Add purge-keys config option

Add a new option 'purge-keys' to 'dnssec-policy' that will purge key
files for deleted keys. The option determines how long key files
should be retained prior to removing the corresponding files from
disk.

If set to 0, the option is disabled and 'named' will not remove key
files from disk.

bin/named/named.conf.rst

@@ -71,6 +71,7 @@ DNSSEC-POLICY
   	parent-ds-ttl duration;
   	parent-propagation-delay duration;
   	publish-safety duration;
+  	purge-keys duration;
   	retire-safety duration;
   	signatures-refresh duration;
   	signatures-validity duration;

bin/tests/system/checkconf/good.conf

@@ -26,6 +26,7 @@ dnssec-policy "test" {
 	parent-ds-ttl 7200;
 	parent-propagation-delay PT1H;
 	publish-safety PT3600S;
+	purge-keys P90D;
 	retire-safety PT3600S;
 	signatures-refresh P3D;
 	signatures-validity P2W;

doc/arm/reference.rst

@@ -4980,6 +4980,15 @@ The following options can be specified in a ``dnssec-policy`` statement:
     bits.  If it is omitted, as shown in the example for the second and
     third keys, an appropriate default size for the algorithm is used.
 
+  ``purge-keys``
+    This is the time after when DNSSEC keys that have been deleted from
+    the zone can be removed from disk. If a key still determined to have
+    presence (for example in some resolver cache), ``named`` will not
+    remove the key files.
+
+    The default is ``P90D`` (90 days). Set this option to ``0`` to never
+    purge deleted keys.
+
   ``publish-safety``
     This is a margin that is added to the pre-publication interval in
     rollover timing calculations, to give some extra time to cover

doc/design/dnssec-policy

@@ -135,7 +135,7 @@ dnssec-policy "nsec3" {
     publish-safety PT3600S;
     retire-safety PT3600S;
     share-keys no;
-    purge-keys-after P14D;
+    purge-keys P90D;
 
     keys {
 	ksk key-directory P5Y ECDSAP256SHA256;

doc/dnssec-guide/signing.rst

@@ -753,9 +753,10 @@ keys. The following is an example of such a clause:
 
 The policy has multiple parts:
 
--  The name must be specified. As each zone can use a different policy, ``named`` needs to
-   be able to distinguish between policies. This is done by giving each
-   policy a name, such as ``standard`` in the above example.
+-  The name must be specified. As each zone can use a different policy,
+   ``named`` needs to be able to distinguish between policies. This is
+   done by giving each policy a name, such as ``standard`` in the above
+   example.
 
 -  The ``keys`` clause lists all keys that should be in the zone, along
    with their associated parameters. In this example, we are using the
@@ -782,7 +783,7 @@ The policy has multiple parts:
    long the signatures on the DNSKEY and non-DNSKEY records are valid,
    and how often BIND should re-sign the zone.
 
--  Finally, the parameters ending in ``-safety`` are there to give
+-  The parameters ending in ``-safety`` are there to give
    you a bit of leeway in case a key roll doesn't go to plan. When
    introduced into the zone, the ``publish-safety`` time is the amount
    of additional time, over and above that calculated from the other
@@ -792,6 +793,11 @@ The policy has multiple parts:
    other parameters, during which the old key is retained in the zone before
    being removed.
 
+-  Finally, the ``purge-keys`` option allows you to clean up key files
+   automatically after a period of time. If a key has been removed from the
+   zone, this option will determine how long its key files will be retained
+   on disk.
+
 (You do not have to specify all the items listed above in your policy
 definition. Any that are not set simply take the default value.)
 

doc/man/named.conf.5in

@@ -110,6 +110,7 @@ dnssec\-policy string {
       parent\-ds\-ttl duration;
       parent\-propagation\-delay duration;
       publish\-safety duration;
+      purge\-keys duration;
       retire\-safety duration;
       signatures\-refresh duration;
       signatures\-validity duration;

doc/misc/dnssec-policy.default.conf

@@ -8,6 +8,7 @@ dnssec-policy "default" {
 	dnskey-ttl 3600;
 	publish-safety 1h;
 	retire-safety 1h;
+        purge-keys P90D;
 
 	// Signature timings
 	signatures-refresh 5d;

doc/misc/dnssec-policy.grammar.rst

@@ -10,6 +10,7 @@
   	parent-ds-ttl <duration>;
   	parent-propagation-delay <duration>;
   	publish-safety <duration>;
+  	purge-keys <duration>;
   	retire-safety <duration>;
   	signatures-refresh <duration>;
   	signatures-validity <duration>;

doc/misc/options

@@ -32,6 +32,7 @@ dnssec-policy <string> {
         parent-propagation-delay <duration>;
         parent-registration-delay <duration>; // obsolete
         publish-safety <duration>;
+        purge-keys <duration>;
         retire-safety <duration>;
         signatures-refresh <duration>;
         signatures-validity <duration>;

doc/misc/options.active

@@ -31,6 +31,7 @@ dnssec-policy <string> {
         parent-ds-ttl <duration>;
         parent-propagation-delay <duration>;
         publish-safety <duration>;
+        purge-keys <duration>;
         retire-safety <duration>;
         signatures-refresh <duration>;
         signatures-validity <duration>;

lib/dns/include/dns/kasp.h

@@ -89,6 +89,7 @@ struct dns_kasp {
 	/* Configuration: Timings */
 	uint32_t publish_safety;
 	uint32_t retire_safety;
+	uint32_t purge_keys;
 
