Y algorithm 10;
+		zsk key-directory lifetime P5Y  algorithm 10;
+		zsk key-directory lifetime P1Y  algorithm 10 2000;
 	};
 };

@@ -53,9 +53,9 @@ dnssec-policy "ecdsa256" {
 	dnskey-ttl 1234;

 	keys {
-		ksk key-directory P10Y 13;
-		zsk key-directory P5Y 13;
-		zsk key-directory P1Y 13 256;
+		ksk key-directory lifetime P10Y algorithm 13;
+		zsk key-directory lifetime P5Y  algorithm 13;
+		zsk key-directory lifetime P1Y  algorithm 13 256;
 	};
 };

@@ -63,8 +63,8 @@ dnssec-policy "ecdsa384" {
 	dnskey-ttl 1234;

 	keys {
-		ksk key-directory P10Y 14;
-		zsk key-directory P5Y 14;
-		zsk key-directory P1Y 14 384;
+		ksk key-directory lifetime P10Y algorithm 14;
+		zsk key-directory lifetime P5Y  algorithm 14;
+		zsk key-directory lifetime P1Y  algorithm 14 384;
 	};
 };
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -11059,9 +11059,9 @@ example.com                 CNAME   rpz-tcp-only.
 		</para>
  
 <programlisting>keys {
-	ksk key-directory P5Y 8 2048;
-	zsk key-directory P30D 8;
-	csk key-directory P6MT12H3M15S 13;
+    ksk key-directory lifetime P5Y algorithm 8 2048;
+    zsk key-directory lifetime P30D algorithm 8;
+    csk key-directory lifetime P6MT12H3M15S algorithm 13;
 };
 </programlisting>
  

--- a/doc/arm/dnssec.xml
+++ b/doc/arm/dnssec.xml
@@ -54,7 +54,7 @@
  <programlisting>
 	dnssec-policy csk {
 		keys {
-			csk key-directory P5Y 13;
+			csk key-directory lifetime P5Y algorithm 13;
 		};
 	};
  </programlisting>

--- a/doc/design/dnssec-policy
+++ b/doc/design/dnssec-policy
@@ -199,9 +199,9 @@ is referred to as a CSK. Below is an example configuration for the three types
 of keys:
 ```
 	keys {
-		ksk key-directory P5Y ECDSAP256SHA256;
-		zsk key-directory P30D ECDSAP256SHA256;
-		csk key-directory PT0S 8 2048;
+		ksk key-directory lifetime P5Y  algorithm ECDSAP256SHA256;
+		zsk key-directory lifetime P30D algorithm ECDSAP256SHA256;
+		csk key-directory lifetime PT0S algorithm 8 2048;
 	};
 ```


--- a/doc/misc/options
+++ b/doc/misc/options
@@ -27,7 +27,7 @@ dnssec-keys { <string> ( static-key |

 dnssec-policy <string> {
        dnskey-ttl <ttlval>;
-        keys { ( csk | ksk | zsk ) key-directory <duration> <string>
+        keys { ( csk | ksk | zsk ) key-directory lifetime <duration> algorithm <integer>
 	    [ <integer> ]; ... };
 	parent-ds-ttl <duration>;
 	parent-propagation-delay <duration>;

--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -502,11 +502,23 @@ static cfg_type_t cfg_type_dnsseckeystore = {
 /*%
 * A dnssec key, as used in the "keys" statement in a "dnssec-policy".
 */
+static keyword_type_t algorithm_kw = { "algorithm", &cfg_type_uint32 };
+static cfg_type_t cfg_type_algorithm = {
+	"algorithm", parse_keyvalue, print_keyvalue,
+	doc_keyvalue, &cfg_rep_uint32, &algorithm_kw
+};
+
+static keyword_type_t lifetime_kw = { "lifetime", &cfg_type_duration };
+static cfg_type_t cfg_type_lifetime = {
+	"lifetime", parse_keyvalue, print_keyvalue,
+	doc_keyvalue, &cfg_rep_duration, &lifetime_kw
+};
+
 static cfg_tuplefielddef_t kaspkey_fields[] = {
 	{ "role", &cfg_type_dnsseckeyrole, 0 },
 	{ "keystore-type", &cfg_type_dnsseckeystore, 0 },
-	{ "lifetime", &cfg_type_duration, 0 },
-	{ "algorithm", &cfg_type_uint32, 0 },
+	{ "lifetime", &cfg_type_lifetime, 0 },
+	{ "algorithm", &cfg_type_algorithm, 0 },
 	{ "length", &cfg_type_optional_uint32, 0 },
 	{ NULL, NULL, 0 }
 };
@@ -515,6 +527,9 @@ static cfg_type_t cfg_type_kaspkey = {
 	&cfg_rep_tuple, kaspkey_fields
 };

+/*%
+ * Wild class, type, name.
+ */
 static keyword_type_t wild_class_kw = { "class", &cfg_type_ustring };

 static cfg_type_t cfg_type_optional_wild_class = {