Commit 7e7aa538 authored by Matthijs Mekking

Introduce keymgr in named

Add a key manager to named.  If a 'dnssec-policy' is set, 'named'
will run a key manager on the matching keys.  This will do a couple
of things:

1. Create keys when needed (in case of rollover for example)
   according to the set policy.

2. Retire keys that are in excess of the policy.

3. Maintain key states according to "Flexible and Robust Key
   Rollover" [1]. After the key manager has run, key files will be saved to

Create keys according to DNSSEC policy.  Zones configured with
'dnssec-policy' will allow 'named' to create DNSSEC keys (similar
to dnssec-keymgr) if not available.


Rather than determining the desired state from timing metadata,
add a key state goal.  Any key that is created or picked from the
key ring and selected to be a successor has its key state goal set
to OMNIPRESENT (this key wants to be signing!). At the same time,
a key that is being retired has its key state goal set to HIDDEN.

The keymgr state machine with the three rules will make sure no
introduction or withdrawal of DNSSEC records happens too soon.


All timings are based on RFC 7583.

The keymgr will return when the next action is happening so
that the zone can set the proper rekey event. Prior to this change
the rekey event would run every hour by default (configurable),
but with kasp we can determine exactly when we need to run again.

The prepublication time is derived from policy.
parent 314b90df
......@@ -65,7 +65,7 @@ DNSOBJS = acl.@O@ adb.@O@ badcache.@O@ byaddr.@O@ \
dlz.@O@ dns64.@O@ dnsrps.@O@ dnssec.@O@ ds.@O@ dyndb.@O@ \
ecs.@O@ fixedname.@O@ forward.@O@ \
ipkeylist.@O@ iptable.@O@ journal.@O@ kasp.@O@ keydata.@O@ \
keytable.@O@ lib.@O@ log.@O@ lookup.@O@ \
keymgr.@O@ keytable.@O@ lib.@O@ log.@O@ lookup.@O@ \
master.@O@ masterdump.@O@ message.@O@ \
name.@O@ ncache.@O@ nsec.@O@ nsec3.@O@ nta.@O@ \
order.@O@ peer.@O@ portlist.@O@ private.@O@ \
......@@ -100,8 +100,8 @@ DNSSRCS = acl.c adb.c badcache. byaddr.c \
cache.c callbacks.c clientinfo.c compress.c \
db.c dbiterator.c dbtable.c diff.c dispatch.c \
dlz.c dns64.c dnsrps.c dnssec.c ds.c dyndb.c \
ecs.c fixedname.c forward.c \
ipkeylist.c iptable.c journal.c kasp.c keydata.c keytable.c \
ecs.c fixedname.c forward.c ipkeylist.c iptable.c \
journal.c kasp.c keydata.c keymgr.c keytable.c \
lib.c log.c lookup.c master.c masterdump.c message.c \
name.c ncache.c nsec.c nsec3.c nta.c \
order.c peer.c portlist.c \
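Review bot: the DNSSRCS hunk rewraps the `ecs.c fixedname.c forward.c` line and the `ipkeylist.c ... keytable.c` line into two new lines just to insert `keymgr.c`, which turns a one-token addition into a two-line replacement; the DNSOBJS hunk above keeps the existing wrapping and only touches the one line that gains `keymgr.@O@`. Keeping the original wrapping here as well, with `keymgr.c` inserted after `keydata.c` on the existing line, keeps the diff minimal and makes the alphabetical placement easier to check at review time.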
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
#ifndef DNS_KEYMGR_H
#define DNS_KEYMGR_H 1
/*! \file dns/keymgr.h */
#include <isc/lang.h>
#include <isc/stdtime.h>
#include <dns/types.h>
#include <dst/dst.h>
dns_keymgr_run(const dns_name_t *origin, dns_rdataclass_t rdclass,
const char *directory, isc_mem_t *mctx,
dns_dnsseckeylist_t *keyring, dns_kasp_t *kasp,
isc_stdtime_t now, isc_stdtime_t *nexttime);
* Manage keys in 'keylist' and update timing data according to 'kasp' policy.
* Create new keys for 'origin' if necessary in 'directory'. Append all such
* keys, along with use hints gleaned from their metadata, onto 'keylist'.
* Update key states and store changes back to disk. Store when to run next
* in 'nexttime'.
* Requires:
*\li 'origin' is a valid FQDN.
*\li 'mctx' is a valid memory context.
*\li 'keyring' is not NULL.
*\li 'kasp' is not NULL.
* Returns:
*\li any error returned by dst_key_generate(), isc_dir_open(),
* dst_key_to_file(), or dns_dnsseckey_create().
* Ensures:
*\li On error, keypool is unchanged
#endif /* DNS_KEYMGR_H */
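Review bot: the documentation block for dns_keymgr_run() names the key list 'keylist' in the description and 'keypool' in the Ensures clause, while the parameter is declared as 'keyring'; use one name so the Requires/Ensures statements bind to an actual argument. The Returns section lists only the error paths propagated from dst_key_generate(), isc_dir_open(), dst_key_to_file() and dns_dnsseckey_create(); add ISC_R_SUCCESS, and state whether 'directory' and 'nexttime' may be NULL, since the Requires list covers only 'origin', 'mctx', 'keyring' and 'kasp'. As rendered, the prototype has no return type line and the license header stops at "You can obtain one at" without the MPL URL; confirm the committed file carries the full boilerplate line, the `isc_result_t` return type and the ISC_LANG_BEGINDECLS/ISC_LANG_ENDDECLS guards used by the other dns/*.h headers.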
......@@ -442,6 +442,7 @@ dns_kasplist_find
......@@ -122,6 +122,9 @@
<ClCompile Include="..\keydata.c">
<Filter>Library Source Files</Filter>
<ClCompile Include="..\keymgr.c">
<Filter>Library Source Files</Filter>
<ClCompile Include="..\keytable.c">
<Filter>Library Source Files</Filter>
......@@ -461,6 +464,9 @@
<ClInclude Include="..\include\dns\keyflags.h">
<Filter>Library Header Files</Filter>
<ClInclude Include="..\include\dns\keymgr.h">
<Filter>Library Header Files</Filter>
<ClInclude Include="..\include\dns\keytable.h">
<Filter>Library Header Files</Filter>
......@@ -152,6 +152,7 @@
<ClCompile Include="..\journal.c" />
<ClCompile Include="..\kasp.c" />
<ClCompile Include="..\key.c" />
<ClCompile Include="..\keymgr.c" />
<ClCompile Include="..\keydata.c" />
<ClCompile Include="..\keytable.c" />
<ClCompile Include="..\lib.c" />
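Review bot: in the libdns.vcxproj hunk `<ClCompile Include="..\keymgr.c" />` is inserted between `key.c` and `keydata.c`, which breaks the alphabetical order of the list (keydata.c sorts before keymgr.c); the filters file and the Makefile.in hunks place keymgr after keydata and before keytable. Move the entry one line down so all three build descriptions agree.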
......@@ -269,6 +270,7 @@
<ClInclude Include="..\include\dns\kasp.h" />
<ClInclude Include="..\include\dns\keydata.h" />
<ClInclude Include="..\include\dns\keyflags.h" />
<ClInclude Include="..\include\dns\keymgr.h" />
<ClInclude Include="..\include\dns\keytable.h" />
<ClInclude Include="..\include\dns\keyvalues.h" />
<ClInclude Include="..\include\dns\lib.h" />
......@@ -1683,6 +1683,7 @@
./lib/dns/include/dns/kasp.h C 2019
./lib/dns/include/dns/keydata.h C 2009,2016,2018,2019
./lib/dns/include/dns/keyflags.h C 1999,2000,2001,2004,2005,2006,2007,2016,2018,2019
./lib/dns/include/dns/keymgr.h C 2019
./lib/dns/include/dns/keytable.h C 2000,2001,2004,2005,2007,2009,2010,2014,2015,2016,2017,2018,2019
./lib/dns/include/dns/keyvalues.h C 1999,2000,2001,2003,2004,2005,2006,2007,2008,2009,2010,2012,2016,2017,2018,2019
./lib/dns/include/dns/lib.h C 1999,2000,2001,2004,2005,2006,2007,2009,2016,2017,2018,2019
......@@ -1751,6 +1752,7 @@
./lib/dns/kasp.c C 2019
./lib/dns/key.c C 2001,2004,2005,2006,2007,2011,2016,2018,2019
./lib/dns/keydata.c C 2009,2014,2016,2018,2019
./lib/dns/keymgr.c C 2019
./lib/dns/keytable.c C 2000,2001,2004,2005,2007,2009,2010,2013,2014,2015,2016,2017,2018,2019
./lib/dns/lib.c C 1999,2000,2001,2004,2005,2007,2009,2013,2014,2015,2016,2017,2018,2019
./lib/dns/log.c C 1999,2000,2001,2003,2004,2005,2006,2007,2009,2011,2012,2013,2014,2015,2016,2017,2018,2019