Add parental-agents configuration

Introduce a way to configure parental agents that can be used to
query DS records to be used in automatic key rollovers.

bin/named/named.conf.rst

@@ -465,6 +465,17 @@ OPTIONS
   	zone-statistics ( full | terse | none | boolean );
   };
 
+PARENTAL-AGENTS
+^^^^^^^^^^^^^^^
+
+::
+
+  parental-agents string [ port integer ] [
+      dscp integer ] { ( remote-servers |
+      ipv4_address [ port integer ] |
+      ipv6_address [ port integer ] ) [ key
+      string ] [ tls string ]; ... };
+
 PLUGIN
 ^^^^^^
 
@@ -930,6 +941,10 @@ VIEW
   		notify-source-v6 ( ipv6_address | * ) [ port ( integer
   		    | * ) ] [ dscp integer ];
   		notify-to-soa boolean;
+  		parental-agents [ port integer ] [ dscp integer ] { (
+  		    remote-servers | ipv4_address [ port integer ] |
+  		    ipv6_address [ port integer ] ) [ key string ] [
+  		    tls string ]; ... };
   		primaries [ port integer ] [ dscp integer ] { (
   		    remote-servers | ipv4_address [ port integer ] |
   		    ipv6_address [ port integer ] ) [ key string ] [
@@ -1038,6 +1053,10 @@ ZONE
   	notify-source-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
   	    [ dscp integer ];
   	notify-to-soa boolean;
+  	parental-agents [ port integer ] [ dscp integer ] { (
+  	    remote-servers | ipv4_address [ port integer ] |
+  	    ipv6_address [ port integer ] ) [ key string ] [ tls
+  	    string ]; ... };
   	primaries [ port integer ] [ dscp integer ] { (
   	    remote-servers | ipv4_address [ port integer ] |
   	    ipv6_address [ port integer ] ) [ key string ] [ tls

bin/tests/system/checkconf/good.conf

@@ -86,6 +86,10 @@ options {
 	transfer-source 0.0.0.0 dscp 63;
 	zone-statistics none;
 };
+parental-agents "parents" {
+	10.10.10.11;
+	10.10.10.12;
+};
 view "first" {
 	match-clients {
 		"none";
@@ -176,11 +180,18 @@ view "fourth" {
 	zone "dnssec-test" {
 		type master;
 		file "dnssec-test.db";
+		parental-agents {
+			1.2.3.4;
+			1.2.3.5;
+		};
 		dnssec-policy "test";
 	};
 	zone "dnssec-default" {
 		type master;
 		file "dnssec-default.db";
+		parental-agents {
+			"parents";
+		};
 		dnssec-policy "default";
 	};
 	zone "dnssec-inherit" {

doc/arm/Makefile.am

@@ -37,6 +37,7 @@ EXTRA_DIST =					\
 	../misc/master.zoneopt.rst		\
 	../misc/mirror.zoneopt.rst		\
 	../misc/options.grammar.rst		\
+	../misc/parentals.grammar.rst		\
 	../misc/primaries.grammar.rst		\
 	../misc/redirect.zoneopt.rst		\
 	../misc/server.grammar.rst		\

doc/arm/reference.rst

@@ -280,6 +280,9 @@ The following statements are supported:
     ``options``
         Controls global server configuration options and sets defaults for other statements.
 
+    ``parental-agents``
+        Defines a named list of servers for inclusion in primary and secondary zones' ``parental-agents`` lists.
+
     ``primaries``
         Defines a named list of servers for inclusion in stub and secondary zones' ``primaries`` or ``also-notify`` lists. (Note: this is a synonym for the original keyword ``masters``, which can still be used, but is no longer the preferred terminology.)
 
@@ -844,6 +847,21 @@ At ``debug`` level 4 or higher, the detailed context information logged at
 ``debug`` level 2 is logged for errors other than SERVFAIL and for negative
 responses such as NXDOMAIN.
 
+.. _parentals_grammar:
+
+``parental-agents`` Statement Grammar
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+.. include:: ../misc/parentals.grammar.rst
+
+.. _parentals_statement:
+
+``parental-agents`` Statement Definition and Usage
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+``parental-agents`` lists allow for a common set of parental agents to be easily
+used by multiple primary and secondary zones in their ``parental-agents`` lists.
+
 .. _primaries_grammar:
 
