Commits (66)
  • Diego dos Santos Fronza's avatar
    Change the isc_statscounter_t type from int to C99 int_fast64_t type · 0fc98ef2
    Diego dos Santos Fronza authored
    For TCP high-water work, we need to keep the widths of the integer
    types used in sync.
    
    Note: int_fast32_t is used on WIN32 platform
    0fc98ef2
  • Diego dos Santos Fronza's avatar
    Change the isc_stat_t type to isc__atomic_statcounter_t · eb5611a7
    Diego dos Santos Fronza authored
    The isc_stat_t type was too similar to isc_stats_t type, so the name was
    changed to something more distinguishable.
    eb5611a7
  • Diego dos Santos Fronza's avatar
    Add functions for collecting high-water counters · a544e2e3
    Diego dos Santos Fronza authored
    Add {isc,ns}_stats_{update_if_greater,get_counter}() functions that
    are used to set and collect high-water type of statistics.
    a544e2e3
  • Diego dos Santos Fronza's avatar
    Added TCP high-water statistics variable · 66fe8627
    Diego dos Santos Fronza authored
    This variable will report the maximum number of simultaneous tcp clients
    that BIND has served while running.
    
    It can be verified by running rndc status, then inspecting "tcp high-water:
    count", or by generating the statistics file with rndc stats, then inspecting
    the line with the "TCP connection high-water" text.
    
    The tcp-highwater variable is atomically updated based on an existing
    tcp-quota system handled in ns/client.c.
    66fe8627
  • Diego dos Santos Fronza's avatar
    Added TCP high-water system tests · 29be224a
    Diego dos Santos Fronza authored
    Note: ans6/ans6.py is a helper script that allows tests.sh to open/close
    TCP connections to some BIND instance.
    29be224a
  • Diego dos Santos Fronza's avatar
    dd492b64
  • Diego dos Santos Fronza's avatar
    ba3fe75e
  • Ondřej Surý's avatar
    Merge branch '1206-tcp-high-water-stats' into 'master' · 9abcff9c
    Ondřej Surý authored
    Added tcp-high-water statistics variable.
    
    Closes #1206
    
    See merge request !2425
    9abcff9c
  • Ondřej Surý's avatar
    Merge branch '1285-documentation-update-to-sortlist-feature-bugs-42615' into 'master' · 33612475
    Ondřej Surý authored
    arm: Add a sentence about overlapping selectors in sortlist statement
    
    Closes #1285
    
    See merge request !2517
    33612475
  • Ondřej Surý's avatar
    Avoid an extra atomic_load() call · b4df5a6e
    Ondřej Surý authored
    b4df5a6e
  • Ondřej Surý's avatar
    Merge branch '1206-tcp-high-water-stats-fix-type' into 'master' · 7c7f5884
    Ondřej Surý authored
    Avoid an extra atomic_load call when doing atomic_compare_exchange_loop
    
    See merge request !2531
    7c7f5884
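The high-water counter described in the commits above is a classic "update if greater" on an atomic. The following is an added example in C11 (not BIND's code; `hw_counter_t` is a constructed stand-in for the `isc_statscounter_t` type, and the connect/disconnect event sequence is constructed) showing the compare-exchange loop that reads the counter once and relies on the failed exchange to refresh `expected`, so no separate `atomic_load()` is needed per retry, together with a simulated TCP client counter driving it:

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for isc_statscounter_t (int_fast64_t outside Windows). */
typedef int_fast64_t hw_counter_t;

/*
 * Raise the high-water mark to `value` if `value` exceeds it and
 * return the mark in effect after the call.
 *
 * The current value is read once; when the compare-exchange fails,
 * the fresh value is handed back in `expected`, so the retry loop
 * needs no additional atomic_load() call.
 */
static hw_counter_t
hw_update_if_greater(_Atomic hw_counter_t *hw, hw_counter_t value) {
	hw_counter_t expected = atomic_load_explicit(hw, memory_order_relaxed);
	do {
		if (value <= expected) {
			return expected; /* a higher peak is already recorded */
		}
	} while (!atomic_compare_exchange_weak_explicit(
			hw, &expected, value,
			memory_order_relaxed, memory_order_relaxed));
	return value;
}

/* Single-call helper: start the mark at `initial`, offer `value`. */
static hw_counter_t
hw_check_single(hw_counter_t initial, hw_counter_t value) {
	_Atomic hw_counter_t hw = initial;
	return hw_update_if_greater(&hw, value);
}

/*
 * Drive the counters with a sequence of connect (+1) and
 * disconnect (-1) events, as a TCP quota attach/detach path would,
 * and return the peak number of simultaneous clients observed.
 */
static hw_counter_t
hw_simulate(const int *events, size_t n) {
	_Atomic hw_counter_t current = 0;
	_Atomic hw_counter_t highwater = 0;
	for (size_t i = 0; i < n; i++) {
		hw_counter_t after =
			atomic_fetch_add(&current, events[i]) + events[i];
		if (events[i] > 0) {
			hw_update_if_greater(&highwater, after);
		}
	}
	return atomic_load(&highwater);
}

/* Constructed sample: client counts 1,2,3,2,1,2,3,4,3 -> peak 4. */
static const int sample_events[] = { 1, 1, 1, -1, -1, 1, 1, 1, -1 };
static const size_t sample_events_len =
	sizeof(sample_events) / sizeof(sample_events[0]);

int
main(void) {
	printf("tcp high-water: %lld\n",
	       (long long)hw_simulate(sample_events, sample_events_len));
	return 0;
}
```

Relaxed ordering is enough here because the counter is a statistic, not a synchronisation point; a reader that wants the value to be consistent with other state would need acquire/release pairs instead.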
  • Witold Krecicki's avatar
    Jitter signatures times when adding dynamic records. · 6b2fd402
    Witold Krecicki authored
    When doing regular signing, the expiry time is jittered to make sure
    that the re-signing times are not clumped together. This expands
    this behaviour to the expiry times of dynamically added records.
    
    When incrementally re-signing a zone, use the full jitter range if
    the server appears to have been offline for more than 5 minutes;
    otherwise use a small jitter range of 3600 seconds.  This will stop
    the signatures becoming more clustered if the server has been
    offline for a significant period of time (> 5 minutes).
    6b2fd402
  • Matthijs Mekking's avatar
    Test jitter distribution · 540b90fd
    Matthijs Mekking authored
    Test jitter distribution in NSEC3 dynamic zone and for a zone that has old
    signatures.  In both cases the generated signatures should be spread nicely.
    540b90fd
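To make the two-range rule from the jitter commit concrete, here is an added example in C (not BIND's code). The 5-minute threshold and the 3600-second small range are the values stated in the commit message; the size of the "full" jitter range is not given on this page, so it is taken as a parameter, and the random source is a constructed deterministic stand-in (Fibonacci hashing of the record index) so the spread can be checked exactly:

```c
#include <stdint.h>
#include <stdio.h>

#define OFFLINE_THRESHOLD 300  /* 5 minutes, from the commit message */
#define SMALL_JITTER      3600 /* 1 hour, from the commit message */

/* Constructed stand-in RNG: one pseudo-random value per record index. */
static uint32_t
rnd_for_index(uint32_t i) {
	return i * 2654435761u;
}

/* Which jitter window applies to this re-signing run. */
static uint32_t
jitter_range(uint32_t offline_seconds, uint32_t full_jitter) {
	return (offline_seconds > OFFLINE_THRESHOLD) ? full_jitter
						      : SMALL_JITTER;
}

/* Expiration of a signature made at `now`, pulled back by up to `range`. */
static uint32_t
jittered_expire(uint32_t now, uint32_t validity, uint32_t range,
		uint32_t rnd) {
	return now + validity - (range == 0 ? 0 : rnd % range);
}

/*
 * Sign n records and report max(expire) - min(expire): how widely
 * the resulting expirations are spread.
 */
static uint32_t
jitter_spread(uint32_t n, uint32_t now, uint32_t validity,
	      uint32_t offline_seconds, uint32_t full_jitter) {
	uint32_t range = jitter_range(offline_seconds, full_jitter);
	uint32_t lo = UINT32_MAX, hi = 0;
	for (uint32_t i = 0; i < n; i++) {
		uint32_t e = jittered_expire(now, validity, range,
					     rnd_for_index(i));
		if (e < lo) lo = e;
		if (e > hi) hi = e;
	}
	return (n == 0) ? 0 : hi - lo;
}

int
main(void) {
	/* Constructed scenario: 30-day validity, one-day full jitter. */
	printf("offline 10 min: spread %u s\n",
	       jitter_spread(100, 1000000, 2592000, 600, 86400));
	printf("offline 1 min:  spread %u s\n",
	       jitter_spread(100, 1000000, 2592000, 60, 86400));
	return 0;
}
```

The check a practitioner wants is the one the test commit describes: after a long outage the expirations must spread across the full window rather than all landing within an hour of each other.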
  • Ondřej Surý's avatar
    Add CHANGES · 00569e0d
    Ondřej Surý authored
    00569e0d
  • Ondřej Surý's avatar
    Merge branch '1256-jitter-dynamically-updated-signatures' into 'master' · 54b92a04
    Ondřej Surý authored
    Resolve "Signature Expiration Jitter not working for dynamic NSEC3 zones"
    
    Closes #1256
    
    See merge request !2451
    54b92a04
  • Michał Kępień's avatar
    Add assert_int_equal() shell function · 8bb7f1f2
    Michał Kępień authored
    Add a shell function which is used in the "tcp" system test, but has
    been accidentally omitted from !2425.  Make sure the function does not
    change the value of "ret" itself, so that the caller can decide what to
    do with the function's return value.
    8bb7f1f2
  • Michał Kępień's avatar
    Merge branch '1206-add-assert_int_equal-shell-function' into 'master' · 89f874e6
    Michał Kępień authored
    Add assert_int_equal() shell function
    
    Closes #1206
    
    See merge request !2535
    89f874e6
  • Michał Kępień's avatar
    Do not use <sys/sysctl.h> on Linux · 65a8b53b
    Michał Kępień authored
    glibc 2.30 deprecated the <sys/sysctl.h> header [1].  However, that
    header is still used on other Unix-like systems, so only prevent it from
    being used on Linux, in order to prevent compiler warnings from being
    triggered.
    
    [1] https://sourceware.org/ml/libc-alpha/2019-08/msg00029.html
    65a8b53b
  • Michał Kępień's avatar
    Merge branch '1298-do-not-use-sys-sysctl.h-on-linux' into 'master' · db670fcd
    Michał Kępień authored
    Do not use <sys/sysctl.h> on Linux
    
    Closes #1298
    
    See merge request !2525
    db670fcd
  • Michał Kępień's avatar
    Fix TCP high-water release note · d0a3273d
    Michał Kępień authored
    Add missing GitLab issue number to the TCP high-water release note.
    d0a3273d
  • Michał Kępień's avatar
    Merge branch '1206-fix-tcp-high-water-release-note' into 'master' · 799e95b1
    Michał Kępień authored
    Fix TCP high-water release note
    
    Closes #1206
    
    See merge request !2541
    799e95b1
  • Matthijs Mekking's avatar
    Change indentation in doc/arm/dnssec.xml · c67379fb
    Matthijs Mekking authored
    This commit does not change anything significant; it just makes
    the file more readable in preparation for upcoming changes related
    to the `dnssec-policy` configuration option.
    c67379fb
  • Matthijs Mekking's avatar
    Extend ttlval to accept ISO 8601 durations · b7c5bfb2
    Matthijs Mekking authored
    The ttlval configuration types are replaced by duration configuration
    types. The duration is an ISO 8601 duration that is going to be used
    for DNSSEC key timings such as key lifetimes, signature resign
    intervals and refresh periods, etc. But it is also still allowed to
    use the BIND ttlval ways of configuring intervals (number plus
    optional unit).
    
    A duration is stored as an array of 7 different time parts.
    A duration can either be expressed in weeks, or in a combination of
    the other datetime indicators.
    
    Add several unit tests to ensure the correct value is parsed given
    different string values.
    b7c5bfb2
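The duration commit describes the format but not the parsing rules, so here is an added example in C (not BIND's `isccfg` code) that stores a duration as the 7-part array the message mentions and accepts both spellings: the ISO 8601 form (designators in order, date parts before `T`, time parts after, weeks standing alone) and the classic ttlval form (number plus optional unit). Converting months and years to seconds requires a convention; this example assumes 30-day months and 365-day years, which is the example's assumption, not a statement about BIND's conversion:

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Position of each time part in the 7-element array. */
enum { DUR_Y, DUR_MO, DUR_W, DUR_D, DUR_H, DUR_MI, DUR_S, DUR_PARTS };

typedef struct {
	bool iso8601;              /* parsed from the ISO 8601 form? */
	uint32_t parts[DUR_PARTS];
} duration_t;

/* ISO 8601 form, e.g. "P1Y2M3DT4H5M6S" or "P2W" (leading 'P' checked by caller). */
static bool
parse_iso8601(const char *s, duration_t *d) {
	const char *p = s + 1;
	bool in_time = false, saw_week = false, saw_other = false;
	int last = -1;

	memset(d, 0, sizeof(*d));
	d->iso8601 = true;
	if (*p == '\0') return false;                /* bare "P" */
	while (*p != '\0') {
		if (*p == 'T') {
			if (in_time || p[1] == '\0') return false; /* "TT" or trailing T */
			in_time = true;
			p++;
			continue;
		}
		if (!isdigit((unsigned char)*p)) return false;
		char *end;
		unsigned long v = strtoul(p, &end, 10);
		if (v > UINT32_MAX) return false;
		int idx;
		switch (*end) {
		case 'Y': idx = DUR_Y; break;
		case 'M': idx = in_time ? DUR_MI : DUR_MO; break; /* M is ambiguous */
		case 'W': idx = DUR_W; break;
		case 'D': idx = DUR_D; break;
		case 'H': idx = DUR_H; break;
		case 'S': idx = DUR_S; break;
		default:  return false;              /* missing/unknown designator */
		}
		if (in_time ? (idx < DUR_H) : (idx > DUR_D)) return false; /* wrong side of T */
		if (idx <= last) return false;       /* repeated or out of order */
		if (idx == DUR_W) saw_week = true; else saw_other = true;
		if (saw_week && saw_other) return false; /* weeks cannot be combined */
		d->parts[idx] = (uint32_t)v;
		last = idx;
		p = end + 1;
	}
	return true;
}

/* Classic ttlval form: a number with an optional single unit (s, m, h, d, w). */
static bool
parse_ttlval(const char *s, duration_t *d) {
	char *end;
	int idx;

	memset(d, 0, sizeof(*d));
	if (!isdigit((unsigned char)*s)) return false;
	unsigned long v = strtoul(s, &end, 10);
	if (v > UINT32_MAX) return false;
	switch (tolower((unsigned char)*end)) {
	case '\0':
	case 's': idx = DUR_S; break;
	case 'm': idx = DUR_MI; break;
	case 'h': idx = DUR_H; break;
	case 'd': idx = DUR_D; break;
	case 'w': idx = DUR_W; break;
	default:  return false;
	}
	if (*end != '\0' && end[1] != '\0') return false; /* text after the unit */
	d->parts[idx] = (uint32_t)v;
	return true;
}

/* ISO 8601 when the value starts with 'P', ttlval otherwise. */
static bool
duration_parse(const char *s, duration_t *d) {
	return (s[0] == 'P') ? parse_iso8601(s, d) : parse_ttlval(s, d);
}

/* Flatten to seconds; 30-day months and 365-day years are this example's assumption. */
static uint64_t
duration_toseconds(const duration_t *d) {
	uint64_t s = d->parts[DUR_S];
	s += (uint64_t)d->parts[DUR_MI] * 60;
	s += (uint64_t)d->parts[DUR_H] * 3600;
	s += (uint64_t)d->parts[DUR_D] * 86400;
	s += (uint64_t)d->parts[DUR_W] * 7 * 86400;
	s += (uint64_t)d->parts[DUR_MO] * 30 * 86400;
	s += (uint64_t)d->parts[DUR_Y] * 365 * 86400;
	return s;
}

/* Seconds for an accepted string, -1 for a rejected one. */
static int64_t
duration_seconds_or_neg(const char *s) {
	duration_t d;
	return duration_parse(s, &d) ? (int64_t)duration_toseconds(&d) : -1;
}
```

Rejecting out-of-order, repeated and mixed-week forms up front matters for a policy language: a key lifetime that silently parses as something other than what the operator wrote is exactly the kind of error that only shows up at rollover time.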
  • Matthijs Mekking's avatar
    Design documentation 'dnssec-policy' · 1fbd8bb1
    Matthijs Mekking authored
    Initial design document.
    1fbd8bb1
  • Matthijs Mekking's avatar
    Introduce dnssec-policy configuration · a50d707f
    Matthijs Mekking authored
    This commit introduces the initial `dnssec-policy` configuration
    statement. It has an initial set of options to deal with signature
    and key maintenance.
    
    Add some checks to ensure that dnssec-policy is configured at the
    right locations, and that policies referenced in zone statements
    actually exist.
    
    Add some checks that when a user adds the new `dnssec-policy`
    configuration, it will no longer contain existing DNSSEC
    configuration options.  Specifically: `inline-signing`,
    `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`,
    `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`,
    and `sig-validity-interval`.
    
    Test a good kasp configuration, and some bad configurations.
    a50d707f
  • Matthijs Mekking's avatar
    Introduce kasp structure · e9ccebd9
    Matthijs Mekking authored
    This stores the dnssec-policy configuration and adds methods to
    create, destroy, and attach/detach, as well as find a policy with
    the same name in a list.
    
    Also, add structures and functions for creating and destroying
    kasp keys.
    e9ccebd9
  • Matthijs Mekking's avatar
    Sync options in dnssec-keygen · 48ce026d
    Matthijs Mekking authored
    Code and documentation were not in line:
    - Remove -z option from code
    - Remove -k option from docbook
    - Add -d option to docbook
    - Add -T option to docbook
    48ce026d
  • Matthijs Mekking's avatar
    dnssec-keygen: Move key gen code in own function · 2829e294
    Matthijs Mekking authored
    In preparation for key generation with dnssec-policy, where multiple
    keys may be created.
    2829e294
  • Matthijs Mekking's avatar
    dnssec-keygen: Move keygen function above main · 1a9692f5
    Matthijs Mekking authored
    This is done in a separate commit to make diff easier.
    1a9692f5
  • Matthijs Mekking's avatar
    Add code for creating kasp from config · 7bfac503
    Matthijs Mekking authored
    Add code for creating, configuring, and destroying KASP keys.  When
    using the default policy, create one CSK, no rollover.
    7bfac503
  • Matthijs Mekking's avatar
    Nit: fix typo (dnsssec-signzone) · e6ee5486
    Matthijs Mekking authored
    e6ee5486
  • Matthijs Mekking's avatar
    Fix: nums type in dst_keys · 68e8741c
    Matthijs Mekking authored
    This was isc_stdtime_t but should be uint32_t.
    68e8741c
  • Matthijs Mekking's avatar
    7f4d1dbd
  • Matthijs Mekking's avatar
    Update dst key code to maintain key state · 77d2895a
    Matthijs Mekking authored
    Add a number of metadata variables (lifetime, ksk and zsk role).
    
    For the roles we add a new type of metadata (booleans).
    
    Add a function to write the state of the key to a separate file.
    
    Only write out known metadata to private file.  With the
    introduction of the numeric metadata "Lifetime", adjust the write
    private key file functionality to only write out metadata it knows
    about.
    77d2895a
  • Matthijs Mekking's avatar
    Add various get functions for kasp · 97a5698e
    Matthijs Mekking authored
    Write functions to access various elements of the kasp structure,
    and the kasp keys. This is in preparation for code in dnssec-keygen,
    dnssec-settime, named...
    97a5698e
  • Matthijs Mekking's avatar
    dnssec-keygen can create keys given dnssec-policy · 09ac224c
    Matthijs Mekking authored
    This commit adds code for generating keys with dnssec-keygen given
    a specific dnssec-policy.
    
    The dnssec-policy can be set with a new option '-k'. The '-l'
    option can be used to set a configuration file that contains a
    specific dnssec-policy.
    
    Because the dnssec-policy dictates what the keys should look like,
    many of the existing dnssec-keygen options cannot be used together
    with '-k'.
    
    If the dnssec-policy lists multiple keys, dnssec-keygen now has the
    ability to generate multiple keys in one run.
    
    Add two tests for creating keys with '-k': One with the default
    policy, one with multiple keys from the configuration.
    09ac224c
  • Matthijs Mekking's avatar
    Parse dnssec-policy config into kasp · 2924b19a
    Matthijs Mekking authored
    Add code that actually stores the configuration into the kasp
    structure and attach it to the appropriate zone.
    2924b19a
  • Matthijs Mekking's avatar
    Add functionality to read key state from disk · c55625b0
    Matthijs Mekking authored
    When reading a key from file, you can set the DST_TYPE_STATE option
    to also read the key state.
    
    This expects the Algorithm and Length fields to go above the metadata,
    so update the write functionality to do so accordingly.
    
    Introduce new DST metadata types for KSK, ZSK, Lifetime and the
    timing metadata used in state files.
    c55625b0
  • Matthijs Mekking's avatar
    dnssec-settime: Allow manipulating state files · 72042a06
    Matthijs Mekking authored
    Introduce a new option '-s' for dnssec-settime which, when manipulating
    timing metadata, also updates the key state file.
    
    For testing purposes, add options to dnssec-settime to set key
    states and when they last changed.
    
    The dst code adds ways to write and read the new key states and
    timing metadata. It updates the parsing code for private key files
    to not parse the newly introduced metadata (these are for state
    files only).
    
    Introduce key goal (the state the key wants to be in).
    72042a06
  • Matthijs Mekking's avatar
    Allow DNSSEC records in kasp enabled zone · 3e819827
    Matthijs Mekking authored
    When signing a zone with dnssec-policy, we don't mind DNSSEC records.
    This is useful for testing purposes, and perhaps it is better to
    signal this behavior with a different configuration option.
    3e819827
  • Matthijs Mekking's avatar
    arm: Update DNSSEC documentation · 66fb0026
    Matthijs Mekking authored
    66fb0026
  • Matthijs Mekking's avatar
    keygen/settime: Write out successor/predecessor · e70f70aa
    Matthijs Mekking authored
    When creating a successor key, or calculating time for a successor
    key, write out the successor and predecessor metadata to the
    related files.
    e70f70aa
  • Matthijs Mekking's avatar
    kasp: Expose more key timings · f530432e
    Matthijs Mekking authored
    When doing rollover in a timely manner we need to have access to the
    relevant kasp configured durations.
    
    Most of these are simple get functions, but 'dns_kasp_signdelay'
    will calculate the maximum time that is needed with this policy to
    resign the complete zone (taking into account the refresh interval
    and signature validity).
    
    Introduce parent-propagation-delay, parent-registration-delay,
    parent-ds-ttl, zone-max-ttl, zone-propagation-delay.
    f530432e
  • Matthijs Mekking's avatar
    Useful dst_key functions · 44701100
    Matthijs Mekking authored
    Add a couple of dst_key functions for determining hints that
    consider key states if they are available.
    - dst_key_is_unused:
      A key has no timing metadata set other than Created.
    - dst_key_is_published:
      A key has publish timing metadata <= now, DNSKEY state in
      RUMOURED or OMNIPRESENT.
    - dst_key_is_active:
      A key has active timing metadata <= now, RRSIG state in
      RUMOURED or OMNIPRESENT.
    - dst_key_is_signing:
      KSK is_signing and is_active means different things than
      for a ZSK. A ZSK is active means it is also signing, but
      a KSK always signs its DNSKEY RRset but is considered
      active if its DS is present (rumoured or omnipresent).
    - dst_key_is_revoked:
      A key has revoke timing metadata <= now.
    - dst_key_is_removed:
      A key has delete timing metadata <= now, DNSKEY state in
      UNRETENTIVE or HIDDEN.
    44701100
  • Matthijs Mekking's avatar
    Introduce keymgr in named · a54b7089
    Matthijs Mekking authored
    Add a key manager to named.  If a 'dnssec-policy' is set, 'named'
    will run a key manager on the matching keys.  This will do a couple
    of things:
    
    1. Create keys when needed (in case of rollover for example)
       according to the set policy.
    
    2. Retire keys that are in excess of the policy.
    
    3. Maintain key states according to "Flexible and Robust Key
       Rollover" [1]. After key manager ran, key files will be saved to
       disk.
    
       [1] https://matthijsmekking.nl/static/pdf/satin2012-Schaeffer.pdf
    
    KEY GENERATION
    
    Create keys according to DNSSEC policy.  Zones configured with
    'dnssec-policy' will allow 'named' to create DNSSEC keys (similar
    to dnssec-keymgr) if not available.
    
    KEY ROLLOVER
    
    Rather than determining the desired state from timing metadata,
    add a key state goal.  Any keys that are created or picked from the
    key ring and selected to be a successor have their key state goal set
    to OMNIPRESENT (this key wants to be signing!). At the same time,
    a key that is being retired has its key state goal set to HIDDEN.
    
    The keymgr state machine with the three rules will make sure no
    introduction or withdrawal of DNSSEC records happens too soon.
    
    KEY TIMINGS
    
    All timings are based on RFC 7583.
    
    The keymgr will return when the next action is happening so
    that the zone can set the proper rekey event. Prior to this change
    the rekey event will run every hour by default (configurable),
    but with kasp we can determine exactly when we need to run again.
    
    The prepublication time is derived from policy.
    a54b7089
  • Matthijs Mekking's avatar
    Update zoneconf to use kasp config · 8bafe453
    Matthijs Mekking authored
    If a zone has a dnssec-policy set, use signature validity,
    dnskey signature validity, and signature refresh from
    dnssec-policy.
    
    Zones configured with 'dnssec-policy' will allow 'named' to create
    DNSSEC keys (similar to dnssec-keymgr) if not available.
    8bafe453
  • Matthijs Mekking's avatar
    DNSSEC hints use dst_key functions and key states · bd9750f3
    Matthijs Mekking authored
    Update dns_dnssec_get_hints and dns_dnssec_keyactive to use dst_key
    functions and thus if dnssec-policy/KASP is used the key states are
    being considered.
    
    Add a new variable to 'struct dns_dnsseckey' to signal whether this
    key is a zone-signing key (it is no longer true that ksk == !zsk).
    
    Also introduce a hint for revoke.
    
    Update 'dns_dnssec_findzonekeys' and 'dns_dnssec_findmatchingkeys'
    to also read the key state file, if available.
    
    Remove 'allzsk' from 'dns_dnssec_updatekeys' as this was only a
    hint for logging.
    
    Also make get_hints() (now dns_dnssec_get_hints()) public so that
    we can use it in the key manager.
    bd9750f3
  • Matthijs Mekking's avatar
    Adjust signing code to use kasp · 64615403
    Matthijs Mekking authored
    Update the signing code in lib/dns/zone.c and lib/dns/update.c to
    use kasp logic if a dnssec-policy is enabled.
    
    This means zones with dnssec-policy should no longer follow
    'update-check-ksk' and 'dnssec-dnskey-kskonly' logic, instead the
    KASP keys configured dictate which RRset gets signed with what key.
    
    Also use the next rekey event from the key manager rather than
    setting it to one hour.
    
    Mark the zone dynamic, as otherwise a zone with dnssec-policy is
    not eligible for automatic DNSSEC maintenance.
    64615403
  • Matthijs Mekking's avatar
    Refactor kasp system test · fa1c8cbd
    Matthijs Mekking authored
    A significant refactor of the kasp system test in an attempt to
    make the test script somewhat brief.  When writing a test case,
    you can/should use the functions 'zone_properties',
    'key_properties', and 'key_timings' to set the expected values
    when checking a key with 'check_key'. All four of these functions
    can be used to set environment variables that come in handy when
    testing output.
    fa1c8cbd
  • Matthijs Mekking's avatar
    Add kasp tests · 9ae13497
    Matthijs Mekking authored
    Add more tests for kasp:
    
    - Add tests for different algorithms.
    
    - Add a test to ensure that an edit in an unsigned zone is
      picked up and properly signed.
    
    - Add two tests that ensure that a zone gets signed when it is
      configured as so-called 'inline-signing'.  In other words, a
      secondary zone that is configured with a 'dnssec-policy'.  A zone
      that is transferred over AXFR or IXFR will get signed.
    
    - Add a test to ensure signatures are reused if they are still
      fresh enough.
    
    - Add two more tests to verify that expired and unfresh signatures
      will be regenerated.
    
    - Add tests for various cases with keys already available in the
      key-directory.
    9ae13497
  • Matthijs Mekking's avatar
    Test ZSK and KSK rollover · cfd15ec8
    Matthijs Mekking authored
    Add tests for ZSK Pre-Publication and KSK Double-KSK rollover.
    
    Includes tests for next key event is scheduled at the right time.
    cfd15ec8
  • Matthijs Mekking's avatar
    Use keywords in dnssec-policy keys configuration · bcf7bcb6
    Matthijs Mekking authored
    Add keywords 'lifetime' and 'algorithm' to make the key configuration
    more clear.
    bcf7bcb6
  • Matthijs Mekking's avatar
    Code changes for CSK · 0bbbf730
    Matthijs Mekking authored
    Update dns_dnssec_keyactive to differentiate between the roles ZSK
    and KSK.  A key is active if it is signing but that differs per role.
    A ZSK is signing if its ZRRSIG state is in RUMOURED or OMNIPRESENT,
    a KSK is signing if its KRRSIG state is in RUMOURED or OMNIPRESENT.
    
    This means that a key can be actively signing for one role but not
    the other.  Add checks in inline signing (zone.c and update.c) to
    cover the case where a CSK is active in its KSK role but not the ZSK
    role.
    0bbbf730
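The dst_key hint functions (commit 44701100) and the per-role refinement for CSKs above (commit 0bbbf730) together define when a key counts as published, signing, active, revoked or removed. The following is an added example in C, not BIND's `dst_key` code, that implements those predicates on a small constructed key record. It reads the commit messages as: the timing condition must hold, and where a state file exists the named state must also be RUMOURED or OMNIPRESENT (or UNRETENTIVE/HIDDEN for removal); `ST_NA`, a timestamp of 0 meaning "not set", the `kaspkey_t` layout and the sample keys are all constructed for the example:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Record states; ST_NA (0) means "no state file", so timing alone decides. */
typedef enum { ST_NA = 0, ST_HIDDEN, ST_RUMOURED, ST_OMNIPRESENT, ST_UNRETENTIVE } keystate_t;

typedef struct {
	bool ksk, zsk;                                   /* roles; a CSK has both */
	uint32_t created, publish, activate, revoke, del; /* timing; 0 = not set */
	keystate_t dnskey, krrsig, zrrsig, ds;            /* states; ST_NA if none */
} kaspkey_t;

static bool present(keystate_t s) { return s == ST_RUMOURED || s == ST_OMNIPRESENT; }
static bool withdrawn(keystate_t s) { return s == ST_UNRETENTIVE || s == ST_HIDDEN; }
static bool due(uint32_t when, uint32_t now) { return when != 0 && when <= now; }

/* No timing metadata set other than Created. */
bool key_is_unused(const kaspkey_t *k) {
	return k->publish == 0 && k->activate == 0 && k->revoke == 0 && k->del == 0;
}

/* Publish time reached; with states, DNSKEY rumoured or omnipresent. */
bool key_is_published(const kaspkey_t *k, uint32_t now) {
	return due(k->publish, now) && (k->dnskey == ST_NA || present(k->dnskey));
}

/* Signing is per role: KRRSIG state for the KSK role, ZRRSIG for the ZSK role. */
bool key_is_signing(const kaspkey_t *k, bool ksk_role, uint32_t now) {
	keystate_t st = ksk_role ? k->krrsig : k->zrrsig;
	if (ksk_role ? !k->ksk : !k->zsk) {
		return false; /* the key does not have that role */
	}
	return due(k->activate, now) && (st == ST_NA || present(st));
}

/*
 * Active: for the ZSK role the same as signing; for the KSK role, which
 * always signs its DNSKEY RRset, active means the DS is present.
 */
bool key_is_active(const kaspkey_t *k, bool ksk_role, uint32_t now) {
	if (!ksk_role) {
		return key_is_signing(k, false, now);
	}
	if (!k->ksk) {
		return false;
	}
	return due(k->activate, now) && (k->ds == ST_NA || present(k->ds));
}

bool key_is_revoked(const kaspkey_t *k, uint32_t now) { return due(k->revoke, now); }

/* Delete time reached; with states, DNSKEY unretentive or hidden. */
bool key_is_removed(const kaspkey_t *k, uint32_t now) {
	return due(k->del, now) && (k->dnskey == ST_NA || withdrawn(k->dnskey));
}

/* Constructed sample keys (small timestamps for readability). */
const kaspkey_t fresh_zsk = { .zsk = true, .created = 100 };
const kaspkey_t zsk_timing_only = { .zsk = true, .created = 100, .publish = 200, .activate = 300 };
const kaspkey_t ksk_ds_rumoured = { .ksk = true, .created = 100, .publish = 200, .activate = 300,
				     .dnskey = ST_OMNIPRESENT, .krrsig = ST_OMNIPRESENT, .ds = ST_RUMOURED };
const kaspkey_t ksk_ds_hidden = { .ksk = true, .created = 100, .publish = 200, .activate = 300,
				   .dnskey = ST_OMNIPRESENT, .krrsig = ST_OMNIPRESENT, .ds = ST_HIDDEN };
const kaspkey_t csk_retiring = { .ksk = true, .zsk = true, .created = 100, .publish = 200,
				  .activate = 300, .del = 400, .dnskey = ST_HIDDEN,
				  .krrsig = ST_HIDDEN, .zrrsig = ST_UNRETENTIVE, .ds = ST_HIDDEN };

int
main(void) {
	printf("ksk with DS hidden: signing=%d active=%d\n",
	       key_is_signing(&ksk_ds_hidden, true, 350), key_is_active(&ksk_ds_hidden, true, 350));
	printf("retiring csk at t=450: removed=%d\n", key_is_removed(&csk_retiring, 450));
	return 0;
}
```

The `ksk_ds_hidden` sample is the case the CSK commit warns about: the key signs its DNSKEY RRset (KRRSIG omnipresent) yet is not "active" in the KSK sense because no DS points at it, and a CSK in that situation can be signing for one role but not the other.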
  • Matthijs Mekking's avatar
    Test CSK rollover · c04f0b0e
    Matthijs Mekking authored
    Test two CSK rollover scenarios, one where the DS is swapped before the zone
    signatures are all replaced, and one where the signatures are replaced sooner
    than the DS is swapped.
    c04f0b0e
  • Matthijs Mekking's avatar
    KASP timings all uint32_t · e94fa49c
    Matthijs Mekking authored
    Get rid of the warnings in the Windows build.
    e94fa49c
  • Matthijs Mekking's avatar
    Add dst_key_copy_metadata function. · 16a722c6
    Matthijs Mekking authored
    When updating DNSSEC keys we would like to be able to copy the
    metadata from one key to another.
    16a722c6
  • Matthijs Mekking's avatar
    sign_apex() should also consider CDS/CDNSKEY · 4877608d
    Matthijs Mekking authored
    The 'sign_apex()' function has special processing for signing the
    DNSKEY RRset such that it will always be signed with the active
    KSK.  Since CDS and CDNSKEY are also signed with the KSK, it
    should have the same special processing.  The special processing is
    moved into a new function 'tickle_apex_rrset()' and is applied to
    all three RR types (DNSKEY, CDS, CDNSKEY).
    
    In addition, when kasp is involved, update the DNSKEY TTL accordingly
    to what is in the policy.
    4877608d
  • Matthijs Mekking's avatar
    Add tests for CDS/CDNSKEY publication · fcc70c39
    Matthijs Mekking authored
    The kasp system tests are updated with 'check_cds' calls that will
    verify that the correct CDS and CDNSKEY records are published during
    a rollover and that they are signed with the correct KSK.
    
    This requires a change in 'dnssec.c' to check the kasp key states
    whether the CDS/CDNSKEY of a key should be published or not.  If no
    kasp state exists, fall back to key timings.
    fcc70c39
  • Matthijs Mekking's avatar
    kasp.c: return parentheses (style) and REQUIRE · 2681579a
    Matthijs Mekking authored
    This code was missing a lot of return parentheses (violating our
    style guide) and a REQUIRE in 'dns_kasplist_find()'.
    2681579a
  • Matthijs Mekking's avatar
    Make kasp opaque · e6e15fc2
    Matthijs Mekking authored
    e6e15fc2
  • Mark Andrews's avatar
    Insist that kasp is not linked. · ea34ca4b
    Mark Andrews authored
    ea34ca4b
  • Matthijs Mekking's avatar
    dnssec-policy inheritance from options/view · 1d7d8c80
    Matthijs Mekking authored
    'dnssec-policy' can now also be set on the options and view level and
    a zone that does not set 'dnssec-policy' explicitly will inherit it
    from the view or options level.
    
    This requires a new keyword to be introduced: 'none'.  If set to
    'none' the zone will not be DNSSEC maintained, in other words it will
    stay unsigned.  You can use this to break the inheritance.  Of course
    you can also break the inheritance by referring to a different
    policy.
    
    The keywords 'default' and 'none' are not allowed when configuring
    your own dnssec-policy statement.
    
    Add appropriate tests for checking the configuration (checkconf)
    and add tests to the kasp system test to verify the inheritance
    works.
    
    Edit the kasp system test such that it can deal with unsigned zones
    and views (so setting a TSIG on the query).
    1d7d8c80
  • Matthijs Mekking's avatar
    Fix checkconf test · 3933aceb
    Matthijs Mekking authored
    3933aceb
  • Matthijs Mekking's avatar
    f898353f
5315. [bug] Apply the inital RRSIG expiration spread fixed
to all dynamically created records in the zone
including NSEC3. Also fix the signature clusters
when the server has been offline for prolonged
period of times. [GL #1256]
5314. [func] Added a new statistics variable "tcp-highwater"
that reports the maximum number of simultaneous TCP
clients BIND has handled while running. [GL #1206]
5313. [bug] The default GeoIP2 database location did not match
the ARM. 'named -V' now reports the default
location. [GL #1301]
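Review bot: "inital" in entry 5315 is a typo for "initial", and the same entry's "expiration spread fixed ... including NSEC3" reads as a word-order slip (presumably "expiration spread fix") and "for prolonged period of times" should be "for prolonged periods of time"; CHANGES lines end up in release notes, so they are worth polishing before merge.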
......
......@@ -421,7 +421,7 @@ configure_zone(const char *vclass, const char *view,
obj = NULL;
if (get_maps(maps, "max-zone-ttl", &obj)) {
maxttl = cfg_obj_asuint32(obj);
maxttl = cfg_obj_asduration(obj);
zone_options |= DNS_ZONEOPT_CHECKTTL;
}
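Review bot: `maxttl` is a TTL, while `cfg_obj_asduration()` now feeds it from a value that may carry ISO 8601 year and month parts, which have no fixed length in seconds; confirm that the conversion is well defined and saturates rather than wraps when it exceeds the TTL range, and update the `max-zone-ttl` documentation to say that duration syntax is now accepted alongside the old ttlval form.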
......
......@@ -15,24 +15,26 @@ VERSION=@BIND9_VERSION@
@BIND9_MAKE_INCLUDES@
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} \
CINCLUDES = ${DNS_INCLUDES} ${ISC_INCLUDES} ${ISCCFG_INCLUDES} \
${OPENSSL_CFLAGS}
CDEFINES = -DVERSION=\"${VERSION}\"
CDEFINES = -DVERSION=\"${VERSION}\" -DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"
CWARNINGS =
DNSLIBS = ../../lib/dns/libdns.@A@ ${MAXMINDDB_LIBS} @DNS_CRYPTO_LIBS@
ISCCFGLIBS = ../../lib/isccfg/libisccfg.@A@
ISCLIBS = ../../lib/isc/libisc.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
ISCNOSYMLIBS = ../../lib/isc/libisc-nosymtbl.@A@ ${OPENSSL_LIBS} ${JSON_C_LIBS} ${LIBXML2_LIBS}
DNSDEPLIBS = ../../lib/dns/libdns.@A@
ISCDEPLIBS = ../../lib/isc/libisc.@A@
ISCCFGDEPLIBS = ../../lib/isccfg/libisccfg.@A@
DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
DEPLIBS = ${DNSDEPLIBS} ${ISCCFGDEPLIBS} ${ISCDEPLIBS}
LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@
LIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCNOSYMLIBS} @LIBS@
NOSYMLIBS = ${DNSLIBS} ${ISCCFGLIBS} ${ISCNOSYMLIBS} @LIBS@
# Alphabetically
TARGETS = dnssec-cds@EXEEXT@ dnssec-dsfromkey@EXEEXT@ \
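Review bot: `${ISCCFGLIBS}` is added to `LIBS`, `NOSYMLIBS` and `DEPLIBS` for every target in this directory, so dnssec-cds, dnssec-dsfromkey and the other tools in `TARGETS` now link against libisccfg although only dnssec-keygen's new `-l` option reads a configuration file; a short comment next to `ISCCFGLIBS` explaining why the dependency exists would save the next person from "trimming" it. Likewise `-DNAMED_CONFFILE=\"${sysconfdir}/named.conf\"` compiles a default configuration path into all of these tools; if dnssec-keygen falls back to it when `-l` is absent, the `-k` manual text should say so.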
......@@ -48,7 +50,7 @@ SRCS = dnssec-cds.c dnssec-dsfromkey.c dnssec-importkey.c \
dnssec-settime.c dnssec-signzone.c dnssec-verify.c \
dnssectool.c
MANPAGES = dnssec-cds.8 dnssec-dsfromkey.8 dnssec-importkey.8 \
MANPAGES = dnssec-cds.8 dnssec-dsfromkey.8 dnssec-importkey.8 \
dnssec-keyfromlabel.8 dnssec-keygen.8 dnssec-revoke.8 \
dnssec-settime.8 dnssec-signzone.8 dnssec-verify.8
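Review bot: the removed and added `MANPAGES = dnssec-cds.8 ...` lines are identical as rendered, so this is a whitespace-only change; drop it from the merge request to keep the diff minimal, or move it to the separate indentation commit (c67379fb) where whitespace-only edits are expected.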
......
......@@ -66,6 +66,7 @@
<arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">bits</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-G</option></arg>
......@@ -74,8 +75,9 @@
<arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k</option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">policy</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">file</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
......@@ -84,6 +86,7 @@
<arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">rrtype</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
......@@ -207,6 +210,18 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">bits</replaceable></term>
<listitem>
<para>
Key size in bits. For the algorithms RSASHA1, NSEC3RSASA1,
RSASHA256 and RSASHA512 the key size must be in range 1024-4096.
DH size is between 128 and 4096. This option is ignored for
algorithms ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
<listitem>
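Review bot: in the new `-d` description, "NSEC3RSASA1" is a typo for NSEC3RSASHA1, and "must be in range 1024-4096" should read "must be in the range 1024-4096"; it would also help to state whether passing `-d` for ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448 is silently ignored or produces a warning, since "This option is ignored" leaves that open.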
......@@ -275,6 +290,24 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-k <replaceable class="parameter">policy</replaceable></term>
<listitem>
<para>
Create keys for a specific dnssec-policy. If a policy uses
multiple keys, <command>dnssec-keygen</command> will generate
multiple keys. This will also create a ".state" file to keep
track of the key state.
</para>
<para>
This option creates keys according to the dnssec-policy
configuration, hence it cannot be used together with many of
the other options that <command>dnssec-keygen</command>
provides.
</para>
</listitem>
</varlistentry>
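Review bot: the `-k` text says keys are created "according to the dnssec-policy configuration" but does not say where the policy is looked up; add that it is read from the file given with `-l` (or the compiled-in default, if the `NAMED_CONFFILE` define added to the Makefile is that fallback). "cannot be used together with many of the other options" should also list the conflicting options explicitly, so that the error a user hits is documented rather than discovered.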
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
<listitem>
......@@ -291,6 +324,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
Provide a configuration file that contains a dnssec-policy
statement (matching the policy set with <command>-k</command>).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
......
......@@ -88,6 +88,15 @@ usage(void) {
fprintf(stderr, " -i <interval>: prepublication interval for "
"successor key "
"(default: 30 days)\n");
fprintf(stderr, "Key state options:\n");
fprintf(stderr, " -s: update key state file (default no)\n");
fprintf(stderr, " -g state: set the goal state for this key\n");
fprintf(stderr, " -d state date/[+-]offset: set the DS state\n");
fprintf(stderr, " -k state date/[+-]offset: set the DNSKEY state\n");
fprintf(stderr, " -r state date/[+-]offset: set the RRSIG (KSK) "
"state\n");
fprintf(stderr, " -z state date/[+-]offset: set the RRSIG (ZSK) "
"state\n");
fprintf(stderr, "Printing options:\n");
fprintf(stderr, " -p C/P/Psync/A/R/I/D/Dsync/all: print a "
"particular time value or values\n");
......@@ -123,29 +132,87 @@ printtime(dst_key_t *key, int type, const char *tag, bool epoch,
}
}
static void
writekey(dst_key_t *key, const char *directory, bool write_state)
{
char newname[1024];
char keystr[DST_KEY_FORMATSIZE];
isc_buffer_t buf;
isc_result_t result;
int options = DST_TYPE_PUBLIC|DST_TYPE_PRIVATE;
if (write_state) {
options |= DST_TYPE_STATE;
}
isc_buffer_init(&buf, newname, sizeof(newname));
result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory, &buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build public key filename: %s",
isc_result_totext(result));
}
result = dst_key_tofile(key, options, directory);
if (result != ISC_R_SUCCESS) {
dst_key_format(key, keystr, sizeof(keystr));
fatal("Failed to write key %s: %s", keystr,
isc_result_totext(result));
}
printf("%s\n", newname);
isc_buffer_clear(&buf);
result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory, &buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build private key filename: %s",
isc_result_totext(result));
}
printf("%s\n", newname);
if (write_state) {
isc_buffer_clear(&buf);
result = dst_key_buildfilename(key, DST_TYPE_STATE, directory,
&buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build key state filename: %s",
isc_result_totext(result));
}
printf("%s\n", newname);
}
}
int
main(int argc, char **argv) {
isc_result_t result;
const char *engine = NULL;
const char *filename = NULL;
char *directory = NULL;
char newname[1024];
char keystr[DST_KEY_FORMATSIZE];
char *endp, *p;
int ch;
const char *predecessor = NULL;
dst_key_t *prevkey = NULL;
dst_key_t *key = NULL;
isc_buffer_t buf;
dns_name_t *name = NULL;
dns_secalg_t alg = 0;
unsigned int size = 0;
uint16_t flags = 0;
int prepub = -1;
int options;
dns_ttl_t ttl = 0;
isc_stdtime_t now;
isc_stdtime_t dstime = 0, dnskeytime = 0;
isc_stdtime_t krrsigtime = 0, zrrsigtime = 0;
isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
isc_stdtime_t prevact = 0, previnact = 0, prevdel = 0;
dst_key_state_t goal = DST_KEY_STATE_NA;
dst_key_state_t ds = DST_KEY_STATE_NA;
dst_key_state_t dnskey = DST_KEY_STATE_NA;
dst_key_state_t krrsig = DST_KEY_STATE_NA;
dst_key_state_t zrrsig = DST_KEY_STATE_NA;
bool setgoal = false, setds = false, setdnskey = false;
bool setkrrsig = false, setzrrsig = false;
bool setdstime = false, setdnskeytime = false;
bool setkrrsigtime = false, setzrrsigtime = false;
bool setpub = false, setact = false;
bool setrev = false, setinact = false;
bool setdel = false, setttl = false;
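Review bot: in writekey() the private and state filenames are built only after dst_key_tofile() has already written the files, so a failure in the later dst_key_buildfilename() calls exits with "Failed to build private key filename" or "Failed to build key state filename" although the key is already on disk; build all three names (into separate buffers, or print them as they are built before writing) ahead of the single dst_key_tofile() call, then write, then print, so the error path cannot leave half-reported output behind.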
......@@ -156,14 +223,17 @@ main(int argc, char **argv) {
bool printact = false, printrev = false;
bool printinact = false, printdel = false;
bool force = false;
bool epoch = false;
bool changed = false;
bool epoch = false;
bool changed = false;
bool write_state = false;
isc_log_t *log = NULL;
isc_stdtime_t syncadd = 0, syncdel = 0;
bool unsetsyncadd = false, setsyncadd = false;
bool unsetsyncdel = false, setsyncdel = false;
bool printsyncadd = false, printsyncdel = false;
options = DST_TYPE_PUBLIC|DST_TYPE_PRIVATE|DST_TYPE_STATE;
if (argc == 1)
usage();
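Review bot: `options` is set to DST_TYPE_PUBLIC|DST_TYPE_PRIVATE|DST_TYPE_STATE unconditionally and later passed to both dst_key_fromnamedfile() calls regardless of -s; confirm that dst_key_fromnamedfile() treats a missing .state file as non-fatal, otherwise dnssec-settime stops working on keys created before state files existed. If a missing state file is an error in the library, derive `options` from `write_state` instead of always requesting the state file.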
......@@ -180,7 +250,7 @@ main(int argc, char **argv) {
isc_stdtime_get(&now);
#define CMDLINE_FLAGS "A:D:E:fhI:i:K:L:P:p:R:S:uv:V"
#define CMDLINE_FLAGS "A:D:d:E:fg:hI:i:K:k:L:P:p:R:r:S:suv:Vz:"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'E':
......@@ -339,6 +409,70 @@ main(int argc, char **argv) {
case 'i':
prepub = strtottl(isc_commandline_argument);
break;
case 's':
write_state = true;
break;
case 'g':
if (setgoal) {
fatal("-g specified more than once");
}
goal = strtokeystate(isc_commandline_argument);
if (goal != DST_KEY_STATE_NA &&
goal != DST_KEY_STATE_HIDDEN &&
goal != DST_KEY_STATE_OMNIPRESENT) {
fatal("-g must be either none, hidden, or "
"omnipresent");
}
setgoal = true;
break;
case 'd':
if (setds) {
fatal("-d specified more than once");
}
ds = strtokeystate(isc_commandline_argument);
setds = true;
/* time */
(void)isoptarg(isc_commandline_argument, argv, usage);
dstime = strtotime(isc_commandline_argument,
now, now, &setdstime);
break;
case 'k':
if (setdnskey) {
fatal("-k specified more than once");
}
dnskey = strtokeystate(isc_commandline_argument);
setdnskey = true;
/* time */
(void)isoptarg(isc_commandline_argument, argv, usage);
dnskeytime = strtotime(isc_commandline_argument,
now, now, &setdnskeytime);
break;
case 'r':
if (setkrrsig) {
fatal("-r specified more than once");
}
krrsig = strtokeystate(isc_commandline_argument);
setkrrsig = true;
/* time */
(void)isoptarg(isc_commandline_argument, argv, usage);
krrsigtime = strtotime(isc_commandline_argument,
now, now, &setkrrsigtime);
break;
case 'z':
if (setzrrsig) {
fatal("-z specified more than once");
}
zrrsig = strtokeystate(isc_commandline_argument);
setzrrsig = true;
(void)isoptarg(isc_commandline_argument, argv, usage);
zrrsigtime = strtotime(isc_commandline_argument,
now, now, &setzrrsigtime);
break;
case '?':
if (isc_commandline_option != '?')
fprintf(stderr, "%s: invalid argument -%c\n",
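Review bot: for -d, -k, -r and -z the second (date) argument is mandatory even when the state is "none", although in that case the time is discarded rather than stored (the DST_KEY_STATE_NA branches call dst_key_unsettime()); either skip the isoptarg()/strtotime() step when the parsed state is DST_KEY_STATE_NA, or document that a date must still be given. Minor: the 'z' case is missing the "/* time */" comment that the 'd', 'k' and 'r' cases carry.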
......@@ -365,6 +499,12 @@ main(int argc, char **argv) {
if (argc > isc_commandline_index + 1)
fatal("Extraneous arguments");
if ((setgoal || setds || setdnskey || setkrrsig || setzrrsig) &&
!write_state)
{
fatal("Options -g, -d, -k, -r and -z require -s to be set");
}
result = dst_lib_init(mctx, engine);
if (result != ISC_R_SUCCESS)
fatal("Could not initialize dst: %s",
......@@ -381,9 +521,7 @@ main(int argc, char **argv) {
if (setact || unsetact)
fatal("-S and -A cannot be used together");
result = dst_key_fromnamedfile(predecessor, directory,
DST_TYPE_PUBLIC |
DST_TYPE_PRIVATE,
result = dst_key_fromnamedfile(predecessor, directory, options,
mctx, &prevkey);
if (result != ISC_R_SUCCESS)
fatal("Invalid keyfile %s: %s",
......@@ -475,9 +613,8 @@ main(int argc, char **argv) {
isc_result_totext(result));
}
result = dst_key_fromnamedfile(filename, directory,
DST_TYPE_PUBLIC | DST_TYPE_PRIVATE,
mctx, &key);
result = dst_key_fromnamedfile(filename, directory, options, mctx,
&key);
if (result != ISC_R_SUCCESS)
fatal("Invalid keyfile %s: %s",
filename, isc_result_totext(result));
......@@ -578,6 +715,11 @@ main(int argc, char **argv) {
if (setttl)
dst_key_setttl(key, ttl);
if (predecessor != NULL && prevkey != NULL) {
dst_key_setnum(prevkey, DST_NUM_SUCCESSOR, dst_key_id(key));
dst_key_setnum(key, DST_NUM_PREDECESSOR, dst_key_id(prevkey));
}
/*
* No metadata changes were made but we're forcing an upgrade
* to the new format anyway: use "-P now -A now" as the default
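Review bot: this block updates prevkey with dst_key_setnum() but does not set `changed`, and both keys are only written inside `if (changed)` further down; if -S is given without any option that sets one of the timing flags, the successor/predecessor numbers are set in memory and never reach disk. Either set `changed = true` here or confirm that -S always forces a write through the prepublication timing it sets.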
......@@ -588,6 +730,63 @@ main(int argc, char **argv) {
changed = true;
}
/*
* Make sure the key state goals are written.
*/
if (write_state) {
if (setgoal) {
if (goal == DST_KEY_STATE_NA) {
dst_key_unsetstate(key, DST_KEY_GOAL);
} else {
dst_key_setstate(key, DST_KEY_GOAL, goal);
}
changed = true;
}
if (setds) {
if (ds == DST_KEY_STATE_NA) {
dst_key_unsetstate(key, DST_KEY_DS);
dst_key_unsettime(key, DST_TIME_DS);
} else {
dst_key_setstate(key, DST_KEY_DS, ds);
dst_key_settime(key, DST_TIME_DS, dstime);
}
changed = true;
}
if (setdnskey) {
if (dnskey == DST_KEY_STATE_NA) {
dst_key_unsetstate(key, DST_KEY_DNSKEY);
dst_key_unsettime(key, DST_TIME_DNSKEY);
} else {
dst_key_setstate(key, DST_KEY_DNSKEY, dnskey);
dst_key_settime(key, DST_TIME_DNSKEY,
dnskeytime);
}
changed = true;
}
if (setkrrsig) {
if (krrsig == DST_KEY_STATE_NA) {
dst_key_unsetstate(key, DST_KEY_KRRSIG);
dst_key_unsettime(key, DST_TIME_KRRSIG);
} else {
dst_key_setstate(key, DST_KEY_KRRSIG, krrsig);
dst_key_settime(key, DST_TIME_KRRSIG,
krrsigtime);
}
changed = true;
}
if (setzrrsig) {
if (zrrsig == DST_KEY_STATE_NA) {
dst_key_unsetstate(key, DST_KEY_ZRRSIG);
dst_key_unsettime(key, DST_TIME_ZRRSIG);
} else {
dst_key_setstate(key, DST_KEY_ZRRSIG, zrrsig);
dst_key_settime(key, DST_TIME_ZRRSIG,
zrrsigtime);
}
changed = true;
}
}
if (!changed && setttl)
changed = true;
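Review bot: the setds, setdnskey, setkrrsig and setzrrsig blocks are identical apart from the DST_KEY_*/DST_TIME_* constants; a small helper taking (key, state, time, DST_KEY_DS, DST_TIME_DS) would remove the four copies and keep the unset/set pairing from drifting between branches. The goal branch, which has no associated time, is the only one that genuinely differs and could stay inline.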
......@@ -621,32 +820,10 @@ main(int argc, char **argv) {
epoch, stdout);
if (changed) {
isc_buffer_init(&buf, newname, sizeof(newname));
result = dst_key_buildfilename(key, DST_TYPE_PUBLIC, directory,
&buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build public key filename: %s",
isc_result_totext(result));
}
result = dst_key_tofile(key, DST_TYPE_PUBLIC|DST_TYPE_PRIVATE,
directory);
if (result != ISC_R_SUCCESS) {
dst_key_format(key, keystr, sizeof(keystr));
fatal("Failed to write key %s: %s", keystr,
isc_result_totext(result));
}
printf("%s\n", newname);
isc_buffer_clear(&buf);
result = dst_key_buildfilename(key, DST_TYPE_PRIVATE, directory,
&buf);
if (result != ISC_R_SUCCESS) {
fatal("Failed to build private key filename: %s",
isc_result_totext(result));
writekey(key, directory, write_state);
if (predecessor != NULL && prevkey != NULL) {
writekey(prevkey, directory, write_state);
}
printf("%s\n", newname);
}
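Review bot: with the file writing moved into writekey(), the `newname`, `keystr` and `buf` variables declared at the top of main() no longer appear to be referenced in the visible hunks; remove them (or check their remaining uses) so the build does not fail on unused-variable warnings under -Werror. Also note that `writekey(prevkey, directory, write_state)` creates a .state file for the predecessor whenever -s is given, even though -S only links the two keys; confirm that is the intended behaviour.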
if (prevkey != NULL)
......
......@@ -64,6 +64,12 @@
<arg choice="opt" rep="norepeat"><option>-V</option></arg>
<arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-s</option></arg>
<arg choice="opt" rep="norepeat"><option>-g <replaceable class="parameter">state</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-d <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-k <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="opt" rep="norepeat"><option>-z <replaceable class="parameter">state</replaceable> <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg choice="req" rep="norepeat">keyfile</arg>
</cmdsynopsis>
</refsynopsisdiv>
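Review bot: the synopsis writes the second argument of -d, -k, -r and -z as `date/offset` while usage() prints `date/[+-]offset`; use one form in both places so the man page and the program's own help agree on the accepted syntax.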
......@@ -88,11 +94,30 @@
When key metadata fields are changed, both files of a key
pair (<filename>Knnnn.+aaa+iiiii.key</filename> and
<filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
</para>
<para>
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
</para>
<para>
When working with state files, it is possible to update the timing
metadata in those files as well with <option>-s</option>. If this
option is used you can also update key states with <option>-d</option>
(DS), <option>-k</option> (DNSKEY), <option>-r</option> (RRSIG of KSK),
or <option>-z</option> (RRSIG of ZSK). Allowed states are HIDDEN,
RUMOURED, OMNIPRESENT, and UNRETENTIVE.
</para>
<para>
You can also set the goal state of the key with <option>-g</option>.
This should be either HIDDEN or OMNIPRESENT (representing whether the
key should be removed from the zone, or published).
</para>
<para>
It is NOT RECOMMENDED to manipulate state files manually except for
testing purposes.
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
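Review bot: the DESCRIPTION lists the allowed states as HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE, but strtokeystate() also accepts "none" (via isnone()), and the -d/-k/-r/-z handling uses DST_KEY_STATE_NA to clear the state and its time; document "none" here, otherwise users have no documented way to unset a state that the tool in fact supports.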
......@@ -319,6 +344,74 @@
</variablelist>
</refsection>
<refsection><info><title>KEY STATE OPTIONS</title></info>
<para>
Known key states are HIDDEN, RUMOURED, OMNIPRESENT and UNRETENTIVE.
These should not be set manually except for testing purposes.
</para>
<variablelist>
<varlistentry>
<term>-s</term>
<listitem>
<para>
When setting key timing data, also update the state file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g</term>
<listitem>
<para>
Set the goal state for this key. Must be HIDDEN or OMNIPRESENT.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d</term>
<listitem>
<para>
Set the DS state for this key, and when it was last changed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Set the DNSKEY state for this key, and when it was last changed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r</term>
<listitem>
<para>
Set the RRSIG (KSK) state for this key, and when it was last
changed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-z</term>
<listitem>
<para>
Set the RRSIG (ZSK) state for this key, and when it was last
changed.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>PRINTING OPTIONS</title></info>
<para>
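Review bot: the -d, -k, -r and -z entries describe a single argument, but each option takes two (a state followed by a date/offset, as the synopsis and the usage text "-d state date/[+-]offset" show); put both arguments in the <term> elements and say which date formats are accepted. The -g entry says "Must be HIDDEN or OMNIPRESENT" while the code also accepts none (the fatal() message reads "-g must be either none, hidden, or omnipresent"); align the two.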
......
......@@ -2717,7 +2717,7 @@ build_final_keylist(void) {
* Update keylist with information from from the key repository.
*/
dns_dnssec_updatekeys(&keylist, &matchkeys, NULL, gorigin, keyttl,
&diff, ignore_kskflag, mctx, report);
&diff, mctx, report);
/*
* Update keylist with sync records.
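Review bot: this call drops the `ignore_kskflag` argument to dns_dnssec_updatekeys(), but the prototype change and the other callers are not in the visible diff; verify that the library signature was changed in the same series and that whatever `ignore_kskflag` controlled in build_final_keylist() is now handled elsewhere, otherwise dnssec-signzone's behaviour changes silently for users who relied on it.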
......
......@@ -57,6 +57,11 @@
#include "dnssectool.h"
#define KEYSTATES_NVALUES 4
static const char *keystates[KEYSTATES_NVALUES] = {
"hidden", "rumoured", "omnipresent", "unretentive",
};
int verbose = 0;
bool quiet = false;
uint8_t dtype[8];
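Review bot: strtokeystate() casts the array index to dst_key_state_t, so the order of `keystates[]` must match the numeric values of DST_KEY_STATE_HIDDEN through DST_KEY_STATE_UNRETENTIVE exactly; use designated initializers (`[DST_KEY_STATE_HIDDEN] = "hidden", ...`) and derive KEYSTATES_NVALUES from the enum, so a later reordering of the enum cannot silently change what "-d rumoured" sets.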
......@@ -244,6 +249,21 @@ strtottl(const char *str) {
return (ttl);
}
dst_key_state_t
strtokeystate(const char *str) {
if (isnone(str)) {
return (DST_KEY_STATE_NA);
}
for (int i = 0; i < KEYSTATES_NVALUES; i++) {
if (keystates[i] != NULL &&
strcasecmp(str, keystates[i]) == 0) {
return (dst_key_state_t) i;
}
}
fatal("unknown key state");
}
isc_stdtime_t
strtotime(const char *str, int64_t now, int64_t base,
bool *setp)
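Review bot: in strtokeystate() the `keystates[i] != NULL` test is redundant since every entry is initialized, and the function ends in fatal() without a return statement, which compilers flag as a missing return unless fatal() is declared noreturn; drop the NULL check and add a trailing `return (DST_KEY_STATE_NA);` after fatal(). Including the offending string in the message, `fatal("unknown key state %s", str)`, would also help users spot typos.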
......
......@@ -71,6 +71,8 @@ cleanup_logging(isc_log_t **logp);
dns_ttl_t strtottl(const char *str);
dst_key_state_t strtokeystate(const char *str);
isc_stdtime_t
strtotime(const char *str, int64_t now, int64_t base,
bool *setp);
......
......@@ -66,15 +66,15 @@
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<BrowseInformation>true</BrowseInformation>
<ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\win32;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
<SubSystem>Console</SubSystem>
<GenerateDebugInformation>true</GenerateDebugInformation>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<AdditionalDependencies>@OPENSSL_LIB@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIB@dnssectool.lib;libisc.lib;libisccfg.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
</Link>
</ItemDefinitionGroup>
<ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|@PLATFORM@'">
......@@ -94,7 +94,7 @@
<ObjectFileName>.\$(Configuration)\</ObjectFileName>
<ProgramDataBaseFileName>$(OutDir)$(TargetName).pdb</ProgramDataBaseFileName>
<ForcedIncludeFiles>..\..\..\config.h</ForcedIncludeFiles>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<AdditionalIncludeDirectories>.\;..\..\..\;@LIBXML2_INC@@OPENSSL_INC@..\..\..\lib\isc\win32;..\..\..\lib\isc\win32\include;..\..\..\lib\isc\include;..\..\..\lib\isccfg\win32;..\..\..\lib\isccfg\include;..\..\..\lib\dns\include;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
<CompileAs>CompileAsC</CompileAs>
</ClCompile>
<Link>
......@@ -104,8 +104,8 @@
<OptimizeReferences>true</OptimizeReferences>
<OutputFile>..\..\..\Build\$(Configuration)\$(TargetName)$(TargetExt)</OutputFile>
<LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
<AdditionalDependencies>@OPENSSL_LIB@dnssectool.lib;libisc.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
<AdditionalDependencies>@OPENSSL_LIB@dnssectool.lib;libisc.lib;libisccfg.lib;libdns.lib;ws2_32.lib;%(AdditionalDependencies)</AdditionalDependencies>
<AdditionalLibraryDirectories>$(Configuration);..\..\..\lib\isc\win32\$(Configuration);..\..\..\lib\isccfg\win32\$(Configuration);..\..\..\lib\dns\win32\$(Configuration);%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
</Link>
</ItemDefinitionGroup>
<ItemGroup>
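Review bot: the isccfg include path and libisccfg.lib are added consistently to both the Debug and the Release ItemDefinitionGroup, but nothing in the visible diff makes libisccfg build before this project or updates the unix Makefile for the tool with the matching include/lib additions; check that both are covered elsewhere in the series.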
......
......@@ -58,6 +58,7 @@ options {\n\
"\
# deallocate-on-exit <obsolete>;\n\
# directory <none>\n\
dnssec-policy \"none\";\n\
dump-file \"named_dump.db\";\n\
edns-udp-size 4096;\n\
# fake-iquery <obsolete>;\n"
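Review bot: the built-in default `dnssec-policy "none";` depends on "none" being a reserved policy name; make sure the configuration parser rejects a user-defined `dnssec-policy "none" { ... }` block, otherwise a named.conf could redefine the default the server falls back to and zones that never opted in to signing would pick up that policy.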
......
......@@ -64,6 +64,7 @@ struct named_server {
dns_loadmgr_t * loadmgr;
dns_zonemgr_t * zonemgr;
dns_viewlist_t viewlist;
dns_kasplist_t kasplist;
ns_interfacemgr_t * interfacemgr;
dns_db_t * in_roothints;
......
......@@ -27,19 +27,18 @@ ISC_LANG_BEGINDECLS
isc_result_t
named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
dns_zone_t *zone, dns_zone_t *raw);
dns_kasplist_t* kasplist, dns_zone_t *zone,
dns_zone_t *raw);
/*%<
* Configure or reconfigure a zone according to the named.conf
* data in 'cctx' and 'czone'.
* data.
*
* The zone origin is not configured, it is assumed to have been set
* at zone creation time.
*
* Require:
* \li 'lctx' to be initialized or NULL.
* \li 'cctx' to be initialized or NULL.
* \li 'ac' to point to an initialized cfg_aclconfctx_t.
* \li 'czone' to be initialized.
* \li 'kasplist' to be initialized.
* \li 'zone' to be initialized.
*/
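Review bot: `dns_kasplist_t* kasplist` attaches the asterisk to the type while the rest of the prototype uses `dns_zone_t *zone`; write it as `dns_kasplist_t *kasplist`. The updated comment correctly drops the stale 'cctx'/'czone' names, but the Require list now mentions only 'ac', 'kasplist' and 'zone'; add entries for 'config', 'vconfig' and 'zconfig' so the contract for the actual parameters is documented.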
......
......@@ -208,7 +208,7 @@ options {
[ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [ port
<replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key
<replaceable>string</replaceable> ]; ... } ] [ zone-directory <replaceable>quoted_string</replaceable> ] [
in-memory <replaceable>boolean</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ]; ... };
in-memory <replaceable>boolean</replaceable> ] [ min-update-interval <replaceable>duration</replaceable> ]; ... };
check-dup-records ( fail | warn | ignore );
check-integrity <replaceable>boolean</replaceable>;
check-mx ( fail | warn | ignore );
......@@ -290,18 +290,18 @@ options {
fstrm-set-output-notify-threshold <replaceable>integer</replaceable>;
fstrm-set-output-queue-model ( mpsc | spsc );
fstrm-set-output-queue-size <replaceable>integer</replaceable>;
fstrm-set-reopen-interval <replaceable>ttlval</replaceable>;
fstrm-set-reopen-interval <replaceable>duration</replaceable>;
geoip-directory ( <replaceable>quoted_string</replaceable> | none );
glue-cache <replaceable>boolean</replaceable>;
heartbeat-interval <replaceable>integer</replaceable>;
hostname ( <replaceable>quoted_string</replaceable> | none );
inline-signing <replaceable>boolean</replaceable>;
interface-interval <replaceable>ttlval</replaceable>;
interface-interval <replaceable>duration</replaceable>;
ixfr-from-differences ( primary | master | secondary | slave |
<replaceable>boolean</replaceable> );
keep-response-order { <replaceable>address_match_element</replaceable>; ... };
key-directory <replaceable>quoted_string</replaceable>;
lame-ttl <replaceable>ttlval</replaceable>;
lame-ttl <replaceable>duration</replaceable>;
listen-on [ port <replaceable>integer</replaceable> ] [ dscp
<replaceable>integer</replaceable> ] {
<replaceable>address_match_element</replaceable>; ... };
......@@ -315,28 +315,28 @@ options {
masterfile-style ( full | relative );
match-mapped-addresses <replaceable>boolean</replaceable>;
max-cache-size ( default | unlimited | <replaceable>sizeval</replaceable> | <replaceable>percentage</replaceable> );
max-cache-ttl <replaceable>ttlval</replaceable>;
max-cache-ttl <replaceable>duration</replaceable>;
max-clients-per-query <replaceable>integer</replaceable>;
max-journal-size ( default | unlimited | <replaceable>sizeval</replaceable> );
max-ncache-ttl <replaceable>ttlval</replaceable>;
max-ncache-ttl <replaceable>duration</replaceable>;
max-records <replaceable>integer</replaceable>;
max-recursion-depth <replaceable>integer</replaceable>;
max-recursion-queries <replaceable>integer</replaceable>;
max-refresh-time <replaceable>integer</replaceable>;
max-retry-time <replaceable>integer</replaceable>;
max-rsa-exponent-size <replaceable>integer</replaceable>;
max-stale-ttl <replaceable>ttlval</replaceable>;
max-stale-ttl <replaceable>duration</replaceable>;
max-transfer-idle-in <replaceable>integer</replaceable>;
max-transfer-idle-out <replaceable>integer</replaceable>;
max-transfer-time-in <replaceable>integer</replaceable>;
max-transfer-time-out <replaceable>integer</replaceable>;
max-udp-size <replaceable>integer</replaceable>;
max-zone-ttl ( unlimited | <replaceable>ttlval</replaceable> );
max-zone-ttl ( unlimited | <replaceable>duration</replaceable> );
memstatistics <replaceable>boolean</replaceable>;
memstatistics-file <replaceable>quoted_string</replaceable>;
message-compression <replaceable>boolean</replaceable>;
min-cache-ttl <replaceable>ttlval</replaceable>;
min-ncache-ttl <replaceable>ttlval</replaceable>;
min-cache-ttl <replaceable>duration</replaceable>;
min-ncache-ttl <replaceable>duration</replaceable>;
min-refresh-time <replaceable>integer</replaceable>;
min-retry-time <replaceable>integer</replaceable>;
minimal-any <replaceable>boolean</replaceable>;
......@@ -353,8 +353,8 @@ options {
notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ]
[ dscp <replaceable>integer</replaceable> ];
notify-to-soa <replaceable>boolean</replaceable>;
nta-lifetime <replaceable>ttlval</replaceable>;
nta-recheck <replaceable>ttlval</replaceable>;
nta-lifetime <replaceable>duration</replaceable>;
nta-recheck <replaceable>duration</replaceable>;
nxdomain-redirect <replaceable>string</replaceable>;
pid-file ( <replaceable>quoted_string</replaceable> | none );
port <replaceable>integer</replaceable>;
......@@ -401,13 +401,13 @@ options {
response-padding { <replaceable>address_match_element</replaceable>; ... } block-size
<replaceable>integer</replaceable>;
response-policy { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
<replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ min-update-interval
<replaceable>ttlval</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
<replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>duration</replaceable> ] [ min-update-interval
<replaceable>duration</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [
min-update-interval <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [
break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>duration</replaceable> ] [
min-update-interval <replaceable>duration</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [
nsip-wait-recurse <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ]
[ recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ] [ dnsrps-enable <replaceable>boolean</replaceable> ] [
......@@ -421,7 +421,7 @@ options {
serial-query-rate <replaceable>integer</replaceable>;
serial-update-method ( date | increment | unixtime );
server-id ( <replaceable>quoted_string</replaceable> | none | hostname );
servfail-ttl <replaceable>ttlval</replaceable>;
servfail-ttl <replaceable>duration</replaceable>;
session-keyalg <replaceable>string</replaceable>;
session-keyfile ( <replaceable>quoted_string</replaceable> | none );
session-keyname <replaceable>string</replaceable>;
......@@ -432,7 +432,7 @@ options {
sortlist { <replaceable>address_match_element</replaceable>; ... };
stacksize ( default | unlimited | <replaceable>sizeval</replaceable> );
stale-answer-enable <replaceable>boolean</replaceable>;
stale-answer-ttl <replaceable>ttlval</replaceable>;
stale-answer-ttl <replaceable>duration</replaceable>;
startup-notify-rate <replaceable>integer</replaceable>;
statistics-file <replaceable>quoted_string</replaceable>;
synth-from-dnssec <replaceable>boolean</replaceable>;
......@@ -564,7 +564,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
[ dscp <replaceable>integer</replaceable> ] { ( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> [ port
<replaceable>integer</replaceable> ] | <replaceable>ipv6_address</replaceable> [ port <replaceable>integer</replaceable> ] ) [ key
<replaceable>string</replaceable> ]; ... } ] [ zone-directory <replaceable>quoted_string</replaceable> ] [
in-memory <replaceable>boolean</replaceable> ] [ min-update-interval <replaceable>ttlval</replaceable> ]; ... };
in-memory <replaceable>boolean</replaceable> ] [ min-update-interval <replaceable>duration</replaceable> ]; ... };
check-dup-records ( fail | warn | ignore );
check-integrity <replaceable>boolean</replaceable>;
check-mx ( fail | warn | ignore );
......@@ -642,7 +642,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
secret <replaceable>string</replaceable>;
};
key-directory <replaceable>quoted_string</replaceable>;
lame-ttl <replaceable>ttlval</replaceable>;
lame-ttl <replaceable>duration</replaceable>;
lmdb-mapsize <replaceable>sizeval</replaceable>;
managed-keys { <replaceable>string</replaceable> (
static-key | initial-key
......@@ -655,25 +655,25 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
match-destinations { <replaceable>address_match_element</replaceable>; ... };
match-recursive-only <replaceable>boolean</replaceable>;
max-cache-size ( default | unlimited | <replaceable>sizeval</replaceable> | <replaceable>percentage</replaceable> );
max-cache-ttl <replaceable>ttlval</replaceable>;
max-cache-ttl <replaceable>duration</replaceable>;
max-clients-per-query <replaceable>integer</replaceable>;
max-journal-size ( default | unlimited | <replaceable>sizeval</replaceable> );
max-ncache-ttl <replaceable>ttlval</replaceable>;
max-ncache-ttl <replaceable>duration</replaceable>;
max-records <replaceable>integer</replaceable>;
max-recursion-depth <replaceable>integer</replaceable>;
max-recursion-queries <replaceable>integer</replaceable>;
max-refresh-time <replaceable>integer</replaceable>;
max-retry-time <replaceable>integer</replaceable>;
max-stale-ttl <replaceable>ttlval</replaceable>;
max-stale-ttl <replaceable>duration</replaceable>;
max-transfer-idle-in <replaceable>integer</replaceable>;
max-transfer-idle-out <replaceable>integer</replaceable>;
max-transfer-time-in <replaceable>integer</replaceable>;
max-transfer-time-out <replaceable>integer</replaceable>;
max-udp-size <replaceable>integer</replaceable>;
max-zone-ttl ( unlimited | <replaceable>ttlval</replaceable> );
max-zone-ttl ( unlimited | <replaceable>duration</replaceable> );
message-compression <replaceable>boolean</replaceable>;
min-cache-ttl <replaceable>ttlval</replaceable>;
min-ncache-ttl <replaceable>ttlval</replaceable>;
min-cache-ttl <replaceable>duration</replaceable>;
min-ncache-ttl <replaceable>duration</replaceable>;
min-refresh-time <replaceable>integer</replaceable>;
min-retry-time <replaceable>integer</replaceable>;
minimal-any <replaceable>boolean</replaceable>;
......@@ -689,8 +689,8 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
notify-source-v6 ( <replaceable>ipv6_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ]
[ dscp <replaceable>integer</replaceable> ];
notify-to-soa <replaceable>boolean</replaceable>;
nta-lifetime <replaceable>ttlval</replaceable>;
nta-recheck <replaceable>ttlval</replaceable>;
nta-lifetime <replaceable>duration</replaceable>;
nta-recheck <replaceable>duration</replaceable>;
nxdomain-redirect <replaceable>string</replaceable>;
plugin ( query ) <replaceable>string</replaceable> [ {
<replaceable>unspecified-text</replaceable> } ];
......@@ -732,13 +732,13 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
response-padding { <replaceable>address_match_element</replaceable>; ... } block-size
<replaceable>integer</replaceable>;
response-policy { zone <replaceable>string</replaceable> [ add-soa <replaceable>boolean</replaceable> ] [ log
<replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [ min-update-interval
<replaceable>ttlval</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
<replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>duration</replaceable> ] [ min-update-interval
<replaceable>duration</replaceable> ] [ policy ( cname | disabled | drop | given | no-op |
nodata | nxdomain | passthru | tcp-only <replaceable>quoted_string</replaceable> ) ] [
recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ]; ... } [ add-soa <replaceable>boolean</replaceable> ] [
break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>ttlval</replaceable> ] [
min-update-interval <replaceable>ttlval</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [
break-dnssec <replaceable>boolean</replaceable> ] [ max-policy-ttl <replaceable>duration</replaceable> ] [
min-update-interval <replaceable>duration</replaceable> ] [ min-ns-dots <replaceable>integer</replaceable> ] [
nsip-wait-recurse <replaceable>boolean</replaceable> ] [ qname-wait-recurse <replaceable>boolean</replaceable> ]
[ recursive-only <replaceable>boolean</replaceable> ] [ nsip-enable <replaceable>boolean</replaceable> ] [
nsdname-enable <replaceable>boolean</replaceable> ] [ dnsrps-enable <replaceable>boolean</replaceable> ] [
......@@ -783,14 +783,14 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
<replaceable>integer</replaceable> | * ) ] [ dscp <replaceable>integer</replaceable> ];
transfers <replaceable>integer</replaceable>;
};
servfail-ttl <replaceable>ttlval</replaceable>;
servfail-ttl <replaceable>duration</replaceable>;
sig-signing-nodes <replaceable>integer</replaceable>;
sig-signing-signatures <replaceable>integer</replaceable>;
sig-signing-type <replaceable>integer</replaceable>;
sig-validity-interval <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ];
sortlist { <replaceable>address_match_element</replaceable>; ... };
stale-answer-enable <replaceable>boolean</replaceable>;
stale-answer-ttl <replaceable>ttlval</replaceable>;
stale-answer-ttl <replaceable>duration</replaceable>;
synth-from-dnssec <replaceable>boolean</replaceable>;
transfer-format ( many-answers | one-answer );
transfer-source ( <replaceable>ipv4_address</replaceable> | * ) [ port ( <replaceable>integer</replaceable> | * ) ] [
......@@ -842,6 +842,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
dnskey-sig-validity <replaceable>integer</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-policy <replaceable>string</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
file <replaceable>quoted_string</replaceable>;
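Review bot: `dnssec-policy <string>` lands in the view option list right next to the legacy `dnssec-dnskey-kskonly`, `dnssec-loadkeys-interval` and `dnssec-update-mode` options; either the check code should reject a configuration that sets a policy together with one of those knobs, or the manual should state which takes precedence, because the synopsis alone implies they can be combined freely.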
......@@ -867,7 +868,7 @@ view <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
max-transfer-idle-out <replaceable>integer</replaceable>;
max-transfer-time-in <replaceable>integer</replaceable>;
max-transfer-time-out <replaceable>integer</replaceable>;
max-zone-ttl ( unlimited | <replaceable>ttlval</replaceable> );
max-zone-ttl ( unlimited | <replaceable>duration</replaceable> );
min-refresh-time <replaceable>integer</replaceable>;
min-retry-time <replaceable>integer</replaceable>;
multi-master <replaceable>boolean</replaceable>;
......@@ -943,6 +944,7 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
dnskey-sig-validity <replaceable>integer</replaceable>;
dnssec-dnskey-kskonly <replaceable>boolean</replaceable>;
dnssec-loadkeys-interval <replaceable>integer</replaceable>;
dnssec-policy <replaceable>string</replaceable>;
dnssec-secure-to-insecure <replaceable>boolean</replaceable>;
dnssec-update-mode ( maintain | no-resign );
file <replaceable>quoted_string</replaceable>;
......@@ -967,7 +969,7 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
max-transfer-idle-out <replaceable>integer</replaceable>;
max-transfer-time-in <replaceable>integer</replaceable>;
max-transfer-time-out <replaceable>integer</replaceable>;
max-zone-ttl ( unlimited | <replaceable>ttlval</replaceable> );
max-zone-ttl ( unlimited | <replaceable>duration</replaceable> );
min-refresh-time <replaceable>integer</replaceable>;
min-retry-time <replaceable>integer</replaceable>;
multi-master <replaceable>boolean</replaceable>;
......@@ -1008,6 +1010,26 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
</literallayout>
</refsection>
<refsection><info><title>DNSSEC-POLICY</title></info>
<literallayout class="normal">
dnssec-policy <replaceable>string</replaceable> {
dnskey-ttl <replaceable>ttlval</replaceable>;
keys { ( csk | ksk | zsk ) key-directory lifetime <replaceable>duration</replaceable> algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
parent-ds-ttl <replaceable>duration</replaceable>;
parent-propagation-delay <replaceable>duration</replaceable>;
parent-registration-delay <replaceable>duration</replaceable>;
publish-safety <replaceable>duration</replaceable>;
retire-safety <replaceable>duration</replaceable>;
signatures-refresh <replaceable>duration</replaceable>;
signatures-validity <replaceable>duration</replaceable>;
signatures-validity-dnskey <replaceable>duration</replaceable>;
zone-max-ttl <replaceable>duration</replaceable>;
zone-propagation-delay <replaceable>duration</replaceable>;
};
</literallayout>
</refsection>
<refsection><info><title>FILES</title></info>
<para><filename>/etc/named.conf</filename>
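Review bot: `dnskey-ttl <ttlval>` is the one option in the new DNSSEC-POLICY block that still uses `ttlval`, while every other option in it (`parent-ds-ttl`, `publish-safety`, `zone-max-ttl`, ...) uses `duration` and the rest of this change converts `ttlval` to `duration` everywhere else; make it `dnskey-ttl <duration>` unless the parser really types it differently. On the `keys { ... }` line, `key-directory` appears as a bare keyword with no argument between the key type and `lifetime`, which reads as a flag rather than a directory setting, so confirm that is the intended syntax; and that line runs far past the width of the wrapped synopses elsewhere in this file, so break it the way the `response-policy` and `transfer-source` lines are broken.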
......
......@@ -50,6 +50,7 @@
#include <isc/util.h>
#include <isccfg/grammar.h>
#include <isccfg/kaspconf.h>
#include <isccfg/namedconf.h>
#include <bind9/check.h>
......@@ -68,6 +69,7 @@
#include <dns/forward.h>
#include <dns/fixedname.h>
#include <dns/journal.h>
#include <dns/kasp.h>
#include <dns/keytable.h>
#include <dns/keyvalues.h>
#include <dns/lib.h>
......@@ -459,8 +461,8 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view,
static isc_result_t
configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
dns_viewlist_t *viewlist, cfg_aclconfctx_t *aclconf,
bool added, bool old_rpz_ok,
dns_viewlist_t *viewlist, dns_kasplist_t* kasplist,
cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok,
bool modify);
static isc_result_t
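Review bot: `dns_kasplist_t* kasplist` in the forward declaration attaches the `*` to the type, unlike `cfg_aclconfctx_t *aclconf` on the following line and the rest of the file; write it as `dns_kasplist_t *kasplist` so it matches the definition further down and the project style.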
......@@ -2039,7 +2041,13 @@ conf_dnsrps_num(const cfg_obj_t *obj, const char *name,
return;
}
conf_dnsrps_sadd(ctx, " %s %d", name, cfg_obj_asuint32(sub_obj));
if (cfg_obj_isduration(sub_obj)) {
conf_dnsrps_sadd(ctx, " %s %d", name,
cfg_obj_asduration(sub_obj));
} else {
conf_dnsrps_sadd(ctx, " %s %d", name,
cfg_obj_asuint32(sub_obj));
}
}
/*
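Review bot: the new duration branch reuses the `" %s %d"` format string; if cfg_obj_asduration() returns an unsigned 32-bit value like cfg_obj_asuint32(), `%d` is the wrong conversion in both branches and values above INT32_MAX would be rendered as negative numbers in the dnsrps configuration string, so `%u` (or PRIu32) is the safer choice while this code is being touched.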
......@@ -2221,15 +2229,15 @@ configure_rpz_zone(dns_view_t *view, const cfg_listelt_t *element,
}
obj = cfg_tuple_get(rpz_obj, "max-policy-ttl");
if (cfg_obj_isuint32(obj)) {
zone->max_policy_ttl = cfg_obj_asuint32(obj);
if (cfg_obj_isduration(obj)) {
zone->max_policy_ttl = cfg_obj_asduration(obj);
} else {
zone->max_policy_ttl = ttl_default;
}
obj = cfg_tuple_get(rpz_obj, "min-update-interval");
if (cfg_obj_isuint32(obj)) {
zone->min_update_interval = cfg_obj_asuint32(obj);
if (cfg_obj_isduration(obj)) {
zone->min_update_interval = cfg_obj_asduration(obj);
} else {
zone->min_update_interval = minupdateinterval_default;
}
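Review bot: the `cfg_obj_isuint32()` path for `max-policy-ttl` and `min-update-interval` is removed outright here, whereas conf_dnsrps_num above keeps a uint32 fallback beside the new duration branch; if that fallback exists only because other callers pass plain integer options, this is fine, but if it was meant as backward compatibility for these two options, a non-duration value here now silently falls back to `ttl_default` / `minupdateinterval_default`, so the two sites should agree on one behaviour.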
......@@ -2448,14 +2456,14 @@ configure_rpz(dns_view_t *view, const cfg_obj_t **maps,
}
sub_obj = cfg_tuple_get(rpz_obj, "max-policy-ttl");
if (cfg_obj_isuint32(sub_obj))
ttl_default = cfg_obj_asuint32(sub_obj);
if (cfg_obj_isduration(sub_obj))
ttl_default = cfg_obj_asduration(sub_obj);
else
ttl_default = DNS_RPZ_MAX_TTL_DEFAULT;
sub_obj = cfg_tuple_get(rpz_obj, "min-update-interval");
if (cfg_obj_isuint32(sub_obj))
minupdateinterval_default = cfg_obj_asuint32(sub_obj);
if (cfg_obj_isduration(sub_obj))
minupdateinterval_default = cfg_obj_asduration(sub_obj);
else
minupdateinterval_default = DNS_RPZ_MINUPDATEINTERVAL_DEFAULT;
......@@ -2679,7 +2687,8 @@ catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) {
dns_view_thaw(ev->view);
result = configure_zone(cfg->config, zoneobj, cfg->vconfig,
ev->cbd->server->mctx, ev->view,
&ev->cbd->server->viewlist, cfg->actx,
&ev->cbd->server->viewlist,
&ev->cbd->server->kasplist, cfg->actx,
true, false, ev->mod);
dns_view_freeze(ev->view);
isc_task_endexclusive(task);
......@@ -2992,8 +3001,8 @@ configure_catz_zone(dns_view_t *view, const cfg_obj_t *config,
}
obj = cfg_tuple_get(catz_obj, "min-update-interval");
if (obj != NULL && cfg_obj_isuint32(obj))
opts->min_update_interval = cfg_obj_asuint32(obj);
if (obj != NULL && cfg_obj_isduration(obj))
opts->min_update_interval = cfg_obj_asduration(obj);
cleanup:
if (pview != NULL)
......@@ -3641,7 +3650,7 @@ configure_dnstap(const cfg_obj_t **maps, dns_view_t *view) {
result = named_config_get(maps, "fstrm-set-reopen-interval",
&obj);
if (result == ISC_R_SUCCESS) {
i = cfg_obj_asuint32(obj);
i = cfg_obj_asduration(obj);
fstrm_iothr_options_set_reopen_interval(fopt, i);
}
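Review bot: `i = cfg_obj_asduration(obj)` is handed straight to fstrm_iothr_options_set_reopen_interval(), which, as I read the fstrm API, takes an interval in seconds; confirm that cfg_obj_asduration() yields seconds for this option (it is used that way for the TTL options elsewhere in this change) and that the declared type of `i` does not narrow a 32-bit duration.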
......@@ -3764,11 +3773,10 @@ register_one_plugin(const cfg_obj_t *config, const cfg_obj_t *obj,
* global defaults in 'config' used exclusively.
*/
static isc_result_t
configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
cfg_obj_t *config, cfg_obj_t *vconfig,
named_cachelist_t *cachelist, const cfg_obj_t *bindkeys,
isc_mem_t *mctx, cfg_aclconfctx_t *actx,
bool need_hints)
configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
cfg_obj_t *vconfig, named_cachelist_t *cachelist,
dns_kasplist_t *kasplist, const cfg_obj_t *bindkeys,
isc_mem_t *mctx, cfg_aclconfctx_t *actx, bool need_hints)
{
const cfg_obj_t *maps[4];
const cfg_obj_t *cfgmaps[3];
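Review bot: the whole signature is reflowed, so the substantive change (the new `dns_kasplist_t *kasplist` parameter between `cachelist` and `bindkeys`) is buried in five modified lines; if this is clang-format output it is acceptable, otherwise keep the existing wrapping and add only the one line. Every caller of configure_view() needs the extra argument, and only the configure_zone() call sites are visible in this diff, so please point at the hunk that updates the configure_view() callers.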
......@@ -3895,8 +3903,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
{
const cfg_obj_t *zconfig = cfg_listelt_value(element);
CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
viewlist, actx, false, old_rpz_ok,
false));
viewlist, kasplist, actx, false,
old_rpz_ok, false));
}
/*
......@@ -4217,22 +4225,22 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
obj = NULL;
result = named_config_get(maps, "max-cache-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
view->maxcachettl = cfg_obj_asuint32(obj);
view->maxcachettl = cfg_obj_asduration(obj);
obj = NULL;
result = named_config_get(maps, "max-ncache-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
view->maxncachettl = cfg_obj_asuint32(obj);
view->maxncachettl = cfg_obj_asduration(obj);
obj = NULL;
result = named_config_get(maps, "min-cache-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
view->mincachettl = cfg_obj_asuint32(obj);
view->mincachettl = cfg_obj_asduration(obj);
obj = NULL;
result = named_config_get(maps, "min-ncache-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
view->minncachettl = cfg_obj_asuint32(obj);
view->minncachettl = cfg_obj_asduration(obj);
obj = NULL;
result = named_config_get(maps, "synth-from-dnssec", &obj);
......@@ -4242,7 +4250,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
obj = NULL;
result = named_config_get(maps, "max-stale-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
max_stale_ttl = ISC_MAX(cfg_obj_asuint32(obj), 1);
max_stale_ttl = ISC_MAX(cfg_obj_asduration(obj), 1);
obj = NULL;
result = named_config_get(maps, "stale-answer-enable", &obj);
......@@ -4392,7 +4400,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
obj = NULL;
result = named_config_get(maps, "stale-answer-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
view->staleanswerttl = ISC_MAX(cfg_obj_asuint32(obj), 1);
view->staleanswerttl = ISC_MAX(cfg_obj_asduration(obj), 1);
/*
* Resolver.
......@@ -4512,7 +4520,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
obj = NULL;
result = named_config_get(maps, "lame-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
lame_ttl = cfg_obj_asuint32(obj);
lame_ttl = cfg_obj_asduration(obj);
if (lame_ttl > 1800)
lame_ttl = 1800;
dns_resolver_setlamettl(view->resolver, lame_ttl);
......@@ -5216,12 +5224,12 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
obj = NULL;
result = named_config_get(maps, "nta-recheck", &obj);
INSIST(result == ISC_R_SUCCESS);
view->nta_recheck = cfg_obj_asuint32(obj);
view->nta_recheck = cfg_obj_asduration(obj);
obj = NULL;
result = named_config_get(maps, "nta-lifetime", &obj);
INSIST(result == ISC_R_SUCCESS);
view->nta_lifetime = cfg_obj_asuint32(obj);
view->nta_lifetime = cfg_obj_asduration(obj);
obj = NULL;
result = named_config_get(maps, "preferred-glue", &obj);
......@@ -5464,7 +5472,7 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
obj = NULL;
result = named_config_get(maps, "servfail-ttl", &obj);
INSIST(result == ISC_R_SUCCESS);
fail_ttl = cfg_obj_asuint32(obj);
fail_ttl = cfg_obj_asduration(obj);
if (fail_ttl > 30)
fail_ttl = 30;
dns_view_setfailttl(view, fail_ttl);
......@@ -5893,8 +5901,8 @@ create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
static isc_result_t
configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
dns_viewlist_t *viewlist, cfg_aclconfctx_t *aclconf,
bool added, bool old_rpz_ok,
dns_viewlist_t *viewlist, dns_kasplist_t *kasplist,
cfg_aclconfctx_t </