- 06 Nov, 2019 40 commits
-
-
Matthijs Mekking authored
Add tests for ZSK Pre-Publication and KSK Double-KSK rollover. Includes tests that the next key event is scheduled at the right time.
-
Matthijs Mekking authored
Add more tests for kasp:
- Add tests for different algorithms.
- Add a test to ensure that an edit in an unsigned zone is picked up and properly signed.
- Add two tests that ensure that a zone gets signed when it is configured as so-called 'inline-signing'. In other words, a secondary zone that is configured with a 'dnssec-policy'. A zone that is transferred over AXFR or IXFR will get signed.
- Add a test to ensure signatures are reused if they are still fresh enough.
- Add two more tests to verify that expired and unfresh signatures will be regenerated.
- Add tests for various cases with keys already available in the key-directory.
-
Matthijs Mekking authored
A significant refactor of the kasp system test in an attempt to make the test script somewhat brief. When writing a test case, you can/should use the functions 'zone_properties', 'key_properties', and 'key_timings' to set the expected values when checking a key with 'check_key'. All four of these functions can be used to set environment variables that come in handy when testing output.
-
Matthijs Mekking authored
Update the signing code in lib/dns/zone.c and lib/dns/update.c to use kasp logic if a dnssec-policy is enabled. This means zones with dnssec-policy should no longer follow 'update-check-ksk' and 'dnssec-dnskey-kskonly' logic; instead the KASP keys configured dictate which RRset gets signed with what key. Also use the next rekey event from the key manager rather than setting it to one hour. Mark the zone dynamic, as otherwise a zone with dnssec-policy is not eligible for automatic DNSSEC maintenance.
-
Matthijs Mekking authored
Update dns_dnssec_get_hints and dns_dnssec_keyactive to use dst_key functions and thus if dnssec-policy/KASP is used the key states are being considered. Add a new variable to 'struct dns_dnsseckey' to signal whether this key is a zone-signing key (it is no longer true that ksk == !zsk). Also introduce a hint for revoke. Update 'dns_dnssec_findzonekeys' and 'dns_dnssec_findmatchingkeys' to also read the key state file, if available. Remove 'allzsk' from 'dns_dnssec_updatekeys' as this was only a hint for logging. Also make get_hints() (now dns_dnssec_get_hints()) public so that we can use it in the key manager.
-
Matthijs Mekking authored
If a zone has a dnssec-policy set, use signature validity, dnskey signature validity, and signature refresh from dnssec-policy. Zones configured with 'dnssec-policy' will allow 'named' to create DNSSEC keys (similar to dnssec-keymgr) if not available.
-
Matthijs Mekking authored
Add a key manager to named. If a 'dnssec-policy' is set, 'named' will run a key manager on the matching keys. This will do a couple of things:
1. Create keys when needed (in case of rollover for example) according to the set policy.
2. Retire keys that are in excess of the policy.
3. Maintain key states according to "Flexible and Robust Key Rollover" [1].
After the key manager has run, key files will be saved to disk.

[1] https://matthijsmekking.nl/static/pdf/satin2012-Schaeffer.pdf

KEY GENERATION
Create keys according to DNSSEC policy. Zones configured with 'dnssec-policy' will allow 'named' to create DNSSEC keys (similar to dnssec-keymgr) if not available.

KEY ROLLOVER
Rather than determining the desired state from timing metadata, add a key state goal. Any key that is created or picked from the key ring and selected to be a successor has its key state goal set to OMNIPRESENT (this key wants to be signing!). At the same time, a key that is being retired has its key state goal set to HIDDEN. The keymgr state machine with the three rules will make sure no introduction or withdrawal of DNSSEC records happens too soon.

KEY TIMINGS
All timings are based on RFC 7583. The keymgr will return when the next action is happening so that the zone can set the proper rekey event. Prior to this change the rekey event would run every hour by default (configurable), but with kasp we can determine exactly when we need to run again. The prepublication time is derived from policy.
-
Matthijs Mekking authored
Add a couple of dst_key functions for determining hints that consider key states if they are available.
- dst_key_is_unused: A key has no timing metadata set other than Created.
- dst_key_is_published: A key has publish timing metadata <= now, DNSKEY state in RUMOURED or OMNIPRESENT.
- dst_key_is_active: A key has active timing metadata <= now, RRSIG state in RUMOURED or OMNIPRESENT.
- dst_key_is_signing: For a KSK, is_signing and is_active mean different things than for a ZSK. A ZSK being active means it is also signing, but a KSK always signs its DNSKEY RRset and is considered active if its DS is present (rumoured or omnipresent).
- dst_key_is_revoked: A key has revoke timing metadata <= now.
- dst_key_is_removed: A key has delete timing metadata <= now, DNSKEY state in UNRETENTIVE or HIDDEN.
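An added illustrative model, in Python, of the hint predicates this commit describes. It is not BIND code and does not call the dst API: the Key class, its field names, and the rule that a key state (when a state file exists) takes precedence over the timing metadata are assumptions chosen to make the semantics visible. Note the caveat on is_removed: a freshly generated key starts out in HIDDEN, so the Delete time must also have passed before a key counts as removed.

```python
from dataclasses import dataclass
from typing import Optional

# Key states as named on this page; PRESENT covers "in the zone or on its way in".
HIDDEN, RUMOURED, OMNIPRESENT, UNRETENTIVE = "HIDDEN", "RUMOURED", "OMNIPRESENT", "UNRETENTIVE"
PRESENT = (RUMOURED, OMNIPRESENT)


@dataclass
class Key:
    """Hypothetical stand-in for a dst key: role flags, timing metadata and optional states."""
    ksk: bool
    zsk: bool
    created: int                          # Unix time; always set
    publish: Optional[int] = None         # timing metadata, None when not set
    active: Optional[int] = None
    revoke: Optional[int] = None
    delete: Optional[int] = None
    dnskey_state: Optional[str] = None    # None means no state file is available
    rrsig_state: Optional[str] = None     # zone RRSIG state (ZSK role)
    ds_state: Optional[str] = None        # DS state at the parent (KSK role)


def _due(when: Optional[int], now: int) -> bool:
    return when is not None and when <= now


def is_unused(key: Key) -> bool:
    """No timing metadata set other than Created."""
    return all(t is None for t in (key.publish, key.active, key.revoke, key.delete))


def is_published(key: Key, now: int) -> bool:
    """DNSKEY in the zone: the state decides when a state file exists, else the Publish time."""
    if key.dnskey_state is not None:
        return key.dnskey_state in PRESENT
    return _due(key.publish, now)


def is_signing(key: Key, now: int) -> bool:
    """Is the key producing signatures right now?"""
    if key.ksk and not key.zsk:
        # A KSK always signs its DNSKEY RRset for as long as that RRset carries it.
        return is_published(key, now)
    if key.rrsig_state is not None:
        return key.rrsig_state in PRESENT
    return _due(key.active, now)


def is_active(key: Key, now: int) -> bool:
    """For a ZSK 'active' equals 'signing'; for a KSK it means the DS is (becoming) present."""
    if key.ksk and not key.zsk:
        if key.ds_state is not None:
            return key.ds_state in PRESENT
        return _due(key.active, now)
    return is_signing(key, now)


def is_revoked(key: Key, now: int) -> bool:
    return _due(key.revoke, now)


def is_removed(key: Key, now: int) -> bool:
    """Delete time has passed and, if a state file exists, the DNSKEY is withdrawn or gone.
    Requiring the Delete time keeps a new key in its initial HIDDEN state from counting."""
    if not _due(key.delete, now):
        return False
    return key.dnskey_state is None or key.dnskey_state in (UNRETENTIVE, HIDDEN)


if __name__ == "__main__":
    NOW = 1_573_000_000
    # KSK mid-rollover: DNSKEY already everywhere, DS submitted but not yet seen everywhere.
    ksk = Key(True, False, NOW - 86400, publish=NOW - 3600,
              dnskey_state=OMNIPRESENT, ds_state=RUMOURED)
    # Legacy ZSK without a state file: published, but its Active time is still in the future.
    zsk = Key(False, True, NOW - 86400, publish=NOW - 3600, active=NOW + 3600)
    print("ksk signing/active:", is_signing(ksk, NOW), is_active(ksk, NOW))
    print("zsk published/signing:", is_published(zsk, NOW), is_signing(zsk, NOW))
```

The state-overrides-timing interpretation matters for mixed deployments: keys created by older tooling have only timing metadata, keys managed under a dnssec-policy also have a state file, and the same predicate has to give sensible answers for both.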
-
Matthijs Mekking authored
When doing rollover in a timely manner we need to have access to the relevant kasp configured durations. Most of these are simple get functions, but 'dns_kasp_signdelay' will calculate the maximum time that is needed with this policy to resign the complete zone (taking into account the refresh interval and signature validity). Introduce parent-propagation-delay, parent-registration-delay, parent-ds-ttl, zone-max-ttl, zone-propagation-delay.
-
Matthijs Mekking authored
When creating a successor key, or calculating time for a successor key, write out the successor and predecessor metadata to the related files.
-
Matthijs Mekking authored
-
Matthijs Mekking authored
When signing a zone with dnssec-policy, we don't mind DNSSEC records. This is useful for testing purposes, and perhaps it is better to signal this behavior with a different configuration option.
-
Matthijs Mekking authored
Introduce a new option '-s' for dnssec-settime so that, when manipulating timing metadata, it also updates the key state file. For testing purposes, add options to dnssec-settime to set key states and when they last changed. The dst code adds ways to write and read the new key states and timing metadata. It updates the parsing code for private key files to not parse the newly introduced metadata (these are for state files only). Introduce key goal (the state the key wants to be in).
-
Matthijs Mekking authored
When reading a key from file, you can set the DST_TYPE_STATE option to also read the key state. This expects the Algorithm and Length fields to go above the metadata, so update the write functionality to do so accordingly. Introduce new DST metadata types for KSK, ZSK, Lifetime and the timing metadata used in state files.
-
Matthijs Mekking authored
Add code that actually stores the configuration into the kasp structure and attach it to the appropriate zone.
-
Matthijs Mekking authored
This commit adds code for generating keys with dnssec-keygen given a specific dnssec-policy. The dnssec-policy can be set with a new option '-k'. The '-l' option can be used to set a configuration file that contains a specific dnssec-policy. Because the dnssec-policy dictates what the keys should look like, many of the existing dnssec-keygen options cannot be used together with '-k'. If the dnssec-policy lists multiple keys, dnssec-keygen can now generate multiple keys in one run. Add two tests for creating keys with '-k': one with the default policy, one with multiple keys from the configuration.
-
Matthijs Mekking authored
Write functions to access various elements of the kasp structure, and the kasp keys. This is in preparation for code in dnssec-keygen, dnssec-settime, named...
-
Matthijs Mekking authored
Add a number of metadata variables (lifetime, ksk and zsk role). For the roles we add a new type of metadata (booleans). Add a function to write the state of the key to a separate file. Only write out known metadata to the private file. With the introduction of the numeric metadata "Lifetime", adjust the write private key file functionality to only write out metadata it knows about.
-
Matthijs Mekking authored
-
Matthijs Mekking authored
This was isc_stdtime_t but should be uint32_t.
-
Matthijs Mekking authored
-
Matthijs Mekking authored
Add code for creating, configuring, and destroying KASP keys. When using the default policy, create one CSK, no rollover.
-
Matthijs Mekking authored
This is done in a separate commit to make diff easier.
-
Matthijs Mekking authored
In preparation for key generation with dnssec-policy, where multiple keys may be created.
-
Matthijs Mekking authored
Code and documentation were not in line:
- Remove -z option from code
- Remove -k option from docbook
- Add -d option to docbook
- Add -T option to docbook
-
Matthijs Mekking authored
This stores the dnssec-policy configuration and adds methods to create, destroy, and attach/detach, as well as find a policy with the same name in a list. Also, add structures and functions for creating and destroying kasp keys.
-
Matthijs Mekking authored
This commit introduces the initial `dnssec-policy` configuration statement. It has an initial set of options to deal with signature and key maintenance. Add some checks to ensure that dnssec-policy is configured at the right locations, and that policies referenced in zone statements actually exist. Add some checks that when a user adds the new `dnssec-policy` configuration, it will no longer contain existing DNSSEC configuration options. Specifically: `inline-signing`, `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`, `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`, and `sig-validity-interval`. Test a good kasp configuration, and some bad configurations.
-
Matthijs Mekking authored
Initial design document.
-
Matthijs Mekking authored
The ttlval configuration types are replaced by duration configuration types. The duration is an ISO 8601 duration that is going to be used for DNSSEC key timings such as key lifetimes, signature resign intervals and refresh periods, etc. But it is also still allowed to use the BIND ttlval ways of configuring intervals (number plus optional unit). A duration is stored as an array of 7 different time parts. A duration can either be expressed in weeks, or in a combination of the other datetime indicators. Add several unit tests to ensure the correct value is parsed given different string values.
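An added Python example, not the project's parser, of the duration format this commit describes: an ISO 8601 duration (either PnW, or any combination of the other six designators) or a BIND ttlval (number plus optional unit), stored as a seven-slot array. The regular expressions, the rejection rules for malformed input, and the 365-day year and 30-day month used by to_seconds are assumptions of this example. The practical trap it guards against is that `P1M` is one month, `PT1M` one minute, and ttlval `1m` also one minute, which matters a great deal for a key lifetime.

```python
import re

# Slot order of the seven-part array: years, months, weeks, days, hours, minutes, seconds.
PARTS = ("Y", "M", "W", "D", "h", "m", "s")

# ISO 8601 duration; the date part is matched with uppercase input, the time part after 'T'.
_ISO8601 = re.compile(
    r"P(?:(?P<Y>\d+)Y)?(?:(?P<M>\d+)M)?(?:(?P<W>\d+)W)?(?:(?P<D>\d+)D)?"
    r"(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?"
)
# BIND-style ttlval: a number with an optional single unit (seconds when absent).
_TTLVAL = re.compile(r"(\d+)([smhdw]?)")
_UNIT = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}


def parse_duration(text: str) -> list:
    """Return [Y, M, W, D, h, m, s] for an ISO 8601 duration or a ttlval; raise on bad input."""
    upper = text.strip().upper()
    iso = _ISO8601.fullmatch(upper)
    if iso:
        found = {k: iso.group(k) for k in PARTS if iso.group(k) is not None}
        if not found:
            raise ValueError(f"empty duration: {text!r}")
        if "T" in upper and not any(k in found for k in ("h", "m", "s")):
            raise ValueError(f"time designator without time parts: {text!r}")
        if "W" in found and len(found) > 1:
            raise ValueError(f"weeks cannot be combined with other parts: {text!r}")
        return [int(found.get(k, 0)) for k in PARTS]
    ttl = _TTLVAL.fullmatch(text.strip().lower())
    if ttl:
        # ttlval is stored purely as seconds: every calendar slot stays zero.
        return [0, 0, 0, 0, 0, 0, int(ttl.group(1)) * _UNIT[ttl.group(2)]]
    raise ValueError(f"not an ISO 8601 duration or ttlval: {text!r}")


def to_seconds(parts: list, year: int = 365 * 86400, month: int = 30 * 86400) -> int:
    """Approximate the duration in seconds; the year and month lengths are assumptions of
    this example, not a calendar-exact conversion."""
    y, mo, w, d, h, mi, s = parts
    return y * year + mo * month + w * 7 * 86400 + d * 86400 + h * 3600 + mi * 60 + s


if __name__ == "__main__":
    for sample in ("P1Y2M3DT4H5M6S", "P2W", "P1M", "PT1M", "1m", "2w", "3600"):
        parts = parse_duration(sample)
        print(f"{sample:>16} -> {parts} = {to_seconds(parts)} s")
    for bad in ("P", "PT", "P1DT", "P1W1D", "1x"):
        try:
            parse_duration(bad)
        except ValueError as err:
            print("rejected:", err)
```

Rejecting `P1W1D` and a dangling `T` up front is cheap and avoids silently storing a truncated duration for a key lifetime or signature validity.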
-
Matthijs Mekking authored
This commit does not change anything significant, it just makes the file more readable in preparation for upcoming changes related to the `dnssec-policy` configuration option.
-
Michał Kępień authored
Fix TCP high-water release note Closes #1206 See merge request !2541
-
Michał Kępień authored
Add missing GitLab issue number to the TCP high-water release note.
-
Michał Kępień authored
Do not use <sys/sysctl.h> on Linux Closes #1298 See merge request !2525
-
Michał Kępień authored
glibc 2.30 deprecated the <sys/sysctl.h> header [1]. However, that header is still used on other Unix-like systems, so only prevent it from being used on Linux, in order to prevent compiler warnings from being triggered. [1] https://sourceware.org/ml/libc-alpha/2019-08/msg00029.html
-
Michał Kępień authored
Add assert_int_equal() shell function Closes #1206 See merge request !2535
-
Michał Kępień authored
Add a shell function which is used in the "tcp" system test, but was accidentally omitted from !2425. Make sure the function does not change the value of "ret" itself, so that the caller can decide what to do with the function's return value.
-
Ondřej Surý authored
Resolve "Signature Expiration Jitter not working for dynamic NSEC3 zones" Closes #1256 See merge request !2451
-
Ondřej Surý authored
-
Matthijs Mekking authored
Test jitter distribution in NSEC3 dynamic zone and for a zone that has old signatures. In both cases the generated signatures should be spread nicely.
-
Witold Krecicki authored
When doing regular signing, the expiry time is jittered to make sure that the re-signing times are not clumped together. This expands this behaviour to the expiry times of dynamically added records. When incrementally re-signing a zone, use the full jitter range if the server appears to have been offline for more than 5 minutes; otherwise use a small jitter range of 3600 seconds. This will stop the signatures becoming more clustered if the server has been offline for a significant period of time (> 5 minutes).
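An added Python model, not BIND code, of the signature lifecycle rules on this page: the jitter-window choice described in this commit, the reuse-while-fresh rule exercised by the kasp tests above (signatures are reused while still fresh and regenerated when expired or unfresh), and the notion of a policy sign delay from the kasp durations commit. The configured full jitter range `jitter`, the `sign_delay` formula (validity minus refresh), and the sample numbers are assumptions made for illustration.

```python
import random

OFFLINE_THRESHOLD = 5 * 60   # seconds; beyond this the server "appears to have been offline"
INCREMENTAL_JITTER = 3600    # small jitter range for incremental re-signing after a short gap


def jitter_span(now, last_run, incremental, jitter):
    """Jitter window for this pass: the full configured range (`jitter`, an assumed setting)
    for regular signing or when the server was offline for more than 5 minutes, otherwise
    the small 3600 s range so incremental updates stay spread out."""
    if incremental and (now - last_run) <= OFFLINE_THRESHOLD:
        return min(jitter, INCREMENTAL_JITTER)
    return jitter


def signature_expiry(now, validity, span, rng):
    """Nominal expiry minus a random offset in [0, span): jitter only shortens a signature's
    life, so nothing outlives the validity period."""
    return now + validity - (rng.randrange(span) if span > 0 else 0)


def needs_resign(now, expire, refresh):
    """Reuse a signature while it is fresh; regenerate it once it is within `refresh`
    seconds of expiry, or already expired."""
    return expire - refresh <= now


def sign_delay(validity, refresh):
    """Worst-case time needed to resign the whole zone under a policy (assumed here to be
    validity minus refresh: the window in which every signature must be renewed)."""
    return validity - refresh


def sign_batch(now, validity, jitter, last_run, incremental, count, seed=1):
    """Expiry times for `count` records signed in one pass (constructed scenario, seeded RNG)."""
    rng = random.Random(seed)
    span = jitter_span(now, last_run, incremental, jitter)
    return [signature_expiry(now, validity, span, rng) for _ in range(count)]


if __name__ == "__main__":
    NOW, VALIDITY, JITTER, REFRESH = 1_573_000_000, 14 * 86400, 3 * 86400, 5 * 86400
    recent = sign_batch(NOW, VALIDITY, JITTER, last_run=NOW - 60, incremental=True, count=5)
    outage = sign_batch(NOW, VALIDITY, JITTER, last_run=NOW - 3600, incremental=True, count=5)
    print("spread after a recent run:", max(recent) - min(recent))
    print("spread after a one-hour outage:", max(outage) - min(outage))
    print("resign with 4 days left?", needs_resign(NOW, NOW + 4 * 86400, REFRESH))
    print("policy sign delay (s):", sign_delay(VALIDITY, REFRESH))
```

The point of the two windows is visible in the spreads: with a recent last run the new signatures land within one hour of each other, which is fine because they join an already well-spread population; after an outage they are spread over the full range so the backlog does not all come due at once.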
-