diff --git a/bin/named/config.c b/bin/named/config.c index 1471b7bfb6..8fd96b91a5 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -29,6 +29,7 @@ #include #include +#include #include #include #include @@ -294,6 +295,44 @@ view \"_bind\" chaos {\n\ database \"_builtin id\";\n\ };\n\ };\n\ +" + "#\n\ +# Built-in DNSSEC key and signing policies.\n\ +#\n\ +dnssec-policy \"default\" {\n\ + keys {\n\ + csk key-directory lifetime unlimited algorithm 13;\n\ + };\n\ +\n\ + dnskey-ttl " DNS_KASP_KEY_TTL ";\n\ + publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\ + retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\ + purge-keys " DNS_KASP_PURGE_KEYS "; \n\ + signatures-refresh " DNS_KASP_SIG_REFRESH "; \n\ + signatures-validity " DNS_KASP_SIG_VALIDITY "; \n\ + signatures-validity-dnskey " DNS_KASP_SIG_VALIDITY_DNSKEY "; \n\ + max-zone-ttl " DNS_KASP_ZONE_MAXTTL "; \n\ + zone-propagation-delay " DNS_KASP_ZONE_PROPDELAY "; \n\ + parent-ds-ttl " DNS_KASP_DS_TTL "; \n\ + parent-propagation-delay " DNS_KASP_PARENT_PROPDELAY "; \n\ +};\n\ +\n\ +dnssec-policy \"insecure\" {\n\ + keys { };\n\ +\n\ + dnskey-ttl " DNS_KASP_KEY_TTL "; \n\ + publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\ + retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\ + purge-keys " DNS_KASP_PURGE_KEYS "; \n\ + signatures-refresh " DNS_KASP_SIG_REFRESH "; \n\ + signatures-validity " DNS_KASP_SIG_VALIDITY "; \n\ + signatures-validity-dnskey " DNS_KASP_SIG_VALIDITY_DNSKEY "; \n\ + max-zone-ttl " DNS_KASP_ZONE_MAXTTL "; \n\ + zone-propagation-delay " DNS_KASP_ZONE_PROPDELAY "; \n\ + parent-ds-ttl " DNS_KASP_DS_TTL "; \n\ + parent-propagation-delay " DNS_KASP_PARENT_PROPDELAY "; \n\ +};\n\ +\n\ " "#\n\ # Default trusted key(s), used if \n\ diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h index ca7dfce6f0..b429494ca3 100644 --- a/lib/dns/include/dns/kasp.h +++ b/lib/dns/include/dns/kasp.h 
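Review bot: The option lines of both built-in policies end in `"; \n\` with a space before the newline, except the first `dnskey-ttl` line of the "default" policy, which ends in `";\n\`; the trailing space is harmless to the parser but makes the two policy bodies differ for no reason, and any later "diff the two policies" check will flag it. I would drop the space on every line so both blocks read `"; \n\` → `";\n\`. Since the two policies now repeat the same eleven timing lines verbatim, a one-line comment such as `/* "insecure" mirrors "default" timings; keep both lists in sync */` above the second block would help the next editor. The enclosing named.conf string literal starts before this hunk.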
@@ -105,17 +105,17 @@ struct dns_kasp { #define DNS_KASP_VALID(kasp) ISC_MAGIC_VALID(kasp, DNS_KASP_MAGIC) /* Defaults */ -#define DNS_KASP_SIG_REFRESH (86400 * 5) -#define DNS_KASP_SIG_VALIDITY (86400 * 14) -#define DNS_KASP_SIG_VALIDITY_DNSKEY (86400 * 14) -#define DNS_KASP_KEY_TTL (3600) -#define DNS_KASP_DS_TTL (86400) -#define DNS_KASP_PUBLISH_SAFETY (3600) -#define DNS_KASP_PURGE_KEYS (86400 * 90) -#define DNS_KASP_RETIRE_SAFETY (3600) -#define DNS_KASP_ZONE_MAXTTL (86400) -#define DNS_KASP_ZONE_PROPDELAY (300) -#define DNS_KASP_PARENT_PROPDELAY (3600) +#define DNS_KASP_SIG_REFRESH "P5D" +#define DNS_KASP_SIG_VALIDITY "P14D" +#define DNS_KASP_SIG_VALIDITY_DNSKEY "P14D" +#define DNS_KASP_KEY_TTL "3600" +#define DNS_KASP_DS_TTL "86400" +#define DNS_KASP_PUBLISH_SAFETY "3600" +#define DNS_KASP_PURGE_KEYS "P90D" +#define DNS_KASP_RETIRE_SAFETY "3600" +#define DNS_KASP_ZONE_MAXTTL "86400" +#define DNS_KASP_ZONE_PROPDELAY "300" +#define DNS_KASP_PARENT_PROPDELAY "3600" /* Key roles */ #define DNS_KASP_KEY_ROLE_KSK 0x01 diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c index 09c6810958..cdc70fd2d9 100644 --- a/lib/dns/kasp.c +++ b/lib/dns/kasp.c 
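Review bot: The defaults change type from integer seconds to string literals, but the header comment is still just `/* Defaults */`, so a reader cannot tell that these strings are consumed by a text parser rather than used numerically. I would extend it to `/* Defaults: ISO 8601 durations (e.g. "P5D") or plain TTL seconds, parsed by get_duration() in lib/isccfg/kaspconf.c */`. It is also worth stating in that comment that months and years in these strings are converted with fixed 31-day and 365-day approximations, since that is how the kaspconf.c parser in this same commit treats them; any future default written as "P1M" would inherit that rounding.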
@@ -30,44 +30,26 @@ isc_result_t dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) { dns_kasp_t *kasp; + dns_kasp_t k = { + .magic = DNS_KASP_MAGIC, + }; REQUIRE(name != NULL); REQUIRE(kaspp != NULL && *kaspp == NULL); kasp = isc_mem_get(mctx, sizeof(*kasp)); + *kasp = k; + kasp->mctx = NULL; isc_mem_attach(mctx, &kasp->mctx); - kasp->name = isc_mem_strdup(mctx, name); isc_mutex_init(&kasp->lock); - kasp->frozen = false; - isc_refcount_init(&kasp->references, 1); ISC_LINK_INIT(kasp, link); - - kasp->signatures_refresh = DNS_KASP_SIG_REFRESH; - kasp->signatures_validity = DNS_KASP_SIG_VALIDITY; - kasp->signatures_validity_dnskey = DNS_KASP_SIG_VALIDITY_DNSKEY; - ISC_LIST_INIT(kasp->keys); - kasp->dnskey_ttl = DNS_KASP_KEY_TTL; - kasp->publish_safety = DNS_KASP_PUBLISH_SAFETY; - kasp->retire_safety = DNS_KASP_RETIRE_SAFETY; - kasp->purge_keys = DNS_KASP_PURGE_KEYS; - - kasp->zone_max_ttl = DNS_KASP_ZONE_MAXTTL; - kasp->zone_propagation_delay = DNS_KASP_ZONE_PROPDELAY; - - kasp->parent_ds_ttl = DNS_KASP_DS_TTL; - kasp->parent_propagation_delay = DNS_KASP_PARENT_PROPDELAY; - - kasp->nsec3 = false; - - kasp->magic = DNS_KASP_MAGIC; *kaspp = kasp; - return (ISC_R_SUCCESS); } diff --git a/lib/isccfg/include/isccfg/grammar.h b/lib/isccfg/include/isccfg/grammar.h index 9c5e5dfa26..01d31fc3f1 100644 --- a/lib/isccfg/include/isccfg/grammar.h +++ b/lib/isccfg/include/isccfg/grammar.h 
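Review bot: `dns_kasp_create` no longer seeds any timing field (signatures_refresh, signatures_validity, dnskey_ttl, ttls, propagation delays), so after `*kasp = k;` every one of them is zero until `cfg_kasp_fromconfig` sets it; any other caller of `dns_kasp_create`, or a config path that returns before the `dns_kasp_set*` calls, now hands out a policy with zero-length validity and TTLs. I would document that contract on the function, e.g. `/* Fields not listed in k are zero; timing defaults are applied by cfg_kasp_fromconfig(), not here. */`. As rendered here the `isc_mem_strdup` for `name`, `isc_refcount_init(&kasp->references, 1)` and `ISC_LIST_INIT(kasp->keys)` lines also carry `-` markers; if that is not a collapse artifact of the diff, `name` stays NULL and the reference count starts at 0 in a zeroed struct, which would break the first `dns_kasp_detach`, so please confirm those lines survive on the new side. The `kasp->mctx = NULL;` after `*kasp = k;` is redundant with the zero-initialised `k`.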
@@ -123,17 +123,17 @@ struct cfg_tuplefielddef { /*% A configuration object type definition. */ struct cfg_type { - const char *name; /*%< For debugging purposes only */ + const char *name; /*%< For debugging purposes only */ cfg_parsefunc_t parse; cfg_printfunc_t print; cfg_docfunc_t doc; /*%< Print grammar description */ - cfg_rep_t *rep; /*%< Data representation */ - const void *of; /*%< Additional data for meta-types */ + cfg_rep_t *rep; /*%< Data representation */ + const void *of; /*%< Additional data for meta-types */ }; /*% A keyword-type definition, for things like "port ". */ typedef struct { - const char *name; + const char *name; const cfg_type_t *type; } keyword_type_t; @@ -157,7 +157,7 @@ struct cfg_netprefix { * A configuration data representation. */ struct cfg_rep { - const char *name; /*%< For debugging only */ + const char *name; /*%< For debugging only */ cfg_freefunc_t free; /*%< How to free this kind of data. */ }; @@ -175,7 +175,7 @@ struct cfg_obj { bool boolean; cfg_map_t map; cfg_list_t list; - cfg_obj_t **tuple; + cfg_obj_t **tuple; isc_sockaddr_t sockaddr; struct { isc_sockaddr_t sockaddr; @@ -185,7 +185,7 @@ struct cfg_obj { isccfg_duration_t duration; } value; isc_refcount_t references; /*%< reference counter */ - const char *file; + const char *file; unsigned int line; cfg_parser_t *pctx; }; @@ -198,9 +198,9 @@ struct cfg_listelt { /*% The parser object. */ struct cfg_parser { - isc_mem_t *mctx; - isc_log_t *lctx; - isc_lex_t *lexer; + isc_mem_t *mctx; + isc_log_t *lctx; + isc_lex_t *lexer; unsigned int errors; unsigned int warnings; isc_token_t token; @@ -254,7 +254,7 @@ struct cfg_parser { isc_refcount_t references; cfg_parsecallback_t callback; - void *callbackarg; + void *callbackarg; }; /* Parser context flags */ diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index d7a01ccd04..db99ebbae3 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c 
@@ -20,6 +20,7 @@ #include #include #include +#include #include #include @@ -27,8 +28,10 @@ #include #include #include +#include #include +#include #include #include @@ -50,18 +53,48 @@ confget(cfg_obj_t const *const *maps, const char *name, const cfg_obj_t **obj) { } } +/* + * Utility function for parsing durations from string. + */ +static uint32_t +parse_duration(const char *str) { + uint32_t time = 0; + isccfg_duration_t duration; + isc_result_t result; + isc_textregion_t tr; + + DE_CONST(str, tr.base); + tr.length = strlen(tr.base); + result = isccfg_duration_fromtext(&tr, &duration); + if (result == ISC_R_BADNUMBER) { + /* Fallback to dns_ttl_fromtext. */ + (void)dns_ttl_fromtext(&tr, &time); + return (time); + } + if (result == ISC_R_SUCCESS) { + time += duration.parts[6]; /* Seconds */ + time += duration.parts[5] * 60; /* Minutes */ + time += duration.parts[4] * 3600; /* Hours */ + time += duration.parts[3] * 86400; /* Days */ + time += duration.parts[2] * 86400 * 7; /* Weaks */ + time += duration.parts[1] * 86400 * 31; /* Months */ + time += duration.parts[0] * 86400 * 365; /* Years */ + } + return (time); +} + /* * Utility function for configuring durations. */ static uint32_t -get_duration(const cfg_obj_t **maps, const char *option, uint32_t dfl) { +get_duration(const cfg_obj_t **maps, const char *option, const char *dfl) { const cfg_obj_t *obj; isc_result_t result; obj = NULL; result = confget(maps, option, &obj); if (result == ISC_R_NOTFOUND) { - return (dfl); + return (parse_duration(dfl)); } INSIST(result == ISC_R_SUCCESS); return (cfg_obj_asduration(obj)); 
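Review bot: `parse_duration` returns 0 silently on every failure path: the result of `dns_ttl_fromtext` is discarded, and a result other than ISC_R_BADNUMBER/ISC_R_SUCCESS from `isccfg_duration_fromtext` falls through to `return (time)` with `time == 0`. Its only inputs are the compile-time DNS_KASP_* defaults, so a mistyped default would not fail the build or the config load but would quietly give a policy a zero signatures-validity or DNSKEY TTL; I would make that loud, `result = dns_ttl_fromtext(&tr, &time); INSIST(result == ISC_R_SUCCESS);` in the fallback and `INSIST(result == ISC_R_SUCCESS);` instead of the second `if`. The month and year terms (`* 86400 * 31`, `* 86400 * 365`) are approximations that should be stated in the function comment, and they ought to match whatever `cfg_obj_asduration` does for user-supplied values so a configured "P1M" and a default "P1M" agree; `/* Weaks */` should read `/* Weeks */`. Whether `duration.parts[]` is narrow enough for these uint32_t products not to wrap is not visible here — worth a comment if it is bounded by the parser.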
@@ -291,14 +324,16 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx, dns_kasp_t *kasp = NULL; size_t i = 0; uint32_t sigrefresh = 0, sigvalidity = 0; + uint32_t dnskeyttl = 0, dsttl = 0, maxttl = 0; + uint32_t publishsafety = 0, retiresafety = 0; + uint32_t zonepropdelay = 0, parentpropdelay = 0; uint32_t ipub = 0, iret = 0; uint32_t ksk_min_lifetime = 0, zsk_min_lifetime = 0; + REQUIRE(config != NULL); REQUIRE(kaspp != NULL && *kaspp == NULL); - kaspname = (name == NULL) - ? cfg_obj_asstring(cfg_tuple_get(config, "name")) - : name; + kaspname = cfg_obj_asstring(cfg_tuple_get(config, "name")); INSIST(kaspname != NULL); result = dns_kasplist_find(kasplist, kaspname, &kasp); @@ -352,10 +387,11 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx, sigvalidity = get_duration(maps, "signatures-validity", DNS_KASP_SIG_VALIDITY); if (sigrefresh >= (sigvalidity * 0.9)) { - cfg_obj_log(config, logctx, ISC_LOG_ERROR, - "dnssec-policy: policy '%s' signatures-refresh " - "must be at most 90%% of the signatures-validity", - kaspname); + cfg_obj_log( + config, logctx, ISC_LOG_ERROR, + "dnssec-policy: policy '%s' signatures-refresh must be " + "at most 90%% of the signatures-validity", + kaspname); result = ISC_R_FAILURE; } dns_kasp_setsigvalidity(kasp, sigvalidity); 
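Review bot: With `kaspname = cfg_obj_asstring(cfg_tuple_get(config, "name"));` the `name` parameter of `cfg_kasp_fromconfig` is no longer read anywhere in the visible hunks, yet it stays in the signature, so callers still pass a value that has no effect and `-Wunused-parameter` will fire. Either drop it from the prototype and callers or mark it `UNUSED(name);` next to the REQUIREs with a comment saying the policy name now always comes from the config tuple. In the second hunk the `sigrefresh >= (sigvalidity * 0.9)` comparison is unchanged apart from re-wrapping, so no new point there. The function body continues outside both hunks.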
@@ -364,34 +400,43 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx, goto cleanup; } + /* Configuration: Zone settings */ + maxttl = get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL); + dns_kasp_setzonemaxttl(kasp, maxttl); + + zonepropdelay = get_duration(maps, "zone-propagation-delay", + DNS_KASP_ZONE_PROPDELAY); + dns_kasp_setzonepropagationdelay(kasp, zonepropdelay); + + /* Configuration: Parent settings */ + dsttl = get_duration(maps, "parent-ds-ttl", DNS_KASP_DS_TTL); + dns_kasp_setdsttl(kasp, dsttl); + + parentpropdelay = get_duration(maps, "parent-propagation-delay", + DNS_KASP_PARENT_PROPDELAY); + dns_kasp_setparentpropagationdelay(kasp, parentpropdelay); + /* Configuration: Keys */ - dns_kasp_setdnskeyttl( - kasp, get_duration(maps, "dnskey-ttl", DNS_KASP_KEY_TTL)); - dns_kasp_setpublishsafety(kasp, get_duration(maps, "publish-safety", - DNS_KASP_PUBLISH_SAFETY)); - dns_kasp_setretiresafety(kasp, get_duration(maps, "retire-safety", - DNS_KASP_RETIRE_SAFETY)); + dnskeyttl = get_duration(maps, "dnskey-ttl", DNS_KASP_KEY_TTL); + dns_kasp_setdnskeyttl(kasp, dnskeyttl); + + publishsafety = get_duration(maps, "publish-safety", + DNS_KASP_PUBLISH_SAFETY); + dns_kasp_setpublishsafety(kasp, publishsafety); + + retiresafety = get_duration(maps, "retire-safety", + DNS_KASP_RETIRE_SAFETY); + dns_kasp_setretiresafety(kasp, retiresafety); + dns_kasp_setpurgekeys( kasp, get_duration(maps, "purge-keys", DNS_KASP_PURGE_KEYS)); - ipub = get_duration(maps, "dnskey-ttl", DNS_KASP_KEY_TTL) + - get_duration(maps, "publish-safety", DNS_KASP_PUBLISH_SAFETY) + - get_duration(maps, "zone-propagation-delay", - DNS_KASP_ZONE_PROPDELAY); - - iret = get_duration(maps, "parent-ds-ttl", DNS_KASP_DS_TTL) + - get_duration(maps, "retire-safety", DNS_KASP_RETIRE_SAFETY) + - get_duration(maps, "parent-propagation-delay", - DNS_KASP_PARENT_PROPDELAY); - + ipub = dnskeyttl + publishsafety + zonepropdelay; + iret = dsttl + retiresafety + parentpropdelay; 
ksk_min_lifetime = ISC_MAX(ipub, iret); - iret = (sigvalidity - sigrefresh) + - get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL) + - get_duration(maps, "retire-safety", DNS_KASP_RETIRE_SAFETY) + - get_duration(maps, "zone-propagation-delay", - DNS_KASP_ZONE_PROPDELAY); - + iret = (sigvalidity - sigrefresh) + maxttl + retiresafety + + zonepropdelay; zsk_min_lifetime = ISC_MAX(ipub, iret); (void)confget(maps, "keys", &keys); @@ -489,20 +534,6 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx, } } - /* Configuration: Zone settings */ - dns_kasp_setzonemaxttl( - kasp, get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL)); - dns_kasp_setzonepropagationdelay( - kasp, get_duration(maps, "zone-propagation-delay", - DNS_KASP_ZONE_PROPDELAY)); - - /* Configuration: Parent settings */ - dns_kasp_setdsttl(kasp, - get_duration(maps, "parent-ds-ttl", DNS_KASP_DS_TTL)); - dns_kasp_setparentpropagationdelay( - kasp, get_duration(maps, "parent-propagation-delay", - DNS_KASP_PARENT_PROPDELAY)); - /* Append it to the list for future lookups. */ ISC_LIST_APPEND(*kasplist, kasp, link); INSIST(!(ISC_LIST_EMPTY(*kasplist)));
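Review bot: `iret = (sigvalidity - sigrefresh) + maxttl + retiresafety + zonepropdelay;` and the `ipub`/`iret` sums are plain uint32_t arithmetic on values that come from `cfg_obj_asduration` for user-written policies, so a sufficiently large duration in the config (the range `cfg_obj_asduration` admits is not visible here) would wrap rather than be rejected. The subtraction is only safe because the earlier "90% of signatures-validity" check fails the policy; that dependency deserves a comment such as `/* sigrefresh < sigvalidity is guaranteed by the check above */`, and the sums are cheap to do in uint64_t with a range check before the ISC_MAX. `dns_kasp_setpurgekeys` is the one setter still fed by an inline `get_duration` call while every neighbour was hoisted into a named local; hoisting it too would keep the block uniform. The enclosing function continues outside this hunk.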