Commits (63)
  • Change indentation in doc/arm/dnssec.xml · c67379fb
    Matthijs Mekking authored
    This commit does not change anything significant, it just makes
    the file more readable in preparation for upcoming changes related
    to the `dnssec-policy` configuration option.
  • Extend ttlval to accept ISO 8601 durations · b7c5bfb2
    Matthijs Mekking authored
    The ttlval configuration types are replaced by duration configuration
    types. The duration is an ISO 8601 duration that is going to be used
    for DNSSEC key timings such as key lifetimes, signature resign
    intervals and refresh periods, etc. But it is also still allowed to
    use the BIND ttlval ways of configuring intervals (number plus
    optional unit).
    
    A duration is stored as an array of 7 different time parts.
    A duration can either be expressed in weeks, or in a combination of
    the other datetime indicators.
    
    Add several unit tests to ensure the correct value is parsed given
    different string values.
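The two notations this commit describes, as an added example in C that is not BIND's own code: a classic ttlval (number plus optional unit) or an ISO 8601 duration is parsed into seven time parts and then reduced to seconds, the form a `max-zone-ttl` consumer needs. The function names, the one-unit limit for ttlval, and the 365-day year and 30-day month used in the reduction are this example's assumptions, not necessarily BIND's choices.

```c
/* Added example, not BIND's own code: parse the two interval notations commit
 * b7c5bfb2 describes (ttlval "number plus optional unit", or ISO 8601) to seconds. */
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

enum { DUR_Y, DUR_MO, DUR_W, DUR_D, DUR_H, DUR_MI, DUR_S, DUR_PARTS };
typedef struct { uint32_t parts[DUR_PARTS]; } duration_t; /* Y, M, W, D, H, M, S */

/* Read a decimal number at *p, refusing values that do not fit uint32_t. */
static bool
read_number(const char **p, uint32_t *out) {
	uint64_t v = 0;
	if (!isdigit((unsigned char)**p)) return false;
	while (isdigit((unsigned char)**p)) {
		v = v * 10 + (uint64_t)(*(*p)++ - '0');
		if (v > UINT32_MAX) return false;
	}
	*out = (uint32_t)v;
	return true;
}

/* ISO 8601: "P" then either "nW" alone, or date parts (Y, M, D) optionally
 * followed by "T" and time parts (H, M, S), each at most once and in order. */
static bool
parse_iso8601(const char *s, duration_t *d) {
	bool time_section = false, any = false; int last = -1;
	if (*s++ != 'P') return false;
	while (*s != '\0') {
		uint32_t n; int idx;
		if (*s == 'T') { /* one "T" at most, never after weeks, never last */
			if (time_section || d->parts[DUR_W] != 0 || *++s == '\0') return false;
			time_section = true;
			continue;
		}
		if (!read_number(&s, &n)) return false;
		switch (*s++) {
		case 'Y': idx = DUR_Y; break;
		case 'M': idx = time_section ? DUR_MI : DUR_MO; break;
		case 'W': idx = DUR_W; break;
		case 'D': idx = DUR_D; break;
		case 'H': idx = DUR_H; break;
		case 'S': idx = DUR_S; break;
		default: return false;
		}
		/* time parts require "T", date parts must precede it, order is fixed */
		if ((idx >= DUR_H) != time_section || idx <= last) return false;
		/* weeks stand alone: nothing before them, nothing after them */
		if (idx == DUR_W ? any : d->parts[DUR_W] != 0) return false;
		d->parts[idx] = n;
		last = idx;
		any = true;
	}
	return any;
}

/* Classic ttlval: a number with one optional unit w, d, h, m or s
 * (case-insensitive), e.g. "3600", "90m", "2W"; stored as plain seconds. */
static bool
parse_ttlval(const char *s, duration_t *d) {
	uint64_t mult = 1, total;
	uint32_t n;
	if (!read_number(&s, &n)) return false;
	switch (tolower((unsigned char)*s)) {
	case 'w': mult = 604800; break;
	case 'd': mult = 86400; break;
	case 'h': mult = 3600; break;
	case 'm': mult = 60; break;
	case 's': case '\0': break;
	default: return false;
	}
	if (*s != '\0' && s[1] != '\0') return false; /* anything after the unit is junk */
	total = (uint64_t)n * mult;
	if (total > UINT32_MAX) return false;
	d->parts[DUR_S] = (uint32_t)total;
	return true;
}

/* Reduce the parts to seconds. Years and months have no fixed length; the
 * 365-day year and 30-day month are this example's assumption. */
bool
duration_toseconds(const duration_t *d, uint32_t *out) {
	static const uint64_t mult[DUR_PARTS] = { 365ULL * 86400, 30ULL * 86400, 604800, 86400, 3600, 60, 1 };
	uint64_t total = 0;
	for (int i = 0; i < DUR_PARTS; i++) {
		total += (uint64_t)d->parts[i] * mult[i];
		if (total > UINT32_MAX) return false;
	}
	*out = (uint32_t)total;
	return true;
}

/* Entry point: an ISO 8601 duration starts with 'P', anything else is a ttlval. */
bool
duration_parse(const char *s, duration_t *d) {
	memset(d, 0, sizeof(*d));
	if (s == NULL || *s == '\0') return false;
	return (*s == 'P') ? parse_iso8601(s, d) : parse_ttlval(s, d);
}
```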
  • Design documentation 'dnssec-policy' · 1fbd8bb1
    Matthijs Mekking authored
    Initial design document.
  • Introduce dnssec-policy configuration · a50d707f
    Matthijs Mekking authored
    This commit introduces the initial `dnssec-policy` configuration
    statement. It has an initial set of options to deal with signature
    and key maintenance.
    
    Add some checks to ensure that dnssec-policy is configured at the
    right locations, and that policies referenced in zone statements
    actually exist.
    
    Add some checks that when a user adds the new `dnssec-policy`
    configuration, it will no longer contain existing DNSSEC
    configuration options.  Specifically: `inline-signing`,
    `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`,
    `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`,
    and `sig-validity-interval`.
    
    Test a good kasp configuration, and some bad configurations.
  • Introduce kasp structure · e9ccebd9
    Matthijs Mekking authored
    This stores the dnssec-policy configuration and adds methods to
    create, destroy, and attach/detach, as well as find a policy with
    the same name in a list.
    
    Also, add structures and functions for creating and destroying
    kasp keys.
  • Sync options in dnssec-keygen · 48ce026d
    Matthijs Mekking authored
    Code and documentation were not in line:
    - Remove -z option from code
    - Remove -k option from docbook
    - Add -d option to docbook
    - Add -T option to docbook
  • dnssec-keygen: Move key gen code in own function · 2829e294
    Matthijs Mekking authored
    In preparation for key generation with dnssec-policy, where multiple
    keys may be created.
  • dnssec-keygen: Move keygen function above main · 1a9692f5
    Matthijs Mekking authored
    This is done in a separate commit to make the diff easier.
  • Add code for creating kasp from config · 7bfac503
    Matthijs Mekking authored
    Add code for creating, configuring, and destroying KASP keys.  When
    using the default policy, create one CSK, no rollover.
  • Nit: fix typo (dnsssec-signzone) · e6ee5486
    Matthijs Mekking authored
  • Fix: nums type in dst_keys · 68e8741c
    Matthijs Mekking authored
    This was isc_stdtime_t but should be uint32_t.
  • 7f4d1dbd
  • Update dst key code to maintain key state · 77d2895a
    Matthijs Mekking authored
    Add a number of metadata variables (lifetime, ksk and zsk role).
    
    For the roles we add a new type of metadata (booleans).
    
    Add a function to write the state of the key to a separate file.
    
    Only write out known metadata to private file.  With the
    introduction of the numeric metadata "Lifetime", adjust the write
    private key file functionality to only write out metadata it knows
    about.
  • Add various get functions for kasp · 97a5698e
    Matthijs Mekking authored
    Write functions to access various elements of the kasp structure,
    and the kasp keys. This is in preparation for code in dnssec-keygen,
    dnssec-settime, named...
  • dnssec-keygen can create keys given dnssec-policy · 09ac224c
    Matthijs Mekking authored
    This commit adds code for generating keys with dnssec-keygen given
    a specific dnssec-policy.
    
    The dnssec-policy can be set with a new option '-k'. The '-l'
    option can be used to set a configuration file that contains a
    specific dnssec-policy.
    
    Because the dnssec-policy dictates what the keys should look like,
    many of the existing dnssec-keygen options cannot be used together
    with '-k'.
    
    If the dnssec-policy lists multiple keys, dnssec-keygen now has the
    possibility to generate multiple keys in one run.
    
    Add two tests for creating keys with '-k': One with the default
    policy, one with multiple keys from the configuration.
  • Parse dnssec-policy config into kasp · 2924b19a
    Matthijs Mekking authored
    Add code that actually stores the configuration into the kasp
    structure and attaches it to the appropriate zone.
  • Add functionality to read key state from disk · c55625b0
    Matthijs Mekking authored
    When reading a key from file, you can set the DST_TYPE_STATE option
    to also read the key state.
    
    This expects the Algorithm and Length fields to go above the metadata,
    so update the write functionality accordingly.
    
    Introduce new DST metadata types for KSK, ZSK, Lifetime and the
    timing metadata used in state files.
  • dnssec-settime: Allow manipulating state files · 72042a06
    Matthijs Mekking authored
    Introduce a new option '-s' for dnssec-settime that, when manipulating
    timing metadata, also updates the key state file.
    
    For testing purposes, add options to dnssec-settime to set key
    states and when they last changed.
    
    The dst code adds ways to write and read the new key states and
    timing metadata. It updates the parsing code for private key files
    to not parse the newly introduced metadata (these are for state
    files only).
    
    Introduce key goal (the state the key wants to be in).
  • Allow DNSSEC records in kasp enabled zone · 53e76f88
    Matthijs Mekking authored
    When signing a zone with dnssec-policy, we don't mind DNSSEC records.
    This is useful for testing purposes, and perhaps it is better to
    signal this behavior with a different configuration option.
  • arm: Update DNSSEC documentation · da0ae529
    Matthijs Mekking authored
  • keygen/settime: Write out successor/predecessor · dcf79ce6
    Matthijs Mekking authored
    When creating a successor key, or calculating time for a successor
    key, write out the successor and predecessor metadata to the
    related files.
  • kasp: Expose more key timings · 1f0d6296
    Matthijs Mekking authored
    When doing rollover in a timely manner we need to have access to the
    relevant kasp configured durations.
    
    Most of these are simple get functions, but 'dns_kasp_signdelay'
    will calculate the maximum time that is needed with this policy to
    resign the complete zone (taking into account the refresh interval
    and signature validity).
    
    Introduce parent-propagation-delay, parent-registration-delay,
    parent-ds-ttl, zone-max-ttl, zone-propagation-delay.
  • Useful dst_key functions · 314b90df
    Matthijs Mekking authored
    Add a couple of dst_key functions for determining hints that
    consider key states if they are available.
    - dst_key_is_unused:
      A key has no timing metadata set other than Created.
    - dst_key_is_published:
      A key has publish timing metadata <= now, DNSKEY state in
      RUMOURED or OMNIPRESENT.
    - dst_key_is_active:
      A key has active timing metadata <= now, RRSIG state in
      RUMOURED or OMNIPRESENT.
    - dst_key_is_signing:
      KSK is_signing and is_active mean different things than
      for a ZSK. A ZSK is active means it is also signing, but
      a KSK always signs its DNSKEY RRset but is considered
      active if its DS is present (rumoured or omnipresent).
    - dst_key_is_revoked:
      A key has revoke timing metadata <= now.
    - dst_key_is_removed:
      A key has delete timing metadata <= now, DNSKEY state in
      UNRETENTIVE or HIDDEN.
  • Introduce keymgr in named · 7e7aa538
    Matthijs Mekking authored
    Add a key manager to named.  If a 'dnssec-policy' is set, 'named'
    will run a key manager on the matching keys.  This will do a couple
    of things:
    
    1. Create keys when needed (in case of rollover for example)
       according to the set policy.
    
    2. Retire keys that are in excess of the policy.
    
    3. Maintain key states according to "Flexible and Robust Key
       Rollover" [1]. After the key manager has run, key files will be
       saved to disk.
    
       [1] https://matthijsmekking.nl/static/pdf/satin2012-Schaeffer.pdf
    
    KEY GENERATION
    
    Create keys according to DNSSEC policy.  Zones configured with
    'dnssec-policy' will allow 'named' to create DNSSEC keys (similar
    to dnssec-keymgr) if not available.
    
    KEY ROLLOVER
    
    Rather than determining the desired state from timing metadata,
    add a key state goal.  Any keys that are created or picked from the
    key ring and selected to be a successor have their key state goal set
    to OMNIPRESENT (this key wants to be signing!). At the same time,
    a key that is being retired has its key state goal set to HIDDEN.
    
    The keymgr state machine with the three rules will make sure no
    introduction or withdrawal of DNSSEC records happens too soon.
    
    KEY TIMINGS
    
    All timings are based on RFC 7583.
    
    The keymgr will return when the next action is happening so
    that the zone can set the proper rekey event. Prior to this change
    the rekey event would run every hour by default (configurable),
    but with kasp we can determine exactly when we need to run again.
    
    The prepublication time is derived from policy.
  • Update zoneconf to use kasp config · 09990672
    Matthijs Mekking authored
    If a zone has a dnssec-policy set, use signature validity,
    dnskey signature validity, and signature refresh from
    dnssec-policy.
    
    Zones configured with 'dnssec-policy' will allow 'named' to create
    DNSSEC keys (similar to dnssec-keymgr) if not available.
  • DNSSEC hints use dst_key functions and key states · fcf14b2b
    Matthijs Mekking authored
    Update dns_dnssec_get_hints and dns_dnssec_keyactive to use dst_key
    functions and thus if dnssec-policy/KASP is used the key states are
    being considered.
    
    Add a new variable to 'struct dns_dnsseckey' to signal whether this
    key is a zone-signing key (it is no longer true that ksk == !zsk).
    
    Also introduce a hint for revoke.
    
    Update 'dns_dnssec_findzonekeys' and 'dns_dnssec_findmatchingkeys'
    to also read the key state file, if available.
    
    Remove 'allzsk' from 'dns_dnssec_updatekeys' as this was only a
    hint for logging.
    
    Also make get_hints() (now dns_dnssec_get_hints()) public so that
    we can use it in the key manager.
  • Adjust signing code to use kasp · c125b721
    Matthijs Mekking authored
    Update the signing code in lib/dns/zone.c and lib/dns/update.c to
    use kasp logic if a dnssec-policy is enabled.
    
    This means zones with dnssec-policy should no longer follow
    'update-check-ksk' and 'dnssec-dnskey-kskonly' logic, instead the
    KASP keys configured dictate which RRset gets signed with what key.
    
    Also use the next rekey event from the key manager rather than
    setting it to one hour.
    
    Mark the zone dynamic, as otherwise a zone with dnssec-policy is
    not eligible for automatic DNSSEC maintenance.
  • Refactor kasp system test · 7c783ab9
    Matthijs Mekking authored
    A significant refactor of the kasp system test in an attempt to
    make the test script somewhat brief.  When writing a test case,
    you can/should use the functions 'zone_properties',
    'key_properties', and 'key_timings' to set the expected values
    when checking a key with 'check_key'. All these four functions
    can be used to set environment variables that come in handy when
    testing output.
  • Add kasp tests · c9f1ec83
    Matthijs Mekking authored
    Add more tests for kasp:
    
    - Add tests for different algorithms.
    
    - Add a test to ensure that an edit in an unsigned zone is
      picked up and properly signed.
    
    - Add two tests that ensure that a zone gets signed when it is
      configured as so-called 'inline-signing'.  In other words, a
      secondary zone that is configured with a 'dnssec-policy'.  A zone
      that is transferred over AXFR or IXFR will get signed.
    
    - Add a test to ensure signatures are reused if they are still
      fresh enough.
    
    - Add two more tests to verify that expired and unfresh signatures
      will be regenerated.
    
    - Add tests for various cases with keys already available in the
      key-directory.
  • Test ZSK and KSK rollover · 36c72bf3
    Matthijs Mekking authored
    Add tests for ZSK Pre-Publication and KSK Double-KSK rollover.
    
    Includes tests that the next key event is scheduled at the right time.
  • Use keywords in dnssec-policy keys configuration · 6468ffc3
    Matthijs Mekking authored
    Add keywords 'lifetime' and 'algorithm' to make the key configuration
    more clear.
  • Code changes for CSK · 67033bfd
    Matthijs Mekking authored
    Update dns_dnssec_keyactive to differentiate between the roles ZSK
    and KSK.  A key is active if it is signing but that differs per role.
    A ZSK is signing if its ZRRSIG state is in RUMOURED or OMNIPRESENT,
    a KSK is signing if its KRRSIG state is in RUMOURED or OMNIPRESENT.
    
    This means that a key can be actively signing for one role but not
    the other.  Add checks in inline signing (zone.c and update.c) to
    cover the case where a CSK is active in its KSK role but not the ZSK
    role.
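The key-state hints listed in 314b90df above and the per-role signing distinction from this commit, as an added example in C that is not BIND's own code. The state names and the KSK/ZSK logic follow the two commit messages; the record layout, the ST_NA "no state file" marker, TIME_UNSET, and the rule that the timing metadata must be reached and, when a state file exists, the state must agree are this example's assumptions.

```c
/* Added example, not BIND's own code: the key-state hints described in
 * commits 314b90df and 67033bfd, evaluated over a small key record. State
 * names and the KSK/ZSK distinction follow the messages; field names, the
 * ST_NA "no state file" marker, TIME_UNSET and the rule "timing reached and,
 * when a state file exists, the state must agree" are assumptions here. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef enum { ST_NA, ST_HIDDEN, ST_RUMOURED, ST_OMNIPRESENT, ST_UNRETENTIVE } keystate_t;
typedef enum { ROLE_KSK, ROLE_ZSK } role_t;
#define TIME_UNSET UINT32_MAX

typedef struct {
	bool ksk, zsk;                                     /* roles; a CSK has both */
	uint32_t created, publish, active, revoke, remove; /* timing metadata or TIME_UNSET */
	keystate_t dnskey, krrsig, zrrsig, ds;             /* key states, ST_NA without a state file */
} dnskey_t;

static bool
reached(uint32_t when, uint32_t now) { return when != TIME_UNSET && when <= now; }

static bool
present(keystate_t st) { return st == ST_RUMOURED || st == ST_OMNIPRESENT; }

/* Unused: no timing metadata other than Created. */
bool
key_is_unused(const dnskey_t *k) {
	return k->publish == TIME_UNSET && k->active == TIME_UNSET &&
	       k->revoke == TIME_UNSET && k->remove == TIME_UNSET;
}

/* Published: Publish time reached; with a state file the DNSKEY must be rumoured or omnipresent. */
bool
key_is_published(const dnskey_t *k, uint32_t now) {
	return reached(k->publish, now) && (k->dnskey == ST_NA || present(k->dnskey));
}

/* Signing differs per role: a ZSK signs when its ZRRSIG state is rumoured or
 * omnipresent, a KSK when its KRRSIG state is. A CSK is asked per role. */
bool
key_is_signing(const dnskey_t *k, role_t role, uint32_t now) {
	keystate_t st = (role == ROLE_KSK) ? k->krrsig : k->zrrsig;
	if (role == ROLE_KSK ? !k->ksk : !k->zsk) return false;
	return reached(k->active, now) && (st == ST_NA || present(st));
}

/* Active: for a ZSK the same as signing; a KSK always signs its DNSKEY RRset,
 * so it counts as active only once its DS is rumoured or omnipresent. */
bool
key_is_active(const dnskey_t *k, role_t role, uint32_t now) {
	if (role == ROLE_KSK && k->ksk && k->ds != ST_NA) return present(k->ds);
	return key_is_signing(k, role, now);
}

/* Revoked: Revoke time reached. */
bool
key_is_revoked(const dnskey_t *k, uint32_t now) { return reached(k->revoke, now); }

/* Removed: Delete time reached; with a state file the DNSKEY must be unretentive or hidden. */
bool
key_is_removed(const dnskey_t *k, uint32_t now) {
	return reached(k->remove, now) &&
	       (k->dnskey == ST_NA || k->dnskey == ST_UNRETENTIVE || k->dnskey == ST_HIDDEN);
}

/* Constructed sample: a CSK in mid-rollover whose DS and KRRSIG are already
 * omnipresent while its ZRRSIG is still hidden, so it signs the DNSKEY RRset
 * but not zone data; this is the case 67033bfd adds checks for. */
dnskey_t
sample_csk_mid_rollover(void) {
	dnskey_t k = { .ksk = true, .zsk = true,
		       .created = 1000, .publish = 2000, .active = 3000,
		       .revoke = TIME_UNSET, .remove = TIME_UNSET,
		       .dnskey = ST_OMNIPRESENT, .krrsig = ST_OMNIPRESENT,
		       .zrrsig = ST_HIDDEN, .ds = ST_OMNIPRESENT };
	return k;
}

int
main(void) {
	dnskey_t k = sample_csk_mid_rollover();
	uint32_t now = 5000;
	printf("published=%d signs DNSKEY=%d signs zone data=%d active(KSK)=%d active(ZSK)=%d\n",
	       key_is_published(&k, now), key_is_signing(&k, ROLE_KSK, now),
	       key_is_signing(&k, ROLE_ZSK, now), key_is_active(&k, ROLE_KSK, now),
	       key_is_active(&k, ROLE_ZSK, now));
	return 0;
}
```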
  • Test CSK rollover · 9fbc8691
    Matthijs Mekking authored
    Test two CSK rollover scenarios, one where the DS is swapped before the zone
    signatures are all replaced, and one where the signatures are replaced sooner
    than the DS is swapped.
  • KASP timings all uint32_t · 29e6ec31
    Matthijs Mekking authored
    Get rid of the warnings in the Windows build.
  • Add dst_key_copy_metadata function. · 1211c348
    Matthijs Mekking authored
    When updating DNSSEC keys we would like to be able to copy the
    metadata from one key to another.
  • sign_apex() should also consider CDS/CDNSKEY · 2e46dcbb
    Matthijs Mekking authored
    The 'sign_apex()' function has special processing for signing the
    DNSKEY RRset such that it will always be signed with the active
    KSK.  Since CDS and CDNSKEY are also signed with the KSK, it
    should have the same special processing.  The special processing is
    moved into a new function 'tickle_apex_rrset()' and is applied to
    all three RR types (DNSKEY, CDS, CDNSKEY).
    
    In addition, when kasp is involved, update the DNSKEY TTL accordingly
    to what is in the policy.
  • Add tests for CDS/CDNSKEY publication · c3e0ac86
    Matthijs Mekking authored
    The kasp system tests are updated with 'check_cds' calls that will
    verify that the correct CDS and CDNSKEY records are published during
    a rollover and that they are signed with the correct KSK.
    
    This requires a change in 'dnssec.c' to check the kasp key states
    to determine whether the CDS/CDNSKEY of a key should be published or
    not.  If no kasp state exists, fall back to key timings.
  • kasp.c: return parenthesis (style) and REQUIRE · 70da58c8
    Matthijs Mekking authored
    This code was missing a lot of return parentheses (violating our
    style guide) and a REQUIRE in 'dns_kasplist_find()'.
  • Make kasp opaque · f11ce448
    Matthijs Mekking authored
  • Insist that kasp is not linked. · 5eedd365
    Mark Andrews authored
  • dnssec-policy inheritance from options/view · 5f464d15
    Matthijs Mekking authored
    'dnssec-policy' can now also be set on the options and view level and
    a zone that does not set 'dnssec-policy' explicitly will inherit it
    from the view or options level.
    
    This requires a new keyword to be introduced: 'none'.  If set to
    'none' the zone will not be DNSSEC maintained, in other words it will
    stay unsigned.  You can use this to break the inheritance.  Of course
    you can also break the inheritance by referring to a different
    policy.
    
    The keywords 'default' and 'none' are not allowed when configuring
    your own dnssec-policy statement.
    
    Add appropriate tests for checking the configuration (checkconf)
    and add tests to the kasp system test to verify the inheritance
    works.
    
    Edit the kasp system test such that it can deal with unsigned zones
    and views (so setting a TSIG on the query).
  • Fix checkconf test · bae0edbf
    Matthijs Mekking authored
  • Merge branch '1134-dnssec-made-easy' into 'master' · e7a9f52f
    Matthijs Mekking authored
    DNSSEC Made Easy
    
    Closes #1134
    
    See merge request !2458
  • add 'kasp' to test list · 18454a0b
    Evan Hunt authored
  • CHANGES, README, release note · 45d62398
    Evan Hunt authored
  • Merge branch 'each-kasp-relnotes' into 'master' · 8afcffaa
    Evan Hunt authored
    KASP release notes
    
    See merge request !2547
  • Clean the rest of the shellcheck errors · 91498f8b
    Ondřej Surý authored
  • Fix the get_keyids() usage as it could return multiple key ids · 88bfce09
    Ondřej Surý authored
    The get_keyids() function can return multiple keyids; when the
    return value was not quoted, only the first keyid would be checked
    with the check_key() function.  This MR fixes both the error that
    came with quoting the "$id" with value "12345 54321", and the code
    now checks all returned keyids.
  • Relax the requirement for check_next_key_event() to <-60;60> · e9df8f4e
    Ondřej Surý authored
    The original requirement for the check to pass was <-10;10> interval and
    the first test was failing by 1 second.  As the minimum interval for
    checking is 7200 seconds, the commit relaxes the requirement to <-60;60>
    interval, which is still sane, but not that draconic.
  • Use better '\#' quoting in ns3/setup.sh · d5f00f83
    Ondřej Surý authored
  • Merge branch '1134-fix-bashisms-in-kasp-test' into 'master' · 65860c80
    Ondřej Surý authored
    Fix the bashisms in kasp/tests.sh and make the script shellcheck clean
    
    See merge request !2548
  • temporarily disable jitter tests in the 'autosign' system test · e17b7ee0
    Evan Hunt authored
    The current method used for testing distribution of signatures
    is failure-prone. We need to replace it with something both
    effective and portable, but in the meantime we're commenting
    out the jitter test.
  • Merge branch 'each-disable-jitter-test' into 'master' · 69f8f653
    Evan Hunt authored
    temporarily disable jitter tests in the 'autosign' system test
    
    See merge request !2551
  • Allow retries when checking TCP high-water stats · 1e22e052
    Michał Kępień authored
    In the TCP high-water checks, "rndc stats" is run after ans6 reports
    that it opened the requested number of TCP connections.  However, we
    fail to account for the fact that ns5 might not yet have called accept()
    for these connections, in which case the counts output by "rndc stats"
    will be off.  To prevent intermittent "tcp" system test failures, allow
    the relevant connection count checks to be retried (just once, after one
    second, as that should be enough for any system to accept() a dozen TCP
    connections under any circumstances).
  • Fix argument order in assert_int_equal() · 6bd1f68b
    Michał Kępień authored
    assert_int_equal() calls in bin/tests/system/tcp/tests.sh pass the found
    value as the first argument and the expected value as the second
    argument, while the function interprets its arguments the other way
    round.  Fix argument handling in assert_int_equal() to make sure the
    error messages printed by that function are correct.
  • Make all "tcp" system test checks numbered · 2f4877d1
    Michał Kępień authored
    Ensure all checks in the "tcp" system test are numbered, so that
    forensic data is preserved in case of any failure.
  • Ensure all "tcp" system test errors are caught · 46df363a
    Michał Kępień authored
    Ensure any "rndc stats" failure causes the "tcp" system test to fail.
    Do not hide "rndc stats" output.
  • Use "set -e" in the "tcp" system test · 9841635b
    Michał Kępień authored
    Ensure any unexpected failure in the "tcp" system test causes it to be
    immediately interrupted with an error to make the aforementioned test
    more reliable.  Since the exit code for "expr 0 + 0" is 1, the status
    variable needs to be updated using arithmetic expansion.
  • Address ShellCheck warnings · 23ca0ec5
    Michał Kępień authored
    Address all outstanding warnings that ShellCheck reports for
    bin/tests/system/tcp/tests.sh.
5316. [func] A new "dnssec-policy" option has been added to
named.conf to implement a key and signing policy
(KASP) for zones. When this option is in use,
named can generate new keys as needed and
automatically roll both ZSK and KSK keys. (Note
that the syntax for this statement differs from
the dnssec policy used by dnssec-keymgr.)
See the ARM for configuration details. [GL #1134]
5315. [bug] Apply the inital RRSIG expiration spread fixed
to all dynamically created records in the zone
including NSEC3. Also fix the signature clusters
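Review bot: the 5316 entry should warn that a zone using `dnssec-policy` may not also carry the legacy signing options (`inline-signing`, `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`, `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`, `sig-validity-interval`), since the configuration checks added in a50d707f reject that combination and an operator migrating an existing signed zone will otherwise learn it from a failed reload; one sentence after "See the ARM for configuration details" would do. Not part of this change, but the adjacent 5315 entry reads "inital" for "initial".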
......@@ -127,6 +127,8 @@ BIND 9.15 is the newest development branch of BIND 9. It includes a
number of changes from BIND 9.14 and earlier releases. New features
include:
* New "dnssec-policy" statement to configure a key and signing policy
for zones, enabling automatic key regeneration and rollover.
* Support for the new GeoIP2 geolocation API
* Improved DNSSEC key configuration using `dnssec-keys`
* YAML output for `dig`, `mdig`, and `delv`.
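Review bot: the new bullet sits directly above "Improved DNSSEC key configuration using `dnssec-keys`", and a reader skimming the list may take the two as one feature; consider saying here, as the CHANGES entry does, that `dnssec-policy` is a signing and rollover policy for zones served by named, so it is not confused with the `dnssec-keys` statement. The bullets also mix trailing periods and none; pick one.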
......@@ -421,7 +421,7 @@ configure_zone(const char *vclass, const char *view,
obj = NULL;
if (get_maps(maps, "max-zone-ttl", &obj)) {
maxttl = cfg_obj_asuint32(obj);
maxttl = cfg_obj_asduration(obj);
zone_options |= DNS_ZONEOPT_CHECKTTL;
}
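Review bot: `maxttl` now comes from `cfg_obj_asduration(obj)` instead of `cfg_obj_asuint32(obj)`; confirm the duration helper returns seconds in the unsigned 32-bit type `maxttl` has, and that it rejects or caps an ISO 8601 value (years, months) whose total does not fit rather than wrapping, because this value is what `DNS_ZONEOPT_CHECKTTL` enforces against every record in the zone. A checkconf case with `max-zone-ttl` given as an ISO 8601 duration next to the plain-number form would cover the new path at the configuration level, complementing the unit tests from b7c5bfb2.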
......@@ -15,24 +15,26 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} \
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
${OPENSSL_CFLAGS}
CDEFINES = -DVERSION=\"${VERSION}\"
CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
DEPLIBS = ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
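Review bot: `-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"` compiles the default configuration path into the dnssec tools, presumably as the fallback when dnssec-keygen's `-l` is not given; that path should be the same definition named itself uses for its default so the two cannot drift, and the tools should fail with a clear message, not silently fall back to the built-in default policy, when the file is unreadable (dnssec-keygen is often run as a user that cannot read named.conf) or does not contain the requested policy. The library order `${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS}` is correct for static linking.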
......@@ -48,7 +50,7 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
dnssec-settime.c dnssec-signzone.c dnssec-verify.c \
dnssectool.c
MANPAGES = dnssec-cds.8 dnssec-dsfromkey.8 dnssec-importkey.8 \
MANPAGES = dnssec-cds.8 dnssec-dsfromkey.8 dnssec-importkey.8 \
dnssec-keyfromlabel.8 dnssec-keygen.8 dnssec-revoke.8 \
dnssec-settime.8 dnssec-signzone.8 dnssec-verify.8
......@@ -66,6 +66,7 @@
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">bits</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-G</option></arg>
......@@ -74,8 +75,9 @@
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k</option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">policy</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
......@@ -84,6 +86,7 @@
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">rrtype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
......@@ -207,6 +210,18 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">bits</replaceable></term>
<listitem>
<para>
Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1,
RSASHA256 and RSASHA512 the key size must be in range 1024-4096.
DH size is between 128 and 4096. This option is ignored for
algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
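Review bot: the `-d` description spells the algorithm as "NSEC3RSASA1"; it should read "NSEC3RSASHA1", matching the other algorithm names in this paragraph. The sentence "DH size is between 128 and 4096" would also read better in the same form as the RSA one ("the key size must be in range 128-4096").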
......@@ -275,6 +290,24 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">policy</replaceable></term>
<listitem>
<para>
Create keys for a specific dnssec-policy. If a policy uses
multiple keys, <command>dnssec-keygen</command> will generate
multiple keys. This will also create a ".state" file to keep
track of the key state.
</para>
<para>
This option creates keys according to the dnssec-policy
configuration, hence it cannot be used together with many of
the other options that <command>dnssec-keygen</command>
provides.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
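Review bot: "it cannot be used together with many of the other options" leaves the user to find out by trial and error which ones; list them (at least the algorithm, key size, role and timing options that the policy now dictates). The paragraph should also say where the ".state" file is written (next to the .key and .private files in the `-K` directory) and what `-k default` gives, since commit 7bfac503 says the default policy creates a single CSK with no rollover.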
......@@ -291,6 +324,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
Provide a configuration file that contains a dnssec-policy
statement (matching the policy set with <command>-k</command>).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
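Review bot: the `-l` entry does not say what happens when the option is omitted; the Makefile change in this merge request compiles in `${sysconfdir}/named.conf` as NAMED_CONFFILE, presumably the default, so document that default here and the error the user gets when that file cannot be read or does not contain the policy named with `-k`.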
......@@ -64,6 +64,12 @@
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s</option></arg>
<arg choice="opt" rep="norepeat"><option>-g <replaceable class="parameter">state</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-z <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="req" rep="norepeat">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
......@@ -88,11 +94,30 @@
When key metadata fields are changed, both files of a key
pair (<filename>Knnnn.+aaa+iiiii.key</filename> and
<filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
</para>
<para>
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
</para>
<para>
When working with state files, it is possible to update the timing
metadata in those files as well with <option>-s</option>. If this
option is used you can also update key states with <option>-d</option>
(DS), <option>-k</option> (DNSKEY), <option>-r</option> (RRSIG of KSK),
or <option>-z</option> (RRSIG of ZSK). Allowed states are HIDDEN,
RUMOURED, OMNIPRESENT, and UNRETENTIVE.
</para>
<para>
You can also set the goal state of the key with <option>-g</option>.
This should be either HIDDEN or OMNIPRESENT (representing whether the
key should be removed from the zone, or published).
</para>
<para>
It is NOT RECOMMENDED to manipulate state files manually except for
testing purposes.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
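Review bot: the description says the `-g` goal "should be either HIDDEN or OMNIPRESENT", but the `strtokeystate()` added in dnssectool.c accepts all four states, so unless dnssec-settime checks the value after parsing, `-g RUMOURED` is silently accepted. Either enforce the restriction in the tool or word the documentation as a hard requirement with the error that is produced.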
......@@ -319,6 +344,74 @@
</variablelist>
</refsection>
<refsection><info><title>KEY STATE OPTIONS</title></info>
<para>
Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE.
These should not be set manually except for testing purposes.
</para>
<variablelist>
<varlistentry>
<term>-s</term>
<listitem>
<para>
When setting key timing data, also update the state file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g</term>
<listitem>
<para>
Set the goal state for this key. Must be HIDDEN or OMNIPRESENT.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d</term>
<listitem>
<para>
Set the DS state for this key, and when it was last changed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Set the DNSKEY state for this key, and when it was last changed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r</term>
<listitem>
<para>
Set the RRSIG (KSK) state for this key, and when it was last
changed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Set the RRSIG (ZSK) state for this key, and when it was last
changed.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>PRINTING OPTIONS</title></info>
<para>
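Review bot: the DESCRIPTION section makes `-d`, `-k`, `-r` and `-z` conditional on `-s` ("If this option is used you can also update key states"), but the individual entries for those options do not mention that dependency, and none of them says what `date/offset` formats are accepted (the synopsis shows `state date/offset`). Repeat the `-s` requirement in each entry and point at the timing-option syntax for the date argument.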
......
......@@ -2717,7 +2717,7 @@ build_final_keylist(void) {
* Update keylist with information from from the key repository.
*/
dns_dnssec_updatekeys(&keylist, &matchkeys, NULL, gorigin, keyttl,
&diff, ignore_kskflag, mctx, report);
&diff, mctx, report);
/*
* Update keylist with sync records.
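Review bot: `ignore_kskflag` is dropped from the `dns_dnssec_updatekeys()` call but nothing in this hunk shows the variable or the behaviour it controlled being removed from dnssec-signzone; confirm that the corresponding command-line option and variable are removed in the same change (otherwise an unused-variable warning and a silently ignored flag result), or that the library now derives the behaviour elsewhere.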
......
......@@ -57,6 +57,11 @@
#include "dnssectool.h"
#define KEYSTATES_NVALUES 4
static const char *keystates[KEYSTATES_NVALUES] = {
"hidden", "rumoured", "omnipresent", "unretentive",
};
int verbose = 0;
bool quiet = false;
uint8_t dtype[8];
......@@ -244,6 +249,21 @@ strtottl(const char *str) {
return (ttl);
}
dst_key_state_t
strtokeystate(const char *str) {
if (isnone(str)) {
return (DST_KEY_STATE_NA);
}
for (int i = 0; i < KEYSTATES_NVALUES; i++) {
if (keystates[i] != NULL &&
strcasecmp(str, keystates[i]) == 0) {
return (dst_key_state_t) i;
}
}
fatal("unknown key state");
}
isc_stdtime_t
strtotime(const char *str, int64_t now, int64_t base,
bool *setp)
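Review bot: `strtokeystate()` relies on the enum values of `dst_key_state_t` matching the order of the `keystates[]` array (hidden, rumoured, omnipresent, unretentive) for the cast `return (dst_key_state_t) i;` to be correct; a comment or static assertion tying the two together would prevent a silent mismatch if either is reordered. The `keystates[i] != NULL` check is also redundant since the array is fully initialised, and if `fatal()` is not declared noreturn the compiler will warn about the missing return at the end of the function.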
......
......@@ -71,6 +71,8 @@ cleanup_logging(isc_log_t **logp);
dns_ttl_t strtottl(const char *str);
dst_key_state_t strtokeystate(const char *str);
isc_stdtime_t
strtotime(const char *str, int64_t now, int64_t base,
bool *setp);
......
......@@ -66,15 +66,15 @@
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\win32;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalDependencies>@OPENSSL_LIB@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIB@dnssectool.lib;libisc.lib;libisccfg.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
......@@ -94,7 +94,7 @@
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\win32;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
......@@ -104,8 +104,8 @@
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
<AdditionalDependencies>@OPENSSL_LIB@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIB@dnssectool.lib;libisc.lib;libisccfg.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
......
......@@ -58,6 +58,7 @@ options {\n\
"\
# deallocate-on-exit <obsolete>;\n\
# directory <none>\n\
dnssec-policy \"none\";\n\
dump-file \"named_dump.db\";\n\
edns-udp-size 4096;\n\
# fake-iquery <obsolete>;\n"
......
......@@ -64,6 +64,7 @@ struct named_server {
dns_loadmgr_t * loadmgr;
dns_zonemgr_t * zonemgr;
dns_viewlist_t viewlist;
dns_kasplist_t kasplist;
ns_interfacemgr_t * interfacemgr;
dns_db_t * in_roothints;
......
......@@ -27,19 +27,18 @@ ISC_LANG_BEGINDECLS
isc_result_t
named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
dns_zone_t *zone, dns_zone_t *raw);
dns_kasplist_t* kasplist, dns_zone_t *zone,
dns_zone_t *raw);
/*%<
* Configure or reconfigure a zone according to the named.conf
* data in 'cctx' and 'czone'.
* data.
*
* The zone origin is not configured, it is assumed to have been set
* at zone creation time.
*
* Require:
* \li 'lctx' to be initialized or NULL.
* \li 'cctx' to be initialized or NULL.
* \li 'ac' to point to an initialized cfg_aclconfctx_t.
* \li 'czone' to be initialized.
* \li 'kasplist' to be initialized.
* \li 'zone' to be initialized.
*/
......
......@@ -25,6 +25,7 @@
#include <dns/ipkeylist.h>
#include <dns/fixedname.h>
#include <dns/journal.h>
#include <dns/kasp.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/masterdump.h>
......@@ -840,8 +841,9 @@ process_notifytype(dns_notifytype_t ntype, dns_zonetype_t ztype,
isc_result_t
named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
dns_zone_t *zone, dns_zone_t *raw)
const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
dns_kasplist_t *kasplist, dns_zone_t *zone,
dns_zone_t *raw)
{
isc_result_t result;
const char *zname;
......@@ -853,6 +855,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
const cfg_obj_t *options = NULL;
const cfg_obj_t *obj;
const char *filename = NULL;
const char *kaspname = NULL;
const char *dupcheck;
dns_notifytype_t notifytype = dns_notifytype_yes;
uint32_t count;
......@@ -868,7 +871,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
int32_t journal_size;
bool multi;
bool alt;
dns_view_t *view;
dns_view_t *view = NULL;
dns_kasp_t *kasp = NULL;
bool check = false, fail = false;
bool warn = false, ignore = false;
bool ixfrdiff;
......@@ -1045,8 +1049,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
} else if (result == ISC_R_SUCCESS) {
dns_ttl_t maxttl = 0; /* unlimited */
if (cfg_obj_isuint32(obj))
maxttl = cfg_obj_asuint32(obj);
if (cfg_obj_isduration(obj))
maxttl = cfg_obj_asduration(obj);
dns_zone_setmaxttl(zone, maxttl);
if (raw != NULL)
dns_zone_setmaxttl(raw, maxttl);
......@@ -1192,6 +1196,24 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
*/
if (ztype != dns_zone_stub && ztype != dns_zone_staticstub &&
ztype != dns_zone_redirect) {
obj = NULL;
result = named_config_get(maps, "dnssec-policy", &obj);
if (result == ISC_R_SUCCESS) {
kaspname = cfg_obj_asstring(obj);
if (strcmp(kaspname, "none") != 0) {
result = dns_kasplist_find(kasplist, kaspname,
&kasp);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, named_g_lctx,
ISC_LOG_ERROR,
"'dnssec-policy '%s' not "
"found ", kaspname);
RETERR(result);
}
dns_zone_setkasp(zone, kasp);
}
}
obj = NULL;
result = named_config_get(maps, "notify", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
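Review bot: the error message has an unbalanced quote and a trailing space: `"'dnssec-policy '%s' not "` / `"found ", kaspname` produces `'dnssec-policy 'foo' not found `; it should read `"dnssec-policy '%s' not found"`. It is also worth confirming that `dns_zone_setkasp()` takes its own reference to the policy returned by `dns_kasplist_find()`, or detaches the one obtained here, so reconfiguration does not leak or double-free it.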
......@@ -1481,38 +1503,52 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
bool allow = false, maint = false;
bool sigvalinsecs;
obj = NULL;
result = named_config_get(maps, "dnskey-sig-validity", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
seconds = cfg_obj_asuint32(obj) * 86400;
if (kasp) {
seconds = (uint32_t) dns_kasp_sigvalidity_dnskey(kasp);
} else {
obj = NULL;
result = named_config_get(maps, "dnskey-sig-validity",
&obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
seconds = cfg_obj_asuint32(obj) * 86400;
}
dns_zone_setkeyvalidityinterval(zone, seconds);
obj = NULL;
result = named_config_get(maps, "sig-validity-interval", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
if (kasp) {
seconds = (uint32_t) dns_kasp_sigvalidity(kasp);
dns_zone_setsigvalidityinterval(zone, seconds);
seconds = (uint32_t) dns_kasp_sigrefresh(kasp);
dns_zone_setsigresigninginterval(zone, seconds);
} else {
obj = NULL;
result = named_config_get(maps, "sig-validity-interval",
&obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
sigvalinsecs = ns_server_getoption(named_g_server->sctx,
NS_SERVER_SIGVALINSECS);
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity);
if (!sigvalinsecs) {
seconds *= 86400;
}
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else if (!sigvalinsecs) {
if (seconds > 7 * 86400) {
seconds = cfg_obj_asuint32(resign) * 86400;
sigvalinsecs = ns_server_getoption(named_g_server->sctx,
NS_SERVER_SIGVALINSECS);
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity);
if (!sigvalinsecs) {
seconds *= 86400;
}
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else if (!sigvalinsecs) {
seconds = cfg_obj_asuint32(resign);
if (seconds > 7 * 86400) {
seconds *= 86400;
} else {
seconds *= 3600;
}
} else {
seconds = cfg_obj_asuint32(resign) * 3600;
seconds = cfg_obj_asuint32(resign);
}
} else {
seconds = cfg_obj_asuint32(resign);
dns_zone_setsigresigninginterval(zone, seconds);
}
dns_zone_setsigresigninginterval(zone, seconds);
obj = NULL;
result = named_config_get(maps, "key-directory", &obj);
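Review bot: the re-indented `re-sign` branch changes behaviour. Before, `if (seconds > 7 * 86400)` tested the validity interval (already converted to seconds) to decide whether the `re-sign` value is in days or hours; now `seconds = cfg_obj_asuint32(resign);` is assigned first, so the comparison is made against the raw re-sign number, which is almost never above 604800, and a re-sign value meant in days is multiplied by 3600 instead of 86400. Keep the comparison against the validity interval (read the re-sign value into a separate variable). Moving `dns_zone_setsigresigninginterval(zone, seconds);` into the else branch is fine, since the kasp branch sets it itself.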
......@@ -1541,12 +1577,20 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
cfg_obj_asboolean(obj));
/*
* This setting will be ignored if dnssec-policy is used.
* named-checkconf will error if both are configured.
*/
obj = NULL;
result = named_config_get(maps, "dnssec-dnskey-kskonly", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
cfg_obj_asboolean(obj));
/*
* This setting will be ignored if dnssec-policy is used.
* named-checkconf will error if both are configured.
*/
obj = NULL;
result = named_config_get(maps, "dnssec-loadkeys-interval",
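Review bot: both added comments ("This setting will be ignored if dnssec-policy is used.") sit after the block they describe and directly above the next option, so a reader takes the first one to refer to `dnssec-dnskey-kskonly` and the second to `dnssec-loadkeys-interval` (which is not in named-checkconf's rejection list). Move each comment above the `update-check-ksk` and `dnssec-dnskey-kskonly` blocks it applies to, matching the comment-before-code convention used in the rest of the function.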
......@@ -1557,7 +1601,11 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL;
result = cfg_map_get(zoptions, "auto-dnssec", &obj);
if (result == ISC_R_SUCCESS) {
if (dns_zone_getkasp(zone) != NULL) {
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true);
} else if (result == ISC_R_SUCCESS) {
const char *arg = cfg_obj_asstring(obj);
if (strcasecmp(arg, "allow") == 0) {
allow = true;
......@@ -1570,6 +1618,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
ISC_UNREACHABLE();
}
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
}
}
......
......@@ -443,7 +443,8 @@
allowed to incrementally re-sign over time.
</para>
<para>
This command requires that the
This command requires that the zone is configured with a
<command>dnssec-policy</command>, or that the
<command>auto-dnssec</command> zone option
be set to <literal>maintain</literal>,
and also requires the zone to be configured to
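Review bot: the new clause mixes moods: "requires that the zone is configured with a dnssec-policy, or that the auto-dnssec zone option be set". Use the subjunctive in both halves ("requires that the zone be configured with a `dnssec-policy`, or that the `auto-dnssec` zone option be set"); the same wording appears in the `loadkeys` hunk below.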
......@@ -849,7 +850,8 @@
re-signed with the new key set.
</para>
<para>
This command requires that the
This command requires that the zone is configured with a
<command>dnssec-policy</command>, or that the
<command>auto-dnssec</command> zone option be set
to <literal>allow</literal> or
<literal>maintain</literal>,
......
......@@ -373,14 +373,24 @@ done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
# Check jitter distribution.
echo_i "checking expired signatures were jittered correctly ($n)"
ret=0
$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
checkjitter dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
# XXX temporarily disable jitter test below until we have a better and more
# portable method for evaluating the evenness of the distribution.
if false; then
# Check jitter distribution.
echo_i "checking expired signatures were jittered correctly ($n)"
ret=0
$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
checkjitter dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
# XXX temporarily disabled
else
echowarn "I:autosign:jitter tests disabled"
fi
echo_i "checking NSEC->NSEC3 conversion succeeded ($n)"
ret=0
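Review bot: disabling the test with `if false; then ... fi` keeps dead code around and the closing `# XXX temporarily disabled` comment duplicates the explanation at the top of the block; if the intent is to re-enable once a portable distribution check exists, reference the tracking issue in the comment so the skip is not forgotten, and check that `echowarn` does not already prefix its output, since the message is given as "I:autosign:jitter tests disabled".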
......@@ -984,35 +994,44 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking jitter in a newly signed NSEC3 zone ($n)"
ret=0
# Use DNS UPDATE to add an NSEC3PARAM record into the zone.
$NSUPDATE > nsupdate.out.test$n 2>&1 <<END || ret=1
server 10.53.0.3 ${PORT}
zone jitter.nsec3.example.
update add jitter.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
# XXX temporarily disable jitter test below until we have a better and more
# portable method for evaluating the evenness of the distribution.
if false; then
echo_i "checking jitter in a newly signed NSEC3 zone ($n)"
ret=0
# Use DNS UPDATE to add an NSEC3PARAM record into the zone.
$NSUPDATE > nsupdate.out.test$n 2>&1 <<-END || ret=1
server 10.53.0.3 ${PORT}
zone jitter.nsec3.example.
update add jitter.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
END
[ $ret != 0 ] && echo_i "error: dynamic update add NSEC3PARAM failed"
# Create DNSSEC keys in the zone directory.
$KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > /dev/null
# Trigger zone signing.
$RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i
# Wait until zone has been signed.
for i in 0 1 2 3 4 5 6 7 8 9; do
failed=0
$DIG $DIGOPTS axfr jitter.nsec3.example @10.53.0.3 > dig.out.ns3.test$n || failed=1
grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || failed=1
[ $failed -eq 0 ] && break
echo_i "waiting ... ($i)"
sleep 2
done
[ $failed != 0 ] && echo_i "error: no NSEC3PARAM found in AXFR" && ret=1
# Check jitter distribution.
checkjitter dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
[ $ret != 0 ] && echo_i "error: dynamic update add NSEC3PARAM failed"
# Create DNSSEC keys in the zone directory.
$KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > /dev/null
# Trigger zone signing.
$RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i
# Wait until zone has been signed.
for i in 0 1 2 3 4 5 6 7 8 9; do
failed=0
$DIG $DIGOPTS axfr jitter.nsec3.example @10.53.0.3 > dig.out.ns3.test$n || failed=1
grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || failed=1
[ $failed -eq 0 ] && break
echo_i "waiting ... ($i)"
sleep 2
done
[ $failed != 0 ] && echo_i "error: no NSEC3PARAM found in AXFR" && ret=1
# Check jitter distribution.
checkjitter dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
# XXX temporarily disabled
else
echowarn "I:autosign:jitter tests disabled"
fi
echo_i "checking that serial number and RRSIGs are both updated (rt21045) ($n)"
ret=0
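Review bot: the heredoc was changed from `<<END` to `<<-END`, which strips leading tabs only; the body and the terminating `END` inside the `if false` block must therefore be tab-indented, because a space-indented `END` is not recognised and the heredoc runs to end of file. Worth double-checking the whitespace, as the block is never executed and the error would only show up when the test is re-enabled.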
......
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// Using the keyword 'default' is not allowed.
dnssec-policy "default" {
signatures-refresh P5D;
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "default";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
include "good-kasp.conf";
// Bad zone configuration because this has dnssec-policy and other DNSSEC sign
// configuration options (auto-dnssec).
zone "example.net" {
type master;
file "example.db";
dnssec-policy "test";
auto-dnssec maintain;
allow-update { any; };
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
include "good-kasp.conf";
// Bad zone configuration because this has dnssec-policy with no matching
// dnssec-policy configuration (good-kasp.conf has "test", zone refers to
// "nosuchpolicy".
zone "example.net" {
type master;
file "example.db";
dnssec-policy "nosuchpolicy";
};
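Review bot: the comment is missing its closing parenthesis: `// (good-kasp.conf has "test", zone refers to` / `// "nosuchpolicy".` should end with `"nosuchpolicy").`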
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// Bad kasp configuration because this has an invalid duration for
// signatures-refresh.
dnssec-policy "badduration" {
signatures-refresh PT20Sabcd;
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "badduration";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// Using the keyword 'none' is not allowed.
dnssec-policy "none" {
signatures-refresh P5D;
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "none";
};
......@@ -10,6 +10,7 @@
# information regarding copyright ownership.
rm -f good.conf.in good.conf.out badzero.conf *.out
rm -f good-kasp.conf.in
rm -rf test.keydir
rm -f checkconf.out*
rm -f diff.out*
......
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* This is just a random selection of DNSSEC configuration options.
*/
/* cut here */
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
ksk key-directory lifetime P1Y algorithm 13 256;
zsk key-directory lifetime P30D algorithm 13;
csk key-directory lifetime P30D algorithm 8 2048;
};
publish-safety PT3600S;
retire-safety PT3600S;
signatures-refresh P3D;
signatures-validity P2W;
signatures-validity-dnskey P14D;
zone-max-ttl 86400;
zone-propagation-delay PT5M;
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
parent-registration-delay P1D;
};
options {
dnssec-policy "default";
};
zone "example1" {
type master;
file "example1.db";
};
zone "example2" {
type master;
file "example2.db";
dnssec-policy "test";
};
zone "example3" {
type master;
file "example3.db";
dnssec-policy "default";
};
zone "example4" {
type master;
file "example4.db";
dnssec-policy "none";
};
......@@ -14,6 +14,24 @@
*/
/* cut here */
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
ksk key-directory lifetime P1Y algorithm 13 256;
zsk key-directory lifetime P30D algorithm 13;
csk key-directory lifetime P30D algorithm 8 2048;
};
publish-safety PT3600S;
retire-safety PT3600S;
signatures-refresh P3D;
signatures-validity P2W;
signatures-validity-dnskey P14D;
zone-max-ttl 86400;
zone-propagation-delay PT5M;
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
parent-registration-delay P1D;
};
options {
avoid-v4-udp-ports {
100;
......@@ -60,6 +78,7 @@ options {
validate-except {
"corp";
};
dnssec-policy "test";
transfer-source 0.0.0.0 dscp 63;
zone-statistics none;
};
......@@ -140,6 +159,28 @@ view "third" {
};
};
};
view "fourth" {
zone "dnssec-test" {
type master;
file "dnssec-test.db";
dnssec-policy "test";
};
zone "dnssec-default" {
type master;
file "dnssec-default.db";
dnssec-policy "default";
};
zone "dnssec-inherit" {
type master;
file "dnssec-inherit.db";
};
zone "dnssec-none" {
type master;
file "dnssec-none.db";
dnssec-policy "none";
};
dnssec-policy "default";
};
view "chaos" chaos {
zone "hostname.bind" chaos {
type master;
......
......@@ -8,4 +8,8 @@ clone IN third in-view first
dnssec IN third master
p IN third primary
s IN third secondary
dnssec-test IN fourth master
dnssec-default IN fourth master
dnssec-inherit IN fourth master
dnssec-none IN fourth master
hostname.bind chaos chaos master
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
include "good-kasp.conf";
zone "nsec3.net" {
type master;
file "nsec3.db";
dnssec-policy "test";
auto-dnssec maintain;
dnskey-sig-validity 3600;
dnssec-dnskey-kskonly yes;
dnssec-secure-to-insecure yes;
dnssec-update-mode maintain;
inline-signing yes;
sig-validity-interval 3600;
update-check-ksk yes;
allow-update { any; };
};
......@@ -466,5 +466,38 @@ grep "'geoip-use-ecs' is obsolete" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking named-checkconf kasp warnings ($n)"
ret=0
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1
grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "inline-signing: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "check that a good 'kasp' configuration is accepted ($n)"
ret=0
$CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that named-checkconf prints a known good kasp config ($n)"
ret=0
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in
[ -s good-kasp.conf.in ] || ret=1
$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' > good-kasp.conf.out 2>&1 || ret=1
cmp good-kasp.conf.in good-kasp.conf.out || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
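Review bot: the kasp-and-other-dnssec-options.conf test greps for the eight "cannot be configured if dnssec-policy is also set" messages but never checks `$CHECKCONF`'s exit status; since these are rejections rather than warnings (the echo_i label says "warnings"), assert a non-zero exit as well so a future change that downgrades them to warnings is caught. The new bad-kasp-*.conf files (keyword-default, keyword-none, unknown policy, bad duration) are not visibly exercised in this hunk; if the existing `bad-*.conf` loop covers them, fine, otherwise add cases.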
......@@ -61,7 +61,7 @@ PARALLEL_COMMON="dnssec rpzrecurse serve-stale \
ednscompliance emptyzones \
fetchlimit filter-aaaa formerr forward \
geoip2 glue idna inline integrity ixfr \
keepalive legacy limits \
kasp keepalive legacy limits \
masterfile masterformat metadata mirror mkeys \
names notify nslookup nsupdate nzd2nzf \
padding pending pipelined qmin \
......@@ -208,12 +208,12 @@ DISABLED_BITS=384
# the error using the description of the tested variable provided in $3
# and return 1.
assert_int_equal() {
expected="$1"
found="$2"
found="$1"
expected="$2"
description="$3"
if [ "${expected}" -ne "${found}" ]; then
echo_i "incorrect ${description}: expected ${expected}, got ${found}"
echo_i "incorrect ${description}: got ${found}, expected ${expected}"
return 1
fi
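Review bot: swapping the parameter order of `assert_int_equal` from (expected, found) to (found, expected) silently breaks every existing caller, and the message "incorrect ${description}: got ..., expected ..." would then be reported with the values reversed; make sure all call sites in the test suite are updated in this same commit, and consider a short comment above the function stating the new order.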
......@@ -338,6 +338,26 @@ nextpartpeek() {
nextpartread $1 2> /dev/null
}
# retry: keep running a command until it succeeds, up to $1 times, with
# one-second intervals
retry() {
__retries="${1}"
shift
while :; do
if "$@"; then
return 0
fi
__retries=$((__retries-1))
if [ "${__retries}" -gt 0 ]; then
echo_i "retrying"
sleep 1
else
return 1
fi
done
}
rndc_reload() {
echo_i "`$RNDC -c ../common/rndc.conf -s $2 -p ${CONTROLPORT} reload $3 2>&1 | sed 's/^/'$1' /'`"
# reloading single zone is synchronous, if we're reloading whole server
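Review bot: `retry()` runs the command once before decrementing, so `retry 0 cmd` still executes it once and `retry N` makes up to N attempts with N-1 sleeps; document that in the comment. `__retries` is a global in POSIX sh (no `local`), so nested use from a retried command would clobber it, and the command's output is not suppressed, which is fine for debugging but noisy in the logs.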
......
......@@ -1485,7 +1485,7 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking that dnsssec-signzone updates originalttl on ttl changes ($n)"
echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)"
ret=0
zone=example
key1=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone)
......
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
The test setup for the KASP tests.
ns1 is reserved for the root server.
ns2 is running primary service for ns3.
ns3 is an authoritative server for the various test domains.
ns4 and ns5 are authoritative servers for various test domains related to views.
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
rm -f ./keygen.*
rm -f ./K*.private ./K*.key ./K*.state ./K*.cmp
rm -rf ./keys/
rm -f dig.out* rrsig.out.* keyevent.out.*
rm -f ns*/named.conf ns*/named.memstats ns*/named.run*
rm -f ns*/*.jnl ns*/*.jbk
rm -f ns*/K*.private ns*/K*.key ns*/K*.state
rm -f ns*/dsset-* ns*/*.db ns*/*.db.signed
rm -f ns*/keygen.out.* ns*/settime.out.* ns*/signer.out.*
rm -f ns*/managed-keys.bind
rm -f ns*/*.mkeys
# NS3 specific
rm -f ns3/zones ns3/*.db.infile
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* This is just a random selection of configuration options.
*/
dnssec-policy "kasp" {
dnskey-ttl 200;
keys {
csk key-directory lifetime P1Y algorithm 13;
ksk key-directory lifetime P1Y algorithm 8;
zsk key-directory lifetime P30D algorithm 8 1024;
zsk key-directory lifetime P6M algorithm 8 2000;
};
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// NS2
options {
query-source address 10.53.0.2;
notify-source 10.53.0.2;
transfer-source 10.53.0.2;
port @PORT@;
pid-file "named.pid";
listen-on { 10.53.0.2; };
listen-on-v6 { none; };
allow-transfer { any; };
recursion no;
dnssec-policy "none";
};
key rndc_key {
secret "1234abcd8765";
algorithm hmac-sha256;
};
controls {
inet 10.53.0.2 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
/* Inherit dnssec-policy (which is none) */
zone "unsigned.tld" {
type master;
file "unsigned.tld.db";
};
/* Override dnssec-policy */
zone "signed.tld" {
type master;
dnssec-policy "default";
file "signed.tld.db";
};
/* Primary service for ns3 */
zone "secondary.kasp" {
type master;
file "secondary.kasp.db";
allow-transfer { 10.53.0.3; };
notify yes;
};
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300
@ IN SOA secondary.kasp. hostmaster.kasp. (
1 ; serial
20 ; refresh (20 seconds)