1. 02 Jul, 2021 1 commit
  2. 01 Jul, 2021 7 commits
  3. 30 Jun, 2021 21 commits
    • Merge branch '1126-checkds' into 'main' · f3bce656
      Matthijs Mekking authored
      checkds
      
      Closes #1126
      
      See merge request !5234
    • Move private_type_record() to conf.sh.common · c92128ea
      Matthijs Mekking authored
      The function 'private_type_record()' is now used in multiple system
      setup scripts and should be moved to the common configuration script
      conf.sh.common.
    • Add change and release note for [#1126] · 22cd63bf
      Matthijs Mekking authored
      Seems pretty newsworthy.
    • Update documentation · b4c1f3b8
      Matthijs Mekking authored
      Update ARM and DNSSEC guide with the new checkds feature.
    • Protect dst key metadata with lock · 39df3f04
      Matthijs Mekking authored
      The DST key metadata can be written by several threads in parallel.
      Protect the dst_key_get* and dst_key_set* functions with a mutex.
    • Replace zone keyflock with zonemgr keymgmt · 28c51799
      Matthijs Mekking authored
      The old approach, where each zone structure has its own mutex and
      a thread needs to obtain multiple locks to do safe keyfile I/O
      operations, led to a race condition ending in a possible deadlock.
      
      Consider a zone in two views. Each such zone is stored in a separate
      zone structure. A thread that needs to read or write the key files for
      this zone needs to obtain both mutexes in separate structures. If
      another thread is working on the same zone in a different view, they
      race to get the locks. It would be possible that thread1 grabs the
      lock of the zone in view1, while thread2 wins the race for the lock
      of the zone in view2. Now both threads try to get the other lock, but
      both of them are already locked.
      
      Ideally, when a thread wants to do key file operations, it only needs
      to lock a single mutex. This commit introduces a key management hash
      table, stored in the zonemgr structure. Each time a zone is being
      managed, an object is added to the hash table (and removed when the
      zone is being released). This object is identified by the zone name
      and contains a mutex that needs to be locked prior to reading or
      writing key files.
      
      (cherry-picked from commit ef461936)
    • Add checkds code · f7872dbd
      Matthijs Mekking authored
      Similar to notify, add code to send and keep track of checkds requests.
      
      On every zone_rekey event, we will check the DS at parental agents
      (but we will only actually query parental agents if there is a DS
      scheduled to be published/withdrawn).
      
      On a zone_rekey event, we will first clear the ongoing checkds requests.
      Reset the counter, to avoid continuing KSK rollover prematurely.
      
      This has the risk that if zone_rekey events happen too soon after each
      other, there are redundant DS queries to the parental agents. But
      if TTLs and the configured durations in the dnssec-policy are sane (as
      in not ridiculously short) the chance of this happening is low.
    • Add checkds log notice · 1a505549
      Matthijs Mekking authored
      When the checkds published/withdrawn is activated, log a notice. Can
      be used for testing, but also operationally useful.
    • Add key metadata for DS published/withdrawn · 6e2c24be
      Matthijs Mekking authored
      In order to keep track of how many parents have the DS for a given key
      published or withdrawn, keep a counter.
    • Add missing VERIFY export · 4c337a8e
      Matthijs Mekking authored
      This makes the 'dnssec-verify' tool visible to the test environment.
    • Slightly improved dnssec tools fatal message · 71d5932a
      Matthijs Mekking authored
      Return the offending key state identifier.
    • Add helpful function 'dns_zone_getdnsseckeys' · 40331a20
      Matthijs Mekking authored
      This code gathers DNSSEC keys from key files and from the DNSKEY RRset.
      It is used for the 'rndc dnssec -status' command, but will also be
      needed for "checkds". Turn it into a function.
    • Add "parental-source[-v6]" config option · 2872d6a1
      Matthijs Mekking authored
      Similar to "notify-source" and "transfer-source", add options to
      set the source address when querying parental agents for DS records.
    • Add dst_key_role function · c9b7f627
      Matthijs Mekking authored
      Change the static function 'get_ksk_zsk' to a library function that
      can be used to determine the role of a dst_key. Add checks that the
      boolean parameters to store the role are not NULL. Rename to
      'dst_key_role'.
    • Parse "parental-agents" configuration · 6f92d4b9
      Matthijs Mekking authored
      Parse the new "parental-agents" configuration and store it in the zone
      structure.
    • Make "primaries" config parsing generic · 6040c714
      Matthijs Mekking authored
      Make the code to parse "primaries" configuration more generic so
      it can be reused for "parental-agents".
    • 8327cb78
      Matthijs Mekking authored
    • Add checkds system test · 56262db9
      Matthijs Mekking authored
      Add a Pytest based system test for the 'checkds' feature. There is
      one nameserver (ns9, because it should be started last) that
      has configured several zones with dnssec-policy. The zones are set
      in such a state that they are waiting for DS publication or DS
      withdrawal.
      
      Then several other name servers act as parent servers that either have
      the DS for these published, or not. Also one server in the mix is
      to test a badly configured parental-agent.
      
      There are tests for DS publication, DS publication error handling,
      DS withdrawal and DS withdrawal error handling.
      
      The tests ensure that the zone is DNSSEC valid, and that the
      DSPublish/DSRemoved key metadata is set (or not in case of the error
      handling).
      
      It does not test if the rollover continues; this is already tested in
      the kasp system test (that uses 'rndc -dnssec checkds' to set the
      DSPublish/DSRemoved key metadata).
    • Check parental-agents config · 1e763e58
      Matthijs Mekking authored
      Add checks for "parental-agents" configuration, checking for the option
      being at the wrong type of zone (only allowed for primaries and
      secondaries), duplicate definitions, duplicate references, and
      undefined parental clauses (the name referenced in the zone clause
      does not have a matching "parental-agent" clause).
    • Add parental-agents configuration · 0311705d
      Matthijs Mekking authored
      Introduce a way to configure parental agents that can be used to
      query DS records to be used in automatic key rollovers.
    • Change primaries objects to remote-servers · 39a96111
      Matthijs Mekking authored
      Change the primaries configuration objects to the more generic
      remote-servers, that we can reuse for other purposes (such as
      parental-agents).
  4. 28 Jun, 2021 6 commits
  5. 24 Jun, 2021 5 commits