Merge branch 'misc-fixes-kasp' into 'master'

Miscellaneous fixes kasp See merge request isc-projects/bind9!2711
2025-08-31 06:25:31 +00:00 · 2019-12-09 08:22:56 +00:00
parent 6f096f5245 4b66c0ebf4
commit edd6a084f0
7 changed files with 108 additions and 48 deletions
--- a/3
+++ b/3
@@ -1,3 +1,6 @@
+5334.	[doc]		Update documentation with dnssec-policy clarifications.
+			Also change some defaults.
+
 5333.	[bug]		Fix duration printing on Solaris when value is not
 			an ISO 8601 duration. [GL #1460]

--- a/bin/tests/system/kasp/tests.sh
+++ b/bin/tests/system/kasp/tests.sh
@@ -724,7 +724,7 @@ status=$((status+ret))
 #
 zone_properties "ns3" "rsasha1.kasp" "rsasha1" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "1024" "yes" "no"
+key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "2048" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no"
 # The first keys are immediately published and activated.
 # Because lifetime > 0, retired timing is also set.
@@ -997,7 +997,7 @@ check_subdomain
 #
 zone_properties "ns3" "inherit.kasp" "rsasha1" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "5" "RSASHA1" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "1024" "yes" "no"
+key_properties "KEY2" "zsk" "157680000" "5" "RSASHA1" "2048" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "5" "RSASHA1" "2000" "yes" "no"
 # The first keys are immediately published and activated.
 # Because lifetime > 0, retired timing is also set.
@@ -1107,7 +1107,7 @@ status=$((status+ret))
 #
 zone_properties "ns3" "rsasha1-nsec3.kasp" "rsasha1-nsec3" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "7" "NSEC3RSASHA1" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "7" "NSEC3RSASHA1" "1024" "yes" "no"
+key_properties "KEY2" "zsk" "157680000" "7" "NSEC3RSASHA1" "2048" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "7" "NSEC3RSASHA1" "2000" "yes" "no"
 # key_timings and key_states same as above.
 check_keys
@@ -1120,7 +1120,7 @@ dnssec_verify
 #
 zone_properties "ns3" "rsasha256.kasp" "rsasha256" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "8" "RSASHA256" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "8" "RSASHA256" "1024" "yes" "no"
+key_properties "KEY2" "zsk" "157680000" "8" "RSASHA256" "2048" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "8" "RSASHA256" "2000" "yes" "no"
 # key_timings and key_states same as above.
 check_keys
@@ -1133,7 +1133,7 @@ dnssec_verify
 #
 zone_properties "ns3" "rsasha512.kasp" "rsasha512" "1234" "3" "10.53.0.3"
 key_properties "KEY1" "ksk" "315360000" "10" "RSASHA512" "2048" "no" "yes"
-key_properties "KEY2" "zsk" "157680000" "10" "RSASHA512" "1024" "yes" "no"
+key_properties "KEY2" "zsk" "157680000" "10" "RSASHA512" "2048" "yes" "no"
 key_properties "KEY3" "zsk" "31536000" "10" "RSASHA512" "2000" "yes" "no"
 # key_timings and key_states same as above.
 check_keys
--- a/dnssec-policy.default.conf
+++ b/dnssec-policy.default.conf
@@ -0,0 +1,26 @@
+dnssec-policy "default" {
+
+	// Keys
+	keys {
+		csk key-directory lifetime 0 algorithm 13;
+	};
+
+	// Key timings
+	dnskey-ttl 3600;
+	publish-safety 1h;
+	retire-safety 1h;
+
+	// Signature timings
+	signatures-refresh 5d;
+	signatures-validity 14d;
+	signatures-validity-dnskey 14d;
+	
+	// Zone parameters
+	zone-max-ttl 86400;
+	zone-propagation-delay 300;
+
+	// Parent parameters
+	parent-ds-ttl 86400;
+	parent-registration-delay 24h;
+	parent-propagation-delay 1h;
+};
--- a/doc/arm/Bv9ARM-book.xml
+++ b/doc/arm/Bv9ARM-book.xml
@@ -4467,9 +4467,9 @@ badresp:1,adberr:0,findfail:0,valfail:0]
 		    The number of seconds to wait between attempts to
 		    reopen a closed output stream. The minimum is 1 second,
 		    the maximum is 600 seconds (10 minutes), and the default
-		    is 5 seconds.
-		    For convenience, TTL-style time unit suffixes may be
-		    used to specify the value.
+		    is 5 seconds.  For convenience, TTL-style time unit
+		    suffixes may be used to specify the value.  It also
+		    accepts ISO 8601 duration formats.
 		  </simpara>
 		</listitem>
 	      </itemizedlist>
@@ -5271,8 +5271,11 @@ options {
 		<para>
 		  For convenience, TTL-style time unit suffixes can be
 		  used to specify the NTA lifetime in seconds, minutes
-		  or hours.  <option>nta-lifetime</option> defaults to
-		  one hour.  It cannot exceed one week.
