zone\-max\-ttl: TIME
ksk\-lifetime: TIME
zsk\-lifetime: TIME
+ delete\-delay: TIME
propagation\-delay: TIME
rrsig\-lifetime: TIME
rrsig\-refresh: TIME
.UNINDENT
.sp
\fIDefault:\fP 30 days
+.SS delete\-delay
+.sp
+Once a key (KSK or ZSK) is rolled\-over and removed from the zone,
+keep it in the KASP database for at least this period before deleting it completely.
+This might be useful in some troubleshooting cases when resurrection
+is needed.
+.sp
+\fIDefault:\fP 0
.SS propagation\-delay
.sp
An extra delay added for each key rollover step. This value should be high
zone-max-ttl: TIME
ksk-lifetime: TIME
zsk-lifetime: TIME
+ delete-delay: TIME
propagation-delay: TIME
rrsig-lifetime: TIME
rrsig-refresh: TIME
*Default:* 30 days
+.. _policy_delete-delay:
+
+delete-delay
+------------
+
+Once a key (KSK or ZSK) is rolled-over and removed from the zone,
+keep it in the KASP database for at least this period before deleting it completely.
+This might be useful in some troubleshooting cases when resurrection
+is needed.
+
+*Default:* 0
+
.. _policy_propagation-delay:
propagation-delay
CONF_IO_FRLD_ZONES },
{ C_ZSK_LIFETIME, YP_TINT, YP_VINT = { 0, UINT32_MAX, DAYS(30), YP_STIME },
CONF_IO_FRLD_ZONES },
+ { C_DELETE_DELAY, YP_TINT, YP_VINT = { 0, UINT32_MAX, 0, YP_STIME } },
{ C_PROPAG_DELAY, YP_TINT, YP_VINT = { 0, UINT32_MAX, HOURS(1), YP_STIME },
CONF_IO_FRLD_ZONES },
{ C_RRSIG_LIFETIME, YP_TINT, YP_VINT = { 1, UINT32_MAX, DAYS(14), YP_STIME },
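Review bot: The new C_DELETE_DELAY entry is the only policy item in this hunk without the CONF_IO_FRLD_ZONES flag; its neighbours C_ZSK_LIFETIME and C_PROPAG_DELAY carry it so that a changed value is pushed to already-loaded zones. Since delete_delay is copied into the policy struct when the zone's DNSSEC context is loaded (see the conf_id_get/conf_int hunk), a runtime change to delete-delay would presumably not take effect until something else reloads the zone. Unless the omission is deliberate, add the flag: `{ C_DELETE_DELAY, YP_TINT, YP_VINT = { 0, UINT32_MAX, 0, YP_STIME }, CONF_IO_FRLD_ZONES },`. The enclosing schema array starts and ends outside the hunk.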
#define C_JOURNAL_MAX_USAGE "\x11""journal-max-usage"
#define C_KASP_DB "\x07""kasp-db"
#define C_KASP_DB_MAX_SIZE "\x10""kasp-db-max-size"
+#define C_DELETE_DELAY "\x0C""delete-delay"
#define C_KEY "\x03""key"
#define C_KEYSTORE "\x08""keystore"
#define C_KSK_LIFETIME "\x0C""ksk-lifetime"
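Review bot: The new `#define C_DELETE_DELAY` is inserted between C_KASP_DB_MAX_SIZE and C_KEY, which breaks the alphabetical order the surrounding definitions follow (journal…, kasp-db…, key, keystore, ksk-lifetime). Move it up to where the other C_D* names live so the list stays scannable. The length prefix `\x0C` does match the 12 characters of `delete-delay`, so the encoded name itself is correct.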
val = conf_id_get(conf, C_POLICY, C_KSK_LIFETIME, id);
policy->ksk_lifetime = conf_int(&val);
+ val = conf_id_get(conf, C_POLICY, C_DELETE_DELAY, id);
+ policy->delete_delay = conf_int(&val);
+
val = conf_id_get(conf, C_POLICY, C_PROPAG_DELAY, id);
policy->propagation_delay = conf_int(&val);
uint32_t dnskey_ttl;
uint32_t zsk_lifetime; // like knot_time_t
uint32_t ksk_lifetime; // like knot_time_t
+ uint32_t delete_delay; // like knot_timediff_t
bool ksk_shared;
bool single_type_signing;
bool sts_default; // single-type-signing was set to default value
if (ctx->keep_deleted_keys) {
return 0;
}
- return knot_time_add(remove_time, ctx->policy->ksk_lifetime);
+ return knot_time_add(remove_time, ctx->policy->delete_delay);
}
static knot_time_t zsk_really_remove_time(knot_time_t remove_time, const kdnssec_ctx_t *ctx)
if (ctx->keep_deleted_keys) {
return 0;
}
- return knot_time_add(remove_time, ctx->policy->zsk_lifetime);
+ return knot_time_add(remove_time, ctx->policy->delete_delay);
}
// algorithm rollover related timers must be the same for KSK and ZSK
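Review bot: After this change ksk_really_remove_time and zsk_really_remove_time have identical bodies — both return 0 when ctx->keep_deleted_keys is set and otherwise `return knot_time_add(remove_time, ctx->policy->delete_delay);` — so the pair could be collapsed into one helper, or one could call the other, to keep the rule in a single place. Whichever survives deserves a short comment, e.g. `// delete_delay == 0 (the default) purges the key from KASP as soon as it leaves the zone; keep_deleted_keys overrides this`, since the previous code waited a full key lifetime and the default behaviour has changed. The signature of ksk_really_remove_time lies above the hunk and is not visible here.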
PUB_ONLY_KEYS = 1 if PUB_ONLY_SCENARIO > 0 else 0
PUB_ONLY_CDS = 1 if PUB_ONLY_SCENARIO > 1 else 0
PUB_ONLY_KEYID = ""
+DELETE_DELAY = random.choice([0, 2, 7, 17, 117])
DOUBLE_DS = random.choice([True, False])
CDS_DT = random.choice(["sha256", "sha384"])
-check_log("DOUBLE DS %s, cds dt %s, PUB_ONLY_KEYS %d, PUB_ONLY_CDS %d" % \
- (str(DOUBLE_DS), CDS_DT, PUB_ONLY_KEYS, PUB_ONLY_CDS))
+check_log("DOUBLE DS %s, cds dt %s, PUB_ONLY_KEYS %d, PUB_ONLY_CDS %d DELETE_DELAY %d" % \
+ (str(DOUBLE_DS), CDS_DT, PUB_ONLY_KEYS, PUB_ONLY_CDS, DELETE_DELAY))
def generate_public_only(server, zone, alg):
global PUB_ONLY_KEYID
child.dnssec(child_zone).dnskey_ttl = 2
child.dnssec(child_zone).zsk_lifetime = 99999
child.dnssec(child_zone).ksk_lifetime = 300 # this can be possibly left also infinity
+child.dnssec(child_zone).delete_delay = DELETE_DELAY
child.dnssec(child_zone).propagation_delay = 11
child.dnssec(child_zone).ksk_sbm_check = [ parent ]
child.dnssec(child_zone).ksk_sbm_check_interval = 2
self.zone_max_ttl = None
self.ksk_lifetime = None
self.zsk_lifetime = None
+ self.delete_delay = None
self.propagation_delay = None
self.rrsig_lifetime = None
self.rrsig_refresh = None
self._str(s, "zone-max-ttl", z.dnssec.zone_max_ttl)
self._str(s, "ksk-lifetime", z.dnssec.ksk_lifetime)
self._str(s, "zsk-lifetime", z.dnssec.zsk_lifetime)
+ self._str(s, "delete-delay", z.dnssec.delete_delay)
self._str(s, "propagation-delay", z.dnssec.propagation_delay)
self._str(s, "rrsig-lifetime", z.dnssec.rrsig_lifetime)
self._str(s, "rrsig-refresh", z.dnssec.rrsig_refresh)