1. 06 Nov, 2019 40 commits
    • Matthijs Mekking's avatar
      dnssec-policy inheritance from options/view · 5f464d15
      Matthijs Mekking authored
      'dnssec-policy' can now also be set on the options and view level and
      a zone that does not set 'dnssec-policy' explicitly will inherit it
      from the view or options level.
      
      This requires a new keyword to be introduced: 'none'.  If set to
      'none' the zone will not be DNSSEC maintained, in other words it will
      stay unsigned.  You can use this to break the inheritance.  Of course
      you can also break the inheritance by referring to a different
      policy.
      
      The keywords 'default' and 'none' are not allowed when configuring
      your own dnssec-policy statement.
      
      Add appropriate tests for checking the configuration (checkconf)
      and add tests to the kasp system test to verify the inheritance
      works.
      
      Edit the kasp system test such that it can deal with unsigned zones
      and views (so setting a TSIG on the query).
      5f464d15
    • Mark Andrews's avatar
    • Mark Andrews's avatar
      Insist that kasp is not linked. · 5eedd365
      Mark Andrews authored
      5eedd365
    • Matthijs Mekking's avatar
      Make kasp opaque · f11ce448
      Matthijs Mekking authored
      f11ce448
    • Matthijs Mekking's avatar
      kasp.c: return parenthesis (style) and REQUIRE · 70da58c8
      Matthijs Mekking authored
      This code was missing a lot of return parenthesis (violating our
      style guide) and a missing REQUIRE in 'dns_kasplist_find()'.
      70da58c8
    • Matthijs Mekking's avatar
      Add tests for CDS/CDNSKEY publication · c3e0ac86
      Matthijs Mekking authored
      The kasp system tests are updated with 'check_cds' calls that will
      verify that the correct CDS and CDNSKEY records are published during
      a rollover and that they are signed with the correct KSK.
      
      This requires a change in 'dnssec.c' to check the kasp key states
      whether the CDS/CDNSKEY of a key should be published or not.  If no
      kasp state exist, fall back to key timings.
      c3e0ac86
    • Matthijs Mekking's avatar
      sign_apex() should also consider CDS/CDNSKEY · 2e46dcbb
      Matthijs Mekking authored
      The 'sign_apex()' function has special processing for signing the
      DNSKEY RRset such that it will always be signed with the active
      KSK.  Since CDS and CDNSKEY are also signed with the KSK, it
      should have the same special processing.  The special processing is
      moved into a new function 'tickle_apex_rrset()' and is applied to
      all three RR types (DNSKEY, CDS, CDNSKEY).
      
      In addition, when kasp is involved, update the DNSKEY TTL accordingly
      to what is in the policy.
      2e46dcbb
    • Matthijs Mekking's avatar
      Add dst_key_copy_metadata function. · 1211c348
      Matthijs Mekking authored
      When updating DNSSEC keys we would like to be able to copy the
      metadata from one key to another.
      1211c348
    • Matthijs Mekking's avatar
      KASP timings all uint32_t · 29e6ec31
      Matthijs Mekking authored
      Get rid of the warnings in the Windows build.
      29e6ec31
    • Matthijs Mekking's avatar
      Test CSK rollover · 9fbc8691
      Matthijs Mekking authored
      Test two CSK rollover scenarios, one where the DS is swapped before the zone
      signatures are all replaced, and one where the signatures are replaced sooner
      than the DS is swapped.
      9fbc8691
    • Matthijs Mekking's avatar
      Code changes for CSK · 67033bfd
      Matthijs Mekking authored
      Update dns_dnssec_keyactive to differentiate between the roles ZSK
      and KSK.  A key is active if it is signing but that differs per role.
      A ZSK is signing if its ZRRSIG state is in RUMOURED or OMNIPRESENT,
      a KSK is signing if its KRRSIG state is in RUMOURED or OMNIPRESENT.
      
      This means that a key can be actively signing for one role but not
      the other.  Add checks in inline signing (zone.c and update.c) to
      cover the case where a CSK is active in its KSK role but not the ZSK
      role.
      67033bfd
    • Matthijs Mekking's avatar
      Use keywords in dnssec-policy keys configuration · 6468ffc3
      Matthijs Mekking authored
      Add keywords 'lifetime' and 'algorithm' to make the key configuration
      more clear.
      6468ffc3
    • Matthijs Mekking's avatar
      Test ZSK and KSK rollover · 36c72bf3
      Matthijs Mekking authored
      Add tests for ZSK Pre-Publication and KSK Double-KSK rollover.
      