+		  or hours.  It also accepts ISO 8601 duration formats.
+		</para>
+		<para>
+		 <option>nta-lifetime</option> defaults to one hour.  It
+		 cannot exceed one week.
 		</para>
 	    </listitem>
 	  </varlistentry>
@@ -5305,9 +5308,13 @@ options {
 		<para>
 		  For convenience, TTL-style time unit suffixes can be
 		  used to specify the NTA recheck interval in seconds,
-		  minutes or hours.  The default is five minutes.  It
-		  cannot be longer than <option>nta-lifetime</option>
-		  (which cannot be longer than a week).
+		  minutes or hours.  It also accepts ISO 8601 duration
+		  formats.
+		</para>
+		<para>
+		  The default is five minutes.  It cannot be longer than
+		  <option>nta-lifetime</option> (which cannot be longer
+		  than a week).
 		</para>
 	    </listitem>
 	  </varlistentry>
@@ -5318,7 +5325,10 @@ options {
 	      <para>
 		Specifies a maximum permissible TTL value in seconds.
 		For convenience, TTL-style time unit suffixes may be
-		used to specify the maximum value.
+		used to specify the maximum value. It also
+                accepts ISO 8601 duration formats.
+	      </para>
+	      <para>
 		When loading a zone file using a
 		<option>masterfile-format</option> of
 		<constant>text</constant> or <constant>raw</constant>,
@@ -8463,7 +8473,8 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		  <command>listen-on</command> configuration), and
 		  will stop listening on interfaces that have gone away.
 		  For convenience, TTL-style time unit suffixes may be
-		  used to specify the value.
+		  used to specify the value.  It also accepts ISO 8601
+		  duration formats.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -8744,9 +8755,13 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		  stores negative answers. <command>min-ncache-ttl</command> is
 		  used to set a minimum retention time for these answers in the
 		  server in seconds.  For convenience, TTL-style time unit
-		  suffixes may be used to specify the value.  The default
-		  <command>min-ncache-ttl</command> is <literal>0</literal>
-		  seconds.  <command>min-ncache-ttl</command> cannot exceed 90
+		  suffixes may be used to specify the value.  It also
+                  accepts ISO 8601 duration formats.
+		</para>
+		<para>
+		  The default <command>min-ncache-ttl</command> is
+		  <literal>0</literal> seconds.
+		  <command>min-ncache-ttl</command> cannot exceed 90
 		  seconds and will be truncated to 90 seconds if set to a
 		  greater value.
 		</para>
@@ -8758,10 +8773,14 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <listitem>
 		<para>
 		  Sets the minimum time for which the server will cache ordinary
-		  (positive) answers in seconds. For convenience, TTL-style time
-		  unit suffixes may be used to specify the value. The default
-		  <command>min-cache-ttl</command> is <literal>0</literal>
-		  seconds. <command>min-cache-ttl</command> cannot exceed 90
+		  (positive) answers in seconds.  For convenience, TTL-style
+		  time unit suffixes may be used to specify the value.  It also
+                  accepts ISO 8601 duration formats.
+		</para>
+		<para>
+		  The default <command>min-cache-ttl</command> is
+		  <literal>0</literal> seconds.
+		  <command>min-cache-ttl</command> cannot exceed 90
 		  seconds and will be truncated to 90 seconds if set to a
 		  greater value.
 		</para>
@@ -8773,15 +8792,19 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 	      <listitem>
 		<para>
 		  To reduce network traffic and increase performance,
-		  the server stores negative answers. <command>max-ncache-ttl</command> is
+		  the server stores negative answers.
+		  <command>max-ncache-ttl</command> is
 		  used to set a maximum retention time for these answers in
-		  the server in seconds.
-		  For convenience, TTL-style time unit suffixes may be
-		  used to specify the value.  The default
-		  <command>max-ncache-ttl</command> is <literal>10800</literal> seconds (3 hours).
-		  <command>max-ncache-ttl</command> cannot exceed
-		  7 days and will
-		  be silently truncated to 7 days if set to a greater value.
+		  the server in seconds.  For convenience, TTL-style time unit
+		  suffixes may be used to specify the value.  It also accepts
+		  ISO 8601 duration formats.
+		</para>
+		<para>
+		  The default <command>max-ncache-ttl</command> is
+		  <literal>10800</literal> seconds (3 hours).
+		  <command>max-ncache-ttl</command> cannot exceed 7 days and
+		  will be silently truncated to 7 days if set to a greater
+		  value.
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -8793,7 +8816,10 @@ avoid-v6-udp-ports { 40000; range 50000 60000; };
 		  Sets the maximum time for which the server will
 		  cache ordinary (positive) answers in seconds.
 		  For convenience, TTL-style time unit suffixes may be
-		  used to specify the value.
+		  used to specify the value.  It also accepts ISO 8601
+		  duration formats.
+		</para>
+		<para>
 		  The default is 604800 (one week).
