Commits (44)
  • Change indentation in doc/arm/dnssec.xml · c67379fb
    Matthijs Mekking authored
    This commit does not change anything significant, it just makes
    the file more readable in preparation for upcoming changes related
    to the `dnssec-policy` configuration option.
  • Extend ttlval to accept ISO 8601 durations · b7c5bfb2
    Matthijs Mekking authored
    The ttlval configuration types are replaced by duration configuration
    types. The duration is an ISO 8601 duration that is going to be used
    for DNSSEC key timings such as key lifetimes, signature resign
    intervals and refresh periods, etc. But it is also still allowed to
    use the BIND ttlval ways of configuring intervals (number plus
    optional unit).
    
    A duration is stored as an array of 7 different time parts.
    A duration can either be expressed in weeks, or in a combination of
    the other datetime indicators.
    
    Add several unit tests to ensure the correct value is parsed given
    different string values.
  • Design documentation 'dnssec-policy' · 1fbd8bb1
    Matthijs Mekking authored
    Initial design document.
  • Introduce dnssec-policy configuration · a50d707f
    Matthijs Mekking authored
    This commit introduces the initial `dnssec-policy` configuration
    statement. It has an initial set of options to deal with signature
    and key maintenance.
    
    Add some checks to ensure that dnssec-policy is configured at the
    right locations, and that policies referenced in zone statements
    actually exist.
    
    Add some checks that when a user adds the new `dnssec-policy`
    configuration, it will no longer contain existing DNSSEC
    configuration options.  Specifically: `inline-signing`,
    `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`,
    `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`,
    and `sig-validity-interval`.
    
    Test a good kasp configuration, and some bad configurations.
  • Introduce kasp structure · e9ccebd9
    Matthijs Mekking authored
    This stores the dnssec-policy configuration and adds methods to
    create, destroy, and attach/detach, as well as find a policy with
    the same name in a list.
    
    Also, add structures and functions for creating and destroying
    kasp keys.
  • Sync options in dnssec-keygen · 48ce026d
    Matthijs Mekking authored
    Code and documentation were not in line:
    - Remove -z option from code
    - Remove -k option from docbook
    - Add -d option to docbook
    - Add -T option to docbook
  • dnssec-keygen: Move key gen code in own function · 2829e294
    Matthijs Mekking authored
    In preparation for key generation with dnssec-policy, where multiple
    keys may be created.
  • dnssec-keygen: Move keygen function above main · 1a9692f5
    Matthijs Mekking authored
    This is done in a separate commit to make the diff easier.
  • Add code for creating kasp from config · 7bfac503
    Matthijs Mekking authored
    Add code for creating, configuring, and destroying KASP keys.  When
    using the default policy, create one CSK, no rollover.
  • Nit: fix typo (dnsssec-signzone) · e6ee5486
    Matthijs Mekking authored
  • Fix: nums type in dst_keys · 68e8741c
    Matthijs Mekking authored
    This was isc_stdtime_t but should be uint32_t.
  • 7f4d1dbd
  • Update dst key code to maintain key state · 77d2895a
    Matthijs Mekking authored
    Add a number of metadata variables (lifetime, ksk and zsk role).
    
    For the roles we add a new type of metadata (booleans).
    
    Add a function to write the state of the key to a separate file.
    
    Only write out known metadata to private file.  With the
    introduction of the numeric metadata "Lifetime", adjust the write
    private key file functionality to only write out metadata it knows
    about.
  • Add various get functions for kasp · 97a5698e
    Matthijs Mekking authored
    Write functions to access various elements of the kasp structure,
    and the kasp keys. This is in preparation for code in dnssec-keygen,
    dnssec-settime, named...
  • dnssec-keygen can create keys given dnssec-policy · 09ac224c
    Matthijs Mekking authored
    This commit adds code for generating keys with dnssec-keygen given
    a specific dnssec-policy.
    
    The dnssec-policy can be set with a new option '-k'. The '-l'
    option can be used to set a configuration file that contains a
    specific dnssec-policy.
    
    Because the dnssec-policy dictates what the keys should look like,
    many of the existing dnssec-keygen options cannot be used together
    with '-k'.
    
    If the dnssec-policy lists multiple keys, dnssec-keygen now has the
    possibility to generate multiple keys in one run.
    
    Add two tests for creating keys with '-k': One with the default
    policy, one with multiple keys from the configuration.
  • Parse dnssec-policy config into kasp · 2924b19a
    Matthijs Mekking authored
    Add code that actually stores the configuration into the kasp
    structure and attaches it to the appropriate zone.
  • Add functionality to read key state from disk · c55625b0
    Matthijs Mekking authored
    When reading a key from file, you can set the DST_TYPE_STATE option
    to also read the key state.
    
    This expects the Algorithm and Length fields to go above the metadata,
    so update the write functionality to do so accordingly.
    
    Introduce new DST metadata types for KSK, ZSK, Lifetime and the
    timing metadata used in state files.
  • dnssec-settime: Allow manipulating state files · 72042a06
    Matthijs Mekking authored
    Introduce a new option '-s' for dnssec-settime that, when manipulating
    timing metadata, also updates the key state file.
    
    For testing purposes, add options to dnssec-settime to set key
    states and when they last changed.
    
    The dst code adds ways to write and read the new key states and
    timing metadata. It updates the parsing code for private key files
    to not parse the newly introduced metadata (these are for state
    files only).
    
    Introduce key goal (the state the key wants to be in).
  • Allow DNSSEC records in kasp enabled zone · 53e76f88
    Matthijs Mekking authored
    When signing a zone with dnssec-policy, we don't mind DNSSEC records.
    This is useful for testing purposes, and perhaps it is better to
    signal this behavior with a different configuration option.
  • arm: Update DNSSEC documentation · da0ae529
    Matthijs Mekking authored
  • keygen/settime: Write out successor/predecessor · dcf79ce6
    Matthijs Mekking authored
    When creating a successor key, or calculating time for a successor
    key, write out the successor and predecessor metadata to the
    related files.
  • kasp: Expose more key timings · 1f0d6296
    Matthijs Mekking authored
    When doing rollover in a timely manner we need to have access to the
    relevant kasp configured durations.
    
    Most of these are simple get functions, but 'dns_kasp_signdelay'
    will calculate the maximum time that is needed with this policy to
    resign the complete zone (taking into account the refresh interval
    and signature validity).
    
    Introduce parent-propagation-delay, parent-registration-delay,
    parent-ds-ttl, zone-max-ttl, zone-propagation-delay.
  • Useful dst_key functions · 314b90df
    Matthijs Mekking authored
    Add a couple of dst_key functions for determining hints that
    consider key states if they are available.
    - dst_key_is_unused:
      A key has no timing metadata set other than Created.
    - dst_key_is_published:
      A key has publish timing metadata <= now, DNSKEY state in
      RUMOURED or OMNIPRESENT.
    - dst_key_is_active:
      A key has active timing metadata <= now, RRSIG state in
      RUMOURED or OMNIPRESENT.
    - dst_key_is_signing:
      KSK is_signing and is_active means different things than
      for a ZSK. A ZSK is active means it is also signing, but
      a KSK always signs its DNSKEY RRset but is considered
      active if its DS is present (rumoured or omnipresent).
    - dst_key_is_revoked:
      A key has revoke timing metadata <= now.
    - dst_key_is_removed:
      A key has delete timing metadata <= now, DNSKEY state in
      UNRETENTIVE or HIDDEN.
  • Introduce keymgr in named · 7e7aa538
    Matthijs Mekking authored
    Add a key manager to named.  If a 'dnssec-policy' is set, 'named'
    will run a key manager on the matching keys.  This will do a couple
    of things:
    
    1. Create keys when needed (in case of rollover for example)
       according to the set policy.
    
    2. Retire keys that are in excess of the policy.
    
    3. Maintain key states according to "Flexible and Robust Key
       Rollover" [1]. After the key manager has run, key files will be
       saved to disk.
    
       [1] https://matthijsmekking.nl/static/pdf/satin2012-Schaeffer.pdf
    
    KEY GENERATION
    
    Create keys according to DNSSEC policy.  Zones configured with
    'dnssec-policy' will allow 'named' to create DNSSEC keys (similar
    to dnssec-keymgr) if not available.
    
    KEY ROLLOVER
    
    Rather than determining the desired state from timing metadata,
    add a key state goal.  Any keys that are created or picked from the
    key ring and selected to be a successor have their key state goal set
    to OMNIPRESENT (this key wants to be signing!). At the same time,
    a key that is being retired has its key state goal set to HIDDEN.
    
    The keymgr state machine with the three rules will make sure no
    introduction or withdrawal of DNSSEC records happens too soon.
    
    KEY TIMINGS
    
    All timings are based on RFC 7583.
    
    The keymgr will return when the next action is happening so
    that the zone can set the proper rekey event. Prior to this change
    the rekey event ran every hour by default (configurable),
    but with kasp we can determine exactly when we need to run again.
    
    The prepublication time is derived from policy.
  • Update zoneconf to use kasp config · 09990672
    Matthijs Mekking authored
    If a zone has a dnssec-policy set, use signature validity,
    dnskey signature validity, and signature refresh from
    dnssec-policy.
    
    Zones configured with 'dnssec-policy' will allow 'named' to create
    DNSSEC keys (similar to dnssec-keymgr) if not available.
  • DNSSEC hints use dst_key functions and key states · fcf14b2b
    Matthijs Mekking authored
    Update dns_dnssec_get_hints and dns_dnssec_keyactive to use dst_key
    functions and thus if dnssec-policy/KASP is used the key states are
    being considered.
    
    Add a new variable to 'struct dns_dnsseckey' to signal whether this
    key is a zone-signing key (it is no longer true that ksk == !zsk).
    
    Also introduce a hint for revoke.
    
    Update 'dns_dnssec_findzonekeys' and 'dns_dnssec_findmatchingkeys'
    to also read the key state file, if available.
    
    Remove 'allzsk' from 'dns_dnssec_updatekeys' as this was only a
    hint for logging.
    
    Also make get_hints() (now dns_dnssec_get_hints()) public so that
    we can use it in the key manager.
  • Adjust signing code to use kasp · c125b721
    Matthijs Mekking authored
    Update the signing code in lib/dns/zone.c and lib/dns/update.c to
    use kasp logic if a dnssec-policy is enabled.
    
    This means zones with dnssec-policy should no longer follow
    'update-check-ksk' and 'dnssec-dnskey-kskonly' logic, instead the
    KASP keys configured dictate which RRset gets signed with what key.
    
    Also use the next rekey event from the key manager rather than
    setting it to one hour.
    
    Mark the zone dynamic, as otherwise a zone with dnssec-policy is
    not eligible for automatic DNSSEC maintenance.
  • Refactor kasp system test · 7c783ab9
    Matthijs Mekking authored
    A significant refactor of the kasp system test in an attempt to
    make the test script somewhat brief.  When writing a test case,
    you can/should use the functions 'zone_properties',
    'key_properties', and 'key_timings' to set the expected values
    when checking a key with 'check_key'. All four of these functions
    can be used to set environment variables that come in handy when
    testing output.
  • Add kasp tests · c9f1ec83
    Matthijs Mekking authored
    Add more tests for kasp:
    
    - Add tests for different algorithms.
    
    - Add a test to ensure that an edit in an unsigned zone is
      picked up and properly signed.
    
    - Add two tests that ensure that a zone gets signed when it is
      configured as so-called 'inline-signing'.  In other words, a
      secondary zone that is configured with a 'dnssec-policy'.  A zone
      that is transferred over AXFR or IXFR will get signed.
    
    - Add a test to ensure signatures are reused if they are still
      fresh enough.
    
    - Add two more tests to verify that expired and unfresh signatures
      will be regenerated.
    
    - Add tests for various cases with keys already available in the
      key-directory.
  • Test ZSK and KSK rollover · 36c72bf3
    Matthijs Mekking authored
    Add tests for ZSK Pre-Publication and KSK Double-KSK rollover.
    
    Includes tests that the next key event is scheduled at the right time.
  • Use keywords in dnssec-policy keys configuration · 6468ffc3
    Matthijs Mekking authored
    Add keywords 'lifetime' and 'algorithm' to make the key configuration
    more clear.
  • Code changes for CSK · 67033bfd
    Matthijs Mekking authored
    Update dns_dnssec_keyactive to differentiate between the roles ZSK
    and KSK.  A key is active if it is signing but that differs per role.
    A ZSK is signing if its ZRRSIG state is in RUMOURED or OMNIPRESENT,
    a KSK is signing if its KRRSIG state is in RUMOURED or OMNIPRESENT.
    
    This means that a key can be actively signing for one role but not
    the other.  Add checks in inline signing (zone.c and update.c) to
    cover the case where a CSK is active in its KSK role but not the ZSK
    role.
  • Test CSK rollover · 9fbc8691
    Matthijs Mekking authored
    Test two CSK rollover scenarios, one where the DS is swapped before the zone
    signatures are all replaced, and one where the signatures are replaced sooner
    than the DS is swapped.
  • KASP timings all uint32_t · 29e6ec31
    Matthijs Mekking authored
    Get rid of the warnings in the Windows build.
  • Add dst_key_copy_metadata function. · 1211c348
    Matthijs Mekking authored
    When updating DNSSEC keys we would like to be able to copy the
    metadata from one key to another.
  • sign_apex() should also consider CDS/CDNSKEY · 2e46dcbb
    Matthijs Mekking authored
    The 'sign_apex()' function has special processing for signing the
    DNSKEY RRset such that it will always be signed with the active
    KSK.  Since CDS and CDNSKEY are also signed with the KSK, it
    should have the same special processing.  The special processing is
    moved into a new function 'tickle_apex_rrset()' and is applied to
    all three RR types (DNSKEY, CDS, CDNSKEY).
    
    In addition, when kasp is involved, update the DNSKEY TTL accordingly
    to what is in the policy.
  • Add tests for CDS/CDNSKEY publication · c3e0ac86
    Matthijs Mekking authored
    The kasp system tests are updated with 'check_cds' calls that will
    verify that the correct CDS and CDNSKEY records are published during
    a rollover and that they are signed with the correct KSK.
    
    This requires a change in 'dnssec.c' to check the kasp key states
    whether the CDS/CDNSKEY of a key should be published or not.  If no
    kasp state exists, fall back to key timings.
  • kasp.c: return parenthesis (style) and REQUIRE · 70da58c8
    Matthijs Mekking authored
    This code was missing a lot of return parentheses (violating our
    style guide) and a REQUIRE in 'dns_kasplist_find()'.
  • Make kasp opaque · f11ce448
    Matthijs Mekking authored
  • Insist that kasp is not linked. · 5eedd365
    Mark Andrews authored
  • dnssec-policy inheritance from options/view · 5f464d15
    Matthijs Mekking authored
    'dnssec-policy' can now also be set on the options and view level and
    a zone that does not set 'dnssec-policy' explicitly will inherit it
    from the view or options level.
    
    This requires a new keyword to be introduced: 'none'.  If set to
    'none' the zone will not be DNSSEC maintained, in other words it will
    stay unsigned.  You can use this to break the inheritance.  Of course
    you can also break the inheritance by referring to a different
    policy.
    
    The keywords 'default' and 'none' are not allowed when configuring
    your own dnssec-policy statement.
    
    Add appropriate tests for checking the configuration (checkconf)
    and add tests to the kasp system test to verify the inheritance
    works.
    
    Edit the kasp system test such that it can deal with unsigned zones
    and views (so setting a TSIG on the query).
  • Fix checkconf test · bae0edbf
    Matthijs Mekking authored
  • Merge branch '1134-dnssec-made-easy' into 'master' · e7a9f52f
    Matthijs Mekking authored
    DNSSEC Made Easy
    
    Closes #1134
    
    See merge request !2458
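The duration commit above (b7c5bfb2) describes two accepted spellings for a key timing: an ISO 8601 duration, stored as seven time parts where weeks may not be mixed with the other designators, and the older BIND ttlval (a number with an optional unit). The parser below is an added illustration of that grammar and its rejection rules, written for this page; it is not the isccfg code from the merge request, and the slot order of the array, the function names (`duration_parse`, `duration_toseconds`, `duration_value`) and the 30-day-month / 365-day-year flattening are this example's own assumptions.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Slot layout for the seven time parts (chosen for this example; BIND's own order may differ). */
enum { D_YEARS, D_MONTHS, D_WEEKS, D_DAYS, D_HOURS, D_MINUTES, D_SECONDS, D_NPARTS };
typedef struct { uint32_t parts[D_NPARTS]; } duration_t;

/* Read an unsigned decimal number; returns characters consumed, 0 on none/overflow. */
static size_t parse_uint(const char *s, uint32_t *out) {
	uint64_t v = 0;
	size_t n = 0;
	while (isdigit((unsigned char)s[n])) {
		if ((v = v * 10 + (uint64_t)(s[n++] - '0')) > UINT32_MAX) return 0;
	}
	*out = (uint32_t)v;
	return n;
}

/* ISO 8601: P[nY][nM][nD][T[nH][nM][nS]] or PnW.  Weeks stand alone; other designators in order, once each. */
static bool parse_iso8601(const char *s, duration_t *d) {
	static const int date_idx[] = { D_YEARS, D_MONTHS, D_DAYS };
	static const int time_idx[] = { D_HOURS, D_MINUTES, D_SECONDS };
	const char *desig = "YMD", *p;
	const int *idx = date_idx;
	int next = 0; /* lowest designator position still allowed */
	bool in_time = false, any = false;
	uint32_t v;
	size_t n;
	if (*s++ != 'P' || *s == '\0') return false;
	n = parse_uint(s, &v);
	if (n > 0 && s[n] == 'W') { /* PnW may not be combined with other parts */
		if (s[n + 1] != '\0') return false;
		d->parts[D_WEEKS] = v;
		return true;
	}
	while (*s != '\0') {
		if (*s == 'T') {
			if (in_time) return false;
			in_time = true;
			desig = "HMS"; idx = time_idx; next = 0;
			if (*++s == '\0') return false; /* "PT" with no time part */
			continue;
		}
		n = parse_uint(s, &v);
		if (n == 0 || s[n] == '\0' || (p = strchr(desig, s[n])) == NULL) return false;
		if ((int)(p - desig) < next) return false; /* out of order or repeated */
		d->parts[idx[p - desig]] = v;
		next = (int)(p - desig) + 1;
		any = true;
		s += n + 1;
	}
	return any;
}

/* Classic BIND ttlval: a number plus an optional, case-insensitive unit (w, d, h, m, s). */
static bool parse_ttlval(const char *s, duration_t *d) {
	static const char units[] = "wdhms";
	static const uint32_t mult[] = { 604800, 86400, 3600, 60, 1 };
	uint32_t v, m = 1;
	size_t n = parse_uint(s, &v);
	if (n == 0) return false;
	if (s[n] != '\0') {
		const char *u = strchr(units, tolower((unsigned char)s[n]));
		if (u == NULL || s[n + 1] != '\0') return false;
		m = mult[u - units];
	}
	if ((uint64_t)v * m > UINT32_MAX) return false;
	d->parts[D_SECONDS] = v * m; /* ttlval result lives in the seconds slot */
	return true;
}

/* Entry point: strings starting with 'P' are ISO 8601, anything else is a ttlval. */
bool duration_parse(const char *s, duration_t *d) {
	memset(d, 0, sizeof(*d));
	return s[0] == 'P' ? parse_iso8601(s, d) : parse_ttlval(s, d);
}

/* Flatten to seconds.  Months and years have no fixed length: this example ASSUMES
 * 30-day months and 365-day years, and saturates at UINT32_MAX instead of wrapping. */
uint32_t duration_toseconds(const duration_t *d) {
	static const uint64_t secs[D_NPARTS] = { 365ULL * 86400, 30ULL * 86400, 7ULL * 86400, 86400, 3600, 60, 1 };
	uint64_t t = 0;
	for (int i = 0; i < D_NPARTS; i++) t += (uint64_t)d->parts[i] * secs[i];
	return t > UINT32_MAX ? UINT32_MAX : (uint32_t)t;
}

/* Check helper: one part of the parsed duration, or the flattened total when slot == D_NPARTS; -1 if rejected. */
int64_t duration_value(const char *s, int slot) {
	duration_t d;
	if (!duration_parse(s, &d)) return -1;
	return slot == D_NPARTS ? (int64_t)duration_toseconds(&d) : (int64_t)d.parts[slot];
}

int main(void) {
	const char *samples[] = { "P1Y2M3DT4H5M6S", "P2W", "PT1H", "3600", "2w", "P2W3D", "P1M1Y", "1x" };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("%-16s -> %lld\n", samples[i], (long long)duration_value(samples[i], D_NPARTS));
	return 0;
}
```

The flattening step is where a policy value can go wrong silently: a lifetime written as `P1M` is only a fixed number of seconds under some convention for month length, so whatever convention the real code uses should be documented next to the option, and anything that does not fit the target type should be rejected rather than truncated.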
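The "Useful dst_key functions" commit (314b90df) and the CSK commit (67033bfd) above spell out how the key hints combine timing metadata with the per-record states from a `.state` file, and why a CSK can be active in its KSK role while not yet signing as a ZSK. The following is an added model of those rules written for this page, not BIND's dst code: the type `model_key_t`, the `key_is_*` names and the sample keys are constructed, and the reading that a state only constrains a hint when a state file exists (otherwise timings alone decide) follows the fallback described in commit c3e0ac86.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-record key states as kept in a .state file; STATE_NA models "no state file". */
typedef enum { HIDDEN, RUMOURED, OMNIPRESENT, UNRETENTIVE, STATE_NA } key_state_t;
typedef enum { ROLE_KSK, ROLE_ZSK } key_role_t;

typedef struct {
	uint32_t created, publish_at, active_at, revoke_at, delete_at; /* timing metadata */
	bool publish_set, active_set, revoke_set, delete_set;          /* which ones exist */
	bool ksk, zsk;                                                 /* roles; a CSK has both */
	key_state_t ds, dnskey, krrsig, zrrsig;                        /* STATE_NA without a .state file */
} model_key_t;

static bool present(key_state_t s) { return s == RUMOURED || s == OMNIPRESENT; }
static bool gone(key_state_t s) { return s == UNRETENTIVE || s == HIDDEN; }
static bool reached(bool set, uint32_t when, uint32_t now) { return set && when <= now; }
/* A state only constrains the hint when a state file was actually read. */
static bool state_ok(key_state_t s, bool (*pred)(key_state_t)) { return s == STATE_NA || pred(s); }

/* No timing metadata set other than Created. */
bool key_is_unused(const model_key_t *k) {
	return !k->publish_set && !k->active_set && !k->revoke_set && !k->delete_set;
}
/* Publish <= now, and DNSKEY rumoured/omnipresent when a state is known. */
bool key_is_published(const model_key_t *k, uint32_t now) {
	return reached(k->publish_set, k->publish_at, now) && state_ok(k->dnskey, present);
}
/* Active <= now, and the RRSIG state of the requested role rumoured/omnipresent. */
bool key_is_signing(const model_key_t *k, key_role_t role, uint32_t now) {
	if ((role == ROLE_KSK && !k->ksk) || (role == ROLE_ZSK && !k->zsk)) return false;
	if (!reached(k->active_set, k->active_at, now)) return false;
	return state_ok(role == ROLE_KSK ? k->krrsig : k->zrrsig, present);
}
/* A signing ZSK is active; a KSK counts as active only once its DS is present. */
bool key_is_active(const model_key_t *k, key_role_t role, uint32_t now) {
	if (!key_is_signing(k, role, now)) return false;
	return role == ROLE_ZSK || state_ok(k->ds, present);
}
/* Revoke <= now. */
bool key_is_revoked(const model_key_t *k, uint32_t now) {
	return reached(k->revoke_set, k->revoke_at, now);
}
/* Delete <= now, and DNSKEY unretentive/hidden when a state is known. */
bool key_is_removed(const model_key_t *k, uint32_t now) {
	return reached(k->delete_set, k->delete_at, now) && state_ok(k->dnskey, gone);
}

/* Constructed sample: a CSK mid-rollover that already signs the DNSKEY RRset
 * (KSK role) while its zone signatures have not been introduced yet (ZSK role). */
const model_key_t SAMPLE_CSK = {
	.publish_at = 100, .active_at = 200, .publish_set = true, .active_set = true,
	.ksk = true, .zsk = true,
	.ds = RUMOURED, .dnskey = OMNIPRESENT, .krrsig = OMNIPRESENT, .zrrsig = HIDDEN,
};
/* Constructed sample: a pre-kasp ZSK with no state file, so only timings count. */
const model_key_t SAMPLE_LEGACY_ZSK = {
	.publish_at = 100, .active_at = 200, .delete_at = 2000,
	.publish_set = true, .active_set = true, .delete_set = true, .zsk = true,
	.ds = STATE_NA, .dnskey = STATE_NA, .krrsig = STATE_NA, .zrrsig = STATE_NA,
};
/* Constructed sample: a freshly generated key with only Created set. */
const model_key_t SAMPLE_FRESH = { .created = 50, .ksk = true, .zsk = true,
	.ds = HIDDEN, .dnskey = HIDDEN, .krrsig = HIDDEN, .zrrsig = HIDDEN };

int main(void) {
	const uint32_t now = 1000;
	printf("CSK: published=%d signing(KSK)=%d active(KSK)=%d signing(ZSK)=%d\n",
	       key_is_published(&SAMPLE_CSK, now), key_is_signing(&SAMPLE_CSK, ROLE_KSK, now),
	       key_is_active(&SAMPLE_CSK, ROLE_KSK, now), key_is_signing(&SAMPLE_CSK, ROLE_ZSK, now));
	printf("legacy ZSK: active=%d removed@%u=%d removed@2500=%d\n",
	       key_is_active(&SAMPLE_LEGACY_ZSK, ROLE_ZSK, now), now,
	       key_is_removed(&SAMPLE_LEGACY_ZSK, now), key_is_removed(&SAMPLE_LEGACY_ZSK, 2500));
	printf("fresh: unused=%d\n", key_is_unused(&SAMPLE_FRESH));
	return 0;
}
```

The role split is the part worth keeping in mind when reading the signing changes in zone.c and update.c: with a single CSK, "is this key active?" has no answer until you say for which RRset, which is why the model takes a role argument everywhere.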
......@@ -421,7 +421,7 @@ configure_zone(const char *vclass, const char *view,
obj = NULL;
if (get_maps(maps, "max-zone-ttl", &obj)) {
maxttl = cfg_obj_asuint32(obj);
maxttl = cfg_obj_asduration(obj);
zone_options |= DNS_ZONEOPT_CHECKTTL;
}
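Review bot: switching `max-zone-ttl` from `cfg_obj_asuint32(obj)` to `cfg_obj_asduration(obj)` assigns a duration to `maxttl`, which is a TTL in seconds. Since a duration in this merge request is stored as seven time parts and may contain months or years, there is no fixed number of seconds for such a value; the conversion should document the month and year lengths it assumes and reject a duration that does not fit a TTL, rather than truncating quietly at this assignment.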
......
......@@ -15,24 +15,26 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} \
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
${OPENSSL_CFLAGS}
CDEFINES = -DVERSION=\"${VERSION}\"
CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
DEPLIBS = ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
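Review bot: `CDEFINES` now compiles `${sysconfdir}/named.conf` into the dnssec tools as `NAMED_CONFFILE`, but the `-l` man page text added in this merge request never tells the user that this path is the default when `-l` is omitted; the option description should say so. Also note the value is only protected by the escaped `\"` pair, so a `sysconfdir` containing whitespace would break the compile line; if the same construct is used for `named` itself this is consistent, but it is worth the same caveat.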
......@@ -48,7 +50,7 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
dnssec-settime.c dnssec-signzone.c dnssec-verify.c \
dnssectool.c
MANPAGES = dnssec-cds.8 dnssec-dsfromkey.8 dnssec-importkey.8 \
MANPAGES = dnssec-cds.8 dnssec-dsfromkey.8 dnssec-importkey.8 \
dnssec-keyfromlabel.8 dnssec-keygen.8 dnssec-revoke.8 \
dnssec-settime.8 dnssec-signzone.8 dnssec-verify.8
......
......@@ -66,6 +66,7 @@
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">bits</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-G</option></arg>
......@@ -74,8 +75,9 @@
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k</option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">policy</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
......@@ -84,6 +86,7 @@
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">rrtype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
......@@ -207,6 +210,18 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">bits</replaceable></term>
<listitem>
<para>
Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1,
RSASHA256 and RSASHA512 the key size must be in range 1024-4096.
DH size is between 128 and 4096. This option is ignored for
algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
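Review bot: typo in the `-d` algorithm list, `NSEC3RSASA1` should read `NSEC3RSASHA1`. Two smaller wording points in the same paragraph: "must be in range 1024-4096" reads better as "must be in the range 1024-4096", and the text should say what key size is used when `-d` is not given, since the option is described as ignored for the EC and EdDSA algorithms but no default is stated for RSA and DH.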
......@@ -275,6 +290,24 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">policy</replaceable></term>
<listitem>
<para>
Create keys for a specific dnssec-policy. If a policy uses
multiple keys, <command>dnssec-keygen</command> will generate
multiple keys. This will also create a ".state" file to keep
track of the key state.
</para>
<para>
This option creates keys according to the dnssec-policy
configuration, hence it cannot be used together with many of
the other options that <command>dnssec-keygen</command>
provides.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
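Review bot: "cannot be used together with many of the other options" leaves the user to discover the conflicts by trial; list the options that `dnssec-keygen` rejects when `-k` is given. The paragraph should also say where the ".state" file is written (next to the `.key` and `.private` files?) and with what permissions, since the `.private` file is documented elsewhere in this merge request as mode 0600 and readers will ask whether the state file follows the same rule.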
......@@ -291,6 +324,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
Provide a configuration file that contains a dnssec-policy
statement (matching the policy set with <command>-k</command>).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
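Review bot: the `-l` description should state the default configuration file consulted when `-l` is omitted (the Makefile change in this merge request compiles `${sysconfdir}/named.conf` in as `NAMED_CONFFILE`), and what happens when the file contains no `dnssec-policy` whose name matches the `-k` argument.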
......
......@@ -64,6 +64,12 @@
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s</option></arg>
<arg choice="opt" rep="norepeat"><option>-g <replaceable class="parameter">state</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-z <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="req" rep="norepeat">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
......@@ -88,11 +94,30 @@
When key metadata fields are changed, both files of a key
pair (<filename>Knnnn.+aaa+iiiii.key</filename> and
<filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
</para>
<para>
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
</para>
<para>
When working with state files, it is possible to update the timing
metadata in those files as well with <option>-s</option>. If this
option is used you can also update key states with <option>-d</option>
(DS), <option>-k</option> (DNSKEY), <option>-r</option> (RRSIG of KSK),
or <option>-z</option> (RRSIG of ZSK). Allowed states are HIDDEN,
RUMOURED, OMNIPRESENT, and UNRETENTIVE.
</para>
<para>
You can also set the goal state of the key with <option>-g</option>.
This should be either HIDDEN or OMNIPRESENT (representing whether the
key should be removed from the zone, or published).
</para>
<para>
It is NOT RECOMMENDED to manipulate state files manually except for
testing purposes.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
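Review bot: the new paragraphs say the `.private` file is mode 0600 but say nothing about the permissions of the `.state` file that `-s` now regenerates; one sentence settles that. The paragraph introducing `-d`, `-k`, `-r` and `-z` should also mention that each takes a state and a date/offset (as the synopsis shows) while `-g` takes only a state, and the "NOT RECOMMENDED" sentence duplicates the warning in the KEY STATE OPTIONS section below, so one of the two can go.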
......@@ -319,6 +344,74 @@
</variablelist>
</refsection>
<refsection><info><title>KEY STATE OPTIONS</title></info>
<para>
Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE.
These should not be set manually except for testing purposes.
</para>
<variablelist>
<varlistentry>
<term>-s</term>
<listitem>
<para>
When setting key timing data, also update the state file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g</term>
<listitem>
<para>
Set the goal state for this key. Must be HIDDEN or OMNIPRESENT.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d</term>
<listitem>
<para>
Set the DS state for this key, and when it was last changed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Set the DNSKEY state for this key, and when it was last changed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r</term>
<listitem>
<para>
Set the RRSIG (KSK) state for this key, and when it was last
changed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Set the RRSIG (ZSK) state for this key, and when it was last
changed.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>PRINTING OPTIONS</title></info>
<para>
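Review bot: the `<term>` entries for `-g`, `-d`, `-k`, `-r` and `-z` omit their arguments, while the synopsis hunk documents `-g state` and `-d state date/offset`; use the same form here, e.g. `<term>-d <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></term>`, so the options section matches the synopsis. The section also lists four states, whereas `strtokeystate()` in dnssectool.c additionally accepts a "none" value via `isnone(str)` (returning `DST_KEY_STATE_NA`); either document that value or reject it.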
......
......@@ -2717,7 +2717,7 @@ build_final_keylist(void) {
* Update keylist with information from from the key repository.
*/
dns_dnssec_updatekeys(&keylist, &matchkeys, NULL, gorigin, keyttl,
&diff, ignore_kskflag, mctx, report);
&diff, mctx, report);
/*
* Update keylist with sync records.
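Review bot: `ignore_kskflag` is dropped from the `dns_dnssec_updatekeys()` call, but this hunk shows neither the variable nor the command-line option that sets it being removed from dnssec-signzone; if the value is no longer consulted anywhere, remove the variable together with its option and documentation, otherwise users keep passing a flag that silently has no effect.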
......
......@@ -57,6 +57,11 @@
#include "dnssectool.h"
#define KEYSTATES_NVALUES 4
static const char *keystates[KEYSTATES_NVALUES] = {
"hidden", "rumoured", "omnipresent", "unretentive",
};
int verbose = 0;
bool quiet = false;
uint8_t dtype[8];
......@@ -244,6 +249,21 @@ strtottl(const char *str) {
return (ttl);
}
dst_key_state_t
strtokeystate(const char *str) {
if (isnone(str)) {
return (DST_KEY_STATE_NA);
}
for (int i = 0; i < KEYSTATES_NVALUES; i++) {
if (keystates[i] != NULL &&
strcasecmp(str, keystates[i]) == 0) {
return (dst_key_state_t) i;
}
}
fatal("unknown key state");
}
isc_stdtime_t
strtotime(const char *str, int64_t now, int64_t base,
bool *setp)
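Review bot: `strtokeystate()` casts the array index to `dst_key_state_t`, so it silently depends on the order of `keystates[]` ("hidden", "rumoured", "omnipresent", "unretentive") matching the enum values 0 to 3; a table of explicit name/value pairs or a static assertion would make that contract checkable. The `keystates[i] != NULL` test is dead since every entry is a string literal, and the function ends in `fatal("unknown key state")` with no return, which compilers flag unless `fatal()` is declared noreturn. `strcasecmp()` also needs `<strings.h>` to be included.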
......
......@@ -71,6 +71,8 @@ cleanup_logging(isc_log_t **logp);
dns_ttl_t strtottl(const char *str);
dst_key_state_t strtokeystate(const char *str);
isc_stdtime_t
strtotime(const char *str, int64_t now, int64_t base,
bool *setp);
......
......@@ -66,15 +66,15 @@
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\win32;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalDependencies>@OPENSSL_LIB@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIB@dnssectool.lib;libisc.lib;libisccfg.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
......@@ -94,7 +94,7 @@
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\win32;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
......@@ -104,8 +104,8 @@
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
<AdditionalDependencies>@OPENSSL_LIB@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIB@dnssectool.lib;libisc.lib;libisccfg.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
......
......@@ -58,6 +58,7 @@ options {\n\
"\
# deallocate-on-exit <obsolete>;\n\
# directory <none>\n\
dnssec-policy \"none\";\n\
dump-file \"named_dump.db\";\n\
edns-udp-size 4096;\n\
# fake-iquery <obsolete>;\n"
......
......@@ -64,6 +64,7 @@ struct named_server {
dns_loadmgr_t * loadmgr;
dns_zonemgr_t * zonemgr;
dns_viewlist_t viewlist;
dns_kasplist_t kasplist;
ns_interfacemgr_t * interfacemgr;
dns_db_t * in_roothints;
......
......@@ -27,19 +27,18 @@ ISC_LANG_BEGINDECLS
isc_result_t
named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
dns_zone_t *zone, dns_zone_t *raw);
dns_kasplist_t* kasplist, dns_zone_t *zone,
dns_zone_t *raw);
/*%<
* Configure or reconfigure a zone according to the named.conf
* data in 'cctx' and 'czone'.
* data.
*
* The zone origin is not configured, it is assumed to have been set
* at zone creation time.
*
* Require:
* \li 'lctx' to be initialized or NULL.
* \li 'cctx' to be initialized or NULL.
* \li 'ac' to point to an initialized cfg_aclconfctx_t.
* \li 'czone' to be initialized.
* \li 'kasplist' to be initialized.
* \li 'zone' to be initialized.
*/
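Review bot: the Require list in this comment is stale; it still names 'lctx', 'cctx' and 'czone', none of which are parameters of named_zone_configure (the prototype takes config, vconfig, zconfig, ac, kasplist, zone and raw). Since this hunk already rewrites the description ("data in 'cctx' and 'czone'" becomes "data."), it should also replace those entries with the real names, e.g. "\li 'config', 'vconfig' and 'zconfig' to be initialized or NULL." Also, the prototype writes `dns_kasplist_t* kasplist` while the definition in zoneconf.c writes `dns_kasplist_t *kasplist`; pick the second form to match the surrounding declarations.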
......
......@@ -25,6 +25,7 @@
#include <dns/ipkeylist.h>
#include <dns/fixedname.h>
#include <dns/journal.h>
#include <dns/kasp.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/masterdump.h>
......@@ -840,8 +841,9 @@ process_notifytype(dns_notifytype_t ntype, dns_zonetype_t ztype,
isc_result_t
named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
dns_zone_t *zone, dns_zone_t *raw)
const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
dns_kasplist_t *kasplist, dns_zone_t *zone,
dns_zone_t *raw)
{
isc_result_t result;
const char *zname;
......@@ -853,6 +855,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
const cfg_obj_t *options = NULL;
const cfg_obj_t *obj;
const char *filename = NULL;
const char *kaspname = NULL;
const char *dupcheck;
dns_notifytype_t notifytype = dns_notifytype_yes;
uint32_t count;
......@@ -868,7 +871,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
int32_t journal_size;
bool multi;
bool alt;
dns_view_t *view;
dns_view_t *view = NULL;
dns_kasp_t *kasp = NULL;
bool check = false, fail = false;
bool warn = false, ignore = false;
bool ixfrdiff;
......@@ -1045,8 +1049,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
} else if (result == ISC_R_SUCCESS) {
dns_ttl_t maxttl = 0; /* unlimited */
if (cfg_obj_isuint32(obj))
maxttl = cfg_obj_asuint32(obj);
if (cfg_obj_isduration(obj))
maxttl = cfg_obj_asduration(obj);
dns_zone_setmaxttl(zone, maxttl);
if (raw != NULL)
dns_zone_setmaxttl(raw, maxttl);
......@@ -1192,6 +1196,24 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
*/
if (ztype != dns_zone_stub && ztype != dns_zone_staticstub &&
ztype != dns_zone_redirect) {
obj = NULL;
result = named_config_get(maps, "dnssec-policy", &obj);
if (result == ISC_R_SUCCESS) {
kaspname = cfg_obj_asstring(obj);
if (strcmp(kaspname, "none") != 0) {
result = dns_kasplist_find(kasplist, kaspname,
&kasp);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, named_g_lctx,
ISC_LOG_ERROR,
"'dnssec-policy '%s' not "
"found ", kaspname);
RETERR(result);
}
dns_zone_setkasp(zone, kasp);
}
}
obj = NULL;
result = named_config_get(maps, "notify", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
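Review bot: the error message in the dns_kasplist_find failure path is malformed: `"'dnssec-policy '%s' not "` followed by `"found "` produces `'dnssec-policy 'NAME' not found ` with an unmatched leading quote and a trailing space. Suggest `"dnssec-policy '%s' not found"`, which also matches the quoting style of the other cfg_obj_log messages in this file. The lookup itself is fine: a zone that names a policy that does not exist is refused via RETERR rather than silently left unsigned.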
......@@ -1481,38 +1503,52 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
bool allow = false, maint = false;
bool sigvalinsecs;
obj = NULL;
result = named_config_get(maps, "dnskey-sig-validity", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
seconds = cfg_obj_asuint32(obj) * 86400;
if (kasp) {
seconds = (uint32_t) dns_kasp_sigvalidity_dnskey(kasp);
} else {
obj = NULL;
result = named_config_get(maps, "dnskey-sig-validity",
&obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
seconds = cfg_obj_asuint32(obj) * 86400;
}
dns_zone_setkeyvalidityinterval(zone, seconds);
obj = NULL;
result = named_config_get(maps, "sig-validity-interval", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
if (kasp) {
seconds = (uint32_t) dns_kasp_sigvalidity(kasp);
dns_zone_setsigvalidityinterval(zone, seconds);
seconds = (uint32_t) dns_kasp_sigrefresh(kasp);
dns_zone_setsigresigninginterval(zone, seconds);
} else {
obj = NULL;
result = named_config_get(maps, "sig-validity-interval",
&obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
sigvalinsecs = ns_server_getoption(named_g_server->sctx,
NS_SERVER_SIGVALINSECS);
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity);
if (!sigvalinsecs) {
seconds *= 86400;
}
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else if (!sigvalinsecs) {
if (seconds > 7 * 86400) {
seconds = cfg_obj_asuint32(resign) * 86400;
sigvalinsecs = ns_server_getoption(named_g_server->sctx,
NS_SERVER_SIGVALINSECS);
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity);
if (!sigvalinsecs) {
seconds *= 86400;
}
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else if (!sigvalinsecs) {
seconds = cfg_obj_asuint32(resign);
if (seconds > 7 * 86400) {
seconds *= 86400;
} else {
seconds *= 3600;
}
} else {
seconds = cfg_obj_asuint32(resign) * 3600;
seconds = cfg_obj_asuint32(resign);
}
} else {
seconds = cfg_obj_asuint32(resign);
dns_zone_setsigresigninginterval(zone, seconds);
}
dns_zone_setsigresigninginterval(zone, seconds);
obj = NULL;
result = named_config_get(maps, "key-directory", &obj);
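Review bot: the re-indented `!sigvalinsecs` branch changes behaviour. The removed code compared the signature validity interval (the `seconds` value computed from the "validity" tuple member and multiplied by 86400) against `7 * 86400` to decide whether the "re-sign" value is in days or hours, and only then assigned `seconds = cfg_obj_asuint32(resign) * 86400` or `* 3600`. The new code does `seconds = cfg_obj_asuint32(resign);` first and then tests `if (seconds > 7 * 86400)`, so the comparison is now made against the raw re-sign value instead of the validity interval, and a re-sign value will essentially always be treated as hours. Keep the validity in `seconds` during the test, e.g. `uint32_t resignval = cfg_obj_asuint32(resign); seconds = (seconds > 7 * 86400) ? resignval * 86400 : resignval * 3600;`. Separately, the `(uint32_t)` casts on dns_kasp_sigvalidity_dnskey, dns_kasp_sigvalidity and dns_kasp_sigrefresh silently truncate if those getters return a wider type; a range check or a comment stating why the value always fits would help.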
......@@ -1541,12 +1577,20 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
cfg_obj_asboolean(obj));
/*
* This setting will be ignored if dnssec-policy is used.
* named-checkconf will error if both are configured.
*/
obj = NULL;
result = named_config_get(maps, "dnssec-dnskey-kskonly", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
cfg_obj_asboolean(obj));
/*
* This setting will be ignored if dnssec-policy is used.
* named-checkconf will error if both are configured.
*/
obj = NULL;
result = named_config_get(maps, "dnssec-loadkeys-interval",
......@@ -1557,7 +1601,11 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL;
result = cfg_map_get(zoptions, "auto-dnssec", &obj);
if (result == ISC_R_SUCCESS) {
if (dns_zone_getkasp(zone) != NULL) {
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true);
} else if (result == ISC_R_SUCCESS) {
const char *arg = cfg_obj_asstring(obj);
if (strcasecmp(arg, "allow") == 0) {
allow = true;
......@@ -1570,6 +1618,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
ISC_UNREACHABLE();
}
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
}
}
......
......@@ -443,7 +443,8 @@
allowed to incrementally re-sign over time.
</para>
<para>
This command requires that the
This command requires that the zone is configured with a
<command>dnssec-policy</command>, or that the
<command>auto-dnssec</command> zone option
be set to <literal>maintain</literal>,
and also requires the zone to be configured to
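Review bot: the new sentence mixes moods: "requires that the zone is configured with a dnssec-policy, or that the auto-dnssec zone option be set to maintain". Use the subjunctive for both clauses ("requires that the zone be configured with a dnssec-policy, or that the auto-dnssec zone option be set to ..."); the same wording appears in the second rndc documentation hunk below.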
......@@ -849,7 +850,8 @@
re-signed with the new key set.
</para>
<para>
This command requires that the
This command requires that the zone is configured with a
<command>dnssec-policy</command>, or that the
<command>auto-dnssec</command> zone option be set
to <literal>allow</literal> or
<literal>maintain</literal>,
......
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// Using the keyword 'default' is not allowed.
dnssec-policy "default" {
signatures-refresh P5D;
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "default";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
include "good-kasp.conf";
// Bad zone configuration because this has dnssec-policy and other DNSSEC sign
// configuration options (auto-dnssec).
zone "example.net" {
type master;
file "example.db";
dnssec-policy "test";
auto-dnssec maintain;
allow-update { any; };
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
include "good-kasp.conf";
// Bad zone configuration because this has dnssec-policy with no matching
// dnssec-policy configuration (good-kasp.conf has "test", zone refers to
// "nosuchpolicy".
zone "example.net" {
type master;
file "example.db";
dnssec-policy "nosuchpolicy";
};
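Review bot: the comment in this test configuration has an unbalanced parenthesis: "(good-kasp.conf has "test", zone refers to "nosuchpolicy"." never closes. Suggest "(good-kasp.conf defines "test", the zone refers to "nosuchpolicy")."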
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// Bad kasp configuration because this has an invalid duration for
// signatures-refresh.
dnssec-policy "badduration" {
signatures-refresh PT20Sabcd;
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "badduration";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// Using the keyword 'none' is not allowed.
dnssec-policy "none" {
signatures-refresh P5D;
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "none";
};
......@@ -10,6 +10,7 @@
# information regarding copyright ownership.
rm -f good.conf.in good.conf.out badzero.conf *.out
rm -f good-kasp.conf.in
rm -rf test.keydir
rm -f checkconf.out*
rm -f diff.out*
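Review bot: the cleanup is incomplete. tests.sh in this change writes both good-kasp.conf.in and good-kasp.conf.out (from `$CHECKCONF -p good-kasp.conf.in ... > good-kasp.conf.out`), but only good-kasp.conf.in is removed here; add good-kasp.conf.out to the same rm line so the round-trip test does not leave a stale output file behind, mirroring the existing `good.conf.in good.conf.out` pair.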
......
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* This is just a random selection of DNSSEC configuration options.
*/
/* cut here */
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
ksk key-directory lifetime P1Y algorithm 13 256;
zsk key-directory lifetime P30D algorithm 13;
csk key-directory lifetime P30D algorithm 8 2048;
};
publish-safety PT3600S;
retire-safety PT3600S;
signatures-refresh P3D;
signatures-validity P2W;
signatures-validity-dnskey P14D;
zone-max-ttl 86400;
zone-propagation-delay PT5M;
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
parent-registration-delay P1D;
};
options {
dnssec-policy "default";
};
zone "example1" {
type master;
file "example1.db";
};
zone "example2" {
type master;
file "example2.db";
dnssec-policy "test";
};
zone "example3" {
type master;
file "example3.db";
dnssec-policy "default";
};
zone "example4" {
type master;
file "example4.db";
dnssec-policy "none";
};
......@@ -14,6 +14,24 @@
*/
/* cut here */
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
ksk key-directory lifetime P1Y algorithm 13 256;
zsk key-directory lifetime P30D algorithm 13;
csk key-directory lifetime P30D algorithm 8 2048;
};
publish-safety PT3600S;
retire-safety PT3600S;
signatures-refresh P3D;
signatures-validity P2W;
signatures-validity-dnskey P14D;
zone-max-ttl 86400;
zone-propagation-delay PT5M;
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
parent-registration-delay P1D;
};
options {
avoid-v4-udp-ports {
100;
......@@ -60,6 +78,7 @@ options {
validate-except {
"corp";
};
dnssec-policy "test";
transfer-source 0.0.0.0 dscp 63;
zone-statistics none;
};
......@@ -140,6 +159,28 @@ view "third" {
};
};
};
view "fourth" {
zone "dnssec-test" {
type master;
file "dnssec-test.db";
dnssec-policy "test";
};
zone "dnssec-default" {
type master;
file "dnssec-default.db";
dnssec-policy "default";
};
zone "dnssec-inherit" {
type master;
file "dnssec-inherit.db";
};
zone "dnssec-none" {
type master;
file "dnssec-none.db";
dnssec-policy "none";
};
dnssec-policy "default";
};
view "chaos" chaos {
zone "hostname.bind" chaos {
type master;
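Review bot: in view "fourth" the view-level `dnssec-policy "default";` is placed after the four zone statements, so a reader has to scan past zone "dnssec-inherit" to find the policy it inherits. Moving the view-level statement to the top of the view, as the `options` block does with `dnssec-policy "test";`, makes the inheritance the test is exercising visible at a glance.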
......
......@@ -8,4 +8,8 @@ clone IN third in-view first
dnssec IN third master
p IN third primary
s IN third secondary
dnssec-test IN fourth master
dnssec-default IN fourth master
dnssec-inherit IN fourth master
dnssec-none IN fourth master
hostname.bind chaos chaos master
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
include "good-kasp.conf";
zone "nsec3.net" {
type master;
file "nsec3.db";
dnssec-policy "test";
auto-dnssec maintain;
dnskey-sig-validity 3600;
dnssec-dnskey-kskonly yes;
dnssec-secure-to-insecure yes;
dnssec-update-mode maintain;
inline-signing yes;
sig-validity-interval 3600;
update-check-ksk yes;
allow-update { any; };
};
......@@ -466,5 +466,38 @@ grep "'geoip-use-ecs' is obsolete" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking named-checkconf kasp warnings ($n)"
ret=0
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1
grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "inline-signing: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "check that a good 'kasp' configuration is accepted ($n)"
ret=0
$CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that named-checkconf prints a known good kasp config ($n)"
ret=0
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in
[ -s good-kasp.conf.in ] || ret=1
$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' > good-kasp.conf.out 2>&1 || ret=1
cmp good-kasp.conf.in good-kasp.conf.out || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
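Review bot: the kasp-and-other-dnssec-options.conf check only greps for the eight "cannot be configured if dnssec-policy is also set" messages and never inspects named-checkconf's exit status, so a build that logs the conflicts but still exits 0 would pass; since the configuration is meant to be rejected, use `$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1 && ret=1`, and rename the label from "kasp warnings" to "kasp errors" to match. The good-kasp round-trip test compares `named-checkconf -p` output byte for byte with the input after "cut here", which pins the printer to reproducing each duration exactly as spelled (`P2W` and `P14D` both appear, as do `PT3600S` and the plain ttlval `3600`); that is a useful regression test, but a comment stating that the printer is expected to preserve the original spelling rather than normalise would save the next person a debugging session.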
......@@ -1485,7 +1485,7 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking that dnsssec-signzone updates originalttl on ttl changes ($n)"
echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)"
ret=0
zone=example
key1=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone)
......
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
The test setup for the KASP tests.
ns1 is reserved for the root server.
ns2 is running primary service for ns3.
ns3 is an authoritative server for the various test domains.
ns4 and ns5 are authoritative servers for various test domains related to views.
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
rm -f ./keygen.*
rm -f ./K*.private ./K*.key ./K*.state ./K*.cmp
rm -rf ./keys/
rm -f dig.out* rrsig.out.* keyevent.out.*
rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
rm -f ns*/*.jnl ns*/*.jbk
rm -f ns*/K*.private ns*/K*.key ns*/K*.state
rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
rm -f ns*/managed-keys.bind
rm -f ns*/*.mkeys
# NS3 specific
rm -f ns3/zones ns3/*.db.infile
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* This is just a random selection of configuration options.
*/
dnssec-policy "kasp" {
dnskey-ttl 200;
keys {
csk key-directory lifetime P1Y algorithm 13;
ksk key-directory lifetime P1Y algorithm 8;
zsk key-directory lifetime P30D algorithm 8 1024;
zsk key-directory lifetime P6M algorithm 8 2000;
};
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS2
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
dnssec-policy "none";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
/* Inherit dnssec-policy (which is none) */
zone "unsigned.tld" {
type master;
file "unsigned.tld.db";
};
/* Override dnssec-policy */
zone "signed.tld" {
type master;
dnssec-policy "default";
file "signed.tld.db";
};
/* Primary service for ns3 */
zone "secondary.kasp" {
type master;
file "secondary.kasp.db";
allow-transfer { 10.53.0.3; };
notify yes;
};
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA secondary.kasp. hostmaster.kasp. (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
NS ns3
ns2 A 10.53.0.2
ns3 A 10.53.0.3
a A 10.0.0.1
b A 10.0.0.2
c A 10.0.0.3
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA secondary.kasp. hostmaster.kasp. (
2 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
NS ns3
ns2 A 10.53.0.2
ns3 A 10.53.0.3
a A 10.0.0.11
b A 10.0.0.2
c A 10.0.0.3
d A 10.0.0.4
#!/bin/sh -e
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
# shellcheck source=conf.sh
. "$SYSTEMTESTTOP/conf.sh"
echo_i "ns2/setup.sh"
zone="secondary.kasp"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="${zonefile}.in"
cp $infile $zonefile
zone="signed.tld"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="template.tld.db.in"
cp $infile $zonefile
zone="unsigned.tld"
echo_i "setting up zone: $zone"
zonefile="${zone}.db"
infile="template.tld.db.in"
cp $infile $zonefile
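Review bot: the script carries a `# shellcheck source=conf.sh` directive, so it is evidently meant to pass shellcheck, yet each `cp $infile $zonefile` uses unquoted expansions (SC2086); quote them as `cp "$infile" "$zonefile"`. The three near-identical blocks (set zone, echo, derive zonefile, cp template) would also read better as a small function, e.g. `setup() { zone="$1"; infile="$2"; ... }` called once per zone.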
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA secondary.kasp. hostmaster.kasp. (
1 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns2
ns2 A 10.53.0.2
a A 10.0.0.1
b A 10.0.0.2
c A 10.0.0.3
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS3
include "policies/kasp.conf";
include "policies/autosign.conf";
options {
query-source address 10.53.0.3;
notify-source 10.53.0.3;
transfer-source 10.53.0.3;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.3; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
dnssec-policy "rsasha1";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
/* Zones that are getting initially signed */
/* The default case: No keys created, using default policy. */
zone "default.kasp" {
type master;
file "default.kasp.db";
dnssec-policy "default";
};
/* A master zone with dnssec-policy, no keys created. */
zone "rsasha1.kasp" {
type master;
file "rsasha1.kasp.db";
dnssec-policy "rsasha1";
};
/* A zone that inherits dnssec-policy. */
zone "inherit.kasp" {
type master;
file "inherit.kasp.db";
};
/* A zone that overrides dnssec-policy. */
zone "unsigned.kasp" {
type master;
file "unsigned.kasp.db";
dnssec-policy "none";
};
/* A master zone with dnssec-policy but keys already created. */
zone "dnssec-keygen.kasp" {
type master;
file "dnssec-keygen.kasp.db";
dnssec-policy "rsasha1";
};
/* A secondary zone with dnssec-policy. */
zone "secondary.kasp" {
type secondary;
masters { 10.53.0.2; };
file "secondary.kasp.db";
dnssec-policy "rsasha1";
};
/*
* A configured dnssec-policy but some keys already created.
*/
zone "some-keys.kasp" {
type master;
file "some-keys.kasp.db";
dnssec-policy "rsasha1";
};
/*
* A configured dnssec-policy but some keys already in use.
*/
zone "legacy-keys.kasp" {
type master;
file "legacy-keys.kasp.db";
dnssec-policy "rsasha1";
};
/*
* A configured dnssec-policy with (too) many keys pregenerated.
*/
zone "pregenerated.kasp" {
type master;
file "pregenerated.kasp.db";
dnssec-policy "rsasha1";
};
/*
* Different algorithms.
*/
zone "rsasha1-nsec3.kasp" {
type master;
file "rsasha1-nsec3.kasp.db";
dnssec-policy "rsasha1-nsec3";
};
zone "rsasha256.kasp" {
type master;
file "rsasha256.kasp.db";
dnssec-policy "rsasha256";
};
zone "rsasha512.kasp" {
type master;
file "rsasha512.kasp.db";
dnssec-policy "rsasha512";
};
zone "ecdsa256.kasp" {
type master;
file "ecdsa256.kasp.db";
dnssec-policy "ecdsa256";
};
zone "ecdsa384.kasp" {
type master;
file "ecdsa384.kasp.db";
dnssec-policy "ecdsa384";
};
/*
* Zones in different signing states.
*/
/*
* Zone that has expired signatures.
*/
zone "expired-sigs.autosign" {
type master;
file "expired-sigs.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has valid, fresh signatures.
*/
zone "fresh-sigs.autosign" {
type master;
file "fresh-sigs.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has unfresh signatures.
*/
zone "unfresh-sigs.autosign" {
type master;
file "unfresh-sigs.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has missing private ZSK.
*/
zone "zsk-missing.autosign" {
type master;
file "zsk-missing.autosign.db";
dnssec-policy "autosign";
};
/*
* Zone that has inactive ZSK.
*/
zone "zsk-retired.autosign" {
type master;
file "zsk-retired.autosign.db";
dnssec-policy "autosign";
};
/*
* Zones for testing ZSK Pre-Publication steps.
*/
zone "step1.zsk-prepub.autosign" {
type master;
file "step1.zsk-prepub.autosign.db";
dnssec-policy "zsk-prepub";
};
zone "step2.zsk-prepub.autosign" {
type master;