Commit 6468ffc3 authored by Matthijs Mekking's avatar Matthijs Mekking 🏡

Use keywords in dnssec-policy keys configuration

Add the keywords 'lifetime' and 'algorithm' to make the key configuration
clearer.
parent 36c72bf3
......@@ -1015,7 +1015,7 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
<literallayout class="normal">
dnssec-policy <replaceable>string</replaceable> {
dnskey-ttl <replaceable>ttlval</replaceable>;
keys { ( csk | ksk | zsk ) key-directory <replaceable>duration</replaceable> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
keys { ( csk | ksk | zsk ) key-directory lifetime <replaceable>duration</replaceable> algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
parent-ds-ttl <replaceable>duration</replaceable>;
parent-propagation-delay <replaceable>duration</replaceable>;
parent-registration-delay <replaceable>duration</replaceable>;
......
......@@ -17,9 +17,9 @@
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
ksk key-directory P1Y 13 256;
zsk key-directory P30D 13;
csk key-directory P30D 8 2048;
ksk key-directory lifetime P1Y algorithm 13 256;
zsk key-directory lifetime P30D algorithm 13;
csk key-directory lifetime P30D algorithm 8 2048;
};
publish-safety PT3600S;
retire-safety PT3600S;
......
......@@ -17,9 +17,9 @@ dnssec-policy "kasp" {
dnskey-ttl 200;
keys {
csk key-directory P1Y 13;
ksk key-directory P1Y 8;
zsk key-directory P30D 8 1024;
zsk key-directory P6M 8 2000;
csk key-directory lifetime P1Y algorithm 13;
ksk key-directory lifetime P1Y algorithm 8;
zsk key-directory lifetime P30D algorithm 8 1024;
zsk key-directory lifetime P6M algorithm 8 2000;
};
};
......@@ -18,8 +18,8 @@ dnssec-policy "autosign" {
dnskey-ttl 300;
keys {
ksk key-directory P2Y 13;
zsk key-directory P1Y 13;
ksk key-directory lifetime P2Y algorithm 13;
zsk key-directory lifetime P1Y algorithm 13;
};
};
......@@ -34,8 +34,8 @@ dnssec-policy "zsk-prepub" {
retire-safety P2D;
keys {
ksk key-directory P2Y 13;
zsk key-directory P30D 13;
ksk key-directory lifetime P2Y algorithm 13;
zsk key-directory lifetime P30D algorithm 13;
};
zone-propagation-delay PT1H;
......@@ -53,8 +53,8 @@ dnssec-policy "ksk-doubleksk" {
retire-safety P2D;
keys {
ksk key-directory P60D 13;
zsk key-directory P1Y 13;
ksk key-directory lifetime P60D algorithm 13;
zsk key-directory lifetime P1Y algorithm 13;
};
zone-propagation-delay PT1H;
......
......@@ -13,9 +13,9 @@ dnssec-policy "rsasha1" {
dnskey-ttl 1234;
keys {
ksk key-directory P10Y 5;
zsk key-directory P5Y 5;
zsk key-directory P1Y 5 2000;
ksk key-directory lifetime P10Y algorithm 5;
zsk key-directory lifetime P5Y algorithm 5;
zsk key-directory lifetime P1Y algorithm 5 2000;
};
};
......@@ -23,9 +23,9 @@ dnssec-policy "rsasha1-nsec3" {
dnskey-ttl 1234;
keys {
ksk key-directory P10Y 7;
zsk key-directory P5Y 7;
zsk key-directory P1Y 7 2000;
ksk key-directory lifetime P10Y algorithm 7;
zsk key-directory lifetime P5Y algorithm 7;
zsk key-directory lifetime P1Y algorithm 7 2000;
};
};
......@@ -33,9 +33,9 @@ dnssec-policy "rsasha256" {
dnskey-ttl 1234;
keys {
ksk key-directory P10Y 8;
zsk key-directory P5Y 8;
zsk key-directory P1Y 8 2000;
ksk key-directory lifetime P10Y algorithm 8;
zsk key-directory lifetime P5Y algorithm 8;
zsk key-directory lifetime P1Y algorithm 8 2000;
};
};
......@@ -43,9 +43,9 @@ dnssec-policy "rsasha512" {
dnskey-ttl 1234;
keys {
ksk key-directory P10Y 10;
zsk key-directory P5Y 10;
zsk key-directory P1Y 10 2000;
ksk key-directory lifetime P10Y algorithm 10;
zsk key-directory lifetime P5Y algorithm 10;
zsk key-directory lifetime P1Y algorithm 10 2000;
};
};
......@@ -53,9 +53,9 @@ dnssec-policy "ecdsa256" {
dnskey-ttl 1234;
keys {
ksk key-directory P10Y 13;
zsk key-directory P5Y 13;
zsk key-directory P1Y 13 256;
ksk key-directory lifetime P10Y algorithm 13;
zsk key-directory lifetime P5Y algorithm 13;
zsk key-directory lifetime P1Y algorithm 13 256;
};
};
......@@ -63,8 +63,8 @@ dnssec-policy "ecdsa384" {
dnskey-ttl 1234;
keys {
ksk key-directory P10Y 14;
zsk key-directory P5Y 14;
zsk key-directory P1Y 14 384;
ksk key-directory lifetime P10Y algorithm 14;
zsk key-directory lifetime P5Y algorithm 14;
zsk key-directory lifetime P1Y algorithm 14 384;
};
};
......@@ -11059,9 +11059,9 @@ example.com CNAME rpz-tcp-only.
</para>
<programlisting>keys {
ksk key-directory P5Y 8 2048;
zsk key-directory P30D 8;
csk key-directory P6MT12H3M15S 13;
ksk key-directory lifetime P5Y algorithm 8 2048;
zsk key-directory lifetime P30D algorithm 8;
csk key-directory lifetime P6MT12H3M15S algorithm 13;
};
</programlisting>
......
......@@ -54,7 +54,7 @@
<programlisting>
dnssec-policy csk {
keys {
csk key-directory P5Y 13;
csk key-directory lifetime P5Y algorithm 13;
};
};
</programlisting>
......
......@@ -199,9 +199,9 @@ is referred to as a CSK. Below is an example configuration for the three types
of keys:
```
keys {
ksk key-directory P5Y ECDSAP256SHA256;
zsk key-directory P30D ECDSAP256SHA256;
csk key-directory PT0S 8 2048;
ksk key-directory lifetime P5Y algorithm ECDSAP256SHA256;
zsk key-directory lifetime P30D algorithm ECDSAP256SHA256;
csk key-directory lifetime PT0S algorithm 8 2048;
};
```
......
......@@ -27,7 +27,7 @@ dnssec-keys { <string> ( static-key |
dnssec-policy <string> {
dnskey-ttl <ttlval>;
keys { ( csk | ksk | zsk ) key-directory <duration> <string>
keys { ( csk | ksk | zsk ) key-directory lifetime <duration> algorithm <integer>
[ <integer> ]; ... };
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;
......
......@@ -502,11 +502,23 @@ static cfg_type_t cfg_type_dnsseckeystore = {
/*%
* A dnssec key, as used in the "keys" statement in a "dnssec-policy".
*/
static keyword_type_t algorithm_kw = { "algorithm", &cfg_type_uint32 };
static cfg_type_t cfg_type_algorithm = {
"algorithm", parse_keyvalue, print_keyvalue,
doc_keyvalue, &cfg_rep_uint32, &algorithm_kw
};
static keyword_type_t lifetime_kw = { "lifetime", &cfg_type_duration };
static cfg_type_t cfg_type_lifetime = {
"lifetime", parse_keyvalue, print_keyvalue,
doc_keyvalue, &cfg_rep_duration, &lifetime_kw
};
static cfg_tuplefielddef_t kaspkey_fields[] = {
{ "role", &cfg_type_dnsseckeyrole, 0 },
{ "keystore-type", &cfg_type_dnsseckeystore, 0 },
{ "lifetime", &cfg_type_duration, 0 },
{ "algorithm", &cfg_type_uint32, 0 },
{ "lifetime", &cfg_type_lifetime, 0 },
{ "algorithm", &cfg_type_algorithm, 0 },
{ "length", &cfg_type_optional_uint32, 0 },
{ NULL, NULL, 0 }
};
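Review bot: The `algorithm` field in `kaspkey_fields` now wraps `cfg_type_uint32` via `algorithm_kw`, yet the Markdown example updated in this same commit writes `algorithm ECDSAP256SHA256`; unless `cfg_type_uint32` also accepts algorithm mnemonics (not visible here), that example will not parse and should read `algorithm 13`, as every other example in the commit does. The type also places no upper bound on the value, while the DNSKEY algorithm field is a single octet, so a value above 255 passes configuration parsing at this point; whether a later check rejects it cannot be told from this hunk. Separately, the `/*% A dnssec key, as used in the "keys" statement ... */` comment now sits above the `algorithm_kw`/`lifetime_kw` helpers rather than the `kaspkey_fields` tuple it describes; consider adding `/*% Keyword-prefixed "algorithm" and "lifetime" fields of a dnssec-policy key. */` above `algorithm_kw` so the original comment again reads as the header of `kaspkey_fields`.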
......@@ -515,6 +527,9 @@ static cfg_type_t cfg_type_kaspkey = {
&cfg_rep_tuple, kaspkey_fields
};
/*%
* Wild class, type, name.
*/
static keyword_type_t wild_class_kw = { "class", &cfg_type_ustring };
static cfg_type_t cfg_type_optional_wild_class = {
......