1. 07 Nov, 2019 25 commits
  2. 06 Nov, 2019 15 commits
      Merge branch '1134-dnssec-made-easy' into 'master' · e7a9f52f
      Matthijs Mekking authored
      DNSSEC Made Easy
      Closes #1134
      See merge request !2458
      Fix checkconf test · bae0edbf
      Matthijs Mekking authored
      dnssec-policy inheritance from options/view · 5f464d15
      Matthijs Mekking authored
      'dnssec-policy' can now also be set on the options and view level and
      a zone that does not set 'dnssec-policy' explicitly will inherit it
      from the view or options level.
      This requires a new keyword to be introduced: 'none'.  If set to
      'none' the zone will not be DNSSEC maintained, in other words it will
      stay unsigned.  You can use this to break the inheritance.  Of course
      you can also break the inheritance by referring to a different
      The keywords 'default' and 'none' are not allowed when configuring
      your own dnssec-policy statement.
      Add appropriate tests for checking the configuration (checkconf)
      and add tests to the kasp system test to verify the inheritance.
      Edit the kasp system test such that it can deal with unsigned zones
      and views (so setting a TSIG on the query).
      Insist that kasp is not linked. · 5eedd365
      Mark Andrews authored
      Make kasp opaque · f11ce448
      Matthijs Mekking authored
      kasp.c: return parenthesis (style) and REQUIRE · 70da58c8
      Matthijs Mekking authored
      This code was missing a lot of return parentheses (violating our
      style guide) and was missing a REQUIRE in 'dns_kasplist_find()'.
      Add tests for CDS/CDNSKEY publication · c3e0ac86
      Matthijs Mekking authored
      The kasp system tests are updated with 'check_cds' calls that will
      verify that the correct CDS and CDNSKEY records are published during
      a rollover and that they are signed with the correct KSK.
      This requires a change in 'dnssec.c' to check the kasp key states
      to decide whether the CDS/CDNSKEY of a key should be published or not.  If no
      kasp state exists, fall back to key timings.
      sign_apex() should also consider CDS/CDNSKEY · 2e46dcbb
      Matthijs Mekking authored
      The 'sign_apex()' function has special processing for signing the
      DNSKEY RRset such that it will always be signed with the active
      KSK.  Since CDS and CDNSKEY are also signed with the KSK, it
      should have the same special processing.  The special processing is
      moved into a new function 'tickle_apex_rrset()' and is applied to
      all three RR types (DNSKEY, CDS, CDNSKEY).
      In addition, when kasp is involved, update the DNSKEY TTL accordingly
      to what is in the policy.
      Add dst_key_copy_metadata function. · 1211c348
      Matthijs Mekking authored
      When updating DNSSEC keys we would like to be able to copy the
      metadata from one key to another.
      KASP timings all uint32_t · 29e6ec31
      Matthijs Mekking authored
      Get rid of the warnings in the Windows build.
      Test CSK rollover · 9fbc8691
      Matthijs Mekking authored
      Test two CSK rollover scenarios, one where the DS is swapped before the zone
      signatures are all replaced, and one where the signatures are replaced sooner
      than the DS is swapped.
      Code changes for CSK · 67033bfd
      Matthijs Mekking authored
      Update dns_dnssec_keyactive to differentiate between the roles ZSK
      and KSK.  A key is active if it is signing but that differs per role.
      A ZSK is signing if its ZRRSIG state is in RUMOURED or OMNIPRESENT,
      a KSK is signing if its KRRSIG state is in RUMOURED or OMNIPRESENT.
      This means that a key can be actively signing for one role but not
      the other.  Add checks in inline signing (zone.c and update.c) to
      cover the case where a CSK is active in its KSK role but not the ZSK
      Use keywords in dnssec-policy keys configuration · 6468ffc3
      Matthijs Mekking authored
      Add keywords 'lifetime' and 'algorithm' to make the key configuration
      more clear.
      Test ZSK and KSK rollover · 36c72bf3
      Matthijs Mekking authored
      Add tests for ZSK Pre-Publication and KSK Double-KSK rollover.
      Includes tests that the next key event is scheduled at the right time.