
Merge branch '3677-dnssec-policy-inline-signing' into 'main'

Add inline-signing to dnssec-policy

Closes #3677

See merge request isc-projects/bind9!7204
Matthijs Mekking 2023-08-01 06:55:56 +00:00
commit ce869a521c
48 changed files with 246 additions and 222 deletions


@ -1,3 +1,5 @@
6218. [func] Add inline-signing to dnssec-policy. [GL #3677]
6217. [func] The dns_badcache unit was refactored to use cds_lfht
instead of hand-crafted locked hashtable. [GL #4223]


@ -294,6 +294,7 @@ dnssec-policy \"default\" {\n\
cdnskey yes;\n\
cds-digest-types { 2; };\n\
dnskey-ttl " DNS_KASP_KEY_TTL ";\n\
inline-signing yes;\n\
publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
purge-keys " DNS_KASP_PURGE_KEYS "; \n\
@ -308,6 +309,7 @@ dnssec-policy \"default\" {\n\
\n\
dnssec-policy \"insecure\" {\n\
keys { };\n\
inline-signing yes;\n\
};\n\
\n\
"
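Review bot: The built-in "default" and "insecure" policies now carry `inline-signing yes;`, and that is a behaviour change for every existing zone that names one of them without a zone-level `inline-signing` clause, so it deserves a why-comment and a release note rather than only the one-line CHANGES entry. A dynamic zone (`allow-update`) that previously ran `dnssec-policy default` will presumably be judged not reusable by named_zone_reusable on reconfigure and be recreated with a full re-sign — the test configurations in this commit work around exactly that by adding `inline-signing no;` to such zones. Since the clause sits inside a backslash-continued string literal, the comment has to go above the definition of this built-in configuration string (outside the hunk): `/* dnssec-policy defaults to inline-signing yes; zones updated in place (allow-update) must set inline-signing no explicitly. */`. The string literal begins before the first hunk of this file.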


@ -44,7 +44,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
*/
bool
named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, const cfg_obj_t *config,
dns_kasplist_t *kasplist);
/*%<
* If 'zone' can be safely reconfigured according to the configuration
* data in 'zconfig', return true. If the configuration data is so
@ -53,10 +55,12 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig);
*/
bool
named_zone_inlinesigning(const cfg_obj_t *zconfig);
named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
const cfg_obj_t *config, dns_kasplist_t *kasplist);
/*%<
* Determine if zone uses inline-signing. This is true if inline-signing
* is set to yes.
* is set to yes, in the zone clause or in the zone's dnssec-policy clause.
* By default, dnssec-policy uses inline-signing.
*/
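Review bot: The doc comment of named_zone_reusable was not updated for the three new parameters, and the one for named_zone_inlinesigning does not describe them either; neither states that 'vconfig' and 'config' may be NULL, which the implementation in zoneconf.c relies on (it tests both for NULL before use), nor what 'kasplist' is consulted for. I would add to the named_zone_inlinesigning block: `* 'vconfig' and 'config' may be NULL. When the zone clause has no inline-signing option, 'kasplist' is searched for the policy named by the effective dnssec-policy option (taken from the zone, view or global options) and that policy's inline-signing setting is returned; an unknown policy name yields false.` and a parallel sentence in named_zone_reusable's comment, whose text continues past the first hunk.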
isc_result_t


@ -6715,7 +6715,9 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
goto cleanup;
}
if (zone != NULL && !named_zone_reusable(zone, zconfig)) {
if (zone != NULL &&
!named_zone_reusable(zone, zconfig, vconfig, config, kasplist))
{
dns_zone_detach(&zone);
fullsign = true;
}
@ -6788,7 +6790,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
strcasecmp(ztypestr, "slave") == 0));
if (zone_maybe_inline) {
inline_signing = named_zone_inlinesigning(zconfig);
inline_signing = named_zone_inlinesigning(zconfig, vconfig,
config, kasplist);
}
if (inline_signing) {
dns_zone_getraw(zone, &raw);


@ -1917,7 +1917,9 @@ named_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone,
}
bool
named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig,
const cfg_obj_t *vconfig, const cfg_obj_t *config,
dns_kasplist_t *kasplist) {
const cfg_obj_t *zoptions = NULL;
const cfg_obj_t *obj = NULL;
const char *cfilename;
@ -1951,7 +1953,8 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
has_raw = false;
}
inline_signing = named_zone_inlinesigning(zconfig);
inline_signing = named_zone_inlinesigning(zconfig, vconfig, config,
kasplist);
if (!inline_signing && has_raw) {
dns_zone_log(zone, ISC_LOG_DEBUG(1),
"not reusable: old zone was inline-signing");
@ -1988,15 +1991,53 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) {
}
bool
named_zone_inlinesigning(const cfg_obj_t *zconfig) {
const cfg_obj_t *zoptions = NULL;
named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig,
const cfg_obj_t *config, dns_kasplist_t *kasplist) {
const cfg_obj_t *maps[4];
const cfg_obj_t *signing = NULL;
const cfg_obj_t *policy = NULL;
dns_kasp_t *kasp = NULL;
isc_result_t res;
bool inline_signing = false;
int i = 0;
zoptions = cfg_tuple_get(zconfig, "options");
inline_signing = (cfg_map_get(zoptions, "inline-signing", &signing) ==
ISC_R_SUCCESS &&
cfg_obj_asboolean(signing));
maps[i++] = cfg_tuple_get(zconfig, "options");
if (vconfig != NULL) {
maps[i++] = cfg_tuple_get(vconfig, "options");
}
if (config != NULL) {
const cfg_obj_t *options = NULL;
(void)cfg_map_get(config, "options", &options);
if (options != NULL) {
maps[i++] = options;
}
}
maps[i] = NULL;
/* "inline-signing" is a zone-only clause, so look in maps[0] only. */
res = cfg_map_get(maps[0], "inline-signing", &signing);
if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) {
return (cfg_obj_asboolean(signing));
}
/* If inline-signing is not set, check the value in dnssec-policy. */
policy = NULL;
res = named_config_get(maps, "dnssec-policy", &policy);
/* If no dnssec-policy found, then zone is not using inline-signing. */
if (res != ISC_R_SUCCESS ||
strcmp(cfg_obj_asstring(policy), "none") == 0)
{
return (false);
}
/* Lookup the policy. */
res = dns_kasplist_find(kasplist, cfg_obj_asstring(policy), &kasp);
if (res != ISC_R_SUCCESS) {
return (false);
}
inline_signing = dns_kasp_inlinesigning(kasp);
dns_kasp_detach(&kasp);
return (inline_signing);
}
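Review bot: In named_zone_inlinesigning the `return (false);` after a failed dns_kasplist_find silently turns a dnssec-policy name that is not in the list into "not inline-signing", and the reason that is acceptable is not stated; presumably the configuration checker rejects unknown policy names before this runs, but the function should say so, e.g. `/* Unknown policy: the config checker rejects these earlier, so treat as not inline-signing. */` above that return. Two smaller points of style in the same hunk: `policy = NULL;` just before the named_config_get call repeats the declaration's initializer and can be dropped, and `res` departs from the `result` name conventionally used for isc_result_t values in this codebase. The first hunk of this file only changes the signature of named_zone_reusable, whose body continues outside it.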


@ -81,6 +81,7 @@ zone "example" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
sig-signing-type 65280;
};
@ -99,6 +100,7 @@ zone "private.secure.example" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
inline-signing no;
dnssec-policy private;
};
@ -108,6 +110,7 @@ zone "insecure.secure.example" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@ -117,6 +120,7 @@ zone "child.nsec3.example" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
inline-signing no;
dnssec-policy nsec3;
};
@ -126,6 +130,7 @@ zone "child.optout.example" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
inline-signing no;
dnssec-policy optout;
};
@ -135,6 +140,7 @@ zone "optout-with-ent" {
allow-query { any; };
allow-transfer { any; };
allow-update { any; };
inline-signing no;
dnssec-policy optout;
};


@ -141,6 +141,7 @@ zone "secure.example" {
type primary;
file "secure.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@ -154,6 +155,7 @@ zone "nsec3.example" {
type primary;
file "nsec3.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy nsec3;
};
@ -161,6 +163,7 @@ zone "autonsec3.example" {
type primary;
file "autonsec3.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy nsec3;
};
@ -168,6 +171,7 @@ zone "optout.nsec3.example" {
type primary;
file "optout.nsec3.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy optout;
};
@ -175,6 +179,7 @@ zone "nsec3.nsec3.example" {
type primary;
file "nsec3.nsec3.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy nsec3;
};
@ -182,6 +187,7 @@ zone "jitter.nsec3.example" {
type primary;
file "jitter.nsec3.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy jitter-nsec3;
sig-signing-nodes 1000;
sig-signing-signatures 100;
@ -191,6 +197,7 @@ zone "secure.nsec3.example" {
type primary;
file "secure.nsec3.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy nsec3;
};
@ -205,6 +212,7 @@ zone "secure.optout.example" {
type primary;
file "secure.optout.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy optout;
};
@ -212,6 +220,7 @@ zone "nsec3.optout.example" {
type primary;
file "nsec3.optout.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy optout;
};
@ -219,6 +228,7 @@ zone "optout.optout.example" {
type primary;
file "optout.optout.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy optout;
};
@ -226,6 +236,7 @@ zone "rsasha256.example" {
type primary;
file "rsasha256.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy rsasha256;
};
@ -233,6 +244,7 @@ zone "rsasha512.example" {
type primary;
file "rsasha512.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy rsasha512;
};
@ -240,6 +252,7 @@ zone "nsec-only.example" {
type primary;
file "nsec-only.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@ -247,6 +260,7 @@ zone "nsec3-to-nsec.example" {
type primary;
file "nsec3-to-nsec.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy nsec3;
};
@ -254,6 +268,7 @@ zone "oldsigs.example" {
type primary;
file "oldsigs.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy jitter;
sig-signing-nodes 1000;
sig-signing-signatures 100;
@ -263,6 +278,7 @@ zone "prepub.example" {
type primary;
file "prepub.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@ -270,6 +286,7 @@ zone "ttl1.example" {
type primary;
file "ttl1.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@ -277,6 +294,7 @@ zone "ttl2.example" {
type primary;
file "ttl2.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@ -284,6 +302,7 @@ zone "ttl3.example" {
type primary;
file "ttl3.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@ -291,6 +310,7 @@ zone "ttl4.example" {
type primary;
file "ttl4.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@ -303,6 +323,7 @@ zone "nozsk.example" {
type primary;
file "nozsk.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@ -310,6 +331,7 @@ zone "inaczsk.example" {
type primary;
file "inaczsk.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@ -317,6 +339,7 @@ zone "noksk.example" {
type primary;
file "noksk.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@ -324,6 +347,7 @@ zone "sync.example" {
type primary;
file "sync.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy sync;
};
@ -338,6 +362,7 @@ zone "inaczsk2.example" {
type primary;
file "inaczsk2.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy autosign;
};
@ -345,6 +370,7 @@ zone "delzsk.example." {
type primary;
file "delzsk.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy nsec3;
};
@ -352,6 +378,7 @@ zone "dname-at-apex-nsec3.example" {
type primary;
file "dname-at-apex-nsec3.example.db";
allow-update { any; };
inline-signing no;
dnssec-policy nsec3;
};


@ -0,0 +1,25 @@
/*
* Copyright (C) Internet Systems Consortium, Inc. ("ISC")
*
* SPDX-License-Identifier: MPL-2.0
*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, you can obtain one at https://mozilla.org/MPL/2.0/.
*
* See the COPYRIGHT file distributed with this work for additional
* information regarding copyright ownership.
*/
/*
* inline-signing is a boolean value.
*/
dnssec-policy "inline" {
inline-signing never-ever;
};
zone "." {
type primary;
file "root.db";
dnssec-policy "inline";
};


@ -11,9 +11,13 @@
* information regarding copyright ownership.
*/
dnssec-policy "test" {
inline-signing no;
};
zone example {
type primary;
file "example.db";
dnssec-policy default;
dnssec-policy test;
allow-update { none; };
};


@ -22,6 +22,7 @@ dnssec-policy "test" {
"sha-256";
};
dnskey-ttl 3600;
inline-signing yes;
keys {
ksk key-directory lifetime P1Y algorithm ecdsa256;
zsk lifetime P30D algorithm 13;
@ -44,7 +45,6 @@ options {
zone "example1" {
type primary;
file "example1.db";
inline-signing yes;
};
zone "example2" {
type primary;
@ -57,7 +57,6 @@ zone "example2" {
zone "example3" {
type primary;
file "example3.db";
inline-signing yes;
dnssec-policy "default";
};
zone "dnssec-policy-none-shared-zonefile1" {


@ -46,7 +46,6 @@ view "localhost" {
type primary;
file "localhost/example.com.zone";
dnssec-policy "localhost";
inline-signing yes;
};
};
@ -57,7 +56,6 @@ view "external" {
type primary;
file "external/example.com.zone";
dnssec-policy "internet";
inline-signing yes;
};
};
@ -68,6 +66,5 @@ view "internal" {
type primary;
file "internal/example.com.zone";
dnssec-policy "intranet";
inline-signing yes;
};
};


@ -104,7 +104,6 @@ view "first" {
zone "clone" {
type primary;
file "yyy";
inline-signing yes;
max-ixfr-ratio unlimited;
};
dnssec-validation auto;
@ -168,12 +167,10 @@ view "third" {
zone "p" {
type primary;
file "pfile";
inline-signing yes;
};
zone "s" {
type secondary;
file "sfile";
inline-signing yes;
primaries {
1.2.3.4;
};
@ -185,7 +182,6 @@ view "fourth" {
type primary;
checkds explicit;
file "dnssec-test.db";
inline-signing yes;
parental-agents {
1.2.3.4;
1.2.3.5;
@ -196,7 +192,6 @@ view "fourth" {
zone "dnssec-default" {
type primary;
file "dnssec-default.db";
inline-signing yes;
parental-agents {
"parents";
};
@ -206,7 +201,6 @@ view "fourth" {
type primary;
checkds no;
file "dnssec-inherit.db";
inline-signing yes;
};
zone "dnssec-none" {
type primary;
@ -217,13 +211,11 @@ view "fourth" {
type primary;
checkds yes;
file "dnssec-view41.db";
inline-signing yes;
dnssec-policy "test";
};
zone "dnssec-view2" {
type primary;
file "dnssec-view42.db";
inline-signing yes;
};
zone "dnssec-view3" {
type primary;
@ -243,20 +235,17 @@ view "fifth" {
zone "dnssec-view1" {
type primary;
file "dnssec-view51.db";
inline-signing yes;
dnssec-policy "test";
};
zone "dnssec-view2" {
type primary;
file "dnssec-view52.db";
inline-signing yes;
dnssec-policy "test";
key-directory "keys";
};
zone "dnssec-view3" {
type primary;
file "dnssec-view53.db";
inline-signing yes;
dnssec-policy "default";
key-directory "keys";
};
@ -271,7 +260,6 @@ view "chaos" chaos {
zone "hostname.bind" chaos {
type primary;
database "_builtin hostname";
inline-signing yes;
};
};
dyndb "name" "library.so" {


@ -57,5 +57,4 @@ zone "example.net" {
type primary;
file "example.db";
dnssec-policy "default";
inline-signing yes;
};


@ -34,13 +34,11 @@ dnssec-policy "bad-sigrefresh-dnskey" {
zone "sigrefresh.example.net" {
type primary;
file "sigrefresh.example.db";
inline-signing yes;
dnssec-policy "bad-sigrefresh";
};
zone "dnskey.example.net" {
type primary;
file "dnskey.example.db";
inline-signing yes;
dnssec-policy "bad-sigrefresh-dnskey";
};


@ -22,6 +22,5 @@ zone "example.net" {
type primary;
file "example.db";
dnssec-policy "warn-length";
inline-signing yes;
};


@ -42,21 +42,18 @@ dnssec-policy "warn3" {
zone "warn1.example.net" {
type primary;
file "warn1.example.db";
inline-signing yes;
dnssec-policy "warn1";
};
zone "warn2.example.net" {
type primary;
file "warn2.example.db";
inline-signing yes;
dnssec-policy "warn2";
};
zone "warn3.example.net" {
type primary;
file "warn3.example.db";
inline-signing yes;
dnssec-policy "warn3";
};


@ -54,7 +54,6 @@ zone "." {
zone "good.explicit.dspublish.ns2" {
type primary;
file "good.explicit.dspublish.ns2.db";
inline-signing yes;
dnssec-policy "default";
parental-agents { 10.53.0.8 port @PORT@; };
};
@ -63,7 +62,6 @@ zone "good.explicit.dspublish.ns2" {
zone "reference.explicit.dspublish.ns2" {
type primary;
file "reference.explicit.dspublish.ns2.db";
inline-signing yes;
dnssec-policy "default";
parental-agents { "ns8"; };
};
@ -72,7 +70,6 @@ zone "reference.explicit.dspublish.ns2" {
zone "resolver.explicit.dspublish.ns2" {
type primary;
file "resolver.explicit.dspublish.ns2.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
10.53.0.3 port @PORT@;
@ -83,7 +80,6 @@ zone "resolver.explicit.dspublish.ns2" {
zone "good.yes.dspublish.ns2" {
type primary;
file "good.yes.dspublish.ns2.db";
inline-signing yes;
dnssec-policy "default";
};
@ -91,7 +87,6 @@ zone "good.yes.dspublish.ns2" {
zone "good.no.dspublish.ns2" {
type primary;
file "good.no.dspublish.ns2.db";
inline-signing yes;
dnssec-policy "default";
checkds no;
};
@ -100,7 +95,6 @@ zone "good.no.dspublish.ns2" {
zone "no-ent.ns2" {
type primary;
file "no-ent.ns2.db";
inline-signing yes;
dnssec-policy "default";
};
@ -112,7 +106,6 @@ zone "no-ent.ns2" {
zone "not-yet.explicit.dspublish.ns5" {
type primary;
file "not-yet.explicit.dspublish.ns5.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
10.53.0.5 port @PORT@; // missing
@ -122,7 +115,6 @@ zone "not-yet.explicit.dspublish.ns5" {
zone "not-yet.yes.dspublish.ns5" {
type primary;
file "not-yet.yes.dspublish.ns5.db";
inline-signing yes;
dnssec-policy "default";
};
@ -134,7 +126,6 @@ zone "not-yet.yes.dspublish.ns5" {
zone "bad.explicit.dspublish.ns6" {
type primary;
file "bad.explicit.dspublish.ns6.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
10.53.0.6 port @PORT@; // bad
@ -144,7 +135,6 @@ zone "bad.explicit.dspublish.ns6" {
zone "bad.yes.dspublish.ns6" {
type primary;
file "bad.yes.dspublish.ns6.db";
inline-signing yes;
dnssec-policy "default";
};
@ -163,7 +153,6 @@ zone "bad.yes.dspublish.ns6" {
zone "good.explicit.dspublish.ns2-4" {
type primary;
file "good.explicit.dspublish.ns2-4.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
10.53.0.8 port @PORT@;
@ -174,14 +163,12 @@ zone "good.explicit.dspublish.ns2-4" {
zone "good.yes.dspublish.ns2-4" {
type primary;
file "good.yes.dspublish.ns2-4.db";
inline-signing yes;
dnssec-policy "default";
};
zone "good.no.dspublish.ns2-4" {
type primary;
file "good.no.dspublish.ns2-4.db";
inline-signing yes;
dnssec-policy "default";
checkds no;
};
@ -194,7 +181,6 @@ zone "good.no.dspublish.ns2-4" {
zone "incomplete.explicit.dspublish.ns2-4-5" {
type primary;
file "incomplete.explicit.dspublish.ns2-4-5.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
10.53.0.8 port @PORT@;
@ -206,7 +192,6 @@ zone "incomplete.explicit.dspublish.ns2-4-5" {
zone "incomplete.yes.dspublish.ns2-4-5" {
type primary;
file "incomplete.yes.dspublish.ns2-4-5.db";
inline-signing yes;
dnssec-policy "default";
};
@ -218,7 +203,6 @@ zone "incomplete.yes.dspublish.ns2-4-5" {
zone "bad.explicit.dspublish.ns2-4-6" {
type primary;
file "bad.explicit.dspublish.ns2-4-6.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
10.53.0.8 port @PORT@;
@ -230,7 +214,6 @@ zone "bad.explicit.dspublish.ns2-4-6" {
zone "bad.yes.dspublish.ns2-4-6" {
type primary;
file "bad.yes.dspublish.ns2-4-6.db";
inline-signing yes;
dnssec-policy "default";
};
@ -253,7 +236,6 @@ zone "bad.yes.dspublish.ns2-4-6" {
zone "good.explicit.dsremoved.ns5" {
type primary;
file "good.explicit.dsremoved.ns5.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents { 10.53.0.10 port @PORT@; };
};
@ -261,7 +243,6 @@ zone "good.explicit.dsremoved.ns5" {
zone "resolver.explicit.dsremoved.ns5" {
type primary;
file "resolver.explicit.dsremoved.ns5.db";
inline-signing yes;
dnssec-policy "default";
parental-agents {
10.53.0.3 port @PORT@;
@ -271,14 +252,12 @@ zone "resolver.explicit.dsremoved.ns5" {
zone "good.yes.dsremoved.ns5" {
type primary;
file "good.yes.dsremoved.ns5.db";
inline-signing yes;
dnssec-policy "insecure";
};
zone "good.no.dsremoved.ns5" {
type primary;
file "good.no.dsremoved.ns5.db";
inline-signing yes;
dnssec-policy "insecure";
checkds no;
};
@ -286,7 +265,6 @@ zone "good.no.dsremoved.ns5" {
zone "no-ent.ns5" {
type primary;
file "no-ent.ns5.db";
inline-signing yes;
dnssec-policy "default";
};
@ -298,7 +276,6 @@ zone "no-ent.ns5" {
zone "still-there.explicit.dsremoved.ns2" {
type primary;
file "still-there.explicit.dsremoved.ns2.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
10.53.0.2 port @PORT@; // still published
@ -308,7 +285,6 @@ zone "still-there.explicit.dsremoved.ns2" {
zone "still-there.yes.dsremoved.ns2" {
type primary;
file "still-there.yes.dsremoved.ns2.db";
inline-signing yes;
dnssec-policy "insecure";
};
@ -320,7 +296,6 @@ zone "still-there.yes.dsremoved.ns2" {
zone "bad.explicit.dsremoved.ns6" {
type primary;
file "bad.explicit.dsremoved.ns6.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
10.53.0.6 port @PORT@; // bad
@ -330,7 +305,6 @@ zone "bad.explicit.dsremoved.ns6" {
zone "bad.yes.dsremoved.ns6" {
type primary;
file "bad.yes.dsremoved.ns6.db";
inline-signing yes;
dnssec-policy "insecure";
};
@ -349,7 +323,6 @@ zone "bad.yes.dsremoved.ns6" {
zone "good.explicit.dsremoved.ns5-7" {
type primary;
file "good.explicit.dsremoved.ns5-7.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
10.53.0.10 port @PORT@;
@ -360,14 +333,12 @@ zone "good.explicit.dsremoved.ns5-7" {
zone "good.yes.dsremoved.ns5-7" {
type primary;
file "good.yes.dsremoved.ns5-7.db";
inline-signing yes;
dnssec-policy "insecure";
};
zone "good.no.dsremoved.ns5-7" {
type primary;
file "good.no.dsremoved.ns5-7.db";
inline-signing yes;
dnssec-policy "insecure";
checkds no;
};
@ -380,7 +351,6 @@ zone "good.no.dsremoved.ns5-7" {
zone "incomplete.explicit.dsremoved.ns2-5-7" {
type primary;
file "incomplete.explicit.dsremoved.ns2-5-7.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
10.53.0.2 port @PORT@; // still published
@ -392,7 +362,6 @@ zone "incomplete.explicit.dsremoved.ns2-5-7" {
zone "incomplete.yes.dsremoved.ns2-5-7" {
type primary;
file "incomplete.yes.dsremoved.ns2-5-7.db";
inline-signing yes;
dnssec-policy "insecure";
};
@ -404,7 +373,6 @@ zone "incomplete.yes.dsremoved.ns2-5-7" {
zone "bad.explicit.dsremoved.ns5-6-7" {
type primary;
file "bad.explicit.dsremoved.ns5-6-7.db";
inline-signing yes;
dnssec-policy "insecure";
parental-agents {
10.53.0.10 port @PORT@;
@ -416,7 +384,6 @@ zone "bad.explicit.dsremoved.ns5-6-7" {
zone "bad.yes.dsremoved.ns5-6-7" {
type primary;
file "bad.yes.dsremoved.ns5-6-7.db";
inline-signing yes;
dnssec-policy "insecure";
};


@ -49,7 +49,6 @@ zone "signed.tld" {
type primary;
file "signed.tld.db";
dnssec-policy "default";
inline-signing yes;
};
/* Primary service for ns3 */


@ -24,6 +24,5 @@ dnssec-policy "ed25519" {
zone "ed25519.kasp" {
type primary;
file "ed25519.kasp.db";
inline-signing yes;
dnssec-policy "ed25519";
};


@ -24,6 +24,5 @@ dnssec-policy "ed448" {
zone "ed448.kasp" {
type primary;
file "ed448.kasp.db";
inline-signing yes;
dnssec-policy "ed448";
};


@ -45,7 +45,6 @@ controls {
zone "default.kasp" {
type primary;
file "default.kasp.db";
inline-signing yes;
dnssec-policy "default";
};
@ -53,7 +52,6 @@ zone "default.kasp" {
zone "checkds-ksk.kasp" {
type primary;
file "checkds-ksk.kasp.db";
inline-signing yes;
dnssec-policy "checkds-ksk";
};
@ -61,7 +59,6 @@ zone "checkds-ksk.kasp" {
zone "checkds-doubleksk.kasp" {
type primary;
file "checkds-doubleksk.kasp.db";
inline-signing yes;
dnssec-policy "checkds-doubleksk";
};
@ -69,7 +66,6 @@ zone "checkds-doubleksk.kasp" {
zone "checkds-csk.kasp" {
type primary;
file "checkds-csk.kasp.db";
inline-signing yes;
dnssec-policy "checkds-csk";
};
@ -77,7 +73,6 @@ zone "checkds-csk.kasp" {
zone "unlimited.kasp" {
type primary;
file "unlimited.kasp.db";
inline-signing yes;
dnssec-policy "unlimited";
};
@ -85,14 +80,12 @@ zone "unlimited.kasp" {
zone "manual-rollover.kasp" {
type primary;
file "manual-rollover.kasp.db";
inline-signing yes;
dnssec-policy "manual-rollover";
};
/* A zone that inherits dnssec-policy. */
zone "inherit.kasp" {
type primary;
inline-signing yes;
file "inherit.kasp.db";
};
@ -100,7 +93,6 @@ zone "inherit.kasp" {
zone "unsigned.kasp" {
type primary;
file "unsigned.kasp.db";
inline-signing yes;
dnssec-policy "none";
};
@ -108,7 +100,6 @@ zone "unsigned.kasp" {
zone "insecure.kasp" {
type primary;
file "insecure.kasp.db";
inline-signing yes;
dnssec-policy "insecure";
};
@ -116,7 +107,6 @@ zone "insecure.kasp" {
zone "dnssec-keygen.kasp" {
type primary;
file "dnssec-keygen.kasp.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
@ -125,7 +115,6 @@ zone "secondary.kasp" {
type secondary;
primaries { 10.53.0.2; };
file "secondary.kasp.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
@ -133,7 +122,7 @@ zone "secondary.kasp" {
zone "dynamic.kasp" {
type primary;
file "dynamic.kasp.db";
dnssec-policy "default";
dnssec-policy "default-dynamic";
allow-update { any; };
};
@ -143,7 +132,6 @@ zone "dynamic-inline-signing.kasp" {
file "dynamic-inline-signing.kasp.db";
dnssec-policy "default";
allow-update { any; };
inline-signing yes;
};
/* An inline-signed zone with dnssec-policy. */
@ -151,7 +139,6 @@ zone "inline-signing.kasp" {
type primary;
file "inline-signing.kasp.db";
dnssec-policy "default";
inline-signing yes;
};
/*
@ -160,7 +147,6 @@ zone "inline-signing.kasp" {
zone "some-keys.kasp" {
type primary;
file "some-keys.kasp.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
@ -170,7 +156,6 @@ zone "some-keys.kasp" {
zone "legacy-keys.kasp" {
type primary;
file "legacy-keys.kasp.db";
inline-signing yes;
dnssec-policy "migrate-to-dnssec-policy";
};
@ -180,7 +165,6 @@ zone "legacy-keys.kasp" {
zone "pregenerated.kasp" {
type primary;
file "pregenerated.kasp.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
@ -191,7 +175,6 @@ zone "pregenerated.kasp" {
zone "rumoured.kasp" {
type primary;
file "rumoured.kasp.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
@ -209,25 +192,21 @@ zone "multisigner-model2.kasp" {
zone "rsasha256.kasp" {
type primary;
file "rsasha256.kasp.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
zone "rsasha512.kasp" {
type primary;
file "rsasha512.kasp.db";
inline-signing yes;
dnssec-policy "rsasha512";
};
zone "ecdsa256.kasp" {
type primary;
file "ecdsa256.kasp.db";
inline-signing yes;
dnssec-policy "ecdsa256";
};
zone "ecdsa384.kasp" {
type primary;
file "ecdsa384.kasp.db";
inline-signing yes;
dnssec-policy "ecdsa384";
};
@ -237,7 +216,6 @@ zone "ecdsa384.kasp" {
zone "max-zone-ttl.kasp" {
type primary;
file "max-zone-ttl.kasp.db";
inline-signing yes;
dnssec-policy "ttl";
};
@ -262,7 +240,6 @@ zone "three-is-a-crowd.kasp" {
zone "expired-sigs.autosign" {
type primary;
file "expired-sigs.autosign.db";
inline-signing yes;
dnssec-policy "autosign";
};
@ -272,7 +249,6 @@ zone "expired-sigs.autosign" {
zone "fresh-sigs.autosign" {
type primary;
file "fresh-sigs.autosign.db";
inline-signing yes;
dnssec-policy "autosign";
};
@ -282,7 +258,6 @@ zone "fresh-sigs.autosign" {
zone "unfresh-sigs.autosign" {
type primary;
file "unfresh-sigs.autosign.db";
inline-signing yes;
dnssec-policy "autosign";
};
@ -292,7 +267,6 @@ zone "unfresh-sigs.autosign" {
zone "ksk-missing.autosign" {
type primary;
file "ksk-missing.autosign.db";
inline-signing yes;
dnssec-policy "autosign";
};
@ -302,7 +276,6 @@ zone "ksk-missing.autosign" {
zone "zsk-missing.autosign" {
type primary;
file "zsk-missing.autosign.db";
inline-signing yes;
dnssec-policy "autosign";
};
@ -312,7 +285,6 @@ zone "zsk-missing.autosign" {
zone "zsk-retired.autosign" {
type primary;
file "zsk-retired.autosign.db";
inline-signing yes;
dnssec-policy "autosign";
};
@ -322,25 +294,21 @@ zone "zsk-retired.autosign" {
zone "step1.enable-dnssec.autosign" {
type primary;
file "step1.enable-dnssec.autosign.db";
inline-signing yes;
dnssec-policy "enable-dnssec";
};
zone "step2.enable-dnssec.autosign" {
type primary;
file "step2.enable-dnssec.autosign.db";
inline-signing yes;
dnssec-policy "enable-dnssec";
};
zone "step3.enable-dnssec.autosign" {
type primary;
file "step3.enable-dnssec.autosign.db";
inline-signing yes;
dnssec-policy "enable-dnssec";
};
zone "step4.enable-dnssec.autosign" {
type primary;
file "step4.enable-dnssec.autosign.db";
inline-signing yes;
dnssec-policy "enable-dnssec";
};
@ -350,37 +318,31 @@ zone "step4.enable-dnssec.autosign" {
zone "step1.zsk-prepub.autosign" {
type primary;
file "step1.zsk-prepub.autosign.db";
inline-signing yes;
dnssec-policy "zsk-prepub";
};
zone "step2.zsk-prepub.autosign" {
type primary;
file "step2.zsk-prepub.autosign.db";
inline-signing yes;
dnssec-policy "zsk-prepub";
};
zone "step3.zsk-prepub.autosign" {
type primary;
file "step3.zsk-prepub.autosign.db";
inline-signing yes;
dnssec-policy "zsk-prepub";
};
zone "step4.zsk-prepub.autosign" {
type primary;
file "step4.zsk-prepub.autosign.db";
inline-signing yes;
dnssec-policy "zsk-prepub";
};
zone "step5.zsk-prepub.autosign" {
type primary;
file "step5.zsk-prepub.autosign.db";
inline-signing yes;
dnssec-policy "zsk-prepub";
};
zone "step6.zsk-prepub.autosign" {
type primary;
file "step6.zsk-prepub.autosign.db";
inline-signing yes;
dnssec-policy "zsk-prepub";
};
@ -390,37 +352,31 @@ zone "step6.zsk-prepub.autosign" {
zone "step1.ksk-doubleksk.autosign" {
type primary;
file "step1.ksk-doubleksk.autosign.db";
inline-signing yes;
dnssec-policy "ksk-doubleksk";
};
zone "step2.ksk-doubleksk.autosign" {
type primary;
file "step2.ksk-doubleksk.autosign.db";
inline-signing yes;
dnssec-policy "ksk-doubleksk";
};
zone "step3.ksk-doubleksk.autosign" {
type primary;
file "step3.ksk-doubleksk.autosign.db";
inline-signing yes;
dnssec-policy "ksk-doubleksk";
};
zone "step4.ksk-doubleksk.autosign" {
type primary;
file "step4.ksk-doubleksk.autosign.db";
inline-signing yes;
dnssec-policy "ksk-doubleksk";
};
zone "step5.ksk-doubleksk.autosign" {
type primary;
file "step5.ksk-doubleksk.autosign.db";
inline-signing yes;
dnssec-policy "ksk-doubleksk";
};
zone "step6.ksk-doubleksk.autosign" {
type primary;
file "step6.ksk-doubleksk.autosign.db";
inline-signing yes;
dnssec-policy "ksk-doubleksk";
};
@ -430,91 +386,76 @@ zone "step6.ksk-doubleksk.autosign" {
zone "step1.csk-roll.autosign" {
type primary;
file "step1.csk-roll.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll";
};
zone "step2.csk-roll.autosign" {
type primary;
file "step2.csk-roll.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll";
};
zone "step3.csk-roll.autosign" {
type primary;
file "step3.csk-roll.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll";
};
zone "step4.csk-roll.autosign" {
type primary;
file "step4.csk-roll.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll";
};
zone "step5.csk-roll.autosign" {
type primary;
file "step5.csk-roll.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll";
};
zone "step6.csk-roll.autosign" {
type primary;
file "step6.csk-roll.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll";
};
zone "step7.csk-roll.autosign" {
type primary;
file "step7.csk-roll.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll";
};
zone "step8.csk-roll.autosign" {
type primary;
file "step8.csk-roll.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll";
};
zone "step1.csk-roll2.autosign" {
type primary;
file "step1.csk-roll2.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll2";
};
zone "step2.csk-roll2.autosign" {
type primary;
file "step2.csk-roll2.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll2";
};
zone "step3.csk-roll2.autosign" {
type primary;
file "step3.csk-roll2.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll2";
};
zone "step4.csk-roll2.autosign" {
type primary;
file "step4.csk-roll2.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll2";
};
zone "step5.csk-roll2.autosign" {
type primary;
file "step5.csk-roll2.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll2";
};
zone "step6.csk-roll2.autosign" {
type primary;
file "step6.csk-roll2.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll2";
};
zone "step7.csk-roll2.autosign" {
type primary;
file "step7.csk-roll2.autosign.db";
inline-signing yes;
dnssec-policy "csk-roll2";
};


@ -18,13 +18,11 @@ include "named-fips.conf";
zone "rsasha1.kasp" {
type primary;
file "rsasha1.kasp.db";
inline-signing yes;
dnssec-policy "rsasha1";
};
zone "rsasha1-nsec3.kasp" {
type primary;
file "rsasha1-nsec3.kasp.db";
inline-signing yes;
dnssec-policy "rsasha1-nsec3";
};


@ -19,6 +19,10 @@ dnssec-policy "unlimited" {
};
};
dnssec-policy "default-dynamic" {
inline-signing no;
};
dnssec-policy "manual-rollover" {
dnskey-ttl 3600;
@ -30,6 +34,7 @@ dnssec-policy "manual-rollover" {
dnssec-policy "multisigner-model2" {
dnskey-ttl 3600;
inline-signing no;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;


@ -76,14 +76,12 @@ view "inherit" {
zone "inherit.inherit.signed" {
type primary;
file "inherit.inherit.signed.db";
inline-signing yes;
};
/* Override dnssec-policy */
zone "override.inherit.signed" {
type primary;
file "override.inherit.signed.db";
inline-signing yes;
dnssec-policy "default";
};
@ -103,14 +101,12 @@ view "override" {
zone "inherit.override.signed" {
type primary;
file "inherit.override.signed.db";
inline-signing yes;
};
/* Override dnssec-policy */
zone "override.override.signed" {
type primary;
file "override.override.signed.db";
inline-signing yes;
dnssec-policy "test";
};
@ -136,7 +132,6 @@ view "none" {
zone "override.none.signed" {
type primary;
file "override.none.signed.db";
inline-signing yes;
dnssec-policy "test";
};
@ -155,6 +150,7 @@ view "example1" {
zone "example.net" {
type primary;
inline-signing no;
file "example1.db";
};
};
@ -165,7 +161,6 @@ view "example2" {
zone "example.net" {
type primary;
file "example2.db";
inline-signing yes;
};
};


@ -67,7 +67,6 @@ view "inherit" {
zone "override.inherit.unsigned" {
type primary;
file "override.inherit.unsigned.db";
inline-signing yes;
dnssec-policy "default";
};
@ -87,14 +86,12 @@ view "override" {
zone "inherit.override.unsigned" {
type primary;
file "inherit.override.unsigned.db";
inline-signing yes;
};
/* Override dnssec-policy */
zone "override.override.unsigned" {
type primary;
file "override.override.unsigned.db";
inline-signing yes;
dnssec-policy "test";
};
@ -120,7 +117,6 @@ view "none" {
zone "override.none.unsigned" {
type primary;
file "override.none.unsigned.db";
inline-signing yes;
dnssec-policy "test";
};


@ -51,7 +51,6 @@ zone "dynamic2inline.kasp" {
zone "step1.going-insecure.kasp" {
type primary;
file "step1.going-insecure.kasp.db";
inline-signing yes;
dnssec-policy "unsigning";
};
@ -59,19 +58,20 @@ zone "step1.going-insecure-dynamic.kasp" {
type primary;
file "step1.going-insecure-dynamic.kasp.db";
dnssec-policy "unsigning";
inline-signing no;
allow-update { any; };
};
zone "step1.going-straight-to-none.kasp" {
type primary;
file "step1.going-straight-to-none.kasp.db";
inline-signing yes;
dnssec-policy "default";
};
zone "step1.going-straight-to-none-dynamic.kasp" {
type primary;
file "step1.going-straight-to-none-dynamic.kasp.db.signed";
inline-signing no;
dnssec-policy "default";
allow-update { any; };
};
@ -80,14 +80,12 @@ zone "step1.going-straight-to-none-dynamic.kasp" {
zone "step1.algorithm-roll.kasp" {
type primary;
file "step1.algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "rsasha256";
};
zone "step1.csk-algorithm-roll.kasp" {
type primary;
file "step1.csk-algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "csk-algoroll";
};
@ -100,6 +98,5 @@ dnssec-policy "modified" {
zone example {
type primary;
file "example.db";
inline-signing yes;
dnssec-policy modified;
};


@ -43,7 +43,6 @@ zone "dynamic2inline.kasp" {
type primary;
file "dynamic2inline.kasp.db";
allow-update { any; };
inline-signing yes;
dnssec-policy "default";
};
@ -51,20 +50,19 @@ zone "dynamic2inline.kasp" {
zone "step1.going-insecure.kasp" {
type primary;
file "step1.going-insecure.kasp.db";
inline-signing yes;
dnssec-policy "insecure";
};
zone "step2.going-insecure.kasp" {
type primary;
file "step2.going-insecure.kasp.db";
inline-signing yes;
dnssec-policy "insecure";
};
zone "step1.going-insecure-dynamic.kasp" {
type primary;
file "step1.going-insecure-dynamic.kasp.db";
inline-signing no;
dnssec-policy "insecure";
allow-update { any; };
};
@ -72,6 +70,7 @@ zone "step1.going-insecure-dynamic.kasp" {
zone "step2.going-insecure-dynamic.kasp" {
type primary;
file "step2.going-insecure-dynamic.kasp.db";
inline-signing no;
dnssec-policy "insecure";
allow-update { any; };
};
@ -85,6 +84,7 @@ zone "step1.going-straight-to-none.kasp" {
zone "step1.going-straight-to-none-dynamic.kasp" {
type primary;
file "step1.going-straight-to-none-dynamic.kasp.db.signed";
inline-signing no;
dnssec-policy "none";
allow-update { any; };
};
@ -95,42 +95,36 @@ zone "step1.going-straight-to-none-dynamic.kasp" {
zone "step1.algorithm-roll.kasp" {
type primary;
file "step1.algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "ecdsa256";
};
zone "step2.algorithm-roll.kasp" {
type primary;
file "step2.algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "ecdsa256";
};
zone "step3.algorithm-roll.kasp" {
type primary;
file "step3.algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "ecdsa256";
};
zone "step4.algorithm-roll.kasp" {
type primary;
file "step4.algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "ecdsa256";
};
zone "step5.algorithm-roll.kasp" {
type primary;
file "step5.algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "ecdsa256";
};
zone "step6.algorithm-roll.kasp" {
type primary;
file "step6.algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "ecdsa256";
};
@ -140,42 +134,36 @@ zone "step6.algorithm-roll.kasp" {
zone "step1.csk-algorithm-roll.kasp" {
type primary;
file "step1.csk-algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "csk-algoroll";
};
zone "step2.csk-algorithm-roll.kasp" {
type primary;
file "step2.csk-algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "csk-algoroll";
};
zone "step3.csk-algorithm-roll.kasp" {
type primary;
file "step3.csk-algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "csk-algoroll";
};
zone "step4.csk-algorithm-roll.kasp" {
type primary;
file "step4.csk-algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "csk-algoroll";
};
zone "step5.csk-algorithm-roll.kasp" {
type primary;
file "step5.csk-algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "csk-algoroll";
};
zone "step6.csk-algorithm-roll.kasp" {
type primary;
file "step6.csk-algorithm-roll.kasp.db";
inline-signing yes;
dnssec-policy "csk-algoroll";
};
@ -188,6 +176,5 @@ dnssec-policy "modified" {
zone example {
type primary;
file "example.db";
inline-signing yes;
dnssec-policy modified;
};


@ -42,6 +42,5 @@ controls {
zone "nsec3-xfr-inline.kasp" {
type primary;
file "nsec3-xfr-inline.kasp.db";
inline-signing yes;
dnssec-policy "nsec3";
};


@ -56,7 +56,6 @@ controls {
zone "nsec-to-nsec3.kasp" {
type primary;
file "nsec-to-nsec3.kasp.db";
inline-signing yes;
dnssec-policy "nsec";
};
@ -64,7 +63,6 @@ zone "nsec-to-nsec3.kasp" {
zone "nsec3.kasp" {
type primary;
file "nsec3.kasp.db";
inline-signing yes;
dnssec-policy "nsec3";
};
@ -79,7 +77,6 @@ zone "nsec3-dynamic.kasp" {
zone "nsec3-other.kasp" {
type primary;
file "nsec3-other.kasp.db";
inline-signing yes;
dnssec-policy "nsec3-other";
};
@ -87,13 +84,13 @@ zone "nsec3-other.kasp" {
zone "nsec3-change.kasp" {
type primary;
file "nsec3-change.kasp.db";
inline-signing yes;
dnssec-policy "nsec3";
};
zone "nsec3-dynamic-change.kasp" {
type primary;
file "nsec3-dynamic-change.kasp.db";
inline-signing no;
dnssec-policy "nsec3";
allow-update { any; };
};
@ -102,7 +99,6 @@ zone "nsec3-dynamic-change.kasp" {
zone "nsec3-to-optout.kasp" {
type primary;
file "nsec3-to-optout.kasp.db";
inline-signing yes;
dnssec-policy "nsec3";
};
@ -110,7 +106,6 @@ zone "nsec3-to-optout.kasp" {
zone "nsec3-from-optout.kasp" {
type primary;
file "nsec3-from-optout.kasp.db";
inline-signing yes;
dnssec-policy "optout";
};
@ -118,7 +113,6 @@ zone "nsec3-from-optout.kasp" {
zone "nsec3-to-nsec.kasp" {
type primary;
file "nsec3-to-nsec.kasp.db";
inline-signing yes;
dnssec-policy "nsec3";
};
@ -132,16 +126,16 @@ zone "nsec3-fails-to-load.kasp" {
/* These zones switch from dynamic to inline-signing or vice versa. */
zone "nsec3-dynamic-to-inline.kasp" {
type primary;
file "nsec3-dynamic-to-inline.kasp.db";
dnssec-policy "nsec3";
allow-update { any; };
type primary;
file "nsec3-dynamic-to-inline.kasp.db";
inline-signing no;
dnssec-policy "nsec3";
allow-update { any; };
};
zone "nsec3-inline-to-dynamic.kasp" {
type primary;
file "nsec3-inline-to-dynamic.kasp.db";
inline-signing yes;
dnssec-policy "nsec3";
};
@ -149,7 +143,6 @@ zone "nsec3-inline-to-dynamic.kasp" {
zone "nsec3-dynamic-update-inline.kasp" {
type primary;
file "nsec3-dynamic-update-inline.kasp.db";
inline-signing yes;
allow-update { any; };
dnssec-policy "nsec";
};
@ -157,7 +150,6 @@ zone "nsec3-dynamic-update-inline.kasp" {
zone "nsec3-xfr-inline.kasp" {
type secondary;
file "nsec3-xfr-inline.kasp.db";
inline-signing yes;
dnssec-policy "nsec";
primaries { 10.53.0.2; };
};


@ -29,7 +29,6 @@ dnssec-policy "rsasha1" {
zone "rsasha1-to-nsec3.kasp" {
type primary;
file "rsasha1-to-nsec3.kasp.db";
inline-signing yes;
dnssec-policy "rsasha1";
};
@ -41,7 +40,6 @@ zone "rsasha1-to-nsec3.kasp" {
zone "rsasha1-to-nsec3-wait.kasp" {
type primary;
file "rsasha1-to-nsec3-wait.kasp.db";
inline-signing yes;
dnssec-policy "rsasha1";
};
@ -53,7 +51,6 @@ zone "rsasha1-to-nsec3-wait.kasp" {
zone "nsec3-to-rsasha1.kasp" {
type primary;
file "nsec3-to-rsasha1.kasp.db";
inline-signing yes;
dnssec-policy "nsec3";
};
@ -66,6 +63,5 @@ zone "nsec3-to-rsasha1.kasp" {
zone "nsec3-to-rsasha1-ds.kasp" {
type primary;
file "nsec3-to-rsasha1-ds.kasp.db";
inline-signing yes;
dnssec-policy "nsec3";
};


@ -56,7 +56,6 @@ controls {
zone "nsec-to-nsec3.kasp" {
type primary;
file "nsec-to-nsec3.kasp.db";
inline-signing yes;
//dnssec-policy "nsec";
dnssec-policy "nsec3";
};
@ -65,7 +64,6 @@ zone "nsec-to-nsec3.kasp" {
zone "nsec3.kasp" {
type primary;
file "nsec3.kasp.db";
inline-signing yes;
dnssec-policy "nsec3";
};
@ -80,7 +78,6 @@ zone "nsec3-dynamic.kasp" {
zone "nsec3-other.kasp" {
type primary;
file "nsec3-other.kasp.db";
inline-signing yes;
dnssec-policy "nsec3-other";
};
@ -88,7 +85,6 @@ zone "nsec3-other.kasp" {
zone "nsec3-change.kasp" {
type primary;
file "nsec3-change.kasp.db";
inline-signing yes;
//dnssec-policy "nsec3";
dnssec-policy "nsec3-other";
};
@ -97,6 +93,7 @@ zone "nsec3-dynamic-change.kasp" {
type primary;
file "nsec3-dynamic-change.kasp.db";
//dnssec-policy "nsec3";
inline-signing no;
dnssec-policy "nsec3-other";
allow-update { any; };
};
@ -105,7 +102,6 @@ zone "nsec3-dynamic-change.kasp" {
zone "nsec3-to-optout.kasp" {
type primary;
file "nsec3-to-optout.kasp.db";
inline-signing yes;
//dnssec-policy "nsec3";
dnssec-policy "optout";
};
@ -114,7 +110,6 @@ zone "nsec3-to-optout.kasp" {
zone "nsec3-from-optout.kasp" {
type primary;
file "nsec3-from-optout.kasp.db";
inline-signing yes;
//dnssec-policy "optout";
dnssec-policy "nsec3";
};
@ -123,7 +118,6 @@ zone "nsec3-from-optout.kasp" {
zone "nsec3-to-nsec.kasp" {
type primary;
file "nsec3-to-nsec.kasp.db";
inline-signing yes;
//dnssec-policy "nsec3";
dnssec-policy "nsec";
};
@ -140,7 +134,6 @@ zone "nsec3-fails-to-load.kasp" {
zone "nsec3-dynamic-to-inline.kasp" {
type primary;
file "nsec3-dynamic-to-inline.kasp.db";
inline-signing yes;
dnssec-policy "nsec3";
allow-update { any; };
};


@ -29,7 +29,6 @@ dnssec-policy "rsasha1" {
zone "rsasha1-to-nsec3.kasp" {
type primary;
file "rsasha1-to-nsec3.kasp.db";
inline-signing yes;
//dnssec-policy "rsasha1";
dnssec-policy "nsec3";
};
@ -42,7 +41,6 @@ zone "rsasha1-to-nsec3.kasp" {
zone "rsasha1-to-nsec3-wait.kasp" {
type primary;
file "rsasha1-to-nsec3-wait.kasp.db";
inline-signing yes;
//dnssec-policy "rsasha1";
dnssec-policy "nsec3";
};
@ -55,7 +53,6 @@ zone "rsasha1-to-nsec3-wait.kasp" {
zone "nsec3-to-rsasha1.kasp" {
type primary;
file "nsec3-to-rsasha1.kasp.db";
inline-signing yes;
//dnssec-policy "nsec3";
dnssec-policy "rsasha1";
};
@ -69,7 +66,6 @@ zone "nsec3-to-rsasha1.kasp" {
zone "nsec3-to-rsasha1-ds.kasp" {
type primary;
file "nsec3-to-rsasha1-ds.kasp.db";
inline-signing yes;
//dnssec-policy "nsec3";
dnssec-policy "rsasha1";
};


@ -35,6 +35,10 @@ controls {
inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; };
};
dnssec-policy "default-dynamic" {
inline-signing no;
};
zone "example" {
type primary;
allow-update { any; };
@ -84,6 +88,6 @@ zone "too-big.test" {
zone "multisigner.test" {
type primary;
allow-update { any; };
dnssec-policy "default";
dnssec-policy "default-dynamic";
file "multisigner.test.db";
};


@ -38,6 +38,7 @@ controls {
};
dnssec-policy "dnssec" {
inline-signing no;
keys {
ksk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
@ -45,6 +46,7 @@ dnssec-policy "dnssec" {
};
dnssec-policy "manykeys" {
inline-signing no;
keys {
ksk lifetime unlimited algorithm 8;
zsk lifetime unlimited algorithm 8;


@ -45,6 +45,7 @@ dnssec-policy "dnssec" {
};
dnssec-policy "manykeys" {
inline-signing no;
keys {
ksk lifetime unlimited algorithm 8;
zsk lifetime unlimited algorithm 8;


@ -36,6 +36,7 @@ controls {
};
dnssec-policy "zonechecks" {
inline-signing no;
keys {
ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;
zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@;


@ -98,11 +98,11 @@ up-to-date DNSSEC practices:
type primary;
file "dnssec.example.db";
dnssec-policy default;
inline-signing yes;
};
The :any:`dnssec-policy` statement requires dynamic DNS to be set up, or
:any:`inline-signing` to be enabled. In the example above we use the latter.
:any:`inline-signing` to be enabled. In the example above we use the latter,
because the ``default`` policy uses :any:`inline-signing`.
This is sufficient to create the necessary signing keys, and generate
``DNSKEY``, ``RRSIG``, and ``NSEC`` records for the zone. BIND also takes
@ -174,7 +174,6 @@ by configuring parental agents:
type primary;
file "dnssec.example.db";
dnssec-policy default;
inline-signing yes;
parental-agents { 192.0.2.1; };
checkds explicit;
};


@ -6086,7 +6086,7 @@ zone is maintained separately and is written out to a different file on disk
If the zone is dynamic because it is configured with an :any:`update-policy` or
:any:`allow-update`, the DNSSEC records are written to the filename set in the
original zone's :any:`file`, unless :any:`inline-signing` is explicitly set.
original zone's :any:`file`, unless :any:`inline-signing` is enabled.
Key rollover timing is computed for each key according to the key
lifetime defined in the KASP. The lifetime may be modified by zone TTLs


@ -63,7 +63,6 @@ what the :iscman:`named.conf` zone statement looks like on the primary server, 1
file "db/example.com.db";
key-directory "keys/example.com";
dnssec-policy default;
inline-signing yes;
allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
};
@ -143,7 +142,6 @@ signed data via zone transfer to the other three DNS secondaries. Its
file "db/example.com.db";
key-directory "keys/example.com";
dnssec-policy default;
inline-signing yes;
allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; };
};
@ -997,7 +995,6 @@ Here is what :iscman:`named.conf` looks like when it is signed:
type primary;
file "db/example.com.db";
dnssec-policy "default";
inline-signing yes;
};
To indicate the reversion to unsigned, change the :any:`dnssec-policy` line:
@ -1009,7 +1006,6 @@ To indicate the reversion to unsigned, change the :any:`dnssec-policy` line:
type primary;
file "db/example.com.db";
dnssec-policy "insecure";
inline-signing yes;
};
Then use :option:`rndc reload` to reload the zone.


@ -66,7 +66,6 @@ To sign a zone, add the following statement to its
zone "example.com" in {
...
dnssec-policy default;
inline-signing yes;
...
};
@ -81,14 +80,6 @@ default values.
Using :any:`dnssec-policy` requires dynamic DNS or :any:`inline-signing`
to be enabled.
.. note::
Previously, if a zone with a :any:`dnssec-policy` did not have dynamic
DNS set up and :any:`inline-signing` was not explicity set, BIND 9 used
inline-signing implicitly. But this caused a lot of problems when operators
switched on or off dynamic DNS for their zones. Therefor, you now have to
configure it explicitly.
When the configuration file is updated, tell :iscman:`named` to
reload the configuration file by running :option:`rndc reconfig`:
@ -832,7 +823,6 @@ this example, we'll add it to the :any:`zone` statement:
zone "example.net" in {
...
dnssec-policy standard;
inline-signing yes;
...
};
@ -914,7 +904,6 @@ presence. Let's look at the following configuration excerpt:
zone "example.net" in {
...
dnssec-policy standard;
inline-signing yes;
parental-agents { "net"; };
checkds explicit;
...


@ -31,6 +31,7 @@ dnssec-policy "default" {
signatures-validity-dnskey 14d;
// Zone parameters
inline-signing yes;
max-zone-ttl 86400;
zone-propagation-delay 300;


@ -14,6 +14,7 @@ dnssec-policy <string> {
cdnskey <boolean>;
cds-digest-types { <string>; ... };
dnskey-ttl <duration>;
inline-signing <boolean>;
keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime <duration_or_unlimited> algorithm <string> [ <integer> ]; ... };
max-zone-ttl <duration>;
nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];


@ -40,6 +40,12 @@ Feature Changes
DNS SERVER COOKIES. Previously these were silently treated as
DNS CLIENT COOKIES. :gl:`#4194`
- The option :any:`inline-signing` can now also be set inside
:any:`dnssec-policy`. The built-in policies ``default`` and ``insecure``
enable the use of :any:`inline-signing`. If you set :any:`inline-signing`
at the ``zone`` level, it overrides the value used set in
:any:`dnssec-policy`. :gl:`#3677`.
Bug Fixes
~~~~~~~~~


@ -103,6 +103,7 @@ struct dns_kasp {
/* Zone settings */
dns_ttl_t zone_max_ttl;
uint32_t zone_propagation_delay;
bool inline_signing;
/* Parent settings */
dns_ttl_t parent_ds_ttl;
@ -389,6 +390,30 @@ dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value);
*\li 'kasp' is a valid, thawed kasp.
*/
bool
dns_kasp_inlinesigning(dns_kasp_t *kasp);
/*%<
* Should we use inline-signing for this DNSSEC policy?
*
* Requires:
*
*\li 'kasp' is a valid, frozen kasp.
*
* Returns:
*
*\li true or false.
*/
void
dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value);
/*%<
* Set inline-signing.
*
* Requires:
*
*\li 'kasp' is a valid, thawed kasp.
*/
dns_ttl_t
dns_kasp_zonemaxttl(dns_kasp_t *kasp);
/*%<
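Review bot: The comment on `dns_kasp_inlinesigning` says what the accessor returns but not what an unconfigured policy yields, and the header is where a reader will look for that; the config side in this same commit falls back to `true` when the clause is absent. Suggest extending the description to `Should we use inline-signing for this DNSSEC policy? Defaults to true unless the policy sets inline-signing no.`, or, if the default is meant to be a property of the config parser rather than of dns_kasp, saying that on the new `inline_signing` member in struct dns_kasp instead. Either way a reader of the struct currently cannot tell what value a freshly created kasp carries before the setter runs.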


@ -247,6 +247,22 @@ dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value) {
kasp->retire_safety = value;
}
bool
dns_kasp_inlinesigning(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(kasp->frozen);
return (kasp->inline_signing);
}
void
dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value) {
REQUIRE(DNS_KASP_VALID(kasp));
REQUIRE(!kasp->frozen);
kasp->inline_signing = value;
}
dns_ttl_t
dns_kasp_zonemaxttl(dns_kasp_t *kasp) {
REQUIRE(DNS_KASP_VALID(kasp));


@ -2793,6 +2793,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
bool dlz;
bool ddns = false;
bool has_dnssecpolicy = false;
bool kasp_inlinesigning = false;
const void *clauses = NULL;
const char *option = NULL;
const char *kaspname = NULL;
@ -3038,10 +3039,13 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
kaspname = cfg_obj_asstring(obj);
if (strcmp(kaspname, "default") == 0) {
has_dnssecpolicy = true;
kasp_inlinesigning = true;
} else if (strcmp(kaspname, "insecure") == 0) {
has_dnssecpolicy = true;
kasp_inlinesigning = true;
} else if (strcmp(kaspname, "none") == 0) {
has_dnssecpolicy = false;
kasp_inlinesigning = false;
} else {
(void)cfg_map_get(config, "dnssec-policy", &kasps);
for (element = cfg_list_first(kasps); element != NULL;
@ -3052,7 +3056,24 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
if (strcmp(kaspname, cfg_obj_asstring(kobj)) ==
0)
{
const cfg_obj_t *inlinesigning = NULL;
const cfg_obj_t *kopt = cfg_tuple_get(
cfg_listelt_value(element),
"options");
if (cfg_map_get(kopt, "inline-signing",
&inlinesigning) ==
ISC_R_SUCCESS)
{
kasp_inlinesigning =
cfg_obj_asboolean(
inlinesigning);
} else {
/* By default true */
kasp_inlinesigning = true;
}
has_dnssecpolicy = true;
break;
}
}
@ -3369,6 +3390,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions,
res1 = cfg_map_get(zoptions, "inline-signing", &obj);
if (res1 == ISC_R_SUCCESS) {
signing = cfg_obj_asboolean(obj);
} else if (has_dnssecpolicy) {
signing = kasp_inlinesigning;
}
if (has_dnssecpolicy) {
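Review bot: The effective default for a policy's inline-signing is now hard-coded in three separate places — `kasp_inlinesigning = true` for the built-in `default` and `insecure` names, the `/* By default true */` fallback inside the lookup loop, and the `dns_kasp_setinlinesigning(kasp, true)` fallback in cfg_kasp_fromconfig — with nothing tying them together. If the built-in policy text or the parser default changes later, named-checkconf will silently accept or reject a zone that named itself treats the other way, which is exactly the drift a configuration checker exists to catch. Consider one shared named constant for the default, and at minimum a comment on the `default`/`insecure` branches such as `/* Must match the built-in "default" and "insecure" policies, which set inline-signing yes. */`. The `else if (has_dnssecpolicy)` guard in the last hunk is redundant, since `kasp_inlinesigning` only becomes true on paths that also set `has_dnssecpolicy`, but it is harmless. check_zoneconf's body begins and ends outside these hunks.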


@ -360,6 +360,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
const cfg_obj_t *koptions = NULL;
const cfg_obj_t *keys = NULL;
const cfg_obj_t *nsec3 = NULL;
const cfg_obj_t *inlinesigning = NULL;
const cfg_obj_t *cds = NULL;
const cfg_obj_t *obj = NULL;
const cfg_listelt_t *element = NULL;
const char *kaspname = NULL;
@ -446,6 +448,14 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
}
/* Configuration: Zone settings */
(void)confget(maps, "inline-signing", &inlinesigning);
if (inlinesigning != NULL && cfg_obj_isboolean(inlinesigning)) {
dns_kasp_setinlinesigning(kasp,
cfg_obj_asboolean(inlinesigning));
} else {
dns_kasp_setinlinesigning(kasp, true);
}
maxttl = get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL);
dns_kasp_setzonemaxttl(kasp, maxttl);
@ -470,10 +480,9 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
dns_kasp_setcdnskey(kasp, true);
}
obj = NULL;
(void)confget(maps, "cds-digest-types", &obj);
if (obj != NULL) {
for (element = cfg_list_first(obj); element != NULL;
(void)confget(maps, "cds-digest-types", &cds);
if (cds != NULL) {
for (element = cfg_list_first(cds); element != NULL;
element = cfg_list_next(element))
{
result = add_digest(kasp, cfg_listelt_value(element),
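Review bot: The fallback `dns_kasp_setinlinesigning(kasp, true)` applies both when `inline-signing` is absent from `maps` and when `confget` returns a non-boolean object, and nothing in the hunk says that `true` is the intended default for every policy rather than a value inherited from `default_kasp`. A short comment would settle it for the next reader: `/* inline-signing defaults to yes when the policy does not set it. */`. The non-boolean branch is presumably unreachable given the `cfg_type_boolean` grammar entry added in namedconf.c, so if it is meant as defensive handling it is worth saying so rather than letting it look like a second default. The `obj` to `cds` rename in the cds-digest-types hunk is an unrelated cleanup that would be easier to review in its own commit. cfg_kasp_fromconfig's body continues outside these hunks.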


@ -2208,6 +2208,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
{ "cdnskey", &cfg_type_boolean, 0 },
{ "cds-digest-types", &cfg_type_algorithmlist, 0 },
{ "dnskey-ttl", &cfg_type_duration, 0 },
{ "inline-signing", &cfg_type_boolean, 0 },
{ "keys", &cfg_type_kaspkeys, 0 },
{ "max-zone-ttl", &cfg_type_duration, 0 },
{ "nsec3param", &cfg_type_nsec3, 0 },