 	/* Zone settings */
 	dns_ttl_t zone_max_ttl;
@@ -109,6 +110,7 @@ struct dns_kasp {
 #define DNS_KASP_KEY_TTL	     (3600)
 #define DNS_KASP_DS_TTL		     (86400)
 #define DNS_KASP_PUBLISH_SAFETY	     (3600)
+#define DNS_KASP_PURGE_KEYS	     (86400 * 90)
 #define DNS_KASP_RETIRE_SAFETY	     (3600)
 #define DNS_KASP_ZONE_MAXTTL	     (86400)
 #define DNS_KASP_ZONE_PROPDELAY	     (300)
@@ -306,6 +308,30 @@ dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl);
  *\li   'kasp' is a valid, thawed kasp.
  */
 
+uint32_t
+dns_kasp_purgekeys(dns_kasp_t *kasp);
+/*%<
+ * Get purge keys interval.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   Purge keys interval.
+ */
+
+void
+dns_kasp_setpurgekeys(dns_kasp_t *kasp, uint32_t value);
+/*%<
+ * Set purge keys interval.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
 uint32_t
 dns_kasp_publishsafety(dns_kasp_t *kasp);
 /*%<

lib/dns/kasp.c

@@ -53,6 +53,7 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp) {
 	kasp->dnskey_ttl = DNS_KASP_KEY_TTL;
 	kasp->publish_safety = DNS_KASP_PUBLISH_SAFETY;
 	kasp->retire_safety = DNS_KASP_RETIRE_SAFETY;
+	kasp->purge_keys = DNS_KASP_PURGE_KEYS;
 
 	kasp->zone_max_ttl = DNS_KASP_ZONE_MAXTTL;
 	kasp->zone_propagation_delay = DNS_KASP_ZONE_PROPDELAY;
@@ -203,6 +204,22 @@ dns_kasp_setdnskeyttl(dns_kasp_t *kasp, dns_ttl_t ttl) {
 	kasp->dnskey_ttl = ttl;
 }
 
+uint32_t
+dns_kasp_purgekeys(dns_kasp_t *kasp) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(kasp->frozen);
+
+	return (kasp->purge_keys);
+}
+
+void
+dns_kasp_setpurgekeys(dns_kasp_t *kasp, uint32_t value) {
+	REQUIRE(DNS_KASP_VALID(kasp));
+	REQUIRE(!kasp->frozen);
+
+	kasp->purge_keys = value;
+}
+
 uint32_t
 dns_kasp_publishsafety(dns_kasp_t *kasp) {
 	REQUIRE(DNS_KASP_VALID(kasp));

lib/dns/win32/libdns.def.in

@@ -442,6 +442,7 @@ dns_kasp_nsec3iter
 dns_kasp_nsec3saltlen
 dns_kasp_parentpropagationdelay
 dns_kasp_publishsafety
+dns_kasp_purgekeys
 dns_kasp_retiresafety
 dns_kasp_setdnskeyttl
 dns_kasp_setdsttl
@@ -449,6 +450,7 @@ dns_kasp_setnsec3
 dns_kasp_setnsec3param
 dns_kasp_setparentpropagationdelay
 dns_kasp_setpublishsafety
+dns_kasp_setpurgekeys
 dns_kasp_setretiresafety
 dns_kasp_setsigrefresh
 dns_kasp_setsigvalidity

lib/isccfg/kaspconf.c

@@ -315,6 +315,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, const char *name, isc_mem_t *mctx,
 						     DNS_KASP_PUBLISH_SAFETY));
 	dns_kasp_setretiresafety(kasp, get_duration(maps, "retire-safety",
 						    DNS_KASP_RETIRE_SAFETY));
+	dns_kasp_setpurgekeys(
+		kasp, get_duration(maps, "purge-keys", DNS_KASP_PURGE_KEYS));
 
 	(void)confget(maps, "keys", &keys);
 	if (keys != NULL) {

lib/isccfg/namedconf.c

@@ -2131,6 +2131,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
 	{ "parent-registration-delay", &cfg_type_duration,
 	  CFG_CLAUSEFLAG_OBSOLETE },
 	{ "publish-safety", &cfg_type_duration, 0 },
+	{ "purge-keys", &cfg_type_duration, 0 },
 	{ "retire-safety", &cfg_type_duration, 0 },
 	{ "signatures-refresh", &cfg_type_duration, 0 },
 	{ "signatures-validity", &cfg_type_duration, 0 },