      Includes tests for next key event is scheduled at the right time.
      36c72bf3
    • Matthijs Mekking's avatar
      Add kasp tests · c9f1ec83
      Matthijs Mekking authored
      Add more tests for kasp:
      
      - Add tests for different algorithms.
      
      - Add a test to ensure that an edit in an unsigned zone is
        picked up and properly signed.
      
      - Add two tests that ensures that a zone gets signed when it is
        configured as so-called 'inline-signing'.  In other words, a
        secondary zone that is configured with a 'dnssec-policy'.  A zone
        that is transferred over AXFR or IXFR will get signed.
      
      - Add a test to ensure signatures are reused if they are still
        fresh enough.
      
      - Adds two more tests to verify that expired and unfresh signatures
        will be regenerated.
      
      - Add tests for various cases with keys already available in the
        key-directory.
      c9f1ec83
    • Matthijs Mekking's avatar
      Refactor kasp system test · 7c783ab9
      Matthijs Mekking authored
      A significant refactor of the kasp system test in an attempt to
      make the test script somewhat brief.  When writing a test case,
      you can/should use the functions 'zone_properties',
      'key_properties', and 'key_timings' to set the expected values
      when checking a key with 'check_key'. All these four functions
      can be used to set environment variables that come in handy when
      testing output.
      7c783ab9
    • Matthijs Mekking's avatar
      Adjust signing code to use kasp · c125b721
      Matthijs Mekking authored
      Update the signing code in lib/dns/zone.c and lib/dns/update.c to
      use kasp logic if a dnssec-policy is enabled.
      
      This means zones with dnssec-policy should no longer follow
      'update-check-ksk' and 'dnssec-dnskey-kskonly' logic, instead the
      KASP keys configured dictate which RRset gets signed with what key.
      
      Also use the next rekey event from the key manager rather than
      setting it to one hour.
      
      Mark the zone dynamic, as otherwise a zone with dnssec-policy is
      not eligble for automatic DNSSEC maintenance.
      c125b721
    • Matthijs Mekking's avatar
      DNSSEC hints use dst_key functions and key states · fcf14b2b
      Matthijs Mekking authored
      Update dns_dnssec_get_hints and dns_dnssec_keyactive to use dst_key
      functions and thus if dnssec-policy/KASP is used the key states are
      being considered.
      
      Add a new variable to 'struct dns_dnsseckey' to signal whether this
      key is a zone-signing key (it is no longer true that ksk == !zsk).
      
      Also introduce a hint for revoke.
      
      Update 'dns_dnssec_findzonekeys' and 'dns_dnssec_findmatchingkeys'
      to also read the key state file, if available.
      
      Remove 'allzsk' from 'dns_dnssec_updatekeys' as this was only a
      hint for logging.
      
      Also make get_hints() (now dns_dnssec_get_hints()) public so that
      we can use it in the key manager.
      fcf14b2b
    • Matthijs Mekking's avatar
      Update zoneconf to use kasp config · 09990672
      Matthijs Mekking authored
      If a zone has a dnssec-policy set, use signature validity,
      dnskey signature validity, and signature refresh from
      dnssec-policy.
      
      Zones configured with 'dnssec-policy' will allow 'named' to create
      DNSSEC keys (similar to dnssec-keymgr) if not available.
      09990672
    • Matthijs Mekking's avatar
      Introduce keymgr in named · 7e7aa538
      Matthijs Mekking authored
      Add a key manager to named.  If a 'dnssec-policy' is set, 'named'
      will run a key manager on the matching keys.  This will do a couple
      of things:
      
      1. Create keys when needed (in case of rollover for example)
         according to the set policy.
      
      2. Retire keys that are in excess of the policy.
      
      3. Maintain key states according to "Flexible and Robust Key
         Rollover" [1]. After key manager ran, key files will be saved to
         disk.
      
         [1] https://matthijsmekking.nl/static/pdf/satin2012-Schaeffer.pdf
      
      KEY GENERATION
      
      Create keys according to DNSSEC policy.  Zones configured with
      'dnssec-policy' will allow 'named' to create DNSSEC keys (similar
      to dnssec-keymgr) if not available.
      
