06 Nov, 2019 (40 commits)
    • Test ZSK and KSK rollover · 36c72bf3
      Matthijs Mekking authored
      Add tests for ZSK Pre-Publication and KSK Double-KSK rollover.

      Includes tests that the next key event is scheduled at the right time.
    • Add kasp tests · c9f1ec83
      Matthijs Mekking authored
      Add more tests for kasp:

      - Add tests for different algorithms.

      - Add a test to ensure that an edit in an unsigned zone is
        picked up and properly signed.

      - Add two tests that ensure that a zone gets signed when it is
        configured as so-called 'inline-signing'.  In other words, a
        secondary zone that is configured with a 'dnssec-policy'.  A zone
        that is transferred over AXFR or IXFR will get signed.

      - Add a test to ensure signatures are reused if they are still
        fresh enough.

      - Add two more tests to verify that expired and unfresh signatures
        will be regenerated.

      - Add tests for various cases with keys already available in the
        key-directory.
    • Refactor kasp system test · 7c783ab9
      Matthijs Mekking authored
      A significant refactor of the kasp system test in an attempt to
      make the test script somewhat brief.  When writing a test case,
      you can/should use the functions 'zone_properties',
      'key_properties', and 'key_timings' to set the expected values
      when checking a key with 'check_key'. All these four functions
      can be used to set environment variables that come in handy when
      testing output.
    • Adjust signing code to use kasp · c125b721
      Matthijs Mekking authored
      Update the signing code in lib/dns/zone.c and lib/dns/update.c to
      use kasp logic if a dnssec-policy is enabled.

      This means zones with dnssec-policy should no longer follow
      'update-check-ksk' and 'dnssec-dnskey-kskonly' logic; instead the
      KASP keys configured dictate which RRset gets signed with what key.

      Also use the next rekey event from the key manager rather than
      setting it to one hour.

      Mark the zone dynamic, as otherwise a zone with dnssec-policy is
      not eligible for automatic DNSSEC maintenance.
    • DNSSEC hints use dst_key functions and key states · fcf14b2b
      Matthijs Mekking authored
      Update dns_dnssec_get_hints and dns_dnssec_keyactive to use dst_key
      functions and thus, if dnssec-policy/KASP is used, the key states are
      considered.

      Add a new variable to 'struct dns_dnsseckey' to signal whether this
      key is a zone-signing key (it is no longer true that ksk == !zsk).

      Also introduce a hint for revoke.

      Update 'dns_dnssec_findzonekeys' and 'dns_dnssec_findmatchingkeys'
      to also read the key state file, if available.

      Remove 'allzsk' from 'dns_dnssec_updatekeys' as this was only a
      hint for logging.

      Also make get_hints() (now dns_dnssec_get_hints()) public so that
      we can use it in the key manager.
    • Update zoneconf to use kasp config · 09990672
      Matthijs Mekking authored
      If a zone has a dnssec-policy set, use signature validity,
      dnskey signature validity, and signature refresh from
      dnssec-policy.

      Zones configured with 'dnssec-policy' will allow 'named' to create
      DNSSEC keys (similar to dnssec-keymgr) if not available.
    • Introduce keymgr in named · 7e7aa538
      Matthijs Mekking authored
      Add a key manager to named.  If a 'dnssec-policy' is set, 'named'
      will run a key manager on the matching keys.  This will do a couple
      of things:

      1. Create keys when needed (in case of rollover for example)
         according to the set policy.

      2. Retire keys that are in excess of the policy.

      3. Maintain key states according to "Flexible and Robust Key
         Rollover" [1]. After the key manager has run, key files will be
         saved to disk.

         [1] https://matthijsmekking.nl/static/pdf/satin2012-Schaeffer.pdf

      KEY GENERATION

      Create keys according to DNSSEC policy.  Zones configured with
      'dnssec-policy' will allow 'named' to create DNSSEC keys (similar
      to dnssec-keymgr) if not available.

      KEY ROLLOVER

      Rather than determining the desired state from timing metadata,
      add a key state goal.  Any keys that are created or picked from the
      key ring and selected to be a successor have their key state goal set
      to OMNIPRESENT (this key wants to be signing!). At the same time,
      a key that is being retired has its key state goal set to HIDDEN.

      The keymgr state machine with the three rules will make sure no
      introduction or withdrawal of DNSSEC records happens too soon.

      KEY TIMINGS

      All timings are based on RFC 7583.

      The keymgr will return when the next action is happening so
      that the zone can set the proper rekey event. Prior to this change
      the rekey event ran every hour by default (configurable),
      but with kasp we can determine exactly when we need to run again.

      The prepublication time is derived from policy.
    • Useful dst_key functions · 314b90df
      Matthijs Mekking authored
      Add a couple of dst_key functions for determining hints that
      consider key states if they are available.
      - dst_key_is_unused:
        A key has no timing metadata set other than Created.
      - dst_key_is_published:
        A key has publish timing metadata <= now, DNSKEY state in
        RUMOURED or OMNIPRESENT.
      - dst_key_is_active:
        A key has active timing metadata <= now, RRSIG state in
        RUMOURED or OMNIPRESENT.
      - dst_key_is_signing:
        KSK is_signing and is_active mean different things than
        for a ZSK. A ZSK that is active is also signing, but
        a KSK always signs its DNSKEY RRset and is considered
        active if its DS is present (rumoured or omnipresent).
      - dst_key_is_revoked:
        A key has revoke timing metadata <= now.
      - dst_key_is_removed:
        A key has delete timing metadata <= now, DNSKEY state in
        UNRETENTIVE or HIDDEN.
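The six hints listed in that commit combine timing metadata with key states. As an added illustration for this page (it is not BIND's lib/dns/dst code and not code from the commit), the following C model implements them; the struct, the 0-means-unset timing convention, the choice to prefer states over timing whenever a state file was read, and the KSK-versus-ZSK reading of is_active/is_signing are this example's own assumptions:

```c
/* Added model of the dst_key_is_* hints; not BIND's code. Type, field and
 * function names, and the rules below, are this example's assumptions. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Key states as recorded in a .state file; ST_NA means "no state recorded". */
typedef enum { ST_NA, ST_HIDDEN, ST_RUMOURED, ST_OMNIPRESENT, ST_UNRETENTIVE } keystate_t;

typedef struct {
	bool ksk, zsk;                 /* role flags (a CSK has both set) */
	/* Timing metadata as epoch seconds; 0 means "not set" (example convention). */
	uint32_t created, publish, active, revoke, remove;
	bool have_states;              /* true when a key state file was read */
	keystate_t dnskey, zrrsig, ds; /* DNSKEY, zone RRSIG and DS states */
} keyinfo_t;

static bool present(keystate_t s) {
	return s == ST_RUMOURED || s == ST_OMNIPRESENT;
}
static bool due(uint32_t when, uint32_t now) {
	return when != 0 && when <= now;
}

/* No timing metadata set other than Created. */
bool key_is_unused(const keyinfo_t *k) {
	return k->publish == 0 && k->active == 0 && k->revoke == 0 && k->remove == 0;
}
/* Publish <= now; with states, the DNSKEY must be RUMOURED or OMNIPRESENT. */
bool key_is_published(const keyinfo_t *k, uint32_t now) {
	if (k->have_states) return present(k->dnskey);
	return due(k->publish, now);
}
/* Active <= now; with states, a ZSK is active when its zone RRSIGs are
 * RUMOURED/OMNIPRESENT and a KSK when its DS is (this example's reading). */
bool key_is_active(const keyinfo_t *k, uint32_t now) {
	if (k->have_states) return k->zsk ? present(k->zrrsig) : present(k->ds);
	return due(k->active, now);
}
/* A ZSK signs iff it is active; a KSK signs its DNSKEY RRset as soon as that
 * DNSKEY is in the zone, whether or not the DS has been published yet. */
bool key_is_signing(const keyinfo_t *k, uint32_t now) {
	if (k->ksk) return k->have_states ? present(k->dnskey) : due(k->active, now);
	return key_is_active(k, now);
}
bool key_is_revoked(const keyinfo_t *k, uint32_t now) {
	return due(k->revoke, now);
}
/* Delete <= now; with states, the DNSKEY must be UNRETENTIVE or HIDDEN. */
bool key_is_removed(const keyinfo_t *k, uint32_t now) {
	if (k->have_states) return k->dnskey == ST_UNRETENTIVE || k->dnskey == ST_HIDDEN;
	return due(k->remove, now);
}

int main(void) {
	/* Constructed sample: a KSK whose DNSKEY is omnipresent but DS only rumoured. */
	keyinfo_t ksk = { .ksk = true, .publish = 1000, .active = 1000, .have_states = true,
	                  .dnskey = ST_OMNIPRESENT, .ds = ST_RUMOURED };
	uint32_t now = 2000;
	printf("published=%d active=%d signing=%d removed=%d\n",
	       key_is_published(&ksk, now), key_is_active(&ksk, now),
	       key_is_signing(&ksk, now), key_is_removed(&ksk, now));
	return 0;
}
```

The point to take from the model is the KSK case: a KSK whose DS has not yet propagated still signs the DNSKEY RRset (is_signing true) but is not yet counted as active, which is exactly the distinction a rollover must respect before withdrawing the predecessor.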
    • kasp: Expose more key timings · 1f0d6296
      Matthijs Mekking authored
      When doing rollover in a timely manner we need to have access to the
      relevant kasp configured durations.

      Most of these are simple get functions, but 'dns_kasp_signdelay'
      will calculate the maximum time that is needed with this policy to
      resign the complete zone (taking into account the refresh interval
      and signature validity).

      Introduce parent-propagation-delay, parent-registration-delay,
      parent-ds-ttl, zone-max-ttl, zone-propagation-delay.
    • keygen/settime: Write out successor/predecessor · dcf79ce6
      Matthijs Mekking authored
      When creating a successor key, or calculating time for a successor
      key, write out the successor and predecessor metadata to the
      related files.
    • arm: Update DNSSEC documentation · da0ae529
      Matthijs Mekking authored
    • Allow DNSSEC records in kasp enabled zone · 53e76f88
      Matthijs Mekking authored
      When signing a zone with dnssec-policy, we don't mind DNSSEC records.
      This is useful for testing purposes, and perhaps it is better to
      signal this behavior with a different configuration option.
    • dnssec-settime: Allow manipulating state files · 72042a06
      Matthijs Mekking authored
      Introduce a new option '-s' for dnssec-settime that, when manipulating
      timing metadata, also updates the key state file.

      For testing purposes, add options to dnssec-settime to set key
      states and when they last changed.

      The dst code adds ways to write and read the new key states and
      timing metadata. It updates the parsing code for private key files
      to not parse the newly introduced metadata (these are for state
      files only).

      Introduce key goal (the state the key wants to be in).
    • Add functionality to read key state from disk · c55625b0
      Matthijs Mekking authored
      When reading a key from file, you can set the DST_TYPE_STATE option
      to also read the key state.

      This expects the Algorithm and Length fields to be above the metadata,
      so update the write functionality to do so accordingly.

      Introduce new DST metadata types for KSK, ZSK, Lifetime and the
      timing metadata used in state files.
    • Parse dnssec-policy config into kasp · 2924b19a
      Matthijs Mekking authored
      Add code that actually stores the configuration into the kasp
      structure and attach it to the appropriate zone.
    • dnssec-keygen can create keys given dnssec-policy · 09ac224c
      Matthijs Mekking authored
      This commit adds code for generating keys with dnssec-keygen given
      a specific dnssec-policy.

      The dnssec-policy can be set with a new option '-k'. The '-l'
      option can be used to set a configuration file that contains a
      specific dnssec-policy.

      Because the dnssec-policy dictates what the keys should look like,
      many of the existing dnssec-keygen options cannot be used together
      with '-k'.

      If the dnssec-policy lists multiple keys, dnssec-keygen can now
      generate multiple keys in one run.

      Add two tests for creating keys with '-k': One with the default
      policy, one with multiple keys from the configuration.
    • Add various get functions for kasp · 97a5698e
      Matthijs Mekking authored
      Write functions to access various elements of the kasp structure,
      and the kasp keys. This is in preparation for code in dnssec-keygen,
      dnssec-settime, named...
    • Update dst key code to maintain key state · 77d2895a
      Matthijs Mekking authored
      Add a number of metadata variables (lifetime, ksk and zsk role).

      For the roles we add a new type of metadata (booleans).

      Add a function to write the state of the key to a separate file.

      Only write out known metadata to private file.  With the
      introduction of the numeric metadata "Lifetime", adjust the write
      private key file functionality to only write out metadata it knows
      about.
    • 7f4d1dbd
      Matthijs Mekking authored
    • Fix: nums type in dst_keys · 68e8741c
      Matthijs Mekking authored
      This was isc_stdtime_t but should be uint32_t.
    • Nit: fix typo (dnsssec-signzone) · e6ee5486
      Matthijs Mekking authored
    • Add code for creating kasp from config · 7bfac503
      Matthijs Mekking authored
      Add code for creating, configuring, and destroying KASP keys.  When
      using the default policy, create one CSK, no rollover.
    • dnssec-keygen: Move keygen function above main · 1a9692f5
      Matthijs Mekking authored
      This is done in a separate commit to make the diff easier to read.
    • dnssec-keygen: Move key gen code in own function · 2829e294
      Matthijs Mekking authored
      In preparation for key generation with dnssec-policy, where multiple
      keys may be created.
    • Sync options in dnssec-keygen · 48ce026d
      Matthijs Mekking authored
      Code and documentation were not in line:
      - Remove -z option from code
      - Remove -k option from docbook
      - Add -d option to docbook
      - Add -T option to docbook
    • Introduce kasp structure · e9ccebd9
      Matthijs Mekking authored
      This stores the dnssec-policy configuration and adds methods to
      create, destroy, and attach/detach, as well as find a policy with
      the same name in a list.

      Also, add structures and functions for creating and destroying
      kasp keys.
    • Introduce dnssec-policy configuration · a50d707f
      Matthijs Mekking authored
      This commit introduces the initial `dnssec-policy` configuration
      statement. It has an initial set of options to deal with signature
      and key maintenance.

      Add some checks to ensure that dnssec-policy is configured at the
      right locations, and that policies referenced in zone statements
      actually exist.

      Add some checks that when a user adds the new `dnssec-policy`
      configuration, it will no longer contain existing DNSSEC
      configuration options.  Specifically: `inline-signing`,
      `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`,
      `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`,
      and `sig-validity-interval`.

      Test a good kasp configuration, and some bad configurations.
    • Design documentation 'dnssec-policy' · 1fbd8bb1
      Matthijs Mekking authored
      Initial design document.
    • Extend ttlval to accept ISO 8601 durations · b7c5bfb2
      Matthijs Mekking authored
      The ttlval configuration types are replaced by duration configuration
      types. The duration is an ISO 8601 duration that is going to be used
      for DNSSEC key timings such as key lifetimes, signature resign
      intervals and refresh periods, etc. But it is also still allowed to
      use the BIND ttlval ways of configuring intervals (number plus
      optional unit).

      A duration is stored as an array of 7 different time parts.
      A duration can either be expressed in weeks, or in a combination of
      the other datetime indicators.

      Add several unit tests to ensure the correct value is parsed given
      different string values.
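To make the ttlval/ISO 8601 distinction in that commit concrete, here is an added parser written for this page (not BIND's isccfg code and not code from the commit) that stores a duration as the seven parts the message describes, enforces the weeks-only rule, and still accepts the number-plus-unit ttlval syntax. The type and function names, the rule that a bare ttlval number means seconds, and the 365-day/30-day factors used to flatten to seconds are this example's assumptions:

```c
/* Added duration parser modelled on the commit message; not BIND's isccfg
 * code. Names, the bare-number-is-seconds rule and the conversion factors
 * are this example's assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { D_YEARS, D_MONTHS, D_WEEKS, D_DAYS, D_HOURS, D_MINUTES, D_SECONDS, D_PARTS };

typedef struct {
	uint32_t parts[D_PARTS];
	bool iso8601; /* true if parsed from the ISO 8601 form, false for ttlval */
} duration_t;

/* Read one decimal number; false on overflow or if no digit is present. */
static bool read_num(const char **p, uint32_t *out) {
	if (!isdigit((unsigned char)**p)) return false;
	char *end;
	unsigned long v = strtoul(*p, &end, 10);
	if (v > UINT32_MAX) return false;
	*out = (uint32_t)v;
	*p = end;
	return true;
}

/* "P1Y2M3DT4H5M6S" or "P2W": designators in order, each at most once, and
 * W cannot be combined with any other designator. */
static bool parse_iso8601(const char *s, duration_t *d) {
	const char *p = s + 1; /* skip the leading 'P' */
	bool in_time = false, has_weeks = false;
	int last = -1, nparts = 0, tparts = 0;
	while (*p != '\0') {
		if (*p == 'T') {
			if (in_time) return false;
			in_time = true;
			p++;
			continue;
		}
		uint32_t v;
		if (!read_num(&p, &v)) return false;
		int idx;
		switch (*p) {
		case 'Y': idx = D_YEARS; break;
		case 'M': idx = in_time ? D_MINUTES : D_MONTHS; break;
		case 'W': idx = D_WEEKS; has_weeks = true; break;
		case 'D': idx = D_DAYS; break;
		case 'H': idx = D_HOURS; break;
		case 'S': idx = D_SECONDS; break;
		default: return false;
		}
		if ((idx >= D_HOURS) != in_time) return false; /* H, M(inutes), S need the T */
		if (idx <= last) return false;                /* out of order or repeated */
		d->parts[idx] = v;
		last = idx;
		nparts++;
		if (in_time) tparts++;
		p++;
	}
	if (nparts == 0 || (in_time && tparts == 0)) return false;
	return !(has_weeks && nparts > 1);
}

/* ttlval: "3600", "1h", "1w2d", "30m"; a bare number is seconds. */
static bool parse_ttlval(const char *s, duration_t *d) {
	const char *p = s;
	if (*p == '\0') return false;
	while (*p != '\0') {
		uint32_t v;
		if (!read_num(&p, &v)) return false;
		int idx;
		switch (tolower((unsigned char)*p)) {
		case 'w': idx = D_WEEKS; p++; break;
		case 'd': idx = D_DAYS; p++; break;
		case 'h': idx = D_HOURS; p++; break;
		case 'm': idx = D_MINUTES; p++; break;
		case 's': idx = D_SECONDS; p++; break;
		case '\0': idx = D_SECONDS; break;
		default: return false;
		}
		d->parts[idx] += v;
	}
	return true;
}

/* Entry point: ISO 8601 if the string starts with 'P', otherwise ttlval. */
bool parse_duration(const char *s, duration_t *d) {
	memset(d, 0, sizeof(*d));
	d->iso8601 = (s[0] == 'P');
	return d->iso8601 ? parse_iso8601(s, d) : parse_ttlval(s, d);
}

/* Flatten to seconds using 365-day years and 30-day months (example's choice). */
uint32_t duration_to_seconds(const duration_t *d) {
	static const uint32_t mult[D_PARTS] = { 31536000, 2592000, 604800, 86400, 3600, 60, 1 };
	uint64_t total = 0;
	for (int i = 0; i < D_PARTS; i++) total += (uint64_t)d->parts[i] * mult[i];
	return total > UINT32_MAX ? UINT32_MAX : (uint32_t)total;
}

int main(void) {
	/* Constructed samples: valid and invalid forms of both syntaxes. */
	const char *samples[] = { "P1Y2M3DT4H5M6S", "P2W", "P1W2D", "1h30m", "3600", "PT" };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		duration_t d;
		bool ok = parse_duration(samples[i], &d);
		printf("%-16s %s", samples[i], ok ? "ok" : "invalid");
		if (ok) printf(" = %u s", duration_to_seconds(&d));
		printf("\n");
	}
	return 0;
}
```

Note that "P1W2D" is rejected while the ttlval "1w2d" is accepted: the weeks-exclusive rule belongs to the ISO 8601 form only, which is why the parser records which syntax it saw.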
    • Change indentation in doc/arm/dnssec.xml · c67379fb
      Matthijs Mekking authored
      This commit does not change anything significant; it just makes
      the file more readable in preparation for upcoming changes related
      to the `dnssec-policy` configuration option.
    • Merge branch '1206-fix-tcp-high-water-release-note' into 'master' · 799e95b1
      Michał Kępień authored
      Fix TCP high-water release note

      Closes #1206

      See merge request !2541
    • Fix TCP high-water release note · d0a3273d
      Michał Kępień authored
      Add missing GitLab issue number to the TCP high-water release note.
    • Merge branch '1298-do-not-use-sys-sysctl.h-on-linux' into 'master' · db670fcd
      Michał Kępień authored
      Do not use <sys/sysctl.h> on Linux

      Closes #1298

      See merge request !2525
    • Do not use <sys/sysctl.h> on Linux · 65a8b53b
      Michał Kępień authored
      glibc 2.30 deprecated the <sys/sysctl.h> header [1].  However, that
      header is still used on other Unix-like systems, so only prevent it from
      being used on Linux, in order to prevent compiler warnings from being
      triggered.

      [1] https://sourceware.org/ml/libc-alpha/2019-08/msg00029.html
    • Merge branch '1206-add-assert_int_equal-shell-function' into 'master' · 89f874e6
      Michał Kępień authored
      Add assert_int_equal() shell function

      Closes #1206

      See merge request !2535
    • Add assert_int_equal() shell function · 8bb7f1f2
      Michał Kępień authored
      Add a shell function which is used in the "tcp" system test, but has
      been accidentally omitted from !2425.  Make sure the function does not
      change the value of "ret" itself, so that the caller can decide what to
      do with the function's return value.
    • Merge branch '1256-jitter-dynamically-updated-signatures' into 'master' · 54b92a04
      Ondřej Surý authored
      Resolve "Signature Expiration Jitter not working for dynamic NSEC3 zones"

      Closes #1256

      See merge request !2451
    • Add CHANGES · 00569e0d
      Ondřej Surý authored
    • Test jitter distribution · 540b90fd
      Matthijs Mekking authored
      Test jitter distribution in NSEC3 dynamic zone and for a zone that has old
      signatures.  In both cases the generated signatures should be spread nicely.
    • Jitter signatures times when adding dynamic records. · 6b2fd402
      Witold Krecicki authored
      When doing regular signing, the expiry time is jittered to make sure
      that the re-signing times are not clumped together. This expands
      this behaviour to expiry times of dynamically added records.

      When incrementally re-signing a zone, use the full jitter range if
      the server appears to have been offline for greater than 5 minutes;
      otherwise use a small jitter range of 3600 seconds.  This will stop
      the signatures becoming more clustered if the server has been
      offline for a significant period of time (> 5 minutes).