mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-31 14:35:26 +00:00
Code Issues Releases Wiki Activity

Use keywords in dnssec-policy keys configuration

Browse Source 
Add keywords 'lifetime' and 'algorithm' to make the key configuration
more clear.
This commit is contained in:
Matthijs Mekking
2019-10-21 13:26:30 +02:00
parent 36c72bf3c3
commit 6468ffc336
10 changed files with 57 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
bin/named/named.conf.docbook
View File

@@ -1015,7 +1015,7 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
<literallayout class="normal">
dnssec-policy <replaceable>string</replaceable> {
dnskey-ttl <replaceable>ttlval</replaceable>;
keys { ( csk | ksk | zsk ) key-directory <replaceable>duration</replaceable> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
keys { ( csk | ksk | zsk ) key-directory lifetime <replaceable>duration</replaceable> algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
parent-ds-ttl <replaceable>duration</replaceable>;
parent-propagation-delay <replaceable>duration</replaceable>;
parent-registration-delay <replaceable>duration</replaceable>;

6
bin/tests/system/checkconf/good-kasp.conf
View File

@@ -17,9 +17,9 @@
dnssec-policy "test" {
dnskey-ttl 3600;
keys {
ksk key-directory P1Y 13 256;
zsk key-directory P30D 13;
csk key-directory P30D 8 2048;
ksk key-directory lifetime P1Y algorithm 13 256;
zsk key-directory lifetime P30D algorithm 13;
csk key-directory lifetime P30D algorithm 8 2048;
};
publish-safety PT3600S;
retire-safety PT3600S;

8
bin/tests/system/kasp/kasp.conf
View File

@@ -17,9 +17,9 @@ dnssec-policy "kasp" {
dnskey-ttl 200;
keys {
csk key-directory P1Y 13;
ksk key-directory P1Y 8;
zsk key-directory P30D 8 1024;
zsk key-directory P6M 8 2000;
csk key-directory lifetime P1Y algorithm 13;
ksk key-directory lifetime P1Y algorithm 8;
zsk key-directory lifetime P30D algorithm 8 1024;
zsk key-directory lifetime P6M algorithm 8 2000;
};
};

12
bin/tests/system/kasp/ns3/policies/autosign.conf
View File

@@ -18,8 +18,8 @@ dnssec-policy "autosign" {
dnskey-ttl 300;
keys {
ksk key-directory P2Y 13;
zsk key-directory P1Y 13;
ksk key-directory lifetime P2Y algorithm 13;
zsk key-directory lifetime P1Y algorithm 13;
};
};
@@ -34,8 +34,8 @@ dnssec-policy "zsk-prepub" {
retire-safety P2D;
keys {
ksk key-directory P2Y 13;
zsk key-directory P30D 13;
ksk key-directory lifetime P2Y algorithm 13;
zsk key-directory lifetime P30D algorithm 13;
};
zone-propagation-delay PT1H;
@@ -53,8 +53,8 @@ dnssec-policy "ksk-doubleksk" {
retire-safety P2D;
keys {
ksk key-directory P60D 13;
zsk key-directory P1Y 13;
ksk key-directory lifetime P60D algorithm 13;
zsk key-directory lifetime P1Y algorithm 13;
};
zone-propagation-delay PT1H;

36
bin/tests/system/kasp/ns3/policies/kasp.conf
View File

@@ -13,9 +13,9 @@ dnssec-policy "rsasha1" {
dnskey-ttl 1234;
keys {
ksk key-directory P10Y 5;
zsk key-directory P5Y 5;
zsk key-directory P1Y 5 2000;
ksk key-directory lifetime P10Y algorithm 5;
zsk key-directory lifetime P5Y algorithm 5;
zsk key-directory lifetime P1Y algorithm 5 2000;
};
};
@@ -23,9 +23,9 @@ dnssec-policy "rsasha1-nsec3" {
dnskey-ttl 1234;
keys {
ksk key-directory P10Y 7;
zsk key-directory P5Y 7;
zsk key-directory P1Y 7 2000;
ksk key-directory lifetime P10Y algorithm 7;
zsk key-directory lifetime P5Y algorithm 7;
zsk key-directory lifetime P1Y algorithm 7 2000;
};
};
@@ -33,9 +33,9 @@ dnssec-policy "rsasha256" {
dnskey-ttl 1234;
keys {
ksk key-directory P10Y 8;
zsk key-directory P5Y 8;
zsk key-directory P1Y 8 2000;
ksk key-directory lifetime P10Y algorithm 8;
zsk key-directory lifetime P5Y algorithm 8;
zsk key-directory lifetime P1Y algorithm 8 2000;
};
};
@@ -43,9 +43,9 @@ dnssec-policy "rsasha512" {
dnskey-ttl 1234;
keys {
ksk key-directory P10Y 10;
zsk key-directory P5Y 10;
zsk key-directory P1Y 10 2000;
ksk key-directory lifetime P10Y algorithm 10;
zsk key-directory lifetime P5Y algorithm 10;
zsk key-directory lifetime P1Y algorithm 10 2000;
};
};
@@ -53,9 +53,9 @@ dnssec-policy "ecdsa256" {
dnskey-ttl 1234;
keys {
ksk key-directory P10Y 13;
zsk key-directory P5Y 13;
zsk key-directory P1Y 13 256;
ksk key-directory lifetime P10Y algorithm 13;
zsk key-directory lifetime P5Y algorithm 13;
zsk key-directory lifetime P1Y algorithm 13 256;
};
};
@@ -63,8 +63,8 @@ dnssec-policy "ecdsa384" {
dnskey-ttl 1234;
keys {
ksk key-directory P10Y 14;
zsk key-directory P5Y 14;
zsk key-directory P1Y 14 384;
ksk key-directory lifetime P10Y algorithm 14;
zsk key-directory lifetime P5Y algorithm 14;
zsk key-directory lifetime P1Y algorithm 14 384;
};
};

