Commits (66)
  • Diego dos Santos Fronza's avatar
    Change the isc_statscounter_t type from int to C99 int_fast64_t type · 0fc98ef2
    Diego dos Santos Fronza authored
    For TCP high-water work, we need to keep the integer type widths in use
    in sync.
    
    Note: int_fast32_t is used on WIN32 platform
    0fc98ef2
  • Diego dos Santos Fronza's avatar
    Change the isc_stat_t type to isc__atomic_statcounter_t · eb5611a7
    Diego dos Santos Fronza authored
    The isc_stat_t type was too similar to isc_stats_t type, so the name was
    changed to something more distinguishable.
    eb5611a7
  • Diego dos Santos Fronza's avatar
    Add functions for collecting high-water counters · a544e2e3
    Diego dos Santos Fronza authored
    Add {isc,ns}_stats_{update_if_greater,get_counter}() functions that
    are used to set and collect high-water type of statistics.
    a544e2e3
  • Diego dos Santos Fronza's avatar
    Added TCP high-water statistics variable · 66fe8627
    Diego dos Santos Fronza authored
    This variable will report the maximum number of simultaneous tcp clients
    that BIND has served while running.
    
    It can be verified by running rndc status and inspecting "tcp high-water:
    count", or by generating a statistics file with rndc stats and inspecting
    the line containing "TCP connection high-water".
    
    The tcp-highwater variable is atomically updated based on an existing
    tcp-quota system handled in ns/client.c.
    66fe8627
  • Diego dos Santos Fronza's avatar
    Added TCP high-water system tests · 29be224a
    Diego dos Santos Fronza authored
    Note: ans6/ans6.py is a helper script that allows tests.sh to open/close
    TCP connections to some BIND instance.
    29be224a
  • Diego dos Santos Fronza's avatar
    dd492b64
  • Diego dos Santos Fronza's avatar
    ba3fe75e
  • Ondřej Surý's avatar
    Merge branch '1206-tcp-high-water-stats' into 'master' · 9abcff9c
    Ondřej Surý authored
    Added tcp-high-water statistics variable.
    
    Closes #1206
    
    See merge request !2425
    9abcff9c
  • Ondřej Surý's avatar
    Merge branch '1285-documentation-update-to-sortlist-feature-bugs-42615' into 'master' · 33612475
    Ondřej Surý authored
    arm: Add a sentence about overlapping selectors in sortlist statement
    
    Closes #1285
    
    See merge request !2517
    33612475
  • Ondřej Surý's avatar
    Avoid an extra atomic_load() call · b4df5a6e
    Ondřej Surý authored
    b4df5a6e
  • Ondřej Surý's avatar
    Merge branch '1206-tcp-high-water-stats-fix-type' into 'master' · 7c7f5884
    Ondřej Surý authored
    Avoid an extra atomic_load call when doing atomic_compare_exchange_loop
    
    See merge request !2531
    7c7f5884
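The two tcp-highwater commits above describe an atomically maintained high-water counter and a compare-exchange loop that avoids a redundant atomic_load(). The following is an added example in C11, not BIND's isc_stats_update_if_greater() or ns/client.c (whose internals are not shown on this page); all type and function names are assumptions chosen for the example.

```c
#include <stdatomic.h>
#include <stdint.h>

/* Added example, not BIND's code: a "high-water" counter that only ever
 * moves upward, updated with a compare-exchange loop. */
typedef atomic_int_fast64_t highwater_t;

/*
 * Raise *hw to 'value' if 'value' is larger; return the resulting high-water.
 * The current value is loaded once before the loop. On a failed exchange,
 * atomic_compare_exchange_weak() overwrites 'cur' with the value it found,
 * so the loop re-checks without an extra atomic_load().
 */
int_fast64_t
highwater_update_if_greater(highwater_t *hw, int_fast64_t value) {
	int_fast64_t cur = atomic_load_explicit(hw, memory_order_relaxed);
	while (cur < value) {
		if (atomic_compare_exchange_weak_explicit(
			    hw, &cur, value, memory_order_acq_rel,
			    memory_order_relaxed))
		{
			return value;
		}
		/* 'cur' now holds the value another thread stored; retry. */
	}
	return cur;
}

/* Minimal model of the tcp-quota bookkeeping: an active-client count and
 * the high-water mark derived from it (names assumed). */
typedef struct {
	atomic_int_fast64_t active;
	highwater_t highwater;
} tcp_stats_t;

void
tcp_stats_init(tcp_stats_t *s) {
	atomic_init(&s->active, 0);
	atomic_init(&s->highwater, 0);
}

/* A client was accepted: bump the active count and raise the high-water
 * mark if this is a new maximum. Returns the current high-water value. */
int_fast64_t
tcp_client_accept(tcp_stats_t *s) {
	int_fast64_t now = atomic_fetch_add(&s->active, 1) + 1;
	return highwater_update_if_greater(&s->highwater, now);
}

void
tcp_client_close(tcp_stats_t *s) {
	atomic_fetch_sub(&s->active, 1);
}

int_fast64_t
tcp_stats_highwater(tcp_stats_t *s) {
	return atomic_load(&s->highwater);
}

/* Constructed scenario: three accepts, two closes, one accept. The
 * high-water mark is 3 even though only 2 clients are active at the end. */
int_fast64_t
demo_highwater(void) {
	tcp_stats_t s;
	tcp_stats_init(&s);
	tcp_client_accept(&s);
	tcp_client_accept(&s);
	tcp_client_accept(&s);
	tcp_client_close(&s);
	tcp_client_close(&s);
	tcp_client_accept(&s);
	return tcp_stats_highwater(&s);
}

/* Direct check of the update rule: start at 'init', offer 'value'. */
int_fast64_t
check_update(int_fast64_t init, int_fast64_t value) {
	highwater_t hw;
	atomic_init(&hw, init);
	return highwater_update_if_greater(&hw, value);
}
```

The weak variant may fail spuriously, which is harmless here because the loop condition is re-evaluated against the refreshed `cur`; a counter that is already at or above `value` exits without ever attempting a store.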
  • Witold Krecicki's avatar
    Jitter signatures times when adding dynamic records. · 6b2fd402
    Witold Krecicki authored
    When doing regular signing, the expiry time is jittered to make sure
    that the re-signing times are not clumped together. This expands
    this behaviour to the expiry times of dynamically added records.
    
    When incrementally re-signing a zone, use the full jitter range if
    the server appears to have been offline for more than 5 minutes;
    otherwise use a small jitter range of 3600 seconds.  This will stop
    the signatures becoming more clustered if the server has been
    offline for a significant period of time (> 5 minutes).
    6b2fd402
  • Matthijs Mekking's avatar
    Test jitter distribution · 540b90fd
    Matthijs Mekking authored
    Test jitter distribution in NSEC3 dynamic zone and for a zone that has old
    signatures.  In both cases the generated signatures should be spread nicely.
    540b90fd
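The jitter commits above state the rule (full range after more than 5 minutes offline, otherwise a 3600-second range) and the test goal (signatures should be spread, not clumped). The following is an added C example, not BIND's zone.c or its system test; `full_range` is a caller-supplied assumption, since the page does not say how BIND derives the full jitter range, and the bucket check is a constructed stand-in for the distribution test.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not BIND's code. */
#define OFFLINE_THRESHOLD 300U  /* "greater than 5 minutes" */
#define SMALL_JITTER      3600U /* "small jitter range of 3600 seconds" */

/* Full range if the server looks to have been offline for more than five
 * minutes, otherwise the one-hour range (never wider than full_range). */
uint32_t
choose_jitter_range(uint32_t offline_seconds, uint32_t full_range) {
	if (offline_seconds > OFFLINE_THRESHOLD) {
		return full_range;
	}
	return full_range < SMALL_JITTER ? full_range : SMALL_JITTER;
}

/* Expiry = now + validity - jitter, with jitter uniform in [0, range).
 * The random value is passed in so results are reproducible in tests. */
uint32_t
jittered_expiry(uint32_t now, uint32_t validity, uint32_t range, uint32_t rnd) {
	uint32_t jitter = (range == 0) ? 0 : rnd % range;
	return now + validity - jitter;
}

/* xorshift32: a constructed, non-cryptographic generator; spreading expiry
 * times needs uniformity, not unpredictability. */
static uint32_t
xorshift32(uint32_t *state) {
	uint32_t x = *state;
	x ^= x << 13;
	x ^= x >> 17;
	x ^= x << 5;
	return (*state = x);
}

/* Distribution check in the spirit of the "Test jitter distribution" commit:
 * sign n records and count how many distinct one-hour buckets (measured back
 * from the nominal expiry) their expiries land in. A clumped result occupies
 * few buckets; a well-spread one occupies many. */
int
expiry_buckets(int n, uint32_t now, uint32_t validity, uint32_t range,
	       uint32_t seed) {
	enum { MAXBUCKETS = 1024 };
	bool seen[MAXBUCKETS] = { false };
	int populated = 0;
	uint32_t state = (seed != 0) ? seed : 1; /* xorshift must not start at 0 */
	for (int i = 0; i < n; i++) {
		uint32_t expiry = jittered_expiry(now, validity, range,
						  xorshift32(&state));
		uint32_t bucket = (now + validity - expiry) / 3600;
		if (bucket < MAXBUCKETS && !seen[bucket]) {
			seen[bucket] = true;
			populated++;
		}
	}
	return populated;
}
```

With the small range every expiry lands in the same one-hour bucket (the spread is inside that hour), while a week-long range used after a long outage spreads 200 signatures across many hours, which is the behaviour the commit wants to restore after downtime.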
  • Ondřej Surý's avatar
    Add CHANGES · 00569e0d
    Ondřej Surý authored
    00569e0d
  • Ondřej Surý's avatar
    Merge branch '1256-jitter-dynamically-updated-signatures' into 'master' · 54b92a04
    Ondřej Surý authored
    Resolve "Signature Expiration Jitter not working for dynamic NSEC3 zones"
    
    Closes #1256
    
    See merge request !2451
    54b92a04
  • Michał Kępień's avatar
    Add assert_int_equal() shell function · 8bb7f1f2
    Michał Kępień authored
    Add a shell function which is used in the "tcp" system test, but has
    been accidentally omitted from !2425.  Make sure the function does not
    change the value of "ret" itself, so that the caller can decide what to
    do with the function's return value.
    8bb7f1f2
  • Michał Kępień's avatar
    Merge branch '1206-add-assert_int_equal-shell-function' into 'master' · 89f874e6
    Michał Kępień authored
    Add assert_int_equal() shell function
    
    Closes #1206
    
    See merge request !2535
    89f874e6
  • Michał Kępień's avatar
    Do not use <sys/sysctl.h> on Linux · 65a8b53b
    Michał Kępień authored
    glibc 2.30 deprecated the <sys/sysctl.h> header [1].  However, that
    header is still used on other Unix-like systems, so only prevent it from
    being used on Linux, in order to prevent compiler warnings from being
    triggered.
    
    [1] https://sourceware.org/ml/libc-alpha/2019-08/msg00029.html
    65a8b53b
  • Michał Kępień's avatar
    Merge branch '1298-do-not-use-sys-sysctl.h-on-linux' into 'master' · db670fcd
    Michał Kępień authored
    Do not use <sys/sysctl.h> on Linux
    
    Closes #1298
    
    See merge request !2525
    db670fcd
  • Michał Kępień's avatar
    Fix TCP high-water release note · d0a3273d
    Michał Kępień authored
    Add missing GitLab issue number to the TCP high-water release note.
    d0a3273d
  • Michał Kępień's avatar
    Merge branch '1206-fix-tcp-high-water-release-note' into 'master' · 799e95b1
    Michał Kępień authored
    Fix TCP high-water release note
    
    Closes #1206
    
    See merge request !2541
    799e95b1
  • Matthijs Mekking's avatar
    Change indentation in doc/arm/dnssec.xml · c67379fb
    Matthijs Mekking authored
    This commit does not change anything significant; it just makes
    the file more readable in preparation for upcoming changes related
    to the `dnssec-policy` configuration option.
    c67379fb
  • Matthijs Mekking's avatar
    Extend ttlval to accept ISO 8601 durations · b7c5bfb2
    Matthijs Mekking authored
    The ttlval configuration types are replaced by duration configuration
    types. The duration is an ISO 8601 duration that is going to be used
    for DNSSEC key timings such as key lifetimes, signature resign
    intervals and refresh periods, etc. But it is also still allowed to
    use the BIND ttlval ways of configuring intervals (number plus
    optional unit).
    
    A duration is stored as an array of 7 different time parts.
    A duration can either be expressed in weeks, or in a combination of
    the other datetime indicators.
    
    Add several unit tests to ensure the correct value is parsed given
    different string values.
    b7c5bfb2
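The commit above describes a duration type that accepts either an ISO 8601 duration or the older ttlval form, stores seven time parts, and allows weeks only on their own. The following is an added C example, not BIND's isccfg code (cfg_obj_asduration() and the unit tests are not shown on this page); the names, and the year = 365 days and month = 30 days conversions used to reduce a duration to seconds, are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not BIND's parser. Seven parts, as in the commit message. */
enum { DUR_Y, DUR_MO, DUR_W, DUR_D, DUR_H, DUR_MI, DUR_S, DUR_NPARTS };

typedef struct {
	uint32_t parts[DUR_NPARTS];
	bool iso8601; /* true if parsed from the ISO 8601 form */
} duration_t;

static bool
read_number(const char **s, uint32_t *out) {
	if (!isdigit((unsigned char)**s)) return false;
	char *end;
	unsigned long v = strtoul(*s, &end, 10);
	if (v > UINT32_MAX) return false;
	*out = (uint32_t)v;
	*s = end;
	return true;
}

/* ttlval: "3600", "2h", "1d", "1w" ... (unit letter is case-insensitive). */
static bool
parse_ttlval(const char *s, duration_t *d) {
	uint32_t v;
	int idx;
	if (!read_number(&s, &v)) return false;
	switch (tolower((unsigned char)*s)) {
	case '\0': case 's': idx = DUR_S; break;
	case 'm': idx = DUR_MI; break;
	case 'h': idx = DUR_H; break;
	case 'd': idx = DUR_D; break;
	case 'w': idx = DUR_W; break;
	default: return false;
	}
	if (*s != '\0' && s[1] != '\0') return false; /* trailing junk */
	d->parts[idx] = v;
	return true;
}

/* ISO 8601: P[nY][nM][nW][nD][T[nH][nM][nS]]; weeks may not be combined. */
static bool
parse_iso8601(const char *s, duration_t *d) {
	bool in_time = false, any = false;
	if (*s++ != 'P') return false;
	d->iso8601 = true;
	while (*s != '\0') {
		if (*s == 'T') {
			if (in_time) return false;
			in_time = true; s++; continue;
		}
		uint32_t v; int idx;
		if (!read_number(&s, &v)) return false;
		switch (*s) {
		case 'Y': if (in_time) return false; idx = DUR_Y; break;
		case 'M': idx = in_time ? DUR_MI : DUR_MO; break; /* M is ambiguous */
		case 'W': if (in_time) return false; idx = DUR_W; break;
		case 'D': if (in_time) return false; idx = DUR_D; break;
		case 'H': if (!in_time) return false; idx = DUR_H; break;
		case 'S': if (!in_time) return false; idx = DUR_S; break;
		default: return false;
		}
		d->parts[idx] = v; any = true; s++;
	}
	if (!any) return false;
	if (d->parts[DUR_W] != 0) { /* weeks stand alone */
		for (int i = 0; i < DUR_NPARTS; i++)
			if (i != DUR_W && d->parts[i] != 0) return false;
	}
	return true;
}

bool
duration_parse(const char *s, duration_t *d) {
	memset(d, 0, sizeof(*d));
	if (s == NULL || *s == '\0') return false;
	return (*s == 'P') ? parse_iso8601(s, d) : parse_ttlval(s, d);
}

/* Reduce to seconds; fails if the result does not fit a 32-bit TTL.
 * Year and month lengths are fixed assumptions for this example. */
bool
duration_seconds(const duration_t *d, uint32_t *out) {
	static const uint64_t mult[DUR_NPARTS] = {
		365ULL * 86400, 30ULL * 86400, 7ULL * 86400, 86400, 3600, 60, 1
	};
	uint64_t total = 0;
	for (int i = 0; i < DUR_NPARTS; i++) total += (uint64_t)d->parts[i] * mult[i];
	if (total > UINT32_MAX) return false;
	*out = (uint32_t)total;
	return true;
}

/* Convenience: seconds for a string, or -1 if it is not a valid duration. */
int64_t
duration_to_seconds(const char *s) {
	duration_t d; uint32_t secs;
	if (!duration_parse(s, &d) || !duration_seconds(&d, &secs)) return -1;
	return (int64_t)secs;
}
```

The overflow check in `duration_seconds()` matters because these values end up in 32-bit TTL and timing fields; a parser that silently wraps a large key lifetime into a small one would quietly shorten a rollover schedule.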
  • Matthijs Mekking's avatar
    Design documentation 'dnssec-policy' · 1fbd8bb1
    Matthijs Mekking authored
    Initial design document.
    1fbd8bb1
  • Matthijs Mekking's avatar
    Introduce dnssec-policy configuration · a50d707f
    Matthijs Mekking authored
    This commit introduces the initial `dnssec-policy` configuration
    statement. It has an initial set of options to deal with signature
    and key maintenance.
    
    Add some checks to ensure that dnssec-policy is configured at the
    right locations, and that policies referenced in zone statements
    actually exist.
    
    Add some checks that when a user adds the new `dnssec-policy`
    configuration, it will no longer contain existing DNSSEC
    configuration options.  Specifically: `inline-signing`,
    `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`,
    `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`,
    and `sig-validity-interval`.
    
    Test a good kasp configuration, and some bad configurations.
    a50d707f
  • Matthijs Mekking's avatar
    Introduce kasp structure · e9ccebd9
    Matthijs Mekking authored
    This stores the dnssec-policy configuration and adds methods to
    create, destroy, and attach/detach, as well as find a policy with
    the same name in a list.
    
    Also, add structures and functions for creating and destroying
    kasp keys.
    e9ccebd9
  • Matthijs Mekking's avatar
    Sync options in dnssec-keygen · 48ce026d
    Matthijs Mekking authored
    Code and documentation were not in line:
    - Remove -z option from code
    - Remove -k option from docbook
    - Add -d option to docbook
    - Add -T option to docbook
    48ce026d
  • Matthijs Mekking's avatar
    dnssec-keygen: Move key gen code in own function · 2829e294
    Matthijs Mekking authored
    In preparation for key generation with dnssec-policy, where multiple
    keys may be created.
    2829e294
  • Matthijs Mekking's avatar
    dnssec-keygen: Move keygen function above main · 1a9692f5
    Matthijs Mekking authored
    This is done in a separate commit to make diff easier.
    1a9692f5
  • Matthijs Mekking's avatar
    Add code for creating kasp from config · 7bfac503
    Matthijs Mekking authored
    Add code for creating, configuring, and destroying KASP keys.  When
    using the default policy, create one CSK, no rollover.
    7bfac503
  • Matthijs Mekking's avatar
    Nit: fix typo (dnsssec-signzone) · e6ee5486
    Matthijs Mekking authored
    e6ee5486
  • Matthijs Mekking's avatar
    Fix: nums type in dst_keys · 68e8741c
    Matthijs Mekking authored
    This was isc_stdtime_t but should be uint32_t.
    68e8741c
  • Matthijs Mekking's avatar
    7f4d1dbd
  • Matthijs Mekking's avatar
    Update dst key code to maintain key state · 77d2895a
    Matthijs Mekking authored
    Add a number of metadata variables (lifetime, ksk and zsk role).
    
    For the roles we add a new type of metadata (booleans).
    
    Add a function to write the state of the key to a separate file.
    
    Only write out known metadata to private file.  With the
    introduction of the numeric metadata "Lifetime", adjust the write
    private key file functionality to only write out metadata it knows
    about.
    77d2895a
  • Matthijs Mekking's avatar
    Add various get functions for kasp · 97a5698e
    Matthijs Mekking authored
    Write functions to access various elements of the kasp structure,
    and the kasp keys. This in preparation of code in dnssec-keygen,
    dnssec-settime, named...
    97a5698e
  • Matthijs Mekking's avatar
    dnssec-keygen can create keys given dnssec-policy · 09ac224c
    Matthijs Mekking authored
    This commit adds code for generating keys with dnssec-keygen given
    a specific dnssec-policy.
    
    The dnssec-policy can be set with a new option '-k'. The '-l'
    option can be used to set a configuration file that contains a
    specific dnssec-policy.
    
    Because the dnssec-policy dictates what the keys should look like,
    many of the existing dnssec-keygen options cannot be used together
    with '-k'.
    
    If the dnssec-policy lists multiple keys, dnssec-keygen now has the
    ability to generate multiple keys in one run.
    
    Add two tests for creating keys with '-k': One with the default
    policy, one with multiple keys from the configuration.
    09ac224c
  • Matthijs Mekking's avatar
    Parse dnssec-policy config into kasp · 2924b19a
    Matthijs Mekking authored
    Add code that actually stores the configuration into the kasp
    structure and attach it to the appropriate zone.
    2924b19a
  • Matthijs Mekking's avatar
    Add functionality to read key state from disk · c55625b0
    Matthijs Mekking authored
    When reading a key from file, you can set the DST_TYPE_STATE option
    to also read the key state.
    
    This expects the Algorithm and Length fields to go above the metadata,
    so update the write functionality to do so accordingly.
    
    Introduce new DST metadata types for KSK, ZSK, Lifetime and the
    timing metadata used in state files.
    c55625b0
  • Matthijs Mekking's avatar
    dnssec-settime: Allow manipulating state files · 72042a06
    Matthijs Mekking authored
    Introduce a new option '-s' for dnssec-settime that when manipulating
    timing metadata, it also updates the key state file.
    
    For testing purposes, add options to dnssec-settime to set key
    states and when they last changed.
    
    The dst code adds ways to write and read the new key states and
    timing metadata. It updates the parsing code for private key files
    to not parse the newly introduced metadata (these are for state
    files only).
    
    Introduce key goal (the state the key wants to be in).
    72042a06
  • Matthijs Mekking's avatar
    Allow DNSSEC records in kasp enabled zone · 3e819827
    Matthijs Mekking authored
    When signing a zone with dnssec-policy, we don't mind DNSSEC records.
    This is useful for testing purposes, and perhaps it is better to
    signal this behavior with a different configuration option.
    3e819827
  • Matthijs Mekking's avatar
    arm: Update DNSSEC documentation · 66fb0026
    Matthijs Mekking authored
    66fb0026
  • Matthijs Mekking's avatar
    keygen/settime: Write out successor/predecessor · e70f70aa
    Matthijs Mekking authored
    When creating a successor key, or calculating time for a successor
    key, write out the successor and predecessor metadata to the
    related files.
    e70f70aa
  • Matthijs Mekking's avatar
    kasp: Expose more key timings · f530432e
    Matthijs Mekking authored
    When doing rollover in a timely manner, we need to have access to the
    relevant kasp configured durations.
    
    Most of these are simple get functions, but 'dns_kasp_signdelay'
    will calculate the maximum time that is needed with this policy to
    resign the complete zone (taking into account the refresh interval
    and signature validity).
    
    Introduce parent-propagation-delay, parent-registration-delay,
    parent-ds-ttl, zone-max-ttl, zone-propagation-delay.
    f530432e
  • Matthijs Mekking's avatar
    Useful dst_key functions · 44701100
    Matthijs Mekking authored
    Add a couple of dst_key functions for determining hints that
    consider key states if they are available.
    - dst_key_is_unused:
      A key has no timing metadata set other than Created.
    - dst_key_is_published:
      A key has publish timing metadata <= now, DNSKEY state in
      RUMOURED or OMNIPRESENT.
    - dst_key_is_active:
      A key has active timing metadata <= now, RRSIG state in
      RUMOURED or OMNIPRESENT.
    - dst_key_is_signing:
      KSK is_signing and is_active means different things than
      for a ZSK. A ZSK is active means it is also signing, but
      a KSK always signs its DNSKEY RRset but is considered
      active if its DS is present (rumoured or omnipresent).
    - dst_key_is_revoked:
      A key has revoke timing metadata <= now.
    - dst_key_is_removed:
      A key has delete timing metadata <= now, DNSKEY state in
      UNRETENTIVE or HIDDEN.
    44701100
  • Matthijs Mekking's avatar
    Introduce keymgr in named · a54b7089
    Matthijs Mekking authored
    Add a key manager to named.  If a 'dnssec-policy' is set, 'named'
    will run a key manager on the matching keys.  This will do a couple
    of things:
    
    1. Create keys when needed (in case of rollover for example)
       according to the set policy.
    
    2. Retire keys that are in excess of the policy.
    
    3. Maintain key states according to "Flexible and Robust Key
       Rollover" [1]. After key manager ran, key files will be saved to
       disk.
    
       [1] https://matthijsmekking.nl/static/pdf/satin2012-Schaeffer.pdf
    
    KEY GENERATION
    
    Create keys according to DNSSEC policy.  Zones configured with
    'dnssec-policy' will allow 'named' to create DNSSEC keys (similar
    to dnssec-keymgr) if not available.
    
    KEY ROLLOVER
    
    Rather than determining the desired state from timing metadata,
    add a key state goal.  Any keys that are created or picked from the
    key ring and selected to be a successor have their key state goal
    set to OMNIPRESENT (this key wants to be signing!). At the same time,
    a key that is being retired has its key state goal set to HIDDEN.
    
    The keymgr state machine with the three rules will make sure no
    introduction or withdrawal of DNSSEC records happens too soon.
    
    KEY TIMINGS
    
    All timings are based on RFC 7583.
    
    The keymgr will return when the next action is due so that the zone
    can set the proper rekey event. Prior to this change the rekey event
    would run every hour by default (configurable), but with kasp we can
    determine exactly when we need to run again.
    
    The prepublication time is derived from policy.
    a54b7089
  • Matthijs Mekking's avatar
    Update zoneconf to use kasp config · 8bafe453
    Matthijs Mekking authored
    If a zone has a dnssec-policy set, use signature validity,
    dnskey signature validity, and signature refresh from
    dnssec-policy.
    
    Zones configured with 'dnssec-policy' will allow 'named' to create
    DNSSEC keys (similar to dnssec-keymgr) if not available.
    8bafe453
  • Matthijs Mekking's avatar
    DNSSEC hints use dst_key functions and key states · bd9750f3
    Matthijs Mekking authored
    Update dns_dnssec_get_hints and dns_dnssec_keyactive to use dst_key
    functions and thus if dnssec-policy/KASP is used the key states are
    being considered.
    
    Add a new variable to 'struct dns_dnsseckey' to signal whether this
    key is a zone-signing key (it is no longer true that ksk == !zsk).
    
    Also introduce a hint for revoke.
    
    Update 'dns_dnssec_findzonekeys' and 'dns_dnssec_findmatchingkeys'
    to also read the key state file, if available.
    
    Remove 'allzsk' from 'dns_dnssec_updatekeys' as this was only a
    hint for logging.
    
    Also make get_hints() (now dns_dnssec_get_hints()) public so that
    we can use it in the key manager.
    bd9750f3
  • Matthijs Mekking's avatar
    Adjust signing code to use kasp · 64615403
    Matthijs Mekking authored
    Update the signing code in lib/dns/zone.c and lib/dns/update.c to
    use kasp logic if a dnssec-policy is enabled.
    
    This means zones with dnssec-policy should no longer follow
    'update-check-ksk' and 'dnssec-dnskey-kskonly' logic, instead the
    KASP keys configured dictate which RRset gets signed with what key.
    
    Also use the next rekey event from the key manager rather than
    setting it to one hour.
    
    Mark the zone dynamic, as otherwise a zone with dnssec-policy is
    not eligible for automatic DNSSEC maintenance.
    64615403
  • Matthijs Mekking's avatar
    Refactor kasp system test · fa1c8cbd
    Matthijs Mekking authored
    A significant refactor of the kasp system test in an attempt to
    make the test script somewhat brief.  When writing a test case,
    you can/should use the functions 'zone_properties',
    'key_properties', and 'key_timings' to set the expected values
    when checking a key with 'check_key'. All four of these functions
    can be used to set environment variables that come in handy when
    testing output.
    fa1c8cbd
  • Matthijs Mekking's avatar
    Add kasp tests · 9ae13497
    Matthijs Mekking authored
    Add more tests for kasp:
    
    - Add tests for different algorithms.
    
    - Add a test to ensure that an edit in an unsigned zone is
      picked up and properly signed.
    
    - Add two tests that ensure that a zone gets signed when it is
      configured as so-called 'inline-signing'.  In other words, a
      secondary zone that is configured with a 'dnssec-policy'.  A zone
      that is transferred over AXFR or IXFR will get signed.
    
    - Add a test to ensure signatures are reused if they are still
      fresh enough.
    
    - Add two more tests to verify that expired and unfresh signatures
      will be regenerated.
    
    - Add tests for various cases with keys already available in the
      key-directory.
    9ae13497
  • Matthijs Mekking's avatar
    Test ZSK and KSK rollover · cfd15ec8
    Matthijs Mekking authored
    Add tests for ZSK Pre-Publication and KSK Double-KSK rollover.
    
    Includes tests that the next key event is scheduled at the right time.
    cfd15ec8
  • Matthijs Mekking's avatar
    Use keywords in dnssec-policy keys configuration · bcf7bcb6
    Matthijs Mekking authored
    Add keywords 'lifetime' and 'algorithm' to make the key configuration
    more clear.
    bcf7bcb6
  • Matthijs Mekking's avatar
    Code changes for CSK · 0bbbf730
    Matthijs Mekking authored
    Update dns_dnssec_keyactive to differentiate between the roles ZSK
    and KSK.  A key is active if it is signing but that differs per role.
    A ZSK is signing if its ZRRSIG state is in RUMOURED or OMNIPRESENT,
    a KSK is signing if its KRRSIG state is in RUMOURED or OMNIPRESENT.
    
    This means that a key can be actively signing for one role but not
    the other.  Add checks in inline signing (zone.c and update.c) to
    cover the case where a CSK is active in its KSK role but not the ZSK
    role.
    0bbbf730
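The "Useful dst_key functions" commit lists the hint predicates (unused, published, active, signing, revoked, removed) and the CSK commit above refines "signing" and "active" per role (ZRRSIG for the ZSK role, KRRSIG for the KSK role, DS presence for a KSK to count as active). The following is an added C example of those predicates on a small model struct, not BIND's dst_key code; the struct, the names, and the reading that a timing condition must hold and an available state must agree (states are "considered if available") are assumptions of this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not BIND's code. Timing metadata is a UNIX time, 0 meaning
 * "not set"; state KS_NA means "no state file available". */
typedef enum { KS_NA, KS_HIDDEN, KS_RUMOURED, KS_OMNIPRESENT, KS_UNRETENTIVE } keystate_t;
typedef enum { ROLE_KSK, ROLE_ZSK } keyrole_t;

typedef struct {
	bool ksk, zsk;                                   /* a CSK has both roles */
	uint32_t created, publish, active, revoke, removal; /* timing metadata */
	keystate_t dnskey, krrsig, zrrsig, ds;           /* key states */
} keyinfo_t;

static bool present(keystate_t s) { return s == KS_RUMOURED || s == KS_OMNIPRESENT; }
static bool due(uint32_t t, uint32_t now) { return t != 0 && t <= now; }
/* A state that is unavailable does not veto; an available one must agree. */
static bool agrees(keystate_t s, bool ok_if_available) { return s == KS_NA || ok_if_available; }

/* Unused: no timing metadata set other than Created. */
bool key_is_unused(const keyinfo_t *k) {
	return k->publish == 0 && k->active == 0 && k->revoke == 0 && k->removal == 0;
}

/* Published: Publish <= now, DNSKEY state rumoured or omnipresent. */
bool key_is_published(const keyinfo_t *k, uint32_t now) {
	return due(k->publish, now) && agrees(k->dnskey, present(k->dnskey));
}

/* Signing: a ZSK signs when its ZRRSIG state is rumoured/omnipresent, a KSK
 * when its KRRSIG state is; either way Active must be <= now. */
bool key_is_signing(const keyinfo_t *k, keyrole_t role, uint32_t now) {
	if ((role == ROLE_KSK && !k->ksk) || (role == ROLE_ZSK && !k->zsk)) return false;
	keystate_t s = (role == ROLE_KSK) ? k->krrsig : k->zrrsig;
	return due(k->active, now) && agrees(s, present(s));
}

/* Active: for a ZSK the same as signing; a KSK always signs its DNSKEY RRset
 * but counts as active only once its DS is rumoured/omnipresent. */
bool key_is_active(const keyinfo_t *k, keyrole_t role, uint32_t now) {
	if (role == ROLE_ZSK) return key_is_signing(k, ROLE_ZSK, now);
	if (!k->ksk) return false;
	return due(k->active, now) && agrees(k->ds, present(k->ds));
}

/* Revoked: Revoke <= now. */
bool key_is_revoked(const keyinfo_t *k, uint32_t now) { return due(k->revoke, now); }

/* Removed: Delete <= now, DNSKEY state unretentive or hidden. */
bool key_is_removed(const keyinfo_t *k, uint32_t now) {
	bool gone = k->dnskey == KS_UNRETENTIVE || k->dnskey == KS_HIDDEN;
	return due(k->removal, now) && agrees(k->dnskey, gone);
}

/* Constructed scenario: a CSK whose KSK role is in use (KRRSIG omnipresent,
 * DS rumoured) while its ZSK role has not started (ZRRSIG hidden). Bitmask:
 * 1 = signing as KSK, 2 = active as KSK, 4 = signing as ZSK, 8 = published. */
unsigned
scenario_csk_ksk_role_only(void) {
	keyinfo_t k = { .ksk = true, .zsk = true, .created = 100, .publish = 100,
			.active = 100, .dnskey = KS_OMNIPRESENT,
			.krrsig = KS_OMNIPRESENT, .zrrsig = KS_HIDDEN, .ds = KS_RUMOURED };
	uint32_t now = 200;
	unsigned m = 0;
	if (key_is_signing(&k, ROLE_KSK, now)) m |= 1;
	if (key_is_active(&k, ROLE_KSK, now)) m |= 2;
	if (key_is_signing(&k, ROLE_ZSK, now)) m |= 4;
	if (key_is_published(&k, now)) m |= 8;
	return m;
}

/* Constructed scenario: a legacy ZSK with no state file, so only timing
 * metadata decides. Bitmask: 1 = published, 2 = active, 4 = removed. */
unsigned
scenario_legacy_timings(uint32_t now) {
	keyinfo_t k = { .zsk = true, .created = 50, .publish = 100, .active = 150,
			.removal = 300 }; /* all states default to KS_NA */
	unsigned m = 0;
	if (key_is_published(&k, now)) m |= 1;
	if (key_is_active(&k, ROLE_ZSK, now)) m |= 2;
	if (key_is_removed(&k, now)) m |= 4;
	return m;
}

bool
fresh_key_is_unused(void) {
	keyinfo_t k = { .zsk = true, .created = 50 };
	return key_is_unused(&k);
}
```

The CSK scenario is the case the second commit adds checks for: the key is signing the apex (KSK role) and is published, yet must not be treated as signing zone data until its ZRRSIG state moves out of HIDDEN.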
  • Matthijs Mekking's avatar
    Test CSK rollover · c04f0b0e
    Matthijs Mekking authored
    Test two CSK rollover scenarios, one where the DS is swapped before the zone
    signatures are all replaced, and one where the signatures are replaced sooner
    than the DS is swapped.
    c04f0b0e
  • Matthijs Mekking's avatar
    KASP timings all uint32_t · e94fa49c
    Matthijs Mekking authored
    Get rid of the warnings in the Windows build.
    e94fa49c
  • Matthijs Mekking's avatar
    Add dst_key_copy_metadata function. · 16a722c6
    Matthijs Mekking authored
    When updating DNSSEC keys we would like to be able to copy the
    metadata from one key to another.
    16a722c6
  • Matthijs Mekking's avatar
    sign_apex() should also consider CDS/CDNSKEY · 4877608d
    Matthijs Mekking authored
    The 'sign_apex()' function has special processing for signing the
    DNSKEY RRset such that it will always be signed with the active
    KSK.  Since CDS and CDNSKEY are also signed with the KSK, it
    should have the same special processing.  The special processing is
    moved into a new function 'tickle_apex_rrset()' and is applied to
    all three RR types (DNSKEY, CDS, CDNSKEY).
    
    In addition, when kasp is involved, update the DNSKEY TTL accordingly
    to what is in the policy.
    4877608d
  • Matthijs Mekking's avatar
    Add tests for CDS/CDNSKEY publication · fcc70c39
    Matthijs Mekking authored
    The kasp system tests are updated with 'check_cds' calls that will
    verify that the correct CDS and CDNSKEY records are published during
    a rollover and that they are signed with the correct KSK.
    
    This requires a change in 'dnssec.c' to check the kasp key states
    whether the CDS/CDNSKEY of a key should be published or not.  If no
    kasp state exist, fall back to key timings.
    fcc70c39
  • Matthijs Mekking's avatar
    kasp.c: return parenthesis (style) and REQUIRE · 2681579a
    Matthijs Mekking authored
    This code was missing a lot of return parentheses (violating our
    style guide) and was missing a REQUIRE in 'dns_kasplist_find()'.
    2681579a
  • Matthijs Mekking's avatar
    Make kasp opaque · e6e15fc2
    Matthijs Mekking authored
    e6e15fc2
  • Mark Andrews's avatar
    Insist that kasp is not linked. · ea34ca4b
    Mark Andrews authored
    ea34ca4b
  • Matthijs Mekking's avatar
    dnssec-policy inheritance from options/view · 1d7d8c80
    Matthijs Mekking authored
    'dnssec-policy' can now also be set on the options and view level and
    a zone that does not set 'dnssec-policy' explicitly will inherit it
    from the view or options level.
    
    This requires a new keyword to be introduced: 'none'.  If set to
    'none' the zone will not be DNSSEC maintained, in other words it will
    stay unsigned.  You can use this to break the inheritance.  Of course
    you can also break the inheritance by referring to a different
    policy.
    
    The keywords 'default' and 'none' are not allowed when configuring
    your own dnssec-policy statement.
    
    Add appropriate tests for checking the configuration (checkconf)
    and add tests to the kasp system test to verify the inheritance
    works.
    
    Edit the kasp system test such that it can deal with unsigned zones
    and views (so setting a TSIG on the query).
    1d7d8c80
  • Matthijs Mekking's avatar
    Fix checkconf test · 3933aceb
    Matthijs Mekking authored
    3933aceb
  • Matthijs Mekking's avatar
    f898353f
5315. [bug] Apply the inital RRSIG expiration spread fixed
to all dynamically created records in the zone
including NSEC3. Also fix the signature clusters
when the server has been offline for prolonged
period of times. [GL #1256]
5314. [func] Added a new statistics variable "tcp-highwater"
that reports the maximum number of simultaneous TCP
clients BIND has handled while running. [GL #1206]
5313. [bug] The default GeoIP2 database location did not match
the ARM. 'named -V' now reports the default
location. [GL #1301]
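Review bot: entry 5315 has a typo and an awkward sentence: "Apply the inital RRSIG expiration spread fixed to all dynamically created records" should read "Apply the initial RRSIG expiration spread fix to all dynamically created records in the zone, including NSEC3", and "for prolonged period of times" should be "for a prolonged period of time". Release-note text is copied verbatim into the ARM, so it is worth getting right before merge.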
......@@ -421,7 +421,7 @@ configure_zone(const char *vclass, const char *view,
obj = NULL;
if (get_maps(maps, "max-zone-ttl", &obj)) {
maxttl = cfg_obj_asuint32(obj);
maxttl = cfg_obj_asduration(obj);
zone_options |= DNS_ZONEOPT_CHECKTTL;
}
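Review bot: replacing cfg_obj_asuint32() with cfg_obj_asduration() for max-zone-ttl means the value can now arrive as an ISO 8601 duration stored as seven time parts (per commit b7c5bfb2), but maxttl is still consumed as a single seconds count under DNS_ZONEOPT_CHECKTTL. Confirm that cfg_obj_asduration() folds the parts into seconds and rejects or clamps anything that does not fit the 32-bit TTL instead of wrapping silently, and that the year and month parts use a documented fixed length, since a TTL has no calendar context.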
......@@ -15,24 +15,26 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} \
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
${OPENSSL_CFLAGS}
CDEFINES = -DVERSION=\"${VERSION}\"
CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
DEPLIBS = ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
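Review bot: `-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"` bakes the system named.conf path into the dnssec tools at build time, which implies dnssec-keygen -k reads that file whenever -l is not given; that default belongs in the -l option documentation, and the tool should fail with a clear message (not a crash) when the file is absent or unreadable, since the build-time path need not exist on the host where keys are generated. The library wiring itself is consistent: ISCCFGLIBS precedes ISCLIBS in LIBS and NOSYMLIBS, and ISCCFGDEPLIBS is added to DEPLIBS.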
......@@ -48,7 +50,7 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
dnssec-settime.c dnssec-signzone.c dnssec-verify.c \
dnssectool.c
MANPAGES = dnssec-cds.8 dnssec-dsfromkey.8 dnssec-importkey.8 \
MANPAGES = dnssec-cds.8 dnssec-dsfromkey.8 dnssec-importkey.8 \
dnssec-keyfromlabel.8 dnssec-keygen.8 dnssec-revoke.8 \
dnssec-settime.8 dnssec-signzone.8 dnssec-verify.8
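Review bot: the two MANPAGES lines in this hunk read identically, so the change is whitespace-only (the +/- markers were lost in extraction). Indentation-only churn in a functional merge request makes blame harder to follow; either drop it or mention it in the commit message.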
......@@ -66,6 +66,7 @@
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">bits</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-G</option></arg>
......@@ -74,8 +75,9 @@
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k</option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">policy</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
......@@ -84,6 +86,7 @@
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">rrtype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
......@@ -207,6 +210,18 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">bits</replaceable></term>
<listitem>
<para>
Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1,
RSASHA256 and RSASHA512 the key size must be in range 1024-4096.
DH size is between 128 and 4096. This option is ignored for
algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
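Review bot: "NSEC3RSASA1" in the -d description is a typo for NSEC3RSASHA1, which will confuse anyone searching the man page for the algorithm name. Minor wording in the same paragraph: "must be in range 1024-4096" should read "must be in the range 1024-4096", and "DH size is between 128 and 4096" should say that the DH key size must be in that range.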
......@@ -275,6 +290,24 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">policy</replaceable></term>
<listitem>
<para>
Create keys for a specific dnssec-policy. If a policy uses
multiple keys, <command>dnssec-keygen</command> will generate
multiple keys. This will also create a ".state" file to keep
track of the key state.
</para>
<para>
This option creates keys according to the dnssec-policy
configuration, hence it cannot be used together with many of
the other options that <command>dnssec-keygen</command>
provides.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
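Review bot: "cannot be used together with many of the other options" leaves the operator guessing which ones; list the conflicting options explicitly or state that dnssec-keygen exits with an error when they are combined with -k. The paragraph should also say where the ".state" file is written (presumably alongside the .key and .private files in the -K directory) so that backups and key-directory permissions cover it.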
......@@ -291,6 +324,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
Provide a configuration file that contains a dnssec-policy
statement (matching the policy set with <command>-k</command>).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
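Review bot: the -l description should state what happens when -l is omitted. The Makefile hunk above defines NAMED_CONFFILE as ${sysconfdir}/named.conf, which suggests that file is the default source of the dnssec-policy; say so here, and note that -l is only meaningful together with -k.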
......@@ -64,6 +64,12 @@
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s</option></arg>
<arg choice="opt" rep="norepeat"><option>-g <replaceable class="parameter">state</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-z <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="req" rep="norepeat">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
......@@ -88,11 +94,30 @@
When key metadata fields are changed, both files of a key
pair (<filename>Knnnn.+aaa+iiiii.key</filename> and
<filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
</para>
<para>
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
</para>
<para>
When working with state files, it is possible to update the timing
metadata in those files as well with <option>-s</option>. If this
option is used you can also update key states with <option>-d</option>
(DS), <option>-k</option> (DNSKEY), <option>-r</option> (RRSIG of KSK),
or <option>-z</option> (RRSIG of ZSK). Allowed states are HIDDEN,
RUMOURED, OMNIPRESENT, and UNRETENTIVE.
</para>
<para>
You can also set the goal state of the key with <option>-g</option>.
This should be either HIDDEN or OMNIPRESENT (representing whether the
key should be removed from the zone, or published).
</para>
<para>
It is NOT RECOMMENDED to manipulate state files manually except for
testing purposes.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
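Review bot: the DESCRIPTION says -d, -k, -r and -z can be used "if this option [-s] is used", but neither the synopsis nor the OPTIONS entries express that dependency; state what dnssec-settime does when one of them is given without -s (reject the command, or silently ignore the state change), and since each takes a `date/offset`, say which date formats are accepted, as the timing options section of this page already does for its own arguments.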
......@@ -319,6 +344,74 @@
</variablelist>
</refsection>
<refsection><info><title>KEY STATE OPTIONS</title></info>
<para>
Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE.
These should not be set manually except for testing purposes.
</para>
<variablelist>
<varlistentry>
<term>-s</term>
<listitem>
<para>
When setting key timing data, also update the state file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g</term>
<listitem>
<para>
Set the goal state for this key. Must be HIDDEN or OMNIPRESENT.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d</term>
<listitem>
<para>
Set the DS state for this key, and when it was last changed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Set the DNSKEY state for this key, and when it was last changed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r</term>
<listitem>
<para>
Set the RRSIG (KSK) state for this key, and when it was last
changed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Set the RRSIG (ZSK) state for this key, and when it was last
changed.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>PRINTING OPTIONS</title></info>
<para>
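Review bot: the `<term>` elements for -g, -d, -k, -r and -z omit the arguments the synopsis shows (`-g state`, `-d state date/offset`, and so on), unlike every other option on this page; add the `<replaceable>` parameters to the terms. Since strtokeystate() matches the keyword with strcasecmp(), it is also worth saying here that the state names are case-insensitive.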
......
......@@ -2717,7 +2717,7 @@ build_final_keylist(void) {
* Update keylist with information from from the key repository.
*/
dns_dnssec_updatekeys(&keylist, &matchkeys, NULL, gorigin, keyttl,
&diff, ignore_kskflag, mctx, report);
&diff, mctx, report);
/*
* Update keylist with sync records.
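Review bot: dropping the `ignore_kskflag` argument from the dns_dnssec_updatekeys() call changes what dnssec-signzone hands to the library for KSK-flag handling, and nothing in this hunk shows where that behaviour now lives; confirm that the command-line option which set ignore_kskflag is still honoured (or is removed from the usage text) and that the new library signature is documented in the header.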
......
......@@ -57,6 +57,11 @@
#include "dnssectool.h"
#define KEYSTATES_NVALUES 4
static const char *keystates[KEYSTATES_NVALUES] = {
"hidden", "rumoured", "omnipresent", "unretentive",
};
int verbose = 0;
bool quiet = false;
uint8_t dtype[8];
......@@ -244,6 +249,21 @@ strtottl(const char *str) {
return (ttl);
}
dst_key_state_t
strtokeystate(const char *str) {
if (isnone(str)) {
return (DST_KEY_STATE_NA);
}
for (int i = 0; i < KEYSTATES_NVALUES; i++) {
if (keystates[i] != NULL &&
strcasecmp(str, keystates[i]) == 0) {
return (dst_key_state_t) i;
}
}
fatal("unknown key state");
}
isc_stdtime_t
strtotime(const char *str, int64_t now, int64_t base,
bool *setp)
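Review bot: `fatal("unknown key state")` should include the rejected value, e.g. `fatal("unknown key state '%s'", str)`, so the user can see what was typed. The `keystates[i] != NULL` test is dead since the array is fully populated with string literals, and the cast `(dst_key_state_t) i` silently couples the array order to the enumerator order of dst_key_state_t; add a comment or a static assertion next to the table so a reordering of either side is caught.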
......
......@@ -71,6 +71,8 @@ cleanup_logging(isc_log_t **logp);
dns_ttl_t strtottl(const char *str);
dst_key_state_t strtokeystate(const char *str);
isc_stdtime_t
strtotime(const char *str, int64_t now, int64_t base,
bool *setp);
......
......@@ -66,15 +66,15 @@
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\win32;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalDependencies>@OPENSSL_LIB@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIB@dnssectool.lib;libisc.lib;libisccfg.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
......@@ -94,7 +94,7 @@
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\win32;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
......@@ -104,8 +104,8 @@
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
<AdditionalDependencies>@OPENSSL_LIB@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIB@dnssectool.lib;libisc.lib;libisccfg.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
......
......@@ -58,6 +58,7 @@ options {\n\
"\
# deallocate-on-exit <obsolete>;\n\
# directory <none>\n\
dnssec-policy \"none\";\n\
dump-file \"named_dump.db\";\n\
edns-udp-size 4096;\n\
# fake-iquery <obsolete>;\n"
......
......@@ -64,6 +64,7 @@ struct named_server {
dns_loadmgr_t * loadmgr;
dns_zonemgr_t * zonemgr;
dns_viewlist_t viewlist;
dns_kasplist_t kasplist;
ns_interfacemgr_t * interfacemgr;
dns_db_t * in_roothints;
......
......@@ -27,19 +27,18 @@ ISC_LANG_BEGINDECLS
isc_result_t
named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
dns_zone_t *zone, dns_zone_t *raw);
dns_kasplist_t* kasplist, dns_zone_t *zone,
dns_zone_t *raw);
/*%<
* Configure or reconfigure a zone according to the named.conf
* data in 'cctx' and 'czone'.
* data.
*
* The zone origin is not configured, it is assumed to have been set
* at zone creation time.
*
* Require:
* \li 'lctx' to be initialized or NULL.
* \li 'cctx' to be initialized or NULL.
* \li 'ac' to point to an initialized cfg_aclconfctx_t.
* \li 'czone' to be initialized.
* \li 'kasplist' to be initialized.
* \li 'zone' to be initialized.
*/
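Review bot: the Require list still refers to 'lctx' and 'cctx', which are not parameters of named_zone_configure() (the signature takes config, vconfig, zconfig, ac, kasplist, zone and raw); while this comment is being touched, rename those to the actual parameter names and make sure 'zconfig' keeps a requirement line, which the old 'czone' entry covered.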
......
......@@ -241,6 +241,8 @@ init_desc(void) {
SET_NSSTATDESC(invalidsig, "requests with invalid signature",
"ReqBadSIG");
SET_NSSTATDESC(requesttcp, "TCP requests received", "ReqTCP");
SET_NSSTATDESC(tcphighwater, "TCP connection high-water",
"TCPConnHighWater");
SET_NSSTATDESC(authrej, "auth queries rejected", "AuthQryRej");
SET_NSSTATDESC(recurserej, "recursive queries rejected", "RecQryRej");
SET_NSSTATDESC(xfrrej, "transfer requests rejected", "XfrRej");
......@@ -322,6 +324,7 @@ init_desc(void) {
"QryUsedStale");
SET_NSSTATDESC(prefetch, "queries triggered prefetch", "Prefetch");
SET_NSSTATDESC(keytagopt, "Keytag option received", "KeyTagOpt");
INSIST(i == ns_statscounter_max);
/* Initialize resolver statistics */
......
......@@ -25,6 +25,7 @@
#include <dns/ipkeylist.h>
#include <dns/fixedname.h>
#include <dns/journal.h>
#include <dns/kasp.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/masterdump.h>
......@@ -840,8 +841,9 @@ process_notifytype(dns_notifytype_t ntype, dns_zonetype_t ztype,
isc_result_t
named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
dns_zone_t *zone, dns_zone_t *raw)
const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
dns_kasplist_t *kasplist, dns_zone_t *zone,
dns_zone_t *raw)
{
isc_result_t result;
const char *zname;
......@@ -853,6 +855,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
const cfg_obj_t *options = NULL;
const cfg_obj_t *obj;
const char *filename = NULL;
const char *kaspname = NULL;
const char *dupcheck;
dns_notifytype_t notifytype = dns_notifytype_yes;
uint32_t count;
......@@ -868,7 +871,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
int32_t journal_size;
bool multi;
bool alt;
dns_view_t *view;
dns_view_t *view = NULL;
dns_kasp_t *kasp = NULL;
bool check = false, fail = false;
bool warn = false, ignore = false;
bool ixfrdiff;
......@@ -1045,8 +1049,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
} else if (result == ISC_R_SUCCESS) {
dns_ttl_t maxttl = 0; /* unlimited */
if (cfg_obj_isuint32(obj))
maxttl = cfg_obj_asuint32(obj);
if (cfg_obj_isduration(obj))
maxttl = cfg_obj_asduration(obj);
dns_zone_setmaxttl(zone, maxttl);
if (raw != NULL)
dns_zone_setmaxttl(raw, maxttl);
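Review bot: replacing cfg_obj_isuint32() with cfg_obj_isduration() means a max-zone-ttl value that the parser still represents as a plain uint32 no longer matches, so maxttl stays 0 (unlimited) and the configured limit is silently disabled; confirm that the grammar now yields a duration object for a bare integer such as `zone-max-ttl 86400;` (the form used in good-kasp.conf in this MR), or keep both branches.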
......@@ -1192,6 +1196,24 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
*/
if (ztype != dns_zone_stub && ztype != dns_zone_staticstub &&
ztype != dns_zone_redirect) {
obj = NULL;
result = named_config_get(maps, "dnssec-policy", &obj);
if (result == ISC_R_SUCCESS) {
kaspname = cfg_obj_asstring(obj);
if (strcmp(kaspname, "none") != 0) {
result = dns_kasplist_find(kasplist, kaspname,
&kasp);
if (result != ISC_R_SUCCESS) {
cfg_obj_log(obj, named_g_lctx,
ISC_LOG_ERROR,
"'dnssec-policy '%s' not "
"found ", kaspname);
RETERR(result);
}
dns_zone_setkasp(zone, kasp);
}
}
obj = NULL;
result = named_config_get(maps, "notify", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
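Review bot: the log string `"'dnssec-policy '%s' not found "` has an unbalanced leading quote and a trailing space; make it `"dnssec-policy '%s' not found"`. The `kasp` pointer obtained from dns_kasplist_find() is then handed to dns_zone_setkasp() with no visible attach/detach, so state (here or in the dns_zone_setkasp() contract) whether the zone takes its own reference, because the kasplist can be replaced on reconfigure.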
......@@ -1481,38 +1503,52 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
bool allow = false, maint = false;
bool sigvalinsecs;
obj = NULL;
result = named_config_get(maps, "dnskey-sig-validity", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
seconds = cfg_obj_asuint32(obj) * 86400;
if (kasp) {
seconds = (uint32_t) dns_kasp_sigvalidity_dnskey(kasp);
} else {
obj = NULL;
result = named_config_get(maps, "dnskey-sig-validity",
&obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
seconds = cfg_obj_asuint32(obj) * 86400;
}
dns_zone_setkeyvalidityinterval(zone, seconds);
obj = NULL;
result = named_config_get(maps, "sig-validity-interval", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
if (kasp) {
seconds = (uint32_t) dns_kasp_sigvalidity(kasp);
dns_zone_setsigvalidityinterval(zone, seconds);
seconds = (uint32_t) dns_kasp_sigrefresh(kasp);
dns_zone_setsigresigninginterval(zone, seconds);
} else {
obj = NULL;
result = named_config_get(maps, "sig-validity-interval",
&obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
sigvalinsecs = ns_server_getoption(named_g_server->sctx,
NS_SERVER_SIGVALINSECS);
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity);
if (!sigvalinsecs) {
seconds *= 86400;
}
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else if (!sigvalinsecs) {
if (seconds > 7 * 86400) {
seconds = cfg_obj_asuint32(resign) * 86400;
sigvalinsecs = ns_server_getoption(named_g_server->sctx,
NS_SERVER_SIGVALINSECS);
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity);
if (!sigvalinsecs) {
seconds *= 86400;
}
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else if (!sigvalinsecs) {
seconds = cfg_obj_asuint32(resign);
if (seconds > 7 * 86400) {
seconds *= 86400;
} else {
seconds *= 3600;
}
} else {
seconds = cfg_obj_asuint32(resign) * 3600;
seconds = cfg_obj_asuint32(resign);
}
} else {
seconds = cfg_obj_asuint32(resign);
dns_zone_setsigresigninginterval(zone, seconds);
}
dns_zone_setsigresigninginterval(zone, seconds);
obj = NULL;
result = named_config_get(maps, "key-directory", &obj);
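Review bot: the kasp branch casts the results of dns_kasp_sigvalidity_dnskey(), dns_kasp_sigvalidity() and dns_kasp_sigrefresh() to uint32_t with no range check; if those accessors return a wider type, a policy duration above 2^32-1 seconds wraps to a small validity or refresh interval, so either validate the range when the policy is loaded or drop the casts if the accessors already return uint32_t.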
......@@ -1541,12 +1577,20 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
cfg_obj_asboolean(obj));
/*
* This setting will be ignored if dnssec-policy is used.
* named-checkconf will error if both are configured.
*/
obj = NULL;
result = named_config_get(maps, "dnssec-dnskey-kskonly", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
cfg_obj_asboolean(obj));
/*
* This setting will be ignored if dnssec-policy is used.
* named-checkconf will error if both are configured.
*/
obj = NULL;
result = named_config_get(maps, "dnssec-loadkeys-interval",
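Review bot: the second copy of the comment "This setting will be ignored if dnssec-policy is used. named-checkconf will error if both are configured." sits above the dnssec-loadkeys-interval lookup, but that option is not among the eight the checkconf test in this MR expects to be rejected, so either the comment is misplaced or the check is missing. The first copy is placed after the update-check-ksk call it describes rather than before it; move it up, or say which option it refers to.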
......@@ -1557,7 +1601,11 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL;
result = cfg_map_get(zoptions, "auto-dnssec", &obj);
if (result == ISC_R_SUCCESS) {
if (dns_zone_getkasp(zone) != NULL) {
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true);
} else if (result == ISC_R_SUCCESS) {
const char *arg = cfg_obj_asstring(obj);
if (strcasecmp(arg, "allow") == 0) {
allow = true;
......@@ -1570,6 +1618,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
ISC_UNREACHABLE();
}
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
}
}
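Review bot: when a zone has neither a dnssec-policy nor an auto-dnssec statement, none of DNS_ZONEKEY_ALLOW, DNS_ZONEKEY_CREATE or DNS_ZONEKEY_MAINTAIN is touched, and since this function also handles reconfiguration (per its header comment), a zone whose `dnssec-policy` is removed keeps all three key options set; add a final else branch that clears them.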
......
......@@ -443,7 +443,8 @@
allowed to incrementally re-sign over time.
</para>
<para>
This command requires that the
This command requires that the zone is configured with a
<command>dnssec-policy</command>, or that the
<command>auto-dnssec</command> zone option
be set to <literal>maintain</literal>,
and also requires the zone to be configured to
......@@ -849,7 +850,8 @@
re-signed with the new key set.
</para>
<para>
This command requires that the
This command requires that the zone is configured with a
<command>dnssec-policy</command>, or that the
<command>auto-dnssec</command> zone option be set
to <literal>allow</literal> or
<literal>maintain</literal>,
......
......@@ -39,6 +39,7 @@ rm -f ns3/inacksk2.example.db
rm -f ns3/inacksk3.example.db
rm -f ns3/inaczsk2.example.db
rm -f ns3/inaczsk3.example.db
rm -f ns3/jitter.nsec3.example.db
rm -f ns3/kg.out ns3/s.out ns3/st.out
rm -f ns3/kskonly.example.db
rm -f ns3/nozsk.example.db ns3/inaczsk.example.db
......
; Copyright (C) Internet Systems Consortium, Inc. ("ISC")
;
; This Source Code Form is subject to the terms of the Mozilla Public
; License, v. 2.0. If a copy of the MPL was not distributed with this
; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;
; See the COPYRIGHT file distributed with this work for additional
; information regarding copyright ownership.
$TTL 300 ; 5 minutes
@ IN SOA mname1. . (
2000042407 ; serial
20 ; refresh (20 seconds)
20 ; retry (20 seconds)
1814400 ; expire (3 weeks)
3600 ; minimum (1 hour)
)
NS ns
ns A 10.53.0.3
......@@ -52,6 +52,21 @@ ksk=`$KEYGEN -q -a RSASHA1 -3 -fk $zone 2> kg.out` || dumpit kg.out
$KEYGEN -q -a RSASHA1 -3 $zone > kg.out 2>&1 || dumpit kg.out
$DSFROMKEY $ksk.key > dsset-${zone}$TP
#
# Jitter/NSEC3 test zone
#
setup jitter.nsec3.example
cp $infile $zonefile
count=1
while [ $count -le 100 ]
do
echo "label${count} IN TXT label${count}" >> $zonefile
count=`expr $count + 1`
done
# Don't create keys just yet, because the scenario we want to test
# is an unsigned zone that has a NSEC3PARAM record added with
# dynamic update before the keys are generated.
#
# OPTOUT/NSEC3 test zone
#
......@@ -150,9 +165,16 @@ $DSFROMKEY $ksk.key > dsset-${zone}$TP
#
setup oldsigs.example
cp $infile $zonefile
count=1
while [ $count -le 100 ]
do
echo "label${count} IN TXT label${count}" >> $zonefile
count=`expr $count + 1`
done
$KEYGEN -q -a RSASHA1 -fk $zone > kg.out 2>&1 || dumpit kg.out
$KEYGEN -q -a RSASHA1 $zone > kg.out 2>&1 || dumpit kg.out
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile $infile > s.out || dumpit s.out
$SIGNER -PS -s now-1y -e now-6mo -o $zone -f $zonefile.signed $zonefile > s.out || dumpit s.out
mv $zonefile.signed $zonefile
#
# NSEC3->NSEC transition test zone.
......
......@@ -95,6 +95,14 @@ zone "nsec3.nsec3.example" {
auto-dnssec maintain;
};
zone "jitter.nsec3.example" {
type master;
file "jitter.nsec3.example.db";
allow-update { any; };
auto-dnssec maintain;
sig-validity-interval 10 2;
};
zone "secure.nsec3.example" {
type master;
file "secure.nsec3.example.db";
......@@ -178,6 +186,7 @@ zone "oldsigs.example" {
file "oldsigs.example.db";
allow-update { any; };
auto-dnssec maintain;
sig-validity-interval 10 2;
};
zone "prepub.example" {
......
......@@ -50,6 +50,43 @@ checkprivate () {
return 1
}
# Check the signatures expiration times. First check how many signatures
# there are in total ($rrsigs). Then see what the distribution of signature
# expiration times is ($expiretimes). Ignore the time part for a better
# modelled distribution.
checkjitter () {
_file=$1
_ret=0
cat $_file | awk '$4 == "RRSIG" {print substr($9,1,8)}' | sort | uniq -c | cat_i
_rrsigs=$(cat $_file | awk '$4 == "RRSIG" {print $4}' | cat_i | wc -l)
_expiretimes=$(cat $_file | awk '$4 == "RRSIG" {print substr($9,1,8)}' | sort | uniq -c | awk '{print $1}')
_count=0
_total=0
for _num in $_expiretimes
do
_total=$(($_total + $_num))
done
# Make sure the total number of numbers matches the number of RRSIGs.
test $_total -eq $_rrsigs || _ret=1
# Calculate mean: The number of signatures divided over 8 days.
_mean=$(($_total / 8))
# We expect the number of signatures not to exceed twice the mean.
_limit=$(($_mean * 2))
# Add an additional margin.
_limit=$(($_limit + 10))
# Find outliers.
for _num in $_expiretimes
do
if [ $_num -gt $_limit ]; then
echo_i "error: too many RRSIG records ($_num) with the same expiration time"
_ret=1
fi
done
return $_ret
}
#
# The NSEC record at the apex of the zone and its RRSIG records are
# added as part of the last step in signing a zone. We wait for the
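Review bot: the `_ret=1` set when `$_total` does not equal `$_rrsigs` produces no diagnostic, unlike the outlier check below it; echo the mismatch. The mean is hard-coded as "divided over 8 days" while the zones under test are configured with `sig-validity-interval 10 2`; derive the window from those values or document why 8 is the right divisor. Style: pass the file to awk directly instead of `cat $_file |`.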
......@@ -334,6 +371,15 @@ do
sleep 1
done
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
# Check jitter distribution.
echo_i "checking expired signatures were jittered correctly ($n)"
ret=0
$DIG $DIGOPTS axfr oldsigs.example @10.53.0.3 > dig.out.ns3.test$n || ret=1
checkjitter dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking NSEC->NSEC3 conversion succeeded ($n)"
......@@ -938,6 +984,36 @@ n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking jitter in a newly signed NSEC3 zone ($n)"
ret=0
# Use DNS UPDATE to add an NSEC3PARAM record into the zone.
$NSUPDATE > nsupdate.out.test$n 2>&1 <<END || ret=1
server 10.53.0.3 ${PORT}
zone jitter.nsec3.example.
update add jitter.nsec3.example. 3600 NSEC3PARAM 1 0 10 BEEF
send
END
[ $ret != 0 ] && echo_i "error: dynamic update add NSEC3PARAM failed"
# Create DNSSEC keys in the zone directory.
$KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > /dev/null
# Trigger zone signing.
$RNDCCMD 10.53.0.3 sign jitter.nsec3.example. 2>&1 | sed 's/^/ns3 /' | cat_i
# Wait until zone has been signed.
for i in 0 1 2 3 4 5 6 7 8 9; do
failed=0
$DIG $DIGOPTS axfr jitter.nsec3.example @10.53.0.3 > dig.out.ns3.test$n || failed=1
grep "NSEC3PARAM" dig.out.ns3.test$n > /dev/null || failed=1
[ $failed -eq 0 ] && break
echo_i "waiting ... ($i)"
sleep 2
done
[ $failed != 0 ] && echo_i "error: no NSEC3PARAM found in AXFR" && ret=1
# Check jitter distribution.
checkjitter dig.out.ns3.test$n || ret=1
n=`expr $n + 1`
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "checking that serial number and RRSIGs are both updated (rt21045) ($n)"
ret=0
oldserial=`$DIG $DIGOPTS +short soa prepub.example @10.53.0.3 | awk '$0 !~ /SOA/ {print $3}'`
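Review bot: `$KEYGEN -a rsasha1 -3 -q -K ns3 jitter.nsec3.example > /dev/null` discards the output and ignores the exit status, so a failed key generation only surfaces later as a missing NSEC3PARAM; follow the pattern used in setup.sh (`> kg.out 2>&1 || dumpit kg.out`). The zone is also signed with a single key here while the other test zones generate a KSK as well; say so in a comment or generate the KSK for consistency.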
......
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// Using the keyword 'default' is not allowed.
dnssec-policy "default" {
signatures-refresh P5D;
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "default";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
include "good-kasp.conf";
// Bad zone configuration because this has dnssec-policy and other DNSSEC sign
// configuration options (auto-dnssec).
zone "example.net" {
type master;
file "example.db";
dnssec-policy "test";
auto-dnssec maintain;
allow-update { any; };
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
include "good-kasp.conf";
// Bad zone configuration because this has dnssec-policy with no matching
// dnssec-policy configuration (good-kasp.conf has "test", zone refers to
// "nosuchpolicy".
zone "example.net" {
type master;
file "example.db";
dnssec-policy "nosuchpolicy";
};
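Review bot: the comment is missing its closing parenthesis: `(good-kasp.conf has "test", zone refers to "nosuchpolicy".` should end with `"nosuchpolicy").`.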
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// Bad kasp configuration because this has an invalid duration for
// signatures-refresh.
dnssec-policy "badduration" {
signatures-refresh PT20Sabcd;
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "badduration";
};
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
// Using the keyword 'none' is not allowed.
dnssec-policy "none" {
signatures-refresh P5D;
};
zone "example.net" {
type master;
file "example.db";
dnssec-policy "none";
};
......@@ -10,6 +10,7 @@
# information regarding copyright ownership.
rm -f good.conf.in good.conf.out badzero.conf *.out
rm -f good-kasp.conf.in
rm -rf test.keydir
rm -f checkconf.out*
rm -f diff.out*
......
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* This is just a random selection of DNSSEC configuration options.
*/
/* cut here */
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
ksk key-directory lifetime P1Y algorithm 13 256;
zsk key-directory lifetime P30D algorithm 13;
csk key-directory lifetime P30D algorithm 8 2048;
};
publish-safety PT3600S;
retire-safety PT3600S;
signatures-refresh P3D;
signatures-validity P2W;
signatures-validity-dnskey P14D;
zone-max-ttl 86400;
zone-propagation-delay PT5M;
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
parent-registration-delay P1D;
};
options {
dnssec-policy "default";
};
zone "example1" {
type master;
file "example1.db";
};
zone "example2" {
type master;
file "example2.db";
dnssec-policy "test";
};
zone "example3" {
type master;
file "example3.db";
dnssec-policy "default";
};
zone "example4" {
type master;
file "example4.db";
dnssec-policy "none";
};
......@@ -14,6 +14,24 @@
*/
/* cut here */
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
ksk key-directory lifetime P1Y algorithm 13 256;
zsk key-directory lifetime P30D algorithm 13;
csk key-directory lifetime P30D algorithm 8 2048;
};
publish-safety PT3600S;
retire-safety PT3600S;
signatures-refresh P3D;
signatures-validity P2W;
signatures-validity-dnskey P14D;
zone-max-ttl 86400;
zone-propagation-delay PT5M;
parent-ds-ttl 7200;
parent-propagation-delay PT1H;
parent-registration-delay P1D;
};
options {
avoid-v4-udp-ports {
100;
......@@ -60,6 +78,7 @@ options {
validate-except {
"corp";
};
dnssec-policy "test";
transfer-source 0.0.0.0 dscp 63;
zone-statistics none;
};
......@@ -140,6 +159,28 @@ view "third" {
};
};
};
view "fourth" {
zone "dnssec-test" {
type master;
file "dnssec-test.db";
dnssec-policy "test";
};
zone "dnssec-default" {
type master;
file "dnssec-default.db";
dnssec-policy "default";
};
zone "dnssec-inherit" {
type master;
file "dnssec-inherit.db";
};
zone "dnssec-none" {
type master;
file "dnssec-none.db";
dnssec-policy "none";
};
dnssec-policy "default";
};
view "chaos" chaos {
zone "hostname.bind" chaos {
type master;
......
......@@ -8,4 +8,8 @@ clone IN third in-view first
dnssec IN third master
p IN third primary
s IN third secondary
dnssec-test IN fourth master
dnssec-default IN fourth master
dnssec-inherit IN fourth master
dnssec-none IN fourth master
hostname.bind chaos chaos master
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
include "good-kasp.conf";
zone "nsec3.net" {
type master;
file "nsec3.db";
dnssec-policy "test";
auto-dnssec maintain;
dnskey-sig-validity 3600;
dnssec-dnskey-kskonly yes;
dnssec-secure-to-insecure yes;
dnssec-update-mode maintain;
inline-signing yes;
sig-validity-interval 3600;
update-check-ksk yes;
allow-update { any; };
};
......@@ -466,5 +466,38 @@ grep "'geoip-use-ecs' is obsolete" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking named-checkconf kasp warnings ($n)"
ret=0
$CHECKCONF kasp-and-other-dnssec-options.conf > checkconf.out$n 2>&1
grep "'auto-dnssec maintain;' cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnskey-sig-validity: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-dnskey-kskonly: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-secure-to-insecure: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "dnssec-update-mode: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "inline-signing: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "sig-validity-interval: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
grep "update-check-ksk: cannot be configured if dnssec-policy is also set" < checkconf.out$n > /dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "check that a good 'kasp' configuration is accepted ($n)"
ret=0
$CHECKCONF good-kasp.conf > checkconf.out$n 2>/dev/null || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
n=`expr $n + 1`
echo_i "checking that named-checkconf prints a known good kasp config ($n)"
ret=0
awk 'BEGIN { ok = 0; } /cut here/ { ok = 1; getline } ok == 1 { print }' good-kasp.conf > good-kasp.conf.in
[ -s good-kasp.conf.in ] || ret=1
$CHECKCONF -p good-kasp.conf.in | grep -v '^good-kasp.conf.in:' > good-kasp.conf.out 2>&1 || ret=1
cmp good-kasp.conf.in good-kasp.conf.out || ret=1
if [ $ret != 0 ]; then echo_i "failed"; fi
status=`expr $status + $ret`
echo_i "exit status: $status"
[ $status -eq 0 ] || exit 1
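Review bot: the "kasp warnings" test greps for the eight messages but never checks named-checkconf's exit status, so it cannot tell whether these are warnings or errors; the echo_i text calls them warnings while the comments added in bin/named/zoneconf.c say checkconf "will error". Add `&& ret=1` (if failure is expected) or `|| ret=1` to the `$CHECKCONF` invocation to pin down the intended severity.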
......@@ -202,6 +202,24 @@ DISABLED_BITS=384
# Useful functions in test scripts
#
# assert_int_equal: compare two integer variables, $1 and $2
#
# If $1 and $2 are equal, return 0; if $1 and $2 are not equal, report
# the error using the description of the tested variable provided in $3
# and return 1.
assert_int_equal() {
expected="$1"
found="$2"
description="$3"
if [ "${expected}" -ne "${found}" ]; then
echo_i "incorrect ${description}: expected ${expected}, got ${found}"
return 1
fi
return 0
}
# keyfile_to_keys_section: helper function for keyfile_to_*_keys() which
# converts keyfile data into a configuration section using the supplied
# parameters
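Review bot: `[ "${expected}" -ne "${found}" ]` with an empty or non-numeric argument makes `[` print "integer expression expected" and exit with status 2, so the `if` takes the false branch and the function returns 0: a missing value passes silently. Invert the test so that any comparison failure is reported, e.g. `[ "${expected}" -eq "${found}" ] || { echo_i "incorrect ${description}: expected ${expected}, got ${found}"; return 1; }`.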
......
......@@ -1485,7 +1485,7 @@ n=$((n+1))
test "$ret" -eq 0 || echo_i "failed"
status=$((status+ret))
echo_i "checking that dnsssec-signzone updates originalttl on ttl changes ($n)"
echo_i "checking that dnssec-signzone updates originalttl on ttl changes ($n)"
ret=0
zone=example
key1=$($KEYGEN -K signer -q -a RSASHA1 -b 1024 -n zone $zone)
......
Copyright (C) Internet Systems Consortium, Inc. ("ISC")
See COPYRIGHT in the source root or http://isc.org/copyright.html for terms.
The test setup for the KASP tests.
ns1 is reserved for the root server.
ns2 is running primary service for ns3.
ns3 is an authoritative server for the various test domains.
ns4 and ns5 are authoritative servers for various test domains related to views.
#!/bin/sh
#
# Copyright (C) Internet Systems Consortium, Inc. ("ISC")
#
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# See the COPYRIGHT file distributed with this work for additional
# information regarding copyright ownership.
set -e
rm -f ./keygen.*
rm -f ./K*.private ./K*.key ./K*.state ./K*.cmp
rm -rf ./keys/
rm -f dig.out* rrsig.out.*