      KEY ROLLOVER
      
      Rather than determining the desired state from timing metadata,
      add a key state goal.  Any keys that are created or picked from the
      key ring and selected to be a successor has its key state goal set
      to OMNIPRESENT (this key wants to be signing!). At the same time,
      a key that is being retired has its key state goal set to HIDDEN.
      
      The keymgr state machine with the three rules will make sure no
      introduction or withdrawal of DNSSEC records happens too soon.
      
      KEY TIMINGS
      
      All timings are based on RFC 7583.
      
      The keymgr will return when the next action is happening so
      that the zone can set the proper rekey event. Prior to this change
      the rekey event will run every hour by default (configurable),
      but with kasp we can determine exactly when we need to run again.
      
      The prepublication time is derived from policy.
      7e7aa538
    • Matthijs Mekking's avatar
      Useful dst_key functions · 314b90df
      Matthijs Mekking authored
      Add a couple of dst_key functions for determining hints that
      consider key states if they are available.
      - dst_key_is_unused:
        A key has no timing metadata set other than Created.
      - dst_key_is_published:
        A key has publish timing metadata <= now, DNSKEY state in
        RUMOURED or OMNIPRESENT.
      - dst_key_is_active:
        A key has active timing metadata <= now, RRSIG state in
        RUMOURED or OMNIPRESENT.
      - dst_key_is_signing:
        KSK is_signing and is_active means different things than
        for a ZSK. A ZSK is active means it is also signing, but
        a KSK always signs its DNSKEY RRset but is considered
        active if its DS is present (rumoured or omnipresent).
      - dst_key_is_revoked:
        A key has revoke timing metadata <= now.
      - dst_key_is_removed:
        A key has delete timing metadata <= now, DNSKEY state in
        UNRETENTIVE or HIDDEN.
      314b90df
    • Matthijs Mekking's avatar
      kasp: Expose more key timings · 1f0d6296
      Matthijs Mekking authored
      When doing rollover in a timely manner we need to have access to the
      relevant kasp configured durations.
      
      Most of these are simple get functions, but 'dns_kasp_signdelay'
      will calculate the maximum time that is needed with this policy to
      resign the complete zone (taking into account the refresh interval
      and signature validity).
      
      Introduce parent-propagation-delay, parent-registration-delay,
      parent-ds-ttl, zone-max-ttl, zone-propagation-delay.
      1f0d6296
    • Matthijs Mekking's avatar
      keygen/settime: Write out successor/predecessor · dcf79ce6
      Matthijs Mekking authored
      When creating a successor key, or calculating time for a successor
      key, write out the successor and predecessor metadata to the
      related files.
      dcf79ce6
    • Matthijs Mekking's avatar
      arm: Update DNSSEC documentation · da0ae529
      Matthijs Mekking authored
      da0ae529
    • Matthijs Mekking's avatar
      Allow DNSSEC records in kasp enabled zone · 53e76f88
      Matthijs Mekking authored
      When signing a zone with dnssec-policy, we don't mind DNSSEC records.
      This is useful for testing purposes, and perhaps it is better to
      signal this behavior with a different configuration option.
      53e76f88
    • Matthijs Mekking's avatar
      dnssec-settime: Allow manipulating state files · 72042a06
      Matthijs Mekking authored
      Introduce a new option '-s' for dnssec-settime that when manipulating
      timing metadata, it also updates the key state file.
      
      For testing purposes, add options to dnssec-settime to set key
      states and when they last changed.
      
      The dst code adds ways to write and read the new key states and
      timing metadata. It updates the parsing code for private key files
      to not parse the newly introduced metadata (these are for state
      files only).
      
      Introduce key goal (the state the key wants to be in).
      72042a06
    • Matthijs Mekking's avatar
      Add functionality to read key state from disk · c55625b0
      Matthijs Mekking authored
      When reading a key from file, you can set the DST_TYPE_STATE option
      to also read the key state.
      
      This expects the Algorithm and Length fields go above the metadata,
      so update the write functionality to do so accordingly.
      
