Add manual-mode config option

Add a new option 'manual-mode' to 'dnssec-policy'. The intended
use is that if it is enabled, it will not automatically move to the
next state transition (RUMOURED, UNRETENTIVE), only after manual
confirmation. The intended state transition should be logged.

diff --git a/bin/named/config.c b/bin/named/config.c
index cb58713c8aa54809fdd09e5b28b9f868f2e13aea..380c8ebc51ff4dece8814cad4dd35e7571f8340a 100644 (file)
--- a/bin/named/config.c
+++ b/bin/named/config.c
@@ -309,6 +309,7 @@ dnssec-policy \"default\" {\n\
        cds-digest-types { 2; };\n\
        dnskey-ttl " DNS_KASP_KEY_TTL ";\n\
        inline-signing yes;\n\
+       manual-mode no;\n\
        offline-ksk no;\n\
        publish-safety " DNS_KASP_PUBLISH_SAFETY "; \n\
        retire-safety " DNS_KASP_RETIRE_SAFETY "; \n\
@@ -327,6 +328,7 @@ dnssec-policy \"insecure\" {\n\
        max-zone-ttl 0; \n\
        keys { };\n\
        inline-signing yes;\n\
+       manual-mode no;\n\
 };\n\
 \n\
 "

diff --git a/bin/tests/system/checkconf/good.conf.j2 b/bin/tests/system/checkconf/good.conf.j2
index 876b086787412ab65951e5d49567e80fcac6f6d3..fc33cb6503ca4e1af742d6e2b73c8ce5b6d52ca5 100644 (file)
--- a/bin/tests/system/checkconf/good.conf.j2
+++ b/bin/tests/system/checkconf/good.conf.j2
@@ -27,6 +27,7 @@ dnssec-policy "test" {
                zsk lifetime P30D algorithm 13;
                csk key-store "hsm" lifetime P30D algorithm 8 2048;
        };
+       manual-mode no;
        max-zone-ttl 86400;
        nsec3param ;
        parent-ds-ttl 7200;

diff --git a/doc/arm/reference.rst b/doc/arm/reference.rst
index 0592c64bf7876887fdb88fd5700287e6e3e91742..c0fb31ecad98c6b7246770dbbeb432769f8e036a 100644 (file)
--- a/doc/arm/reference.rst
+++ b/doc/arm/reference.rst
@@ -6408,6 +6408,16 @@ keys
    ``insecure``. In this specific case, the existing key files should be moved
    to the zone's ``key-directory`` from the new configuration.
 
+.. namedconf:statement:: manual-mode
+   :tags: dnssec
+   :short: Run key management in a manual mode.
+
+    If enabled, BIND 9 does not automatically start and progress key rollovers,
+    instead the change is logged. Only after manual confirmation with
+    :option:`rndc dnssec -step <rndc dnssec>` the change is made.
+
+    This feature is off by default.
+
 .. namedconf:statement:: offline-ksk
    :tags: dnssec
    :short: Specifies whether the DNSKEY, CDS, and CDNSKEY RRsets are being signed offline.

diff --git a/doc/misc/dnssec-policy.default.conf b/doc/misc/dnssec-policy.default.conf
index d5571bac0410c7e38b723fdb6a032a7cb1cd88f9..ce99f978fe94f262a25c7acc5f9a16d6abe6ee24 100644 (file)
--- a/doc/misc/dnssec-policy.default.conf
+++ b/doc/misc/dnssec-policy.default.conf
@@ -33,6 +33,7 @@ dnssec-policy "default" {
        signatures-validity-dnskey 14d;
 
        // Zone parameters
+       manual-mode no;
        inline-signing yes;
        max-zone-ttl 86400;
        zone-propagation-delay 300;

diff --git a/doc/misc/options b/doc/misc/options
index 3215fc7af7b5f5a7c69ca53e0532a8f332e13d04..5bb047d95a6c0e0b9e463a489a7daf49db725cb5 100644 (file)
--- a/doc/misc/options
+++ b/doc/misc/options
@@ -16,6 +16,7 @@ dnssec-policy <string> {
        dnskey-ttl <duration>;
        inline-signing <boolean>;
        keys { ( csk | ksk | zsk ) [ key-directory | key-store <string> ] lifetime <duration_or_unlimited> algorithm <string> [ tag-range <integer> <integer> ] [ <integer> ]; ... };
+       manual-mode <boolean>;
        max-zone-ttl <duration>;
        nsec3param [ iterations <integer> ] [ optout <boolean> ] [ salt-length <integer> ];
        offline-ksk <boolean>;

diff --git a/lib/dns/include/dns/kasp.h b/lib/dns/include/dns/kasp.h
index e2b0ea94dfc4332fe3851d3010bcca652123fe0b..999e08ddcbac6d69af8117c2ca6d424674488694 100644 (file)
--- a/lib/dns/include/dns/kasp.h
+++ b/lib/dns/include/dns/kasp.h
@@ -108,6 +108,7 @@ struct dns_kasp {
        dns_ttl_t zone_max_ttl;
        uint32_t  zone_propagation_delay;
        bool      inline_signing;
+       bool      manual_mode;
 
