mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-09-03 16:15:27 +00:00
Code Issues Releases Wiki Activity

Update zoneconf to use kasp config

Browse Source 
If a zone has a dnssec-policy set, use signature validity,
dnskey signature validity, and signature refresh from
dnssec-policy.

Zones configured with 'dnssec-policy' will allow 'named' to create
DNSSEC keys (similar to dnssec-keymgr) if not available.
This commit is contained in:
Matthijs Mekking
2019-10-17 11:38:56 +02:00
parent 7e7aa5387c
commit 09990672d9
1 changed files with 56 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

85
bin/named/zoneconf.c
View File

@@ -1500,38 +1500,52 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
bool allow = false, maint = false; bool allow = false, maint = false;
bool sigvalinsecs; bool sigvalinsecs;
obj = NULL; if (kasp) {
result = named_config_get(maps, "dnskey-sig-validity", &obj); seconds = (uint32_t) dns_kasp_sigvalidity_dnskey(kasp);
INSIST(result == ISC_R_SUCCESS && obj != NULL); } else {
seconds = cfg_obj_asuint32(obj) * 86400; obj = NULL;
result = named_config_get(maps, "dnskey-sig-validity",
&obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
seconds = cfg_obj_asuint32(obj) * 86400;
}
dns_zone_setkeyvalidityinterval(zone, seconds); dns_zone_setkeyvalidityinterval(zone, seconds);
obj = NULL; if (kasp) {
result = named_config_get(maps, "sig-validity-interval", &obj); seconds = (uint32_t) dns_kasp_sigvalidity(kasp);
INSIST(result == ISC_R_SUCCESS && obj != NULL); dns_zone_setsigvalidityinterval(zone, seconds);
seconds = (uint32_t) dns_kasp_sigrefresh(kasp);
sigvalinsecs = ns_server_getoption(named_g_server->sctx, dns_zone_setsigresigninginterval(zone, seconds);
NS_SERVER_SIGVALINSECS);
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity);
if (!sigvalinsecs) {
seconds *= 86400;
}
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else if (!sigvalinsecs) {
if (seconds > 7 * 86400) {
seconds = cfg_obj_asuint32(resign) * 86400;
} else {
seconds = cfg_obj_asuint32(resign) * 3600;
}
} else { } else {
seconds = cfg_obj_asuint32(resign); obj = NULL;
result = named_config_get(maps, "sig-validity-interval",
&obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL);
sigvalinsecs = ns_server_getoption(named_g_server->sctx,
NS_SERVER_SIGVALINSECS);
validity = cfg_tuple_get(obj, "validity");
seconds = cfg_obj_asuint32(validity);
if (!sigvalinsecs) {
seconds *= 86400;
}
dns_zone_setsigvalidityinterval(zone, seconds);
resign = cfg_tuple_get(obj, "re-sign");
if (cfg_obj_isvoid(resign)) {
seconds /= 4;
} else if (!sigvalinsecs) {
seconds = cfg_obj_asuint32(resign);
if (seconds > 7 * 86400) {
seconds *= 86400;
} else {
seconds *= 3600;
}
} else {
seconds = cfg_obj_asuint32(resign);
}
dns_zone_setsigresigninginterval(zone, seconds);
} }
dns_zone_setsigresigninginterval(zone, seconds);
obj = NULL; obj = NULL;
result = named_config_get(maps, "key-directory", &obj); result = named_config_get(maps, "key-directory", &obj);
@@ -1560,12 +1574,20 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
INSIST(result == ISC_R_SUCCESS && obj != NULL); INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK, dns_zone_setoption(zone, DNS_ZONEOPT_UPDATECHECKKSK,
cfg_obj_asboolean(obj)); cfg_obj_asboolean(obj));
/*
* This setting will be ignored if dnssec-policy is used.
* named-checkconf will error if both are configured.
*/
obj = NULL; obj = NULL;
result = named_config_get(maps, "dnssec-dnskey-kskonly", &obj); result = named_config_get(maps, "dnssec-dnskey-kskonly", &obj);
INSIST(result == ISC_R_SUCCESS && obj != NULL); INSIST(result == ISC_R_SUCCESS && obj != NULL);
dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY, dns_zone_setoption(zone, DNS_ZONEOPT_DNSKEYKSKONLY,
cfg_obj_asboolean(obj)); cfg_obj_asboolean(obj));
/*
* This setting will be ignored if dnssec-policy is used.
* named-checkconf will error if both are configured.
*/
obj = NULL; obj = NULL;
result = named_config_get(maps, "dnssec-loadkeys-interval", result = named_config_get(maps, "dnssec-loadkeys-interval",
@@ -1576,7 +1598,11 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
obj = NULL; obj = NULL;
result = cfg_map_get(zoptions, "auto-dnssec", &obj); result = cfg_map_get(zoptions, "auto-dnssec", &obj);
if (result == ISC_R_SUCCESS) { if (dns_zone_getkasp(zone) != NULL) {
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, true);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, true);
} else if (result == ISC_R_SUCCESS) {
const char *arg = cfg_obj_asstring(obj); const char *arg = cfg_obj_asstring(obj);
if (strcasecmp(arg, "allow") == 0) { if (strcasecmp(arg, "allow") == 0) {
allow = true; allow = true;
@@ -1589,6 +1615,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
ISC_UNREACHABLE(); ISC_UNREACHABLE();
} }
dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow); dns_zone_setkeyopt(zone, DNS_ZONEKEY_ALLOW, allow);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_CREATE, false);
dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint); dns_zone_setkeyopt(zone, DNS_ZONEKEY_MAINTAIN, maint);
} }
} }