 ``primaries`` Statement Grammar

doc/man/named.conf.5in

@@ -535,6 +535,21 @@ options {
 .fi
 .UNINDENT
 .UNINDENT
+.SS PARENTAL\-AGENTS
+.INDENT 0.0
+.INDENT 3.5
+.sp
+.nf
+.ft C
+parental\-agents string [ port integer ] [
+    dscp integer ] { ( remote\-servers |
+    ipv4_address [ port integer ] |
+    ipv6_address [ port integer ] ) [ key
+    string ] [ tls string ]; ... };
+.ft P
+.fi
+.UNINDENT
+.UNINDENT
 .SS PLUGIN
 .INDENT 0.0
 .INDENT 3.5
@@ -1029,6 +1044,10 @@ view string [ class ] {
               notify\-source\-v6 ( ipv6_address | * ) [ port ( integer
                   | * ) ] [ dscp integer ];
               notify\-to\-soa boolean;
+              parental\-agents [ port integer ] [ dscp integer ] { (
+                  remote\-servers | ipv4_address [ port integer ] |
+                  ipv6_address [ port integer ] ) [ key string ] [
+                  tls string ]; ... };
               primaries [ port integer ] [ dscp integer ] { (
                   remote\-servers | ipv4_address [ port integer ] |
                   ipv6_address [ port integer ] ) [ key string ] [
@@ -1141,6 +1160,10 @@ zone string [ class ] {
       notify\-source\-v6 ( ipv6_address | * ) [ port ( integer | * ) ]
           [ dscp integer ];
       notify\-to\-soa boolean;
+      parental\-agents [ port integer ] [ dscp integer ] { (
+          remote\-servers | ipv4_address [ port integer ] |
+          ipv6_address [ port integer ] ) [ key string ] [ tls
+          string ]; ... };
       primaries [ port integer ] [ dscp integer ] { (
           remote\-servers | ipv4_address [ port integer ] |
           ipv6_address [ port integer ] ) [ key string ] [ tls

doc/misc/master.zoneopt

@@ -46,6 +46,7 @@ zone <string> [ <class> ] {
 	notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
 	notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
 	notify-to-soa <boolean>;
+	parental-agents [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
 	serial-update-method ( date | increment | unixtime );
 	sig-signing-nodes <integer>;
 	sig-signing-signatures <integer>;

doc/misc/master.zoneopt.rst

@@ -48,6 +48,7 @@
   	notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
   	notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
   	notify-to-soa <boolean>;
+  	parental-agents [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
   	serial-update-method ( date | increment | unixtime );
   	sig-signing-nodes <integer>;
   	sig-signing-signatures <integer>;

doc/misc/options

@@ -391,6 +391,12 @@ options {
         zone-statistics ( full | terse | none | <boolean> );
 };
 
+parental-agents <string> [ port <integer> ] [
+    dscp <integer> ] { ( <remote-servers> |
+    <ipv4_address> [ port <integer> ] |
+    <ipv6_address> [ port <integer> ] ) [ key
+    <string> ] [ tls <string> ]; ... }; // may occur multiple times
+
 plugin ( query ) <string> [ { <unspecified-text>
     } ]; // may occur multiple times
 
@@ -817,6 +823,10 @@ view <string> [ <class> ] {
                     | * ) ] [ dscp <integer> ];
                 notify-to-soa <boolean>;
                 nsec3-test-zone <boolean>; // test only
+                parental-agents [ port <integer> ] [ dscp <integer> ] { (
+                    <remote-servers> | <ipv4_address> [ port <integer> ] |
+                    <ipv6_address> [ port <integer> ] ) [ key <string> ] [
+                    tls <string> ]; ... };
                 primaries [ port <integer> ] [ dscp <integer> ] { (
                     <remote-servers> | <ipv4_address> [ port <integer> ] |
                     <ipv6_address> [ port <integer> ] ) [ key <string> ] [
@@ -921,6 +931,10 @@ zone <string> [ <class> ] {
             [ dscp <integer> ];
         notify-to-soa <boolean>;
         nsec3-test-zone <boolean>; // test only
+        parental-agents [ port <integer> ] [ dscp <integer> ] { (
+            <remote-servers> | <ipv4_address> [ port <integer> ] |
+            <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls
+            <string> ]; ... };
         primaries [ port <integer> ] [ dscp <integer> ] { (
             <remote-servers> | <ipv4_address> [ port <integer> ] |
             <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls

doc/misc/options.active

@@ -388,6 +388,12 @@ options {
         zone-statistics ( full | terse | none | <boolean> );
 };
 
+parental-agents <string> [ port <integer> ] [
+    dscp <integer> ] { ( <remote-servers> |
+    <ipv4_address> [ port <integer> ] |
+    <ipv6_address> [ port <integer> ] ) [ key
+    <string> ] [ tls <string> ]; ... }; // may occur multiple times
+
 plugin ( query ) <string> [ { <unspecified-text>
     } ]; // may occur multiple times
 
