From bbfdcc36c855605b6959c9a353c942be7d1cfb7a Mon Sep 17 00:00:00 2001 
From: Matthijs Mekking Date: Mon, 3 Apr 2023 17:00:36 +0200 Subject: [PATCH 1/5] Add inline-signing to dnssec-policy Add an option to enable/disable inline-signing inside the dnssec-policy clause. The existing inline-signing option that is set in the zone clause takes priority, but if it is omitted, then the value that is set in dnssec-policy is taken. The built-in policies use inline-signing. This means that if you want to use the default policy without inline-signing you either have to set it explicitly in the zone clause: zone "example" { ... dnssec-policy default; inline-signing no; }; Or create a new policy, only overriding the inline-signing option: dnssec-policy "default-dynamic" { inline-signing no; }; zone "example" { ... dnssec-policy default-dynamic; }; This also means that if you are going insecure with a dynamic zone, the built-in "insecure" policy needs to be accompanied with "inline-signing no;". --- bin/named/config.c | 2 + bin/named/include/named/zoneconf.h | 10 +++- bin/named/server.c | 7 ++- bin/named/zoneconf.c | 57 ++++++++++++++++--- bin/tests/system/autosign/ns2/named.conf.in | 6 ++ bin/tests/system/autosign/ns3/named.conf.in | 27 +++++++++ bin/tests/system/checkconf/good-kasp.conf | 3 +- bin/tests/system/kasp/ns3/named-fips.conf.in | 2 +- .../kasp/ns3/policies/kasp-fips.conf.in | 4 ++ bin/tests/system/kasp/ns4/named.conf.in | 1 + bin/tests/system/kasp/ns6/named.conf.in | 1 + bin/tests/system/kasp/ns6/named2.conf.in | 2 + bin/tests/system/nsec3/ns3/named-fips.conf.in | 10 ++-- .../system/nsec3/ns3/named2-fips.conf.in | 1 + bin/tests/system/nsupdate/ns3/named.conf.in | 6 +- .../system/statschannel/ns2/named.conf.in | 2 + .../system/statschannel/ns2/named2.conf.in | 1 + doc/misc/dnssec-policy.default.conf | 1 + doc/misc/options | 1 + lib/dns/include/dns/kasp.h | 25 ++++++++ lib/dns/kasp.c | 16 ++++++ lib/isccfg/kaspconf.c | 17 ++++-- lib/isccfg/namedconf.c | 1 + 23 files changed, 178 insertions(+), 25 deletions(-) 
diff --git a/bin/named/config.c b/bin/named/config.c index 861c46c03d..b5548b3631 100644 --- a/bin/named/config.c +++ b/bin/named/config.c @@ -294,6 +294,7 @@ dnssec-policy \"default\" {\n\ cdnskey yes;\n\ cds-digest-types { 2; };\n\ dnskey-ttl " DNS_KASP_KEY_TTL ";\n\ + inline-signing yes;\n\ publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\ retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\ purge-keys " DNS_KASP_PURGE_KEYS "; \n\ @@ -308,6 +309,7 @@ dnssec-policy \"default\" {\n\ \n\ dnssec-policy \"insecure\" {\n\ keys { };\n\ + inline-signing yes;\n\ };\n\ \n\ " diff --git a/bin/named/include/named/zoneconf.h b/bin/named/include/named/zoneconf.h index 387d8a1ef1..dbecd4a79e 100644 --- a/bin/named/include/named/zoneconf.h +++ b/bin/named/include/named/zoneconf.h @@ -44,7 +44,9 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig, */ bool -named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig); +named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig, + const cfg_obj_t *vconfig, const cfg_obj_t *config, + dns_kasplist_t *kasplist); /*%< * If 'zone' can be safely reconfigured according to the configuration * data in 'zconfig', return true. If the configuration data is so @@ -53,10 +55,12 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig); */ bool -named_zone_inlinesigning(const cfg_obj_t *zconfig); +named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, + const cfg_obj_t *config, dns_kasplist_t *kasplist); /*%< * Determine if zone uses inline-signing. This is true if inline-signing - * is set to yes. + * is set to yes, in the zone clause or in the zone's dnssec-policy clause. + * By default, dnssec-policy uses inline-signing. */ isc_result_t diff --git a/bin/named/server.c b/bin/named/server.c index cbcba3d28d..c88ca57423 100644 --- a/bin/named/server.c +++ b/bin/named/server.c 
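Review bot: The comment under `named_zone_reusable` in zoneconf.h still describes the decision in terms of 'zconfig' only, although the prototype now takes vconfig, config and kasplist, which are what named_zone_inlinesigning uses to resolve the zone's dnssec-policy. A sentence such as `'vconfig' and 'config' supply the view and global options searched for the zone's dnssec-policy, and 'kasplist' is the list that policy name is resolved against.` after the existing text would bring the comment in line with the signature. The named_zone_inlinesigning comment a few lines further down already states the new rule, so only the reusable comment is out of date.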
@@ -6715,7 +6715,9 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, goto cleanup; } - if (zone != NULL && !named_zone_reusable(zone, zconfig)) { + if (zone != NULL && + !named_zone_reusable(zone, zconfig, vconfig, config, kasplist)) + { dns_zone_detach(&zone); fullsign = true; } @@ -6788,7 +6790,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig, strcasecmp(ztypestr, "slave") == 0)); if (zone_maybe_inline) { - inline_signing = named_zone_inlinesigning(zconfig); + inline_signing = named_zone_inlinesigning(zconfig, vconfig, + config, kasplist); } if (inline_signing) { dns_zone_getraw(zone, &raw); diff --git a/bin/named/zoneconf.c b/bin/named/zoneconf.c index 358f114ebd..1759da7837 100644 --- a/bin/named/zoneconf.c +++ b/bin/named/zoneconf.c @@ -1917,7 +1917,9 @@ named_zone_configure_writeable_dlz(dns_dlzdb_t *dlzdatabase, dns_zone_t *zone, } bool -named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) { +named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig, + const cfg_obj_t *vconfig, const cfg_obj_t *config, + dns_kasplist_t *kasplist) { const cfg_obj_t *zoptions = NULL; const cfg_obj_t *obj = NULL; const char *cfilename; @@ -1951,7 +1953,8 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) { has_raw = false; } - inline_signing = named_zone_inlinesigning(zconfig); + inline_signing = named_zone_inlinesigning(zconfig, vconfig, config, + kasplist); if (!inline_signing && has_raw) { dns_zone_log(zone, ISC_LOG_DEBUG(1), "not reusable: old zone was inline-signing"); 
@@ -1988,15 +1991,53 @@ named_zone_reusable(dns_zone_t *zone, const cfg_obj_t *zconfig) { } bool -named_zone_inlinesigning(const cfg_obj_t *zconfig) { - const cfg_obj_t *zoptions = NULL; +named_zone_inlinesigning(const cfg_obj_t *zconfig, const cfg_obj_t *vconfig, + const cfg_obj_t *config, dns_kasplist_t *kasplist) { + const cfg_obj_t *maps[4]; const cfg_obj_t *signing = NULL; + const cfg_obj_t *policy = NULL; + dns_kasp_t *kasp = NULL; + isc_result_t res; bool inline_signing = false; + int i = 0; - zoptions = cfg_tuple_get(zconfig, "options"); - inline_signing = (cfg_map_get(zoptions, "inline-signing", &signing) == - ISC_R_SUCCESS && - cfg_obj_asboolean(signing)); + maps[i++] = cfg_tuple_get(zconfig, "options"); + if (vconfig != NULL) { + maps[i++] = cfg_tuple_get(vconfig, "options"); + } + if (config != NULL) { + const cfg_obj_t *options = NULL; + (void)cfg_map_get(config, "options", &options); + if (options != NULL) { + maps[i++] = options; + } + } + maps[i] = NULL; + + /* "inline-signing" is a zone-only clause, so look in maps[0] only. */ + res = cfg_map_get(maps[0], "inline-signing", &signing); + if (res == ISC_R_SUCCESS && cfg_obj_isboolean(signing)) { + return (cfg_obj_asboolean(signing)); + } + + /* If inline-signing is not set, check the value in dnssec-policy. */ + policy = NULL; + res = named_config_get(maps, "dnssec-policy", &policy); + /* If no dnssec-policy found, then zone is not using inline-signing. */ + if (res != ISC_R_SUCCESS || + strcmp(cfg_obj_asstring(policy), "none") == 0) + { + return (false); + } + + /* Lookup the policy. */ + res = dns_kasplist_find(kasplist, cfg_obj_asstring(policy), &kasp); + if (res != ISC_R_SUCCESS) { + return (false); + } + + inline_signing = dns_kasp_inlinesigning(kasp); + dns_kasp_detach(&kasp); return (inline_signing); } diff --git a/bin/tests/system/autosign/ns2/named.conf.in b/bin/tests/system/autosign/ns2/named.conf.in index caf2ab83de..0dad4bde0d 100644 --- a/bin/tests/system/autosign/ns2/named.conf.in 
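Review bot: When `dns_kasplist_find` fails for a dnssec-policy name that the configuration does name, named_zone_inlinesigning returns false silently, so a zone that was supposed to be inline-signed through its policy will quietly run without it and the only symptom shows up later when signing does not happen. A debug-level log at that return (the function has no zone handle, so either a plain log here or one in configure_zone next to the `if (inline_signing)` branch) would make the mismatch diagnosable; in practice checkconf should reject unknown policy names first, so this is mostly a reload-ordering safety net. Whether kasplist can be NULL at the call sites is not visible in this hunk; if it can, the find call needs a guard. Separately, `policy = NULL;` before `named_config_get` repeats the initializer and can be dropped.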
+++ b/bin/tests/system/autosign/ns2/named.conf.in @@ -81,6 +81,7 @@ zone "example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; + inline-signing no; dnssec-policy autosign; sig-signing-type 65280; }; @@ -99,6 +100,7 @@ zone "private.secure.example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; + inline-signing no; dnssec-policy private; }; @@ -108,6 +110,7 @@ zone "insecure.secure.example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -117,6 +120,7 @@ zone "child.nsec3.example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; + inline-signing no; dnssec-policy nsec3; }; @@ -126,6 +130,7 @@ zone "child.optout.example" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; + inline-signing no; dnssec-policy optout; }; @@ -135,6 +140,7 @@ zone "optout-with-ent" { allow-query { any; }; allow-transfer { any; }; allow-update { any; }; + inline-signing no; dnssec-policy optout; }; diff --git a/bin/tests/system/autosign/ns3/named.conf.in b/bin/tests/system/autosign/ns3/named.conf.in index 7111515be5..343c743af3 100644 --- a/bin/tests/system/autosign/ns3/named.conf.in +++ b/bin/tests/system/autosign/ns3/named.conf.in @@ -141,6 +141,7 @@ zone "secure.example" { type primary; file "secure.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -154,6 +155,7 @@ zone "nsec3.example" { type primary; file "nsec3.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy nsec3; }; @@ -161,6 +163,7 @@ zone "autonsec3.example" { type primary; file "autonsec3.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy nsec3; }; @@ -168,6 +171,7 @@ zone "optout.nsec3.example" { type primary; file "optout.nsec3.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy optout; }; 
@@ -175,6 +179,7 @@ zone "nsec3.nsec3.example" { type primary; file "nsec3.nsec3.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy nsec3; }; @@ -182,6 +187,7 @@ zone "jitter.nsec3.example" { type primary; file "jitter.nsec3.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy jitter-nsec3; sig-signing-nodes 1000; sig-signing-signatures 100; @@ -191,6 +197,7 @@ zone "secure.nsec3.example" { type primary; file "secure.nsec3.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy nsec3; }; @@ -205,6 +212,7 @@ zone "secure.optout.example" { type primary; file "secure.optout.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy optout; }; @@ -212,6 +220,7 @@ zone "nsec3.optout.example" { type primary; file "nsec3.optout.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy optout; }; @@ -219,6 +228,7 @@ zone "optout.optout.example" { type primary; file "optout.optout.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy optout; }; @@ -226,6 +236,7 @@ zone "rsasha256.example" { type primary; file "rsasha256.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy rsasha256; }; @@ -233,6 +244,7 @@ zone "rsasha512.example" { type primary; file "rsasha512.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy rsasha512; }; @@ -240,6 +252,7 @@ zone "nsec-only.example" { type primary; file "nsec-only.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -247,6 +260,7 @@ zone "nsec3-to-nsec.example" { type primary; file "nsec3-to-nsec.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy nsec3; }; @@ -254,6 +268,7 @@ zone "oldsigs.example" { type primary; file "oldsigs.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy jitter; sig-signing-nodes 1000; sig-signing-signatures 100; 
@@ -263,6 +278,7 @@ zone "prepub.example" { type primary; file "prepub.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -270,6 +286,7 @@ zone "ttl1.example" { type primary; file "ttl1.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -277,6 +294,7 @@ zone "ttl2.example" { type primary; file "ttl2.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -284,6 +302,7 @@ zone "ttl3.example" { type primary; file "ttl3.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -291,6 +310,7 @@ zone "ttl4.example" { type primary; file "ttl4.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -303,6 +323,7 @@ zone "nozsk.example" { type primary; file "nozsk.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -310,6 +331,7 @@ zone "inaczsk.example" { type primary; file "inaczsk.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -317,6 +339,7 @@ zone "noksk.example" { type primary; file "noksk.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -324,6 +347,7 @@ zone "sync.example" { type primary; file "sync.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy sync; }; @@ -338,6 +362,7 @@ zone "inaczsk2.example" { type primary; file "inaczsk2.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy autosign; }; @@ -345,6 +370,7 @@ zone "delzsk.example." { type primary; file "delzsk.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy nsec3; }; @@ -352,6 +378,7 @@ zone "dname-at-apex-nsec3.example" { type primary; file "dname-at-apex-nsec3.example.db"; allow-update { any; }; + inline-signing no; dnssec-policy nsec3; }; diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf index 384fcfe34b..28210cfc69 100644 
--- a/bin/tests/system/checkconf/good-kasp.conf +++ b/bin/tests/system/checkconf/good-kasp.conf @@ -21,6 +21,7 @@ dnssec-policy "test" { cds-digest-types { "sha-256"; }; + inline-signing yes; dnskey-ttl 3600; keys { ksk key-directory lifetime P1Y algorithm ecdsa256; @@ -44,7 +45,6 @@ options { zone "example1" { type primary; file "example1.db"; - inline-signing yes; }; zone "example2" { type primary; @@ -57,7 +57,6 @@ zone "example2" { zone "example3" { type primary; file "example3.db"; - inline-signing yes; dnssec-policy "default"; }; zone "dnssec-policy-none-shared-zonefile1" { diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in index a6e8b3a5b9..61cc6d410d 100644 --- a/bin/tests/system/kasp/ns3/named-fips.conf.in +++ b/bin/tests/system/kasp/ns3/named-fips.conf.in @@ -133,7 +133,7 @@ zone "secondary.kasp" { zone "dynamic.kasp" { type primary; file "dynamic.kasp.db"; - dnssec-policy "default"; + dnssec-policy "default-dynamic"; allow-update { any; }; }; diff --git a/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in index 90a92a223c..320f221252 100644 --- a/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in +++ b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in @@ -19,6 +19,10 @@ dnssec-policy "unlimited" { }; }; +dnssec-policy "default-dynamic" { + inline-signing no; +}; + dnssec-policy "manual-rollover" { dnskey-ttl 3600; diff --git a/bin/tests/system/kasp/ns4/named.conf.in b/bin/tests/system/kasp/ns4/named.conf.in index 459ea73a89..0871546af5 100644 --- a/bin/tests/system/kasp/ns4/named.conf.in +++ b/bin/tests/system/kasp/ns4/named.conf.in @@ -155,6 +155,7 @@ view "example1" { zone "example.net" { type primary; + inline-signing no; file "example1.db"; }; }; diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in index d20bf7194a..cb82b0b6c6 100644 --- a/bin/tests/system/kasp/ns6/named.conf.in 
+++ b/bin/tests/system/kasp/ns6/named.conf.in @@ -59,6 +59,7 @@ zone "step1.going-insecure-dynamic.kasp" { type primary; file "step1.going-insecure-dynamic.kasp.db"; dnssec-policy "unsigning"; + inline-signing no; allow-update { any; }; }; diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in index 13a57f91f7..2fa5b80383 100644 --- a/bin/tests/system/kasp/ns6/named2.conf.in +++ b/bin/tests/system/kasp/ns6/named2.conf.in @@ -65,6 +65,7 @@ zone "step2.going-insecure.kasp" { zone "step1.going-insecure-dynamic.kasp" { type primary; file "step1.going-insecure-dynamic.kasp.db"; + inline-signing no; dnssec-policy "insecure"; allow-update { any; }; }; @@ -72,6 +73,7 @@ zone "step1.going-insecure-dynamic.kasp" { zone "step2.going-insecure-dynamic.kasp" { type primary; file "step2.going-insecure-dynamic.kasp.db"; + inline-signing no; dnssec-policy "insecure"; allow-update { any; }; }; diff --git a/bin/tests/system/nsec3/ns3/named-fips.conf.in b/bin/tests/system/nsec3/ns3/named-fips.conf.in index 183b31590a..14c09ebe88 100644 --- a/bin/tests/system/nsec3/ns3/named-fips.conf.in +++ b/bin/tests/system/nsec3/ns3/named-fips.conf.in @@ -94,6 +94,7 @@ zone "nsec3-change.kasp" { zone "nsec3-dynamic-change.kasp" { type primary; file "nsec3-dynamic-change.kasp.db"; + inline-signing no; dnssec-policy "nsec3"; allow-update { any; }; }; @@ -132,10 +133,11 @@ zone "nsec3-fails-to-load.kasp" { /* These zones switch from dynamic to inline-signing or vice versa. */ zone "nsec3-dynamic-to-inline.kasp" { - type primary; - file "nsec3-dynamic-to-inline.kasp.db"; - dnssec-policy "nsec3"; - allow-update { any; }; + type primary; + file "nsec3-dynamic-to-inline.kasp.db"; + inline-signing no; + dnssec-policy "nsec3"; + allow-update { any; }; }; zone "nsec3-inline-to-dynamic.kasp" { diff --git a/bin/tests/system/nsec3/ns3/named2-fips.conf.in b/bin/tests/system/nsec3/ns3/named2-fips.conf.in index ef7afeb8ad..1ff5925d46 100644 
--- a/bin/tests/system/nsec3/ns3/named2-fips.conf.in +++ b/bin/tests/system/nsec3/ns3/named2-fips.conf.in @@ -97,6 +97,7 @@ zone "nsec3-dynamic-change.kasp" { type primary; file "nsec3-dynamic-change.kasp.db"; //dnssec-policy "nsec3"; + inline-signing no; dnssec-policy "nsec3-other"; allow-update { any; }; }; diff --git a/bin/tests/system/nsupdate/ns3/named.conf.in b/bin/tests/system/nsupdate/ns3/named.conf.in index 7628532924..66c874ab0c 100644 --- a/bin/tests/system/nsupdate/ns3/named.conf.in +++ b/bin/tests/system/nsupdate/ns3/named.conf.in @@ -35,6 +35,10 @@ controls { inet 10.53.0.3 port @CONTROLPORT@ allow { any; } keys { rndc_key; }; }; +dnssec-policy "default-dynamic" { + inline-signing no; +}; + zone "example" { type primary; allow-update { any; }; @@ -84,6 +88,6 @@ zone "too-big.test" { zone "multisigner.test" { type primary; allow-update { any; }; - dnssec-policy "default"; + dnssec-policy "default-dynamic"; file "multisigner.test.db"; }; diff --git a/bin/tests/system/statschannel/ns2/named.conf.in b/bin/tests/system/statschannel/ns2/named.conf.in index c2f81afb9e..342d03b561 100644 --- a/bin/tests/system/statschannel/ns2/named.conf.in +++ b/bin/tests/system/statschannel/ns2/named.conf.in @@ -38,6 +38,7 @@ controls { }; dnssec-policy "dnssec" { + inline-signing no; keys { ksk lifetime unlimited algorithm @DEFAULT_ALGORITHM@; zsk lifetime unlimited algorithm @DEFAULT_ALGORITHM@; @@ -45,6 +46,7 @@ dnssec-policy "dnssec" { }; dnssec-policy "manykeys" { + inline-signing no; keys { ksk lifetime unlimited algorithm 8; zsk lifetime unlimited algorithm 8; diff --git a/bin/tests/system/statschannel/ns2/named2.conf.in b/bin/tests/system/statschannel/ns2/named2.conf.in index 2f2fd74c6f..c726ae4220 100644 --- a/bin/tests/system/statschannel/ns2/named2.conf.in +++ b/bin/tests/system/statschannel/ns2/named2.conf.in 
@@ -45,6 +45,7 @@ dnssec-policy "dnssec" { }; dnssec-policy "manykeys" { + inline-signing no; keys { ksk lifetime unlimited algorithm 8; zsk lifetime unlimited algorithm 8; diff --git a/doc/misc/dnssec-policy.default.conf b/doc/misc/dnssec-policy.default.conf index 785a36c02e..cd033c1760 100644 --- a/doc/misc/dnssec-policy.default.conf +++ b/doc/misc/dnssec-policy.default.conf @@ -31,6 +31,7 @@ dnssec-policy "default" { signatures-validity-dnskey 14d; // Zone parameters + inline-signing yes; max-zone-ttl 86400; zone-propagation-delay 300; diff --git a/doc/misc/options b/doc/misc/options index ed5082403b..537da0fe24 100644 --- a/doc/misc/options +++ b/doc/misc/options @@ -14,6 +14,7 @@ dnssec-policy { cdnskey ; cds-digest-types { ; ... }; dnskey-ttl ; + inline-signing ; keys { ( csk | ksk | zsk ) [ ( key-directory ) ] lifetime algorithm [ ]; ... }; max-zone-ttl ; nsec3param [ iterations ] [ optout ] [ salt-length ]; diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h index 347e3ff746..88b6157233 100644 --- a/lib/dns/include/dns/kasp.h +++ b/lib/dns/include/dns/kasp.h @@ -103,6 +103,7 @@ struct dns_kasp { /* Zone settings */ dns_ttl_t zone_max_ttl; uint32_t zone_propagation_delay; + bool inline_signing; /* Parent settings */ dns_ttl_t parent_ds_ttl; @@ -389,6 +390,30 @@ dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value); *\li 'kasp' is a valid, thawed kasp. */ +bool +dns_kasp_inlinesigning(dns_kasp_t *kasp); +/*%< + * Should we use inline-signing for this DNSSEC policy? + * + * Requires: + * + *\li 'kasp' is a valid, frozen kasp. + * + * Returns: + * + *\li true or false. + */ + +void +dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value); +/*%< + * Set inline-signing. + * + * Requires: + * + *\li 'kasp' is a valid, thawed kasp. + */ + dns_ttl_t dns_kasp_zonemaxttl(dns_kasp_t *kasp); /*%< diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c index 792dcfe927..c6fa9aa8ab 100644 --- a/lib/dns/kasp.c +++ b/lib/dns/kasp.c 
@@ -247,6 +247,22 @@ dns_kasp_setretiresafety(dns_kasp_t *kasp, uint32_t value) { kasp->retire_safety = value; } +bool +dns_kasp_inlinesigning(dns_kasp_t *kasp) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(kasp->frozen); + + return (kasp->inline_signing); +} + +void +dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value) { + REQUIRE(DNS_KASP_VALID(kasp)); + REQUIRE(!kasp->frozen); + + kasp->inline_signing = value; +} + dns_ttl_t dns_kasp_zonemaxttl(dns_kasp_t *kasp) { REQUIRE(DNS_KASP_VALID(kasp)); diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c index 03d1a1fa68..19365fdc06 100644 --- a/lib/isccfg/kaspconf.c +++ b/lib/isccfg/kaspconf.c @@ -360,6 +360,8 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp, const cfg_obj_t *koptions = NULL; const cfg_obj_t *keys = NULL; const cfg_obj_t *nsec3 = NULL; + const cfg_obj_t *inlinesigning = NULL; + const cfg_obj_t *cds = NULL; const cfg_obj_t *obj = NULL; const cfg_listelt_t *element = NULL; const char *kaspname = NULL; @@ -446,6 +448,14 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp, } /* Configuration: Zone settings */ + (void)confget(maps, "inline-signing", &inlinesigning); + if (inlinesigning != NULL && cfg_obj_isboolean(inlinesigning)) { + dns_kasp_setinlinesigning(kasp, + cfg_obj_asboolean(inlinesigning)); + } else { + dns_kasp_setinlinesigning(kasp, true); + } + maxttl = get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL); dns_kasp_setzonemaxttl(kasp, maxttl); @@ -470,10 +480,9 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp, dns_kasp_setcdnskey(kasp, true); } - obj = NULL; - (void)confget(maps, "cds-digest-types", &obj); - if (obj != NULL) { - for (element = cfg_list_first(obj); element != NULL; + (void)confget(maps, "cds-digest-types", &cds); + if (cds != NULL) { + for (element = cfg_list_first(cds); element != NULL; element = cfg_list_next(element)) { result = add_digest(kasp, cfg_listelt_value(element), 
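Review bot: The fallback `dns_kasp_setinlinesigning(kasp, true);` in cfg_kasp_fromconfig hardcodes the inline-signing default, and the same default is encoded independently as the literal `inline-signing yes;` in the built-in policies in bin/named/config.c (first hunk of this patch) and as `kasp_inlinesigning = true;` in check_zoneconf (patch 2, lib/isccfg/check.c). The neighbouring zone setting takes its default from a `DNS_KASP_*` macro (`DNS_KASP_ZONE_MAXTTL` two lines below), so a single named default in kasp.h — a proposed `DNS_KASP_INLINE_SIGNING`, used by all three sites — would stop them drifting apart. If confget already falls back to the default policy's options as the other settings do, the else branch should only be reached when neither the policy nor the built-in default sets the clause; a one-line comment saying which case that is would help readers.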
diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c index 64517d33b1..23da61eb61 100644 --- a/lib/isccfg/namedconf.c +++ b/lib/isccfg/namedconf.c @@ -2208,6 +2208,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = { { "cdnskey", &cfg_type_boolean, 0 }, { "cds-digest-types", &cfg_type_algorithmlist, 0 }, { "dnskey-ttl", &cfg_type_duration, 0 }, + { "inline-signing", &cfg_type_boolean, 0 }, { "keys", &cfg_type_kaspkeys, 0 }, { "max-zone-ttl", &cfg_type_duration, 0 }, { "nsec3param", &cfg_type_nsec3, 0 }, From 495597a91b42e2607e393f375fdc29fe6249350c Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Fri, 9 Dec 2022 12:22:49 +0100 Subject: [PATCH 2/5] Update inline-signing checkconf code When using automated DNSSEC management, it is required that the zone is dynamic, or that inline-signing is enabled (or both). Update the checkconf code to also allow inline-signing to be enabled within dnssec-policy. --- .../checkconf/bad-kasp-inline-signing.conf | 25 +++++++++++++++++++ bin/tests/system/checkconf/bad-noddns.conf | 6 ++++- bin/tests/system/checkconf/good-kasp.conf | 2 +- bin/tests/system/kasp/ns6/named.conf.in | 1 + bin/tests/system/kasp/ns6/named2.conf.in | 1 + bin/tests/system/zonechecks/ns1/named.conf.in | 1 + lib/isccfg/check.c | 23 +++++++++++++++++ 7 files changed, 57 insertions(+), 2 deletions(-) create mode 100644 bin/tests/system/checkconf/bad-kasp-inline-signing.conf diff --git a/bin/tests/system/checkconf/bad-kasp-inline-signing.conf b/bin/tests/system/checkconf/bad-kasp-inline-signing.conf new file mode 100644 index 0000000000..178be5e11e --- /dev/null +++ b/bin/tests/system/checkconf/bad-kasp-inline-signing.conf 
@@ -0,0 +1,25 @@ +/* + * Copyright (C) Internet Systems Consortium, Inc. ("ISC") + * + * SPDX-License-Identifier: MPL-2.0 + * + * This Source Code Form is subject to the terms of the Mozilla Public + * License, v. 2.0. If a copy of the MPL was not distributed with this + * file, you can obtain one at https://mozilla.org/MPL/2.0/. + * + * See the COPYRIGHT file distributed with this work for additional + * information regarding copyright ownership. + */ + +/* + * inline-signing is a boolean value. + */ +dnssec-policy "inline" { + inline-signing never-ever; +}; + +zone "." { + type primary; + file "root.db"; + dnssec-policy "inline"; +}; diff --git a/bin/tests/system/checkconf/bad-noddns.conf b/bin/tests/system/checkconf/bad-noddns.conf index 76435bc6e6..203bf4dda5 100644 --- a/bin/tests/system/checkconf/bad-noddns.conf +++ b/bin/tests/system/checkconf/bad-noddns.conf @@ -11,9 +11,13 @@ * information regarding copyright ownership. */ +dnssec-policy "test" { + inline-signing no; +}; + zone example { type primary; file "example.db"; - dnssec-policy default; + dnssec-policy test; allow-update { none; }; }; diff --git a/bin/tests/system/checkconf/good-kasp.conf b/bin/tests/system/checkconf/good-kasp.conf index 28210cfc69..fb3fceab0a 100644 --- a/bin/tests/system/checkconf/good-kasp.conf +++ b/bin/tests/system/checkconf/good-kasp.conf @@ -21,8 +21,8 @@ dnssec-policy "test" { cds-digest-types { "sha-256"; }; - inline-signing yes; dnskey-ttl 3600; + inline-signing yes; keys { ksk key-directory lifetime P1Y algorithm ecdsa256; zsk lifetime P30D algorithm 13; diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in index cb82b0b6c6..a4b9ef8af7 100644 --- a/bin/tests/system/kasp/ns6/named.conf.in +++ b/bin/tests/system/kasp/ns6/named.conf.in 
@@ -73,6 +73,7 @@ zone "step1.going-straight-to-none.kasp" { zone "step1.going-straight-to-none-dynamic.kasp" { type primary; file "step1.going-straight-to-none-dynamic.kasp.db.signed"; + inline-signing no; dnssec-policy "default"; allow-update { any; }; }; diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in index 2fa5b80383..5edcbcbe77 100644 --- a/bin/tests/system/kasp/ns6/named2.conf.in +++ b/bin/tests/system/kasp/ns6/named2.conf.in @@ -87,6 +87,7 @@ zone "step1.going-straight-to-none.kasp" { zone "step1.going-straight-to-none-dynamic.kasp" { type primary; file "step1.going-straight-to-none-dynamic.kasp.db.signed"; + inline-signing no; dnssec-policy "none"; allow-update { any; }; }; diff --git a/bin/tests/system/zonechecks/ns1/named.conf.in b/bin/tests/system/zonechecks/ns1/named.conf.in index efb11b01d8..6821500147 100644 --- a/bin/tests/system/zonechecks/ns1/named.conf.in +++ b/bin/tests/system/zonechecks/ns1/named.conf.in @@ -36,6 +36,7 @@ controls { }; dnssec-policy "zonechecks" { + inline-signing no; keys { ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; zsk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; diff --git a/lib/isccfg/check.c b/lib/isccfg/check.c index af53af5aa9..44be487daa 100644 --- a/lib/isccfg/check.c +++ b/lib/isccfg/check.c @@ -2793,6 +2793,7 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, bool dlz; bool ddns = false; bool has_dnssecpolicy = false; + bool kasp_inlinesigning = false; const void *clauses = NULL; const char *option = NULL; const char *kaspname = NULL; 
@@ -3038,10 +3039,13 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, kaspname = cfg_obj_asstring(obj); if (strcmp(kaspname, "default") == 0) { has_dnssecpolicy = true; + kasp_inlinesigning = true; } else if (strcmp(kaspname, "insecure") == 0) { has_dnssecpolicy = true; + kasp_inlinesigning = true; } else if (strcmp(kaspname, "none") == 0) { has_dnssecpolicy = false; + kasp_inlinesigning = false; } else { (void)cfg_map_get(config, "dnssec-policy", &kasps); for (element = cfg_list_first(kasps); element != NULL; @@ -3052,7 +3056,24 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, if (strcmp(kaspname, cfg_obj_asstring(kobj)) == 0) { + const cfg_obj_t *inlinesigning = NULL; + const cfg_obj_t *kopt = cfg_tuple_get( + cfg_listelt_value(element), + "options"); + if (cfg_map_get(kopt, "inline-signing", + &inlinesigning) == + ISC_R_SUCCESS) + { + kasp_inlinesigning = + cfg_obj_asboolean( + inlinesigning); + } else { + /* By default true */ + kasp_inlinesigning = true; + } + has_dnssecpolicy = true; + break; } } @@ -3369,6 +3390,8 @@ check_zoneconf(const cfg_obj_t *zconfig, const cfg_obj_t *voptions, res1 = cfg_map_get(zoptions, "inline-signing", &obj); if (res1 == ISC_R_SUCCESS) { signing = cfg_obj_asboolean(obj); + } else if (has_dnssecpolicy) { + signing = kasp_inlinesigning; } if (has_dnssecpolicy) { From 62ddc3dca08f94bb47ee4cd14cb0ec39d7fa218a Mon Sep 17 00:00:00 2001 
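Review bot: The inline-signing lookup inside the kasp loop in check_zoneconf is nested four levels deep with every call wrapped across lines, and it reads the value with an unguarded `cfg_obj_asboolean` while named_zone_inlinesigning (patch 1, zoneconf.c) guards the same clause with `cfg_obj_isboolean`; both are safe because namedconf.c types the clause as `cfg_type_boolean`, but the two sites should agree. Extracting the lookup into a small static helper keeps the loop body to three lines and gives the `/* By default true */` comment a proper home. check_zoneconf begins and ends outside this hunk.
```c
/*
 * Return the inline-signing value of a dnssec-policy clause, or the
 * default (true) when the clause does not set it.
 */
static bool
policy_inlinesigning(const cfg_obj_t *kasp) {
	const cfg_obj_t *kopt = cfg_tuple_get(kasp, "options");
	const cfg_obj_t *obj = NULL;

	if (cfg_map_get(kopt, "inline-signing", &obj) == ISC_R_SUCCESS) {
		return (cfg_obj_asboolean(obj));
	}
	return (true);
}

/* … unchanged: check_zoneconf up to the kasp loop … */
			if (strcmp(kaspname, cfg_obj_asstring(kobj)) == 0) {
				kasp_inlinesigning = policy_inlinesigning(
					cfg_listelt_value(element));
				has_dnssecpolicy = true;
				break;
			}
```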
From: Matthijs Mekking Date: Mon, 3 Apr 2023 17:13:34 +0200 Subject: [PATCH 3/5] Remove redundant inline-signing lines from tests Now that inline-signing is explicitly set in dnssec-policy, remove the redundant "inline-signing yes;" lines from the system tests. --- .../system/checkconf/good-key-directory.conf | 3 - bin/tests/system/checkconf/good.conf.in | 12 ---- .../system/checkconf/kasp-bad-nsec3-iter.conf | 1 - .../kasp-bad-signatures-refresh.conf | 2 - .../system/checkconf/kasp-ignore-keylen.conf | 1 - bin/tests/system/checkconf/kasp-warning.conf | 3 - bin/tests/system/checkds/ns9/named.conf.in | 33 ----------- bin/tests/system/kasp/ns2/named.conf.in | 1 - bin/tests/system/kasp/ns3/ed25519.conf | 1 - bin/tests/system/kasp/ns3/ed448.conf | 1 - bin/tests/system/kasp/ns3/named-fips.conf.in | 59 ------------------- bin/tests/system/kasp/ns3/named.conf.in | 2 - .../kasp/ns3/policies/kasp-fips.conf.in | 1 + bin/tests/system/kasp/ns4/named.conf.in | 6 -- bin/tests/system/kasp/ns5/named.conf.in | 4 -- bin/tests/system/kasp/ns6/named.conf.in | 5 -- bin/tests/system/kasp/ns6/named2.conf.in | 16 ----- bin/tests/system/nsec3/ns2/named.conf.in | 1 - bin/tests/system/nsec3/ns3/named-fips.conf.in | 10 ---- bin/tests/system/nsec3/ns3/named.conf.in | 4 -- .../system/nsec3/ns3/named2-fips.conf.in | 8 --- bin/tests/system/nsec3/ns3/named2.conf.in | 4 -- 22 files changed, 1 insertion(+), 177 deletions(-) diff --git a/bin/tests/system/checkconf/good-key-directory.conf b/bin/tests/system/checkconf/good-key-directory.conf index 45befffa32..07deb28993 100644 --- a/bin/tests/system/checkconf/good-key-directory.conf +++ b/bin/tests/system/checkconf/good-key-directory.conf @@ -46,7 +46,6 @@ view "localhost" { type primary; file "localhost/example.com.zone"; dnssec-policy "localhost"; - inline-signing yes; }; }; @@ -57,7 +56,6 @@ view "external" { type primary; file "external/example.com.zone"; dnssec-policy "internet"; - inline-signing yes; }; }; 
@@ -68,6 +66,5 @@ view "internal" { type primary; file "internal/example.com.zone"; dnssec-policy "intranet"; - inline-signing yes; }; }; diff --git a/bin/tests/system/checkconf/good.conf.in b/bin/tests/system/checkconf/good.conf.in index 2ba4a0738e..7d1f6b8576 100644 --- a/bin/tests/system/checkconf/good.conf.in +++ b/bin/tests/system/checkconf/good.conf.in @@ -104,7 +104,6 @@ view "first" { zone "clone" { type primary; file "yyy"; - inline-signing yes; max-ixfr-ratio unlimited; }; dnssec-validation auto; @@ -168,12 +167,10 @@ view "third" { zone "p" { type primary; file "pfile"; - inline-signing yes; }; zone "s" { type secondary; file "sfile"; - inline-signing yes; primaries { 1.2.3.4; }; @@ -185,7 +182,6 @@ view "fourth" { type primary; checkds explicit; file "dnssec-test.db"; - inline-signing yes; parental-agents { 1.2.3.4; 1.2.3.5; @@ -196,7 +192,6 @@ view "fourth" { zone "dnssec-default" { type primary; file "dnssec-default.db"; - inline-signing yes; parental-agents { "parents"; }; @@ -206,7 +201,6 @@ view "fourth" { type primary; checkds no; file "dnssec-inherit.db"; - inline-signing yes; }; zone "dnssec-none" { type primary; @@ -217,13 +211,11 @@ view "fourth" { type primary; checkds yes; file "dnssec-view41.db"; - inline-signing yes; dnssec-policy "test"; }; zone "dnssec-view2" { type primary; file "dnssec-view42.db"; - inline-signing yes; }; zone "dnssec-view3" { type primary; @@ -243,20 +235,17 @@ view "fifth" { zone "dnssec-view1" { type primary; file "dnssec-view51.db"; - inline-signing yes; dnssec-policy "test"; }; zone "dnssec-view2" { type primary; file "dnssec-view52.db"; - inline-signing yes; dnssec-policy "test"; key-directory "keys"; }; zone "dnssec-view3" { type primary; file "dnssec-view53.db"; - inline-signing yes; dnssec-policy "default"; key-directory "keys"; }; @@ -271,7 +260,6 @@ view "chaos" chaos { zone "hostname.bind" chaos { type primary; database "_builtin hostname"; - inline-signing yes; }; }; dyndb "name" "library.so" { 
diff --git a/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf index a5a71d39bb..8dc710f29c 100644 --- a/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf +++ b/bin/tests/system/checkconf/kasp-bad-nsec3-iter.conf @@ -57,5 +57,4 @@ zone "example.net" { type primary; file "example.db"; dnssec-policy "default"; - inline-signing yes; }; diff --git a/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf b/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf index 197ff17d3f..dd907dddd2 100644 --- a/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf +++ b/bin/tests/system/checkconf/kasp-bad-signatures-refresh.conf @@ -34,13 +34,11 @@ dnssec-policy "bad-sigrefresh-dnskey" { zone "sigrefresh.example.net" { type primary; file "sigrefresh.example.db"; - inline-signing yes; dnssec-policy "bad-sigrefresh"; }; zone "dnskey.example.net" { type primary; file "dnskey.example.db"; - inline-signing yes; dnssec-policy "bad-sigrefresh-dnskey"; }; diff --git a/bin/tests/system/checkconf/kasp-ignore-keylen.conf b/bin/tests/system/checkconf/kasp-ignore-keylen.conf index c9787d4180..fae3e4120d 100644 --- a/bin/tests/system/checkconf/kasp-ignore-keylen.conf +++ b/bin/tests/system/checkconf/kasp-ignore-keylen.conf @@ -22,6 +22,5 @@ zone "example.net" { type primary; file "example.db"; dnssec-policy "warn-length"; - inline-signing yes; }; diff --git a/bin/tests/system/checkconf/kasp-warning.conf b/bin/tests/system/checkconf/kasp-warning.conf index 41b6d6f27c..4c05b5ad02 100644 --- a/bin/tests/system/checkconf/kasp-warning.conf +++ b/bin/tests/system/checkconf/kasp-warning.conf 
@@ -42,21 +42,18 @@ dnssec-policy "warn3" { zone "warn1.example.net" { type primary; file "warn1.example.db"; - inline-signing yes; dnssec-policy "warn1"; }; zone "warn2.example.net" { type primary; file "warn2.example.db"; - inline-signing yes; dnssec-policy "warn2"; }; zone "warn3.example.net" { type primary; file "warn3.example.db"; - inline-signing yes; dnssec-policy "warn3"; }; diff --git a/bin/tests/system/checkds/ns9/named.conf.in b/bin/tests/system/checkds/ns9/named.conf.in index 9f3ab8816c..54dea08527 100644 --- a/bin/tests/system/checkds/ns9/named.conf.in +++ b/bin/tests/system/checkds/ns9/named.conf.in @@ -54,7 +54,6 @@ zone "." { zone "good.explicit.dspublish.ns2" { type primary; file "good.explicit.dspublish.ns2.db"; - inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.8 port @PORT@; }; }; @@ -63,7 +62,6 @@ zone "good.explicit.dspublish.ns2" { zone "reference.explicit.dspublish.ns2" { type primary; file "reference.explicit.dspublish.ns2.db"; - inline-signing yes; dnssec-policy "default"; parental-agents { "ns8"; }; }; @@ -72,7 +70,6 @@ zone "reference.explicit.dspublish.ns2" { zone "resolver.explicit.dspublish.ns2" { type primary; file "resolver.explicit.dspublish.ns2.db"; - inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.3 port @PORT@; @@ -83,7 +80,6 @@ zone "resolver.explicit.dspublish.ns2" { zone "good.yes.dspublish.ns2" { type primary; file "good.yes.dspublish.ns2.db"; - inline-signing yes; dnssec-policy "default"; }; @@ -91,7 +87,6 @@ zone "good.yes.dspublish.ns2" { zone "good.no.dspublish.ns2" { type primary; file "good.no.dspublish.ns2.db"; - inline-signing yes; dnssec-policy "default"; checkds no; }; @@ -100,7 +95,6 @@ zone "good.no.dspublish.ns2" { zone "no-ent.ns2" { type primary; file "no-ent.ns2.db"; - inline-signing yes; dnssec-policy "default"; }; 
@@ -112,7 +106,6 @@ zone "no-ent.ns2" { zone "not-yet.explicit.dspublish.ns5" { type primary; file "not-yet.explicit.dspublish.ns5.db"; - inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.5 port @PORT@; // missing @@ -122,7 +115,6 @@ zone "not-yet.explicit.dspublish.ns5" { zone "not-yet.yes.dspublish.ns5" { type primary; file "not-yet.yes.dspublish.ns5.db"; - inline-signing yes; dnssec-policy "default"; }; @@ -134,7 +126,6 @@ zone "not-yet.yes.dspublish.ns5" { zone "bad.explicit.dspublish.ns6" { type primary; file "bad.explicit.dspublish.ns6.db"; - inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.6 port @PORT@; // bad @@ -144,7 +135,6 @@ zone "bad.explicit.dspublish.ns6" { zone "bad.yes.dspublish.ns6" { type primary; file "bad.yes.dspublish.ns6.db"; - inline-signing yes; dnssec-policy "default"; }; @@ -163,7 +153,6 @@ zone "bad.yes.dspublish.ns6" { zone "good.explicit.dspublish.ns2-4" { type primary; file "good.explicit.dspublish.ns2-4.db"; - inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.8 port @PORT@; @@ -174,14 +163,12 @@ zone "good.explicit.dspublish.ns2-4" { zone "good.yes.dspublish.ns2-4" { type primary; file "good.yes.dspublish.ns2-4.db"; - inline-signing yes; dnssec-policy "default"; }; zone "good.no.dspublish.ns2-4" { type primary; file "good.no.dspublish.ns2-4.db"; - inline-signing yes; dnssec-policy "default"; checkds no; }; @@ -194,7 +181,6 @@ zone "good.no.dspublish.ns2-4" { zone "incomplete.explicit.dspublish.ns2-4-5" { type primary; file "incomplete.explicit.dspublish.ns2-4-5.db"; - inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.8 port @PORT@; @@ -206,7 +192,6 @@ zone "incomplete.explicit.dspublish.ns2-4-5" { zone "incomplete.yes.dspublish.ns2-4-5" { type primary; file "incomplete.yes.dspublish.ns2-4-5.db"; - inline-signing yes; dnssec-policy "default"; }; 
@@ -218,7 +203,6 @@ zone "incomplete.yes.dspublish.ns2-4-5" { zone "bad.explicit.dspublish.ns2-4-6" { type primary; file "bad.explicit.dspublish.ns2-4-6.db"; - inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.8 port @PORT@; @@ -230,7 +214,6 @@ zone "bad.explicit.dspublish.ns2-4-6" { zone "bad.yes.dspublish.ns2-4-6" { type primary; file "bad.yes.dspublish.ns2-4-6.db"; - inline-signing yes; dnssec-policy "default"; }; @@ -253,7 +236,6 @@ zone "bad.yes.dspublish.ns2-4-6" { zone "good.explicit.dsremoved.ns5" { type primary; file "good.explicit.dsremoved.ns5.db"; - inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.10 port @PORT@; }; }; @@ -261,7 +243,6 @@ zone "good.explicit.dsremoved.ns5" { zone "resolver.explicit.dsremoved.ns5" { type primary; file "resolver.explicit.dsremoved.ns5.db"; - inline-signing yes; dnssec-policy "default"; parental-agents { 10.53.0.3 port @PORT@; @@ -271,14 +252,12 @@ zone "resolver.explicit.dsremoved.ns5" { zone "good.yes.dsremoved.ns5" { type primary; file "good.yes.dsremoved.ns5.db"; - inline-signing yes; dnssec-policy "insecure"; }; zone "good.no.dsremoved.ns5" { type primary; file "good.no.dsremoved.ns5.db"; - inline-signing yes; dnssec-policy "insecure"; checkds no; }; @@ -286,7 +265,6 @@ zone "good.no.dsremoved.ns5" { zone "no-ent.ns5" { type primary; file "no-ent.ns5.db"; - inline-signing yes; dnssec-policy "default"; }; @@ -298,7 +276,6 @@ zone "no-ent.ns5" { zone "still-there.explicit.dsremoved.ns2" { type primary; file "still-there.explicit.dsremoved.ns2.db"; - inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.2 port @PORT@; // still published @@ -308,7 +285,6 @@ zone "still-there.explicit.dsremoved.ns2" { zone "still-there.yes.dsremoved.ns2" { type primary; file "still-there.yes.dsremoved.ns2.db"; - inline-signing yes; dnssec-policy "insecure"; }; 
@@ -320,7 +296,6 @@ zone "still-there.yes.dsremoved.ns2" { zone "bad.explicit.dsremoved.ns6" { type primary; file "bad.explicit.dsremoved.ns6.db"; - inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.6 port @PORT@; // bad @@ -330,7 +305,6 @@ zone "bad.explicit.dsremoved.ns6" { zone "bad.yes.dsremoved.ns6" { type primary; file "bad.yes.dsremoved.ns6.db"; - inline-signing yes; dnssec-policy "insecure"; }; @@ -349,7 +323,6 @@ zone "bad.yes.dsremoved.ns6" { zone "good.explicit.dsremoved.ns5-7" { type primary; file "good.explicit.dsremoved.ns5-7.db"; - inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.10 port @PORT@; @@ -360,14 +333,12 @@ zone "good.explicit.dsremoved.ns5-7" { zone "good.yes.dsremoved.ns5-7" { type primary; file "good.yes.dsremoved.ns5-7.db"; - inline-signing yes; dnssec-policy "insecure"; }; zone "good.no.dsremoved.ns5-7" { type primary; file "good.no.dsremoved.ns5-7.db"; - inline-signing yes; dnssec-policy "insecure"; checkds no; }; @@ -380,7 +351,6 @@ zone "good.no.dsremoved.ns5-7" { zone "incomplete.explicit.dsremoved.ns2-5-7" { type primary; file "incomplete.explicit.dsremoved.ns2-5-7.db"; - inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.2 port @PORT@; // still published @@ -392,7 +362,6 @@ zone "incomplete.explicit.dsremoved.ns2-5-7" { zone "incomplete.yes.dsremoved.ns2-5-7" { type primary; file "incomplete.yes.dsremoved.ns2-5-7.db"; - inline-signing yes; dnssec-policy "insecure"; }; @@ -404,7 +373,6 @@ zone "incomplete.yes.dsremoved.ns2-5-7" { zone "bad.explicit.dsremoved.ns5-6-7" { type primary; file "bad.explicit.dsremoved.ns5-6-7.db"; - inline-signing yes; dnssec-policy "insecure"; parental-agents { 10.53.0.10 port @PORT@; @@ -416,7 +384,6 @@ zone "bad.explicit.dsremoved.ns5-6-7" { zone "bad.yes.dsremoved.ns5-6-7" { type primary; file "bad.yes.dsremoved.ns5-6-7.db"; - inline-signing yes; dnssec-policy "insecure"; }; 
diff --git a/bin/tests/system/kasp/ns2/named.conf.in b/bin/tests/system/kasp/ns2/named.conf.in index bdbacc2c3d..b23b9d565f 100644 --- a/bin/tests/system/kasp/ns2/named.conf.in +++ b/bin/tests/system/kasp/ns2/named.conf.in @@ -49,7 +49,6 @@ zone "signed.tld" { type primary; file "signed.tld.db"; dnssec-policy "default"; - inline-signing yes; }; /* Primary service for ns3 */ diff --git a/bin/tests/system/kasp/ns3/ed25519.conf b/bin/tests/system/kasp/ns3/ed25519.conf index 999fa2f657..b64c0c8471 100644 --- a/bin/tests/system/kasp/ns3/ed25519.conf +++ b/bin/tests/system/kasp/ns3/ed25519.conf @@ -24,6 +24,5 @@ dnssec-policy "ed25519" { zone "ed25519.kasp" { type primary; file "ed25519.kasp.db"; - inline-signing yes; dnssec-policy "ed25519"; }; diff --git a/bin/tests/system/kasp/ns3/ed448.conf b/bin/tests/system/kasp/ns3/ed448.conf index e9c8312a43..ee4c494892 100644 --- a/bin/tests/system/kasp/ns3/ed448.conf +++ b/bin/tests/system/kasp/ns3/ed448.conf @@ -24,6 +24,5 @@ dnssec-policy "ed448" { zone "ed448.kasp" { type primary; file "ed448.kasp.db"; - inline-signing yes; dnssec-policy "ed448"; }; diff --git a/bin/tests/system/kasp/ns3/named-fips.conf.in b/bin/tests/system/kasp/ns3/named-fips.conf.in index 61cc6d410d..0f1d2c1e2e 100644 --- a/bin/tests/system/kasp/ns3/named-fips.conf.in +++ b/bin/tests/system/kasp/ns3/named-fips.conf.in @@ -45,7 +45,6 @@ controls { zone "default.kasp" { type primary; file "default.kasp.db"; - inline-signing yes; dnssec-policy "default"; }; @@ -53,7 +52,6 @@ zone "default.kasp" { zone "checkds-ksk.kasp" { type primary; file "checkds-ksk.kasp.db"; - inline-signing yes; dnssec-policy "checkds-ksk"; }; @@ -61,7 +59,6 @@ zone "checkds-ksk.kasp" { zone "checkds-doubleksk.kasp" { type primary; file "checkds-doubleksk.kasp.db"; - inline-signing yes; dnssec-policy "checkds-doubleksk"; }; 
@@ -69,7 +66,6 @@ zone "checkds-doubleksk.kasp" { zone "checkds-csk.kasp" { type primary; file "checkds-csk.kasp.db"; - inline-signing yes; dnssec-policy "checkds-csk"; }; @@ -77,7 +73,6 @@ zone "checkds-csk.kasp" { zone "unlimited.kasp" { type primary; file "unlimited.kasp.db"; - inline-signing yes; dnssec-policy "unlimited"; }; @@ -85,14 +80,12 @@ zone "unlimited.kasp" { zone "manual-rollover.kasp" { type primary; file "manual-rollover.kasp.db"; - inline-signing yes; dnssec-policy "manual-rollover"; }; /* A zone that inherits dnssec-policy. */ zone "inherit.kasp" { type primary; - inline-signing yes; file "inherit.kasp.db"; }; @@ -100,7 +93,6 @@ zone "inherit.kasp" { zone "unsigned.kasp" { type primary; file "unsigned.kasp.db"; - inline-signing yes; dnssec-policy "none"; }; @@ -108,7 +100,6 @@ zone "unsigned.kasp" { zone "insecure.kasp" { type primary; file "insecure.kasp.db"; - inline-signing yes; dnssec-policy "insecure"; }; @@ -116,7 +107,6 @@ zone "insecure.kasp" { zone "dnssec-keygen.kasp" { type primary; file "dnssec-keygen.kasp.db"; - inline-signing yes; dnssec-policy "rsasha256"; }; @@ -125,7 +115,6 @@ zone "secondary.kasp" { type secondary; primaries { 10.53.0.2; }; file "secondary.kasp.db"; - inline-signing yes; dnssec-policy "rsasha256"; }; @@ -143,7 +132,6 @@ zone "dynamic-inline-signing.kasp" { file "dynamic-inline-signing.kasp.db"; dnssec-policy "default"; allow-update { any; }; - inline-signing yes; }; /* An inline-signed zone with dnssec-policy. */ @@ -151,7 +139,6 @@ zone "inline-signing.kasp" { type primary; file "inline-signing.kasp.db"; dnssec-policy "default"; - inline-signing yes; }; /* @@ -160,7 +147,6 @@ zone "inline-signing.kasp" { zone "some-keys.kasp" { type primary; file "some-keys.kasp.db"; - inline-signing yes; dnssec-policy "rsasha256"; }; @@ -170,7 +156,6 @@ zone "some-keys.kasp" { zone "legacy-keys.kasp" { type primary; file "legacy-keys.kasp.db"; - inline-signing yes; dnssec-policy "migrate-to-dnssec-policy"; }; 
@@ -180,7 +165,6 @@ zone "legacy-keys.kasp" { zone "pregenerated.kasp" { type primary; file "pregenerated.kasp.db"; - inline-signing yes; dnssec-policy "rsasha256"; }; @@ -191,7 +175,6 @@ zone "pregenerated.kasp" { zone "rumoured.kasp" { type primary; file "rumoured.kasp.db"; - inline-signing yes; dnssec-policy "rsasha256"; }; @@ -209,25 +192,21 @@ zone "multisigner-model2.kasp" { zone "rsasha256.kasp" { type primary; file "rsasha256.kasp.db"; - inline-signing yes; dnssec-policy "rsasha256"; }; zone "rsasha512.kasp" { type primary; file "rsasha512.kasp.db"; - inline-signing yes; dnssec-policy "rsasha512"; }; zone "ecdsa256.kasp" { type primary; file "ecdsa256.kasp.db"; - inline-signing yes; dnssec-policy "ecdsa256"; }; zone "ecdsa384.kasp" { type primary; file "ecdsa384.kasp.db"; - inline-signing yes; dnssec-policy "ecdsa384"; }; @@ -237,7 +216,6 @@ zone "ecdsa384.kasp" { zone "max-zone-ttl.kasp" { type primary; file "max-zone-ttl.kasp.db"; - inline-signing yes; dnssec-policy "ttl"; }; @@ -262,7 +240,6 @@ zone "three-is-a-crowd.kasp" { zone "expired-sigs.autosign" { type primary; file "expired-sigs.autosign.db"; - inline-signing yes; dnssec-policy "autosign"; }; @@ -272,7 +249,6 @@ zone "expired-sigs.autosign" { zone "fresh-sigs.autosign" { type primary; file "fresh-sigs.autosign.db"; - inline-signing yes; dnssec-policy "autosign"; }; @@ -282,7 +258,6 @@ zone "fresh-sigs.autosign" { zone "unfresh-sigs.autosign" { type primary; file "unfresh-sigs.autosign.db"; - inline-signing yes; dnssec-policy "autosign"; }; @@ -292,7 +267,6 @@ zone "unfresh-sigs.autosign" { zone "ksk-missing.autosign" { type primary; file "ksk-missing.autosign.db"; - inline-signing yes; dnssec-policy "autosign"; }; @@ -302,7 +276,6 @@ zone "ksk-missing.autosign" { zone "zsk-missing.autosign" { type primary; file "zsk-missing.autosign.db"; - inline-signing yes; dnssec-policy "autosign"; }; 
@@ -312,7 +285,6 @@ zone "zsk-missing.autosign" { zone "zsk-retired.autosign" { type primary; file "zsk-retired.autosign.db"; - inline-signing yes; dnssec-policy "autosign"; }; @@ -322,25 +294,21 @@ zone "zsk-retired.autosign" { zone "step1.enable-dnssec.autosign" { type primary; file "step1.enable-dnssec.autosign.db"; - inline-signing yes; dnssec-policy "enable-dnssec"; }; zone "step2.enable-dnssec.autosign" { type primary; file "step2.enable-dnssec.autosign.db"; - inline-signing yes; dnssec-policy "enable-dnssec"; }; zone "step3.enable-dnssec.autosign" { type primary; file "step3.enable-dnssec.autosign.db"; - inline-signing yes; dnssec-policy "enable-dnssec"; }; zone "step4.enable-dnssec.autosign" { type primary; file "step4.enable-dnssec.autosign.db"; - inline-signing yes; dnssec-policy "enable-dnssec"; }; @@ -350,37 +318,31 @@ zone "step4.enable-dnssec.autosign" { zone "step1.zsk-prepub.autosign" { type primary; file "step1.zsk-prepub.autosign.db"; - inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step2.zsk-prepub.autosign" { type primary; file "step2.zsk-prepub.autosign.db"; - inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step3.zsk-prepub.autosign" { type primary; file "step3.zsk-prepub.autosign.db"; - inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step4.zsk-prepub.autosign" { type primary; file "step4.zsk-prepub.autosign.db"; - inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step5.zsk-prepub.autosign" { type primary; file "step5.zsk-prepub.autosign.db"; - inline-signing yes; dnssec-policy "zsk-prepub"; }; zone "step6.zsk-prepub.autosign" { type primary; file "step6.zsk-prepub.autosign.db"; - inline-signing yes; dnssec-policy "zsk-prepub"; }; 
@@ -390,37 +352,31 @@ zone "step6.zsk-prepub.autosign" { zone "step1.ksk-doubleksk.autosign" { type primary; file "step1.ksk-doubleksk.autosign.db"; - inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step2.ksk-doubleksk.autosign" { type primary; file "step2.ksk-doubleksk.autosign.db"; - inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step3.ksk-doubleksk.autosign" { type primary; file "step3.ksk-doubleksk.autosign.db"; - inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step4.ksk-doubleksk.autosign" { type primary; file "step4.ksk-doubleksk.autosign.db"; - inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step5.ksk-doubleksk.autosign" { type primary; file "step5.ksk-doubleksk.autosign.db"; - inline-signing yes; dnssec-policy "ksk-doubleksk"; }; zone "step6.ksk-doubleksk.autosign" { type primary; file "step6.ksk-doubleksk.autosign.db"; - inline-signing yes; dnssec-policy "ksk-doubleksk"; }; 
@@ -430,91 +386,76 @@ zone "step6.ksk-doubleksk.autosign" { zone "step1.csk-roll.autosign" { type primary; file "step1.csk-roll.autosign.db"; - inline-signing yes; dnssec-policy "csk-roll"; }; zone "step2.csk-roll.autosign" { type primary; file "step2.csk-roll.autosign.db"; - inline-signing yes; dnssec-policy "csk-roll"; }; zone "step3.csk-roll.autosign" { type primary; file "step3.csk-roll.autosign.db"; - inline-signing yes; dnssec-policy "csk-roll"; }; zone "step4.csk-roll.autosign" { type primary; file "step4.csk-roll.autosign.db"; - inline-signing yes; dnssec-policy "csk-roll"; }; zone "step5.csk-roll.autosign" { type primary; file "step5.csk-roll.autosign.db"; - inline-signing yes; dnssec-policy "csk-roll"; }; zone "step6.csk-roll.autosign" { type primary; file "step6.csk-roll.autosign.db"; - inline-signing yes; dnssec-policy "csk-roll"; }; zone "step7.csk-roll.autosign" { type primary; file "step7.csk-roll.autosign.db"; - inline-signing yes; dnssec-policy "csk-roll"; }; zone "step8.csk-roll.autosign" { type primary; file "step8.csk-roll.autosign.db"; - inline-signing yes; dnssec-policy "csk-roll"; }; zone "step1.csk-roll2.autosign" { type primary; file "step1.csk-roll2.autosign.db"; - inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step2.csk-roll2.autosign" { type primary; file "step2.csk-roll2.autosign.db"; - inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step3.csk-roll2.autosign" { type primary; file "step3.csk-roll2.autosign.db"; - inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step4.csk-roll2.autosign" { type primary; file "step4.csk-roll2.autosign.db"; - inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step5.csk-roll2.autosign" { type primary; file "step5.csk-roll2.autosign.db"; - inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step6.csk-roll2.autosign" { type primary; file "step6.csk-roll2.autosign.db"; - inline-signing yes; dnssec-policy "csk-roll2"; }; zone "step7.csk-roll2.autosign" { type primary; file 
"step7.csk-roll2.autosign.db"; - inline-signing yes; dnssec-policy "csk-roll2"; }; diff --git a/bin/tests/system/kasp/ns3/named.conf.in b/bin/tests/system/kasp/ns3/named.conf.in index 92e007d1e7..921ecc89d1 100644 --- a/bin/tests/system/kasp/ns3/named.conf.in +++ b/bin/tests/system/kasp/ns3/named.conf.in @@ -18,13 +18,11 @@ include "named-fips.conf"; zone "rsasha1.kasp" { type primary; file "rsasha1.kasp.db"; - inline-signing yes; dnssec-policy "rsasha1"; }; zone "rsasha1-nsec3.kasp" { type primary; file "rsasha1-nsec3.kasp.db"; - inline-signing yes; dnssec-policy "rsasha1-nsec3"; }; diff --git a/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in index 320f221252..6778bac4d3 100644 --- a/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in +++ b/bin/tests/system/kasp/ns3/policies/kasp-fips.conf.in @@ -34,6 +34,7 @@ dnssec-policy "manual-rollover" { dnssec-policy "multisigner-model2" { dnskey-ttl 3600; + inline-signing no; keys { ksk key-directory lifetime unlimited algorithm @DEFAULT_ALGORITHM@; diff --git a/bin/tests/system/kasp/ns4/named.conf.in b/bin/tests/system/kasp/ns4/named.conf.in index 0871546af5..dd245ca919 100644 --- a/bin/tests/system/kasp/ns4/named.conf.in +++ b/bin/tests/system/kasp/ns4/named.conf.in @@ -76,14 +76,12 @@ view "inherit" { zone "inherit.inherit.signed" { type primary; file "inherit.inherit.signed.db"; - inline-signing yes; }; /* Override dnssec-policy */ zone "override.inherit.signed" { type primary; file "override.inherit.signed.db"; - inline-signing yes; dnssec-policy "default"; }; @@ -103,14 +101,12 @@ view "override" { zone "inherit.override.signed" { type primary; file "inherit.override.signed.db"; - inline-signing yes; }; /* Override dnssec-policy */ zone "override.override.signed" { type primary; file "override.override.signed.db"; - inline-signing yes; dnssec-policy "test"; }; 
@@ -136,7 +132,6 @@ view "none" { zone "override.none.signed" { type primary; file "override.none.signed.db"; - inline-signing yes; dnssec-policy "test"; }; @@ -166,7 +161,6 @@ view "example2" { zone "example.net" { type primary; file "example2.db"; - inline-signing yes; }; }; diff --git a/bin/tests/system/kasp/ns5/named.conf.in b/bin/tests/system/kasp/ns5/named.conf.in index 44855b92d5..643e6494c6 100644 --- a/bin/tests/system/kasp/ns5/named.conf.in +++ b/bin/tests/system/kasp/ns5/named.conf.in @@ -67,7 +67,6 @@ view "inherit" { zone "override.inherit.unsigned" { type primary; file "override.inherit.unsigned.db"; - inline-signing yes; dnssec-policy "default"; }; @@ -87,14 +86,12 @@ view "override" { zone "inherit.override.unsigned" { type primary; file "inherit.override.unsigned.db"; - inline-signing yes; }; /* Override dnssec-policy */ zone "override.override.unsigned" { type primary; file "override.override.unsigned.db"; - inline-signing yes; dnssec-policy "test"; }; @@ -120,7 +117,6 @@ view "none" { zone "override.none.unsigned" { type primary; file "override.none.unsigned.db"; - inline-signing yes; dnssec-policy "test"; }; diff --git a/bin/tests/system/kasp/ns6/named.conf.in b/bin/tests/system/kasp/ns6/named.conf.in index a4b9ef8af7..3a3536de97 100644 --- a/bin/tests/system/kasp/ns6/named.conf.in +++ b/bin/tests/system/kasp/ns6/named.conf.in @@ -51,7 +51,6 @@ zone "dynamic2inline.kasp" { zone "step1.going-insecure.kasp" { type primary; file "step1.going-insecure.kasp.db"; - inline-signing yes; dnssec-policy "unsigning"; }; @@ -66,7 +65,6 @@ zone "step1.going-insecure-dynamic.kasp" { zone "step1.going-straight-to-none.kasp" { type primary; file "step1.going-straight-to-none.kasp.db"; - inline-signing yes; dnssec-policy "default"; }; 
@@ -82,14 +80,12 @@ zone "step1.going-straight-to-none-dynamic.kasp" { zone "step1.algorithm-roll.kasp" { type primary; file "step1.algorithm-roll.kasp.db"; - inline-signing yes; dnssec-policy "rsasha256"; }; zone "step1.csk-algorithm-roll.kasp" { type primary; file "step1.csk-algorithm-roll.kasp.db"; - inline-signing yes; dnssec-policy "csk-algoroll"; }; @@ -102,6 +98,5 @@ dnssec-policy "modified" { zone example { type primary; file "example.db"; - inline-signing yes; dnssec-policy modified; }; diff --git a/bin/tests/system/kasp/ns6/named2.conf.in b/bin/tests/system/kasp/ns6/named2.conf.in index 5edcbcbe77..9a1be143b6 100644 --- a/bin/tests/system/kasp/ns6/named2.conf.in +++ b/bin/tests/system/kasp/ns6/named2.conf.in @@ -43,7 +43,6 @@ zone "dynamic2inline.kasp" { type primary; file "dynamic2inline.kasp.db"; allow-update { any; }; - inline-signing yes; dnssec-policy "default"; }; @@ -51,14 +50,12 @@ zone "dynamic2inline.kasp" { zone "step1.going-insecure.kasp" { type primary; file "step1.going-insecure.kasp.db"; - inline-signing yes; dnssec-policy "insecure"; }; zone "step2.going-insecure.kasp" { type primary; file "step2.going-insecure.kasp.db"; - inline-signing yes; dnssec-policy "insecure"; }; 
@@ -98,42 +95,36 @@ zone "step1.going-straight-to-none-dynamic.kasp" { zone "step1.algorithm-roll.kasp" { type primary; file "step1.algorithm-roll.kasp.db"; - inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step2.algorithm-roll.kasp" { type primary; file "step2.algorithm-roll.kasp.db"; - inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step3.algorithm-roll.kasp" { type primary; file "step3.algorithm-roll.kasp.db"; - inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step4.algorithm-roll.kasp" { type primary; file "step4.algorithm-roll.kasp.db"; - inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step5.algorithm-roll.kasp" { type primary; file "step5.algorithm-roll.kasp.db"; - inline-signing yes; dnssec-policy "ecdsa256"; }; zone "step6.algorithm-roll.kasp" { type primary; file "step6.algorithm-roll.kasp.db"; - inline-signing yes; dnssec-policy "ecdsa256"; }; @@ -143,42 +134,36 @@ zone "step6.algorithm-roll.kasp" { zone "step1.csk-algorithm-roll.kasp" { type primary; file "step1.csk-algorithm-roll.kasp.db"; - inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step2.csk-algorithm-roll.kasp" { type primary; file "step2.csk-algorithm-roll.kasp.db"; - inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step3.csk-algorithm-roll.kasp" { type primary; file "step3.csk-algorithm-roll.kasp.db"; - inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step4.csk-algorithm-roll.kasp" { type primary; file "step4.csk-algorithm-roll.kasp.db"; - inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step5.csk-algorithm-roll.kasp" { type primary; file "step5.csk-algorithm-roll.kasp.db"; - inline-signing yes; dnssec-policy "csk-algoroll"; }; zone "step6.csk-algorithm-roll.kasp" { type primary; file "step6.csk-algorithm-roll.kasp.db"; - inline-signing yes; dnssec-policy "csk-algoroll"; }; @@ -191,6 +176,5 @@ dnssec-policy "modified" { zone example { type primary; file "example.db"; - inline-signing yes; dnssec-policy modified; }; 
diff --git a/bin/tests/system/nsec3/ns2/named.conf.in b/bin/tests/system/nsec3/ns2/named.conf.in index f4cc1b0e5c..924e9d26cb 100644 --- a/bin/tests/system/nsec3/ns2/named.conf.in +++ b/bin/tests/system/nsec3/ns2/named.conf.in @@ -42,6 +42,5 @@ controls { zone "nsec3-xfr-inline.kasp" { type primary; file "nsec3-xfr-inline.kasp.db"; - inline-signing yes; dnssec-policy "nsec3"; }; diff --git a/bin/tests/system/nsec3/ns3/named-fips.conf.in b/bin/tests/system/nsec3/ns3/named-fips.conf.in index 14c09ebe88..7890d4aa6d 100644 --- a/bin/tests/system/nsec3/ns3/named-fips.conf.in +++ b/bin/tests/system/nsec3/ns3/named-fips.conf.in @@ -56,7 +56,6 @@ controls { zone "nsec-to-nsec3.kasp" { type primary; file "nsec-to-nsec3.kasp.db"; - inline-signing yes; dnssec-policy "nsec"; }; @@ -64,7 +63,6 @@ zone "nsec-to-nsec3.kasp" { zone "nsec3.kasp" { type primary; file "nsec3.kasp.db"; - inline-signing yes; dnssec-policy "nsec3"; }; @@ -79,7 +77,6 @@ zone "nsec3-dynamic.kasp" { zone "nsec3-other.kasp" { type primary; file "nsec3-other.kasp.db"; - inline-signing yes; dnssec-policy "nsec3-other"; }; @@ -87,7 +84,6 @@ zone "nsec3-other.kasp" { zone "nsec3-change.kasp" { type primary; file "nsec3-change.kasp.db"; - inline-signing yes; dnssec-policy "nsec3"; }; @@ -103,7 +99,6 @@ zone "nsec3-dynamic-change.kasp" { zone "nsec3-to-optout.kasp" { type primary; file "nsec3-to-optout.kasp.db"; - inline-signing yes; dnssec-policy "nsec3"; }; @@ -111,7 +106,6 @@ zone "nsec3-to-optout.kasp" { zone "nsec3-from-optout.kasp" { type primary; file "nsec3-from-optout.kasp.db"; - inline-signing yes; dnssec-policy "optout"; }; @@ -119,7 +113,6 @@ zone "nsec3-from-optout.kasp" { zone "nsec3-to-nsec.kasp" { type primary; file "nsec3-to-nsec.kasp.db"; - inline-signing yes; dnssec-policy "nsec3"; }; @@ -143,7 +136,6 @@ zone "nsec3-dynamic-to-inline.kasp" { zone "nsec3-inline-to-dynamic.kasp" { type primary; file "nsec3-inline-to-dynamic.kasp.db"; - inline-signing yes; dnssec-policy "nsec3"; }; 
@@ -151,7 +143,6 @@ zone "nsec3-inline-to-dynamic.kasp" { zone "nsec3-dynamic-update-inline.kasp" { type primary; file "nsec3-dynamic-update-inline.kasp.db"; - inline-signing yes; allow-update { any; }; dnssec-policy "nsec"; }; @@ -159,7 +150,6 @@ zone "nsec3-dynamic-update-inline.kasp" { zone "nsec3-xfr-inline.kasp" { type secondary; file "nsec3-xfr-inline.kasp.db"; - inline-signing yes; dnssec-policy "nsec"; primaries { 10.53.0.2; }; }; diff --git a/bin/tests/system/nsec3/ns3/named.conf.in b/bin/tests/system/nsec3/ns3/named.conf.in index 74a8924d38..9b1235e36f 100644 --- a/bin/tests/system/nsec3/ns3/named.conf.in +++ b/bin/tests/system/nsec3/ns3/named.conf.in @@ -29,7 +29,6 @@ dnssec-policy "rsasha1" { zone "rsasha1-to-nsec3.kasp" { type primary; file "rsasha1-to-nsec3.kasp.db"; - inline-signing yes; dnssec-policy "rsasha1"; }; @@ -41,7 +40,6 @@ zone "rsasha1-to-nsec3.kasp" { zone "rsasha1-to-nsec3-wait.kasp" { type primary; file "rsasha1-to-nsec3-wait.kasp.db"; - inline-signing yes; dnssec-policy "rsasha1"; }; @@ -53,7 +51,6 @@ zone "rsasha1-to-nsec3-wait.kasp" { zone "nsec3-to-rsasha1.kasp" { type primary; file "nsec3-to-rsasha1.kasp.db"; - inline-signing yes; dnssec-policy "nsec3"; }; @@ -66,6 +63,5 @@ zone "nsec3-to-rsasha1.kasp" { zone "nsec3-to-rsasha1-ds.kasp" { type primary; file "nsec3-to-rsasha1-ds.kasp.db"; - inline-signing yes; dnssec-policy "nsec3"; }; diff --git a/bin/tests/system/nsec3/ns3/named2-fips.conf.in b/bin/tests/system/nsec3/ns3/named2-fips.conf.in index 1ff5925d46..87e87f2e17 100644 --- a/bin/tests/system/nsec3/ns3/named2-fips.conf.in +++ b/bin/tests/system/nsec3/ns3/named2-fips.conf.in @@ -56,7 +56,6 @@ controls { zone "nsec-to-nsec3.kasp" { type primary; file "nsec-to-nsec3.kasp.db"; - inline-signing yes; //dnssec-policy "nsec"; dnssec-policy "nsec3"; }; @@ -65,7 +64,6 @@ zone "nsec-to-nsec3.kasp" { zone "nsec3.kasp" { type primary; file "nsec3.kasp.db"; - inline-signing yes; dnssec-policy "nsec3"; }; 
@@ -80,7 +78,6 @@ zone "nsec3-dynamic.kasp" {
 zone "nsec3-other.kasp" {
 	type primary;
 	file "nsec3-other.kasp.db";
-	inline-signing yes;
 	dnssec-policy "nsec3-other";
 };
 
@@ -88,7 +85,6 @@ zone "nsec3-other.kasp" {
 zone "nsec3-change.kasp" {
 	type primary;
 	file "nsec3-change.kasp.db";
-	inline-signing yes;
 	//dnssec-policy "nsec3";
 	dnssec-policy "nsec3-other";
 };
@@ -106,7 +102,6 @@ zone "nsec3-dynamic-change.kasp" {
 zone "nsec3-to-optout.kasp" {
 	type primary;
 	file "nsec3-to-optout.kasp.db";
-	inline-signing yes;
 	//dnssec-policy "nsec3";
 	dnssec-policy "optout";
 };
@@ -115,7 +110,6 @@ zone "nsec3-to-optout.kasp" {
 zone "nsec3-from-optout.kasp" {
 	type primary;
 	file "nsec3-from-optout.kasp.db";
-	inline-signing yes;
 	//dnssec-policy "optout";
 	dnssec-policy "nsec3";
 };
@@ -124,7 +118,6 @@ zone "nsec3-from-optout.kasp" {
 zone "nsec3-to-nsec.kasp" {
 	type primary;
 	file "nsec3-to-nsec.kasp.db";
-	inline-signing yes;
 	//dnssec-policy "nsec3";
 	dnssec-policy "nsec";
 };
@@ -141,7 +134,6 @@ zone "nsec3-fails-to-load.kasp" {
 zone "nsec3-dynamic-to-inline.kasp" {
 	type primary;
 	file "nsec3-dynamic-to-inline.kasp.db";
-	inline-signing yes;
 	dnssec-policy "nsec3";
 	allow-update { any; };
 };
diff --git a/bin/tests/system/nsec3/ns3/named2.conf.in b/bin/tests/system/nsec3/ns3/named2.conf.in
index 81f6c49be1..a883940f31 100644
--- a/bin/tests/system/nsec3/ns3/named2.conf.in
+++ b/bin/tests/system/nsec3/ns3/named2.conf.in
@@ -29,7 +29,6 @@ dnssec-policy "rsasha1" {
 zone "rsasha1-to-nsec3.kasp" {
 	type primary;
 	file "rsasha1-to-nsec3.kasp.db";
-	inline-signing yes;
 	//dnssec-policy "rsasha1";
 	dnssec-policy "nsec3";
 };
@@ -42,7 +41,6 @@ zone "rsasha1-to-nsec3.kasp" {
 zone "rsasha1-to-nsec3-wait.kasp" {
 	type primary;
 	file "rsasha1-to-nsec3-wait.kasp.db";
-	inline-signing yes;
 	//dnssec-policy "rsasha1";
 	dnssec-policy "nsec3";
 };
@@ -55,7 +53,6 @@ zone "rsasha1-to-nsec3-wait.kasp" { zone "nsec3-to-rsasha1.kasp" { type primary; file "nsec3-to-rsasha1.kasp.db"; - inline-signing yes; //dnssec-policy "nsec3"; dnssec-policy "rsasha1"; }; @@ -69,7 +66,6 @@ zone "nsec3-to-rsasha1.kasp" { zone "nsec3-to-rsasha1-ds.kasp" { type primary; file "nsec3-to-rsasha1-ds.kasp.db"; - inline-signing yes; //dnssec-policy "nsec3"; dnssec-policy "rsasha1"; }; From 1e0f77b349ba6487e4026b648eac47400a97f6ab Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Fri, 9 Dec 2022 12:36:38 +0100 Subject: [PATCH 4/5] Remove redundant inline-signing lines from docs Now that inline-signing is explicitly set in dnssec-policy, remove the redundant "inline-signing yes;" lines from the documentation. --- doc/arm/dnssec.inc.rst | 5 ++--- doc/arm/reference.rst | 2 +- doc/dnssec-guide/recipes.rst | 4 ---- doc/dnssec-guide/signing.rst | 11 ----------- 4 files changed, 3 insertions(+), 19 deletions(-) diff --git a/doc/arm/dnssec.inc.rst b/doc/arm/dnssec.inc.rst index f3d364db2d..732e2debd5 100644 --- a/doc/arm/dnssec.inc.rst +++ b/doc/arm/dnssec.inc.rst @@ -98,11 +98,11 @@ up-to-date DNSSEC practices: type primary; file "dnssec.example.db"; dnssec-policy default; - inline-signing yes; }; The :any:`dnssec-policy` statement requires dynamic DNS to be set up, or -:any:`inline-signing` to be enabled. In the example above we use the latter. +:any:`inline-signing` to be enabled. In the example above we use the latter, +because the ``default`` policy uses :any:`inline-signing`. This is sufficient to create the necessary signing keys, and generate ``DNSKEY``, ``RRSIG``, and ``NSEC`` records for the zone. BIND also takes @@ -174,7 +174,6 @@ by configuring parental agents: type primary; file "dnssec.example.db"; dnssec-policy default; - inline-signing yes; parental-agents { 192.0.2.1; }; checkds explicit; }; diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst index 883e475646..96a7ebb6b0 100644 --- a/doc/arm/reference.rst 
+++ b/doc/arm/reference.rst @@ -6086,7 +6086,7 @@ zone is maintained separately and is written out to a different file on disk If the zone is dynamic because it is configured with an :any:`update-policy` or :any:`allow-update`, the DNSSEC records are written to the filename set in the -original zone's :any:`file`, unless :any:`inline-signing` is explicitly set. +original zone's :any:`file`, unless :any:`inline-signing` is enabled. Key rollover timing is computed for each key according to the key lifetime defined in the KASP. The lifetime may be modified by zone TTLs diff --git a/doc/dnssec-guide/recipes.rst b/doc/dnssec-guide/recipes.rst index ea24dc6650..e961584d61 100644 --- a/doc/dnssec-guide/recipes.rst +++ b/doc/dnssec-guide/recipes.rst @@ -63,7 +63,6 @@ what the :iscman:`named.conf` zone statement looks like on the primary server, 1 file "db/example.com.db"; key-directory "keys/example.com"; dnssec-policy default; - inline-signing yes; allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; }; }; @@ -143,7 +142,6 @@ signed data via zone transfer to the other three DNS secondaries. Its file "db/example.com.db"; key-directory "keys/example.com"; dnssec-policy default; - inline-signing yes; allow-transfer { 192.168.1.2; 192.168.1.3; 192.168.1.4; }; }; @@ -997,7 +995,6 @@ Here is what :iscman:`named.conf` looks like when it is signed: type primary; file "db/example.com.db"; dnssec-policy "default"; - inline-signing yes; }; To indicate the reversion to unsigned, change the :any:`dnssec-policy` line: @@ -1009,7 +1006,6 @@ To indicate the reversion to unsigned, change the :any:`dnssec-policy` line: type primary; file "db/example.com.db"; dnssec-policy "insecure"; - inline-signing yes; }; Then use :option:`rndc reload` to reload the zone. diff --git a/doc/dnssec-guide/signing.rst b/doc/dnssec-guide/signing.rst index 3531651ad9..b8f0ebaf54 100644 --- a/doc/dnssec-guide/signing.rst +++ b/doc/dnssec-guide/signing.rst 
@@ -66,7 +66,6 @@ To sign a zone, add the following statement to its zone "example.com" in { ... dnssec-policy default; - inline-signing yes; ... }; @@ -81,14 +80,6 @@ default values. Using :any:`dnssec-policy` requires dynamic DNS or :any:`inline-signing` to be enabled. -.. note:: - - Previously, if a zone with a :any:`dnssec-policy` did not have dynamic - DNS set up and :any:`inline-signing` was not explicity set, BIND 9 used - inline-signing implicitly. But this caused a lot of problems when operators - switched on or off dynamic DNS for their zones. Therefor, you now have to - configure it explicitly. - When the configuration file is updated, tell :iscman:`named` to reload the configuration file by running :option:`rndc reconfig`: @@ -832,7 +823,6 @@ this example, we'll add it to the :any:`zone` statement: zone "example.net" in { ... dnssec-policy standard; - inline-signing yes; ... }; @@ -914,7 +904,6 @@ presence. Let's look at the following configuration excerpt: zone "example.net" in { ... dnssec-policy standard; - inline-signing yes; parental-agents { "net"; }; checkds explicit; ... From bd00c2ce4e844d393f892d1c3cdee049cdc4d7df Mon Sep 17 00:00:00 2001 From: Matthijs Mekking Date: Fri, 9 Dec 2022 12:42:05 +0100 Subject: [PATCH 5/5] Add release note and CHANGES for GL #3677 News worthy. --- CHANGES | 2 ++ doc/notes/notes-current.rst | 6 ++++++ 2 files changed, 8 insertions(+) diff --git a/CHANGES b/CHANGES index ce35066732..e568b930f3 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,5 @@ +6218. [func] Add inline-signing to dnssec-policy. [GL #3677] + 6217. [func] The dns_badcache unit was refactored to use cds_lfht instead of hand-crafted locked hashtable. [GL #4223] diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst index 7e8907db10..c2e2a53268 100644 --- a/doc/notes/notes-current.rst +++ b/doc/notes/notes-current.rst 
@@ -40,6 +40,12 @@ Feature Changes DNS SERVER COOKIES. Previously these were silently treated as DNS CLIENT COOKIES. :gl:`#4194` +- The option :any:`inline-signing` can now also be set inside + :any:`dnssec-policy`. The built-in policies ``default`` and ``insecure`` + enable the use of :any:`inline-signing`. If you set :any:`inline-signing` + at the ``zone`` level, it overrides the value used set in + :any:`dnssec-policy`. :gl:`#3677`. + Bug Fixes ~~~~~~~~~