Introduce dnssec-policy configuration

This commit introduces the initial `dnssec-policy` configuration statement. It has an initial set of options to deal with signature and key maintenance. Add some checks to ensure that dnssec-policy is configured at the right locations, and that policies referenced to in zone statements actually exist. Add some checks that when a user adds the new `dnssec-policy` configuration, it will no longer contain existing DNSSEC configuration options. Specifically: `inline-signing`, `auto-dnssec`, `dnssec-dnskey-kskonly`, `dnssec-secure-to-insecure`, `update-check-ksk`, `dnssec-update-mode`, `dnskey-sig-validity`, and `sig-validity-interval`. Test a good kasp configuration, and some bad configurations.
2025-08-30 22:15:20 +00:00 · 2019-09-02 16:24:48 +02:00
parent 1fbd8bb1b3
commit a50d707fdc
21 changed files with 653 additions and 11 deletions
--- a/lib/bind9/check.c
+++ b/lib/bind9/check.c
@@ -856,6 +856,7 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 	const char *str;
 	isc_buffer_t b;
 	uint32_t lifetime = 3600;
+	bool has_dnssecpolicy = false;
 	const char *ccalg = "siphash24";

 	/*
@@ -948,6 +949,44 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 		}
 	}

+	/*
+	 * Check dnssec-policy at the view/options level
+	 */
+	obj = NULL;
+	(void)cfg_map_get(options, "dnssec-policy", &obj);
+	if (obj != NULL) {
+		bool bad_kasp = true;
+		if (optlevel == optlevel_zone && cfg_obj_isstring(obj)) {
+			bad_kasp = false;
+		} else if (optlevel == optlevel_config) {
+			if (cfg_obj_islist(obj)) {
+				for (element = cfg_list_first(obj);
+				     element != NULL;
+				     element = cfg_list_next(element))
+				{
+					if (!cfg_obj_istuple(
+						    cfg_listelt_value(element)))
+					{
+						break;
+					}
+				}
+				bad_kasp = false;
+			}
+		}
+
+		if (bad_kasp) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-policy may only be activated at "
+				    "the top level and referenced to at the "
+				    "zone level");
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		}
+
+		has_dnssecpolicy = true;
+	}
+
 	obj = NULL;
 	cfg_map_get(options, "max-rsa-exponent-size", &obj);
 	if (obj != NULL) {
@@ -996,6 +1035,13 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 				result = ISC_R_RANGE;
 			}
 		}
+
+		if (has_dnssecpolicy) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "sig-validity-interval: cannot be "
+				    "configured if dnssec-policy is also set");
+			result = ISC_R_FAILURE;
+		}
 	}

 	obj = NULL;
@@ -1012,6 +1058,12 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 			result = ISC_R_RANGE;
 		}

+		if (has_dnssecpolicy) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnskey-sig-validity: cannot be "
+				    "configured if dnssec-policy is also set");
+			result = ISC_R_FAILURE;
+		}
 	}

 	obj = NULL;
@@ -1117,8 +1169,9 @@ check_options(const cfg_obj_t *options, isc_log_t *logctx, isc_mem_t *mctx,
 			if (result == ISC_R_SUCCESS && tresult != ISC_R_SUCCESS)
 				result = tresult;
 		}
-		if (symtab != NULL)
+		if (symtab != NULL) {
 			isc_symtab_destroy(&symtab);
+		}
 	}

 	/*
@@ -1858,6 +1911,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	bool dlz;
 	dns_masterformat_t masterformat;
 	bool ddns = false;
+	bool has_dnssecpolicy = false;
 	const void *clauses = NULL;
 	const char *option = NULL;
 	static const char *acls[] = {
@@ -2070,6 +2124,42 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 	if (check_nonzero(zoptions, logctx) != ISC_R_SUCCESS)
 		result = ISC_R_FAILURE;

