Store built-in dnssec-policies in defaultconf

Update the defaultconf with the built-in policies. These will now be printed with "named -C". Change the defines in kasp.h to be strings, so they can be concatenated in the defaultconf. This means when creating a kasp structure, we no longer initialize the defaults (this is fine because only kaspconf.c uses dns_kasp_create() and it inherits from the default policy). In kaspconf.c, the default values now need to be parsed from string. Introduce some variables so we don't need to do get_duration multiple times on the same configuration option. Finally, clang-format-14 decided to do some random formatting changes. (cherry picked from commit 5ff414e986fad453b0fd65c7ee14af277b1b73c2)
2025-08-30 14:07:59 +00:00 · 2022-06-21 12:31:05 +02:00 · 2022-06-21 12:31:05 +02:00 · 03c0c72aeb
commit 03c0c72aeb
parent 4fb2ecd444
5 changed files with 142 additions and 90 deletions
--- a/bin/named/config.c
+++ b/bin/named/config.c
@ -29,6 +29,7 @@
 #include <isc/util.h>

 #include <dns/fixedname.h>
+#include <dns/kasp.h>
 #include <dns/name.h>
 #include <dns/rdataclass.h>
 #include <dns/rdatatype.h>
@ -294,6 +295,44 @@ view \"_bind\" chaos {\n\
 		database \"_builtin id\";\n\
 	};\n\
 };\n\
+"
+			    "#\n\
+#  Built-in DNSSEC key and signing policies.\n\
+#\n\
+dnssec-policy \"default\" {\n\
+	keys {\n\
+		csk key-directory lifetime unlimited algorithm 13;\n\
+	};\n\
+\n\
+	dnskey-ttl " DNS_KASP_KEY_TTL ";\n\
+	publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
+	retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
+	purge-keys " DNS_KASP_PURGE_KEYS "; \n\
+	signatures-refresh " DNS_KASP_SIG_REFRESH "; \n\
+	signatures-validity " DNS_KASP_SIG_VALIDITY "; \n\
+	signatures-validity-dnskey " DNS_KASP_SIG_VALIDITY_DNSKEY "; \n\
+	max-zone-ttl " DNS_KASP_ZONE_MAXTTL "; \n\
+	zone-propagation-delay " DNS_KASP_ZONE_PROPDELAY "; \n\
+	parent-ds-ttl " DNS_KASP_DS_TTL "; \n\
+	parent-propagation-delay " DNS_KASP_PARENT_PROPDELAY "; \n\
+};\n\
+\n\
+dnssec-policy \"insecure\" {\n\
+	keys { };\n\
+\n\
+	dnskey-ttl " DNS_KASP_KEY_TTL "; \n\
+	publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
+	retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
+	purge-keys " DNS_KASP_PURGE_KEYS "; \n\
+	signatures-refresh " DNS_KASP_SIG_REFRESH "; \n\
+	signatures-validity " DNS_KASP_SIG_VALIDITY "; \n\
+	signatures-validity-dnskey " DNS_KASP_SIG_VALIDITY_DNSKEY "; \n\
+	max-zone-ttl " DNS_KASP_ZONE_MAXTTL "; \n\
+	zone-propagation-delay " DNS_KASP_ZONE_PROPDELAY "; \n\
+	parent-ds-ttl " DNS_KASP_DS_TTL "; \n\
+	parent-propagation-delay " DNS_KASP_PARENT_PROPDELAY "; \n\
+};\n\
+\n\
 "
 			    "#\n\
 #  Default trusted key(s), used if \n\
--- a/lib/dns/include/dns/kasp.h
+++ b/lib/dns/include/dns/kasp.h
@ -105,17 +105,17 @@ struct dns_kasp {
 #define DNS_KASP_VALID(kasp) ISC_MAGIC_VALID(kasp, DNS_KASP_MAGIC)

 /* Defaults */
-#define DNS_KASP_SIG_REFRESH	     (86400 * 5)
-#define DNS_KASP_SIG_VALIDITY	     (86400 * 14)
-#define DNS_KASP_SIG_VALIDITY_DNSKEY (86400 * 14)
-#define DNS_KASP_KEY_TTL	     (3600)
-#define DNS_KASP_DS_TTL		     (86400)
-#define DNS_KASP_PUBLISH_SAFETY	     (3600)
-#define DNS_KASP_PURGE_KEYS	     (86400 * 90)
-#define DNS_KASP_RETIRE_SAFETY	     (3600)
-#define DNS_KASP_ZONE_MAXTTL	     (86400)
-#define DNS_KASP_ZONE_PROPDELAY	     (300)
-#define DNS_KASP_PARENT_PROPDELAY    (3600)
+#define DNS_KASP_SIG_REFRESH	     "P5D"
+#define DNS_KASP_SIG_VALIDITY	     "P14D"
+#define DNS_KASP_SIG_VALIDITY_DNSKEY "P14D"
+#define DNS_KASP_KEY_TTL	     "3600"
+#define DNS_KASP_DS_TTL		     "86400"
+#define DNS_KASP_PUBLISH_SAFETY	     "3600"
+#define DNS_KASP_PURGE_KEYS	     "P90D"
+#define DNS_KASP_RETIRE_SAFETY	     "3600"
+#define DNS_KASP_ZONE_MAXTTL	     "86400"
+#define DNS_KASP_ZONE_PROPDELAY	     "300"
+#define DNS_KASP_PARENT_PROPDELAY    "3600"