      Introduce new DST metadata types for KSK, ZSK, Lifetime and the
      timing metadata used in state files.
      c55625b0
    • Matthijs Mekking's avatar
      Parse dnssec-policy config into kasp · 2924b19a
      Matthijs Mekking authored
      Add code that actually stores the configuration into the kasp
      structure and attach it to the appropriate zone.
      2924b19a
    • Matthijs Mekking's avatar
      dnssec-keygen can create keys given dnssec-policy · 09ac224c
      Matthijs Mekking authored
      This commit adds code for generating keys with dnssec-keygen given
      a specific dnssec-policy.
      
      The dnssec-policy can be set with a new option '-k'. The '-l'
      option can be used to set a configuration file that contains a
      specific dnssec-policy.
      
      Because the dnssec-policy dictates how the keys should look like,
      many of the existing dnssec-keygen options cannot be used together
      with '-k'.
      
      If the dnssec-policy lists multiple keys, dnssec-keygen has now the
      possibility to generate multiple keys at one run.
      
      Add two tests for creating keys with '-k': One with the default
      policy, one with multiple keys from the configuration.
      09ac224c
    • Matthijs Mekking's avatar
      Add various get functions for kasp · 97a5698e
      Matthijs Mekking authored
      Write functions to access various elements of the kasp structure,
      and the kasp keys. This in preparation of code in dnssec-keygen,
      dnssec-settime, named...
      97a5698e
    • Matthijs Mekking's avatar
      Update dst key code to maintain key state · 77d2895a
      Matthijs Mekking authored
      Add a number of metadata variables (lifetime, ksk and zsk role).
      
      For the roles we add a new type of metadata (booleans).
      
      Add a function to write the state of the key to a separate file.
      
      Only write out known metadata to private file.  With the
      introduction of the numeric metadata "Lifetime", adjust the write
      private key file functionality to only write out metadata it knows
      about.
      77d2895a
    • Matthijs Mekking's avatar
      7f4d1dbd
    • Matthijs Mekking's avatar
      Fix: nums type in dst_keys · 68e8741c
      Matthijs Mekking authored
      This was isc_stdtime_t but should be uint32_t.
      68e8741c
    • Matthijs Mekking's avatar
      Nit: fix typo (dnsssec-signzone) · e6ee5486
      Matthijs Mekking authored
      e6ee5486
    • Matthijs Mekking's avatar
      Add code for creating kasp from config · 7bfac503
      Matthijs Mekking authored
      Add code for creating, configuring, and destroying KASP keys.  When
      using the default policy, create one CSK, no rollover.
      7bfac503
    • Matthijs Mekking's avatar
      dnssec-keygen: Move keygen function above main · 1a9692f5
      Matthijs Mekking authored
      This is done in a separate commit to make diff easier.
      1a9692f5
    • Matthijs Mekking's avatar
      dnssec-keygen: Move key gen code in own function · 2829e294
      Matthijs Mekking authored
      In preparation for key generation with dnssec-policy, where multiple
      keys may be created.
      2829e294
    • Matthijs Mekking's avatar
      Sync options in dnssec-keygen · 48ce026d
      Matthijs Mekking authored
      Code and documentation were not in line:
      - Remove -z option from code
      - Remove -k option from docbook
      - Add -d option to docbook
      - Add -T option to docbook
      48ce026d
    • Matthijs Mekking's avatar
      Introduce kasp structure · e9ccebd9
      Matthijs Mekking authored
      This stores the dnssec-policy configuration and adds methods to
      create, destroy, and attach/detach, as well as find a policy with
      the same name in a list.
      
      Also, add structures and functions for creating and destroying
      kasp keys.
      e9ccebd9
    • Matthijs Mekking's avatar
      Introduce dnssec-policy configuration · a50d707f
      Matthijs Mekking authored
      This commit introduces the initial `dnssec-policy` configuration
      statement. It has an initial set of options to deal with signature
      and key maintenance.
      
      Add some checks to ensure that dnssec-policy is configured at the
      right locations, and that policies referenced to in zone statements
      actually exist.
      
      Add some checks that when a user adds the new `dnssec-policy`
      configuration, it will no longer contain existing DNSSEC
      configuration options.  Specifically: `inline-signing`,
      `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`,
      `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`,
      and `sig-validity-interval`.
      
      Test a good kasp configuration, and some bad configurations.
      a50d707f
    • Matthijs Mekking's avatar
      Design documentation 'dnssec-policy' · 1fbd8bb1
      Matthijs Mekking authored
      Initial design document.
      1fbd8bb1