+	/*
+	 * Check if a dnssec-policy is set.
+	 */
+	obj = NULL;
+	(void)cfg_map_get(zoptions, "dnssec-policy", &obj);
+	if (obj != NULL) {
+		const cfg_obj_t *kasps = NULL;
+		const char* kaspname = cfg_obj_asstring(obj);
+
+		if (strcmp(kaspname, "default") == 0) {
+			has_dnssecpolicy = true;
+		} else {
+			(void)cfg_map_get(config, "dnssec-policy", &kasps);
+			for (element = cfg_list_first(kasps); element != NULL;
+			     element = cfg_list_next(element))
+			{
+				const char* kn = cfg_obj_asstring(
+				       cfg_tuple_get(cfg_listelt_value(element),
+						     "name"));
+				if (strcmp(kaspname, kn) == 0) {
+					has_dnssecpolicy = true;
+				}
+			}
+		}
+
+		if (!has_dnssecpolicy) {
+			cfg_obj_log(zconfig, logctx, ISC_LOG_ERROR,
+				    "zone '%s': option 'dnssec-policy %s' "
+				    "has no matching dnssec-policy config",
+				    znamestr, kaspname);
+			if (result == ISC_R_SUCCESS) {
+				result = ISC_R_FAILURE;
+			}
+		}
+	}
+
 	/*
 	 * Check validity of the zone options.
 	 */
@@ -2256,19 +2346,36 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 		if (res1 == ISC_R_SUCCESS)
 			signing = cfg_obj_asboolean(obj);

+		if (signing && has_dnssecpolicy) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "inline-signing: cannot be configured if "
+				    "dnssec-policy is also set");
+			result = ISC_R_FAILURE;
+		}
+
 		obj = NULL;
 		arg = "off";
 		res3 = cfg_map_get(zoptions, "auto-dnssec", &obj);
-		if (res3 == ISC_R_SUCCESS)
+		if (res3 == ISC_R_SUCCESS) {
 			arg = cfg_obj_asstring(obj);
-		if (strcasecmp(arg, "off") != 0 && !ddns && !signing) {
-			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
-				    "'auto-dnssec %s;' requires%s "
-				    "inline-signing to be configured for "
-				    "the zone", arg,
-				    (ztype == CFG_ZONE_MASTER) ?
-					 " dynamic DNS or" : "");
-			result = ISC_R_FAILURE;
+		}
+		if (strcasecmp(arg, "off") != 0) {
+			if (!ddns && !signing) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "'auto-dnssec %s;' requires%s "
+					    "inline-signing to be configured "
+					    "for the zone", arg,
+					    (ztype == CFG_ZONE_MASTER) ?
+					    " dynamic DNS or" : "");
+				result = ISC_R_FAILURE;
+			}
+			if (has_dnssecpolicy) {
+				cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+					    "'auto-dnssec %s;' cannot be "
+					    "configured if dnssec-policy is "
+					    "also set", arg);
+				result = ISC_R_FAILURE;
+			}
 		}

 		obj = NULL;
@@ -2293,6 +2400,21 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 				    "inline-signing when used in slave zone");
 			result = ISC_R_FAILURE;
 		}
+		if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-dnskey-kskonly: cannot be "
+				    "configured if dnssec-policy is also set");
+			result = ISC_R_FAILURE;
+		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "dnssec-secure-to-insecure", &obj);
+		if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-secure-to-insecure: cannot be "
+				    "configured if dnssec-policy is also set");
+			result = ISC_R_FAILURE;
+		}

 		obj = NULL;
 		res1 = cfg_map_get(zoptions, "dnssec-loadkeys-interval", &obj);
@@ -2315,6 +2437,21 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
 				    "inline-signing when used in slave zone");
 			result = ISC_R_FAILURE;
 		}
+		if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "update-check-ksk: cannot be configured "
+				    "if dnssec-policy is also set");
+			result = ISC_R_FAILURE;
+		}
+
+		obj = NULL;
+		res1 = cfg_map_get(zoptions, "dnssec-update-mode", &obj);
+		if (res1 == ISC_R_SUCCESS && has_dnssecpolicy) {
+			cfg_obj_log(obj, logctx, ISC_LOG_ERROR,
+				    "dnssec-update-mode: cannot be configured "
+				    "if dnssec-policy is also set");
+			result = ISC_R_FAILURE;
+		}
 	}

 	/*