 /* Key roles */
 #define DNS_KASP_KEY_ROLE_KSK 0x01
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@ -30,44 +30,26 @@
 isc_result_t
 dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
 	dns_kasp_t *kasp;
+	dns_kasp_t k = {
+		.magic = DNS_KASP_MAGIC,
+	};

 	REQUIRE(name != NULL);
 	REQUIRE(kaspp != NULL && *kaspp == NULL);

 	kasp = isc_mem_get(mctx, sizeof(*kasp));
+	*kasp = k;
+
 	kasp->mctx = NULL;
 	isc_mem_attach(mctx, &kasp->mctx);
-
 	kasp->name = isc_mem_strdup(mctx, name);
 	isc_mutex_init(&kasp->lock);
-	kasp->frozen = false;
-
 	isc_refcount_init(&kasp->references, 1);

 	ISC_LINK_INIT(kasp, link);
-
-	kasp->signatures_refresh = DNS_KASP_SIG_REFRESH;
-	kasp->signatures_validity = DNS_KASP_SIG_VALIDITY;
-	kasp->signatures_validity_dnskey = DNS_KASP_SIG_VALIDITY_DNSKEY;
-
 	ISC_LIST_INIT(kasp->keys);

-	kasp->dnskey_ttl = DNS_KASP_KEY_TTL;
-	kasp->publish_safety = DNS_KASP_PUBLISH_SAFETY;
-	kasp->retire_safety = DNS_KASP_RETIRE_SAFETY;
-	kasp->purge_keys = DNS_KASP_PURGE_KEYS;
-
-	kasp->zone_max_ttl = DNS_KASP_ZONE_MAXTTL;
-	kasp->zone_propagation_delay = DNS_KASP_ZONE_PROPDELAY;
-
-	kasp->parent_ds_ttl = DNS_KASP_DS_TTL;
-	kasp->parent_propagation_delay = DNS_KASP_PARENT_PROPDELAY;
-
-	kasp->nsec3 = false;
-
-	kasp->magic = DNS_KASP_MAGIC;
 	*kaspp = kasp;
-
 	return (ISC_R_SUCCESS);
 }

--- a/lib/isccfg/include/isccfg/grammar.h
+++ b/lib/isccfg/include/isccfg/grammar.h
@ -123,17 +123,17 @@ struct cfg_tuplefielddef {

 /*% A configuration object type definition. */
 struct cfg_type {
-	const char	   *name; /*%< For debugging purposes only */
+	const char     *name; /*%< For debugging purposes only */
 	cfg_parsefunc_t parse;
 	cfg_printfunc_t print;
 	cfg_docfunc_t	doc; /*%< Print grammar description */
-	cfg_rep_t	  *rep; /*%< Data representation */
-	const void	   *of;  /*%< Additional data for meta-types */
+	cfg_rep_t      *rep; /*%< Data representation */
+	const void     *of;  /*%< Additional data for meta-types */
 };

 /*% A keyword-type definition, for things like "port <integer>". */
 typedef struct {
-	const char	   *name;
+	const char	 *name;
 	const cfg_type_t *type;
 } keyword_type_t;

@ -157,7 +157,7 @@ struct cfg_netprefix {
 * A configuration data representation.
 */
 struct cfg_rep {
-	const char	   *name; /*%< For debugging only */
+	const char    *name; /*%< For debugging only */
 	cfg_freefunc_t free; /*%< How to free this kind of data. */
 };

@ -175,7 +175,7 @@ struct cfg_obj {
 		bool		 boolean;
 		cfg_map_t	 map;
 		cfg_list_t	 list;
-		cfg_obj_t	  **tuple;
+		cfg_obj_t      **tuple;
 		isc_sockaddr_t	 sockaddr;
 		struct {
 			isc_sockaddr_t sockaddr;
@ -185,7 +185,7 @@ struct cfg_obj {
 		isccfg_duration_t duration;
 	} value;
 	isc_refcount_t references; /*%< reference counter */
-	const char	   *file;
+	const char    *file;
 	unsigned int   line;
 	cfg_parser_t  *pctx;
 };
@ -198,9 +198,9 @@ struct cfg_listelt {

