kasp: Expose more key timings
authorMatthijs Mekking <matthijs@isc.org>
Wed, 16 Oct 2019 16:36:38 +0000 (18:36 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Wed, 6 Nov 2019 21:36:21 +0000 (22:36 +0100)
To time key rollovers correctly, the rollover code needs access to the
relevant durations configured in the kasp (key and signing policy).

Most of these are simple get functions, but 'dns_kasp_signdelay'
will calculate the maximum time that is needed with this policy to
resign the complete zone (taking into account the refresh interval
and signature validity).

Introduce parent-propagation-delay, parent-registration-delay,
parent-ds-ttl, zone-max-ttl, zone-propagation-delay.

bin/named/named.conf.docbook
doc/arm/Bv9ARM-book.xml
doc/arm/dnssec-policy.grammar.xml
doc/misc/options
lib/dns/include/dns/kasp.h
lib/dns/kasp.c
lib/dns/win32/libdns.def.in
lib/isccfg/kaspconf.c
lib/isccfg/namedconf.c

index 8221d4cce5a428fb52c5891b33cfadca7647ac60..f9696fa3fa00b5615cd0c363ebd1122975f8541a 100644 (file)
@@ -1016,11 +1016,16 @@ zone <replaceable>string</replaceable> [ <replaceable>class</replaceable> ] {
 dnssec-policy <replaceable>string</replaceable> {
        dnskey-ttl <replaceable>ttlval</replaceable>;
        keys { ( csk | ksk | zsk ) key-directory <replaceable>duration</replaceable> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
+       parent-ds-ttl <replaceable>duration</replaceable>;
+       parent-propagation-delay <replaceable>duration</replaceable>;
+       parent-registration-delay <replaceable>duration</replaceable>;
        publish-safety <replaceable>duration</replaceable>;
        retire-safety <replaceable>duration</replaceable>;
        signatures-refresh <replaceable>duration</replaceable>;
        signatures-validity <replaceable>duration</replaceable>;
        signatures-validity-dnskey <replaceable>duration</replaceable>;
+       zone-max-ttl <replaceable>duration</replaceable>;
+       zone-propagation-delay <replaceable>duration</replaceable>;
 };
 </literallayout>
   </refsection>
index 47b08440ef678bf417f2e84a6b0f42ba51da5b8c..d0c21560d98765c6dccb20fa045e3df54bad1934 100644 (file)
@@ -11151,6 +11151,83 @@ example.com                 CNAME   rpz-tcp-only.
              </listitem>
            </varlistentry>
 
+           <varlistentry>
+             <term><command>zone-max-ttl</command></term>
+             <listitem>
+               <para>
+               Like <command>max-zone-ttl</command>, specifies the maximum
+               permissible TTL value in seconds. When loading a zone file
+               using a <option>masterfile-format</option> or
+               <constant>text</constant> or <constant>raw</constant>,
+               any record encountered with a TTL higher than
+               <option>zone-max-ttl</option> will be capped to the maximum
+               permissible TTL value.
+               </para>
+               <para>
+               This is needed in DNSSEC-maintained zones because when
+               rolling to a new DNSKEY, the old key needs to remain
+               available until RRSIG records have expired from
+               caches.  The <option>zone-max-ttl</option> option guarantees
+               that the largest TTL in the zone will be no higher than the
+               set value.
+               </para>
+             <para>
+               (NOTE: Because <constant>map</constant>-format files
+               load directly into memory, this option cannot be
+               used with them.)
+             </para>
+             <para>
+               The default value is <constant>PT24H</constant> (24 hours).
+               A <option>zone-max-ttl</option> of zero is treated as if
+               the default value is in use.
+             </para>
+             </listitem>
+           </varlistentry>
+
+           <varlistentry>
+             <term><command>zone-propagation-delay</command></term>
+             <listitem>
+               <para>
+               The expected propagation delay from when a zone is updated
+               and when the new version of the zone is served by all its
+               name servers.  Default is <constant>PT5M</constant> (5 minutes).
+             </para>
+             </listitem>
+           </varlistentry>
+
+           <varlistentry>
+             <term><command>parent-ds-ttl</command></term>
+             <listitem>
+               <para>
+               The TTL of the DS RRset that the parent uses.  Default is
+               <constant>PT1H</constant> (1 hour).
+             </para>
+             </listitem>
+           </varlistentry>
+
+           <varlistentry>
+             <term><command>parent-propagation-delay</command></term>
+             <listitem>
+               <para>
+               The expected propagation delay from when the parent zone is
+               updated and when the new version of the parent zone is served
+               by all its name servers.  Default is
+               <constant>PT1H</constant> (1 hour).
+             </para>
+             </listitem>
+           </varlistentry>
+
+           <varlistentry>
+             <term><command>parent-registration-delay</command></term>
+             <listitem>
+               <para>
+               The expected registration delay from when a DS RRset change
+               is requested and when the DS RRset has been updated in the
+               parent zone.  Default is <constant>P1D</constant> (1 day).
+             </para>
+             </listitem>
+           </varlistentry>
+
          </variablelist>
 
        </section>
index 68e27d964c7a6c202117307499aeabcfbe84d920..c7df40c4d3dd2f130e9360dd54eb5843e1c771c0 100644 (file)
 <command>dnssec-policy</command> <replaceable>string</replaceable> {
     <command>dnskey-ttl</command> <replaceable>ttlval</replaceable>;
     <command>keys</command> { ( csk | ksk | zsk ) key-directory <replaceable>duration</replaceable> <replaceable>integer</replaceable> [ <replaceable>integer</replaceable> ] ; ... };
+    <command>parent-ds-ttl</command> <replaceable>duration</replaceable>;
+    <command>parent-propagation-delay</command> <replaceable>duration</replaceable>;
+    <command>parent-registration-delay</command> <replaceable>duration</replaceable>;
     <command>publish-safety</command> <replaceable>duration</replaceable>;
     <command>retire-safety</command> <replaceable>duration</replaceable>;
     <command>signatures-refresh</command> <replaceable>duration</replaceable>;
     <command>signatures-validity</command> <replaceable>duration</replaceable>;
     <command>signatures-validity-dnskey</command> <replaceable>duration</replaceable>;
+    <command>zone-max-ttl</command> <replaceable>duration</replaceable>;
+    <command>zone-propagation-delay</command> <replaceable>duration</replaceable>;
 };
 </programlisting>
 
index 6f5674692c785d34925b556c2e86f7fb3610c748..cb00923715ef3ffb8e10be9645b63c3ec0651c76 100644 (file)
@@ -29,11 +29,16 @@ dnssec-policy <string> {
         dnskey-ttl <ttlval>;
         keys { ( csk | ksk | zsk ) key-directory <duration> <string>
            [ <integer> ]; ... };
+       parent-ds-ttl <duration>;
+       parent-propagation-delay <duration>;
+       parent-registration-delay <duration>;
         publish-safety <duration>;
         retire-safety <duration>;
         signatures-refresh <duration>;
         signatures-validity <duration>;
         signatures-validity-dnskey <duration>;
+        zone-max-ttl <duration>;
+       zone-propagation-delay <duration>;
 }; // may occur multiple times
 
 dyndb <string> <quoted_string> {
index 6c953a0636e0d1e4e8eb68e6183999e8631ce544..c6b156119a64802663ab4457830b942fb85860a9 100644 (file)
@@ -81,6 +81,15 @@ struct dns_kasp {
        uint32_t                        publish_safety;
        uint32_t                        retire_safety;
 
+       /* Zone settings */
+       dns_ttl_t                       zone_max_ttl;
+       time_t                          zone_propagation_delay;
+
+       /* Parent settings */
+       dns_ttl_t                       parent_ds_ttl;
+       time_t                          parent_propagation_delay;
+       time_t                          parent_registration_delay;
+
        // TODO: The rest of the KASP configuration
 };
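Review bot: The new fields at L172-L178 carry no comment saying what each value means or in which unit it is expressed, although every default added in this commit (`DNS_KASP_ZONE_MAXTTL (86400)`, `DNS_KASP_PARENT_REGDELAY (86400)`) is a count of seconds. The two TTL caps are `dns_ttl_t` while the three delays are `time_t`; if `dns_ttl_t` is unsigned, as it presumably is, arithmetic that mixes these with signed `time_t` values needs care, and a unit comment on each field makes that visible. Proposed: `dns_ttl_t zone_max_ttl; /* cap on RR TTLs in the zone, seconds */` and `time_t zone_propagation_delay; /* time for a new zone version to reach all servers, seconds */`, with the three parent fields documented likewise (expected parent DS TTL, parent propagation delay, DS registration delay). struct dns_kasp starts before the hunk.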
 
@@ -92,8 +101,13 @@ struct dns_kasp {
 #define DNS_KASP_SIG_VALIDITY          (86400*14)
 #define DNS_KASP_SIG_VALIDITY_DNSKEY   (86400*14)
 #define DNS_KASP_KEY_TTL               (3600)
+#define DNS_KASP_DS_TTL                        (3600)
 #define DNS_KASP_PUBLISH_SAFETY                (300)
 #define DNS_KASP_RETIRE_SAFETY         (300)
+#define DNS_KASP_ZONE_MAXTTL           (86400)
+#define DNS_KASP_ZONE_PROPDELAY                (300)
+#define DNS_KASP_PARENT_PROPDELAY      (3600)
+#define DNS_KASP_PARENT_REGDELAY       (86400)
 
 /* Key roles */
 #define DNS_KASP_KEY_ROLE_KSK          0x01
@@ -194,6 +208,53 @@ dns_kasp_getname(dns_kasp_t *kasp);
  *\li   name of 'kasp'.
  */
 
+time_t
+dns_kasp_signdelay(dns_kasp_t *kasp);
+/*%<
+ * Get the delay that is needed to ensure that all existing RRsets have been
+ * re-signed with a successor key.  This is the signature validity minus the
+ * signature refresh time (that indicates how far before signature expiry an
+ * RRSIG should be refreshed).
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   signature refresh interval.
+ */
+
+time_t
+dns_kasp_sigrefresh(dns_kasp_t *kasp);
+/*%<
+ * Get signature refresh interval.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   signature refresh interval.
+ */
+
+time_t
+dns_kasp_sigvalidity(dns_kasp_t *kasp);
+time_t
+dns_kasp_sigvalidity_dnskey(dns_kasp_t *kasp);
+/*%<
+ * Get signature validity.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   signature validity.
+ */
+
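Review bot: The `Returns:` line of `dns_kasp_signdelay` (L215) reads `signature refresh interval`, which is what `dns_kasp_sigrefresh` below returns; the description above it says the value is validity minus refresh, and the commit message calls it the time needed to re-sign the whole zone. Change it to `*\li   signature validity minus signature refresh interval (time needed to re-sign the zone).` The single comment block shared by `dns_kasp_sigvalidity` and `dns_kasp_sigvalidity_dnskey` (L236-L246) should also say which one applies to DNSKEY RRSIGs, e.g. `Get signature validity (the _dnskey variant applies to DNSKEY RRsets).`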
 dns_ttl_t
 dns_kasp_dnskeyttl(dns_kasp_t *kasp);
 /*%<
@@ -208,6 +269,104 @@ dns_kasp_dnskeyttl(dns_kasp_t *kasp);
  *\li   DNSKEY TTL.
  */
 
+time_t
+dns_kasp_publishsafety(dns_kasp_t *kasp);
+/*%<
+ * Get publish safety interval.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   Publish safety interval.
+ */
+
+time_t
+dns_kasp_retiresafety(dns_kasp_t *kasp);
+/*%<
+ * Get retire safety interval.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   Retire safety interval.
+ */
+
+dns_ttl_t
+dns_kasp_zonemaxttl(dns_kasp_t *kasp);
+/*%<
+ * Get maximum zone TTL.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   Maximum zone TTL.
+ */
+
+time_t
+dns_kasp_zonepropagationdelay(dns_kasp_t *kasp);
+/*%<
+ * Get zone propagation delay.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   Zone propagation delay.
+ */
+
+dns_ttl_t
+dns_kasp_dsttl(dns_kasp_t *kasp);
+/*%<
+ * Get DS TTL (should match that of the parent DS record).
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   Expected parent DS TTL.
+ */
+
+time_t
+dns_kasp_parentpropagationdelay(dns_kasp_t *kasp);
+/*%<
+ * Get parent zone propagation delay.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   Parent zone propagation delay.
+ */
+
+time_t
+dns_kasp_parentregistrationdelay(dns_kasp_t *kasp);
+/*%<
+ * Get parent registration delay for submitting new DS.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   Parent registration delay.
+ */
+
 isc_result_t
 dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp);
 /*%<
index f585129b32944cb03823c9765568ab8a5ec98072..6ec823678586552730e9bc155d1c237f0609b3ec 100644 (file)
@@ -53,6 +53,13 @@ dns_kasp_create(isc_mem_t *mctx, const char *name, dns_kasp_t **kaspp)
        kasp->publish_safety = DNS_KASP_PUBLISH_SAFETY;
        kasp->retire_safety = DNS_KASP_RETIRE_SAFETY;
 
+       kasp->zone_max_ttl = DNS_KASP_ZONE_MAXTTL;
+       kasp->zone_propagation_delay = DNS_KASP_ZONE_PROPDELAY;
+
+       kasp->parent_ds_ttl = DNS_KASP_DS_TTL;
+       kasp->parent_propagation_delay = DNS_KASP_PARENT_PROPDELAY;
+       kasp->parent_registration_delay = DNS_KASP_PARENT_REGDELAY;
+
        // TODO: The rest of the KASP configuration
 
        kasp->magic = DNS_KASP_MAGIC;
@@ -117,6 +124,34 @@ dns_kasp_thaw(dns_kasp_t *kasp) {
        kasp->frozen = false;
 }
 
+time_t
+dns_kasp_signdelay(dns_kasp_t *kasp) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(kasp->frozen);
+       return (kasp->signatures_validity - kasp->signatures_refresh);
+}
+
+time_t
+dns_kasp_sigrefresh(dns_kasp_t *kasp) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(kasp->frozen);
+       return kasp->signatures_refresh;
+}
+
+time_t
+dns_kasp_sigvalidity(dns_kasp_t *kasp) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(kasp->frozen);
+       return kasp->signatures_validity;
+}
+
+time_t
+dns_kasp_sigvalidity_dnskey(dns_kasp_t *kasp) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(kasp->frozen);
+       return kasp->signatures_validity_dnskey;
+}
+
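Review bot: `dns_kasp_signdelay` (L379) subtracts `signatures_refresh` from `signatures_validity` with no check that refresh does not exceed validity; if those fields are unsigned like the `uint32_t` safety fields in the same struct (L168-L169), a policy with refresh >= validity wraps to a huge positive delay instead of failing, and a rollover timed on it would wait essentially forever. Either assert the precondition here, `REQUIRE(kasp->signatures_refresh <= kasp->signatures_validity);`, with the constraint enforced when the policy is parsed, or state in the header that the result is undefined otherwise. The return style is also inconsistent with the neighbouring getters: this one parenthesizes the return value, the others return the field bare.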
 dns_ttl_t
 dns_kasp_dnskeyttl(dns_kasp_t *kasp) {
        REQUIRE(DNS_KASP_VALID(kasp));
@@ -124,6 +159,55 @@ dns_kasp_dnskeyttl(dns_kasp_t *kasp) {
        return kasp->dnskey_ttl;
 }
 
+time_t
+dns_kasp_publishsafety(dns_kasp_t *kasp) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(kasp->frozen);
+       return kasp->publish_safety;
+}
+
+time_t
+dns_kasp_retiresafety(dns_kasp_t *kasp) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(kasp->frozen);
+       return kasp->retire_safety;
+}
+
+dns_ttl_t
+dns_kasp_zonemaxttl(dns_kasp_t *kasp) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(kasp->frozen);
+       return kasp->zone_max_ttl;
+}
+
+time_t
+dns_kasp_zonepropagationdelay(dns_kasp_t *kasp) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(kasp->frozen);
+       return kasp->zone_propagation_delay;
+}
+
+dns_ttl_t
+dns_kasp_dsttl(dns_kasp_t *kasp) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(kasp->frozen);
+       return kasp->parent_ds_ttl;
+}
+
+time_t
+dns_kasp_parentpropagationdelay(dns_kasp_t *kasp) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(kasp->frozen);
+       return kasp->parent_propagation_delay;
+}
+
+time_t
+dns_kasp_parentregistrationdelay(dns_kasp_t *kasp) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(kasp->frozen);
+       return kasp->parent_registration_delay;
+}
+
 isc_result_t
 dns_kasplist_find(dns_kasplist_t *list, const char *name, dns_kasp_t **kaspp)
 {
index 153efc2e7b6062ad64a7c455444d0df8e2a6120a..de79d7bfb1045473485186324fb2cbe00441bde5 100644 (file)
@@ -413,10 +413,11 @@ dns_journal_rollforward
 dns_journal_set_sourceserial
 dns_journal_write_transaction
 dns_journal_writediff
-dns_kasp_create
 dns_kasp_attach
+dns_kasp_create
 dns_kasp_detach
 dns_kasp_dnskeyttl
+dns_kasp_dsttl
 dns_kasp_freeze
 dns_kasp_getname
 dns_kasp_key_algorithm
@@ -426,7 +427,17 @@ dns_kasp_key_ksk
 dns_kasp_key_lifetime
 dns_kasp_key_size
 dns_kasp_key_zsk
+dns_kasp_parentpropagationdelay
+dns_kasp_parentregistrationdelay
+dns_kasp_publishsafety
+dns_kasp_retiresafety
+dns_kasp_signdelay
+dns_kasp_sigrefresh
+dns_kasp_sigvalidity
+dns_kasp_sigvalidity_dnskey
 dns_kasp_thaw
+dns_kasp_zonemaxttl
+dns_kasp_zonepropagationdelay
 dns_kasplist_find
 dns_keydata_fromdnskey
 dns_keydata_todnskey
index eafb4c3b3547069fdd4d5c560530d3a6d21708ab..37eb1e3c69f348d67f7aa6eb79147d2008ee9470 100644 (file)
@@ -192,6 +192,25 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, isc_mem_t* mctx,
        }
        ISC_INSIST(!(ISC_LIST_EMPTY(kasp->keys)));
 
+       /* Configuration: Zone settings */
+       kasp->zone_max_ttl = get_duration(maps, "zone-max-ttl",
+                                         DNS_KASP_ZONE_MAXTTL);
+       kasp->zone_propagation_delay = get_duration(maps,
+                                                   "zone-propagation-delay",
+                                                   DNS_KASP_ZONE_PROPDELAY);
+
+       /* Configuration: Parent settings */
+       kasp->parent_ds_ttl = get_duration(maps, "parent-ds-ttl",
+                                          DNS_KASP_DS_TTL);
+       kasp->parent_propagation_delay = get_duration(
+                                                    maps,
+                                                    "parent-propagation-delay",
+                                                    DNS_KASP_PARENT_PROPDELAY);
+       kasp->parent_registration_delay = get_duration(
+                                                   maps,
+                                                   "parent-registration-delay",
+                                                   DNS_KASP_PARENT_REGDELAY);
+
        // TODO: Rest of the configuration
 
        /* Success: Attach the kasp to the pointer and return. */
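Review bot: The five new durations are stored at L500-L516 without range validation: nothing rejects a zero or negative `zone-max-ttl`/`parent-ds-ttl` (the ARM text added in this commit says a zero `zone-max-ttl` means the default, but the value is stored as read unless `get_duration`, not shown here, maps it), and nothing checks that a value narrowed into the `dns_ttl_t` fields fits. This is also the natural place to reject `signatures-refresh` larger than `signatures-validity`, which `dns_kasp_signdelay` subtracts unchecked. If the function has an error path (not visible in the hunk), a `if (kasp->zone_max_ttl == 0) kasp->zone_max_ttl = DNS_KASP_ZONE_MAXTTL;` for the documented zero case plus an `ISC_R_RANGE` with a logged message for the refresh/validity ordering would keep the parsed policy consistent with the documentation. cfg_kasp_fromconfig starts before and ends after the hunk.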
index 100cb0979df803df5e49abc9fea6022dffcd1e9f..7d0dd467dbf46b74b470817dc7059fcab07aa131 100644 (file)
@@ -2068,6 +2068,11 @@ dnssecpolicy_clauses[] = {
        { "signatures-refresh", &cfg_type_duration, 0 },
        { "signatures-validity", &cfg_type_duration, 0 },
        { "signatures-validity-dnskey", &cfg_type_duration, 0 },
+       { "zone-max-ttl", &cfg_type_duration, 0 },
+       { "zone-propagation-delay", &cfg_type_duration, 0 },
+       { "parent-ds-ttl", &cfg_type_duration, 0 },
+       { "parent-propagation-delay", &cfg_type_duration, 0 },
+       { "parent-registration-delay", &cfg_type_duration, 0 },
        { NULL, NULL, 0 }
 };
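Review bot: `parent-ds-ttl` and `zone-max-ttl` (L528, L526) are parsed as `cfg_type_duration` while the existing `dnskey-ttl` clause of the same policy is a `ttlval` (L31, L133), so the three TTL-valued options of one block accept different syntaxes; if that is deliberate (moving the policy to ISO 8601 durations) a comment on the table saying so would save the next reader the question, otherwise `cfg_type_ttlval` would be consistent. The new entries are also appended out of alphabetical order (`zone-*` before `parent-*`) whereas the rest of the table and the generated grammar in doc/misc/options are sorted; inserting the `parent-*` entries before `publish-safety` and the `zone-*` entries after `signatures-validity-dnskey` keeps the table matching the documentation. dnssecpolicy_clauses[] starts before the hunk.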