@@ -811,6 +817,10 @@ view <string> [ <class> ] {
                 notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer>
                     | * ) ] [ dscp <integer> ];
                 notify-to-soa <boolean>;
+                parental-agents [ port <integer> ] [ dscp <integer> ] { (
+                    <remote-servers> | <ipv4_address> [ port <integer> ] |
+                    <ipv6_address> [ port <integer> ] ) [ key <string> ] [
+                    tls <string> ]; ... };
                 primaries [ port <integer> ] [ dscp <integer> ] { (
                     <remote-servers> | <ipv4_address> [ port <integer> ] |
                     <ipv6_address> [ port <integer> ] ) [ key <string> ] [
@@ -914,6 +924,10 @@ zone <string> [ <class> ] {
         notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ]
             [ dscp <integer> ];
         notify-to-soa <boolean>;
+        parental-agents [ port <integer> ] [ dscp <integer> ] { (
+            <remote-servers> | <ipv4_address> [ port <integer> ] |
+            <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls
+            <string> ]; ... };
         primaries [ port <integer> ] [ dscp <integer> ] { (
             <remote-servers> | <ipv4_address> [ port <integer> ] |
             <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls

doc/misc/parentals.grammar.rst

@@ -0,0 +1,7 @@
+::
+
+  parental-agents <string> [ port <integer> ] [ dscp
+      <integer> ] { ( <remote-servers> |
+      <ipv4_address> [ port <integer> ] |
+      <ipv6_address> [ port <integer> ] ) [ key
+      <string> ] [ tls <string> ]; ... };

doc/misc/slave.zoneopt

@@ -45,6 +45,7 @@ zone <string> [ <class> ] {
 	notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
 	notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
 	notify-to-soa <boolean>;
+	parental-agents [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
 	primaries [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
 	request-expire <boolean>;
 	request-ixfr <boolean>;

doc/misc/slave.zoneopt.rst

@@ -47,6 +47,7 @@
   	notify-source ( <ipv4_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
   	notify-source-v6 ( <ipv6_address> | * ) [ port ( <integer> | * ) ] [ dscp <integer> ];
   	notify-to-soa <boolean>;
+  	parental-agents [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
   	primaries [ port <integer> ] [ dscp <integer> ] { ( <remote-servers> | <ipv4_address> [ port <integer> ] | <ipv6_address> [ port <integer> ] ) [ key <string> ] [ tls <string> ]; ... };
   	request-expire <boolean>;
   	request-ixfr <boolean>;

lib/dns/include/dns/zone.h

@@ -655,6 +655,27 @@ dns_zone_setprimaries(dns_zone_t *zone, const isc_sockaddr_t *primaries,
  *\li      Any result dns_name_dup() can return, if keynames!=NULL
  */
 
+isc_result_t
+dns_zone_setparentals(dns_zone_t *zone, const isc_sockaddr_t *parentals,
+		      dns_name_t **keynames, dns_name_t **tlsnames,
+		      uint32_t count);
+/*%<
+ *	Set the list of parental agents for the zone.
+ *
+ * Require:
+ *\li	'zone' to be a valid zone.
+ *\li	'parentals' array of isc_sockaddr_t with port set or NULL.
+ *\li	'count' the number of parentals.
+ *\li	'keynames' array of dns_name_t's for tsig keys or NULL.
+ *
+ *\li	If 'parentals' is NULL then 'count' must be zero.
+ *
+ * Returns:
+ *\li	#ISC_R_SUCCESS
+ *\li	#ISC_R_NOMEMORY
+ *\li      Any result dns_name_dup() can return, if keynames!=NULL
+ */
+
 isc_result_t
 dns_zone_setalsonotify(dns_zone_t *zone, const isc_sockaddr_t *notify,
 		       const isc_dscp_t *dscps, dns_name_t **keynames,

lib/isccfg/namedconf.c

@@ -1114,6 +1114,7 @@ static cfg_clausedef_t namedconf_clauses[] = {
 	{ "lwres", NULL, CFG_CLAUSEFLAG_MULTI | CFG_CLAUSEFLAG_ANCIENT },
 	{ "masters", &cfg_type_remoteservers, CFG_CLAUSEFLAG_MULTI },
 	{ "options", &cfg_type_options, 0 },
+	{ "parental-agents", &cfg_type_remoteservers, CFG_CLAUSEFLAG_MULTI },
 	{ "primaries", &cfg_type_remoteservers, CFG_CLAUSEFLAG_MULTI },
 	{ "statistics-channels", &cfg_type_statschannels,
 	  CFG_CLAUSEFLAG_MULTI },
@@ -2318,6 +2319,8 @@ static cfg_clausedef_t zone_only_clauses[] = {
 	{ "masters", &cfg_type_namesockaddrkeylist,
 	  CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB |
 		  CFG_ZONE_REDIRECT },
+	{ "parental-agents", &cfg_type_namesockaddrkeylist,
+	  CFG_ZONE_MASTER | CFG_ZONE_SLAVE },
 	{ "primaries", &cfg_type_namesockaddrkeylist,
 	  CFG_ZONE_SLAVE | CFG_ZONE_MIRROR | CFG_ZONE_STUB |
 		  CFG_ZONE_REDIRECT },