 /*% The parser object. */
 struct cfg_parser {
-	isc_mem_t	  *mctx;
-	isc_log_t	  *lctx;
-	isc_lex_t	  *lexer;
+	isc_mem_t   *mctx;
+	isc_log_t   *lctx;
+	isc_lex_t   *lexer;
 	unsigned int errors;
 	unsigned int warnings;
 	isc_token_t  token;
@ -254,7 +254,7 @@ struct cfg_parser {
 	isc_refcount_t references;

 	cfg_parsecallback_t callback;
-	void	       *callbackarg;
+	void		   *callbackarg;
 };

 /* Parser context flags */
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@ -20,6 +20,7 @@
 #include <isc/region.h>
 #include <isc/result.h>
 #include <isc/string.h>
+#include <isc/types.h>
 #include <isc/util.h>

 #include <dns/kasp.h>
@ -27,8 +28,10 @@
 #include <dns/log.h>
 #include <dns/nsec3.h>
 #include <dns/secalg.h>
+#include <dns/ttl.h>

 #include <isccfg/cfg.h>
+#include <isccfg/duration.h>
 #include <isccfg/kaspconf.h>
 #include <isccfg/namedconf.h>

@ -50,18 +53,48 @@ confget(cfg_obj_t const *const *maps, const char *name, const cfg_obj_t **obj) {
 	}
 }

+/*
+ * Utility function for parsing durations from string.
+ */
+static uint32_t
+parse_duration(const char *str) {
+	uint32_t time = 0;
+	isccfg_duration_t duration;
+	isc_result_t result;
+	isc_textregion_t tr;
+
+	DE_CONST(str, tr.base);
+	tr.length = strlen(tr.base);
+	result = isccfg_duration_fromtext(&tr, &duration);
+	if (result == ISC_R_BADNUMBER) {
+		/* Fallback to dns_ttl_fromtext. */
+		(void)dns_ttl_fromtext(&tr, &time);
+		return (time);
+	}
+	if (result == ISC_R_SUCCESS) {
+		time += duration.parts[6];		 /* Seconds */
+		time += duration.parts[5] * 60;		 /* Minutes */
+		time += duration.parts[4] * 3600;	 /* Hours */
+		time += duration.parts[3] * 86400;	 /* Days */
+		time += duration.parts[2] * 86400 * 7;	 /* Weaks */
+		time += duration.parts[1] * 86400 * 31;	 /* Months */
+		time += duration.parts[0] * 86400 * 365; /* Years */
+	}
+	return (time);
+}
+
 /*
 * Utility function for configuring durations.
 */
 static uint32_t
-get_duration(const cfg_obj_t **maps, const char *option, uint32_t dfl) {
+get_duration(const cfg_obj_t **maps, const char *option, const char *dfl) {
 	const cfg_obj_t *obj;
 	isc_result_t result;
 	obj = NULL;

 	result = confget(maps, option, &obj);
 	if (result == ISC_R_NOTFOUND) {
-		return (dfl);
+		return (parse_duration(dfl));
 	}
 	INSIST(result == ISC_R_SUCCESS);
 	return (cfg_obj_asduration(obj));
@ -291,14 +324,16 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
 	dns_kasp_t *kasp = NULL;
 	size_t i = 0;
 	uint32_t sigrefresh = 0, sigvalidity = 0;
+	uint32_t dnskeyttl = 0, dsttl = 0, maxttl = 0;
+	uint32_t publishsafety = 0, retiresafety = 0;
+	uint32_t zonepropdelay = 0, parentpropdelay = 0;
 	uint32_t ipub = 0, iret = 0;
 	uint32_t ksk_min_lifetime = 0, zsk_min_lifetime = 0;

+	REQUIRE(config != NULL);
 	REQUIRE(kaspp != NULL && *kaspp == NULL);

-	kaspname = (name == NULL)
-			   ? cfg_obj_asstring(cfg_tuple_get(config, "name"))
-			   : name;
+	kaspname = cfg_obj_asstring(cfg_tuple_get(config, "name"));
 	INSIST(kaspname != NULL);

 	result = dns_kasplist_find(kasplist, kaspname, &kasp);
@ -352,10 +387,11 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
 	sigvalidity = get_duration(maps, "signatures-validity",
 				   DNS_KASP_SIG_VALIDITY);
 	if (sigrefresh >= (sigvalidity * 0.9)) {
-		cfg_obj_log(config, logctx, ISC_LOG_ERROR,
-			    "dnssec-policy: policy '%s' signatures-refresh "
-			    "must be at most 90%% of the signatures-validity",
-			    kaspname);
+		cfg_obj_log(
+			config, logctx, ISC_LOG_ERROR,
+			"dnssec-policy: policy '%s' signatures-refresh must be "
+			"at most 90%% of the signatures-validity",
+			kaspname);
 		result = ISC_R_FAILURE;
 	}
 	dns_kasp_setsigvalidity(kasp, sigvalidity);
@ -364,34 +400,43 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
 		goto cleanup;
 	}