 		  A value of zero may cause all queries to return
 		  SERVFAIL, because of lost caches of intermediate
@@ -10099,7 +10125,9 @@ deny-answer-aliases { "example.net"; };
 	    The <command>max-policy-ttl</command> clause changes the
 	    maximum seconds from its default of 5.
 	    For convenience, TTL-style time unit suffixes may be
-	    used to specify the value.
+	    used to specify the value.  It also accepts ISO 8601 duration
+	    formats.
+
 	  </para>

 	  <para>
@@ -10195,7 +10223,8 @@ example.com                 CNAME   rpz-tcp-only.
 	    recent update, then the changes will not be carried out until this
 	    interval has elapsed.  The default is <literal>60</literal> seconds.
 	    For convenience, TTL-style time unit suffixes may be
-	    used to specify the value.
+	    used to specify the value.  It also accepts ISO 8601 duration
+	    formats.
 	  </para>
 	</section>

@@ -11117,8 +11146,8 @@ example.com                 CNAME   rpz-tcp-only.
 		<para>
 		  A margin that is added to the publish interval in key
 		  timing equations to give some extra time to cover
-		  unforeseen events.  Default is <constant>PT5M</constant>
-		  (5 minutes).
+		  unforeseen events.  Default is <constant>PT1H</constant>
+		  (1 hour).
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -11129,8 +11158,8 @@ example.com                 CNAME   rpz-tcp-only.
 		<para>
 		  A margin that is added to the retire interval in key
 		  timing equations to give some extra time to cover
-		  unforeseen events.  Default is <constant>PT5M</constant>
-		  (5 minutes).
+		  unforeseen events.  Default is <constant>PT1H</constant>
+		  (1 hour).
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -11222,7 +11251,7 @@ example.com                 CNAME   rpz-tcp-only.
 	      <listitem>
 		<para>
 		  The TTL of the DS RRset that the parent uses.  Default is
-		  <constant>PT1H</constant> (1 hour).
+		  <constant>P1D</constant> (1 day).
 		</para>
 	      </listitem>
 	    </varlistentry>
@@ -12131,9 +12160,13 @@ view "external" {
 		<term><command>dnssec-policy</command></term>
 		<listitem>
 		  <para>
-		    The key and signing policy for this zone.  Set to
-		    <userinput>"default"</userinput> if you want to make use
-		    of the default policy.
+		    The key and signing policy for this zone.  This is a string
+		    referring to a <command>dnssec-policy</command> statement.
+		    There are two built-in policies:
+		    <userinput>"default"</userinput> allows you to use the
+		    default policy, and <userinput>"none"</userinput> means
+		    not to use any DNSSEC policy, keeping the zone unsigned.
+		    The default is <userinput>"none"</userinput>.
 		  </para>
 		</listitem>
 	      </varlistentry>
--- a/doc/arm/dnssec-policy.grammar.xml
+++ b/doc/arm/dnssec-policy.grammar.xml
@@ -14,7 +14,7 @@
 <programlisting>
 <command>dnssec-policy</command> <replaceable>string</replaceable> {
    <command>dnskey-ttl</command> <replaceable>duration</replaceable>;
-    <command>keys</command> { ( csk | ksk | zsk ) key-directory <replaceable>duration</replaceable> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
+    <command>keys</command> { ( csk | ksk | zsk ) key-directory lifetime <replaceable>duration</replaceable> algorithm <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
    <command>parent-ds-ttl</command> <replaceable>duration</replaceable>;
    <command>parent-propagation-delay</command> <replaceable>duration</replaceable>;
    <command>parent-registration-delay</command> <replaceable>duration</replaceable>;
--- a/lib/dns/include/dns/kasp.h
+++ b/lib/dns/include/dns/kasp.h
@@ -99,9 +99,9 @@ struct dns_kasp {
 #define DNS_KASP_SIG_VALIDITY		(86400*14)
 #define DNS_KASP_SIG_VALIDITY_DNSKEY	(86400*14)
 #define DNS_KASP_KEY_TTL		(3600)
-#define DNS_KASP_DS_TTL			(3600)
-#define DNS_KASP_PUBLISH_SAFETY		(300)
-#define DNS_KASP_RETIRE_SAFETY		(300)
+#define DNS_KASP_DS_TTL			(86400)
+#define DNS_KASP_PUBLISH_SAFETY		(3600)
+#define DNS_KASP_RETIRE_SAFETY		(3600)
 #define DNS_KASP_ZONE_MAXTTL		(86400)
 #define DNS_KASP_ZONE_PROPDELAY		(300)
 #define DNS_KASP_PARENT_PROPDELAY	(3600)
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@@ -395,10 +395,8 @@ dns_kasp_key_size(dns_kasp_key_t *key) {
 			if (size > 4096) {
 				size = 4096;
 			}
-		} else if (key->role & DNS_KASP_KEY_ROLE_KSK) {
-			size = 2048;
 		} else {
-			size = 1024;
+			size = 2048;
 		}
 		break;
 	case DNS_KEYALG_ECDSA256: