Parse dnssec-policy config into kasp
authorMatthijs Mekking <matthijs@isc.org>
Tue, 3 Sep 2019 09:42:10 +0000 (11:42 +0200)
committerMatthijs Mekking <matthijs@isc.org>
Wed, 6 Nov 2019 21:31:45 +0000 (22:31 +0100)
Add code that actually stores the configuration into the kasp
structure and attaches it to the appropriate zone.

bin/named/include/named/server.h
bin/named/include/named/zoneconf.h
bin/named/server.c
bin/named/zoneconf.c

index 84432019088dcd14246d432e0635d6ff6385da90..97e0082ee3f9cf0ae62ba5d27d90fe1bb70e8932 100644 (file)
@@ -64,6 +64,7 @@ struct named_server {
        dns_loadmgr_t *         loadmgr;
        dns_zonemgr_t *         zonemgr;
        dns_viewlist_t          viewlist;
+       dns_kasplist_t          kasplist;
        ns_interfacemgr_t *     interfacemgr;
        dns_db_t *              in_roothints;
 
index 23c1f65f5322b4bbf0c49f0a29c83f50445650c5..88633b24f4599896c7ec20b15b0c43b25f73ee97 100644 (file)
@@ -27,19 +27,18 @@ ISC_LANG_BEGINDECLS
 isc_result_t
 named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
                     const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
-                    dns_zone_t *zone, dns_zone_t *raw);
+                    dns_kasplist_t* kasplist, dns_zone_t *zone,
+                    dns_zone_t *raw);
 /*%<
  * Configure or reconfigure a zone according to the named.conf
- * data in 'cctx' and 'czone'.
+ * data.
  *
  * The zone origin is not configured, it is assumed to have been set
  * at zone creation time.
  *
  * Require:
- * \li 'lctx' to be initialized or NULL.
- * \li 'cctx' to be initialized or NULL.
  * \li 'ac' to point to an initialized cfg_aclconfctx_t.
- * \li 'czone' to be initialized.
+ * \li 'kasplist' to be initialized.
  * \li 'zone' to be initialized.
  */
 
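Review bot: The new parameter on the prototype is written `dns_kasplist_t* kasplist`, with the `*` bound to the type, while every neighbouring parameter and the definition in zoneconf.c bind it to the name; change it to `dns_kasplist_t *kasplist`. The forward declaration of configure_zone in server.c (`dns_viewlist_t *viewlist, dns_kasplist_t* kasplist,`) has the same inconsistency against its own definition further down the same file.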
index 8730225864efe06411a8c9c82cb3db93d2b4f3c9..ca220ec62c9eb60e4ac84d38d33a39dc03576535 100644 (file)
@@ -50,6 +50,7 @@
 #include <isc/util.h>
 
 #include <isccfg/grammar.h>
+#include <isccfg/kaspconf.h>
 #include <isccfg/namedconf.h>
 
 #include <bind9/check.h>
@@ -68,6 +69,7 @@
 #include <dns/forward.h>
 #include <dns/fixedname.h>
 #include <dns/journal.h>
+#include <dns/kasp.h>
 #include <dns/keytable.h>
 #include <dns/keyvalues.h>
 #include <dns/lib.h>
@@ -459,8 +461,8 @@ configure_alternates(const cfg_obj_t *config, dns_view_t *view,
 static isc_result_t
 configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
               const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
-              dns_viewlist_t *viewlist, cfg_aclconfctx_t *aclconf,
-              bool added, bool old_rpz_ok,
+              dns_viewlist_t *viewlist, dns_kasplist_t* kasplist,
+              cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok,
               bool modify);
 
 static isc_result_t
@@ -2685,7 +2687,8 @@ catz_addmodzone_taskaction(isc_task_t *task, isc_event_t *event0) {
        dns_view_thaw(ev->view);
        result = configure_zone(cfg->config, zoneobj, cfg->vconfig,
                                ev->cbd->server->mctx, ev->view,
-                               &ev->cbd->server->viewlist, cfg->actx,
+                               &ev->cbd->server->viewlist,
+                               &ev->cbd->server->kasplist, cfg->actx,
                                true, false, ev->mod);
        dns_view_freeze(ev->view);
        isc_task_endexclusive(task);
@@ -3770,11 +3773,10 @@ register_one_plugin(const cfg_obj_t *config, const cfg_obj_t *obj,
  * global defaults in 'config' used exclusively.
  */
 static isc_result_t
-configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
-              cfg_obj_t *config, cfg_obj_t *vconfig,
-              named_cachelist_t *cachelist, const cfg_obj_t *bindkeys,
-              isc_mem_t *mctx, cfg_aclconfctx_t *actx,
-              bool need_hints)
+configure_view(dns_view_t *view, dns_viewlist_t *viewlist, cfg_obj_t *config,
+              cfg_obj_t *vconfig, named_cachelist_t *cachelist,
+              dns_kasplist_t *kasplist, const cfg_obj_t *bindkeys,
+              isc_mem_t *mctx, cfg_aclconfctx_t *actx, bool need_hints)
 {
        const cfg_obj_t *maps[4];
        const cfg_obj_t *cfgmaps[3];
@@ -3901,8 +3903,8 @@ configure_view(dns_view_t *view, dns_viewlist_t *viewlist,
        {
                const cfg_obj_t *zconfig = cfg_listelt_value(element);
                CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
-                                    viewlist, actx, false, old_rpz_ok,
-                                    false));
+                                    viewlist, kasplist, actx, false,
+                                    old_rpz_ok, false));
        }
 
        /*
@@ -5899,8 +5901,8 @@ create_view(const cfg_obj_t *vconfig, dns_viewlist_t *viewlist,
 static isc_result_t
 configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
               const cfg_obj_t *vconfig, isc_mem_t *mctx, dns_view_t *view,
-              dns_viewlist_t *viewlist, cfg_aclconfctx_t *aclconf,
-              bool added, bool old_rpz_ok,
+              dns_viewlist_t *viewlist, dns_kasplist_t *kasplist,
+              cfg_aclconfctx_t *aclconf, bool added, bool old_rpz_ok,
               bool modify)
 {
        dns_view_t *pview = NULL;       /* Production view */
@@ -6117,8 +6119,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
                                                     zone));
                        dns_zone_setstats(zone, named_g_server->zonestats);
                }
-               CHECK(named_zone_configure(config, vconfig, zconfig,
-                                          aclconf, zone, NULL));
+               CHECK(named_zone_configure(config, vconfig, zconfig, aclconf,
+                                          kasplist, zone, NULL));
                dns_zone_attach(zone, &view->redirect);
                goto cleanup;
        }
@@ -6280,8 +6282,8 @@ configure_zone(const cfg_obj_t *config, const cfg_obj_t *zconfig,
        /*
         * Configure the zone.
         */
-       CHECK(named_zone_configure(config, vconfig, zconfig,
-                                  aclconf, zone, raw));
+       CHECK(named_zone_configure(config, vconfig, zconfig, aclconf, kasplist,
+                                  zone, raw));
 
        /*
         * Add the zone to its view in the new view list.
@@ -7573,9 +7575,10 @@ configure_newzones(dns_view_t *view, cfg_obj_t *config, cfg_obj_t *vconfig,
             element = cfg_list_next(element))
        {
                const cfg_obj_t *zconfig = cfg_listelt_value(element);
-               CHECK(configure_zone(config, zconfig, vconfig, mctx,
-                                    view, &named_g_server->viewlist, actx,
-                                    true, false, false));
+               CHECK(configure_zone(config, zconfig, vconfig, mctx, view,
+                                    &named_g_server->viewlist,
+                                    &named_g_server->kasplist, actx, true,
+                                    false, false));
        }
 
        result = ISC_R_SUCCESS;
@@ -7759,8 +7762,9 @@ configure_newzone(const cfg_obj_t *zconfig, cfg_obj_t *config,
                  cfg_aclconfctx_t *actx)
 {
        return (configure_zone(config, zconfig, vconfig, mctx, view,
-                              &named_g_server->viewlist, actx, true,
-                              false, false));
+                              &named_g_server->viewlist,
+                              &named_g_server->kasplist, actx, true, false,
+                              false));
 }
 
 /*%
@@ -7995,9 +7999,13 @@ load_configuration(const char *filename, named_server_t *server,
        const cfg_obj_t *obj;
        const cfg_obj_t *options;
        const cfg_obj_t *usev4ports, *avoidv4ports, *usev6ports, *avoidv6ports;
+       const cfg_obj_t *kasps;
+       dns_kasp_t *kasp = NULL;
+       dns_kasp_t *kasp_next = NULL;
+       dns_kasplist_t tmpkasplist, kasplist;
        const cfg_obj_t *views;
        dns_view_t *view = NULL;
-       dns_view_t *view_next;
+       dns_view_t *view_next = NULL;
        dns_viewlist_t tmpviewlist;
        dns_viewlist_t viewlist, builtin_viewlist;
        in_port_t listen_port, udpport_low, udpport_high;
@@ -8026,6 +8034,7 @@ load_configuration(const char *filename, named_server_t *server,
        dns_aclenv_t *env =
                ns_interfacemgr_getaclenv(named_g_server->interfacemgr);
 
+       ISC_LIST_INIT(kasplist);
        ISC_LIST_INIT(viewlist);
        ISC_LIST_INIT(builtin_viewlist);
        ISC_LIST_INIT(cachelist);
@@ -8640,6 +8649,39 @@ load_configuration(const char *filename, named_server_t *server,
         */
        (void)configure_session_key(maps, server, named_g_mctx);
 
+       /*
+        * Create the DNSSEC key and signing policies (KASP).
+        */
+       kasps = NULL;
+       (void)cfg_map_get(config, "dnssec-policy", &kasps);
+       for (element = cfg_list_first(kasps);
+            element != NULL;
+            element = cfg_list_next(element))
+       {
+               cfg_obj_t *kconfig = cfg_listelt_value(element);
+               kasp = NULL;
+               CHECK(cfg_kasp_fromconfig(kconfig, named_g_mctx, &kasplist,
+                                         &kasp));
+               INSIST(kasp != NULL);
+               dns_kasp_freeze(kasp);
+               dns_kasp_detach(&kasp);
+       }
+       /*
+        * Create the default kasp.
+        */
+       kasp = NULL;
+       CHECK(cfg_kasp_fromconfig(NULL, named_g_mctx, &kasplist, &kasp));
+       INSIST(kasp != NULL);
+       dns_kasp_freeze(kasp);
+       dns_kasp_detach(&kasp);
+
+       tmpkasplist = server->kasplist;
+       server->kasplist = kasplist;
+       kasplist = tmpkasplist;
+
+       /*
+        * Configure the views.
+        */
        views = NULL;
        (void)cfg_map_get(config, "view", &views);
 
@@ -8718,8 +8760,8 @@ load_configuration(const char *filename, named_server_t *server,
                view = NULL;
                CHECK(find_view(vconfig, &viewlist, &view));
                CHECK(configure_view(view, &viewlist, config, vconfig,
-                                    &cachelist, bindkeys, named_g_mctx,
-                                    named_g_aclconfctx, true));
+                                    &cachelist, &server->kasplist, bindkeys,
+                                    named_g_mctx, named_g_aclconfctx, true));
                dns_view_freeze(view);
                dns_view_detach(&view);
        }
@@ -8732,9 +8774,8 @@ load_configuration(const char *filename, named_server_t *server,
                view = NULL;
                CHECK(find_view(NULL, &viewlist, &view));
                CHECK(configure_view(view, &viewlist, config, NULL,
-                                    &cachelist, bindkeys,
-                                    named_g_mctx, named_g_aclconfctx,
-                                    true));
+                                    &cachelist, &server->kasplist, bindkeys,
+                                    named_g_mctx, named_g_aclconfctx, true));
                dns_view_freeze(view);
                dns_view_detach(&view);
        }
@@ -8753,9 +8794,8 @@ load_configuration(const char *filename, named_server_t *server,
 
                CHECK(create_view(vconfig, &builtin_viewlist, &view));
                CHECK(configure_view(view, &viewlist, config, vconfig,
-                                    &cachelist, bindkeys,
-                                    named_g_mctx, named_g_aclconfctx,
-                                    false));
+                                    &cachelist, &server->kasplist, bindkeys,
+                                    named_g_mctx, named_g_aclconfctx, false));
                dns_view_freeze(view);
                dns_view_detach(&view);
                view = NULL;
@@ -9191,6 +9231,10 @@ load_configuration(const char *filename, named_server_t *server,
                dns_view_detach(&view);
        }
 
+       if (kasp != NULL) {
+               dns_kasp_detach(&kasp);
+       }
+
        ISC_LIST_APPENDLIST(viewlist, builtin_viewlist, link);
 
        /*
@@ -9213,6 +9257,15 @@ load_configuration(const char *filename, named_server_t *server,
                dns_view_detach(&view);
        }
 
+       /*
+        * Same cleanup for kasp list.
+        */
+       for (kasp = ISC_LIST_HEAD(kasplist); kasp != NULL; kasp = kasp_next) {
+               kasp_next = ISC_LIST_NEXT(kasp, link);
+               ISC_LIST_UNLINK(kasplist, kasp, link);
+               dns_kasp_detach(&kasp);
+       }
+
        /* Same cleanup for cache list. */
        while ((nsc = ISC_LIST_HEAD(cachelist)) != NULL) {
                ISC_LIST_UNLINK(cachelist, nsc, link);
@@ -9460,7 +9513,8 @@ named_server_flushonshutdown(named_server_t *server, bool flush) {
 static void
 shutdown_server(isc_task_t *task, isc_event_t *event) {
        isc_result_t result;
-       dns_view_t *view, *view_next;
+       dns_view_t *view, *view_next = NULL;
+       dns_kasp_t *kasp, *kasp_next = NULL;
        named_server_t *server = (named_server_t *)event->ev_arg;
        bool flush = server->flushonshutdown;
        named_cache_t *nsc;
@@ -9490,9 +9544,17 @@ shutdown_server(isc_task_t *task, isc_event_t *event) {
 
        (void) named_server_saventa(server);
 
-       for (view = ISC_LIST_HEAD(server->viewlist);
-            view != NULL;
-            view = view_next) {
+       for (kasp = ISC_LIST_HEAD(server->kasplist); kasp != NULL;
+            kasp = kasp_next)
+       {
+               kasp_next = ISC_LIST_NEXT(kasp, link);
+               ISC_LIST_UNLINK(server->kasplist, kasp, link);
+               dns_kasp_detach(&kasp);
+       }
+
+       for (view = ISC_LIST_HEAD(server->viewlist); view != NULL;
+            view = view_next)
+       {
                view_next = ISC_LIST_NEXT(view, link);
                ISC_LIST_UNLINK(server->viewlist, view, link);
                if (flush)
@@ -9610,6 +9672,7 @@ named_server_create(isc_mem_t *mctx, named_server_t **serverp) {
 
        /* Initialize server data structures. */
        server->interfacemgr = NULL;
+       ISC_LIST_INIT(server->kasplist);
        ISC_LIST_INIT(server->viewlist);
        server->in_roothints = NULL;
 
@@ -9797,6 +9860,7 @@ named_server_destroy(named_server_t **serverp) {
 
        isc_event_free(&server->reload_event);
 
+       INSIST(ISC_LIST_EMPTY(server->kasplist));
        INSIST(ISC_LIST_EMPTY(server->viewlist));
        INSIST(ISC_LIST_EMPTY(server->cachelist));
 
@@ -11766,7 +11830,10 @@ named_server_rekey(named_server_t *server, isc_lex_t *lex,
 
        keyopts = dns_zone_getkeyopts(zone);
 
-       /* "rndc loadkeys" requires "auto-dnssec maintain". */
+       /*
+        * "rndc loadkeys" requires "auto-dnssec maintain"
+        * or a "dnssec-policy".
+        */
        if ((keyopts & DNS_ZONEKEY_ALLOW) == 0)
                result = ISC_R_NOPERM;
        else if ((keyopts & DNS_ZONEKEY_MAINTAIN) == 0 && !fullsign)
@@ -12931,7 +12998,8 @@ do_addzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
        dns_view_thaw(view);
        result = configure_zone(cfg->config, zoneobj, cfg->vconfig,
                                server->mctx, view, &server->viewlist,
-                               cfg->actx, true, false, false);
+                               &server->kasplist, cfg->actx, true, false,
+                               false);
        dns_view_freeze(view);
 
        isc_task_endexclusive(server->task);
@@ -13109,7 +13177,8 @@ do_modzone(named_server_t *server, ns_cfgctx_t *cfg, dns_view_t *view,
        dns_view_thaw(view);
        result = configure_zone(cfg->config, zoneobj, cfg->vconfig,
                                server->mctx, view, &server->viewlist,
-                               cfg->actx, true, false, true);
+                               &server->kasplist, cfg->actx, true, false,
+                               true);
        dns_view_freeze(view);
 
        exclusive = false;
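Review bot: In the hunk at `@@ -8640,6 +8649,39 @@`, `server->kasplist` is replaced by the freshly built list before any view is configured, so a CHECK failure in the view loops below leaves the server holding the new policies while its existing views stay in place. If the view-list swap happens only after successful configuration (it is outside these hunks), the two lists go out of step on a failed reload, and a later addzone/modzone would resolve `dnssec-policy` names against policies the running zones were never configured with. Passing `&kasplist` instead of `&server->kasplist` to the three configure_view calls and moving the three-line swap next to the view-list swap would keep both lists consistent on every path.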
index 70b3bdba77a95c27156e9d6630d05a4eee05ddeb..d8163d5c0c1c614655cb745f96758855180e6e4f 100644 (file)
@@ -25,6 +25,7 @@
 #include <dns/ipkeylist.h>
 #include <dns/fixedname.h>
 #include <dns/journal.h>
+#include <dns/kasp.h>
 #include <dns/log.h>
 #include <dns/name.h>
 #include <dns/masterdump.h>
@@ -840,8 +841,9 @@ process_notifytype(dns_notifytype_t ntype, dns_zonetype_t ztype,
 
 isc_result_t
 named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
-                 const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
-                 dns_zone_t *zone, dns_zone_t *raw)
+                    const cfg_obj_t *zconfig, cfg_aclconfctx_t *ac,
+                    dns_kasplist_t *kasplist, dns_zone_t *zone,
+                    dns_zone_t *raw)
 {
        isc_result_t result;
        const char *zname;
@@ -853,6 +855,7 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
        const cfg_obj_t *options = NULL;
        const cfg_obj_t *obj;
        const char *filename = NULL;
+       const char *kaspname = NULL;
        const char *dupcheck;
        dns_notifytype_t notifytype = dns_notifytype_yes;
        uint32_t count;
@@ -868,7 +871,8 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
        int32_t journal_size;
        bool multi;
        bool alt;
-       dns_view_t *view;
+       dns_view_t *view = NULL;
+       dns_kasp_t *kasp = NULL;
        bool check = false, fail = false;
        bool warn = false, ignore = false;
        bool ixfrdiff;
@@ -1192,6 +1196,21 @@ named_zone_configure(const cfg_obj_t *config, const cfg_obj_t *vconfig,
         */
        if (ztype != dns_zone_stub && ztype != dns_zone_staticstub &&
            ztype != dns_zone_redirect) {
+               obj = NULL;
+               result = cfg_map_get(zoptions, "dnssec-policy", &obj);
+               if (result == ISC_R_SUCCESS) {
+                       kaspname = cfg_obj_asstring(obj);
+                       result = dns_kasplist_find(kasplist, kaspname, &kasp);
+                       if (result != ISC_R_SUCCESS) {
+                               cfg_obj_log(obj, named_g_lctx,
+                                           ISC_LOG_ERROR,
+                                           "'dnssec-policy '%s' not found ",
+                                           kaspname);
+                               RETERR(result);
+                       }
+                       dns_zone_setkasp(zone, kasp);
+               }
+
                obj = NULL;
                result = named_config_get(maps, "notify", &obj);
                INSIST(result == ISC_R_SUCCESS && obj != NULL);
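Review bot: The error message in the new lookup block is malformed: `"'dnssec-policy '%s' not found "` has an unmatched opening quote before the keyword and a trailing space, so the log line reads oddly; use `"dnssec-policy '%s' not found"`. Separately, `kasp` obtained from `dns_kasplist_find` is handed to `dns_zone_setkasp` and never detached in this hunk; if find hands back an attached reference and setkasp takes its own, that reference is leaked on every (re)configure, so the ownership contract of the two calls should be confirmed and, if needed, a `dns_kasp_detach(&kasp)` added after the set. named_zone_configure continues outside the hunk.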