6
doc/arm/Bv9ARM-book.xml
View File

@@ -11059,9 +11059,9 @@ example.com CNAME rpz-tcp-only.
</para>
<programlisting>keys {
ksk key-directory P5Y 8 2048;
zsk key-directory P30D 8;
csk key-directory P6MT12H3M15S 13;
ksk key-directory lifetime P5Y algorithm 8 2048;
zsk key-directory lifetime P30D algorithm 8;
csk key-directory lifetime P6MT12H3M15S algorithm 13;
};
</programlisting>

2
doc/arm/dnssec.xml
View File

@@ -54,7 +54,7 @@
<programlisting>
dnssec-policy csk {
keys {
csk key-directory P5Y 13;
csk key-directory lifetime P5Y algorithm 13;
};
};
</programlisting>

6
doc/design/dnssec-policy
View File

@@ -199,9 +199,9 @@ is referred to as a CSK. Below is an example configuration for the three types
of keys:
```
keys {
ksk key-directory P5Y ECDSAP256SHA256;
zsk key-directory P30D ECDSAP256SHA256;
csk key-directory PT0S 8 2048;
ksk key-directory lifetime P5Y algorithm ECDSAP256SHA256;
zsk key-directory lifetime P30D algorithm ECDSAP256SHA256;
csk key-directory lifetime PT0S algorithm 8 2048;
};
```

2
doc/misc/options
View File

@@ -27,7 +27,7 @@ dnssec-keys { <string> ( static-key |
dnssec-policy <string> {
dnskey-ttl <ttlval>;
keys { ( csk | ksk | zsk ) key-directory <duration> <string>
keys { ( csk | ksk | zsk ) key-directory lifetime <duration> algorithm <integer>
[ <integer> ]; ... };
parent-ds-ttl <duration>;
parent-propagation-delay <duration>;

19
lib/isccfg/namedconf.c
View File

@@ -502,11 +502,23 @@ static cfg_type_t cfg_type_dnsseckeystore = {
/*%
* A dnssec key, as used in the "keys" statement in a "dnssec-policy".
*/
static keyword_type_t algorithm_kw = { "algorithm", &cfg_type_uint32 };
static cfg_type_t cfg_type_algorithm = {
"algorithm", parse_keyvalue, print_keyvalue,
doc_keyvalue, &cfg_rep_uint32, &algorithm_kw
};
static keyword_type_t lifetime_kw = { "lifetime", &cfg_type_duration };
static cfg_type_t cfg_type_lifetime = {
"lifetime", parse_keyvalue, print_keyvalue,
doc_keyvalue, &cfg_rep_duration, &lifetime_kw
};
static cfg_tuplefielddef_t kaspkey_fields[] = {
{ "role", &cfg_type_dnsseckeyrole, 0 },
{ "keystore-type", &cfg_type_dnsseckeystore, 0 },
{ "lifetime", &cfg_type_duration, 0 },
{ "algorithm", &cfg_type_uint32, 0 },
{ "lifetime", &cfg_type_lifetime, 0 },
{ "algorithm", &cfg_type_algorithm, 0 },
{ "length", &cfg_type_optional_uint32, 0 },
{ NULL, NULL, 0 }
};
@@ -515,6 +527,9 @@ static cfg_type_t cfg_type_kaspkey = {
&cfg_rep_tuple, kaspkey_fields
};
/*%
* Wild class, type, name.
*/
static keyword_type_t wild_class_kw = { "class", &cfg_type_ustring };
static cfg_type_t cfg_type_optional_wild_class = {