        /* Parent settings */
        dns_ttl_t parent_ds_ttl;
@@ -439,6 +440,30 @@ dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value);
  *\li   'kasp' is a valid, thawed kasp.
  */
 
+bool
+dns_kasp_manualmode(dns_kasp_t *kasp);
+/*%<
+ * Should we use manual-mode for this DNSSEC policy?
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, frozen kasp.
+ *
+ * Returns:
+ *
+ *\li   true or false.
+ */
+
+void
+dns_kasp_setmanualmode(dns_kasp_t *kasp, bool value);
+/*%<
+ * Set manual-mode.
+ *
+ * Requires:
+ *
+ *\li   'kasp' is a valid, thawed kasp.
+ */
+
 dns_ttl_t
 dns_kasp_zonemaxttl(dns_kasp_t *kasp, bool fallback);
 /*%<

diff --git a/lib/dns/kasp.c b/lib/dns/kasp.c
index 722c069d3a55e466e1e42af0de4f3910b2ce5cd0..884e3e33ec858d1ebd6090bb9546fd76fdf1c1ce 100644 (file)
--- a/lib/dns/kasp.c
+++ b/lib/dns/kasp.c
@@ -273,6 +273,22 @@ dns_kasp_setinlinesigning(dns_kasp_t *kasp, bool value) {
        kasp->inline_signing = value;
 }
 
+bool
+dns_kasp_manualmode(dns_kasp_t *kasp) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(kasp->frozen);
+
+       return kasp->manual_mode;
+}
+
+void
+dns_kasp_setmanualmode(dns_kasp_t *kasp, bool value) {
+       REQUIRE(DNS_KASP_VALID(kasp));
+       REQUIRE(!kasp->frozen);
+
+       kasp->manual_mode = value;
+}
+
 dns_ttl_t
 dns_kasp_zonemaxttl(dns_kasp_t *kasp, bool fallback) {
        REQUIRE(DNS_KASP_VALID(kasp));

diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 4bc62c0ba4bd9e3d33e4f5e5f604b6a7906ef158..d83e0af46b51019055a9cd315f02fb25de2ca5c5 100644 (file)
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -473,7 +473,7 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
        uint32_t zonepropdelay = 0, parentpropdelay = 0;
        uint32_t ipub = 0, iret = 0;
        uint32_t ksk_min_lifetime = 0, zsk_min_lifetime = 0;
-       bool offline_ksk = false;
+       bool offline_ksk = false, manual_mode = false;
 
        REQUIRE(config != NULL);
        REQUIRE(kaspp != NULL && *kaspp == NULL);
@@ -578,6 +578,13 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
                dns_kasp_setinlinesigning(kasp, true);
        }
 
+       obj = NULL;
+       (void)confget(maps, "manual-mode", &obj);
+       if (obj != NULL) {
+               manual_mode = cfg_obj_asboolean(obj);
+       }
+       dns_kasp_setmanualmode(kasp, manual_mode);
+
        maxttl = get_duration(maps, "max-zone-ttl", DNS_KASP_ZONE_MAXTTL);
        dns_kasp_setzonemaxttl(kasp, maxttl);
 

diff --git a/lib/isccfg/namedconf.c b/lib/isccfg/namedconf.c
index 67824c75e80dc1401e2da2cc4ef002c661236dc9..6d204ebeeb719606748f77696dcb4a8c59a7796f 100644 (file)
--- a/lib/isccfg/namedconf.c
+++ b/lib/isccfg/namedconf.c
@@ -2213,6 +2213,7 @@ static cfg_clausedef_t dnssecpolicy_clauses[] = {
        { "dnskey-ttl", &cfg_type_duration, 0 },
        { "inline-signing", &cfg_type_boolean, 0 },
        { "keys", &cfg_type_kaspkeys, 0 },
+       { "manual-mode", &cfg_type_boolean, 0 },
        { "max-zone-ttl", &cfg_type_duration, 0 },
        { "nsec3param", &cfg_type_nsec3, 0 },
        { "offline-ksk", &cfg_type_boolean, 0 },