+	/* Configuration: Zone settings */
+	maxttl = get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL);
+	dns_kasp_setzonemaxttl(kasp, maxttl);
+
+	zonepropdelay = get_duration(maps, "zone-propagation-delay",
+				     DNS_KASP_ZONE_PROPDELAY);
+	dns_kasp_setzonepropagationdelay(kasp, zonepropdelay);
+
+	/* Configuration: Parent settings */
+	dsttl = get_duration(maps, "parent-ds-ttl", DNS_KASP_DS_TTL);
+	dns_kasp_setdsttl(kasp, dsttl);
+
+	parentpropdelay = get_duration(maps, "parent-propagation-delay",
+				       DNS_KASP_PARENT_PROPDELAY);
+	dns_kasp_setparentpropagationdelay(kasp, parentpropdelay);
+
 	/* Configuration: Keys */
-	dns_kasp_setdnskeyttl(
-		kasp, get_duration(maps, "dnskey-ttl", DNS_KASP_KEY_TTL));
-	dns_kasp_setpublishsafety(kasp, get_duration(maps, "publish-safety",
-						     DNS_KASP_PUBLISH_SAFETY));
-	dns_kasp_setretiresafety(kasp, get_duration(maps, "retire-safety",
-						    DNS_KASP_RETIRE_SAFETY));
+	dnskeyttl = get_duration(maps, "dnskey-ttl", DNS_KASP_KEY_TTL);
+	dns_kasp_setdnskeyttl(kasp, dnskeyttl);
+
+	publishsafety = get_duration(maps, "publish-safety",
+				     DNS_KASP_PUBLISH_SAFETY);
+	dns_kasp_setpublishsafety(kasp, publishsafety);
+
+	retiresafety = get_duration(maps, "retire-safety",
+				    DNS_KASP_RETIRE_SAFETY);
+	dns_kasp_setretiresafety(kasp, retiresafety);
+
 	dns_kasp_setpurgekeys(
 		kasp, get_duration(maps, "purge-keys", DNS_KASP_PURGE_KEYS));

-	ipub = get_duration(maps, "dnskey-ttl", DNS_KASP_KEY_TTL) +
-	       get_duration(maps, "publish-safety", DNS_KASP_PUBLISH_SAFETY) +
-	       get_duration(maps, "zone-propagation-delay",
-			    DNS_KASP_ZONE_PROPDELAY);
-
-	iret = get_duration(maps, "parent-ds-ttl", DNS_KASP_DS_TTL) +
-	       get_duration(maps, "retire-safety", DNS_KASP_RETIRE_SAFETY) +
-	       get_duration(maps, "parent-propagation-delay",
-			    DNS_KASP_PARENT_PROPDELAY);
-
+	ipub = dnskeyttl + publishsafety + zonepropdelay;
+	iret = dsttl + retiresafety + parentpropdelay;
 	ksk_min_lifetime = ISC_MAX(ipub, iret);

-	iret = (sigvalidity - sigrefresh) +
-	       get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL) +
-	       get_duration(maps, "retire-safety", DNS_KASP_RETIRE_SAFETY) +
-	       get_duration(maps, "zone-propagation-delay",
-			    DNS_KASP_ZONE_PROPDELAY);
-
+	iret = (sigvalidity - sigrefresh) + maxttl + retiresafety +
+	       zonepropdelay;
 	zsk_min_lifetime = ISC_MAX(ipub, iret);

 	(void)confget(maps, "keys", &keys);
@ -489,20 +534,6 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
 		}
 	}

-	/* Configuration: Zone settings */
-	dns_kasp_setzonemaxttl(
-		kasp, get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL));
-	dns_kasp_setzonepropagationdelay(
-		kasp, get_duration(maps, "zone-propagation-delay",
-				   DNS_KASP_ZONE_PROPDELAY));
-
-	/* Configuration: Parent settings */
-	dns_kasp_setdsttl(kasp,
-			  get_duration(maps, "parent-ds-ttl", DNS_KASP_DS_TTL));
-	dns_kasp_setparentpropagationdelay(
-		kasp, get_duration(maps, "parent-propagation-delay",
-				   DNS_KASP_PARENT_PROPDELAY));
-
 	/* Append it to the list for future lookups. */
 	ISC_LIST_APPEND(*kasplist, kasp, link);
 	INSIST(!(ISC_LIST_EMPTY(*kasplist)));